openjdk-8 (8u111-b14-2ubuntu0.16.04.2) xenial-security; urgency=medium
* Backport to 16.04.
openjdk-8 (8u111-b14-2ubuntu0.16.10.2) yakkety-security; urgency=medium
* debian/rules: remove samevm/othervm options from jtreg tests.
* debian/buildwatch.sh: noisy and quiet logic blocks were swapped.
openjdk-8 (8u111-b14-2ubuntu0.16.10.1) yakkety-security; urgency=medium
* Security fixes in 8u111:
- CVE-2016-5568, S8158993: Service Menu services.
- CVE-2016-5582, S8160591: Improve internal array handling.
- CVE-2016-5573, S8159519: Reformat JDWP messages.
- CVE-2016-5597, S8160838: Better HTTP service.
- CVE-2016-5554, S8157739: Classloader Consistency Checking.
- CVE-2016-5542, S8155973: Tighten jar checks.
* debian/rules: removed all mauve and cacao references, updated jtreg tests
to use agentvm and auto concurrency, use autoconf 2.68 for precise.
* debian/buildwatch.sh: updated to stop it if no 'make' process is running,
as it probably means that the build failed - otherwise buildwatch keeps
the builder alive until it exits after the timer (3 hours by default)
* debian/control.in: removed mauve and cacao references.
* debian/copyright.cacao: deleted file.
* debian/README.source: removed caco and mauve references.
* debian/patches/aarch64.diff: removed cacao vm reference.
* debian/patches/autoconf-2.68.diff: reduce minimum autoconf requirement to
* debian/patches/autoconf-select.diff: deleted file as it has been replaced
by autoconf 2.68 changes for precise.
* debian/patches/cacao-armv4.diff: deleted file.
* debian/tests/control: added autopkgtest to run jtreg testsuite.
* debian/tests/jtreg-autopkgtest: run jtreg tests on autopkgtest.
openjdk-8 (8u111-b14-2) unstable; urgency=high
* Apply the kfreebsd patches conditionally.
openjdk-8 (8u111-b14-1) unstable; urgency=high
* Update to 8u111-b14, including security fixes.
* Enable hotspot builds for sparc64. Closes: #835973.
openjdk-8 (8u102-b14.1-2) unstable; urgency=medium
* Fix build failure with GCC 6. Closes: #811694.
* Fix JamVM, lacking JVM_GetResourceLookupCacheURLs (Xerxes Rånby).
* Explicitly build using GCC 6.
openjdk-8 (8u102-b14.1-1) unstable; urgency=medium
* Use the 8u101 tarballs instead of the 8u102 tarballs (inventing a fake
openjdk-8 (8u102-b14-2) unstable; urgency=medium
* Update AArch64 and KFreeBSD patches.
openjdk-8 (8u102-b14-1) unstable; urgency=medium
* Update to 8u101-b14, including security fixes:
* IIOP Input Stream Hooking. CVE-2016-3458:
defaultReadObject is not forbidden in readObject in subclasses of
InputStreamHook which provides leverage to deserialize malicious objects
if a reference to the input stream can be obtained separately.
* Complete name checking. S8148872, CVE-2016-3500:
In some cases raw names in XML data are not checked for length limits
allowing for DoS attacks.
* Better delineation of XML processing. S8149962, CVE-2016-3508:
Denial of service measures do not take newline characters into account.
This can be used to conduct attacks like the billion laughs DoS.
* Coded byte streams. S8152479, CVE-2016-3550:
A fuzzed class file triggers an integer overflow in array access.
* Clean up lookup visibility. S8154475, CVE-2016-3587:
A fast path change allowed access to MH.invokeBasic via the public lookup
object. MH.iB does not do full type checking which can be used to create
* Bolster bytecode verification. S8155981, CVE-2016-3606:
The bytecode verifier checks that any classes' <init> method calls
super.<init> before returning. There is a way to bypass this requirement
which allows creating subclasses of classes that are not intended to be
* Persistent Parameter Processing. S8155985, CVE-2016-3598:
TOCTOU issue with types List passed into dropArguments() which can be used
to cause type confusion.
* Additional method handle validation. S8158571, CVE-2016-3610:
MHs.filterReturnValue does not check the filter parameter list size.
The single expected parameter is put in the last parameter position for
the filter MH allowing for type confusion.
* Enforce GCM limits. S8146514:
In GCM the counter should not be allowed to wrap (per the spec), since that
plus exposing the encrypted data could lead to leaking information.
* Construction of static protection domains. S8147771:
SubjectDomainCombiner does not honor the staticPermission field and will
create ProtectionDomains that vary with the system policy which may allow
unexpected permission sets.
* Share Class Data. S8150752:
Additional verification of AppCDS archives is required to prevent an
attacker from creating a type confusion situation.
* Enforce update ordering. S8149070:
If the GCM methods update() and updateAAD() are used out of order, the
security of the system can be weakened and an exception should be thrown
to warn the developer.
* Constrain AppCDS behavior. S8153312:
AppCDS does not create classloader constraints upon reloading classes
which could allow class spoofing under some circumstances.
Date: 2016-10-27 14:35:14.498946+00:00
Changed-By: Tiago Stürmer Daitx <tiago.da...@canonical.com>
Maintainer: OpenJDK <open...@lists.launchpad.net>
Signed-By: Steve Beattie <sbeat...@ubuntu.com>
Sorry, changesfile not available.
Xenial-changes mailing list
Modify settings or unsubscribe at: