Update openjdk-8 to 8u212 - security fixes are provided

Bug #1826001 reported by Julian Alarcon
This bug affects 2 people
Affects: openjdk-8 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

The current OpenJDK 8 version in Ubuntu is 8u191.

Java is now at version 8u212.

Debian already updated this in stable:

https://metadata.ftp-master.debian.org/changelogs//main/o/openjdk-8/openjdk-8_8u212-b01-1~deb9u1_changelog

Debian packages:
https://packages.debian.org/search?keywords=openjdk-8&searchon=names&suite=all&section=all

Changelog from OpenJDK:

https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-April/009115.html

It seems that the source code is already in Launchpad: https://launchpad.net/ubuntu/+source/openjdk-8/+changelog

* Security fixes
  - S8211936, CVE-2019-2602: Better String parsing
  - S8218453, CVE-2019-2684: More dynamic RMI interactions
  - S8219066, CVE-2019-2698: Fuzzing TrueType fonts: setCurrGlyphID()

CVE References

description: updated
Steve Beattie (sbeattie)
information type: Private Security → Public Security
Paul White (paulw2u)
tags: added: upgrade-software-version
tags: added: bionic xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-8 - 8u212-b03-0ubuntu1

---------------
openjdk-8 (8u212-b03-0ubuntu1) eoan; urgency=medium

  [ Tiago Stürmer Daitx ]
  * Update to 8u212-b03. LP: #1826001.
  * Security fixes:
    - S8211936, CVE-2019-2602: Better String parsing.
    - S8218453, CVE-2019-2684: More dynamic RMI interactions.
    - S8219066, CVE-2019-2698: Fuzzing TrueType fonts: setCurrGlyphID().
  * Revert to GTK2 as default since GTK3 still has padding and component
    issues:
    - debian/rules: always Build-Depends on libgtk2.0-dev and Depends on
      libgtk2.0-0 instead of relying on gtk3 for some releases.
  * debian/control: add missing dependency on testng (required by the
    testsuites).

  [ Andrej Shadura ]
  * debian/rules: check for nodoc instead of nodocs in DEB_BUILD_OPTIONS.
    Closes: 922757.

  [ Matthias Klose ]
  * debian/rules, debian/tests/jtdiff-autopkgtest.sh,
    debian/tests/jtreg-autopkgtest.in, debian/tests/jtreg-autopkgtest.sh:
    only set the JDK under test and allow jtreg to use its default JDK
    for running the tests.

  [ Thorsten Glaser ]
  * Improve compatibility with older releases. Closes: #925407.
    - debian/rules: determine source date using backwards-compatible
      dpkg-parsechangelog call.
    - debian/control.in: put @bd_cross@ onto same line as @bd_nss@ as
      it can be empty.

 -- Tiago Stürmer Daitx <email address hidden> Thu, 25 Apr 2019 21:28:59 +0000

Changed in openjdk-8 (Ubuntu):
status: New → Fix Released
Steve Beattie (sbeattie) wrote :
This report contains Public Security information  
Everyone can see this security related information.
