diff --git a/debian/changelog b/debian/changelog
index fd583c1..7c93bdb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,25 @@
+openjdk-8 (8u362-ga-0buntu1) lunar; urgency=medium
+
+ * New upstream release
+ * CVEs
+ - CVE-2023-21830
+ - CVE-2023-21843
+ * Security fixes
+ - JDK-8285021: Improve CORBA communication
+ - JDK-8286496: Improve Thread labels
+ - JDK-8288516: Enhance font creation
+ - JDK-8289350: Better media supports
+ - JDK-8293554: Enhanced DH Key Exchanges
+ - JDK-8293598: Enhance InetAddress address handling
+ - JDK-8293717: Objective view of ObjectView
+ - JDK-8293734: Improve BMP image handling
+ - JDK-8293742: Better Banking of Sounds
+ - JDK-8295687: Better BMP bounds
+ * Other changes see
+ https://mail.openjdk.org/pipermail/jdk8u-dev/2023-January/016479.html
+
+ -- Vladimir Petko Fri, 20 Jan 2023 09:19:08 +1300
+
 openjdk-8 (8u352-ga-1) unstable; urgency=medium
 
 * Update GCC for bookworm/sid and kinetic-proposed from 11 to 12
diff --git a/debian/openjdk-8-jre-headless.NEWS b/debian/openjdk-8-jre-headless.NEWS
index 15d7f2e..627022d 100644
--- a/debian/openjdk-8-jre-headless.NEWS
+++ b/debian/openjdk-8-jre-headless.NEWS
@@ -1,3 +1,94 @@
+openjdk-8 (8u362-ga-0buntu1) lunar; urgency=medium
+
+ Upstream-provided “Notes on individual issues”:
+
+ client-libs/javax.imageio:
+
+ JDK-8295687: Better BMP bounds
+ ==============================
+ Loading a linked ICC profile within a BMP image is now disabled by
+ default. To re-enable it, set the new system property
+ `sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property
+ replaces the old property,
+ `sun.imageio.plugins.bmp.disableLinkedProfiles`.
+
+ client-libs/javax.sound:
+
+ JDK-8293742: Better Banking of Sounds
+ =====================================
+ Previously, the SoundbankReader implementation,
+ `com.sun.media.sound.JARSoundbankReader`, would download a JAR
+ soundbank from a URL. This behaviour is now disabled by default. To
+ re-enable it, set the new system property `jdk.sound.jarsoundbank` to
+ `true`.
+
+ hotspot/runtime:
+
+ JDK-8274840: Release Now Recognises Windows 11
+ ==============================================
+ This release now correctly sets the `os.name` property to `Windows
+ 11`, as would be expected.
+
+ other-libs/corba:idl:
+
+ JDK-8285021: Improve CORBA communication
+ ========================================
+ The JDK's CORBA implementation now refuses by default to deserialize
+ objects, unless they have the "IOR:" prefix. The previous behaviour
+ can be re-enabled by setting the new property
+ `com.sun.CORBA.ORBAllowDeserializeObject` to `true`.
+
+ security-libs/java.security:
+
+ JDK-8269039: Disabled SHA-1 Signed JARs
+ =======================================
+ JARs signed with SHA-1 algorithms are now restricted by default and
+ treated as if they were unsigned. This applies to the algorithms used
+ to digest, sign, and optionally timestamp the JAR. It also applies to
+ the signature and digest algorithms of the certificates in the
+ certificate chain of the code signer and the Timestamp Authority, and
+ any CRLs or OCSP responses that are used to verify if those
+ certificates have been revoked. These restrictions also apply to
+ signed JCE providers.
+
+ To reduce the compatibility risk for JARs that have been previously
+ timestamped, there is one exception to this policy:
+
+ - Any JAR signed with SHA-1 algorithms and timestamped prior to
+ January 01, 2019 will not be restricted.
+
+ This exception may be removed in a future JDK release. To determine if
+ your signed JARs are affected by this change, run:
+
+ $ jarsigner -verify -verbose -certs`
+
+ on the signed JAR, and look for instances of "SHA1" or "SHA-1" and
+ "disabled" and a warning that the JAR will be treated as unsigned in
+ the output.
+
+ For example:
+
+ Signed by "CN="Signer""
+ Digest algorithm: SHA-1 (disabled)
+ Signature algorithm: SHA1withRSA (disabled), 2048-bit key
+
+ WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
+
+ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
+
+ JARs affected by these new restrictions should be replaced or
+ re-signed with stronger algorithms.
+
+ Users can, *at their own risk*, remove these restrictions by modifying
+ the `java.security` configuration file (or override it by using the
+ `java.security.properties` system property) and removing "SHA1 usage
+ SignedJAR & denyAfter 2019-01-01" from the
+ `jdk.certpath.disabledAlgorithms` security property and "SHA1
+ denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security
+ property.
+
+ -- Vladimir Petko Fri, 20 Jan 2023 09:19:08 +1300
+
 openjdk-8 (8u352-ga-1) unstable; urgency=medium
 
 Warning: JVM_Exit and the ability to run finalisers on exit are gone
diff --git a/debian/rules b/debian/rules
index edff271..39d3915 100755
--- a/debian/rules
+++ b/debian/rules
@@ -100,10 +100,10 @@ shortver = 8
 is_release =
 is_release = yes
 gh_project = jdk8u
-gh_tag = jdk8u352-ga
+gh_tag = jdk8u362-ga
 version_dash_buildnr = $(subst ${gh_project},,${gh_tag})
-version_dash_buildnr = 352-b08
-gh_tag_aarch32 = jdk8u352-ga-aarch32-20221020
+version_dash_buildnr = 362-b09
+gh_tag_aarch32 = jdk8u362-ga-aarch32-20230119
 #gh_tag_aarch64 = aarch64-shenandoah-jdk8u322-b06
 package_version = $(subst jdk,,${gh_tag})
 ifneq ($(is_release),yes)