openjdk-8 8u151-b12-0ubuntu0.16.04.2 source package in Ubuntu
Changelog
openjdk-8 (8u151-b12-0ubuntu0.16.04.2) xenial-security; urgency=medium

* Backport to 16.04.

openjdk-8 (8u151-b12-0ubuntu0.17.10.2) artful-security; urgency=medium

* Update to 8u151-b12. Hotspot 8u144-b01 for aarch32 with 8u151 hotspot patches.
* Security patches:
  - CVE-2017-10274, S8169026: Handle smartcard clean up better. If a CardImpl can be recovered via finalization, then separate instances pointing to the same device can be created.
  - CVE-2017-10281, S8174109: Better queuing priorities. PriorityQueue's readObject allocates an array based on data in the stream which could cause an OOM.
  - CVE-2017-10285, S8174966: Unreferenced references. RMI's Unreferenced thread can be used as the root of a Trusted Method Chain.
  - CVE-2017-10295, S8176751: Better URL connections. On Ubuntu (and possibly other Linux flavors) CR-NL in the host field are ignored and can be used to inject headers in an HTTP request stream.
  - CVE-2017-10388, S8178794: Correct Kerberos ticket grants. Kerberos implementations can incorrectly take information from the unencrypted portion of the ticket from the KDC. This can lead to an MITM attack impersonating Kerberos services.
  - CVE-2017-10346, S8180711: Better alignment of special invocations. A missing load constraint for some invokespecial cases can allow invoking a method from an unrelated class.
  - CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated based on data in the serial stream without a limit on the size.
  - CVE-2017-10347, S8181323: Better timezone processing. An array is allocated based on data in the serial stream without a limit on the size.
  - CVE-2017-10349, S8181327: Better Node predications. An array is allocated based on data in the serial stream without a limit on the size.
  - CVE-2017-10345, S8181370: Better keystore handling. A malicious serialized object in a keystore can cause a DoS when using keytool.
  - CVE-2017-10348, S8181432: Better processing of unresolved permissions. An array is allocated based on data in the serial stream without a limit on the size.
  - CVE-2017-10357, S8181597: Process Proxy presentation. A malicious serialized stream could cause an OOM due to lack of checking on the number of interfaces read from the stream for a Proxy.
  - CVE-2017-10355, S8181612: More stable connection processing. If an attack can cause an application to open a connection to a malicious FTP server (e.g., via XML), then a thread can be tied up indefinitely in accept(2).
  - CVE-2017-10356, S8181692: Update storage implementations. JKS and JCEKS keystores should be retired from common use in favor of more modern keystore protections.
  - CVE-2016-10165, S8183028: Improve CMS header processing. Missing bounds check could lead to leaked memory contents.
  - CVE-2016-9841, S8184682: Upgrade compression library. There were four off by one errors found in the zlib library. Two of them are long typed which could lead to RCE.
* debian/rules:
  - own /usr/share/man/man1 since we use it in the postinst script. Closes: #863199.
  - openjdk8 now ships limited and unlimited policy.jar files (S8157561) into their own directories under jre/lib/security/policy, thus we must copy those directories instead of the policy.jar files.
* debian/rules, debian/patches/sec-webrev-8u151-hotspot-8179084.patch, debian/patches/sec-webrev-8u151-hotspot-8180711.patch: apply hotspot security updates to both aarch32 and aarch64.
* debian/patches/gcc6.diff, debian/patches/aarch64.diff, debian/patches/aarch32.diff, debian/patches/m68k-support.diff, debian/patches/system-libjpeg.diff: removed hunks related to the common/autoconf/generated-configure.sh file as we regenerate it, no need to keep maintaining those.
* debian/patches/hotspot-ppc64el-S8168318-cmpldi.patch: use cmpldi instead of li/cmpld. LP: #1723893.
* debian/patches/hotspot-ppc64el-S8170328-andis.patch: use andis instead of lis/and. LP: #1723862.
* debian/patches/hotspot-ppc64el-S8145913-montgomery-multiply-intrinsic.patch: add Montgomery multiply intrinsic. LP: #1723860.
* debian/patches/hotspot-ppc64el-S8181810-leverage-extrdi.patch: leverage extrdi for bitfield extract is absent in OpenJDK 8. LP: #1723861.
* debian/patches/jdk-S8165852-overlayfs.patch: mount point not found for a file which is present in overlayfs.

openjdk-8 (8u144-b01-2) unstable; urgency=medium

[ Matthias Klose ]
* Don't regenerate the control file during the build.
* Enable systemtap on sh4.
* Bump standards version to 4.1.0.
* Build using GCC 7 on recent development versions.

[ Tiago Stürmer Daitx ]
* debian/rules:
  - when zero/shark alternate vm is built, add '-zero KNOWN' to jvm.cfg.
  - for non-hotspot builds add '-zero ALIASED_TO -server' to jvm.cfg.
  - enable zero alternate vm on armhf.
* debian/jvm.cfg-client_default: aarch32 only builds the client compiler and requires its own default jvm. Closes: #874434.

openjdk-8 (8u144-b01-1) unstable; urgency=medium

* Update to 8u144-b01.
  - fix regression introduced by security fix S8169392. LP: #1707082.

[ Matthias Klose ]
* Fix libjvm.so's .debug file names. LP: #1548434.
* Remove dependency on multiarch-support. Closes: #870520.

[ Tiago Stürmer Daitx ]
* debian/apport-hook.py:
  - truncate hs_err if bigger than 100 KiB instead of ignoring it.
  - add message if hs_err file is not found at expected location.
  - report file size in human readable SI units.
* debian/control.in:
  - move 'Breaks:' from openjdk-8-jdk-headless to openjdk-8-jre-headless.
  - remove jamvm references.
* debian/control.jamvm-jre: removed.
* debian/control.jamvm-trans: transactional package for jamvm.
* debian/rules:
  - add aarch32 hotspot support.
  - build aarch32 using client jvm-variant (no server in aarch32 port).
  - use DEB_HOST_ARCH instead of DEB_HOST_ARCH_CPU as armel and armhf are both reported as arm.
  - explicitly add kfreebsd-i386, kfreebsd-amd64, hurd-i386 to arch_map and archdir_map due to usage of DEB_HOST_ARCH.
  - avoid building zero as an alternative vm for aarch32.
  - disable precompiled headers on Trusty to minimize g++-4.8 segfaults.
  - don't build zero alternate vm on Trusty, avoid g++-4.8 segfaults.
  - add a 'Breaks:' entry to ca-certificates-java for all releases except Trusty. LP: #1706567.
  - remove jamvm.
* debian/patches/aarch64.diff: remove unnecessary chunks as aarch64 is now upstream.
* debian/patches/aarch32.diff: add required changes to root and jdk to build aarch32.
* debian/patches/hotspot-libpath-aarch32.diff: copied from hotspot-libpath-default.diff.
* debian/patches/ppc64le-8036767.diff: updated.
* debian/patches/jdk-ppc64el-S8170153.patch: updated to include aarch64.
* debian/patches/jdk-java-nio-bits-unligned-aarch64.diff: Check for "aarch64" along with other unaligned access supporting architectures.

openjdk-8 (8u141-b15-3) unstable; urgency=high

* Fix building the javadocs, build error introduced by the m68k changes.
* Update the kfreebsd patches (Adrian Glaubitz). Closes: #869643, #869672.

openjdk-8 (8u141-b15-2) unstable; urgency=high

[ Matthias Klose ]
* Update the m68k-support patch (Adrian Glaubitz). Closes: #864180.
* Disable generation of jvmti.html on m68k (Adrian Glaubitz). Closes: #864205.
* Disable the jamvm autopkg tests.
* CVE-2017-10243 is also fixed in 8u141-b15 (S8182054).

[ Tiago Stürmer Daitx ]
* patches/hotspot-ppc64el-S8181055-use-numa-v2-api.patch: mbind invalid argument message is still seen after S8175813; use numa_interleave_memory v2 api when available. LP: #1705763.

openjdk-8 (8u141-b15-1) unstable; urgency=high

* Update to 8u141-b15, Hotspot 8u141-b16 for AArch64.
* Security fixes from 8u141:
  - CVE-2017-10102, S8163958: Improved garbage collection.
  - CVE-2017-10053, S8169209: Improved image post-processing steps.
  - CVE-2017-10067, S8169392: Additional jar validation steps.
  - CVE-2017-10081, S8170966: Right parenthesis issue.
  - CVE-2017-10078, S8171539: Better script accessibility for JavaScript.
  - CVE-2017-10087, S8172204: Better Thread Pool execution.
  - CVE-2017-10089, S8172461: Service Registration Lifecycle.
  - CVE-2017-10090, S8172465: Better handling of channel groups.
  - CVE-2017-10096, S8172469: Transform Transformer Exceptions.
  - CVE-2017-10101, S8173286: Better reading of text catalogs.
  - CVE-2017-10107, S8173697: Less Active Activations.
  - CVE-2017-10074, S8173770: Image conversion improvements.
  - CVE-2017-10110, S8174098: Better image fetching.
  - CVE-2017-10108, S8174105: Better naming attribution.
  - CVE-2017-10109, S8174113: Better sourcing of code.
  - CVE-2017-10115, S8175106: Higher quality DSA operations.
  - CVE-2017-10118, S8175110: Higher quality ECDSA operations.
  - CVE-2017-10116, S8176067: Proper directory lookup processing.
  - CVE-2017-10135, S8176760: Better handling of PKCS8 material.
  - CVE-2017-10176, S8178135: Additional elliptic curve support.
  - CVE-2017-10193, S8179101: Improve algorithm constraints implementation.
  - CVE-2017-10198, S8179998: Clear certificate chain connections.
  - S8174770: Check registry registration location.
  - S8174873: Improved certificate processing.
  - S8176055: JMX diagnostic improvements.
  - S8176536: Improved algorithm constraints checking.
  - S8181420: PPC: Image conversion improvements.
  - S8182054: Improve wsdl support.
  - S8184185: Rearrange MethodHandle arrangements.

[ Matthias Klose ]
* Provide jvmdir symlink in /usr/lib/debug. Closes: #867314.
* Fix pt_BR translation in awt message. Closes: #863331.

[ Tiago Stürmer Daitx ]
* debian/rules:
  - enable apport hook on Ubuntu and derivatives only.
  - remove with_zenhai logic.
  - remove unused with_tzdata logic, move tzdata build dependency to control.in.
  - add Breaks:tzdata-java except for wheezy, jessie or trusty.
  - re-enable jamvm for Xenial only.
  - run debian/control before build so we won't build with an invalid control file.
  - remove logic to select between ttf or font packages and depend on fonts-wqy-microhei and fonts-wqy-zenhei instead
* debian/apport-hook.py: add an apport hook to include conffiles modified by the user on any report and the hs_err log file on crash report only. LP: #1696886.
* patches/fontconfig-arphic-uming.diff: only enabled when with_zenhai was false; not required since lenny.
* patches/hotspot-ppc64el-S8175813-mbind-invalid-argument.patch: prevent invalid argument message when invoking UseNUMA on a system with non-consecutive numa topology. LP: #1697348.

-- Tiago Stürmer Daitx <email address hidden> Thu, 26 Oct 2017 19:48:24 +0000
Upload details
- Uploaded by: Tiago Stürmer Daitx
- Uploaded to: Xenial
- Original maintainer: Ubuntu Developers
- Architectures: alpha amd64 armel armhf arm64 i386 ia64 mips mipsel mips64 mips64el powerpc powerpcspe ppc64 ppc64el m68k sh4 sparc sparc64 s390x x32 kfreebsd-i386 kfreebsd-amd64 all
- Section: java
- Urgency: Very Urgent
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
openjdk-8_8u151-b12.orig.tar.bz2 | 67.1 MiB | eac46e7eb87e15144697043feca86f1fa0cbcf0eaf84de765a57405116140b49 |
openjdk-8_8u151-b12-0ubuntu0.16.04.2.debian.tar.xz | 247.2 KiB | 61ebeb76c259e00e621661d1518289da0d7157502e79ddd654e87c9c920f41b2 |
openjdk-8_8u151-b12-0ubuntu0.16.04.2.dsc | 4.6 KiB | 2e0d6f9721c2f31f55928b18a7840c57c9f252695a145d177f31b303b9ee77ca |
Binary packages built by this source
- openjdk-8-dbg: Java runtime based on OpenJDK (debugging symbols)
OpenJDK is a development environment for building applications,
applets, and components using the Java programming language.
.
This package contains the debugging symbols.
.
The packages are built using the IcedTea build support and patches
from the IcedTea project.
- openjdk-8-demo: Java runtime based on OpenJDK (demos and examples)
OpenJDK Java runtime
.
The packages are built using the IcedTea build support and patches
from the IcedTea project.
- openjdk-8-doc: OpenJDK Development Kit (JDK) documentation
OpenJDK is a development environment for building applications,
applets, and components using the Java programming language.
.
This package contains the API documentation.
.
The packages are built using the IcedTea build support and patches
from the IcedTea project.
- openjdk-8-jdk: OpenJDK Development Kit (JDK)
OpenJDK is a development environment for building applications,
applets, and components using the Java programming language.
.
The packages are built using the IcedTea build support and patches
from the IcedTea project.
- openjdk-8-jdk-headless: OpenJDK Development Kit (JDK) (headless)
OpenJDK is a development environment for building applications,
applets, and components using the Java programming language.
.
The packages are built using the IcedTea build support and patches
from the IcedTea project.
- openjdk-8-jre: OpenJDK Java runtime, using Hotspot Zero
Full Java runtime environment - needed for executing Java GUI and Webstart
programs, using Hotspot Zero.
.
The packages are built using the IcedTea build support and patches
from the IcedTea project.
- openjdk-8-jre-headless: OpenJDK Java runtime, using Hotspot Zero (headless)
Minimal Java runtime - needed for executing non GUI Java programs,
using Hotspot Zero.
.
The packages are built using the IcedTea build support and patches
from the IcedTea project.
- openjdk-8-jre-jamvm: Transitional package for obsolete JamVM for OpenJDK
JamVM support was removed for recent versions of OpenJDK 8.
.
This is a transitional package which can be safely removed.
- openjdk-8-jre-zero: Alternative JVM for OpenJDK, using Zero/Shark
The package provides an alternative runtime using the Zero VM and the
Shark Just In Time Compiler (JIT). Built on architectures in addition
to the Hotspot VM as a debugging aid for those architectures which don't
have a Hotspot VM.
.
The VM is started with the option `-zero'. See the README.Debian for details.
- openjdk-8-source: OpenJDK Development Kit (JDK) source files
OpenJDK is a development environment for building applications,
applets, and components using the Java programming language.
.
This package contains the Java programming language source files
(src.zip) for all classes that make up the Java core API.
.
The packages are built using the IcedTea build support and patches
from the IcedTea project.