Change logs for openjdk-7 source package in Experimental

  • openjdk-7 (7u211-2.6.17-1) experimental; urgency=medium
    
      [ Tiago Stürmer Daitx ]
      * IcedTea release 2.6.17 (based on 7u211).
      * Security fixes:
        - S8206290, CVE-2019-2422: Better FileChannel transfer performance.
        - S8209094, CVE-2019-2426: Improve web server connections.
        - S8210866, CVE-2018-11212: Improve JPEG processing.
        - S8199156: Better route routing.
        - S8199161: Better interface enumeration.
        - S8199166: Better interface lists.
        - S8199552: Update to build scripts.
        - S8200659: Improve BigDecimal support.
        - S8203955: Improve robot support.
        - S8204895: Better icon support.
        - S8205356: Choose printer defaults.
        - S8205709: Proper allocation handling.
        - S8205714: Initial class initialization.
        - S8206295: More reliable p11 transactions.
        - S8206301: Improve NIO stability.
        - S8208585: Make crypto code more robust.
        - S8210094: Better loading of classloader classes.
        - S8210606: Improved data set handling.
        - S8210610: Improved LSA authentication.
        - S8210870: Libsunmscapi improved interactions.
      * debian/patches/hotspot-S8207151-fix-bad-klassoop.patch,
        debian/patches/openjdk-jdk7u191-b01-jaxp.patch,
        debian/patches/openjdk-jdk7u191-b01-jdk.patch,
        debian/patches/openjdk-jdk7u201-b00-hotspot.patch,
        debian/patches/openjdk-jdk7u201-b00-jaxp.patch,
        debian/patches/openjdk-jdk7u201-b00-jdk.patch: removed, applied upstream.
      * debian/patches/zero-sparc.diff: updated to fix merge failure in
        file hotspot/src/share/vm/c1/c1_LIRAssembler.cpp.
    
      [ Matthias Klose ]
      * Bump standards version.
      * Fix lintian warnings.
    
     -- Matthias Klose <email address hidden>  Tue, 26 Mar 2019 19:25:17 +0100
  • openjdk-7 (7u181-2.6.14-2) experimental; urgency=medium
    
      * Apply 7u191-b01 and 7u201-b00 security patches.
      * Security fixes:
        - CVE-2018-3136, S8194534: Manifest better support.
        - CVE-2018-3139, S8196902: Better HTTP redirection support.
        - CVE-2018-3149, S8199177: Enhance JNDI lookups.
        - CVE-2018-3169, S8199226: Improve field accesses.
        - CVE-2018-3180, S8202613: Improve TLS connections stability.
        - CVE-2018-2938, S8197871: Support Derby connections.
        - CVE-2018-2952, S8199547: Exception to Pattern Syntax.
        - S8191239: Improve desktop file usage.
        - S8193419: Better Internet address support.
        - S8197925: Better stack walking.
        - S8200666: Improve LDAP support.
      * debian/patches/hotspot-disable-exec-shield-workaround.patch: removed,
        upstream fixed i386 stack guard support in S8197429 (hotspot's mercurial
        commit 6636:d673ec579604).
      * debian/patches/jdk-freetypeScaler-crash.diff: removed, it caused
        a memory leak and has been fixed upstream already, albeit in a
        different way. Closes: #910672.
      * debian/patches/jdk-8132985-backport-double-free.patch,
        debian/patches/jdk-8139803-backport-warning.patch: fix crash in
        freetypescaler due to double free, thanks to Heikki Aitakangas for
        the report and patches. (Closes: #911847)
      * debian/rules: run only the hotspot testsuite for jamvm and zero
        alternative vms to make build faster.
    
     -- Tiago Stürmer Daitx <email address hidden>  Thu, 11 Oct 2018 01:47:12 +0000
  • openjdk-7 (7u181-2.6.14-1) experimental; urgency=medium
    
      * IcedTea release 2.6.14 (based on 7u181). Closes: #898976.
      * Security fixes:
        - S8162488: JDK should be updated to use LittleCMS 2.8
        - S8180881: Better packaging of deserialization
        - S8182362: Update CipherOutputStream Usage
        - S8183032: Upgrade to LittleCMS 2.9
        - S8189123: More consistent classloading
        - S8189969, CVE-2018-2790: Manifest better manifest entries
        - S8189977, CVE-2018-2795: Improve permission portability
        - S8189981, CVE-2018-2796: Improve queuing portability
        - S8189985, CVE-2018-2797: Improve tabular data portability
        - S8189989, CVE-2018-2798: Improve container portability
        - S8189993, CVE-2018-2799: Improve document portability
        - S8189997, CVE-2018-2794: Enhance keystore mechanisms
        - S8190478: Improved interface method selection
        - S8190877: Better handling of abstract classes
        - S8191696: Better mouse positioning
        - S8192025, CVE-2018-2814: Less referential references
        - S8192030: Better MTSchema support
        - S8192757, CVE-2018-2815: Improve stub classes implementation
        - S8193409: Improve AES supporting classes
        - S8193414: Improvements in MethodType lookups
        - S8193833, CVE-2018-2800: Better RMI connection support
      * debian/patches/it-patch-updates.diff:
        - Refreshed.
      * debian/patches/hotspot-powerpcspe.diff:
        - Removed, fixed upstream.
    
     -- Emilio Pozuelo Monfort <email address hidden>  Fri, 08 Jun 2018 12:23:38 +0200
  • openjdk-7 (7u171-2.6.13-1) experimental; urgency=high
    
      [ Tiago Stürmer Daitx ]
      * IcedTea release 2.6.13 (based on 7u171). Closes: #891330.
      * Security fixes:
        - S8160104: CORBA communication improvements
        - S8172525, CVE-2018-2579: Improve key keying case
        - S8174756: Extra validation for public keys
        - S8175932: Improve host instance supports
        - S8176458: Revise default document styling
        - S8178449, CVE-2018-2588: Improve LDAP logins
        - S8178458: Better use of certificates in LDAP
        - S8178466: Better RSA parameters
        - S8179536: Cleaner print job handling
        - S8179990: Cleaner palette entry handling
        - S8180011: Cleaner native graphics device handling
        - S8180015: Cleaner AWT robot handling
        - S8180020: Improve SymbolHashMap entry handling
        - S8180433: Cleaner CLR invocation handling
        - S8180877: More deeply colored ICC spaces
        - S8181664: Improve JVM UTF String handling
        - S8181670: Improve implementation of keystores
        - S8182125, CVE-2018-2599: Improve reliability of DNS lookups
        - S8182387, CVE-2018-2603: Improve PKCS usage
        - S8182601, CVE-2018-2602: Improve usage messages
        - S8185292, CVE-2018-2618: Stricter key generation
        - S8185325, CVE-2018-2641: Improve GTK initialization
        - S8186080: Transform XML interfaces
        - S8186212, CVE-2018-2629: Improve GSS handling
        - S8186600, CVE-2018-2634: Improve property negotiations
        - S8186606, CVE-2018-2633: Improve LDAP lookup robustness
        - S8186867: Improve native glyph layouts
        - S8186998, CVE-2018-2637: Improve JMX supportive features
        - S8189284, CVE-2018-2663: More refactoring for deserialization cases
        - S8190289, CVE-2018-2677: More refactoring for client deserialization cases
        - S8191142, CVE-2018-2678: More refactoring for naming deserialization cases
      * Remove multiarch-support pre-dependency. Closes: #887858.
    
      [ Matthias Klose ]
      * Bump standards version.
      * Disable bootstrap on sid/buster, gcj is removed.
      * Remove Damien Raude-Morvan as uploader. Closes: #889378.
    
     -- Matthias Klose <email address hidden>  Mon, 02 Apr 2018 10:36:32 +0200
  • openjdk-7 (7u161-2.6.12-1) experimental; urgency=medium
    
      * IcedTea release 2.6.12 (based on 7u161).
      * Disable Hotspot workaround for Exec Shield (Debian only).
        Addresses: #876051.
      * Build-depend on g++-4.7 on wheezy. This is the default on some
        architectures such as amd64 or i386, but not on armhf or armel,
        which default to 4.6. There the build was working before because
        the bootstrap build pulled gcj-jdk, which depends on gcj-4.7-jdk
        and that in turn depends on g++-4.7. However since we have
        disabled the bootstrap build now, g++-4.7 is no longer installed
        on arm* builds, causing the build failure which couldn't be seen
        on amd64 (Emilio Pozuelo Monfort).
    
     -- Matthias Klose <email address hidden>  Thu, 07 Dec 2017 09:12:51 +0100
  • openjdk-7 (7u151-2.6.11-3) experimental; urgency=medium
    
      [ Matthias Klose ]
      * Disable bootstrap on wheezy, it currently fails due to the last round
        of 8u151 security patches (Emilio Pozuelo Monfort).
    
      [ Tiago Stürmer Daitx ]
      * debian/patches/hotspot-aarch64-S8145438-fix-field-too-big-for-insn.patch:
        the S8144028 fix was incomplete and followed up by S8145438; without it
        aarch64 JVM can fail with "Internal Error, failed: Field too big for
        insn".
    
     -- Matthias Klose <email address hidden>  Thu, 23 Nov 2017 16:37:21 +0100
  • openjdk-7 (7u151-2.6.11-2) experimental; urgency=medium
    
      [ Tiago Stürmer Daitx ]
      * Backport of 8u151 security fixes. Closes: #881764.
      * Security patches:
        - CVE-2017-10274, S8169026: Handle smartcard clean up better. If a
          CardImpl can be recovered via finalization, then separate instances
          pointing to the same device can be created.
        - CVE-2017-10281, S8174109: Better queuing priorities. PriorityQueue's
          readObject allocates an array based on data in the stream which could
          cause an OOM.
        - CVE-2017-10285, S8174966: Unreferenced references. RMI's Unreferenced
          thread can be used as the root of a Trusted Method Chain.
        - CVE-2017-10295, S8176751: Better URL connections. On Ubuntu (and
          possibly other Linux flavors) CR-NL in the host field are ignored and
          can be used to inject headers in an HTTP request stream.
        - CVE-2017-10388, S8178794: Correct Kerberos ticket grants. Kerberos
          implementations can incorrectly take information from the unencrypted
          portion of the ticket from the KDC. This can lead to an MITM attack
          impersonating Kerberos services.
        - CVE-2017-10346, S8180711: Better alignment of special invocations. A
          missing load constraint for some invokespecial cases can allow invoking
          a method from an unrelated class.
        - CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated
          based on data in the serial stream without a limit on the size.
        - CVE-2017-10347, S8181323: Better timezone processing. An array is
          allocated based on data in the serial stream without a limit on the
          size.
        - CVE-2017-10349, S8181327: Better Node predications. An array is
          allocated based on data in the serial stream without a limit on the size.
        - CVE-2017-10345, S8181370: Better keystore handling. A malicious
          serialized object in a keystore can cause a DoS when using keytool.
        - CVE-2017-10348, S8181432: Better processing of unresolved permissions.
          An array is allocated based on data in the serial stream without a limit
          on the size.
        - CVE-2017-10357, S8181597: Process Proxy presentation. A malicious
          serialized stream could cause an OOM due to lack of checking on the
          number of interfaces read from the stream for a Proxy.
        - CVE-2017-10355, S8181612: More stable connection processing. If an
          attack can cause an application to open a connection to a malicious FTP
          server (e.g., via XML), then a thread can be tied up indefinitely in
          accept(2).
        - CVE-2017-10356, S8181692: Update storage implementations. JKS and JCEKS
          keystores should be retired from common use in favor of more modern
          keystore protections.
        - CVE-2016-10165, S8183028: Improve CMS header processing. Missing bounds
          check could lead to leaked memory contents.
        - CVE-2016-9841, S8184682: Upgrade compression library. There were four
          off by one errors found in the zlib library. Two of them are long typed
          which could lead to RCE.
      * debian/patches/hotspot-aarch64-S8150652-unused-template.diff: unused
        template breaks builds with gcc-6 due to macro conflict.
      * debian/rules: try /etc/os-release before lsb-release; allows one to check
        if patches still apply cleanly across distros from the command line by
        setting distrel.
    
     -- Matthias Klose <email address hidden>  Mon, 20 Nov 2017 21:24:32 +0100
  • openjdk-7 (7u151-2.6.11-1) experimental; urgency=medium
    
      * IcedTea release 2.6.11 (based on 7u151). Closes: #869816.
      * Security fixes:
        - S8163958, CVE-2017-10102: Improved garbage collection.
        - S8167228: Update to libpng 1.6.28.
        - S8169209, CVE-2017-10053: Improved image post-processing steps.
        - S8169392, CVE-2017-10067: Additional jar validation steps.
        - S8170966, CVE-2017-10081: Right parenthesis issue.
        - S8172204, CVE-2017-10087: Better Thread Pool execution.
        - S8172461, CVE-2017-10089: Service Registration Lifecycle.
        - S8172465, CVE-2017-10090: Better handling of channel groups.
        - S8172469, CVE-2017-10096: Transform Transformer Exceptions.
        - S8173286, CVE-2017-10101: Better reading of text catalogs.
        - S8173697, CVE-2017-10107: Less Active Activations.
        - S8173770, CVE-2017-10074: Image conversion improvements.
        - S8174098, CVE-2017-10110: Better image fetching.
        - S8174105, CVE-2017-10108: Better naming attribution.
        - S8174113, CVE-2017-10109: Better sourcing of code.
        - S8174770: Check registry registration location.
        - S8174873: Improved certificate processing.
        - S8175106, CVE-2017-10115: Higher quality DSA operations.
        - S8175110, CVE-2017-10118: Higher quality ECDSA operations.
        - S8176055: JMX diagnostic improvements.
        - S8176067, CVE-2017-10116: Proper directory lookup processing.
        - S8176760, CVE-2017-10135: Better handling of PKCS8 material.
        - S8178135, CVE-2017-10176: Additional elliptic curve support.
        - S8181420, CVE-2017-10074: PPC: Image conversion improvements.
        - S8182054, CVE-2017-10243: Improve wsdl support.
        - S8183551, CVE-2017-10074, PR3423: AArch64: Image conversion improvements.
        - S8184119, CVE-2017-10111: Incorrect return processing for the LF editor
          of MethodHandles.permuteArguments.
    
      [ Tiago Stürmer Daitx ]
      * d/control.in:
        - remove @bd_compress@ dependency.
        - replace @bd_autotools@ with fixed dependencies.
      * d/control.tests: package to hold all tests artifacts and logs.
      * d/repack: fixed and simplified download script.
      * d/rules:
        - include openjdk-7-tests package on Ubuntu derivatives only.
        - only save the full jtreg results when the openjdk-7-tests package
          is being built, otherwise stick to old behaviour (keep compressed
          test summaries + failed test results). Closes: #863007, #865533.
        - only run the long jdk testsuite when default vm is a hotspot.
        - only run the full testsuite for zero alternative vm on very fast
          systems, otherwise stick to the hotspot testsuite to avoid long
          build times.
        - remove with_nss as all supported releases have it now.
        - remove gcc/g++ configurations for EOL releases.
        - keep libjpeg8 dependency on wheezy, replace it with libjpeg62-turbo
          on other Debian releases and libjpeg-turbo8 on Ubuntu. Closes: #766601.
        - remove old logic to depend on libcupsys2.
        - always set rhino_source, all supported releases have dpkg > 1.16.2.
        - remove bd_compress and pkg_compress as they haven't been used for
          quite a while.
        - remove with_wgy_zenhai logic, lenny is EOL.
        - remove bd_autotools logic if/then, call dh_autoreconf and
          dh_autoreconf_clean.
        - simplify bootstrap dependency logic and remove EOL releases.
        - remove EOL releases from gcc/g++ dependency logic.
        - remove unused jamvm_defaults and simplify jamvm_archs logic.
        - use ttf-indic-fonts for trusty, otherwise stick to fonts-indic.
        - patch configure after dh_autoreconf call to include additional
          /usr/lib/jvm directories; setting DEB_HOST_ARCH=alpha to check
          if patches apply correctly fails because alpha requires a jdk for
          bootstrap and IcedTea does not look into our usual directories.
      * d/p/fontconfig-arphic-uming.diff: removed, not used since lenny.
      * d/p/jdk-getAccessibleValue.diff: libatk-wrapper-java: File selection
        dialog not refreshed when changing directory. Kindly provided by
        Samuel Thibault. Closes: #827741.
      * d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch:
        deleted, included in IcedTea 2.6.10.
      * d/p/kfreebsd-support-jdk.diff: updated, was failing to apply due to
        jdk changes in NetworkInterface.c.
      * d/p/sec-webrev-8u131-*.patch: deleted, included in IcedTea 2.6.10.
      * d/p/zero-sparc.diff: commented out chaitin.hpp hunk #1 as that #ifdef
        has been removed by JDK-8011621 (backported by IcedTea 2.6.10); this 
        was also backported to 7u131 through JDK-8160961 but then backed out,
        better keep the hunk in case IcedTea decides to back it out as well.
    
      [ Matthias Klose ]
      * Build using gcc-6 on recent releases.
      * Fix libjvm.so's .debug file names. Closes: #865749. LP: #1548434.
    
     -- Matthias Klose <email address hidden>  Wed, 23 Aug 2017 16:02:57 +0200
  • openjdk-7 (7u131-2.6.9-3) experimental; urgency=medium
    
      * Only include the failing tests in the packages, not the whole test world.
      * openjdk-7-jdk: Provide openjdk-7-jdk-headless.
    
     -- Matthias Klose <email address hidden>  Sat, 20 May 2017 15:52:17 -0700
  • openjdk-7 (7u131-2.6.9-2) experimental; urgency=high
    
      [ Tiago Stürmer Daitx ]
      * Fix JDK regression introduced by 7u131 upgrade: (LP: #1691126)
        - d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch:
          fix "IllegalArgumentException: jdk.tls.namedGroups" backported
          from http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f5d0aadb4d1c
    
     -- Matthias Klose <email address hidden>  Tue, 16 May 2017 21:42:12 -0700
  • openjdk-7 (7u131-2.6.9-1) experimental; urgency=high
    
      [ Tiago Stürmer Daitx ]
      * IcedTea release 2.6.9 (based on 7u131):
      * Security fixes
        - S8167110, CVE-2017-3514: Windows peering issue.
        - S8163528, CVE-2017-3511: Better library loading.
        - S8169011, CVE-2017-3526: Resizing XML parse trees.
        - S8163520, CVE-2017-3509: Reuse cache entries.
        - S8171533, CVE-2017-3544: Better email transfer.
        - S8170222, CVE-2017-3533: Better transfers of files.
        - S8171121, CVE-2017-3539: Enhancing jar checking.
        - S8172299: Improve class processing.
      * debian/compat: updated from 5 to 9.
      * debian/watch: using watch version 4 to download both icedtea and 
        icedtea-sound. LP: #1642420.
      * debian/repack: simplified tarball download.
      * debian/rules: 
        - removed 8u121 patches as they have been applied to 7u131.
        - building icedtea-sound on build/ directory 
        - replaced 'dh_strip -k' calls by dh_prep 
        - have the 'build' rule depend on 'debian/control' rule to force
          failure if debian/control gets regenerated.
        - added file 'security/blacklisted.cert' to be copied to etc dir
          (introduced by S8011402).
        - simplified build dependencies.
        - removed jtreg's xvfb-run call since icedtea takes care of calling it.
        - removed window manager as there are no additional significant failures
          on the jdk tests when not running one.
        - re-enabled jdk jtreg tests.
        - removed lpia arch.
        - use fonts-wqy-microhei and fonts-wqy-zenhei instead of transitional
          package names.
        - drop Recommends on obsolete GNOME libraries so they are not in a
          default GNOME desktop installation (Simon McVittie). Closes: #850270.
          + sun.net.spi.DefaultProxySelector prefers libglib2.0-0 (>= 2.24)
            over obsolete libgconf2-4.
          + sun.nio.fs.GnomeFileTypeDetector prefers libglib2.0-0 (>= 2.24)
            over libgnomevfs-2-0.
          + sun.xawt.awt_Desktop prefers libgtk2.0-0 (>= 2.14) over
            libgnomevfs2-0.
      * debian/control.in: added static build dependencies as their previous
        selection logic in debian/rules is no longer required.
      * debian/control: regenerated.
      * debian/patches/icedtea-sound.diff: removed, now packing icedtea-sound
        1.0.1 which includes those fixes.
      * debian/upstream/signing-key.asc: add new signing key.
    
      [ Matthias Klose ]
      * Remove obsolete changelog entries from previous release.
    
     -- Matthias Klose <email address hidden>  Tue, 16 May 2017 13:49:35 -0700
  • openjdk-7 (7u121-2.6.8-2) experimental; urgency=high
    
      [ Tiago Stürmer Daitx ]
      * Security fixes from 8u121:
        - S8167104, CVE-2017-3289: Custom class constructor code can bypass the
          required call to super.init allowing for uninitialized objects to be
          created.
        - S8164143, CVE-2017-3260: It is possible to corrupt memory by calling
          dispose() on a CMenuComponent multiple times.
        - S8168714, CVE-2016-5546: ECDSA will accept signatures that have various
          extraneous bytes added to them whereas the signature is supposed to be
          unique.
        - S8166988, CVE-2017-3253: The PNG specification allows the [iz]Txt
          sections to be 2^32-1 bytes long so these should not be uncompressed
          unless the user explicitly requests it.
        - S8168728, CVE-2016-5548: DSA signing exhibits a timing bias that may
          leak information about k.
        - S8161743, CVE-2017-3252: LdapLoginModule incorrectly tries to
          deserialize responses from an LDAP server when an LDAP context is
          expected.
        - S8167223, CVE-2016-5552: Parsing of URLs can be inconsistent with how
          users or external applications would interpret them leading to possible
          security issues.
        - S8168705, CVE-2016-5547: A value from an InputStream is read directly
          into the size argument of a new byte[] without validation.
        - S8164147, CVE-2017-3261: An integer overflow exists in
          SocketOutputStream which can lead to memory disclosure.
        - S8151934, CVE-2017-3231: Under some circumstances URLClassLoader will
          dispatch HTTP GET requests where the invoker does not have permission.
        - S8165071, CVE-2016-2183: 3DES can be exploited for block collisions when
          long running sessions are allowed.
      * Missing
        - S8165344, CVE-2017-3272: A protected field can be leveraged into type
          confusion.
        - S8156802, CVE-2017-3241: RMI deserialization should limit the types
          deserialized to prevent attacks that could escape the sandbox.
      * Ignored
        - S8168724, CVE-2016-5549: ECDSA signing exhibits a timing bias that may
          leak information about k.
    
     -- Matthias Klose <email address hidden>  Tue, 07 Feb 2017 11:09:39 +0100
  • openjdk-7 (7u121-2.6.8-1) experimental; urgency=medium
    
      * IcedTea release 2.6.8 (based on 7u121):
    
     -- Matthias Klose <email address hidden>  Mon, 14 Nov 2016 13:38:40 +0100
  • openjdk-7 (7u111-2.6.7-3) experimental; urgency=medium
    
      [ Tiago Stürmer Daitx ]
      * Don't use precompiled header files on arm64.
      * Update the sec-webrev-8u111-S8159503.hotspot patch.
    
     -- Matthias Klose <email address hidden>  Sat, 05 Nov 2016 13:19:09 +0100
  • openjdk-7 (7u111-2.6.7-2) experimental; urgency=medium
    
      [ Tiago Stürmer Daitx ]
      * Backported security fixes from 8u111:
        - CVE-2016-5568, S8158993: Service Menu services.
        - CVE-2016-5582, S8160591: Improve internal array handling.
        - CVE-2016-5573, S8159519: Reformat JDWP messages.
        - CVE-2016-5597, S8160838: Better HTTP service.
        - CVE-2016-5554, S8157739: Classloader Consistency Checking.
        - CVE-2016-5542, S8155973: Tighten jar checks.
      * debian/rules:
        - removed lcms version 1 option as no current release uses that, lcms2
          is now default.
        - removed in-tree/system lcms selection to always use system's lcms.
        - removed all cacao references except for the transitional cacao package.
        - updated jtreg tests to use othervm.
        - simplified rhino and libcups dependency selection.
      * debian/buildwatch.sh: updated to stop it if no 'make' process is running,
        as it probably means that the build failed - otherwise buildwatch keeps
        the builder alive until it exits after the timer (3 hours by default)
        expires.
      * debian/control.in: removed cacao references.
      * debian/README.source: removed cacao references.
      * debian/patches/cacao-armv4.diff: deleted file.
      * Makefile.am: remove -samevm
      * debian/patches/it-jamvm-8158260-unsafe-methods.patch: fix JAMVM
        after the introduction of two new Unsafe methods in the OpenJDK
        hotspot. Closes: #833933. (LP: #1611598)
    
      [ Matthias Klose ]
      * Fix building the -dbg package depending on the debhelper level.
    
     -- Matthias Klose <email address hidden>  Fri, 04 Nov 2016 18:50:39 +0100
  • openjdk-7 (7u111-2.6.7-1) experimental; urgency=medium
    
      [ Matthias Klose ]
      * Fix handling of /usr/lib/jvm/*/jre/lib/zi if internal tzdata is used
        (Andreas Beckmann). Closes: #821858.
      * Add missing includes for aarch64 hotspot backport (building without pch).
      * Use in-tree lcms for backports.
    
      [ Tiago Stürmer Daitx ]
      * IcedTea release 2.6.7 (based on 7u111):
      * Security fixes
        - S8079718, CVE-2016-3458: IIOP Input Stream Hooking
        - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only)
        - S8147771: Construction of static protection domains under Javax
          custom policy
        - S8148872, CVE-2016-3500: Complete name checking
        - S8149962, CVE-2016-3508: Better delineation of XML processing
        - S8150752: Share Class Data
        - S8151925: Font reference improvements
        - S8152479, CVE-2016-3550: Coded byte streams
        - S8155981, CVE-2016-3606: Bolster bytecode verification
        - S8155985, CVE-2016-3598: Persistent Parameter Processing
        - S8158571, CVE-2016-3610: Additional method handle validation
      * debian/rules:
        - Create symbolic link in source package (thanks Avinash).
          Closes: #832720.
      * debian/JB-jre-headless.prerm.in: check for /var/lib/binfmts/jar
        instead of /var/lib/binfmts/@basename@ before removing jar entry
        from binfmts. Closes: #821146.
    
     -- Matthias Klose <email address hidden>  Sat, 30 Jul 2016 08:13:07 +0200
  • openjdk-7 (7u101-2.6.6-2) experimental; urgency=medium
    
      * Configure with --disable-arm32-jit, broken by the security update.
    
     -- Matthias Klose <email address hidden>  Sat, 23 Apr 2016 02:28:28 +0200
  • openjdk-7 (7u101-2.6.6-1) experimental; urgency=medium
    
      [ Tiago Stürmer Daitx ]
      * IcedTea release 2.6.6 (based on 7u101):
      * Security fixes
        - S8129952, CVE-2016-0686: Ensure thread consistency
        - S8132051, CVE-2016-0687: Better byte behavior
        - S8138593, CVE-2016-0695: Make DSA more fair
        - S8139008: Better state table management
        - S8143167, CVE-2016-3425: Better buffering of XML strings
        - S8144430, CVE-2016-3427: Improve JMX connections
        - S8146494: Better ligature substitution
        - S8146498: Better device table adjustments
      * debian/patches/jdk-8152335-improve-methodhandle-consistency.patch:
        removed, fix is upstream since 2.6.5
    
      [ Matthias Klose ]
      * Fix handling of /usr/lib/jvm/*/jre/lib/zi if internal tzdata is used (Andreas
        Beckmann). Closes: #821858.
    
     -- Matthias Klose <email address hidden>  Fri, 22 Apr 2016 21:14:22 +0200
  • openjdk-7 (7u95-2.6.4-3) experimental; urgency=medium
    
      [ Tiago Stürmer Daitx ]
      * SECURITY UPDATE: Applies to client deployment of Java only. This
        vulnerability can be exploited only through sandboxed Java Web Start
        applications and sandboxed Java applets.
        - d/p/jdk-8152335-improve-methodhandle-consistency.patch: S8152335,
          CVE-2016-0636: Improve MethodHandle consistency
    
      [ Matthias Klose ]
      * Use internal tzdata for builds in stretch, unstable, experimental.
        Closes: #818308.
    
     -- Matthias Klose <email address hidden>  Thu, 24 Mar 2016 15:24:32 +0100
  • openjdk-7 (7u95-2.6.4-2) experimental; urgency=medium
    
      * Upload to experimental.
    
     -- Matthias Klose <email address hidden>  Fri, 05 Feb 2016 17:51:20 +0100
  • openjdk-7 (7u17-2.3.8-2) experimental; urgency=low
    
    
      * Remove Torsten Werner as uploader.
    
     -- Matthias Klose <email address hidden>  Mon, 01 Apr 2013 00:39:58 +0200
  • openjdk-7 (7u17-2.3.8-1) experimental; urgency=low
    
    
      * IcedTea7 2.3.8 release.
      * Security fixes:
        - S8007014, CVE-2013-0809: Improve image handling.
        - S8007675, CVE-2013-1493: Improve color conversion.
      * Backports:
        - S8002344: Krb5LoginModule config class does not return proper KDC list
          from DNS.
        - S8004344: Fix a crash in ToolkitErrorHandler() in XlibWrapper.c.
        - S8006179: JSR292 MethodHandles lookup with interface using findVirtual().
        - S8006882: Proxy generated classes in sun.proxy package breaks JMockit.
      * Bug fixes:
        - PR1303: Correct #ifdef to #if.
        - PR1340: Simplify the rhino class rewriter to avoid use of concurrency.
        - Revert 7017193 and add the missing free call, until a better fix is ready.
    
     -- Matthias Klose <email address hidden>  Sun, 31 Mar 2013 14:31:11 +0200
  • openjdk-7 (7u15-2.3.7-1) experimental; urgency=low
    
    
      * IcedTea7 2.3.7 release.
      * Security fixes:
        - S8004937, CVE-2013-1484: Improve proxy construction.
        - S8006439, CVE-2013-1485: Improve MethodHandles coverage.
        - S8006446, CVE-2013-1486: Restrict MBeanServer access.
        - S8006777, CVE-2013-0169: Improve TLS handling of invalid messages.
        - S8007688: Blacklist known bad certificate.
      * Backports:
        - S8007393: Possible race condition after JDK-6664509.
        - S8007611: logging behavior in applet changed.
      * For zero builds, use the same hotspot version as in 2.1.6.
      * Reenable bootstrap builds, except for alpha.
      * Explicitly disable building on mips/mipsel.  Not supported by the
        Debian OpenJDK maintainers, the Debian mips porters, or the Debian
        Java team.
    
     -- Matthias Klose <email address hidden>  Wed, 20 Feb 2013 23:33:58 +0100
  • openjdk-7 (7u13-2.3.6-1) experimental; urgency=low
    
    
      * IcedTea7 2.3.6 release.
        - Disable bootstrap builds, currently broken in IcedTea.
      * Security fixes:
        - S6563318, CVE-2013-0424: RMI data sanitization.
        - S6664509, CVE-2013-0425: Add logging context.
        - S6664528, CVE-2013-0426: Find log level matching its name or value given
          at construction time.
        - S6776941, CVE-2013-0427: Improve thread pool shutdown.
        - S7141694, CVE-2013-0429: Improving CORBA internals.
        - S7173145: Improve in-memory representation of splashscreens.
        - S7186945: Unpack200 improvement.
        - S7186946: Refine unpacker resource usage.
        - S7186948: Improve Swing data validation.
        - S7186952, CVE-2013-0432: Improve clipboard access.
        - S7186954: Improve connection performance.
        - S7186957: Improve Pack200 data validation.
        - S7192392, CVE-2013-0443: Better validation of client keys.
        - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages.
        - S7192977, CVE-2013-0442: Issue in toolkit thread.
        - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies.
        - S7200491: Tighten up JTable layout code.
        - S7200500: Launcher better input validation.
        - S7201064: Better dialogue checking.
        - S7201066, CVE-2013-0441: Change modifiers on unused fields.
        - S7201068, CVE-2013-0435: Better handling of UI elements.
        - S7201070: Serialization to conform to protocol.
        - S7201071, CVE-2013-0433: InetSocketAddress serialization issue.
        - S8000210: Improve JarFile code quality.
        - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class.
        - S8000540, CVE-2013-1475: Improve IIOP type reuse management.
        - S8000631, CVE-2013-1476: Restrict access to class constructor.
        - S8001235, CVE-2013-0434: Improve JAXP HTTP handling.
        - S8001242: Improve RMI HTTP conformance.
        - S8001307: Modify ACC_SUPER behavior.
        - S8001972, CVE-2013-1478: Improve image processing.
        - S8002325, CVE-2013-1480: Improve management of images.
      * Fix font suggestion for indic fonts in wheezy.
      * Fix fontconfig definitions for japanese and korean fonts, fixing
        compilation of the fontconfig file.
      * Add Built-Using: rhino attribute for the -lib package.
      * Don't use concurrent features to rewrite the rhino jar file.
      * Enable class data sharing for the hotspot server VM.
    
     -- Matthias Klose <email address hidden>  Tue, 12 Feb 2013 20:59:48 +0100
  • openjdk-7 (7u9-2.3.5~pre1-1) experimental; urgency=low
    
    
      * IcedTea7 2.3.5 snapshot, taken from the icedtea7-2.3 branch.
        - Disable bootstrap builds, currently broken in IcedTea.
      * Security fixes:
        - S6563318, CVE-2013-0424: RMI data sanitization.
        - S6664509, CVE-2013-0425: Add logging context.
        - S6664528, CVE-2013-0426: Find log level matching its name or value given
          at construction time.
        - S6776941, CVE-2013-0427: Improve thread pool shutdown.
        - S7141694, CVE-2013-0429: Improving CORBA internals.
        - S7173145: Improve in-memory representation of splashscreens.
        - S7186945: Unpack200 improvement.
        - S7186946: Refine unpacker resource usage.
        - S7186948: Improve Swing data validation.
        - S7186952, CVE-2013-0432: Improve clipboard access.
        - S7186954: Improve connection performance.
        - S7186957: Improve Pack200 data validation.
        - S7192392, CVE-2013-0443: Better validation of client keys.
        - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages.
        - S7192977, CVE-2013-0442: Issue in toolkit thread.
        - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies.
        - S7200491: Tighten up JTable layout code.
        - S7200500: Launcher better input validation.
        - S7201064: Better dialogue checking.
        - S7201066, CVE-2013-0441: Change modifiers on unused fields.
        - S7201068, CVE-2013-0435: Better handling of UI elements.
        - S7201070: Serialization to conform to protocol.
        - S7201071, CVE-2013-0433: InetSocketAddress serialization issue.
        - S8000210: Improve JarFile code quality.
        - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class.
        - S8000540, CVE-2013-1475: Improve IIOP type reuse management.
        - S8000631, CVE-2013-1476: Restrict access to class constructor.
        - S8001235, CVE-2013-0434: Improve JAXP HTTP handling.
        - S8001242: Improve RMI HTTP conformance.
        - S8001307: Modify ACC_SUPER behavior.
        - S8001972, CVE-2013-1478: Improve image processing.
        - S8002325, CVE-2013-1480: Improve management of images.
      * Fix font suggestion for indic fonts in wheezy.
      * Fix fontconfig definitions for japanese and korean fonts, fixing
        compilation of the fontconfig file.
      * Add Built-Using: rhino attribute for the -lib package.
      * Don't use concurrent features to rewrite the rhino jar file.
      * Enable class data sharing for the hotspot server VM.
    
     -- Matthias Klose <email address hidden>  Sun, 10 Feb 2013 21:42:44 +0100
  • openjdk-7 (7u9-2.3.4-1) experimental; urgency=low
    
    
      * IcedTea7 2.3.4 release.
      * Security fixes:
        - S8004933, CVE-2012-3174: Improve MethodHandle interaction with libraries.
        - S8006017, CVE-2013-0422: Improve lookup resolutions.
        - S8006125: Update MethodHandles library interactions.
      * Bug fixes:
        - S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32 bit
          shifts.
        - G422525: Fix building with PaX enabled kernels.
    
      [ Matthias Klose ]
      * Loosen OpenGL dependency. Closes: #695028.
      * Fix error parsing drop files parameter from pcmanfm (Alberto Fernández
        Martínez). Closes: #695992.
    
      [ Thorsten Glaser ]
      * debian/rules: Use gcj-4.6-jdk for m68k builds.
      * d/patches/text-relocations.patch: build with -fPIC on all archs.
    
     -- Matthias Klose <email address hidden>  Tue, 15 Jan 2013 23:38:48 +0100
  • openjdk-7 (7u9-2.3.3-1) experimental; urgency=low
    
    
      * Upload to experimental.
    
     -- Matthias Klose <email address hidden>  Wed, 17 Oct 2012 15:16:51 +0200
  • openjdk-7 (7u7-2.3.2a-1) experimental; urgency=low
    
    
      * Upload to experimental.
    
     -- Matthias Klose <email address hidden>  Sat, 15 Sep 2012 22:20:06 +0200
  • openjdk-7 (7u7-2.3.2-1) experimental; urgency=low
    
    
      * New upstream IcedTea7 2.3.2 release.
      * Security fixes:
        - CVE-2012-4681: Reintroduce PackageAccessible checks removed in 6788531.
        - S7079902, CVE-2012-1711: Refine CORBA data models.
        - S7143606, CVE-2012-1717: File.createTempFile should be improved
          for temporary files created by the platform.
        - S7143614, CVE-2012-1716: SynthLookAndFeel stability improvement.
        - S7143617, CVE-2012-1713: Improve fontmanager layout lookup operations.
        - S7143851, CVE-2012-1719: Improve IIOP stub and tie generation in RMIC.
        - S7143872, CVE-2012-1718: Improve certificate extension processing.
        - S7152811, CVE-2012-1723: Issues in client compiler.
        - S7157609, CVE-2012-1724: Issues with loop.
        - S7160757, CVE-2012-1725: Problem with hotspot/runtime_classfile.
        - S7165628, CVE-2012-1726: Issues with java.lang.invoke.MethodHandles.Lookup.
      * Bump version to 7u7 (OpenJDK), 2.3.2 (IcedTea). Closes: #685276.
      * d/p/icedtea7-forest-jdk_7104625-XEvent_wrap_logging_calls_with_if.patch,
        d/p/hotspot-sparc.diff: Remove, integrated upstream.
      * d/p/{deb-multiarch,fix_extra_flags,hotspot-no-werror}.diff:
        Add variants for hotspot and zero builds.
      * d/p/default-jvm-cfg.diff, d/p/icedtea-4953367.patch,
        d/p/icedtea-patch.diff, d/p/icedtea-pretend-memory.diff,
        d/p/libpcsclite-dlopen.diff, d/p/nonreparenting-wm.diff:
        Update for 2.3.2.
      * Remove build support for Ubuntu releases earlier than hardy.
      * d/update-shasum.sh: Only update the shasums of the -dfsg tarballs.
      * Don't apply shark patches (not built anyway).
    
     -- Matthias Klose <email address hidden>  Sat, 01 Sep 2012 11:46:50 +0200
  • openjdk-7 (7~b147-2.0~pre3-3) experimental; urgency=low
    
    
      * Merge debian packaging r485:489 from openjdk-6:
        - Build using GCC-4.4 on sparc and sparc64.
        - Enable testsuite runs in s390x.
      * Merge debian packaging r490 from openjdk-6:
        - Set plugin name for the jinfo file. Closes: #638548.
        - Disable the mauve testsuite on i386.
        - Make the installation multiarch aware.
    
     -- Matthias Klose <email address hidden>  Sun, 28 Aug 2011 20:42:54 +0200
  • openjdk-7 (7~b147-2.0~pre3-2) experimental; urgency=low
    
    
      * d/patches/jdk-no-mapfile.diff: Re-add was not merged into
        current (e46d527097f1) revision but later.
    
     -- Damien Raude-Morvan <email address hidden>  Mon, 22 Aug 2011 00:11:33 +0200
  • openjdk-7 (7~b147-2.0~pre2-3) experimental; urgency=low
    
    
      * d/patches/kfreebsd-support-hotspot.diff: Fix access to CPU registry under
        kfreebsd-amd64.
    
     -- Damien Raude-Morvan <email address hidden>  Sun, 07 Aug 2011 12:22:47 +0200
  • openjdk-7 (7~b147-2.0~pre2-2) experimental; urgency=low
    
    
      * d/patches/kfreebsd-support-jamvm.diff: Add support for kfreebsd-amd64.
      * d/patches/kfreebsd-support-hotspot.diff: Small fixes for Hotspot on
        kfreebsd-i386.
      * Split d/patches/hotspot-s390.diff and zero-missing-headers.diff.
      * Re-add missing changes from last upload:
        - patches/use-idx_t.patch: Edit upstream patch to avoid FTBFS on s390.
        - Makefile.{am,im}: Force bootclasspath (useful when building from
          openjdk-6).
    
     -- Damien Raude-Morvan <email address hidden>  Sat, 06 Aug 2011 23:50:58 +0200
  • openjdk-7 (7~b147-2.0~pre2-1) experimental; urgency=low
    
    
      * Update to icedtea7-forest snapshot (20110804):
        - d/patches/pr753.diff: drop, merged in icedtea7-forest.
        - d/patches/pr757.diff: drop, merged in icedtea7-forest.
        - d/patches/zero-jsr292-fixes.diff: drop, merged in icedtea7-forest.
        - d/patches/no-compiler-path.diff: drop, now handled correctly by icedtea7's
          configure and openjdk's Makefile (by CC and CXX environment variables).
        - Updated JamVM to the 2011-08-01 revision.
    
      [ Damien Raude-Morvan ]
      * d/patches/zero-fpu-control-is-noop.diff: Remove ShouldNotCallThis from
        os_linux_zero.cpp (fix crash under i386).
      * d/rules: Enable support for GNU/kFreeBSD arch:
        - d/patches/kfreebsd-support-*: Update with latest fixes.
        - d/patches/kfreebsd-sync-issues.diff: hack to force some wait
          until we fix sync issues.
        - d/rules: Enable shark for GNU/kFreeBSD.
      * d/rules: Use DEB_HOST_ARCH_CPU for jvmarch/archdir. Thanks to
        Jérémie Koenig <email address hidden> for patch.
      * d/patches/jexec.diff: Update for openjdk-7.
      * d/JB-jdk.overrides.in: Fix override for new Lintian 2.5.0 path handling.
      * d/icedtea-7-jre-jamvm.overrides: As for others libjvm.so, we use
        --strip-debug instead of --strip-unneeded.
      * d/source.lintian-overrides: Drop, not used anymore in openjdk-7.
    
      [ Matthias Klose ]
      * Merge debian packaging r472:482 from openjdk-6:
        - openjdk-6-jre-headless: Depend on icedtea-6-jre-jamvm, if it's
          the default VM.
        - Use gcj-4.4 as the stage1 java VM on mips and mipsel.
        - Make JamVM the default VM on Ubuntu oneiric/ARM.
    
     -- Matthias Klose <email address hidden>  Thu, 04 Aug 2011 11:38:01 +0200
  • openjdk-7 (7~b147-2.0~pre1-1) experimental; urgency=low
    
      * New b147 code drop (OpenJDK7 RC1).
    
      [ Matthias Klose ]
      * Fix build on sparc64.
      * Recognize 32bit user space on sparc.
      * Build shark using llvm-2.9.
    
      [ Damien Raude-Morvan ]
      * d/patches/zero-jsr292-fixes.diff: Fixes on Zero/Shark for JSR 292 support
        from Chris Phillips <email address hidden>.
      * d/generate-dfsg-zip.sh: Update for OpenJDK7 as a first step to get #623693
        fixed.
      * d/patches/kfreebsd-*: WiP patches for GNU/kFreeBSD support
        (not yet enabled by default).
    
     -- Matthias Klose <email address hidden>  Sun, 17 Jul 2011 16:08:51 +0200
  • openjdk-7 (7~b143-2.0~pre1-2) experimental; urgency=low
    
      * Upload to experimental.
    
     -- Matthias Klose <email address hidden>  Tue, 12 Jul 2011 14:30:01 +0200
  • openjdk-7 (7~b143-2.0~pre1-1) experimental; urgency=low
    
      [ Damien Raude-Morvan ]
      * New b143 code drop.
      * Drop d/patches/7031385.diff: Merged upstream.
      * Drop d/patches/jamvm-oj7.patch: Merged upstream.
      * Manpages are now ja_JP.UTF-8 instead of ja_JP.eucJP
    
      [ Matthias Klose ]
      * Apply fix for IcedTea issue #753.
      * Update s390 hotspot build fixes.
      * Re-enable zero on i386.
    
     -- Matthias Klose <email address hidden>  Sun, 10 Jul 2011 14:28:17 +0200
  • openjdk-7 (7~b136-2.0~pre1-2) experimental; urgency=low
    
      * Disable zero on i386.
    
     -- Matthias Klose <email address hidden>  Sun, 29 May 2011 12:37:03 +0200
  • openjdk-7 (7~b136-1.14+debian1-1) experimental; urgency=low
    
      * New upstream release: Icedtea 1.14.
        - debian/patches/jamvm-oj7.patch: support new instruction
          (JVM_FindClassFromBootLoader) in JamVM.
        - Makefile.am: Fix some missing depends between
          patch and extract targets.
      * debian/patches/nonreparenting-wm.diff: Update.
      * Replace B-D on libxalan2-java by xsltproc for bootstrapping JVMTI.
      * Don't use GCJ_SUFFIX=4.6 for sid/wheezy/oneiric as GCJ version
        is not homogeneous between arch.
      * Enable JamVM support:
        - d/control: Add B-D on libtool.
    
     -- Damien Raude-Morvan <email address hidden>  Thu, 26 May 2011 23:03:56 +0200
  • openjdk-7 (7~b136-1.14~pre0-4) experimental; urgency=low
    
      * Re-add build dependency on fastjar.
      * Fix dependency on liblcms2-2.
    
     -- Matthias Klose <email address hidden>  Sun, 08 May 2011 10:21:21 +0200
  • openjdk-7 (7~b136-1.14~pre0-3) experimental; urgency=low
    
      * Fix liblcms dependency for -jre-headless package.
    
     -- Damien Raude-Morvan <email address hidden>  Sat, 07 May 2011 17:20:15 +0200
  • openjdk-7 (7~b136-1.14~pre0-2) experimental; urgency=low
    
      * Fix build failure on i386 with GCC 4.6.
    
     -- Matthias Klose <email address hidden>  Fri, 06 May 2011 17:10:00 +0200
  • openjdk-7 (7~b136-1.14~pre0-1) UNRELEASED; urgency=low
    
      [ Damien Raude-Morvan ]
      * New b136 code drop:
        - d/rules: Use jaxp-1_4_5-dev1.zip as jaxp-drop-zip.
        - d/patches/icedtea-pretend-memory.diff: Refreshed.
    
      [ Matthias Klose ]
      * Fix -jre-lib dependency on -jre. Closes: #624846.
      * Add lcms configury.
    
     -- Matthias Klose <email address hidden>  Thu, 05 May 2011 21:08:55 +0200
  • openjdk-7 (7~b130-1.14~pre0-2) experimental; urgency=low
    
      * Remove obsolete conflicts. Closes: #624090.
      * Add copyright for the rewriter class. Addresses part of #623693.
      * Lower priorities for the alternatives below those of OpenJDK 6,
        as long as OpenJDK 7 is not yet released.
      * Don't build HotSpot with -Werror on architectures other than amd64
        and i386.
    
     -- Matthias Klose <email address hidden>  Wed, 27 Apr 2011 23:03:45 +0200
  • openjdk-7 (7~b130-1.14~pre0-1) experimental; urgency=low
    
      * New b130 code drop.
      * Merge debian packaging r464:469 from openjdk-6.
      * Do not bump the epoch, package was never uploaded to any official
        repository.
    
     -- Matthias Klose <email address hidden>  Wed, 20 Apr 2011 21:46:32 +0200