Univention Bugzilla – Bug 46320
openjdk-7: Multiple issues (4.2)
Last modified: 2018-05-08 14:57:03 CEST
+++ This bug was initially created as a clone of Bug #44687 +++
171: WIP <http://mail.openjdk.java.net/pipermail/jdk7u-dev/2018-February/010751.html
The OpenJDK 7 u161 security updates where cherry-picked into Debians 7u151-2.6.11-2.
We need to rebuild OpenJDK-7 for errata4.2-3 anyway, as that version is less than the version in errata4.1-5: <http://xen1.knut.univention.de:8000/packages/source/openjdk-7/?since=4.1-1>
This breaks UCS-4.3 as there the version from errata4.1-5 is picked, which still depends on "tzdata-java" from Debian-Jessie, has a conflicts with "tzdata" from Debian-Stretch.
$ deb-ver-comp 7u121-2.6.8-1.34.201701252027 7u121-2.6.8-2~deb8u1 7u151-2.6.11-2~deb8u1A~22.214.171.124712111344 7u151-2.6.11-2.36.201712111508 7u151-2.6.11-2.A126.96.36.199712111344
Sort as given
7u121-2.6.8-1.34.201701252027 ← errata4.1.4
7u121-2.6.8-2~deb8u1 ← 4.2-0
7u151-2.6.11-2~deb8u1A~188.8.131.52712111344 ← current errata4.2-3
7u151-2.6.11-2.36.201712111508 ← current errata4.1-5
7u151-2.6.11-2.A184.108.40.206712111344 ← this errata4.2-3
$ build-package-ng -r 4.2 -s errata4.2-3 -p openjdk-7 -v 7u151-2.6.11-2.A220.127.116.11712111344
OpenJDK is dropped from Debian-Jessie and any upgrade to UCS-4.3 currently failes when installed, as old tzdata-java from Debian-Jessie conflicts with the newer tzdata from Debian-Stretch.
- Java has its own TZ datase, which is part of src:openjdk-X
- it received quaterly updates
- Debian maintains only src:tzdata
- the data is compiled into the format required by OpenJDK
- the compiler is only available with bin:OpenDJK <= 7
- OpenJDK-8 uses a new format - the compiler is no longer available in bin:openjdk-8
- Debian dropped the compilation from src:tzdata
Oracle provided an online update too for their versions:
As the current version works for UCS-4.2 and OpenJDK-7 is not supported in Debian-Stretch/UCS-4.3 anyway, there is nothing more to do.
Users should upgrade to OpenJDK-8 anyway: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818308>
TODO: A release-upgrade from UCS-4.2 to UCS-4.3 fails as univention-java is uninstalled.
39787a637f Bug #46320: openjdk-7
doc/errata/staging/openjdk-7.yaml | 11 +++++++++++
(In reply to Philipp Hahn from comment #3)
> TODO: A release-upgrade from UCS-4.2 to UCS-4.3 fails as univention-java is
This is Bug #45959.
So OpenJDK-7 is ready for errata4.2-3 (for now, as 171 is not yet available)
r18068 | Bug #46320: OpenJDK-7 7u151-2.6.11-2~deb8u1
[4.2-3] 39eaee0c31 Bug #46320: openjdk-7 7u171-2.6.13-1~deb8u1
doc/errata/staging/openjdk-7.yaml | 36 ++++++++++++++++++++++++++++++++++--
1 file changed, 34 insertions(+), 2 deletions(-)
* r18068 10_tzdata.patch switching to tzdata-java
* patch applied during built
* errata4.2-3 package update works
* Advisory Ok
@@ -1,11 +1,60 @@
-7u151-2.6.11-2.36.201712111508 [Mon, 11 Dec 2017 15:08:47 +0100] Univention builddaemon <firstname.lastname@example.org>:
+7u171-2.6.13-1~deb8u1A~18.104.22.168804061203 [Fri, 06 Apr 2018 12:03:50 +0200] Univention builddaemon <email@example.com>:
* UCS auto build. The following patches have been applied to the original source package
-7u151-2.6.11-2~deb7u3 [Thu, 23 Nov 2017 18:57:05 +0100] Emilio Pozuelo Monfort <firstname.lastname@example.org>:
+7u171-2.6.13-1~deb8u1 [Tue, 03 Apr 2018 09:00:06 +0200] Moritz Muehlenhoff <email@example.com>:
+ * Rebuild for jessie-security
+7u171-2.6.13-1 [Mon, 02 Apr 2018 10:36:32 +0200] Matthias Klose <firstname.lastname@example.org>:
+ [ Tiago Stürmer Daitx ]
+ * IcedTea release 2.6.13 (based on 7u171). Closes: #891330.
+ * Security fixes:
+ - S8160104: CORBA communication improvements
+ - S8172525, CVE-2018-2579: Improve key keying case
+ - S8174756: Extra validation for public keys
+ - S8175932: Improve host instance supports
+ - S8176458: Revise default document styling
+ - S8178449, CVE-2018-2588: Improve LDAP logins
+ - S8178458: Better use of certificates in LDAP
+ - S8178466: Better RSA parameters
+ - S8179536: Cleaner print job handling
+ - S8179990: Cleaner palette entry handling
+ - S8180011: Cleaner native graphics device handling
+ - S8180015: Cleaner AWT robot handling
+ - S8180020: Improve SymbolHashMap entry handling
+ - S8180433: Cleaner CLR invocation handling
+ - S8180877: More deeply colored ICC spaces
+ - S8181664: Improve JVM UTF String handling
+ - S8181670: Improve implementation of keystores
+ - S8182125, CVE-2018-2599: Improve reliability of DNS lookups
+ - S8182387, CVE-2018-2603: Improve PKCS usage
+ - S8182601, CVE-2018-2602: Improve usage messages
+ - S8185292, CVE-2018-2618: Stricter key generation
+ - S8185325, CVE-2018-2641: Improve GTK initialization
+ - S8186080: Transform XML interfaces
+ - S8186212, CVE-2018-2629: Improve GSS handling
+ - S8186600, CVE-2018-2634: Improve property negotiations
+ - S8186606, CVE-2018-2633: Improve LDAP lookup robustness
+ - S8186867: Improve native glyph layouts
+ - S8186998, CVE-2018-2637: Improve JMX supportive features
+ - S8189284, CVE-2018-2663: More refactoring for deserialization cases
+ - S8190289, CVE-2018-2677: More refactoring for client deserialization cases
+ - S8191142, CVE-2018-2678: More refactoring for naming deserialization cases
+ * Remove multiarch-support pre-dependency. Closes: #887858.
+ [ Matthias Klose ]
+ * Bump standards version.
+ * Disable bootstrap on sid/buster, gcj is removed.
+ * Remove Damien Raude-Morvan as uploader. Closes: #889378.
+7u161-2.6.12-1 [Thu, 07 Dec 2017 09:12:51 +0100] Matthias Klose <email@example.com>:
+ * IcedTea release 2.6.12 (based on 7u161).
+ * Disable Hotspot workaround for Exec Shield (Debian only).
+ Addresses: #876051.
* Build-depend on g++-4.7 on wheezy. This is the default on some
architectures such as amd64 or i386, but not on armhf or armel,
which default to 4.6. There the build was working before because
@@ -13,15 +62,19 @@
and that in turn depends on g++-4.7. However since we have
disabled the bootstrap build now, g++-4.7 is no longer installed
on arm* builds, causing the build failure which couldn't be seen
- on amd64.
-7u151-2.6.11-2~deb7u2 [Mon, 20 Nov 2017 23:00:27 +0100] Emilio Pozuelo Monfort <firstname.lastname@example.org>:
- * Non-maintainer upload by the LTS team.
- * Backport to wheezy.
+ on amd64 (Emilio Pozuelo Monfort).
+7u151-2.6.11-3 [Thu, 23 Nov 2017 16:37:21 +0100] Matthias Klose <email@example.com>:
+ [ Matthias Klose ]
* Disable bootstrap on wheezy, it currently fails due to the last round
- of 8u151 security patches.
- * Use deb7u2 version as deb7u1 was used by mistake for the jessie update.
+ of 8u151 security patches (Emilio Pozuelo Monfort).
+ [ Tiago Stürmer Daitx ]
+ * debian/patches/hotspot-aarch64-S8145438-fix-field-too-big-for-insn.patch:
+ the S8144028 fix was incomplete and followed up by S8145438; without it
+ aarch64 JVM can fail with "Internal Error, failed: Field too big for
7u151-2.6.11-2 [Mon, 20 Nov 2017 21:24:32 +0100] Matthias Klose <firstname.lastname@example.org>: