Bug 46320 - openjdk-7: Multiple issues (4.2)
openjdk-7: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
: P3 normal (vote)
: UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-02-16 16:53 CET by Philipp Hahn
Modified: 2018-05-08 14:57 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 8.3 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2018-02-16 16:53:30 CET
+++ This bug was initially created as a clone of Bug #44687 +++
151: <http://blog.fuseyism.com/index.php/2017/08/10/security-icedtea-2-6-11-for-openjdk-7-released/>
161: <http://blog.fuseyism.com/index.php/2017/12/06/security-icedtea-2-6-12-for-openjdk-7-released/>
171: WIP <http://mail.openjdk.java.net/pipermail/jdk7u-dev/2018-February/010751.html

The OpenJDK 7 u161 security updates where cherry-picked into Debians 7u151-2.6.11-2.

We need to rebuild OpenJDK-7 for errata4.2-3 anyway, as that version is less than the version in errata4.1-5: <http://xen1.knut.univention.de:8000/packages/source/openjdk-7/?since=4.1-1>

This breaks UCS-4.3 as there the version from errata4.1-5 is picked, which still depends on "tzdata-java" from Debian-Jessie, has a conflicts with "tzdata" from Debian-Stretch.
Comment 1 Philipp Hahn univentionstaff 2018-02-16 17:31:25 CET
$ deb-ver-comp 7u121-2.6.8-1.34.201701252027 7u121-2.6.8-2~deb8u1 7u151-2.6.11-2~deb8u1A~4.2.0.201712111344 7u151-2.6.11-2.36.201712111508 7u151-2.6.11-2.A4.2.0.201712111344
        Sort as given
7u121-2.6.8-1.34.201701252027              ← errata4.1.4
7u121-2.6.8-2~deb8u1                       ← 4.2-0
7u151-2.6.11-2~deb8u1A~4.2.0.201712111344  ← current errata4.2-3
7u151-2.6.11-2.36.201712111508             ← current errata4.1-5
7u151-2.6.11-2.A4.2.0.201712111344         ← this errata4.2-3

$ build-package-ng -r 4.2 -s errata4.2-3 -p openjdk-7 -v 7u151-2.6.11-2.A4.2.0.201712111344

Package: openjdk-7
Version: 7u151-2.6.11-2.A4.2.0.201712111344
Branch: ucs_4.2-0
Scope: errata4.2-3
Comment 2 Philipp Hahn univentionstaff 2018-02-17 12:56:07 CET
OpenJDK is dropped from Debian-Jessie and any upgrade to UCS-4.3 currently failes when installed, as old tzdata-java from Debian-Jessie conflicts with the newer tzdata from Debian-Stretch.
Comment 3 Philipp Hahn univentionstaff 2018-02-19 16:31:50 CET
TL;DR: <https://lists.debian.org/debian-glibc/2014/08/msg00007.html>
- Java has its own TZ datase, which is part of src:openjdk-X
- it received quaterly updates
- Debian maintains only src:tzdata
- the data is compiled into the format required by OpenJDK
- the compiler is only available with bin:OpenDJK <= 7
- OpenJDK-8 uses a new format - the compiler is no longer available in bin:openjdk-8
- Debian dropped the compilation from src:tzdata

Oracle provided an online update too for their versions:
 <http://www.oracle.com/technetwork/java/javase/tzdata-versions-138805.html>/tzdata

As the current version works for UCS-4.2 and OpenJDK-7 is not supported in Debian-Stretch/UCS-4.3 anyway, there is nothing more to do.
Users should upgrade to OpenJDK-8 anyway: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818308>

TODO: A release-upgrade from UCS-4.2 to UCS-4.3 fails as univention-java is uninstalled.

39787a637f Bug #46320: openjdk-7
 doc/errata/staging/openjdk-7.yaml | 11 +++++++++++
Comment 4 Philipp Hahn univentionstaff 2018-02-21 13:12:09 CET
(In reply to Philipp Hahn from comment #3)
> TODO: A release-upgrade from UCS-4.2 to UCS-4.3 fails as univention-java is
> uninstalled.

This is Bug #45959.
So OpenJDK-7 is ready for errata4.2-3 (for now, as 171 is not yet available)
Comment 5 Philipp Hahn univentionstaff 2018-04-07 10:04:09 CEST
r18068 | Bug #46320: OpenJDK-7 7u151-2.6.11-2~deb8u1

Package: openjdk-7
Version: 7u171-2.6.13-1~deb8u1A~4.2.0.201804061203
Branch: ucs_4.2-0
Scope: errata4.2-3

[4.2-3] 39eaee0c31 Bug #46320: openjdk-7 7u171-2.6.13-1~deb8u1
 doc/errata/staging/openjdk-7.yaml | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
Comment 6 Arvid Requate univentionstaff 2018-05-04 15:52:11 CEST
Verified:
* r18068 10_tzdata.patch switching to tzdata-java
* patch applied during built
* errata4.2-3 package update works
* Advisory Ok
Comment 7 Quality Assurance univentionstaff 2018-05-04 16:56:31 CEST
--- mirror/ftp/4.1/unmaintained/component/4.1-5-errata/source/openjdk-7_7u151-2.6.11-2.36.201712111508.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/openjdk-7_7u171-2.6.13-1~deb8u1A~4.2.0.201804061203.dsc
@@ -1,11 +1,60 @@
-7u151-2.6.11-2.36.201712111508 [Mon, 11 Dec 2017 15:08:47 +0100] Univention builddaemon <buildd@univention.de>:
+7u171-2.6.13-1~deb8u1A~4.2.0.201804061203 [Fri, 06 Apr 2018 12:03:50 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
-    00_hardcode-debian-settings-in-lsb-detection
-    10_add_java7-jdk_provides
-
-7u151-2.6.11-2~deb7u3 [Thu, 23 Nov 2017 18:57:05 +0100] Emilio Pozuelo Monfort <pochu@debian.org>:
-
+    10_tzdata
+
+7u171-2.6.13-1~deb8u1 [Tue, 03 Apr 2018 09:00:06 +0200] Moritz Muehlenhoff <jmm@debian.org>:
+
+  * Rebuild for jessie-security
+
+7u171-2.6.13-1 [Mon, 02 Apr 2018 10:36:32 +0200] Matthias Klose <doko@ubuntu.com>:
+
+  [ Tiago Stürmer Daitx ]
+  * IcedTea release 2.6.13 (based on 7u171). Closes: #891330.
+  * Security fixes:
+    - S8160104: CORBA communication improvements
+    - S8172525, CVE-2018-2579: Improve key keying case
+    - S8174756: Extra validation for public keys
+    - S8175932: Improve host instance supports
+    - S8176458: Revise default document styling
+    - S8178449, CVE-2018-2588: Improve LDAP logins
+    - S8178458: Better use of certificates in LDAP
+    - S8178466: Better RSA parameters
+    - S8179536: Cleaner print job handling
+    - S8179990: Cleaner palette entry handling
+    - S8180011: Cleaner native graphics device handling
+    - S8180015: Cleaner AWT robot handling
+    - S8180020: Improve SymbolHashMap entry handling
+    - S8180433: Cleaner CLR invocation handling
+    - S8180877: More deeply colored ICC spaces
+    - S8181664: Improve JVM UTF String handling
+    - S8181670: Improve implementation of keystores
+    - S8182125, CVE-2018-2599: Improve reliability of DNS lookups
+    - S8182387, CVE-2018-2603: Improve PKCS usage
+    - S8182601, CVE-2018-2602: Improve usage messages
+    - S8185292, CVE-2018-2618: Stricter key generation
+    - S8185325, CVE-2018-2641: Improve GTK initialization
+    - S8186080: Transform XML interfaces
+    - S8186212, CVE-2018-2629: Improve GSS handling
+    - S8186600, CVE-2018-2634: Improve property negotiations
+    - S8186606, CVE-2018-2633: Improve LDAP lookup robustness
+    - S8186867: Improve native glyph layouts
+    - S8186998, CVE-2018-2637: Improve JMX supportive features
+    - S8189284, CVE-2018-2663: More refactoring for deserialization cases
+    - S8190289, CVE-2018-2677: More refactoring for client deserialization cases
+    - S8191142, CVE-2018-2678: More refactoring for naming deserialization cases
+  * Remove multiarch-support pre-dependency. Closes: #887858.
+
+  [ Matthias Klose ]
+  * Bump standards version.
+  * Disable bootstrap on sid/buster, gcj is removed.
+  * Remove Damien Raude-Morvan as uploader. Closes: #889378.
+
+7u161-2.6.12-1 [Thu, 07 Dec 2017 09:12:51 +0100] Matthias Klose <doko@ubuntu.com>:
+
+  * IcedTea release 2.6.12 (based on 7u161).
+  * Disable Hotspot workaround for Exec Shield (Debian only).
+    Addresses: #876051.
   * Build-depend on g++-4.7 on wheezy. This is the default on some
     architectures such as amd64 or i386, but not on armhf or armel,
     which default to 4.6. There the build was working before because
@@ -13,15 +62,19 @@
     and that in turn depends on g++-4.7. However since we have
     disabled the bootstrap build now, g++-4.7 is no longer installed
     on arm* builds, causing the build failure which couldn't be seen
-    on amd64.
-
-7u151-2.6.11-2~deb7u2 [Mon, 20 Nov 2017 23:00:27 +0100] Emilio Pozuelo Monfort <pochu@debian.org>:
-
-  * Non-maintainer upload by the LTS team.
-  * Backport to wheezy.
+    on amd64 (Emilio Pozuelo Monfort).
+
+7u151-2.6.11-3 [Thu, 23 Nov 2017 16:37:21 +0100] Matthias Klose <doko@ubuntu.com>:
+
+  [ Matthias Klose ]
   * Disable bootstrap on wheezy, it currently fails due to the last round
-    of 8u151 security patches.
-  * Use deb7u2 version as deb7u1 was used by mistake for the jessie update.
+    of 8u151 security patches (Emilio Pozuelo Monfort).
+
+  [ Tiago Stürmer Daitx ]
+  * debian/patches/hotspot-aarch64-S8145438-fix-field-too-big-for-insn.patch:
+    the S8144028 fix was incomplete and followed up by S8145438; without it
+    aarch64 JVM can fail with "Internal Error, failed: Field too big for
+    insn".
 
 7u151-2.6.11-2 [Mon, 20 Nov 2017 21:24:32 +0100] Matthias Klose <doko@ubuntu.com>:
Comment 8 Arvid Requate univentionstaff 2018-05-08 14:57:03 CEST
<http://errata.software-univention.de/ucs/4.2/386.html>