Univention Bugzilla – Bug 46695
openjdk-8: Multiple issues (4.3)
Last modified: 2018-05-16 17:04:16 CEST
New Debian openjdk-8 8u162-b12-1~deb9u1 fixes:

This update addresses the following issues:
* CVE-2016-10165: Improve CMS header processing. Missing bounds check could lead to leaked memory contents.
* CVE-2016-9841: Upgrade compression library. There were four off by one errors found in the zlib library. Two of them are long typed which could lead to RCE.
* CVE-2017-10274: Handle smartcard clean up better. If a CardImpl can be recovered via finalization, then separate instances pointing to the same device can be created.
* CVE-2017-10281: Better queuing priorities. PriorityQueue's readObject allocates an array based on data in the stream which could cause an OOM.
* CVE-2017-10285: Unreferenced references. RMI's Unreferenced thread can be used as the root of a Trusted Method Chain.
* CVE-2017-10295: Better URL connections. On Ubuntu (and possibly other Linux flavors) CR-NL in the host field are ignored and can be used to inject headers in an HTTP request stream.
* CVE-2017-10345: Better keystore handling. A malicious serialized object in a keystore can cause a DoS when using keytool.
* CVE-2017-10346: Better alignment of special invocations. A missing load constraint for some invokespecial cases can allow invoking a method from an unrelated class.
* CVE-2017-10347: Better timezone processing. An array is allocated based on data in the serial stream without a limit on the size.
* CVE-2017-10348: Better processing of unresolved permissions. An array is allocated based on data in the serial stream without a limit on the size.
* CVE-2017-10349: Better Node predications. An array is allocated based on data in the serial stream without a limit on the size.
* CVE-2017-10350: Better Base Exceptions. An array is allocated based on data in the serial stream without a limit on the size.
* CVE-2017-10355: More stable connection processing. If an attack can cause an application to open a connection to a malicious FTP server (e.g., via XML), then a thread can be tied up indefinitely in accept(2).
* CVE-2017-10356: Update storage implementations. JKS and JCEKS keystores should be retired from common use in favor of more modern keystore protections.
* CVE-2017-10357: Process Proxy presentation. A malicious serialized stream could cause an OOM due to lack on checking on the number of interfaces read from the stream for a Proxy.
* CVE-2017-10388: Correct Kerberos ticket grants. Kerberos implementations can incorrectly take information from the unencrypted portion of the ticket from the KDC. This can lead to an MITM attack impersonating Kerberos services.
* CVE-2018-2579: unsynchronized access to encryption key data
* CVE-2018-2582: insufficient validation of the invokeinterface instruction
* CVE-2018-2588: LdapLoginModule insufficient username encoding in LDAP query
* CVE-2018-2599: DnsClient missing source port randomization
* CVE-2018-2602: loading of classes from untrusted locations
* CVE-2018-2603: DerValue unbounded memory allocation
* CVE-2018-2618: insufficient strength of key agreement
* CVE-2018-2629: GSS context use-after-free
* CVE-2018-2633: LDAPCertStore insecure handling of LDAP referrals
* CVE-2018-2634: use of global credentials for HTTP/SPNEGO
* CVE-2018-2637: SingleEntryRegistry incorrect setup of deserialization filter
* CVE-2018-2641: GTK library loading use-after-free
* CVE-2018-2663: ArrayBlockingQueue deserialization to an inconsistent state
* CVE-2018-2677: unbounded memory allocation during deserialization
* CVE-2018-2678: unbounded memory allocation in BasicAttributes deserialization

CVE-2018-2633 OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606)
CVE-2018-2634 OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600)
CVE-2018-2603 OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387)
CVE-2018-2629 OpenJDK: GSS context use-after-free (JGSS, 8186212)
CVE-2018-2579 OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525)
CVE-2018-2641 OpenJDK: GTK library loading use-after-free (AWT, 8185325)
CVE-2018-2618 OpenJDK: insufficient strength of key agreement (JCE, 8185292)
CVE-2018-2602 OpenJDK: loading of classes from untrusted locations (I18n, 8182601)
CVE-2018-2637 OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998)
CVE-2018-2599 OpenJDK: DnsClient missing source port randomization (JNDI, 8182125)
CVE-2018-2677 OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289)
CVE-2018-2678 OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142)
CVE-2018-2663 OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284)
CVE-2018-2582 OpenJDK: insufficient validation of the invokeinterface instruction (Hotspot, 8174962)
CVE-2018-2588 OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449)
CVE-2017-10274 OpenJDK: CardImpl incorrect state handling (Smart Card IO, 8169026)
CVE-2017-10281 OpenJDK: multiple unbounded memory allocations in deserialization (Serialization, 8174109)
CVE-2017-10285 OpenJDK: incorrect privilege use when handling unreferenced objects (RMI, 8174966)
CVE-2017-10295 OpenJDK: HTTP client insufficient check for newline in URLs (Networking, 8176751)
CVE-2017-10388 OpenJDK: use of unprotected sname in Kerberos client (Libraries, 8178794)
CVE-2017-10346 OpenJDK: insufficient loader constraints checks for invokespecial (Hotspot, 8180711)
CVE-2017-10350 OpenJDK: unbounded memory allocation in JAXWSExceptionBase deserialization (JAX-WS, 8181100)
CVE-2017-10347 OpenJDK: unbounded memory allocation in SimpleTimeZone deserialization (Serialization, 8181323)
CVE-2017-10349 OpenJDK: unbounded memory allocation in PredicatedNodeTest deserialization (JAXP, 8181327)
CVE-2017-10345 OpenJDK: unbounded resource use in JceKeyStore deserialization (Serialization, 8181370)
CVE-2017-10348 OpenJDK: multiple unbounded memory allocations in deserialization (Libraries, 8181432)
CVE-2017-10357 OpenJDK: unbounded memory allocation in ObjectInputStream deserialization (Serialization, 8181597)
CVE-2017-10355 OpenJDK: no default network operations timeouts in FtpClient (Networking, 8181612)
CVE-2017-10356 OpenJDK: weak protection of key stores against brute forcing (Security, 8181692)
CVE-2016-10165 lcms2: Out-of-bounds read in Type_MLU_Read()
CVE-2016-9841 zlib: Out-of-bounds pointer arithmetic in inffast.c
[4.3-0] 4788ab0212 Bug #46695: openjdk-8_8u162-b12-1~deb9u1
 doc/errata/staging/openjdk-8.yaml | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)

Copied from Debian
--- mirror/ftp/4.3/unmaintained/4.3-0/source/openjdk-8_8u151-b12-1~deb9u1.dsc +++ apt/ucs_4.3-0-errata4.3-0/source/openjdk-8_8u162-b12-1~deb9u1.dsc 
@@ -1,6 +1,57 @@ -8u151-b12-1~deb9u1 [Wed, 01 Nov 2017 14:17:57 +0000] Moritz Muehlenhoff <jmm@debian.org>: +8u162-b12-1~deb9u1 [Fri, 16 Mar 2018 00:05:30 +0100] Moritz Mühlenhoff <jmm@debian.org>: * Rebuild for stretch-security + +8u162-b12-1 [Thu, 15 Mar 2018 18:19:50 +0100] Matthias Klose <doko@ubuntu.com>: + + [ Tiago Stürmer Daitx ] + * Update to 8u162-b12. Hotspot 8u162-b12 for aarch32 and 8u161-b16 + for aarch64 (wth 8u162-b12 patches). + * Security updates: + - CVE-2018-2633,S8186606: Improve LDAP lookup robustness. + - CVE-2018-2637,S8186998: Improve JMX supportive features. + - CVE-2018-2634,S8186600: Improve property negotiations. + - CVE-2018-2582,S8174962: Better interface invocations. + - CVE-2018-2641,S8185325: Improve GTK initialization. + - CVE-2018-2618,S8185292: Stricter key generation. + - CVE-2018-2629,S8186212: Improve GSS handling. + - CVE-2018-2603,S8182387: Improve PKCS usage. + - CVE-2018-2599,S8182125: Improve reliability of DNS lookups. + - CVE-2018-2602,S8182601: Improve usage messages. + - CVE-2018-2588,S8178449: Improve LDAP logins. + - CVE-2018-2678,S8191142: More refactoring for naming deserialization + cases. + - CVE-2018-2677,S8190289: More refactoring for client deserialization + cases. + - CVE-2018-2663,S8189284: More refactoring for deserialization cases. + - CVE-2018-2579,S8172525: Improve key keying case. + * d/p/aarch64-hotspot-8u162-b12.patch: update aarch64 hotspot to 8u162-b12. + * d/p/icedtea-4953367.patch: removed, fixed upstream by "S8136570: Stop + changing user environment variables related to /usr/dt". + * d/p/gcc6.diff: removed, fixed upstream. + * d/p/jdk-getAccessibleValue.diff: updated, removed chunks fixed upstream + by "S8076249: NPE in AccessBridge while editing JList model" and + "S8145207: [macosx] JList, VO can't access non-visible list items". 
+ * d/p/openjdk-ppc64el-S8170153.patch, d/p/8164293.diff, + d/p/hotspot-ppc64el-S8145913-montgomery-multiply-intrinsic.patch, + d/p/hotspot-ppc64el-S8168318-cmpldi.patch, + d/p/hotspot-ppc64el-S8170328-andis.patch, + d/p/hotspot-ppc64el-S8175813-mbind-invalid-argument.patch, + d/p/hotspot-ppc64el-S8181055-use-numa-v2-api.patch, + d/p/hotspot-ppc64el-S8181810-leverage-extrdi.patch: removed, + applied upstream. + * d/rules, d/control: depend on GKT3 instead of GTK2 for newer releases. + LP: #1735482. + * d/rules: wait 10 seconds before issuing SIGKILL to buildwatch. + * d/buildwatch.sh: find hs_err files and cat them to help debugging build + failures. + * S8173853: IllegalArgumentException in java.awt.image.ReplicateScaleFilter. + LP: #8173853. + + [ Matthias Klose ] + * Disable Hotspot workaround for Exec Shield (Debian only). + Closes: #876051. + * Fix some lintian warnings. 8u151-b12-1 [Wed, 01 Nov 2017 07:12:56 +0100] Matthias Klose <doko@ubuntu.com>: 
@@ -28,17 +79,17 @@ missing load constraint for some invokespecial cases can allow invoking a method from an unrelated class. - CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated - based on data in the serial stream without a limit onthe size. + based on data in the serial stream without a limit on the size. - CVE-2017-10347, S8181323: Better timezone processing. An array is allocated based on data in the serial stream without a limit on the size. - CVE-2017-10349, S8181327: Better Node predications. An array is - allocated based on data in the serial stream without a limit onthe size. + allocated based on data in the serial stream without a limit on the size. - CVE-2017-10345, S8181370: Better keystore handling. A malicious serialized object in a keystore can cause a DoS when using keytool. - CVE-2017-10348, S8181432: Better processing of unresolved permissions. An array is allocated based on data in the serial stream without a limit - onthe size. + on the size. - CVE-2017-10357, S8181597: Process Proxy presentation. A malicious serialized stream could cause an OOM due to lack on checking on the number of interfaces read from the stream for a Proxy.
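Review bot: in the first hunk (@@ -1,6 +1,57 @@), the entry "S8173853: IllegalArgumentException in java.awt.image.ReplicateScaleFilter" carries "LP: #8173853", which repeats the JDK bug number as the Launchpad number and looks like a copy error; verify the reference before using it for tracking. The same hunk has "GKT3" for GTK3 in the d/rules, d/control item and "wth" for "with" in the "Update to 8u162-b12" item. The changelog is copied from Debian, so these belong in an upstream report rather than a local change. The fifteen CVE-2018 ids in the "Security updates" list match the CVE-2018 entries in this bug's description, so the advisory's CVE list can be checked against either.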
[4.3-0] 7259dad414 Bug #46695: openjdk-8 8u171-b11-1~deb9u1
 doc/errata/staging/openjdk-8.yaml | 29 ++++++++++++++++++++++++++++-
--- mirror/ftp/4.3/unmaintained/4.3-0/source/openjdk-8_8u151-b12-1~deb9u1.dsc +++ apt/ucs_4.3-0-errata4.3-0/source/openjdk-8_8u171-b11-1~deb9u1.dsc 
@@ -1,6 +1,91 @@ -8u151-b12-1~deb9u1 [Wed, 01 Nov 2017 14:17:57 +0000] Moritz Muehlenhoff <jmm@debian.org>: +8u171-b11-1~deb9u1 [Fri, 27 Apr 2018 14:37:13 +0000] Moritz Muehlenhoff <jmm@debian.org>: * Rebuild for stretch-security + +8u171-b11-1 [Fri, 27 Apr 2018 08:56:10 +0200] Matthias Klose <doko@ubuntu.com>: + + [ Tiago Stürmer Daitx ] + * Update to 8u171-b11. Hotspot 8u162-b12 for aarch32 with 8u171-b10 hotspot + security fixes and 8u171-b10 for aarch64. + - CVE-2018-2790,S8189969: Manifest better manifest entries. + - CVE-2018-2795,S8189977: Improve permission portability. + - CVE-2018-2796,S8189981: Improve queuing portability. + - CVE-2018-2797,S8189985: Improve tabular data portability. + - CVE-2018-2798,S8189989: Improve container portability. + - CVE-2018-2799,S8189993: Improve document portability. + - CVE-2018-2794,S8189997: Enhance keystore mechanisms. + - CVE-2018-2814,S8192025: Less referential references. + - CVE-2018-2815,S8192757: Improve stub classes implementation. + - CVE-2018-2800,S8193833: Better RMI connection support. + - S8169080: Improve documentation examples for crypto applications. + - S8180881: Better packaging of deserialization. + - S8182362: Update CipherOutputStream Usage. + - S8189123: More consistent classloading. + - S8190478: Improved interface method selection. + - S8190877: Better handling of abstract classes. + - S8191696: Better mouse positioning. + - S8192030: Better MTSchema support. + - S8193409: Improve AES supporting classes. + - S8193414: Improvements in MethodType lookups. + * d/p/aarch64-hotspot-8u162-b12.patch: removed, tarball has been updated to + 8u171-b10. + * d/p/hotspot-S8185723-zero-ppc32-atomic_copy64-fix.patch, + d/p/hotspot-S8201509-zero-s390x-atomic_copy64-fix.patch: fix ppc32, s390x + javac segmentation fault caused by wrong inline assembler. + + [ Matthias Klose ] + * Bump standards version. 
+ +8u162-b12-1 [Thu, 15 Mar 2018 18:19:50 +0100] Matthias Klose <doko@ubuntu.com>: + + [ Tiago Stürmer Daitx ] + * Update to 8u162-b12. Hotspot 8u162-b12 for aarch32 and 8u161-b16 + for aarch64 (wth 8u162-b12 patches). + * Security updates: + - CVE-2018-2633,S8186606: Improve LDAP lookup robustness. + - CVE-2018-2637,S8186998: Improve JMX supportive features. + - CVE-2018-2634,S8186600: Improve property negotiations. + - CVE-2018-2582,S8174962: Better interface invocations. + - CVE-2018-2641,S8185325: Improve GTK initialization. + - CVE-2018-2618,S8185292: Stricter key generation. + - CVE-2018-2629,S8186212: Improve GSS handling. + - CVE-2018-2603,S8182387: Improve PKCS usage. + - CVE-2018-2599,S8182125: Improve reliability of DNS lookups. + - CVE-2018-2602,S8182601: Improve usage messages. + - CVE-2018-2588,S8178449: Improve LDAP logins. + - CVE-2018-2678,S8191142: More refactoring for naming deserialization + cases. + - CVE-2018-2677,S8190289: More refactoring for client deserialization + cases. + - CVE-2018-2663,S8189284: More refactoring for deserialization cases. + - CVE-2018-2579,S8172525: Improve key keying case. + * d/p/aarch64-hotspot-8u162-b12.patch: update aarch64 hotspot to 8u162-b12. + * d/p/icedtea-4953367.patch: removed, fixed upstream by "S8136570: Stop + changing user environment variables related to /usr/dt". + * d/p/gcc6.diff: removed, fixed upstream. + * d/p/jdk-getAccessibleValue.diff: updated, removed chunks fixed upstream + by "S8076249: NPE in AccessBridge while editing JList model" and + "S8145207: [macosx] JList, VO can't access non-visible list items". 
+ * d/p/openjdk-ppc64el-S8170153.patch, d/p/8164293.diff, + d/p/hotspot-ppc64el-S8145913-montgomery-multiply-intrinsic.patch, + d/p/hotspot-ppc64el-S8168318-cmpldi.patch, + d/p/hotspot-ppc64el-S8170328-andis.patch, + d/p/hotspot-ppc64el-S8175813-mbind-invalid-argument.patch, + d/p/hotspot-ppc64el-S8181055-use-numa-v2-api.patch, + d/p/hotspot-ppc64el-S8181810-leverage-extrdi.patch: removed, + applied upstream. + * d/rules, d/control: depend on GKT3 instead of GTK2 for newer releases. + LP: #1735482. + * d/rules: wait 10 seconds before issuing SIGKILL to buildwatch. + * d/buildwatch.sh: find hs_err files and cat them to help debugging build + failures. + * S8173853: IllegalArgumentException in java.awt.image.ReplicateScaleFilter. + LP: #8173853. + + [ Matthias Klose ] + * Disable Hotspot workaround for Exec Shield (Debian only). + Closes: #876051. + * Fix some lintian warnings. 8u151-b12-1 [Wed, 01 Nov 2017 07:12:56 +0100] Matthias Klose <doko@ubuntu.com>: 
@@ -28,17 +113,17 @@ missing load constraint for some invokespecial cases can allow invoking a method from an unrelated class. - CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated - based on data in the serial stream without a limit onthe size. + based on data in the serial stream without a limit on the size. - CVE-2017-10347, S8181323: Better timezone processing. An array is allocated based on data in the serial stream without a limit on the size. - CVE-2017-10349, S8181327: Better Node predications. An array is - allocated based on data in the serial stream without a limit onthe size. + allocated based on data in the serial stream without a limit on the size. - CVE-2017-10345, S8181370: Better keystore handling. A malicious serialized object in a keystore can cause a DoS when using keytool. - CVE-2017-10348, S8181432: Better processing of unresolved permissions. An array is allocated based on data in the serial stream without a limit - onthe size. + on the size. - CVE-2017-10357, S8181597: Process Proxy presentation. A malicious serialized stream could cause an OOM due to lack on checking on the number of interfaces read from the stream for a Proxy.
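Review bot: the ten CVE ids in the 8u171-b11-1 entry of the first hunk (@@ -1,6 +1,91 @@), CVE-2018-2790, CVE-2018-2794 through CVE-2018-2800, CVE-2018-2814 and CVE-2018-2815, do not appear in the issue list in this bug's description, which stops at the 8u162 fixes; confirm that doc/errata/staging/openjdk-8.yaml lists them. Unlike the 8u162-b12-1 entry, this entry has no "* Security updates:" line, so CVE items and plain S-numbered items share one list and a CVE is easy to miss when extracting them by hand. The diff base is still openjdk-8_8u151-b12-1~deb9u1.dsc, so the whole 8u162-b12-1 block repeats here; only the 8u171 entries are new relative to the previous commit.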
* No UCS specific patches
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory adjusted: f6fb3894a8 | sort CVEs
<http://errata.software-univention.de/ucs/4.3/62.html>