Univention Bugzilla – Bug 52268
openjdk-8: Multiple issues (4.4)
Last modified: 2020-12-22 12:16:54 CET
New Debian openjdk-8 8u272-b10-0+deb9u1 fixes:

This update addresses the following issues:
* High memory usage during deserialization of Proxy class with many interfaces (Serialization, 8236862) (CVE-2020-14779)
* Credentials sent over unencrypted LDAP connection (JNDI, 8237990) (CVE-2020-14781)
* Certificate blacklist bypass via alternate certificate encodings (Libraries, 8237995) (CVE-2020-14782)
* Integer overflow leading to out-of-bounds access (Hotspot, 8241114) (CVE-2020-14792)
* Missing permission check in path to URI conversion (Libraries, 8242680) (CVE-2020-14796)
* Incomplete check for invalid characters in URI to path conversion (Libraries, 8242685) (CVE-2020-14797)
* Missing maximum length check in WindowsNativeDispatcher.asNativeBuffer() (Libraries, 8242695) (CVE-2020-14798)
* Race condition in NIO Buffer boundary checks (Libraries, 8244136) (CVE-2020-14803)
--- mirror/ftp/4.4/unmaintained/4.4-6/source/openjdk-8_8u265-b01-0+deb9u1.dsc +++ apt/ucs_4.4-0-errata4.4-6/source/openjdk-8_8u272-b10-0+deb9u1.dsc @@ -1,3 +1,28 @@ +8u272-b10-0+deb9u1 [Wed, 21 Oct 2020 23:52:22 +0200] Emilio Pozuelo Monfort <pochu@debian.org>: + + * Update to 8u272-b10 (GA). + * Security fixes: + - JDK-8233624: Enhance JNI linkage + - JDK-8236196: Improve string pooling + - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class + - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts + - JDK-8237995, CVE-2020-14782: Enhance certificate processing + - JDK-8240124: Better VM Interning + - JDK-8241114, CVE-2020-14792: Better range handling + - JDK-8242680, CVE-2020-14796: Improved URI Support + - JDK-8242685, CVE-2020-14797: Better Path Validation + - JDK-8242695, CVE-2020-14798: Enhanced buffer support + - JDK-8243302: Advanced class supports + - JDK-8244136, CVE-2020-14803: Improved Buffer supports + - JDK-8244479: Further constrain certificates + - JDK-8244955: Additional Fix for JDK-8240124 + - JDK-8245407: Enhance zoning of times + - JDK-8245412: Better class definitions + - JDK-8245417: Improve certificate chain handling + - JDK-8248574: Improve jpeg processing + - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit + - JDK-8253019: Enhanced JPEG decoding + 8u265-b01-0+deb9u1 [Wed, 12 Aug 2020 10:17:29 +0200] Emilio Pozuelo Monfort <pochu@debian.org>: * Non-maintainer upload by the LTS Team. <http://10.200.17.11/4.4-6/#4858172219651191012>
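Review bot: the "Security fixes" list in the new 8u272-b10-0+deb9u1 changelog entry has 20 items, but 12 of them carry only a JDK number and no CVE (for example JDK-8233624, JDK-8244479, JDK-8245417, JDK-8253019), while the erratum description enumerates just the eight CVE-tagged ones. Suggest the erratum text state that the update also includes further security hardening without CVE assignments, so that anyone matching on CVE IDs alone does not under-count what changed. JDK-8249927 in the same list names the jdk.serialProxyInterfaceLimit property next to the CVE-2020-14779 fix (JDK-8236862); a short mention in the erratum would help admins whose applications deserialize Proxy classes with many interfaces.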
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-6] d58a5f8ce2 Bug #52268: openjdk-8 8u272-b10-0+deb9u1
 doc/errata/staging/openjdk-8.yaml | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

[4.4-6] bdc1b45140 Bug #52268: openjdk-8 8u272-b10-0+deb9u1
 doc/errata/staging/openjdk-8.yaml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x785>