Univention Bugzilla – Bug 54444
openjdk-8: Multiple issues (4.4)
Last modified: 2022-02-16 12:23:25 CET
New Debian openjdk-8 8u322-b06-1~deb9u1 fixes:

This update addresses the following issues:

* Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934) (CVE-2022-21248)
* Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492) (CVE-2022-21282)
* Unexpected exception thrown in regex Pattern (Libraries, 8268813) (CVE-2022-21283)
* Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392) (CVE-2022-21293)
* Incorrect IdentityHashMap size checks during deserialization (Libraries, 8270416) (CVE-2022-21294)
* Incorrect access checks in XMLEntityManager (JAXP, 8270498) (CVE-2022-21296)
* Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299)
* Array indexing issues in LIRGenerator (Hotspot, 8272014) (CVE-2022-21305)
* Excessive resource use when reading JAR manifest attributes (Libraries, 8272026) (CVE-2022-21340)
* Insufficient checks when deserializing exceptions in ObjectInputStream (Serialization, 8272236) (CVE-2022-21341)
* Unaligned memory access in ContextualGlyphSubstProc2 (2D, 8273748) (CVE-2022-21349)
* Excessive memory allocation in BMPImageReader (ImageIO, 8273756) (CVE-2022-21360)
* Integer overflow in BMPImageReader (ImageIO, 8273838) (CVE-2022-21365)
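The erratum names the fixed package version but not how to tell whether an installed openjdk-8 is at or above it, and the `~deb9u1` suffix makes a naive string comparison wrong. As an added example that is not part of the bug report or of the Debian package, the following Python reimplements dpkg's version ordering (epoch, upstream, revision; `~` sorts before the end of a part) so a version string obtained from `dpkg-query -W -f='${Version}' <package>` on the target host can be checked against 8u322-b06-1~deb9u1 offline; the binary package name is left to the reader since the source package builds several.

```python
# Added example, not part of the bug report: dpkg-style version comparison so an
# installed openjdk-8 version can be checked against the erratum's fixed version.
FIXED_VERSION = "8u322-b06-1~deb9u1"

def _order(c: str) -> int:
    # dpkg sort weight: '~' < end of part == digit < ASCII letter < anything else
    if c == "" or c.isdecimal():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isascii() and c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # Alternate non-digit runs (char by char via _order) and digit runs (numeric).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdecimal()) or (j < len(b) and not b[j].isdecimal()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        m, n = i, j
        while i < len(a) and a[i].isdecimal():
            i += 1
        while j < len(b) and b[j].isdecimal():
            j += 1
        da, db = int(a[m:i] or "0"), int(b[n:j] or "0")  # int() drops leading zeros
        if da != db:
            return da - db
    return 0

def _split(version: str):
    # 'epoch:upstream-revision'; the revision follows the LAST hyphen, so the
    # upstream part '8u322-b06' keeps its hyphen and '1~deb9u1' is the revision.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a: str, b: str) -> int:
    # -1 / 0 / 1, like `dpkg --compare-versions a lt|eq|gt b`
    for x, y in zip(_split(a), _split(b)):
        r = (x > y) - (x < y) if isinstance(x, int) else _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0

def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    return compare_versions(installed, fixed) >= 0  # True once the erratum's fixes are present
```

Note that the previous errata version 8u312-b07-1~deb9u1 compares below the fix while 8u322-b06-1 (without the `~deb9u1` backport suffix) compares above it, which is exactly the ordering dpkg applies when deciding whether the update is installed.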
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/openjdk-8_8u312-b07-1~deb9u1.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/openjdk-8_8u322-b06-1~deb9u1.dsc 
@@ -1,3 +1,38 @@ +8u322-b06-1~deb9u1 [Wed, 09 Feb 2022 11:40:17 +0100] Emilio Pozuelo Monfort <pochu@debian.org>: + + [ Emilio Pozuelo Monfort ] + * New upstream release. + * Adapt rules for the move to git and for the new merged repo layout. + * Security fixes: + - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization + - JDK-8268488: More valuable DerValues + - JDK-8268494: Better inlining of inlined interfaces + - JDK-8268512: More content for ContentInfo + - JDK-8268795: Enhance digests of Jar files + - JDK-8268801: Improve PKCS attribute handling + - JDK-8268813, CVE-2022-21283: Better String matching + - JDK-8269151: Better construction of EncryptedPrivateKeyInfo + - JDK-8269944: Better HTTP transport redux + - JDK-8270392, CVE-2022-21293: Improve String constructions + - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps + - JDK-8270492, CVE-2022-21282: Better resolution of URIs + - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management + - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities + - JDK-8271962: Better TrueType font loading + - JDK-8271968: Better canonical naming + - JDK-8271987: Manifest improved manifest entries + - JDK-8272014, CVE-2022-21305: Better array indexing + - JDK-8272026, CVE-2022-21340: Verify Jar Verification + - JDK-8272236, CVE-2022-21341: Improve serial forms for transport + - JDK-8272272: Enhance jcmd communication + - JDK-8272462: Enhance image handling + - JDK-8273290: Enhance sound handling + - JDK-8273748, CVE-2022-21349: Improve Solaris font rendering + - JDK-8273756, CVE-2022-21360: Enhance BMP image support + - JDK-8273838, CVE-2022-21365: Enhanced BMP processing + * Other changes, see + https://mail.openjdk.java.net/pipermail/jdk8u-dev/2022-January/014522.html + 8u312-b07-1~deb9u1 [Sat, 06 Nov 2021 18:41:21 +0100] Thorsten Glaser <tg@mirbsd.de>: * Disable tests (debian/README.source documents why they fail) 
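Review bot: the erratum text above lists only the 13 CVE-tagged entries of this changelog hunk (each with the same JDK bug number, so the two are consistent), but the hunk also carries JDK-only hardening entries with no CVE (JDK-8268488, JDK-8268494, JDK-8268512, JDK-8268795, JDK-8268801, JDK-8269151, JDK-8269944, JDK-8271962, JDK-8271968, JDK-8271987, JDK-8272272, JDK-8272462, JDK-8273290) that the announcement does not mention; consider adding a closing sentence such as "plus further upstream hardening fixes, see the Debian changelog" so readers do not take the CVE list as the complete change set, and double-check that the "Other changes, see" mailing-list URL is carried into the erratum YAML as well.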
<http://piuparts.knut.univention.de/4.4-8/#5375059639555803433>
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-8] 3d55e534d8 Bug #54444: openjdk-8 8u322-b06-1~deb9u1
 doc/errata/staging/openjdk-8.yaml | 47 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x1176>