Bug 40483

Summary: openjdk-7: Multiple issues (4.1)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Daniel Tröder <troeder>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P3
CC: botner, gohmann, walkenhorst
Version: UCS 4.1
Flags: requate: Patch_Available+
Target Milestone: UCS 4.1-2-errata
Hardware: Other
OS: Linux
URL: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on:
Bug Blocks: 40482

Description Arvid Requate univentionstaff 2016-01-21 18:41:30 CET
+++ This bug was initially created as a clone of Bug #40482 +++

New issues fixed in Debian package version 7u95-2.6.4-1:

 - S8059054, CVE-2016-0402: Better URL processing
 - S8130710, CVE-2016-0448: Better attributes processing
 - S8132210: Reinforce JMX collector internals
 - S8132988: Better printing dialogues
 - S8133962, CVE-2016-0466: More general limits
 - S8137060: JMX memory management improvements
 - S8139012: Better font substitutions
 - S8139017, CVE-2016-0483: More stable image decoding
 - S8140543, CVE-2016-0494: Arrange font actions
 - S8143185: Cleanup for handling proxies
 - S8143941, CVE-2015-8126, CVE-2015-8472: Update splashscreen displays
 - S8144773, CVE-2015-7575: Further reduce use of MD5 (SLOTH)
Comment 1 Arvid Requate univentionstaff 2016-01-28 14:53:16 CET
Package version in wheezy: 7u95-2.6.4-1~deb7u1
Comment 2 Daniel Tröder univentionstaff 2016-02-05 17:30:49 CET
dtroeder@dimma:~$ repo_admin.py --cherrypick --release 4.0-0-0 -s errata4.0-4 --releasedest 4.1-0-0 --dest errata4.1-0 --package openjdk-7

dtroeder@dimma:~$ repo_stat.py openjdk-7
7u95-2.6.4-1~deb7u1 imported on 2016-02-05 12:34:15.794837
 Included in scope errata4.0-4 for release tag 4.0-0-0 (77864)
 Included in scope errata4.1-0 for release tag 4.1-0-0 (77864)

dtroeder@dimma:~$ b41-scope errata4.1-0 openjdk-7
The following patches will be applied:
 00_hardcode-debian-settings-in-lsb-detection.patch

Advisory: 67256
Comment 3 Felix Botner univentionstaff 2016-02-09 16:11:15 CET
java7-jdk is missing in openjdk-7-jdk Provides!

Package: openjdk-7-jdk
Version: 7u95-2.6.4-1.22.201602051241
Provides: java-compiler, java-sdk, java2-sdk, java5-sdk, java6-sdk, java7-sdk

Package: openjdk-7-jdk
Version: 7u91-2.6.3-1.19.201512041548
Provides: java-compiler, java-sdk, java2-sdk, java5-sdk, java6-sdk, java7-jdk

This breaks the heliumvserver App:

-> apt-get install heliumv-base
Reading package lists... Done
Building dependency tree.
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 heliumv-base : Depends: java7-jdk
E: Unable to correct problems, you have held broken packages.

-> apt-cache show heliumv-base 
Package: heliumv-base
Section: net
Installed-Size: 66585
Maintainer: it25 GmbH <packages@it25.de>
Architecture: all
Source: heliumv
Version: 0.1-3
Depends: java-common, java7-jdk, perl, ttf-mscorefonts-installer

See, http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv/SambaVersion=s4,Systemrolle=member/lastCompletedBuild/testReport/20_appcenter/20_can_apps_be_installed/test/

We may need to add java7-jdk to openjdk-7-jdk Provides, but debian deliberately replaced java7-jdk with java7-sdk, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803150. So, not sure what to do here.
Comment 4 Daniel Tröder univentionstaff 2016-02-10 17:30:30 CET
'java7-jdk' has been added to the 'Provides' field of openjdk-7-jdk (r15871). i386 has been built, amd64 is in the making.
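The breakage reported in comment 3 and the fix from comment 4 can be replayed offline with a small model of how apt resolves a dependency against real package names and virtual packages declared in Provides. This is an added example, not Univention's, Debian's or apt's code: the three control stanzas are constructed from the fields quoted above (openjdk-7-jdk before and after the 7u95 update, and heliumv-base), the stanzas for java-common, perl and ttf-mscorefonts-installer are placeholders so that only the java7-jdk dependency is in question, and the resolver deliberately ignores version constraints, which play no role in this bug.

```python
"""Model of a Debian virtual-package dependency check (added example).

Shows why heliumv-base (Depends: java7-jdk) installs against the old
openjdk-7-jdk, fails against the 7u95 build whose Provides names
java7-sdk instead, and installs again once java7-jdk is put back into
Provides (the r15871 change). Simplified: unversioned names only.
"""

from typing import Dict, List, Set

# Constructed sample stanzas, fields as quoted in the bug report.
OLD_OPENJDK_STANZA = """\
Package: openjdk-7-jdk
Version: 7u91-2.6.3-1.19.201512041548
Provides: java-compiler, java-sdk, java2-sdk, java5-sdk, java6-sdk, java7-jdk
"""

NEW_OPENJDK_STANZA = """\
Package: openjdk-7-jdk
Version: 7u95-2.6.4-1.22.201602051241
Provides: java-compiler, java-sdk, java2-sdk, java5-sdk, java6-sdk, java7-sdk
"""

HELIUMV_STANZA = """\
Package: heliumv-base
Version: 0.1-3
Depends: java-common, java7-jdk, perl, ttf-mscorefonts-installer
"""

# Placeholder stanzas (assumption) so the other dependencies are satisfiable.
BASE_REPO = [f"Package: {p}\nVersion: 0\n"
             for p in ("java-common", "perl", "ttf-mscorefonts-installer")]


def parse_stanza(text: str) -> Dict[str, str]:
    """Parse one control-file stanza ('Field: value' lines) into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")   # first colon only (epochs safe)
        fields[key.strip()] = value.strip()
    return fields


def parse_depends(value: str) -> List[List[str]]:
    """'a, b | c (>= 1)' -> [['a'], ['b', 'c']]; version constraints dropped."""
    groups = []
    for item in value.split(","):
        alts = [alt.strip().split(" ")[0] for alt in item.split("|")]
        alts = [a for a in alts if a]
        if alts:
            groups.append(alts)
    return groups


def available_names(repo: List[str]) -> Set[str]:
    """Every name the repository can satisfy: real Package names plus Provides."""
    names: Set[str] = set()
    for stanza in repo:
        fields = parse_stanza(stanza)
        names.add(fields["Package"])
        for group in parse_depends(fields.get("Provides", "")):
            names.update(group)
    return names


def unsatisfied(pkg_stanza: str, repo: List[str]) -> List[str]:
    """Dependency groups of pkg_stanza that nothing in repo satisfies."""
    avail = available_names(repo)
    missing = []
    for group in parse_depends(parse_stanza(pkg_stanza).get("Depends", "")):
        if not any(name in avail for name in group):
            missing.append(" | ".join(group))
    return missing


def add_provides(stanza: str, name: str) -> str:
    """Return stanza with `name` appended to Provides (the comment 4 fix)."""
    fields = parse_stanza(stanza)
    provides = [n for g in parse_depends(fields.get("Provides", "")) for n in g]
    if name not in provides:
        provides.append(name)
    fields["Provides"] = ", ".join(provides)
    return "".join(f"{k}: {v}\n" for k, v in fields.items())


def check(openjdk_stanza: str) -> List[str]:
    """Unmet dependencies of heliumv-base given one openjdk-7-jdk stanza."""
    return unsatisfied(HELIUMV_STANZA, BASE_REPO + [openjdk_stanza])


if __name__ == "__main__":
    print("old openjdk-7-jdk:", check(OLD_OPENJDK_STANZA))
    print("7u95 openjdk-7-jdk:", check(NEW_OPENJDK_STANZA))
    print("7u95 + java7-jdk:", check(add_provides(NEW_OPENJDK_STANZA, "java7-jdk")))
```

The third call shows the trade-off from comment 3: keeping both java7-sdk (Debian's new name) and java7-jdk (the name heliumv-base still depends on) in Provides satisfies the App without diverging from Debian on the new name.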
Comment 5 Arvid Requate univentionstaff 2016-05-03 15:30:12 CEST
New issues fixed in Debian package version 7u101-2.6.6-2~deb7u1:

  * S8129952, CVE-2016-0686: Ensure thread consistency (Serialization)
    S8132051, CVE-2016-0687: Better byte behavior (Hotspot)
    S8138593, CVE-2016-0695: Make DSA more fair (Security Sub-component)
    S8139008: Better state table management
    S8143167, CVE-2016-3425: Better buffering of XML strings (JAXP)
    S8144430, CVE-2016-3427: Improve JMX connections (JMX)
    S8152335, CVE-2016-0636: Improve MethodHandle consistency (Hotspot)

For details see http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html


Additionally the openjdk-7.yaml needs to be merged and updated for ucs4.0-5
Comment 6 Daniel Tröder univentionstaff 2016-05-06 10:24:52 CEST
openjdk-7 package version 7u101-2.6.6-2~deb7u1 was built in scope ucs_4.1-0-errata4.1-1 and the advisory moved and updated in r69181.
Comment 7 Arvid Requate univentionstaff 2016-05-31 19:09:04 CEST
Advisory adjusted for 7u101 and moved to ucs4.1-2.
Note: Package is built in errata4.1-1, advisory correctly says so.

The binary packages are updatable and basic Java tests worked.
Comment 8 Janek Walkenhorst univentionstaff 2016-06-02 13:15:44 CEST
<http://errata.software-univention.de/ucs/4.1/186.html>