Bug 40482 - openjdk-7: Multiple issues (4.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.0
Hardware: Other Linux
Importance: P3 normal
Target Milestone: UCS 4.0-5-errata
Assigned To: Daniel Tröder
QA Contact: Arvid Requate
URL: http://www.oracle.com/technetwork/top...
Depends on: 40483
Reported: 2016-01-21 18:40 CET by Arvid Requate
Modified: 2016-06-01 17:28 CEST (History)
Bug group (optional): Security
requate: Patch_Available+


Description Arvid Requate univentionstaff 2016-01-21 18:40:28 CET
New issues fixed in Debian package version 7u95-2.6.4-1:

 - S8059054, CVE-2016-0402: Better URL processing
 - S8130710, CVE-2016-0448: Better attributes processing
 - S8132210: Reinforce JMX collector internals
 - S8132988: Better printing dialogues
 - S8133962, CVE-2016-0466: More general limits
 - S8137060: JMX memory management improvements
 - S8139012: Better font substitutions
 - S8139017, CVE-2016-0483: More stable image decoding
 - S8140543, CVE-2016-0494: Arrange font actions
 - S8143185: Cleanup for handling proxies
 - S8143941, CVE-2015-8126, CVE-2015-8472: Update splashscreen displays
 - S8144773, CVE-2015-7575: Further reduce use of MD5 (SLOTH)
Comment 1 Arvid Requate univentionstaff 2016-01-28 14:53:00 CET
Package version in wheezy: 7u95-2.6.4-1~deb7u1
Comment 2 Daniel Tröder univentionstaff 2016-02-05 17:30:36 CET
dtroeder@dimma:~$ repo_admin.py -U -r 4.0-0-0 -s errata4.0-4 -d wheezy -p openjdk-7

dtroeder@dimma:~$ repo_stat.py openjdk-7
7u95-2.6.4-1~deb7u1 imported on 2016-02-05 12:34:15.794837
 Included in scope errata4.0-4 for release tag 4.0-0-0 (77864)

dtroeder@dimma:~$ b40-scope errata4.0-4 openjdk-7
The following patches will be applied:
 00_hardcode-debian-settings-in-lsb-detection.patch

Advisory: 67256
Comment 3 Felix Botner univentionstaff 2016-02-09 16:12:15 CET
see Bug #40483
Comment 4 Daniel Tröder univentionstaff 2016-02-10 17:30:52 CET
'java7-jdk' has been added to the 'Provides' field of openjdk-7-jdk (r15872). i386 has been built, amd64 is in the making.
Comment 5 Arvid Requate univentionstaff 2016-05-03 15:31:16 CEST
New issues fixed in Debian package version 7u101-2.6.6-2~deb7u1:

  * S8129952, CVE-2016-0686: Ensure thread consistency (Serialization)
    S8132051, CVE-2016-0687: Better byte behavior (Hotspot)
    S8138593, CVE-2016-0695: Make DSA more fair (Security Sub-component)
    S8139008: Better state table management
    S8143167, CVE-2016-3425: Better buffering of XML strings (JAXP)
    S8144430, CVE-2016-3427: Improve JMX connections (JMX)
    S8152335, CVE-2016-0636: Improve MethodHandle consistency (Hotspot)

For details see http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html


Additionally, the openjdk-7.yaml needs to be updated for ucs4.1-1
Comment 6 Daniel Tröder univentionstaff 2016-05-06 10:24:48 CEST
openjdk-7 package version 7u101-2.6.6-2~deb7u1 was built in scope ucs_4.0-0-errata4.0-5 and the advisory moved and updated in r69180.
Comment 7 Arvid Requate univentionstaff 2016-05-31 18:49:30 CEST
Note: 7u101-2.6.6-2~deb7u1 corresponds to JDK 7u101:

https://blogs.oracle.com/thejavatutorials/entry/jdk_8u91_8u92_7u101_and

root@master50:~# java -version
java version "1.7.0_101"
OpenJDK Runtime Environment (IcedTea 2.6.6) (7u101-2.6.6-2.29.201605040859)
OpenJDK 64-Bit Server VM (build 24.95-b01, mixed mode)

Advisory updated accordingly. I also remove the point about IcedTea 2.6.6 because that can easily be confused with the IcedTea-Web browser plugin, which still shows 1.4-3.7.201411012253 (don't ask).

The binary packages are updatable and basic Java application testing worked.
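As an added example (not code from this bug tracker, Univention or the Debian openjdk-7 packaging), a small Python check that maps the Debian package version to what `java -version` reports, the way comment 7 does by hand, and ignores the unrelated IcedTea-Web plugin version string. The sample output is constructed from the one quoted above; the function names are assumptions.

```python
import re

# Constructed sample: same shape as the `java -version` output quoted in
# comment 7 for package 7u101-2.6.6-2~deb7u1.
SAMPLE_JAVA_VERSION = """java version "1.7.0_101"
OpenJDK Runtime Environment (IcedTea 2.6.6) (7u101-2.6.6-2.29.201605040859)
OpenJDK 64-Bit Server VM (build 24.95-b01, mixed mode)
"""

# Debian version '7u101-2.6.6-2~deb7u1' -> major 7, update 101, IcedTea 2.6.6
DEB_VERSION_RE = re.compile(r"^(\d+)u(\d+)-(\d+\.\d+\.\d+)-")
# 'java version "1.7.0_101"' -> major 7, update 101
JAVA_VERSION_RE = re.compile(r'java version "1\.(\d+)\.0_(\d+)"')
# Only the JRE's "(IcedTea x.y.z)" tag; "IcedTea-Web 1.4-..." (the browser
# plugin) does not match, so it cannot be mistaken for the runtime version.
ICEDTEA_RE = re.compile(r"\(IcedTea (\d+\.\d+\.\d+)\)")


def parse_debian_version(version):
    """Return (major, update, icedtea) from a Debian openjdk-7 version string."""
    m = DEB_VERSION_RE.match(version)
    if not m:
        raise ValueError("unrecognised Debian openjdk version: %r" % version)
    return int(m.group(1)), int(m.group(2)), m.group(3)


def parse_java_version(output):
    """Return (major, update, icedtea) from `java -version` output."""
    jv = JAVA_VERSION_RE.search(output)
    it = ICEDTEA_RE.search(output)
    if not jv or not it:
        raise ValueError("unrecognised java -version output")
    return int(jv.group(1)), int(jv.group(2)), it.group(1)


def runtime_matches_package(output, deb_version):
    """True when the running JVM is exactly the build the package ships."""
    return parse_java_version(output) == parse_debian_version(deb_version)


def runtime_at_least(output, deb_version):
    """True when the JVM's (major, update) is >= the package's: the host has
    at least the update level that the advisory's fixes were released in."""
    jmaj, jupd, _ = parse_java_version(output)
    dmaj, dupd, _ = parse_debian_version(deb_version)
    return (jmaj, jupd) >= (dmaj, dupd)
```

Feed it the real output of `java -version 2>&1` on a host to confirm the update level after rolling out the erratum.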
Comment 8 Janek Walkenhorst univentionstaff 2016-06-01 17:28:08 CEST
<http://errata.software-univention.de/ucs/4.0/434.html>