Univention Bugzilla – Bug 46320
openjdk-7: Multiple issues (4.2)
Last modified: 2018-05-08 14:57:03 CEST
+++ This bug was initially created as a clone of Bug #44687 +++ 151: <http://blog.fuseyism.com/index.php/2017/08/10/security-icedtea-2-6-11-for-openjdk-7-released/> 161: <http://blog.fuseyism.com/index.php/2017/12/06/security-icedtea-2-6-12-for-openjdk-7-released/> 171: WIP <http://mail.openjdk.java.net/pipermail/jdk7u-dev/2018-February/010751.html The OpenJDK 7 u161 security updates where cherry-picked into Debians 7u151-2.6.11-2. We need to rebuild OpenJDK-7 for errata4.2-3 anyway, as that version is less than the version in errata4.1-5: <http://xen1.knut.univention.de:8000/packages/source/openjdk-7/?since=4.1-1> This breaks UCS-4.3 as there the version from errata4.1-5 is picked, which still depends on "tzdata-java" from Debian-Jessie, has a conflicts with "tzdata" from Debian-Stretch.
$ deb-ver-comp 7u121-2.6.8-1.34.201701252027 7u121-2.6.8-2~deb8u1 7u151-2.6.11-2~deb8u1A~4.2.0.201712111344 7u151-2.6.11-2.36.201712111508 7u151-2.6.11-2.A4.2.0.201712111344 Sort as given 7u121-2.6.8-1.34.201701252027 ← errata4.1.4 7u121-2.6.8-2~deb8u1 ← 4.2-0 7u151-2.6.11-2~deb8u1A~4.2.0.201712111344 ← current errata4.2-3 7u151-2.6.11-2.36.201712111508 ← current errata4.1-5 7u151-2.6.11-2.A4.2.0.201712111344 ← this errata4.2-3 $ build-package-ng -r 4.2 -s errata4.2-3 -p openjdk-7 -v 7u151-2.6.11-2.A4.2.0.201712111344 Package: openjdk-7 Version: 7u151-2.6.11-2.A4.2.0.201712111344 Branch: ucs_4.2-0 Scope: errata4.2-3
OpenJDK is dropped from Debian-Jessie and any upgrade to UCS-4.3 currently failes when installed, as old tzdata-java from Debian-Jessie conflicts with the newer tzdata from Debian-Stretch.
TL;DR: <https://lists.debian.org/debian-glibc/2014/08/msg00007.html> - Java has its own TZ datase, which is part of src:openjdk-X - it received quaterly updates - Debian maintains only src:tzdata - the data is compiled into the format required by OpenJDK - the compiler is only available with bin:OpenDJK <= 7 - OpenJDK-8 uses a new format - the compiler is no longer available in bin:openjdk-8 - Debian dropped the compilation from src:tzdata Oracle provided an online update too for their versions: <http://www.oracle.com/technetwork/java/javase/tzdata-versions-138805.html>/tzdata As the current version works for UCS-4.2 and OpenJDK-7 is not supported in Debian-Stretch/UCS-4.3 anyway, there is nothing more to do. Users should upgrade to OpenJDK-8 anyway: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818308> TODO: A release-upgrade from UCS-4.2 to UCS-4.3 fails as univention-java is uninstalled. 39787a637f Bug #46320: openjdk-7 doc/errata/staging/openjdk-7.yaml | 11 +++++++++++
(In reply to Philipp Hahn from comment #3) > TODO: A release-upgrade from UCS-4.2 to UCS-4.3 fails as univention-java is > uninstalled. This is Bug #45959. So OpenJDK-7 is ready for errata4.2-3 (for now, as 171 is not yet available)
r18068 | Bug #46320: OpenJDK-7 7u151-2.6.11-2~deb8u1 Package: openjdk-7 Version: 7u171-2.6.13-1~deb8u1A~4.2.0.201804061203 Branch: ucs_4.2-0 Scope: errata4.2-3 [4.2-3] 39eaee0c31 Bug #46320: openjdk-7 7u171-2.6.13-1~deb8u1 doc/errata/staging/openjdk-7.yaml | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-)
Verified: * r18068 10_tzdata.patch switching to tzdata-java * patch applied during built * errata4.2-3 package update works * Advisory Ok
--- mirror/ftp/4.1/unmaintained/component/4.1-5-errata/source/openjdk-7_7u151-2.6.11-2.36.201712111508.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/openjdk-7_7u171-2.6.13-1~deb8u1A~4.2.0.201804061203.dsc @@ -1,11 +1,60 @@ -7u151-2.6.11-2.36.201712111508 [Mon, 11 Dec 2017 15:08:47 +0100] Univention builddaemon <buildd@univention.de>: +7u171-2.6.13-1~deb8u1A~4.2.0.201804061203 [Fri, 06 Apr 2018 12:03:50 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package - 00_hardcode-debian-settings-in-lsb-detection - 10_add_java7-jdk_provides - -7u151-2.6.11-2~deb7u3 [Thu, 23 Nov 2017 18:57:05 +0100] Emilio Pozuelo Monfort <pochu@debian.org>: - + 10_tzdata + +7u171-2.6.13-1~deb8u1 [Tue, 03 Apr 2018 09:00:06 +0200] Moritz Muehlenhoff <jmm@debian.org>: + + * Rebuild for jessie-security + +7u171-2.6.13-1 [Mon, 02 Apr 2018 10:36:32 +0200] Matthias Klose <doko@ubuntu.com>: + + [ Tiago Stürmer Daitx ] + * IcedTea release 2.6.13 (based on 7u171). Closes: #891330. + * Security fixes: + - S8160104: CORBA communication improvements + - S8172525, CVE-2018-2579: Improve key keying case + - S8174756: Extra validation for public keys + - S8175932: Improve host instance supports + - S8176458: Revise default document styling + - S8178449, CVE-2018-2588: Improve LDAP logins + - S8178458: Better use of certificates in LDAP + - S8178466: Better RSA parameters + - S8179536: Cleaner print job handling + - S8179990: Cleaner palette entry handling + - S8180011: Cleaner native graphics device handling + - S8180015: Cleaner AWT robot handling + - S8180020: Improve SymbolHashMap entry handling + - S8180433: Cleaner CLR invocation handling + - S8180877: More deeply colored ICC spaces + - S8181664: Improve JVM UTF String handling + - S8181670: Improve implementation of keystores + - S8182125, CVE-2018-2599: Improve reliability of DNS lookups + - S8182387, CVE-2018-2603: Improve PKCS usage + - S8182601, CVE-2018-2602: Improve usage messages + - S8185292, CVE-2018-2618: Stricter key generation + - S8185325, CVE-2018-2641: Improve GTK initialization + - S8186080: Transform XML interfaces + - S8186212, CVE-2018-2629: Improve GSS handling + - S8186600, CVE-2018-2634: Improve property negotiations + - S8186606, CVE-2018-2633: Improve LDAP lookup robustness + - S8186867: Improve native glyph layouts + - S8186998, CVE-2018-2637: Improve JMX supportive features + - S8189284, CVE-2018-2663: More refactoring for deserialization cases + - S8190289, CVE-2018-2677: More refactoring for client deserialization cases + - S8191142, CVE-2018-2678: More refactoring for naming deserialization cases + * Remove multiarch-support pre-dependency. Closes: #887858. + + [ Matthias Klose ] + * Bump standards version. + * Disable bootstrap on sid/buster, gcj is removed. + * Remove Damien Raude-Morvan as uploader. Closes: #889378. + +7u161-2.6.12-1 [Thu, 07 Dec 2017 09:12:51 +0100] Matthias Klose <doko@ubuntu.com>: + + * IcedTea release 2.6.12 (based on 7u161). + * Disable Hotspot workaround for Exec Shield (Debian only). + Addresses: #876051. * Build-depend on g++-4.7 on wheezy. This is the default on some architectures such as amd64 or i386, but not on armhf or armel, which default to 4.6. There the build was working before because @@ -13,15 +62,19 @@ and that in turn depends on g++-4.7. However since we have disabled the bootstrap build now, g++-4.7 is no longer installed on arm* builds, causing the build failure which couldn't be seen - on amd64. - -7u151-2.6.11-2~deb7u2 [Mon, 20 Nov 2017 23:00:27 +0100] Emilio Pozuelo Monfort <pochu@debian.org>: - - * Non-maintainer upload by the LTS team. - * Backport to wheezy. + on amd64 (Emilio Pozuelo Monfort). + +7u151-2.6.11-3 [Thu, 23 Nov 2017 16:37:21 +0100] Matthias Klose <doko@ubuntu.com>: + + [ Matthias Klose ] * Disable bootstrap on wheezy, it currently fails due to the last round - of 8u151 security patches. - * Use deb7u2 version as deb7u1 was used by mistake for the jessie update. + of 8u151 security patches (Emilio Pozuelo Monfort). + + [ Tiago Stürmer Daitx ] + * debian/patches/hotspot-aarch64-S8145438-fix-field-too-big-for-insn.patch: + the S8144028 fix was incomplete and followed up by S8145438; without it + aarch64 JVM can fail with "Internal Error, failed: Field too big for + insn". 7u151-2.6.11-2 [Mon, 20 Nov 2017 21:24:32 +0100] Matthias Klose <doko@ubuntu.com>:
<http://errata.software-univention.de/ucs/4.2/386.html>