Univention Bugzilla – Bug 51206
openjdk-8: Multiple issues (4.4)
Last modified: 2020-05-06 14:40:08 CEST
New Debian openjdk-8 8u252-b09-1~deb9u1 fixes:

This update addresses the following issues:
* Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)
* Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)
* Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)
* Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)
* Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)
* Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)
* CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)
* Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)
* Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)
--- mirror/ftp/4.4/unmaintained/4.4-4/source/openjdk-8_8u242-b08-1~deb9u1.dsc +++ apt/ucs_4.4-0-errata4.4-4/source/openjdk-8_8u252-b09-1~deb9u1.dsc 
@@ -1,10 +1,96 @@ -8u242-b08-1~deb9u1 [Mon, 10 Feb 2020 12:38:09 +0000] Moritz Muehlenhoff <jmm@debian.org>: +8u252-b09-1~deb9u1 [Fri, 24 Apr 2020 13:11:49 +0000] Moritz Muehlenhoff <jmm@debian.org>: * Rebuild for stretch-security +8u252-b09-1 [Wed, 15 Apr 2020 15:38:21 +0200] Matthias Klose <doko@ubuntu.com>: + + * Update to OpenJDK 8u252-b09 (GA). Updated aarch32 to 8u252-b08 (no + hotspot changes between b08 and b09). + * Security fixes + - JDK-8223898, CVE-2020-2754: Forward references to Nashorn + - JDK-8223904, CVE-2020-2755: Improve Nashorn matching + - JDK-8224541, CVE-2020-2756: Better mapping of serial ENUMs + - JDK-8224549, CVE-2020-2757: Less Blocking Array Queues + - JDK-8225603: Enhancement for big integers + - JDK-8227542: Manifest improved jar headers + - JDK-8231415, CVE-2020-2773: Better signatures in XML + - JDK-8233250: Better X11 rendering + - JDK-8233410: Better Build Scripting + - JDK-8234027: Better JCEKS key support + - JDK-8234408, CVE-2020-2781: Improve TLS session handling + - JDK-8234825, CVE-2020-2800: Better Headings for HTTP Servers + - JDK-8234841, CVE-2020-2803: Enhance buffering of byte buffers + - JDK-8235274, CVE-2020-2805: Enhance typing of methods + - JDK-8236201, CVE-2020-2830: Better Scanner conversions + - JDK-8238960: linux-i586 builds are inconsistent as the newly build + jdk is not able to reserve enough space for object heap + * Other changes + - JDK-8005819: Support cross-realm MSSFU + - JDK-8022263: use same Clang warnings on BSD as on Linux + - JDK-8038631: Create wrapper for awt.Robot with additional functionality + - JDK-8047212: runtime/ParallelClassLoading/bootstrap/random/inner-complex + assert(ObjectSynchronizer::verify_objmon_isinpool(inf)) failed: monitor + is invalid + - JDK-8055283: Expand ResourceHashtable with C_HEAP allocation, removal and + some unit tests + - JDK-8068184: Fix for JDK-8032832 caused a deadlock + - JDK-8079693: Add support for ECDSA P-384 and P-521 curves to XML Signature + - 
JDK-8132130: some docs cleanup + - JDK-8135318: CMS wrong max_eden_size for check_gc_overhead_limit + - JDK-8144445: Maximum size checking in Marlin ArrayCache utility methods + is not optimal + - JDK-8144446: Automate the Marlin crash test + - JDK-8144526: Remove Marlin logging use of deleted internal API + - JDK-8144630: Use PrivilegedAction to create Thread in Marlin RendererStats + - JDK-8144654: Improve Marlin logging + - JDK-8144718: Pisces / Marlin Strokers may generate invalid curves with + huge coordinates and round joins + - JDK-8166976: TestCipherPBECons has wrong @run line + - JDK-8167409: Invalid value passed to critical JNI function + - JDK-8181872: C1: possible overflow when strength reducing integer multiply + by constant + - JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT + - JDK-8191227: issues with unsafe handle resolution + - JDK-8197441: Signature#initSign/initVerify for an invalid + private/public key fails with ClassCastException for SunPKCS11 provider + - JDK-8204152: SignedObject throws NullPointerException for null keys with + an initialized Signature object + - JDK-8215756: Memory leaks in the AWT on macOS + - JDK-8216472: (se) Stack overflow during selection operation leads to crash + - JDK-8219244: NMT: Change ThreadSafepointState's allocation type from + mtInternal to mtThread + - JDK-8219597: (bf) Heap buffer state changes could provoke unexpected + exceptions + - JDK-8225128: Add exception for expiring DocuSign root to VerifyCACerts + test + - JDK-8225130: Add exception for expiring Comodo roots to VerifyCACerts test + - JDK-8229022: BufferedReader performance can be improved by using + StringBuilder + - JDK-8229345: Memory leak due to vtable stubs not being shared on SPARC + - JDK-8229872: (fs) Increase buffer size used with getmntent + - JDK-8230235: Rendering HTML with empty img attribute and documentBaseKey + cause Exception + - JDK-8231430: C2: Memory stomp in max_array_length() for T_ILLEGAL type + - 
JDK-8235744: PIT: + test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in + linux-x64 + - JDK-8235904: Infinite loop when rendering huge lines + - JDK-8236179: C1 register allocation error with T_ADDRESS + - JDK-8237368: Problem with NullPointerException in RMI TCPEndpoint.read + - JDK-8240521: Revert backport of 8231584: Deadlock with + ClassLoader.findLibrary and System.loadLibrary call + - JDK-8241296: Segfault in JNIHandleBlock::oops_do() + - JDK-8241307: Marlin renderer should not be the default in 8u252 + * Build using GCC 9 in unstable. Closes: #944184. + +8u252-b07-1 [Thu, 26 Mar 2020 12:57:56 +0100] Matthias Klose <doko@ubuntu.com>: + + * Update to 8u252-b07 (early access build). + * Update ARM32 and AArch64 hotspot to 8u252-b06. + * Build using GCC 9 in recent releases. + 8u242-b08-1 [Thu, 06 Feb 2020 19:12:24 +0100] Thorsten Glaser <tg@mirbsd.de>: - * Team upload. * Merge changes from 8u242-b08-0ubuntu3 back into Debian * Fix nocheck profile (no profile support) for wheezy * Version !nocheck default-jre-headless build dependency @@ -15,7 +101,6 @@ 8u242-b08-0ubuntu3 [Fri, 17 Jan 2020 17:37:33 +0000] Tiago Stürmer Daitx <tiago.daitx@ubuntu.com>: - * Sync packages with 8u242-b08: * OpenJDK 8u242-b08 build (release). - S8226352, CVE-2020-2590: Improve Kerberos interop capabilities - S8228548, CVE-2020-2593: Normalize normalization for all <http://10.200.17.11/4.4-4/#884597326658765954>
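
Review bot: In the first hunk, the new 8u252-b09-1 entry lists "JDK-8236201, CVE-2020-2830: Better Scanner conversions" under Security fixes, but the bug description names only nine CVEs (CVE-2020-2754 through CVE-2020-2805) and leaves CVE-2020-2830 out. Add CVE-2020-2830 to the description and check that doc/errata/staging/openjdk-8.yaml carries it, so the published advisory matches the changelog. The same Security fixes block also contains entries without a CVE id (JDK-8225603, JDK-8227542, JDK-8233250, JDK-8233410, JDK-8234027); a short note in the erratum that the update includes further hardening beyond the listed CVEs would cover them.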
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-4] b972d00fb6 Bug #51206: openjdk-8 8u252-b09-1~deb9u1
 doc/errata/staging/openjdk-8.yaml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
<http://errata.software-univention.de/ucs/4.4/580.html>