-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 26 Jul 2016 13:00:12 +0200
Source: openjdk-8
Binary: openjdk-8-jdk-headless openjdk-8-jre-headless openjdk-8-jdk
 openjdk-8-jre openjdk-8-demo openjdk-8-source openjdk-8-doc openjdk-8-dbg
 openjdk-8-jre-jamvm openjdk-8-jre-zero
Architecture: source
Version: 8u102-b14-2
Distribution: unstable
Urgency: medium
Maintainer: OpenJDK Team <open...@lists.launchpad.net>
Changed-By: Matthias Klose <d...@ubuntu.com>
Description:
 openjdk-8-dbg - Java runtime based on OpenJDK (debugging symbols)
 openjdk-8-demo - Java runtime based on OpenJDK (demos and examples)
 openjdk-8-doc - OpenJDK Development Kit (JDK) documentation
 openjdk-8-jdk - OpenJDK Development Kit (JDK)
 openjdk-8-jdk-headless - OpenJDK Development Kit (JDK) (headless)
 openjdk-8-jre - OpenJDK Java runtime, using ${vm:Name}
 openjdk-8-jre-headless - OpenJDK Java runtime, using ${vm:Name} (headless)
 openjdk-8-jre-jamvm - Alternative JVM for OpenJDK, using JamVM
 openjdk-8-jre-zero - Alternative JVM for OpenJDK, using Zero/Shark
 openjdk-8-source - OpenJDK Development Kit (JDK) source files
Changes:
 openjdk-8 (8u102-b14-2) unstable; urgency=medium
 .
   * Update AArch64 and KFreeBSD patches.
 .
 openjdk-8 (8u102-b14-1) unstable; urgency=medium
 .
   * Update to 8u101-b14, including security fixes:
   * IIOP Input Stream Hooking. CVE-2016-3458:
     defaultReadObject is not forbidden in readObject in subclasses of
     InputStreamHook which provides leverage to deserialize malicious objects
     if a reference to the input stream can be obtained separately.
   * Complete name checking. S8148872, CVE-2016-3500:
     In some cases raw names in XML data are not checked for length limits
     allowing for DoS attacks.
   * Better delineation of XML processing. S8149962, CVE-2016-3508:
     Denial of service measures do not take newline characters into account.
     This can be used to conduct attacks like the billion laughs DoS.
   * Coded byte streams. S8152479, CVE-2016-3550:
     A fuzzed class file triggers an integer overflow in array access.
   * Clean up lookup visibility. S8154475, CVE-2016-3587:
     A fast path change allowed access to MH.invokeBasic via the public lookup
     object. MH.iB does not do full type checking which can be used to create
     type confusion.
   * Bolster bytecode verification. S8155981, CVE-2016-3606:
     The bytecode verifier checks that any class's <init> method calls
     super.<init> before returning. There is a way to bypass this requirement
     which allows creating subclasses of classes that are not intended to be
     extended.
   * Persistent Parameter Processing. S8155985, CVE-2016-3598:
     TOCTOU issue with types List passed into dropArguments() which can be used
     to cause type confusion.
   * Additional method handle validation. S8158571, CVE-2016-3610:
     MHs.filterReturnValue does not check the filter parameter list size.
     The single expected parameter is put in the last parameter position for
     the filter MH allowing for type confusion.
   * Enforce GCM limits. S8146514:
     In GCM the counter should not be allowed to wrap (per the spec), since that
     plus exposing the encrypted data could lead to leaking information.
   * Construction of static protection domains. S8147771:
     SubjectDomainCombiner does not honor the staticPermission field and will
     create ProtectionDomains that vary with the system policy which may allow
     unexpected permission sets.
   * Share Class Data. S8150752:
     Additional verification of AppCDS archives is required to prevent an
     attacker from creating a type confusion situation.
   * Enforce update ordering. S8149070:
     If the GCM methods update() and updateAAD() are used out of order, the
     security of the system can be weakened and an exception should be thrown
     to warn the developer.
   * Constrain AppCDS behavior. S8153312:
     AppCDS does not create classloader constraints upon reloading classes
     which could allow class spoofing under some circumstances.
Checksums-Sha1:
 5a3ca188c675e3c57cab6fa7469a7fc60eee72ff 4479 openjdk-8_8u102-b14-2.dsc
 2ad59442493ba04165b32d3f27e8eb31b3f8acbb 228444 openjdk-8_8u102-b14-2.debian.tar.xz
Checksums-Sha256:
 cbf037cbac3642dc87fa164bbe853901f5fd43cc5090daf258a58bfc06fe0a92 4479 openjdk-8_8u102-b14-2.dsc
 39e4a055d7940d316c868c30378ece39cfa7a97816c50152081198ad16c13463 228444 openjdk-8_8u102-b14-2.debian.tar.xz
Files:
 e12b02b301450b7995bd471388385716 4479 java optional openjdk-8_8u102-b14-2.dsc
 4699c5bb03114aa284b215acede8909d 228444 java optional openjdk-8_8u102-b14-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----