Created by Matthias Klose on 2010-07-13 and last modified on 2017-02-08
Get this branch:
bzr branch lp:~openjdk/openjdk/openjdk7
Members of OpenJDK can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information


Recent revisions

612. By Matthias Klose on 2017-02-08

  * Remove obsolete changelog entries from previous release.

611. By Matthias Klose on 2017-02-08

  * Remove obsolete changelog entries from previous release.

610. By Matthias Klose on 2017-02-08

openjdk-7 (7u121-2.6.8-2) experimental; urgency=high

  [ Tiago Stürmer Daitx ]
  * Security fixes from 8u121:
    - S8167104, CVE-2017-3289: Custom class constructor code can bypass the
      required call to super.init allowing for uninitialized objects to be
    - S8164143, CVE-2017-3260: It is possible to corrupt memory by calling
      dispose() on a CMenuComponentmultiple times.
    - S8168714, CVE-2016-5546: ECDSA will accept signatures that have various
      extraneous bytes added to them whereas the signature is supposed to be
    - S8166988, CVE-2017-3253: The PNG specification allows the [iz}Txt
      sections to be 2^32-1 bytes long so these should not be uncompressed
      unless the user explicitly requests it.
    - S8168728, CVE-2016-5548: DSA signing exhibits a timing bias that may
      leak information about k.
    - S8161743, CVE-2017-3252: LdapLoginModule incorrectly tries to
      deserialize responses from an LDAP server when an LDAP context is
    - S8167223, CVE-2016-5552: Parsing of URLs can be inconsistent with how
      users or external applications would interpret them leading to possible
      security issues.
    - S8168705, CVE-2016-5547: A value from an InputStream is read directly
      into the size argument of a new byte[] without validation.
    - S8164147, CVE-2017-3261: An integer overflow exists in
      SocketOutputStream which can lead to memorydisclosure.
    - S8151934, CVE-2017-3231: Under some circumstances URLClassLoader will
      dispatch HTTP GET requests where the invoker does not have permission.
    - S8165071, CVE-2016-2183: 3DES can be exploited for block collisions when
      long running sessions are allowed.
  * Missing
    - S8165344, CVE-2017-3272: A protected field can be leveraged into type
    - S8156802, CVE-2017-3241: RMI deserialization should limit the types
      deserialized to prevent attacks that could escape the sandbox.
  * Ignored
    - S8168724, CVE-2016-5549: ECDSA signing exhibits a timing bias that may
      leak information about k.

 -- Matthias Klose <email address hidden> Tue, 07 Feb 2017 11:09:39 +0100

609. By Matthias Klose on 2017-02-07

openjdk-7 (7u121-2.6.8-1) experimental; urgency=medium

  * IcedTea release 2.6.8 (based on 7u121):

 -- Matthias Klose <email address hidden> Mon, 14 Nov 2016 13:38:40 +0100

608. By Matthias Klose on 2016-11-14

 - upload 7u111-2.6.7-3

607. By Matthias Klose on 2016-11-05

  [ Tiago Stürmer Daitx ]
  * Don't use precompiled header files on arm64.
  * Update the sec-webrev-8u111-S8159503.hotspot patch.

606. By Matthias Klose on 2016-11-04

  [ Tiago Stürmer Daitx ]
  * Backported security fixes from 8u111:
    - CVE-2016-5568, S8158993: Service Menu services.
    - CVE-2016-5582, S8160591: Improve internal array handling.
    - CVE-2016-5573, S8159519: Reformat JDWP messages.
    - CVE-2016-5597, S8160838: Better HTTP service.
    - CVE-2016-5554, S8157739: Classloader Consistency Checking.
    - CVE-2016-5542, S8155973: Tighten jar checks.
  * debian/rules:
    - removed lcms version 1 option as no current release uses that, lcms2
      is now default.
    - removed in-tree/system lcms selection to always use system's lcms.
    - removed all cacao references except for the transitional cacao package.
    - updated jtreg tests to use othervm.
    - simplified rhino and libcups dependency selection.
  * debian/buildwatch.sh: updated to stop it if no 'make' process is running,
    as it probably means that the build failed - otherwise buildwatch keeps
    the builder alive until it exits after the timer (3 hours by default)
  * debian/control.in: removed cacao references.
  * debian/README.source: removed cacao references.
  * debian/patches/cacao-armv4.diff: deleted file.
  * Makefile.am: remove -samevm
  * debian/patches/it-jamvm-8158260-unsafe-methods.patch: fix JAMVM
    after the introduction of two new Unsafe methods in the OpenJDK
    hotspot. Closes: #833933. (LP: #1611598)

605. By Matthias Klose on 2016-11-04

 - check-in remaining changes for 7u111-2.6.7-1 upload

604. By Matthias Klose on 2016-05-04

openjdk-7 (7u101-2.6.6-2) experimental; urgency=medium

  * Configure with --disable-arm32-jit, broken by the security update.

 -- Matthias Klose <email address hidden> Sat, 23 Apr 2016 02:28:28 +0200

603. By Matthias Klose on 2016-05-04

openjdk-7 (7u101-2.6.6-1) experimental; urgency=medium

  [ Tiago Stürmer Daitx ]
  * IcedTea release 2.6.6 (based on 7u101):
  * Security fixes
    - S8129952, CVE-2016-0686: Ensure thread consistency
    - S8132051, CVE-2016-0687: Better byte behavior
    - S8138593, CVE-2016-0695: Make DSA more fair
    - S8139008: Better state table management
    - S8143167, CVE-2016-3425: Better buffering of XML strings
    - S8144430, CVE-2016-3427: Improve JMX connections
    - S8146494: Better ligature substitution
    - S8146498: Better device table adjustments
  * debian/patches/jdk-8152335-improve-methodhandle-consistency.patch:
    removed, fix is upstream since 2.6.5

  [ Matthias Klose ]
  * Fix handling of /usr/lib/jvm/*/jre/lib/zi if internal tzdata is used (Andreas
    Beckmann). Closes: #821858.

 -- Matthias Klose <email address hidden> Fri, 22 Apr 2016 21:14:22 +0200

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information 
Everyone can see this information.