lp:ubuntu/intrepid-updates/openjdk-6

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/intrepid-updates/openjdk-6

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

47. By Matthias Klose

* SECURITY UPDATE: multiple upstream vulnerabilities. Upstream fixes:
  - 6626217: Loader-constraint table allows arrays instead of only
    the base-classes.
  - 6633872: Policy/PolicyFile leak dynamic ProtectionDomains.
  - 6639665: ThreadGroup finalizer allows creation of false root ThreadGroups.
  - 6736390: File TOCTOU deserialization vulnerability.
  - 6745393: Inflater/Deflater clone issues.
  - 6887703: Unsigned applet can retrieve the dragged information before drop
    action occurs.
  - 6888149: AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error.
  - 6892265: System.arraycopy unable to reference elements beyond
    Integer.MAX_VALUE bytes.
  - 6893947: Deserialization of RMIConnectionImpl objects should enforce
    stricter checks [ZDI-CAN-588].
  - 6893954: Subclasses of InetAddress may incorrectly interpret network
    addresses [ZDI-CAN-603].
  - 6894807: No ClassCastException for HashAttributeSet constructors if run
    with -Xcomp.
  - 6898622: ObjectIdentifier.equals is not capable of detecting incorrectly
    encoded CommonName OIDs.
  - 6898739: TLS renegotiation issue.
  - 6899653: Java Runtime CMM readMabCurveData Buffer Overflow Vulnerability.
  - 6902299: Java JAR "unpack200" must verify input parameters.
  - 6904691: Java Applet Trusted Methods Chaining Privilege Escalation
    Vulnerability.
  - 6909597: Java Runtime Environment JPEGImageReader stepX Integer Overflow
    Vulnerability.
  - 6910590: Application can modify command array, in ProcessBuilder.
  - 6914823: Java AWT Library Invalid Index Vulnerability.
  - 6914866: JRE ImagingLib arbitrary code execution vulnerability.
  - 6932480: Crash in CompilerThread/Parser.

46. By Matthias Klose

* Security updates:
  - (CVE-2009-3728) ICC_Profile file existence detection information leak
    (6631533).
  - (CVE-2009-3885) BMP parsing DoS with UNC ICC links (6632445).
  - (CVE-2009-3881) resurrected classloaders can still have children
    (6636650).
  - (CVE-2009-3882) Numerous static security flaws in Swing (findbugs)
    (6657026).
  - (CVE-2009-3883) Mutable statics in Windows PL&F (findbugs) (6657138).
  - (CVE-2009-3880) UI logging information leakage (6664512).
  - (CVE-2009-3879) GraphicsConfiguration information leak (6822057).
  - (CVE-2009-3884) zoneinfo file existence information leak (6824265).
  - (CVE-2009-2409) deprecate MD2 in SSL cert validation (Kaminsky) (6861062).
  - (CVE-2009-3873) JPEG Image Writer quantization problem (6862968).
  - (CVE-2009-3875) MessageDigest.isEqual introduces timing attack
    vulnerabilities (6863503).
  - (CVE-2009-3876, CVE-2009-3877) OpenJDK ASN.1/DER input stream parser
    denial of service (6864911).
  - (CVE-2009-3869) JRE AWT setDifflCM stack overflow (6872357).
  - (CVE-2009-3874) ImageI/O JPEG heap overflow (6874643).
  - (CVE-2009-3871) JRE AWT setBytePixels heap overflow (6872358).

45. By Kees Cook

* SECURITY UPDATE: fix multiple upstream vulnerabilities:
  - CVE-2009-0217 xmlsec1, mono, xml-security-c,
    xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing
    and authentication bypass.
  - CVE-2009-2670 OpenJDK Untrusted applet System properties access (6738524).
  - CVE-2009-2671 CVE-2009-2672 OpenJDK Proxy mechanism information leaks
    (6801071).
  - CVE-2009-2673 OpenJDK proxy mechanism allows non-authorized socket
    connections (6801497).
  - CVE-2009-2674 Java Web Start Buffer JPEG processing integer overflow
    (6823373).
  - CVE-2009-2675 Java Web Start Buffer unpack200 processing integer
    overflow (6830335).
  - CVE-2009-2625 OpenJDK XML parsing Denial-Of-Service (6845701).
  - CVE-2009-2475 OpenJDK information leaks in mutable variables (6588003,
    6656586, 6656610, 6656625, 6657133, 6657619, 6657625, 6657695, 6660049,
    6660539, 6813167).
  - CVE-2009-2476 OpenJDK OpenType checks can be bypassed (6736293).
  - CVE-2009-2690 OpenJDK private variable information disclosure (6777487).
  - CVE-2009-2676 JRE applet launcher vulnerability.

44. By Matthias Klose

* Security Vulnerability Fixes for OpenJDK:
  - 6522586: Enforce limits on Font creation.
  - 6536193: flaw in UTF8XmlOutput.
  - 6610888: Potential use of cleared or incorrect acc in JMX Monitor.
  - 6610896: JMX Monitor handles thread groups incorrectly.
  - 6630639: lightweight HttpServer leaks file descriptors on no-data
    connections.
  - 6632886: Font.createFont can be persuaded to leak temporary files.
  - 6636360: compiler/6595044/Main.java test fails with 64bit java on
    solaris-sparcv9 with SIGSEGV.
  - 6652463: MediaSize constructors allow to redefine the mapping of
    standard MediaSizeName values.
  - 6652929: Font.createFont(int,File) trusts File.getPath.
  - 6656633: getNotificationInfo methods static mutable (findbugs).
  - 6658158: Mutable statics in SAAJ (findbugs).
  - 6658163: txw2.DatatypeWriter.BUILDIN is a mutable static (findbugs).
  - 6691246: Thread context class loader can be set using JMX remote
    ClientNotifForwarded.
  - 6717680: LdapCtx does not close the connection if initialization fails.
  - 6721651: Security problem with out-of-the-box management.
  - 6737315: LDAP serialized data vulnerability.
  - 6792554: Java JAR Pack200 header checks are insufficient.
  - 6804996: JWS PNG Decoding Integer Overflow [V-flrhat2ln8].
  - 6804997: JWS GIF Decoding Heap Corruption [V-r687oxuocp].
  - 6804998: JRE GIF Decoding Heap Corruption [V-y6g5jlm8e1].
* Add security patch for the lcms library.
* Add accessibility patches java-access-bridge-security.patch and
  accessible-toolkit.patch.
* Add /usr/lib/jni to the library path. Closes: #517338.

43. By Kees Cook

* SECURITY UPDATE: multiple upstream vulnerabilities.
  - upstream fixes, thanks to Bernhard R. Link:
    - patches/icedtea-4486841.patch fixes CVE-2008-5351:
       UTF-8 decoder accepts non-shortest form sequences,
    - patches/icedtea-6484091.patch fixes CVE-2008-5350:
       allows to list files within the user home directory,
    - patches/icedtea-6497740.patch fixes CVE-2008-5349:
       RSA public key length denial-of-service,
    - patches/icedtea-6588160.patch fixes CVE-2008-5348:
       Denial-Of-Service in kerberos authentication,
    - patches/icedtea-6592792.patch fixes CVE-2008-5347:
       applet privilege escalation via JAX package access,
    - patches/icedtea-6721753.patch fixes CVE-2008-5360:
       temporary files have guessable file names,
    - patches/icedtea-6726779.patch fixes CVE-2008-5359:
       Buffer overflow in image processing,
    - patches/icedtea-6733959.patch fixes CVE-2008-5354:
       Privilege escalation in command line applications,
    - patches/icedtea-6734167.patch fixes CVE-2008-5353:
       calendar object deserialization allows privilege escalation,
    - patches/icedtea-6755943.patch fixes CVE-2008-5352:
       Jar200 Decompression buffer overflow,
    - patches/icedtea-6766136.patch fixes CVE-2008-5358:
       Buffer Overflow in GIF image processing.
* add debian/patches/donotdelete.diff:
  fix MultipleJRE.sh to remove the link in the error-path, otherwise
  the test-suite removes the whole build/*/j2sdk-image directory on error.

42. By Matthias Klose

* Make the dependency on ca-certificates-java unversioned.
* Merge from IcedTea:
  - plugin/icedtea/netscape/javascript/JSObject.java: Make
    long constructor public.

41. By Matthias Klose

* Update IcedTea build infrastructure (20081024).
  - Add --pkgversion=<package version> configure option.
  - IcedTeaPlugin fixes.
  - Fix xjc regressions.
* openjdk-jre-headless: Depend on ca-certificates-java.
* Configure with --pkgversion=<package version> to encode the package
  version in the -version output and in vm dumps.
* cacao: Handle VM options Xverify:all and Xverify:none.

40. By Matthias Klose

* Update IcedTea build infrastructure (20081019).
  - plugin fix (Make applet size factors doubles instead of ints).
* Don't fail the build when the jtreg summary is missing.
* openjdk-6-source-files: Fix priority and section of the binary package.
* Fix section of the plugin package.

39. By Matthias Klose

* Update IcedTea build infrastructure (20081018).
  - Fix LiveConnect issues in the web plugin. LP: #282762.
  - Fail the build, if patches don't apply.
* Show xvfb and xauth failures in the build log, when running the testsuites.
* Kill processes which still hang after running the testsuite. Closes: #493339.
* Run the testsuite in parallel, reducing build time.
* openjdk-headless: Depend instead of recommending tzdata-java.

38. By Matthias Klose

* icedtea6-plugin: Versioned conflict with icedtea-gcjwebplugin. LP: #184299.
* Don't configure --with-alt-jar=/usr/bin/fastjar on hotspot archs
  and cacao builds. Working around a problem generating rt.jar. Manually
  add the netscape/javascript files in zero builds.
* Update IcedTea build infrastructure (20081017).
  - configury updates.
  - IcedTeaPlugin update.
* openjdk-6-jdk: Suggest visualvm.
* Remove cacao patches found in cacao 0.99.4~20081012.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/natty/openjdk-6