Your message dated Mon, 20 Nov 2017 21:10:54 +0000
with message-id <e1egtlc-0006w6...@fasolo.debian.org>
and subject line Bug#881764: fixed in openjdk-7 7u151-2.6.11-2
has caused the Debian Bug report #881764,
regarding openjdk-7: several vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
881764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881764
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjdk-7
Version: 7u151-2.6.11-1
Severity: serious
Hi,
The last round of vulnerabilities for OpenJDK hasn't been fixed in openjdk-7
yet. It'd be good to get an updated package in experimental so it can be
pushed to jessie and wheezy.
Thanks,
Emilio
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (800, 'unstable'), (700, 'experimental'), (650, 'testing'), (500,
'unstable-debug'), (500, 'testing-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8),
LANGUAGE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: openjdk-7
Source-Version: 7u151-2.6.11-2
We believe that the bug you reported is fixed in the latest version of
openjdk-7, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 881...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Klose <d...@ubuntu.com> (supplier of updated openjdk-7 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 20 Nov 2017 21:24:32 +0100
Source: openjdk-7
Binary: openjdk-7-jdk openjdk-7-jre-headless openjdk-7-jre openjdk-7-jre-lib
openjdk-7-demo openjdk-7-source openjdk-7-doc openjdk-7-dbg icedtea-7-jre-jamvm
openjdk-7-jre-zero
Architecture: source
Version: 7u151-2.6.11-2
Distribution: experimental
Urgency: medium
Maintainer: OpenJDK Team <open...@lists.launchpad.net>
Changed-By: Matthias Klose <d...@ubuntu.com>
Description:
icedtea-7-jre-jamvm - Alternative JVM for OpenJDK, using JamVM
openjdk-7-dbg - Java runtime based on OpenJDK (debugging symbols)
openjdk-7-demo - Java runtime based on OpenJDK (demos and examples)
openjdk-7-doc - OpenJDK Development Kit (JDK) documentation
openjdk-7-jdk - OpenJDK Development Kit (JDK)
openjdk-7-jre - OpenJDK Java runtime, using
openjdk-7-jre-headless - OpenJDK Java runtime, using (headless)
openjdk-7-jre-lib - OpenJDK Java runtime (architecture independent libraries)
openjdk-7-jre-zero - Alternative JVM for OpenJDK, using Zero/Shark
openjdk-7-source - OpenJDK Development Kit (JDK) source files
Closes: 881764
Changes:
openjdk-7 (7u151-2.6.11-2) experimental; urgency=medium
.
[ Tiago Stürmer Daitx ]
* Backport of 8u151 security fixes. Closes: #881764.
* Security patches:
- CVE-2017-10274, S8169026: Handle smartcard clean up better. If a
CardImpl can be recovered via finalization, then separate instances
pointing to the same device can be created.
- CVE-2017-10281, S8174109: Better queuing priorities. PriorityQueue's
readObject allocates an array based on data in the stream which could
cause an OOM.
- CVE-2017-10285, S8174966: Unreferenced references. RMI's Unreferenced
thread can be used as the root of a Trusted Method Chain.
- CVE-2017-10295, S8176751: Better URL connections. On Ubuntu (and
possibly other Linux flavors) CR-NL in the host field are ignored and
can be used to inject headers in an HTTP request stream.
- CVE-2017-10388, S8178794: Correct Kerberos ticket grants. Kerberos
implementations can incorrectly take information from the unencrypted
portion of the ticket from the KDC. This can lead to an MITM attack
impersonating Kerberos services.
- CVE-2017-10346, S8180711: Better alignment of special invocations. A
missing load constraint for some invokespecial cases can allow invoking
a method from an unrelated class.
- CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated
based on data in the serial stream without a limit on the size.
- CVE-2017-10347, S8181323: Better timezone processing. An array is
allocated based on data in the serial stream without a limit on the
size.
- CVE-2017-10349, S8181327: Better Node predications. An array is
allocated based on data in the serial stream without a limit on the size.
- CVE-2017-10345, S8181370: Better keystore handling. A malicious
serialized object in a keystore can cause a DoS when using keytool.
- CVE-2017-10348, S8181432: Better processing of unresolved permissions.
An array is allocated based on data in the serial stream without a limit
on the size.
- CVE-2017-10357, S8181597: Process Proxy presentation. A malicious
serialized stream could cause an OOM due to lack of checking on the
number of interfaces read from the stream for a Proxy.
- CVE-2017-10355, S8181612: More stable connection processing. If an
attack can cause an application to open a connection to a malicious FTP
server (e.g., via XML), then a thread can be tied up indefinitely in
accept(2).
- CVE-2017-10356, S8181692: Update storage implementations. JKS and JCEKS
keystores should be retired from common use in favor of more modern
keystore protections.
- CVE-2016-10165, S8183028: Improve CMS header processing. Missing bounds
check could lead to leaked memory contents.
- CVE-2016-9841, S8184682: Upgrade compression library. There were four
off by one errors found in the zlib library. Two of them are long typed
which could lead to RCE.
* debian/patches/hotspot-aarch64-S8150652-unused-template.diff: unused
template breaks builds with gcc-6 due to macro conflict.
* debian/rules: try /etc/os-release before lsb-release; allows one to check
if patches still apply cleanly across distros from the command line by
setting distrel.
--- End Message ---