lp://staging/ubuntu/karmic-security/openjdk-6
- Get this branch:
- bzr branch lp://staging/ubuntu/karmic-security/openjdk-6
Branch merges
Related source package recipes
Related bugs
Related blueprints
Branch information
Recent revisions
- 101. By Steve Beattie
-
* IcedTea6 1.9.7 release.
- SECURITY UPDATE:
+ S4421494, CVE-2010-4476: infinite loop while parsing double literal.
+ S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption
+ S6907662, CVE-2010-4465: Swing timer-based security manager bypass
+ S6994263, CVE-2010-4472: Untrusted code allowed to replace
DSIG/C14N implementation
+ S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets
+ S6983554, CVE-2010-4450: Launcher incorrect processing of
empty library path entries
+ S6985453, CVE-2010-4471: Java2D font-related system property leak
+ S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
+ RH677332, CVE-2011-0706: Multiple signers privilege escalation
- Bug fixes
+ RH676659: Pass -export-dynamic flag to linker using -Wl,
as option in gcc 4.6+ is broken
+ G344659: Fix issue when building on SPARC
+ Fix latent JAXP bug caused by missing import
* dropped patch due to different fix applied upstream:
- debian/patches/ hotspot- sparc-fix. diff
* debian/patches/ hotspot- fix_added_ define. patch: added to fix
redefinition added by patch for S6878713
* Makefile.{am,in}: don't use stage1 build for zerovm, bootstrap
zerovm instead to compensate for
http://icedtea. classpath. org/bugzilla/ show_bug. cgi?id= 631 - 100. By Steve Beattie
-
* IcedTea6 1.9.5 release.
- CVE-2011-0025: IcedTea jarfile signature verification bypass. - 99. By Matthias Klose
-
* IcedTea6 1.9.4 release.
- CVE-2010-4351: IcedTea JNLP SecurityManager bypass. - 96. By Matthias Klose
-
* IcedTea6 1.8.1 release.
- Fix security flaw in NetX that allows arbitrary unsigned apps to set
any java property.
- Fix security flaw in NetX that allows unsigned code to access any file
on the machine (accessible to the user) and write to it.
* openjdk-6-jre: Recommend ttf-dejavu-extra. LP: #569396.
* Don't build the plugin on sparc for hardy and jaunty releases. - 94. By Matthias Klose
-
* SECURITY UPDATE: multiple upstream vulnerabilities. Upstream fixes:
- (CVE-2010-0837): JAR "unpack200" must verify input parameters (6902299).
- (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors
if run with -Xcomp (6894807).
- (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability
(6899653).
- (CVE-2010-0082): Loader-constraint table allows arrays instead of
only the base-classes (6626217).
- (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret
network addresses (6893954) [ZDI-CAN-603].
- (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390).
- (CVE-2010-0091): Unsigned applet can retrieve the dragged information
before drop action occurs (6887703).
- (CVE-2010-0088): Inflater/Deflater clone issues (6745393).
- (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains
(6633872).
- (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR
error (6888149).
- (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should
enforce stricter checks (6893947) [ZDI-CAN-588].
- (CVE-2010-0093): System.arraycopy unable to reference elements
beyond Integer.MAX_VALUE bytes (6892265).
- (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation
Vulnerability (6904691).
- (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823).
- (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability
(6914866).
- (CVE-2009-3555): TLS: MITM attacks via session renegotiation.
- 6639665: ThreadGroup finalizer allows creation of false root
ThreadGroups.
- 6898622: ObjectIdentifer.equals is not capable of detecting incorrectly.
encoded CommonName OIDs.
- 6910590: Application can modify command array in ProcessBuilder.
- 6909597: JPEGImageReader stepX Integer Overflow Vulnerability.
- 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
- 6898739: TLS renegotiation issue.
* Build-depend on x11-xkb-utils. - 93. By Matthias Klose
-
* Security updates:
- (CVE-2009-3728) ICC_Profile file existence detection information leak
(6631533).
- (CVE-2009-3885) BMP parsing DoS with UNC ICC links (6632445).
- (CVE-2009-3881) resurrected classloaders can still have children
(6636650).
- (CVE-2009-3882) Numerous static security flaws in Swing (findbugs)
(6657026).
- (CVE-2009-3883) Mutable statics in Windows PL&F (findbugs) (6657138).
- (CVE-2009-3880) UI logging information leakage (6664512).
- (CVE-2009-3879) GraphicsConfiguration information leak (6822057).
- (CVE-2009-3884) zoneinfo file existence information leak (6824265).
- (CVE-2009-2409) deprecate MD2 in SSL cert validation (Kaminsky) (6861062).
- (CVE-2009-3873) JPEG Image Writer quantization problem (6862968).
- (CVE-2009-3875) MessageDigest.isEqual introduces timing attack
vulnerabilities (6863503).
- (CVE-2009-3876, CVE-2009-3877) OpenJDK ASN.1/DER input stream parser
denial of service (6864911).
- (CVE-2009-3869) JRE AWT setDifflCM stack overflow (6872357).
- (CVE-2009-3874) ImageI/O JPEG heap overflow (6874643.
- (CVE-2009-3871) JRE AWT setBytePixels heap overflow (6872358). - 92. By Matthias Klose
-
[Matthias Klose]
* On armel and powerpc, build an additional VM using shark in the
openjdk-6-jre-zero package (java -shark <args>). Requires llvm-2.6.
* Hide the desktop menu entry for WebStart. LP: #222180.
* Don't provide java-virtual-machine anymore. [Edward Nevill]
* Avoid stack overflows in the arm interpreter.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp://staging/ubuntu/natty/openjdk-6
