UbuntuUpdates.org

Package "openjdk-7-jdk"

Name: openjdk-7-jdk

Description:

OpenJDK Development Kit (JDK)

Latest version: 7u211-2.6.17-0ubuntu0.1
Release: trusty (14.04)
Level: updates
Repository: main
Head package: openjdk-7
Homepage: http://openjdk.java.net/

Other versions of "openjdk-7-jdk" in Trusty

Repository Area Version
base main 7u51-2.4.6-1ubuntu4
security main 7u211-2.6.17-0ubuntu0.1

Changelog

Version: 7u151-2.6.11-2ubuntu0.14.04.1 2017-11-29 11:06:44 UTC

  openjdk-7 (7u151-2.6.11-2ubuntu0.14.04.1) trusty-security; urgency=medium

  * Backport to 14.04.
  * debian/patches/hotspot-aarch64-S8145438-fix-field-too-big-for-insn.patch:
    the S8144028 fix was incomplete and followed up by S8145438; without it
    aarch64 JVM can fail with "Internal Error, failed: Field too big for
    insn".

 -- Tiago Stürmer Daitx <email address hidden> Tue, 21 Nov 2017 02:10:21 +0000

Version: 7u151-2.6.11-0ubuntu1.14.04.1 2017-08-18 08:06:35 UTC

  openjdk-7 (7u151-2.6.11-0ubuntu1.14.04.1) trusty-security; urgency=medium

  * IcedTea release 2.6.11 (based on 7u151). Closes: #869816.
  * Security fixes:
    - S8163958, CVE-2017-10102: Improved garbage collection.
    - S8167228: Update to libpng 1.6.28.
    - S8169209, CVE-2017-10053: Improved image post-processing steps.
    - S8169392, CVE-2017-10067: Additional jar validation steps.
    - S8170966, CVE-2017-10081: Right parenthesis issue.
    - S8172204, CVE-2017-10087: Better Thread Pool execution.
    - S8172461, CVE-2017-10089: Service Registration Lifecycle.
    - S8172465, CVE-2017-10090: Better handling of channel groups.
    - S8172469, CVE-2017-10096: Transform Transformer Exceptions.
    - S8173286, CVE-2017-10101: Better reading of text catalogs.
    - S8173697, CVE-2017-10107: Less Active Activations.
    - S8173770, CVE-2017-10074: Image conversion improvements.
    - S8174098, CVE-2017-10110: Better image fetching.
    - S8174105, CVE-2017-10108: Better naming attribution.
    - S8174113, CVE-2017-10109: Better sourcing of code.
    - S8174770: Check registry registration location.
    - S8174873: Improved certificate processing.
    - S8175106, CVE-2017-10115: Higher quality DSA operations.
    - S8175110, CVE-2017-10118: Higher quality ECDSA operations.
    - S8176055: JMX diagnostic improvements.
    - S8176067, CVE-2017-10116: Proper directory lookup processing.
    - S8176760, CVE-2017-10135: Better handling of PKCS8 material.
    - S8178135, CVE-2017-10176: Additional elliptic curve support.
    - S8181420, CVE-2017-10074: PPC: Image conversion improvements.
    - S8182054, CVE-2017-10243: Improve wsdl support.
    - S8183551, CVE-2017-10074, PR3423: AArch64: Image conversion improvements.
    - S8184119, CVE-2017-10111: Incorrect return processing for the LF editor
      of MethodHandles.permuteArguments.
  * d/control.in:
    - remove @bd_compress@ dependency.
    - replace @bd_autotools@ with fixed dependencies.
  * d/control.tests: package to hold all tests artifacts and logs.
  * d/repack: fixed and simplified download script.
  * d/rules:
    - include openjdk-7-tests package on Ubuntu derivatives only.
    - only save the full jtreg results when the openjdk-7-tests package
      is being built, otherwise stick to old behaviour (keep compressed
      test summaries + failed test results). Closes: #863007, #865533.
    - only run the long jdk testsuite when default vm is a hotspot.
    - only run the full testsuite for zero alternative vm on very fast
      systems, otherwise stick to the hotspot testsuite to avoid long
      build times.
    - try /etc/os-release before lsb-release; allow distrel to be set
      from the command line.
    - remove with_nss as all supported releases have it now.
    - remove gcc/g++ configurations for EOL releases.
    - keep libjpeg8 dependency on wheezy, replace it with libjpeg62-turbo
      on other Debian releases and libjpeg-turbo8 on Ubuntu. Closes: #766601.
    - remove old logic to depend on libcupsys2.
    - always set rhino_source, all supported releases have dpkg > 1.16.2.
    - remove bd_compress and pkg_compress as they haven't been used for
      quite a while.
    - remove with_wgy_zenhai logic, lenny is EOL.
    - remove bd_autotools logic if/then, call dh_autoreconf and
      dh_autoreconf_clean.
    - simplify bootstrap dependency logic and remove EOL releases.
    - remove EOL releases from gcc/g++ dependency logic.
    - remove unused jamvm_defaults and simplify jamvm_archs logic.
    - use ttf-indic-fonts for trusty, otherwise stick to fonts-indic.
    - have build rule depend on debian/control in order to fail if it
      is ever regenerated at build time.
    - patch configure after dh_autoreconf call to include additional
      /usr/lib/jvm directories; setting DEB_HOST_ARCH=alpha to check
      if patches apply correctly fails because alpha requires a jdk for
      bootstrap and IcedTea does not look into our usual directories.
  * d/p/fontconfig-arphic-uming.diff: removed, not used since lenny.
  * d/p/jdk-getAccessibleValue.diff: libatk-wrapper-java: File selection
    dialog not refreshed when changing directory. Kindly provided by
    Samuel Thibault. Closes: #827741.
  * d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch:
    deleted, included in IcedTea 2.6.10.
  * d/p/kfreebsd-support-jdk.diff: updated, was failing to apply due to
    jdk changes in NetworkInterface.c.
  * d/p/sec-webrev-8u131-*.patch: deleted, included in IcedTea 2.6.10.
  * d/p/zero-sparc.diff: commented out chaitin.hpp hunk #1 as that #ifdef
    has been removed by JDK-8011621 (backported by IcedTea 2.6.10); this
    was also backported to 7u131 through JDK-8160961 but then backed out,
    better keep the hunk in case IcedTea decides to back it out as well.

 -- Tiago Stürmer Daitx <email address hidden> Thu, 18 May 2017 02:53:34 +0000

Version: 7u131-2.6.9-0ubuntu0.14.04.2 2017-05-18 22:06:31 UTC

  openjdk-7 (7u131-2.6.9-0ubuntu0.14.04.2) trusty-security; urgency=medium

  * Fix JDK regression introduced by 7u131 upgrade: (LP: #1691126)
    - d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch:
      fix "IllegalArgumentException: jdk.tls.namedGroups" backported
      from http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f5d0aadb4d1c

 -- Tiago Stürmer Daitx <email address hidden> Wed, 17 May 2017 00:39:54 +0000

1691126 java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves

Version: 7u131-2.6.9-0ubuntu0.14.04.1 2017-05-16 02:06:42 UTC

  openjdk-7 (7u131-2.6.9-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * IcedTea release 2.6.9 (based on 7u131):
  * Security fixes
    - S8167110, CVE-2017-3514: Windows peering issue.
    - S8163528, CVE-2017-3511: Better library loading.
    - S8169011, CVE-2017-3526: Resizing XML parse trees.
    - S8163520, CVE-2017-3509: Reuse cache entries.
    - S8171533, CVE-2017-3544: Better email transfer.
    - S8170222, CVE-2017-3533: Better transfers of files.
    - S8171121, CVE-2017-3539: Enhancing jar checking.
    - S8172299: Improve class processing.
  * debian/compat: updated from 5 to 9.
  * debian/watch: using watch version 4 to download both icedtea and
    icedtea-sound. LP: #1642420.
  * debian/repack: simplified tarball download.
  * debian/rules:
    - removed 8u121 patches as they have been applied to 7u131.
    - building icedtea-sound on build/ directory
    - replaced 'dh_strip -k' calls by dh_prep
    - have the 'build' rule depend on 'debian/control' rule to force
      failure if debian/control gets regenerated.
    - added file 'security/blacklisted.cert' to be copied to etc dir
      (introduced by S8011402).
    - simplified build dependencies.
    - removed jtreg's xvfb-run call since icedtea takes care of calling it.
    - removed window manager as there are no additional significant failures
      on the jdk tests when not running one.
    - re-enabled jdk jtreg tests.
    - removed lpia arch.
    - use fonts-wqy-microhei and fonts-wqy-zenhei instead of transitional
      package names.
    - drop Recommends on obsolete GNOME libraries so they are not in a
      default GNOME desktop installation (Simon McVittie). Closes: #850270.
      + sun.net.spi.DefaultProxySelector prefers libglib2.0-0 (>= 2.24)
        over obsolete libgconf2-4.
      + sun.nio.fs.GnomeFileTypeDetector prefers libglib2.0-0 (>= 2.24)
        over libgnomevfs-2-0.
      + sun.xawt.awt_Desktop prefers libgtk2.0-0 (>= 2.14) over
        libgnomevfs2-0.
  * debian/control.in: added static build dependencies as their previous
    selection logic in debian/rules is no longer required.
  * debian/control: regenerated.
  * debian/patches/icedtea-sound.diff: removed, now packing icedtea-sound
    1.0.1 which includes those fixes.
  * debian/upstream/signing-key.asc: add new signing key.

 -- Tiago Stürmer Daitx <email address hidden> Mon, 08 May 2017 23:02:52 +0000

1642420 Enable OpenJDK update through uscan
850270 Radiotray asks whether to use the notification area or an app indicator, on first run and when passed a command line parameter
CVE-2017-3514 Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u12
CVE-2017-3511 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE). Supported versions that are affected are Jav
CVE-2017-3526 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Ja
CVE-2017-3509 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java
CVE-2017-3544 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected
CVE-2017-3533 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected
CVE-2017-3539 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE

Version: 7u121-2.6.8-1ubuntu0.14.04.3 2017-02-09 00:06:56 UTC

  openjdk-7 (7u121-2.6.8-1ubuntu0.14.04.3) trusty-security; urgency=medium

  * Security fixes from 8u121:
    - S8167104, CVE-2017-3289: Custom class constructor code can bypass the
      required call to super.init allowing for uninitialized objects to be
      created.
    - S8164143, CVE-2017-3260: It is possible to corrupt memory by calling
      dispose() on a CMenuComponent multiple times.
    - S8168714, CVE-2016-5546: ECDSA will accept signatures that have various
      extraneous bytes added to them whereas the signature is supposed to be
      unique.
    - S8166988, CVE-2017-3253: The PNG specification allows the [iz]Txt
      sections to be 2^32-1 bytes long so these should not be uncompressed
      unless the user explicitly requests it.
    - S8168728, CVE-2016-5548: DSA signing exhibits a timing bias that may
      leak information about k.
    - S8161743, CVE-2017-3252: LdapLoginModule incorrectly tries to
      deserialize responses from an LDAP server when an LDAP context is
      expected.
    - S8167223, CVE-2016-5552: Parsing of URLs can be inconsistent with how
      users or external applications would interpret them leading to possible
      security issues.
    - S8168705, CVE-2016-5547: A value from an InputStream is read directly
      into the size argument of a new byte[] without validation.
    - S8164147, CVE-2017-3261: An integer overflow exists in
      SocketOutputStream which can lead to memory disclosure.
    - S8151934, CVE-2017-3231: Under some circumstances URLClassLoader will
      dispatch HTTP GET requests where the invoker does not have permission.
    - S8165071, CVE-2016-2183: 3DES can be exploited for block collisions when
      long running sessions are allowed.
    - S8165344, CVE-2017-3272: A protected field can be leveraged into type
      confusion.
    - S8156802, CVE-2017-3241: RMI deserialization should limit the types
      deserialized to prevent attacks that could escape the sandbox.

 -- Tiago Stürmer Daitx <email address hidden> Tue, 07 Feb 2017 17:55:31 +0000

CVE-2017-3289 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE:
CVE-2017-3260 Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 7u121 and 8u112. Diff
CVE-2016-5546 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected a
CVE-2017-3253 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java
CVE-2016-5548 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java S
CVE-2017-3252 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAAS). Supported versions that are affected are Ja
CVE-2016-5552 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected
CVE-2016-5547 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected a
CVE-2017-3261 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java
CVE-2017-3231 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java
CVE-2016-2183 The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately
CVE-2017-3272 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java S
CVE-2017-3241 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Jav
