[ubuntu/lucid] openjdk-6 6b18~pre4-0ubuntu1 (Accepted)

Matthias Klose doko at ubuntu.com
Wed Mar 31 03:50:33 BST 2010 

openjdk-6 (6b18~pre4-0ubuntu1) lucid; urgency=low

  [ Matthias Klose ]
  * Update IcedTea6 form the 1.8 branch.
  * SECURITY UPDATE: multiple upstream vulnerabilities. Upstream fixes:
    - (CVE-2010-0837): JAR "unpack200" must verify input parameters (6902299).
    - (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors
      if run with -Xcomp (6894807).
    - (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability
      (6899653).
    - (CVE-2010-0082): Loader-constraint table allows arrays instead of
      only the base-classes (6626217).
    - (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret
      network addresses (6893954) [ZDI-CAN-603].
    - (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390).
    - (CVE-2010-0091): Unsigned applet can retrieve the dragged information
      before drop action occurs (6887703).
    - (CVE-2010-0088): Inflater/Deflater clone issues (6745393).
    - (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains
      (6633872).
    - (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR
      error (6888149).
    - (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should
      enforce stricter checks (6893947) [ZDI-CAN-588].
    - (CVE-2010-0093): System.arraycopy unable to reference elements
      beyond Integer.MAX_VALUE bytes (6892265).
    - (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation
      Vulnerability (6904691).
    - (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823).
    - (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability
      (6914866).
    - (CVE-2009-3555): TLS: MITM attacks via session renegotiation.
    - 6639665: ThreadGroup finalizer allows creation of false root
      ThreadGroups.
    - 6898622: ObjectIdentifer.equals is not capable of detecting incorrectly.
      encoded CommonName OIDs.
    - 6910590: Application can modify command array in ProcessBuilder.
    - 6909597: JPEGImageReader stepX Integer Overflow Vulnerability.
    - 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
    - 6898739: TLS renegotiation issue.

  [ Torsten Werner ]
  * Switch off IPV6_V6ONLY for IN6_IS_ADDR_UNSPECIFIED addresses, too.
    (Closes: #575163)

Date: Wed, 31 Mar 2010 02:34:04 +0200
Changed-By: Matthias Klose <doko at ubuntu.com>
Maintainer: OpenJDK Team <openjdk at lists.launchpad.net>
Signed-By: Matthias Klose <matthias.klose at canonical.com>
https://launchpad.net/ubuntu/lucid/+source/openjdk-6/6b18~pre4-0ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 31 Mar 2010 02:34:04 +0200
Source: openjdk-6
Binary: openjdk-6-jdk openjdk-6-jre-headless openjdk-6-jre openjdk-6-jre-lib openjdk-6-demo openjdk-6-source openjdk-6-doc openjdk-6-dbg icedtea6-plugin icedtea-6-jre-cacao openjdk-6-jre-zero
Architecture: source
Version: 6b18~pre4-0ubuntu1
Distribution: lucid
Urgency: low
Maintainer: OpenJDK Team <openjdk at lists.launchpad.net>
Changed-By: Matthias Klose <doko at ubuntu.com>
Description: 
 icedtea-6-jre-cacao - Alternative JVM for OpenJDK, using Cacao
 icedtea6-plugin - web browser plugin based on OpenJDK and IcedTea to execute Java a
 openjdk-6-dbg - Java runtime based on OpenJDK (debugging symbols)
 openjdk-6-demo - Java runtime based on OpenJDK (demos and examples)
 openjdk-6-doc - OpenJDK Development Kit (JDK) documentation
 openjdk-6-jdk - OpenJDK Development Kit (JDK)
 openjdk-6-jre - OpenJDK Java runtime, using ${vm:Name}
 openjdk-6-jre-headless - OpenJDK Java runtime, using ${vm:Name} (headless)
 openjdk-6-jre-lib - OpenJDK Java runtime (architecture independent libraries)
 openjdk-6-jre-zero - Alternative JVM for OpenJDK, using Zero/Shark
 openjdk-6-source - OpenJDK Development Kit (JDK) source files
Closes: 575163
Changes: 
 openjdk-6 (6b18~pre4-0ubuntu1) lucid; urgency=low
 .
   [ Matthias Klose ]
   * Update IcedTea6 form the 1.8 branch.
   * SECURITY UPDATE: multiple upstream vulnerabilities. Upstream fixes:
     - (CVE-2010-0837): JAR "unpack200" must verify input parameters (6902299).
     - (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors
       if run with -Xcomp (6894807).
     - (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability
       (6899653).
     - (CVE-2010-0082): Loader-constraint table allows arrays instead of
       only the base-classes (6626217).
     - (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret
       network addresses (6893954) [ZDI-CAN-603].
     - (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390).
     - (CVE-2010-0091): Unsigned applet can retrieve the dragged information
       before drop action occurs (6887703).
     - (CVE-2010-0088): Inflater/Deflater clone issues (6745393).
     - (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains
       (6633872).
     - (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR
       error (6888149).
     - (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should
       enforce stricter checks (6893947) [ZDI-CAN-588].
     - (CVE-2010-0093): System.arraycopy unable to reference elements
       beyond Integer.MAX_VALUE bytes (6892265).
     - (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation
       Vulnerability (6904691).
     - (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823).
     - (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability
       (6914866).
     - (CVE-2009-3555): TLS: MITM attacks via session renegotiation.
     - 6639665: ThreadGroup finalizer allows creation of false root
       ThreadGroups.
     - 6898622: ObjectIdentifer.equals is not capable of detecting incorrectly.
       encoded CommonName OIDs.
     - 6910590: Application can modify command array in ProcessBuilder.
     - 6909597: JPEGImageReader stepX Integer Overflow Vulnerability.
     - 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
     - 6898739: TLS renegotiation issue.
 .
   [ Torsten Werner ]
   * Switch off IPV6_V6ONLY for IN6_IS_ADDR_UNSPECIFIED addresses, too.
     (Closes: #575163)
Checksums-Sha1: 
 787b6061ec17e82d8e87e01f2455ec8f87c27912 2404 openjdk-6_6b18~pre4-0ubuntu1.dsc
 382e3e1bc5aa92e5c6de7419771d82087533ea91 68289400 openjdk-6_6b18~pre4.orig.tar.gz
 a6cb970764de2e0aff3d5b25c170deb7936f14a4 120725 openjdk-6_6b18~pre4-0ubuntu1.diff.gz
Checksums-Sha256: 
 7d2623394181d7498b5e84012882933f984aeeba246886a35e903baff429bb11 2404 openjdk-6_6b18~pre4-0ubuntu1.dsc
 e648cc3830d0c8947c2fa2386a234560e857104bfaefaf58fe5ef1a0baabbfd4 68289400 openjdk-6_6b18~pre4.orig.tar.gz
 ff5237bb486e8042772a0eb0b88a4326a23bc60281e599c0a15cd41021e68621 120725 openjdk-6_6b18~pre4-0ubuntu1.diff.gz
Files: 
 a9fd47f436297a445bb39d3635955935 2404 java optional openjdk-6_6b18~pre4-0ubuntu1.dsc
 849a1e1703631a4f22d02343ab564369 68289400 java optional openjdk-6_6b18~pre4.orig.tar.gz
 73af507855a916fa224259fba6bcabc3 120725 java optional openjdk-6_6b18~pre4-0ubuntu1.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkuytV4ACgkQStlRaw+TLJxg6QCfYBSqDmjdCy2DNoKnThonFDs6
L3AAoK6rHIUFTdJqJQeftR3F2q+2AvHL
=TlWJ
-----END PGP SIGNATURE-----

More information about the Lucid-changes mailing list