Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1035957: openjdk-17: CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968
55 views
Skip to first unread message
Moritz Mühlenhoff
May 11, 2023, 11:52:24 AM5/11/23
to
Source: openjdk-17
X-Debbugs-CC: te...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for openjdk-17.
CVE-2023-21930[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: JSSE). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via TLS to compromise Oracle Java SE, Oracle
| GraalVM Enterprise Edition. Successful attacks of this vulnerability
| can result in unauthorized creation, deletion or modification access
| to critical data or all Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data as well as unauthorized access to critical
| data or complete access to all Oracle Java SE, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability applies
| to Java deployments, typically in clients running sandboxed Java Web
| Start applications or sandboxed Java applets, that load and run
| untrusted code (e.g., code that comes from the internet) and rely on
| the Java sandbox for security. This vulnerability can also be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
CVE-2023-21937[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Networking). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and
| 22.3.1. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21938[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Libraries). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and
| 22.3.0. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability does not apply to Java
| deployments, typically in servers, that load and run only trusted code
| (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7
| (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21939[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Swing). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Easily exploitable vulnerability allows unauthenticated attacker with
| network access via HTTP to compromise Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability applies to Java deployments, typically in
| clients running sandboxed Java Web Start applications or sandboxed
| Java applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability can also be exploited by using APIs in the specified
| Component, e.g., through a web service which supplies data to the
| APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21954[4]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Hotspot). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via multiple protocols to compromise Oracle Java
| SE, Oracle GraalVM Enterprise Edition. Successful attacks of this
| vulnerability can result in unauthorized access to critical data or
| complete access to all Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 5.9
| (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2023-21967[5]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: JSSE). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via HTTPS to compromise Oracle Java SE, Oracle
| GraalVM Enterprise Edition. Successful attacks of this vulnerability
| can result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21968[6]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Libraries). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and
| 22.3.1. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-21930
https://www.cve.org/CVERecord?id=CVE-2023-21930
[1] https://security-tracker.debian.org/tracker/CVE-2023-21937
https://www.cve.org/CVERecord?id=CVE-2023-21937
[2] https://security-tracker.debian.org/tracker/CVE-2023-21938
https://www.cve.org/CVERecord?id=CVE-2023-21938
[3] https://security-tracker.debian.org/tracker/CVE-2023-21939
https://www.cve.org/CVERecord?id=CVE-2023-21939
[4] https://security-tracker.debian.org/tracker/CVE-2023-21954
https://www.cve.org/CVERecord?id=CVE-2023-21954
[5] https://security-tracker.debian.org/tracker/CVE-2023-21967
https://www.cve.org/CVERecord?id=CVE-2023-21967
[6] https://security-tracker.debian.org/tracker/CVE-2023-21968
https://www.cve.org/CVERecord?id=CVE-2023-21968
Please adjust the affected versions in the BTS as needed.
X-Debbugs-CC: te...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for openjdk-17.
CVE-2023-21930[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: JSSE). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via TLS to compromise Oracle Java SE, Oracle
| GraalVM Enterprise Edition. Successful attacks of this vulnerability
| can result in unauthorized creation, deletion or modification access
| to critical data or all Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data as well as unauthorized access to critical
| data or complete access to all Oracle Java SE, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability applies
| to Java deployments, typically in clients running sandboxed Java Web
| Start applications or sandboxed Java applets, that load and run
| untrusted code (e.g., code that comes from the internet) and rely on
| the Java sandbox for security. This vulnerability can also be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
CVE-2023-21937[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Networking). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and
| 22.3.1. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21938[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Libraries). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and
| 22.3.0. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability does not apply to Java
| deployments, typically in servers, that load and run only trusted code
| (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7
| (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21939[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Swing). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Easily exploitable vulnerability allows unauthenticated attacker with
| network access via HTTP to compromise Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability applies to Java deployments, typically in
| clients running sandboxed Java Web Start applications or sandboxed
| Java applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability can also be exploited by using APIs in the specified
| Component, e.g., through a web service which supplies data to the
| APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21954[4]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Hotspot). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via multiple protocols to compromise Oracle Java
| SE, Oracle GraalVM Enterprise Edition. Successful attacks of this
| vulnerability can result in unauthorized access to critical data or
| complete access to all Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 5.9
| (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2023-21967[5]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: JSSE). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via HTTPS to compromise Oracle Java SE, Oracle
| GraalVM Enterprise Edition. Successful attacks of this vulnerability
| can result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21968[6]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Libraries). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and
| 22.3.1. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-21930
https://www.cve.org/CVERecord?id=CVE-2023-21930
[1] https://security-tracker.debian.org/tracker/CVE-2023-21937
https://www.cve.org/CVERecord?id=CVE-2023-21937
[2] https://security-tracker.debian.org/tracker/CVE-2023-21938
https://www.cve.org/CVERecord?id=CVE-2023-21938
[3] https://security-tracker.debian.org/tracker/CVE-2023-21939
https://www.cve.org/CVERecord?id=CVE-2023-21939
[4] https://security-tracker.debian.org/tracker/CVE-2023-21954
https://www.cve.org/CVERecord?id=CVE-2023-21954
[5] https://security-tracker.debian.org/tracker/CVE-2023-21967
https://www.cve.org/CVERecord?id=CVE-2023-21967
[6] https://security-tracker.debian.org/tracker/CVE-2023-21968
https://www.cve.org/CVERecord?id=CVE-2023-21968
Please adjust the affected versions in the BTS as needed.
Salvatore Bonaccorso
Jun 9, 2023, 3:11:34 PM6/9/23
to
Source: openjdk-17
Source-Version: 17.0.7+7-1
----- Forwarded message from Debian FTP Masters <ftpm...@ftp-master.debian.org> -----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 06 Jun 2023 13:36:52 +0200
Source: openjdk-17
Architecture: source
Version: 17.0.7+7-1
Distribution: unstable
Urgency: high
Maintainer: OpenJDK Team <openj...@packages.debian.org>
Changed-By: Matthias Klose <do...@debian.org>
Changes:
openjdk-17 (17.0.7+7-1) unstable; urgency=high
.
* OpenJDK 17.0.7 release, build 7.
- CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939,
CVE-2023-21954, CVE-2023-21967, CVE-2023-21968.
- Release notes:
https://mail.openjdk.org/pipermail/jdk-updates-dev/2023-April/021899.html
.
[ Vladimir Petko ]
* Refresh patches.
* debian/copyright: Convert to machine readable format.
* Update watch file.
* Update tag and version handling in the rules file.
* debian/JB-jre-headless.postinst.in: trigger ca-certificates-java after
the JRE is set up.
* d/control: add jtreg6 dependencies, regenerate control.
* d/rules: only compile google tests when with_check is enabled, disable them
for bullseye and jammy.
* d/rules: always use jtreg6.
* d/p/exclude-broken-tests.patch: add OpenJDK 17 failures.
* d/p/*: add patches for jtreg tests:
- disable-thumb-assertion.patch: fix JDK-8305481.
- update-assertion-for-armhf.patch: fix JDK-8305480.
- misalign-pointer-for-armhf.patch: packaging-specific patch to fix test
- failure introduced by d/p/m68k-support.diff.
- log-generated-classes-test.patch: workaround JDK-8166162.
- update-permission-test.patch: add security permissions for testng 7.
- ldap-timeout-test-use-ip.patch, test-use-ip-address.patch: Ubuntu-specific
- patches to workaround missing DNS resolver on the build machines.
- exclude_broken_tests.patch: quarantine failing tests.
* d/t/{jdk,hotspot,jaxp,lantools}: run tier1 and tier2 jtreg tests only,
* add test options from OpenJDK Makefile, patch problem list to exclude
architecture-specific failing tests.
* d/t/*: fix test environment: add missing -nativepath (LP: #2001563).
* d/t/jdk: provide dbus session for the window manager (LP: #2001576).
* d/t/jtreg-autopkgtest.in: pass JTREG home to locate junit.jar, regenerate
* d/t/jtreg-autopkgtest.sh (LP: #2016206).
* d/rules: pack external debug symbols with build-id, do not strip JVM shared
libraries (LP: #2012326, LP: #2016739).
* drop d/p/{jaw-classpath.diff, jaw-optional.diff}: the atk wrapper is
disabled and these patches cause class data sharing tests to fail.
LP: #2016194.
Checksums-Sha1:
43a78086bbdcec3106d577bc2fb540daac07b353 4522 openjdk-17_17.0.7+7-1.dsc
38706ac1090cc214adc67f294b936f6222a6fe16 61894896 openjdk-17_17.0.7+7.orig.tar.xz
3467e46f8b96733412718bf9e43e3cf33aed1c8d 199104 openjdk-17_17.0.7+7-1.debian.tar.xz
77d309d1f93490bea26b4bbcd8aeb6e846bc2764 15621 openjdk-17_17.0.7+7-1_source.buildinfo
Checksums-Sha256:
e6b80ffc98e25e95f0f6e6bdb5452e27504d8b5bfa354fc282c1133d5938606a 4522 openjdk-17_17.0.7+7-1.dsc
54979d3108824cb1ff03063f9d00154395eeb6aa37153f1e3d990bd3064fe65f 61894896 openjdk-17_17.0.7+7.orig.tar.xz
e921593bfb589d616cd511275bc6e400bfb3ec3d1fd71d9c7881f2d7ae111c18 199104 openjdk-17_17.0.7+7-1.debian.tar.xz
6a8390158c41bfea88ad6f9731fffbce0c9a04ff756d79de14da17b7b5cd8ae4 15621 openjdk-17_17.0.7+7-1_source.buildinfo
Files:
3d4eae81da92046e8b9c05737156795b 4522 java optional openjdk-17_17.0.7+7-1.dsc
31686ecebc0181d2fce168e83c6f4791 61894896 java optional openjdk-17_17.0.7+7.orig.tar.xz
3dc12f5f83c48a32040eb8b0e68faafc 199104 java optional openjdk-17_17.0.7+7-1.debian.tar.xz
d35cbe4ca8487b48527cb0673a16e377 15621 java optional openjdk-17_17.0.7+7-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJEBAEBCgAuFiEE1WVxuIqLuvFAv2PWvX6qYHePpvUFAmSDPlwQHGRva29AZGVi
aWFuLm9yZwAKCRC9fqpgd4+m9RSuEACasTMv7CDSFc+/MBRQsq31WjGqzWAA/Yd5
C8geSHhKe+Qm/KzszIC1pKYspudn6eemVP8fsu3PSxes6zu0ccYbTjMoT/7Mo7qe
nDnb9KXAmhXY2wyPPXW+8OPvZUCdfppR5Nb/1muogTcdkW3Yte1dMyfDaTQCsW9J
qlnmb07obwK06bzrYEAcc17/J2Q4+/YEJUFFHenR+lU31XQ2V9F+0W4vSs6PPR5w
maY+Gf/dksoPE3m4YMiJvWP9jtl9NFo5qoh3bPccP00S6Aaovi+Em5yxMOGJ0KcJ
9nIJ7kErtE2sNokOY32XVTDWodCq6L74bD5FF0UMpCHj4WCxGLAwzkUly2b6N2cq
oD8MtQYaYwFS0cfr+svmD8FaOLcJ2TNiT3XfOCGDKKhvn24rF/qco8Z9f+1ub105
Qu6cZ5zVEsjAt1JM/iCvF2pXSy5EfEmqrpzmyXnPqytfBkYcj9qNiNZIchNX+TwB
1y5XcLmfIhBMlXWMEhHfszeBTWbU52wXmk5h6s29A4HygnlC80+mHHsgS3FoTUZ+
hwzQxenGwq6s+FnWnHnyyy5bgTleqPHwpbo8MwR8qPi7wCFcje4AaZPwpJcmdIMU
CygCAk8yyyOohFR20C4AizQpiKBJedFW1zWemwiiOiu+hCTF+n+OABZn6mqbwJs8
2igybMAZFw==
=cR7a
-----END PGP SIGNATURE-----
----- End forwarded message -----
Source-Version: 17.0.7+7-1
----- Forwarded message from Debian FTP Masters <ftpm...@ftp-master.debian.org> -----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 06 Jun 2023 13:36:52 +0200
Source: openjdk-17
Architecture: source
Version: 17.0.7+7-1
Distribution: unstable
Urgency: high
Maintainer: OpenJDK Team <openj...@packages.debian.org>
Changed-By: Matthias Klose <do...@debian.org>
Changes:
openjdk-17 (17.0.7+7-1) unstable; urgency=high
.
* OpenJDK 17.0.7 release, build 7.
- CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939,
CVE-2023-21954, CVE-2023-21967, CVE-2023-21968.
- Release notes:
https://mail.openjdk.org/pipermail/jdk-updates-dev/2023-April/021899.html
.
[ Vladimir Petko ]
* Refresh patches.
* debian/copyright: Convert to machine readable format.
* Update watch file.
* Update tag and version handling in the rules file.
* debian/JB-jre-headless.postinst.in: trigger ca-certificates-java after
the JRE is set up.
* d/control: add jtreg6 dependencies, regenerate control.
* d/rules: only compile google tests when with_check is enabled, disable them
for bullseye and jammy.
* d/rules: always use jtreg6.
* d/p/exclude-broken-tests.patch: add OpenJDK 17 failures.
* d/p/*: add patches for jtreg tests:
- disable-thumb-assertion.patch: fix JDK-8305481.
- update-assertion-for-armhf.patch: fix JDK-8305480.
- misalign-pointer-for-armhf.patch: packaging-specific patch to fix test
- failure introduced by d/p/m68k-support.diff.
- log-generated-classes-test.patch: workaround JDK-8166162.
- update-permission-test.patch: add security permissions for testng 7.
- ldap-timeout-test-use-ip.patch, test-use-ip-address.patch: Ubuntu-specific
- patches to workaround missing DNS resolver on the build machines.
- exclude_broken_tests.patch: quarantine failing tests.
* d/t/{jdk,hotspot,jaxp,lantools}: run tier1 and tier2 jtreg tests only,
* add test options from OpenJDK Makefile, patch problem list to exclude
architecture-specific failing tests.
* d/t/*: fix test environment: add missing -nativepath (LP: #2001563).
* d/t/jdk: provide dbus session for the window manager (LP: #2001576).
* d/t/jtreg-autopkgtest.in: pass JTREG home to locate junit.jar, regenerate
* d/t/jtreg-autopkgtest.sh (LP: #2016206).
* d/rules: pack external debug symbols with build-id, do not strip JVM shared
libraries (LP: #2012326, LP: #2016739).
* drop d/p/{jaw-classpath.diff, jaw-optional.diff}: the atk wrapper is
disabled and these patches cause class data sharing tests to fail.
LP: #2016194.
Checksums-Sha1:
43a78086bbdcec3106d577bc2fb540daac07b353 4522 openjdk-17_17.0.7+7-1.dsc
38706ac1090cc214adc67f294b936f6222a6fe16 61894896 openjdk-17_17.0.7+7.orig.tar.xz
3467e46f8b96733412718bf9e43e3cf33aed1c8d 199104 openjdk-17_17.0.7+7-1.debian.tar.xz
77d309d1f93490bea26b4bbcd8aeb6e846bc2764 15621 openjdk-17_17.0.7+7-1_source.buildinfo
Checksums-Sha256:
e6b80ffc98e25e95f0f6e6bdb5452e27504d8b5bfa354fc282c1133d5938606a 4522 openjdk-17_17.0.7+7-1.dsc
54979d3108824cb1ff03063f9d00154395eeb6aa37153f1e3d990bd3064fe65f 61894896 openjdk-17_17.0.7+7.orig.tar.xz
e921593bfb589d616cd511275bc6e400bfb3ec3d1fd71d9c7881f2d7ae111c18 199104 openjdk-17_17.0.7+7-1.debian.tar.xz
6a8390158c41bfea88ad6f9731fffbce0c9a04ff756d79de14da17b7b5cd8ae4 15621 openjdk-17_17.0.7+7-1_source.buildinfo
Files:
3d4eae81da92046e8b9c05737156795b 4522 java optional openjdk-17_17.0.7+7-1.dsc
31686ecebc0181d2fce168e83c6f4791 61894896 java optional openjdk-17_17.0.7+7.orig.tar.xz
3dc12f5f83c48a32040eb8b0e68faafc 199104 java optional openjdk-17_17.0.7+7-1.debian.tar.xz
d35cbe4ca8487b48527cb0673a16e377 15621 java optional openjdk-17_17.0.7+7-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJEBAEBCgAuFiEE1WVxuIqLuvFAv2PWvX6qYHePpvUFAmSDPlwQHGRva29AZGVi
aWFuLm9yZwAKCRC9fqpgd4+m9RSuEACasTMv7CDSFc+/MBRQsq31WjGqzWAA/Yd5
C8geSHhKe+Qm/KzszIC1pKYspudn6eemVP8fsu3PSxes6zu0ccYbTjMoT/7Mo7qe
nDnb9KXAmhXY2wyPPXW+8OPvZUCdfppR5Nb/1muogTcdkW3Yte1dMyfDaTQCsW9J
qlnmb07obwK06bzrYEAcc17/J2Q4+/YEJUFFHenR+lU31XQ2V9F+0W4vSs6PPR5w
maY+Gf/dksoPE3m4YMiJvWP9jtl9NFo5qoh3bPccP00S6Aaovi+Em5yxMOGJ0KcJ
9nIJ7kErtE2sNokOY32XVTDWodCq6L74bD5FF0UMpCHj4WCxGLAwzkUly2b6N2cq
oD8MtQYaYwFS0cfr+svmD8FaOLcJ2TNiT3XfOCGDKKhvn24rF/qco8Z9f+1ub105
Qu6cZ5zVEsjAt1JM/iCvF2pXSy5EfEmqrpzmyXnPqytfBkYcj9qNiNZIchNX+TwB
1y5XcLmfIhBMlXWMEhHfszeBTWbU52wXmk5h6s29A4HygnlC80+mHHsgS3FoTUZ+
hwzQxenGwq6s+FnWnHnyyy5bgTleqPHwpbo8MwR8qPi7wCFcje4AaZPwpJcmdIMU
CygCAk8yyyOohFR20C4AizQpiKBJedFW1zWemwiiOiu+hCTF+n+OABZn6mqbwJs8
2igybMAZFw==
=cR7a
-----END PGP SIGNATURE-----
----- End forwarded message -----
0 new messages