openjdk team mailing list archive

Thread
Date
[Bug 1642420] Re: Enable OpenJDK update through uscan

To: openjdk@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1642420@xxxxxxxxxxxxxxxxxx>
Date: Mon, 15 May 2017 23:40:49 -0000
Reply-to: Bug 1642420 <1642420@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package openjdk-7 -
7u131-2.6.9-0ubuntu0.14.04.1

---------------
openjdk-7 (7u131-2.6.9-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * IcedTea release 2.6.9 (based on 7u131):
  * Security fixes
    - S8167110, CVE-2017-3514: Windows peering issue.
    - S8163528, CVE-2017-3511: Better library loading.
    - S8169011, CVE-2017-3526: Resizing XML parse trees.
    - S8163520, CVE-2017-3509: Reuse cache entries.
    - S8171533, CVE-2017-3544: Better email transfer.
    - S8170222, CVE-2017-3533: Better transfers of files.
    - S8171121, CVE-2017-3539: Enhancing jar checking.
    - S8172299: Improve class processing.
  * debian/compat: updated from 5 to 9.
  * debian/watch: using watch version 4 to download both icedtea and
    icedtea-sound. LP: #1642420.
  * debian/repack: simplified tarball download.
  * debian/rules:
    - removed 8u121 patches as they have been applied to 7u131.
    - building icedtea-sound on build/ directory
    - replaced 'dh_strip -k' calls by dh_prep
    - have the 'build' rule depend on 'debian/control' rule to force
      failure if debian/control gets regenerated.
    - added file 'security/blacklisted.cert' to be copied to etc dir
      (introduced by S8011402).
    - simplified build dependencies.
    - removed jtreg's xvfb-run call since icedtea takes care of calling it.
    - removed window manager as there are no additional significant failures
      on the jdk tests when not running one.
    - re-enabled jdk jtreg tests.
    - removed lpia arch.
    - use fonts-wqy-microhei and fonts-wqy-zenhei instead of transitional
      package names.
    - drop Recommends on obsolete GNOME libraries so they are not in a
      default GNOME desktop installation (Simon McVittie). Closes: #850270.
      + sun.net.spi.DefaultProxySelector prefers libglib2.0-0 (>= 2.24)
        over obsolete libgconf2-4.
      + sun.nio.fs.GnomeFileTypeDetector prefers libglib2.0-0 (>= 2.24)
        over libgnomevfs-2-0.
      + sun.xawt.awt_Desktop prefers libgtk2.0-0 (>= 2.14) over
        libgnomevfs2-0.
  * debian/control.in: added static build dependencies as their previous
    selection logic in debian/rules is no longer required.
  * debian/control: regenerated.
  * debian/patches/icedtea-sound.diff: removed, now packing icedtea-sound
    1.0.1 which includes those fixes.
  * debian/upstream/signing-key.asc: add new signing key.

 -- Tiago Stürmer Daitx <tiago.daitx@xxxxxxxxxxxxx>  Mon, 08 May 2017
23:02:52 +0000

** Changed in: openjdk-7 (Ubuntu)
       Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-3509

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-3511

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-3514

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-3526

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-3533

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-3539

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-3544

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/1642420

Title:
  Enable OpenJDK update through uscan

Status in openjdk-7 package in Ubuntu:
  Fix Released

Bug description:
  In order to make OpenJDK 7 updates easier uscan/watch file should be
  enabled.

  The OpenJDK 7 package is comprised of tarballs for IcedTea, JamVM,
  IcedTea sound, and OpenJDK modules (the OpenJDK "root", corba,
  hotspot, jaxp, jaxws, jdk, and langtools).

  Both IcedTea and IcedTea-sound provide a PGP signature while the
  tarballs for OpenJDK modules and JamVM do NOT provide a PGP signature
  upstream.

  Fortunately - IcedTea can do a sha256 checksum on both OpenJDK modules
  and JamVM tarballs if they are kept pristine. Additionally the OpenJDK
  modules would have to be uncompressed in a specific tree format, which
  is not supported by MUT. Given those restrictions it is better to pack
  these pristine tarballs inside their own orig tarball.

  The proposed format is:
  - keep the icedtea tarball pristine as the orig tarball file.
  - keep the icedtea-sound tarball pristine as the "orig-icedtea-sound" module tarball.
  - use a script (debian/repack) to download the OpenJDK modules + JamVM and put their tarballs under a single "orig-drops" module tarball.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1642420/+subscriptions
References

[Bug 1642420] [NEW] Enable OpenJDK update through uscan
From: Tiago Stürmer Daitx, 2016-11-16