USN-3366-1 introduced a regression in OpenJDK 8.
Software Description:
- openjdk-8: Open Source Java implementation
Details:
USN-3366-1 fixed vulnerabilities in OpenJDK 8. Unfortunately, that
update introduced a regression that caused some valid JAR files to
fail validation. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that the JPEGImageReader class in OpenJDK would
incorrectly read unused image data. An attacker could use this to
specially construct a jpeg image file that when opened by a Java
application would cause a denial of service. (CVE-2017-10053)
It was discovered that the JAR verifier in OpenJDK did not properly
handle archives containing files missing digests. An attacker could
use this to modify the signed contents of a JAR file. (CVE-2017-10067)
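The JAR verifier issue above concerns archives whose entries lack manifest digests. As an added check (not part of this notice or of OpenJDK), the Python below parses META-INF/MANIFEST.MF of a JAR and lists the content entries that carry no *-Digest attribute, so a defender can see which files a signature does not cover. The sample JAR, its entry names and the digest value are constructed placeholders.

```python
"""Added example (not from the notice or OpenJDK): find JAR entries with no manifest digest."""
import io
import zipfile


def parse_manifest(text):
    """Return {entry_name: {attribute: value}} for the per-entry sections of MANIFEST.MF."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # continuation of a 72-byte wrapped line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():  # a blank line ends the current section
            current = None
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Name":
            current = entries.setdefault(value, {})
        elif current is not None:  # main-section attributes are not per-entry
            current[key] = value
    return entries


def entries_without_digest(jar_bytes):
    """Names of content files the manifest does not cover with a *-Digest attribute."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        missing = []
        for name in zf.namelist():
            is_sig = name.startswith("META-INF/") and name.upper().endswith((".SF", ".RSA", ".DSA", ".EC"))
            if name.endswith("/") or name == "META-INF/MANIFEST.MF" or is_sig:
                continue  # directories and signature metadata are never digested
            if not any(k.endswith("-Digest") for k in manifest.get(name, {})):
                missing.append(name)
    return missing


def build_sample_jar():
    """Constructed sample: two classes, only one listed (digest value is a placeholder)."""
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: com/example/Covered.class\r\n"
                "SHA-256-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/SIGNER.RSA", b"\x30\x00")  # placeholder signature blob
        zf.writestr("com/example/Covered.class", b"\xca\xfe\xba\xbe")
        zf.writestr("com/example/Unlisted.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()  # entries_without_digest(...) -> ['com/example/Unlisted.class']
```

A real signed JAR also needs the .SF file's own digests checked against the manifest, which this listing does not do; it only shows coverage gaps in the manifest itself.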
It was discovered that integer overflows existed in the Hotspot
component of OpenJDK when generating range check loop predicates. An
attacker ...
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 17.04:
openjdk-8-jre 8u131-b11-2ubuntu1.17.04.3
openjdk-8-jre-headless 8u131-b11-2ubuntu1.17.04.3
openjdk-8-jre-zero 8u131-b11-2ubuntu1.17.04.3
Ubuntu 16.04 LTS:
openjdk-8-jre 8u131-b11-2ubuntu1.16.04.3
openjdk-8-jre-headless 8u131-b11-2ubuntu1.16.04.3
openjdk-8-jre-jamvm 8u131-b11-2ubuntu1.16.04.3
openjdk-8-jre-zero 8u131-b11-2ubuntu1.16.04.3
This update uses a new upstream release, which includes additional bug fixes.
After a standard system update you need to restart any Java applications or applets to make all the necessary changes.
https://ubuntu.com/security/notices/USN-3366-2
https://ubuntu.com/security/notices/USN-3366-1
https://bugs.launchpad.net/ubuntu/+source/openjdk-8/+bug/1707082