Debian Bug report logs - #870860
openjfx: CVE-2017-10086 CVE-2017-10114
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 5 Aug 2017 20:00:05 UTC
Severity: grave
Tags: security, upstream
Found in version openjfx/8u131-b11-1
Fixed in version openjfx/8u141-b14-1
Done: Emmanuel Bourg <ebourg@apache.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#870860; Package src:openjfx. (Sat, 05 Aug 2017 20:00:07 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 05 Aug 2017 20:00:07 GMT)
Message #5 received at submit@bugs.debian.org:
Source: openjfx
Version: 8u131-b11-1
Severity: grave
Tags: upstream security
Hi,
the following vulnerabilities were published for openjfx.
CVE-2017-10086[0] and CVE-2017-10114[1].
Unfortunately there are possibly no more details known than those shared via [2],
which states that the supported versions vulnerable are 7u141 and
8u131. The severity is probably overrated as well for this bug report,
and a DSA is not deserved. But the bug should help track the fix for a
future unstable upload.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-10086
[1] https://security-tracker.debian.org/tracker/CVE-2017-10114
[2] http://www.oracle.com/technetwork/security-advisory/cpujul2017verbose-3236625.html#JAVA
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#870860; Package src:openjfx. (Mon, 02 Oct 2017 13:09:16 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 02 Oct 2017 13:09:16 GMT)
Message #10 received at 870860@bugs.debian.org:
On Sat, Aug 05, 2017 at 09:58:53PM +0200, Salvatore Bonaccorso wrote:
> Source: openjfx
> Version: 8u131-b11-1
> Severity: grave
> Tags: upstream security
>
> Hi,
>
> the following vulnerabilities were published for openjfx.
>
> CVE-2017-10086[0] and CVE-2017-10114[1].
>
> Unfortunately there are possibly no more details known than those shared via [2],
> which states that the supported versions vulnerable are 7u141 and
> 8u131. The severity is probably overrated as well for this bug report,
> and a DSA is not deserved. But the bug should help track the fix for a
> future unstable upload.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-10086
> [1] https://security-tracker.debian.org/tracker/CVE-2017-10114
> [2] http://www.oracle.com/technetwork/security-advisory/cpujul2017verbose-3236625.html#JAVA
>
> Please adjust the affected versions in the BTS as needed.
Java maintainers, shall we follow the procedures for openjdk and
rebase to a new upstream release in stretch?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#870860; Package src:openjfx. (Mon, 02 Oct 2017 15:18:05 GMT)
Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 02 Oct 2017 15:18:05 GMT)
Message #15 received at 870860@bugs.debian.org:
On 2/10/2017 at 15:08, Moritz Muehlenhoff wrote:
> Java maintainers, shall we follow the procedures for openjdk and
> rebase to a new upstream release in stretch?
Yes please, that's the only sustainable solution for openjfx. I'll
prepare the update for unstable first and I'll let you know when I'm
ready for a stable-security update.
Emmanuel Bourg
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#870860; Package src:openjfx. (Mon, 02 Oct 2017 17:09:02 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 02 Oct 2017 17:09:02 GMT)
Message #20 received at 870860@bugs.debian.org:
On Mon, Oct 02, 2017 at 05:09:29PM +0200, Emmanuel Bourg wrote:
> On 2/10/2017 at 15:08, Moritz Muehlenhoff wrote:
>
> > Java maintainers, shall we follow the procedures for openjdk and
> > rebase to a new upstream release in stretch?
>
> Yes please, that's the only sustainable solution for openjfx. I'll
> prepare the update for unstable first and I'll let you know when I'm
> ready for a stable-security update.
Ok, sounds good.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#870860; Package src:openjfx. (Wed, 04 Oct 2017 14:27:07 GMT)
Message #23 received at 870860@bugs.debian.org:
tag 870860 + pending
thanks
Some bugs in the openjfx package are closed in revision
dfe93fb33fae53308d4650fb9aec02dccf563796 in branch 'master' by
Emmanuel Bourg
The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/openjfx.git/commit/?id=dfe93fb
Commit message:
New upstream release (Closes: #870860)
Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Wed, 04 Oct 2017 14:27:23 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#870860. (Wed, 04 Oct 2017 14:27:30 GMT)
Reply sent to Emmanuel Bourg <ebourg@apache.org>: You have taken responsibility. (Wed, 04 Oct 2017 18:30:12 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 04 Oct 2017 18:30:12 GMT)
Message #33 received at 870860-close@bugs.debian.org:
Source: openjfx
Source-Version: 8u141-b14-1
We believe that the bug you reported is fixed in the latest version of
openjfx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 870860@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated openjfx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 04 Oct 2017 20:01:06 +0200
Source: openjfx
Binary: openjfx libopenjfx-java libopenjfx-jni libopenjfx-java-doc openjfx-source
Architecture: source
Version: 8u141-b14-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
libopenjfx-java - JavaFX/OpenJFX 8 - Rich client application platform for Java (Jav
libopenjfx-java-doc - JavaFX/OpenJFX 8 - Rich client application platform for Java (Jav
libopenjfx-jni - JavaFX/OpenJFX 8 - Rich client application platform for Java (nat
openjfx - JavaFX/OpenJFX 8 - Rich client application platform for Java
openjfx-source - JavaFX/OpenJFX 8 - Rich client application platform for Java (sou
Closes: 849419 853593 857464 870860 872619
Changes:
openjfx (8u141-b14-1) unstable; urgency=medium
.
* Team upload.
* New upstream release:
- Fixes CVE-2017-10086 and CVE-2017-10114 (Closes: #870860)
* Fixed the build failure with GCC 7 (Closes: #853593)
* Use the gold linker with memory saving options to avoid build failures
caused by lack of RAM (Closes: #857464)
* Fixed a build failure on powerpc caused by a different ucontext_t definition
* Backported a fix for accented characters in textfields (Closes: #872619)
* libopenjfx-java now suggests installing openjfx (Closes: #849419)
* Added lintian overrides to remove the warnings related to the js files
* Disabled the buildSrc tests to work around a Gradle bug
* Standards-Version updated to 4.1.1
Checksums-Sha1:
309e8b634f31ba7a76b4c51745f4bb78506bd6e5 2763 openjfx_8u141-b14-1.dsc
560907d3dc44c5331844d57bf6310331fd8332c5 46838256 openjfx_8u141-b14.orig.tar.xz
fbbda017d9b3660ad421c37f46d6d6abf79c7306 17016 openjfx_8u141-b14-1.debian.tar.xz
0dced11444788413a914ad293a6d178dd0a473a9 21501 openjfx_8u141-b14-1_source.buildinfo
Checksums-Sha256:
98642e9bb3dcdea25ad7935bbb25a4c6d97cf1a1a28f8dee19249de12534d764 2763 openjfx_8u141-b14-1.dsc
0c4160938394fcea61937a29618f055ee6686a48be27b82bc32830289741799f 46838256 openjfx_8u141-b14.orig.tar.xz
4252729dc1fb05db1b45b84a8cbd8b4e2eaf8a71e024a1a7e085ea6f914d8998 17016 openjfx_8u141-b14-1.debian.tar.xz
717d2d6e41225f954a4a92d439f83c935232d20b5607ce5f18a6aca75618868b 21501 openjfx_8u141-b14-1_source.buildinfo
Files:
390fb89d02b88201ceed6159d7d416bb 2763 java optional openjfx_8u141-b14-1.dsc
cf2a3a76cec883ee57fbce565ee77f39 46838256 java optional openjfx_8u141-b14.orig.tar.xz
2a5022178703e5691f4178e357a7a40d 17016 java optional openjfx_8u141-b14-1.debian.tar.xz
0583b499eff4ee2c910d3ad71700cd80 21501 java optional openjfx_8u141-b14-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=2l94
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#870860; Package src:openjfx. (Fri, 06 Oct 2017 14:30:03 GMT)
Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>, 870860@bugs.debian.org: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 06 Oct 2017 14:30:03 GMT)
Message #38 received at 870860@bugs.debian.org:
Hi,
Quick update on openjfx: the package is back on track, as of version
8u141-b14-3 I eventually managed to get it to build on both amd64 and
i386 in unstable for the first time since January. If the tests go well
I'll prepare the security update next week.
Emmanuel Bourg
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#870860; Package src:openjfx. (Fri, 06 Oct 2017 14:33:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 06 Oct 2017 14:33:03 GMT)
Message #43 received at 870860@bugs.debian.org:
On Fri, Oct 06, 2017 at 04:27:02PM +0200, Emmanuel Bourg wrote:
> Hi,
>
> Quick update on openjfx: the package is back on track, as of version
> 8u141-b14-3 I eventually managed to get it to build on both amd64 and
> i386 in unstable for the first time since January. If the tests go well
> I'll prepare the security update next week.
Thanks.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#870860; Package src:openjfx. (Tue, 17 Oct 2017 14:33:09 GMT)
Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 17 Oct 2017 14:33:09 GMT)
Message #48 received at 870860@bugs.debian.org:
I ran the Oracle JavaFX demos with the new version and it worked fine
(except the media player but this isn't a regression, something is
probably misconfigured on my machine).
Should I proceed with the upload, or do you want to do it directly?
Emmanuel Bourg
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#870860; Package src:openjfx. (Tue, 17 Oct 2017 15:24:02 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 17 Oct 2017 15:24:03 GMT)
Message #53 received at 870860@bugs.debian.org:
On Tue, Oct 17, 2017 at 04:30:16PM +0200, Emmanuel Bourg wrote:
> I ran the Oracle JavaFX demos with the new version and it worked fine
> (except the media player but this isn't a regression, something is
> probably misconfigured on my machine).
>
> Should I proceed with the upload, or do you want to do it directly?
Please go ahead with the upload. I'll also test this with mediathekview
(which is the only reverse dependency in stretch IIRC). Unfortunately
it's geoblocked, so one can't test unless you have a German IP address :-/
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#870860; Package src:openjfx. (Tue, 17 Oct 2017 16:00:03 GMT)
Acknowledgement sent to Markus Koschany <apo@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 17 Oct 2017 16:00:03 GMT)
Message #58 received at 870860@bugs.debian.org:
On 17.10.2017 at 17:20, Moritz Muehlenhoff wrote:
> On Tue, Oct 17, 2017 at 04:30:16PM +0200, Emmanuel Bourg wrote:
>> I ran the Oracle JavaFX demos with the new version and it worked fine
>> (except the media player but this isn't a regression, something is
>> probably misconfigured on my machine).
>>
>> Should I proceed with the upload, or do you want to do it directly?
>
> Please go ahead with the upload. I'll also test this with mediathekview
> (which is the only reverse dependency in stretch IIRC). Unfortunately
> it's geoblocked, so one can't test unless you have a German IP address :-/
There are some streams that are not geoblocked and there is also ARTE.FR. :)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 15 Nov 2017 07:30:25 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 13:50:17 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.