
Debian Bug report logs - #870860
openjfx: CVE-2017-10086 CVE-2017-10114


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 5 Aug 2017 20:00:05 UTC

Severity: grave

Tags: security, upstream

Found in version openjfx/8u131-b11-1

Fixed in version openjfx/8u141-b14-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#870860; Package src:openjfx. (Sat, 05 Aug 2017 20:00:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 05 Aug 2017 20:00:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openjfx: CVE-2017-10086 CVE-2017-10114
Date: Sat, 05 Aug 2017 21:58:53 +0200
Source: openjfx
Version: 8u131-b11-1
Severity: grave
Tags: upstream security

Hi,

the following vulnerabilities were published for openjfx.

CVE-2017-10086[0] and CVE-2017-10114[1].

Unfortunately there are possibly no more details known than those shared via [2],
which states that the vulnerable supported versions are 7u141 and
8u131. The severity is probably overrated as well for this bug report
and a DSA not deserved. But the bug should help track the fix for a
future unstable upload.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10086
[1] https://security-tracker.debian.org/tracker/CVE-2017-10114
[2] http://www.oracle.com/technetwork/security-advisory/cpujul2017verbose-3236625.html#JAVA

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#870860; Package src:openjfx. (Mon, 02 Oct 2017 13:09:16 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 02 Oct 2017 13:09:16 GMT)


Message #10 received at 870860@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 870860@bugs.debian.org
Cc: carnil@debian.org
Subject: Re: openjfx: CVE-2017-10086 CVE-2017-10114
Date: Mon, 2 Oct 2017 15:08:51 +0200
On Sat, Aug 05, 2017 at 09:58:53PM +0200, Salvatore Bonaccorso wrote:
> Source: openjfx
> Version: 8u131-b11-1
> Severity: grave
> Tags: upstream security
> 
> Hi,
> 
> the following vulnerabilities were published for openjfx.
> 
> CVE-2017-10086[0] and CVE-2017-10114[1].
> 
> Unfortunately there are possibly no more details known than those shared via [2],
> which states that the vulnerable supported versions are 7u141 and
> 8u131. The severity is probably overrated as well for this bug report
> and a DSA not deserved. But the bug should help track the fix for a
> future unstable upload.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-10086
> [1] https://security-tracker.debian.org/tracker/CVE-2017-10114
> [2] http://www.oracle.com/technetwork/security-advisory/cpujul2017verbose-3236625.html#JAVA
> 
> Please adjust the affected versions in the BTS as needed.

Java maintainers, shall we follow the procedures for openjdk and
rebase to a new upstream release in stretch?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#870860; Package src:openjfx. (Mon, 02 Oct 2017 15:18:05 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 02 Oct 2017 15:18:05 GMT)


Message #15 received at 870860@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 870860@bugs.debian.org
Cc: carnil@debian.org
Subject: Re: Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114
Date: Mon, 2 Oct 2017 17:09:29 +0200
On 2/10/2017 at 15:08, Moritz Muehlenhoff wrote:

> Java maintainers, shall we follow the procedures for openjdk and
> rebase to a new upstream release in stretch?

Yes please, that's the only sustainable solution for openjfx. I'll
prepare the update for unstable first and I'll let you know when I'm
ready for a stable-security update.

Emmanuel Bourg



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#870860; Package src:openjfx. (Mon, 02 Oct 2017 17:09:02 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 02 Oct 2017 17:09:02 GMT)


Message #20 received at 870860@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Emmanuel Bourg <ebourg@apache.org>
Cc: 870860@bugs.debian.org, carnil@debian.org
Subject: Re: Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114
Date: Mon, 2 Oct 2017 19:04:32 +0200
On Mon, Oct 02, 2017 at 05:09:29PM +0200, Emmanuel Bourg wrote:
> On 2/10/2017 at 15:08, Moritz Muehlenhoff wrote:
> 
> > Java maintainers, shall we follow the procedures for openjdk and
> > rebase to a new upstream release in stretch?
> 
> Yes please, that's the only sustainable solution for openjfx. I'll
> prepare the update for unstable first and I'll let you know when I'm
> ready for a stable-security update.

Ok, sounds good.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#870860; Package src:openjfx. (Wed, 04 Oct 2017 14:27:07 GMT)


Message #23 received at 870860@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 870860@bugs.debian.org, 870860-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the openjfx package
Date: Wed, 04 Oct 2017 14:25:17 +0000
tag 870860 + pending
thanks

Some bugs in the openjfx package are closed in revision
dfe93fb33fae53308d4650fb9aec02dccf563796 in branch 'master' by
Emmanuel Bourg

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/openjfx.git/commit/?id=dfe93fb

Commit message:

    New upstream release (Closes: #870860)




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Wed, 04 Oct 2017 14:27:23 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#870860. (Wed, 04 Oct 2017 14:27:30 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Wed, 04 Oct 2017 18:30:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 04 Oct 2017 18:30:12 GMT)


Message #33 received at 870860-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 870860-close@bugs.debian.org
Subject: Bug#870860: fixed in openjfx 8u141-b14-1
Date: Wed, 04 Oct 2017 18:27:10 +0000
Source: openjfx
Source-Version: 8u141-b14-1

We believe that the bug you reported is fixed in the latest version of
openjfx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870860@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated openjfx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Oct 2017 20:01:06 +0200
Source: openjfx
Binary: openjfx libopenjfx-java libopenjfx-jni libopenjfx-java-doc openjfx-source
Architecture: source
Version: 8u141-b14-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libopenjfx-java - JavaFX/OpenJFX 8 - Rich client application platform for Java (Jav
 libopenjfx-java-doc - JavaFX/OpenJFX 8 - Rich client application platform for Java (Jav
 libopenjfx-jni - JavaFX/OpenJFX 8 - Rich client application platform for Java (nat
 openjfx    - JavaFX/OpenJFX 8 - Rich client application platform for Java
 openjfx-source - JavaFX/OpenJFX 8 - Rich client application platform for Java (sou
Closes: 849419 853593 857464 870860 872619
Changes:
 openjfx (8u141-b14-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release:
     - Fixes CVE-2017-10086 and CVE-2017-10114 (Closes: #870860)
   * Fixed the build failure with GCC 7 (Closes: #853593)
   * Use the gold linker with memory saving options to avoid build failures
     caused by lack of RAM (Closes: #857464)
   * Fixed a build failure on powerpc caused by a different ucontext_t definition
   * Backported a fix for accented characters in textfields (Closes: #872619)
   * libopenjfx-java now suggests installing openjfx (Closes: #849419)
   * Added lintian overrides to remove the warnings related to the js files
   * Disabled the buildSrc tests to work around a Gradle bug
   * Standards-Version updated to 4.1.1
Checksums-Sha1:
 309e8b634f31ba7a76b4c51745f4bb78506bd6e5 2763 openjfx_8u141-b14-1.dsc
 560907d3dc44c5331844d57bf6310331fd8332c5 46838256 openjfx_8u141-b14.orig.tar.xz
 fbbda017d9b3660ad421c37f46d6d6abf79c7306 17016 openjfx_8u141-b14-1.debian.tar.xz
 0dced11444788413a914ad293a6d178dd0a473a9 21501 openjfx_8u141-b14-1_source.buildinfo
Checksums-Sha256:
 98642e9bb3dcdea25ad7935bbb25a4c6d97cf1a1a28f8dee19249de12534d764 2763 openjfx_8u141-b14-1.dsc
 0c4160938394fcea61937a29618f055ee6686a48be27b82bc32830289741799f 46838256 openjfx_8u141-b14.orig.tar.xz
 4252729dc1fb05db1b45b84a8cbd8b4e2eaf8a71e024a1a7e085ea6f914d8998 17016 openjfx_8u141-b14-1.debian.tar.xz
 717d2d6e41225f954a4a92d439f83c935232d20b5607ce5f18a6aca75618868b 21501 openjfx_8u141-b14-1_source.buildinfo
Files:
 390fb89d02b88201ceed6159d7d416bb 2763 java optional openjfx_8u141-b14-1.dsc
 cf2a3a76cec883ee57fbce565ee77f39 46838256 java optional openjfx_8u141-b14.orig.tar.xz
 2a5022178703e5691f4178e357a7a40d 17016 java optional openjfx_8u141-b14-1.debian.tar.xz
 0583b499eff4ee2c910d3ad71700cd80 21501 java optional openjfx_8u141-b14-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#870860; Package src:openjfx. (Fri, 06 Oct 2017 14:30:03 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>, 870860@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 06 Oct 2017 14:30:03 GMT)


Message #38 received at 870860@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 870860@bugs.debian.org
Cc: carnil@debian.org
Subject: Re: Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114
Date: Fri, 6 Oct 2017 16:27:02 +0200
Hi,

Quick update on openjfx: the package is back on track, as of version
8u141-b14-3 I eventually managed to get it to build on both amd64 and
i386 in unstable for the first time since January. If the tests go well
I'll prepare the security update next week.

Emmanuel Bourg



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#870860; Package src:openjfx. (Fri, 06 Oct 2017 14:33:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 06 Oct 2017 14:33:03 GMT)


Message #43 received at 870860@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Emmanuel Bourg <ebourg@apache.org>, 870860@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, carnil@debian.org
Subject: Re: Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114
Date: Fri, 6 Oct 2017 16:29:24 +0200
On Fri, Oct 06, 2017 at 04:27:02PM +0200, Emmanuel Bourg wrote:
> Hi,
> 
> Quick update on openjfx: the package is back on track, as of version
> 8u141-b14-3 I eventually managed to get it to build on both amd64 and
> i386 in unstable for the first time since January. If the tests go well
> I'll prepare the security update next week.

Thanks.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#870860; Package src:openjfx. (Tue, 17 Oct 2017 14:33:09 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 17 Oct 2017 14:33:09 GMT)


Message #48 received at 870860@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 870860@bugs.debian.org
Cc: carnil@debian.org
Subject: Re: Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114
Date: Tue, 17 Oct 2017 16:30:16 +0200
I ran the Oracle JavaFX demos with the new version and it worked fine
(except the media player but this isn't a regression, something is
probably misconfigured on my machine).

Should I proceed with the upload, or do you want to do it directly?

Emmanuel Bourg



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#870860; Package src:openjfx. (Tue, 17 Oct 2017 15:24:02 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 17 Oct 2017 15:24:03 GMT)


Message #53 received at 870860@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Emmanuel Bourg <ebourg@apache.org>
Cc: 870860@bugs.debian.org, carnil@debian.org
Subject: Re: Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114
Date: Tue, 17 Oct 2017 17:20:45 +0200
On Tue, Oct 17, 2017 at 04:30:16PM +0200, Emmanuel Bourg wrote:
> I ran the Oracle JavaFX demos with the new version and it worked fine
> (except the media player but this isn't a regression, something is
> probably misconfigured on my machine).
> 
> Should I proceed with the upload, or do you want to do it directly?

Please go ahead with the upload. I'll also test this with mediathekview 
(which is the only reverse dependency in stretch IIRC). Unfortunately 
it's geoblocked, so one can't test unless you have a German IP address :-/

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#870860; Package src:openjfx. (Tue, 17 Oct 2017 16:00:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 17 Oct 2017 16:00:03 GMT)


Message #58 received at 870860@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 870860@bugs.debian.org, Emmanuel Bourg <ebourg@apache.org>, carnil@debian.org
Subject: Re: Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114
Date: Tue, 17 Oct 2017 17:57:23 +0200
On 17.10.2017 at 17:20, Moritz Muehlenhoff wrote:
> On Tue, Oct 17, 2017 at 04:30:16PM +0200, Emmanuel Bourg wrote:
>> I ran the Oracle JavaFX demos with the new version and it worked fine
>> (except the media player but this isn't a regression, something is
>> probably misconfigured on my machine).
>>
>> Should I proceed with the upload, or do you want to do it directly?
> 
> Please go ahead with the upload. I'll also test this with mediathekview 
> (which is the only reverse dependency in stretch IIRC). Unfortunately 
> it's geoblocked, so one can't test unless you have a German IP address :-/

There are some streams that are not geoblocked and there is also ARTE.FR. :)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 15 Nov 2017 07:30:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:50:17 2019; Machine Name: buxtehude
