Debian Security Advisory

DLA-1886-2 openjdk-7 -- LTS security update

Date Reported: 23 Aug 2019
Affected Packages: openjdk-7
Vulnerable: Yes
Security database references: In the Debian bugtracking system: Bug 935082, Bug 750400.
More information:

The latest security update of openjdk-7 caused a regression when applications relied on elliptic curve algorithms to establish SSL connections. Several duplicate classes were removed from rt.jar by the upstream developers of OpenJDK because they were also present in sunec.jar. However, Debian never shipped the SunEC security provider in OpenJDK 7.

The issue was resolved by building sunec.jar and its corresponding native library libsunec.so from source. In order to build these libraries from source, an update of nss to version 2:3.26-1+debu8u6 is required.

Updates for the amd64 architecture are already available; new packages for i386, armel and armhf will be available within the next 24 hours.

For Debian 8 Jessie, this problem has been fixed in version 7u231-2.6.19-1~deb8u2.

We recommend that you upgrade your openjdk-7 packages.
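To confirm on a host that the regression described above is gone after upgrading, the following check exercises EC key generation, ECDH key agreement and the default TLS cipher suite list, and reports whether the SunEC provider is registered. It is an added example, not part of the advisory or of the OpenJDK packaging; the class name `EcProviderCheck` and the choice of a 256-bit key size are assumptions.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLContext;

// Added diagnostic, Java 7 compatible. The class name is hypothetical.
public class EcProviderCheck {
    // True if the SunEC provider (sunec.jar plus libsunec.so) is registered.
    static boolean sunEcRegistered() {
        return Security.getProvider("SunEC") != null;
    }
    // Derives an ECDH secret from one party's private key and the peer's public key.
    static byte[] agree(KeyPair own, KeyPair peer) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(own.getPrivate());
        ka.doPhase(peer.getPublic(), true);
        return ka.generateSecret();
    }
    // Generates two EC key pairs, checks both sides derive the same secret,
    // and returns the name of the provider that served the "EC" key generator.
    static String ecdhRoundTrip() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair a = kpg.generateKeyPair();
        KeyPair b = kpg.generateKeyPair();
        if (!Arrays.equals(agree(a, b), agree(b, a))) {
            throw new IllegalStateException("ECDH secrets differ");
        }
        return kpg.getProvider().getName();
    }
    // Counts the ECDH/ECDHE cipher suites enabled by default for TLS clients.
    static int enabledEcSuites() throws Exception {
        int n = 0;
        for (String s : SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites()) {
            if (s.contains("_ECDH")) n++;
        }
        return n;
    }
    public static void main(String[] args) {
        System.out.println("SunEC registered: " + sunEcRegistered());
        try {
            System.out.println("EC key generation and ECDH served by: " + ecdhRoundTrip());
            System.out.println("EC cipher suites enabled by default: " + enabledEcSuites());
        } catch (Throwable t) { // Throwable: missing classes surface as Errors, not Exceptions
            System.out.println("EC check FAILED: " + t);
            System.exit(1);
        }
    }
}
```

Compile and run it with the `javac` and `java` from the installed openjdk-7 packages; a non-zero exit status means EC operations are not usable in that JVM.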

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS