Errata overview
Errata ID 381
Date 2017-02-01
Source package openjdk-7
Fixed in version 7u121-2.6.8-1.34.201701252027
Description
Multiple vulnerabilities have been discovered in the implementation
of the Java platform. In Univention Corporate Server OpenJDK is
used instead of Oracle Java. This erratum updates OpenJDK to the
release based on the Oracle update 7u121.
* A protected field can be leveraged into type confusion (CVE-2017-3272)
* Custom class constructor code can bypass the required call to super.init
  allowing for uninitialized objects to be created (CVE-2017-3289)
* RMI deserialization should limit the types deserialized to prevent
  attacks that could escape the sandbox (CVE-2017-3241)
* It is possible to corrupt memory by calling dispose() on a
  CMenuComponent multiple times (CVE-2017-3260)
* ECDSA will accept signatures that have various extraneous bytes added
  to them whereas the signature is supposed to be unique (CVE-2016-5546)
* The PNG specification allows the iTXt and zTXt chunks to be 2^32-1 bytes
  long so these should not be uncompressed unless the user explicitly
  requests it (CVE-2017-3253)
* DSA signing exhibits a timing bias that may leak information about k
  (CVE-2016-5548)
* ECDSA signing exhibits a timing bias that may leak information about k
  (CVE-2016-5549)
* LdapLoginModule incorrectly tries to deserialize responses from an LDAP
  server when an LDAP context is expected (CVE-2017-3252)
* Parsing of URLs can be inconsistent with how users or external
  applications would interpret them leading to possible security issues
  (CVE-2016-5552)
* A value from an InputStream is read directly into the size argument of
  a new byte[] without validation (CVE-2016-5547)
* An integer overflow exists in SocketOutputStream which can lead to
  memory disclosure (CVE-2017-3261)
* Under some circumstances URLClassLoader will dispatch HTTP GET requests
  where the invoker does not have permission (CVE-2017-3231)
* 3DES can be exploited for block collisions when long-running sessions
  are allowed (CVE-2016-2183)
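The ECDSA item above (CVE-2016-5546) is about signature encoding, not the curve math: a verifier that parses the DER SEQUENCE { INTEGER r, INTEGER s } loosely will accept the same (r, s) in many byte forms, so a signature is no longer unique. The following is an added illustration of the strict check a verifier should perform, written in Python for this page; it is not OpenJDK's code, and the sample (r, s) values and the P-256 group order used for range checking are constructed inputs for the demonstration.

```python
# Added example: strict DER parsing of an ECDSA signature, rejecting the
# extraneous or non-canonical bytes that make a signature non-unique.
# This is illustrative code, not OpenJDK's implementation.

# Group order of NIST P-256, used only to range-check r and s.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _read_length(buf, pos):
    """Parse a DER length at buf[pos]; return (length, next_pos).
    Rejects indefinite lengths and non-minimal long-form encodings."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length")
    if pos + n > len(buf):
        raise ValueError("truncated length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if length < 0x80 or buf[pos] == 0:
        raise ValueError("non-minimal length encoding")
    return length, pos + n


def _read_integer(buf, pos):
    """Parse a DER INTEGER; reject negative values and padding zeros."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, pos = _read_length(buf, pos + 1)
    if length == 0 or pos + length > len(buf):
        raise ValueError("bad INTEGER length")
    body = buf[pos:pos + length]
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if length > 1 and body[0] == 0 and not (body[1] & 0x80):
        raise ValueError("non-minimal INTEGER (leading zero)")
    return int.from_bytes(body, "big"), pos + length


def parse_ecdsa_der_strict(sig, order=P256_ORDER):
    """Return (r, s) only if sig is the unique DER encoding and both
    values lie in [1, order-1]; raise ValueError otherwise."""
    if len(sig) < 2 or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    seq_len, pos = _read_length(sig, 1)
    if pos + seq_len != len(sig):
        raise ValueError("trailing bytes after SEQUENCE")
    r, pos = _read_integer(sig, pos)
    s, pos = _read_integer(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes inside SEQUENCE")
    if not (0 < r < order and 0 < s < order):
        raise ValueError("r or s out of range")
    return r, s


def is_strict_der_signature(sig, order=P256_ORDER):
    """Boolean wrapper: True only for a canonical, in-range signature."""
    try:
        parse_ecdsa_der_strict(sig, order)
        return True
    except ValueError:
        return False


def _enc_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def encode_ecdsa_der(r, s):
    """Canonical DER encoding of (r, s), used to build test vectors."""
    def enc_int(v):
        b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        if b[0] & 0x80:
            b = b"\x00" + b      # keep the INTEGER positive
        return b"\x02" + _enc_len(len(b)) + b
    body = enc_int(r) + enc_int(s)
    return b"\x30" + _enc_len(len(body)) + body


if __name__ == "__main__":
    # Constructed sample values; s = 0x81 exercises the leading-zero rule.
    good = encode_ecdsa_der(0x6F, 0x81)
    print(good.hex(), parse_ecdsa_der_strict(good))
    print("trailing byte accepted?", is_strict_der_signature(good + b"\x00"))
```

A loose parser would accept `good + b"\x00"`, a BER long-form length (`30 81 07 ...`), or an r padded with an extra `00` byte as the same signature; the strict version rejects each, so exactly one byte string verifies for a given (r, s).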
Additional notes
CVE ID CVE-2016-3458
CVE-2016-3500
CVE-2016-3508
CVE-2016-3550
CVE-2016-3606
CVE-2016-5542
CVE-2016-5554
CVE-2016-5573
CVE-2016-5582
CVE-2016-5597
CVE-2017-3272
CVE-2017-3289
CVE-2017-3241
CVE-2017-3260
CVE-2016-5546
CVE-2017-3253
CVE-2016-5548
CVE-2016-5549
CVE-2017-3252
CVE-2016-5552
CVE-2016-5547
CVE-2017-3261
CVE-2017-3231
CVE-2016-2183
UCS Bug number #41871