[1.8, 1.9, 1.10 APPROVAL] Regression due to BEAST fix in last security update
Deepak Bhole
dbhole at redhat.com
Fri Dec 23 08:20:07 PST 2011
* Dr Andrew John Hughes <ahughes at redhat.com> [2011-12-22 20:23]:
> I'd like to apply the attached OpenJDK patch to our release branches -
> 1.8, 1.9 and 1.10. The patch is a simple one line change which fixes
> a regression caused by the last security update, specifically the fix
> for the BEAST SSL flaw. See:
>
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725
>
> for details. The length can be 0 on entering AppOutputStream.write
> and the security fix did not handle this case. 7 and 8 handle this
> case by returning early, due to an earlier cleanup fix during the
> 7 development cycle:
>
> 6697270: Inputstream dosent behave correct
> Summary: do not try to read zero byte from a InputStream, and do always return
> immediately for zero byte reading in a InputStream implementation.
> http://hg.openjdk.java.net/jdk7u/jdk7u-dev-gate/jdk/rev/6bdbb2f5c763
>
> The fix is now in HEAD.
> Ok for 1.8, 1.9 and 1.10 (with accompanying ChangeLog/NEWS updates as in HEAD)?
Approved.
Thanks,
Deepak
> --
> Andrew :)
>
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> PGP Key: 248BDC07 (https://keys.indymedia.org/)
> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
> # HG changeset patch
> # User robm
> # Date 1324518632 0
> # Node ID cb20ed4b953add8f2443831a0552640efca53ab7
> # Parent 6b46f3c7c97cb060f88b196171b95d33bff80b7c
> 7103725: REGRESSION - 6u29 breaks ssl connectivity using TLS_DH_anon_WITH_AES_128_CBC_SHA
> Summary: resolving an issue with 7064341.
> Reviewed-by: wetmore, coffeys
>
> diff -r 6b46f3c7c97c -r cb20ed4b953a src/share/classes/sun/security/ssl/AppOutputStream.java
> --- openjdk/jdk/src/share/classes/sun/security/ssl/AppOutputStream.java Wed Nov 16 13:14:57 2011 +0000
> +++ openjdk/jdk/src/share/classes/sun/security/ssl/AppOutputStream.java Thu Dec 22 01:50:32 2011 +0000
> @@ -90,7 +90,8 @@
> do {
> int howmuch;
> if (isFirstRecordOfThePayload && c.needToSplitPayload()) {
> - howmuch = Math.min(0x01, r.availableDataBytes());
> + howmuch = (len == 0) ? 0 : Math.min(
> + 0x01, r.availableDataBytes());
> } else {
> howmuch = Math.min(len, r.availableDataBytes());
> }
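Review bot: the new `(len == 0) ? 0 : Math.min(0x01, r.availableDataBytes())` in the `isFirstRecordOfThePayload && c.needToSplitPayload()` branch has no comment explaining why zero is special-cased, and the `do` body still runs once with `howmuch` set to 0. A short comment stating that a zero-length write must not be turned into a one-byte first record would make the intent clear to the next reader. Since the cover message says 7 and 8 handle this by returning early, consider whether a `len == 0` guard ahead of the `do` loop would be a cleaner backport than folding the check into the split branch; the `else` branch already yields 0 through `Math.min(len, r.availableDataBytes())`, so both paths now reach the rest of the loop with nothing to write, and the visible lines do not show what the loop does in that case. The patch also carries no regression test for a zero-length `write` on a connection where the payload split is active.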