Preparation of update releases

Volker Simonis volker.simonis at gmail.com
Mon Oct 29 16:20:06 UTC 2018 

I couldn't stop thinking about the exact mechanics of this (and
future) update releases, so here comes a complete summary and
categorization of the changes which have been integrated into 11u as
part of the 11.0.1 release.

1. With the merge of  11.0.1 into jdk11u a total of 103 non-merge,
non-tag changes have been brought into jdk11u

8160104: CORBA communication improvements
8163237: Restrict the use of EXPORT cipher suites
8172525: Improve key keying case
8174756: Extra validation for public keys
8174962: Better interface invocations
8175075: Add 3DES to the default disabled algorithm security property
8175932: Improve host instance supports
8176450: Revise default document styling
8178449: Improve LDAP logins
8178458: Better use of certificates in LDAP
8178466: Better RSA parameters
8179533: Cleaner print job handling
8179990: Cleaner palette entry handling
8180011: Cleaner native graphics device handling
8180015: Cleaner AWT robot handling
8180020: Improve SymbolHashMap entry handling
8180869: Cleaner image file reading handling
8180877: More deeply colored ICC spaces
8181664: Improve JVM UTF String handling
8181670: Improve implementation of keystores
8182125: Improve reliability of DNS lookups
8182362: Update CipherOutputStream Usage
8182387: Improve PKCS usage
8182601: Improve usage messages
8183032: Upgrade to LittleCMS 2.9
8185292: Stricter key generation
8185325: Improve GTK initialization
8186032: Disable XML Signatures signed with EC keys less than 224 bits
8186080: Transform XML interfaces
8186212: Improve GSS handling
8186600: Improve property negotiations
8186606: Improve LDAP lookup robustness
8186998: Improve JMX supportive features
8187496: Possible memory leak in
java.apple.security.KeychainStore.addItemToKeychain
8189123: More consistent classloading
8189284: More refactoring for deserialization cases
8189969: Manifest better manifest entries
8189977: Improve permission portability
8189981: Improve queuing portability
8189985: Improve tabular data portability
8189989: Improve container portability
8189993: Improve document portability
8189997: Enhance keystore mechanisms
8190227: Forward port 8188880 to JDK10CPU
8190289: More refactoring for client deserialization cases
8190478: Improved interface method selection
8190789: sun/security/provider/certpath/LDAPCertStore/TestURICertStoreParameters.java
fails after JDK-8186606
8190877: Better handling of abstract classes
8191142: More refactoring for naming deserialization cases
8191239: Improve desktop file usage
8191358: Restore TSA certificate expiration check
8191696: Better mouse positioning
8191907: PPC64 and s390 parts of JDK-8174962: Better interface invocations
8192025: Less referential references
8192030: Better MTSchema support
8192757: Improve stub classes implementation
8192789: Avoid using AtomicReference in sun.security.provider.PolicyFile
8193409: Improve AES supporting classes
8193414: Improvements in MethodType lookups
8193419: Better Internet address support
8194233: Improve support for array handles
8194238: Trying exceptions in MethodHandles
8194534: Manifest better support
8194546: Choosier FileManagers
8195662: Add T6587786.java to problem list before JDK-8195589 is resolved
8195874: Improve jar specification adherence
8196224: Even better Internet address support
8196289: Update src/java.desktop/share/legal/lcms.md for LCMS 2.9
8196897: Improve PRNG support
8196902: Better HTTP Redirection
8197443: ArrayIndexOutOfBoundsException in UcryptoException.getError
8197881: Better StringBuilder support
8197925: Better stack walking
8199110: Address Internet Addresses
8199172: Improve jar attribute checks
8199177: Enhance JNDI lookups
8199226: Improve field accesses
8199547: Exception to Pattern Syntax
8200332: Improve GCM counting
8200648: Make midi code more sound
8200666: Improve LDAP support
8201756: Improve cipher inputs
8202613: Improve TLS connections stability
8202936: Improve script engine support
8203654: Improve cypher state updates
8204497: Better formatting of decimals
8204667: Resources not freed on exception
8205491: adjust reflective access checks
8206473: Revert changes of JDK-8202613 in jdk-cpu and jdk11u-cpu
8206884: Bump update version for jdk11.0.1 cpu forest
8207948: JDK 11 L10n resource file update msg drop 10
8208209: Improve TLS connection stability again
8208268: 11.0.1 b03 java.net bundles - Release Date is wrong
8208350: Disable all DES cipher suites
8208654: Please change jdk 11.0.1 milestone to FCS
8208661: JDK 11.0.1 l10n resource file update
8208754: The fix for JDK-8194534 needs updates
8209916: NPE in SupportedGroupsExtension
8210345: The Japanese message of FileNotFoundException garbled
8210432: Add additional TeliaSonera root certificate
8210846: TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the
client side with mutual auth
8211107: LDAPS communication failure with jdk 1.8.0_181
8211731: Reconsider default option for ClassPathURLCheck change done
in JDK-8195874

2. Out of these 103 changes, 71 already have been part of the 11 GA
release. These 71 changes have been manually down-portred (or
"cherry-picked") into the 11.0.1 repo and now, after the merge,
manifest as duplicate changes in the 11u repository (i.e. changes with
the same patch and summary, but different hash value). E.g.:

$ hg log -k 8160104
changeset:   51200:6057a7306f29 48418:2c1af559e922
user:        msheppar
date:        Sun Sep 03 16:08:13 2017 +0100
summary:     8160104: CORBA communication improvements
Reviewed-by: rriggs, dfuchs

changeset:   48618:592e22777742 48562:c94c352dc400
user:        msheppar
date:        Sun Sep 03 16:08:13 2017 +0100
summary:     8160104: CORBA communication improvements
Reviewed-by: rriggs, dfuchs

This is strange, because I would have expected that the closed 11.0.1
repository should have been regularly merged with the 11 stabilization
repository until the GA date of 11. This would have been prevented
most of these duplicate changes. But instead (for whatever reason)
many of these changes have been manually integrated into 11.0.1 after
(or before) they were integrated into the 11 repository.

Following a complete list of these 71 change sets:

8160104: CORBA communication improvements
8175932: Improve host instance supports
8180020: Improve SymbolHashMap entry handling
8174962: Better interface invocations
8181664: Improve JVM UTF String handling
8176450: Revise default document styling
8172525: Improve key keying case
8179533: Cleaner print job handling
8180011: Cleaner native graphics device handling
8179990: Cleaner palette entry handling
8180015: Cleaner AWT robot handling
8180869: Cleaner image file reading handling
8180877: More deeply colored ICC spaces
8174756: Extra validation for public keys
8182125: Improve reliability of DNS lookups
8182387: Improve PKCS usage
8182601: Improve usage messages
8186212: Improve GSS handling
8178466: Better RSA parameters
8178449: Improve LDAP logins
8181670: Improve implementation of keystores
8178458: Better use of certificates in LDAP
8186998: Improve JMX supportive features
8186080: Transform XML interfaces
8185325: Improve GTK initialization
8186600: Improve property negotiations
8185292: Stricter key generation
8163237: Restrict the use of EXPORT cipher suites
8190227: Forward port 8188880 to JDK10CPU
8186606: Improve LDAP lookup robustness
8190789: sun/security/provider/certpath/LDAPCertStore/TestURICertStoreParameters.java
fails after JDK-8186606
8190289: More refactoring for client deserialization cases
8189123: More consistent classloading
8189989: Improve container portability
8190877: Better handling of abstract classes
8191907: PPC64 and s390 parts of JDK-8174962: Better interface invocations
8189284: More refactoring for deserialization cases
8191142: More refactoring for naming deserialization cases
8190478: Improved interface method selection
8189977: Improve permission portability
8183032: Upgrade to LittleCMS 2.9
8187496: Possible memory leak in
java.apple.security.KeychainStore.addItemToKeychain
8192789: Avoid using AtomicReference in sun.security.provider.PolicyFile
8191358: Restore TSA certificate expiration check
8192030: Better MTSchema support
8189969: Manifest better manifest entries
8186032: Disable XML Signatures signed with EC keys less than 224 bits
8193414: Improvements in MethodType lookups
8182362: Update CipherOutputStream Usage
8191696: Better mouse positioning
8189997: Enhance keystore mechanisms
8195662: Add T6587786.java to problem list before JDK-8195589 is resolved
8189993: Improve document portability
8193419: Better Internet address support
8192025: Less referential references
8175075: Add 3DES to the default disabled algorithm security property
8194233: Improve support for array handles
8193409: Improve AES supporting classes
8194238: Trying exceptions in MethodHandles
8196289: Update src/java.desktop/share/legal/lcms.md for LCMS 2.9
8191239: Improve desktop file usage
8189981: Improve queuing portability
8196224: Even better Internet address support
8197443: ArrayIndexOutOfBoundsException in UcryptoException.getError
8189985: Improve tabular data portability
8199547: Exception to Pattern Syntax
8200332: Improve GCM counting
8197925: Better stack walking
8200666: Improve LDAP support
8205491: adjust reflective access checks
8207948: JDK 11 L10n resource file update msg drop 10

3. The remaining 32 changes can be divided into three categories. 6 of
them are publicly visible, non-security changes which have been
manually downported from jdk 12 to 11.0.1. They can be found in JBS
with the query suggested by Kevin (i.e. "project = JDK AND resolution
= Fixed AND fixVersion = 11.0.1 AND (labels is EMPTY OR labels not in
(hgupdate-sync))")

8211107: LDAPS communication failure with jdk 1.8.0_181
8210846: TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the
client side with mutual auth
8209916: NPE in SupportedGroupsExtension
8210432: Add additional TeliaSonera root certificate
8210345: The Japanese message of FileNotFoundException garbled.
8208350: Disable all DES cipher suites

Notice that the query actually lists one more change "8211237: Oracle
JDK builds for "11.0.1" should indicate they are "LTS"" but this
change is apparently only for the "Oracle JDK" and was not integrated
into the OpenJDK. Not sure how that can be detected from looking at
the issue in JBS (maybe because its component is "infrastructure"?),
but JDK-8211237 is definitely not in the the jdk11u repository!

4. This leaves us with the remaining 26 changes of which 18 have been
communicated and discussed on the vulnerability list:

8208754: The fix for JDK-8194534 needs updates
8194534: Manifest better support
8194546: Choosier FileManagers
8211731: Reconsider default option for ClassPathURLCheck change done
in JDK-8195874
8195874: Improve jar specification adherence
8196897: Improve PRNG support
8196902: Better HTTP Redirection
8197881: Better StringBuilder support
8199110: Address Internet Addresses
8199172: Improve jar attribute checks
8199177: Enhance JNDI lookups
8199226: Improve field accesses
8200648: Make midi code more sound
8201756: Improve cipher inputs
8202936: Improve script engine support
8203654: Improve cypher state updates
8204497: Better formatting of decimals
8208209: Improve TLS connection stability again

5. Finally, 11.0.1 contained 8 more changes which were actually not
considered "security relevant" because they have not been discussed on
the vulnerability list but which were "closed" (i.e. invisible) to
externals in the Java Bug System:

8192757: Improve stub classes implementation
8202613: Improve TLS connections stability
8204667: Resources not freed on exception
8206473: Revert changes of JDK-8202613 in jdk-cpu and jdk11u-cpu
8206884: Bump update version for jdk11.0.1 cpu forest
8208268: 11.0.1 b03 java.net bundles - Release Date is wrong
8208654: Please change jdk 11.0.1 milestone to FCS
8208661: JDK 11.0.1 l10n resource file update

Notice that the issue for "8204667: Resources not freed on exception"
was changed to "open" after 11.0.1 was released, during the discussion
on this email thread.

This summary shows that it is virtually impossible for an external
party to prepare a security update which will be feature-wise on-par
with the security updates merged by Oracle into the OpenJDK - even if
the the corresponding party has full access to the planned security
patches circulated on the vulnerability list.

It also makes it clear that after Oracle will stop contributing its
security updates to the OpenJDK (e.g. for 11.0.3) the Oracle JDK will
start to diverge considerably from the corresponding Java version in
the OpenJDK (e.g. Oracle JDK 11.0.4 will probably have dozens of
changes which are not in OpenJDK 11.0.4). While Oracle has the
possibility to pull in all the changes of an OpenJDK updates release,
this is impossible for the community for Oracle JDK changes. I don't
know if this is desired, but it is a matter of fact.

Regards,
Volker
On Wed, Oct 24, 2018 at 9:05 PM Volker Simonis <volker.simonis at gmail.com> wrote:
>
> Andrew Haley <aph at redhat.com> schrieb am Mi. 24. Okt. 2018 um 17:02:
>>
>> On 10/24/2018 01:42 PM, Rob McKenna wrote:
>> > 2) non-vuln closed issues may need to be distributed along with the vulns
>> > on vuln-dev.
>>
>> Indeed. This has been a problem for a little while now. It's hard for
>> me, as an outsider, to make any meaningful distinction between a non-
>> vuln and a vuln closed issue, but we get one and not the other.
>
>
> The easiest and most practical solution would be to grant members of the Vulnerability Group access to the security repos. I don’t see any principle problem with such a solution because there’s nothing in these repos that members of the Vulnerability Group are not allowed to see. So it can only be technical problems which prevent such a solution and technical problems should be easy to solve :)
>
>>
>> --
>> Andrew Haley
>> Java Platform Lead Engineer
>> Red Hat UK Ltd. <https://www.redhat.com>
>> EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671

More information about the jdk-updates-dev mailing list