Security fixes in b19 - Re: hg: jdk6/jdk6/jdk: 23 new changesets

Andrew John Hughes ahughes at redhat.com
Tue Apr 6 13:57:00 PDT 2010


On 6 April 2010 20:40, Joe Darcy <joe.darcy at oracle.com> wrote:
> Joe Darcy wrote:
>>
>> Andrew John Hughes wrote:
>>>
>>> On 6 April 2010 17:34, Joe Darcy <joe.darcy at oracle.com> wrote:
>>>
>>>>
>>>> Andrew John Hughes wrote:
>>>>
>>>>>
>>>>> On 31 March 2010 00:52, Andrew John Hughes <ahughes at redhat.com> wrote:
>>>>>
>>>>>
>>>>>>
>>>>>> On 31 March 2010 00:46, Joe Darcy <joe.darcy at oracle.com> wrote:
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> The latest round of security fixes are now in the OpenJDK 6 master
>>>>>>> repositories.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> And IcedTea6 1.6, 1.7, 1.8, HEAD and IcedTea7 :-)
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Joe, where are the fixes for the HotSpot tree?  See top of
>>>>> http://hg.openjdk.java.net/icedtea/jdk7/hotspot
>>>>>
>>>>>
>>>>>
>>>>
>>>> This time around, all the security fixes were in the jdk repository.
>>>>
>>>> -Joe
>>>>
>>>>
>>>
>>> Err... no they weren't...
>>>
>>> 6626217: Loader-constraint table allows arrays instead of only the
>>> base-classes (CVE-2010-0082)
>>> 6892265: System.arraycopy unable to reference elements beyond
>>> Integer.MAX_VALUE bytes (CVE-2010-0093)
>>> 6894807: No ClassCastException for HashAttributeSet constructors if
>>> run with -Xcomp (CVE-2010-0845)
>>>
>>> and
>>>
>>> 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
>>>
>>> due to a breakage caused by one of the above.
>>>
>>
>> Hmm, let me check into that...
>>
>
> Thanks for catching this; the remaining security fixes are on the way.  (The
> rebasing of the HotSpot repo caused a hiccup in the security integration
> process which will be corrected.)
>
> -Joe
>

Thanks; all seem to be present and correct now.  We just need the fix
I posted (http://mail.openjdk.java.net/pipermail/jdk6-dev/2010-April/001434.html)
so rmid isn't broken.
-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8

