[PATCH] b36 Release and retro-active security patch review

Andrew Hughes gnu.andrew at redhat.com
Thu Jul 30 21:02:41 UTC 2015


----- Original Message -----
> We have a new release of IcedTea [0] and a new OpenJDK 6 release, b36
> to go with it. This is made from the current state of the OpenJDK 6
> repositories plus backports of the new security fixes included in 7u85
> & 8u51.
> 
> The tarballs are available here:
> 
> https://java.net/projects/openjdk6/downloads/download/openjdk-6-src-b36-22_jul_2015.tar.gz
> https://java.net/projects/openjdk6/downloads/download/openjdk-6-src-b36-22_jul_2015.tar.xz
>  
> SHA256 checksums:
>  
> 9616b2365734ad34b0837dc99ba604513f9a12b602aadfdf334e46f9d59dac55
> openjdk-6-src-b36-22_jul_2015.tar.gz
> c9df23d208b3b61f5f57c030accca2f7b3218a97bd140668506265ececdf26f4
> openjdk-6-src-b36-22_jul_2015.tar.xz
> 
> Changes since b36 (including both CPU fixes and upstreamed changes):
> 
> * Security fixes
>   - S8043202, CVE-2015-2808: Prohibit RC4 cipher suites
>   - S8067694, CVE-2015-2625: Improved certification checking
>   - S8071715, CVE-2015-4760: Tune font layout engine
>   - S8071731: Better scaling for C1
>   - S8072490: Better font morphing redux
>   - S8072887: Better font handling improvements
>   - S8073334: Improved font substitutions
>   - S8073773: Presume path preparedness
>   - S8073894: Getting to the root of certificate chains
>   - S8074330: Set font anchors more solidly
>   - S8074335: Substitute for substitution formats
>   - S8074865, CVE-2015-2601: General crypto resilience changes
>   - S8074871: Adjust device table handling
>   - S8075374, CVE-2015-4748: Responding to OCSP responses
>   - S8075378, CVE-2015-4749: JNDI DnsClient Exception Handling
>   - S8075738: Better multi-JVM sharing
>   - S8075838: Method for typing MethodTypes
>   - S8075853, CVE-2015-2621: Proxy for MBean proxies
>   - S8076328, CVE-2015-4000: Enforce key exchange constraints
>   - S8076376, CVE-2015-2628: Enhance IIOP operations
>   - S8076397, CVE-2015-4731: Better MBean connections
>   - S8076401, CVE-2015-2590: Serialize OIS data
>   - S8076405, CVE-2015-4732: Improve serial serialization
>   - S8076409, CVE-2015-4733: Reinforce RMI framework
>   - S8077520, CVE-2015-2632: Morph tables into improved form
>   - PR2488, CVE-2015-4000: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize

Copy and paste error; PR2488 is IcedTea-only as it depends on the backport
of S6956398, PR2486: make ephemeral DH key match the length of the certificate key.
b37 maybe?

OJ60 should be under security fixes really. It's a fix for the FREAK
issue; CVE-2015-0204: Disable export ciphers by default
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
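The reply above turns on two runtime defaults: whether export-grade (FREAK, CVE-2015-0204) and RC4 (CVE-2015-2808) suites are still enabled, and what `jdk.tls.ephemeralDHKeySize` is set to. The following program is an added example, not code from this thread, IcedTea or OpenJDK; it reports those defaults for whatever JVM it is run on so an administrator can confirm a build behaves as the announcement claims. It assumes the runtime honours `jdk.tls.ephemeralDHKeySize` (true for the backport discussed here) and uses a simple name match on cipher-suite strings, which is a heuristic, not an authoritative list. The class name `TlsDefaultsCheck` is chosen for this example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Added example (hypothetical tool, not part of the announcement):
 * inspects the running JVM's default TLS configuration and flags the
 * weaknesses the mailing-list thread discusses.  Written in Java 6
 * syntax so it can be compiled against an OpenJDK 6 build.
 */
public class TlsDefaultsCheck {

    /**
     * Returns the subset of the given cipher-suite names that a defender
     * would not want enabled by default: export-grade suites (FREAK,
     * CVE-2015-0204) and RC4 suites (CVE-2015-2808).  Name matching is a
     * heuristic based on the standard JSSE suite naming convention.
     */
    static List<String> weakSuites(String[] suites) {
        List<String> weak = new ArrayList<String>();
        for (String s : suites) {
            if (s.contains("_EXPORT_") || s.contains("_RC4_")) {
                weak.add(s);
            }
        }
        return weak;
    }

    /**
     * Describes the effective ephemeral DH key-size policy.  The property
     * is only consulted by runtimes that carry the S6956398 backport; on
     * older builds the value is simply ignored, so "unset" is reported as
     * "runtime default" rather than as a specific key length.
     */
    static String dhKeySizePolicy() {
        String v = System.getProperty("jdk.tls.ephemeralDHKeySize");
        return v == null ? "<unset: runtime default>" : v;
    }

    public static void main(String[] args) throws Exception {
        // Default context: the same one an application gets without
        // configuring anything itself.
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();

        System.out.println("Runtime: " + System.getProperty("java.runtime.version"));
        System.out.println("Default cipher suites enabled: " + enabled.length);

        List<String> weak = weakSuites(enabled);
        if (weak.isEmpty()) {
            System.out.println("No export or RC4 suites enabled by default.");
        } else {
            System.out.println("Weak suites still enabled by default:");
            for (String s : weak) {
                System.out.println("  " + s);
            }
        }

        // Security property that lists algorithms disabled for TLS; its
        // presence (and contents) is what actually turns suites off.
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = "
                + (disabled == null ? "<not set>" : disabled));

        System.out.println("jdk.tls.ephemeralDHKeySize = " + dhKeySizePolicy());
    }
}
```

Run it once on the b36 build under discussion and once on the previous build; the difference in the "weak suites" list and in the reported DH policy is the observable effect of the fixes listed in the announcement. Because `weakSuites` only looks at suite names, it will not see suites disabled by `jdk.tls.disabledAlgorithms` that are still present in the supported list, which is why the enabled (default) list, not the supported list, is what is inspected here.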
