[PATCH] b37 Release and retro-active security patch review

Andrew Hughes gnu.andrew at redhat.com
Wed Nov 18 19:33:10 UTC 2015


We have a new release of IcedTea [0] and a new OpenJDK 6 release, b37
to go with it. This is made from the current state of the OpenJDK 6
repositories plus backports of the new security fixes included in 7u91
& 8u65.

The tarballs are available here:

https://java.net/projects/openjdk6/downloads/download/openjdk-6-src-b37-11_nov_2015.tar.gz
https://java.net/projects/openjdk6/downloads/download/openjdk-6-src-b37-11_nov_2015.tar.xz

SHA256 checksums:

4526a1d7b34f2c3939d6f5eb083365350b56125c07a63f6eeed0e5fa43df1f47  openjdk-6-src-b37-11_nov_2015.tar.gz
462ac2c28f6dbfb4a18eb46efca232b907d6027f7618715cbc4de5dd73b89e8d  openjdk-6-src-b37-11_nov_2015.tar.xz
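The two digests above are the only integrity anchor the reader has for the tarballs, so the download is worth checking before it is unpacked. The following is an added example (not part of the announcement or of the OpenJDK project): a small POSIX sh function, `verify_file` (a name chosen here), that looks a file up in a sha256sum-style manifest built from the published values and refuses to report "OK" for a file the manifest does not list. The `demo` function exercises it on constructed files only; the real tarballs are not fetched.

```shell
#!/bin/sh
# Added example, not part of the announcement: verify a downloaded b37
# tarball against the SHA256 digests published above before unpacking it.
set -eu

# The two digests exactly as published in the announcement, in the format
# sha256sum itself produces ("<hex>  <filename>").
B37_MANIFEST='4526a1d7b34f2c3939d6f5eb083365350b56125c07a63f6eeed0e5fa43df1f47  openjdk-6-src-b37-11_nov_2015.tar.gz
462ac2c28f6dbfb4a18eb46efca232b907d6027f7618715cbc4de5dd73b89e8d  openjdk-6-src-b37-11_nov_2015.tar.xz'

# verify_file MANIFEST PATH
#   Looks up PATH's basename in MANIFEST and compares the published digest
#   with the one computed locally.  Exit status: 0 match, 1 mismatch,
#   2 file not listed in the manifest (an unlisted file is never "OK").
verify_file() {
    manifest=$1
    path=$2
    name=$(basename "$path")
    expected=$(printf '%s\n' "$manifest" | awk -v n="$name" '$2 == n { print $1 }')
    if [ -z "$expected" ]; then
        echo "verify_file: $name is not listed in the manifest" >&2
        return 2
    fi
    actual=$(sha256sum "$path" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "verify_file: DIGEST MISMATCH for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "verify_file: $name OK"
}

# demo: exercise the check on constructed files in a temporary directory
# (the real tarballs are not downloaded here).
demo() {
    tmp=$(mktemp -d)
    # A constructed file named like the real tarball: the lookup succeeds,
    # but its digest cannot match the published one, so this must fail.
    printf 'not the real tarball\n' > "$tmp/openjdk-6-src-b37-11_nov_2015.tar.gz"
    if verify_file "$B37_MANIFEST" "$tmp/openjdk-6-src-b37-11_nov_2015.tar.gz"; then
        echo "unexpected: constructed file matched the published digest"
    fi
    # A file whose manifest line was generated from itself, which must pass.
    printf 'sample content\n' > "$tmp/sample.txt"
    local_manifest=$(cd "$tmp" && sha256sum sample.txt)
    verify_file "$local_manifest" "$tmp/sample.txt"
    rm -rf "$tmp"
}

# Typical use after downloading one of the tarballs:
#   verify_file "$B37_MANIFEST" ./openjdk-6-src-b37-11_nov_2015.tar.xz
demo
```

The lookup is by exact basename match in awk rather than a substring grep, so a similarly named file (a `.tar.gz.bak`, say) cannot borrow the published digest, and the distinct exit status for "not listed" keeps a missing manifest entry from being mistaken for a pass.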

Changes since b37 (including both CPU fixes and upstreamed changes):

* Security fixes
  - S8048030, CVE-2015-4734: Expectations should be consistent
  - S8068842, CVE-2015-4803: Better JAXP data handling
  - S8076339, CVE-2015-4903: Better handling of remote object invocation
  - S8076383, CVE-2015-4835: Better CORBA exception handling
  - S8076387, CVE-2015-4882: Better CORBA value handling
  - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency
  - S8076413, CVE-2015-4883: Better JRMP message handling
  - S8078427, CVE-2015-4842: More supportive home environment
  - S8078440: Safer managed types
  - S8080541: More direct property handling
  - S8080688, CVE-2015-4860: Service for DGC services
  - S8081760: Better group dynamics
  - S8086733, CVE-2015-4893: Improve namespace handling
  - S8087350: Improve array conversions
  - S8103671, CVE-2015-4805: More objective stream classes
  - S8103675: Better Binary searches
  - S8130078, CVE-2015-4911: Document better processing
  - S8130193, CVE-2015-4806: Improve HTTP connections
  - S8130864: Better server identity handling
  - S8130891, CVE-2015-4843: (bf) More direct buffering
  - S8131291, CVE-2015-4872: Perfect parameter patterning
  - S8132042, CVE-2015-4844: Preserve layout presentation
* Import of OpenJDK6 b37
  - OJ64: Backport hashtable to map changes from jaxp
  - OJ65: Remove @Override annotation on interfaces added by 2015/10/20 security fixes
  - OJ66: Revert 7110373 & 7149751 test removals now 6706974 is present (krb5 test infrastructure)
  - OJ67: Fix copyright headers on imported files
  - OJ68: Ensure SharedSecrets are initialised
  - S6570619: (bf) DirectByteBuffer.get/put(byte[]) does not scale well
  - S6590930: reed/write does not match for ccache
  - S6648972: KDCReq.init always read padata
  - S6676075: RegistryContext (com.sun.jndi.url.rmi.rmiURLContext) coding problem
  - S6682516: SPNEGO_HTTP_AUTH/WWW_KRB and SPNEGO_HTTP_AUTH/WWW_SPNEGO failed on all non-windows platforms
  - S6710360: export Kerberos session key to applications
  - S6733095: Failure when SPNEGO request non-Mutual
  - S6785456: Read Kerberos setting from Windows environment variables
  - S6821190: more InquireType values for ExtendedGSSContext
  - S6843127: krb5 should not try to access unavailable kdc too often
  - S6844193: support max_retries in krb5.conf
  - S6844907: krb5 etype order should be from strong to weak
  - S6844909: support allow_weak_crypto in krb5.conf
  - S6849275: enhance krb5 reg tests
  - S6853328: Support OK-AS-DELEGATE flag
  - S6854308: more ktab options
  - S6856069: PrincipalName.clone() does not invoke super.clone()
  - S6857795: krb5.conf ignored if system properties on realm and kdc are provided
  - S6857802: GSS getRemainingInitLifetime method returns milliseconds not seconds
  - S6858589: more changes to Config on system properties
  - S6862679: ESC: AD Authentication with user with umlauts fails
  - S6877357: IPv6 address does not work
  - S6888701: Change all template java source files to a .java-template file suffix
  - S6893158: AP_REQ check should use key version number
  - S6907425: JCK Kerberos tests fail since b77
  - S6919610: KeyTabInputStream uses static field for per-instance value
  - S6932525: Incorrect encryption types of KDC_REQ_BODY of AS-REQ with pre-authentication
  - S6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
  - S6950546: "ktab -d name etype" to "ktab -d name [-e etype] [kvno | all | old]"
  - S6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
  - S6952519: kdc_timeout is not being honoured when using TCP
  - S6959292: regression: cannot login if session key and preauth does not use the same etype
  - S6960894: Better AS-REQ creation and processing
  - S6966259: Make PrincipalName and Realm immutable
  - S6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
  - S6984764: kerberos fails if service side keytab is generated using JDK ktab
  - S6997740: ktab entry related test compilation error
  - S7018928: test failure: sun/security/krb5/auto/SSL.java
  - S7032354: no-addresses should not be used on acceptor side
  - S7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
  - S7142596: RMI JPRT tests are failing
  - S7157610: NullPointerException occurs when parsing XML doc
  - S7158329: NPE in sun.security.krb5.Credentials.acquireDefaultCreds()
  - S7197159: accept different kvno if there no match
  - S8004317: TestLibrary.getUnusedRandomPort() fails intermittently, but exception not reported
  - S8005226: java/rmi/transport/pinClientSocketFactory/PinClientSocketFactory.java fails intermittently
  - S8006534: CLONE - TestLibrary.getUnusedRandomPort() fails intermittently-doesn't retry enough times
  - S8014097: add doPrivileged methods with limited privilege scope
  - S8021191: Add isAuthorized check to limited doPrivileged methods
  - S8022213: Intermittent test failures in java/net/URLClassLoader
  - S8028583: Add helper methods to test libraries
  - S8028780: JDK KRB5 module throws OutOfMemoryError when CCache is corrupt
  - S8058608: JVM crash during Kerberos logins using des3-cbc-md5 on OSX
  - S8064331: JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC
  - S8072932: Test fails with java.security.AccessControlException: access denied ("java.security.SecurityPermission" "getDomainCombiner")
  - S8078822: 8068842 fix missed one new file PrimeNumberSequenceGenerator.java
  - S8079323: Serialization compatibility for Templates: need to exclude Hashtable from serialization
  - S8087118: Remove missing package from java.security files
  - S8098547: (tz) Support tzdata2015e
  - S8130253: ObjectStreamClass.getFields too restrictive
  - S8133196, RH1251935: HTTPS hostname invalid issue with InetAddress
  - S8133321: (tz) Support tzdata2015f
  - S8135043: ObjectStreamClass.getField(String) too restrictive

The number of Kerberos changes is related to the need to safely
backport S8048030, CVE-2015-4734: Expectations should be consistent.
Many are marked in the OpenJDK bug database as having already been
backported to the proprietary JDK 6 codebase maintained by Oracle,
and our IcedTea-based packages with these changes have passed the TCK.

The hope is that this will mean that a number of long-standing
Kerberos bugs are also indirectly fixed in this release. In particular,
our testing shows that the crypto defaults for Kerberos connections
are now more secure, using AES256 rather than the obsolete RC4. Such
a change mirrors the TLS changes made in the July update.
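A quick way to see whether the AES256 defaults described above are actually in effect on a host is to look at the encryption types of the tickets in its credential cache. The following is an added example (not part of the announcement or of OpenJDK): a POSIX sh function, `weak_etype_tickets` (a name chosen here), that parses the output of `klist -e` and prints every ticket whose session key or ticket key still uses RC4 or DES-family etypes. The list of etypes it treats as weak and the sample `klist -e` output are both assumptions of the example; the sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the announcement: audit a Kerberos credential
# cache for tickets still issued with RC4 or (3)DES encryption types, as a
# check that the AES256 defaults described above are in effect.
set -eu

# Encryption types this example treats as weak (an assumption of the
# example: RC4/arcfour and single or triple DES, per RFC 6649 / RFC 8429).
WEAK_ETYPES='arcfour|rc4|des-cbc|des3'

# weak_etype_tickets: read `klist -e` output on stdin and print one line
# per ticket whose session key or ticket key uses a weak etype.
# The parser relies on the MIT-style layout where the ticket line ends with
# the service principal and the next line reads "Etype (skey, tkt): a, b".
weak_etype_tickets() {
    awk -v weak="$WEAK_ETYPES" '
        /^[0-9]/ { svc = $NF }
        /Etype \(skey, tkt\):/ {
            sub(/^.*Etype \(skey, tkt\): */, "")
            if ($0 ~ weak) print svc " -> " $0
        }'
}

# Constructed sample of `klist -e` output (not captured from a real host).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
11/18/2015 10:00:00  11/18/2015 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
11/18/2015 10:05:00  11/18/2015 20:00:00  HTTP/web.example.com@EXAMPLE.COM
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
11/18/2015 10:06:00  11/18/2015 20:00:00  cifs/files.example.com@EXAMPLE.COM
        Etype (skey, tkt): aes128-cts-hmac-sha1-96, des3-cbc-sha1'

# Run against the sample; on a real host pipe `klist -e` in instead:
#   klist -e | weak_etype_tickets
printf '%s\n' "$SAMPLE_KLIST" | weak_etype_tickets
```

On the sample this reports the HTTP and cifs tickets and stays silent about the AES256 krbtgt ticket. A service that still shows up here after the upgrade usually means its own keytab or the KDC's policy for that principal only offers the weak etypes, which is a server-side fix rather than a client default.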

Webrevs for the new changes:
 
http://cr.openjdk.java.net/~andrew/openjdk6/20151020/root/
http://cr.openjdk.java.net/~andrew/openjdk6/20151020/corba/
http://cr.openjdk.java.net/~andrew/openjdk6/20151020/jaxp/
http://cr.openjdk.java.net/~andrew/openjdk6/20151020/jaxws/
http://cr.openjdk.java.net/~andrew/openjdk6/20151020/hotspot/
http://cr.openjdk.java.net/~andrew/openjdk6/20151020/jdk/
http://cr.openjdk.java.net/~andrew/openjdk6/20151020/langtools/

Once approved, I'll push these to the OpenJDK 6 repository.

[0] http://bitly.com/it11309

Thanks,
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07


