PING01: [PATCH] b37 Release and retro-active security patch review
Andrew Hughes
gnu.andrew at redhat.com
Tue Nov 24 00:57:42 UTC 2015
----- Original Message -----
> We have a new release of IcedTea [0] and a new OpenJDK 6 release, b37
> to go with it. This is made from the current state of the OpenJDK 6
> repositories plus backports of the new security fixes included in 7u91
> & 8u65.
>
> The tarballs are available here:
>
> https://java.net/projects/openjdk6/downloads/download/openjdk-6-src-b37-11_nov_2015.tar.gz
> https://java.net/projects/openjdk6/downloads/download/openjdk-6-src-b37-11_nov_2015.tar.xz
>
> SHA256 checksums:
>
> 4526a1d7b34f2c3939d6f5eb083365350b56125c07a63f6eeed0e5fa43df1f47
> openjdk-6-src-b37-11_nov_2015.tar.gz
> 462ac2c28f6dbfb4a18eb46efca232b907d6027f7618715cbc4de5dd73b89e8d
> openjdk-6-src-b37-11_nov_2015.tar.xz
>
> Changes since b37 (including both CPU fixes and upstreamed changes):
>
> * Security fixes
> - S8048030, CVE-2015-4734: Expectations should be consistent
> - S8068842, CVE-2015-4803: Better JAXP data handling
> - S8076339, CVE-2015-4903: Better handling of remote object invocation
> - S8076383, CVE-2015-4835: Better CORBA exception handling
> - S8076387, CVE-2015-4882: Better CORBA value handling
> - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency
> - S8076413, CVE-2015-4883: Better JRMP message handling
> - S8078427, CVE-2015-4842: More supportive home environment
> - S8078440: Safer managed types
> - S8080541: More direct property handling
> - S8080688, CVE-2015-4860: Service for DGC services
> - S8081760: Better group dynamics
> - S8086733, CVE-2015-4893: Improve namespace handling
> - S8087350: Improve array conversions
> - S8103671, CVE-2015-4805: More objective stream classes
> - S8103675: Better Binary searches
> - S8130078, CVE-2015-4911: Document better processing
> - S8130193, CVE-2015-4806: Improve HTTP connections
> - S8130864: Better server identity handling
> - S8130891, CVE-2015-4843: (bf) More direct buffering
> - S8131291, CVE-2015-4872: Perfect parameter patterning
> - S8132042, CVE-2015-4844: Preserve layout presentation
> * Import of OpenJDK6 b37
> - OJ64: Backport hashtable to map changes from jaxp
> - OJ65: Remove @Override annotation on interfaces added by 2015/10/20
> security fixes
> - OJ66: Revert 7110373 & 7149751 test removals now 6706974 is present (krb5
> test infrastructure)
> - OJ67: Fix copyright headers on imported files
> - OJ68: Ensure SharedSecrets are initialised
> - S6570619: (bf) DirectByteBuffer.get/put(byte[]) does not scale well
> - S6590930: reed/write does not match for ccache
> - S6648972: KDCReq.init always read padata
> - S6676075: RegistryContext (com.sun.jndi.url.rmi.rmiURLContext) coding
> problem
> - S6682516: SPNEGO_HTTP_AUTH/WWW_KRB and SPNEGO_HTTP_AUTH/WWW_SPNEGO failed
> on all non-windows platforms
> - S6710360: export Kerberos session key to applications
> - S6733095: Failure when SPNEGO request non-Mutual
> - S6785456: Read Kerberos setting from Windows environment variables
> - S6821190: more InquireType values for ExtendedGSSContext
> - S6843127: krb5 should not try to access unavailable kdc too often
> - S6844193: support max_retries in krb5.conf
> - S6844907: krb5 etype order should be from strong to weak
> - S6844909: support allow_weak_crypto in krb5.conf
> - S6849275: enhance krb5 reg tests
> - S6853328: Support OK-AS-DELEGATE flag
> - S6854308: more ktab options
> - S6856069: PrincipalName.clone() does not invoke super.clone()
> - S6857795: krb5.conf ignored if system properties on realm and kdc are
> provided
> - S6857802: GSS getRemainingInitLifetime method returns milliseconds not
> seconds
> - S6858589: more changes to Config on system properties
> - S6862679: ESC: AD Authentication with user with umlauts fails
> - S6877357: IPv6 address does not work
> - S6888701: Change all template java source files to a .java-template file
> suffix
> - S6893158: AP_REQ check should use key version number
> - S6907425: JCK Kerberos tests fail since b77
> - S6919610: KeyTabInputStream uses static field for per-instance value
> - S6932525: Incorrect encryption types of KDC_REQ_BODY of AS-REQ with
> pre-authentication
> - S6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
> - S6950546: "ktab -d name etype" to "ktab -d name [-e etype] [kvno | all |
> old]"
> - S6951366: kerberos login failure on win2008 with AD set to win2000 compat
> mode
> - S6952519: kdc_timeout is not being honoured when using TCP
> - S6959292: regression: cannot login if session key and preauth does not
> use the same etype
> - S6960894: Better AS-REQ creation and processing
> - S6966259: Make PrincipalName and Realm immutable
> - S6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest
> started to fail since jdk7 b102
> - S6984764: kerberos fails if service side keytab is generated using JDK
> ktab
> - S6997740: ktab entry related test compilation error
> - S7018928: test failure: sun/security/krb5/auto/SSL.java
> - S7032354: no-addresses should not be used on acceptor side
> - S7061379: [Kerberos] Cross-realm authentication fails, due to nameType
> problem
> - S7142596: RMI JPRT tests are failing
> - S7157610: NullPointerException occurs when parsing XML doc
> - S7158329: NPE in sun.security.krb5.Credentials.acquireDefaultCreds()
> - S7197159: accept different kvno if there no match
> - S8004317: TestLibrary.getUnusedRandomPort() fails intermittently, but
> exception not reported
> - S8005226:
> java/rmi/transport/pinClientSocketFactory/PinClientSocketFactory.java
> fails intermittently
> - S8006534: CLONE - TestLibrary.getUnusedRandomPort() fails
> intermittently-doesn't retry enough times
> - S8014097: add doPrivileged methods with limited privilege scope
> - S8021191: Add isAuthorized check to limited doPrivileged methods
> - S8022213: Intermittent test failures in java/net/URLClassLoader
> - S8028583: Add helper methods to test libraries
> - S8028780: JDK KRB5 module throws OutOfMemoryError when CCache is corrupt
> - S8058608: JVM crash during Kerberos logins using des3-cbc-md5 on OSX
> - S8064331: JavaSecurityAccess.doIntersectionPrivilege() drops the
> information about the domain combiner of the stack ACC
> - S8072932: Test fails with java.security.AccessControlException: access
> denied ("java.security.SecurityPermission" "getDomainCombiner")
> - S8078822: 8068842 fix missed one new file
> PrimeNumberSequenceGenerator.java
> - S8079323: Serialization compatibility for Templates: need to exclude
> Hashtable from serialization
> - S8087118: Remove missing package from java.security files
> - S8098547: (tz) Support tzdata2015e
> - S8130253: ObjectStreamClass.getFields too restrictive
> - S8133196, RH1251935: HTTPS hostname invalid issue with InetAddress
> - S8133321: (tz) Support tzdata2015f
> - S8135043: ObjectStreamClass.getField(String) too restrictive
>
> The number of Kerberos changes is related to the need to safely
> backport S8048030, CVE-2015-4734: Expectations should be consistent.
> Many are marked in the OpenJDK bug database as having already been
> backported to the proprietary JDK 6 codebase maintained by Oracle,
> and our IcedTea-based packages with these changes have passed the TCK.
>
> The hope is that this will mean that a number of long-standing
> Kerberos bugs are also indirectly fixed in this release. In particular,
> our testing shows that the crypto defaults for Kerberos connections
> are now more secure, using AES256 rather than the obsolete RC4. Such
> a change mirrors the TLS changes made in the July update.
>
> Webrevs for the new changes:
>
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/root/
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/corba/
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/jaxp/
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/jaxws/
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/hotspot/
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/jdk/
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/langtools/
>
> Once approved, I'll push these to the OpenJDK 6 repository.
>
> [0] http://bitly.com/it11309
>
> Thanks,
> --
> Andrew :)
>
> Senior Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
>
> PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
>
>
Ping?
--
Andrew :)
Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
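The announcement publishes SHA256 checksums for the two b37 tarballs; the script below is an added example (not part of the announcement or the OpenJDK 6 project) that verifies a downloaded tarball against those published values before it is unpacked. The expected hashes and file names are copied from the mail above; the only assumptions are that either `sha256sum` (coreutils) or `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example: verify OpenJDK 6 b37 source tarballs against the SHA256
# checksums published in the release announcement. Not part of the announcement.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA256 digest equals EXPECTED_HEX, 1 on mismatch,
# 2 when the file is missing. Uses sha256sum if present, else openssl.
verify_sha256() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if command -v sha256sum >/dev/null 2>&1; then
        # sha256sum prints "<hex>  <name>"; keep the first field
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        # openssl prints "SHA256(<name>)= <hex>"; keep the last field
        actual=$(openssl dgst -sha256 "$file" | awk '{print $NF}')
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file (expected $expected, got $actual)" >&2
    return 1
}

# check_b37_tarballs
# Checks both published b37 tarballs in the current directory against the
# hashes from the announcement; returns non-zero if either check fails
# (a missing file counts as a failure so the result is never silently skipped).
check_b37_tarballs() {
    status=0
    verify_sha256 openjdk-6-src-b37-11_nov_2015.tar.gz \
        4526a1d7b34f2c3939d6f5eb083365350b56125c07a63f6eeed0e5fa43df1f47 || status=1
    verify_sha256 openjdk-6-src-b37-11_nov_2015.tar.xz \
        462ac2c28f6dbfb4a18eb46efca232b907d6027f7618715cbc4de5dd73b89e8d || status=1
    return $status
}

# Usage: sh verify-b37.sh --check   (run in the directory holding the tarballs)
if [ "${1:-}" = "--check" ]; then
    check_b37_tarballs
fi
```

Comparing against the digest printed in the announcement rather than the `.sha256` file that sits next to a download means a tampered mirror would have to alter the mailing-list archive as well; for a stronger check, pair this with the PGP fingerprints in the signature block above when verifying the sender of the announcement.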