[PATCH] jdk6-b45 retro-active security patch review
Dmitry Cherepanov
dcherepanov at azul.com
Thu Dec 21 16:10:29 UTC 2017
Hello,
Here’s a backport of security fixes (included in 8u151) to OpenJDK 6.
Changes since jdk6-b44
* Security fixes:
8181612, CVE-2017-10355: More stable connection processing
8169026, CVE-2017-10274: Handle smartcard clean up better
8174966, CVE-2017-10285: Unreferenced references
8180711, CVE-2017-10346: Better invokespecial checks
8181597, CVE-2017-10357: Process Proxy presentation
8181692, CVE-2017-10356: Update storage implementations
8181323, CVE-2017-10347: Better timezone processing
8174109, CVE-2017-10281: Better queuing priorities
8181432, CVE-2017-10348: Better processing of unresolved permissions
8178794, CVE-2017-10388: Correct Kerberos ticket grants
8184682, CVE-2016-9841: Upgrade compression library
8181370, CVE-2017-10345: Better keystore handling
8181327, CVE-2017-10349: Better X processing
8176751, CVE-2017-10295: Better URL connections
* Defense-in-depth fixes:
8165543: Better window framing
8169966: Larger AWT menus
8170218: Improved Font Metrics
8171252: Improve exception checking
8175940: More certificate subject checking
8180024: Improve construction of objects during deserialization
* Other fixes:
8178714: PKIX validator nameConstraints check failing after change 8175940
8185040: Incorrect GPL header causes RE script to miss swap to commercial header for licensee source bundle
8179084: HotSpot VM fails to start when AggressiveHeap is set
8181048: Refactor existing providers to refer to the same constants for default values for key length
8185845: Add SecurityTools.java test library
8179423: 2 security tests started failing for JDK 1.6.0 u161 b05
8158517: Minor optimizations to ISO10126PADDING
8057810: New defaults for DSA keys in jarsigner and keytool
8185039: Incorrect GPL header causes RE script to miss swap to commercial header for licensee source bundle
8186503: sun/security/tools/jarsigner/DefaultSigalg.java failed after backport to JDK 6/7/8
8179564: Missing @bug for tests added with JDK-8165367
8185778: 8u151 L10n resource file update
4963968: zlib should be upgraded to current version of zlib
8044725: Bug in zlib 1.2.5 prevents inflation of some gzipped files (zlib 1.2.8 port)
8035623: [parfait] JNI exception pending in jdk/src/windows/native/sun/windows/awt_Font.cpp
8157561: Ship the unlimited policy files in JDK Updates
8165367: Additional tests for JEP 288: Disable SHA-1 Certificates
6850720: (process) Use clone(CLONE_VM), not fork, on Linux to avoid swap exhaustion
6866719: Rename execvpe to avoid symbol clash with glibc 2.10
6853336: (process) disable or remove clone-exec feature (6850720)
6868160: (process) Use vfork, not fork, on Linux to avoid swap exhaustion
Note that the following fixes were included in this release after being postponed from July 2017 jdk6-b44:
8176536: Improved algorithm constraints checking
8179998: Clear certificate chain connections
8179101: Improve algorithm constraints implementation
Webrevs for the changes:
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/root/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/corba/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/hotspot/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/jaxp/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/jaxws/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/jdk/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/langtools/webrev/
Please review.
Thanks,
Dmitry