[PATCH] jdk6-b45 retro-active security patch review

Dmitry Cherepanov dcherepanov at azul.com
Mon Dec 25 10:30:01 UTC 2017


Thanks. The repositories have been updated (added new tag jdk6-b45).

Dmitry

> On Dec 25, 2017, at 1:00 PM, Andrew Brygin <abrygin at azul.com> wrote:
> 
> Hello Dmitry,
> 
> the change looks fine to me.
> 
> Thanks,
> Andrew
> 
>> On Dec 21, 2017, at 7:10 PM, Dmitry Cherepanov <dcherepanov at azul.com> wrote:
>> 
>> Hello,
>> 
>> Here’s a backport of security fixes (included in 8u151) to OpenJDK 6.
>> 
>> Changes since jdk6-b44
>> 
>> * Security fixes:
>> 
>> 8181612, CVE-2017-10355: More stable connection processing
>> 8169026, CVE-2017-10274: Handle smartcard clean up better
>> 8174966, CVE-2017-10285: Unreferenced references
>> 8180711, CVE-2017-10346: Better invokespecial checks
>> 8181597, CVE-2017-10357: Process Proxy presentation
>> 8181692, CVE-2017-10356: Update storage implementations
>> 8181323, CVE-2017-10347: Better timezone processing
>> 8174109, CVE-2017-10281: Better queuing priorities
>> 8181432, CVE-2017-10348: Better processing of unresolved permissions
>> 8178794, CVE-2017-10388: Correct Kerberos ticket grants
>> 8184682, CVE-2016-9841: Upgrade compression library
>> 8181370, CVE-2017-10345: Better keystore handling
>> 8181327, CVE-2017-10349: Better X processing
>> 8176751, CVE-2017-10295: Better URL connections
>> 
>> * Defense-in-depth fixes:
>> 
>> 8165543: Better window framing
>> 8169966: Larger AWT menus
>> 8170218: Improved Font Metrics
>> 8171252: Improve exception checking
>> 8175940: More certificate subject checking
>> 8180024: Improve construction of objects during deserialization
>> 
>> * Other fixes:
>> 
>> 8178714: PKIX validator nameConstraints check failing after change 8175940
>> 8185040: Incorrect GPL header causes RE script to miss swap to commercial header for licensee source bundle
>> 8179084: HotSpot VM fails to start when AggressiveHeap is set
>> 8181048: Refactor existing providers to refer to the same constants for default values for key length
>> 8185845: Add SecurityTools.java test library
>> 8179423: 2 security tests started failing for JDK 1.6.0 u161 b05
>> 8158517: Minor optimizations to ISO10126PADDING
>> 8057810: New defaults for DSA keys in jarsigner and keytool
>> 8185039: Incorrect GPL header causes RE script to miss swap to commercial header for licensee source bundle
>> 8186503: sun/security/tools/jarsigner/DefaultSigalg.java failed after backport to JDK 6/7/8
>> 8179564: Missing @bug for tests added with JDK-8165367
>> 8185778: 8u151 L10n resource file update
>> 4963968: zlib should be upgraded to current version of zlib
>> 8044725: Bug in zlib 1.2.5 prevents inflation of some gzipped files (zlib 1.2.8 port)
>> 8035623: [parfait] JNI exception pending in jdk/src/windows/native/sun/windows/awt_Font.cpp
>> 8157561: Ship the unlimited policy files in JDK Updates
>> 8165367: Additional tests for JEP 288: Disable SHA-1 Certificates
>> 6850720: (process) Use clone(CLONE_VM), not fork, on Linux to avoid swap exhaustion
>> 6866719: Rename execvpe to avoid symbol clash with glibc 2.10
>> 6853336: (process) disable or remove clone-exec feature (6850720)
>> 6868160: (process) Use vfork, not fork, on Linux to avoid swap exhaustion
>> 
>> Note that the following fixes were included in this release after being postponed from July 2017 jdk6-b44:
>> 
>> 8176536: Improved algorithm constraints checking
>> 8179998: Clear certificate chain connections
>> 8179101: Improve algorithm constraints implementation
>> 
>> Webrevs for the changes:
>> 
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/root/webrev/
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/corba/webrev/
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/hotspot/webrev/
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/jaxp/webrev/
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/jaxws/webrev/
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/jdk/webrev/
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/langtools/webrev/
>> 
>> Please review.
>> 
>> Thanks,
>> 
>> Dmitry
>> 
> 


