[PATCH] jdk6-b42 retro-active security patch review
Andrew Brygin
abrygin at azul.com
Tue Feb 21 11:44:55 UTC 2017
Hello Dmitry,
the change looks fine to me.
Thanks,
Andrew
On Feb 20, 2017, at 1:02 PM, Dmitry Cherepanov <dcherepanov at azul.com> wrote:
Hello,
Here's a backport of security fixes (included in 8u121) to OpenJDK 6.
Changes since jdk6-b41
* Security fixes:
8151934, CVE-2017-3231: Resolve class resolution
8164147, CVE-2017-3261: Improve streaming socket output
8161743, CVE-2017-3252: Provide proper login context
8165071, CVE-2016-2183: Expand TLS support
8168728, CVE-2016-5548: DSA signing improvements
8168714, CVE-2016-5546: Tighten ECDSA validation
8165344, CVE-2017-3272: Update concurrency support
8167223, CVE-2016-5552: URL handling improvements
8156802, CVE-2017-3241: Better constraint checking
8167104, CVE-2017-3289: Additional class construction refinements
8166988, CVE-2017-3253: Improve image processing performance
* Defense-in-depth fixes:
8138725: Add options for Javadoc generation
8140353: Improve signature checking
8158406: Limited Parameter Processing
8158997: JNDI Protocols Switch
8161218: Better bytecode loading
8162577: Standardize logging levels
8162973: Better component components
* Other fixes:
6887710: Jar index should avoid putting META-INF in the INDEX.LIST
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
8140587: Atomic*FieldUpdaters should use Class.isInstance instead of direct class check
8170268: 8u121 L10n resource file update - msgdrop 20
8139565: Restrict certificates with DSA keys less than 1024 bits
8075118: JVM stuck in infinite loop during verification
8160108: Implement Serialization Filtering
8148516: Improve the default strength of EC in JDK
8168861: AnchorCertificates uses hardcoded password for cacerts keystore
8167472: Chrome interop regression with JDK-8148516
8140483: Atomic*FieldUpdaters final fields should be trusted
8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
8167591: Add MD5 to signed JAR restrictions
8167459: Add debug output for indicating if a chosen ciphersuite was legacy
6885204: JSSE should not require Kerberos to be present
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
8169191: (tz) Support tzdata2016i
8165230: RMIConnection addNotificationListeners failing with specific inputs
8166875: (tz) Support tzdata2016g
8151893: Add security property to configure XML Signature secure validation mode
8169688: Backout (remove) MD5 from jdk.jar.disabledAlgorithms for January CPU
6858484: If an invalid HMAC XML Signature is validated, all subsequent valid HMAC signatures are invalid
8166878: Connection reset during TLS handshake
8161571: Verifying ECDSA signatures permits trailing bytes
8170131: Certificates not being blocked by jdk.tls.disabledAlgorithms property
8168993: JDK8u121 L10n resource file update
6868865: Test: sun/security/tools/jarsigner/oldsig.sh fails under all platforms
8175072: [openjdk6] Kerberos JCK tests fail on systems without krb5.conf file
Webrevs for the changes:
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2017/webrevs/root/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2017/webrevs/corba/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2017/webrevs/hotspot/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2017/webrevs/jaxp/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2017/webrevs/jaxws/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2017/webrevs/jdk/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2017/webrevs/langtools/webrev/
Please review.
Thanks,
Dmitry
More information about the jdk6-dev mailing list