[PATCH] b41 Release and retro-active security patch review

Andrew Hughes gnu.andrew at redhat.com
Tue Jan 10 05:39:39 UTC 2017 

We have a new release of IcedTea (http://bitly.com/it11313) and a new OpenJDK
6 release, b41, to go with it. This is made from the current state of the OpenJDK 6
repositories plus backports of the new security fixes included in 7u121 & 8u111.

The tarballs are available here:

https://java.net/projects/openjdk6/downloads/download/openjdk-6-src-b41-04_jan_2017.tar.gz
https://java.net/projects/openjdk6/downloads/download/openjdk-6-src-b41-04_jan_2017.tar.xz

The tarballs are accompanied by digital signatures available at:

https://java.net/projects/openjdk6/downloads/download/openjdk-6-src-b41-04_jan_2017.tar.gz.sig
https://java.net/projects/openjdk6/downloads/download/openjdk-6-src-b41-04_jan_2017.tar.xz.sig

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

ee91ab48e8493812c9cb0a786eee8620aa0771a4b697e30da29e4b37e3e71a3e  openjdk-6-src-b41-04_jan_2017.tar.gz
c9fe74397d19602234a0a44f16b3a3227c846e23aeb50f6435881178708a1780  openjdk-6-src-b41-04_jan_2017.tar.gz.sig
8e34d451cec65fae8b4304651058ed4dc8d07bd45baa2f49780009097afc1a15  openjdk-6-src-b41-04_jan_2017.tar.xz
ed80190b4a892cd197dbcdb5ffd9cf7605a1596a1322e11648756aed1bb896d3  openjdk-6-src-b41-04_jan_2017.tar.xz.sig

They are listed at https://java.net/projects/openjdk6/downloads/download/openjdk-6-src-b41-04_jan_2017.sha256sum

Changes since b40 (including both CPU fixes and any upstreamed changes):
  - S4787377: VK_STOP key on Solaris generates wrong Key Code
  - S4947220: (process)Runtime.exec() cannot invoke applications with unicode parameters(win)
  - S5036807: Pressing action keys "STOP/AGAIN/COMPOSE" generates keycode of F11/F12 keys.
  - S5099725: AWT doesn't seem to handle MappingNotify events under X11.
  - S5100701: Toolkit.getLockingKeyState() does not work on XToolkit, but works on Motif
  - S6324292: keytool -help is unhelpful
  - S6464022: Memory leak in JOptionPane.createDialog
  - S6501385: ColorChooser demo - two elemets have same mnemonic in it locale, GTK L&F
  - S6535697: keytool can be more flexible on format of PEM-encoded X.509 certificates
  - S6561126: keytool should use larger default keysize for keypairs
  - S6566218: l10n of 6476932
  - S6606396: Notepad and Stylepad demos don't run in Japanese locale.
  - S6608456: need API to define RepaintManager per components hierarchy
  - S6624200: Regression test fails: test/closed/javax/swing/JMenuItem/4654927/bug4654927.java
  - S6675400: "Details" in English has to be "Details" in German
  - S6680988: KeyEvent is still missing VK values for many keyboards
  - S6683775: Painting artifacts is seen when panel is made setOpaque(false) for a translucent window
  - S6693507: There are unnecessary compilation warnings in the com.sun.java.swing.plaf.motif package
  - S6709758: keytool default cert fingerprint algorithm should be SHA1, not MD5
  - S6711676: Numpad keys trigger more than one KeyEvent.
  - S6719382: Printing of AWT components on windows is not working
  - S6726866: Repainting artifacts when resizing or dragging JInternalFrames in non-opaque toplevel
  - S6727661: Code improvement and warnings removing from the swing/plaf packages
  - S6727662: Code improvement and warnings removing from swing packages
  - S6794764: Translucent windows are completely repainted on every paint event, on Windows
  - S6796710: Html content in JEditorPane is overlapping on swing components while resizing the application. [TEST FRAMEWORK ONLY]
  - S6802846: jarsigner needs enhanced cert validation(options)
  - S6867657: Many JSN tests do not run under cygwin
  - S6870812: enhance security tools to use ECC algorithms
  - S6871299: Shift+Tab no longer generates a KEY_TYPED event; used to with JRE 1.5
  - S6871847: AlgorithmId.get("SHA256withECDSA") not available
  - S6882559: new JEditorPane("text/plain","") fails for null context class loader
  - S6894719: (launcher)The option -no-jre-restrict-search is expected when -jre-no-restrict-search is documented.
  - S6901170: HttpCookie parsing of version and max-age mis-handled
  - S6911129: These tests do not work with CYGWIN: java/lang
  - S6922482: keytool's help on -file always shows 'output file'
  - S6923681: Jarsigner crashes during timestamping
  - S6939248: Jarsigner can't extract Extended Key Usage from Timestamp Reply correctly
  - S6959252: convert the anonymous arrays to named arrays in Java List Resource files
  - S6969683: Generify ResolverConfiguration codes
  - S6980510: Fix for 6959252 broke JConsole mnemonic keys
  - S6982840: sun/security/tools/jarsigner/emptymanifest.sh fails
  - S6987827: security/util/Resources.java needs improvement
  - S6988163: sun.security.util.Resources dup and a keytool doc typo
  - S7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
  - S7013850: Please change the mnemonic assignment system to avoid translation issue
  - S7017818: NLS: JConsoleResources.java cannot be handled by translation team
  - S7019937: Translatability bug - Remove Unused String - String ID , read end of file
  - S7019938: Translatability bug - Remove Unused String - String ID can not specify Principal with a
  - S7019940: Translatability bug - Remove unused string - String ID: provided null name
  - S7019942: Translatability bug - String ID: trustedCertEntry,
  - S7019945: Translatability bug - Translatability issue - String ID: * has NOT been verified! In order to veri
  - S7019947: Translatability bug - Translatability issue - String ID: * The integrity of the information stored i
  - S7019949: Translatability bug - Translatability issue - String ID: * you must provide your keystore password.
  - S7020531: test: java/security/cert/CertificateFactory/openssl/OpenSSLCert.java file not closed after run
  - S7021693: [ja, zh_CN] jconsole throws exception and fail to start in ja and zh_CN locales
  - S7022005: [ja,zh_CN] javadoc, part of navigation bar in generated html are not translated.
  - S7024118: possible hardcoded mnemonic for JFileChooser metal and motif l&f
  - S7025267: NLS: t13y fix for 7021689 [ja] Notepad demo throws NPE
  - S7028447: security-related resources Chinese translation errors
  - S7028490: better suggestion for jarsigner when TSA is not accessible
  - S7030174: Jarsigner should accept TSACert with an HTTPS id-ad-timeStamping SIA
  - S7032018: The file list in JFileChooser does not have an accessible name
  - S7032436: When running with the Nimbus look and feel, the JFileChooser does not display mnemonics
  - S7034259: [all] incorrect mnemonic keys in JCP automatic update advanced settings dialog.
  - S7034940: message drop 2 translation integration
  - S7035843: [zh_CN, ja] JConsole mnemonic keys don't work
  - S7038803: [CCJK] Incorrect mnemonic key (0) is displayed on cancel button on messagedialog of JOptionPane
  - S7038807: [CCJK] OK button on message dialog of JOptionpane is not translated
  - S7040228: [zh_TW] extra (C) on cancel button on File Chooser dialog
  - S7040257: [pt_BR,fr] Print dialog has duplicate mnemonic key.
  - S7042323: [sv, de, es, it] Print dialog has duplicate mnemonic key
  - S7042475: [ja,zh_CN] extra mnemonic key in jconsole
  - S7043548: message drop 3 translation integration
  - S7045132: sun.security.util.Resources_pt_BR.java translation error
  - S7045184: GTK L&F doesn't have hotkeys in jdk7 b141, while b139 has.
  - S7062969: java -help still shows http://java.sun.com/javase/reference
  - S7090158: Networking Libraries don't build with javac -Werror
  - S7090832: Some locale info are not localized for some languages.
  - S7093156: NLS Please change the mnemonic assignment system to avoid translation issue (Swing files)
  - S7102686: Restructure timestamp code so that jars and modules can more easily share the same code
  - S7109085: Test use hotkeys not intended for Mac
  - S7116786: RFE: Detailed information on VerifyErrors
  - S7124171: 7u4 l10n message update related to Mac OS X port
  - S7125055: ContentHandler.getContent API changed in error
  - S7132247: java/rmi/registry/readTest/readTest.sh failing with Cygwin
  - S7142339: PKCS7.java is needlessly creating SHA1PRNG SecureRandom instances when timestamping is not done
  - S7145375: 7u4 l10n message update related to langtools
  - S7145960: sun/security/mscapi/ShortRSAKey1024.sh failing on windows
  - S7146099: NLS: [de,es,it,ko,pt_BR]launcher_**.properties, double backslash issue.
  - S7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
  - S7158712: Synth Property "ComboBox.popupInsets" is ignored
  - S7169226: NLS: Please change the mnemonic assignment system for windows and motif properties
  - S7174970: NLS [ccjk] Extra mnemonic keys at standard filechooserdialog (open and save) in metal L&F
  - S7175367: NLS: 7u6 message drop10 integration
  - S7176894: back out LocaleNames_xx.properties files from 7u6 message drop10
  - S7178145: Change constMethodOop::_exception_table to optionally inlined u2 table.
  - S7180907: Jarsigner -verify fails if rsa file used sha-256 with authenticated attributes
  - S7181632: nsk classLoad001_14 failure and CompileTheWorld crash after 7178145.
  - S7182226: NLS: jdk7u6 message drop20 integration
  - S7183203: ShortRSAKeynnn.sh tests intermittent failure
  - S7187051: ShortRSAKeynnn.sh tests should do cleanup before start test
  - S7194449: String resources for Key Tool and Policy Tool should be in their respective packages
  - S8000626: Implement dead key detection for KeyEvent on Linux
  - S8000897: VM crash in CompileBroker
  - S8003890: corelibs test scripts should pass TESTVMOPTS
  - S8008764: 7uX l10n resource file translation update
  - S8009168: accessibility.properties syntax issue
  - S8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
  - S8010297: Missing isLoggable() checks in logging code
  - S8010782: clean up source files containing carriage return characters
  - S8014048: Online user guide of jconsole points incorrect link
  - S8014431: cleanup warnings indicated by the -Wunused-value compiler option on linux
  - S8015265: revise the fix for 8007037
  - S8016579: (process) IOException thrown by ProcessBuilder.start() method is incorrectly encoded
  - S8019541: 7u40 l10n resource file translation update
  - S8020708: NLS mnemonics missing in SwingSet2/JInternalFrame demo
  - S8023338: Update jarsigner to encourage timestamping
  - S8024302: Clarify jar verifications
  - S8024756: method grouping tabs are not selectable
  - S8026741: jdk8 l10n resource file translation update 5
  - S8027787: 7u51 l10n resource file translation update 1
  - S8030698: Several GUI labels in jconsole need correction
  - S8030878: JConsole issues meaningless message if SSL connection fails
  - S8035988: 7u60 l10n resource file translation update 1
  - S8038837: Add support to jarsigner for specifying timestamp hash algorithm
  - S8048147: Privilege tests with JAAS Subject.doAs
  - S8048357: PKCS basic tests
  - S8049171: Additional tests for jarsigner's warnings
  - S8049480: Current versions of Java can't verify jars signed and timestamped with Java 9
  - S8055176: 7u71 l10n resource file translation update
  - S8057530: (process) Runtime.exec throws garbled message in jp locale
  - S8059177: jdk8u40 l10n resource file translation update 1
  - S8065609: 7u76 l10n resource file translation update
  - S8076486: [TESTBUG] javax/security/auth/Subject/doAs/NestedActions.java fails if extra VM options are given
  - S8077953: [TEST_BUG] com/sun/management/OperatingSystemMXBean/TestTotalSwap.java Compilation failed after JDK-8077387
  - S8078628: Zero build fails with pre-compiled headers disabled
  - S8080628: No mnemonics on Open and Save buttons in JFileChooser
  - S8083601: jdk8u60 l10n resource file translation update 2
  - S8140530: Creating a VolatileImage with size 0,0 results in no longer working g2d.drawString
  - S8142926: OutputAnalyzer's shouldXXX() calls return this
  - S8143134: L10n resource file translation update
  - S8147077: IllegalArgumentException thrown by api/java_awt/Component/FlipBufferStrategy/indexTGF_General
  - S8148127: IllegalArgumentException thrown by JCK test api/java_awt/Component/FlipBufferStrategy/indexTGF_General in opengl pipeline
  - S8150611: Security problem on sun.misc.resources.Messages*
  - S8151921: Improved page resolution
  - S8155968: Update command line options
  - S8155973: Tighten jar checks
  - S8157077: 8u101 L10n resource file updates
  - S8157176: Improved classfile parsing
  - S8157653: [Parfait] Uninitialised variable in awt_Font.cpp
  - S8157739: Classloader Consistency Checking
  - S8157749: Improve handling of DNS error replies
  - S8157753: Audio replay enhancement
  - S8158302: Handle contextual glyph substitutions
  - S8158734: JEditorPane.createEditorKitForContentType throws NPE after 6882559
  - S8158993: Service Menu services
  - S8159495: Fix index offsets
  - S8159503: Amend Annotation Actions
  - S8159511: Stack map validation
  - S8159515: Improve indy validation
  - S8159519: Reformat JDWP messages
  - S8159684: (tz) Support tzdata2016f
  - S8160090: Better signature handling in pack200
  - S8160094: Improve pack200 layout
  - S8160591: Improve internal array handling
  - S8160838: Better HTTP service
  - S8162411: Service Menu services 2
  - S8162419: closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing after JDK-8155968
  - S8162511: 8u111 L10n resource file updates
  - S8162792: Remove constraint DSA keySize < 1024 from jdk.jar.disabledAlgorithms in jdk8
  - S8164452: 8u111 L10n resource file update - msgdrop 20
  - S8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
  - S8166381: Back out changes to the java.security file to not disable MD5
  - S8169448: OpenJDK 6 fails to build without pre-compiled headers
  - S8171415: Remove Java 7 features from testlibrary
  - S8171954: Add stubs for sun.security.tools.KeyTool and sun.security.tools.JarSigner
  - S8172159: Remove @Override annotation on interfaces added by b41 updates
  - S8172252: Remove over-zealous switch to for-each loop in SortingFocusTraversalPolicy

Webrevs for the new changes:
 
http://cr.openjdk.java.net/~andrew/openjdk6/20161018/root/
http://cr.openjdk.java.net/~andrew/openjdk6/20161018/corba/
http://cr.openjdk.java.net/~andrew/openjdk6/20161018/jaxp/
http://cr.openjdk.java.net/~andrew/openjdk6/20161018/jaxws/
http://cr.openjdk.java.net/~andrew/openjdk6/20161018/hotspot/
http://cr.openjdk.java.net/~andrew/openjdk6/20161018/jdk/
http://cr.openjdk.java.net/~andrew/openjdk6/20161018/langtools/

Ok to push?

Thanks,
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

More information about the jdk6-dev mailing list