[PATCH] jdk6-b46 retro-active security patch review
Dmitry Cherepanov
dcherepanov at azul.com
Thu Mar 15 16:26:08 UTC 2018
Hello,
Here’s a backport of security fixes (included in 8u161) to OpenJDK 6.
Changes since jdk6-b45
* Security fixes:
8185292, CVE-2018-2618: Stricter key generation
8172525, CVE-2018-2579: Improve key keying case
8182601, CVE-2018-2602: Improve usage messages
8189284, CVE-2018-2663: More refactoring for deserialization cases
8178449, CVE-2018-2588: Improve LDAP logins
8186998, CVE-2018-2637: Improve JMX supportive features
8186212, CVE-2018-2629: Improve GSS handling
8186606, CVE-2018-2633: Improve LDAP lookup robustness
8190289, CVE-2018-2677: More refactoring for client deserialization cases
8185325, CVE-2018-2641: Improve GTK initialization
8182125, CVE-2018-2599: Improve reliability of DNS lookups
8182387, CVE-2018-2603: Improve PKCS usage
8191142, CVE-2018-2678: More refactoring for naming deserialization cases
* Defense-in-depth fixes:
8160104: CORBA communication improvements
8174756: Extra validation for public keys
8176458: Revise default document styling
8178458: Better use of certificates in LDAP
8178466: Better RSA parameters
8179990: Cleaner palette entry handling
8180011: Cleaner native graphics device handling
8180015: Cleaner AWT robot handling
8180020: Improve SymbolHashMap entry handling
8180433: Cleaner CLR invocation handling
8181664: Improve JVM UTF String handling
8186080: Transform XML interfaces
8186867: Improve native glyph layouts
* Other fixes:
8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
8163237: Restrict the use of EXPORT cipher suites
8193683: Increase the number of clones in the CloneableDigest
8035105: DNS provider cleanups
8072452: Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits
8137255: sun/security/provider/NSASuiteB/TestDSAGenParameterSpec.java timeouts intermittently
8148108: Disable Diffie-Hellman keys less than 1024 bits
8158116: com/sun/crypto/provider/KeyAgreement/SupportedDHParamGens.java failed with timeout
8159240: XSOM parser incorrectly processes type names with whitespaces
8170157: Enable unlimited cryptographic policy by default in OracleJDK
8170536: Uninitialised memory in set_uintx_flag of attachListener.cpp
8178728: Check the AlgorithmParameters in algorithm constraints
8185909: Disable JARs signed with DSA keys less than 1024 bits
8190266: closed/java/awt/ComponentOrientation/WindowTest.java throws java.util.MissingResourceException.
8190449: sun/security/pkcs11/KeyPairGenerator/TestDH2048.java fails on Solaris x64 5.10
8190497: DHParameterSpec.getL() returns zero after JDK-8072452
8190541: 8u161 L10n resource file update
8192793: 8u161 L10n resource file update md20
8022532: [parfait] Potential memory leak in gtk2_interface.c
8048819: Implement reliability test for DH algorithm
6803376: BasicConstraintsExtension does not encode when (ca==false && pathLen<0)
8144593: Suppress not recognized property/feature warning messages from SAXParser
7196382: PKCS11 provider should support 2048-bit DH
8190258: (tz) Support tzdata2017c
6804045: DerValue does not accept empty OCTET STRING
7199939: DSA 576 and 640 bit keys fail when initializing for No precomputed parameters
8028293: Check local configuration for actual ephemeral port range
8075286: Additional tests for signature algorithm OIDs and transformation string
8173854: [TEST] Update DHEKeySizing test case following 8076328 & 8081760
8147969: Print size of DH keysize when errors are encountered
6893704: Potential memory leak in gtk2_interface.c
Webrevs for the changes:
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/root/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/corba/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/hotspot/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/jaxp/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/jaxws/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/jdk/webrev/
http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/langtools/webrev/
Please review.
Thanks,
Dmitry