[PATCH] jdk6-b46 retro-active security patch review

Andrew Brygin abrygin at azul.com
Thu Mar 22 05:50:10 UTC 2018


Hello Dmitry,

the change looks fine to me.

Thanks,
Andrew

> On Mar 15, 2018, at 7:26 PM, Dmitry Cherepanov <dcherepanov at azul.com> wrote:
> 
> Hello,
> 
> Here’s a backport of security fixes (included in 8u161) to OpenJDK 6.
> 
> Changes since jdk6-b45
> 
>  * Security fixes:
> 
> 8185292, CVE-2018-2618: Stricter key generation
> 8172525, CVE-2018-2579: Improve key keying case
> 8182601, CVE-2018-2602: Improve usage messages
> 8189284, CVE-2018-2663: More refactoring for deserialization cases
> 8178449, CVE-2018-2588: Improve LDAP logins
> 8186998, CVE-2018-2637: Improve JMX supportive features
> 8186212, CVE-2018-2629: Improve GSS handling
> 8186606, CVE-2018-2633: Improve LDAP lookup robustness
> 8190289, CVE-2018-2677: More refactoring for client deserialization cases
> 8185325, CVE-2018-2641: Improve GTK initialization
> 8182125, CVE-2018-2599: Improve reliability of DNS lookups
> 8182387, CVE-2018-2603: Improve PKCS usage
> 8191142, CVE-2018-2678: More refactoring for naming deserialization cases
> 
>  * Defense-in-depth fixes:
> 
> 8160104: CORBA communication improvements
> 8174756: Extra validation for public keys
> 8176458: Revise default document styling
> 8178458: Better use of certificates in LDAP
> 8178466: Better RSA parameters
> 8179990: Cleaner palette entry handling
> 8180011: Cleaner native graphics device handling
> 8180015: Cleaner AWT robot handling
> 8180020: Improve SymbolHashMap entry handling
> 8180433: Cleaner CLR invocation handling
> 8181664: Improve JVM UTF String handling
> 8186080: Transform XML interfaces
> 8186867: Improve native glyph layouts
> 
>  * Other fixes:
> 
> 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
> 8163237: Restrict the use of EXPORT cipher suites
> 8193683: Increase the number of clones in the CloneableDigest
> 8035105: DNS provider cleanups
> 8072452: Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits
> 8137255: sun/security/provider/NSASuiteB/TestDSAGenParameterSpec.java timeouts intermittently
> 8148108: Disable Diffie-Hellman keys less than 1024 bits
> 8158116: com/sun/crypto/provider/KeyAgreement/SupportedDHParamGens.java failed with timeout
> 8159240: XSOM parser incorrectly processes type names with whitespaces
> 8170157: Enable unlimited cryptographic policy by default in OracleJDK
> 8170536: Uninitialised memory in set_uintx_flag of attachListener.cpp
> 8178728: Check the AlgorithmParameters in algorithm constraints
> 8185909: Disable JARs signed with DSA keys less than 1024 bits
> 8190266: closed/java/awt/ComponentOrientation/WindowTest.java throws java.util.MissingResourceException.
> 8190449: sun/security/pkcs11/KeyPairGenerator/TestDH2048.java fails on Solaris x64 5.10
> 8190497: DHParameterSpec.getL() returns zero after JDK-8072452
> 8190541: 8u161 L10n resource file update
> 8192793: 8u161 L10n resource file update md20
> 8022532: [parfait] Potential memory leak in gtk2_interface.c
> 8048819: Implement reliability test for DH algorithm
> 6803376: BasicConstraintsExtension does not encode when (ca==false && pathLen<0)
> 8144593: Suppress not recognized property/feature warning messages from SAXParser
> 7196382: PKCS11 provider should support 2048-bit DH
> 8190258: (tz) Support tzdata2017c
> 6804045: DerValue does not accept empty OCTET STRING
> 7199939: DSA 576 and 640 bit keys fail when initializing for No precomputed parameters
> 8028293: Check local configuration for actual ephemeral port range
> 8075286: Additional tests for signature algorithm OIDs and transformation string
> 8173854: [TEST] Update DHEKeySizing test case following 8076328 & 8081760
> 8147969: Print size of DH keysize when errors are encountered
> 6893704: Potential memory leak in gtk2_interface.c
> 
> Webrevs for the changes:
> 
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/root/webrev/
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/corba/webrev/
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/hotspot/webrev/
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/jaxp/webrev/
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/jaxws/webrev/
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/jdk/webrev/
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/langtools/webrev/
> 
> Please review.
> 
> Thanks,
> 
> Dmitry
> 


