[PATCH] jdk6-b46 retro-active security patch review

Dmitry Cherepanov dcherepanov at azul.com
Thu Mar 22 13:12:27 UTC 2018


Thanks. The repositories have been updated (added new tag jdk6-b46).

Dmitry

> On Mar 22, 2018, at 8:50 AM, Andrew Brygin <abrygin at azul.com> wrote:
> 
> Hello Dmitry,
> 
> the change looks fine to me.
> 
> Thanks,
> Andrew
> 
>> On Mar 15, 2018, at 7:26 PM, Dmitry Cherepanov <dcherepanov at azul.com> wrote:
>> 
>> Hello,
>> 
>> Here’s a backport of security fixes (included in 8u161) to OpenJDK 6.
>> 
>> Changes since jdk6-b45
>> 
>> * Security fixes:
>> 
>> 8185292, CVE-2018-2618: Stricter key generation
>> 8172525, CVE-2018-2579: Improve key keying case
>> 8182601, CVE-2018-2602: Improve usage messages
>> 8189284, CVE-2018-2663: More refactoring for deserialization cases
>> 8178449, CVE-2018-2588: Improve LDAP logins
>> 8186998, CVE-2018-2637: Improve JMX supportive features
>> 8186212, CVE-2018-2629: Improve GSS handling
>> 8186606, CVE-2018-2633: Improve LDAP lookup robustness
>> 8190289, CVE-2018-2677: More refactoring for client deserialization cases
>> 8185325, CVE-2018-2641: Improve GTK initialization
>> 8182125, CVE-2018-2599: Improve reliability of DNS lookups
>> 8182387, CVE-2018-2603: Improve PKCS usage
>> 8191142, CVE-2018-2678: More refactoring for naming deserialization cases
>> 
>> * Defense-in-depth fixes:
>> 
>> 8160104: CORBA communication improvements
>> 8174756: Extra validation for public keys
>> 8176458: Revise default document styling
>> 8178458: Better use of certificates in LDAP
>> 8178466: Better RSA parameters
>> 8179990: Cleaner palette entry handling
>> 8180011: Cleaner native graphics device handling
>> 8180015: Cleaner AWT robot handling
>> 8180020: Improve SymbolHashMap entry handling
>> 8180433: Cleaner CLR invocation handling
>> 8181664: Improve JVM UTF String handling
>> 8186080: Transform XML interfaces
>> 8186867: Improve native glyph layouts
>> 
>> * Other fixes:
>> 
>> 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
>> 8163237: Restrict the use of EXPORT cipher suites
>> 8193683: Increase the number of clones in the CloneableDigest
>> 8035105: DNS provider cleanups
>> 8072452: Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits
>> 8137255: sun/security/provider/NSASuiteB/TestDSAGenParameterSpec.java timeouts intermittently
>> 8148108: Disable Diffie-Hellman keys less than 1024 bits
>> 8158116: com/sun/crypto/provider/KeyAgreement/SupportedDHParamGens.java failed with timeout
>> 8159240: XSOM parser incorrectly processes type names with whitespaces
>> 8170157: Enable unlimited cryptographic policy by default in OracleJDK
>> 8170536: Uninitialised memory in set_uintx_flag of attachListener.cpp
>> 8178728: Check the AlgorithmParameters in algorithm constraints
>> 8185909: Disable JARs signed with DSA keys less than 1024 bits
>> 8190266: closed/java/awt/ComponentOrientation/WindowTest.java throws java.util.MissingResourceException.
>> 8190449: sun/security/pkcs11/KeyPairGenerator/TestDH2048.java fails on Solaris x64 5.10
>> 8190497: DHParameterSpec.getL() returns zero after JDK-8072452
>> 8190541: 8u161 L10n resource file update
>> 8192793: 8u161 L10n resource file update md20
>> 8022532: [parfait] Potential memory leak in gtk2_interface.c
>> 8048819: Implement reliability test for DH algorithm
>> 6803376: BasicConstraintsExtension does not encode when (ca==false && pathLen<0)
>> 8144593: Suppress not recognized property/feature warning messages from SAXParser
>> 7196382: PKCS11 provider should support 2048-bit DH
>> 8190258: (tz) Support tzdata2017c
>> 6804045: DerValue does not accept empty OCTET STRING
>> 7199939: DSA 576 and 640 bit keys fail when initializing for No precomputed parameters
>> 8028293: Check local configuration for actual ephemeral port range
>> 8075286: Additional tests for signature algorithm OIDs and transformation string
>> 8173854: [TEST] Update DHEKeySizing test case following 8076328 & 8081760
>> 8147969: Print size of DH keysize when errors are encountered
>> 6893704: Potential memory leak in gtk2_interface.c
>> 
>> Webrevs for the changes:
>> 
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/root/webrev/
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/corba/webrev/
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/hotspot/webrev/
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/jaxp/webrev/
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/jaxws/webrev/
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/jdk/webrev/
>> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Jan_2018/webrevs/langtools/webrev/
>> 
>> Please review.
>> 
>> Thanks,
>> 
>> Dmitry
>> 
> 
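A post-update sanity check for the patched runtime, added here as an example; it is not part of the jdk6-b46 change or of either reviewer's message. It confirms on a live JDK 6 that the three policy-level items in the list took effect: the DH-under-1024 restriction for TLS (8148108), the DSA-under-1024 restriction for signed JARs (8185909), and the absence of EXPORT suites from the default enabled cipher suites (8163237). The exact entries of the backported java.security are not quoted in the message, so the strings `DH keySize < 1024` and `DSA keySize < 1024` are assumptions carried over from the corresponding 8u161 behaviour; the class name `CheckJdk6B46` is hypothetical. The code is kept Java 6 compatible (no diamond operator, no try-with-resources) so it compiles with the runtime it checks.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

/*
 * Added example, not part of the jdk6-b46 changeset.
 * Compile and run on the updated JDK 6: javac CheckJdk6B46.java && java CheckJdk6B46
 * The property entries looked for below are assumed from the 8u161 java.security
 * file; the b46 file may word them differently, in which case adjust the strings.
 */
public class CheckJdk6B46 {

    /** Returns a list of findings; an empty list means every check passed. */
    public static List<String> check() throws Exception {
        List<String> findings = new ArrayList<String>();

        // 8148108: TLS must reject DH keys shorter than 1024 bits. In 8u this is
        // expressed as an entry in the jdk.tls.disabledAlgorithms security property.
        expectEntry(findings, "jdk.tls.disabledAlgorithms", "DH keySize < 1024");

        // 8185909: JARs signed with DSA keys shorter than 1024 bits must be rejected,
        // expressed as an entry in jdk.jar.disabledAlgorithms.
        expectEntry(findings, "jdk.jar.disabledAlgorithms", "DSA keySize < 1024");

        // 8163237: no EXPORT suite should be enabled by default. Anonymous and
        // NULL-cipher suites are flagged too; they are not expected by default.
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();
        for (int i = 0; i < enabled.length; i++) {
            String suite = enabled[i];
            if (suite.contains("_EXPORT_") || suite.contains("_anon_")
                    || suite.contains("_WITH_NULL_")) {
                findings.add("weak cipher suite enabled by default: " + suite);
            }
        }
        return findings;
    }

    /** Splits a comma-separated disabledAlgorithms value and looks for one entry. */
    private static void expectEntry(List<String> findings, String property, String entry) {
        String value = Security.getProperty(property);
        if (value == null) {
            findings.add(property + " is not set");
            return;
        }
        String wanted = entry.replaceAll("\\s+", "");
        String[] parts = value.split(",");
        for (int i = 0; i < parts.length; i++) {
            // strip whitespace so "DH keySize<1024" and "DH keySize < 1024" compare equal
            if (parts[i].replaceAll("\\s+", "").equals(wanted)) {
                return;
            }
        }
        findings.add(property + " does not contain \"" + entry + "\": " + value);
    }

    public static void main(String[] args) throws Exception {
        List<String> findings = check();
        if (findings.isEmpty()) {
            System.out.println("all checks passed");
            return;
        }
        for (String f : findings) {
            System.out.println("FAIL: " + f);
        }
        System.exit(1);
    }
}
```

The check reads the effective values through `java.security.Security`, so it also catches a deployment that ships the new runtime but overrides the policy with an old `java.security` file or a `-Djava.security.properties` override; a non-zero exit is the signal to inspect which of the three items regressed.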



More information about the jdk6-dev mailing list