[PATCH] jdk7u111-b01 retro-active security patch review

Andrew Hughes gnu.andrew at redhat.com
Fri Jul 29 17:55:22 UTC 2016


We have a new release of IcedTea (http://bitly.com/it20607) and a new OpenJDK
7 release, u111-b01, to go with it. This is made from the current state of the
OpenJDK 7u repositories plus backports of the new security fixes included in 8u101.

The tarball is available here:

https://java.net/projects/openjdk7/downloads/download/openjdk7u111-b01.tar.xz

SHA256 checksum:

53a0d7f8edcc35b6f26e1772a92b4e486dcd2a6ff5d67b6b558145f10ebb2b9b  openjdk7u111-b01.tar.xz

Changes since u101-b00:

* Security fixes
  - S8079718, CVE-2016-3458: IIOP Input Stream Hooking
  - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only)
  - S8147771: Construction of static protection domains under Javax custom policy
  - S8148872, CVE-2016-3500: Complete name checking
  - S8149962, CVE-2016-3508: Better delineation of XML processing
  - S8150752: Share Class Data
  - S8151925: Font reference improvements
  - S8152479, CVE-2016-3550: Coded byte streams
  - S8155981, CVE-2016-3606: Bolster bytecode verification
  - S8155985, CVE-2016-3598: Persistent Parameter Processing
  - S8158571, CVE-2016-3610: Additional method handle validation
* OpenJDK 7 u111 build 0
  - S6953295: Move few sun.security.{util, x509, pkcs} classes used by keytool/jarsigner to another package
  - S7060849: Eliminate pack200 build warnings
  - S7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
  - S7069870: Parts of the JDK erroneously rely on generic array initializers with diamond
  - S7102686: Restructure timestamp code so that jars and modules can more easily share the same code
  - S7105780: Add SSLSocket client/SSLEngine server to templates directory
  - S7142339: PKCS7.java is needlessly creating SHA1PRNG SecureRandom instances when timestamping is not done
  - S7152582: PKCS11 tests should use the NSS libraries available in the OS
  - S7192202: Make sure keytool prints both unknown and unparseable extensions
  - S7194449: String resources for Key Tool and Policy Tool should be in their respective packages
  - S7196855: autotest.sh fails on ubuntu because libsoftokn.so not found
  - S7200682: TEST_BUG: keytool/autotest.sh still has problems with libsoftokn.so
  - S8002306: (se) Selector.open fails if invoked with thread interrupt status set [win]
  - S8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
  - S8019341: Update CookieHttpsClientTest to use the newer framework.
  - S8022228: Intermittent test failures in sun/security/ssl/javax/net/ssl/NewAPIs
  - S8022439: Fix lint warnings in sun.security.ec
  - S8022594: Potential deadlock in <clinit> of sun.nio.ch.Util/IOUtil
  - S8023546: sun/security/mscapi/ShortRSAKey1024.sh fails intermittently
  - S8036612: [parfait] JNI exception pending in jdk/src/windows/native/sun/security/mscapi/security.cpp
  - S8037557: test SessionCacheSizeTests.java timeout
  - S8038837: Add support to jarsigner for specifying timestamp hash algorithm
  - S8079410: Hotspot version to share the same update and build version from JDK
  - S8130735: javax.swing.TimerQueue: timer fires late when another timer starts
  - S8139436: sun.security.mscapi.KeyStore might load incomplete data
  - S8144313: Test SessionTimeOutTests can be timeout
  - S8146387: Test SSLSession/SessionCacheSizeTests socket accept timed out
  - S8146669: Test SessionTimeOutTests fails intermittently
  - S8146993: Several javax/management/remote/mandatory regression tests fail after JDK-8138811
  - S8147857: [TEST] RMIConnector logs attribute names incorrectly
  - S8151841: Build needs additional flags to compile with GCC 6
  - S8151876: (tz) Support tzdata2016d
  - S8157077: 8u101 L10n resource file updates
  - S8161262: Fix jdk build with gcc 4.1.2: -fno-strict-overflow not known.
* OpenJDK 7 u111 build 1
  - S7081817: test/sun/security/provider/certpath/X509CertPath/IllegalCertificates.java failing
  - S8140344: add support for 3 digit update release numbers
  - S8145017: Add support for 3 digit hotspot minor version numbers
  - S8162344: The API changes made by CR 7064075 need to be reverted

Webrevs for the new changes:
 
http://cr.openjdk.java.net/~andrew/openjdk7/20160719/root/
http://cr.openjdk.java.net/~andrew/openjdk7/20160719/corba/
http://cr.openjdk.java.net/~andrew/openjdk7/20160719/jaxp/
http://cr.openjdk.java.net/~andrew/openjdk7/20160719/jaxws/
http://cr.openjdk.java.net/~andrew/openjdk7/20160719/hotspot/
http://cr.openjdk.java.net/~andrew/openjdk7/20160719/jdk/
http://cr.openjdk.java.net/~andrew/openjdk7/20160719/langtools/

Included are the GCC 6 fix previously posted [0] and the amended version of S8161262 [1].

Once approved, I'll push these to the OpenJDK 7 repository.

[0] http://mail.openjdk.java.net/pipermail/jdk7u-dev/2016-July/010583.html
[1] http://mail.openjdk.java.net/pipermail/jdk7u-dev/2016-July/010594.html
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222



