[PATCH] jdk7u151-b01 retro-active security patch review

Andrew Hughes gnu.andrew at redhat.com
Fri Aug 11 01:14:47 UTC 2017


On 10 August 2017 at 08:18, Andrew Hughes <gnu.andrew at redhat.com> wrote:
> We have a new release of IcedTea (http://bitly.com/it20610) and a new OpenJDK
> 7 release, u151-b01, to go with it. This is made from the current state of the
> OpenJDK 7u repositories plus backports of the new security fixes included in
> 8u141 and 8u144.
>
> The tarball is available here:
>
> https://openjdk-sources.osci.io/openjdk7/openjdk7u151-b01.tar.xz
>
> The tarball is accompanied by a digital signature available at:
>
> https://openjdk-sources.osci.io/openjdk7/openjdk7u151-b01.tar.xz.sig
>
> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
>
> GnuPG >= 2.1 is required to be able to handle this key.
>
> SHA256 checksums:
>
> 54065d5d465d73c05cce6476cc1cec1d66cc893902e6b363bb03cb7031f9a764  openjdk7u151-b01.tar.xz
> b9b64c7abe6da6c0dd90407e37784314035c230270c5bb77d25523e20425460f  openjdk7u151-b01.tar.xz.sig
>
> They are listed at
> https://openjdk-sources.osci.io/openjdk7/openjdk7u151-b01.sha256
>
> Changes since u141-b02:
>   - S7117357: Warnings in sun.instrument, tools and other sun.* classes
>   - S7117570: Warnings in sun.mangement.* and its subpackages
>   - S7143230: fix warnings in java.util.jar, sun.tools.jar, zipfs demo, etc.
>   - S8022440: suppress deprecation warnings in sun.rmi
>   - S8024069: replace_in_map() should operate on parent maps
>   - S8026796: Make replace_in_map() on parent maps generic
>   - S8030787: [Parfait] JNI-related warnings from b119 for jdk/src/share/native/sun/awt/image
>   - S8030875: Macros for checking and returning on exceptions
>   - S8031737: CHECK_NULL and CHECK_EXCEPTION macros cleanup
>   - S8034912: backport of 8031737 to jdk8u breaks linux buld.
>   - S8035629: [parfait] JNI exc pending in jdk/src/windows/native/sun/windows/ShellFolder2.cpp
>   - S8037287: Windows build failed after JDK-8030787
>   - S8048703: ReplacedNodes dumps it's content to tty
>   - S8080492: [Parfait] Uninitialised variable in jdk/src/java/desktop/windows/native/libawt/
>   - S8139870: sun.management.LazyCompositeData.isTypeMatched() fails for composite types with items of ArrayType
>   - S8143377: Test PKCS8Test.java fails
>   - S8149450: LdapCtx.processReturnCode() throwing Null Pointer Exception
>   - S8155690: Update libPNG library to the latest up-to-date
>   - S8156804: Better constraint checking
>   - S8162461: Hang due to JNI up-call made whilst holding JNI critical lock
>   - S8163958: Improved garbage collection
>   - S8165231: java.nio.Bits.unaligned() doesn't return true on ppc
>   - S8165367: Additional tests for JEP 288: Disable SHA-1 Certificates
>   - S8167228: Update to libpng 1.6.28
>   - S8169209: Improved image post-processing steps
>   - S8169392: Additional jar validation steps
>   - S8170966: Right parenthesis issue
>   - S8172204: Better Thread Pool execution
>   - S8172461: Service Registration Lifecycle
>   - S8172465: Better handling of channel groups
>   - S8172469: Transform Transformer Exceptions
>   - S8173145: Menu is activated after using mnemonic Alt/Key combination
>   - S8173286: Better reading of text catalogs
>   - S8173697: Less Active Activations
>   - S8173770: Image conversion improvements
>   - S8174098: Better image fetching
>   - S8174105: Better naming attribution
>   - S8174113: Better sourcing of code
>   - S8174164: SafePointNode::_replaced_nodes breaks with irreducible loops
>   - S8174729: Race Condition in java.lang.reflect.WeakCache
>   - S8174770: Check registry registration location
>   - S8174873: Improved certificate procesing
>   - S8175097: [TESTBUG] 8174164 fix missed the test
>   - S8175106: Higher quality DSA operations
>   - S8175110: Higher quality ECDSA operations
>   - S8175251: Failed to load RSA private key from pkcs12
>   - S8176055: JMX diagnostic improvements
>   - S8176067: Proper directory lookup processing
>   - S8176731: JCK tests in api/javax_xml/transform/ spec conformance started failing after 8172469
>   - S8176760: Better handling of PKCS8 material
>   - S8176769: Remove accidental spec change in jdk8u
>   - S8177449: (tz) Support tzdata2017b
>   - S8178135: Additional elliptic curve support
>   - S8178996: [macos] JComboBox doesn't display popup in mixed JavaFX Swing Application on 8u131 and Mac OS 10.12
>   - S8179014: JFileChooser with Windows look and feel crashes on win 10
>   - S8179887: Build failure with glibc >= 2.24: error: 'int readdir_r(DIR*, dirent*, dirent**)' is deprecated
>   - S8180582: The bind to rmiregistry is rejected by registryFilter even though registryFilter is set
>   - S8181420: PPC: Image conversion improvements
>   - S8181591: 8u141 L10n resource file update
>   - S8182054: Improve wsdl support
>   - S8184119: Incorrect return processing for the LF editor of MethodHandles.permuteArguments
>   - S8184993: Jar file verification failing with SecurityException: digest missing xxx
>   - S8185501: Missing import in JAXP code
>   - S8185502: No overflow operator on OpenJDK 7
>   - S8185716: OpenJDK 7 PPC64 port uses a different ins_encode format in ppc.ad
>
> Webrevs for the new changes:
>
> http://cr.openjdk.java.net/~andrew/openjdk7/20170718/root/
> http://cr.openjdk.java.net/~andrew/openjdk7/20170718/corba/
> http://cr.openjdk.java.net/~andrew/openjdk7/20170718/jaxp/
> http://cr.openjdk.java.net/~andrew/openjdk7/20170718/jaxws/
> http://cr.openjdk.java.net/~andrew/openjdk7/20170718/hotspot/
> http://cr.openjdk.java.net/~andrew/openjdk7/20170718/jdk/
> http://cr.openjdk.java.net/~andrew/openjdk7/20170718/langtools/
>
> Ok to push?
> --
> Andrew :)
>
> Senior Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> Web Site: http://fuseyism.com
> Twitter: https://twitter.com/gnu_andrew_java
> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

For ease of review, it's worth noting that these updates are listed in
three sections in the IcedTea release blog (http://bitly.com/it20611):
Security Fixes, Import of OpenJDK 7 u151 build 0 and
Import of OpenJDK 7 u151 build 1, along with links to the appropriate bugs.

Bugs in build 0 with IDs smaller than S8139870 are earlier bugs which
form pre-requisites for applying the patches below. These patches were
already included in versions of OpenJDK 8 prior to 8u141, but not OpenJDK 7.

The copies of the changesets in the IcedTea repositories may also come
in useful, in seeing the order the changes were applied:

http://icedtea.classpath.org/hg/release/icedtea7-forest-2.6/hotspot/
http://icedtea.classpath.org/hg/release/icedtea7-forest-2.6/jaxp/
http://icedtea.classpath.org/hg/release/icedtea7-forest-2.6/jaxws/
http://icedtea.classpath.org/hg/release/icedtea7-forest-2.6/jdk/
http://icedtea.classpath.org/hg/release/icedtea7-forest-2.6/langtools/

E.g. the order there makes it clear that 7117357 & 7117570 were applied
so that 8139870 would apply cleanly.

Also, note that 8176536: Improved algorithm constraints checking and
its dependants, 8179101 & 8179998, have not been backported in this
update due to time constraints. These changes turn off server-side
SHA-1 certificate use for certificates in the OpenJDK certificate
authority. We plan to include these between now and October, giving
this significant change more time for testing.

Thanks,
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Web Site: http://fuseyism.com
Twitter: https://twitter.com/gnu_andrew_java
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
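
The checks the announcement above calls for (published SHA256 digest plus a signature from the stated key), as an added shell example that is not part of the original mail. The function names are hypothetical, and it assumes `sha256sum`, `awk` and GnuPG >= 2.1 with the signer's key already imported.

```shell
#!/bin/sh
# Added example (not from the original mail): verify a release tarball against
# a published SHA256 digest and a pinned signer fingerprint.
# All function names here are hypothetical.

# Normalise a fingerprint as printed in a mail ("5132 579D ...") to bare
# upper-case hex, the form GnuPG uses in its machine-readable status output.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# check_sha256 FILE EXPECTED_HEX
# Succeeds only if the file's SHA-256 equals the published digest.
# A missing file yields an empty digest and therefore fails.
check_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'ABCDEF' 'abcdef')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# validsig_matches EXPECTED_FPR
# Reads `gpg --status-fd 1 --verify` output on stdin. Requires a GOODSIG line
# (VALIDSIG alone is also emitted for expired or revoked keys) and a VALIDSIG
# line naming the pinned fingerprint, either as the signing key (field 3) or
# as the primary key (last field).
validsig_matches() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { valid = 1 }
        END { exit (good && valid) ? 0 : 1 }'
}

# verify_release TARBALL SIGFILE SHA256_HEX FINGERPRINT
# Both checks must pass; the fingerprint is pinned by the caller rather than
# taken from whatever key happens to verify the signature.
verify_release() {
    check_sha256 "$1" "$3" || { echo "checksum mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | validsig_matches "$4" \
        || { echo "no good signature from pinned key $4" >&2; return 1; }
    echo "verified: $1"
}
```

Call it as `verify_release openjdk7u151-b01.tar.xz openjdk7u151-b01.tar.xz.sig <sha256> "<fingerprint>"`, taking the digest and fingerprint from the announcement rather than from the download host alone.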

