[PATCH] jdk7u151-b01 retro-active security patch review
Lindenmaier, Goetz
goetz.lindenmaier at sap.com
Fri Aug 11 15:13:53 UTC 2017
Hi,
the ppc part looks good. Thanks for adapting the ad rules to
the port in 7.
Best regards,
Goetz.
> -----Original Message-----
> From: jdk7u-dev [mailto:jdk7u-dev-bounces at openjdk.java.net] On Behalf Of
> Andrew Hughes
> Sent: Friday, 11 August 2017 03:15
> To: jdk7u-dev <jdk7u-dev at openjdk.java.net>
> Subject: Re: [PATCH] jdk7u151-b01 retro-active security patch review
>
> On 10 August 2017 at 08:18, Andrew Hughes <gnu.andrew at redhat.com>
> wrote:
> > We have a new release of IcedTea (http://bitly.com/it20610) and a new
> > OpenJDK 7 release, u151-b01, to go with it. This is made from the current
> > state of the OpenJDK 7u repositories plus backports of the new security
> > fixes included in 8u141 and 8u144.
> >
> > The tarball is available here:
> >
> > https://openjdk-sources.osci.io/openjdk7/openjdk7u151-b01.tar.xz
> >
> > The tarball is accompanied by a digital signature available at:
> >
> > https://openjdk-sources.osci.io/openjdk7/openjdk7u151-b01.tar.xz.sig
> >
> > PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
> > Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
> >
> > GnuPG >= 2.1 is required to be able to handle this key.
> >
> > SHA256 checksums:
> >
> > 54065d5d465d73c05cce6476cc1cec1d66cc893902e6b363bb03cb7031f9a764  openjdk7u151-b01.tar.xz
> > b9b64c7abe6da6c0dd90407e37784314035c230270c5bb77d25523e20425460f  openjdk7u151-b01.tar.xz.sig
> >
> > They are listed at
> > https://openjdk-sources.osci.io/openjdk7/openjdk7u151-b01.sha256
> >
> > Changes since u141-b02:
> > - S7117357: Warnings in sun.instrument, tools and other sun.* classes
> > - S7117570: Warnings in sun.mangement.* and its subpackages
> > - S7143230: fix warnings in java.util.jar, sun.tools.jar, zipfs demo, etc.
> > - S8022440: suppress deprecation warnings in sun.rmi
> > - S8024069: replace_in_map() should operate on parent maps
> > - S8026796: Make replace_in_map() on parent maps generic
> > - S8030787: [Parfait] JNI-related warnings from b119 for
> > jdk/src/share/native/sun/awt/image
> > - S8030875: Macros for checking and returning on exceptions
> > - S8031737: CHECK_NULL and CHECK_EXCEPTION macros cleanup
> > - S8034912: backport of 8031737 to jdk8u breaks linux buld.
> > - S8035629: [parfait] JNI exc pending in
> > jdk/src/windows/native/sun/windows/ShellFolder2.cpp
> > - S8037287: Windows build failed after JDK-8030787
> > - S8048703: ReplacedNodes dumps it's content to tty
> > - S8080492: [Parfait] Uninitialised variable in
> > jdk/src/java/desktop/windows/native/libawt/
> > - S8139870: sun.management.LazyCompositeData.isTypeMatched() fails
> > for composite types with items of ArrayType
> > - S8143377: Test PKCS8Test.java fails
> > - S8149450: LdapCtx.processReturnCode() throwing Null Pointer Exception
> > - S8155690: Update libPNG library to the latest up-to-date
> > - S8156804: Better constraint checking
> > - S8162461: Hang due to JNI up-call made whilst holding JNI critical lock
> > - S8163958: Improved garbage collection
> > - S8165231: java.nio.Bits.unaligned() doesn't return true on ppc
> > - S8165367: Additional tests for JEP 288: Disable SHA-1 Certificates
> > - S8167228: Update to libpng 1.6.28
> > - S8169209: Improved image post-processing steps
> > - S8169392: Additional jar validation steps
> > - S8170966: Right parenthesis issue
> > - S8172204: Better Thread Pool execution
> > - S8172461: Service Registration Lifecycle
> > - S8172465: Better handling of channel groups
> > - S8172469: Transform Transformer Exceptions
> > - S8173145: Menu is activated after using mnemonic Alt/Key combination
> > - S8173286: Better reading of text catalogs
> > - S8173697: Less Active Activations
> > - S8173770: Image conversion improvements
> > - S8174098: Better image fetching
> > - S8174105: Better naming attribution
> > - S8174113: Better sourcing of code
> > - S8174164: SafePointNode::_replaced_nodes breaks with irreducible loops
> > - S8174729: Race Condition in java.lang.reflect.WeakCache
> > - S8174770: Check registry registration location
> > - S8174873: Improved certificate procesing
> > - S8175097: [TESTBUG] 8174164 fix missed the test
> > - S8175106: Higher quality DSA operations
> > - S8175110: Higher quality ECDSA operations
> > - S8175251: Failed to load RSA private key from pkcs12
> > - S8176055: JMX diagnostic improvements
> > - S8176067: Proper directory lookup processing
> > - S8176731: JCK tests in api/javax_xml/transform/ spec conformance
> > started failing after 8172469
> > - S8176760: Better handling of PKCS8 material
> > - S8176769: Remove accidental spec change in jdk8u
> > - S8177449: (tz) Support tzdata2017b
> > - S8178135: Additional elliptic curve support
> > - S8178996: [macos] JComboBox doesn't display popup in mixed JavaFX
> > Swing Application on 8u131 and Mac OS 10.12
> > - S8179014: JFileChooser with Windows look and feel crashes on win 10
> > - S8179887: Build failure with glibc >= 2.24: error: 'int
> > readdir_r(DIR*, dirent*, dirent**)' is deprecated
> > - S8180582: The bind to rmiregistry is rejected by registryFilter
> > even though registryFilter is set
> > - S8181420: PPC: Image conversion improvements
> > - S8181591: 8u141 L10n resource file update
> > - S8182054: Improve wsdl support
> > - S8184119: Incorrect return processing for the LF editor of
> > MethodHandles.permuteArguments
> > - S8184993: Jar file verification failing with SecurityException:
> > digest missing xxx
> > - S8185501: Missing import in JAXP code
> > - S8185502: No overflow operator on OpenJDK 7
> > - S8185716: OpenJDK 7 PPC64 port uses a different ins_encode format in
> > ppc.ad
> >
> > Webrevs for the new changes:
> >
> > http://cr.openjdk.java.net/~andrew/openjdk7/20170718/root/
> > http://cr.openjdk.java.net/~andrew/openjdk7/20170718/corba/
> > http://cr.openjdk.java.net/~andrew/openjdk7/20170718/jaxp/
> > http://cr.openjdk.java.net/~andrew/openjdk7/20170718/jaxws/
> > http://cr.openjdk.java.net/~andrew/openjdk7/20170718/hotspot/
> > http://cr.openjdk.java.net/~andrew/openjdk7/20170718/jdk/
> > http://cr.openjdk.java.net/~andrew/openjdk7/20170718/langtools/
> >
> > Ok to push?
> > --
> > Andrew :)
> >
> > Senior Free Java Software Engineer
> > Red Hat, Inc. (http://www.redhat.com)
> >
> > Web Site: http://fuseyism.com
> > Twitter: https://twitter.com/gnu_andrew_java
> > PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
> > Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
>
> For ease of review, it's worth noting that these updates are listed in
> three sections in the IcedTea release blog (http://bitly.com/it20611);
> Security Fixes, Import of OpenJDK 7 u151 build 0 and
> Import of OpenJDK 7 u151 build 1, along with links to the appropriate bugs.
>
> Bugs in build 0 with IDs smaller than S8139870 are earlier bugs which
> form pre-requisites for applying the patches below. These patches were
> already included in versions of OpenJDK 8 prior to 8u141, but not OpenJDK 7.
>
> The copies of the changesets in the IcedTea repositories may also come
> in useful, in seeing the order the changes were applied:
>
> http://icedtea.classpath.org/hg/release/icedtea7-forest-2.6/hotspot/
> http://icedtea.classpath.org/hg/release/icedtea7-forest-2.6/jaxp/
> http://icedtea.classpath.org/hg/release/icedtea7-forest-2.6/jaxws/
> http://icedtea.classpath.org/hg/release/icedtea7-forest-2.6/jdk/
> http://icedtea.classpath.org/hg/release/icedtea7-forest-2.6/langtools/
>
> e.g. the order there makes it clear that 7117357 & 7117570 were applied
> so that 8139870 would apply cleanly.
>
> Also, note that 8176536: Improved algorithm constraints checking and
> its dependants, 8179101 & 8179998, have not been backported in this
> update due to time constraints. These changes turn off server-side
> SHA-1 certificate use for certificates in the OpenJDK certificate
> authority. We plan to include these between now and October, giving
> this significant change more time for testing.
>
> Thanks,
> --
> Andrew :)
>
> Senior Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> Web Site: http://fuseyism.com
> Twitter: https://twitter.com/gnu_andrew_java
> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
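
An added example, not part of the original thread or of the OpenJDK/IcedTea projects: a POSIX shell check of a downloaded tarball against the SHA256 value and the PGP fingerprint quoted in the announcement above. It assumes `sha256sum`, `awk` and GnuPG >= 2.1 are installed and that the signer's public key is already in the local keyring; the function names are illustrative.

```shell
#!/bin/sh
# Added example. The three values below are copied from the announcement.
TARBALL=openjdk7u151-b01.tar.xz
TARBALL_SHA256=54065d5d465d73c05cce6476cc1cec1d66cc893902e6b363bb03cb7031f9a764
SIGNER_FPR=5132579DD1540ED23E04C5A0CFDA0F9B35964222   # fingerprint, spaces removed

# sha256_matches FILE HEX: succeed only if FILE hashes to HEX.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# signed_by_pinned_key FPR: reads `gpg --status-fd` lines on stdin.
# Succeeds only if gpg reported GOODSIG (not EXPKEYSIG/REVKEYSIG/BADSIG) and a
# VALIDSIG line names FPR as the signing key or as its primary key, so a good
# signature from some other key in the keyring is rejected.
signed_by_pinned_key() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { valid = 1 }
        END { exit !(good && valid) }'
}

# verify_release DIR: checksum first, then the detached signature.
verify_release() {
    sha256_matches "$1/$TARBALL" "$TARBALL_SHA256" ||
        { echo "SHA256 mismatch for $TARBALL" >&2; return 1; }
    gpg --batch --status-fd 1 --verify "$1/$TARBALL.sig" "$1/$TARBALL" 2>/dev/null |
        signed_by_pinned_key "$SIGNER_FPR" ||
        { echo "signature is not a good one from $SIGNER_FPR" >&2; return 1; }
    echo "$TARBALL: checksum and signature verified"
}

# Run the check only when a download directory is passed as an argument.
if [ "$#" -ge 1 ]; then verify_release "$1"; fi
```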