jdk7u131-b00 retro-active security patch review

Lindenmaier, Goetz goetz.lindenmaier at sap.com
Sun Feb 19 17:59:12 UTC 2017


Hi, 

I did a build on AIX and ran some tests.  Also I looked through a large 
part of the webrev, which looks good.
So I'm fine with this change.

Best regards,
  Goetz


> -----Original Message-----
> From: jdk7u-dev [mailto:jdk7u-dev-bounces at openjdk.java.net] On Behalf Of
> Andrew Hughes
> Sent: Dienstag, 14. Februar 2017 07:23
> To: jdk7u-dev <jdk7u-dev at openjdk.java.net>
> Subject: [PATCH] jdk7u131-b00 retro-active security patch review
> 
> We have a new release of IcedTea (http://bitly.com/it20609) and a new OpenJDK
> 7 release, u131-b00, to go with it. This is made from the current state of the
> OpenJDK 7u repositories plus backports of the new security fixes included in
> 8u121.
> 
> The tarball is available here:
> 
> https://java.net/projects/openjdk7/downloads/download/openjdk7u131-b00.tar.xz
> 
> The tarball is accompanied by a digital signature available at:
> 
> https://java.net/projects/openjdk7/downloads/download/openjdk7u131-b00.tar.xz.sig
> 
> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
> 
> GnuPG >= 2.1 is required to be able to handle this key.
> 
> SHA256 checksums:
> 
> 56af58591a3ed7aa136172cb08254cadf3e01055f421a9305d10403206526bda
> openjdk7u131-b00.tar.xz
> 7f9760e48d9711f22c4cc3346a175f180bceb4c452b43e192094a761afa2b24d
> openjdk7u131-b00.tar.xz.sig
> 
> They are listed at
> https://java.net/projects/openjdk7/downloads/download/openjdk7u131-b00.sha256
> 
> Changes since u121-b00:
> 
> * Security fixes
>   - S8138725: Add options for Javadoc generation
>   - S8140353: Improve signature checking
>   - S8151934, CVE-2017-3231: Resolve class resolution
>   - S8156804, CVE-2017-3241: Better constraint checking
>   - S8158406: Limited Parameter Processing
>   - S8158997: JNDI Protocols Switch
>   - S8159507: RuntimeVisibleAnnotation validation
>   - S8161218: Better bytecode loading
>   - S8161743, CVE-2017-3252: Provide proper login context
>   - S8162577: Standardize logging levels
>   - S8162973: Better component components
>   - S8164143, CVE-2017-3260: Improve components for menu items
>   - S8164147, CVE-2017-3261: Improve streaming socket output
>   - S8165071, CVE-2016-2183: Expand TLS support
>   - S8165344, CVE-2017-3272: Update concurrency support
>   - S8166988, CVE-2017-3253: Improve image processing performance
>   - S8167104, CVE-2017-3289: Additional class construction refinements
>   - S8167223, CVE-2016-5552: URL handling improvements
>   - S8168705, CVE-2016-5547: Better ObjectIdentifier validation
>   - S8168714, CVE-2016-5546: Tighten ECDSA validation
>   - S8168728, CVE-2016-5548: DSA signing improvements
>   - S8168724, CVE-2016-5549: ECDSA signing improvements
> * Other fixes
>   - S6253144: Long narrowing conversion should describe the algorithm used and implied "risks"
>   - S6328537: Improve javadocs for Socket class by adding references to SocketOptions
>   - S6978886: javadoc shows stacktrace after print error resulting from disk full
>   - S6995421: Eliminate the static dependency to sun.security.ec.ECKeyFactory
>   - S6996372: synchronizing handshaking hash
>   - S7027045: (doc) java/awt/Window.java has several typos in javadoc
>   - S7054969: Null-check-in-finally pattern in java/security documentation
>   - S7072353: JNDI libraries do not build with javac -Xlint:all -Werror
>   - S7075563: Broken link in "javax.swing.SwingWorker"
>   - S7077672: jdk8_tl nightly fail in step-2 build on 8/10/11
>   - S7088502: Security libraries don't build with javac -Werror
>   - S7092447: Clarify the default locale used in each locale sensitive operation
>   - S7093640: Enable client-side TLS 1.2 by default
>   - S7103570: AtomicIntegerFieldUpdater does not work when SecurityManager is installed
>   - S7117360: Warnings in java.util.concurrent.atomic package
>   - S7117465: Warning cleanup for IMF classes
>   - S7187144: JavaDoc for ScriptEngineFactory.getProgram() contains an error
>   - S8000418: javadoc should used a standard "generated by javadoc" string
>   - S8000666: javadoc should write directly to Writer instead of composing strings
>   - S8000673: remove dead code from HtmlWriter and subtypes
>   - S8000970: break out auxiliary classes that will prevent multi-core compilation of the JDK
>   - S8001669: javadoc internal DocletAbortException should set cause when appropriate
>   - S8008949: javadoc stopped copying doc-files
>   - S8011402: Move blacklisting certificate logic from hard code to data
>   - S8011547: Update XML Signature implementation to Apache Santuario 1.5.4
>   - S8012288: XML DSig API allows wrong tag names and extra elements in SignedInfo
>   - S8016217: More javadoc warnings
>   - S8017325: Cleanup of the javadoc <code> tag in java.security.cert
>   - S8017326: Cleanup of the javadoc <code> tag in java.security.spec
>   - S8019772: Fix doclint issues in javax.crypto and javax.security subpackages
>   - S8020557: javadoc cleanup in javax.security
>   - S8020688: Broken links in documentation at http://docs.oracle.com/javase/6/docs/api/index.
>   - S8021108: Clean up doclint warnings and errors in java.text package
>   - S8021417: Fix doclint issues in java.util.concurrent
>   - S8021833: javadoc cleanup in java.net
>   - S8022120: JCK test api/javax_xml/crypto/dsig/TransformService/index_ParamMethods fails
>   - S8022175: Fix doclint warnings in javax.print
>   - S8022406: Fix doclint issues in java.beans
>   - S8022746: List of spelling errors in API doc
>   - S8024779: [macosx] SwingNode crashes on exit
>   - S8025085: [javadoc] some errors in javax/swing
>   - S8025218: [javadoc] some errors in java/awt classes
>   - S8025249: [javadoc] fix some javadoc errors in javax/swing/
>   - S8025409: Fix javadoc comments errors and warning reported by doclint report
>   - S8026021: more fix of javadoc errors and warnings reported by doclint, see the description
>   - S8037099: [macosx] Remove all references to GC from native OBJ-C code
>   - S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String
>   - S8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits
>   - S8049244: XML Signature performance issue caused by unbuffered signature data
>   - S8049432: New tests for TLS property jdk.tls.client.protocols
>   - S8050893: (smartcardio) Invert reset argument in tests in sun/security/smartcardio
>   - S8059212: Modify sun/security/smartcardio manual regression tests so that they do not just fail if no cardreader found
>   - S8068279: (typo in the spec) javax.script.ScriptEngineFactory.getLanguageName
>   - S8068491: Update the protocol for references of docs.oracle.com to HTTPS.
>   - S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be updated for JDK-8061210
>   - S8076369: Introduce the jdk.tls.client.protocols system property for JDK 7u
>   - S8139565: Restrict certificates with DSA keys less than 1024 bits
>   - S8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
>   - S8140587: Atomic*FieldUpdaters should use Class.isInstance instead of direct class check
>   - S8143959: Certificates requiring blacklisting
>   - S8145984: [macosx] sun.lwawt.macosx.CAccessible leaks
>   - S8148516: Improve the default strength of EC in JDK
>   - S8149029: Secure validation of XML based digital signature always enabled when checking wrapping attacks
>   - S8151893: Add security property to configure XML Signature secure validation mode
>   - S8155760: Implement Serialization Filtering
>   - S8156802: Better constraint checking
>   - S8161228: URL objects with custom protocol handlers have port changed after deserializing
>   - S8161571: Verifying ECDSA signatures permits trailing bytes
>   - S8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
>   - S8164908: ReflectionFactory support for IIOP and custom serialization
>   - S8165230: RMIConnection addNotificationListeners failing with specific inputs
>   - S8166393: disabledAlgorithms property should not be strictly parsed
>   - S8166591: [macos 10.12] Trackpad scrolling of text on OS X 10.12 Sierra is very fast (Trackpad, Retina only)
>   - S8166739: Improve extensibility of ObjectInputFilter information passed to the filter
>   - S8166875: (tz) Support tzdata2016g
>   - S8166878: Connection reset during TLS handshake
>   - S8167356: Follow up fix for jdk8 backport of 8164143. Changes for CMenuComponent.m were missed
>   - S8167459: Add debug output for indicating if a chosen ciphersuite was legacy
>   - S8167472: Chrome interop regression with JDK-8148516
>   - S8167591: Add MD5 to signed JAR restrictions
>   - S8168861: AnchorCertificates uses hardcoded password for cacerts keystore
>   - S8168993: JDK8u121 L10n resource file update
>   - S8169191: (tz) Support tzdata2016i
>   - S8169688: Backout (remove) MD5 from jdk.jar.disabledAlgorithms for January CPU
>   - S8169911: Enhanced tests for jarsigner -verbose -verify after JDK-8163304
>   - S8170131: Certificates not being blocked by jdk.tls.disabledAlgorithms property
>   - S8170268: 8u121 L10n resource file update - msgdrop 20
>   - S8173622: Backport of 7180907 is incomplete
>   - S8173849: Fix use of java.util.Base64 in test cases
>   - S8173854: [TEST] Update DHEKeySizing test case following 8076328 & 8081760
> 
> Webrevs for the new changes:
> 
> http://cr.openjdk.java.net/~andrew/openjdk7/20170117/root/
> http://cr.openjdk.java.net/~andrew/openjdk7/20170117/corba/
> http://cr.openjdk.java.net/~andrew/openjdk7/20170117/jaxp/
> http://cr.openjdk.java.net/~andrew/openjdk7/20170117/jaxws/
> http://cr.openjdk.java.net/~andrew/openjdk7/20170117/hotspot/
> http://cr.openjdk.java.net/~andrew/openjdk7/20170117/jdk/
> http://cr.openjdk.java.net/~andrew/openjdk7/20170117/langtools/
> 
> Ok to push?
> --
> Andrew :)
> 
> Senior Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
> 
> Web Site: http://fuseyism.com
> Twitter: https://twitter.com/gnu_andrew_java
> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
> 

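As an added example, not part of either message in this thread: a POSIX shell script that checks the announced tarball and signature file against the SHA256 checksums from the mail and then confirms the signature was made by the announced key fingerprint, rather than by just any key that happens to be in the local keyring. It assumes both release files are in the current directory and that sha256sum or shasum and GnuPG >= 2.1 are on PATH.

```shell
#!/bin/sh
# Added example, not from the announcement: verify the u131-b00 release files
# against the SHA256 checksums and the ed25519 key announced in the mail.
# Assumes GnuPG >= 2.1 (needed for ed25519) and sha256sum or shasum on PATH.
set -u

TARBALL=openjdk7u131-b00.tar.xz
SIG=openjdk7u131-b00.tar.xz.sig
KEYID=0xCFDA0F9B35964222
# Announced fingerprint with spaces removed, as gpg prints it in status lines.
FPR=5132579DD1540ED23E04C5A0CFDA0F9B35964222
TARBALL_SHA256=56af58591a3ed7aa136172cb08254cadf3e01055f421a9305d10403206526bda
SIG_SHA256=7f9760e48d9711f22c4cc3346a175f180bceb4c452b43e192094a761afa2b24d

# Print the SHA-256 hex digest of a file with whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if the file's digest equals the expected one (case-insensitive).
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Succeed only if gpg reports a VALIDSIG line carrying the announced fingerprint
# (as signing key or primary key). "Good signature" alone is not enough: any
# key that happens to be in the keyring would satisfy it, so pin the fingerprint.
verify_signature() {
    gpg --status-fd 1 --verify "$SIG" "$TARBALL" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .*$FPR"
}

# Whole procedure: checksums first, then fetch the key and check the signature.
release_check() {
    verify_sha256 "$TARBALL" "$TARBALL_SHA256" || { echo "tarball checksum mismatch"; return 1; }
    verify_sha256 "$SIG" "$SIG_SHA256" || { echo "signature file checksum mismatch"; return 1; }
    gpg --keyserver hkp://keys.gnupg.net --recv-keys "$KEYID" >/dev/null 2>&1 || true
    verify_signature || { echo "no valid signature by $FPR"; return 1; }
    echo "ok: $TARBALL is the announced release"
}

# Run only when the release files are actually present in the current directory.
if [ -f "$TARBALL" ] && [ -f "$SIG" ]; then release_check; fi
```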

