[PATCH] jdk7u161-b01 retro-active security patch review
Andrew Hughes
gnu.andrew at redhat.com
Mon Jan 1 02:46:31 UTC 2018
On 20 December 2017 at 19:20, Dmitry Cherepanov <dcherepanov at azul.com> wrote:
> Looks good to me. Thanks.
>
> Dmitry
>
>> On Dec 8, 2017, at 9:11 PM, Andrew Hughes <gnu.andrew at redhat.com> wrote:
>>
>> We have a new release of IcedTea (http://bitly.com/it20612) and a new OpenJDK
>> 7 release, u161-b01, to go with it. This is made from the current state of the
>> OpenJDK 7u repositories plus backports of the new security fixes
>> included in 8u151.
>>
>> The tarball is available here:
>>
>> https://openjdk-sources.osci.io/openjdk7/openjdk7u161-b01.tar.xz
>>
>> The tarball is accompanied by a digital signature available at:
>>
>> https://openjdk-sources.osci.io/openjdk7/openjdk7u161-b01.tar.xz.sig
>>
>> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
>> Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
>>
>> GnuPG >= 2.1 is required to be able to handle this key.
>>
>> SHA256 checksums:
>>
>> 1c9aa68d584eecf661a6a958d330065388846bf80dac62845e3be5f16f2a78ed
>> openjdk7u161-b01.tar.xz
>> fd124d2999f06674179f5049b947d4bac1ef137b04b267e808634a808eba2591
>> openjdk7u161-b01.tar.xz.sig
>>
>> They are listed at
>> https://openjdk-sources.osci.io/openjdk7/openjdk7u161-b01.sha256
>>
>> I've also uploaded the tarball for the missing openjdk7u141-b02
>> release from April 2017:
>>
>> https://openjdk-sources.osci.io/openjdk7/openjdk7u141-b02.tar.xz
>> https://openjdk-sources.osci.io/openjdk7/openjdk7u141-b02.tar.xz.sig
>> https://openjdk-sources.osci.io/openjdk7/openjdk7u141-b02.sha256sum
>>
>> SHA256 checksums:
>>
>> fd91c3631550467d196ea8924f34b149fc40c24ac3a2ef8ba818d2737b84caec
>> openjdk7u141-b02.tar.xz
>> d0b592d064e74e9a2243071b14f4b363ce38fd63c1ca5d1d6510724091494c85
>> openjdk7u141-b02.tar.xz.sig
>>
>> Changes since u151-b01:
>> - S6475361: Attempting to remove help menu from java.awt.MenuBar
>> throws NullPointerException
>> - S6637288: Add OCSP support to PKIX CertPathBuilder implementation
>> - S6854712: Revocation checking enhancements (JEP-124)
>> - S6904367: (coll) IdentityHashMap is resized before exceeding the
>> expected maximum size
>> - S7015157: String "Tabular Navigation" should be rephrased for
>> avoiding mistranslation
>> - S7115744: Do not call File::deleteOnExit in security tests
>> - S7126011: ReverseBuilder.getMatchingCACerts may throws NPE
>> - S7147336: clarification on warning of keytool -printcrl
>> - S7162687: enhance KDC server availability detection
>> - S7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not
>> determine revocation status)
>> - S7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest
>> fails with NullPointerException
>> - S7196382: PKCS11 provider should support 2048-bit DH
>> - S7197672: There are issues with shared data on windows
>> - S7199939: DSA 576 and 640 bit keys fail when initializing for No
>> precomputed parameters
>> - S8002074: Support for AES on SPARC
>> - S8005408: KeyStore API enhancements
>> - S8006863: javadoc cleanup for 8005408
>> - S8006946: PKCS12 test failure due to incorrect alias name
>> - S8006951: Avoid storing duplicate PKCS12 attributes
>> - S8006994: Cleanup PKCS12 tests to ensure streams get closed
>> - S8007483: attributes are ignored when loading keys from a PKCS12 keystore
>> - S8007967: Infinite loop can happen in
>> sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
>> - S8010112: NullPointerException in sun.security.provider.certpath.CertId()
>> - S8012900: CICO ignores AAD in GCM mode (with refactoring from 6996769)
>> - S8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
>> - S8016252: More defensive HashSet.readObject
>> - S8025215: jdk8 l10n resource file translation update 4
>> - S8026943: SQE test jce/Global/Cipher/SameBuffer failed
>> - S8027575: b113 causing a lot of memory allocation and regression
>> for wls_webapp_atomics
>> - S8029659: Keytool, print key algorithm of certificate or key entry
>> - S8029788: Certificate validation - java.lang.ClassCastException
>> - S8031825: OCSP client can't find responder cert if it uses a
>> different subject key id algorithm than responderID
>> - S8033117: PPC64: Adapt to 8002074: Support for AES on SPARC
>> - S8035623: [parfait] JNI exception pending in
>> jdk/src/windows/native/sun/windows/awt_Font.cpp
>> - S8035640: JNU_CHECK_EXCEPTION should support c++ JNI syntax
>> - S8049312: AES/CICO test failed with on several modes
>> - S8050374: More Signature tests
>> - S8057810: New defaults for DSA keys in jarsigner and keytool
>> - S8062552: Support keystore type detection for JKS and PKCS12 keystores
>> - S8068427: Hashtable deserialization reconstitutes table with wrong capacity
>> - S8068881: SIGBUS in C2 compiled method
>> weblogic.wsee.jaxws.framework.jaxrpc.EnvironmentFactory$SimulatedWsdlDefinitions.<init>
>> - S8075484: SocketInputStream.socketRead0 can hang even with soTimeout set
>> - S8077670: sun/security/krb5/auto/MaxRetries.java may fail with BindException
>> - S8078331: Upgrade JDK to use LittleCMS 2.7
>> - S8079129: NullPointerException in PKCS#12 Keystore in PKCS12KeyStore.java
>> - S8087144: sun/security/krb5/auto/MaxRetries.java fails with Retry
>> count is -1 less
>> - S8136534: Loading JKS keystore using non-null InputStream results
>> in closed stream
>> - S8149411: PKCS12KeyStore cannot extract AES Secret Keys
>> - S8153146: sun/security/krb5/auto/MaxRetries.java failed with timeout
>> - S8157561: Ship the unlimited policy files in JDK Updates
>> - S8158517: Minor optimizations to ISO10126PADDING
>> - S8164846: CertificateException missing cause of underlying exception
>> - S8165543: Better window framing
>> - S8165751: NPE hit with java.security.debug=provider
>> - S8169026: Handle smartcard clean up better
>> - S8169966: Larger AWT menus
>> - S8170218: Improved Font Metrics
>> - S8171252: Improve exception checking
>> - S8171261: Stability fixes for lcms
>> - S8171319: keytool should print out warnings when reading or
>> generating cert/cert req using weak algorithms
>> - S8173853: IllegalArgumentException in java.awt.image.ReplicateScaleFilter
>> - S8174109: Better queuing priorities
>> - S8174966: Unreferenced references
>> - S8175940: More certificate subject checking
>> - S8176536: Improved algorithm constraints checking
>> - S8176751: Better URL connections
>> - S8177569: keytool should not warn if signature algorithm used in
>> cacerts is weak
>> - S8178714: PKIX validator nameConstraints check failing after change 8175940
>> - S8178794: Correct Kerberos ticket grants
>> - S8179084: HotSpot VM fails to start when AggressiveHeap is set
>> - S8179101: Improve algorithm constraints implementation
>> - S8179423: 2 security tests started failing for JDK 1.6.0 u161 b05
>> - S8179564: Missing @bug for tests added with JDK-8165367
>> - S8179998: Clear certificate chain connections
>> - S8180024: Improve construction of objects during deserialization
>> - S8180711: Better invokespecial checks
>> - S8181048: Refactor existing providers to refer to the same
>> constants for default values for key length
>> - S8181100: Better Base Exceptions
>> - S8181323: Better timezone processing
>> - S8181327: Better X processing
>> - S8181370: Better keystore handling
>> - S8181432: Better processing of unresolved permissions
>> - S8181597: Process Proxy presentation
>> - S8181612: More stable connection processing
>> - S8181692: Update storage implementations
>> - S8182879: Add warnings to keytool when using JKS and JCEKS
>> - S8183028: Improve CMS header processing
>> - S8184673: Fix compatibility issue in AlgorithmChecker for 3rd
>> party JCE providers
>> - S8184682: Upgrade compression library
>> - S8184937: LCMS error 13: Couldn't link the profiles
>> - S8185039: Incorrect GPL header causes RE script to miss swap to
>> commercial header for licensee source bundle
>> - S8185040: Incorrect GPL header causes RE script to miss swap to
>> commercial header for licensee source bundle
>> - S8185778: 8u151 L10n resource file update
>> - S8185845: Add SecurityTools.java test library
>> - S8186503: sun/security/tools/jarsigner/DefaultSigalg.java failed
>> after backport to JDK 6/7/8
>> - S8186533: 8u151 L10n resource file update md20
>> - S8191137: keytool fails to format resource strings for keys for
>> some languages after JDK-8171319
>> - S8191840: Update localizations with positional arguments following
>> JDK-8191137
>> - S8191845: [TEST_BUG] Too many new-lines in backport of WeakAlg test
>>
>> As before, the IcedTea release notes (http://bitly.com/it20612) are a
>> useful aid in understanding the relevance of each change, and notably,
>> which are security fixes.
>>
>> Note that 8176536: Improved algorithm constraints checking and
>> its dependants, 8179101 & 8179998, were included in this release
>> after being postponed from the July 2017 u151 release.
>>
>> Webrevs for the new changes:
>>
>> http://cr.openjdk.java.net/~andrew/openjdk7/20171017//root/
>> http://cr.openjdk.java.net/~andrew/openjdk7/20171017/corba/
>> http://cr.openjdk.java.net/~andrew/openjdk7/20171017/jaxp/
>> http://cr.openjdk.java.net/~andrew/openjdk7/20171017/jaxws/
>> http://cr.openjdk.java.net/~andrew/openjdk7/20171017/hotspot/
>> http://cr.openjdk.java.net/~andrew/openjdk7/20171017/jdk/
>> http://cr.openjdk.java.net/~andrew/openjdk7/20171017/langtools/
>>
>> Ok to push?
>>
>> Thanks,
>> --
>> Andrew :)
>>
>> Senior Free Java Software Engineer
>> Red Hat, Inc. (http://www.redhat.com)
>>
>> Web Site: http://fuseyism.com
>> Twitter: https://twitter.com/gnu_andrew_java
>> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
>> Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
>
Thanks. All pushed.
--
Andrew :)
Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Web Site: http://fuseyism.com
Twitter: https://twitter.com/gnu_andrew_java
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
More information about the jdk7u-dev
mailing list