[PATCH] jdk7u91-b01 retro-active security patch review

Martin Buchholz martinrb at google.com
Wed Oct 28 21:58:08 UTC 2015


Hi Andrew, thanks for your hard work.

We will probably use these changes, and do a fair amount of testing.  But
that will take a while, probably too long for you to wait on us for review.

I recently did a "mega-commit", and published a hg mq directory in addition
to webrev.

These kinds of changes are "unreviewable", but let's try...
Looking at
http://cr.openjdk.java.net/~andrew/openjdk7/20151020/jdk/
I see ancient changes like this, which is probably unintentional, so maybe
your webrev-generation script needs adjustment:

rev 640 : 6730743 <http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6730743>: (tz) Support tzdata2008e
Reviewed-by: okutsu



On Wed, Oct 28, 2015 at 2:32 PM, Andrew Hughes <gnu.andrew at redhat.com>
wrote:

> We have a new release of IcedTea [0] and a new OpenJDK 7 release, u91-b01,
> to go with it. This is made from the current state of the OpenJDK 7u
> repositories plus backports of the new security fixes included in 8u65.
>
> Release tarballs for u91-b01 will follow.
>
> Changes since u85-b02:
> * Security fixes
>   - S8048030, CVE-2015-4734: Expectations should be consistent
>   - S8068842, CVE-2015-4803: Better JAXP data handling
>   - S8076339, CVE-2015-4903: Better handling of remote object invocation
>   - S8076383, CVE-2015-4835: Better CORBA exception handling
>   - S8076387, CVE-2015-4882: Better CORBA value handling
>   - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency
>   - S8076413, CVE-2015-4883: Better JRMP message handling
>   - S8078427, CVE-2015-4842: More supportive home environment
>   - S8078440: Safer managed types
>   - S8080541: More direct property handling
>   - S8080688, CVE-2015-4860: Service for DGC services
>   - S8081760: Better group dynamics
>   - S8086092, CVE-2015-4840: More palette improvements
>   - S8086733, CVE-2015-4893: Improve namespace handling
>   - S8087350: Improve array conversions
>   - S8103671, CVE-2015-4805: More objective stream classes
>   - S8103675: Better Binary searches
>   - S8130078, CVE-2015-4911: Document better processing
>   - S8130193, CVE-2015-4806: Improve HTTP connections
>   - S8130864: Better server identity handling
>   - S8130891, CVE-2015-4843: (bf) More direct buffering
>   - S8131291, CVE-2015-4872: Perfect parameter patterning
>   - S8132042, CVE-2015-4844: Preserve layout presentation
> * Other changes in OpenJDK 7 u91 build 0
>   - S6854417: TESTBUG: java/util/regex/RegExTest.java fails intermittently
>   - S6966259: Make PrincipalName and Realm immutable
>   - S8005226: java/rmi/transport/pinClientSocketFactory/PinClientSocketFactory.java fails intermittently
>   - S8014097: add doPrivileged methods with limited privilege scope
>   - S8021191: Add isAuthorized check to limited doPrivileged methods
>   - S8028780: JDK KRB5 module throws OutOfMemoryError when CCache is corrupt
>   - S8064331: JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC
>   - S8076506: Increment minor version of HSx for 7u91 and initialize the build number
>   - S8078822: 8068842 fix missed one new file PrimeNumberSequenceGenerator.java
>   - S8079323: Serialization compatibility for Templates: need to exclude Hashtable from serialization
>   - S8087118: Remove missing package from java.security files
>   - S8098547: (tz) Support tzdata2015e
>   - S8130253: ObjectStreamClass.getFields too restrictive
>   - S8133321: (tz) Support tzdata2015f
>   - S8135043: ObjectStreamClass.getField(String) too restrictive
> * Changes in OpenJDK 7 u91 build 1
>   - S8072932: Test fails with java.security.AccessControlException: access denied ("java.security.SecurityPermission" "getDomainCombiner")
>
> Webrevs for the new changes:
>
> http://cr.openjdk.java.net/~andrew/openjdk7/20151020/root/
> http://cr.openjdk.java.net/~andrew/openjdk7/20151020/corba/
> http://cr.openjdk.java.net/~andrew/openjdk7/20151020/jaxp/
> http://cr.openjdk.java.net/~andrew/openjdk7/20151020/jaxws/
> http://cr.openjdk.java.net/~andrew/openjdk7/20151020/hotspot/
> http://cr.openjdk.java.net/~andrew/openjdk7/20151020/jdk/
> http://cr.openjdk.java.net/~andrew/openjdk7/20151020/langtools/
>
> Once approved, I'll push these to the OpenJDK 7u repository.
>
> [0] http://bitly.com/it20602
>
> Thanks,
> --
> Andrew :)
>
> Senior Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
>
> PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
>
>

