changeset 3207:7efdfbf5b4f3
Update to b36 tarball.
Changes in b36:
- OPENJDK6-58: Allow OpenJDK to build on PaX-enabled kernels
- OPENJDK6-59: Only apply PaX-marking when needed by a running PaX kernel
- OPENJDK6-60, PR2484: Disable export ciphers by default
- OPENJDK6-61: Remove translation strings for ErrorMsg.JAXP_INVALID_ATTR_VALUE_ERR which doesn't exist in OpenJDK 6
- OPENJDK6-62, PR2552: Restrict key size of RSA certificates to >= 1024
- OPENJDK6-63: Remove @Override annotation on interfaces added by 2015/07/14 security fixes.
- S6787645: CRL validation code should permit some clock skew when checking validity of CRLs
- S6996365: Evaluate the priorities of cipher suites
- S7185471: Avoid key expansion when AES cipher is re-init w/ the same key
- S8007142: Add utility classes for writing better multiprocess tests in jtreg
- S8008089: Delete OS dependent check in JdkFinder.getExecutable()
- S8024861: Incomplete token triggers GSS-API NullPointerException
- S8027058: sun/management/jmxremote/bootstrap/RmiBootstrapTest.sh Failed to initialize connector
- S8036786: Update jdk7 testlibrary to match jdk8
- S8042205: javax/management/monitor/*: some tests didn't get all the notifications
- S8042982: Unexpected RuntimeExceptions being thrown by SSLEngine
- S8043200, PR2485: Decrease the preference mode of RC4 in the enabled cipher suite list
- S8043201: Deprecate RC4 in SunJSSE provider
- S8043202: Prohibit RC4 cipher suites
- S8046817: JDK 8 schemagen tool does not generate xsd files for enum types
- S8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred
- S8050158: Introduce system property to maintain RC4 preference order
- S8062923: XSL: Run-time internal error in 'substring()'
- S8062924: XSL: wrong answer from substring() function
- S8064546: CipherInputStream throws BadPaddingException if stream is not fully read
- S8065764: javax/management/monitor/CounterMonitorTest.java hangs
- S8066952: [TEST-BUG] javax/management/monitor/CounterMonitorTest.java hangs
- S8067694: Improved certification checking
- S8071715: Tune font layout engine
- S8071731: Better scaling for C1
- S8072490: Better font morphing redux
- S8072887: Better font handling improvements
- S8073334: Improved font substitutions
- S8073357: schema1.xsd has wrong content. Sequence of the enum values has been changed
- S8073385: Bad error message on parsing illegal character in XML attribute
- S8073773: Presume path preparedness
- S8073894: Getting to the root of certificate chains
- S8074098: 2D_Font/Bug8067699 test fails with SIGBUS crash on Solaris Sparc
- S8074297: substring in XSLT returns wrong character if string contains supplementary chars
- S8074312: Enable hotspot builds on 4.x Linux kernels
- S8074330: Set font anchors more solidly
- S8074335: Substitute for substitution formats
- S8074865: General crypto resilience changes
- S8074871: Adjust device table handling
- S8075374: Responding to OCSP responses
- S8075378: JNDI DnsClient Exception Handling
- S8075575: com/sun/security/auth/login/ConfigFile/InconsistentError.java failed in certain env.
- S8075576: com/sun/security/auth/module/KeyStoreLoginModule/OptionTest.java failed in certain env.
- S8075667: (tz) Support tzdata2015b
- S8075738: Better multi-JVM sharing
- S8075838: Method for typing MethodTypes
- S8075853: Proxy for MBean proxies
- S8076290: JCK test api/xsl/conf/string/string17 starts failing after JDK-8074297
- S8076328: Enforce key exchange constraints
- S8076376: Enhance IIOP operations
- S8076397: Better MBean connections
- S8076401: Serialize OIS data
- S8076405: Improve serial serialization
- S8076409: Reinforce RMI framework
- S8077520: Morph tables into improved form
- S8077685: (tz) Support tzdata2015d
- S8078348: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with BindException
- S8078439: SPNEGO auth fails if client proposes MS krb5 OID
- S8078666: JVM fastdebug build compiled with GCC 5 asserts with "widen increases"
- S8080318: jdk8u51 l10n resource file translation update
- S8081386: Test sun/management/jmxremote/bootstrap/RmiSslBootstrapTest.sh test has RC4 dependencies
- S8081775: two lib/testlibrary tests are failing with "Error. failed to clean up files after test" with jtreg 4.1 b12
2015-07-22 Andrew John Hughes <gnu.andrew@redhat.com>
* patches/openjdk/8078666-widen_increases.patch:
Removed; upstream in b36.
* Makefile.am:
(OPENJDK_DATE): Bump to b36 creation date;
22nd of July, 2015.
(OPENJDK_SHA256SUM): Update for b36 tarball.
* NEWS: Updated with b36 changes. Remove duplicate
issue in 1.13.6 release notes.
* patches/openjdk/6956398-ephemeraldhkeysize.patch:
Regenerated against b36.
author | Andrew John Hughes <gnu.andrew@redhat.com> |
---|---|
date | Wed, 22 Jul 2015 22:12:32 +0100 |
parents | 7f74162f5403 |
children | 6457627bec31 |
files | ChangeLog Makefile.am NEWS patches/openjdk/6956398-ephemeraldhkeysize.patch patches/openjdk/8078666-widen_increases.patch |
diffstat | 5 files changed, 98 insertions(+), 64 deletions(-) |
--- a/ChangeLog Wed Jul 22 20:38:48 2015 +0100 +++ b/ChangeLog Wed Jul 22 22:12:32 2015 +0100 @@ -1,3 +1,16 @@ +2015-07-22 Andrew John Hughes <gnu.andrew@redhat.com> + + * patches/openjdk/8078666-widen_increases.patch: + Removed; upstream in b36. + * Makefile.am: + (OPENJDK_DATE): Bump to b36 creation date; + 22nd of July, 2015. + (OPENJDK_SHA256SUM): Update for b36 tarball. + * NEWS: Updated with b36 changes. Remove duplicate + issue in 1.13.6 release notes. + * patches/openjdk/6956398-ephemeraldhkeysize.patch: + Regenerated against b36. + 2015-07-20 Andrew John Hughes <gnu.andrew@redhat.com> * patches/openjdk/8074312-pr2255-support_linux_4.patch:
--- a/Makefile.am Wed Jul 22 20:38:48 2015 +0100 +++ b/Makefile.am Wed Jul 22 22:12:32 2015 +0100 @@ -1,7 +1,7 @@ # Dependencies -OPENJDK_DATE = 14_apr_2015 -OPENJDK_SHA256SUM = 131cde181fbca08ac4d47bd13f6c3a64806fe2ae2106c03afe7ba651c24a4f9b +OPENJDK_DATE = 22_jul_2015 +OPENJDK_SHA256SUM = c9df23d208b3b61f5f57c030accca2f7b3218a97bd140668506265ececdf26f4 OPENJDK_VERSION = b36 OPENJDK_URL = https://java.net/downloads/openjdk6/ @@ -635,7 +635,6 @@ patches/openjdk/8065238-ldap_namingexception_8041451_regression.patch \ patches/openjdk/8074761-ldap_empty_optional_params.patch \ patches/openjdk/8078654-closettfontfilefunc.patch \ - patches/openjdk/8078666-widen_increases.patch \ patches/openjdk/8081315-giflib_interlacing.patch \ patches/openjdk/8087120-zero_gcc5.patch \ patches/pr2319-policy_jar_checksum.patch \
--- a/NEWS Wed Jul 22 20:38:48 2015 +0100 +++ b/NEWS Wed Jul 22 22:12:32 2015 +0100 
@@ -15,7 +15,75 @@ New in release 1.14.0 (201X-XX-XX): * Security fixes + - S8043202, CVE-2015-2808: Prohibit RC4 cipher suites + - S8067694, CVE-2015-2625: Improved certification checking + - S8071715, CVE-2015-4760: Tune font layout engine + - S8071731: Better scaling for C1 + - S8072490: Better font morphing redux + - S8072887: Better font handling improvements + - S8073334: Improved font substitutions + - S8073773: Presume path preparedness + - S8073894: Getting to the root of certificate chains + - S8074330: Set font anchors more solidly + - S8074335: Substitute for substitution formats + - S8074865, CVE-2015-2601: General crypto resilience changes + - S8074871: Adjust device table handling + - S8075374, CVE-2015-4748: Responding to OCSP responses + - S8075378, CVE-2015-4749: JNDI DnsClient Exception Handling + - S8075738: Better multi-JVM sharing + - S8075833, CVE-2015-2613: Straighter Elliptic Curves + - S8075838: Method for typing MethodTypes + - S8075853, CVE-2015-2621: Proxy for MBean proxies + - S8076328, CVE-2015-4000: Enforce key exchange constraints + - S8076376, CVE-2015-2628: Enhance IIOP operations + - S8076397, CVE-2015-4731: Better MBean connections + - S8076401, CVE-2015-2590: Serialize OIS data + - S8076405, CVE-2015-4732: Improve serial serialization + - S8076409, CVE-2015-4733: Reinforce RMI framework + - S8077520, CVE-2015-2632: Morph tables into improved form - PR2488, CVE-2015-4000: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize +* Import of OpenJDK6 b36 + - OJ58: Allow OpenJDK to build on PaX-enabled kernels + - OJ59: Only apply PaX-marking when needed by a running PaX kernel + - OJ60, PR2484: Disable export ciphers by default + - OJ61: Remove translation strings for ErrorMsg.JAXP_INVALID_ATTR_VALUE_ERR which doesn't exist in OpenJDK 6 + - OJ62, PR2552: Restrict key size of RSA certificates to >= 1024 + - OJ63: Remove @Override annotation on interfaces added by 2015/07/14 security fixes. 
+ - S6787645: CRL validation code should permit some clock skew when checking validity of CRLs + - S6996365: Evaluate the priorities of cipher suites + - S7185471: Avoid key expansion when AES cipher is re-init w/ the same key + - S8007142: Add utility classes for writing better multiprocess tests in jtreg + - S8008089: Delete OS dependent check in JdkFinder.getExecutable() + - S8024861: Incomplete token triggers GSS-API NullPointerException + - S8027058: sun/management/jmxremote/bootstrap/RmiBootstrapTest.sh Failed to initialize connector + - S8036786: Update jdk7 testlibrary to match jdk8 + - S8042205: javax/management/monitor/*: some tests didn't get all the notifications + - S8042982: Unexpected RuntimeExceptions being thrown by SSLEngine + - S8043200, PR2485: Decrease the preference mode of RC4 in the enabled cipher suite list + - S8043201: Deprecate RC4 in SunJSSE provider + - S8046817: JDK 8 schemagen tool does not generate xsd files for enum types + - S8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred + - S8050158: Introduce system property to maintain RC4 preference order + - S8062923: XSL: Run-time internal error in 'substring()' + - S8062924: XSL: wrong answer from substring() function + - S8064546: CipherInputStream throws BadPaddingException if stream is not fully read + - S8065764: javax/management/monitor/CounterMonitorTest.java hangs + - S8066952: [TEST-BUG] javax/management/monitor/CounterMonitorTest.java hangs + - S8073357: schema1.xsd has wrong content. Sequence of the enum values has been changed + - S8073385: Bad error message on parsing illegal character in XML attribute + - S8074098: 2D_Font/Bug8067699 test fails with SIGBUS crash on Solaris Sparc + - S8074297: substring in XSLT returns wrong character if string contains supplementary chars + - S8075575: com/sun/security/auth/login/ConfigFile/InconsistentError.java failed in certain env. 
+ - S8075576: com/sun/security/auth/module/KeyStoreLoginModule/OptionTest.java failed in certain env. + - S8075667: (tz) Support tzdata2015b + - S8076290: JCK test api/xsl/conf/string/string17 starts failing after JDK-8074297 + - S8077685: (tz) Support tzdata2015d + - S8078348: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with BindException + - S8078439: SPNEGO auth fails if client proposes MS krb5 OID + - S8078666, PR2327: JVM fastdebug build compiled with GCC 5 asserts with "widen increases" + - S8080318: jdk8u51 l10n resource file translation update + - S8081386: Test sun/management/jmxremote/bootstrap/RmiSslBootstrapTest.sh test has RC4 dependencies + - S8081775: two lib/testlibrary tests are failing with "Error. failed to clean up files after test" with jtreg 4.1 b12 * Backports - S4890063, PR2306, RH1214835: HPROF: default text truncated when using doe=n option - S6562614, PR2555: Compiler warnings for gettimeofday in Inet4/Inet6AddressImpl.c @@ -48,7 +116,6 @@ - S8065238, PR2479: javax.naming.NamingException after upgrade to JDK 8 - S8074761, PR2469: Empty optional parameters of LDAP query are not interpreted as empty - S8078654, PR2334: CloseTTFontFileFunc callback should be removed - - S8078666, PR2327: JVM fastdebug build compiled with GCC 5 asserts with "widen increases" - S8081315, PR2406: Avoid giflib interlacing workaround with giflib 5.0.0 on - S8081475, PR2495: SystemTap does not work when JDK is compiled with GCC 5 - S8087120, RH1206656, PR2554: [GCC5] java.lang.StackOverflowError on Zero JVM initialization on non x86 platforms. 
@@ -260,7 +327,6 @@ - S8050485: super() in a try block in a ctor causes VerifyError - S8051012: Regression in verifier for <init> method call from inside of a branch - S8051614: smartcardio TCK tests fail due to lack of 'reset' permission - - S8054367: More references for endpoints - S8055222: Currency update needed for ISO 4217 Amendment #159 - S8056211: api/java_awt/Event/InputMethodEvent/serial/index.html#Input[serial2002] failure - S8058715: stability issues when being launched as an embedded JVM via JNI
--- a/patches/openjdk/6956398-ephemeraldhkeysize.patch Wed Jul 22 20:38:48 2015 +0100 +++ b/patches/openjdk/6956398-ephemeraldhkeysize.patch Wed Jul 22 22:12:32 2015 +0100 @@ -8,20 +8,21 @@ Reviewed-by: weijun diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java ---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java 2015-04-10 16:39:22.000000000 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java 2015-07-22 02:13:30.458962919 +0100 -@@ -47,6 +47,8 @@ +--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java 2015-07-20 17:24:47.000000000 +0100 ++++ openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java 2015-07-22 21:02:12.190511032 +0100 +@@ -48,7 +48,9 @@ import com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager; ++import sun.security.action.GetPropertyAction; + import sun.security.util.AlgorithmConstraints; +import sun.security.util.KeyUtil; -+import sun.security.action.GetPropertyAction; + import sun.security.util.LegacyAlgorithmConstraints; import sun.security.ssl.HandshakeMessage.*; import sun.security.ssl.CipherSuite.*; - import static sun.security.ssl.CipherSuite.*; -@@ -97,6 +99,50 @@ - - private SupportedEllipticCurvesExtension supportedCurves; +@@ -106,6 +108,50 @@ + LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS, + new SSLAlgorithmDecomposer()); + // Flag to use smart ephemeral DH key which size matches the corresponding + // authentication key @@ -70,7 +71,7 @@ /* * Constructor ... use the keys found in the auth context. */ -@@ -875,7 +921,7 @@ +@@ -898,7 +944,7 @@ return false; } } else if (keyExchange == K_DHE_RSA) { @@ -79,7 +80,7 @@ } else if (keyExchange == K_ECDHE_RSA) { if (setupEphemeralECDHKeys() == false) { return false; -@@ -887,7 +933,8 @@ +@@ -910,7 +956,8 @@ if (setupPrivateKeyAndChain("DSA") == false) { return false; } 
@@ -89,7 +90,7 @@ break; case K_ECDHE_ECDSA: // need EC cert signed using EC -@@ -921,7 +968,7 @@ +@@ -944,7 +991,7 @@ break; case K_DH_ANON: // no certs needed for anonymous @@ -98,7 +99,7 @@ break; case K_ECDH_ANON: // no certs needed for anonymous -@@ -962,15 +1009,70 @@ +@@ -985,15 +1032,70 @@ * Acquire some "ephemeral" Diffie-Hellman keys for this handshake. * We don't reuse these, for improved forward secrecy. */ @@ -176,7 +177,7 @@ } // Setup the ephemeral ECDH parameters. -@@ -1448,4 +1550,100 @@ +@@ -1483,4 +1585,100 @@ session.setPeerCertificates(peerCerts); } @@ -279,7 +280,7 @@ } diff -Nru openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java --- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java 2015-07-22 02:10:13.262400236 +0100 ++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java 2015-07-22 21:01:02.635723436 +0100 @@ -0,0 +1,477 @@ +/* + * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
--- a/patches/openjdk/8078666-widen_increases.patch Wed Jul 22 20:38:48 2015 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,45 +0,0 @@ -# HG changeset patch -# User sgehwolf -# Date 1430335428 25200 -# Wed Apr 29 12:23:48 2015 -0700 -# Node ID 1628564d58261aada17d5291f7b21d1b5cdf04bd -# Parent 2f4cec4539aac96c4ee3b30483bb050180d040a0 -8078666, PR2327: JVM fastdebug build compiled with GCC 5 asserts with "widen increases" -Summary: do the math on the unsigned type where overflows are well defined -Reviewed-by: kvn, aph - -diff -r 2f4cec4539aa -r 1628564d5826 src/share/vm/opto/type.cpp ---- openjdk/hotspot/src/share/vm/opto/type.cpp Fri Apr 03 17:22:23 2015 +0100 -+++ openjdk/hotspot/src/share/vm/opto/type.cpp Wed Apr 29 12:23:48 2015 -0700 -@@ -1077,11 +1077,11 @@ - // Certain normalizations keep us sane when comparing types. - // The 'SMALLINT' covers constants and also CC and its relatives. - if (lo <= hi) { -- if ((juint)(hi - lo) <= SMALLINT) w = Type::WidenMin; -- if ((juint)(hi - lo) >= max_juint) w = Type::WidenMax; // TypeInt::INT -+ if (((juint)hi - lo) <= SMALLINT) w = Type::WidenMin; -+ if (((juint)hi - lo) >= max_juint) w = Type::WidenMax; // TypeInt::INT - } else { -- if ((juint)(lo - hi) <= SMALLINT) w = Type::WidenMin; -- if ((juint)(lo - hi) >= max_juint) w = Type::WidenMin; // dual TypeInt::INT -+ if (((juint)lo - hi) <= SMALLINT) w = Type::WidenMin; -+ if (((juint)lo - hi) >= max_juint) w = Type::WidenMin; // dual TypeInt::INT - } - return w; - } -@@ -1332,11 +1332,11 @@ - // Certain normalizations keep us sane when comparing types. - // The 'SMALLINT' covers constants. 
- if (lo <= hi) { -- if ((julong)(hi - lo) <= SMALLINT) w = Type::WidenMin; -- if ((julong)(hi - lo) >= max_julong) w = Type::WidenMax; // TypeLong::LONG -+ if (((julong)hi - lo) <= SMALLINT) w = Type::WidenMin; -+ if (((julong)hi - lo) >= max_julong) w = Type::WidenMax; // TypeLong::LONG - } else { -- if ((julong)(lo - hi) <= SMALLINT) w = Type::WidenMin; -- if ((julong)(lo - hi) >= max_julong) w = Type::WidenMin; // dual TypeLong::LONG -+ if (((julong)lo - hi) <= SMALLINT) w = Type::WidenMin; -+ if (((julong)lo - hi) >= max_julong) w = Type::WidenMin; // dual TypeLong::LONG - } - return w; - }
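Review bot: In the first Makefile.am hunk, `OPENJDK_VERSION = b36` is unchanged context while `OPENJDK_DATE` and `OPENJDK_SHA256SUM` move off their `14_apr_2015` values, so before this change the tree already named b36 but pinned an April tarball and its checksum. The ChangeLog entry mentions only the date and checksum bump; it should say when the version string was changed, and record how the new SHA-256 was obtained (for example, compared against a value published independently of the download at `OPENJDK_URL`) so the pin can be re-verified by someone other than the committer.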
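Review bot: The first NEWS hunk adds `S8075833, CVE-2015-2613: Straighter Elliptic Curves` under "Security fixes", but no S8075833 entry appears in the "Changes in b36" list in the commit message, while every neighbouring security entry (S8075738, S8075838, S8075853) does. Either the commit message is missing a line or the NEWS entry describes a fix that is not in the b36 tarball; please reconcile the two, since NEWS is what downstream packagers use to decide which CVEs this release covers. A smaller style point in the same hunk: NEWS abbreviates the tracker IDs as `OJ58` to `OJ63` where the commit message writes `OPENJDK6-58` to `OPENJDK6-63`; using one form in both places makes the entries searchable.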