Mercurial > hg > icedtea6

--- a/ChangeLog	Wed Jul 22 20:38:48 2015 +0100
+++ b/ChangeLog	Wed Jul 22 22:12:32 2015 +0100
@@ -1,3 +1,16 @@
+2015-07-22  Andrew John Hughes  <gnu.andrew@redhat.com>
+
+	* patches/openjdk/8078666-widen_increases.patch:
+	Removed; upstream in b36.
+	* Makefile.am:
+	(OPENJDK_DATE): Bump to b36 creation date;
+	22nd of July, 2015.
+	(OPENJDK_SHA256SUM): Update for b36 tarball.
+	* NEWS: Updated with b36 changes. Remove duplicate
+	issue in 1.13.6 release notes.
+	* patches/openjdk/6956398-ephemeraldhkeysize.patch:
+	Regenerated against b36.
+
 2015-07-20  Andrew John Hughes  <gnu.andrew@redhat.com>

 	* patches/openjdk/8074312-pr2255-support_linux_4.patch:
--- a/Makefile.am	Wed Jul 22 20:38:48 2015 +0100
+++ b/Makefile.am	Wed Jul 22 22:12:32 2015 +0100
@@ -1,7 +1,7 @@
 # Dependencies

-OPENJDK_DATE = 14_apr_2015
-OPENJDK_SHA256SUM = 131cde181fbca08ac4d47bd13f6c3a64806fe2ae2106c03afe7ba651c24a4f9b
+OPENJDK_DATE = 22_jul_2015
+OPENJDK_SHA256SUM = c9df23d208b3b61f5f57c030accca2f7b3218a97bd140668506265ececdf26f4
 OPENJDK_VERSION = b36
 OPENJDK_URL = https://java.net/downloads/openjdk6/

@@ -635,7 +635,6 @@
 	patches/openjdk/8065238-ldap_namingexception_8041451_regression.patch \
 	patches/openjdk/8074761-ldap_empty_optional_params.patch \
 	patches/openjdk/8078654-closettfontfilefunc.patch \
-	patches/openjdk/8078666-widen_increases.patch \
 	patches/openjdk/8081315-giflib_interlacing.patch \
 	patches/openjdk/8087120-zero_gcc5.patch \
 	patches/pr2319-policy_jar_checksum.patch \
--- a/NEWS	Wed Jul 22 20:38:48 2015 +0100
+++ b/NEWS	Wed Jul 22 22:12:32 2015 +0100
@@ -15,7 +15,75 @@
 New in release 1.14.0 (201X-XX-XX):

 * Security fixes
+  - S8043202, CVE-2015-2808: Prohibit RC4 cipher suites
+  - S8067694, CVE-2015-2625: Improved certification checking
+  - S8071715, CVE-2015-4760: Tune font layout engine
+  - S8071731: Better scaling for C1
+  - S8072490: Better font morphing redux
+  - S8072887: Better font handling improvements
+  - S8073334: Improved font substitutions
+  - S8073773: Presume path preparedness
+  - S8073894: Getting to the root of certificate chains
+  - S8074330: Set font anchors more solidly
+  - S8074335: Substitute for substitution formats
+  - S8074865, CVE-2015-2601: General crypto resilience changes
+  - S8074871: Adjust device table handling
+  - S8075374, CVE-2015-4748: Responding to OCSP responses
+  - S8075378, CVE-2015-4749: JNDI DnsClient Exception Handling
+  - S8075738: Better multi-JVM sharing
+  - S8075833, CVE-2015-2613: Straighter Elliptic Curves
+  - S8075838: Method for typing MethodTypes
+  - S8075853, CVE-2015-2621: Proxy for MBean proxies
+  - S8076328, CVE-2015-4000: Enforce key exchange constraints
+  - S8076376, CVE-2015-2628: Enhance IIOP operations
+  - S8076397, CVE-2015-4731: Better MBean connections
+  - S8076401, CVE-2015-2590: Serialize OIS data
+  - S8076405, CVE-2015-4732: Improve serial serialization
+  - S8076409, CVE-2015-4733: Reinforce RMI framework
+  - S8077520, CVE-2015-2632: Morph tables into improved form
   - PR2488, CVE-2015-4000: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize
+* Import of OpenJDK6 b36
+  - OJ58: Allow OpenJDK to build on PaX-enabled kernels
+  - OJ59: Only apply PaX-marking when needed by a running PaX kernel
+  - OJ60, PR2484: Disable export ciphers by default
+  - OJ61: Remove translation strings for ErrorMsg.JAXP_INVALID_ATTR_VALUE_ERR which doesn't exist in OpenJDK 6
+  - OJ62, PR2552: Restrict key size of RSA certificates to >= 1024
+  - OJ63: Remove @Override annotation on interfaces added by 2015/07/14 security fixes.
+  - S6787645: CRL validation code should permit some clock skew when checking validity of CRLs
+  - S6996365: Evaluate the priorities of cipher suites
+  - S7185471: Avoid key expansion when AES cipher is re-init w/ the same key
+  - S8007142: Add utility classes for writing better multiprocess tests in jtreg
+  - S8008089: Delete OS dependent check in JdkFinder.getExecutable()
+  - S8024861: Incomplete token triggers GSS-API NullPointerException
+  - S8027058: sun/management/jmxremote/bootstrap/RmiBootstrapTest.sh Failed to initialize connector
+  - S8036786: Update jdk7 testlibrary to match jdk8
+  - S8042205: javax/management/monitor/*: some tests didn't  get all the notifications
+  - S8042982: Unexpected RuntimeExceptions being thrown by SSLEngine
+  - S8043200, PR2485: Decrease the preference mode of RC4 in the enabled cipher suite list
+  - S8043201: Deprecate RC4 in SunJSSE provider
+  - S8046817: JDK 8 schemagen tool does not generate xsd files for enum types
+  - S8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred
+  - S8050158: Introduce system property to maintain RC4 preference order
+  - S8062923: XSL: Run-time internal error in 'substring()'
+  - S8062924: XSL: wrong answer from substring() function
+  - S8064546: CipherInputStream throws BadPaddingException if stream is not fully read
+  - S8065764: javax/management/monitor/CounterMonitorTest.java hangs
+  - S8066952: [TEST-BUG] javax/management/monitor/CounterMonitorTest.java hangs
+  - S8073357: schema1.xsd has wrong content. Sequence of the enum values has been changed
+  - S8073385: Bad error message on parsing illegal character in XML attribute
+  - S8074098: 2D_Font/Bug8067699 test fails with SIGBUS crash on Solaris Sparc
+  - S8074297: substring in XSLT returns wrong character if string contains supplementary chars
+  - S8075575: com/sun/security/auth/login/ConfigFile/InconsistentError.java failed in certain env.
+  - S8075576: com/sun/security/auth/module/KeyStoreLoginModule/OptionTest.java failed in certain env.
+  - S8075667: (tz) Support tzdata2015b
+  - S8076290: JCK test api/xsl/conf/string/string17 starts failing after JDK-8074297
+  - S8077685: (tz) Support tzdata2015d
+  - S8078348: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with BindException
+  - S8078439: SPNEGO auth fails if client proposes MS krb5 OID
+  - S8078666, PR2327: JVM fastdebug build compiled with GCC 5 asserts with "widen increases"
+  - S8080318: jdk8u51 l10n resource file translation update
+  - S8081386: Test sun/management/jmxremote/bootstrap/RmiSslBootstrapTest.sh test has RC4 dependencies
+  - S8081775: two lib/testlibrary tests are failing with "Error. failed to clean up files after test" with jtreg 4.1 b12
 * Backports
   - S4890063, PR2306, RH1214835: HPROF: default text truncated when using doe=n option
   - S6562614, PR2555: Compiler warnings for gettimeofday in Inet4/Inet6AddressImpl.c
@@ -48,7 +116,6 @@
   - S8065238, PR2479: javax.naming.NamingException after upgrade to JDK 8
   - S8074761, PR2469: Empty optional parameters of LDAP query are not interpreted as empty
   - S8078654, PR2334: CloseTTFontFileFunc callback should be removed
-  - S8078666, PR2327: JVM fastdebug build compiled with GCC 5 asserts with "widen increases"
   - S8081315, PR2406: Avoid giflib interlacing workaround with giflib 5.0.0 on
   - S8081475, PR2495: SystemTap does not work when JDK is compiled with GCC 5
   - S8087120, RH1206656, PR2554: [GCC5] java.lang.StackOverflowError on Zero JVM initialization on non x86 platforms.
@@ -260,7 +327,6 @@
   - S8050485: super() in a try block in a ctor causes VerifyError
   - S8051012: Regression in verifier for <init> method call from inside of a branch
   - S8051614: smartcardio TCK tests fail due to lack of 'reset' permission
-  - S8054367: More references for endpoints
   - S8055222: Currency update needed for ISO 4217 Amendment #159
   - S8056211: api/java_awt/Event/InputMethodEvent/serial/index.html#Input[serial2002] failure
   - S8058715: stability issues when being launched as an embedded JVM via JNI
--- a/patches/openjdk/6956398-ephemeraldhkeysize.patch	Wed Jul 22 20:38:48 2015 +0100
+++ b/patches/openjdk/6956398-ephemeraldhkeysize.patch	Wed Jul 22 22:12:32 2015 +0100
@@ -8,20 +8,21 @@
 Reviewed-by: weijun

 diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java	2015-04-10 16:39:22.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java	2015-07-22 02:13:30.458962919 +0100
-@@ -47,6 +47,8 @@
+--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java	2015-07-20 17:24:47.000000000 +0100
++++ openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java	2015-07-22 21:02:12.190511032 +0100
+@@ -48,7 +48,9 @@

  import com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager;

++import sun.security.action.GetPropertyAction;
+ import sun.security.util.AlgorithmConstraints;
 +import sun.security.util.KeyUtil;
-+import sun.security.action.GetPropertyAction;
+ import sun.security.util.LegacyAlgorithmConstraints;
  import sun.security.ssl.HandshakeMessage.*;
  import sun.security.ssl.CipherSuite.*;
- import static sun.security.ssl.CipherSuite.*;
-@@ -97,6 +99,50 @@
-
-     private SupportedEllipticCurvesExtension supportedCurves;
+@@ -106,6 +108,50 @@
+                     LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS,
+                     new SSLAlgorithmDecomposer());

 +    // Flag to use smart ephemeral DH key which size matches the corresponding
 +    // authentication key
@@ -70,7 +71,7 @@
      /*
       * Constructor ... use the keys found in the auth context.
       */
-@@ -875,7 +921,7 @@
+@@ -898,7 +944,7 @@
                      return false;
                  }
              } else if (keyExchange == K_DHE_RSA) {
@@ -79,7 +80,7 @@
              } else if (keyExchange == K_ECDHE_RSA) {
                  if (setupEphemeralECDHKeys() == false) {
                      return false;
-@@ -887,7 +933,8 @@
+@@ -910,7 +956,8 @@
              if (setupPrivateKeyAndChain("DSA") == false) {
                  return false;
              }
@@ -89,7 +90,7 @@
              break;
          case K_ECDHE_ECDSA:
              // need EC cert signed using EC
-@@ -921,7 +968,7 @@
+@@ -944,7 +991,7 @@
              break;
          case K_DH_ANON:
              // no certs needed for anonymous
@@ -98,7 +99,7 @@
              break;
          case K_ECDH_ANON:
              // no certs needed for anonymous
-@@ -962,15 +1009,70 @@
+@@ -985,15 +1032,70 @@
       * Acquire some "ephemeral" Diffie-Hellman  keys for this handshake.
       * We don't reuse these, for improved forward secrecy.
       */
@@ -176,7 +177,7 @@
      }

      // Setup the ephemeral ECDH parameters.
-@@ -1448,4 +1550,100 @@
+@@ -1483,4 +1585,100 @@

          session.setPeerCertificates(peerCerts);
      }
@@ -279,7 +280,7 @@
  }
 diff -Nru openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
 --- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	2015-07-22 02:10:13.262400236 +0100
++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	2015-07-22 21:01:02.635723436 +0100
 @@ -0,0 +1,477 @@
 +/*
 + * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
--- a/patches/openjdk/8078666-widen_increases.patch	Wed Jul 22 20:38:48 2015 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,45 +0,0 @@
-# HG changeset patch
-# User sgehwolf
-# Date 1430335428 25200
-#      Wed Apr 29 12:23:48 2015 -0700
-# Node ID 1628564d58261aada17d5291f7b21d1b5cdf04bd
-# Parent  2f4cec4539aac96c4ee3b30483bb050180d040a0
-8078666, PR2327: JVM fastdebug build compiled with GCC 5 asserts with "widen increases"
-Summary: do the math on the unsigned type where overflows are well defined
-Reviewed-by: kvn, aph
-
-diff -r 2f4cec4539aa -r 1628564d5826 src/share/vm/opto/type.cpp
---- openjdk/hotspot/src/share/vm/opto/type.cpp	Fri Apr 03 17:22:23 2015 +0100
-+++ openjdk/hotspot/src/share/vm/opto/type.cpp	Wed Apr 29 12:23:48 2015 -0700
-@@ -1077,11 +1077,11 @@
-   // Certain normalizations keep us sane when comparing types.
-   // The 'SMALLINT' covers constants and also CC and its relatives.
-   if (lo <= hi) {
--    if ((juint)(hi - lo) <= SMALLINT)  w = Type::WidenMin;
--    if ((juint)(hi - lo) >= max_juint) w = Type::WidenMax; // TypeInt::INT
-+    if (((juint)hi - lo) <= SMALLINT)  w = Type::WidenMin;
-+    if (((juint)hi - lo) >= max_juint) w = Type::WidenMax; // TypeInt::INT
-   } else {
--    if ((juint)(lo - hi) <= SMALLINT)  w = Type::WidenMin;
--    if ((juint)(lo - hi) >= max_juint) w = Type::WidenMin; // dual TypeInt::INT
-+    if (((juint)lo - hi) <= SMALLINT)  w = Type::WidenMin;
-+    if (((juint)lo - hi) >= max_juint) w = Type::WidenMin; // dual TypeInt::INT
-   }
-   return w;
- }
-@@ -1332,11 +1332,11 @@
-   // Certain normalizations keep us sane when comparing types.
-   // The 'SMALLINT' covers constants.
-   if (lo <= hi) {
--    if ((julong)(hi - lo) <= SMALLINT)   w = Type::WidenMin;
--    if ((julong)(hi - lo) >= max_julong) w = Type::WidenMax; // TypeLong::LONG
-+    if (((julong)hi - lo) <= SMALLINT)   w = Type::WidenMin;
-+    if (((julong)hi - lo) >= max_julong) w = Type::WidenMax; // TypeLong::LONG
-   } else {
--    if ((julong)(lo - hi) <= SMALLINT)   w = Type::WidenMin;
--    if ((julong)(lo - hi) >= max_julong) w = Type::WidenMin; // dual TypeLong::LONG
-+    if (((julong)lo - hi) <= SMALLINT)   w = Type::WidenMin;
-+    if (((julong)lo - hi) >= max_julong) w = Type::WidenMin; // dual TypeLong::LONG
-   }
-   return w;
- }