# HG changeset patch # User Andrew John Hughes # Date 1372218370 18000 # Node ID 2ab5030e809951d158d8cfde20ab8cacfc70d677 # Parent 7e0d2c785516b1d4870f08d07386c9b6638e95d0 List security fixes and other changes in u21 & u25. 2013-06-25 Andrew John Hughes * NEWS: Add latest security fixes and other changes brought in when syncing with 7u25. diff -r 7e0d2c785516 -r 2ab5030e8099 ChangeLog --- a/ChangeLog Wed Jun 26 03:45:13 2013 +0100 +++ b/ChangeLog Tue Jun 25 22:46:10 2013 -0500 @@ -1,3 +1,8 @@ +2013-06-25 Andrew John Hughes + + * NEWS: Add latest security fixes and other + changes brought in when syncing with 7u25. + 2013-06-25 Andrew John Hughes * Makefile.am: diff -r 7e0d2c785516 -r 2ab5030e8099 NEWS --- a/NEWS Wed Jun 26 03:45:13 2013 +0100 +++ b/NEWS Tue Jun 25 22:46:10 2013 -0500 
@@ -12,11 +12,208 @@ New in release 2.3.10 (2013-06-XX): +* Security fixes + - S6741606, CVE-2013-2407: Integrate Apache Santuario + - S7158805, CVE-2013-2445: Better rewriting of nested subroutine calls + - S7170730, CVE-2013-2451: Improve Windows network stack support. + - S8000638, CVE-2013-2450: Improve deserialization + - S8000642, CVE-2013-2446: Better handling of objects for transportation + - S8001032: Restrict object access + - S8001033, CVE-2013-2452: Refactor network address handling in virtual machine identifiers + - S8001034, CVE-2013-1500: Memory management improvements + - S8001038, CVE-2013-2444: Resourcefully handle resources + - S8001043: Clarify definition restrictions + - S8001308: Update display of applet windows + - S8001309: Better handling of annotation interfaces + - S8001318, CVE-2013-2447: Socket.getLocalAddress not consistent with InetAddress.getLocalHost + - S8001330, CVE-2013-2443: Improve on checking order + - S8003703, CVE-2013-2412: Update RMI connection dialog box + - S8004288, CVE-2013-2449: (fs) Files.probeContentType problems + - S8004584: Augment applet contextualization + - S8005007: Better glyph processing + - S8006328, CVE-2013-2448: Improve robustness of sound classes + - S8006611: Improve scripting + - S8007467: Improve robustness of JMX internal APIs + - S8007471: Improve MBean notifications + - S8007812, CVE-2013-2455: (reflect) Class.getEnclosingMethod problematic for some classes + - S8007925: Improve cmsStageAllocLabV2ToV4curves + - S8007926: Improve cmsPipelineDup + - S8007927: Improve cmsAllocProfileSequenceDescription + - S8007929: Improve CurvesAlloc + - S8008120, CVE-2013-2457: Improve JMX class checking + - S8008124, CVE-2013-2453: Better compliance testing + - S8008128: Better API coherence for JMX + - S8008132, CVE-2013-2456: Better serialization support + - S8008585: Better JMX data handling + - S8008593: Better URLClassLoader resource management + - S8008603: Improve provision of JMX providers + - S8008607: 
Better input checking in JMX + - S8008611: Better handling of annotations in JMX + - S8008615: Improve robustness of JMX internal APIs + - S8008623: Better handling of MBeanServers + - S8008744, CVE-2013-2407: Rework part of fix for JDK-6741606 + - S8008982: Adjust JMX for underlying interface changes + - S8009004: Better implementation of RMI connections + - S8009008: Better manage management-api + - S8009013: Better handling of T2K glyphs + - S8009034: Improve resulting notifications in JMX + - S8009038: Improve JMX notification support + - S8009057, CVE-2013-2448: Improve MIDI event handling + - S8009067: Improve storing keys in KeyStore + - S8009071, CVE-2013-2459: Improve shape handling + - S8009235: Improve handling of TSA data + - S8009424, CVE-2013-2458: Adapt Nashorn to JSR-292 implementation change + - S8009554, CVE-2013-2454: Improve SerialJavaObject.getFields + - S8009654: Improve stability of cmsnamed + - S8010209, CVE-2013-2460: Better provision of factories + - S8011243, CVE-2013-2470: Improve ImagingLib + - S8011248, CVE-2013-2471: Better Component Rasters + - S8011253, CVE-2013-2472: Better Short Component Rasters + - S8011257, CVE-2013-2473: Better Byte Component Rasters + - S8012375, CVE-2013-1571: Improve Javadoc framing + - S8012421: Better positioning of PairPositioning + - S8012438, CVE-2013-2463: Better image validation + - S8012597, CVE-2013-2465: Better image channel verification + - S8012601, CVE-2013-2469: Better validation of image layouts + - S8014281, CVE-2013-2461: Better checking of XML signature + - S8015997: Additional improvement in Javadoc framing * New features - PR1378: Add AArch64 support to Zero * Bug fixes - PR1409: IcedTea 2.3.9 fails to build Zero due to -Werror - PR1410: Icedtea 2.3.9 fails to build using icedtea 1.12.4 +* Backports + - S6720349: (ch) Channels tests depending on hosts inside Sun + - S6736316: Timeout value in java/util/concurrent/locks/Lock/FlakyMutex.java is insufficient + - S6776144: 
java/lang/ThreadGroup/NullThreadName.java fails with Thread group is not destroyed ,fastdebug LINUX + - S6818464: TEST_BUG: java/util/Timer/KillThread.java failing intermittently + - S6860309: TEST_BUG: Insufficient sleep time in java/lang/Runtime/exec/StreamsSurviveDestroy.java + - S6948101: java/rmi/transport/pinLastArguments/PinLastArguments.java failing intermittently + - S6957683: test/java/util/concurrent/ThreadPoolExecutor/Custom.java failing + - S6963102: Testcase failures sun/tools/jstatd/jstatdExternalRegistry.sh and sun/tools/jstatd/jstatdDefaults.sh + - S6963841: java/util/concurrent/Phaser/Basic.java fails intermittently + - S6965150: TEST_BUG: java/nio/channels/AsynchronousSocketChannel/Basic.java takes too long + - S7030573: test/java/io/FileInputStream/LargeFileAvailable.java fails when there is insufficient disk space + - S7032247: java/net/InetAddress/GetLocalHostWithSM.java fails if hostname resolves to loopback address + - S7044870: java/nio/channels/DatagramChannel/SelectWhenRefused.java failed on SUSE Linux 10 + - S7053526: Upgrade JDK 8 to use Little CMS 2.4 + - S7054918: jdk_security1 test target cleanup + - S7055362: jdk_security2 test target cleanup + - S7055363: jdk_security3 test target cleanup + - S7072120: No mac os x support in several regression tests + - S7073295: TEST_BUG: test/java/lang/instrument/ManifestTest.sh causing havoc (win) + - S7076756: TEST_BUG: com/sun/jdi/BreakpointWithFullGC.sh fails to cleanup in Cygwin + - S7076791: closed/javax/swing/JColorChooser/Test6827032.java failed on windows + - S7077259: [TEST_BUG] [macosx] Test work correctly only when default L&F is Metal + - S7084033: TEST_BUG: test/java/lang/ThreadGroup/Stop.java fails intermittently + - S7089131: test/java/lang/invoke/InvokeGenericTest.java does not compile + - S7102106: TEST_BUG: sun/security/util/Oid/S11N.sh should be modified + - S7104161: test/sun/tools/jinfo/Basic.sh fails on Ubuntu + - S7104594: [macosx] Test 
closed/javax/swing/JFrame/4962534/bug4962534 expects Metal L&F by default + - S7105929: java/util/concurrent/FutureTask/BlockingTaskExecutor.java fails on solaris sparc + - S7124347: [macosx] "java.lang.InternalError: not implemented yet" on call Graphics2D.drawRenderedImage + - S7129800: [macosx] Regression test OverrideRedirectWindowActivationTest fails due to timing issue + - S7132247: java/rmi/registry/readTest/readTest.sh failing with Cygwin + - S7140868: TEST_BUG: jcmd tests need to use -XX:+UsePerfData + - S7142596: RMI JPRT tests are failing + - S7144833: sun/tools/jcmd/jcmd-Defaults.sh failing intermittently + - S7144861: speed up RMI activation tests + - S7147408: [macosx] Add autodelay to fix a regression test + - S7151434: java -jar -XX crashes java launcher + - S7152183: TEST_BUG: java/lang/ProcessBuilder/Basic.java failing intermittently [sol] + - S7152796: TEST_BUG: java/net/Socks/SocksV4Test.java does not terminate + - S7152856: TEST_BUG: sun/net/www/protocol/jar/B4957695.java failing on Windows + - S7154113: jcmd, jps and jstat tests failing when there are unknown Java processes on the system + - S7154114: jstat tests failing on non-english locales + - S7161759: TEST_BUG: java/awt/Frame/WindowDragTest/WindowDragTest.java fails to compile, should be modified + - S7162111: TEST_BUG: change tests run in headless mode [macosx] + - S7162385: TEST_BUG: sun/net/www/protocol/jar/B4957695.java failing again + - S7175775: Disable SA options in jinfo/Basic.java test until SA updated for new hash and String count/offset + - S7178649: TEST BUG: BadKdc3.java needs improvement to ignore the unlikely but possible timeout + - S7183203: ShortRSAKeynnn.sh tests intermittent failure + - S7183753: [TEST] Some colon in the diff for this test + - S7184943: fix failing test com/sun/jndi/rmi/registry/RegistryContext/UnbindIdempotent.java + - S7184946: fix failing test com/sun/jndi/rmi/registry/RegistryContext/ContextWithNullProperties.java + - S7185340: TEST_BUG: 
java/nio/channels/AsynchronousSocketChannel/Leaky.java failing intermittently [win] + - S7186111: fix bugs in java/rmi/activation/ActivationSystem/unregisterGroup/UnregisterGroup + - S7187882: TEST_BUG: java/rmi/activation/checkusage/CheckUsage.java fails intermittently + - S7193219: JComboBox serialization fails in JDK 1.7 + - S7194032: update tests for upcoming changes for jtreg + - S7194035: update tests for upcoming changes for jtreg + - S7199143: RFE: OCSP revocation checker should provide possibility to specify connection timeout + - S7199637: TEST_BUG: add serialization tests to jdk7u problem list for macosx + - S8000817: Reinstate accidentally removed sleep() from ProcessBuilder/Basic.java + - S8001161: mac: EmbeddedFrame doesn't become active window + - S8001621: Update awk scripts that check output from jps/jcmd + - S8002070: Remove the stack search for a resource bundle for Logger to use + - S8002297: sun/net/www/protocol/http/StackTraceTest.java fails intermittently + - S8002313: TEST_BUG : jdk/test/java/security/Security/ClassLoaderDeadlock/ClassLoaderDeadlock.java should run in headless mode + - S8003597: TEST_BUG: Eliminate dependency on javaweb from closed net tests + - S8003982: new test javax/swing/AncestorNotifier/7193219/bug7193219.java failed on macosx + - S8004317: TestLibrary.getUnusedRandomPort() fails intermittently, but exception not reported + - S8004748: clean up @build tags in RMI tests + - S8004925: java/net/Socks/SocksV4Test.java failing on all platforms + - S8005290: remove -showversion from RMI test library subprocess mechanism + - S8005556: java/net/Socks/SocksV4Test.java is missing @run tag + - S8005646: TEST_BUG: java/rmi/activation/ActivationSystem/unregisterGroup/UnregisterGroup leaves process running + - S8005920: After pressing combination Windows Key and M key, the frame, the instruction and the dialog can't be minimized. 
+ - S8005932: Java 7 on mac os x only provides text clipboard formats + - S8006120: Provide "Server JRE" for 7u train + - S8006417: JComboBox.showPopup(), hidePopup() fails in JRE 1.7 on OS X + - S8006534: CLONE - TestLibrary.getUnusedRandomPort() fails intermittently-doesn't retry enough times + - S8006536: [launcher] removes trailing slashes on arguments + - S8006560: java/net/ipv6tests/B6521014.java fails intermittently + - S8006564: Test sun/security/util/Oid/S11N.sh fails with timeout on Linux 32-bit + - S8006669: sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/PostThruProxy.sh fails on mac + - S8007515: TEST_BUG: update ProblemList.txt and TEST.ROOT in jdk7u-dev to match jdk8 + - S8007699: Move some tests from test/sun/security/provider/certpath/X509CertPath to closed repo + - S8008223: java/net/BindException/Test.java fails rarely + - S8008249: Sync ICU into JDK : + - S8008379: TEST_BUG: Fail automatically with java.lang.NullPointerException. + - S8008815: [TEST_BUG] Add back tests to the Problemlist files post the jdk7u -> 7u-cpu test sync up + - S8009165: Fix for 8008817 needs revision + - S8009217: REGRESSION: test com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java fails to compile since 7u21b03 + - S8009463: Regression test test\java\lang\Runtime\exec\ArgWithSpaceAndFinalBackslash.java failing. + - S8009530: ICU Kern table support broken + - S8009610: Blacklist certificate used with malware. 
+ - S8009634: TEST_BUG: sun/misc/Version/Version.java handle 2 digit minor in VM version + - S8009750: javax/xml/crypto/dsig/SecurityManager/XMLDSigWithSecMgr.java should run in other vm mode + - S8009987: (tz) Support tzdata2013b + - S8009996: tests javax/management/mxbean/MiscTest.java and javax/management/mxbean/StandardMBeanOverrideTest.java fail + - S8009999: Test sun/tools/jcmd/jcmd-f.sh failing after JDK-8008820 + - S8010009: [macosx] Unable type into online word games on MacOSX + - S8010118: Annotate jdk caller sensitive methods with @sun.reflect.CallerSensitive + - S8010166: TEST_BUG: fix for 8009634 overlooks possible version strings (sun/misc/Version/Version.java) + - S8010213: Some api/javax_net/SocketFactory tests fail in 7u25 nightly build + - S8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod + - S8010727: WLS fails to add a logger with "" in its own LogManager subclass instance + - S8010939: Deadlock in LogManager + - S8011139: (reflect) Revise checking in getEnclosingClass + - S8011154: java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java failed since 7u25b03 on windows + - S8011313: OCSP timeout set to wrong value if com.sun.security.ocsp.timeout not defined + - S8011557: Improve reflection utility classes + - S8011695: [tck-red] Application can not be run, the Security Warning dialog is gray. 
+ - S8011806: 7u25-b05 hotspot fastdebug build failure + - S8011896: Add check for invalid offset for new AccessControlContext isAuthorized field + - S8011990: TEST_BUG: java/util/logging/bundlesearch/ResourceBundleSearchTest.java fails on Windows + - S8011992: java/awt/image/mlib/MlibOpsTest.java failed since jdk7u25b05 + - S8012112: java/awt/image/mlib/MlibOpsTest.java fails on sparc solaris + - S8012243: about 30% regression on specjvm2008.serial on 7u25 comparing 7u21 + - S8012330: [macosx] Sometimes the applet showing the modal dialog itself loses the ability to gain focus + - S8012453: (process) Runtime.exec(String) fails if command contains spaces [win] + - S8012617: ArrayIndexOutOfBoundsException with some fonts using LineBreakMeasurer + - S8012933: Test closed/java/awt/Dialog/DialogAnotherThread/JaWSTest.java fails since jdk 7u25 b07 + - S8013196: TimeZone.getDefault() throws NPE due to sun.awt.AppContext.getAppContext() + - S8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout + - S8013380: Removal of stack walk to find resource bundle breaks Glassfish startup + - S8014205: Most of the Swing dialogs are blank on one win7 MUI + - S8014423: [macosx] The scrollbar's block increment performs incorrectly + - S8014427: REGRESSION: closed/javax/imageio/plugins/bmp/Write3ByteBgrTest.java fails since 7u25 b09 + - S8014618: Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement + - S8014676: Java debugger may fail to run + - S8014718: Netbeans IDE begins to throw a lot exceptions since 7u25 b10 + - S8014745: Provide a switch to allow stack walk search of resource bundle + - S8014968: OCSP and CRL connection timeout is set to four hours by default New in release 2.3.9 (2013-04-21): 
@@ -174,7 +371,6 @@ - S8000307: Jre7cert: focusgained does not get called for all focus req when do alt + tab - S8000822: Fork hs23.7 hsx from hs23.6 for jdk7u11 and reinitialize build number - S8001124: jdk7u ProblemList.txt updates (10/2012) - - S8001242: Improve RMI HTTP conformance - S8001808: Create a test for 8000327 - S8001876: Create regtest for 8000283 - S8002068: Build broken: corba code changes unable to use new JDK 7 classes @@ -751,7 +947,6 @@ - S6330863: vm/gc/InfiniteList.java fails intermittently due to timeout - S6351654: (tz) java.util.TimeZone.setDefault() should be controlled by a security manager - S6484965: G1: piggy-back liveness accounting phase on marking - - S6484982: G1: process references during evacuation pauses - S6505523: NullPointerException in BasicTreeUI when a node is removed by expansion listener - S6593758: RFE: Enhance GC ergonomics to dynamically choose ParallelGCThreads - S6636110: unaligned stackpointer leads to crash during deoptimization @@ -770,7 +965,6 @@ - S7005808: G1: re-enable ReduceInitialCardMarks for G1 - S7009098: SA cannot open core files larger than 2GB on Linux 32-bit - S7010561: Tab text position with Synth based LaF is different to Java 5/6 - - S7012206: ~20 tools tests failing due to -XX:-UsePerfData default in Java SE Embedded - S7013347: allow crypto functions to be called inline to enhance performance - S7017458: (cal) Multithreaded deserialization of Calendar leads to ClassCastException - S7021322: assert(object_end <= top()) failed: Object crosses promotion LAB boundary 
@@ -1451,7 +1645,6 @@ - S7043847: NTML impl of SaslServer throws UnsupportedOperationException from (un)wrap method - S7043987: 3/3 JVMTI FollowReferences is slow - S7044486: open jdk repos have files with incorrect copyright headers, which can end up in src bundles - - S7044738: Loop unroll optimization causes incorrect result - S7045232: G1: pool names are inconsistent with other collectors (don't have 'Space') - S7045330: G1: Simplify/fix the HeapRegionSeq class - S7045514: SPARC assembly code for JSR 292 ricochet frames
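Review bot: In the "* Security fixes" list added by the NEWS hunk at @@ -12,11 +12,208 @@, S8007467 and S8008615 carry the identical title "Improve robustness of JMX internal APIs"; please confirm that both ids are intended and that neither title was copied from the other entry. Two added lines are also inconsistent with their neighbours: "S7170730, CVE-2013-2451: Improve Windows network stack support." ends in a period where the other security entries do not, and "S8008249: Sync ICU into JDK :" under "* Backports" ends in a dangling colon that suggests a cut-off title. The release header in the hunk's context still reads "New in release 2.3.10 (2013-06-XX)", so the date needs filling in before the release is tagged.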
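Review bot: The four later NEWS hunks (@@ -174,7 +371,6 @@, @@ -751,7 +947,6 @@, @@ -770,7 +965,6 @@ and @@ -1451,7 +1645,6 @@) each delete one entry from an older release section (S8001242, S6484982, S7012206 and S7044738), yet the commit message and the new ChangeLog entry only mention adding items. Please state in the ChangeLog entry why these lines are dropped (for example, if they duplicate entries elsewhere in NEWS). This matters most for S8001242 "Improve RMI HTTP conformance", whose title follows the same style as the security fixes listed in the first NEWS hunk, and whose removal cannot be checked from this diff alone.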