----- Original Message -----
> We have a new release of IcedTea [0] and a new OpenJDK 6 release, b37
> to go with it. This is made from the current state of the OpenJDK 6
> repositories plus backports of the new security fixes included in 7u91
> & 8u65.
>
> The tarballs are available here:
>
> https://java.net/projects/openjdk6/downloads/download/openjdk-6-src-b37-11_nov_2015.tar.gz
> https://java.net/projects/openjdk6/downloads/download/openjdk-6-src-b37-11_nov_2015.tar.xz
>
> SHA256 checksums:
>
> 4526a1d7b34f2c3939d6f5eb083365350b56125c07a63f6eeed0e5fa43df1f47  openjdk-6-src-b37-11_nov_2015.tar.gz
> 462ac2c28f6dbfb4a18eb46efca232b907d6027f7618715cbc4de5dd73b89e8d  openjdk-6-src-b37-11_nov_2015.tar.xz
>
> Changes since b37 (including both CPU fixes and upstreamed changes):
>
> * Security fixes
>   - S8048030, CVE-2015-4734: Expectations should be consistent
>   - S8068842, CVE-2015-4803: Better JAXP data handling
>   - S8076339, CVE-2015-4903: Better handling of remote object invocation
>   - S8076383, CVE-2015-4835: Better CORBA exception handling
>   - S8076387, CVE-2015-4882: Better CORBA value handling
>   - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency
>   - S8076413, CVE-2015-4883: Better JRMP message handling
>   - S8078427, CVE-2015-4842: More supportive home environment
>   - S8078440: Safer managed types
>   - S8080541: More direct property handling
>   - S8080688, CVE-2015-4860: Service for DGC services
>   - S8081760: Better group dynamics
>   - S8086733, CVE-2015-4893: Improve namespace handling
>   - S8087350: Improve array conversions
>   - S8103671, CVE-2015-4805: More objective stream classes
>   - S8103675: Better Binary searches
>   - S8130078, CVE-2015-4911: Document better processing
>   - S8130193, CVE-2015-4806: Improve HTTP connections
>   - S8130864: Better server identity handling
>   - S8130891, CVE-2015-4843: (bf) More direct buffering
>   - S8131291, CVE-2015-4872: Perfect parameter patterning
>   - S8132042, CVE-2015-4844: Preserve layout presentation
> * Import of OpenJDK6 b37
>   - OJ64: Backport hashtable to map changes from jaxp
>   - OJ65: Remove @Override annotation on interfaces added by 2015/10/20 security fixes
>   - OJ66: Revert 7110373 & 7149751 test removals now 6706974 is present (krb5 test infrastructure)
>   - OJ67: Fix copyright headers on imported files
>   - OJ68: Ensure SharedSecrets are initialised
>   - S6570619: (bf) DirectByteBuffer.get/put(byte[]) does not scale well
>   - S6590930: reed/write does not match for ccache
>   - S6648972: KDCReq.init always read padata
>   - S6676075: RegistryContext (com.sun.jndi.url.rmi.rmiURLContext) coding problem
>   - S6682516: SPNEGO_HTTP_AUTH/WWW_KRB and SPNEGO_HTTP_AUTH/WWW_SPNEGO failed on all non-windows platforms
>   - S6710360: export Kerberos session key to applications
>   - S6733095: Failure when SPNEGO request non-Mutual
>   - S6785456: Read Kerberos setting from Windows environment variables
>   - S6821190: more InquireType values for ExtendedGSSContext
>   - S6843127: krb5 should not try to access unavailable kdc too often
>   - S6844193: support max_retries in krb5.conf
>   - S6844907: krb5 etype order should be from strong to weak
>   - S6844909: support allow_weak_crypto in krb5.conf
>   - S6849275: enhance krb5 reg tests
>   - S6853328: Support OK-AS-DELEGATE flag
>   - S6854308: more ktab options
>   - S6856069: PrincipalName.clone() does not invoke super.clone()
>   - S6857795: krb5.conf ignored if system properties on realm and kdc are provided
>   - S6857802: GSS getRemainingInitLifetime method returns milliseconds not seconds
>   - S6858589: more changes to Config on system properties
>   - S6862679: ESC: AD Authentication with user with umlauts fails
>   - S6877357: IPv6 address does not work
>   - S6888701: Change all template java source files to a .java-template file suffix
>   - S6893158: AP_REQ check should use key version number
>   - S6907425: JCK Kerberos tests fail since b77
>   - S6919610: KeyTabInputStream uses static field for per-instance value
>   - S6932525: Incorrect encryption types of KDC_REQ_BODY of AS-REQ with pre-authentication
>   - S6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
>   - S6950546: "ktab -d name etype" to "ktab -d name [-e etype] [kvno | all | old]"
>   - S6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
>   - S6952519: kdc_timeout is not being honoured when using TCP
>   - S6959292: regression: cannot login if session key and preauth does not use the same etype
>   - S6960894: Better AS-REQ creation and processing
>   - S6966259: Make PrincipalName and Realm immutable
>   - S6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
>   - S6984764: kerberos fails if service side keytab is generated using JDK ktab
>   - S6997740: ktab entry related test compilation error
>   - S7018928: test failure: sun/security/krb5/auto/SSL.java
>   - S7032354: no-addresses should not be used on acceptor side
>   - S7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
>   - S7142596: RMI JPRT tests are failing
>   - S7157610: NullPointerException occurs when parsing XML doc
>   - S7158329: NPE in sun.security.krb5.Credentials.acquireDefaultCreds()
>   - S7197159: accept different kvno if there no match
>   - S8004317: TestLibrary.getUnusedRandomPort() fails intermittently, but exception not reported
>   - S8005226: java/rmi/transport/pinClientSocketFactory/PinClientSocketFactory.java fails intermittently
>   - S8006534: CLONE - TestLibrary.getUnusedRandomPort() fails intermittently-doesn't retry enough times
>   - S8014097: add doPrivileged methods with limited privilege scope
>   - S8021191: Add isAuthorized check to limited doPrivileged methods
>   - S8022213: Intermittent test failures in java/net/URLClassLoader
>   - S8028583: Add helper methods to test libraries
>   - S8028780: JDK KRB5 module throws OutOfMemoryError when CCache is corrupt
>   - S8058608: JVM crash during Kerberos logins using des3-cbc-md5 on OSX
>   - S8064331: JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC
>   - S8072932: Test fails with java.security.AccessControlException: access denied ("java.security.SecurityPermission" "getDomainCombiner")
>   - S8078822: 8068842 fix missed one new file PrimeNumberSequenceGenerator.java
>   - S8079323: Serialization compatibility for Templates: need to exclude Hashtable from serialization
>   - S8087118: Remove missing package from java.security files
>   - S8098547: (tz) Support tzdata2015e
>   - S8130253: ObjectStreamClass.getFields too restrictive
>   - S8133196, RH1251935: HTTPS hostname invalid issue with InetAddress
>   - S8133321: (tz) Support tzdata2015f
>   - S8135043: ObjectStreamClass.getField(String) too restrictive
>
> The number of Kerberos changes are related to the need to safely
> backport S8048030, CVE-2015-4734: Expectations should be consistent.
> Many are marked in the OpenJDK bug database as having already been
> backported to the proprietary JDK 6 codebase maintained by Oracle,
> and our IcedTea-based packages with these changes have passed the TCK.
>
> The hope is that this will mean that a number of long-standing
> Kerberos bugs are also indirectly fixed in this release. In particular,
> our testing shows that the crypto defaults for Kerberos connections
> are now more secure, using AES256 rather than the obsolete RC4. Such
> a change mirrors the TLS changes made in the July update.
>
> Webrevs for the new changes:
>
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/root/
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/corba/
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/jaxp/
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/jaxws/
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/hotspot/
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/jdk/
> http://cr.openjdk.java.net/~andrew/openjdk6/20151020/langtools/
>
> Once approved, I'll push these to the OpenJDK 6 repository.
>
> [0] http://bitly.com/it11309
>
> Thanks,
> --
> Andrew :)
>
> Senior Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
>
> PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

Ping?
--
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07