Preparation of update releases (original) (raw)

Volker Simonis volker.simonis at gmail.com
Mon Oct 29 16:20:06 UTC 2018

I couldn't stop thinking about the exact mechanics of this (and future) update releases, so here comes a complete summary and categorization of the changes which have been integrated into 11u as part of the 11.0.1 release.

  1. With the merge of 11.0.1 into jdk11u a total of 103 non-merge, non-tag changes have been brought into jdk11u

8160104: CORBA communication improvements 8163237: Restrict the use of EXPORT cipher suites 8172525: Improve key keying case 8174756: Extra validation for public keys 8174962: Better interface invocations 8175075: Add 3DES to the default disabled algorithm security property 8175932: Improve host instance supports 8176450: Revise default document styling 8178449: Improve LDAP logins 8178458: Better use of certificates in LDAP 8178466: Better RSA parameters 8179533: Cleaner print job handling 8179990: Cleaner palette entry handling 8180011: Cleaner native graphics device handling 8180015: Cleaner AWT robot handling 8180020: Improve SymbolHashMap entry handling 8180869: Cleaner image file reading handling 8180877: More deeply colored ICC spaces 8181664: Improve JVM UTF String handling 8181670: Improve implementation of keystores 8182125: Improve reliability of DNS lookups 8182362: Update CipherOutputStream Usage 8182387: Improve PKCS usage 8182601: Improve usage messages 8183032: Upgrade to LittleCMS 2.9 8185292: Stricter key generation 8185325: Improve GTK initialization 8186032: Disable XML Signatures signed with EC keys less than 224 bits 8186080: Transform XML interfaces 8186212: Improve GSS handling 8186600: Improve property negotiations 8186606: Improve LDAP lookup robustness 8186998: Improve JMX supportive features 8187496: Possible memory leak in java.apple.security.KeychainStore.addItemToKeychain 8189123: More consistent classloading 8189284: More refactoring for deserialization cases 8189969: Manifest better manifest entries 8189977: Improve permission portability 8189981: Improve queuing portability 8189985: Improve tabular data portability 8189989: Improve container portability 8189993: Improve document portability 8189997: Enhance keystore mechanisms 8190227: Forward port 8188880 to JDK10CPU 8190289: More refactoring for client deserialization cases 8190478: Improved interface method selection 8190789: sun/security/provider/certpath/LDAPCertStore/TestURICertStoreParameters.java fails after JDK-8186606 8190877: Better handling of abstract classes 8191142: More refactoring for naming deserialization cases 8191239: Improve desktop file usage 8191358: Restore TSA certificate expiration check 8191696: Better mouse positioning 8191907: PPC64 and s390 parts of JDK-8174962: Better interface invocations 8192025: Less referential references 8192030: Better MTSchema support 8192757: Improve stub classes implementation 8192789: Avoid using AtomicReference in sun.security.provider.PolicyFile 8193409: Improve AES supporting classes 8193414: Improvements in MethodType lookups 8193419: Better Internet address support 8194233: Improve support for array handles 8194238: Trying exceptions in MethodHandles 8194534: Manifest better support 8194546: Choosier FileManagers 8195662: Add T6587786.java to problem list before JDK-8195589 is resolved 8195874: Improve jar specification adherence 8196224: Even better Internet address support 8196289: Update src/java.desktop/share/legal/lcms.md for LCMS 2.9 8196897: Improve PRNG support 8196902: Better HTTP Redirection 8197443: ArrayIndexOutOfBoundsException in UcryptoException.getError 8197881: Better StringBuilder support 8197925: Better stack walking 8199110: Address Internet Addresses 8199172: Improve jar attribute checks 8199177: Enhance JNDI lookups 8199226: Improve field accesses 8199547: Exception to Pattern Syntax 8200332: Improve GCM counting 8200648: Make midi code more sound 8200666: Improve LDAP support 8201756: Improve cipher inputs 8202613: Improve TLS connections stability 8202936: Improve script engine support 8203654: Improve cypher state updates 8204497: Better formatting of decimals 8204667: Resources not freed on exception 8205491: adjust reflective access checks 8206473: Revert changes of JDK-8202613 in jdk-cpu and jdk11u-cpu 8206884: Bump update version for jdk11.0.1 cpu forest 8207948: JDK 11 L10n resource file update msg drop 10 8208209: Improve TLS connection stability again 8208268: 11.0.1 b03 java.net bundles - Release Date is wrong 8208350: Disable all DES cipher suites 8208654: Please change jdk 11.0.1 milestone to FCS 8208661: JDK 11.0.1 l10n resource file update 8208754: The fix for JDK-8194534 needs updates 8209916: NPE in SupportedGroupsExtension 8210345: The Japanese message of FileNotFoundException garbled 8210432: Add additional TeliaSonera root certificate 8210846: TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth 8211107: LDAPS communication failure with jdk 1.8.0_181 8211731: Reconsider default option for ClassPathURLCheck change done in JDK-8195874

  1. Out of these 103 changes, 71 already have been part of the 11 GA release. These 71 changes have been manually down-portred (or "cherry-picked") into the 11.0.1 repo and now, after the merge, manifest as duplicate changes in the 11u repository (i.e. changes with the same patch and summary, but different hash value). E.g.:

$ hg log -k 8160104 changeset: 51200:6057a7306f29 48418:2c1af559e922 user: msheppar date: Sun Sep 03 16:08:13 2017 +0100 summary: 8160104: CORBA communication improvements Reviewed-by: rriggs, dfuchs

changeset: 48618:592e22777742 48562:c94c352dc400 user: msheppar date: Sun Sep 03 16:08:13 2017 +0100 summary: 8160104: CORBA communication improvements Reviewed-by: rriggs, dfuchs

This is strange, because I would have expected that the closed 11.0.1 repository should have been regularly merged with the 11 stabilization repository until the GA date of 11. This would have been prevented most of these duplicate changes. But instead (for whatever reason) many of these changes have been manually integrated into 11.0.1 after (or before) they were integrated into the 11 repository.

Following a complete list of these 71 change sets:

8160104: CORBA communication improvements 8175932: Improve host instance supports 8180020: Improve SymbolHashMap entry handling 8174962: Better interface invocations 8181664: Improve JVM UTF String handling 8176450: Revise default document styling 8172525: Improve key keying case 8179533: Cleaner print job handling 8180011: Cleaner native graphics device handling 8179990: Cleaner palette entry handling 8180015: Cleaner AWT robot handling 8180869: Cleaner image file reading handling 8180877: More deeply colored ICC spaces 8174756: Extra validation for public keys 8182125: Improve reliability of DNS lookups 8182387: Improve PKCS usage 8182601: Improve usage messages 8186212: Improve GSS handling 8178466: Better RSA parameters 8178449: Improve LDAP logins 8181670: Improve implementation of keystores 8178458: Better use of certificates in LDAP 8186998: Improve JMX supportive features 8186080: Transform XML interfaces 8185325: Improve GTK initialization 8186600: Improve property negotiations 8185292: Stricter key generation 8163237: Restrict the use of EXPORT cipher suites 8190227: Forward port 8188880 to JDK10CPU 8186606: Improve LDAP lookup robustness 8190789: sun/security/provider/certpath/LDAPCertStore/TestURICertStoreParameters.java fails after JDK-8186606 8190289: More refactoring for client deserialization cases 8189123: More consistent classloading 8189989: Improve container portability 8190877: Better handling of abstract classes 8191907: PPC64 and s390 parts of JDK-8174962: Better interface invocations 8189284: More refactoring for deserialization cases 8191142: More refactoring for naming deserialization cases 8190478: Improved interface method selection 8189977: Improve permission portability 8183032: Upgrade to LittleCMS 2.9 8187496: Possible memory leak in java.apple.security.KeychainStore.addItemToKeychain 8192789: Avoid using AtomicReference in sun.security.provider.PolicyFile 8191358: Restore TSA certificate expiration check 8192030: Better MTSchema support 8189969: Manifest better manifest entries 8186032: Disable XML Signatures signed with EC keys less than 224 bits 8193414: Improvements in MethodType lookups 8182362: Update CipherOutputStream Usage 8191696: Better mouse positioning 8189997: Enhance keystore mechanisms 8195662: Add T6587786.java to problem list before JDK-8195589 is resolved 8189993: Improve document portability 8193419: Better Internet address support 8192025: Less referential references 8175075: Add 3DES to the default disabled algorithm security property 8194233: Improve support for array handles 8193409: Improve AES supporting classes 8194238: Trying exceptions in MethodHandles 8196289: Update src/java.desktop/share/legal/lcms.md for LCMS 2.9 8191239: Improve desktop file usage 8189981: Improve queuing portability 8196224: Even better Internet address support 8197443: ArrayIndexOutOfBoundsException in UcryptoException.getError 8189985: Improve tabular data portability 8199547: Exception to Pattern Syntax 8200332: Improve GCM counting 8197925: Better stack walking 8200666: Improve LDAP support 8205491: adjust reflective access checks 8207948: JDK 11 L10n resource file update msg drop 10

  1. The remaining 32 changes can be divided into three categories. 6 of them are publicly visible, non-security changes which have been manually downported from jdk 12 to 11.0.1. They can be found in JBS with the query suggested by Kevin (i.e. "project = JDK AND resolution = Fixed AND fixVersion = 11.0.1 AND (labels is EMPTY OR labels not in (hgupdate-sync))")

8211107: LDAPS communication failure with jdk 1.8.0_181 8210846: TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth 8209916: NPE in SupportedGroupsExtension 8210432: Add additional TeliaSonera root certificate 8210345: The Japanese message of FileNotFoundException garbled. 8208350: Disable all DES cipher suites

Notice that the query actually lists one more change "8211237: Oracle JDK builds for "11.0.1" should indicate they are "LTS"" but this change is apparently only for the "Oracle JDK" and was not integrated into the OpenJDK. Not sure how that can be detected from looking at the issue in JBS (maybe because its component is "infrastructure"?), but JDK-8211237 is definitely not in the the jdk11u repository!

  1. This leaves us with the remaining 26 changes of which 18 have been communicated and discussed on the vulnerability list:

8208754: The fix for JDK-8194534 needs updates 8194534: Manifest better support 8194546: Choosier FileManagers 8211731: Reconsider default option for ClassPathURLCheck change done in JDK-8195874 8195874: Improve jar specification adherence 8196897: Improve PRNG support 8196902: Better HTTP Redirection 8197881: Better StringBuilder support 8199110: Address Internet Addresses 8199172: Improve jar attribute checks 8199177: Enhance JNDI lookups 8199226: Improve field accesses 8200648: Make midi code more sound 8201756: Improve cipher inputs 8202936: Improve script engine support 8203654: Improve cypher state updates 8204497: Better formatting of decimals 8208209: Improve TLS connection stability again

  1. Finally, 11.0.1 contained 8 more changes which were actually not considered "security relevant" because they have not been discussed on the vulnerability list but which were "closed" (i.e. invisible) to externals in the Java Bug System:

8192757: Improve stub classes implementation 8202613: Improve TLS connections stability 8204667: Resources not freed on exception 8206473: Revert changes of JDK-8202613 in jdk-cpu and jdk11u-cpu 8206884: Bump update version for jdk11.0.1 cpu forest 8208268: 11.0.1 b03 java.net bundles - Release Date is wrong 8208654: Please change jdk 11.0.1 milestone to FCS 8208661: JDK 11.0.1 l10n resource file update

Notice that the issue for "8204667: Resources not freed on exception" was changed to "open" after 11.0.1 was released, during the discussion on this email thread.

This summary shows that it is virtually impossible for an external party to prepare a security update which will be feature-wise on-par with the security updates merged by Oracle into the OpenJDK - even if the the corresponding party has full access to the planned security patches circulated on the vulnerability list.

It also makes it clear that after Oracle will stop contributing its security updates to the OpenJDK (e.g. for 11.0.3) the Oracle JDK will start to diverge considerably from the corresponding Java version in the OpenJDK (e.g. Oracle JDK 11.0.4 will probably have dozens of changes which are not in OpenJDK 11.0.4). While Oracle has the possibility to pull in all the changes of an OpenJDK updates release, this is impossible for the community for Oracle JDK changes. I don't know if this is desired, but it is a matter of fact.

Regards, Volker On Wed, Oct 24, 2018 at 9:05 PM Volker Simonis <volker.simonis at gmail.com> wrote:

Andrew Haley <aph at redhat.com> schrieb am Mi. 24. Okt. 2018 um 17:02:

On 10/24/2018 01:42 PM, Rob McKenna wrote: > 2) non-vuln closed issues may need to be distributed along with the vulns > on vuln-dev. Indeed. This has been a problem for a little while now. It's hard for me, as an outsider, to make any meaningful distinction between a non- vuln and a vuln closed issue, but we get one and not the other. The easiest and most practical solution would be to grant members of the Vulnerability Group access to the security repos. I don’t see any principle problem with such a solution because there’s nothing in these repos that members of the Vulnerability Group are not allowed to see. So it can only be technical problems which prevent such a solution and technical problems should be easy to solve :)

-- Andrew Haley Java Platform Lead Engineer Red Hat UK Ltd. <https://www.redhat.com> EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671

More information about the jdk-updates-dev mailing list