The RPMs of OpenJDKs in RHEL 7 and the RPMs of OpenJDK 8 in RHEL 6 have a list of java.security sums, which decide when to override this config file and when not. Unluckily, in the latest updates, the latest java.security was missed. As a result, openjdk7 7.2, openjdk8 7.2 and 7.3 and openjdk8 6.8 did not overwrite the old java.security. As a consequence, RC4 is NOT in the disabledAlgorithms as it should be by default. I'm not able to judge how serious a flaw this is, so I will open other bugs for possible z-stream updates based on the resolution here. The fix (+test) is as follows: http://pkgs.fedoraproject.org/cgit/rpms/java-1.8.0-openjdk.git/commit/?h=f25&id=b3fb2a4865e8d41330321d902070ab8f29c894e7
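The failure mode described in the report above, as an added example that is not part of the original thread or of the package's own scriptlets: a file whose md5sum is absent from the known-sums list is left in place, and the audit then checks whether that file disables RC4. The property name `jdk.tls.disabledAlgorithms`, the function names and both sample files are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample files, not real package contents.
OLD_STOCK = """
# older stock java.security (constructed)
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
"""
NEW_STOCK = r"""
# newer stock java.security (constructed), value continued with a backslash
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \
    DH keySize < 768
"""

def parse_properties(text):
    """Minimal properties parser: comments, key=value, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def disabled_algorithms(text, prop="jdk.tls.disabledAlgorithms"):
    """Return the algorithm names listed in the property (assumed name)."""
    value = parse_properties(text).get(prop, "")
    # Entries are comma separated; "DH keySize < 768" contributes only "DH".
    return {e.split()[0].upper() for e in value.split(",") if e.strip()}

def audit(text, known_stock_md5s):
    """Model the sum check: only files whose md5 is listed get replaced."""
    digest = hashlib.md5(text.encode()).hexdigest()
    return {
        "md5": digest,
        "would_be_replaced": digest in known_stock_md5s,
        "rc4_disabled": "RC4" in disabled_algorithms(text),
    }

if __name__ == "__main__":
    # Sum missing from the list: the old file survives and RC4 stays enabled.
    print(audit(OLD_STOCK, known_stock_md5s=set()))
    print(audit(NEW_STOCK, known_stock_md5s=set()))
```

Run against the installed java.security and any java.security.rpmnew beside it, the same two fields show whether an update left a stale file in place.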
They weren't missed, there hasn't been a change to java.security since:

changeset: 11549:f94285e53b66
user: igerasim
date: Tue Dec 15 16:20:09 2015 +0300
summary: 8144773: Further reduce use of MD5

in the January 2016 CPU. An update was missed as part of bug 1302385 for java-1.7.0-openjdk and that's the only one I'm aware of being reported. On RHEL 7.2, I see no rpmnew files for java.security. Are you actually seeing issues with java-1.8.0-openjdk?
Yes, I do. The same md5sum that is missing in Fedora is missing in RHEL 7.3. In 7.2 a different checksum is missing (currentMd5sum=134a37a84983b620f4d8d51a550c0c38), but it is missing. That's why the component is jdk8 and not jdk7. jdk7 is affected only in 7.3.
Ok, you're not distinguishing here between what is actually a bug and what is nice to have to keep them in sync. In 7.3, removeSunEcProvider-RH1154143.patch was removed which will have changed the java.security there. Hence 134a37a84983b620f4d8d51a550c0c38 needs to be added there so java.security is replaced with the one with SunEC in. The addition of 134a37a84983b620f4d8d51a550c0c38 to 7.2 and the new checksum to 7.3 is good future-proofing, but it's not a bug fix. Hopefully, the new check will catch them earlier. Certainly, none of this is related to the July 2016 CPU but comes from feature changes in RHEL 7.3.
Also, I'm not sure what this bug is for, now you've committed this using bug 1295754, the tapset bug.
(In reply to Andrew John Hughes from comment #5)
> Also, I'm not sure what this bug is for, now you've committed this using bug
> 1295754, the tapset bug.

You may have noticed that it is not built.
(In reply to Andrew John Hughes from comment #4)
> Ok, you're not distinguishing here between what is actually a bug and what
> is nice to have to keep them in sync.
>
> In 7.3, removeSunEcProvider-RH1154143.patch was removed which will have
> changed the java.security there. Hence 134a37a84983b620f4d8d51a550c0c38
> needs to be added there so java.security is replaced with the one with SunEC
> in.
>
> The addition of 134a37a84983b620f4d8d51a550c0c38 to 7.2 and the new checksum
> to 7.3 is good future-proofing, but it's not a bug fix.
>
> Hopefully, the new check will catch them earlier.

That's why I pushed the checks to all possibly affected packages. IMO better to have a few more (valid) sums than miss an important one.

>
> Certainly, none of this is related to the July 2016 CPU but comes from
> feature changes in RHEL 7.3.

Well, the changes necessary to make the test pass in 7.2 are a bit discouraging. http://pkgs.devel.redhat.com/cgit/rpms/java-1.8.0-openjdk/commit/?h=rhel-7.2&id=bd5e5e468ca48b261d285259ab6cf9fc0aead497 (note there is one more compared to 7.3)

That's what this bug is for: to decide if the missing checksum in currently live packages may have some bad consequences. And to fix it, if we fix it at all. Thank you for confirming that the changes are not CPU related!