[SECURITY] IcedTea 2.4.7 for OpenJDK 7 Released

Andrew Hughes gnu_andrew at member.fsf.org
Wed Apr 16 04:33:10 UTC 2014

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver, the ability to build
against system libraries and support for alternative virtual machines
and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.4.x series with
the April 2014 security fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always

Full details of the release can be found below.

What's New?
New in release 2.4.7 (2014-04-15):

* Security fixes
  - S8023046: Enhance splashscreen support
  - S8025005: Enhance CORBA initializations
  - S8025010, CVE-2014-2412: Enhance AWT contexts
  - S8025030, CVE-2014-2414: Enhance stream handling
  - S8025152, CVE-2014-0458: Enhance activation set up
  - S8026067: Enhance signed jar verification
  - S8026163, CVE-2014-2427: Enhance media provisioning
  - S8026188, CVE-2014-2423: Enhance envelope factory
  - S8026200: Enhance RowSet Factory
  - S8026716, CVE-2014-2402: (aio) Enhance asynchronous channel handling
  - S8026736, CVE-2014-2398: Enhance Javadoc pages
  - S8026797, CVE-2014-0451: Enhance data transfers
  - S8026801, CVE-2014-0452: Enhance endpoint addressing
  - S8027766, CVE-2014-0453: Enhance RSA processing
  - S8027775: Enhance ICU code.
  - S8027841, CVE-2014-0429: Enhance pixel manipulations
  - S8028385: Enhance RowSet Factory
  - S8029282, CVE-2014-2403: Enhance CharInfo set up
  - S8029286: Enhance subject delegation
  - S8029699: Update Poller demo
  - S8029730: Improve audio device additions
  - S8029735: Enhance service mgmt natives
  - S8029740, CVE-2014-0446: Enhance handling of loggers
  - S8029745, CVE-2014-0454: Enhance algorithm checking
  - S8029750: Enhance LCMS color processing (in-tree LCMS)
  - S8029760, CVE-2013-6629: Enhance AWT image libraries (in-tree libjpeg)
  - S8029844, CVE-2014-0455: Enhance argument validation
  - S8029854, CVE-2014-2421: Enhance JPEG decodings
  - S8029858, CVE-2014-0456: Enhance array copies
  - S8030731, CVE-2014-0460: Improve name service robustness
  - S8031330: Refactor ObjectFactory
  - S8031335, CVE-2014-0459: Better color profiling (in-tree LCMS)
  - S8031352, CVE-2013-6954: Enhance PNG handling (in-tree libpng)
  - S8031394, CVE-2014-0457: (sl) Fix exception handling in ServiceLoader
  - S8031395: Enhance LDAP processing
  - S8032686, CVE-2014-2413: Issues with method invoke
  - S8033618, CVE-2014-1876: Correct logging output
  - S8034926, CVE-2014-2397: Attribute classes properly
  - S8036794, CVE-2014-0461: Manage JavaScript instances
* Backports
  - S8004145: New improved hgforest.sh, ctrl-c now properly terminates mercurial processes.
  - S8007625: race with nested repos in /common/bin/hgforest.sh
  - S8011178: improve common/bin/hgforest.sh python detection (MacOS)
  - S8011342: hgforest.sh : 'python --version' not supported on older python
  - S8011350: hgforest.sh uses non-POSIX sh features that may fail with some shells
  - S8024200: handle hg wrapper with space after #!
  - S8025796: hgforest.sh could trigger unbuffered output from hg without complicated machinations
  - S8028388: 9 jaxws tests failed in nightly build with java.lang.ClassCastException
  - S8031477: [macosx] Loading AWT native library fails
  - S8032370: No "Truncated file" warning from IIOReadWarningListener on JPEGImageReader
  - S8035834: InetAddress.getLocalHost() can hang after JDK-8030731 was fixed
* Bug fixes
  - PR1393: JPEG support in build is broken on non-system-libjpeg builds
  - PR1726: configure fails looking for ecj.jar before even trying to find javac
  - Red Hat local: Fix for repo with path statting with / .
  - Remove unused hgforest script

The tarballs can be downloaded from:


We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:


These are produced using my public key. See details below.

    PGP Key: 248BDC07 (https://keys.indymedia.org/)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

SHA256 checksums:

754350cbd704b22b7ba3d14c8283eb2d896d137824f95a9e6a2b34678658ade1  icedtea-2.4.7.tar.gz
92a1ac08f3bdb1f0bca58a6528020ca0d7e7e720ad438743133de9d0b3bf875d  icedtea-2.4.7.tar.gz.sig
b66973bef7808f8fb03be64e44d312ea2d13590a68a6a4e6690dbcdd1947459d  icedtea-2.4.7.tar.xz
6766d3fcd0e2b7c167bcb217e2a7c03b6582b84b5a246d71601b5d7863c60ba7  icedtea-2.4.7.tar.xz.sig

The checksums can be downloaded from:


The following people helped with these releases:

* Andrew Haley (hgforest.sh path with leading '/' fix)
* Andrew Hughes (all backports & bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.4.7.tar.gz


$ tar x -I xz -f icedtea-2.4.7.tar.xz


$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.4.7/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
Andrew :)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140416/598add35/signature.asc>

More information about the distro-pkg-dev mailing list