[SECURITY] IcedTea 2.5.1 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Wed Jul 16 10:06:01 UTC 2014

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.5.x series with
the July 2014 security fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always

Full details of the release can be found below.

What's New?
New in release 2.5.1 (2014-07-16):

* Security fixes
  - S8029755, CVE-2014-4209: Enhance subject class
  - S8030763: Validate global memory allocation
  - S8031340, CVE-2014-4264: Better TLS/EC management
  - S8031346, CVE-2014-4244: Enhance RSA key handling
  - S8031540: Introduce document horizon
  - S8032536: JVM resolves wrong method in some unusual cases
  - S8033055: Issues in 2d
  - S8033301, CVE-2014-4266: Build more informative InfoBuilder
  - S8034267: Probabilistic native crash
  - S8034272: Do not cram data into CRAM arrays
  - S8034985, CVE-2014-2483: Better form for Lambda Forms
  - S8035004, CVE-2014-4252: Provider provides less service
  - S8035009, CVE-2014-4218: Make Proxy representations consistent
  - S8035119, CVE-2014-4219: Fix exceptions to bytecode verification
  - S8035699, CVE-2014-4268: File choosers should be choosier
  - S8035788, CVE-2014-4221: Provide more consistency for lookups
  - S8035793, CVE-2014-4223: Maximum arity maxed out
  - S8036571: (process) Process process arguments carefully
  - S8036800: Attribute OOM to correct part of code
  - S8037046: Validate libraries to be loaded
  - S8037076, CVE-2014-2490: Check constant pool constants
  - S8037157: Verify <init> call
  - S8037162, CVE-2014-4263: More robust DH exchanges
  - S8037167, CVE-2014-4216: Better method signature resolution
  - S8039520, CVE-2014-4262: More atomicity of atomic updates
* Backports
  - S8001108: an attempt to use "<init>" as a method name should elicit NoSuchMethodException
  - S8001109: arity mismatch on a call to spreader method handle should elicit IllegalArgumentException
  - S8013611: Modal dialog fails to obtain keyboard focus
  - S8013836: getFirstDayOfWeek reports wrong day for pt-BR locale
  - S8019990: IM candidate window appears on the South-East corner of the display.
  - S8023990: Regression: postscript size increase from 6u18
  - S8024283: 10 nashorn tests fail with similar stack trace InternalError with cause being NoClassDefFoundError
  - S8024616: JSR292: lazily initialize core NamedFunctions used for bootstrapping
  - S8025030: Enhance stream handling
  - S8026188: Enhance envelope factory
  - S8027212: java/nio/channels/Selector/SelectAfterRead.java fails intermittently
  - S8028285: RMI Thread can no longer call out to AWT
  - S8029177: [Parfait] warnings from b117 for jdk.src.share.native.com.sun.java.util.jar: JNI exception pending
  - S8031075: [Regression] focus disappears with shift+tab on dialog having one focus component
  - S8032585: JSR292: IllegalAccessError when attempting to invoke protected method from different package
  - S8032686: Issues with method invoke
  - S8033278: Missed access checks for Lookup.unreflect* after 8032585
  - S8033618: Correct logging output
  - S8034926: Attribute classes properly
  - S8035613: With active Securitymanager JAXBContext.newInstance fails
  - S8035834: InetAddress.getLocalHost() can hang after JDK-8030731 was fixed
  - S8035923: Set minor version for hotspot in 7u65 to 65 and build number to b01
  - S8036786: Update jdk7 testlibrary to match jdk8
  - S8036794: Manage JavaScript instances
  - S8039324: Increment hsx 24.65 build to b02 for 7u65-b07
  - S8040156: Increment hsx 24.65 build to b03 for 7u65-b08
  - S8041264: Increment hsx 24.65 build to b04 for 7u65-b09
  - S8042264: 7u65 l10n resource file translation update 1
  - S8042582: Test java/awt/KeyboardFocusmanager/ChangeKFMTest/ChangeKFMTest.html fails on Windows x64
  - S8042590: Running form URL throws NPE
  - S8042789: org.omg.CORBA.ORBSingletonClass loading no longer uses context class loader
  - S8043012: (tz) Support tzdata2014c
* Bug fixes
  - PR1853: Revert PR729 from minor release
  - PR1864: PCSC + OpenJDK 1.7 crash on Fedora 20
  - PR1867: Turn the infinality patch off by default
  - PR1868: Avoid x86 workaround when running Zero rather than a JIT
* AArch64 port
  - Common frame handling for C1/C2 which correctly handle all frame sizes
  - Fix register misuse in verify_method_data_pointer
  - Fix register usage in generate_verify_oop().
  - Restrict default ReservedCodeCacheSize to 128M
  - Use explicit barrier instructions in C1.

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.5.1.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.5.1.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-2.5.1.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.5.1.tar.xz.sig

These are produced using my public key. See details below.

    PGP Key: 248BDC07 (https://keys.indymedia.org/)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

SHA256 checksums:

06483c252099d41e33eade8ceee9231a15ba1e9594f90e2d32943d17c8802acd  icedtea-2.5.1.tar.gz
ce9aad813b3e1fd2d08ad1755e973e22271eb13a3cbff612b8f6e6660301d2fa  icedtea-2.5.1.tar.gz.sig
9471b4e143807df75655d113618dafcdc1a67d3183364fceaaf139014b778913  icedtea-2.5.1.tar.xz
3633fa56b0c0e1f4ef91f93cf5025f06d90d03bcdbc8beaf0476007815a2cfd6  icedtea-2.5.1.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.5.1.sha256

The following people helped with these releases:

* Andrew Hughes (all backports & bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.5.1.tar.gz

or:

$ tar x -I xz -f icedtea-2.5.1.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.5.1/configure
$ make

Full build requirements and instructions are available in the INSTALL file.
Happy hacking!
Andrew :)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
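
Added example (not part of the original announcement or of IcedTea's own tooling): a shell check that combines the two verification steps described above, comparing the tarball's SHA256 with the published value and accepting the detached signature only when GnuPG reports a valid signature from the full fingerprint rather than the short key ID 248BDC07. It assumes sha256sum and gpg are installed and the signing key is already in the local keyring; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify an IcedTea 2.5.1 tarball before building it.
# Fingerprint and SHA256 value are copied from the announcement above.
EXPECTED_FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"
EXPECTED_SHA256_GZ="06483c252099d41e33eade8ceee9231a15ba1e9594f90e2d32943d17c8802acd"

# sha256_matches FILE HEX: succeed only if FILE hashes to HEX.
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$2" ]
}

# signed_by FPR: read `gpg --status-fd 1` output on stdin and succeed only if
# it contains a VALIDSIG line whose signing-key fingerprint (field 3) or
# primary-key fingerprint (last field) equals FPR. GOODSIG alone carries only
# a key ID, so it is deliberately not accepted here.
signed_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# verify_release TARBALL SIG SHA256: both checks must pass.
verify_release() {
    sha256_matches "$1" "$3" \
        || { echo "checksum mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | signed_by "$EXPECTED_FPR" \
        || { echo "no valid signature by $EXPECTED_FPR" >&2; return 1; }
}

# Runs only when given two arguments, e.g.:
#   sh verify.sh icedtea-2.5.1.tar.gz icedtea-2.5.1.tar.gz.sig
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" "$EXPECTED_SHA256_GZ"
fi
```

The checksum file is served from the same host as the tarballs, so it only detects corruption in transit; the signature check against the full fingerprint is what ties the download to the release key.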