[SECURITY] IcedTea 2.4.8 for OpenJDK 7 Released
Andrew Hughes
gnu_andrew at member.fsf.org
Wed Jul 23 18:32:54 UTC 2014
The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver, the ability to build
against system libraries and support for alternative virtual machines
and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.4.x series with
the July 2014 security fixes.

Please note that this will be the *FINAL* release in the 2.4.x series.
Users are encouraged to upgrade to the 2.5.x series as soon as
possible. There will NOT be a 2.4.x update for the October 2014
security fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always
welcome.

Full details of the release can be found below.

What's New?
===========
New in release 2.4.8 (2014-07-23):
* Security fixes
- S8029755, CVE-2014-4209: Enhance subject class
- S8030763: Validate global memory allocation
- S8031340, CVE-2014-4264: Better TLS/EC management
- S8031346, CVE-2014-4244: Enhance RSA key handling
- S8031540: Introduce document horizon
- S8032536: JVM resolves wrong method in some unusual cases
- S8033055: Issues in 2d
- S8033301, CVE-2014-4266: Build more informative InfoBuilder
- S8034267: Probabilistic native crash
- S8034272: Do not cram data into CRAM arrays
- S8034985, CVE-2014-2483: Better form for Lambda Forms
- S8035004, CVE-2014-4252: Provider provides less service
- S8035009, CVE-2014-4218: Make Proxy representations consistent
- S8035119, CVE-2014-4219: Fix exceptions to bytecode verification
- S8035699, CVE-2014-4268: File choosers should be choosier
- S8035788, CVE-2014-4221: Provide more consistency for lookups
- S8035793, CVE-2014-4223: Maximum arity maxed out
- S8036571: (process) Process process arguments carefully
- S8036800: Attribute OOM to correct part of code
- S8037046: Validate libraries to be loaded
- S8037076, CVE-2014-2490: Check constant pool constants
- S8037157: Verify <init> call
- S8037162, CVE-2014-4263: More robust DH exchanges
- S8037167, CVE-2014-4216: Better method signature resolution
- S8039520, CVE-2014-4262: More atomicity of atomic updates
* Backports
- S5049299: (process) Use posix_spawn, not fork, on S10 to avoid swap exhaustion
- S6571600: JNI use results in UnsatisfiedLinkError looking for libmawt.so
- S7131153: GetDC called way too many times - causes bad performance.
- S7190349: [macosx] Text (Label) is incorrectly drawn with a rotated g2d
- S8001108: an attempt to use "<init>" as a method name should elicit NoSuchMethodException
- S8001109: arity mismatch on a call to spreader method handle should elicit IllegalArgumentException
- S8008118: (process) Possible null pointer dereference in jdk/src/solaris/native/java/lang/UNIXProcess_md.c
- S8013611: Modal dialog fails to obtain keyboard focus
- S8013809: deadlock in SSLSocketImpl between between write and close
- S8013836: getFirstDayOfWeek reports wrong day for pt-BR locale
- S8014460: Need to check for non-empty EXT_LIBS_PATH before using it
- S8019853: Break logging and AWT circular dependency
- S8019990: IM candidate window appears on the South-East corner of the display.
- S8020191: System.getProperty("os.name") returns "Windows NT (unknown)" on Windows 8.1
- S8022452: Hotspot needs to know about Windows 8.1 and Windows Server 2012 R2
- S8023990: Regression: postscript size increase from 6u18
- S8024283: 10 nashorn tests fail with similar stack trace InternalError with cause being NoClassDefFoundError
- S8024616: JSR292: lazily initialize core NamedFunctions used for bootstrapping
- S8024648: 7141246 & 8016131 break Zero port (AArch64 only)
- S8024830: SEGV in org.apache.lucene.codecs.compressing.CompressingTermVectorsReader.get
- S8025588: [macosx] Frozen AppKit thread in 7u40
- S8026404: Logging in Applet can trigger ACE: access denied ("java.lang.RuntimePermission" "modifyThreadGroup")
- S8026705: [TEST_BUG] java/beans/Introspector/TestTypeResolver.java failed
- S8027196: Increment minor version of HSx for 7u55 and initialize the build number
- S8027212: java/nio/channels/Selector/SelectAfterRead.java fails intermittently
- S8028285: RMI Thread can no longer call out to AWT
- S8029177: [Parfait] warnings from b117 for jdk.src.share.native.com.sun.java.util.jar: JNI exception pending
- S8030655: Regression: 14_01 Security fix 8024306 causes test failures
- S8030813: Signed applet fails to load when CRLs are stored in an LDAP directory
- S8030822: (tz) Support tzdata2013i
- S8031050: (thread) Change Thread initialization so that thread name is set before invoking SecurityManager
- S8031075: [Regression] focus disappears with shift+tab on dialog having one focus component
- S8031462: Fonts with morx tables are broken with latest ICU fixes
- S8032585: JSR292: IllegalAccessError when attempting to invoke protected method from different package
- S8032740: Need to create SE Embedded Source Bundles in 7 Release
- S8033278: Missed access checks for Lookup.unreflect* after 8032585
- S8034772: JDK-8028795 brought a specification change to 7u55 release and caused JCK7 signature test failure
- S8035283: Second phase of branch shortening doesn't account for loop alignment
- S8035613: With active Securitymanager JAXBContext.newInstance fails
- S8035618: Four api/org_omg/CORBA TCK tests fail under plugin only
- S8036147: Increment hsx 24.55 build to b02 for 7u55-b11
- S8036786: Update jdk7 testlibrary to match jdk8
- S8036837: Increment hsx 24.55 build to b03 for 7u55-b12
- S8037012: (tz) Support tzdata2014a
- S8038306: (tz) Support tzdata2014b
- S8038392: Generating prelink cache breaks JAVA 'jinfo' utility normal behavior
- S8042264: 7u65 l10n resource file translation update 1
- S8042582: Test java/awt/KeyboardFocusmanager/ChangeKFMTest/ChangeKFMTest.html fails on Windows x64
- S8042590: Running form URL throws NPE
- S8042789: org.omg.CORBA.ORBSingletonClass loading no longer uses context class loader
- S8043012: (tz) Support tzdata2014c
* Bug fixes
- Fix accidental reversion of PR1188 for armel
- PR1781: NSS PKCS11 provider fails to handle multipart AES encryption
- PR1830: Drop version requirement for LCMS 2
- PR1833, RH1022017: Report elliptic curves supported by NSS, not the SunEC library
- RH905128: [CRASH] OpenJDK-1.7.0 while using NSS security provider and kerberos
* AArch64 port
- AArch64 C2 instruct for smull
- Add a constructor as a conversion from Register - RegSet. Use it.
- Add RegSet::operator+=.
- Add support for a few simple intrinsics
- Add support for builtin crc32 instructions
- Add support for CRC32 intrinsic
- Add support for Neon implementation of CRC32
- All address constants are 48 bits in size.
- C1: Fix offset overflow when profiling.
- Common frame handling for C1/C2 which correctly handle all frame sizes
- Correct costs for operations with shifts.
- Correct OptoAssembly for prologs and epilogs.
- Delete useless instruction.
- Don't use any form of _call_VM_leaf when we're calling a stub.
- Fast string comparison
- Fast String.equals()
- Fix a tonne of bogus comments.
- Fix biased locking and enable as default
- Fix instruction size from 8 to 4
- Fix opto assembly for shifts.
- Fix register misuse in verify_method_data_pointer
- Fix register usage in generate_verify_oop().
- Implement various locked memory operations.
- Improve C1 performance improvements in ic_cache checks
- Improve code generation for pop(), as suggested by Edward Nevill.
- Improvements to safepoint polling
- Make code entry alignment 64 for C2
- Minor optimisation for divide by 2
- New cost model for instruction selection.
- Offsets in lookupswitch instructions should be signed.
- Optimise addressing of card table byte map base
- Optimise C2 entry point verification
- Optimise long divide by 2
- Performance improvement and ease of use changes pulled from upstream
- Preserve callee save FP registers around call to java code
- Remove obsolete C1 patching code.
- Remove special-case handling of division arguments. AArch64 doesn't need it.
- Remove unnecessary memory barriers around CAS operations
- Restore sp from sender sp, r13 in crc32 code
- Restrict default ReservedCodeCacheSize to 128M
- Rewrite CAS operations to be more conservative
- Save intermediate state before removing C1 patching code.
- Tidy up register usage in push/pop instructions.
- Tidy up stack frame handling.
- Use 2- and 3-instruction immediate form of movoop and mov_metadata in C2-generated code.
- Use an explicit set of registers rather than a bitmap for psh and pop operations.
- Use explicit barrier instructions in C1.
- Use gcc __clear_cache instead of doing it ourselves

The tarballs can be downloaded from:

  http://icedtea.classpath.org/download/source/icedtea-2.4.8.tar.gz
  http://icedtea.classpath.org/download/source/icedtea-2.4.8.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

  http://icedtea.classpath.org/download/source/icedtea-2.4.8.tar.gz.sig
  http://icedtea.classpath.org/download/source/icedtea-2.4.8.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

SHA256 checksums:
5bb6ece0ca8f2022056a2e455330c5324d1c110b278dbf5af5e9d48babebcd40 icedtea-2.4.8.tar.gz
59b280c9d342db45c3f810bfdf002806f14faabac1c7fd5c6d2c28cecd13f9d2 icedtea-2.4.8.tar.gz.sig
3fa64e2e92b08fb69eaec72a85ee3322efb1cfacc65e15b5b7fdef4abbdd17a2 icedtea-2.4.8.tar.xz
60c060fa3e438f338128f616f7b8d23ff15d5642e8d1547bb7e026121e7affc8 icedtea-2.4.8.tar.xz.sig

The checksums can be downloaded from:

  http://icedtea.classpath.org/download/source/icedtea-2.4.8.sha256

The following people helped with these releases:

* Andrew Hughes (all backports & bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

  $ tar xzf icedtea-2.4.8.tar.gz

or:

  $ tar x -I xz -f icedtea-2.4.8.tar.xz

then:

  $ mkdir icedtea-build
  $ cd icedtea-build
  $ ../icedtea-2.4.8/configure
  $ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
--
Andrew :)
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
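
Added example, not part of the original announcement or of the IcedTea project: a POSIX shell script that checks a downloaded tarball and its .sig against the published SHA-256 list, then accepts the detached signature only if GnuPG reports it as valid for the full fingerprint given in the message, not merely the short key ID 248BDC07. It assumes the signer's public key is already in the local GnuPG keyring; the function names and the verify.sh file name are illustrative.

```shell
#!/bin/sh
# Added example: verify an IcedTea source download before unpacking it.
# Assumption: the signer's public key is already in the local GnuPG keyring.
# Function names are illustrative, not taken from the project.

# Full fingerprint as published in the announcement, spaces removed.
EXPECTED_FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"

# Print the SHA-256 digest of a file (GNU coreutils, or shasum as a fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# check_sha256 FILE LIST: FILE must be named in LIST with a matching digest.
# A leading '*' (binary-mode marker) before the file name is ignored.
check_sha256() {
    name=$(basename "$1")
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$2")
    [ -n "$want" ] || { echo "no checksum listed for $name" >&2; return 2; }
    [ "$(sha256_of "$1")" = "$want" ] || { echo "SHA-256 mismatch: $name" >&2; return 1; }
}

# signed_by FPR: read `gpg --status-fd` output on stdin and succeed only if a
# VALIDSIG line names FPR as the signing key or as its primary key.
signed_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# check_signature SIG FILE: verify the detached signature and pin the signer.
check_signature() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | signed_by "$EXPECTED_FPR"
}

# Usage: sh verify.sh TARBALL SIGNATURE CHECKSUM_LIST
if [ "$#" -eq 3 ]; then
    check_sha256 "$1" "$3" && check_sha256 "$2" "$3" &&
        check_signature "$2" "$1" && echo "verified: $1"
fi
```

The checksum list and the tarballs are served from the same host, so a digest match only shows the download is intact; the signature check against the pinned fingerprint is what ties the tarball to the release key.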