[SECURITY] IcedTea 1.13.5 for OpenJDK 6 Released!

Andrew Hughes gnu.andrew at redhat.com
Tue Oct 14 21:58:57 UTC 2014

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver, the ability to build
against system libraries and support for alternative virtual machines
and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 6 support in the 1.13.x series with
the October 2014 security fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always

Full details of the release can be found below.

What's New?
New in release 1.13.5 (2014-10-14):

* Security fixes
  - S8015256: Better class accessibility
  - S8022783, CVE-2014-6504: Optimize C2 optimizations
  - S8035162: Service printing service
  - S8035781: Improve equality for annotations
  - S8036805: Correct linker method lookup.
  - S8036810: Correct linker field lookup
  - S8037066, CVE-2014-6457: Secure transport layer
  - S8037846, CVE-2014-6558: Ensure streaming of input cipher streams
  - S8038899: Safer safepoints
  - S8038903: More native monitor monitoring
  - S8038908: Make Signature more robust
  - S8038913: Bolster XML support
  - S8039509, CVE-2014-6512: Wrap sockets more thoroughly
  - S8039533, CVE-2014-6517: Higher resolution resolvers
  - S8041540, CVE-2014-6511: Better use of pages in font processing
  - S8041545: Better validation of generated rasters
  - S8041564, CVE-2014-6506: Improved management of logger resources
  - S8041717, CVE-2014-6519: Issue with class file parser
  - S8042609, CVE-2014-6513: Limit splashiness of splash images
  - S8042797, CVE-2014-6502: Avoid strawberries in LogRecord
  - S8044274, CVE-2014-6531: Proper property processing
* Import of OpenJDK6 b33
  - OJ37: OpenJDK6-b32 cannot be built on Windows
  - OJ39: Handle fonts with the non-canonical processing flag set
  - OJ41: OpenJDK6 should be compatible with Windows SDK 7.1
  - OJ42: Remove @Override annotation on interfaces added by 2014/10/14 security fixes.
  - S6967684: httpserver using a non thread-safe SimpleDateFormat
  - S7033534: Two tests fail just against jdk7 b136
  - S7160837: DigestOutputStream does not turn off digest calculation when "close()" is called
  - S7172149: ArrayIndexOutOfBoundsException from Signature.verify
  - S8010213: Some api/javax_net/SocketFactory tests fail in 7u25 nightly build
  - S8012637: Adjust CipherInputStream class to work in AEAD/GCM mode
  - S8028192: Use of PKCS11-NSS provider in FIPS mode broken
  - S8038000: java.awt.image.RasterFormatException: Incorrect scanline stride
  - S8039396: NPE when writing a class descriptor object to a custom ObjectOutputStream
  - S8042603: 'SafepointPollOffset' was not declared in static member function 'static bool Arguments::check_vm_args_consistency()'
  - S8042850: Extra unused entries in ICU ScriptCodes enum
  - S8052162: REGRESSION: sun/java2d/cmm/ColorConvertOp tests fail since 7u71 b01
  - S8053963: (dc) Use DatagramChannel.receive() instead of read() in connect()
* Backports
  - S4963723: Implement SHA-224
  - S6578658: Request for raw RSA (NONEwithRSA) Signature support in SunMSCAPI
  - S6753664: Support SHA256 (and higher) in SunMSCAPI
  - S7033170: Cipher.getMaxAllowedKeyLength(String) throws NoSuchAlgorithmException
  - S7044060: Need to support NSA Suite B Cryptography algorithms
  - S7106773: 512 bits RSA key cannot work with SHA384 and SHA512
  - S7180907: Jarsigner -verify fails if rsa file used sha-256 with authenticated attributes
  - S8006935: Need to take care of long secret keys in HMAC/PRF compuation
  - S8017173, PR1688: XMLCipher with RSA_OAEP Key Transport algorithm can't be instantiated
  - S8049480: Current versions of Java can't verify jars signed and timestamped with Java 9
* Bug fixes
  - PR1904: [REGRESSION] Bug reports now lack IcedTea version & distribution packaging information
  - PR1967: Move to new OpenJDK bug URL format

The tarballs can be downloaded from:


We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:


These are produced using my public key. See details below.

    PGP Key: 248BDC07 (hkp://zimmermann.mayfirst.org)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

SHA256 checksums:

7bc21b8fa532c44279591372a77a76ae5976f54ae02ea8bdcd3dd7740511f1cb  icedtea6-1.13.5.tar.gz
daf5b5132e73091af7bdf1040ae234773fa62c4ee8600a4abfdb7b2db205ce3a  icedtea6-1.13.5.tar.gz.sig
3579852895dcce8dcb0277b221c5b27d57baf7e642e9cbb92c1b67d9af9e2cbb  icedtea6-1.13.5.tar.xz
8b5de1b8c814d9743c7531ad58e0cb1de1c40e56c7f2315ae01c45c36faa20f1  icedtea6-1.13.5.tar.xz.sig

The checksums can be downloaded from:


The following people helped with these releases:

* Andrew Hughes (all backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.13.5.tar.gz


$ tar x -I xz -f icedtea6-1.13.5.tar.xz


$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea6-1.13.5/configure
$ make

Full build requirements and instructions are available in the INSTALL file.
Happy hacking!
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (hkp://zimmermann.mayfirst.org)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20141014/4a8c38dc/signature.asc>

More information about the distro-pkg-dev mailing list