[SECURITY] IcedTea 2.5.3 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Wed Oct 15 05:29:33 UTC 2014

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.5.x series with
the October 2014 security fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always

Note that alternate virtual machines (e.g. CACAO, JamVM) will be
broken by this release, until such a time as they introduce support
for JVM_FindClassFromCaller, a new virtual machine interface function
added by S8015256.

Full details of the release can be found below.

What's New?
New in release 2.5.3 (2014-10-14):

* Security fixes
  - S8015256: Better class accessibility
  - S8022783, CVE-2014-6504: Optimize C2 optimizations
  - S8035162: Service printing service
  - S8035781: Improve equality for annotations
  - S8036805: Correct linker method lookup.
  - S8036810: Correct linker field lookup
  - S8036936: Use local locales
  - S8037066, CVE-2014-6457: Secure transport layer
  - S8037846, CVE-2014-6558: Ensure streaming of input cipher streams
  - S8038364: Use certificate exceptions correctly
  - S8038899: Safer safepoints
  - S8038903: More native monitor monitoring
  - S8038908: Make Signature more robust
  - S8038913: Bolster XML support
  - S8039509, CVE-2014-6512: Wrap sockets more thoroughly
  - S8039533, CVE-2014-6517: Higher resolution resolvers
  - S8041540, CVE-2014-6511: Better use of pages in font processing
  - S8041529: Better parameterization of parameter lists
  - S8041545: Better validation of generated rasters
  - S8041564, CVE-2014-6506: Improved management of logger resources
  - S8041717, CVE-2014-6519: Issue with class file parser
  - S8042609, CVE-2014-6513: Limit splashiness of splash images
  - S8042797, CVE-2014-6502: Avoid strawberries in LogRecord
  - S8044274, CVE-2014-6531: Proper property processing
* Backports
  - S4963723: Implement SHA-224
  - S7044060: Need to support NSA Suite B Cryptography algorithms
  - S7122142: (ann) Race condition between isAnnotationPresent and getAnnotations
  - S7160837: DigestOutputStream does not turn off digest calculation when "close()" is called
  - S8006935: Need to take care of long secret keys in HMAC/PRF compuation
  - S8012637: Adjust CipherInputStream class to work in AEAD/GCM mode
  - S8028192: Use of PKCS11-NSS provider in FIPS mode broken
  - S8038000: java.awt.image.RasterFormatException: Incorrect scanline stride
  - S8039396: NPE when writing a class descriptor object to a custom ObjectOutputStream
  - S8042603: 'SafepointPollOffset' was not declared in static member function 'static bool Arguments::check_vm_args_consistency()'
  - S8042850: Extra unused entries in ICU ScriptCodes enum
  - S8052162: REGRESSION: sun/java2d/cmm/ColorConvertOp tests fail since 7u71 b01
  - S8053963: (dc) Use DatagramChannel.receive() instead of read() in connect()
  - S8055176: 7u71 l10n resource file translation update
* Bug fixes
  - PR1988: C++ Interpreter should no longer be used on ppc64
  - PR1989: Make jdk_generic_profile.sh handle missing programs better and be more verbose
  - PR1992, RH735336: Support retrieving proxy settings on GNOME 3.12.2
  - PR2000: Synchronise HEAD tarball paths with release branch paths
  - PR2002: Fix references to hotspot.map following PR2000
  - PR2003: --disable-system-gtk option broken by refactoring in PR1736
  - PR2009: Checksum of policy JAR files changes on every build
  - PR2014: Use version from hotspot.map to create tarball filename
  - PR2015: Update hotspot.map documentation in INSTALL
  - PR2025: LCMS_CFLAGS & LCMS_LIBS should not be used unless SYSTEM_LCMS is enabled
  - RH1015432: java-1.7.0-openjdk: Fails on PPC with StackOverflowError (revised comprehensive fix)
  - PR2030, G453612, CA172: ARM hardfloat support for CACAO
* AArch64 port
  - AArch64 C2 instruct for smull
  - Add frame anchor fences.
  - Add MacroAssembler::maybe_isb()
  - Add missing instruction synchronization barriers and cache flushes.
  - Add support for a few simple intrinsics
  - Add support for builtin crc32 instructions
  - Add support for Neon implementation of CRC32
  - All address constants are 48 bits in size.
  - array load must only read 32 bits
  - Define uabs().  Use it everywhere an absolute value is wanted.
  - Fast string comparison
  - Fast String.equals()
  - Fix register usage in generate_verify_oop().
  - Fix thinko in Atomic::xchg_ptr.
  - Fix typo in fsqrts
  - Improve C1 performance improvements in ic_cache checks
  - Performance improvement and ease of use changes pulled from upstream
  - Remove obsolete C1 patching code.
  - Replace hotspot jtreg test suite with tests from jdk7u
  - S8024648: 7141246 breaks Zero port
  - Save intermediate state before removing C1 patching code.
  - Unwind native AArch64 frames.
  - Use 2- and 3-instruction immediate form of movoop and mov_metadata in C2-generated code.
  - Various concurrency fixes.

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.5.3.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.5.3.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-2.5.3.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.5.3.tar.xz.sig

These are produced using my public key. See details below.

    PGP Key: 248BDC07 (hkp://zimmermann.mayfirst.org)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

SHA256 checksums:

44df11ac8e5ace7194e7372ef169909e0dab31d6b2f6bbae9a9c33af2cc54540  icedtea-2.5.3.tar.gz
ac7c1ae97eef2d1c650ab7a21091f71e83a984f37a12c802c0f319f1438b0101  icedtea-2.5.3.tar.gz.sig
f4f2922cfec262496e935f81c1d39af66a789f69aa12d1ceee51bcca8934f1f0  icedtea-2.5.3.tar.xz
ed9b9cbc1237bfbf619e2cccfddf1002901371e94177a8becd85036be1ccf29a  icedtea-2.5.3.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.5.3.sha256

The following people helped with these releases:

*  Andrew Hughes (all backports & bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.5.3.tar.gz


$ tar x -I xz -f icedtea-2.5.3.tar.xz


$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.5.3/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20141015/49493aef/signature.asc>

More information about the distro-pkg-dev mailing list