[SECURITY] IcedTea 1.13.7 for OpenJDK 6 Released!

Andrew Hughes gnu.andrew at redhat.com
Wed Apr 15 01:57:59 UTC 2015

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver, the ability to build
against system libraries and support for alternative virtual machines
and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 6 support in the 1.13.x series with
the April 2015 security fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are
always welcome.

Full details of the release can be found below.

What’s New?

New in release 1.13.7 (2015-04-14):

* Security fixes
  - S8059064: Better G1 log caching
  - S8060461: Fix for JDK-8042609 uncovers additional issue
  - S8064601, CVE-2015-0480: Improve jar file handling
  - S8065286: Fewer subtable substitutions
  - S8065291: Improved font lookups
  - S8066479: Better certificate chain validation
  - S8067050: Better font consistency checking
  - S8067684: Better font substitutions
  - S8067699, CVE-2015-0469: Better glyph storage
  - S8068320, CVE-2015-0477: Limit applet requests
  - S8068720, CVE-2015-0488: Better certificate options checking
  - S8069198: Upgrade image library
  - S8071726, CVE-2015-0478: Better RSA optimizations
  - S8071818: Better vectorization on SPARC
  - S8071931, CVE-2015-0460: Return of the phantom menace
* Import of OpenJDK6 b35
  - OJ55: Synchronise whitespace in TimeZoneNames files with OpenJDK 7 versions.
  - OJ56: Update 3rd party readme and license for LibPNG v 1.6.16
  - OJ57: Remove mistakenly added patching fragment
  - S6672144: HttpURLConnection.getInputStream sends POST request after failed chunked
  - S6989721: awt native code compiler warnings
  - S7088287: libpng need to be updated.
  - S7090424: TestGlyphVectorLayout failed automately with java.lang.StackOverflowError
  - S7170655: Frame size does not follow font size change with XToolkit
  - S7176479: G1: JVM crashes on T5-8 system with 1.5 TB heap
  - S8019623: Lack of synchronization in AppContext.getAppContext()
  - S8040790: [TEST_BUG] tools/javac/innerClassFile/Driver.sh fails to cleanup files after it
  - S8043123: Hard crash with access violation exception when blitting to very large image
  - S8051359: JPopupMenu creation in headless mode with JDK9b23 causes NPE
  - S8064454: [TEST_BUG] Test tools/javac/innerClassFile/Driver.sh fails for Mac and Linux
  - S8065072: sun/net/www/http/HttpClient/StreamingRetry.java failed intermittently
  - S8065709: Deadlock in awt/logging apparently introduced by 8019623
  - S8072042: (tz) Support tzdata2015a
  - S8074662: Update 3rd party readme and license for LibPNG v 1.6.16
  - S8075211: [TEST_BUG] Test sun/net/www/http/HttpClient/StreamingRetry.java fails with compilation error
* Backports
  - S6584008, PR2195, RH1173326: jvmtiStringPrimitiveCallback should not be invoked when string value is null
  - S7199862, PR2198: Make sure that a connection is still alive when retrieved from KeepAliveCache in certain cases
  - S8074312, PR2255: Enable hotspot builds on Linux 4.x
* Bug fixes
  - PR2197: jhat man page has broken URL
  - PR2201: Support giflib 5.1.0
  - PR2211: DGifCloseFile call should check the return value, not the error code, for failure
  - PR2226: giflib 5.1 conditional excludes 6.0, 7.0, etc.
  - PR2294: Auto-generated jconsole.desktop and policytool.desktop should not be included in release tarball

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea6-1.13.7.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.13.7.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea6-1.13.7.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea6-1.13.7.tar.xz.sig

    PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over
the next year. Signatures made with this key are available at:

* http://icedtea.classpath.org/download/source/icedtea6-1.13.7.tar.gz.sig.ec
* http://icedtea.classpath.org/download/source/icedtea6-1.13.7.tar.xz.sig.ec

and the new key is:

    PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
    Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

SHA256 checksums:

1cd6dc97d729eaae8d3a102010934f171752eeb50046f609c2f3d6b0cf29fa45  icedtea6-1.13.7.tar.gz
f380e1fe2a1cf1a8feb8ea26fbad5cfc4c4a12b0da1b28467b6cdab4b73cb0c8  icedtea6-1.13.7.tar.gz.sig
f2b161bccb9bb3de06bdb7e046565272b53149cf865a123ceaa87d1793df96ab  icedtea6-1.13.7.tar.gz.sig.ec
a5ca64ae94ec27d28be91f4f0624164f9b4e6e92e417e52b296556005142183b  icedtea6-1.13.7.tar.xz
0c2c0dc60422eaef7cd30f019c9af370252a818e2d42128d6d9ab1902ba0bca7  icedtea6-1.13.7.tar.xz.sig
db51815eb42b72fcde286c2a68669c7007c2b4f2ddf832306c4715dd26b1e9bf  icedtea6-1.13.7.tar.xz.sig.ec

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea6-1.13.7.sha256

The following people helped with these releases:

*  Andrew Hughes (all backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.13.7.tar.gz

or:

$ tar x -I xz -f icedtea6-1.13.7.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea6-1.13.7/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!

Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
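
The check that the checksums, signatures and fingerprints above make possible before unpacking, as an added example that is not part of the original announcement or of IcedTea's own tooling: it compares the tarball against the SHA256 manifest, then accepts a signature only if gpg reports it valid for the pinned fingerprint. The script name verify-icedtea.sh and the function names are hypothetical; it assumes GNU coreutils, awk and gpg, with both keys already imported into the local keyring.

```shell
#!/bin/sh
# Added example: verify an IcedTea 1.13.7 tarball before unpacking it.
# Assumes GNU coreutils (sha256sum), awk and gpg, with both signing keys
# already imported; the ed25519 key needs GnuPG 2.1 or later.
# Fingerprints are the two quoted in the announcement, spaces removed.
OLD_KEY_FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07   # rsa4096/248BDC07
NEW_KEY_FPR=5132579DD1540ED23E04C5A0CFDA0F9B35964222   # ed25519/35964222
MANIFEST=icedtea6-1.13.7.sha256

# check_manifest MANIFEST FILE
# Succeeds only if FILE's SHA256 equals the manifest entry for its basename.
# Returns 2 when the manifest has no entry for FILE. The manifest comes from
# the same HTTP server as the tarball, so this catches corruption only.
check_manifest() {
    name=$(basename "$2")
    want=$(awk -v f="$name" '$2 == f { print $1 }' "$1")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# pinned_validsig FPR
# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names FPR as the signing key (field 3) or the primary key (last field), so
# a good signature from some other key in the keyring is rejected.
pinned_validsig() {
    awk -v fp="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fp || $NF == fp) { ok = 1 }
        END { exit !ok }'
}

# verify_release TARBALL SIGNATURE FPR
verify_release() {
    check_manifest "$MANIFEST" "$1" ||
        { echo "checksum mismatch or missing entry: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | pinned_validsig "$3" ||
        { echo "no valid signature by $3: $2" >&2; return 1; }
}

# Usage: sh verify-icedtea.sh icedtea6-1.13.7.tar.xz
# (manifest, .sig and .sig.ec files in the current directory)
if [ "$#" -eq 1 ]; then
    verify_release "$1" "$1.sig" "$OLD_KEY_FPR" &&
        verify_release "$1" "$1.sig.ec" "$NEW_KEY_FPR" &&
        echo "verified: $1"
fi
```

Pinning the full 40-character fingerprint matters here because the short IDs 248BDC07 and 35964222 are only 32 bits long and are not a safe basis for trusting a key fetched from a keyserver.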