[SECURITY] IcedTea 2.5.4 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Thu Jan 22 13:27:45 UTC 2015

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.5.x series with
the January 2015 security fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always

Full details of the release can be found below.

What's New?
New in release 2.5.4 (2015-01-21):

* Security fixes
  - S8046656: Update protocol support
  - S8047125, CVE-2015-0395: (ref) More phantom object references
  - S8047130: Fewer escapes from escape analysis
  - S8048035, CVE-2015-0400: Ensure proper proxy protocols
  - S8049253: Better GC validation
  - S8050807, CVE-2015-0383: Better performing performance data handling
  - S8054367, CVE-2015-0412: More references for endpoints
  - S8055304, CVE-2015-0407: More boxing for DirectoryComboBoxModel
  - S8055309, CVE-2015-0408: RMI needs better transportation considerations
  - S8055479: TLAB stability
  - S8055489, CVE-2014-6585: Better substitution formats
  - S8056264, CVE-2014-6587: Multicast support improvements
  - S8056276, CVE-2014-6591: Fontmanager feature improvements
  - S8057555, CVE-2014-6593: Less cryptic cipher suite management
  - S8058982, CVE-2014-6601: Better verification of an exceptional invokespecial
  - S8059485, CVE-2015-0410: Resolve parsing ambiguity
  - S8061210, CVE-2014-3566: Issues in TLS
* Backports
  - S6461635: [TESTBUG] BasicTests.sh test fails intermittently
  - S6545422: [TESTBUG] NativeErrors.java uses wrong path name in exec
  - S6653795: C2 intrinsic for Unsafe.getAddress performs pointer sign extension on 32-bit systems
  - S7028073: The currency symbol for Peru is wrong
  - S7047033: (smartcardio) Card.disconnect(boolean reset) does not reset when reset is true
  - S7183753: [TEST] Some colon in the diff for this test
  - S7077119, PR2165, G534118: remove past transition dates from CurrencyData.properties file
  - S7085757: Currency Data: ISO 4217 Amendment 152
  - S7169142: CookieHandler does not work with localhost
  - S7172012, PR2067: Make test-in-build an option (Queens)
  - S7185456: (ann) Optimize Annotation handling in java/sun.reflect.* code for small number of annotations
  - S7195759: ISO 4217 Amendment 154
  - S8000897, RH1155012: VM crash in CompileBroker
  - S8001105: findVirtual of Object[].clone produces internal error
  - S8005232: (JEP-149) Class Instance size reduction
  - S8006748: getISO3Country() returns wrong value
  - S8012026: [macosx] Component.getMousePosition() does not work in an applet on MacOS
  - S8015421: NegativeArraySizeException occurs in ChunkedOutputStream() with Integer.MAX_VALUE
  - S8020190, PR2160, RH1176718: Fatal: Bug in native code: jfieldID must match object
  - S8021121: ISO 4217 Amendment Number 156
  - S8021372: NetworkInterface.getNetworkInterfaces() returns duplicate hardware address
  - S8022721: TEST_BUG: AnnotationTypeDeadlockTest.java throws java.lang.IllegalStateException: unexpected condition
  - S8025051: Update resource files for TimeZone display names
  - S8026792: HOTSPOT: licensee reports a JDK8 build failure after 8005849/8005008 fixes integrated.
  - S8027359: XML parser returns incorrect parsing results
  - S8028623, PR2112, RH1168693: SA: hash codes in SymbolTable mismatching java_lang_String::hash_code for extended characters.
  - S8028627: Unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store codebase mappings
  - S8028726: (prefs) Check src/solaris/native/java/util/FileSystemPreferences.c for JNI pending exceptions
  - S8029153: [TESTBUG] test/compiler/7141637/SpreadNullArg.java fails because it expects NullPointerException
  - S8031046: Native Windows ccache might still get unsupported ticket
  - S8031502: JSR292: IncompatibleClassChangeError in LambdaForm for CharSequence.toString() method handle type converter
  - S8032078: [macosx] CPlatformWindow.setWindowState throws RuntimeException, if windowState=ICONIFIED|MAXIMIZED_BOTH
  - S8032669: Mouse release not being delivered to Swing component in 7u45
  - S8032788: ImageIcon constructor throws an NPE and hangs when passed a null String parameter
  - S8032909: XSLT string-length returns incorrect length when string includes complementary chars
  - S8034200: Test java/net/CookieHandler/LocalHostCookie.java fails after fix of JDK-7169142
  - S8036863: Update jdk7 testlibrary to match jdk8 in hotspot
  - S8040168: Set hotspot version to hs24.66 and build to b01 for 7u66
  - S8040617: [macosx] Large JTable cell results in a OutOfMemoryException
  - S8041132: Increment hsx 24.66 build to b02 for 7u66-b09
  - S8041408: Increment hsx 24.55 build to b04 for 7u55-b34
  - S8041572: [macosx] huge native memory leak in AWTWindow.m
  - S8041990: [macosx] Language specific keys does not work in applets when opened outside the browser
  - S8043610: Sorting columns in JFileChooser fails with AppContext NPE
  - S8044603: Increment minor version of HSx for 7u71 and initialize the build number
  - S8046343: (smartcardio) CardTerminal.connect('direct') does not work on MacOSX
  - S8049250: Need a flag to invert the Card.disconnect(reset) argument
  - S8049343: (tz) Support tzdata2014g
  - S8049758: Increment minor version of HSx for 7u75 and initialize the build number
  - S8050485: super() in a try block in a ctor causes VerifyError
  - S8051359: JPopupMenu creation in headless mode with JDK9b23 causes NPE
  - S8051614: smartcardio TCK tests fail due to lack of 'reset' permission
  - S8055222: Currency update needed for ISO 4217 Amendment #159
  - S8056211: api/java_awt/Event/InputMethodEvent/serial/index.html#Input[serial2002] failure
  - S8057184: JCK8's api/javax_swing/JDesktopPane/descriptions.html#getset failed with GTKLookAndFeel on Linux and Solaris
  - S8058715: stability issues when being launched as an embedded JVM via JNI
  - S8059206: (tz) Support tzdata2014i
  - S8060474: Resolve more parsing ambiguity
  - S8061685: Increment hsx 24.75 build to b02 for 7u75-b06
  - S8061785: [TEST_BUG] serviceability/sa/jmap-hashcode/Test8028623.java has utf8 character corrupted by earlier merge
  - S8061826: Part of JDK-8060474 should be reverted
  - S8062561: Test bug8055304 fails if file system default directory has read access
  - S8062807: Exporting RMI objects fails when run under restrictive SecurityManager
  - S8064300: Increment hsx 24.75 build to b03 for 7u75-b06
  - S8064560: (tz) Support tzdata2014j
  - S8065608: 7u75 l10n resource file translation update
  - S8065787: Increment hsx 24.75 build to b04 for 7u75-b10
  - S8066747: Backing out Japanese translation change in awt_ja.properties
  - S8067364, PR2145, RH114622: Printing to Postscript doesn't support dieresis
* Bug fixes
  - PR2064: Unset OS before running OpenJDK build
  - PR2069: Type-punning warnings still evident on RHEL 5
  - PR2094, RH1163501: 2048-bit DH upper bound too small for Fedora infrastructure
  - PR2123: SunEC provider crashes when built using system NSS
  - PR2124: Synchronise elliptic curves in sun.security.ec.NamedCurve with those listed by NSS
  - PR2135: Race condition in SunEC provider with system NSS
  - PR2161: RHEL 6 has a version of GIO which meets the version criteria, but has no g_settings_*
  - PR2032: CACAO lacks JVM_FindClassFromCaller introduced by security patch in 2.5.3
* JamVM
  - PR2050: JamVM lacks JVM_FindClassFromCaller introduced by security patch in 2.5.3
  - PR2171: JamVM builds with executable stack, causing failures on SELinux & PaX kernels
* AArch64 port
  - Use the IcedTea7 fork version rather than the one based on HotSpot 25.
  - Add arch-specific processing of tmp1 register needed for d/f2i
  - Add char_array_equals intrinsic
  - Add CNEG and CNEGW to macro assembler.
  - Add frame anchor fences.
  - Add missing instruction synchronization barriers and cache flushes.
  - Add some memory barriers for object creation and runtime calls.
  - Add support for A53 multiply accumulate
  - Add support for AES Intrinsics
  - Add support for pipeline scheduling
  - Add support for String.indexOf intrinsic
  - Added make rules to allow aarch64-x86 hybrid build to progress
  - Added missing aarch64-specific include
  - Added missing aarch64-specific make file
  - Added missing changes for debug code
  - Added missing inline method
  - Added missing shared global UseCRC32Intrinsics
  - Added pd global UseVectoredExceptions
  - Add local method to redirect to AbstractAssembler::relocate
  - Add missing declarations for CRC32 methods
  - Add missing include
  - Add missing special case code for aarch64
  - Add rules to assemble .S files
  - Add support for storing aarch64 call format
  - Add wrapper method to avoid dependency on not yet defined code buffer class
  - Added missing endif
  - Allow for 0x400 aligned offsets for byte_map_base
  - Array load must only read 32 bits
  - A more efficient sequence for C1_MacroAssembler::float_cmp.
  - Backout 8c8b5e62e624 and instead move .S rule from zeroshark.make to rules.make
  - Backout additional changes made in ec6a6772fed6, which revert parts of the PPC/AIX port and IcedTea fixes.
  - Call ICache::invalidate_range() from Relocation::pd_set_data_value().
  - Changed klass oop encode to heap oop encode
  - Changed Method* to methodOop
  - Correct assert to allow for AArch64
  - Correct for difference in include hierarchy
  - Correct typos
  - Corrected error in disassembler code
  - Corrected include
  - Corrected include path
  - Corrected pipeline class for countTrailingZerosL
  - Corrected type
  - Corrected typo
  - Correct includes
  - Correct Method to methdoOopDesc
  - Define uabs().  Use it everywhere an absolute value is wanted.
  - Defn of BIND does not need to use __ macro
  - Delete dead code.
  - Disassembler library should be built as hsdis-aarch64.so
  - Don't test arraycopy routines when using AArch64 simulator
  - Emit_int64 is renamed
  - Ensure byte_map_base can be loaded using adrp with no need for following ldr
  - Ensure C1 static call stub employs absolute move to allow patching
  - Ensure C2 static calls use correct call adddress in static stub reloc
  - Ensure perm gen size is not rounded down to zero
  - Ensure rmethod is reloaded from stack when interpreter makes non leaf VM call
  - Ensure we pick up hsdis-aarch64.so if BUILTIN_SIM is true
  - Fix couple of mistakes in generate of method handle dispatch
  - Fix cut and paste-o in header
  - Fixed another typo
  - Fixed error in include
  - Fixed hsdis for aarch64 native or simulated
  - Fixed various typos and omissions
  - Fixed various typos, overlooked cases and wrong accessors
  - Fix error introduced into profiling code
  - Fix guarantee failure in synchronizer.cpp
  - Fix more errors introduced into interpreter profile counter increment
  - Fix relocations
  - Fix several small typos
  - Fix some typos
  - Fix thinko in Atomic::xchg_ptr.
  - Fix typo
  - Fix up aarch64-specific patching code
  - Fix up crc32 support
  - Fix various typos
  - Get rid of unnecessary declaration
  - Guess at how to implement C1 deoptimize_trap generator
  - Initial cut of aarch64 code pulled from jdk8 tree
  - Make aarch64-x86 hybrid build use correct paths
  - Make hsdis handle aarch64 native case
  - Make static stubs load methodOop in cpool to avoid problems at GC
  - Miscellaneous bug fixes.
  - Missing change needed to support aarch64 build
  - Modified make files to support aarch64 build
  - Modified shared src to support full aarch64 backport
  - Moved fields which need access from java to top level
  - Need to actually return the adapter code size
  - Need to pass CFLAGS when assembling .S files using CC_COMPILE
  - Need to use class handle not class
  - Provide missing CRC32 methods
  - Reload rcpool register after a VM call in case a permgen GC has moved the cache
  - Relocated aarch64 vtable generate code to conform to jdk7
  - Remove comment to avoid breaking macro
  - Removed aarch64 compiled_IC implementation to conform to jdk7
  - Removed metaspaceShared code to conform to jdk7
  - Removed redundant field use_XOR_for_compressed_class_base
  - Removed some errors in signal handling code
  - Removed undefined metadata case
  - Remove redundant bracket
  - Remove support for volatile load/store rules in ad file
  - Renamed emit_int32 to emit_long and added local emit_long64 in place of missing emit_int64
  - Restored missing open brace
  - Restored several load_heap_oop calls lost in translation
  - Restore working x86 build
  - Reverted aarch64 architecture description (ad) file to conform to jdk7
  - Reverted aarch64 c1_xxx files to conform to jdk7
  - Reverted aarch64 c2 globals to conform to jdk7
  - Reverted aarch64 frame code to conform to jdk7
  - Reverted aarch64 runtime code to conform to jdk7
  - Reverted aarch64 stubs code to conform to jdk7
  - Reverted aarch64 template interpreter code to conform to jdk7
  - Reverted aarch64 vm structs code to conform to jdk7
  - Reverted aarch64 vm version code to conform to jdk7
  - Reverted aarch64 vtable stubs code to conform to jdk7
  - Reverted assembler_aarch64.cpp/hpp to conform to jdk7
  - Reverted bytecodeInterpreter_aarch64 to conform to jdk7
  - Reverted global defs code to conform to jdk7
  - Reverted instr cache code to conform to jdk7
  - Reverted interpreter code to conform to jdk7
  - Reverted interpreter masm code to conform to jdk7
  - Reverted jni code to conform to jdk7
  - Reverted method handles code to conform to jdk7
  - Reverted native instr code to conform to jdk7
  - Reverted os_cpu/linux_aarch64 code to conform to jdk7
  - Reverted reloc info code to conform to jdk7
  - Revert Method:: etc to methodOopDesc:: etc
  - Scripts to build aarch64-x86 hybrid and aarch64 native debug images
  - Some errors revealed when building debug image
  - Temporarily disable running test_gamma
  - Tidy up allocation prefetch
  - Use correct post-increment size in repne_scanw
  - Use membar rules and delete special case volatile rules
  - Use method register to access counter increment field
  - Use movoop in C1 ic_call to keep verifier happy
  - Use os::malloc to allocate the register map.
  - Use the correct return value from the VM resolve call
  - Use TLS for ThreadLocalStorage::thread()
  - Various changes to accommodate inclusion of ppc port in icedtea7
  - Various concurrency fixes.
  - Work around weird compiler issue

The tarballs can be downloaded from:


We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:


These are produced using my public key. See details below.

      PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
      Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07

I'm transitioning to the use of a new key for signing releases over
the next year. Signatures made with this key are available at:


and the new key is:

    PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
    Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

SHA256 checksums:

5301b9a8592af2cf8e3e7a3650e5e1fe744c6d2de7f8ff78080b2eeae86a9800  icedtea-2.5.4.tar.gz
379388e05eeb2076fad256c95e8045f5b83ce18f9aac4f9d3875eafe840cb6e6  icedtea-2.5.4.tar.gz.sig
3d34129aa9c85f7e0cf8a90b8456a750a05951928d32ca00170dcb7b02ef5b05  icedtea-2.5.4.tar.gz.sig.ec
1b50f5c42417c899e0dc831351470557c504c4e648f72cc621be9318c215ffda  icedtea-2.5.4.tar.xz
c86eeaefb7c7b6e869c24933da07882a2779d045b1d6b05d77f36ac7a089aeb0  icedtea-2.5.4.tar.xz.sig
defd356e7dc9f93bc692246ebae28bdf58e5ebadfdfa74296062630fd6866715  icedtea-2.5.4.tar.xz.sig.ec

The checksums can be downloaded from:


The following people helped with these releases:

* Andrew Dinn (AArch64 backport)
* Andrew Hughes (all backports & other bug fixes, release management)
* Robert Lougher (JamVM build fix)
* Xerxes Rånby (CACAO build fix)
* Pavel Tisnovsky (executable stack issue with JamVM)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.5.4.tar.gz


$ tar x -I xz -f icedtea-2.5.4.tar.xz


$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.5.4/configure
$ make

Full build requirements and instructions are available in the INSTALL file.
Happy hacking!
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: Digital signature
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20150122/919ec78a/signature-0001.asc>

More information about the distro-pkg-dev mailing list