[SECURITY] IcedTea 1.13.6 for OpenJDK 6 Released!

Andrew Hughes gnu.andrew at redhat.com
Sun Jan 25 20:39:35 UTC 2015


----- Original Message -----
> Hello, for those that try to build against giflib-5.1.0, there is a
> need of the attached little tiny patch. It is needed for 1.7.0 too.
> 

Thanks. I'll include it in the next set of releases.

> Cheers
> 
> Fridrich
> 
> 
> 
> 
> On 24/01/15 01:39, Andrew Hughes wrote:
> > The IcedTea project provides a harness to build the source code
> > from OpenJDK using Free Software build tools, along with
> > additional features such as a PulseAudio sound driver, the ability
> > to build against system libraries and support for alternative
> > virtual machines and architectures beyond those supported by
> > OpenJDK.
> > 
> > This release updates our OpenJDK 6 support in the 1.13.x series
> > with the January 2015 security fixes.
> > 
> > If you find an issue with the release, please report it to our bug
> > database (http://icedtea.classpath.org/bugzilla) under the
> > appropriate component. Development discussion takes place on the
> > distro-pkg-dev at openjdk.java.net mailing list and patches are
> > always welcome.
> > 
> > Full details of the release can be found below.
> > 
> > What's New?
> > ===========
> > New in release 1.13.6 (2015-01-23):
> >
> > * Security fixes
> >   - S8046656: Update protocol support
> >   - S8047125, CVE-2015-0395: (ref) More phantom object references
> >   - S8047130: Fewer escapes from escape analysis
> >   - S8048035, CVE-2015-0400: Ensure proper proxy protocols
> >   - S8049253: Better GC validation
> >   - S8050807, CVE-2015-0383: Better performing performance data handling
> >   - S8054367, CVE-2015-0412: More references for endpoints
> >   - S8055304, CVE-2015-0407: More boxing for DirectoryComboBoxModel
> >   - S8055309, CVE-2015-0408: RMI needs better transportation considerations
> >   - S8055479: TLAB stability
> >   - S8055489, CVE-2014-6585: Better substitution formats
> >   - S8056264, CVE-2014-6587: Multicast support improvements
> >   - S8056276, CVE-2014-6591: Fontmanager feature improvements
> >   - S8057555, CVE-2014-6593: Less cryptic cipher suite management
> >   - S8058982, CVE-2014-6601: Better verification of an exceptional invokespecial
> >   - S8059485, CVE-2015-0410: Resolve parsing ambiguity
> >   - S8061210, CVE-2014-3566: Issues in TLS
> > * Import of OpenJDK6 b34
> >   - OJ43: Backport JAX_WS-945; Socket backlog may be limiting lwhs performance
> >   - OJ44: Add missing TimeZone test cases included in OpenJDK 7 revision 0.
> >   - OJ45: Fix copyright headers on imported files
> >   - OJ46: Fix lost Classpath exception
> >   - OJ47: Remove @Override annotation on interfaces added by 2015/01/20 security fixes.
> >   - OJ48: Fix substitution error.
> >   - OJ49: Fix placement of 8023956 fix.
> >   - OJ50: Fix reference to missing pd_attempt_reserve_memory_at
> >   - S4873188: Support TLS 1.1
> >   - S6364329: jstat displays "invalid argument count" with usage
> >   - S6461635: [TESTBUG] BasicTests.sh test fails intermittently
> >   - S6507067: TimeZone country/area message error
> >   - S6545422: [TESTBUG] NativeErrors.java uses wrong path name in exec
> >   - S6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
> >   - S6585666: Spanish language names not compliant with CLDR
> >   - S6587676: Krb5LoginModule failure if useTicketCache=true on Vista
> >   - S6608572: Currency change for Malta and Cyprus
> >   - S6610748: Dateformat - AM-PM indicator in Finnish appears to be from English
> >   - S6627549: ISO 3166 code addition: Saint Barthelemy and Saint Martin
> >   - S6631048: Problem when writing on output stream of HttpURLConnection
> >   - S6641309: Wrong Cookie separator used in HttpURLConnection
> >   - S6641312: Fix krb5 codes indentation problems
> >   - S6645271: Wrong date format for Croatian (hr) locale
> >   - S6646611: Incorrect spelling of month name in locale for Belarusian language ("be", "BY")
> >   - S6647452: Remove obfuscation, framework and provider self-verification checking
> >   - S6653795: C2 intrinsic for Unsafe.getAddress performs pointer sign extension on 32-bit systems
> >   - S6659779: HttpURLConnections logger should log tunnel requests
> >   - S6670362: HTTP/SPNEGO should work across realms
> >   - S6716626: Integrate contributed language and country names for NL
> >   - S6720866: Slow performance using HttpURLConnection for upload
> >   - S6726695: HttpURLConnection shoul support 'Expect: 100-continue' headers for PUT
> >   - S6729881: Compiler warning in networking native code
> >   - S6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
> >   - S6776102: sun/util/resources/TimeZone/Bug6317929.java test failed against 6u12b01 and passed against 6u11b03
> >   - S6786276: Locale.getISOCountries() still contains country code "CS"
> >   - S6792180: Enhance to reject weak algorithms or conform to crypto recommendations
> >   - S6811297: Add more logging to HTTP protocol handler
> >   - S6822460: support self-issued certificate
> >   - S6830658: Changeset 67e5d3e41b5b breaks the fastdebug build in NativeCreds.c
> >   - S6835668: Use of /usr/include/linux/ files creates a dependence on kernel-headers
> >   - S6855297: Windows build breaks after 6811297
> >   - S6856856: NPE in HTTP protocol handler logging
> >   - S6868106: Ukrainian currency has wrong format
> >   - S6870908: reopen bug 4244752: month names in Estonian should be lowercase
> >   - S6873931: New Turkish currency since 2009
> >   - S6882594: Remove static dependancy on NTLM authentication
> >   - S6899503: Security code issue using Verisign root certificate
> >   - S6910489: Slovenia Locale, wrong firstDayOfWeek number
> >   - S6911104: Tests do not work with CYGWIN: tools, sun/tools, and com/sun/tools
> >   - S6914413: abbreviation name for November is not correct in be_BY
> >   - S6916787: Ukrainian currency name needs to be fixed
> >   - S6919624: minimalDaysInFirstWeek ressource for hungarian is wrong
> >   - S6931564: Incorrect display name of Locale for south africa
> >   - S6931566: NetworkInterface is not working when interface name is more than 15 characters long
> >   - S6938454: 2 new testcases for bug: Unable to determine generic type in program that compiles under Java 6
> >   - S6938454: Unable to determine generic type in program that compiles under Java 6
> >   - S6945604: wrong error message in CardImpl.java
> >   - S6962617: Testcase changes, cleanup of problem list for jdk_tools targets
> >   - S6964714: NetworkInterface getInetAddresses enumerates IPv6 addresses if java.net.preferIPvStack property set
> >   - S6967937: Scope id no longer being set after 6931566
> >   - S6972374: NetworkInterface.getNetworkInterfaces throws "java.net.SocketException" on Solaris zone
> >   - S6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
> >   - S7001720: copyright templates not rebranded
> >   - S7019267: Currency Display Names are not localized into pt_BR.
> >   - S7020583: Some currency names are missing in some locales
> >   - S7020960: CurrencyNames_sr_RS.properties is missing.
> >   - S7022269: clean up fscanf usage in Linux networking native code
> >   - S7025837: fix plural currency display names in sr_Latn_(BA|ME|RS).properties
> >   - S7028073: The currency symbol for Peru is wrong
> >   - S7035555: 4/4 attach/BasicTests.sh needs another tweak for Cygwin
> >   - S7036025: java.security.AccessControlException when creating JFileChooser in signed applet
> >   - S7036905: [de] dem - the german mark display name is incorrect
> >   - S7047033: (smartcardio) Card.disconnect(boolean reset) does not reset when reset is true
> >   - S7066203: Update currency data to the latest ISO 4217 standard
> >   - S7077119: remove past transition dates from CurrencyData.properties file
> >   - S7085757: Currency Data: ISO 4217 Amendment 152
> >   - S7122142, RH1151372: (ann) Race condition between isAnnotationPresent and getAnnotations
> >   - S7153184: NullPointerException when calling SSLEngineImpl.getSupportedCipherSuites
> >   - S7161796, RH1151372: PhaseStringOpts::fetch_static_field tries to fetch field from the Klass instead of the mirror
> >   - S7171028: dots are missed in the datetime for Slovanian
> >   - S7174244: NPE in Krb5ProxyImpl.getServerKeys()
> >   - S7185456: (ann) Optimize Annotation handling in java/sun.reflect.* code for small number of annotations
> >   - S7189611: Venezuela current Currency should be Bs.F.
> >   - S7195759: ISO 4217 Amendment 154
> >   - S7199066: Typo in method name
> >   - S7201205: Add Makefile configuration option to build with unlimited crypto in OpenJDK.
> >   - S8005232: (JEP-149) Class Instance size reduction
> >   - S8006748: getISO3Country() returns wrong value
> >   - S8013836: getFirstDayOfWeek reports wrong day for pt-BR locale
> >   - S8015421: NegativeArraySizeException occurs in ChunkedOutputStream() with Integer.MAX_VALUE
> >   - S8015570: Use long comparison in Rule.getRules().
> >   - S8021121: ISO 4217 Amendment Number 156
> >   - S8021372: NetworkInterface.getNetworkInterfaces() returns duplicate hardware address
> >   - S8022721: TEST_BUG: AnnotationTypeDeadlockTest.java throws java.lang.IllegalStateException: unexpected condition
> >   - S8023956: Provide a work-around to broken Linux 32 bit "Exec Shield" using CS for NX emulation (crashing with SI_KERNEL)
> >   - S8025051: Update resource files for TimeZone display names
> >   - S8026772: test/sun/util/resources/TimeZone/Bug6317929.java failing
> >   - S8027359: XML parser returns incorrect parsing results
> >   - S8027370: Support tzdata2013h
> >   - S8027695: There should be a space before % sign in Swedish locale
> >   - S8028627: Unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store codebase mappings
> >   - S8028726: (prefs) Check src/solaris/native/java/util/FileSystemPreferences.c for JNI pending exceptions
> >   - S8029153: [TESTBUG] test/compiler/7141637/SpreadNullArg.java fails because it expects NullPointerException
> >   - S8029318: Native Windows ccache still reads DES tickets
> >   - S8030822: (tz) Support tzdata2013i
> >   - S8031046: Native Windows ccache might still get unsupported ticket
> >   - S8032788: ImageIcon constructor throws an NPE and hangs when passed a null String parameter
> >   - S8032909: XSLT string-length returns incorrect length when string includes complementary chars
> >   - S8035613: With active Securitymanager JAXBContext.newInstance fails
> >   - S8037012: (tz) Support tzdata2014a
> >   - S8038306: (tz) Support tzdata2014b
> >   - S8040617: [macosx] Large JTable cell results in a OutOfMemoryException
> >   - S8041990: [macosx] Language specific keys does not work in applets when opened outside the browser
> >   - S8043012: (tz) Support tzdata2014c
> >   - S8046343: (smartcardio) CardTerminal.connect('direct') does not work on MacOSX
> >   - S8049250: Need a flag to invert the Card.disconnect(reset) argument
> >   - S8049343: (tz) Support tzdata2014g
> >   - S8050485: super() in a try block in a ctor causes VerifyError
> >   - S8051012: Regression in verifier for <init> method call from inside of a branch
> >   - S8051614: smartcardio TCK tests fail due to lack of 'reset' permission
> >   - S8054367: More references for endpoints
> >   - S8055222: Currency update needed for ISO 4217 Amendment #159
> >   - S8056211: api/java_awt/Event/InputMethodEvent/serial/index.html#Input[serial2002] failure
> >   - S8058715: stability issues when being launched as an embedded JVM via JNI
> >   - S8059206: (tz) Support tzdata2014i
> >   - S8060474: Resolve more parsing ambiguity
> >   - S8061826: Part of JDK-8060474 should be reverted
> >   - S8062561: Test bug8055304 fails if file system default directory has read access
> >   - S8062807: Exporting RMI objects fails when run under restrictive SecurityManager
> >   - S8064560: (tz) Support tzdata2014j
> > * Backports
> >   - OJ51, PR2187: Sync patch for 4873188 with 7 version
> >   - OJ52, PR2185: Application of 6786276 introduces compatibility issue
> >   - OJ53, PR2181: strict-aliasing warnings issued on PPC32
> >   - OJ54, PR2182: 6911104 reintroduces test fragment removed in existing 6964018 backport
> >   - S6730740, PR2186: Fix for 6729881 has apparently broken several 64 bit tests: "Bad address"
> >   - S7031830, PR2183: bad_record_mac failure on TLSv1.2 enabled connection with SSLEngine
> >   - S8000897, PR2173, RH1155012: VM crash in CompileBroker
> >   - S8020190, PR2174, RH1176718: Fatal: Bug in native code: jfieldID must match object
> >   - S8028623, PR2177, RH1168693: SA: hash codes in SymbolTable mismatching java_lang_String::hash_code for extended characters.
> >   - S8061785, PR2177: [TEST_BUG] serviceability/sa/jmap-hashcode/Test8028623.java has utf8 character corrupted by earlier merge
> > * Bug fixes
> >   - PR1831: Drop version requirement for LCMS 2
> >   - PR1832, RH1022017: Report elliptic curves supported by NSS, not the SunEC library
> >   - PR2033: patches/ecj/jaxws-getdtdtype.patch no longer applies since removal of JAXWS drop
> >   - PR2062: Unset OS before running OpenJDK build
> >   - PR2070: Type-punning warnings still evident on RHEL 5
> >   - PR2082: Cast should use same type as GCDrainStackTargetSize (uintx).
> >   - PR2096, RH1163501: 2048-bit DH upper bound too small for Fedora infrastructure
> >   - PR2125: Synchronise elliptic curves in sun.security.ec.NamedCurve with those listed by NSS
> >   - PR2179: Avoid x86 workaround when running Zero rather than a JIT
> >   - PR2180: Old autotools dislike $(builddir)/fsg.sh
> > * CACAO
> >   - PR2184: CACAO lacks JVM_FindClassFromCaller introduced by security patch in 1.13.6
> > * JamVM
> >   - PR2190: JamVM lacks JVM_FindClassFromCaller introduced by security patch in 1.13.6
> > 
> > The tarballs can be downloaded from:
> > 
> > http://icedtea.classpath.org/download/source/icedtea6-1.13.6.tar.gz
> > http://icedtea.classpath.org/download/source/icedtea6-1.13.6.tar.xz
> > 
> > We provide both gzip and xz tarballs, so that those who are able to
> > make use of the smaller tarball produced by xz may do so.
> > 
> > The tarballs are accompanied by digital signatures available at:
> > 
> > http://icedtea.classpath.org/download/source/icedtea6-1.13.6.tar.gz.sig
> > http://icedtea.classpath.org/download/source/icedtea6-1.13.6.tar.xz.sig
> > 
> > These are produced using my public key. See details below.
> > 
> > PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
> > Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
> > 
> > I'm transitioning to the use of a new key for signing releases
> > over the next year. Signatures made with this key are available
> > at:
> > 
> > http://icedtea.classpath.org/download/source/icedtea6-1.13.6.tar.gz.sig.ec
> > http://icedtea.classpath.org/download/source/icedtea6-1.13.6.tar.xz.sig.ec
> > 
> > and the new key is:
> > 
> > PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
> > Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
> > 
> > SHA256 checksums:
> > 
> > 
> > The checksums can be downloaded from:
> > 
> > http://icedtea.classpath.org/download/source/icedtea6-1.13.6.sha256
> >
> > The following people helped with these releases:
> > 
> > * Andrew Dinn (backport of S8047125)
> > * Andrew Hughes (all other backports, release management)
> > 
> > We would also like to thank the bug reporters and testers!
> > 
> > To get started:
> > 
> > $ tar xzf icedtea6-1.13.6.tar.gz
> > 
> > or:
> > 
> > $ tar x -I xz -f icedtea6-1.13.6.tar.xz
> > 
> > then:
> > 
> > $ mkdir icedtea-build
> > $ cd icedtea-build
> > $ ../icedtea6-1.13.6/configure
> > $ make
> > 
> > Full build requirements and instructions are available in the
> > INSTALL file.
> > 
> > Happy hacking!
> > 
> 

-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
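
Added example (not part of the original message and not the IcedTea project's own tooling): the announcement lists 8-digit key IDs next to full fingerprints, so a verification script can pin the signer to those two fingerprints rather than accept any key gpg happens to find. The function names and the sample status text are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: accept a release signature only when GnuPG reports that it
# was made by one of the two keys whose fingerprints the announcement lists.

# Fingerprints copied from the announcement, spaces removed.
OLD_FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07   # rsa4096/248BDC07
NEW_FPR=5132579DD1540ED23E04C5A0CFDA0F9B35964222   # ed25519/35964222

# signer_fpr: read `gpg --status-fd` output on stdin and print the last field
# of each VALIDSIG line (the primary-key fingerprint). Fails when there is no
# VALIDSIG line, which is what a bad or unverifiable signature produces.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; n++ }
         END { exit (n > 0) ? 0 : 1 }'
}

# fpr_allowed FPR: exact match on the full 40-hex-digit fingerprint. A key that
# merely shares the 8-digit short ID with an announced key is rejected.
fpr_allowed() {
    case "$1" in
        "$OLD_FPR" | "$NEW_FPR") return 0 ;;
        *) return 1 ;;
    esac
}

# verify_release TARBALL SIGFILE: hypothetical wrapper. Works for the .sig
# files (old key) and the .sig.ec files (new key) alike.
verify_release() {
    fpr=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | signer_fpr) || return 1
    fpr_allowed "$fpr"
}

# Constructed sample of gpg status output (dates and timestamps are made up),
# used to exercise the parser without a keyring or network access.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3B96A578248BDC07 Constructed Signer
[GNUPG:] VALIDSIG EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07 2015-01-23 1422000000 0 4 0 1 2 00 EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07'

# check_sample: succeeds when the sample's signer is one of the announced keys.
check_sample() {
    fpr_allowed "$(printf '%s\n' "$SAMPLE_STATUS" | signer_fpr)"
}
```

A call such as verify_release icedtea6-1.13.6.tar.xz icedtea6-1.13.6.tar.xz.sig needs the signing key to be in the local keyring already.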


