[SECURITY] IcedTea 2.6.1 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Tue Jul 21 18:57:53 UTC 2015


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with
the July 2015 security fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are
always welcome.

Full details of the release can be found below.

What’s New?
===========
New in release 2.6.1 (2015-07-21):

* Security fixes
  - S8043202, CVE-2015-2808: Prohibit RC4 cipher suites
  - S8067694, CVE-2015-2625: Improved certification checking
  - S8071715, CVE-2015-4760: Tune font layout engine
  - S8071731: Better scaling for C1
  - S8072490: Better font morphing redux
  - S8072887: Better font handling improvements
  - S8073334: Improved font substitutions
  - S8073773: Presume path preparedness
  - S8073894: Getting to the root of certificate chains
  - S8074330: Set font anchors more solidly
  - S8074335: Substitute for substitution formats
  - S8074865, CVE-2015-2601: General crypto resilience changes
  - S8074871: Adjust device table handling
  - S8075374, CVE-2015-4748: Responding to OCSP responses
  - S8075378, CVE-2015-4749: JNDI DnsClient Exception Handling
  - S8075738: Better multi-JVM sharing
  - S8075833, CVE-2015-2613: Straighter Elliptic Curves
  - S8075838: Method for typing MethodTypes
  - S8075853, CVE-2015-2621: Proxy for MBean proxies
  - S8076328, CVE-2015-4000: Enforce key exchange constraints
  - S8076376, CVE-2015-2628: Enhance IIOP operations
  - S8076397, CVE-2015-4731: Better MBean connections
  - S8076401, CVE-2015-2590: Serialize OIS data
  - S8076405, CVE-2015-4732: Improve serial serialization
  - S8076409, CVE-2015-4733: Reinforce RMI framework
  - S8077520, CVE-2015-2632: Morph tables into improved form
  - PR2487, CVE-2015-4000: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize
* OpenJDK
  - S7124253: [macosx] Flavor change notification not coming
  - S8007219: [macosx] Frame size reverts meaning of maximized attribute if frame size close to display
  - S8013581: [macosx] Key Bindings break with awt GraphicsEnvironment setFullScreenWindow
  - S8014464: Update jcheck for OpenJDK 7
  - S8020210: [macosx] JVM crashes in CWrapper$NSWindow.screen(long)
  - S8027058: sun/management/jmxremote/bootstrap/RmiBootstrapTest.sh Failed to initialize connector
  - S8027561: [macosx] Cleanup "may not respond to selector" warnings in native code
  - S8029868: Fix KSS issues in sun.lwawt.macosx
  - S8042205: javax/management/monitor/*: some tests didn't  get all the notifications
  - S8043201: Deprecate RC4 in SunJSSE provider
  - S8046817: JDK 8 schemagen tool does not generate xsd files for enum types
  - S8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred
  - S8064546: CipherInputStream throws BadPaddingException if stream is not fully read
  - S8065764: javax/management/monitor/CounterMonitorTest.java hangs
  - S8066952: [TEST-BUG] javax/management/monitor/CounterMonitorTest.java hangs
  - S8068674: Increment minor version of HSx for 7u85 and initialize the build number
  - S8071668: [macosx] Clipboard does not work with 3rd parties Clipboard Managers
  - S8073357: schema1.xsd has wrong content. Sequence of the enum values has been changed
  - S8073385: Bad error message on parsing illegal character in XML attribute
  - S8074098: 2D_Font/Bug8067699 test fails with SIGBUS crash on Solaris Sparc
  - S8074297: substring in XSLT returns wrong character if string contains supplementary chars
  - S8075575: com/sun/security/auth/login/ConfigFile/InconsistentError.java failed in certain env.
  - S8075576: com/sun/security/auth/module/KeyStoreLoginModule/OptionTest.java failed in certain env.
  - S8075667: (tz) Support tzdata2015b
  - S8076290: JCK test api/xsl/conf/string/string17 starts failing after JDK-8074297
  - S8077685: (tz) Support tzdata2015d
  - S8078348: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with BindException
  - S8078439: SPNEGO auth fails if client proposes MS krb5 OID
  - S8078529: Increment the build value to b02 for hs24.85 in 7u85
  - S8078562: Add modified dates
  - S8080318: jdk8u51 l10n resource file translation update
  - S8081386: Test sun/management/jmxremote/bootstrap/RmiSslBootstrapTest.sh test has RC4 dependencies
  - S8081622: Increment the build value to b03 for hs24.85 in 7u85
  - S8081775: two lib/testlibrary tests are failing with "Error. failed to clean up files after test" with jtreg 4.1 b12
  - OJ01: Allow OpenJDK to build on PaX-enabled kernels
  - OJ02: Fix build where PAX_COMMAND is not specified
  - OJ03: Only apply PaX-marking when needed by a running PaX kernel
  - OJ04: Revert introduction of lambda expression in sun.lwawt.macosx.LWCToolkit
  - OJ05: Fix mistake in 8075374 backport
* Backports
  - S8087120, RH1206656, PR2553: [GCC5] java.lang.StackOverflowError on Zero JVM initialization on non x86 platforms.
* Bug fixes
  - PR2501: libjavasctp.so doesn't need to link against libdl when linking against libsctp
  - PR2502: Remove -fno-tree-vectorize workaround now http://gcc.gnu.org/PR63341 is fixed
  - PR2503: Add existence check for all optional dependencies in jdk_generic_profile.sh
  - PR2521: Systems with a GLib without libgio segfault when obtaining proxy information

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.1.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.6.1.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-2.6.1.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.6.1.tar.xz.sig

These are produced using my public key. See details below.

    PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over
the next year. Signatures made with this key are available at:

* http://icedtea.classpath.org/download/source/icedtea-2.6.1.tar.gz.sig.ec
* http://icedtea.classpath.org/download/source/icedtea-2.6.1.tar.xz.sig.ec

and the new key is:

    PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
    Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

SHA256 checksums:

491866e57199b0bc99d716be3eabaab97d9f6a698d1a652d748baeddeedfe963  icedtea-2.6.1.tar.gz
8c16de4a0cd2301fb63aebe393d2c715a077f992ee1f97a5bf626d4b69162b22  icedtea-2.6.1.tar.gz.sig
fd5813b6b3fb0f2f973bfe247daa460a64bae1483330ebfe162e62d2d80712e3  icedtea-2.6.1.tar.gz.sig.ec
cce4fac1e729690e986ef6f6d1c47b507f622a61da33d57d2b0a8c12e23e2068  icedtea-2.6.1.tar.xz
dd894de3b06f90ef5e12618ccc971811388b440ff0d00151fdabe3c35b64e7f4  icedtea-2.6.1.tar.xz.sig
144af57a421f941c50d01c3a6a527e9bc90f78fc621bd1c5af5b73272e7fe851  icedtea-2.6.1.tar.xz.sig.ec

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.1.sha256

The following people helped with these releases:

* Andrew Hughes (all backports, bug fixes & release management)
* Omair Majid (OJ5)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.1.tar.gz

or:

$ tar x -I xz -f icedtea-2.6.1.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.1/configure
$ make

Full build requirements and instructions are available in the INSTALL file.
Happy hacking!
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
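
The check that the announcement's signatures, fingerprints and checksums exist for, written out as an added example (not part of the original message or the IcedTea project's own tooling): it compares the SHA256 value and then accepts a signature only when gpg reports the full fingerprint published above. It assumes the signing keys are already imported into the local keyring and that `sha256sum`, `awk` and `gpg` are installed; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: verify an IcedTea 2.6.1 download before building it.
# Fingerprints and the checksum are the values published in the announcement.

OLD_KEY_FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"   # rsa4096, signs *.sig
NEW_KEY_FPR="5132579DD1540ED23E04C5A0CFDA0F9B35964222"   # ed25519, signs *.sig.ec
TARBALL_XZ_SHA256="cce4fac1e729690e986ef6f6d1c47b507f622a61da33d57d2b0a8c12e23e2068"

# check_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
check_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# signer_matches STATUS_TEXT FINGERPRINT: succeed only if gpg's machine-readable
# status holds a VALIDSIG record whose signing-key fingerprint (field 3) or
# primary-key fingerprint (last field) equals the pinned one.
signer_matches() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# verify_release TARBALL SIGNATURE FINGERPRINT SHA256: run both checks in order.
verify_release() {
    check_sha256 "$1" "$4" || { echo "checksum mismatch: $1" >&2; return 1; }
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || {
        echo "bad or unverifiable signature: $2" >&2; return 1; }
    signer_matches "$status" "$3" || {
        echo "signature made by an unexpected key: $2" >&2; return 1; }
}

# Usage, once the tarball, its signatures and the keys have been fetched:
#   verify_release icedtea-2.6.1.tar.xz icedtea-2.6.1.tar.xz.sig \
#       "$OLD_KEY_FPR" "$TARBALL_XZ_SHA256"
#   verify_release icedtea-2.6.1.tar.xz icedtea-2.6.1.tar.xz.sig.ec \
#       "$NEW_KEY_FPR" "$TARBALL_XZ_SHA256"
```

Comparing the full fingerprint matters because `gpg --verify` succeeds for a good signature from any key in the keyring, and the 8-digit IDs `248BDC07` and `35964222` are too short to identify a key uniquely.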