[SECURITY] IcedTea 1.13.8 for OpenJDK 6 Released!

Andrew Hughes gnu.andrew at redhat.com
Thu Jul 30 20:14:26 UTC 2015


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver, the ability to build
against system libraries and support for alternative virtual machines
and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 6 support in the 1.13.x series with
the July 2015 security fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are
always welcome.

Full details of the release can be found below.

What’s New?
===========
New in release 1.13.8 (2015-07-29):

* Security fixes
  - S8043202, CVE-2015-2808: Prohibit RC4 cipher suites
  - S8067694, CVE-2015-2625: Improved certification checking
  - S8071715, CVE-2015-4760: Tune font layout engine
  - S8071731: Better scaling for C1
  - S8072490: Better font morphing redux
  - S8072887: Better font handling improvements
  - S8073334: Improved font substitutions
  - S8073773: Presume path preparedness
  - S8073894: Getting to the root of certificate chains
  - S8074330: Set font anchors more solidly
  - S8074335: Substitute for substitution formats
  - S8074865, CVE-2015-2601: General crypto resilience changes
  - S8074871: Adjust device table handling
  - S8075374, CVE-2015-4748: Responding to OCSP responses
  - S8075378, CVE-2015-4749: JNDI DnsClient Exception Handling
  - S8075738: Better multi-JVM sharing
  - S8075838: Method for typing MethodTypes
  - S8075853, CVE-2015-2621: Proxy for MBean proxies
  - S8076328, CVE-2015-4000: Enforce key exchange constraints
  - S8076376, CVE-2015-2628: Enhance IIOP operations
  - S8076397, CVE-2015-4731: Better MBean connections
  - S8076401, CVE-2015-2590: Serialize OIS data
  - S8076405, CVE-2015-4732: Improve serial serialization
  - S8076409, CVE-2015-4733: Reinforce RMI framework
  - S8077520, CVE-2015-2632: Morph tables into improved form
  - PR2488, CVE-2015-4000: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize
* Import of OpenJDK6 b36
  - OJ58: Allow OpenJDK to build on PaX-enabled kernels
  - OJ59: Only apply PaX-marking when needed by a running PaX kernel
  - OJ60, PR2484: Disable export ciphers by default
  - OJ61: Remove translation strings for ErrorMsg.JAXP_INVALID_ATTR_VALUE_ERR which doesn't exist in OpenJDK 6
  - OJ62, PR2552: Restrict key size of RSA certificates to >= 1024
  - OJ63: Remove @Override annotation on interfaces added by 2015/07/14 security fixes.
  - S6787645: CRL validation code should permit some clock skew when checking validity of CRLs
  - S6996365: Evaluate the priorities of cipher suites
  - S7185471: Avoid key expansion when AES cipher is re-init w/ the same key
  - S8007142: Add utility classes for writing better multiprocess tests in jtreg
  - S8008089: Delete OS dependent check in JdkFinder.getExecutable()
  - S8024861: Incomplete token triggers GSS-API NullPointerException
  - S8027058: sun/management/jmxremote/bootstrap/RmiBootstrapTest.sh Failed to initialize connector
  - S8036786: Update jdk7 testlibrary to match jdk8
  - S8042205: javax/management/monitor/*: some tests didn't get all the notifications
  - S8042982: Unexpected RuntimeExceptions being thrown by SSLEngine
  - S8043200, PR2485: Decrease the preference mode of RC4 in the enabled cipher suite list
  - S8043201: Deprecate RC4 in SunJSSE provider
  - S8046817: JDK 8 schemagen tool does not generate xsd files for enum types
  - S8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred
  - S8050158: Introduce system property to maintain RC4 preference order
  - S8062923: XSL: Run-time internal error in 'substring()'
  - S8062924: XSL: wrong answer from substring() function
  - S8064546: CipherInputStream throws BadPaddingException if stream is not fully read
  - S8065764: javax/management/monitor/CounterMonitorTest.java hangs
  - S8066952: [TEST-BUG] javax/management/monitor/CounterMonitorTest.java hangs
  - S8073357: schema1.xsd has wrong content. Sequence of the enum values has been changed
  - S8073385: Bad error message on parsing illegal character in XML attribute
  - S8074098: 2D_Font/Bug8067699 test fails with SIGBUS crash on Solaris Sparc
  - S8074297: substring in XSLT returns wrong character if string contains supplementary chars
  - S8075575: com/sun/security/auth/login/ConfigFile/InconsistentError.java failed in certain env.
  - S8075576: com/sun/security/auth/module/KeyStoreLoginModule/OptionTest.java failed in certain env.
  - S8075667: (tz) Support tzdata2015b
  - S8076290: JCK test api/xsl/conf/string/string17 starts failing after JDK-8074297
  - S8077685: (tz) Support tzdata2015d
  - S8078348: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with BindException
  - S8078439: SPNEGO auth fails if client proposes MS krb5 OID
  - S8078666, PR2327: JVM fastdebug build compiled with GCC 5 asserts with "widen increases"
  - S8080318: jdk8u51 l10n resource file translation update
  - S8081386: Test sun/management/jmxremote/bootstrap/RmiSslBootstrapTest.sh test has RC4 dependencies
  - S8081775: two lib/testlibrary tests are failing with "Error. failed to clean up files after test" with jtreg 4.1 b12
* Backports
  - S4890063, PR2306, RH1214835: HPROF: default text truncated when using doe=n option
  - S6562614, PR2555: Compiler warnings for gettimeofday in Inet4/Inet6AddressImpl.c
  - S6956398, PR2486: make ephemeral DH key match the length of the certificate key
  - S6989466, PR2555: Miscellaneous compiler warnings in java/lang, java/util, java/io, sun/misc native code
  - S6991580, PR2309: IPv6 Nameservers in resolv.conf throws NumberFormatException
  - S6997561, PR2479: A request for better error handling in JNDI
  - S7007905, PR2298: javazic produces wrong line numbers
  - S7017176, PR2479: Several JNDI tests are missing GPL header
  - S7058708, PR2298: Eliminate JDK build tools build warnings
  - S7069870, PR2298: Parts of the JDK erroneously rely on generic array initializers with diamond
  - S7090844, PR2298: Support a timezone whose offset is changed more than once in the future
  - S7094377, PR2479: Com.sun.jndi.ldap.read.timeout doesn't work with ldaps.
  - S7133138, PR2298: Improve io performance around timezone lookups
  - S7170638, PR2495: Use DTRACE_PROBE[N] in JNI Set and SetStatic Field.
  - S8000487, PR2479: Java JNDI connection library on ldap conn is not honoring configured timeout
  - S8011709, PR2510: [parfait] False positive: memory leak in jdk/src/share/native/sun/font/layout/CanonShaping.cpp
  - S8023052, PR2510: JVM crash in native layout
  - S8039921, PR2468: SHA1WithDSA with key > 1024 bits not working
  - S8041451, PR2480: com.sun.jndi.ldap.Connection:ReadTimeout should abandon ldap request
  - S8042855, PR2510: [parfait] Potential null pointer dereference in IndicLayoutEngine.cpp
  - S8042857, PR2479: 14 stuck threads waiting for notification on LDAPRequest
  - S8065238, PR2479: javax.naming.NamingException after upgrade to JDK 8
  - S8074761, PR2469: Empty optional parameters of LDAP query are not interpreted as empty
  - S8078654, PR2334: CloseTTFontFileFunc callback should be removed
  - S8081315, PR2406: Avoid giflib interlacing workaround with giflib 5.0.0 on
  - S8081475, PR2495: SystemTap does not work when JDK is compiled with GCC 5
  - S8087120, RH1206656, PR2554: [GCC5] java.lang.StackOverflowError on Zero JVM initialization on non x86 platforms.
* Bug fixes
  - PR2319: Checksum of policy JAR files changes on every build
  - PR2340: Fail early if there is no native HotSpot JIT & all other options are disabled
  - PR2342: Update README & INSTALL files
  - PR2360: Ensure all stamp targets have aliases
  - PR2391: Make elliptic curve removal optional
  - PR2460: Policy JAR files should be timestamped with the date of the policy file they hold
  - PR2481, RH489586, RH1236619: OpenJDK can't handle spaces in zone names in /etc/sysconfig/clock
  - PR2486: JSSE server is still limited to 768-bit DHE
  - PR2508, G541462: Only apply PaX markings by default on running PaX kernels
  - PR2556, G390663: Update Gentoo font configuration and allow font directory to be specified
  - PR2559: generated directory gets confused with generated alias
  - PR2565: Replace ipv4-mapped-ipv6-addresses.patch with upstream fix 6882910
* CACAO
  - PR829: Raise javadoc and JAVAC_FLAGS memory limits for CACAO
* JamVM
  - PR2522: Add executable stack markings to callNative.S on JamVM

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea6-1.13.8.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.13.8.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea6-1.13.8.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea6-1.13.8.tar.xz.sig

    PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
        Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over
the next year. Signatures made with this key are available at:

* http://icedtea.classpath.org/download/source/icedtea6-1.13.8.tar.gz.sig.ec
* http://icedtea.classpath.org/download/source/icedtea6-1.13.8.tar.xz.sig.ec

and the new key is:

    PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
        Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this newer key.

SHA256 checksums:

05fd1584e458ddaaf1d464842431dbcbcbaf7f9ef9f92f9cebaa180ccbbc5d1b  icedtea6-1.13.8.tar.gz
27fe15966c69d40f3ccec392b6725aafe81fcbd14fd698067a46eff23cb94620  icedtea6-1.13.8.tar.gz.sig
1af0e21b109b58d27ce063696b42f1cdded0f829f51440f716540bec138355ed  icedtea6-1.13.8.tar.gz.sig.ec
fcbc623957e393a00d6189cb88288fed21c21860485092ea7719a12fbbc00adb  icedtea6-1.13.8.tar.xz
95dad7fbcb133e461e557fbe343f0cf27aeb2972cce58ad9184c71e0bc9431c1  icedtea6-1.13.8.tar.xz.sig
2b4f32188d5631c0bc3f0168099cd903b09f7b6832b82c2060b6b8003de1567c  icedtea6-1.13.8.tar.xz.sig.ec

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea6-1.13.8.sha256

The following people helped with these releases:

* James Le Cuirot (PR829 CACAO work)
* Andrew Hughes (all backports and other bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.13.8.tar.gz

or:

$ tar x -I xz -f icedtea6-1.13.8.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea6-1.13.8/configure
$ make

Full build requirements and instructions are available in the INSTALL file.
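Before unpacking, a practitioner would check the tarball against the published checksum and detached signature, and compare the signing key's full fingerprint with the ones announced above rather than trusting the short key id alone. The script below is an added example, not part of the release or the IcedTea project; it assumes curl, sha256sum, GNU tar with xz and gpg are installed and that the release key has already been imported into the local keyring from the keyserver named above.

```shell
#!/bin/sh
# Added example: verify an IcedTea release tarball before unpacking it.
# URLs, file names and fingerprints are those given in the release mail.
set -eu

RELEASE="icedtea6-1.13.8"
BASE_URL="http://icedtea.classpath.org/download/source"
# Primary-key fingerprints announced for the rsa4096 and ed25519 signing keys
EXPECTED_FPRS="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07 5132579DD1540ED23E04C5A0CFDA0F9B35964222"

# check_sha256 SUMSFILE FILE: succeed only if FILE is listed in SUMSFILE and its
# digest matches. The .sha256 file is served by the same HTTP server as the
# tarball, so this catches corruption, not substitution; the signature does that.
check_sha256() {
    expected=$(awk -v f="$2" '$2 == f { print $1 }' "$1")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# check_signature FILE SIGFILE: verify the detached signature and insist that the
# signing key (subkey or primary) carries one of the announced fingerprints; a
# short id such as 248BDC07 is not enough to identify a key.
check_signature() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    fprs=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; print $NF }')
    for got in $fprs; do
        for want in $EXPECTED_FPRS; do
            [ "$got" = "$want" ] && return 0
        done
    done
    return 1
}

# Download tarball, signature and checksum list, verify both, then unpack.
verify_release() {
    for f in "$RELEASE.tar.xz" "$RELEASE.tar.xz.sig" "$RELEASE.sha256"; do
        curl -fsSLO "$BASE_URL/$f"
    done
    check_sha256 "$RELEASE.sha256" "$RELEASE.tar.xz" || { echo "checksum mismatch" >&2; return 1; }
    check_signature "$RELEASE.tar.xz" "$RELEASE.tar.xz.sig" || { echo "bad or unexpected signature" >&2; return 1; }
    tar x -I xz -f "$RELEASE.tar.xz"   # only unpack once both checks pass
}

# The network flow runs only when the script is invoked with --run
if [ "${1:-}" = "--run" ]; then
    verify_release
fi
```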

Happy hacking!
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07