[SECURITY] IcedTea 2.6.3 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Fri Nov 13 08:27:09 UTC 2015

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with
an additional October 2015 security fix from OpenJDK 7 u91.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always

Full details of the release can be found below.

What’s New?
New in release 2.6.3 (2015-11-13):

* Security fixes
  - S8142882, CVE-2015-4871: rebinding of the receiver of a DirectMethodHandle may allow a protected method to be accessed
* Backports
  - S8133196, PR2712, RH1251935: HTTPS hostname invalid issue with InetAddress
  - S8140620, PR2710: Find and load default.sf2 as the default soundbank on Linux

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.3.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.6.3.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-2.6.3.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.6.3.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over
the next year. Signatures made with this key are available at:

* http://icedtea.classpath.org/download/source/icedtea-2.6.3.tar.gz.sig.ec
* http://icedtea.classpath.org/download/source/icedtea-2.6.3.tar.xz.sig.ec

and the new key is:

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this newer key.

SHA256 checksums:

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.3.sha256

The following people helped with these releases:

* Andrew Hughes (all backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.3.tar.gz

or:

$ tar x -I xz -f icedtea-2.6.3.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.3/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!

Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
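
The signature check described in the announcement above, as an added example that is not part of the original message or the IcedTea project's tooling. The helper names (`status_signed_by`, `verify_release`, `OLD_KEY_FPR`, `NEW_KEY_FPR`) are hypothetical, and it assumes the signing key has already been imported into the local GnuPG keyring.

```shell
#!/bin/sh
# Added example: accept a detached signature only when GnuPG reports it as
# good AND it was made by a key whose full fingerprint matches the one
# published in the announcement. The 8-digit key IDs (248BDC07, 35964222)
# are too short to identify a key uniquely, so the full value is pinned.

# Fingerprints as printed in the announcement, spaces removed.
OLD_KEY_FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07   # rsa4096/248BDC07
NEW_KEY_FPR=5132579DD1540ED23E04C5A0CFDA0F9B35964222   # ed25519/35964222

# status_signed_by FPR
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if gpg
# emitted GOODSIG and a VALIDSIG line that names FPR either as the signing
# key (field 3) or as its primary key (last field).
status_signed_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { valid = 1 }
        END { exit !(good && valid) }'
}

# verify_release TARBALL SIGFILE FPR
# Runs the detached-signature check and applies the fingerprint pin.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_signed_by "$3"
}

# Typical use, after downloading the tarball and both signature files:
#   verify_release icedtea-2.6.3.tar.xz icedtea-2.6.3.tar.xz.sig    "$OLD_KEY_FPR"
#   verify_release icedtea-2.6.3.tar.xz icedtea-2.6.3.tar.xz.sig.ec "$NEW_KEY_FPR"   # needs GnuPG >= 2.1
```

Running `sha256sum -c icedtea-2.6.3.sha256` in the download directory additionally catches corrupted transfers, but the checksum file is served from the same host as the tarballs, so the signature check is the one that establishes authenticity.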