[SECURITY] IcedTea 2.6.2 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Fri Oct 23 05:45:13 UTC 2015

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with
the October 2015 security fixes from OpenJDK 7 u91.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always

Full details of the release can be found below.

What's New?
New in release 2.6.2 (2015-10-22):

* Security fixes
  - S8048030, CVE-2015-4734: Expectations should be consistent
  - S8068842, CVE-2015-4803: Better JAXP data handling
  - S8076339, CVE-2015-4903: Better handling of remote object invocation
  - S8076383, CVE-2015-4835: Better CORBA exception handling
  - S8076387, CVE-2015-4882: Better CORBA value handling
  - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency
  - S8076413, CVE-2015-4883: Better JRMP message handling
  - S8078427, CVE-2015-4842: More supportive home environment
  - S8078440: Safer managed types
  - S8080541: More direct property handling
  - S8080688, CVE-2015-4860: Service for DGC services
  - S8081760: Better group dynamics
  - S8086092, CVE-2015-4840: More palette improvements
  - S8086733, CVE-2015-4893: Improve namespace handling
  - S8087350: Improve array conversions
  - S8103671, CVE-2015-4805: More objective stream classes
  - S8103675: Better Binary searches
  - S8130078, CVE-2015-4911: Document better processing
  - S8130193, CVE-2015-4806: Improve HTTP connections
  - S8130864: Better server identity handling
  - S8130891, CVE-2015-4843: (bf) More direct buffering
  - S8131291, CVE-2015-4872: Perfect parameter patterning
  - S8132042, CVE-2015-4844: Preserve layout presentation
* Import of OpenJDK 7 u85 build 2
  - S8133968: Revert 8014464 on OpenJDK 7
  - S8133993: [TEST_BUG] Make CipherInputStreamExceptions compile on OpenJDK 7
  - S8134248: Fix recently backported tests to work with OpenJDK 7u
  - S8134610: Mac OS X build fails after July 2015 CPU
  - S8134618: test/javax/xml/jaxp/transform/8062923/XslSubstringTest.java has bad license header
* Import of OpenJDK 7 u91 build 1
  - S6854417: TESTBUG: java/util/regex/RegExTest.java fails intermittently
  - S6966259: Make PrincipalName and Realm immutable
  - S8005226: java/rmi/transport/pinClientSocketFactory/PinClientSocketFactory.java fails intermittently
  - S8014097: add doPrivileged methods with limited privilege scope
  - S8021191: Add isAuthorized check to limited doPrivileged methods
  - S8028780: JDK KRB5 module throws OutOfMemoryError when CCache is corrupt
  - S8064331: JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC
  - S8072932: Test fails with java.security.AccessControlException: access denied ("java.security.SecurityPermission" "getDomainCombiner")
  - S8076506: Increment minor version of HSx for 7u91 and initialize the build number
  - S8078822: 8068842 fix missed one new file PrimeNumberSequenceGenerator.java
  - S8079323: Serialization compatibility for Templates: need to exclude Hashtable from serialization
  - S8087118: Remove missing package from java.security files
  - S8098547: (tz) Support tzdata2015e
  - S8130253: ObjectStreamClass.getFields too restrictive
  - S8133321: (tz) Support tzdata2015f
  - S8135043: ObjectStreamClass.getField(String) too restrictive
* Backports
  - S6880559, PR2674: Enable PKCS11 64-bit windows builds
  - S6904403, PR2674: assert(f == k->has_finalizer(),"inconsistent has_finalizer") with debug VM
  - S7011441, PR2674: jndi/ldap/Connection.java needs to avoid spurious wakeup
  - S7059542, PR2674: JNDI name operations should be locale independent
  - S7105461, PR2571: Large JTables are not rendered correctly with Xrender pipeline
  - S7105883, PR2560: JDWP: agent crash if there exists a ThreadGroup with null name
  - S7107611, PR2674: sun.security.pkcs11.SessionManager is scalability blocker
  - S7127066, PR2674: Class verifier accepts an invalid class file
  - S7150092, PR2674: NTLM authentication fail if user specified a different realm
  - S7150134, PR2571: JCK api/java_awt/Graphics/index.html#DrawLine fails with OOM for jdk8 with XRender pipeline
  - S7152582, PR2674: PKCS11 tests should use the NSS libraries available in the OS
  - S7156085, PR2674: ArrayIndexOutOfBoundsException throws in UTF8Reader of SAXParser
  - S7177045, PR2674: Rework the TestProviderLeak.java regression test, it is too fragile to low memory errors.
  - S7190945, PR2674: pkcs11 problem loading NSS libs on Ubuntu
  - S8005226, PR2674: java/rmi/transport/pinClientSocketFactory/PinClientSocketFactory.java fails intermittently
  - S8009438, PR2674: sun/security/pkcs11/Secmod tests failing on Ubuntu 12.04
  - S8011709, PR2509: [parfait] False positive: memory leak in jdk/src/share/native/sun/font/layout/CanonShaping.cpp
  - S8012971, PR2674: PKCS11Test hiding exception failures
  - S8016105, PR2560: Add complementary RETURN_NULL allocation macros in allocation.hpp
  - S8020424, PR2674: The NSS version should be detected before running crypto tests
  - S8020443, PR2674: Frame is not created on the specified GraphicsDevice with two monitors
  - S8021897, PR2560: EXCEPTION_ACCESS_VIOLATION on debugging String.contentEquals()
  - S8022683, PR2560: JNI GetStringUTFChars should return NULL on allocation failure not abort the VM
  - S8023052, PR2509: JVM crash in native layout
  - S8025922, PR2560: JNI access to Strings need to check if the value field is non-null
  - S8026119, PR2679: Regression test DHEKeySizing.java failing intermittently
  - S8027624, PR2674: com/sun/crypto/provider/KeyFactory/TestProviderLeak.java unstable again
  - S8033069, PR2674: mouse wheel scroll closes combobox popup
  - S8035150, PR2674: ShouldNotReachHere() in ConstantPool::copy_entry_to
  - S8039212, PR2674: SecretKeyBasic.sh needs to avoid NSS libnss3 and libsoftokn3 version mismatches
  - S8042855, PR2509: [parfait] Potential null pointer dereference in IndicLayoutEngine.cpp
  - S8044364, PR2674: runtime/RedefineFinalizer test fails on windows
  - S8048353, PR2674: jstack -l crashes VM when a Java mirror for a primitive type is locked
  - S8050123, PR2674: Incorrect property name documented in CORBA InputStream API
  - S8056122, PR1896: Upgrade JDK to use LittleCMS 2.6
  - S8056124, PR2674: Hotspot should use PICL interface to get cacheline size on SPARC
  - S8057934, PR1896: Upgrade to LittleCMS 2.6 breaks AIX build
  - S8059200, PR2674: Promoted JDK9 b31 for Solaris-amd64 fails (Error: dl failure on line 744, no picl library) on Solaris 11.1
  - S8059588, PR2674: deadlock in java/io/PrintStream when verbose java.security.debug flags are set
  - S8062518, PR2674: AIOBE occurs when accessing to document function in extended function in JAXP
  - S8062591, PR2674: SPARC PICL causes significantly longer startup times
  - S8072863, PR2674: Replace fatal() with vm_exit_during_initialization() when an incorrect class is found on the bootclasspath
  - S8073453, PR2674: Focus doesn't move when pressing Shift + Tab keys
  - S8074350, PR2674: Support ISO 4217 "Current funds codes" table (A.2)
  - S8074869, PR2674: C2 code generator can replace -0.0f with +0.0f on Linux
  - S8075609, PR2674: java.lang.IllegalArgumentException: aContainer is not a focus cycle root of aComponent
  - S8075773, PR2674: jps running as root fails after the fix of JDK-8050807
  - S8076040, PR2674: Test com/sun/crypto/provider/KeyFactory/TestProviderLeak.java fails with -XX:+UseG1GC
  - S8076328, PR2679: Enforce key exchange constraints
  - S8076455, PR2674: IME Composition Window is displayed on incorrect position
  - S8076968, PR2674: PICL based initialization of L2 cache line size on some SPARC systems is incorrect
  - S8077102, PR2674: dns_lookup_realm should be false by default
  - S8077409, PR2674: Drawing deviates when validate() is invoked on java.awt.ScrollPane
  - S8078113, PR2674: 8011102 changes may cause incorrect results
  - S8078331, PR1896: Upgrade JDK to use LittleCMS 2.7
  - S8080012, PR2674: JVM times out with vdbench on SPARC M7-16
  - S8081392, PR2674: getNodeValue should return 'null' value for Element nodes
  - S8081470, PR2674: com/sun/jdi tests are failing with "Error. failed to clean up files after test" with jtreg 4.1 b12
  - S8081756, PR1896: Mastering Matrix Manipulations
  - S8130297, PR2674: com/sun/crypto/provider/KeyFactory/TestProviderLeak.java still failing after JDK-8076040
  - S8133636, PR2674: [TEST_BUG] Import/add tests for the problem seen in 8076110
* Bug fixes
  - PR2512: Reset success following calls in LayoutManager.cpp
  - PR2557, G390663: Update Gentoo font configuration and allow font directory to be specified 
  - PR2568: openjdk causes a full desktop crash on RHEL 6 i586
  - PR2683: AArch64 port has broken Zero on AArch64
  - PR2684: AArch64 port not selected on architectures where host_cpu != aarch64
  - PR2686: Add generated Fedora & Gentoo font configurations for bootstrap stage
  - PR2652: Set classLoader field in java.lang.Class as expected by JDK

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.2.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.6.2.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-2.6.2.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.6.2.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over
the next year. Signatures made with this key are available at:

* http://icedtea.classpath.org/download/source/icedtea-2.6.2.tar.gz.sig.ec
* http://icedtea.classpath.org/download/source/icedtea-2.6.2.tar.xz.sig.ec

and the new key is:

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this newer key.

SHA256 checksums:

The checksums can be downloaded from:

*  http://icedtea.classpath.org/download/source/icedtea-2.6.2.sha256

The following people helped with this release:

* Andrew Hughes (all other backports & bug fixes, release management)
* Omair Majid (most security backports, with the exception of S8086092 & S8048030)
* Stefan Ring (PR2652)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.2.tar.gz


$ tar x -I xz -f icedtea-2.6.2.tar.xz


$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.2/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
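
The verification the announcement describes, as an added example that is not part of the original message: it checks a downloaded tarball against the published checksum list and accepts a detached signature only if GnuPG reports the full fingerprint given above, not just the short key ID. The function names are hypothetical; it assumes the tarball, signature and checksum files are already downloaded and the signing keys imported.

```shell
#!/usr/bin/env bash
# Fingerprints copied from the announcement, spaces removed.
OLD_KEY_FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"   # rsa4096 key, signs *.sig
NEW_KEY_FPR="5132579DD1540ED23E04C5A0CFDA0F9B35964222"   # ed25519 key, signs *.sig.ec

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line names
# the expected key as the signing key (field 3) or as the primary key (last field).
validsig_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# usage: verify_sig <sigfile> <tarball> <fingerprint>
# A bad signature or a missing public key produces no VALIDSIG line, so this fails.
verify_sig() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | validsig_matches "$3"
}

# usage: check_sha256 <checksum-file> <tarball>
# Selects only the line whose filename field is exactly <tarball>, so entries
# for the .sig files are not checked; no matching line counts as a failure.
check_sha256() {
    awk -v f="$2" '$2 == f' "$1" | sha256sum -c --status -
}

# Constructed status line (not real gpg output): the key shares the short ID
# 35964222 but has a different full fingerprint, so it must be rejected.
sample='[GNUPG:] VALIDSIG 0000000000000000000000000000000035964222 2015-10-23 1445579113 0 4 0 22 8 00 0000000000000000000000000000000035964222'
if printf '%s\n' "$sample" | validsig_matches "$NEW_KEY_FPR"; then
    echo "accepted"
else
    echo "rejected: full fingerprint does not match"
fi

# Typical use after downloading the files named in the announcement:
#   check_sha256 icedtea-2.6.2.sha256 icedtea-2.6.2.tar.xz &&
#   verify_sig icedtea-2.6.2.tar.xz.sig    icedtea-2.6.2.tar.xz "$OLD_KEY_FPR" &&
#   verify_sig icedtea-2.6.2.tar.xz.sig.ec icedtea-2.6.2.tar.xz "$NEW_KEY_FPR"
```

As the announcement states, the `.sig.ec` check needs GnuPG 2.1 or later.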