[SECURITY] IcedTea 2.6.8 for OpenJDK 7 Released!
Andrew Hughes
gnu_andrew at member.fsf.org
Mon Nov 14 06:25:56 UTC 2016
The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.
This release updates our OpenJDK 7 support in the 2.6.x series with
the October 2016 security fixes from OpenJDK 7 u121.
If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always
welcome.
Full details of the release can be found below.
What's New?
===========
New in release 2.6.8 (2016-11-13):
* Security fixes
- S8151921: Improved page resolution
- S8155968: Update command line options
- S8155973, CVE-2016-5542: Tighten jar checks
- S8157176: Improved classfile parsing
- S8157739, CVE-2016-5554: Classloader Consistency Checking
- S8157749: Improve handling of DNS error replies
- S8157753: Audio replay enhancement
- S8157759: LCMS Transform Sampling Enhancement
- S8157764: Better handling of interpolation plugins
- S8158302: Handle contextual glyph substitutions
- S8158993, CVE-2016-5568: Service Menu services
- S8159495: Fix index offsets
- S8159503: Amend Annotation Actions
- S8159511: Stack map validation
- S8159515: Improve indy validation
- S8159519, CVE-2016-5573: Reformat JDWP messages
- S8160090: Better signature handling in pack200
- S8160094: Improve pack200 layout
- S8160098: Clean up color profiles
- S8160591, CVE-2016-5582: Improve internal array handling
- S8160838, CVE-2016-5597: Better HTTP service
- PR3207, RH1367357: lcms2: Out-of-bounds read in Type_MLU_Read()
* Import of OpenJDK 7 u121 build 0
- S6624200: Regression test fails: test/closed/javax/swing/JMenuItem/4654927/bug4654927.java
- S6882559: new JEditorPane("text/plain","") fails for null context class loader
- S7090158: Networking Libraries don't build with javac -Werror
- S7125055: ContentHandler.getContent API changed in error
- S7145960: sun/security/mscapi/ShortRSAKey1024.sh failing on windows
- S7187051: ShortRSAKeynnn.sh tests should do cleanup before start test
- S8000626: Implement dead key detection for KeyEvent on Linux
- S8003890: corelibs test scripts should pass TESTVMOPTS
- S8005629: javac warnings compiling java.awt.EventDispatchThread and sun.awt.X11.XIconWindow
- S8010297: Missing isLoggable() checks in logging code
- S8010782: clean up source files containing carriage return characters
- S8014431: cleanup warnings indicated by the -Wunused-value compiler option on linux
- S8015265: revise the fix for 8007037
- S8016747: Replace deprecated PlatformLogger isLoggable(int) with isLoggable(Level)
- S8020708: NLS mnemonics missing in SwingSet2/JInternalFrame demo
- S8024756: method grouping tabs are not selectable
- S8026741: jdk8 l10n resource file translation update 5
- S8048147: Privilege tests with JAAS Subject.doAs
- S8048357: PKCS basic tests
- S8049171: Additional tests for jarsigner's warnings
- S8059177: jdk8u40 l10n resource file translation update 1
- S8075584: test for 8067364 depends on hardwired text advance
- S8076486: [TESTBUG] javax/security/auth/Subject/doAs/NestedActions.java fails if extra VM options are given
- S8077953: [TEST_BUG] com/sun/management/OperatingSystemMXBean/TestTotalSwap.java Compilation failed after JDK-8077387
- S8080628: No mnemonics on Open and Save buttons in JFileChooser
- S8083601: jdk8u60 l10n resource file translation update 2
- S8140530: Creating a VolatileImage with size 0,0 results in no longer working g2d.drawString
- S8142926: OutputAnalyzer's shouldXXX() calls return this
- S8143134: L10n resource file translation update
- S8147077: IllegalArgumentException thrown by api/java_awt/Component/FlipBufferStrategy/indexTGF_General
- S8148127: IllegalArgumentException thrown by JCK test api/java_awt/Component/FlipBufferStrategy/indexTGF_General in opengl pipeline
- S8150611: Security problem on sun.misc.resources.Messages*
- S8157653: [Parfait] Uninitialised variable in awt_Font.cpp
- S8158734: JEditorPane.createEditorKitForContentType throws NPE after 6882559
- S8159684: (tz) Support tzdata2016f
- S8160934: isnan() is not available on older MSVC compilers
- S8162411: Service Menu services 2
- S8162419: closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing after JDK-8155968
- S8162511: 8u111 L10n resource file updates
- S8162792: Remove constraint DSA keySize < 1024 from jdk.jar.disabledAlgorithms in jdk8
- S8164452: 8u111 L10n resource file update - msgdrop 20
- S8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
- S8166381: Back out changes to the java.security file to not disable MD5
* Backports
- S6604109, PR3162: javax.print.PrintServiceLookup.lookupPrintServices fails SOMETIMES for Cups
- S6907252, PR3162: ZipFileInputStream Not Thread-Safe
- S8024046, PR3162: Test sun/security/krb5/runNameEquals.sh failed on 7u45 Embedded linux-ppc*
- S8028479, PR3162: runNameEquals still cannot precisely detect if a usable native krb5 is available
- S8034057, PR3162: Files.getFileStore and Files.isWritable do not work with SUBST'ed drives (win)
- S8038491, PR3162: Improve synchronization in ZipFile.read()
- S8038502, PR3162: Deflater.needsInput() should use synchronization
- S8059411, PR3162: RowSetWarning does not correctly chain warnings
- S8062198, PR3162: Add RowSetMetaDataImpl Tests and add column range validation to isdefinitlyWritable
- S8066188, PR3162: BaseRowSet returns the wrong default value for escape processing
- S8072466, PR3162: Deadlock when initializing MulticastSocket and DatagramSocket
- S8075118, PR3162: JVM stuck in infinite loop during verification
- S8076579, PR3162: Popping a stack frame after exception breakpoint sets last method param to exception
- S8078495, PR3162: End time checking for native TGT is wrong
- S8078668, PR3162: jar usage string mentions unsupported option '-n'
- S8080115, PR3162: (fs) Crash in libgio when calling Files.probeContentType(path) from parallel threads
- S8081794, PR3162: ParsePosition getErrorIndex returns 0 for TimeZone parsing problem
- S8129957, PR3162: Deadlock in JNDI LDAP implementation when closing the LDAP context
- S8130136, PR3162: Swing window sometimes fails to repaint partially when it becomes exposed
- S8130274, PR3162: java/nio/file/FileStore/Basic.java fails when two successive stores in an iteration are determined to be equal
- S8132551, PR3162: Initialize local variables before returning them in p11_convert.c
- S8133207, PR3162: [TEST_BUG] ParallelProbes.java test fails after changes for JDK-8080115
- S8133666, PR3162: OperatingSystemMXBean reports abnormally high machine CPU consumption on Linux
- S8135002, PR3162: Fix or remove broken links in objectMonitor.cpp comments
- S8137121, PR3162: (fc) Infinite loop FileChannel.truncate
- S8137230, PR3162: TEST_BUG: java/nio/channels/FileChannel/LoopingTruncate.java timed out
- S8139373, PR3162: [TEST_BUG] java/net/MulticastSocket/MultiDead.java failed with timeout
- S8140249, PR3162: JVM Crashing During startUp If Flight Recording is enabled
- S8141491, PR3160, G592292: Unaligned memory access in Bits.c
- S8144483, PR3162: One long Safepoint pause directly after each GC log rotation
- S8149611, PR3160, G592292: Add tests for Unsafe.copySwapMemory
* Bug fixes
- S8078628, PR3151: Zero build fails with pre-compiled headers disabled
- PR3128: pax-mark-vm script calls "exit -1" which is invalid in dash
- PR3131: PaX marking fails on filesystems which don't support extended attributes
- PR3135: Makefile.am rule stamps/add/tzdata-support-debug.stamp has a typo in add-tzdata dependency
- PR3141: Pass $(CC) and $(CXX) to OpenJDK build
- PR3166: invalid zip timestamp handling leads to error building bootstrap-javac
- PR3202: Update infinality configure test
- PR3212: Disable ARM32 JIT by default
* CACAO
- PR3136: CACAO is broken due to 2 new native methods in sun.misc.Unsafe (from S8158260)
* JamVM
- PR3134: JamVM is broken due to 2 new native methods in sun.misc.Unsafe (from S8158260)
* AArch64 port
- S8167200, PR3204: AArch64: Broken stack pointer adjustment in interpreter
- S8168888: Port 8160591: Improve internal array handling to AArch64.
- PR3211: AArch64 build fails with pre-compiled headers disabled
The tarballs can be downloaded from:
* http://icedtea.classpath.org/download/source/icedtea-2.6.8.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.6.8.tar.xz
We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.
The tarballs are accompanied by digital signatures available at:
* http://icedtea.classpath.org/download/source/icedtea-2.6.8.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.6.8.tar.xz.sig
These are produced using my public key. See details below.
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
GnuPG >= 2.1 is required to be able to handle this key.
SHA256 checksums:
e5f0a14077de47a1e6bcba672042880f1cb28859468fe95570555593a28fe02b icedtea-2.6.8.tar.gz
65628538255b2657b1228b534c18ffb74e52be11d1d25cf694d02f39efabf70d icedtea-2.6.8.tar.gz.sig
854030ff1b580d896dbabbdb0e64dc0ef3537786285808a7b3cdfcb80520255d icedtea-2.6.8.tar.xz
23336d9d5aa7256cfc267f9b86eb46b69e0439af3b479405d215f12932ebbe63 icedtea-2.6.8.tar.xz.sig
The checksums can be downloaded from:
* http://icedtea.classpath.org/download/source/icedtea-2.6.8.sha256
The following people helped with these releases:
* Tiago Stuermer Daitx (PR3134, PR3135, PR3211)
* Andrew Haley (S8167200 & S8168888)
* Andrew Hughes (all other backports & bug fixes, release management)
* Ricardo Ribalda (PR3166)
* Stefan Ring (PR3136)
We would also like to thank the bug reporters and testers!
To get started:
  $ tar xzf icedtea-2.6.8.tar.gz
or:
  $ tar x -I xz -f icedtea-2.6.8.tar.xz
then:
  $ mkdir icedtea-build
  $ cd icedtea-build
  $ ../icedtea-2.6.8/configure
  $ make
Full build requirements and instructions are available in the INSTALL file.
Happy hacking!
--
Andrew :)
Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
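
The checksum and signature check implied by the announcement above, as an added example that is not part of the original message or of the IcedTea project. It pins the fingerprint and tarball checksum published in the message; the function names and the sample status lines are constructed for illustration, and verify_release assumes sha256sum, awk and GnuPG >= 2.1 with the release key already imported.

```shell
#!/bin/sh
# Added example: verify an IcedTea 2.6.8 tarball against the values published
# in the announcement, instead of trusting any "Good signature" message.

# Fingerprint and icedtea-2.6.8.tar.gz checksum as published in the announcement.
PINNED_FPR=5132579DD1540ED23E04C5A0CFDA0F9B35964222
TARBALL_GZ_SHA256=e5f0a14077de47a1e6bcba672042880f1cb28859468fe95570555593a28fe02b

# sha256_matches FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# signed_by_pinned_key: read `gpg --status-fd` lines on stdin and succeed only
# if a VALIDSIG line names the pinned key, either as the signing key (field 3)
# or as the primary key (last field). GOODSIG alone only says that *some* key
# in the keyring made a valid signature.
signed_by_pinned_key() {
    awk -v pin="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == pin || $NF == pin) { ok = 1 }
        END { exit !ok }'
}

# verify_release TARBALL SIG EXPECTED_HEX: checksum first, then pinned signature.
verify_release() {
    sha256_matches "$1" "$3" || { echo "checksum mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | signed_by_pinned_key ||
        { echo "not signed by $PINNED_FPR: $2" >&2; return 1; }
    echo "OK: $1"
}

# Constructed status output (not captured from a real gpg run): a signature
# from the pinned key, and a valid signature from an unrelated key.
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CFDA0F9B35964222 Constructed User <user@example.invalid>
[GNUPG:] VALIDSIG 5132579DD1540ED23E04C5A0CFDA0F9B35964222 2016-11-14 1479104756 0 4 0 22 8 00 5132579DD1540ED23E04C5A0CFDA0F9B35964222'
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Constructed Other <other@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2016-11-14 1479104756 0 4 0 22 8 00 0000000000000000000000000000000000000001'

# Usage: sh verify.sh icedtea-2.6.8.tar.gz icedtea-2.6.8.tar.gz.sig <sha256>
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```

The pinned fingerprint is only as trustworthy as the channel it was copied from, so confirm it against a second source before relying on it.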