[SECURITY] IcedTea 3.3.0 for OpenJDK 8 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Sat Jan 28 21:16:35 UTC 2017


We are pleased to announce the release of IcedTea 3.3.0!

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 8 support with the October 2016 bug
fixes from OpenJDK 8 u112 and the January 2017 security fixes from
OpenJDK 8 u121.

The 'infinality' feature has been improved and is now known as
'improved font rendering'. It no longer requires a patched FreeType
and we intend to enable it by default from IcedTea 3.4.0 onwards.

We also make the build a little easier on some platforms by removing
the requirement for wget to be installed if downloading is disabled,
and supporting older Kerberos installations which don't use
pkg-config. We also add support for picking up the strangely named JVM
installation locations on RHEL 6 multilib platforms.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net OpenJDK mailing list and patches are
always welcome.

Full details of the release can be found below.

What’s New?
===========

New in release 3.3.0 (2017-01-28):

* Security fixes
  - S8138725: Add options for Javadoc generation
  - S8140353: Improve signature checking
  - S8151934, CVE-2017-3231: Resolve class resolution
  - S8156804, CVE-2017-3241: Better constraint checking
  - S8158406: Limited Parameter Processing
  - S8158997: JNDI Protocols Switch
  - S8159507: RuntimeVisibleAnnotation validation
  - S8161218: Better bytecode loading
  - S8161743, CVE-2017-3252: Provide proper login context
  - S8162577: Standardize logging levels
  - S8162973: Better component components
  - S8164143, CVE-2017-3260: Improve components for menu items
  - S8164147, CVE-2017-3261: Improve streaming socket output
  - S8165071, CVE-2016-2183: Expand TLS support
  - S8165344, CVE-2017-3272: Update concurrency support
  - S8166988, CVE-2017-3253: Improve image processing performance
  - S8167104, CVE-2017-3289: Additional class construction refinements
  - S8167223, CVE-2016-5552: URL handling improvements
  - S8168705, CVE-2016-5547: Better ObjectIdentifier validation
  - S8168714, CVE-2016-5546: Tighten ECDSA validation
  - S8168728, CVE-2016-5548: DSA signing improvments
  - S8168724, CVE-2016-5549: ECDSA signing improvments
* New features
  - PR3300: wget not required when downloading is disabled
  - PR3301: Support RHEL multilib installations which use the /usr/lib/jvm/java-1.x.0-openjdk.${arch} naming
  - PR3303: Allow Kerberos to be detected by old libs & headers method if pkg-config check fails
* Import of OpenJDK 8 u112 build 16
  - S6477756: GraphicsDevice.getConfigurations() is slow taking 3 or more seconds
  - S7172749: Xrender: Class cast exception in 2D code running an AWT regression test
  - S8017629: G1: UseSHM in combination with a G1HeapRegionSize > os::large_page_size() falls back to use small pages
  - S8022203: Intermittent test failures in demo/jvmti/hprof
  - S8022582: Relax response flags checking in sun.security.krb5.KrbKdcRep.check.
  - S8027575: b113 causing a lot of memory allocation and regression for wls_webapp_atomics
  - S8028486: java/awt/Window/WindowsLeak/WindowsLeak.java fails
  - S8030780: test/com/sun/corba/cachedSocket/7056731.sh leaves HelloServer behind
  - S8036630: Null ProtectionDomain in JVM can cause NPE because principals field is not initialized to an empty array
  - S8042660: vm/mlvm/anonloader/stress/byteMutation failed with: assert(index >=0 && index < _length) failed: symbol index overflow
  - S8044193: Need to add known answer tests for AES cipher
  - S8044575: testlibrary_tests/whitebox/vm_flags/UintxTest.java failed: assert(!res || TypeEntriesAtCall::arguments_profiling_enabled()) failed: no profiling of arguments
  - S8048601: Tests for JCE crypto ciphers (part 1)
  - S8048621: Implement basic keystore tests
  - S8048622: Enhance tests for PKCS11 keystores with NSS
  - S8049021: Add smartcardio tests with APDU buffer
  - S8049312: AES/CICO test failed with on several modes
  - S8050402: Tests to check for use of policy files
  - S8050409: Test for JAAS getPrivateCredentials
  - S8054326: Confusing message in "Current rem set statistics"
  - S8055772: get_source.sh : version check assumes English localization
  - S8057791: Selection in JList is drawn with wrong colors in Nimbus L&F
  - S8058865: JMX Test Refactoring
  - S8067964: Native2ascii doesn't close one of the streams it opens
  - S8071487: javax/management/monitor/GaugeMonitorDeadlockTest.java timed out
  - S8071909: Port testlibrary improvments in jdk/test to hotspot/test as required for DCMD test port
  - S8073542: File Leak in jdk/src/java/base/unix/native/libnet/PlainDatagramSocketImpl.c
  - S8074784: Additional tests for XML DSig API
  - S8075007: Additional tests for krb5-related cipher suites with unbound server
  - S8075297: Tests for RFEs 4515853 and 4745056
  - S8075299: Additional tests for krb5 settings
  - S8075301: Tests for sun.security.krb5.principal system property
  - S8077276: allocating heap with UseLargePages and HugeTLBFS may trash existing memory mappings (linux)
  - S8078268: javax.swing.text.html.parser.Parser parseScript incorrectly optimized
  - S8078382: Wrong glyph is displayed for a derived font
  - S8080729: [macosx] java 7 and 8 JDialogs on multiscreen jump to parent frame on focus
  - S8085903: New fix for memory leak in ProtectionDomain cache
  - S8098581: SecureRandom.nextBytes() hurts performance with small size requests
  - S8129740: Incorrect class file created when passing lambda in inner class constructor
  - S8130127: streamline input parameter of Nashorn scripting $EXEC function
  - S8130309: Need to bailout cleanly if creation of stubs fails when codecache is out of space
  - S8130317: "ant test" fails to complete on Windows when run under cygwin shell
  - S8133070: Hot lock on BulkCipher.isAvailable
  - S8133309: Some unicode characters do not display any more after upgrading to Windows 10
  - S8134232: KeyStore.load() throws an IOException with a wrong cause in case of wrong password
  - S8135322: ConstantPool::release_C_heap_structures not run in some circumstances
  - S8136998: JComboBox prevents wheel mouse scrolling of JScrollPane
  - S8137240: Negative lookahead in RegEx breaks backreference
  - S8138906: [TEST_BUG] Test test/script/trusted/JDK-8087292.js intermittently fails.
  - S8141148: LDAP "follow" throws ClassCastException with Java 8
  - S8141541: Simplify Nashorn's Context class loader handling
  - S8143640: Showing incorrect result while passing specific argument in the Java launcher tools
  - S8143642: Nashorn shebang argument handling is broken
  - S8144160: Regression: two tests fail on Windows with "ant test" target
  - S8144221: fix Nashorn shebang argument handling on Mac/Linux
  - S8144703: ClassCastException: sun.font.CompositeFont cannot be cast to PhysicalFont
  - S8145305: fix Nashorn shebang handling on Cygwin
  - S8145984: [macosx] sun.lwawt.macosx.CAccessible leaks
  - S8146975: NullPointerException in IIOPInputStream.inputClassFields
  - S8147026: Convert an assert in ClassLoaderData to a guarantee
  - S8147451: Crash in Method::checked_resolve_jmethod_id(_jmethodID*)
  - S8147585: Annotations with lambda expressions has parameter result in wrong behavior.
  - S8147969: Print size of DH keysize when errors are encountered
  - S8148140: arguments are handled differently in apply for JS functions and AbstractJSObjects
  - S8148984: [macosx] Chinese Comma cannot be entered using Pinyin Input Method on OS X
  - S8150219: ReferenceError in 1.8.0_72
  - S8150234: Windows 10 App Containers disallow access to ICMP calls
  - S8150814: correct package declaration in Nashorn test
  - S8151722: TESTBUG: New test compiler/native/TestDirtyInt.sh should be modified
  - S8153149: Uninitialised memory in WinAccessBridge.cpp:1128
  - S8153192: (se) Selector.select(long) uses wrong timeout after EINTR (lnx)
  - S8153781: Issue in XMLScanner: EXPECTED_SQUARE_BRACKET_TO_CLOSE_INTERNAL_SUBSET when skipping large DOCTYPE section with CRLF at wrong place
  - S8153948: sun/security/mscapi/ShortRSAKey1024.sh fails with "Field length overflow"
  - S8154009: Some methods of java.security.Security require more permissions, than necessary
  - S8154069: Jaws reads wrong values from comboboxes when no element is selected
  - S8154144: Tests in com/sun/jdi fails intermittently with "jdb input stream closed prematurely"
  - S8154469: Update FSF address
  - S8154553: Incorrect GPL header in package-info.java reported
  - S8154558: Incorrect GPL header in ProcessEnvironment_md.c reported
  - S8154816: Caps Lock doesn't work as expected when using Pinyin Simplified input method
  - S8154831: CastII/ConvI2L for a range check is prematurely eliminated
  - S8155001: SystemTray.remove() leaks GDI Objects in Windows
  - S8155106: MHs.Lookup.findConstructor returns handles for array classes
  - S8155214: java/lang/invoke/PermuteArgsTest.java fails due to exhausted code cache
  - S8156478: 3 Buffer overrun defect groups in jexec.c
  - S8156521: Minor fixes and cleanups in NetworkInterface.c
  - S8156714: Parsing issue with automatic semicolon insertion
  - S8156836: SIGSEGV: Test test/compiler/jsr292/VMAnonymousClasses.java fails with JTREG 4.2 b02
  - S8156896: Script stack trace should display function names
  - S8157160: JSON.stringify does not work on ScriptObjectMirror objects
  - S8157242: Some java/lang/invoke tests miss othervm
  - S8157444: exclude jjs shebang handling test from runs
  - S8157603: TestCipher.java doesn't check one of the decrypted message as expected
  - S8157680: Callback parameter of any JS builtin implementation should accept any Callable
  - S8157819: TypeError when a java.util.Comparator object is invoked as a function
  - S8158059: The fix for 8050402 was partially committed
  - S8158072: Need a test for JDK-7172749
  - S8158111: Make handling of 3rd party providers more stable
  - S8158178: java.awt.SplashScreen.getSize() returns incorrect size for high dpi splash screens
  - S8158338: Nashorn's ScriptLoader split delegation has to be adjusted
  - S8158373: SIGSEGV: Metadata::mark_on_stack
  - S8158467: AccessControlException is thrown on public Java class access if "script app loader" is set to null
  - S8158495: CCE: sun.java2d.NullSurfaceData cannot be cast to sun.java2d.opengl.OGLSurfaceData
  - S8158802: com.sun.jndi.ldap.SimpleClientId produces wrong hash code
  - S8158871: Long response times with G1 and StringDeduplication
  - S8159822: Non-synchronized access to shared members of com.sun.jndi.ldap.pool.Pool
  - S8160122: Backport of JDK-8159244 used wrong version of the JDK 9 fix
  - S8160518: Semicolon is not recognized as comment starting character (Kerberos)
  - S8160693: ScriptRunData.java uses bitwise AND instead of logical AND
  - S8161144: Fix for JDK-8147451 failed: Crash in Method::checked_resolve_jmethod_id(_jmethodID*)
  - S8162510: 8u112 L10n resource file updates
  - S8164453: 8u112 L10n resource file update - msgdrop 20
* Import of OpenJDK 8 u121 build 13
  - S8037099: [macosx] Remove all references to GC from native OBJ-C code
  - S8059212: Modify sun/security/smartcardio manual regression tests so that they do not just fail if no cardreader found
  - S8139565: Restrict certificates with DSA keys less than 1024 bits
  - S8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
  - S8148516: Improve the default strength of EC in JDK
  - S8151893: Add security property to configure XML Signature secure validation mode
  - S8152438: Threads may do significant work out of the non-shared overflow buffer
  - S8153438: Avoid repeated "Please insert a smart card" popup windows
  - S8154005: Add algorithm constraint that specifies the restriction date
  - S8154015: Apply algorithm constraints to timestamped code
  - S8159410: InetAddress.isReachable returns true for non existing IP adresses
  - S8160108: Implement Serialization Filtering
  - S8161228: URL objects with custom protocol handlers have port changed after deserializing
  - S8161571: Verifying ECDSA signatures permits trailing bytes
  - S8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
  - S8163583: [macosx] Press "To Back" button on the Dialog,the Dialog moves behind the Frame
  - S8164908: ReflectionFactory support for IIOP and custom serialization
  - S8165230: RMIConnection addNotificationListeners failing with specific inputs
  - S8166389: [TEST_BUG] closed/java/security/Security/ReadProp/ReadProp.sh failing
  - S8166393: disabledAlgorithms property should not be strictly parsed
  - S8166432: Bad 8u112 merge of sun/security/tools/jarsigner/warnings/Test.java
  - S8166591: [macos 10.12] Trackpad scrolling of text on OS X 10.12 Sierra is very fast (Trackpad, Retina only)
  - S8166739: Improve extensibility of ObjectInputFilter information passed to the filter
  - S8166875: (tz) Support tzdata2016g
  - S8166878: Connection reset during TLS handshake
  - S8167356: Follow up fix for jdk8 backport of 8164143. Changes for CMenuComponent.m were missed
  - S8167459: Add debug output for indicating if a chosen ciphersuite was legacy
  - S8167472: Chrome interop regression with JDK-8148516
  - S8167591: Add MD5 to signed JAR restrictions
  - S8168861: AnchorCertificates uses hardcoded password for cacerts keystore
  - S8168963: Backout JDK-8154005
  - S8168993: JDK8u121 L10n resource file update
  - S8169072: Backout JDK-8154015
  - S8169191: (tz) Support tzdata2016i
  - S8169688: Backout (remove) MD5 from jdk.jar.disabledAlgorithms for January CPU
  - S8169911: Enhanced tests for jarsigner -verbose -verify after JDK-8163304
  - S8170131: Certificates not being blocked by jdk.tls.disabledAlgorithms property
  - S8170268: 8u121 L10n resource file update - msgdrop 20
* Bug fixes
  - PR3271: Always round glyph advance in 26.6 space
  - PR3271: Fix compatibility with vanilla Fontconfig
  - PR3271: Fix glyph y advance
  - PR3271: Replace 'infinality' with 'improved font rendering' (--enable-improved-font-rendering)
  - PR3271: Simplify glyph advance handling
  - PR3286: -ffp-contract not available on older GCCs
  - PR3302: zip should be optional, as it's only used in the manually invoked dist-openjdk and dist-openjdk-fsg rules
  - PR3304: zip still a requirement of the underlying OpenJDK build
* PPC port
  - S8170873, PR3280: PPC64/aarch64: Poor StrictMath performance due to non-optimized compilation
* AArch64 port
  - S8130309, PR3280: Need to bailout cleanly if creation of stubs fails when codecache is out of space (AArch64 changes)
  - S8132875, PR3280: AArch64: Fix error introduced into AArch64 CodeCache by commit for 8130309
  - S8165673, PR3280: AArch64: Fix JNI floating point argument handling
  - S8170188, PR3280: jtreg test compiler/types/TestMeetIncompatibleInterfaceArrays.java causes JVM crash
  - S8170873, PR3280: PPC64/aarch64: Poor StrictMath performance due to non-optimized compilation

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.3.0.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-3.3.0.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-3.3.0.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-3.3.0.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

ce74a343759bfe6a7332301835e7c6e77d01db588a1dab672816c9ce338474b1  icedtea-3.3.0.tar.gz
efed173fa928897f02eed70c63b0e764800593c4800cb0e055a450df0d1aa045  icedtea-3.3.0.tar.gz.sig
b764ff09674f9139f94dfe9df8f6393ed55af149c7bb1033fbf119f68cea750b  icedtea-3.3.0.tar.xz
4ca9acdbec277afe2028508d36f30309a06a4317125f9207c9e95dce9335a0a0  icedtea-3.3.0.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.3.0.sha256

The following people helped with these releases:

* Matthias Dahl (PR3271 font rendering improvements)
* Andrew Hughes (all other bug fixes & backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-3.3.0.tar.gz

or:

$ tar x -I xz -f icedtea-3.3.0.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-3.3.0/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
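
The checksum and signature checks described in the announcement above can be scripted as follows. This is an added example, not part of the original announcement or of IcedTea; the function names and script name are illustrative, and it assumes GNU coreutils `sha256sum`, `gpg` on the PATH, and the release key already imported into the keyring.

```shell
#!/bin/sh
# Added example; the function names below are illustrative, not IcedTea tooling.
# Release key fingerprint as published in the announcement (spaces removed).
PINNED_FPR="5132579DD1540ED23E04C5A0CFDA0F9B35964222"

# sha256_matches FILE LIST
# Succeeds only if LIST (sha256sum format) names FILE's base name and the
# locally computed digest equals the listed one. Returns 2 if no entry exists.
sha256_matches() {
    file=$1; list=$2
    name=$(basename "$file")
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print tolower($1); exit }' "$list")
    [ -n "$want" ] || { echo "no checksum listed for $name" >&2; return 2; }
    have=$(sha256sum "$file" | awk '{ print tolower($1) }')
    [ "$want" = "$have" ]
}

# signed_by_pinned_key
# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# reports PINNED_FPR as the primary key (last field; the first fingerprint is
# the signing key, which may be a subkey) and no line flags a bad signature
# or an expired or revoked key.
signed_by_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            primary = (NF >= 12) ? $NF : $3
            if (toupper(primary) == want) ok = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# verify_release TARBALL SIGFILE LIST
# Full check; needs gpg (>= 2.1 for this key) with the key already imported.
verify_release() {
    sha256_matches "$1" "$3" || return 1
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | signed_by_pinned_key
}

# Usage (hypothetical script name):
#   sh verify.sh icedtea-3.3.0.tar.xz icedtea-3.3.0.tar.xz.sig icedtea-3.3.0.sha256
if [ $# -eq 3 ]; then
    verify_release "$@" && echo "OK: checksum and signature match"
fi
```

The download URLs are plain http, so the signature check against the pinned fingerprint is what authenticates the tarball; the SHA256 list only detects corruption unless it comes from a trusted copy of the announcement.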