[SECURITY] IcedTea 3.5.0 for OpenJDK 8 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Fri Jul 21 03:35:49 UTC 2017


We are pleased to announce the release of IcedTea 3.5.0!

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 8 support with the July 2017
security fixes from OpenJDK 8 u141.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are
always welcome.

Full details of the release can be found below.

What’s New?
===========
New in release 3.5.0 (2017-07-20):

* Security fixes
  - S8163958, CVE-2017-10102: Improved garbage collection
  - S8167228: Update to libpng 1.6.28
  - S8169209, CVE-2017-10053: Improved image post-processing steps
  - S8169392, CVE-2017-10067: Additional jar validation steps
  - S8170966, CVE-2017-10081: Right parenthesis issue
  - S8171539, CVE-2017-10078: Better script accessibility for JavaScript
  - S8172204, CVE-2017-10087: Better Thread Pool execution
  - S8172461, CVE-2017-10089: Service Registration Lifecycle
  - S8172465, CVE-2017-10090: Better handling of channel groups
  - S8172469, CVE-2017-10096: Transform Transformer Exceptions
  - S8173286, CVE-2017-10101: Better reading of text catalogs
  - S8173697, CVE-2017-10107: Less Active Activations
  - S8173770, CVE-2017-10074: Image conversion improvements
  - S8174098, CVE-2017-10110: Better image fetching
  - S8174105, CVE-2017-10108: Better naming attribution
  - S8174113, CVE-2017-10109: Better sourcing of code
  - S8174770: Check registry registration location
  - S8174873: Improved certificate processing
  - S8175106, CVE-2017-10115: Higher quality DSA operations
  - S8175110, CVE-2017-10118: Higher quality ECDSA operations
  - S8176055: JMX diagnostic improvements
  - S8176067, CVE-2017-10116: Proper directory lookup processing
  - S8176760, CVE-2017-10135: Better handling of PKCS8 material
  - S8178135, CVE-2017-10176: Additional elliptic curve support
  - S8179101, CVE-2017-10193: Improve algorithm constraints implementation
  - S8179998, CVE-2017-10198: Clear certificate chain connections
  - S8181420, CVE-2017-10074: PPC: Image conversion improvements
  - S8183551, CVE-2017-10074, PR3423: AArch64: Image conversion improvements
  - S8184185, CVE-2017-10111: Rearrange MethodHandle arrangements
* New features
  - PR3392, RH1273760: Support using RSAandMGF1 with the SHA hash algorithms in the PKCS11 provider
* Import of OpenJDK 8 u141 build 15
  - S8139870: sun.management.LazyCompositeData.isTypeMatched() fails for composite types with items of ArrayType
  - S8155690: Update libPNG library to the latest up-to-date
  - S8159058: SAXParseException when sending soap message
  - S8162461: Hang due to JNI up-call made whilst holding JNI critical lock
  - S8163889: [macosx] Can't print from browser on Mac OS X
  - S8165231: java.nio.Bits.unaligned() doesn't return true on ppc
  - S8165367: Additional tests for JEP 288: Disable SHA-1 Certificates
  - S8173145: Menu is activated after using mnemonic Alt/Key combination
  - S8173207: Upgrade compression library
  - S8175251: Failed to load RSA private key from pkcs12
  - S8176329: jdeps to detect MR jar file and output a warning
  - S8176536: Improved algorithm constraints checking
  - S8176731: JCK tests in api/javax_xml/transform/ spec conformance started failing after 8172469
  - S8176769: Remove accidental spec change in jdk8u
  - S8177449: (tz) Support tzdata2017b
  - S8178996: [macos] JComboBox doesn't display popup in mixed JavaFX Swing Application on 8u131 and Mac OS 10.12
  - S8179014: JFileChooser with Windows look and feel crashes on win 10
  - S8180582: The bind to rmiregistry is rejected by registryFilter even though registryFilter is set
  - S8181591: 8u141 L10n resource file update
  - S8181698: Remove and retag 8u141-b12 tag from source repository
  - S8181946: JDK 8 THIRD_PARTY_README - Minor Cleanup
  - S8182054: Improve wsdl support
  - S8184235: Backout JDK-8173207 from 8u141, 7u151 and higher updates source base
* Backports
  - S8164293, PR3412, RH1459641: HotSpot leaking memory in long-running requests
  - S8175813, PR3394, RH1448880: PPC64: "mbind: Invalid argument" when -XX:+UseNUMA is used
  - S8175887, PR3415: C1 value numbering handling of Unsafe.get*Volatile is incorrect
  - S8179084, PR3409, RH1455694: HotSpot VM fails to start when AggressiveHeap is set
  - S8180048, PR3411, RH1449870: Interned string and symbol table leak memory during parallel unlinking
  - S8181055, PR3394, RH1448880: PPC64: "mbind: Invalid argument" still seen after 8175813
  - S8181419, PR3413, RH1463144: Race in jdwp invoker handling may lead to crashes or invalid results
* AArch64 port
  - S7009641, PR3423: Don't fail VM when CodeCache is full
  - S8182581, PR3423: aarch64: fix for crash caused by earlyret of compiled method
* AArch32 port
  - PR3391: Revert PR3385 as -Xshare:dump does appear to work on AArch32

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.5.0.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-3.5.0.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-3.5.0.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-3.5.0.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

2c92e18fa70edaf73517fcf91bc2a7cc2ec2aa8ffdf22bb974fa6f9bc3065f30  icedtea-3.5.0.tar.gz
d27c337e87221c9de158f83e43823bf2c5ec2ebf78c8fa5b9a11b182acb68ee1  icedtea-3.5.0.tar.gz.sig
9aa89e00ecc07baa6b37a6b1e363c3d7128253e95374c74d1d2706f36c3ccab5  icedtea-3.5.0.tar.xz
59089156b3ea0973304c6d89d598ca6a149e594f9555fd35c9c0a78101ce7e65  icedtea-3.5.0.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.5.0.sha256

The following people helped with these releases:

* Severin Gehwolf (S8181419/PR3413/RH1463144 JDWP race)
* Zhengyu Gu (S8175813 & S8181055/PR3394/RH1448880 NUMA issues)
* Andrew Hughes (all other bug fixes and backports, release management)
* Roland Westrelin (S8183551/CVE-2017-10074 AArch64 fix)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-3.5.0.tar.gz

or:

$ tar x -I xz -f icedtea-3.5.0.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-3.5.0/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
-- 
Andrew :)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
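
Added example, not part of the original announcement: a shell sketch that checks a downloaded tarball against the SHA256 value and the full key fingerprint published above, rather than relying on gpg's exit code or a short key ID. It assumes GNU coreutils `sha256sum`, GnuPG >= 2.1 with the key already imported, and the function names are illustrative.

```shell
#!/bin/sh
# Fingerprint exactly as published in the announcement, spaces removed.
PINNED_FPR="5132579DD1540ED23E04C5A0CFDA0F9B35964222"

# sha256_matches FILE EXPECTED_HEX
# Succeeds only if the file's SHA256 digest equals the expected value.
# A checksum fetched over plain HTTP only detects corruption; the
# signature check below is what ties the file to the release key.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# validsig_by_pinned_key
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG line reports the pinned fingerprint as the primary key (the
# last field), so a good signature from any other key in the keyring
# is rejected.
validsig_by_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { exit !ok }'
}

# verify_release TARBALL EXPECTED_SHA256
# Expects the detached signature next to the tarball as TARBALL.sig.
verify_release() {
    sha256_matches "$1" "$2" \
        || { echo "checksum mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | validsig_by_pinned_key \
        || { echo "no valid signature from pinned key: $1" >&2; return 1; }
    echo "OK: $1"
}

# Stand-alone use: ./verify.sh icedtea-3.5.0.tar.xz <sha256 from the list above>
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```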