[SECURITY] IcedTea 3.10.0 for OpenJDK 8 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Wed Dec 26 04:15:08 UTC 2018


We are pleased to announce the release of IcedTea 3.10.0!

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 8 support with the October 2018
security fixes from OpenJDK 8 u191.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always
welcome.

Full details of the release can be found below.

What's New?
===========
New in release 3.10.0 (2018-12-25):

* Security fixes
  - S8194534, CVE-2018-3136: Manifest better support
  - S8194546: Choosier FileManagers
  - S8195868: Address Internet Addresses
  - S8195874: Improve jar specification adherence
  - S8196897: Improve PRNG support
  - S8196902, CVE-2018-3139: Better HTTP redirection support
  - S8199177, CVE-2018-3149: Enhance JNDI lookups
  - S8199226, CVE-2018-3169: Improve field accesses
  - S8201756: Improve cipher inputs
  - S8202613, CVE-2018-3180: Improve TLS connections stability
  - S8202936, CVE-2018-3183: Improve script engine support
  - S8203654: Improve cypher state updates
  - S8204497: Better formatting of decimals
  - S8205361, CVE-2018-3214: Better RIFF reading support
  - S8208353, CVE-2018-13785: Upgrade JDK 8u to libpng 1.6.35
  - PR3639, CVE-2018-16435: lcms2: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile
* New features
  - PR3655: Allow use of system crypto policy to be disabled by the user
* Import of OpenJDK 8 u191 build 12
  - S8033251: Use DWARF debug symbols for Linux 32-bit as default
  - S8049834: Two security tools tests do not run with only JRE
  - S8074462: Handshake messages can be strictly ordered
  - S8130132: jarsigner should emit warning if weak algorithms or keysizes are used
  - S8142927: Feed some text to STDIN in ProcessTools.executeProcess()
  - S8146377: test/sun/security/tools/jarsigner/concise_jarsigner.sh failing
  - S8152974: AWT hang occurs when sequenced events arrive out of sequence
  - S8158887: sun/security/tools/jarsigner/concise_jarsigner.sh timed out
  - S8164480: Crash with assert(handler_address == SharedRuntime::compute_compiled_exc_handler(..) failed: Must be the same
  - S8168628: (fc) SIGBUS when extending file size to map it
  - S8171452: (ch) linux io_util_md: Operation not supported exception after 8168628
  - S8172529: Use PKIXValidator in jarsigner
  - S8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
  - S8189762: [TESTBUG] Create tests for JDK-8146115 container awareness and resource configuration
  - S8190674: sun/security/tools/jarsigner/TimestampCheck.java failed with java.nio.file.NoSuchFileException: ts2.cert
  - S8193892: Impact of noncloneable MessageDigest implementation
  - S8196663: [TESTBUG] test/compiler/loopopts/TestCMovSplitThruPhi.java fails on 32 bit Java
  - S8197518: Kerberos krb5 authentication: AuthList's put method leads to performance issue
  - S8202478: Backout JDK-8152974
  - S8204667: Resources not freed on exception
  - S8206916: Remove jdk8u181-b31 tag from jdk8u181/corba repo
  - S8206916: Remove jdk8u181-b31 tag from jdk8u181/hotspot repo
  - S8206916: Remove jdk8u181-b31 tag from jdk8u181/jaxp repo
  - S8206916: Remove jdk8u181-b31 tag from jdk8u181/jaxws repo
  - S8206916: Remove jdk8u181-b31 tag from jdk8u181/jdk repo
  - S8206916: Remove jdk8u181-b31 tag from jdk8u181/langtools repo
  - S8206916: Remove jdk8u181-b31 tag from jdk8u181/nashorn repo
  - S8206916: Remove jdk8u181-b31 tag from jdk8u181 repo
  - S8207336: Build failure in JDK8u on Windows after fix 8207260
  - S8208350: Disable all DES cipher suites
  - S8208660: JDK 8u191 l10n resource file update
  - S8208754: The fix for JDK-8194534 needs updates
  - S8210431: Complete backport of libpng 1.6.35 TPRM
  - S8211107: LDAPS communication failure with jdk 1.8.0_181
  - S8211731: Reconsider default option for ClassPathURLCheck change done in JDK-8195874
* Backports
  - PR3646: Backed out changeset 6e3f4784affc (S4890063/PR2304/RH1214835)
  - S8029661, PR3642, RH1477159: Support TLS v1.2 algorithm in SunPKCS11 provider
  - S8131048, PR3574, RH1498936: ppc implement CRC32 intrinsic
  - S8164920, PR3574, RH1498936: ppc: enhancement of CRC32 intrinsic
  - S8172850, PR3643, RH1640127: Anti-dependency on membar causes crash in register allocator due to invalid instruction scheduling
  - S8202261, PR3638: (fc) FileChannel.map and RandomAccessFile.setLength should not preallocate space
  - S8209639, PR3643, RH1640127: assert failure in coalesce.cpp: attempted to spill a non-spillable item
* Bug fixes
  - PR3653: Detect whether -Xprefer:source and -J-Xmx<limit> can be used, rather than assuming
  - PR3673: Alternate HotSpot builds need fix for PR3094
* SystemTap
  - PR3625: arc_priority representation creates an implicit limit on character sequence within regexp
* Shenandoah
  - PR3634: Shenandoah still broken on s390 with aarch64-shenandoah-jdk8u181-b16
  - [backport] Adaptive CSet selection overshoots max-CSet
  - [backport] Adaptive CSet selection selects excessively when memory is tight
  - [backport] Adaptive/Traversal heuristics rewrite for allocation rate
  - [backport] Added logging for the number of workers used for GC cycles
  - [backport] Add task termination and enhanced task queue state tracking + weakrefs
  - [backport] Allocation path should not touch GC barriers for metadata
  - [backport] Allocation tracker should really report bytes
  - [backport] AlwaysPreTouch fails with non-default ConcGCThreads
  - [backport] Application pacing precision fixes
  - [backport] Apply ShenandoahEvacOOMScope only for evac-taking paths in ShenandoahBarrierSet
  - [backport] Assembler write barriers should consistently check for forwarded objects
  - [backport] Avoid indirection to next-mark-context
  - [backport] Avoid using uintx in ShenandoahHeapRegion
  - [backport] C1 shenandoah_wb expects obj in a register
  - [backport] Check and ensure that Shenandoah-enabled compilations succeed
  - [backport] Check heap stability in C1 WBs
  - [backport] ClassUnloadingWithConcurrentMark should be opt-in with Shenandoah
  - [backport] Clean up obsolete c2 code
  - [backport] Cleanup: remove unused root processor's sub tasks
  - [backport] Cleanup UseShenandoahOWST blocks
  - [backport] CollectedHeap::max_tlab_size is measured in words
  - [backport] Complete liveness for recently allocated regions outside the allocation path
  - [backport] Comprehensible GC trigger logging
  - [backport] Concurrent uncommit should be recorded as GC event
  - [backport] Constify ShHeapRegionSet and ShCollectionSet
  - [backport] Convert magic value to ShenandoahPacingSurcharge
  - [backport] Default to ShenandoahCodeRootsStyle = 2
  - [backport] Degenerated evacuation
  - [backport] Disable UseFastJNIAccessors for Shenandoah
  - [backport] Elastic TLABs support for Shenandoah
  - [backport] Enable ShenandoahEvacReserveOverflow by default
  - [backport] Evac assist should touch marked objects only
  - [backport] Evac reserve: make sure GC has untouchable space to move the objects into
  - [backport] EvilSyncBug test is too slow
  - [backport] Explicit GC should actually uncommit the heap
  - [backport] Exponential backoff with pacing
  - [backport] Fix aarch64 CAS predicates
  - [backport] Fix CAS-obj predicates and add expected-null-versions for cmpxchg-narrow-oop
  - [backport] Fixed SA due to code refactoring and merging
  - [backport] Fix Minimal and Zero builds
  - [backport] Fix ShHeap::notify_alloc usages: it accepts words, not bytes
  - [backport] Fix TestCommonGCLoads test
  - [backport] Fix TestFullGCALot test failure
  - [backport] Fix TestGCThreadGroups test
  - [backport] Forceful SATB buffer flushes should be time-periodic, not traffic-dependent
  - [backport] Full GC always comes with liveness data
  - [backport] Full GC should not always update references
  - [backport] GCLAB slowpath allocations should fit the object into GCLAB
  - [backport] GC trace messages have to be immortal
  - [backport] Handle missing ShenandoahWriteBarrierRB case
  - [backport] Heap region count selection should only consider max heap size
  - [backport] Hook up GCLABs to Elastic LAB support
  - [backport] Improve scheduling and interleaving of SATB processing in mark loop
  - [backport] Including metaspace info when reporting heap info
  - [backport] Incorrect label for static heuristics
  - [backport] Make in-cset checks use signed bytes to match C2 better
  - [backport] Micro-optimize AArch64 assembly write-barriers
  - [backport] Missing Shenandoah entry in GCNameHelper::to_string
  - [backport] More detailed pacing histogram
  - [backport] More verbose profiling for phase 4 in mark-compact
  - [backport] Move heuristics from ShCollectorPolicy to ShHeap
  - [backport] Move (Java)Thread::_gc_state to lower offset to optimize barrier fast-path encoding
  - [backport] Move ParallelCodeIterator to ShenandoahCodeRoots
  - [backport] Move periodic GC decision making to GC heuristics base class
  - [backport] Move Shenandoah stress tests to tier3
  - [backport] Non-cancellable mark loops should have sensible stride
  - [backport] Off-by-one error in degen progress calculation
  - [backport] Only Java and GC worker threads should get GCLABs
  - [backport] Out-of-cycle Degenerated GC should process references and unload classes
  - [backport] Pacer for evacuation should print "Avail" to capture discounting
  - [backport] Pacer should account actual size for elastic TLABs
  - [backport] Parallel +AlwaysPreTouch should run with max workers
  - [backport] Passive heuristics should enter degen GC, not full GC
  - [backport] Perform gc-state checks with LoadB to fit C2 matchers
  - [backport] Pre-filter oops before enqueing them in SBS slowpaths
  - [backport] Print task queue statistics at the end of GC cycle
  - [backport] Process remaining SATB buffers in final mark/traverse loop instead of separate phase
  - [backport] Proper units for allocation failure messages
  - [backport] Prune undefined and unused methods
  - [backport] Purge partial heuristics and connection matrix infrastructure
  - [backport] Purge support for ShenandoahConcurrentEvacCodeRoots and ShenandoahBarriersForConst
  - [backport] Rearrange Shenandoah tests into 3 tiers
  - [backport] Reclaim immediate garbage after mark-compact marking
  - [backport] Recycle the regions only once
  - [backport] Refactor alive-closures to deal better with new marking contexts
  - [backport] Refactor allocation path to accept ShenandoahAllocRequest tuple
  - [backport] Refactor and improve ShenandoahCodeRoots strategies
  - [backport] Refactor FreeSet logging: support evac-reserve, denser printouts
  - [backport] Refactor gc+init logging
  - [backport] Refactoring ShenandoahStrDedupStress test to reduce test time
  - [backport] Refactor to group marking bitmap and TAMS structure in one class ShenandoahMarkingContext
  - [backport] Remove C2 write-barrier from .ad files
  - [backport] Removed racy assertion
  - [backport] Remove NMethodSizeLimit adjustment for Shenandoah
  - [backport] Remove obsolete/unused logging usages
  - [backport] Remove safe_equals()
  - [backport] Remove ShHeuristics::print_threshold
  - [backport] Rename and move ShenandoahPrepareForMarkClosure
  - [backport] Rename "cancel_concgc" to "cancel_gc"
  - [backport] Replace custom asserts with shenandoah_assert_*
  - [backport] Replace risky SBS::need_update_refs_barrier with straightforward check
  - [backport] Replace ShBarrierSet* casts with accessor
  - [backport] Report actual free size in non-verbose FreeSet status
  - [backport] Report heap region stats in proper units
  - [backport] Resettable iterators to avoid dealing with copying/assignment compilation differences
  - [backport] Reshuffle tests: verify STW GC is working first, then verify under aggressive, then the rest
  - [backport] Rework ClassUnloading* flags handling
  - [backport] Rework GC degradation on allocation failure
  - [backport] SATB buffer filtering/compaction hides unmarked objects until final-mark
  - [backport] shenandoah_assert_correct should check object/forwardee klasses
  - [backport] shenandoah_assert_correct should verify classes before claiming _safe_oop
  - [backport] Shenandoah changes to allow enabling -Wreorder
  - [backport] Shenandoah/PPC barrier stubs
  - [backport] Shenandoah string deduplication
  - [backport] SH::make_(tlabs)_parsable() should work correctly with/without TLABs
  - [backport] Shortcut regions that are known not to be alive
  - [backport] Should cleanup previous/bad versions of redefined classes during full gc
  - [backport] Skip RESOLVE in SATBBufferClosure if no forwarded objects are in heap
  - [backport] Soft-refs policy needs reliable heap usage data after the GC cycle
  - [backport] Soft refs should be purged reliably on allocation failure, or with compact heuristics
  - [backport] Some trivial-ish cleanups
  - [backport] Split write barrier paths for mutator and GC workers
  - [backport] StringInternCleanup times out
  - [backport] TestHeapDump runs much faster with small heap
  - [backport] Tests should use -XX:+ShenandoahVerify in some OOM-evac configurations
  - [backport] TLAB sizing policy should converge faster with Shenandoah
  - [backport] Trace and report total allocation latency and sizes
  - [backport] Traversal should resize TLABs
  - [backport] Trivial enhancement to avoid costly deletion array element
  - [backport] Uncommit should relinquish the heap lock regularly
  - [backport] Unreachable assert in ShenandoahCodeRoots::acquire_lock
  - [backport] Verifier should dump raw memory around the problematic oops
  - [backport] Verify global and local gc-state status
  - [backport] VSC++ requires space(s) in between two string literals
  - [backport] WB slowpath should assist with evacuation of adjacent objects
  - [backport] Wiring GC events to JFR + Restore heap occupancy in GC logs after JFR changes
  - [backport] Wiring heap and metaspace info to JFR
  - [backport] Wrap worker id in thread local worker session
  - [backport] -XX:-UseTLAB should disable GCLABs too
  - Cleanup undeclared methods in barrier stubs
  - Disable evac assist by default until bugfixes arrive
  - Fix build failure: signedness mismatch in assert
  - Fix MacOS/Clang build failure
  - Fix x86_32 build
  - JDK8u: Silence compilation warnings on implicit type conversion
  - Move JNI Weak References workaround to Shenandoah-specific root processor
  - Fix code differences against shenandoah/jdk8u
* AArch64 port
  - S8155627, PR3651: Enable SA on AArch64
  - S8207838, PR3666: AArch64: Float registers incorrectly restored in JNI call
  - S8209415, PR3666: Fix JVMTI test failure HS202
  - S8211064, PR3666: [AArch64] Interpreter and c1 don't correctly handle jboolean results in native calls

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.10.0.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-3.10.0.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-3.10.0.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-3.10.0.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

e3fbcaef960971add75d7e4cf7b0a994185672f68fcb4f97b1f61a66a71ef027  icedtea-3.10.0.tar.gz
9365e58bd6455ea911a1e97b31219b1a4b27c31e9d760e697eff325a2a8bb30f  icedtea-3.10.0.tar.gz.sig
ac4c5ec996555db6b4943e3849afc72ba2504b14c7d443cded68dd7d7e0055f9  icedtea-3.10.0.tar.xz
39d50c4dafc7eb33d55bcf7eb5752041ba736271b00f095e64de26aeef4908dd  icedtea-3.10.0.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.10.0.sha256

The following people helped with these releases:

* Severin Gehwolf (PR3625)
* Andrew Hughes (all other bug fixes and backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-3.10.0.tar.gz

or:

$ tar x -I xz -f icedtea-3.10.0.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-3.10.0/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking & happy holidays!
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
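
Added example, not part of the original announcement: a POSIX shell check that ties a downloaded tarball to the SHA256 list and the key fingerprint published above. It assumes sha256sum, awk and GnuPG >= 2.1 are installed and the signing key is already imported; the function names and the script name verify.sh are illustrative.

```shell
#!/bin/sh
# Added example: verify an IcedTea 3.10.0 tarball before unpacking it.
# The pinned fingerprint is copied from the announcement (spaces removed).
PINNED_FPR=5132579DD1540ED23E04C5A0CFDA0F9B35964222

# sha256_matches FILE SUMS: succeed only if FILE's SHA256 equals the entry
# listed for its basename in SUMS (sha256sum format: "<hex>  <name>").
sha256_matches() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$2")
    [ -n "$expected" ] || return 1          # no entry for this file: fail closed
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# primary_fpr: read `gpg --status-fd` output on stdin and print the primary
# key fingerprint of a valid signature (the last field of the VALIDSIG line).
primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# signed_by_pinned_key STATUS_TEXT: succeed only if the status output reports
# a valid signature whose primary key is the pinned one.
signed_by_pinned_key() {
    [ "$(printf '%s\n' "$1" | primary_fpr)" = "$PINNED_FPR" ]
}

# verify_release TARBALL SUMS: run both checks; expects TARBALL.sig to sit
# beside TARBALL.
verify_release() {
    sha256_matches "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    status=$(gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null) || return 1
    signed_by_pinned_key "$status" || { echo "unexpected signer" >&2; return 1; }
    echo "OK: $1"
}

# Runs only when called with arguments, e.g.:
#   sh verify.sh icedtea-3.10.0.tar.xz icedtea-3.10.0.sha256
if [ "$#" -ge 2 ]; then verify_release "$@"; fi
```

The fingerprint comparison matters because gpg --verify exits successfully for a good signature from any key in the keyring, not only the release key.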