[SECURITY] IcedTea 2.6.13 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Wed Feb 28 06:59:25 UTC 2018

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with
the January 2018 security fixes from OpenJDK 7 u171.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are
always welcome.

Full details of the release can be found below.

What's New?
New in release 2.6.13 (2018-02-27):

* Security fixes
  - S8160104: CORBA communication improvements
  - S8172525, CVE-2018-2579: Improve key keying case
  - S8174756: Extra validation for public keys
  - S8175932: Improve host instance supports
  - S8176458: Revise default document styling
  - S8178449, CVE-2018-2588: Improve LDAP logins
  - S8178458: Better use of certificates in LDAP
  - S8178466: Better RSA parameters
  - S8179536: Cleaner print job handling
  - S8179990: Cleaner palette entry handling
  - S8180011: Cleaner native graphics device handling
  - S8180015: Cleaner AWT robot handling
  - S8180020: Improve SymbolHashMap entry handling
  - S8180433: Cleaner CLR invocation handling
  - S8180877: More deeply colored ICC spaces
  - S8181664: Improve JVM UTF String handling
  - S8181670: Improve implementation of keystores
  - S8182125, CVE-2018-2599: Improve reliability of DNS lookups
  - S8182387, CVE-2018-2603: Improve PKCS usage
  - S8182601, CVE-2018-2602: Improve usage messages
  - S8185292, CVE-2018-2618: Stricter key generation
  - S8185325, CVE-2018-2641: Improve GTK initialization
  - S8186080: Transform XML interfaces
  - S8186212, CVE-2018-2629: Improve GSS handling
  - S8186600, CVE-2018-2634: Improve property negotiations
  - S8186606, CVE-2018-2633: Improve LDAP lookup robustness
  - S8186867: Improve native glyph layouts
  - S8186998, CVE-2018-2637: Improve JMX supportive features
  - S8189284, CVE-2018-2663: More refactoring for deserialization cases
  - S8190289, CVE-2018-2677: More refactoring for client deserialization cases
  - S8191142, CVE-2018-2678: More refactoring for naming deserialization cases
* Import of OpenJDK 7 u171 build 0
  - S7171982: Cipher getParameters() throws RuntimeException: Cannot find SunJCE provider
  - S7172652: With JDK 1.7 text field does not obtain focus when using mnemonic Alt/Key combin
  - S8022532: [parfait] Potential memory leak in gtk2_interface.c
  - S8031003: [Parfait] warnings from jdk/src/share/native/sun/security/jgss/wrapper: JNI exception pending
  - S8035105: DNS provider cleanups
  - S8041781: Need new regression tests for PBE keys
  - S8041787: Need new regressions tests for buffer handling for PBE algorithms
  - S8044193: Need to add known answer tests for AES cipher
  - S8048601: Tests for JCE crypto ciphers (part 1)
  - S8048819: Implement reliability test for DH algorithm
  - S8072452: Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits
  - S8075286: Additional tests for signature algorithm OIDs and transformation string
  - S8137255: sun/security/provider/NSASuiteB/TestDSAGenParameterSpec.java timeouts intermittently
  - S8141243: Unexpected timezone returned after parsing a date
  - S8144593: Suppress not recognized property/feature warning messages from SAXParser
  - S8147969: Print size of DH keysize when errors are encountered
  - S8148108: Disable Diffie-Hellman keys less than 1024 bits
  - S8148421, PR3505: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
  - S8154344: sun/security/pkcs11/KeyAgreement/SupportedDHKeys.java fails on solaris
  - S8156502: Use short name of SupportedEllipticCurvesExtension.java
  - S8157548: JVM crashes sometimes while starting
  - S8157603: TestCipher.java doesn't check one of the decrypted message as expected
  - S8158116: com/sun/crypto/provider/KeyAgreement/SupportedDHParamGens.java failed with timeout
  - S8159240: XSOM parser incorrectly processes type names with whitespaces
  - S8163237: Restrict the use of EXPORT cipher suites
  - S8163958: Improved garbage collection [test case]
  - S8166248: tools/pack200/Pack200Test.java fails on Win32: Could not reserve enough space
  - S8166362: [TEST_BUG] test sun/net/www/http/HttpClient/B8025710.java failing with cert error in 8u121 b01
  - S8170157: Enable unlimited cryptographic policy by default in OracleJDK
  - S8170245: [TEST_BUG] Cipher tests fail when running with unlimited policy
  - S8170536: Uninitialised memory in set_uintx_flag of attachListener.cpp
  - S8177144: [TEST BUG] sun/net/www/http/HttpClient/B8025710.java should run in ovm mode
  - S8178728: Check the AlgorithmParameters in algorithm constraints
  - S8180048: Interned string and symbol table leak memory during parallel unlinking
  - S8184016: Text in native popup is not always updated with Sogou IME
  - S8185628: Backport jdk/test/lib/testlibrary/CompilerUtils.java to jdk8u which is helpful in test development
  - S8185719: rmi TestSocketFactory does not flush
  - S8185909: Disable JARs signed with DSA keys less than 1024 bits
  - S8186539: [testlibrary] TestSocketFactory should allow triggers before match/replace
  - S8187667, PR3518: Disable deprecation warning for readdir_r
  - S8188880: A JAXB JCK test failure found after 8186080
  - S8190258, PR3500: (tz) Support tzdata2017c
  - S8190259, PR3500: test tck.java.time.zone.TCKZoneRules is broken by tzdata2017c
  - S8190266: closed/java/awt/ComponentOrientation/WindowTest.java throws java.util.MissingResourceException.
  - S8190449: sun/security/pkcs11/KeyPairGenerator/TestDH2048.java fails on Solaris x64 5.10
  - S8190497: DHParameterSpec.getL() returns zero after JDK-8072452
  - S8190541: 8u161 L10n resource file update
  - S8190789: sun/security/provider/certpath/LDAPCertStore/TestURICertStoreParameters.java fails after JDK-8186606
  - S8192793: 8u161 L10n resource file update md20
  - S8193683: Increase the number of clones in the CloneableDigest
  - S8194859: Bad backport of 8024468 breaks Zero build due to lack of 8010862 in OpenJDK 7
  - S8195837: (tz) Upgrade time-zone data to tzdata2018c
* Import of OpenJDK 7 u171 build 1
  - S8007772: G1: assert(!hr->isHumongous() || mr.start() == hr->bottom()) failed: the start of HeapRegion and MemRegion should be consistent for humongous regions
  - S8022956: Clang: enable return type warnings on BSD
  - S8043029: Change 8037816 breaks HS build with older GCC versions which don't support diagnostic pragmas
  - S8048169: Change 8037816 breaks HS build on PPC64 and CPP-Interpreter platforms
  - S8062808: Turn on the -Wreturn-type warning
  - S8064786: Fix debug build after 8062808: Turn on the -Wreturn-type warning
  - S8143245: Zero build requires disabled warnings
  - S8196952, PR3525: Bad primeCertainty value setting in DSAParameterGenerator
  - S8196978: JDK-8187667 fails on GCC 4.4.7 as found on RHEL 6
  - S8197510: fastdebug builds fail due to lack of p2i
  - S8197801: Zero debug build fails on "assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + extra_stack_entries + 1)) failed: bad stack limit"
* Import of OpenJDK 7 u171 build 2
  - S8197981: Missing return statement in __sync_val_compare_and_swap_8
* Backports
  - S7189886, PR3507: (aio) Add test coverage for AsynchronousChannelGroup.withThreadPool
  - S7200306, PR3507: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()
  - S8012930, PR3507: (fs) Eliminate recursion from FileTreeWalker
  - S8013647, PR3507: JPRT unable to clean-up after tests that leave file trees with loops
  - S8020321, PR3507: Problem in PKCS11 regression test TestRSAKeyLength
  - S8022313, PR3507: sun/security/pkcs11/rsa/TestKeyPairGenerator.java failed in aurora
  - S8027218, PR3507: TEST_BUG: sun/security/pkcs11/ec tests fail because of ever-changing key size restrictions
  - S8029158, PR3507: sun/security/pkcs11/Signature/TestDSAKeyLength.java does not compile (or run)
  - S8031113, PR3507: TEST_BUG: java/nio/channels/AsynchronousChannelGroup/Basic.java fails intermittently
  - S8048603, PR3507: Additional tests for MAC algorithms
  - S8048622, PR3507: Enhance tests for PKCS11 keystores with NSS
  - S8075565, PR3337: Define @intermittent jtreg keyword and mark intermittently failing jdk tests
  - S8075670, PR3507: Remove intermittent keyword from some tests
  - S8078334, PR3507: Mark regression tests using randomness
  - S8078880, PR3507: Mark a few more intermittently failuring security-libs
  - S8133318, PR3507: Exclude intermittent failing PKCS11 tests on Solaris SPARC 11.1 and earlier
  - S8144539, PR3507: Update PKCS11 tests to run with security manager
  - S8151731, PR3337: Add new jtreg keywords to jdk 8
  - S8165996, PR3507: PKCS11 using NSS throws an error regarding secmod.db when NSS uses sqlite
  - S8170523, PR3507: Some PKCS11 test cases are ignored with security manager
  - S8196516, PR3524: [REDO] [linux] libfontmanager should be linked against headless awt library
* AArch64 port
  - S8193133, PR3521: Assertion failure because 0xDEADDEAD can be in-heap
  - PR3521: Fix functions with missing return value.
  - PR3521: Fix further functions with a missing return value.

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.13.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.6.13.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-2.6.13.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.6.13.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

7528c905da9b1c09aef16a938e7d879c8cdb14f93b1a25f0ec041307572c3d4f  icedtea-2.6.13.tar.gz
f4f98da8894fbcf9e55a1a5cec9f23b6281aa0cb4cc1714be61b0a25e916383f  icedtea-2.6.13.tar.gz.sig
104e84205d1176e217e24f770784c53d1cd666aeb23ab0bae8ac858e5b0e63f0  icedtea-2.6.13.tar.xz
7e81a4d785484e1dbc504ca418be84d8393b5d790cc11f1cd61c8f6cefa0543c  icedtea-2.6.13.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.13.sha256

The following people helped with these releases:

* Andrew Dinn (PR3521 first missing return value fix)
* Andrew Hughes (all other backports & bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.13.tar.gz

or:

$ tar x -I xz -f icedtea-2.6.13.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.13/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
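
The signature and checksum check that the announcement describes, written out as an added example (it is not part of the original message or of the IcedTea project's tooling). It pins the fingerprint and the xz tarball digest published above; the function names are hypothetical, and it assumes GnuPG >= 2.1 with the key already imported, plus `sha256sum` and `awk`.

```shell
#!/bin/sh
# Added example. Fingerprint and digest are copied from the announcement;
# the function names are hypothetical.
PINNED_FPR="5132579DD1540ED23E04C5A0CFDA0F9B35964222"
TARBALL="icedtea-2.6.13.tar.xz"
TARBALL_SHA256="104e84205d1176e217e24f770784c53d1cd666aeb23ab0bae8ac858e5b0e63f0"

# Reads `gpg --status-fd` output on stdin. Succeeds only if gpg reported
# GOODSIG (withheld for expired or revoked keys, which get EXPKEYSIG or
# REVKEYSIG instead) and a VALIDSIG line names the pinned fingerprint as
# the signing key ($3) or as the primary key (last field).
signed_by_pinned_key() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
        END { exit (good && pinned) ? 0 : 1 }'
}

# Succeeds only if the file's SHA-256 equals the expected lowercase hex digest.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{ print $1 }')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Checks the detached signature first: the checksum file is served over HTTP
# from the same host as the tarball, so only the signature ties the download
# to the key.
verify_release() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
        signed_by_pinned_key "$PINNED_FPR" ||
        { echo "$1: no good signature from $PINNED_FPR" >&2; return 1; }
    sha256_matches "$1" "$2" ||
        { echo "$1: SHA-256 mismatch" >&2; return 1; }
    echo "$1: signature and checksum OK"
}

# Usage: sh verify.sh verify   (run in the download directory)
if [ "${1:-}" = "verify" ]; then
    verify_release "$TARBALL" "$TARBALL_SHA256"
fi
```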