[SECURITY] IcedTea 2.6.16 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Tue Jan 1 23:15:41 UTC 2019

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with
the October 2018 security fixes from OpenJDK 7 u201.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always

Full details of the release can be found below.

What's New?
New in release 2.6.16 (2019-01-01):

* Security fixes
  - S8194534, CVE-2018-3136: Manifest better support
  - S8194546: Choosier FileManagers
  - S8195868: Address Internet Addresses
  - S8195874: Improve jar specification adherence
  - S8196897: Improve PRNG support
  - S8196902, CVE-2018-3139: Better HTTP redirection support
  - S8199177, CVE-2018-3149: Enhance JNDI lookups
  - S8199226, CVE-2018-3169: Improve field accesses
  - S8201756: Improve cipher inputs
  - S8202613, CVE-2018-3180: Improve TLS connections stability
  - S8203654: Improve cypher state updates
  - S8204497: Better formatting of decimals
  - S8205361, CVE-2018-3214: Better RIFF reading support
  - S8208353, CVE-2018-13785: Upgrade JDK 8u to libpng 1.6.35
  - PR3640, CVE-2018-16435: lcms2: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile
* Import of OpenJDK 7 u201 build 0
  - S7058700: Unexpected exceptions and timeouts in SF2 parser code
  - S7098755: test/sun/misc/JarIndex/metaInfFilenames/Basic.java should use supported compiler interface
  - S7104650: rawtype warnings in several net, nio and security source files
  - S7116722: Miscellaneous warnings sun.misc ( and related classes )
  - S7117249: fix warnings in java.util.jar, .logging, .prefs, .zip
  - S7142888: sun/security/tools/jarsigner/ec.sh fail on sparc
  - S8044860: Vectors and fixed length fields should be verified for allowed sizes.
  - S8049834: Two security tools tests do not run with only JRE
  - S8054431: Some of the input validation in the javasound is too strict
  - S8074462: Handshake messages can be strictly ordered
  - S8130132: jarsigner should emit warning if weak algorithms or keysizes are used
  - S8142927: Feed some text to STDIN in ProcessTools.executeProcess()
  - S8146377: test/sun/security/tools/jarsigner/concise_jarsigner.sh failing
  - S8158887: sun/security/tools/jarsigner/concise_jarsigner.sh timed out
  - S8164480: Crash with assert(handler_address == SharedRuntime::compute_compiled_exc_handler(..) failed: Must be the same
  - S8168405: Pending exceptions in java.base/windows/native
  - S8172529: Use PKIXValidator in jarsigner
  - S8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
  - S8190674: sun/security/tools/jarsigner/TimestampCheck.java failed with java.nio.file.NoSuchFileException: ts2.cert
  - S8193892: Impact of noncloneable MessageDigest implementation
  - S8204667: Resources not freed on exception
  - S8207336: Build failure in JDK8u on Windows after fix 8207260
  - S8208350: Disable all DES cipher suites
  - S8208660: JDK 8u191 l10n resource file update
  - S8208754: The fix for JDK-8194534 needs updates
  - S8211107: LDAPS communication failure with jdk 1.8.0_181
  - S8211731: Reconsider default option for ClassPathURLCheck change done in JDK-8195874

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.16.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.6.16.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-2.6.16.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.6.16.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

f6bf1388d3dc6f7206f49702a00f2836f11841987d74a976b315843959818213  icedtea-2.6.16.tar.gz
64b4d156d0a1b253a3df90092ccf5605f81a5d0300434b5fd19444c7a9245585  icedtea-2.6.16.tar.gz.sig
6c670e75549dfd4df63a4a36636c13a5040231e7f8601f9d43bf875589df7b69  icedtea-2.6.16.tar.xz
0a4a0f95ecbf34302e4368b4f71a51a0da059a2a0839f44919353ae6a67f3acb  icedtea-2.6.16.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.16.sha256

The following people helped with these releases:

* Andrew Hughes (all backports & bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.16.tar.gz

or

$ tar x -I xz -f icedtea-2.6.16.tar.xz

then

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.16/configure
$ make

Full build requirements and instructions are available in the INSTALL file.
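Before unpacking, the tarball should be checked against the published SHA256 list and its detached signature tied to the announced key. The script below is an added example for this announcement, not part of the IcedTea project: it assumes sha256sum and gpg (>= 2.1) are on PATH and that icedtea-2.6.16.sha256 contains the four lines shown above. It rejects a signature unless the signing key's fingerprint equals the one announced, since `gpg --verify` alone only proves that some key in the local keyring signed the file.

```shell
#!/bin/sh
# Verify an IcedTea 2.6.16 release tarball before building it.
# Added example for this announcement; not IcedTea project code.
# Assumes: sha256sum and gpg on PATH, icedtea-2.6.16.sha256 downloaded.

# Fingerprint from the announcement, without spaces (what gpg emits).
EXPECTED_FPR="5132579DD1540ED23E04C5A0CFDA0F9B35964222"

# verify_sha256 FILE CHECKSUM_LIST
# CHECKSUM_LIST holds "<hash>  <filename>" lines. Succeeds only when the
# entry for FILE's basename exists and matches the computed digest.
verify_sha256() {
    file=$1; list=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$list")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
    else
        echo "MISMATCH: $name (got $actual, expected $expected)" >&2
        return 1
    fi
}

# verify_sig FILE SIGFILE
# Parses gpg's machine-readable status output: the VALIDSIG line carries
# the signing (sub)key fingerprint in field 3 and the primary key
# fingerprint in the last field; either must equal EXPECTED_FPR.
verify_sig() {
    file=$1; sig=$2
    gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
      | awk -v f="$EXPECTED_FPR" \
            '$2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 } END { exit !ok }' \
      || { echo "signature on $file is not from $EXPECTED_FPR" >&2; return 1; }
    echo "OK: $file signed by $EXPECTED_FPR"
}

# check_release TARBALL: checksum the tarball and its .sig, then verify
# the signature. Usage: check_release icedtea-2.6.16.tar.xz
check_release() {
    tarball=$1
    verify_sha256 "$tarball" icedtea-2.6.16.sha256 &&
    verify_sha256 "$tarball.sig" icedtea-2.6.16.sha256 &&
    verify_sig "$tarball" "$tarball.sig"
}
```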

Happy hacking!
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222