[SECURITY] IcedTea 2.6.17 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Tue Mar 19 04:14:51 UTC 2019


On Sun, 17 Mar 2019 at 08:18, Andrew Hughes <gnu_andrew at member.fsf.org> wrote:
>
> The IcedTea project provides a harness to build the source code from
> OpenJDK using Free Software build tools, along with additional
> features such as the ability to build against system libraries and
> support for alternative virtual machines and architectures beyond
> those supported by OpenJDK.
>
> This release updates our OpenJDK 7 support in the 2.6.x series with
> the January 2019 security fixes from OpenJDK 7 u211.
>
> If you find an issue with the release, please report it to our bug
> database (http://icedtea.classpath.org/bugzilla) under the appropriate
> component. Development discussion takes place on the
> distro-pkg-dev at openjdk.java.net mailing list and patches are always
> welcome.
>
> Full details of the release can be found below.
>
> What's New?
> ===========
> New in release 2.6.17 (2019-03-16):
>
> * Security fixes
>   - S8199156: Better route routing
>   - S8199161: Better interface enumeration
>   - S8199166: Better interface lists
>   - S8199552: Update to build scripts
>   - S8200659: Improve BigDecimal support
>   - S8203955: Improve robot support
>   - S8204895: Better icon support
>   - S8205356: Choose printer defaults
>   - S8205709: Proper allocation handling
>   - S8205714: Initial class initialization
>   - S8206290, CVE-2019-2422: Better FileChannel transfer performance
>   - S8206295: More reliable p11 transactions
>   - S8206301: Improve NIO stability
>   - S8208585: Make crypto code more robust
>   - S8209094, CVE-2019-2426: Improve web server connections
>   - S8210094: Better loading of classloader classes
>   - S8210606: Improved data set handling
>   - S8210610: Improved LSA authentication
>   - S8210866, CVE-2018-11212: Improve JPEG processing
>   - S8210870: Libsunmscapi improved interactions
> * Import of OpenJDK 7 u211 build 0
>   - S6383200: PBE: need new algorithm support in password based encryption
>   - S6483657: MSCAPI provider does not create unique alias names
>   - S8000203: File descriptor leak in src/solaris/native/java/net/net_util_md.c
>   - S8008321: compile.cpp verify_graph_edges uses bool as int
>   - S8013069: javax.crypto tests fail with new PBE algorithm names
>   - S8027781: New jarsigner timestamp warning is grammatically incorrect
>   - S8029018: (bf) Check src/share/native/java/nio/Bits.c for JNI pending exceptions
>   - S8029661: Support TLS v1.2 algorithm in SunPKCS11 provider
>   - S8098854: Do cleanup in a proper order in sunmscapi code
>   - S8133070: Hot lock on BulkCipher.isAvailable
>   - S8138589: Correct limits on unlimited cryptography
>   - S8143913: MSCAPI keystore should accept Certificate[] in setEntry()
>   - S8159805: sun/security/tools/jarsigner/warnings/NoTimestampTest.java fails after JDK-8027781
>   - S8162362: Introduce system property to control enabled ciphersuites
>   - S8165463: Native implementation of sunmscapi should use operator new (nothrow) for allocations
>   - S8191438: jarsigner should print when a timestamp will expire
>   - S8205330: InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection
>   - S8207775: Better management of CipherCore buffers
>   - S8208583: Better management of internal KeyStore buffers
>   - S8209129: Further improvements to cipher buffer management
>   - S8209862: CipherCore performance improvement
>   - S8210695: Create test to cover JDK-8205330 InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection
>   - S8210951: Test sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java fails
>   - S8211883: Disable anon and NULL cipher suites
>   - S8213085: (tz) Upgrade time-zone data to tzdata2018g
>   - S8213368: JDK 8u201 l10n resource file update
>   - S8213949: OpenJDK 8 CCharToGlyphMapper.m missing the Classpath exception license text
>   - S8214357: JDK 8u201 l10n resource file update md20
>   - S8218798: slowdebug build broken by JDK-8205714
> * Import of OpenJDK 7 u211 build 1
>   - S8213154: Update copyright headers of files in src tree that are missing Classpath exception
> * Import of OpenJDK 7 u211 build 2
>   - S8219570: JDK-6383200 wrongly extends PBEParameterSpec API
> * Backports
>   - S6424123, PR3702: JVM crashes on failed 'strdup' call
>   - S8005921, PR3702: Memory leaks in vmStructs.cpp
>   - S8011661, PR3702: Insufficient memory message says "malloc" when sometimes it should say "mmap"
>   - S8014138, PR3702: Add VM option to facilitate the writing of CDS tests
>   - S8055286, PR3702: Extend CompileCommand=option to handle numeric parameters
>   - S8056964, PR3702: JDK-8055286 changes are incomplete.
>   - S8057129, PR3702: Fix AIX build after the Extend CompileCommand=option change 8055286
>   - S8059847, PR3702: complement JDK-8055286 and JDK-8056964 changes
>   - S8076475, PR3702: Misuses of strncpy/strncat
>   - S8145096, PR3700: Undefined behaviour in HotSpot
>   - S8214059, PR3701: Undefined behaviour in ADLC
>   - S8217753, PR3686: Enable HotSpot builds on 5.x Linux kernels
> * Bug fixes
>   - PR3647: Backed out changeset 4e3ea67d3b69 (JDK-4890063/PR2305/RH1214835)
>   - PR3676: Update CVE URL
> * SystemTap
>   - PR3698: jstack.stp should support ppc64[le,be]
> * AArch64 port
>   - S8207838, PR3669: AArch64: Float registers incorrectly restored in JNI call
>   - S8209414, PR3669: AArch64: method handle invocation does not respect JVMTI interp_only mode
>   - S8209415, PR3669: Fix JVMTI test failure HS202
>   - S8211064, PR3669: [AArch64] Interpreter and c1 don't correctly handle jboolean results in native calls
>   - S8215951, PR3669: AArch64: jtreg test vmTestbase/nsk/jvmti/PopFrame/popframe005 segfaults
>   - S8218185, PR3669: aarch64: missing LoadStore barrier in TemplateTable::putfield_or_static
>
> The tarballs can be downloaded from:
>
> * http://icedtea.classpath.org/download/source/icedtea-2.6.17.tar.gz
> * http://icedtea.classpath.org/download/source/icedtea-2.6.17.tar.xz
>
> We provide both gzip and xz tarballs, so that those who are able to
> make use of the smaller tarball produced by xz may do so.
>
> The tarballs are accompanied by digital signatures available at:
>
> * http://icedtea.classpath.org/download/source/icedtea-2.6.17.tar.gz.sig
> * http://icedtea.classpath.org/download/source/icedtea-2.6.17.tar.xz.sig
>
> These are produced using my public key. See details below.
>
> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
>
> GnuPG >= 2.1 is required to be able to handle this key.
>
> SHA256 checksums:
>
> aa36111d5f5d2ad408f4caa98a379594a604a7540c80712cc1169d4b77fac38a  icedtea-2.6.17.tar.gz
> 0b312a7c9dbe39c325de4787a474e36d66e71237b64e4a5276f8756398ec2c78  icedtea-2.6.17.tar.gz.sig
> 56360402eabda81200439485a60f0fdb3790000f957651757ea688b336cdab57  icedtea-2.6.17.tar.xz
> d386690549d6846b5539333e0335ff6ab84119acb66d6eda0ac254775fe03367  icedtea-2.6.17.tar.xz.sig
>
> The checksums can be downloaded from:
>
> * http://icedtea.classpath.org/download/source/icedtea-2.6.17.sha256
>
> The following people helped with these releases:
>
> * Andrew Haley (AArch64 fixes S8209415 & S8211064)
> * Andrew Hughes (all other backports & bug fixes, release management)
> * Mark Wielaard (PR3698)
> * Felix Yang (AArch64 fixes S8215951, S8209414 & S8207838)
>
> We would also like to thank the bug reporters and testers!
>
> To get started:
>
> $ tar xzf icedtea-2.6.17.tar.gz
>
> or:
>
> $ tar x -I xz -f icedtea-2.6.17.tar.xz
>
> then:
>
> $ mkdir icedtea-build
> $ cd icedtea-build
> $ ../icedtea-2.6.17/configure
> $ make
>
> Full build requirements and instructions are available in the INSTALL file.
>
> Happy hacking!
> --
> Andrew :)
>
> Senior Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

Thanks to Tiago Daitx who spotted that I forgot to bump the OpenJDK
version when updating to 7u211 [0].

Updated tarballs are now available with this fixed:

* http://icedtea.classpath.org/download/source/icedtea-2.6.17-r1.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.6.17-r1.tar.xz
* http://icedtea.classpath.org/download/source/icedtea-2.6.17-r1.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.6.17-r1.tar.xz.sig

SHA256 checksums:

bda13b779b0a390ae6a43774750ee1ce830ad679634d8ff629ea4ee5a705e2f3  icedtea-2.6.17-r1.tar.gz
79130f1bead9dcda685f0b4642d046445c17a24f2c2af4b34f86734f2985ea05  icedtea-2.6.17-r1.tar.gz.sig
c098f3a41554e613969c6b0b0512ef038ff8abf0d135f1a84a39e9a8bbd4143b  icedtea-2.6.17-r1.tar.xz
5d92acb2f8dfe5029a728fe94bc310093f0c2a5f11a13d4796a7f2895a8dc960  icedtea-2.6.17-r1.tar.xz.sig

[0] http://icedtea.classpath.org/hg/release/icedtea7-2.6/rev/98565b0caec9

--
Andrew :)
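
One way to check a downloaded -r1 tarball against the SHA256 checksum and the key fingerprint given in the message above, as an added example that is not part of the original post. The function names are this example's own, and it assumes sha256sum, GnuPG >= 2.1 and the release key already imported into the local keyring:

```shell
#!/bin/sh
# Added example: verify an IcedTea 2.6.17-r1 tarball before building it.
# Fingerprint and checksum are copied from the announcement; function
# names are this example's own. Assumes GnuPG >= 2.1 and sha256sum, with
# the release key already imported into the local keyring.

EXPECTED_FPR="5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222"
R1_GZ_SHA256="bda13b779b0a390ae6a43774750ee1ce830ad679634d8ff629ea4ee5a705e2f3"

# Strip whitespace and upper-case, so fingerprints compare equal however
# they are spaced.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# sha256_matches FILE HEX: succeed only if FILE hashes to HEX.
sha256_matches() {
    actual=$(sha256sum -- "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# signer_is_pinned STATUS FPR: succeed only if gpg's machine-readable
# status reports a VALIDSIG made by FPR (as signing key or primary key).
signer_is_pinned() {
    want=$(normalize_fpr "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# verify_release TARBALL SIGNATURE SHA256: all three checks must pass.
verify_release() {
    sha256_matches "$1" "$3" || { echo "checksum mismatch: $1" >&2; return 1; }
    gpg_status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) ||
        { echo "signature did not verify: $2" >&2; return 1; }
    signer_is_pinned "$gpg_status" "$EXPECTED_FPR" ||
        { echo "valid signature, but not from the pinned key" >&2; return 1; }
    echo "OK: $1"
}

# Run only when called with arguments, e.g.:
#   sh verify.sh icedtea-2.6.17-r1.tar.gz icedtea-2.6.17-r1.tar.gz.sig
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" "$R1_GZ_SHA256"
fi
```

The checksum only shows the download matches what the announcement lists; the signature check against the pinned fingerprint is what ties the tarball to the release key.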

