[SECURITY] IcedTea 2.6.18 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Thu May 2 02:41:21 UTC 2019


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with
the April 2019 security fixes from OpenJDK 7u221.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always
welcome.

Full details of the release can be found below.

What's New?
===========
New in release 2.6.18 (2019-05-01):

* Security fixes
  - S8211936, CVE-2019-2602: Better String parsing
  - S8218453, CVE-2019-2684: More dynamic RMI interactions
  - S8219066, CVE-2019-2698: Fuzzing TrueType fonts: setCurrGlyphID()
* Import of OpenJDK 7 u211 build 1
  - S8003846: Override mechanism for currency data should not require creating currency.properties in java.home
  - S8129361: ISO 4217 amendment 160
  - S8129822: Define "headful" jtreg keyword
  - S8145952: ISO 4217 amendment 161
  - S8164784: ISO 4217 amendment 162
  - S8202088: Japanese new era implementation
  - S8204142: AWT hang occurs when sequenced events arrive out of sequence in multiple AppContexts
  - S8205432: Replace the placeholder Japanese era name
  - S8206120: Add test cases for lenient Japanese era parsing
  - S8207152: Placeholder for Japanese new era should be two characters
  - S8207258: Distrust TLS server certificates anchored by Symantec Root CAs
  - S8208656: Move java/util/Calendar/CalendarTestScripts tests into OpenJDK
  - S8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
  - S8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
  - S8219890: [TEST_BUG] Calendar.getDisplayName() returns empty string for new Japanese Era on some locales
  - S8222449: freetypecheck compares versions using lexicographic comparison
* Bug fixes
  - PR3730: Change policytool.desktop.in category Development to Settings
  - PR3731: Use JRE bin directory in policytool.desktop.in
  - PR3732: Use SDK bin directory in jconsole.desktop.in
  - PR3733: Use shortened Java version first in Name field of desktop files
  - PR3737: Use https URLs where possible.
  - PR3739: PR2886 breaks make clean
* AArch64 port
  - S8219635, PR3726: aarch64: missing LoadStore barrier in TemplateTable::fast_storefield
  - S8221220, PR3726: AArch64: Add StoreStore membar explicitly for Volatile Writes in TemplateTable

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.18.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.6.18.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-2.6.18.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.6.18.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

c92cb68d3ca0241a44531c640b96ae0285779e2ed22bf12ed3e580561d8b422a  icedtea-2.6.18.tar.gz
a235494624d61eaa33874b9f215c3535890f25180c194983fead6ff808beef75  icedtea-2.6.18.tar.gz.sig
af4031b21400d9194bce9aae4dceb012590f88fe8c51efcaa67de33eb7e6152f  icedtea-2.6.18.tar.xz
2189aa8369eb387b79a2a9533b4e38cfe1578acdb3c0e8f7c2445805ced91231  icedtea-2.6.18.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.18.sha256

The following people helped with these releases:

* Andrew Hughes (all other backports & bug fixes, release management)
* Felix Yang (AArch64 fix S8219635)
* Patrick Zhang (AArch64 fix 8221220)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.18.tar.gz

or:

$ tar x -I xz -f icedtea-2.6.18.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.18/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
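
Added example, not part of the original announcement or of IcedTea's own tooling: a shell script that checks a downloaded tarball against the SHA256 value and the key fingerprint given above before it is unpacked. The function names are hypothetical; it assumes `sha256sum`, GnuPG >= 2.1, and that the signing key has already been imported into the local keyring.

```shell
#!/bin/sh
# Pinned values copied from the announcement above.
PINNED_FPR=5132579DD1540ED23E04C5A0CFDA0F9B35964222
SHA256_GZ=c92cb68d3ca0241a44531c640b96ae0285779e2ed22bf12ed3e580561d8b422a
SHA256_XZ=af4031b21400d9194bce9aae4dceb012590f88fe8c51efcaa67de33eb7e6152f

# sha256_matches FILE EXPECTED_HEX
# True only if the file's digest equals the expected value exactly.
# A missing file yields an empty digest and therefore fails.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# signed_by_pinned_key
# Reads `gpg --status-fd` lines on stdin. True only if gpg reported GOODSIG
# (so not an expired or revoked key) and a VALIDSIG line names the pinned
# fingerprint, either as the signing key (field 3) or as the primary key
# (last field, which differs when a subkey made the signature).
signed_by_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { valid = 1 }
        END { exit (good && valid) ? 0 : 1 }'
}

# verify_release TARBALL EXPECTED_SHA256
# Checks the checksum first, then the detached signature in TARBALL.sig.
verify_release() {
    sha256_matches "$1" "$2" \
        || { echo "checksum mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null | signed_by_pinned_key \
        || { echo "signature not made by pinned key: $1" >&2; return 1; }
}

# Usage, once the tarball, its .sig and the public key are present locally:
#   verify_release icedtea-2.6.18.tar.gz "$SHA256_GZ" && tar xzf icedtea-2.6.18.tar.gz
#   verify_release icedtea-2.6.18.tar.xz "$SHA256_XZ" && tar x -I xz -f icedtea-2.6.18.tar.xz
```

Pinning the full fingerprint rather than trusting gpg's exit status alone means a valid signature from any other key in the keyring is rejected.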