[SECURITY] IcedTea 2.6.23 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Sat Sep 26 17:52:44 UTC 2020

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with
the July 2020 security fixes from OpenJDK 7u271.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the distro-pkg-dev at
openjdk.java.net mailing list and patches are always welcome.

Full details of the release can be found below.

What's New?
New in release 2.6.23 (2020-09-26):

* Security fixes
  - JDK-8028431, CVE-2020-14579: NullPointerException in DerValue.equals(DerValue)
  - JDK-8028591, CVE-2020-14578: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()
  - JDK-8230613: Better ASCII conversions
  - JDK-8231800: Better listing of arrays
  - JDK-8232014: Expand DTD support
  - JDK-8233255: Better Swing Buttons
  - JDK-8234032: Improve basic calendar services
  - JDK-8234042: Better factory production of certificates
  - JDK-8234418: Better parsing with CertificateFactory
  - JDK-8234836: Improve serialization handling
  - JDK-8236191: Enhance OID processing
  - JDK-8237592, CVE-2020-14577: Enhance certificate verification
  - JDK-8238002, CVE-2020-14581: Better matrix operations
  - JDK-8238804: Enhance key handling process
  - JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
  - JDK-8238843: Enhanced font handing
  - JDK-8238920, CVE-2020-14583: Better Buffer support
  - JDK-8238925: Enhance WAV file playback
  - JDK-8240119, CVE-2020-14593: Less Affine Transformations
  - JDK-8240482: Improved WAV file playback
  - JDK-8241379: Update JCEKS support
  - JDK-8241522: Manifest improved jar headers redux
  - JDK-8242136, CVE-2020-14621: Better XML namespace handling
* Import of OpenJDK 7 u271 build 1
  - JDK-8040113: File not initialized in src/share/native/sun/awt/giflib/dgif_lib.c
  - JDK-8054446: Repeated offer and remove on ConcurrentLinkedQueue lead to an OutOfMemoryError
  - JDK-8077982: GIFLIB upgrade
  - JDK-8081315: 8077982 giflib upgrade breaks system giflib builds with earlier versions
  - JDK-8147087: Race when reusing PerRegionTable bitmaps may result in dropped remembered set entries
  - JDK-8151582: (ch) test java/nio/channels/AsyncCloseAndInterrupt.java failing due to "Connection succeeded"
  - JDK-8155691: Update GIFlib library to the latest up-to-date
  - JDK-8181841: A TSA server returns timestamp with precision higher than milliseconds
  - JDK-8203190: SessionId.hashCode generates too many collisions
  - JDK-8217676: Upgrade libpng to 1.6.37
  - JDK-8220495: Update GIFlib library to the 5.1.8
  - JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
  - JDK-8229899: Make java.io.File.isInvalid() less racy
  - JDK-8230597: Update GIFlib library to the 5.2.1
  - JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return
  - JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
  - JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result
* Backports
  - JDK-8150652, PR3496: Remove unused code in AArch64 back end

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.23.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.6.23.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-2.6.23.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.6.23.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

bed97c623f5a93ea4bce812a37b4c1d2344b6e7a135ef880aabfa7d843df6fca  icedtea-2.6.23.tar.gz
fbd9be74fa16fde0b275418360247c2dcc15030e4294038d5b5c190ad836ed80  icedtea-2.6.23.tar.gz.sig
8370d62caf0c5decd7e2a16f0863824ffc0d0b82de609e0fa692c661cffde793  icedtea-2.6.23.tar.xz
6a2b886f2e486201f1341b1edcf93b601ed867b2af8087a0347820e5b89eaa2e  icedtea-2.6.23.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.23.sha256

The following people helped with these releases:

* Andrew Hughes (all backports & bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.23.tar.gz


$ tar x -I xz -f icedtea-2.6.23.tar.xz


$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.23/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
Andrew :)
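
The checksum and signature checks described in this announcement, as an added example that is not part of the original e-mail or the IcedTea project: it compares a tarball against the published SHA256 list, then accepts the detached signature only if GnuPG reports a valid signature from the fingerprint given above. The function names are hypothetical; it assumes `sha256sum`, `awk` and GnuPG >= 2.1 are installed, the signing key is already in the local keyring, and the `.sha256` list and `.sig` file sit next to the tarball.

```shell
#!/bin/sh
# Added example: verify an IcedTea release tarball before unpacking it.
# Fingerprint as published in the announcement, with the spaces removed.
FPR=5132579DD1540ED23E04C5A0CFDA0F9B35964222

# expected_sum LIST NAME -> print the digest recorded for NAME, if any
expected_sum() {
    awk -v n="$2" '$2 == n || $2 == ("*" n) { print $1; exit }' "$1"
}

# check_sha256 LIST FILE -> 0 only if FILE is listed and its digest matches
check_sha256() {
    want=$(expected_sum "$1" "$(basename "$2")")
    [ -n "$want" ] || return 2      # a file missing from the list is a failure
    got=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$got" ]
}

# validsig_by FPR -> read `gpg --status-fd` lines on stdin; 0 only if a
# VALIDSIG line names FPR as the signing key (field 3) or as the primary
# key (last field, which differs when a subkey made the signature)
validsig_by() {
    awk -v f="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
        END { exit !ok }'
}

# verify_release LIST TARBALL -> checksum first, then the detached signature
verify_release() {
    check_sha256 "$1" "$2" || { echo "checksum mismatch: $2" >&2; return 1; }
    gpg --batch --status-fd 1 --verify "$2.sig" "$2" 2>/dev/null |
        validsig_by "$FPR" || { echo "no valid signature from $FPR: $2" >&2; return 1; }
}

# Usage: sh verify.sh icedtea-2.6.23.sha256 icedtea-2.6.23.tar.xz
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

The download URLs in the announcement are plain http, so the checksum list alone only detects corruption; the signature check against the pinned fingerprint is what ties the tarball to the release key.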
