[SECURITY] IcedTea 3.19.0 for OpenJDK 8 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Fri May 14 04:22:02 UTC 2021

We are pleased to announce the release of IcedTea 3.18.0!

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 8 support with the April 2021
security fixes from OpenJDK 8u292.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the distro-pkg-dev at
openjdk.java.net mailing list and patches are always welcome.

Full details of the release can be found below.

What's New?
New in release 3.19.0 (2021-05-13):

* Security fixes
  - JDK-8227467: Better class method invocations
  - JDK-8244473: Contextualize registration for JNDI
  - JDK-8244543: Enhanced handling of abstract classes
  - JDK-8249906, CVE-2021-2163: Enhance opening JARs
  - JDK-8250568, CVE-2021-2161: Less ambiguous processing
  - JDK-8253799: Make lists of normal filenames
* New features
  - PR3835: Populate unique SystemTap suffix from configure
* Import of OpenJDK 8 u292 build 01
  - JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop
  - JDK-8031126: java/lang/management/ThreadMXBean/ThreadUserTime.java fails intermittently
  - JDK-8035166: Remove dependency on EC classes from pkcs11 provider
  - JDK-8035186: j2se_jdk/jdk/test/java/lang/invoke/lambda/LogGeneratedClassesTest.java - assertion error
  - JDK-8078450: Implement consistent process for quarantine of tests
  - JDK-8080953: [TEST_BUG]Test java/awt/FontClass/DebugFonts.java fails due to wrongly typed bugid
  - JDK-8081547: Prepare client libs regression tests for running in a concurrent, headless jtreg environment
  - JDK-8141457: keytool default cert fingerprint algorithm should be SHA-256
  - JDK-8150204: (fs) Enhance java/nio/file/Files/probeContentType/Basic.java debugging output
  - JDK-8160217: JavaSound should clean up resources better
  - JDK-8163363: AArch64: Stack size in tools/launcher/Settings.java needs to be adjusted
  - JDK-8167281: IIOMetadataNode bugs in getElementsByTagName and NodeList.item methods
  - JDK-8168996: C2 crash at postaloc.cpp:140 : assert(false) failed: unexpected yanked node
  - JDK-8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"
  - JDK-8186090: java.nio.Bits.unaligned() doesn't handle aarch64
  - JDK-8195685: AArch64 port of 8174962: Better interface invocations
  - JDK-8202343: Disable TLS 1.0 and 1.1
  - JDK-8211339: NPE during SSL handshake caused by HostnameChecker
  - JDK-8216987: ciMethodData::load_data() unpacks MDOs with non-atomic copy
  - JDK-8217338: [Containers] Improve systemd slice memory limit support
  - JDK-8223186: HotSpot compile warnings from GCC 9
  - JDK-8225805: Java Access Bridge does not close the logger
  - JDK-8226899: Problemlist compiler/rtm tests
  - JDK-8227642: [TESTBUG] Make docker tests podman compatible
  - JDK-8228434: jdk/net/Sockets/Test.java fails after JDK-8227642
  - JDK-8229284: jdk/internal/platform/cgroup/TestCgroupMetrics.java fails for - memory:getMemoryUsage
  - JDK-8230388: Problemlist additional compiler/rtm tests
  - JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
  - JDK-8234727: sun/security/ssl/X509TrustManagerImpl tests support TLSv1.3
  - JDK-8234728: Some security tests should support TLSv1.3
  - JDK-8235874: The ordering of Cipher Suites is not maintained provided through jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites system property.
  - JDK-8238579: HttpsURLConnection drops the timeout and hangs forever in read
  - JDK-8242141: New System Properties to configure the TLS signature schemes
  - JDK-8244621: [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11
  - JDK-8249183: JVM crash in "AwtFrame::WmSize" method
  - JDK-8249588: libwindowsaccessbridge issues on 64bit Windows
  - JDK-8250984: Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities
  - JDK-8251397: NPE on ClassValue.ClassValueMap.cacheArray
  - JDK-8252470: java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows
  - JDK-8253368: TLS connection always receives close_notify exception
  - JDK-8253476: TestUseContainerSupport.java fails on some Linux kernels w/o swap limit capabilities
  - JDK-8253932: SSL debug log prints incorrect caller info
  - JDK-8254854: [cgroups v1] Metric limits not properly detected on some join controller combinations
  - JDK-8255908: ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem
  - JDK-8255937: Better cleanup for test/jdk/javax/imageio/stream/StreamFlush.java
  - JDK-8256642: [TEST_BUG] jdk/test/javax/sound/midi/MidiSystem/DefaultProperties.java failed
  - JDK-8257192: Integrate AArch64 JIT port into 8u
  - JDK-8258079: Eliminate ParNew's use of klass_or_null()
  - JDK-8258241: [8u] Missing doPrivileged() hunks from JDK-8226575
  - JDK-8258396: SIGILL in jdk.jfr.internal.PlatformRecorder.rotateDisk()
  - JDK-8258430: 8u backport of JDK-8063107 missing test/javax/swing/JRadioButton/8041561/bug8041561.java changes
  - JDK-8258933: G1 needs klass_or_null_acquire
  - JDK-8259312: VerifyCACerts.java fails as soneraclass2ca cert will
  - JDK-8259384: CUP version wrong in THIRD_PARTY_README after JDK-8233548
  - JDK-8259568: PPC64 builds broken after JDK-8221408 8u backport
* Import of OpenJDK 8 u292 build 02
  - JDK-8078614: WindowsClassicLookAndFeel MetalComboBoxUI.getbaseLine fails with IllegalArgumentException
  - JDK-8198334: java/awt/FileDialog/8003399/bug8003399.java fails in headless mode
  - JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel
  - JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets
  - JDK-8258833: Cancel multi-part cipher operations in SunPKCS11 after failures
* Import of OpenJDK 8 u292 build 03
  - JDK-8145051: Wrong parameter name in synthetic lambda method leads to verifier error
  - JDK-8172404: Tools should warn if weak algorithms are used before restricting them
  - JDK-8209333: Socket reset issue for TLS 1.3 socket close
  - JDK-8219991: New fix of the deadlock in sun.security.ssl.SSLSocketImpl
  - JDK-8239091: Reversed arguments in call to strstr in freetype "debug" code.
  - JDK-8240827: Downport SSLSocketImpl.java from "8221882: Use fiber-friendly java.util.concurrent.locks in JSSE"
  - JDK-8255880: UI of Swing components is not redrawn after their internal state changed
  - JDK-8256682: JDK-8202343 is incomplete
  - JDK-8260930: AARCH64: Invalid value passed to critical JNI function
* Import of OpenJDK 8 u292 build 04
  - JDK-8061777: (zipfs) IllegalArgumentException in ZipCoder.toString when using Shitft_JIS
  - JDK-8158525: Update a few java/net tests to use the loopback address instead of the host address
  - JDK-8171410: aarch64: long multiplyExact shifts by 31 instead of 63
  - JDK-8225435: Upgrade IANA Language Subtag Registry to the latest for JDK14
  - JDK-8235263: Revert TLS 1.3 change that wrapped IOExceptions
  - JDK-8235311: Tag mismatch may alert bad_record_mac
  - JDK-8236500: Windows ucrt.dll should be looked up in versioned WINSDK subdirectory
  - JDK-8260349: Cannot programmatically retrieve Metaspace max set via JAVA_TOOL_OPTIONS
  - JDK-8261766: [8u] hotspot needs to recognise cl.exe 19.16 to build with VS2017
  - JDK-8262075: sun/security/krb5/auto/UseCacheAndStoreKey.java timed out intermittently
* Import of OpenJDK 8 u292 build 05
  - JDK-6345095: regression test EmptyClipRenderingTest fails
  - JDK-6896810: TEST_BUG: java/lang/ref/SoftReference/Pin.java fails with OOME during System.out.println
  - JDK-7107012: sun.jvm.hostspot.code.CompressedReadStream readDouble() conversion to long mishandled
  - JDK-7112454: TEST_BUG: java/awt/Choice/PopdownGeneratesMouseEvents/PopdownGeneratesMouseEvents.html failed
  - JDK-7131835: [TEST_BUG] Test does not consider that the rounded edges of the window in Mac OS 10.7
  - JDK-7185221: [macosx] Regtest should not throw exception if a suitable display mode found
  - JDK-8041464: [TEST_BUG] CustomClassLoaderTransferTest does not support OS X
  - JDK-8078024: javac, several incorporation steps are silently failing when an error should be reported
  - JDK-8129626: G1: set_in_progress() and clear_started() needs a barrier on non-TSO platforms
  - JDK-8211301: [macos] support full window content options
  - JDK-8240353: AArch64: missing support for -XX:+ExtendedDTraceProbes in C1
  - JDK-8248336: AArch64: C2: offset overflow in BoxLockNode::emit
  - JDK-8257746: Regression introduced with JDK-8250984 - memory might be null in some machines
  - JDK-8261231: Windows IME was disabled after DnD operation
  - JDK-8262073: assert(allocates2(pc)) failed: not in CodeBuffer memory
* Import of OpenJDK 8 u292 build 06
  - JDK-8259048: (tz) Upgrade time-zone data to tzdata2020f
* Import of OpenJDK 8 u292 build 07
  - JDK-8263008: AARCH64: Add debug info for libsaproc.so
* Import of OpenJDK 8 u292 build 08
  - JDK-8191915: JCK tests produce incorrect results with C2
  - JDK-8256421: Add 2 HARICA roots to cacerts truststore
  - JDK-8260356: (tz) Upgrade time-zone data to tzdata2021a
* Import of OpenJDK 8 u292 build 09
  - JDK-8264171: Missing aarch64 parts of JDK-8236179 (C1 register allocation failure with T_ADDRESS)
* Import of OpenJDK 8 u292 build 10
  - JDK-8258247: Couple of issues in fix for JDK-8249906
  - JDK-8259428: AlgorithmId.getEncodedParams() should return copy
  - JDK-8261183: Follow on to Make lists of normal filenames
* Backports
  - JDK-8250825, PR3837: C2 crashes with assert(field != __null) failed: missing field
  - JDK-8255466, PR3837: C2 crashes at ciObject::get_oop() const+0x0
* Bug fixes
  - PR3822: Update elliptic curve patch to handle jdk.disabled.namedCurves (JDK-8233228) & file movement (JDK-8035166)
  - PR3836: Extra compiler flags not passed to adlc build
  - PR3838: Bogus -Wnonnull warning on Zero builds
  - PR3839: Make -Wnonnull warnings on ppc64 non-fatal for now
* Shenandoah
  - [backport] 8202976: Add C1 lea patching support for x86
  - [backport] 8221507: Implement JFR Events for Shenandoah
  - [backport] 8224573: Fix windows build after JDK-8221507
  - [backport] 8228369: Shenandoah: Refactor LRB C1 stubs
  - [backport] 8229474: Shenandoah: Cleanup CM::update_roots()
  - [backport] 8229709: x86_32 build and test failures after JDK-8228369 (Shenandoah: Refactor LRB C1 stubs)
  - [backport] 8231087: Shenandoah: Self-fixing load reference barriers for C1/C2
  - [backport] 8232747: Shenandoah: Concurrent GC should deactivate SATB before processing weak roots
  - [backport] 8232992: Shenandoah: Implement self-fixing interpreter LRB
  - [backport] 8233021: Shenandoah: SBSC2::is_shenandoah_lrb_call should match all LRB shapes
  - [backport] 8233165: Shenandoah:SBSA::gen_load_reference_barrier_stub() should use pointer register for address on aarch64
  - [backport] 8233574: Shenandoah: build is broken without jfr
  - [backport] 8237837: Shenandoah: assert(mem == __null) failed: only one safepoint
  - [backport] 8238153: CTW: C2 (Shenandoah) compilation fails with "Unknown node in get_load_addr: CreateEx"
  - [backport] 8238851: Shenandoah: C1: Resolve into registers of correct type
  - [backport] 8240315: Shenandoah: Rename ShLBN::get_barrier_strength()
  - [backport] 8240751: Shenandoah: fold ShenandoahTracer definition
  - [backport] 8241765: Shenandoah: AARCH64 need to save/restore call clobbered registers before calling keepalive barrier
  - [backport] 8244510: Shenandoah: invert SHC2Support::is_in_cset condition
  - [backport] 8244663: Shenandoah: C2 assertion fails in Matcher::collect_null_checks
  - [backport] 8244721: CTW: C2 (Shenandoah) compilation fails with "unexpected infinite loop graph shape"
  - [backport] 8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U
  - [backport] 8252660: Shenandoah: support manageable SoftMaxHeapSize option
  - [backport] 8253224: Shenandoah: ShenandoahStrDedupQueue destructor calls virtual num_queues()
  - [backport] 8253778: ShenandoahSafepoint::is_at_shenandoah_safepoint should not access VMThread state from other threads
  - [backport] 8255457: Shenandoah: cleanup ShenandoahMarkTask
  - [backport] 8255760: Shenandoah: match constants style in ShenandoahMarkTask fallback
  - [backport] 8256806: Shenandoah: optimize shenandoah/jni/TestPinnedGarbage.java test
  - [backport] 8257641: Shenandoah: Query is_at_shenandoah_safepoint() from control thread should return false
  - Fix racy update of code roots
  - Fix register allocation for thread register is 32bit LRB
  - Fix Shenandoah bindings in ADLC formssel
  - Normalise whitespace in AArch64 sources prior to merge of upstreamed version in 8u292-b01.
  - Revert differences against upstream 8u
  - Shenandoah: Backed out weak roots cleaning during full gc
* AArch64 port
  - Normalise AArch64 sources, prior to merge of upstream version.

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.19.0.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-3.19.0.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-3.19.0.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-3.19.0.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

f7a610da95be712f66b0ec03bbd6faa8f2164f4f6f0d7c48cc9a4a3e5cb86cee  icedtea-3.19.0.tar.gz
c5e1755523f75632c4e2de6e6f0d6d9f2f83e37eabb13993a1c00a455277bae7  icedtea-3.19.0.tar.gz.sig
eed61e51ba35635b2292a6e67404d5e3f4bf7cc5d69bc1b81f5b69b1d8d1b5b2  icedtea-3.19.0.tar.xz
8b8c0a999edb43106c5200781981660f60426fc5c5d8f1f1516164720f0f1fd3  icedtea-3.19.0.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.19.0.sha256

The following people helped with this release:

* Andrew Hughes (all bug fixes and backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-3.19.0.tar.gz


$ tar x -I xz -f icedtea-3.19.0.tar.xz


$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-3.19.0/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
Andrew :)

Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20210514/ad9b4c3e/signature.asc>

More information about the distro-pkg-dev mailing list