From gnu_andrew at member.fsf.org  Tue Aug  2 17:34:50 2022
From: gnu_andrew at member.fsf.org (Andrew Hughes)
Date: Tue, 2 Aug 2022 18:34:50 +0100
Subject: [SECURITY] IcedTea 3.24.0 for OpenJDK 8 Released!
Message-ID:

We are pleased to announce the release of IcedTea 3.24.0!

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 8 support with the July 2022 security
fixes from OpenJDK 8u342 and the interim 8u345 release.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.org mailing list and patches are always
welcome.

Full details of the release can be found below.

What's New?
===========

New in release 3.24.0 (2022-08-02):

* Security fixes
  - JDK-8272243: Improve DER parsing
  - JDK-8272249: Better properties of loaded Properties
  - JDK-8277608: Address IP Addressing
  - JDK-8281859, CVE-2022-21540: Improve class compilation
  - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
  - JDK-8283190: Improve MIDI processing
  - JDK-8284370: Improve zlib usage
  - JDK-8285407, CVE-2022-34169: Improve Xalan supports
* Import of OpenJDK 8 u342
  - JDK-8076190: Customizing the generation of a PKCS12 keystore
  - JDK-8129572: Cleanup usage of getResourceAsStream in jaxp
  - JDK-8132256: jaxp: Investigate removal of com/sun/org/apache/bcel/internal/util/ClassPath.java
  - JDK-8168926: C2: Bytecode escape analyzer crashes due to stack overflow
  - JDK-8170530: bash configure output contains a typo in a suggested library name
  - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
  - JDK-8194154: System property user.dir should not be changed
  - JDK-8202142: jfr/event/io/TestInstrumentation is unstable
  - JDK-8209771: jdk.test.lib.Utils::runAndCheckException error
  - JDK-8221988: add possibility to build with Visual Studio 2019
  - JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp
  - JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target
  - JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file
  - JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty"
  - JDK-8248876: LoadObject with bad base address created for exec file on linux
  - JDK-8255239: The timezone of the hs_err_pid log file is corrupted in Japanese locale
  - JDK-8261107: ArrayIndexOutOfBoundsException in the ICC_Profile.getInstance(InputStream)
  - JDK-8266187: Memory leak in appendBootClassPath()
  - JDK-8274658: ISO 4217 Amendment 170 Update
  - JDK-8274751: Drag And Drop hangs on Windows
  - JDK-8278138: OpenJDK8 fails to start on Windows 8.1 after upgrading compiler to VS2017
  - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
  - JDK-8281814: Debuginfo.diz contains redundant build path after backport JDK-8025936
  - JDK-8282458: Update .jcheck/conf file for 8u move to git
  - JDK-8282552: Bump update version of OpenJDK: 8u342
  - JDK-8283350: (tz) Update Timezone Data to 2022a
  - JDK-8284620: CodeBuffer may leak _overflow_arena
  - JDK-8285445: cannot open file "NUL:"
  - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
  - JDK-8285591: [11] add signum checks in DSA.java engineVerify
  - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
  - JDK-8286989: Build failure on macOS after 8281814
  - JDK-8287537: 8u JDK-8284620 backport broke AArch64 build
* Import of OpenJDK 8 u345
  - JDK-8290832: It is no longer possible to change "user.dir" in the JDK8
  - JDK-8291568: Bump update version of OpenJDK: 8u345

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.24.0.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-3.24.0.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-3.24.0.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-3.24.0.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

96cf94c0d29aa5a659369e75c0f6ed4e7832e0aa23d5ebb09fd06dea38feb864  icedtea-3.24.0.tar.gz
d8b02f464ed6ac93ccfa6140938fddcebd6f49bd665f22f8e501446237c752b7  icedtea-3.24.0.tar.gz.sig
1c74bf6f3a69bf18ee6dc449fc2ad3294e9371b67ff93aa7d38a140e24041cfe  icedtea-3.24.0.tar.xz
864231bd655bddded247a3045f9911ba86a81c61558983f6ae00397963c90281  icedtea-3.24.0.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.24.0.sha256

The following people helped with this release:

* Andrew Hughes (all bug fixes and backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

    $ tar xzf icedtea-3.24.0.tar.gz

or:

    $ tar x -I xz -f icedtea-3.24.0.tar.xz

then:

    $ mkdir icedtea-build
    $ cd icedtea-build
    $ ../icedtea-3.24.0/configure
    $ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
-- 
Andrew :)
Pronouns: he / him or they / them
Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
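
The checksum and signature check the announcement describes, as an added shell example (not part of the original message and not IcedTea project code): it pins the fingerprint and SHA256 values quoted above and accepts a tarball only when gpg reports a good signature from that exact key. The function names and the script name verify.sh are hypothetical, and the key is assumed to be already imported into the local keyring.

```shell
#!/bin/sh
# Added example. Fingerprint and digests are copied from the announcement above.
PINNED_FPR=5132579DD1540ED23E04C5A0CFDA0F9B35964222

# expected_sha256 FILE: print the announced digest for a release tarball.
expected_sha256() {
    case "$(basename "$1")" in
        icedtea-3.24.0.tar.gz) echo 96cf94c0d29aa5a659369e75c0f6ed4e7832e0aa23d5ebb09fd06dea38feb864 ;;
        icedtea-3.24.0.tar.xz) echo 1c74bf6f3a69bf18ee6dc449fc2ad3294e9371b67ff93aa7d38a140e24041cfe ;;
        *) return 1 ;;
    esac
}

# sha256_matches FILE HEX: succeed only if FILE hashes to HEX.
sha256_matches() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# signed_by FPR: read `gpg --status-fd` lines on stdin. Succeed only if gpg
# reported GOODSIG (not EXPKEYSIG/REVKEYSIG) and a VALIDSIG line whose signing
# key or primary key fingerprint equals FPR. Appending "" forces string compare.
signed_by() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (($3 "") == (fpr "") || ($NF "") == (fpr "")) { valid = 1 }
        END { exit (good && valid) ? 0 : 1 }'
}

# verify_release FILE: check the digest, then the detached signature FILE.sig.
verify_release() {
    want=$(expected_sha256 "$1") || { echo "unknown file: $1" >&2; return 1; }
    sha256_matches "$1" "$want" || { echo "digest mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null | signed_by "$PINNED_FPR" ||
        { echo "no good signature from $PINNED_FPR" >&2; return 1; }
    echo "verified: $1"
}

# Usage (hypothetical script name): sh verify.sh icedtea-3.24.0.tar.xz
if [ "$#" -gt 0 ]; then verify_release "$1"; fi
```

The checksum file and tarballs are served over plain HTTP, so the digest comparison only detects corruption; the pinned-fingerprint signature check is what ties the download to the release key.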