[SECURITY] IcedTea 3.22.0 for OpenJDK 8 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Sat Mar 5 01:09:06 UTC 2022


We are pleased to announce the release of IcedTea 3.22.0!

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 8 support with the January 2022
security fixes from OpenJDK 8u322.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the distro-pkg-dev at
openjdk.java.net mailing list and patches are always welcome.

Full details of the release can be found below.

What's New?
===========
New in release 3.22.0 (2022-03-04):

* Security fixes
  - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
  - JDK-8268488: More valuable DerValues
  - JDK-8268494: Better inlining of inlined interfaces
  - JDK-8268512: More content for ContentInfo
  - JDK-8268795: Enhance digests of Jar files
  - JDK-8268801: Improve PKCS attribute handling
  - JDK-8268813, CVE-2022-21283: Better String matching
  - JDK-8269151: Better construction of EncryptedPrivateKeyInfo
  - JDK-8269944: Better HTTP transport redux
  - JDK-8270392, CVE-2022-21293: Improve String constructions
  - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
  - JDK-8270492, CVE-2022-21282: Better resolution of URIs
  - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
  - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
  - JDK-8271962: Better TrueType font loading
  - JDK-8271968: Better canonical naming
  - JDK-8271987: Manifest improved manifest entries
  - JDK-8272014, CVE-2022-21305: Better array indexing
  - JDK-8272026, CVE-2022-21340: Verify Jar Verification
  - JDK-8272236, CVE-2022-21341: Improve serial forms for transport
  - JDK-8272272: Enhance jcmd communication
  - JDK-8272462: Enhance image handling
  - JDK-8273290: Enhance sound handling
  - JDK-8273748, CVE-2022-21349: Improve Solaris font rendering
  - JDK-8273756, CVE-2022-21360: Enhance BMP image support
  - JDK-8273838, CVE-2022-21365: Enhanced BMP processing
* Import of OpenJDK 8 u322
  - JDK-6801613: Cross-platform pageDialog and printDialog top margin entry broken
  - JDK-8011541: [TEST_BUG] closed/javax/swing/plaf/metal/MetalUtils/bug6190373.java fails NPE since 7u25b03
  - JDK-8025430: [TEST_BUG] javax/swing/JEditorPane/5076514/bug5076514.java failed since jdk8b108
  - JDK-8041928: MouseEvent.getModifiersEx gives wrong result
  - JDK-8042199: The build of J2DBench via makefile is broken after the JDK-8005402
  - JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)
  - JDK-8048021: Remove @version tag in jaxp repo
  - JDK-8049348: compiler/intrinsics/bmi/verifycode tests on lzcnt and tzcnt use incorrect assumption about REXB prefix usage
  - JDK-8060027: Tests java/beans/XMLEncoder/Test4903007.java and java/beans/XMLEncoder/java_awt_GridBagLayout.java
  - JDK-8066588: javax/management/remote/mandatory/connection/RMIConnector_NPETest.java fails to compile
  - JDK-8066652: Default TimeZone is GMT not local if user.timezone is invalid on Mac OS
  - JDK-8069034: gc/g1/TestEagerReclaimHumongousRegionsClearMarkBits.java nightly failure
  - JDK-8077590: windows_i586_6.2-product-c2-runThese8_Xcomp_vm failing after win compiler upgrade
  - JDK-8080287: The image of BufferedImage.TYPE_INT_ARGB and BufferedImage.TYPE_INT_ARGB_PRE is blank
  - JDK-8140329: [TEST_BUG] test FullScreenAfterSplash.java failed because image was not generated
  - JDK-8140472: java/net/ipv6tests/TcpTest.java failed intermittently with java.net.BindException: Address already in use: NET_Bind
  - JDK-8147051: StaxEntityResolverWrapper should create StaxXMLInputSource with a resolver indicator
  - JDK-8148915: Intermittent failures of bug6400879.java
  - JDK-8176837: SunPKCS11 provider needs to check more details on PKCS11 Mechanism
  - JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black
  - JDK-8177536: Avoid Apple Peer-to-Peer interfaces in networking tests
  - JDK-8182036: Load from initializing arraycopy uses wrong memory state
  - JDK-8183369: RFC unconformity of HttpURLConnection with proxy
  - JDK-8183543: Aarch64: C2 compilation often fails with "failed spill-split-recycle sanity check"
  - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll
  - JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar
  - JDK-8190482: InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride
  - JDK-8190793: Httpserver does not detect truncated request body
  - JDK-8196572: Tests ColConvCCMTest.java and MTColConvTest.java fail
  - JDK-8202788: Explicitly reclaim cached thread-local direct buffers at thread exit
  - JDK-8210058: Algorithmic Italic font leans opposite angle in Printing
  - JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs
  - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021
  - JDK-8225083: Remove Google certificate that is expiring in December 2021
  - JDK-8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread
  - JDK-8231254: (fs) Add test for macOS Catalina changes to protect system software
  - JDK-8231438: [macOS] Dark mode for the desktop is not supported
  - JDK-8232178: MacVolumesTest failed after upgrade to MacOS Catalina
  - JDK-8232226: [macos 10.15] test/jdk/java/awt/color/EqualityTest/EqualityTest.java may fail
  - JDK-8235153: [TESTBUG] [macos 10.15] java/awt/Graphics/DrawImageBG/SystemBgColorTest.java fails
  - JDK-8236897: Fix the copyright header for pkcs11gcm2.h
  - JDK-8237499: JFR: Include stack trace in the ThreadStart event
  - JDK-8239886: Minimal VM build fails after JDK-8237499
  - JDK-8261397: Try Catch Method Failing to Work When Dividing An Integer By 0
  - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
  - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions
  - JDK-8273308: PatternMatchTest.java fails on CI
  - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817
  - JDK-8273826: Correct Manifest file name and NPE checks
  - JDK-8273968: JCK javax_xml tests fail in CI
  - JDK-8274407: (tz) Update Timezone Data to 2021c
  - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
  - JDK-8274468: TimeZoneTest.java fails with tzdata2021b
  - JDK-8274595: DisableRMIOverHTTPTest failed: connection refused
  - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
  - JDK-8275766: (tz) Update Timezone Data to 2021e
  - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
  - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.22.0.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-3.22.0.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-3.22.0.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-3.22.0.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

9894235c92303ec2fb5c0bff9e72b1efbf6962b40504868df99da884147579fc  icedtea-3.22.0.tar.gz
eb421798334f15dbd07d2ba7570fcae28af891d25626b53ec8d7669bdffb43cf  icedtea-3.22.0.tar.gz.sig
82bffbe2b04ad8b733f7c796ae8d40ece2437adb1d4e614b8391ab44fc7f175b  icedtea-3.22.0.tar.xz
bdc69c5113787b4b5fbbe16c3815191e02668b647773c8812362b397aa910a17  icedtea-3.22.0.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.22.0.sha256
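
An added example, not part of the original announcement: a shell helper that checks a downloaded tarball against the SHA256 value and the key fingerprint listed above. The function names are illustrative, and it assumes `sha256sum`, `awk` and GnuPG >= 2.1 are installed and that the signing key has already been imported.

```shell
#!/bin/sh
# Added example, not from the announcement: check a downloaded tarball
# against the SHA256 value and key fingerprint published above.
# Function names are illustrative (assumed, not project tooling).

# Values copied from the announcement text.
EXPECTED_FPR="5132579DD1540ED23E04C5A0CFDA0F9B35964222"
EXPECTED_SHA256_GZ="9894235c92303ec2fb5c0bff9e72b1efbf6962b40504868df99da884147579fc"

# sha256_matches FILE HEX: succeed only if FILE's SHA256 digest equals HEX.
# An empty HEX or an unreadable FILE is treated as a failure.
sha256_matches() {
    [ -n "$2" ] && [ "$(sha256sum -- "$1" 2>/dev/null | awk '{print $1}')" = "$2" ]
}

# validsig_by FPR: read `gpg --status-fd 1 --verify` output on stdin.
# Succeeds only if a VALIDSIG line ends with the expected primary key
# fingerprint and no bad, expired-key or revoked-key status was reported.
# (The first fingerprint on a VALIDSIG line is the signing key or subkey;
# the last field is the primary key.)
validsig_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && $NF == want { ok = 1 }
        $2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_release TARBALL SIGFILE SHA256: both checks must pass.
verify_release() {
    sha256_matches "$1" "$3" || { echo "checksum mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify -- "$2" "$1" 2>/dev/null \
        | validsig_by "$EXPECTED_FPR" \
        || { echo "no valid signature by $EXPECTED_FPR" >&2; return 1; }
    echo "OK: $1"
}

# Usage:
#   verify_release icedtea-3.22.0.tar.gz icedtea-3.22.0.tar.gz.sig \
#       "$EXPECTED_SHA256_GZ"
```

The download URLs are plain HTTP, so a checksum file fetched from the same server only detects corruption; authenticity comes from the signature check against the pinned fingerprint.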

The following people helped with this release:

* Andrew Hughes (all bug fixes and backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-3.22.0.tar.gz

or:

$ tar x -I xz -f icedtea-3.22.0.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-3.22.0/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
-- 
Andrew :)
Pronouns: he / him or they / them
Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222