[SECURITY] IcedTea 3.28.0 for OpenJDK 8 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Sat Jul 29 01:03:32 UTC 2023

We are pleased to announce the release of IcedTea 3.28.0!

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 8 support with the July 2023 security
fixes from OpenJDK 8u382.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the distro-pkg-dev at
openjdk.org mailing list and patches are always welcome.

Full details of the release can be found below.

What's New?
New in release 3.28.0 (2023-07-28):

* CVEs
  - CVE-2023-22045
  - CVE-2023-22049
* Security fixes
  - JDK-8298676: Enhanced Look and Feel
  - JDK-8300596: Enhance Jar Signature validation
  - JDK-8304468: Better array usages
  - JDK-8305312: Enhanced path handling
* Import of OpenJDK 8 u382 build 05
  - JDK-8072678: Wrong exception messages in java.awt.color.ICC_ColorSpace
  - JDK-8151460: Metaspace counters can have inconsistent values
  - JDK-8152432: Implement setting jtreg @requires properties vm.flavor, vm.bits, vm.compMode
  - JDK-8185736: missing default exception handler in calls to rethrow_Stub
  - JDK-8186801: Add regression test to test mapping based charsets (generated at build time)
  - JDK-8215105: java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color
  - JDK-8241311: Move some charset mapping tests from closed to open
  - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
  - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
  - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
  - JDK-8276841: Add support for Visual Studio 2022
  - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode
  - JDK-8278851: Correct signer logic for jars signed with multiple digest algorithms
  - JDK-8282345: handle latest VS2022 in abstract_vm_version
  - JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
  - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
  - JDK-8289301: P11Cipher should not throw out of bounds exception during padding
  - JDK-8293232: Fix race condition in pkcs11 SessionManager
  - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
  - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13
  - JDK-8298108: Add a regression test for JDK-8297684
  - JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows
  - JDK-8301119: Support for GB18030-2022
  - JDK-8301400: Allow additional characters for GB18030-2022 support
  - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message
  - JDK-8303028: Update system property for Java SE specification maintenance version
  - JDK-8303462: Bump update version of OpenJDK: 8u382
  - JDK-8304760: Add 2 Microsoft TLS roots
  - JDK-8305165: [8u] ServiceThread::nmethods_do is not called to keep nmethods from being zombied while in the queue
  - JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support
  - JDK-8305975: Add TWCA Global Root CA
  - JDK-8307134: Add GTS root CAs
  - JDK-8307310: Backport the tests for JDK-8058969 and JDK-8039271 to the OpenJDK8
  - JDK-8307531: [aarch64] JDK8 single-step debugging is extremely slow
  - JDK-8310947: gb18030-2000 not selectable with LANG=zh_CN.GB18030 after JDK-8301119

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.28.0.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-3.28.0.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-3.28.0.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-3.28.0.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

f9396a18d1ef1c9f898034c2ba430de64a331c92a2a4bf21dd4b628643a1b21d  icedtea-3.28.0.tar.gz
c23623652120973fb762977568cfe4b0866f63ca6132e18dc6124a81046f19b1  icedtea-3.28.0.tar.gz.sig
822697a4f0039ec312cc143df40916fc8b68fbfe49c2631186bbba83bd6c5c8d  icedtea-3.28.0.tar.xz
f4c53bc28bff2162c41a26e27213902ab81336b682f6db566152a6e800b37d7a  icedtea-3.28.0.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.28.0.sha256

The following people helped with this release:

* Andrew Hughes (all bug fixes and backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-3.28.0.tar.gz

or:

$ tar x -I xz -f icedtea-3.28.0.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-3.28.0/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
Andrew :)
Pronouns: he / him or they / them
Principal Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

Please contact via e-mail, not proprietary chat networks
Available on Libera Chat & OFTC IRC networks as gnu_andrew
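
The checksum and signature verification described in the announcement above, as an added example that is not part of the original message. The function names are hypothetical; it assumes GNU coreutils `sha256sum` and GnuPG >= 2.1 with the release key already imported into the local keyring.

```shell
#!/usr/bin/env bash
# Added example: verify an IcedTea release tarball before building it.
# The fingerprint is the one published in the announcement.
EXPECTED_FPR="5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222"

# Strip spaces and upper-case so fingerprints compare exactly.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_sha256 FILE EXPECTED_HEX: succeed only on an exact digest match.
# An unreadable file yields an empty digest and therefore fails.
check_sha256() {
    local actual
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# check_sig FILE SIGFILE: succeed only if gpg reports a valid signature
# whose primary key fingerprint is the expected one. A good signature
# from any other key in the keyring is rejected.
check_sig() {
    local out want
    want=$(normalize_fpr "$EXPECTED_FPR")
    out=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # The last field of a VALIDSIG status line is the primary key fingerprint.
    printf '%s\n' "$out" |
        awk -v want="$want" '$2 == "VALIDSIG" && $NF == want { ok = 1 }
                             END { exit !ok }'
}

# verify_release TARBALL SHA256: both checks must pass before building.
verify_release() {
    check_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    check_sig "$1" "$1.sig" || { echo "bad or unexpected signature: $1" >&2; return 1; }
    echo "OK: $1"
}

# Usage, with the tarball and its .sig in the current directory:
# verify_release icedtea-3.28.0.tar.xz \
#   822697a4f0039ec312cc143df40916fc8b68fbfe49c2631186bbba83bd6c5c8d
```

The checksum only shows that the download matches the published list; the signature check pinned to the fingerprint is what ties the tarball to the release key.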