From gnu_andrew at member.fsf.org Fri Feb 2 18:17:46 2024
From: gnu_andrew at member.fsf.org (Andrew Hughes)
Date: Fri, 2 Feb 2024 18:17:46 +0000
Subject: [SECURITY] IcedTea 3.30.0 for OpenJDK 8 Released!
Message-ID:

We are pleased to announce the release of IcedTea 3.30.0!

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 8 support with the January 2024
security fixes from OpenJDK 8u402.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.org mailing list and patches are always
welcome.

Full details of the release can be found below.

What's New?
===========
New in release 3.30.0 (2024-02-02):

* CVEs
  - CVE-2024-20918
  - CVE-2024-20919
  - CVE-2024-20921
  - CVE-2024-20926
  - CVE-2024-20945
  - CVE-2024-20952
* Security fixes
  - JDK-8308204: Enhanced certificate processing
  - JDK-8314284: Enhance Nashorn performance
  - JDK-8314295: Enhance verification of verifier
  - JDK-8314307: Improve loop handling
  - JDK-8314468: Improve Compiler loops
  - JDK-8316976: Improve signature handling
  - JDK-8317547: Enhance TLS connection support
* Import of OpenJDK 8 u402 build 06
  - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion
  - JDK-8029995: accept yes/no for boolean krb5.conf settings
  - JDK-8159156: [TESTBUG] ReserveMemory test is not useful on Aix.
  - JDK-8176509: Use pandoc for converting build readme to html
  - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value
  - JDK-8207404: MulticastSocket tests failing on AIX
  - JDK-8212677: X11 default visual support for IM status window on VNC
  - JDK-8239365: ProcessBuilder test modifications for AIX execution
  - JDK-8271838: AmazonCA.java interop test fails
  - JDK-8285398: Cache the results of constraint checks
  - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null
  - JDK-8302017: Allocate BadPaddingException only if it will be thrown
  - JDK-8305329: [8u] Unify test libraries into single test library - step 1
  - JDK-8307837: [8u] Check step in GHA should also print errors
  - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails
  - JDK-8311813: C1: Uninitialized PhiResolver::_loop field
  - JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
  - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException
  - JDK-8315280: Bump update version of OpenJDK: 8u402
  - JDK-8315506: C99 compatibility issue in LinuxNativeDispatcher
  - JDK-8317291: Missing null check for nmethod::is_native_method()
  - JDK-8317373: Add Telia Root CA v2
  - JDK-8317374: Add Let's Encrypt ISRG Root X2
  - JDK-8318759: Add four DigiCert root certificates
  - JDK-8319187: Add three eMudhra emSign roots
  - JDK-8319405: [s390] [jdk8] Increase javac default stack size for s390x zero
  - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly
* Bug fixes
  - JDK-8324184: Windows VS2010 build failed with "error C2275: 'int64_t'"

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.30.0.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-3.30.0.tar.xz

We provide both gzip and
xz tarballs, so that those who are able to make use of the smaller
tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-3.30.0.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-3.30.0.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

e20dfecb64b36d724ecb42bc78d93fb99f9038e11dcca58725c8466d7068e680  icedtea-3.30.0.tar.gz
fc532d4ca3c6648f89ff15fde9e099240cf969906580d7d20d80135db71b3d6f  icedtea-3.30.0.tar.gz.sig
600beb80f1c5a6dc6c6a8ed88a068a2c6d3777e225f6c97fcb812b9a35094940  icedtea-3.30.0.tar.xz
547d2823c16acfaa8e552dd05502b34b74948d2663fd4cbda4ae37b9fa58220b  icedtea-3.30.0.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.30.0.sha256

The following people helped with this release:

* Andrew Hughes (all bug fixes and backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-3.30.0.tar.gz

or:

$ tar x -I xz -f icedtea-3.30.0.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-3.30.0/configure
$ make

Full build requirements and instructions are available in the INSTALL
file.

Happy hacking!
-- 
Andrew :)
Pronouns: he / him or they / them
Principal Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
Please contact via e-mail, not proprietary chat networks
Available on Libera Chat & OFTC IRC networks as gnu_andrew
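
Added example, not part of the original announcement: one way to check a downloaded tarball against the SHA256 value and the key fingerprint quoted in the message before running the build steps. The function names are illustrative, and it assumes coreutils `sha256sum`, GnuPG 2.1 or later, the signing key already imported into the local keyring, and the `.sig` file sitting next to the tarball.

```shell
#!/bin/sh
# Added example. The constants are copied from the announcement above.
PINNED_FPR=5132579DD1540ED23E04C5A0CFDA0F9B35964222
SUM_GZ=e20dfecb64b36d724ecb42bc78d93fb99f9038e11dcca58725c8466d7068e680
SUM_XZ=600beb80f1c5a6dc6c6a8ed88a068a2c6d3777e225f6c97fcb812b9a35094940

# sha256_matches FILE HEX: succeed only if FILE hashes to HEX.
sha256_matches() {
    actual=$(sha256sum < "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$2" ]
}

# signer_is_pinned FPR: read `gpg --status-fd` lines on stdin. Succeed only if
# there is a GOODSIG line (gpg reports signatures from expired or revoked keys
# as EXPKEYSIG / REVKEYSIG instead) and a VALIDSIG line whose signing-key or
# primary-key fingerprint equals FPR.
signer_is_pinned() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
        END { exit !(good && pinned) }'
}

# verify_release TARBALL HEX: checksum first, then the detached signature.
verify_release() {
    sha256_matches "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | signer_is_pinned "$PINNED_FPR" \
        || { echo "no good signature from pinned key: $1" >&2; return 1; }
    echo "verified: $1"
}

# Usage: sh verify.sh icedtea-3.30.0.tar.xz   (does nothing without an argument)
case "${1:-}" in
    *.tar.gz) verify_release "$1" "$SUM_GZ" ;;
    *.tar.xz) verify_release "$1" "$SUM_XZ" ;;
esac
```

The download links in the announcement are plain http, so the checksum only shows that the file matches what the message lists; the signature check against the full fingerprint is what ties the tarball to the release key. Comparing the 40-character fingerprint rather than the short key ID avoids accepting a different key with a colliding ID.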