[SECURITY] IcedTea 3.37.0 for OpenJDK 8 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Mon Nov 3 13:33:27 UTC 2025 

We are pleased to announce the release of IcedTea 3.37.0!

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 8 support with the October 2025
security fixes from OpenJDK 8u472.

If you find an issue with the release, please report it to our bug
database (https://github.com/icedtea-git/icedtea/issues) under the
appropriate component. Development discussion takes place on the
distro-pkg-dev at openjdk.org mailing list and patches are always
welcome.

Full details of the release can be found below.

What's New?
===========
New in release 3.37.0 (2025-11-02):

* CVEs
  - CVE-2025-53057
  - CVE-2025-53066
* Import of OpenJDK 8 u472 build 08
  - JDK-7102969: currency.properties supercede not working correctly
  - JDK-8041924: [TESTBUG] sun/net/www/http/ChunkedOutputStream/checkError.java fails on some systems
  - JDK-8044051: Test jdk/lambda/vm/InterfaceAccessFlagsTest.java gets IOException during compilation
  - JDK-8056283: @ignore tools/javac/defaultMethods/Assertions.java until JDK-8047675 is fixed
  - JDK-8081734: ConcurrentHashMap/ConcurrentAssociateTest.java, times out 90% of time on sparc with 256 cpu.
  - JDK-8157138: Error while fetching currency instance by Currency.getInstance(currencycode)
  - JDK-8160767: [TEST_BUG] java/awt/Frame/MaximizedToIconified/MaximizedToIconified.java
  - JDK-8185348: Major performance regression in GetMethodDeclaringClass and other JVMTI Method functions
  - JDK-8185500: [TESTBUG] Add keywords headful/printer in java/awt and javax tests.
  - JDK-8186259: IOExceptionIfEncodedURLTest.sh versus IOExceptionIfEncodedURLTest.java
  - JDK-8205653: test/jdk/sun/management/jmxremote/bootstrap/RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with handshake_failure
  - JDK-8228658: test GetTotalSafepointTime.java fails on fast Linux machines with Total safepoint time 0 ms
  - JDK-8275303: sun/java2d/pipe/InterpolationQualityTest.java fails with D3D basic render driver
  - JDK-8312065: Socket.connect does not timeout when profiling
  - JDK-8335978: [8u] incorrect include file name in semaphore.inline.hpp
  - JDK-8339414: Fix JDK-8202369 incorrect backport for 8u
  - JDK-8340387: Update OS detection code to recognize Windows Server 2025
  - JDK-8345414: Google CAInterop test failures
  - JDK-8348760: RadioButton is not shown if JRadioButtonMenuItem is rendered with ImageIcon in WindowsLookAndFeel
  - JDK-8351624: [8u] Xerces-J version wrong in THIRD_PARTY_README after JDK-7150324
  - JDK-8352302: Test sun/security/tools/jarsigner/TimestampCheck.java is failing
  - JDK-8352637: Enhance bytecode verification
  - JDK-8356294: Enhance Path Factories
  - JDK-8358328: Bump update version of OpenJDK: 8u472
  - JDK-8358538: Update GHA Windows runner to 2025
  - JDK-8360937: Enhance certificate handling
  - JDK-8361212: Remove AffirmTrust root CAs
  - JDK-8363965: GHA: Switch cross-compiling sysroots to Debian bookworm
  - JDK-8365375: Method SU3.setAcceleratorSelectionForeground assigns to acceleratorForeground
  - JDK-8365389: Remove static color fields from SwingUtilities3 and WindowsMenuItemUI
  - JDK-8365560: [8u] ppc64le MaxRAM default is too low at 4GiB
  - JDK-8365811: test/jdk/java/net/CookieHandler/B6644726.java failure - "Should have 5 cookies. Got only 4, expires probably didn't parse correctly"
  - JDK-8366112: [8u] GHA: Fix broken installation of Windows SDK
  - JDK-8368308: ISO 4217 Amendment 180 Update
* Backports
  - JDK-8354941, GH028: Build failure with glibc 2.42 due to uabs() name collision
* Bug fixes
  - GH030: Remove java/util/TimeZone/CheckDisplayNames.java

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.37.0.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-3.37.0.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-3.37.0.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-3.37.0.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

ba670bc54757582788004602cd0e113b496310e53bfe84ee0f4ab4f058faebd2  icedtea-3.37.0.tar.gz
b3c000293ae538345df8a042cc6207684cec771d8f40698d43f4e441c498e553  icedtea-3.37.0.tar.gz.sig
e51e2f4914f459dec6e78f753edf8abb671d8b71466842f7efca94b220da8000  icedtea-3.37.0.tar.xz
889534617dede4861e9c9ecf8baaa02479c304e2fd814c4b11f81b22f0584b0d  icedtea-3.37.0.tar.xz.sig

SHA512 checksums:

566af18cb4c3d25925a99ece36f96d904c8c875d906a3cdc9f59239dfa318efbef6904abe5df7b7648b7bdaf07aea884f6885927ffb4da99bc7ad4fe1332295d  icedtea-3.37.0.tar.gz
9fdba7f0fab533cb6e58afa708e1f10751169578b4005061633921d245f263c880ecb095fa0ec3c27bebe85a23d427b9bee11c7da59da55b821a5f50e5c46883  icedtea-3.37.0.tar.gz.sig
196d4bd0a56d8788033ac629baf370dcd5624363b4bdf6640887514660410b57a9e5b48202954d2d9046951004e15ef98bc321024b4453ec9d742ab9e0813b87  icedtea-3.37.0.tar.xz
22d7a190c23417b4a200f491d45169da7670dac885344817d2d8365480cf55780f3d7c810146cefe7dd0d81cd3edcbb7298e24c72f30a30fe2347ee28714205d  icedtea-3.37.0.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.37.0.sha256
* http://icedtea.classpath.org/download/source/icedtea-3.37.0.sha512

The following people helped with this release:

* Andrew Hughes (all bug fixes and backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-3.37.0.tar.gz

or:

$ tar x -I xz -f icedtea-3.37.0.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-3.37.0/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking,
-- 
Andrew :)
Pronouns: he / him or they / them

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

Please contact via e-mail, not proprietary chat networks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/distro-pkg-dev/attachments/20251103/856bf43c/signature-0001.asc>

More information about the distro-pkg-dev mailing list