From gnu_andrew at member.fsf.org  Sun Sep  7 15:17:11 2025
From: gnu_andrew at member.fsf.org (Andrew Hughes)
Date: Sun, 7 Sep 2025 16:17:11 +0100
Subject: [SECURITY] IcedTea 3.36.0 for OpenJDK 8 Released!
Message-ID:

We are pleased to announce the release of IcedTea 3.36.0!

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 8 support with the July 2025 security
fixes from OpenJDK 8u462.

If you find an issue with the release, please report it to our bug
database (https://github.com/icedtea-git/icedtea/issues) under the
appropriate component. Development discussion takes place on the
distro-pkg-dev at openjdk.org mailing list and patches are always
welcome.

Full details of the release can be found below.

What's New?
===========
New in release 3.36.0 (2025-09-07):

* CVEs
  - CVE-2025-30749
  - CVE-2025-30754
  - CVE-2025-30761
  - CVE-2025-50106
* Import of OpenJDK 8 u462 build 08
  - JDK-8026976: ECParameters, Point does not match field size
  - JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed
  - JDK-8046883: com/sun/jdi/ProcessAttachTest.sh gets "java.io.IOException: Invalid process identifier" on windows
  - JDK-8071996: split_if accesses NULL region of ConstraintCast
  - JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java
  - JDK-8186143: keytool -ext option doesn't accept wildcards for DNS subject alternative names
  - JDK-8186787: clang-4.0 SIGSEGV in Unsafe_PutByte
  - JDK-8240235: jdk.test.lib.util.JarUtils updates jar files incorrectly
  - JDK-8248001: javadoc generates invalid HTML pages whose ftp:// links are broken
  - JDK-8274597: Some of the dnd tests time out and fail intermittently
  - JDK-8274606: Fix
    jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test
  - JDK-8278472: Invalid value set to CANDIDATEFORM structure
  - JDK-8293107: GHA: Bump to Ubuntu 22.04
  - JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts
  - JDK-8303770: Remove Baltimore root certificate expiring in May 2025
  - JDK-8309841: Jarsigner should print a warning if an entry is removed
  - JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract
  - JDK-8341946: [8u] sun/security/pkcs11/ec/ tests fail on RHEL9
  - JDK-8345133: Test sun/security/tools/jarsigner/TsacertOptionTest.java failed: Warning found in stdout
  - JDK-8345625: Better HTTP connections
  - JDK-8346887: DrawFocusRect() may cause an assertion failure
  - JDK-8348989: Better Glyph drawing
  - JDK-8349111: Enhance Swing supports
  - JDK-8349594: Enhance TLS protocol support
  - JDK-8350498: Remove two Camerfirma root CA certificates
  - JDK-8351098: Bump update version of OpenJDK: 8u462
  - JDK-8351422: Improve scripting supports
  - JDK-8351439: [8u] test/java/util/TimeZone/tools/share/Makefile use wrong path to tzdb
  - JDK-8352716: (tz) Update Timezone Data to 2025b
  - JDK-8353433: XCG currency code not recognized in JDK 8u
  - JDK-8356096: ISO 4217 Amendment 179 Update
  - JDK-8359170: Add 2 TLS and 2 CS Sectigo roots
  - JDK-8360147: Better Glyph drawing redux
* Backports
  - JDK-8358538: Update GHA Windows runner to 2025

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.36.0.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-3.36.0.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-3.36.0.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-3.36.0.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew

GnuPG >= 2.1 is required to be able to handle this key.

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.36.0.sha256
* http://icedtea.classpath.org/download/source/icedtea-3.36.0.sha512

The following people helped with this release:

* Andrew Hughes (all bug fixes and backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-3.36.0.tar.gz

or:

$ tar x -I xz -f icedtea-3.36.0.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-3.36.0/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking,
-- 
Andrew :)
Pronouns: he / him or they / them
Red Hat, Inc.
(http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

Please contact via e-mail, not proprietary chat networks
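
The announcement publishes detached signatures, a key fingerprint and checksum files, but shows only the unpack and build commands. As an added example (not part of the original message and not IcedTea's own tooling), these shell functions check a downloaded tarball against the announced fingerprint and a checksum list before it is unpacked. The function names are hypothetical, the checksum file is assumed to be in `sha256sum` format, and the release key is assumed to be in the local GnuPG keyring already.

```shell
#!/bin/sh
# Added example: check an IcedTea release tarball before unpacking it.
# Fingerprint copied from the announcement, spaces removed.
RELEASE_FPR=5132579DD1540ED23E04C5A0CFDA0F9B35964222

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names $1 as the primary-key fingerprint (its last field) and no line
# reports a bad, unverifiable, expired-key or revoked-key signature.
sig_status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { good = 1 }
        END { exit !(good && !bad) }
    '
}

# Reads a checksum list ("<hex digest>  <file name>" per line, the sha256sum
# format, assumed here) on stdin. Succeeds only if file $1 is listed and its
# SHA-256 digest matches the listed one.
sha256_listed_ok() {
    want=$(awk -v f="$(basename "$1")" \
        '$2 == f || $2 == ("*" f) { print tolower($1); exit }')
    [ -n "$want" ] || return 1
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# verify_release TARBALL [CHECKSUM_FILE]
# Assumes TARBALL.sig sits next to TARBALL and that the release key is
# already in the local GnuPG keyring (hypothetical helper, not IcedTea's).
verify_release() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
        sig_status_ok "$RELEASE_FPR" ||
        { echo "signature check failed: $1" >&2; return 1; }
    sha256_listed_ok "$1" < "${2:-icedtea-3.36.0.sha256}" ||
        { echo "checksum check failed: $1" >&2; return 1; }
    echo "verified: $1"
}
```

The download URLs in the announcement are plain HTTP, so the checksum list on its own only detects corruption in transit; the signature check against the pinned fingerprint is what establishes who produced the tarball.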