From gnu_andrew at member.fsf.org Sun Feb 1 12:15:34 2026 From: gnu_andrew at member.fsf.org (Andrew Hughes) Date: Sun, 1 Feb 2026 12:15:34 +0000 Subject: [SECURITY] IcedTea 3.38.0 for OpenJDK 8 Released! Message-ID: We are pleased to announce the release of IcedTea 3.38.0! The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK. This release updates our OpenJDK 8 support with the January 2026 security fixes from OpenJDK 8u482. If you find an issue with the release, please report it to our bug database (https://github.com/icedtea-git/icedtea/issues) under the appropriate component. Development discussion takes place on the distro-pkg-dev at openjdk.org mailing list and patches are always welcome. Full details of the release can be found below. What's New? =========== New in release 3.38.0 (2026-02-01): * CVEs - CVE-2026-21925 - CVE-2026-21932 - CVE-2026-21933 - CVE-2026-21945 * Import of OpenJDK 8 u482 build 08 - JDK-8154043: Fields not reachable anymore by tab-key, because of new tabbing behaviour of radio button groups. - JDK-8182577: Exception when Tab key moves focus to a JCheckbox with a custom ButtonModel - JDK-8193017: Import freetype sources into OpenJDK source tree - JDK-8211804: Constant AO_UNUSED_MBZ uses left shift of negative value - JDK-8212155: Race condition when posting dynamic_code_generated event leads to JVM crash - JDK-8212678: Windows IME related patch - JDK-8219006: AArch64: Register corruption in slow subtype check - JDK-8222362: Upgrade to Freetype 2.10.0 - JDK-8227324: Upgrade to freetype 2.10.1 - JDK-8247867: Upgrade to freetype 2.10.2 - JDK-8258805: Japanese characters not entered by mouse click on Windows 10 - JDK-8261170: Upgrade to FreeType 2.10.4 - JDK-8265429: Improve GCM encryption - JDK-8269668: [aarch64] java.library.path not including /usr/lib64 - JDK-8285686: Update FreeType to 2.12.0 - JDK-8290334: Update FreeType to 2.12.1 - JDK-8293672: Update freetype md file - JDK-8297088: Update LCMS to 2.14 - JDK-8298974: Add ftcolor.c to imported freetype sources - JDK-8305072: Win32ShellFolder2.compareTo is inconsistent - JDK-8306881: Update FreeType to 2.13.0 - JDK-8316028: Update FreeType to 2.13.2 - JDK-8316030: Update Libpng to 1.6.40 - JDK-8317970: Bump target macosx-x64 version to 11.00.00 - JDK-8329004: Update Libpng to 1.6.43 - JDK-8339280: jarsigner -verify performs cross-checking between CEN and LOC - JDK-8341496: Improve JMX connections - JDK-8345358: Some DLL Files are missing Windows Properties - JDK-8348596: Update FreeType to 2.13.3 - JDK-8348598: Update Libpng to 1.6.47 - JDK-8353299: VerifyJarEntryName.java test fails - JDK-8359501: Enhance Handling of URIs - JDK-8362208: [8u] Buffer overflow in g1GCPhaseTimes.cpp::LineBuffer::_buffer - JDK-8362308: Enhance Bitmap operations - JDK-8362632: Improve HttpServer Request handling - JDK-8364214: Enhance polygon data support - JDK-8364597: Replace THL A29 Limited with Tencent - JDK-8364660: ClassVerifier::ends_in_athrow() should be removed - JDK-8365058: Enhance CopyOnWriteArraySet - JDK-8365271: Improve Swing supports - JDK-8366574: Bump update version of OpenJDK: 8u482 - JDK-8367115: [8u] Problem list CAInterop.java#actalisauthenticationrootca test - JDK-8367257: [8u] Problem list CAInterop.java#entrustrootcag4 test - JDK-8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName - JDK-8368032: Enhance Certificate Checking - JDK-8371334: [8u] GHA: installation of VS2010 hangs - JDK-8371352: [8u] Fix VS2010 build issue in check_code.c - JDK-8371387: [8u] hotspot needs to recognise latest VS2022 - JDK-8372534: Update Libpng to 1.6.51 * Backports - JDK-8376272: [8u] Windows x86-32 fails to build after JDK-8359501 - JDK-8376352: [8u] Build failure on Windows 32-bit after JDK-8362308 * AArch32 port - JDK-8374556: [aarch32] JDK hangs on startup after 8354941 The tarballs can be downloaded from: * http://icedtea.classpath.org/download/source/icedtea-3.38.0.tar.gz * http://icedtea.classpath.org/download/source/icedtea-3.38.0.tar.xz We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so. The tarballs are accompanied by digital signatures available at: * http://icedtea.classpath.org/download/source/icedtea-3.38.0.tar.gz.sig * http://icedtea.classpath.org/download/source/icedtea-3.38.0.tar.xz.sig These are produced using my public key. See details below. PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222 https://keybase.io/gnu_andrew GnuPG >= 2.1 is required to be able to handle this key. SHA256 checksums: c6c5f0954504142effc32fe86eb92e27347a01f1acfa4029fde156f152b8da7f icedtea-3.38.0.tar.gz 06a444bc3e4cd9a6666949cf092c3e81b500787661d3ef491ef2b95f630b0666 icedtea-3.38.0.tar.gz.sig 83c38767fb0ef319414b35aa9c426782b546a05989838fd0e9f0245d738cf496 icedtea-3.38.0.tar.xz 1ea0d6006b6e8e24a73949aba977f5c6d45da1a655454ea11f3db008514de1aa icedtea-3.38.0.tar.xz.sig SHA512 checksums: 14e110bf26908fdbdb513dbefbc6278d4cc4969c399c33e2de85a1b81f5d28656621a17192b21a53669daf6656b940de306341f029073b8a144139b6760f2dda icedtea-3.38.0.tar.gz b80c675daf59c749dc98426ad6aaedb2db1f5f6f72c32b4a93b8d19709b247962c97f255f037f4099e4aa62a0da2121fb021308a81114b7784a9ad5faa8607a4 icedtea-3.38.0.tar.gz.sig 132846dc28d8d15d58df4730b79aa8b4932ef5be74a2fb08c85fba5de6ebae6818b1f102b7101fd8ded8870e07366f53cac668ad6a41fa7e8387fb61327c60a7 icedtea-3.38.0.tar.xz 3565398e75482149f50e96c0327e30df2cc024391fb46399651dfdb793660137bd526c3ddd8855a7ee6eceffb5357b948dbde111eeaa6a2a2712b56c4f9ae37a icedtea-3.38.0.tar.xz.sig The checksums can be downloaded from: * http://icedtea.classpath.org/download/source/icedtea-3.38.0.sha256 * http://icedtea.classpath.org/download/source/icedtea-3.38.0.sha512 The following people helped with this release: * Andrew Hughes (all bug fixes and backports, release management) We would also like to thank the bug reporters and testers! To get started: $ tar xzf icedtea-3.38.0.tar.gz or: $ tar x -I xz -f icedtea-3.38.0.tar.xz then: $ mkdir icedtea-build $ cd icedtea-build $ ../icedtea-3.38.0/configure $ make Full build requirements and instructions are available in the INSTALL file. Happy hacking, -- Andrew :) Pronouns: he / him or they / them PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222 Please contact via e-mail, not proprietary chat networks -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: not available URL: