[SECURITY] IcedTea 2.5.5 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Wed Apr 15 02:18:43 UTC 2015


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.5.x series with
the April 2015 security fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are
always welcome.

Full details of the release can be found below.

What’s New?
===========
New in release 2.5.5 (2015-04-14):

* Security fixes
  - S8059064: Better G1 log caching
  - S8060461: Fix for JDK-8042609 uncovers additional issue
  - S8064601, CVE-2015-0480: Improve jar file handling
  - S8065286: Fewer subtable substitutions
  - S8065291: Improved font lookups
  - S8066479: Better certificate chain validation
  - S8067050: Better font consistency checking
  - S8067684: Better font substitutions
  - S8067699, CVE-2015-0469: Better glyph storage
  - S8068320, CVE-2015-0477: Limit applet requests
  - S8068720, CVE-2015-0488: Better certificate options checking
  - S8069198: Upgrade image library
  - S8071726, CVE-2015-0478: Better RSA optimizations
  - S8071818: Better vectorization on SPARC
  - S8071931, CVE-2015-0460: Return of the phantom menace
* Backports
  - S6584008, PR2193, RH1173326: jvmtiStringPrimitiveCallback should not be invoked when string value is null
  - S6956398, PR2250: make ephemeral DH key match the length of the certificate key
  - S7090424: TestGlyphVectorLayout failed automately with java.lang.StackOverflowError
  - S7142035: assert in j.l.instrument agents during shutdown when daemon thread is running
  - S7160837: DigestOutputStream does not turn off digest calculation when "close()" is called
  - S7195480: javax.smartcardio does not detect cards on Mac OS X
  - S8001472: api/java_awt/Window/indexTGF_* tests fail because expected colors aren't equal
  - S8011646: SEGV in compiled code with loop predication
  - S8012637: Adjust CipherInputStream class to work in AEAD/GCM mode
  - S8016545: java.beans.XMLEncoder.writeObject output is wrong
  - S8019324: assert(_f2 == 0 || _f2 == f2) failed: illegal field change
  - S8019623: Lack of synchronization in AppContext.getAppContext()
  - S8021804: Certpath validation fails if validity period of root cert does not include validity period of intermediate cert
  - S8022070: Compilation error in stubGenerator_sparc.cpp with some compilers
  - S8024061: Exception thrown when drag and drop between two components is executed quickly
  - S8028616: Htmleditorkit parser doesn't handle leading slash (/)
  - S8028617: Dvorak keyboard mapping not honored when ctrl key pressed
  - S8029837: NPE seen in XMLDocumentFragmentScannerImpl.setProperty since 7u40b33
  - S8031290: Adjust call to getisax() for additional words returned
  - S8032872: [macosx] Cannot select from JComboBox in a JWindow
  - S8032874: ArrayIndexOutOfBoundsException in JTable while clearing data in JTable
  - S8032878: Editable combos in table do not behave as expected
  - S8033113: wsimport fails on WSDL:header parameter name customization
  - S8033696: "assert(thread != NULL) failed: just checking" due to Thread::current() and JNI pthread interaction
  - S8036022: D3D: rendering with XOR composite causes InternalError.
  - S8036709: Java 7 jarsigner displays warning about cert policy tree
  - S8036819: JAB: mneumonics not read for textboxes
  - S8036983: JAB:Multiselection Ctrl+CursorUp/Down and ActivateDescenderPropertyChanged event
  - S8037477: Reproducible hang of JAWS and webstart application with JAB 2.0.4
  - S8038925: Java with G1 crashes in dump_instance_fields using jmap or jcmd without fullgc
  - S8039050: Crash in C2 compiler at Node::rematerialize
  - S8039298: assert(base == NULL || t_adr->isa_rawptr() || ! phase->type(base)->higher_equal(TypePtr::NULL_PTR))
  - S8039319: (smartcardio) Card.transmitControlCommand() does not work on Mac OS X
  - S8040228: TransformerConfigurationException occurs with security manager, FSP and XSLT Ext
  - S8040790: [TEST_BUG] tools/javac/innerClassFile/Driver.sh fails to cleanup files after it
  - S8041451: com.sun.jndi.ldap.Connection:ReadTimeout should abandon ldap request
  - S8041740: Test sun/security/tools/keytool/ListKeychainStore.sh fails on Mac
  - S8041979: sun/jvmstat/monitor/MonitoredVm/CR6672135.java failing on all platforms
  - S8042059: Various fixes to linux/sparc
  - S8042857: 14 stuck threads waiting for notification on LDAPRequest
  - S8043123: Hard crash with access violation exception when blitting to very large image
  - S8043200: Decrease the preference mode of RC4 in the enabled cipher suite list
  - S8043205: Incorrect system traps.h include path
  - S8043206: Fix signed vs. unsigned comparison warning in copy_sparc.hpp
  - S8043207: Add const to Address argument for Assembler::swap
  - S8043210: Add _BIG_ENDIAN define on linux/sparc
  - S8043507: javax.smartcardio.CardTerminals.list() fails on MacOSX
  - S8044602: Increment minor version of HSx for 7u72 and initialize the build number
  - S8044659: Java SecureRandom on SPARC T4 much slower than on x86/Linux
  - S8046769: Set T family feature bit on Niagara systems
  - S8048080: (smartcardio) javax.smartcardio.Card.openLogicalChannel() dosn't work on MacOSX
  - S8049081: Increment hsx 24.72 build to b02 for 7u72-b03
  - S8049542: C2: assert(size_in_words <= (julong)max_jint) failed: no overflow
  - S8049787: Increment hsx 24.72 build to b03 for 7u72-b04
  - S8050158: Introduce system property to maintain RC4 preference order
  - S8050165: linux-sparcv9: NMT detail causes assert((intptr_t*)younger_sp[FP->sp_offset_in_saved_window()] == (intptr_t*)((intptr_t)sp - STACK_BIAS)) failed: younger_sp must be valid
  - S8050167: linux-sparcv9: hs_err file does not show any stack information
  - S8055714: Increment hsx 24.72 build to b04 for 7u72-b11
  - S8056211: api/java_awt/Event/InputMethodEvent/serial/index.html#Input[serial2002] failure
  - S8060072: Increment minor version of HSx for 7u79 and initialize the build number
  - S8064454: [TEST_BUG] Test tools/javac/innerClassFile/Driver.sh fails for Mac and Linux
  - S8064532: 7u76 build failed with # 8041979
  - S8065072: sun/net/www/http/HttpClient/StreamingRetry.java failed intermittently
  - S8065373: [macosx] jdk8, jdk7u60 Regression in Graphics2D drawing of derived Fonts
  - S8065709: Deadlock in awt/logging apparently introduced by 8019623
  - S8065991: LogManager unecessarily calls JavaAWTAccess from within a critical section
  - S8068405: GenerateCurrencyData throws RuntimeException for old data
  - S8071591: java/util/logging/LogManagerAppContextDeadlock.java test started to fail due to JDK-8065991
  - S8072039: jdk7u79 l10n resource file translation update
  - S8072042: (tz) Support tzdata2015a
  - S8073226: Increment hsx 24.79 build to b02 for 7u79-b10
  - S8074312, PR2254: Enable hotspot builds on 4.x Linux kernels
  - S8074662: Update 3rd party readme and license for LibPNG v 1.6.16
  - S8075211: [TEST_BUG] Test sun/net/www/http/HttpClient/StreamingRetry.java fails with compilation error
* Bug fixes
  - PR2196, RH1164762: jhat man page has broken URL
  - PR2200: Support giflib 5.1.0
  - PR2210: DGifCloseFile call should check the return value, not the error code, for failure
  - PR2225: giflib 5.1 conditional excludes 6.0, 7.0, etc.
  - PR2250: JSSE server is still limited to 768-bit DHE
* ARM32 port
  - PR2228: Add ARM32 JIT
  - PR2297: Use the IcedTea 2.6.0 HotSpot for ARM32 by default
  - Several bug fixes to get Eclipse working
* AArch64 port
  - Add java.lang.ref.Reference.get intrinsic to template interpreter
  - Fix implementation of InterpreterMacroAssembler::increment_mdp_data_at().
  - Remove insanely large stack allocation in entry frame.
  - S6976528: PS: assert(!limit_exceeded || softrefs_clear) failed: Should have been cleared
  - S8020675: invalid jar file in the bootclasspath could lead to jvm fatal error
  - S8020829: NMT tests fail on platforms if NMT detail is not supported
  - S8026303: CMS: JVM intermittently crashes with "FreeList of size 258 violates Conservation Principle" assert
  - S8029775: Solaris code cleanup
  - S8041980: (hotspot) sun/jvmstat/monitor/MonitoredVm/CR6672135.java failing on all platforms
  - S8042235: redefining method used by multiple MethodHandles crashes VM
  - S8044406: JVM crash with JDK8 (build 1.8.0-b132) with G1 GC
  - S8046233: VerifyError on backward branch
  - S8046289: compiler/6340864/TestLongVect.java timeout with
  - S8048170: Test closed/java/text/Normalizer/ConformanceTest.java failed
  - S8050022: linux-sparcv9: assert(SharedSkipVerify || obj->is_oop()) failed: sanity check
  - S8054478: C2: Incorrectly compiled char[] array access crashes JVM
  - S8054530: C2: assert(res == old_res) failed: Inconsistency between old and new
  - S8054883: Segmentation error while running program
  - S8056309: Set minor version for hotspot in 7u76 to 76 and build number to b01
  - S8058583: Remove CompilationRepeat
  - S8058935: CPU detection gives 0 cores per cpu, 2 threads per core in Amazon EC2 environment
  - S8059216: Make PrintGCApplicationStoppedTime print information about stopping threads
  - S8060169: Update the Crash Reporting URL in the Java crash log
  - S8061507: Increment hsx 24.76 build to b02 for 7u76-b05
  - S8061694: Increment hsx 24.76 build to b03 for 7u76-b06
  - S8062229: Test failure of test_loggc_filename in 7u-cpu
  - S8062672: JVM crashes during GC on various asserts which checks that HeapWord ptr is an oop
  - S8064493: Increment the build value to b04 for hs24.76 in 7u76-b08
  - S8064667: Add -XX:+CheckEndorsedAndExtDirs flag to JDK 8
  - S8065618: C2 RA incorrectly removes kill projections
  - S8065765: Missing space in output message from -XX:+CheckEndorsedAndExtDirs
  - S8066045: opto/node.hpp:355, assert(i < _max) failed: oob: i=1, _max=1
  - S8066103: C2's range check smearing allows out of bound array accesses
  - S8066649: 8u backport for 8065618 is incorrect
  - S8066775: opto/node.hpp:355, assert(i < _max) failed: oob: i=1, _max=1
  - S8071947: AARCH64: frame::safe_for_sender() computes incorrect sender_sp value for interpreted frames
  - S8072129: [AARCH64] missing fix for 8066900
  - S8072483: AARCH64: aarch64.ad uses the wrong operand class for some operations

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.5.5.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.5.5.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-2.5.5.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.5.5.tar.xz.sig

These are produced using my public key. See details below.

    PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over
the next year. Signatures made with this key are available at:

    http://icedtea.classpath.org/download/source/icedtea-2.5.5.tar.gz.sig.ec
    http://icedtea.classpath.org/download/source/icedtea-2.5.5.tar.xz.sig.ec

and the new key is:

    PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
    Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

SHA256 checksums:

f05b1db06021f4cd3a39647f358a47130136d189431fb55f79855f627b1d6619  icedtea-2.5.5.tar.gz
4863db17fa8afbbedf8bb4d19d9e520652d859e806b7abf27a86d71c483172f6  icedtea-2.5.5.tar.gz.sig
738dfcdbd59cf9093203934d4efa94281fb2e28cff1c9ec6d9b588ad42bac66f  icedtea-2.5.5.tar.gz.sig.ec
09e7aeb739a468dec8357f4b0757624b6c7ef38065fdf50323d369deac983dc7  icedtea-2.5.5.tar.xz
c47744296d5569a251d2ef8ed891fd91a223adb0ac460db5270583d3fa6d4288  icedtea-2.5.5.tar.xz.sig
61e1c6c89f3fb4623bef5a3375ecebf185d713b5460c6ca1ac87f1328cecb2a9  icedtea-2.5.5.tar.xz.sig.ec

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.5.5.sha256

The following people helped with these releases:

* Andrew Dinn (AArch64 work)
* Andrew Hughes (all other backports & bug fixes, release management)
* Edward Nevill (ARM32 work including PR2228)
* Fridrich Strba (PR2200)
* Jiri Vanek (PR2196)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.5.5.tar.gz

or:

$ tar x -I xz -f icedtea-2.5.5.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.5.5/configure
$ make

Full build requirements and instructions are available in the INSTALL file.
Happy hacking!
-- 
Andrew :)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: Digital signature
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20150415/1b8e4391/signature.asc>


More information about the distro-pkg-dev mailing list