[SECURITY] IcedTea 3.6.0 for OpenJDK 8 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Thu Nov 2 06:07:13 UTC 2017

We are pleased to announce the release of IcedTea 3.6.0!

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 8 support with the October 2017 security
fixes from OpenJDK 8 u151.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are
always welcome.

Full details of the release can be found below.

What’s New?
New in release 3.6.0 (2017-10-31):

* Security fixes
  - S8165543: Better window framing
  - S8169026, CVE-2017-10274: Handle smartcard clean up better
  - S8169966: Larger AWT menus
  - S8170218: Improved Font Metrics
  - S8171252: Improve exception checking
  - S8171261: Stability fixes for lcms
  - S8174109, CVE-2017-10281: Better queuing priorities
  - S8174966, CVE-2017-10285: Unreferenced references
  - S8175940: More certificate subject checking
  - S8176751, CVE-2017-10295: Better URL connections
  - S8178794, CVE-2017-10388: Correct Kerberos ticket grants
  - S8180024: Improve construction of objects during deserialization
  - S8180711, CVE-2017-10346: Better invokespecial checks
  - S8181100, CVE-2017-10350: Better Base Exceptions
  - S8181323, CVE-2017-10347: Better timezone processing
  - S8181327, CVE-2017-10349: Better X processing
  - S8181370, CVE-2017-10345: Better keystore handling
  - S8181432, CVE-2017-10348: Better processing of unresolved permissions
  - S8181597, CVE-2017-10357: Process Proxy presentation
  - S8181612, CVE-2017-10355: More stable connection processing
  - S8181692, CVE-2017-10356: Update storage implementations
  - S8183028, CVE-2016-10165: Improve CMS header processing
  - S8184682, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843: Upgrade compression library
* New features
  - PR3469: Alternative path to tzdb.dat
  - PR3483: Separate addition of nss.cfg and tz.properties into separate targets
  - PR3484: Move SystemTap support to its own target
  - PR3485: Support additional targets for the bootstrap build
* Import of OpenJDK 8 u151 build 12
  - S8029659: Keytool, print key algorithm of certificate or key entry
  - S8057810: New defaults for DSA keys in jarsigner and keytool
  - S8075484, PR3473, RH1490713: SocketInputStream.socketRead0 can hang even with soTimeout set
  - S8077670: sun/security/krb5/auto/MaxRetries.java may fail with BindException
  - S8087144: sun/security/krb5/auto/MaxRetries.java fails with Retry count is -1 less
  - S8153146: sun/security/krb5/auto/MaxRetries.java failed with timeout
  - S8157561: Ship the unlimited policy files in JDK Updates
  - S8158517: Minor optimizations to ISO10126PADDING
  - S8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
  - S8177569: keytool should not warn if signature algorithm used in cacerts is weak
  - S8177837: need to upgrade install tools
  - S8178714: PKIX validator nameConstraints check failing after change 8175940
  - S8179423: 2 security tests started failing for JDK 1.6.0 u161 b05
  - S8179564: Missing @bug for tests added with JDK-8165367
  - S8181048: Refactor existing providers to refer to the same constants for default values for key length
  - S8182879: Add warnings to keytool when using JKS and JCEKS
  - S8184937: LCMS error 13: Couldn't link the profiles
  - S8185039: Incorrect GPL header causes RE script to miss swap to commercial header for licensee source bundle
  - S8185040: Incorrect GPL header causes RE script to miss swap to commercial header for licensee source bundle
  - S8185778: 8u151 L10n resource file update
  - S8185845: Add SecurityTools.java test library
  - S8186503: sun/security/tools/jarsigner/DefaultSigalg.java failed after backport to JDK 6/7/8
  - S8186533: 8u151 L10n resource file update md20
  - S8186674: Remove JDK-8174109 from CPU Aug 21 week builds
* Backports
  - S8035496, PR3487: G1 ARM: missing remset entry noticed by VerifyAfterGC for vm/gc/concurrent/lp50yp10rp70mr30st0
  - S8146086, PR3439, RH1478402: Publishing two webservices on same port fails with "java.net.BindException: Address already in use"
  - S8184673, PR3475, RH1487266: Fix compatibility issue in AlgorithmChecker for 3rd party JCE providers
  - S8185164, PR3438: GetOwnedMonitorInfo() returns incorrect owned monitor
  - S8187822, PR3478, RH1494230: C2 conditonal move optimization might create broken graph
* Bug fixes
  - PR3479, RH1486025: ECC and NSS JVM crash
  - PR3486: Path to jvm.cfg is wrong in add-systemtap-boot
  - S8165852, PR3468: (fs) Mount point not found for a file which is present in overlayfs
  - S8188030, PR3459, RH1484079: AWT java apps fail to start when some minimal fonts are present
* PPC port
  - S8145913, PR3466, RH1498309: PPC64: add Montgomery multiply intrinsic
  - S8168318, PR3466, RH1498320: PPC64: Use cmpldi instead of li/cmpld
  - S8170328, PR3466, RH1498321: PPC64: Use andis instead of lis/and
  - S8181810, PR3466, RH1498319: PPC64: Leverage extrdi for bitfield extract
* AArch64 port
  - S8161190, PR3488: AArch64: Fix overflow in immediate cmp instruction
  - S8187224, PR3488: aarch64: some inconsistency between aarch64_ad.m4 and aarch64.ad
* SystemTap
  - PR3467, RH1492139: Hotspot object_alloc tapset uses HeapWordSize incorrectly
* Shenandoah
  - Add missing UseShenandoahGC checks to C2
  - [backport] Add JVMTI notifications to Shenandoah GC pauses.
  - [backport] After Evac verification should run consistently
  - [backport] All definitions should start with Shenandoah*
  - [backport] Allocation latency tracing
  - [backport] Allow allocations in pinned regions
  - [backport] Assorted monitoring support fixes
  - [backport] Avoid Full STW GC on System.gc() + related fixes
  - [backport] BrooksPointer tracing overwhelms -Xlog:gc=trace
  - [backport] Cannot do more than 1000 Full GCs
  - [backport] Cap heap size for TestRegionSizeArgs test
  - [backport] Cleanup "dirty" mentions
  - [backport] Cleanup unused methods and statements + Trivial cleanup: removed unused field, etc.
  - [backport] Common pause marker to capture everything before/after pause
  - [backport] Consistent print_on and tty handling
  - [backport] "continuous" heuristics
  - [backport] Disable biased locking by default
  - [backport] Fix build error: avoid loops with empty bodies
  - [backport] Fix build error: switches over enums should take all enums
  - [backport] Fix build error: verifier liveness should not be implicitly casted to size_t
  - [backport] Fixed assertion failures when printing heap region to trace output
  - [backport] Fixed C calling convention of shenandoah_wb() on Windows
  - [backport] LotsOfCycles test always degrades to Full GC
  - [backport] Made ShenandoahPrinter debug only
  - [backport] Make sure different Verifier levels work
  - [backport] Make sure we have at least one memory pool per memory manager (JMX) + JMX double-counts heap used size
  - [backport] Mark heuristics diagnostic/experimental
  - [backport] Move Verifier "start" message under (gc,start)
  - [backport] On-demand commit as heap resizing strategy
  - [backport] Periodic GC
  - [backport] PhiNode::has_only_data_users() needs to apply to shenandoah barrier only
  - [backport] Pinning humongous regions should be allowed
  - [backport] Reclaimed humongous regions should count towards immediate garbage
  - [backport] Refactor region flags into finite state machine
  - [backport] Refactor ShConcThread dispatch
  - [backport] Refactor ShenandoahFreeSet + Fast-forward over humongous regions to keep "current" non-humongous
  - [backport] Refactor ShenandoahHeapLock
  - [backport] Refactor ShenandoahHeapRegionSet
  - [backport] Region (byte|word) shifts as the replacement for divisions
  - [backport] Rehash -XX:-UseTLAB in tests + Rehash allocation tests
  - [backport] Rename inline guards
  - [backport] Selectable humongous threshold + Humongous top() should be correct for iteration
  - [backport] Shortcut concurrent cycle when enough immediate garbage is reclaimed
  - [backport] Templatize and improve inlining of arraycopy and clone barriers.
  - [backport] TestRegionSampling test
  - [backport] TestSmallHeap test for Shenandoah
  - [backport] Uncommit heap regions after given delay
  - [backport] Underflow in adaptive free_threshold calculation
  - [backport] Unlock more GC-specific tests for Shenandoah
  - [backport] Update counters on slow-path more rarely
  - [backport] Verifier should avoid pushing on stack when walking objects past TAMS
  - [backport] Verifier should walk cset and humongous regions
  - [backport] Verify humongous regions liveness
  - [backport] Verify liveness data
  - Correct way to fix Windows call convention issue
  - Fix build error in release config.
  - Fixed Fixed message logging
  - Handle Java heap initialization and expansion failures
  - Make sure -verbose:gc, PrintGC, PrintGCDetails work consistently
  - Missing barriers on constant oops + acmp rework + cas fix + write barrier on constant oop fix
  - Missing UseShenandoahGC check in LibraryCallKit::inline_multiplyToLen()
  - Missing UseShenandoahGC check to C2
  - OOME in SurrogateLockerThread deadlocks the GC cycle
  - Properly unlock ShenandoahVerify
  - Remove unused memory_for, fixing the build
  - Remove useless code following acmp rework
  - Revert accidental G1 closure rename
  - Test bug: test library and flags in TestHeapAlloc
  - UnlockDiagnosticVMOptions flag is needed for ShenandoahVerify
  - Write barrier pin and expand cleanup

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.6.0.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-3.6.0.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-3.6.0.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-3.6.0.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

74a43c4e027c72bb1c324f8f73af21565404326c9998f534f234ec2a36ca1cdb  icedtea-3.6.0.tar.gz
6050c8e69974a33641b764afdbd91f07725336abd20e7f260e2a0dbf562f8b32  icedtea-3.6.0.tar.gz.sig
d0a0a9ce58b3ed29f2deecef8b78f28a79315f4a6330ee833410f79cbf48417e  icedtea-3.6.0.tar.xz
2de4119e3e59cf7acbb1f9c93a5760397c846116067d3c45504bd3ff6297f9a8  icedtea-3.6.0.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-3.6.0.sha256

The following people helped with these releases:

* Martin Balao (PR3479/RH1486025)
* Severin Gehwolf (PR3467/RH1492139)
* Andrew Hughes (all other bug fixes and backports, release management)
* Fridrich Strba (PR3468/S8165852, PR3469)
* Mario Torre (PR3459/S8188030/RH1484079)
* Felix Yang (PR3488/S8187224)
* Yang Zhang (PR3488/S8161190)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-3.6.0.tar.gz


$ tar x -I xz -f icedtea-3.6.0.tar.xz


$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-3.6.0/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: Digital signature
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20171102/00e162ba/signature.asc>

More information about the distro-pkg-dev mailing list