[SECURITY] IcedTea 2.6.24 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Fri Nov 6 06:28:36 UTC 2020


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with
the October 2020 security fixes from OpenJDK 7u281.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the distro-pkg-dev at
openjdk.java.net mailing list and patches are always welcome.

Full details of the release can be found below.

What's New?
===========
New in release 2.6.24 (2020-11-05):

* Security fixes
  - JDK-8233624: Enhance JNI linkage
  - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
  - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
  - JDK-8237995, CVE-2020-14782: Enhance certificate processing
  - JDK-8240124: Better VM Interning
  - JDK-8241114, CVE-2020-14792: Better range handling
  - JDK-8242680, CVE-2020-14796: Improved URI Support
  - JDK-8242685, CVE-2020-14797: Better Path Validation
  - JDK-8242695, CVE-2020-14798: Enhanced buffer support
  - JDK-8243302: Advanced class supports
  - JDK-8244136, CVE-2020-14803: Improved Buffer supports
  - JDK-8244479: Further constrain certificates
  - JDK-8244955: Additional Fix for JDK-8240124
  - JDK-8245407: Enhance zoning of times
  - JDK-8245412: Better class definitions
  - JDK-8245417: Improve certificate chain handling
  - JDK-8248574: Improve jpeg processing
  - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
  - JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 7 u281 build 1
  - JDK-8145096: Undefined behaviour in HotSpot
  - JDK-8215265: C2: range check elimination may allow illegal out of bound access
* Backports
  - JDK-8250861, PR3812: Crash in MinINode::Ideal(PhaseGVN*, bool)

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.24.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.6.24.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-2.6.24.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.6.24.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

80453f0e4c6b778970806459ebba007d64feb15a865e9a2ddbda4adb5466b148  icedtea-2.6.24.tar.gz
818e3edbfe42fddc7e76ba2aa757af48be04e521383c3c0db12f30624e3f7983  icedtea-2.6.24.tar.gz.sig
eb3ecbfca6649dd8e59f6d8da76e8d1a484165629d45fd5a071d64f90523899a  icedtea-2.6.24.tar.xz
9f3144996ae6c817ce4de4267226b96c998e24319511b3b4373c781153405721  icedtea-2.6.24.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.24.sha256

The following people helped with these releases:

* Andrew Hughes (all backports & bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.24.tar.gz

or:

$ tar x -I xz -f icedtea-2.6.24.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.24/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
-- 
Andrew :)

Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
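
Added example (not part of the original announcement and not IcedTea project code): a POSIX shell check that ties a downloaded tarball to both the SHA256 value and the signing-key fingerprint published in the message above. The function names are hypothetical, and it assumes the key has already been imported into the local GnuPG (>= 2.1) keyring and that `sha256sum` is installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Pinned values are copied
# from the announcement (fingerprint with the spaces removed).
EXPECTED_FPR="5132579DD1540ED23E04C5A0CFDA0F9B35964222"
EXPECTED_SHA256_XZ="eb3ecbfca6649dd8e59f6d8da76e8d1a484165629d45fd5a071d64f90523899a"

# sha256_matches FILE HEX: succeed only if FILE exists and hashes to HEX.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# signer_is_pinned STATUS_FILE FPR: succeed only if gpg's machine-readable
# status has a VALIDSIG line whose last field (the primary-key fingerprint)
# equals FPR, and no bad/expired/revoked marker. GOODSIG alone is not
# accepted: it only says that some key in the keyring made the signature.
signer_is_pinned() {
    awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($NF "") == (want "") { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }' "$1"
}

# verify_release TARBALL SIG HEX: checksum first, then the detached signature.
verify_release() {
    sha256_matches "$1" "$3" || { echo "checksum mismatch: $1" >&2; return 1; }
    status=$(mktemp) || return 1
    gpg --batch --status-fd 3 --verify "$2" "$1" 3>"$status" 2>/dev/null
    rc=$?
    signer_is_pinned "$status" "$EXPECTED_FPR" || rc=1
    rm -f "$status"
    [ "$rc" -eq 0 ] || echo "signature not made by pinned key: $2" >&2
    return "$rc"
}

# Usage: sh verify.sh icedtea-2.6.24.tar.xz icedtea-2.6.24.tar.xz.sig
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" "$EXPECTED_SHA256_XZ"
fi
```

The checksum and the signature answer different questions: the SHA256 value only matches the file to this message, while the pinned fingerprint check ties it to the signing key.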