January 2013


We are pleased to announce the release of IcedTea6 1.12.0!

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

This is the first major release in a year (1.11 was released on 2012-01-30). In accordance with the release policy, 1.10 will no longer receive security updates.

If you find an issue with one of these releases, please report it in our bug database under the appropriate component. Development discussion takes place on the OpenJDK distro-pkg-dev mailing list and patches are always welcome.

Full details of each release can be found below.

What’s New?

New in release 1.12.0 (2013-01-29)

  • Import of OpenJDK6 b27 (all changes already in security updates)
  • Import of OpenJDK6 b26
    • S7071826: Avoid benign race condition in initialization of UUID
    • S7123896: Unexpected behavior due to Solaris using separate IPv4 and IPv6 port spaces
    • S7142509: Cipher.doFinal(ByteBuffer,ByteBuffer) fails to process when in.remaining() == 0
    • S7157903: JSSE client sockets are very slow
    • S7174440: JDK6-open build breakage
    • S7175845: JSSE client sockets are very slow
    • S7176477: TEST: Remove testcase test/java/lang/SecurityManager/CheckPackageDefinition.java from jdk6-open
    • S7184700: Backout changes with wrong id for 7157903
    • S7199153: TEST_BUG: try-with-resources syntax pushed to 6-open repo
  • Import of OpenJDK6 b25
    • S6790292: BOOTDIR of jdk6 u12 will not work with jdk7 builds
    • S6967036: Need to fix links with // in Javadoc comments
    • S7007299: FileFontStrike appears not to be threadsafe
    • S7022473: JDK7 still runs /etc/prtconf to find memory size
    • S7058133: Javah should use the freshly built classes instead of those from the BOOTDIR jdk
    • S7107919: Remove hotspot assertion due to Solaris 8 kstat “unimplemented”.
    • S7123519: problems with certification path
    • S7126889: Incorrect SSLEngine debug output
    • S7127104: Build issue with prtconf and zones, also using := to avoid extra execs
    • S7128474: Update source copyright years
    • S7128505: Building on em64t system does not work
    • S7149751: another krb5 test in openjdk6 without test infrastructure
  • Backports
    • S6706974: Add krb5 test infrastructure
    • S6764553: com.sun.org.apache.xml.internal.security.utils.IdResolver is not thread safe
    • S6761072: new krb5 tests fail on multiple platforms
    • S6883983: JarVerifier dependency on sun.security.pkcs should be removed
    • S4465490: Suspicious about double-check locking idiom being used in the code
    • S6763340: memory leak in com.sun.corba.se.* classes
    • S6873605: Missing finishedDispatch() call in ORBImpl causes test failures after 5u20 b04
    • S6980681: CORBA deadlock in Java SE believed to be related to CR 6238477
    • S7162902: Umbrella port of a number of corba bug fixes from JDK 6 to jdk7u/8
    • S6414899: P11Digest should support cloning
    • S4898461: Support for ECB and CBC/PKCS5Padding
    • S6604496: Support for CKM_AES_CTR (counter mode)
    • S6682411: JCK test failed w/ ArrayIndexOutOfBoundException (-1) when decrypting with no data
    • S6682417: JCK test failed w/ ProviderException when decrypted data is not multiple of blocks
    • S6687725: Internal PKCS5Padding impl should throw IllegalBlockSizeException and not BadPaddingException
    • S6812738: SSL stress test with GF leads to 32 bit max process size in less than 5 minutes with PCKS11 provider
    • S6867345: Turkish regional options cause NPE in sun.security.x509.AlgorithmId.algOID
    • S6924489: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_OPERATION_NOT_INITIALIZED
    • S7088989: Improve the performance for T4 by utilizing the newly provided crypto APIs
  • Bug fixes
    • PR902: PulseAudioClip getMicrosecondsLength() returns length in milliseconds, not microseconds
    • PR1050: Stream objects not garbage collected
    • PR1113: Add tapset tests to distribution.
    • PR1117: IcedTea6 prebuilds far too many classes on bootstrap
    • PR1121: Old installs still suffer from GCC PR41686
    • PR1119: Only add classes to rt-source-files.txt if the class (or one or more of its methods/fields) are actually missing from the boot JDK
    • PR1114: Provide option to turn off downloading of tarballs (--disable-downloading)
    • PR1176: Synchronise CACAO rules between IcedTea6/7/8 where possible
    • RH513605, PR1171: Updating/Installing OpenJDK should recreate the shared class-data archive
    • G422525: Apply pax markings before using a freshly built JVM.
    • PR986: IcedTea7 fails to build with IcedTea6 CACAO due to low max heap size
  • CACAO
    • PR1120: Unified version for icedtea6/7
    • CA166, CA167: check-langtools fixes for icedtea6
    • Implemented sun.misc.Perf.highResCounter
    • CACAO now identifies by its own Mercurial revision
    • Some memory barrier maintenance
    • Ability to run when compiled as Thumb on armv5 (no Thumb JIT though)
    • Stop creating pseudo files for OpenJDK (libjsig.so, Xusage.txt)
    • Clang fix for the i386 backend
    • CONTRIBUTE: Reference code submission process wiki instructions.
    • INSTALL.CACAO: Update, so following the instruction actually works.
    • Make doxygen work
    • CA172, PR1266, G453612: ARM hardfloat support
    • src/scripts/java.in: Look for cacao executable in install path, not in PATH.
    • src/vm/jit/alpha/asmpart.S: Fix copyright header.
    • src/vm/jit/alpha/asmpart.S: Properly set up GP in asm_abstractmethoderror
    • Use @abs_top_builddir@ for support scripts
  • JamVM
    • ARMv6 armhf: Changes for Raspbian (Raspberry Pi)
    • PPC: Don’t use lwsync if it isn’t supported
    • X86: Generate machine-dependent stubs for i386
    • When suspending, ignore detached threads that have died; this prevents a user-caused deadlock when an external thread has been attached to the VM via JNI and has exited without detaching
    • Add missing REF_TO_OBJs for references passed from JNI; this enables JamVM to run Qt-Jambi
    • PR1155: Do not put version number in libjvm.so SONAME
  • SystemTap
    • Addition of garbage collection probes

The tarball can be downloaded from:

SHA256 checksums:

  • 4f27f3f42b57836cfb11541736282ccfc22de3f4acc0e540560fcf5512d66ced icedtea6-1.12.0.tar.gz

Each tarball is accompanied by a digital signature available at the above ‘sig’ link. This is produced using my public key. See details below.

The following people helped with this release:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.12.0.tar.gz
$ cd icedtea6-1.12.0

Full build requirements and instructions are in INSTALL:

$ ./configure [--with-parallel-jobs --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!

[As sent to distro-pkg-dev]

I’d like to do a couple of new releases of both 6 & 7 by the end of this week (Friday the 25th of January, 2013). This will enable us to get some fixes out to users that are lurking only in HEAD. This is particularly true of 6 where the last major release was nearly a year ago (30th of January, 2012). Note that 2.4.0 is already tagged in the forest, so any remaining changes prior to release will only take place in IcedTea7.

These releases will also make the upcoming security release easier, as we will then update them rather than the aging 1.10 and 2.2, as stated in the release policy. In particular, it is becoming painful to maintain 1.10 as it has two HotSpot releases. Others are, of course, welcome to update these releases if they so wish.

I intend to delay creating branches for these releases until after the release, as neither repository is particularly high traffic at the moment. Please bear this in mind if you intend to commit work this week, and perhaps consider delaying it until the week after if it will be fairly disruptive.

If anyone has objections to the release of 1.12 and 2.4 this Friday, please reply to this mail as soon as possible. I’m unwilling to delay them much further as we get closer to the update, and I’d rather not be bundling feature updates with security updates.

The security update will still bring updates for 1.11, 2.1 and 2.3 (2.1 being for the ARM32 port), so an option remains between the new releases and the old.

I don’t like to go into too much detail about security updates, but I think it’s necessary to point out a few facts about the one we released yesterday, given some of the inaccuracies I’ve seen being spread on Twitter and elsewhere.

Patches were belatedly approved for OpenJDK 7u. OpenJDK 6 is not affected.

Running Java code from the command-line is quite different from running it via a browser plugin. In the latter situation, the user generally does not invoke the code and it runs in a sandbox with a much restricted set of privileges. Security issues occur when ways are found of achieving privilege escalation and being able to do things from the browser plugin that shouldn’t be allowed, such as invoking a program on the user’s computer. Bugs that allow this have a much higher security impact. Such escalation is fairly irrelevant when running Java from the command line as generally users run without a security manager and the code has full privileges anyway.

It is generally advisable to only run plugins in the browser that are needed (this applies to both Java and others such as Flash) and, where possible, whitelists should be used so that plugins are only used on pages approved by the user (of course, this depends on how informed the user is about giving such approval). So, all these advisories to turn off the Java browser plugin have some merit, as if you don’t use the plugin, you won’t be hit by browser-based exploits from either this issue or any future issues which may occur. Some people, of course, have no choice but to use the plugin, as some sites they use require it. In these situations, the plugin should only be used on those sites and disabled for others; browsers such as Firefox and Chromium are now starting to provide users with more options (such as ‘click to play’) as to when and where plugins are invoked, and this will also help with security issues.

As always, any opinions expressed here are my own, and not those of Red Hat, Inc.

Thanks to Matthias Klose, we just discovered that building Zero with the recent 2.3.4 release is broken (as is the earlier 2.3.3 release). Zero on 2.3.x uses the HotSpot from the 2.1.x tree (which includes the ARM32 assembler port), and, when we backported 7158800 in 2.1.3, we broke the application of 6924259 to this HotSpot in 2.3.3. This changeset, just applied to the 2.3 branch, fixes the issue. It will be included in the eventual 2.3.5 release, but, if you want Zero on 2.3.4 now, you’ll need to apply this patch yourself. Sorry for the inconvenience.

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

These releases update our OpenJDK7 support to include the latest security updates just released:

In addition, IcedTea includes the usual IcedTea patches to allow builds against system libraries and to support more esoteric architectures.

If you find an issue with one of these releases, please report it in our bug database under the appropriate component. Development discussion takes place on the OpenJDK distro-pkg-dev mailing list and patches are always welcome.

Full details of the releases can be found below.

What’s New?

New in release 2.3.4 (2013-01-15)

  • Security fixes
  • Backports
    • S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32 bit shifts
  • Bug fixes
    • G422525: Fix building with PaX enabled kernels.

New in release 2.2.4 (2013-01-15)

New in release 2.1.4 (2013-01-15)

The tarball can be downloaded from

SHA256 checksums:

  • 7762ce53479e49f8afffc81621515eb6c3f765c578ff13d4c601ce4af8935db6 icedtea-2.1.4.tar.gz
  • 6fd07ef223de0a24428384f56c848ce5e33e1030749de920adade570218f9ef3 icedtea-2.2.4.tar.gz
  • ea859f37fb20904ffd40802a41396326f7e301fa6873d88d01bf4afef5a60ca8 icedtea-2.3.4.tar.gz

Each tarball is accompanied by a digital signature available at the above ‘sig’ link. This is produced using my public key. See details below.
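
One way to check a downloaded tarball against the SHA256 values listed above and in the 1.12.0 announcement before unpacking it. This is an added example, not part of the original announcements; the function names are hypothetical, and sha256sum (or shasum) is assumed to be installed:

```shell
#!/bin/sh
# Added example: refuse to unpack an IcedTea tarball unless its SHA256 matches
# the value published in the announcements on this page.
# Published values (hash, two spaces, file name), copied from the announcements.
PUBLISHED_SUMS='4f27f3f42b57836cfb11541736282ccfc22de3f4acc0e540560fcf5512d66ced  icedtea6-1.12.0.tar.gz
7762ce53479e49f8afffc81621515eb6c3f765c578ff13d4c601ce4af8935db6  icedtea-2.1.4.tar.gz
6fd07ef223de0a24428384f56c848ce5e33e1030749de920adade570218f9ef3  icedtea-2.2.4.tar.gz
ea859f37fb20904ffd40802a41396326f7e301fa6873d88d01bf4afef5a60ca8  icedtea-2.3.4.tar.gz'

# sha256_of FILE: print the hex SHA256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# expected_sum NAME [SUMS]: print the published digest for the exact file
# name NAME; exit status is non-zero when NAME is not listed.
expected_sum() {
    printf '%s\n' "${2:-$PUBLISHED_SUMS}" |
        awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# verify_tarball PATH [SUMS]: 0 = digest matches, 1 = mismatch,
# 2 = no published digest for this file name, or file unreadable.
verify_tarball() {
    name=$(basename "$1")
    want=$(expected_sum "$name" "${2:-$PUBLISHED_SUMS}") ||
        { echo "no published checksum for $name" >&2; return 2; }
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    got=$(sha256_of "$1")
    if [ "$got" = "$want" ]; then
        echo "OK: $name"
    else
        echo "MISMATCH: $name (got $got, expected $want)" >&2
        return 1
    fi
}

# verify_and_extract PATH [SUMS]: unpack into the current directory only
# after the digest has been confirmed.
verify_and_extract() {
    verify_tarball "$1" "${2:-$PUBLISHED_SUMS}" && tar xzf "$1"
}
```

For example, `verify_and_extract icedtea-2.3.4.tar.gz` unpacks the tarball only if it matches the published digest. A matching checksum shows the file is the one the announcement describes; checking the accompanying signature additionally needs the release key, which is not reproduced on this page.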

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-${version}.tar.gz
$ cd icedtea-${version}

where ${version} is the version you’ve downloaded.

Full build requirements and instructions are in INSTALL:

$ ./configure [--with-parallel-jobs --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!