November 2015


The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with an additional October 2015 security fix from OpenJDK 7 u91.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

What’s New?

New in release 2.6.3 (2015-11-13)

  • Security fixes
    • S8142882, CVE-2015-4871: rebinding of the receiver of a DirectMethodHandle may allow a protected method to be accessed
  • Backports

The tarballs can be downloaded from:

We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

These are produced using my public key. See details below.

  • PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
  • Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over the next year. Signatures made with this key are available at:

and the new key is:

  • PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
  • Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this newer key.

SHA256 checksums:

  • 89183993d3dd794b4e2a428a8a0a35f1ce77c4ae64563e53f3a08c058ea134cc icedtea-2.6.3.tar.gz
  • 2d1b8e71739cc0d3c0afbab61a2093fb501ffa28b92f6d2630c684ae9ac48551 icedtea-2.6.3.tar.gz.sig
  • d89fea821068d38f1ca9e34bbc08ca1f6da985589d7064d7a5734d66dfd20c4f icedtea-2.6.3.tar.gz.sig.ec
  • df38aa10b4d30f3bae089dcc72f4c32fb2385cb541491791c12829960f53c612 icedtea-2.6.3.tar.xz
  • b7c377c64bcc20865a063b397b4c1cd44dad782a433d6da0ce89b690e54a6c94 icedtea-2.6.3.tar.xz.sig
  • f9373d52f121b97330f77e06064753eca949e703a5b32e501a70fd1dd8f007c0 icedtea-2.6.3.tar.xz.sig.ec

The checksums can be downloaded from:

A 2.6.3 ebuild for Gentoo is available.

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.3.tar.gz

or:

$ tar x -I xz -f icedtea-2.6.3.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.3/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver, the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 6 support in the 1.13.x series with the October 2015 security fixes.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

What’s New?

New in release 1.13.9 (2015-11-13)

  • Security fixes
  • Import of OpenJDK6 b37
    • OJ64: Backport hashtable to map changes from jaxp
    • OJ65: Remove @Override annotation on interfaces added by 2015/10/20 security fixes
    • OJ66: Revert 7110373 & 7149751 test removals now 6706974 is present (krb5 test infrastructure)
    • OJ67: Fix copyright headers on imported files
    • OJ68: Ensure SharedSecrets are initialised
    • S6570619: (bf) DirectByteBuffer.get/put(byte[]) does not scale well
    • S6590930: reed/write does not match for ccache
    • S6648972: KDCReq.init always read padata
    • S6676075: RegistryContext (com.sun.jndi.url.rmi.rmiURLContext) coding problem
    • S6682516: SPNEGO_HTTP_AUTH/WWW_KRB and SPNEGO_HTTP_AUTH/WWW_SPNEGO failed on all non-windows platforms
    • S6710360: export Kerberos session key to applications
    • S6733095: Failure when SPNEGO request non-Mutual
    • S6785456: Read Kerberos setting from Windows environment variables
    • S6821190: more InquireType values for ExtendedGSSContext
    • S6843127: krb5 should not try to access unavailable kdc too often
    • S6844193: support max_retries in krb5.conf
    • S6844907: krb5 etype order should be from strong to weak
    • S6844909: support allow_weak_crypto in krb5.conf
    • S6849275: enhance krb5 reg tests
    • S6853328: Support OK-AS-DELEGATE flag
    • S6854308: more ktab options
    • S6856069: PrincipalName.clone() does not invoke super.clone()
    • S6857795: krb5.conf ignored if system properties on realm and kdc are provided
    • S6857802: GSS getRemainingInitLifetime method returns milliseconds not seconds
    • S6858589: more changes to Config on system properties
    • S6862679: ESC: AD Authentication with user with umlauts fails
    • S6877357: IPv6 address does not work
    • S6888701: Change all template java source files to a .java-template file suffix
    • S6893158: AP_REQ check should use key version number
    • S6907425: JCK Kerberos tests fail since b77
    • S6919610: KeyTabInputStream uses static field for per-instance value
    • S6932525: Incorrect encryption types of KDC_REQ_BODY of AS-REQ with pre-authentication
    • S6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
    • S6950546: “ktab -d name etype” to “ktab -d name [-e etype] [kvno | all | old]“
    • S6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
    • S6952519: kdc_timeout is not being honoured when using TCP
    • S6959292: regression: cannot login if session key and preauth does not use the same etype
    • S6960894: Better AS-REQ creation and processing
    • S6966259: Make PrincipalName and Realm immutable
    • S6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
    • S6984764: kerberos fails if service side keytab is generated using JDK ktab
    • S6997740: ktab entry related test compilation error
    • S7018928: test failure: sun/security/krb5/auto/SSL.java
    • S7032354: no-addresses should not be used on acceptor side
    • S7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
    • S7142596: RMI JPRT tests are failing
    • S7157610: NullPointerException occurs when parsing XML doc
    • S7158329: NPE in sun.security.krb5.Credentials.acquireDefaultCreds()
    • S7197159: accept different kvno if there no match
    • S8004317: TestLibrary.getUnusedRandomPort() fails intermittently, but exception not reported
    • S8005226: java/rmi/transport/pinClientSocketFactory/PinClientSocketFactory.java fails intermittently
    • S8006534: CLONE – TestLibrary.getUnusedRandomPort() fails intermittently-doesn’t retry enough times
    • S8014097: add doPrivileged methods with limited privilege scope
    • S8021191: Add isAuthorized check to limited doPrivileged methods
    • S8022213: Intermittent test failures in java/net/URLClassLoader
    • S8028583: Add helper methods to test libraries
    • S8028780: JDK KRB5 module throws OutOfMemoryError when CCache is corrupt
    • S8058608: JVM crash during Kerberos logins using des3-cbc-md5 on OSX
    • S8064331: JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC
    • S8072932: Test fails with java.security.AccessControlException: access denied (“java.security.SecurityPermission” “getDomainCombiner”)
    • S8078822: 8068842 fix missed one new file PrimeNumberSequenceGenerator.java
    • S8079323: Serialization compatibility for Templates: need to exclude Hashtable from serialization
    • S8087118: Remove missing package from java.security files
    • S8098547: (tz) Support tzdata2015e
    • S8130253: ObjectStreamClass.getFields too restrictive
    • S8133196, RH1251935: HTTPS hostname invalid issue with InetAddress
    • S8133321: (tz) Support tzdata2015f
    • S8135043: ObjectStreamClass.getField(String) too restrictive
  • Backports
    • S6440786, PR363: Cannot create a ZIP file containing zero entries
    • S6599383, PR363: Unable to open zip files more than 2GB in size
    • S6763122, PR363: ZipFile ctor does not throw exception when file is not a zip file
    • S6929479, PR363: Add a system property sun.zip.disableMemoryMapping to disable mmap use in ZipFile
    • S7105461, PR2662: Large JTables are not rendered correctly with Xrender pipeline
    • S7150134, PR2662: JCK api/java_awt/Graphics/index.html#DrawLine fails with OOM for jdk8 with XRender pipeline
  • Bug fixes
    • PR2513: Reset success following calls in LayoutManager.cpp

The tarballs can be downloaded from:

We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

  • PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
  • Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over the next year. Signatures made with this key are available at:

and the new key is:

  • PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
  • Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this newer key.

SHA256 checksums:

  • 41baf774c52c1d2a0a094a6355635942e8ecb80cf7853fb6827da80f7818ba33 icedtea6-1.13.9.tar.gz
  • 49a01399630b5477af4ac7e240aaddb04d93578d54d659b560f5f02e687fd98c icedtea6-1.13.9.tar.gz.sig
  • 3a18bb1e540a0694ca1359e5adebaa5e1af66b4ba739b4e0d3ea733683a8330a icedtea6-1.13.9.tar.gz.sig.ec
  • 61e0fb2ed0fc2d793a42e24d2192423f8a7ccb04f130d82d5889a0ecf52bc965 icedtea6-1.13.9.tar.xz
  • bf4c66cd3f64c2ca7510f8584c7bdd67012f4307d73e1f6232a1475df64c1caa icedtea6-1.13.9.tar.xz.sig
  • 51acad266f7c8a6cfd0662a1deab21a91acea88c46af2de2521897e81077b902 icedtea6-1.13.9.tar.xz.sig.ec

The checksums can be downloaded from:

A 1.13.9 ebuild for Gentoo is available.

The following people helped with these releases:

  • Andrew Hughes (all backports and bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.13.9.tar.gz

or:

$ tar x -I xz -f icedtea6-1.13.9.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea6-1.13.9/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!