Fri 21 Jul 2017
[SECURITY] IcedTea 3.5.0 for OpenJDK 8 Released!
Posted by gnu_andrew under IcedTea, OpenJDK, Security
We are pleased to announce the release of IcedTea 3.5.0!
The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.
This release updates our OpenJDK 8 support with the July 2017 security fixes from OpenJDK 8 u141.
If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.
Full details of the release can be found below.
What’s New?
New in release 3.5.0 (2017-07-20)
- Security fixes
- S8163958, CVE-2017-10102: Improved garbage collection
- S8167228: Update to libpng 1.6.28
- S8169209, CVE-2017-10053: Improved image post-processing steps
- S8169392, CVE-2017-10067: Additional jar validation steps
- S8170966, CVE-2017-10081: Right parenthesis issue
- S8171539, CVE-2017-10078: Better script accessibility for JavaScript
- S8172204, CVE-2017-10087: Better Thread Pool execution
- S8172461, CVE-2017-10089: Service Registration Lifecycle
- S8172465, CVE-2017-10090: Better handling of channel groups
- S8172469, CVE-2017-10096: Transform Transformer Exceptions
- S8173286, CVE-2017-10101: Better reading of text catalogs
- S8173697, CVE-2017-10107: Less Active Activations
- S8173770, CVE-2017-10074: Image conversion improvements
- S8174098, CVE-2017-10110: Better image fetching
- S8174105, CVE-2017-10108: Better naming attribution
- S8174113, CVE-2017-10109: Better sourcing of code
- S8174770: Check registry registration location
- S8174873: Improved certificate processing
- S8175106, CVE-2017-10115: Higher quality DSA operations
- S8175110, CVE-2017-10118: Higher quality ECDSA operations
- S8176055: JMX diagnostic improvements
- S8176067, CVE-2017-10116: Proper directory lookup processing
- S8176760, CVE-2017-10135: Better handling of PKCS8 material
- S8178135, CVE-2017-10176: Additional elliptic curve support
- S8179101, CVE-2017-10193: Improve algorithm constraints implementation
- S8179998, CVE-2017-10198: Clear certificate chain connections
- S8181420, CVE-2017-10074: PPC: Image conversion improvements
- S8183551, CVE-2017-10074, PR3423: AArch64: Image conversion improvements
- S8184185, CVE-2017-10111: Rearrange MethodHandle arrangements
- New features
- Import of OpenJDK 8 u141 build 15
- S8139870: sun.management.LazyCompositeData.isTypeMatched() fails for composite types with items of ArrayType
- S8155690: Update libPNG library to the latest up-to-date
- S8159058: SAXParseException when sending soap message
- S8162461: Hang due to JNI up-call made whilst holding JNI critical lock
- S8163889: [macosx] Can’t print from browser on Mac OS X
- S8165231: java.nio.Bits.unaligned() doesn’t return true on ppc
- S8165367: Additional tests for JEP 288: Disable SHA-1 Certificates
- S8173145: Menu is activated after using mnemonic Alt/Key combination
- S8173207: Upgrade compression library
- S8175251: Failed to load RSA private key from pkcs12
- S8176329: jdeps to detect MR jar file and output a warning
- S8176536: Improved algorithm constraints checking
- S8176731: JCK tests in api/javax_xml/transform/ spec conformance started failing after 8172469
- S8176769: Remove accidental spec change in jdk8u
- S8177449: (tz) Support tzdata2017b
- S8178996: [macos] JComboBox doesn’t display popup in mixed JavaFX Swing Application on 8u131 and Mac OS 10.12
- S8179014: JFileChooser with Windows look and feel crashes on win 10
- S8180582: The bind to rmiregistry is rejected by registryFilter even though registryFilter is set
- S8181591: 8u141 L10n resource file update
- S8181698: Remove and retag 8u141-b12 tag from source repository
- S8181946: JDK 8 THIRD_PARTY_README – Minor Cleanup
- S8182054: Improve wsdl support
- S8184235: Backout JDK-8173207 from 8u141, 7u151 and higher updates source base
- Backports
- S8164293, PR3412, RH1459641: HotSpot leaking memory in long-running requests
- S8175813, PR3394, RH1448880: PPC64: “mbind: Invalid argument” when -XX:+UseNUMA is used
- S8175887, PR3415: C1 value numbering handling of Unsafe.get*Volatile is incorrect
- S8179084, PR3409, RH1455694: HotSpot VM fails to start when AggressiveHeap is set
- S8180048, PR3411, RH1449870: Interned string and symbol table leak memory during parallel unlinking
- S8181055, PR3394, RH1448880: PPC64: “mbind: Invalid argument” still seen after 8175813
- S8181419, PR3413, RH1463144: Race in jdwp invoker handling may lead to crashes or invalid results
- AArch64 port
- AArch32 port
- PR3391: Revert PR3385 as -Xshare:dump does appear to work on AArch32
The tarballs can be downloaded from:
- http://icedtea.classpath.org/download/source/icedtea-3.5.0.tar.gz
- http://icedtea.classpath.org/download/source/icedtea-3.5.0.tar.xz
We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.
The tarballs are accompanied by digital signatures available at:
- http://icedtea.classpath.org/download/source/icedtea-3.5.0.tar.gz.sig
- http://icedtea.classpath.org/download/source/icedtea-3.5.0.tar.xz.sig
These are produced using my public key. See details below.
- PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
- Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
GnuPG >= 2.1 is required to be able to handle this key.
SHA256 checksums:
- 2c92e18fa70edaf73517fcf91bc2a7cc2ec2aa8ffdf22bb974fa6f9bc3065f30 icedtea-3.5.0.tar.gz
- d27c337e87221c9de158f83e43823bf2c5ec2ebf78c8fa5b9a11b182acb68ee1 icedtea-3.5.0.tar.gz.sig
- 9aa89e00ecc07baa6b37a6b1e363c3d7128253e95374c74d1d2706f36c3ccab5 icedtea-3.5.0.tar.xz
- 59089156b3ea0973304c6d89d598ca6a149e594f9555fd35c9c0a78101ce7e65 icedtea-3.5.0.tar.xz.sig
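One way to apply the checksums and signature described above before unpacking, as an added example that is not part of the original announcement. The function names and script layout are assumptions; it expects GNU coreutils, GnuPG >= 2.1, and the signing key already imported into the local keyring.

```bash
#!/usr/bin/env bash
# Added example: verify an IcedTea 3.5.0 tarball before unpacking it.
# Digests and fingerprint are copied from the announcement; function names
# and script layout are assumptions of this example.

# Fingerprint from the announcement with the spaces removed.
PINNED_FPR="5132579DD1540ED23E04C5A0CFDA0F9B35964222"

# Print the published SHA256 for a tarball name (nothing for unknown names).
expected_sha256() {
  case "$1" in
    icedtea-3.5.0.tar.gz) echo 2c92e18fa70edaf73517fcf91bc2a7cc2ec2aa8ffdf22bb974fa6f9bc3065f30 ;;
    icedtea-3.5.0.tar.xz) echo 9aa89e00ecc07baa6b37a6b1e363c3d7128253e95374c74d1d2706f36c3ccab5 ;;
  esac
}

# Succeed only if the SHA256 of file $1 equals the non-empty digest $2.
check_sha256() {
  local actual
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ -n "$2" ] && [ "$actual" = "$2" ]
}

# Succeed only if the gpg status output in $1 has a VALIDSIG line whose
# signing-key or primary-key fingerprint equals $2. A good signature made
# by any other key in the keyring is rejected.
validsig_matches() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# Full check of tarball $1 with detached signature $2:
# digest first, then the signature against the pinned key.
verify_release() {
  local status
  check_sha256 "$1" "$(expected_sha256 "$(basename "$1")")" \
    || { echo "checksum mismatch: $1" >&2; return 1; }
  status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) \
    && validsig_matches "$status" "$PINNED_FPR" \
    || { echo "no valid signature by $PINNED_FPR" >&2; return 1; }
  echo "OK: $1"
}

# Usage: ./verify-icedtea.sh icedtea-3.5.0.tar.xz icedtea-3.5.0.tar.xz.sig
if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```

Comparing the full fingerprint from gpg's machine-readable status output, rather than reading the "Good signature" text, keeps a signature from an unrelated key in the keyring from passing.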
The checksums can be downloaded from:
A 3.5.0 ebuild for Gentoo is available.
The following people helped with these releases:
- Severin Gehwolf (S8181419/PR3413/RH1463144 JDWP race)
- Zhengyu Gu (S8175813 & S8181055/PR3394/RH1448880 NUMA issues)
- Andrew Hughes (all other bug fixes and backports, release management)
- Roland Westrelin (S8183551/CVE-2017-10074 AArch64 fix)
We would also like to thank the bug reporters and testers!
To get started:
$ tar xzf icedtea-3.5.0.tar.gz
or:
$ tar x -I xz -f icedtea-3.5.0.tar.xz
then:
$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-3.5.0/configure
$ make
Full build requirements and instructions are available in the INSTALL file.