Security


The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 8 support in the 3.0.x series with the April 2016 security fixes from OpenJDK 8 u91.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

What’s New?

New in release 3.0.1 (2016-04-23)

  • Security fixes
  • Import of OpenJDK 8 u91 build 14
    • S8002116: This JdbReadTwiceTest.sh gets an exit 1
    • S8007890: [TESTBUG] JcmdWithNMTDisabled.java fails when invoked with NMT explicitly turned on
    • S8036132: Tab characters in test/com/sun/jdi files
    • S8038963: com/sun/jdi tests fail because cygwin’s ps sometimes misses processes
    • S8044419: TEST_BUG: com/sun/jdi/JdbReadTwiceTest.sh fails when run under root
    • S8059661: Test SoftReference and OOM behavior
    • S8067422: Lambda method names are unnecessarily unstable
    • S8073735: [TEST_BUG] compiler/loopopts/CountedLoopProblem.java got OOME
    • S8074146: [TEST_BUG] jdb has succeded to read an unreadable file
    • S8130212: Thread::current() might access freed memory on Solaris
    • S8132890: Text Overlapping on Dot Matrix Printers
    • S8134297: NPE in GSSNameElement nameType check
    • S8134650: Xsl transformation gives different results in 8u66
    • S8134828: Scrollbar thumb disappears with Nimbus L&F
    • S8138589: Correct limits on unlimited cryptography
    • S8138811: Construction of static protection domains
    • S8140268: Generate link to specification license for JavaDoc API documentation
    • S8141229: [Parfait] Null pointer dereference in cmsstrcasecmp of cmserr.c
    • S8143002: [Parfait] JNI exception pending in fontpath.c:1300
    • S8143959: Certificates requiring blacklisting
    • S8146477: [TEST_BUG] ClientJSSEServerJSSE.java failing again
    • S8146518: Zero interpreter broken with better byte behaviour
    • S8146967: [TEST_BUG] javax/security/auth/SubjectDomainCombiner/Optimize.java should use 4-args ProtectionDomain constructor
    • S8147567: InterpreterRuntime::post_field_access not updated for boolean in JDK-8132051
    • S8148446: (tz) Support tzdata2016a
    • S8148475: Missing SA Bytecode updates.
    • S8148487: PPC64: Better byte behavior
    • S8148522: Backout JDK-8138811 from 2016 Apr CPU repo
    • S8149170: Better byte behavior for native arguments
    • S8149367: PolicyQualifierInfo/index_Ctor JCk test fails with IOE: Invalid encoding for PolicyQualifierInfo
    • S8150012: Better byte behavior for reflection
    • S8150790: 8u75 L10n resource file translation update
  • Backports
    • S8148752, PR2943: Compiled StringBuilder code throws StringIndexOutOfBoundsException
    • S8154210: Zero: Better byte behaviour
    • S8154413: AArch64: Better byte behaviour
  • Bug fixes
    • PR2933: Support ccache 3.2 and later
    • PR2934, G579676: SunEC provider throwing KeyException with current NSS

The tarballs can be downloaded from:

We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

These are produced using my public key. See details below.

  • PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
  • Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

  • 8babade1717fff48bcc4e1e2f3159c2c7d97cfb44ef10124bbab3f7dc34a0582 icedtea-3.0.1.tar.gz
  • 8a5e702a114117ed301a632b1a41651d0577c9c59cfae4d10ff41f6a52185fc7 icedtea-3.0.1.tar.gz.sig
  • 346ce30de1de6c493729b79b246f250438fc5b8df7eae47229a97f9000a73af2 icedtea-3.0.1.tar.xz
  • b440f83a05788157b752cc3b1a239261bcbb52bf82211c93173e93cb4f3fa760 icedtea-3.0.1.tar.xz.sig

The checksums can be downloaded from:

A 3.0.1 ebuild for Gentoo is available.

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-3.0.1.tar.gz

or:

$ tar x -I xz -f icedtea-3.0.1.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-3.0.1/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with the April 2016 security fixes from OpenJDK 7 u101.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

What’s New?

New in release 2.6.6 (2016-04-21)

  • Security fixes
  • Import of OpenJDK 7 u101 build 0
    • S4858370: JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command
    • S7127906: (launcher) convert the launcher regression tests to java
    • S8002116: This JdbReadTwiceTest.sh gets an exit 1
    • S8004007: test/sun/tools/jinfo/Basic.sh fails on when runSA is set to true
    • S8007890: [TESTBUG] JcmdWithNMTDisabled.java fails when invoked with NMT explicitly turned on
    • S8027705: com/sun/jdi/JdbMethodExitTest.sh fails when a background thread is generating events.
    • S8028537: PPC64: Updated the JDK regression tests to run on AIX
    • S8036132: Tab characters in test/com/sun/jdi files
    • S8038963: com/sun/jdi tests fail because cygwin’s ps sometimes misses processes
    • S8044419: TEST_BUG: com/sun/jdi/JdbReadTwiceTest.sh fails when run under root
    • S8059661: Test SoftReference and OOM behavior
    • S8072753: Nondeterministic wrong answer on arithmetic
    • S8073735: [TEST_BUG] compiler/loopopts/CountedLoopProblem.java got OOME
    • S8074146: [TEST_BUG] jdb has succeded to read an unreadable file
    • S8134297: NPE in GSSNameElement nameType check
    • S8134650: Xsl transformation gives different results in 8u66
    • S8141229: [Parfait] Null pointer dereference in cmsstrcasecmp of cmserr.c
    • S8143002: [Parfait] JNI exception pending in fontpath.c:1300
    • S8146477: [TEST_BUG] ClientJSSEServerJSSE.java failing again
    • S8146967: [TEST_BUG] javax/security/auth/SubjectDomainCombiner/Optimize.java should use 4-args ProtectionDomain constructor
    • S8147567: InterpreterRuntime::post_field_access not updated for boolean in JDK-8132051
    • S8148446: (tz) Support tzdata2016a
    • S8148475: Missing SA Bytecode updates.
    • S8149170: Better byte behavior for native arguments
    • S8149367: PolicyQualifierInfo/index_Ctor JCk test fails with IOE: Invalid encoding for PolicyQualifierInfo
    • S8150012: Better byte behavior for reflection
    • S8150790: 8u75 L10n resource file translation update
    • S8153673: [BACKOUT] JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command
    • S8154210: Zero: Better byte behaviour
  • Bug fixes
    • PR2889: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
    • PR2929: configure: error: “A JDK home directory could not be found.”
    • PR2935: Check that freetype defines FT_CONFIG_OPTION_INFINALITY_PATCHSET if enabling infinality
    • PR2938: Fix build of 8148487 backport
    • PR2939: Remove rogue ReleaseStringUTFChars line remaining from merge of 7u101 b00
  • PPC & AIX port
  • AArch64 port
    • S8154413: AArch64: Better byte behaviour
    • PR2914: byte_map_base is not page aligned on OpenJDK 7
  • JamVM
    • PR2665: icedtea/jamvm 2.6 fails as a build VM for icedtea

The tarballs can be downloaded from:

We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

These are produced using my public key. See details below.

  • PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
  • Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

  • d6d92e9b20e321d51b2f428868b6de3d3ebc2b4eedde19e5cf2e2452da6d0fde icedtea-2.6.6.tar.gz
  • 765e3dfbaa5eef6fccd9cc53c153681ad2c70384b31fe3691e44709dbeeae3d2 icedtea-2.6.6.tar.gz.sig
  • 79949744436158d9ded3a758c22da7629f843ea3913afdffc65ea0f1a26d544a icedtea-2.6.6.tar.xz
  • a8049026f7b7f8503ce7ff25c28b822e97cce5c495fdaa0c9b734315d99596bd icedtea-2.6.6.tar.xz.sig

The checksums can be downloaded from:

A 2.6.6 ebuild for Gentoo is available.

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.6.tar.gz

or:

$ tar x -I xz -f icedtea-2.6.6.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.6/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with the March 2016 interim security fix from OpenJDK 7 u99.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

What’s New?

New in release 2.6.5 (2016-03-24)

  • Security fixes
  • Import of OpenJDK 7 u99 build 0
    • S6425769, PR2858: Allow specifying an address to bind JMX remote connector
    • S6961123: setWMClass fails to null-terminate WM_CLASS string
    • S8145982, PR2858: JMXInterfaceBindingTest is failing intermittently
    • S8146015, PR2858: JMXInterfaceBindingTest is failing intermittently for IPv6 addresses
  • Backports
    • S8028727, PR2814: [parfait] warnings from b116 for jdk.src.share.native.sun.security.ec: JNI pending exceptions
    • S8048512, PR2814: Uninitialised memory in jdk/src/share/native/sun/security/ec/ECC_JNI.cpp
    • S8071705, PR2819, RH1182694: Java application menu misbehaves when running multiple screen stacked vertically
    • S8150954, PR2866, RH1176206: AWT Robot not compatible with GNOME Shell
  • Bug fixes
    • PR2803: Make system CUPS optional
    • PR2886: Location of ‘stap’ executable is hard-coded
    • PR2893: test/tapset/jstaptest.pl should be executable
    • PR2894: Add missing test directory in make check.
  • CACAO
    • PR2781, CA195: typeinfo.cpp: typeinfo_merge_nonarrays: Assertion `dest && result && x.any && y.any’ failed
  • AArch64 port
    • PR2852: Add support for large code cache
    • PR2852: Apply ReservedCodeCacheSize default limiting to AArch64 only.
    • S8081289, PR2852: aarch64: add support for RewriteFrequentPairs in interpreter
    • S8131483, PR2852: aarch64: illegal stlxr instructions
    • S8133352, PR2852: aarch64: generates constrained unpredictable instructions
    • S8133842, PR2852: aarch64: C2 generates illegal instructions with int shifts >=32
    • S8134322, PR2852: AArch64: Fix several errors in C2 biased locking implementation
    • S8136615, PR2852: aarch64: elide DecodeN when followed by CmpP 0
    • S8138575, PR2852: Improve generated code for profile counters
    • S8138641, PR2852: Disable C2 peephole by default for aarch64
    • S8138966, PR2852: Intermittent SEGV running ParallelGC
    • S8143067, PR2852: aarch64: guarantee failure in javac
    • S8143285, PR2852: aarch64: Missing load acquire when checking if ConstantPoolCacheEntry is resolved
    • S8143584, PR2852: Load constant pool tag and class status with load acquire
    • S8144201, PR2852: aarch64: jdk/test/com/sun/net/httpserver/Test6a.java fails with –enable-unlimited-crypto
    • S8144582, PR2852: AArch64 does not generate correct branch profile data
    • S8146709, PR2852: AArch64: Incorrect use of ADRP for byte_map_base
    • S8147805, PR2852: aarch64: C1 segmentation fault due to inline Unsafe.getAndSetObject
    • S8148240, PR2852: aarch64: random infrequent null pointer exceptions in javac
  • PPC & AIX port
    • S8034797, PR2851: AIX: Fix os::naked_short_sleep() in os_aix.cpp after 8028280
    • S8139258, PR2851: PPC64LE: argument passing problem when passing 15 floats in native call
    • S8139421, PR2851: PPC64LE: MacroAssembler::bxx64_patchable kill register R12

The tarballs can be downloaded from:

We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

These are produced using my public key. See details below.

  • PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
  • Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

  • d8bce93bd33b299a52236f03fb57d42ae9de808c8337e6185930799dbfc78795 icedtea-2.6.5.tar.gz
  • 0a12f5916c144879812dc086bfbb506569ee3abb056a81031287d00914652313 icedtea-2.6.5.tar.gz.sig
  • e752304496bb11ae9952beb11e6743dd84e55b340eaca716f310c5a0f48b53f7 icedtea-2.6.5.tar.xz
  • 7bd1b00d3f59e32e80ba41a705a5730de87dd76f138d94dd94995b9a394d9dad icedtea-2.6.5.tar.xz.sig

The checksums can be downloaded from:

A 2.6.5 ebuild for Gentoo is available.

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.5.tar.gz

or:

$ tar x -I xz -f icedtea-2.6.5.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.5/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver, the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 6 support in the 1.13.x series with the January 2016 security fixes.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

What’s New?

New in release 1.13.10 (2016-01-22)

  • Security fixes
  • Import of OpenJDK6 b38
    • OJ69: Windows build broken after b37 changes
    • OJ70: Allow versions of ALSA >= 1.1.0
    • S6720721: CRL check with circular depency support needed
    • S6852744: PIT b61: PKI test suite fails because self signed certificates are being rejected [Tests only]
    • S7166570: JSSE certificate validation has started to fail for certificate chains
    • S7167988: PKIX CertPathBuilder in reverse mode doesn’t work if more than one trust anchor is specified
    • S7171223: Building ExtensionSubtables.cpp should use -fno-strict-aliasing
    • S8068761: [TEST_BUG] java/nio/channels/ServerSocketChannel/AdaptServerSocket.java failed with SocketTimeoutException
    • S8074068: Cleanup in src/share/classes/sun/security/x509/
    • S8075773: jps running as root fails after the fix of JDK-8050807
    • S8081297: SSL Problem with Tomcat
    • S8134605: Partial rework of the fix for 8081297
    • S8135307: CompletionFailure thrown when calling FieldDoc.type, if the field’s type is missing
    • S8138716: (tz) Support tzdata2015g
    • S8141213: [Parfait]Potentially blocking function GetArrayLength called in JNI critical region at line 239 of jdk/src/share/native/sun/awt/image/jpeg/jpegdecoder.c in function GET_ARRAYS
    • S8141287: Add MD5 to jdk.certpath.disabledAlgorithms – Take 2
    • S8142928: [TEST_BUG] sun/security/provider/certpath/ReverseBuilder/ReverseBuild.java 8u71 failure
    • S8144955: Wrong changes were pushed with 8143942
    • S8145551: Test failed with Crash for Improved font lookups
    • S8147466: Add -fno-strict-overflow to IndicRearrangementProcessor{,2}.cpp
  • Backports
    • S7169111, PR2757: Unreadable menu bar with Ambiance theme in GTK L&F
    • S8140620, PR2711: Find and load default.sf2 as the default soundbank on Linux

The tarballs can be downloaded from:

We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

  • PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
  • Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

  • e467fbdbae88897c4447b400be32f3176a798d3c7d84a311b7a24420e955e93a icedtea6-1.13.10.tar.gz
  • 59a4eef6f98a1ef5951e3fd64f94a3e8f818513fa2cf721ffb60b20601eed92d icedtea6-1.13.10.tar.gz.sig
  • a08907fa5a99a84c1bb480c9a0438264ff01c6215a7e1618e08e4ae79d4600d7 icedtea6-1.13.10.tar.xz
  • 4dac256f93799aa0e75062c94c242f956bd2372b1fb70c220dcb02d4b2d028a5 icedtea6-1.13.10.tar.xz.sig

The checksums can be downloaded from:

A 1.13.10 ebuild for Gentoo is available.

The following people helped with these releases:

  • Andrew Hughes (all backports and bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.13.10.tar.gz

or:

$ tar x -I xz -f icedtea6-1.13.10.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea6-1.13.10/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with the January 2016 security fixes from OpenJDK 7 u95.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

What’s New?

New in release 2.6.4 (2016-01-19)

  • Security fixes
  • Import of OpenJDK 7 u95 build 0
    • S7167988: PKIX CertPathBuilder in reverse mode doesn’t work if more than one trust anchor is specified
    • S8068761: [TEST_BUG] java/nio/channels/ServerSocketChannel/AdaptServerSocket.java failed with SocketTimeoutException
    • S8074068: Cleanup in src/share/classes/sun/security/x509/
    • S8075773: jps running as root fails after the fix of JDK-8050807
    • S8081297: SSL Problem with Tomcat
    • S8131181: Increment minor version of HSx for 7u95 and initialize the build number
    • S8132082: Let OracleUcrypto accept RSAPrivateKey
    • S8134605: Partial rework of the fix for 8081297
    • S8134861: XSLT: Extension func call cause exception if namespace URI contains partial package name
    • S8135307: CompletionFailure thrown when calling FieldDoc.type, if the field’s type is missing
    • S8138716: (tz) Support tzdata2015g
    • S8140244: Port fix of JDK-8075773 to MacOSX
    • S8141213: [Parfait]Potentially blocking function GetArrayLength called in JNI critical region at line 239 of jdk/src/share/native/sun/awt/image/jpeg/jpegdecoder.c in function GET_ARRAYS
    • S8141287: Add MD5 to jdk.certpath.disabledAlgorithms – Take 2
    • S8142928: [TEST_BUG] sun/security/provider/certpath/ReverseBuilder/ReverseBuild.java 8u71 failure
    • S8143132: L10n resource file translation update
    • S8144955: Wrong changes were pushed with 8143942
    • S8145551: Test failed with Crash for Improved font lookups
    • S8147466: Add -fno-strict-overflow to IndicRearrangementProcessor{,2}.cpp
  • Backports
    • S8140244: Port fix of JDK-8075773 to AIX

The tarballs can be downloaded from:

We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

These are produced using my public key. See details below.

  • PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
  • Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

  • ef5dd43c5f87742ac28519420055ad24acaca55b005b5b2e339cf3e451d716c1 icedtea-2.6.4.tar.gz
  • 59acd169e88ab8071f37481351a70b04e4eacd341dba1ecc3588bf5d42ef6b7d icedtea-2.6.4.tar.gz.sig
  • d20a365feea95a4c01c9f9db1f7562f471f638bc672db9de6c6e654d2d826164 icedtea-2.6.4.tar.xz
  • fc90dc9a58db1309d2105766cc9b41f295c1c12981cf1fc0afc04efa860d3f61 icedtea-2.6.4.tar.xz.sig

The checksums can be downloaded from:

A 2.6.4 ebuild for Gentoo is available.

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.4.tar.gz

or:

$ tar x -I xz -f icedtea-2.6.4.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.4/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with an additional October 2015 security fix from OpenJDK 7 u91.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

What’s New?

New in release 2.6.3 (2015-11-13)

  • Security fixes
    • S8142882, CVE-2015-4871: rebinding of the receiver of a DirectMethodHandle may allow a protected method to be accessed
  • Backports

The tarballs can be downloaded from:

We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

These are produced using my public key. See details below.

  • PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
  • Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over the next year. Signatures made with this key are available at:

and the new key is:

  • PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
  • Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this newer key.

SHA256 checksums:

  • 89183993d3dd794b4e2a428a8a0a35f1ce77c4ae64563e53f3a08c058ea134cc icedtea-2.6.3.tar.gz
  • 2d1b8e71739cc0d3c0afbab61a2093fb501ffa28b92f6d2630c684ae9ac48551 icedtea-2.6.3.tar.gz.sig
  • d89fea821068d38f1ca9e34bbc08ca1f6da985589d7064d7a5734d66dfd20c4f icedtea-2.6.3.tar.gz.sig.ec
  • df38aa10b4d30f3bae089dcc72f4c32fb2385cb541491791c12829960f53c612 icedtea-2.6.3.tar.xz
  • b7c377c64bcc20865a063b397b4c1cd44dad782a433d6da0ce89b690e54a6c94 icedtea-2.6.3.tar.xz.sig
  • f9373d52f121b97330f77e06064753eca949e703a5b32e501a70fd1dd8f007c0 icedtea-2.6.3.tar.xz.sig.ec

The checksums can be downloaded from:

A 2.6.3 ebuild for Gentoo is available.

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.3.tar.gz

or:

$ tar x -I xz -f icedtea-2.6.3.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.3/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver, the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 6 support in the 1.13.x series with the October 2015 security fixes.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

What’s New?

New in release 1.13.9 (2015-11-13)

  • Security fixes
  • Import of OpenJDK6 b37
    • OJ64: Backport hashtable to map changes from jaxp
    • OJ65: Remove @Override annotation on interfaces added by 2015/10/20 security fixes
    • OJ66: Revert 7110373 & 7149751 test removals now 6706974 is present (krb5 test infrastructure)
    • OJ67: Fix copyright headers on imported files
    • OJ68: Ensure SharedSecrets are initialised
    • S6570619: (bf) DirectByteBuffer.get/put(byte[]) does not scale well
    • S6590930: reed/write does not match for ccache
    • S6648972: KDCReq.init always read padata
    • S6676075: RegistryContext (com.sun.jndi.url.rmi.rmiURLContext) coding problem
    • S6682516: SPNEGO_HTTP_AUTH/WWW_KRB and SPNEGO_HTTP_AUTH/WWW_SPNEGO failed on all non-windows platforms
    • S6710360: export Kerberos session key to applications
    • S6733095: Failure when SPNEGO request non-Mutual
    • S6785456: Read Kerberos setting from Windows environment variables
    • S6821190: more InquireType values for ExtendedGSSContext
    • S6843127: krb5 should not try to access unavailable kdc too often
    • S6844193: support max_retries in krb5.conf
    • S6844907: krb5 etype order should be from strong to weak
    • S6844909: support allow_weak_crypto in krb5.conf
    • S6849275: enhance krb5 reg tests
    • S6853328: Support OK-AS-DELEGATE flag
    • S6854308: more ktab options
    • S6856069: PrincipalName.clone() does not invoke super.clone()
    • S6857795: krb5.conf ignored if system properties on realm and kdc are provided
    • S6857802: GSS getRemainingInitLifetime method returns milliseconds not seconds
    • S6858589: more changes to Config on system properties
    • S6862679: ESC: AD Authentication with user with umlauts fails
    • S6877357: IPv6 address does not work
    • S6888701: Change all template java source files to a .java-template file suffix
    • S6893158: AP_REQ check should use key version number
    • S6907425: JCK Kerberos tests fail since b77
    • S6919610: KeyTabInputStream uses static field for per-instance value
    • S6932525: Incorrect encryption types of KDC_REQ_BODY of AS-REQ with pre-authentication
    • S6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
    • S6950546: “ktab -d name etype” to “ktab -d name [-e etype] [kvno | all | old]“
    • S6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
    • S6952519: kdc_timeout is not being honoured when using TCP
    • S6959292: regression: cannot login if session key and preauth does not use the same etype
    • S6960894: Better AS-REQ creation and processing
    • S6966259: Make PrincipalName and Realm immutable
    • S6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
    • S6984764: kerberos fails if service side keytab is generated using JDK ktab
    • S6997740: ktab entry related test compilation error
    • S7018928: test failure: sun/security/krb5/auto/SSL.java
    • S7032354: no-addresses should not be used on acceptor side
    • S7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
    • S7142596: RMI JPRT tests are failing
    • S7157610: NullPointerException occurs when parsing XML doc
    • S7158329: NPE in sun.security.krb5.Credentials.acquireDefaultCreds()
    • S7197159: accept different kvno if there no match
    • S8004317: TestLibrary.getUnusedRandomPort() fails intermittently, but exception not reported
    • S8005226: java/rmi/transport/pinClientSocketFactory/PinClientSocketFactory.java fails intermittently
    • S8006534: CLONE – TestLibrary.getUnusedRandomPort() fails intermittently-doesn’t retry enough times
    • S8014097: add doPrivileged methods with limited privilege scope
    • S8021191: Add isAuthorized check to limited doPrivileged methods
    • S8022213: Intermittent test failures in java/net/URLClassLoader
    • S8028583: Add helper methods to test libraries
    • S8028780: JDK KRB5 module throws OutOfMemoryError when CCache is corrupt
    • S8058608: JVM crash during Kerberos logins using des3-cbc-md5 on OSX
    • S8064331: JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC
    • S8072932: Test fails with java.security.AccessControlException: access denied (“java.security.SecurityPermission” “getDomainCombiner”)
    • S8078822: 8068842 fix missed one new file PrimeNumberSequenceGenerator.java
    • S8079323: Serialization compatibility for Templates: need to exclude Hashtable from serialization
    • S8087118: Remove missing package from java.security files
    • S8098547: (tz) Support tzdata2015e
    • S8130253: ObjectStreamClass.getFields too restrictive
    • S8133196, RH1251935: HTTPS hostname invalid issue with InetAddress
    • S8133321: (tz) Support tzdata2015f
    • S8135043: ObjectStreamClass.getField(String) too restrictive
  • Backports
    • S6440786, PR363: Cannot create a ZIP file containing zero entries
    • S6599383, PR363: Unable to open zip files more than 2GB in size
    • S6763122, PR363: ZipFile ctor does not throw exception when file is not a zip file
    • S6929479, PR363: Add a system property sun.zip.disableMemoryMapping to disable mmap use in ZipFile
    • S7105461, PR2662: Large JTables are not rendered correctly with Xrender pipeline
    • S7150134, PR2662: JCK api/java_awt/Graphics/index.html#DrawLine fails with OOM for jdk8 with XRender pipeline
  • Bug fixes
    • PR2513: Reset success following calls in LayoutManager.cpp

The tarballs can be downloaded from:

We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

  • PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
  • Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over the next year. Signatures made with this key are available at:

and the new key is:

  • PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
  • Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this newer key.

SHA256 checksums:

  • 41baf774c52c1d2a0a094a6355635942e8ecb80cf7853fb6827da80f7818ba33 icedtea6-1.13.9.tar.gz
  • 49a01399630b5477af4ac7e240aaddb04d93578d54d659b560f5f02e687fd98c icedtea6-1.13.9.tar.gz.sig
  • 3a18bb1e540a0694ca1359e5adebaa5e1af66b4ba739b4e0d3ea733683a8330a icedtea6-1.13.9.tar.gz.sig.ec
  • 61e0fb2ed0fc2d793a42e24d2192423f8a7ccb04f130d82d5889a0ecf52bc965 icedtea6-1.13.9.tar.xz
  • bf4c66cd3f64c2ca7510f8584c7bdd67012f4307d73e1f6232a1475df64c1caa icedtea6-1.13.9.tar.xz.sig
  • 51acad266f7c8a6cfd0662a1deab21a91acea88c46af2de2521897e81077b902 icedtea6-1.13.9.tar.xz.sig.ec

The checksums can be downloaded from:

A 1.13.9 ebuild for Gentoo is available.

The following people helped with these releases:

  • Andrew Hughes (all backports and bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.13.9.tar.gz

or:

$ tar x -I xz -f icedtea6-1.13.9.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea6-1.13.9/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with the October 2015 security fixes from OpenJDK 7 u91.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Please Note: The fix for S8086092 below affects the build of the in-tree copy of LCMS. If the default of using the system LCMS is used, this will not take effect. Users should either switch to in-tree LCMS or (ideally) apply the fix to the system build of LCMS.

Full details of the release can be found below.

What’s New?

New in release 2.6.2 (2015-10-22)

  • Security fixes
  • Import of OpenJDK 7 u85 build 2
    • S8133968: Revert 8014464 on OpenJDK 7
    • S8133993: [TEST_BUG] Make CipherInputStreamExceptions compile on OpenJDK 7
    • S8134248: Fix recently backported tests to work with OpenJDK 7u
    • S8134610: Mac OS X build fails after July 2015 CPU
    • S8134618: test/javax/xml/jaxp/transform/8062923/XslSubstringTest.java has bad license header
  • Import of OpenJDK 7 u91 build 0
    • S6854417: TESTBUG: java/util/regex/RegExTest.java fails intermittently
    • S6966259: Make PrincipalName and Realm immutable
    • S8005226: java/rmi/transport/pinClientSocketFactory/PinClientSocketFactory.java fails intermittently
    • S8014097: add doPrivileged methods with limited privilege scope
    • S8021191: Add isAuthorized check to limited doPrivileged methods
    • S8028780: JDK KRB5 module throws OutOfMemoryError when CCache is corrupt
    • S8064331: JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC
    • S8076506: Increment minor version of HSx for 7u91 and initialize the build number
    • S8078822: 8068842 fix missed one new file PrimeNumberSequenceGenerator.java
    • S8079323: Serialization compatibility for Templates: need to exclude Hashtable from serialization
    • S8087118: Remove missing package from java.security files
    • S8098547: (tz) Support tzdata2015e
    • S8130253: ObjectStreamClass.getFields too restrictive
    • S8133321: (tz) Support tzdata2015f
    • S8135043: ObjectStreamClass.getField(String) too restrictive
  • Import of OpenJDK 7 u91 build 1
    • S8072932: Test fails with java.security.AccessControlException: access denied (“java.security.SecurityPermission” “getDomainCombiner”)
  • Backports
    • S6880559, PR2674: Enable PKCS11 64-bit windows builds
    • S6904403, PR2674: assert(f == k->has_finalizer(),"inconsistent has_finalizer") with debug VM
    • S7011441, PR2674: jndi/ldap/Connection.java needs to avoid spurious wakeup
    • S7059542, PR2674: JNDI name operations should be locale independent
    • S7105461, PR2571: Large JTables are not rendered correctly with Xrender pipeline
    • S7105883, PR2560, RH1245855: JDWP: agent crash if there exists a ThreadGroup with null name
    • S7107611, PR2674: sun.security.pkcs11.SessionManager is scalability blocker
    • S7127066, PR2674: Class verifier accepts an invalid class file
    • S7150092, PR2674: NTLM authentication fail if user specified a different realm
    • S7150134, PR2571: JCK api/java_awt/Graphics/index.html#DrawLine fails with OOM for jdk8 with XRender pipeline
    • S7152582, PR2674: PKCS11 tests should use the NSS libraries available in the OS
    • S7156085, PR2674: ArrayIndexOutOfBoundsException throws in UTF8Reader of SAXParser
    • S7177045, PR2674: Rework the TestProviderLeak.java regression test, it is too fragile to low memory errors.
    • S7190945, PR2674: pkcs11 problem loading NSS libs on Ubuntu
    • S8005226, PR2674: java/rmi/transport/pinClientSocketFactory/PinClientSocketFactory.java fails intermittently
    • S8009438, PR2674: sun/security/pkcs11/Secmod tests failing on Ubuntu 12.04
    • S8011709, PR2509: [parfait] False positive: memory leak in jdk/src/share/native/sun/font/layout/CanonShaping.cpp
    • S8012971, PR2674: PKCS11Test hiding exception failures
    • S8016105, PR2560, RH1245855: Add complementary RETURN_NULL allocation macros in allocation.hpp
    • S8020424, PR2674: The NSS version should be detected before running crypto tests
    • S8020443, PR2674: Frame is not created on the specified GraphicsDevice with two monitors
    • S8021897, PR2560, RH1245855: EXCEPTION_ACCESS_VIOLATION on debugging String.contentEquals()
    • S8022683, PR2560, RH1245855: JNI GetStringUTFChars should return NULL on allocation failure not abort the VM
    • S8023052, PR2509: JVM crash in native layout
    • S8025922, PR2560, RH1245855: JNI access to Strings need to check if the value field is non-null
    • S8026119, PR2679: Regression test DHEKeySizing.java failing intermittently
    • S8027624, PR2674: com/sun/crypto/provider/KeyFactory/TestProviderLeak.java unstable again
    • S8033069, PR2674: mouse wheel scroll closes combobox popup
    • S8035150, PR2674: ShouldNotReachHere() in ConstantPool::copy_entry_to
    • S8039212, PR2674: SecretKeyBasic.sh needs to avoid NSS libnss3 and libsoftokn3 version mismatches
    • S8042855, PR2509: [parfait] Potential null pointer dereference in IndicLayoutEngine.cpp
    • S8044364, PR2674: runtime/RedefineFinalizer test fails on windows
    • S8048353, PR2674: jstack -l crashes VM when a Java mirror for a primitive type is locked
    • S8050123, PR2674: Incorrect property name documented in CORBA InputStream API
    • S8056122, PR1896: Upgrade JDK to use LittleCMS 2.6
    • S8056124, PR2674: Hotspot should use PICL interface to get cacheline size on SPARC
    • S8057934, PR1896: Upgrade to LittleCMS 2.6 breaks AIX build
    • S8059200, PR2674: Promoted JDK9 b31 for Solaris-amd64 fails (Error: dl failure on line 744, no picl library) on Solaris 11.1
    • S8059588, PR2674: deadlock in java/io/PrintStream when verbose java.security.debug flags are set
    • S8062518, PR2674: AIOBE occurs when accessing to document function in extended function in JAXP
    • S8062591, PR2674: SPARC PICL causes significantly longer startup times
    • S8072863, PR2674: Replace fatal() with vm_exit_during_initialization() when an incorrect class is found on the bootclasspath
    • S8073453, PR2674: Focus doesn’t move when pressing Shift + Tab keys
    • S8074350, PR2674: Support ISO 4217 “Current funds codes” table (A.2)
    • S8074869, PR2674: C2 code generator can replace -0.0f with +0.0f on Linux
    • S8075609, PR2674: java.lang.IllegalArgumentException: aContainer is not a focus cycle root of aComponent
    • S8075773, PR2674: jps running as root fails after the fix of JDK-8050807
    • S8076040, PR2674: Test com/sun/crypto/provider/KeyFactory/TestProviderLeak.java fails with -XX:+UseG1GC
    • S8076328, PR2679: Enforce key exchange constraints
    • S8076455, PR2674: IME Composition Window is displayed on incorrect position
    • S8076968, PR2674: PICL based initialization of L2 cache line size on some SPARC systems is incorrect
    • S8077102, PR2674: dns_lookup_realm should be false by default
    • S8077409, PR2674: Drawing deviates when validate() is invoked on java.awt.ScrollPane
    • S8078113, PR2674: 8011102 changes may cause incorrect results
    • S8078331, PR1896: Upgrade JDK to use LittleCMS 2.7
    • S8080012, PR2674: JVM times out with vdbench on SPARC M7-16
    • S8081392, PR2674: getNodeValue should return ‘null’ value for Element nodes
    • S8081470, PR2674: com/sun/jdi tests are failing with “Error. failed to clean up files after test” with jtreg 4.1 b12
    • S8081756, PR1896: Mastering Matrix Manipulations
    • S8130297, PR2674: com/sun/crypto/provider/KeyFactory/TestProviderLeak.java still failing after JDK-8076040
    • S8133636, PR2674: [TEST_BUG] Import/add tests for the problem seen in 8076110
  • Bug fixes
    • PR2512: Reset success following calls in LayoutManager.cpp
    • PR2557, G390663: Update Gentoo font configuration and allow font directory to be specified
    • PR2568: openjdk causes a full desktop crash on RHEL 6 i586
    • PR2683: AArch64 port has broken Zero on AArch64
    • PR2684: AArch64 port not selected on architectures where host_cpu != aarch64
    • PR2686: Add generated Fedora & Gentoo font configurations for bootstrap stage
  • CACAO
    • PR2652: Set classLoader field in java.lang.Class as expected by JDK

The tarballs can be downloaded from:

We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

These are produced using my public key. See details below.

  • PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
  • Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over the next year. Signatures made with this key are available at:

and the new key is:

  • PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
  • Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this newer key.

SHA256 checksums:

  • c19eafacd23c81179934acab123511c424cd07c094739fa33778bf7cc80e14d0 icedtea-2.6.2.tar.gz
  • 38570f916c85ae77c80da1e3ab3eb5c98266042b5bae89b34894063bb0dcbaa2 icedtea-2.6.2.tar.gz.sig
  • 18d1e0ec86fe4973b890d00e9b9cb2bef109ba8f1ca5a1d8e2958918f1bc955e icedtea-2.6.2.tar.gz.sig.ec
  • bee8565c507a484ea876b62474aec379ac0e434acb9de8213279f47e1fe22076 icedtea-2.6.2.tar.xz
  • 43e5f03e561b52a97015a347de1e0c1a445f3a73dd6e38d29c4b8ca4a71dc033 icedtea-2.6.2.tar.xz.sig
  • aea216e14e5c5389836634285d303728b4cbf93e1ccb974b1a1c458eb8379e43 icedtea-2.6.2.tar.xz.sig.ec

The checksums can be downloaded from:

A 2.6.2 ebuild for Gentoo is available.

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.2.tar.gz

or:

$ tar x -I xz -f icedtea-2.6.2.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.2/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver, the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 6 support in the 1.13.x series with the July 2015 security fixes.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

Please Note: This release includes a backport of jdk.tls.ephemeralDHKeySize which changes the default for Diffee-Hellman ephemeral keys to 1024-bit (CVE-2015-4000). To use the previous default (768-bit keys), pass -Djdk.tls.ephemeralDHKeySize=legacy on the command-line. All current releases of IcedTea 1.x and 2.x, along with OpenJDK 8, allow the use of “matched” mode which creates an ephemeral DH key matching the size of the authentication key, or the specification of an explicit key size between 1024 and 2048 bits inclusive (e.g. -Djdk.tls.ephemeralDHKeySize=1536).

What’s New?

New in release 1.13.8 (2015-07-29)

  • Security fixes
  • Import of OpenJDK6 b36
    • OJ58: Allow OpenJDK to build on PaX-enabled kernels
    • OJ59: Only apply PaX-marking when needed by a running PaX kernel
    • OJ61: Remove translation strings for ErrorMsg.JAXP_INVALID_ATTR_VALUE_ERR which doesn’t exist in OpenJDK 6
    • OJ62, PR2552: Restrict key size of RSA certificates to >= 1024
    • OJ63: Remove @Override annotation on interfaces added by 2015/07/14 security fixes.
    • S6787645: CRL validation code should permit some clock skew when checking validity of CRLs
    • S6996365: Evaluate the priorities of cipher suites
    • S7185471: Avoid key expansion when AES cipher is re-init w/ the same key
    • S8007142: Add utility classes for writing better multiprocess tests in jtreg
    • S8008089: Delete OS dependent check in JdkFinder.getExecutable()
    • S8024861: Incomplete token triggers GSS-API NullPointerException
    • S8027058: sun/management/jmxremote/bootstrap/RmiBootstrapTest.sh Failed to initialize connector
    • S8036786: Update jdk7 testlibrary to match jdk8
    • S8042205: javax/management/monitor/*: some tests didn’t get all the notifications
    • S8042982: Unexpected RuntimeExceptions being thrown by SSLEngine
    • S8043200, PR2485: Decrease the preference mode of RC4 in the enabled cipher suite list
    • S8043201: Deprecate RC4 in SunJSSE provider
    • S8046817: JDK 8 schemagen tool does not generate xsd files for enum types
    • S8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred
    • S8050158: Introduce system property to maintain RC4 preference order
    • S8062923: XSL: Run-time internal error in ‘substring()’
    • S8062924: XSL: wrong answer from substring() function
    • S8064546: CipherInputStream throws BadPaddingException if stream is not fully read
    • S8065764: javax/management/monitor/CounterMonitorTest.java hangs
    • S8066952: [TEST-BUG] javax/management/monitor/CounterMonitorTest.java hangs
    • S8073357: schema1.xsd has wrong content. Sequence of the enum values has been changed
    • S8073385: Bad error message on parsing illegal character in XML attribute
    • S8074098: 2D_Font/Bug8067699 test fails with SIGBUS crash on Solaris Sparc
    • S8074297: substring in XSLT returns wrong character if string contains supplementary chars
    • S8075575: com/sun/security/auth/login/ConfigFile/InconsistentError.java failed in certain env.
    • S8075576: com/sun/security/auth/module/KeyStoreLoginModule/OptionTest.java failed in certain env.
    • S8075667: (tz) Support tzdata2015b
    • S8076290: JCK test api/xsl/conf/string/string17 starts failing after JDK-8074297
    • S8077685: (tz) Support tzdata2015d
    • S8078348: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with BindException
    • S8078439: SPNEGO auth fails if client proposes MS krb5 OID
    • S8078666, PR2327: JVM fastdebug build compiled with GCC 5 asserts with “widen increases”
    • S8080318: jdk8u51 l10n resource file translation update
    • S8081386: Test sun/management/jmxremote/bootstrap/RmiSslBootstrapTest.sh test has RC4 dependencies
    • S8081775: two lib/testlibrary tests are failing with “Error. failed to clean up files after test” with jtreg 4.1 b12
  • Backports
    • S4890063,PR2306, RH1214835: HPROF: default text truncated when using doe=n option
    • S6562614, PR2555: Compiler warnings for gettimeofday in Inet4/Inet6AddressImpl.c
    • S6956398, PR2486: make ephemeral DH key match the length of the certificate key
    • S6989466, PR2555: Miscellaneous compiler warnings in java/lang, java/util, java/io, sun/misc native code
    • S6991580, PR2309: IPv6 Nameservers in resolv.conf throws NumberFormatException
    • S6997561, PR2479: A request for better error handling in JNDI
    • S7007905, PR2298: javazic produces wrong line numbers
    • S7017176, PR2479: Several JNDI tests are mssing GPL header
    • S7058708, PR2298: Eliminate JDK build tools build warnings
    • S7069870, PR2298: Parts of the JDK erroneously rely on generic array initializers with diamond
    • S7090844, PR2298: Support a timezone whose offset is changed more than once in the future
    • S7094377, PR2479: Com.sun.jndi.ldap.read.timeout doesn’t work with ldaps.
    • S7133138, PR2298: Improve io performance around timezone lookups
    • S7170638, PR2495: Use DTRACE_PROBE[N] in JNI Set and SetStatic Field.
    • S8000487, PR2479: Java JNDI connection library on ldap conn is not honoring configured timeout
    • S8011709, PR2510: [parfait] False positive: memory leak in jdk/src/share/native/sun/font/layout/CanonShaping.cpp
    • S8023052, PR2510: JVM crash in native layout
    • S8039921, PR2468: SHA1WithDSA with key > 1024 bits not working
    • S8041451, PR2480: com.sun.jndi.ldap.Connection:ReadTimeout should abandon ldap request
    • S8042855, PR2510: [parfait] Potential null pointer dereference in IndicLayoutEngine.cpp
    • S8042857, PR2479: 14 stuck threads waiting for notification on LDAPRequest
    • S8065238, PR2479: javax.naming.NamingException after upgrade to JDK 8
    • S8074761, PR2469: Empty optional parameters of LDAP query are not interpreted as empty
    • S8078654, PR2334: CloseTTFontFileFunc callback should be removed
    • S8081315, PR2406: Avoid giflib interlacing workaround with giflib 5.0.0 on
    • S8081475, PR2495: SystemTap does not work when JDK is compiled with GCC 5
    • S8087120, RH1206656, PR2554: [GCC5] java.lang.StackOverflowError on Zero JVM initialization on non x86 platforms.
  • Bug fixes
    • PR2319: Checksum of policy JAR files changes on every build
    • PR2340: Fail early if there is no native HotSpot JIT & all other options are disabled
    • PR2342: Update README & INSTALL files
    • PR2360: Ensure all stamp targets have aliases
    • PR2391: Make elliptic curve removal optional
    • PR2460: Policy JAR files should be timestamped with the date of the policy file they hold
    • PR2481, RH489586, RH1236619: OpenJDK can’t handle spaces in zone names in /etc/sysconfig/clock
    • PR2486: JSSE server is still limited to 768-bit DHE
    • PR2508, G541462: Only apply PaX markings by default on running PaX kernels
    • PR2556, G390663: Update Gentoo font configuration and allow font directory to be specified
    • PR2559: generated directory gets confused with generated alias
    • PR2565: Replace ipv4-mapped-ipv6-addresses.patch with upstream fix 6882910
  • CACAO
    • PR829: Raise javadoc and JAVAC_FLAGS memory limits for CACAO
  • JamVM
    • PR2522: Add executable stack markings to callNative.S on JamVM

The tarballs can be downloaded from:

We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

  • PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
  • Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over the next year. Signatures made with this key are available at:

and the new key is:

  • PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
  • Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this newer key.

SHA256 checksums:

  • 05fd1584e458ddaaf1d464842431dbcbcbaf7f9ef9f92f9cebaa180ccbbc5d1b icedtea6-1.13.8.tar.gz
  • 27fe15966c69d40f3ccec392b6725aafe81fcbd14fd698067a46eff23cb94620 icedtea6-1.13.8.tar.gz.sig
  • 1af0e21b109b58d27ce063696b42f1cdded0f829f51440f716540bec138355ed icedtea6-1.13.8.tar.gz.sig.ec
  • fcbc623957e393a00d6189cb88288fed21c21860485092ea7719a12fbbc00adb icedtea6-1.13.8.tar.xz
  • 95dad7fbcb133e461e557fbe343f0cf27aeb2972cce58ad9184c71e0bc9431c1 icedtea6-1.13.8.tar.xz.sig
  • 2b4f32188d5631c0bc3f0168099cd903b09f7b6832b82c2060b6b8003de1567c icedtea6-1.13.8.tar.xz.sig.ec

The checksums can be downloaded from:

A 1.13.8 ebuild for Gentoo is available.

The following people helped with these releases:

  • James Le Cuirot (PR829 CACAO work)
  • Andrew Hughes (all backports and other bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.13.8.tar.gz

or:

$ tar x -I xz -f icedtea6-1.13.8.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea6-1.13.8/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.5.x series with the July 2015 security fixes. This is the last release in the 2.5.x series.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

Please Note: The backport of jdk.tls.ephemeralDHKeySize now defaults to 1024-bit keys (CVE-2015-4000). To use the previous default (768-bit keys), pass -Djdk.tls.ephemeralDHKeySize=legacy on the command-line. Both OpenJDK 7 & 8 allow the use of “matched” mode which creates an ephemeral DH key matching the size of the authentication key, or the specification of a key size between 1024 and 2048 bits inclusive.

What’s New?

New in release 2.5.6 (2015-07-22)

  • Security fixes
  • Backports
    • S4890063, PR2305, RH1214835: HPROF: default text truncated when using doe=n option
    • S6991580, PR2308: IPv6 Nameservers in resolv.conf throws NumberFormatException
    • S7124253: [macosx] Flavor change notification not coming
    • S8007219: [macosx] Frame size reverts meaning of maximized attribute if frame size close to display
    • S8013581: [macosx] Key Bindings break with awt GraphicsEnvironment setFullScreenWindow
    • S8020210: [macosx] JVM crashes in CWrapper$NSWindow.screen(long)
    • S8021120, PR2301: TieredCompilation can be enabled even if TIERED is undefined
    • S8027058: sun/management/jmxremote/bootstrap/RmiBootstrapTest.sh Failed to initialize connector
    • S8027561: [macosx] Cleanup “may not respond to selector” warnings in native code
    • S8029607, PR2418: Type of Service (TOS) cannot be set in IPv6 header
    • S8029868: Fix KSS issues in sun.lwawt.macosx
    • S8039921, PR2421: SHA1WithDSA with key > 1024 bits not working
    • S8042205: javax/management/monitor/*: some tests didn’t get all the notifications
    • S8042982: Unexpected RuntimeExceptions being thrown by SSLEngine
    • S8043201: Deprecate RC4 in SunJSSE provider
    • S8043129, PR2338: JAF initialisation in SAAJ clashing with the one in javax.mail
    • S8046817: JDK 8 schemagen tool does not generate xsd files for enum types
    • S8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred
    • S8048212, PR2418: Two tests failed with “java.net.SocketException: Bad protocol option” on Windows after 8029607
    • S8048214, PR2357: Linker error when compiling G1SATBCardTableModRefBS after include order changes
    • S8062923: XSL: Run-time internal error in ‘substring()’
    • S8062924: XSL: wrong answer from substring() function
    • S8064546: CipherInputStream throws BadPaddingException if stream is not fully read
    • S8065238, PR2478: javax.naming.NamingException after upgrade to JDK 8
    • S8065764: javax/management/monitor/CounterMonitorTest.java hangs
    • S8066952: [TEST-BUG] javax/management/monitor/CounterMonitorTest.java hangs
    • S8071668: [macosx] Clipboard does not work with 3rd parties Clipboard Managers
    • S8072385, PR2387: Only the first DNSName entry is checked for endpoint identification
    • S8073357: schema1.xsd has wrong content. Sequence of the enum values has been changed
    • S8073385: Bad error message on parsing illegal character in XML attribute
    • S8074098: 2D_Font/Bug8067699 test fails with SIGBUS crash on Solaris Sparc
    • S8074297: substring in XSLT returns wrong character if string contains supplementary chars
    • S8074761, PR2470: Empty optional parameters of LDAP query are not interpreted as empty
    • S8075575: com/sun/security/auth/login/ConfigFile/InconsistentError.java failed in certain env.
    • S8075576: com/sun/security/auth/module/KeyStoreLoginModule/OptionTest.java failed in certain env.
    • S8075667: (tz) Support tzdata2015b
    • S8076290: JCK test api/xsl/conf/string/string17 starts failing after JDK-8074297
    • S8077685: (tz) Support tzdata2015d
    • S8078348: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with BindException
    • S8078439: SPNEGO auth fails if client proposes MS krb5 OID
    • S8078562: Add modified dates
    • S8078654, PR2333: CloseTTFontFileFunc callback should be removed
    • S8078666, PR2326: JVM fastdebug build compiled with GCC 5 asserts with “widen increases”
    • S8080318: jdk8u51 l10n resource file translation update
    • S8081315, PR2405: Avoid giflib interlacing workaround with giflib 5.0.0 on
    • S8081386: Test sun/management/jmxremote/bootstrap/RmiSslBootstrapTest.sh test has RC4 dependencies
    • S8081475, PR2494: SystemTap does not work when JDK is compiled with GCC 5
    • S8081775: two lib/testlibrary tests are failing with “Error. failed to clean up files after test” with jtreg 4.1 b12
    • S8087120, RH1206656, PR2553: [GCC5] java.lang.StackOverflowError on Zero JVM initialization on non x86 platforms.
    • S8133970: Only apply PaX-marking when needed by a running PaX kernel
    • S8133990: Revert introduction of lambda expression in sun.lwawt.macosx.LWCToolkit
    • S8133991: Fix mistake in 8075374 backport
  • Bug fixes
    • PR2328: GCJ uses ppc64el named libarch directory on ppc64le
    • PR2341: Update README & INSTALL files
    • PR2367: 7 no longer builds with 6 – Util is not public in sun.management
    • PR2390: Make elliptic curve removal optional
    • PR2395: Path to jvm.cfg is wrong in add-systemtap-boot
    • PR2458: Policy JAR files should be timestamped with the date of the policy file they hold
    • PR2482, RH489586, RH1236619: OpenJDK can’t handle spaces in zone names in /etc/sysconfig/clock
    • PR2499: Update remove-intree-libraries.sh script
    • PR2502: Remove -fno-tree-vectorize workaround now http://gcc.gnu.org/PR63341 is fixed
    • PR2507, G541462: Only apply PaX markings by default on running PaX kernels
  • CACAO
    • PR2380: Raise javadoc and JAVAC_FLAGS memory limits for CACAO
  • JamVM
    • PR2500: Add executable stack markings to callNative.S on JamVM
  • AArch64 port
    • Changes to make aix compile after the merge
    • S8025613, PR2437: clang: remove -Wno-unused-value
    • S8035938: Memory leak in JvmtiEnv::GetConstantPool
    • S8058113: Execution of OnOutOfMemoryError command hangs on linux-sparc
    • S8068674: Increment minor version of HSx for 7u85 and initialize the build number
    • S8069593: Changes to JavaThread::_thread_state must use acquire and release
    • S8071423: Increment hsx 24.80 build to b08 for 7u80-b07
    • S8071807: Increment hsx 24.80 build to b09 for 7u80-b08
    • S8072639: Increment hsx 24.80 build to b10 for 7u80-b09
    • S8074349: AARCH64: C2 generates poor code for some byte and character stores
    • S8075045: AARCH64: Stack banging should use store rather than load
    • S8075136: Unnecessary sign extension for byte array access
    • S8075324: Costs of memory operands in aarch64.ad are inconsistent
    • S8075443: AARCH64: Missed L2I optimizations in C2
    • S8075930: AARCH64: Use FP Register in C2
    • S8076212, PR2314: AllocateHeap() and ReallocateHeap() should be inlined.
    • S8076467: AARCH64: assertion fail with -XX:+UseG1GC
    • S8078529: Increment the build value to b02 for hs24.85 in 8u85
    • S8079203: AARCH64: Need to cater for different partner implementations
    • S8080586: aarch64: hotspot test compiler/codegen/7184394/TestAESMain.java fails
    • S8081622: Increment the build value to b03 for hs24.85 in 8u51
  • PPC & AIX port
    • S8069590: AIX port of “8050807: Better performing performance data handling”
    • S8078482, PR2307: ppc: pass thread to throw_AbstractMethodError
    • S8080190: PPC64: Fix wrong rotate instructions in the .ad file

The tarballs can be downloaded from:

We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

These are produced using my public key. See details below.

  • PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
  • Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over the next year. Signatures made with this key are available at:

and the new key is:

  • PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
  • Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this newer key.

SHA256 checksums:

  • 055fccbb0e5f25382c89d1bd71d50a5a34ffae32859375bb3dcc048a98ef4726 icedtea-2.5.6.tar.gz
  • e4caa7def2561918e79e5778ec9f793ed0a28fc4cafd10675fa1ed7d7133f032 icedtea-2.5.6.tar.gz.sig
  • 2f0bab310ad177669a0724aa1b0fc32094ff435e8afd930f9d132e505ab99543 icedtea-2.5.6.tar.gz.sig.ec
  • bb3c7e9fd372c737849d9d3129d935174492a0d924a2801223c822426338b8c4 icedtea-2.5.6.tar.xz
  • e5b4f9c7890051c3e209c3dd606e8da0d74e215c05d08369cf19cbdd6e57a4d5 icedtea-2.5.6.tar.xz.sig
  • ac4ed71aed0ade86a3253aae8f52f9e1e651237e5a1ae4dddfe216c58495be51 icedtea-2.5.6.tar.xz.sig.ec

The checksums can be downloaded from:

A 2.5.6 ebuild for Gentoo is available.

The following people helped with these releases:

  • James Le Cuirot (PR2380 CACAO work)
  • Tiago Sturmer Diatx (PR2328 ppc64le work)
  • Andrew Dinn (AArch64 integration work)
  • Andrew Hughes (all other backports & bug fixes, release management)
  • Omair Majid (OJ05)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.5.6.tar.gz

or:

$ tar x -I xz -f icedtea-2.5.6.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.5.6/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!

Next Page »