[SECURITY] IcedTea 2.6.16 for OpenJDK 7 Released!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with the October 2018 security fixes from OpenJDK 7 u201.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

What’s New?

New in release 2.6.16 (2019-01-01)

• Security fixes
  • S8194534, CVE-2018-3136: Manifest better support
  • S8194546: Choosier FileManagers
  • S8195868: Address Internet Addresses
  • S8195874: Improve jar specification adherence
  • S8196897: Improve PRNG support
  • S8196902, CVE-2018-3139: Better HTTP redirection support
  • S8199177, CVE-2018-3149: Enhance JNDI lookups
  • S8199226, CVE-2018-3169: Improve field accesses
  • S8201756: Improve cipher inputs
  • S8202613, CVE-2018-3180: Improve TLS connections stability
  • S8203654: Improve cypher state updates
  • S8204497: Better formatting of decimals
  • S8205361, CVE-2018-3214: Better RIFF reading support
  • S8208353, CVE-2018-13785: Upgrade JDK 8u to libpng 1.6.35
  • PR3640, CVE-2018-16435: lcms2: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile
• Import of OpenJDK 7 u201 build 0
  • S7058700: Unexpected exceptions and timeouts in SF2 parser code
  • S7098755: test/sun/misc/JarIndex/metaInfFilenames/Basic.java should use supported compiler interface
  • S7104650: rawtype warnings in several net, nio and security source files
  • S7116722: Miscellaneous warnings sun.misc ( and related classes )
  • S7117249: fix warnings in java.util.jar, .logging, .prefs, .zip
  • S7142888: sun/security/tools/jarsigner/ec.sh fail on sparc
  • S8044860: Vectors and fixed length fields should be verified for allowed sizes.
  • S8049834: Two security tools tests do not run with only JRE
  • S8054431: Some of the input validation in the javasound is too strict
  • S8074462: Handshake messages can be strictly ordered
  • S8130132: jarsigner should emit warning if weak algorithms or keysizes are used
  • S8142927: Feed some text to STDIN in ProcessTools.executeProcess()
  • S8146377: test/sun/security/tools/jarsigner/concise_jarsigner.sh failing
  • S8158887: sun/security/tools/jarsigner/concise_jarsigner.sh timed out
  • S8164480: Crash with assert(handler_address == SharedRuntime::compute_compiled_exc_handler(..) failed: Must be the same
  • S8168405: Pending exceptions in java.base/windows/native
  • S8172529: Use PKIXValidator in jarsigner
  • S8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
  • S8190674: sun/security/tools/jarsigner/TimestampCheck.java failed with java.nio.file.NoSuchFileException: ts2.cert
  • S8193892: Impact of noncloneable MessageDigest implementation
  • S8204667: Resources not freed on exception
  • S8207336: Build failure in JDK8u on Windows after fix 8207260
  • S8208350: Disable all DES cipher suites
  • S8208660: JDK 8u191 l10n resource file update
  • S8208754: The fix for JDK-8194534 needs updates
  • S8211107: LDAPS communication failure with jdk 1.8.0_181
  • S8211731: Reconsider default option for ClassPathURLCheck change done in JDK-8195874

The tarballs can be downloaded from:

• http://icedtea.classpath.org/download/source/icedtea-2.6.16.tar.gz
• http://icedtea.classpath.org/download/source/icedtea-2.6.16.tar.xz

We provide both gzip and xz tarballs, so that those who are able to make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

• http://icedtea.classpath.org/download/source/icedtea-2.6.16.tar.gz.sig
• http://icedtea.classpath.org/download/source/icedtea-2.6.16.tar.xz.sig

These are produced using my public key. See details below.

• PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
• Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

• f6bf1388d3dc6f7206f49702a00f2836f11841987d74a976b315843959818213 icedtea-2.6.16.tar.gz
• 64b4d156d0a1b253a3df90092ccf5605f81a5d0300434b5fd19444c7a9245585 icedtea-2.6.16.tar.gz.sig
• 6c670e75549dfd4df63a4a36636c13a5040231e7f8601f9d43bf875589df7b69 icedtea-2.6.16.tar.xz
• 0a4a0f95ecbf34302e4368b4f71a51a0da059a2a0839f44919353ae6a67f3acb icedtea-2.6.16.tar.xz.sig

The checksums can be downloaded from:

• http://icedtea.classpath.org/download/source/icedtea-2.6.16.sha256

A 2.6.16 ebuild for Gentoo is available.

The following people helped with these releases:

• Andrew Hughes (all backports & bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.16.tar.gz

or:

$ tar x -I xz -f icedtea-2.6.16.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.16/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!