2013-06-28

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

This release updates our OpenJDK 7 support to include the latest security updates. We recommend that users of the 2.3.x branch upgrade to this latest release as soon as possible. The security fixes are as follows:

S6741606, CVE-2013-2407: Integrate Apache Santuario

S7158805, CVE-2013-2445: Better rewriting of nested subroutine calls

S7170730, CVE-2013-2451: Improve Windows network stack support.

S8000638, CVE-2013-2450: Improve deserialization

S8000642, CVE-2013-2446: Better handling of objects for transportation

S8001032: Restrict object access

S8001033, CVE-2013-2452: Refactor network address handling in virtual machine identifiers

S8001034, CVE-2013-1500: Memory management improvements

S8001038, CVE-2013-2444: Resourcefully handle resources

S8001043: Clarify definition restrictions

S8001308: Update display of applet windows

S8001309: Better handling of annotation interfaces

S8001318, CVE-2013-2447: Socket.getLocalAddress not consistent with InetAddress.getLocalHost

S8001330, CVE-2013-2443: Improve on checking order (non-Zero builds only)

S8003703, CVE-2013-2412: Update RMI connection dialog box

S8004288, CVE-2013-2449: (fs) Files.probeContentType problems

S8004584: Augment applet contextualization

S8005007: Better glyph processing

S8006328, CVE-2013-2448: Improve robustness of sound classes

S8006611: Improve scripting

S8007467: Improve robustness of JMX internal APIs

S8007471: Improve MBean notifications

S8007812, CVE-2013-2455: (reflect) Class.getEnclosingMethod problematic for some classes

S8007925: Improve cmsStageAllocLabV2ToV4curves

S8007926: Improve cmsPipelineDup

S8007927: Improve cmsAllocProfileSequenceDescription

S8007929: Improve CurvesAlloc

S8008120, CVE-2013-2457: Improve JMX class checking

S8008124, CVE-2013-2453: Better compliance testing

S8008128: Better API coherence for JMX

S8008132, CVE-2013-2456: Better serialization support

S8008585: Better JMX data handling

S8008593: Better URLClassLoader resource management

S8008603: Improve provision of JMX providers

S8008607: Better input checking in JMX

S8008611: Better handling of annotations in JMX

S8008615: Improve robustness of JMX internal APIs

S8008623: Better handling of MBeanServers

S8008744, CVE-2013-2407: Rework part of fix for JDK-6741606

S8008982: Adjust JMX for underlying interface changes

S8009004: Better implementation of RMI connections

S8009008: Better manage management-api

S8009013: Better handling of T2K glyphs

S8009034: Improve resulting notifications in JMX

S8009038: Improve JMX notification support

S8009057, CVE-2013-2448: Improve MIDI event handling

S8009067: Improve storing keys in KeyStore

S8009071, CVE-2013-2459: Improve shape handling

S8009235: Improve handling of TSA data

S8009424, CVE-2013-2458: Adapt Nashorn to JSR-292 implementation change

S8009554, CVE-2013-2454: Improve SerialJavaObject.getFields

S8009654: Improve stability of cmsnamed

S8010209, CVE-2013-2460: Better provision of factories

S8011243, CVE-2013-2470: Improve ImagingLib

S8011248, CVE-2013-2471: Better Component Rasters

S8011253, CVE-2013-2472: Better Short Component Rasters

S8011257, CVE-2013-2473: Better Byte Component Rasters

S8012375, CVE-2013-1571: Improve Javadoc framing

S8012421: Better positioning of PairPositioning

S8012438, CVE-2013-2463: Better image validation

S8012597, CVE-2013-2465: Better image channel verification

S8012601, CVE-2013-2469: Better validation of image layouts

S8014281, CVE-2013-2461: Better checking of XML signature

S8015997: Additional improvement in Javadoc framing

The HotSpot part of S8001330 is currently only provided for HotSpot 23.7 on x86, x86_64 and SPARC architectures as we’ve found it to be unstable when applied to the older HotSpot used by Zero. If we find a solution for this, we’ll issue a further update.

In addition, IcedTea includes the usual IcedTea patches to allow builds against system libraries and to support more esoteric architectures. In this release, use of the system version of LCMS is disabled by default to ensure the most secure version is used. Before using the system version, please ensure it has the S8007925, S8007926, S8007927, S8007929 and S8009654 updates listed above.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below. Note that the unusually large number of backports is due to syncing with the upstream u25 release, which also provides all these.

What’s New?

New in release 2.3.10 (2013-06-28)

Security fixes

S6741606, CVE-2013-2407: Integrate Apache Santuario

S7158805, CVE-2013-2445: Better rewriting of nested subroutine calls

S7170730, CVE-2013-2451: Improve Windows network stack support.

S8000638, CVE-2013-2450: Improve deserialization

S8000642, CVE-2013-2446: Better handling of objects for transportation

S8001032: Restrict object access

S8001033, CVE-2013-2452: Refactor network address handling in virtual machine identifiers

S8001034, CVE-2013-1500: Memory management improvements

S8001038, CVE-2013-2444: Resourcefully handle resources

S8001043: Clarify definition restrictions

S8001308: Update display of applet windows

S8001309: Better handling of annotation interfaces

S8001318, CVE-2013-2447: Socket.getLocalAddress not consistent with InetAddress.getLocalHost

S8001330, CVE-2013-2443: Improve on checking order (non-Zero builds only)

S8003703, CVE-2013-2412: Update RMI connection dialog box

S8004288, CVE-2013-2449: (fs) Files.probeContentType problems

S8004584: Augment applet contextualization

S8005007: Better glyph processing

S8006328, CVE-2013-2448: Improve robustness of sound classes

S8006611: Improve scripting

S8007467: Improve robustness of JMX internal APIs

S8007471: Improve MBean notifications

S8007812, CVE-2013-2455: (reflect) Class.getEnclosingMethod problematic for some classes

S8007925: Improve cmsStageAllocLabV2ToV4curves

S8007926: Improve cmsPipelineDup

S8007927: Improve cmsAllocProfileSequenceDescription

S8007929: Improve CurvesAlloc

S8008120, CVE-2013-2457: Improve JMX class checking

S8008124, CVE-2013-2453: Better compliance testing

S8008128: Better API coherence for JMX

S8008132, CVE-2013-2456: Better serialization support

S8008585: Better JMX data handling

S8008593: Better URLClassLoader resource management

S8008603: Improve provision of JMX providers

S8008607: Better input checking in JMX

S8008611: Better handling of annotations in JMX

S8008615: Improve robustness of JMX internal APIs

S8008623: Better handling of MBeanServers

S8008744, CVE-2013-2407: Rework part of fix for JDK-6741606

S8008982: Adjust JMX for underlying interface changes

S8009004: Better implementation of RMI connections

S8009008: Better manage management-api

S8009013: Better handling of T2K glyphs

S8009034: Improve resulting notifications in JMX

S8009038: Improve JMX notification support

S8009057, CVE-2013-2448: Improve MIDI event handling

S8009067: Improve storing keys in KeyStore

S8009071, CVE-2013-2459: Improve shape handling

S8009235: Improve handling of TSA data

S8009424, CVE-2013-2458: Adapt Nashorn to JSR-292 implementation change

S8009554, CVE-2013-2454: Improve SerialJavaObject.getFields

S8009654: Improve stability of cmsnamed

S8010209, CVE-2013-2460: Better provision of factories

S8011243, CVE-2013-2470: Improve ImagingLib

S8011248, CVE-2013-2471: Better Component Rasters

S8011253, CVE-2013-2472: Better Short Component Rasters

S8011257, CVE-2013-2473: Better Byte Component Rasters

S8012375, CVE-2013-1571: Improve Javadoc framing

S8012421: Better positioning of PairPositioning

S8012438, CVE-2013-2463: Better image validation

S8012597, CVE-2013-2465: Better image channel verification

S8012601, CVE-2013-2469: Better validation of image layouts

S8014281, CVE-2013-2461: Better checking of XML signature

S8015997: Additional improvement in Javadoc framing

New features

PR1378: Add AArch64 support to Zero

Bug fixes

PR1409: IcedTea 2.3.9 fails to build Zero due to -Werror

PR1410: Icedtea 2.3.9 fails to build using icedtea 1.12.4

Backports

S6720349: (ch) Channels tests depending on hosts inside Sun

S6736316: Timeout value in java/util/concurrent/locks/Lock/FlakyMutex.java is insufficient

S6776144: java/lang/ThreadGroup/NullThreadName.java fails with Thread group is not destroyed ,fastdebug LINUX

S6818464: TEST_BUG: java/util/Timer/KillThread.java failing intermittently

S6860309: TEST_BUG: Insufficient sleep time in java/lang/Runtime/exec/StreamsSurviveDestroy.java

S6948101: java/rmi/transport/pinLastArguments/PinLastArguments.java failing intermittently

S6957683: test/java/util/concurrent/ThreadPoolExecutor/Custom.java failing

S6963102: Testcase failures sun/tools/jstatd/jstatdExternalRegistry.sh and sun/tools/jstatd/jstatdDefaults.sh

S6963841: java/util/concurrent/Phaser/Basic.java fails intermittently

S6965150: TEST_BUG: java/nio/channels/AsynchronousSocketChannel/Basic.java takes too long

S7030573: test/java/io/FileInputStream/LargeFileAvailable.java fails when there is insufficient disk space

S7032247: java/net/InetAddress/GetLocalHostWithSM.java fails if hostname resolves to loopback address

S7044870: java/nio/channels/DatagramChannel/SelectWhenRefused.java failed on SUSE Linux 10

S7053526: Upgrade JDK 8 to use Little CMS 2.4

S7054918: jdk_security1 test target cleanup

S7055362: jdk_security2 test target cleanup

S7055363: jdk_security3 test target cleanup

S7072120: No mac os x support in several regression tests

S7073295: TEST_BUG: test/java/lang/instrument/ManifestTest.sh causing havoc (win)

S7076756: TEST_BUG: com/sun/jdi/BreakpointWithFullGC.sh fails to cleanup in Cygwin

S7076791: closed/javax/swing/JColorChooser/Test6827032.java failed on windows

S7077259: [TEST_BUG] [macosx] Test work correctly only when default L&F is Metal

S7084033: TEST_BUG: test/java/lang/ThreadGroup/Stop.java fails intermittently

S7089131: test/java/lang/invoke/InvokeGenericTest.java does not compile

S7102106: TEST_BUG: sun/security/util/Oid/S11N.sh should be modified

S7104161: test/sun/tools/jinfo/Basic.sh fails on Ubuntu

S7104594: [macosx] Test closed/javax/swing/JFrame/4962534/bug4962534 expects Metal L&F by default

S7105929: java/util/concurrent/FutureTask/BlockingTaskExecutor.java fails on solaris sparc

S7124347: [macosx] “java.lang.InternalError: not implemented yet” on call Graphics2D.drawRenderedImage

S7129800: [macosx] Regression test OverrideRedirectWindowActivationTest fails due to timing issue

S7132247: java/rmi/registry/readTest/readTest.sh failing with Cygwin

S7140868: TEST_BUG: jcmd tests need to use -XX:+UsePerfData

S7142596: RMI JPRT tests are failing

S7144833: sun/tools/jcmd/jcmd-Defaults.sh failing intermittently

S7144861: speed up RMI activation tests

S7147408: [macosx] Add autodelay to fix a regression test

S7151434, RH969884: java -jar -XX crashes java launcher

S7152183: TEST_BUG: java/lang/ProcessBuilder/Basic.java failing intermittently [sol]

S7152796: TEST_BUG: java/net/Socks/SocksV4Test.java does not terminate

S7152856: TEST_BUG: sun/net/www/protocol/jar/B4957695.java failing on Windows

S7154113: jcmd, jps and jstat tests failing when there are unknown Java processes on the system

S7154114: jstat tests failing on non-english locales

S7161759: TEST_BUG: java/awt/Frame/WindowDragTest/WindowDragTest.java fails to compile, should be modified

S7162111: TEST_BUG: change tests run in headless mode [macosx]

S7162385: TEST_BUG: sun/net/www/protocol/jar/B4957695.java failing again

S7175775: Disable SA options in jinfo/Basic.java test until SA updated for new hash and String count/offset

S7178649: TEST BUG: BadKdc3.java needs improvement to ignore the unlikely but possible timeout

S7183203: ShortRSAKeynnn.sh tests intermittent failure

S7183753: [TEST] Some colon in the diff for this test

S7184943: fix failing test com/sun/jndi/rmi/registry/RegistryContext/UnbindIdempotent.java

S7184946: fix failing test com/sun/jndi/rmi/registry/RegistryContext/ContextWithNullProperties.java

S7185340: TEST_BUG: java/nio/channels/AsynchronousSocketChannel/Leaky.java failing intermittently [win]

S7186111: fix bugs in java/rmi/activation/ActivationSystem/unregisterGroup/UnregisterGroup

S7187882: TEST_BUG: java/rmi/activation/checkusage/CheckUsage.java fails intermittently

S7193219: JComboBox serialization fails in JDK 1.7

S7194032: update tests for upcoming changes for jtreg

S7194035: update tests for upcoming changes for jtreg

S7199143: RFE: OCSP revocation checker should provide possibility to specify connection timeout

S7199637: TEST_BUG: add serialization tests to jdk7u problem list for macosx

S8000817: Reinstate accidentally removed sleep() from ProcessBuilder/Basic.java

S8001161: mac: EmbeddedFrame doesn’t become active window

S8001621: Update awk scripts that check output from jps/jcmd

S8002070: Remove the stack search for a resource bundle for Logger to use

S8002297: sun/net/www/protocol/http/StackTraceTest.java fails intermittently

S8002313: TEST_BUG : jdk/test/java/security/Security/ClassLoaderDeadlock/ClassLoaderDeadlock.java should run in headless mode

S8003597: TEST_BUG: Eliminate dependency on javaweb from closed net tests

S8003982: new test javax/swing/AncestorNotifier/7193219/bug7193219.java failed on macosx

S8004317: TestLibrary.getUnusedRandomPort() fails intermittently, but exception not reported

S8004748: clean up @build tags in RMI tests

S8004925: java/net/Socks/SocksV4Test.java failing on all platforms

S8005290: remove -showversion from RMI test library subprocess mechanism

S8005556: java/net/Socks/SocksV4Test.java is missing @run tag

S8005646: TEST_BUG: java/rmi/activation/ActivationSystem/unregisterGroup/UnregisterGroup leaves process running

S8005920: After pressing combination Windows Key and M key, the frame, the instruction and the dialog can’t be minimized.

S8005932: Java 7 on mac os x only provides text clipboard formats

S8006120: Provide “Server JRE” for 7u train

S8006417: JComboBox.showPopup(), hidePopup() fails in JRE 1.7 on OS X

S8006534: CLONE – TestLibrary.getUnusedRandomPort() fails intermittently-doesn’t retry enough times

S8006536: [launcher] removes trailing slashes on arguments

S8006560: java/net/ipv6tests/B6521014.java fails intermittently

S8006564: Test sun/security/util/Oid/S11N.sh fails with timeout on Linux 32-bit

S8006669: sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/PostThruProxy.sh fails on mac

S8007515: TEST_BUG: update ProblemList.txt and TEST.ROOT in jdk7u-dev to match jdk8

S8007699: Move some tests from test/sun/security/provider/certpath/X509CertPath to closed repo

S8008223: java/net/BindException/Test.java fails rarely

S8008249: Sync ICU into JDK :

S8008379: TEST_BUG: Fail automatically with java.lang.NullPointerException.

S8008815: [TEST_BUG] Add back tests to the Problemlist files post the jdk7u -> 7u-cpu test sync up

S8009165: Fix for 8008817 needs revision

S8009217: REGRESSION: test com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java fails to compile since 7u21b03

S8009463: Regression test test\java\lang\Runtime\exec\ArgWithSpaceAndFinalBackslash.java failing.

S8009530: ICU Kern table support broken

S8009610: Blacklist certificate used with malware.

S8009634: TEST_BUG: sun/misc/Version/Version.java handle 2 digit minor in VM version

S8009750: javax/xml/crypto/dsig/SecurityManager/XMLDSigWithSecMgr.java should run in other vm mode

S8009987: (tz) Support tzdata2013b

S8009996: tests javax/management/mxbean/MiscTest.java and javax/management/mxbean/StandardMBeanOverrideTest.java fail

S8009999: Test sun/tools/jcmd/jcmd-f.sh failing after JDK-8008820

S8010009: [macosx] Unable type into online word games on MacOSX

S8010118: Annotate jdk caller sensitive methods with @sun.reflect.CallerSensitive

S8010166: TEST_BUG: fix for 8009634 overlooks possible version strings (sun/misc/Version/Version.java)

S8010213: Some api/javax_net/SocketFactory tests fail in 7u25 nightly build

S8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod

S8010727: WLS fails to add a logger with “” in its own LogManager subclass instance

S8010939: Deadlock in LogManager

S8011139: (reflect) Revise checking in getEnclosingClass

S8011154: java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java failed since 7u25b03 on windows

S8011313: OCSP timeout set to wrong value if com.sun.security.ocsp.timeout not defined

S8011557: Improve reflection utility classes

S8011695: [tck-red] Application can not be run, the Security Warning dialog is gray.

S8011806: 7u25-b05 hotspot fastdebug build failure

S8011896: Add check for invalid offset for new AccessControlContext isAuthorized field

S8011990: TEST_BUG: java/util/logging/bundlesearch/ResourceBundleSearchTest.java fails on Windows

S8011992: java/awt/image/mlib/MlibOpsTest.java failed since jdk7u25b05

S8012112: java/awt/image/mlib/MlibOpsTest.java fails on sparc solaris

S8012243: about 30% regression on specjvm2008.serial on 7u25 comparing 7u21

S8012330: [macosx] Sometimes the applet showing the modal dialog itself loses the ability to gain focus

S8012453: (process) Runtime.exec(String) fails if command contains spaces [win]

S8012617: ArrayIndexOutOfBoundsException with some fonts using LineBreakMeasurer

S8012933: Test closed/java/awt/Dialog/DialogAnotherThread/JaWSTest.java fails since jdk 7u25 b07

S8013196: TimeZone.getDefault() throws NPE due to sun.awt.AppContext.getAppContext()

S8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout

S8013380: Removal of stack walk to find resource bundle breaks Glassfish startup

S8014205: Most of the Swing dialogs are blank on one win7 MUI

S8014423: [macosx] The scrollbar’s block increment performs incorrectly

S8014427: REGRESSION: closed/javax/imageio/plugins/bmp/Write3ByteBgrTest.java fails since 7u25 b09

S8014618, RH962568: Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement

S8014676: Java debugger may fail to run

S8014718: Netbeans IDE begins to throw a lot exceptions since 7u25 b10

S8014745: Provide a switch to allow stack walk search of resource bundle

S8014968: OCSP and CRL connection timeout is set to four hours by default

The tarball can be downloaded from:

http://icedtea.classpath.org/download/source/icedtea-2.3.10.tar.gz

SHA256 checksum:

d1c3b9423867b41508050e1d32b38e4a090f84a96b864b09936a4281ff01f5da icedtea-2.3.10.tar.gz

The tarball is accompanied by a digital signature available at:

http://icedtea.classpath.org/download/source/icedtea-2.3.10.tar.gz.sig

This is produced using my public key. See details below.

PGP Key: 248BDC07 (https://keys.indymedia.org/)

Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
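Checking the download against the checksum and fingerprint above, as an added example that is not part of the original announcement. It assumes GNU coreutils `sha256sum`, that `gpg` already has the signer's key imported, and that the tarball and its `.sig` sit in one directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify icedtea-2.3.10.tar.gz using the values on this page.
TARBALL=icedtea-2.3.10.tar.gz
EXPECTED_SHA256=d1c3b9423867b41508050e1d32b38e4a090f84a96b864b09936a4281ff01f5da
# Full fingerprint from the announcement with the spaces removed. The short
# key ID (248BDC07) is only the last 32 bits of this value, so the check
# pins the whole fingerprint rather than the ID.
EXPECTED_FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07

# check_sha256 FILE HEX: succeed only if FILE hashes to HEX (any letter case).
check_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$want" ]
}

# signed_by_fpr FPR: read `gpg --status-fd 1 --verify` output on stdin and
# succeed only if a VALIDSIG line names FPR as the signing key (field 3) or
# as the primary key (last field). A GOODSIG line alone is not accepted,
# because it carries only the key ID, not the fingerprint.
signed_by_fpr() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) {
            ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_release DIR: run both checks on the tarball and signature in DIR.
verify_release() {
    check_sha256 "$1/$TARBALL" "$EXPECTED_SHA256" || {
        echo "checksum mismatch for $TARBALL" >&2
        return 1
    }
    gpg --status-fd 1 --verify "$1/$TARBALL.sig" "$1/$TARBALL" 2>/dev/null \
        | signed_by_fpr "$EXPECTED_FPR" || {
        echo "no valid signature from $EXPECTED_FPR" >&2
        return 1
    }
    echo "OK: $TARBALL"
}

# Run only when a download directory is given as the first argument.
if [ -n "${1:-}" ]; then
    verify_release "$1"
fi
```

The download links are plain HTTP, so the signature check against the pinned fingerprint is the stronger of the two checks; the checksum mainly catches a corrupted transfer.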

The following people helped with these releases:

Andreas Schwab (PR1378 patch for AArch64 Zero support)

Andrew Hughes (all other bug fixes, application of security fixes & backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
