The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.
This release updates our OpenJDK 7 support to include the latest security updates. We recommend that users of the 2.3.x branch upgrade to this latest release as soon as possible. The security fixes are as follows:
S6741606, CVE-2013-2407: Integrate Apache Santuario
S7158805, CVE-2013-2445: Better rewriting of nested subroutine calls
S7170730, CVE-2013-2451: Improve Windows network stack support.
S8000638, CVE-2013-2450: Improve deserialization
S8000642, CVE-2013-2446: Better handling of objects for transportation
S8001032: Restrict object access
S8001033, CVE-2013-2452: Refactor network address handling in virtual machine identifiers
S8001034, CVE-2013-1500: Memory management improvements
S8001038, CVE-2013-2444: Resourcefully handle resources
S8001043: Clarify definition restrictions
S8001308: Update display of applet windows
S8001309: Better handling of annotation interfaces
S8001318, CVE-2013-2447: Socket.getLocalAddress not consistent with InetAddress.getLocalHost
S8001330, CVE-2013-2443: Improve on checking order (non-Zero builds only)
S8003703, CVE-2013-2412: Update RMI connection dialog box
S8004288, CVE-2013-2449: (fs) Files.probeContentType problems
S8004584: Augment applet contextualization
S8005007: Better glyph processing
S8006328, CVE-2013-2448: Improve robustness of sound classes
S8006611: Improve scripting
S8007467: Improve robustness of JMX internal APIs
S8007471: Improve MBean notifications
S8007812, CVE-2013-2455: (reflect) Class.getEnclosingMethod problematic for some classes
S8007925: Improve cmsStageAllocLabV2ToV4curves
S8007926: Improve cmsPipelineDup
S8007927: Improve cmsAllocProfileSequenceDescription
S8007929: Improve CurvesAlloc
S8008120, CVE-2013-2457: Improve JMX class checking
S8008124, CVE-2013-2453: Better compliance testing
S8008128: Better API coherence for JMX
S8008132, CVE-2013-2456: Better serialization support
S8008585: Better JMX data handling
S8008593: Better URLClassLoader resource management
S8008603: Improve provision of JMX providers
S8008607: Better input checking in JMX
S8008611: Better handling of annotations in JMX
S8008615: Improve robustness of JMX internal APIs
S8008623: Better handling of MBeanServers
S8008744, CVE-2013-2407: Rework part of fix for JDK-6741606
S8008982: Adjust JMX for underlying interface changes
S8009004: Better implementation of RMI connections
S8009008: Better manage management-api
S8009013: Better handling of T2K glyphs
S8009034: Improve resulting notifications in JMX
S8009038: Improve JMX notification support
S8009057, CVE-2013-2448: Improve MIDI event handling
S8009067: Improve storing keys in KeyStore
S8009071, CVE-2013-2459: Improve shape handling
S8009235: Improve handling of TSA data
S8009424, CVE-2013-2458: Adapt Nashorn to JSR-292 implementation change
S8009554, CVE-2013-2454: Improve SerialJavaObject.getFields
S8009654: Improve stability of cmsnamed
S8010209, CVE-2013-2460: Better provision of factories
S8011243, CVE-2013-2470: Improve ImagingLib
S8011248, CVE-2013-2471: Better Component Rasters
S8011253, CVE-2013-2472: Better Short Component Rasters
S8011257, CVE-2013-2473: Better Byte Component Rasters
S8012375, CVE-2013-1571: Improve Javadoc framing
S8012421: Better positioning of PairPositioning
S8012438, CVE-2013-2463: Better image validation
S8012597, CVE-2013-2465: Better image channel verification
S8012601, CVE-2013-2469: Better validation of image layouts
S8014281, CVE-2013-2461: Better checking of XML signature
S8015997: Additional improvement in Javadoc framing
The HotSpot part of S8001330 is currently only provided for HotSpot 23.7 on x86, x86_64 and SPARC architectures as we’ve found it to be unstable when applied to the older HotSpot used by Zero. If we find a solution for this, we’ll issue a further update.
In addition, IcedTea includes the usual IcedTea patches to allow builds against system libraries and to support more esoteric architectures. In this release, use of the system version of LCMS is disabled by default to ensure the most secure version is used. Before using the system version, please ensure it has the S8007925, S8007926, S8007927, S8007929 and S8009654 updates listed above.
If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.
Full details of the release can be found below. Note that the unusually large number of backports is due to syncing with the upstream u25 release, which also provides all these.
What’s New?
New in release 2.3.10 (2013-06-28)
New features
PR1378: Add AArch64 support to Zero
Bug fixes
PR1409: IcedTea 2.3.9 fails to build Zero due to -Werror
PR1410: Icedtea 2.3.9 fails to build using icedtea 1.12.4
Backports
S6720349: (ch) Channels tests depending on hosts inside Sun
S6736316: Timeout value in java/util/concurrent/locks/Lock/FlakyMutex.java is insufficient
S6776144: java/lang/ThreadGroup/NullThreadName.java fails with Thread group is not destroyed ,fastdebug LINUX
S6818464: TEST_BUG: java/util/Timer/KillThread.java failing intermittently
S6860309: TEST_BUG: Insufficient sleep time in java/lang/Runtime/exec/StreamsSurviveDestroy.java
S6948101: java/rmi/transport/pinLastArguments/PinLastArguments.java failing intermittently
S6957683: test/java/util/concurrent/ThreadPoolExecutor/Custom.java failing
S6963102: Testcase failures sun/tools/jstatd/jstatdExternalRegistry.sh and sun/tools/jstatd/jstatdDefaults.sh
S6963841: java/util/concurrent/Phaser/Basic.java fails intermittently
S6965150: TEST_BUG: java/nio/channels/AsynchronousSocketChannel/Basic.java takes too long
S7030573: test/java/io/FileInputStream/LargeFileAvailable.java fails when there is insufficient disk space
S7032247: java/net/InetAddress/GetLocalHostWithSM.java fails if hostname resolves to loopback address
S7044870: java/nio/channels/DatagramChannel/SelectWhenRefused.java failed on SUSE Linux 10
S7053526: Upgrade JDK 8 to use Little CMS 2.4
S7054918: jdk_security1 test target cleanup
S7055362: jdk_security2 test target cleanup
S7055363: jdk_security3 test target cleanup
S7072120: No mac os x support in several regression tests
S7073295: TEST_BUG: test/java/lang/instrument/ManifestTest.sh causing havoc (win)
S7076756: TEST_BUG: com/sun/jdi/BreakpointWithFullGC.sh fails to cleanup in Cygwin
S7076791: closed/javax/swing/JColorChooser/Test6827032.java failed on windows
S7077259: [TEST_BUG] [macosx] Test work correctly only when default L&F is Metal
S7084033: TEST_BUG: test/java/lang/ThreadGroup/Stop.java fails intermittently
S7089131: test/java/lang/invoke/InvokeGenericTest.java does not compile
S7102106: TEST_BUG: sun/security/util/Oid/S11N.sh should be modified
S7104161: test/sun/tools/jinfo/Basic.sh fails on Ubuntu
S7104594: [macosx] Test closed/javax/swing/JFrame/4962534/bug4962534 expects Metal L&F by default
S7105929: java/util/concurrent/FutureTask/BlockingTaskExecutor.java fails on solaris sparc
S7124347: [macosx] “java.lang.InternalError: not implemented yet” on call Graphics2D.drawRenderedImage
S7129800: [macosx] Regression test OverrideRedirectWindowActivationTest fails due to timing issue
S7132247: java/rmi/registry/readTest/readTest.sh failing with Cygwin
S7140868: TEST_BUG: jcmd tests need to use -XX:+UsePerfData
S7142596: RMI JPRT tests are failing
S7144833: sun/tools/jcmd/jcmd-Defaults.sh failing intermittently
S7144861: speed up RMI activation tests
S7147408: [macosx] Add autodelay to fix a regression test
S7151434, RH969884: java -jar -XX crashes java launcher
S7152183: TEST_BUG: java/lang/ProcessBuilder/Basic.java failing intermittently [sol]
S7152796: TEST_BUG: java/net/Socks/SocksV4Test.java does not terminate
S7152856: TEST_BUG: sun/net/www/protocol/jar/B4957695.java failing on Windows
S7154113: jcmd, jps and jstat tests failing when there are unknown Java processes on the system
S7154114: jstat tests failing on non-english locales
S7161759: TEST_BUG: java/awt/Frame/WindowDragTest/WindowDragTest.java fails to compile, should be modified
S7162111: TEST_BUG: change tests run in headless mode [macosx]
S7162385: TEST_BUG: sun/net/www/protocol/jar/B4957695.java failing again
S7175775: Disable SA options in jinfo/Basic.java test until SA updated for new hash and String count/offset
S7178649: TEST BUG: BadKdc3.java needs improvement to ignore the unlikely but possible timeout
S7183203: ShortRSAKeynnn.sh tests intermittent failure
S7183753: [TEST] Some colon in the diff for this test
S7184943: fix failing test com/sun/jndi/rmi/registry/RegistryContext/UnbindIdempotent.java
S7184946: fix failing test com/sun/jndi/rmi/registry/RegistryContext/ContextWithNullProperties.java
S7185340: TEST_BUG: java/nio/channels/AsynchronousSocketChannel/Leaky.java failing intermittently [win]
S7186111: fix bugs in java/rmi/activation/ActivationSystem/unregisterGroup/UnregisterGroup
S7187882: TEST_BUG: java/rmi/activation/checkusage/CheckUsage.java fails intermittently
S7193219: JComboBox serialization fails in JDK 1.7
S7194032: update tests for upcoming changes for jtreg
S7194035: update tests for upcoming changes for jtreg
S7199143: RFE: OCSP revocation checker should provide possibility to specify connection timeout
S7199637: TEST_BUG: add serialization tests to jdk7u problem list for macosx
S8000817: Reinstate accidentally removed sleep() from ProcessBuilder/Basic.java
S8001161: mac: EmbeddedFrame doesn’t become active window
S8001621: Update awk scripts that check output from jps/jcmd
S8002070: Remove the stack search for a resource bundle for Logger to use
S8002297: sun/net/www/protocol/http/StackTraceTest.java fails intermittently
S8002313: TEST_BUG : jdk/test/java/security/Security/ClassLoaderDeadlock/ClassLoaderDeadlock.java should run in headless mode
S8003597: TEST_BUG: Eliminate dependency on javaweb from closed net tests
S8003982: new test javax/swing/AncestorNotifier/7193219/bug7193219.java failed on macosx
S8004317: TestLibrary.getUnusedRandomPort() fails intermittently, but exception not reported
S8004748: clean up @build tags in RMI tests
S8004925: java/net/Socks/SocksV4Test.java failing on all platforms
S8005290: remove -showversion from RMI test library subprocess mechanism
S8005556: java/net/Socks/SocksV4Test.java is missing @run tag
S8005646: TEST_BUG: java/rmi/activation/ActivationSystem/unregisterGroup/UnregisterGroup leaves process running
S8005920: After pressing combination Windows Key and M key, the frame, the instruction and the dialog can’t be minimized.
S8005932: Java 7 on mac os x only provides text clipboard formats
S8006120: Provide “Server JRE” for 7u train
S8006417: JComboBox.showPopup(), hidePopup() fails in JRE 1.7 on OS X
S8006534: CLONE – TestLibrary.getUnusedRandomPort() fails intermittently-doesn’t retry enough times
S8006536: [launcher] removes trailing slashes on arguments
S8006560: java/net/ipv6tests/B6521014.java fails intermittently
S8006564: Test sun/security/util/Oid/S11N.sh fails with timeout on Linux 32-bit
S8006669: sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/PostThruProxy.sh fails on mac
S8007515: TEST_BUG: update ProblemList.txt and TEST.ROOT in jdk7u-dev to match jdk8
S8007699: Move some tests from test/sun/security/provider/certpath/X509CertPath to closed repo
S8008223: java/net/BindException/Test.java fails rarely
S8008249: Sync ICU into JDK :
S8008379: TEST_BUG: Fail automatically with java.lang.NullPointerException.
S8008815: [TEST_BUG] Add back tests to the Problemlist files post the jdk7u -> 7u-cpu test sync up
S8009165: Fix for 8008817 needs revision
S8009217: REGRESSION: test com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java fails to compile since 7u21b03
S8009463: Regression test test\java\lang\Runtime\exec\ArgWithSpaceAndFinalBackslash.java failing.
S8009530: ICU Kern table support broken
S8009610: Blacklist certificate used with malware.
S8009634: TEST_BUG: sun/misc/Version/Version.java handle 2 digit minor in VM version
S8009750: javax/xml/crypto/dsig/SecurityManager/XMLDSigWithSecMgr.java should run in other vm mode
S8009987: (tz) Support tzdata2013b
S8009996: tests javax/management/mxbean/MiscTest.java and javax/management/mxbean/StandardMBeanOverrideTest.java fail
S8009999: Test sun/tools/jcmd/jcmd-f.sh failing after JDK-8008820
S8010009: [macosx] Unable type into online word games on MacOSX
S8010118: Annotate jdk caller sensitive methods with @sun.reflect.CallerSensitive
S8010166: TEST_BUG: fix for 8009634 overlooks possible version strings (sun/misc/Version/Version.java)
S8010213: Some api/javax_net/SocketFactory tests fail in 7u25 nightly build
S8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
S8010727: WLS fails to add a logger with “” in its own LogManager subclass instance
S8010939: Deadlock in LogManager
S8011139: (reflect) Revise checking in getEnclosingClass
S8011154: java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java failed since 7u25b03 on windows
S8011313: OCSP timeout set to wrong value if com.sun.security.ocsp.timeout not defined
S8011557: Improve reflection utility classes
S8011695: [tck-red] Application can not be run, the Security Warning dialog is gray.
S8011806: 7u25-b05 hotspot fastdebug build failure
S8011896: Add check for invalid offset for new AccessControlContext isAuthorized field
S8011990: TEST_BUG: java/util/logging/bundlesearch/ResourceBundleSearchTest.java fails on Windows
S8011992: java/awt/image/mlib/MlibOpsTest.java failed since jdk7u25b05
S8012112: java/awt/image/mlib/MlibOpsTest.java fails on sparc solaris
S8012243: about 30% regression on specjvm2008.serial on 7u25 comparing 7u21
S8012330: [macosx] Sometimes the applet showing the modal dialog itself loses the ability to gain focus
S8012453: (process) Runtime.exec(String) fails if command contains spaces [win]
S8012617: ArrayIndexOutOfBoundsException with some fonts using LineBreakMeasurer
S8012933: Test closed/java/awt/Dialog/DialogAnotherThread/JaWSTest.java fails since jdk 7u25 b07
S8013196: TimeZone.getDefault() throws NPE due to sun.awt.AppContext.getAppContext()
S8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
S8013380: Removal of stack walk to find resource bundle breaks Glassfish startup
S8014205: Most of the Swing dialogs are blank on one win7 MUI
S8014423: [macosx] The scrollbar’s block increment performs incorrectly
S8014427: REGRESSION: closed/javax/imageio/plugins/bmp/Write3ByteBgrTest.java fails since 7u25 b09
S8014618, RH962568: Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement
S8014676: Java debugger may fail to run
S8014718: Netbeans IDE begins to throw a lot exceptions since 7u25 b10
S8014745: Provide a switch to allow stack walk search of resource bundle
S8014968: OCSP and CRL connection timeout is set to four hours by default
The tarball can be downloaded from:
http://icedtea.classpath.org/download/source/icedtea-2.3.10.tar.gz
SHA256 checksum:
d1c3b9423867b41508050e1d32b38e4a090f84a96b864b09936a4281ff01f5da icedtea-2.3.10.tar.gz
The tarball is accompanied by a digital signature available at:
http://icedtea.classpath.org/download/source/icedtea-2.3.10.tar.gz.sig
This is produced using my public key. See details below.
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
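One way to check a downloaded tarball against the checksum and key fingerprint published above. This is an added example, not part of the original announcement; it assumes sha256sum and GnuPG are installed, the release key is already imported into the local keyring, and the function names are illustrative.

```sh
#!/bin/sh
# Values copied from the announcement above.
EXPECTED_SHA256=d1c3b9423867b41508050e1d32b38e4a090f84a96b864b09936a4281ff01f5da
EXPECTED_FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07   # fingerprint, spaces removed

# Succeed only if the SHA-256 of file $1 equals hex digest $2 (case-insensitive).
check_sha256() (
    actual=$(sha256sum -- "$1" 2>/dev/null | awk '{ print $1 }')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
)

# Read gpg --status-fd output on stdin and print the primary-key fingerprint
# from the VALIDSIG line (its last field). Fails if no VALIDSIG line is present.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; ok = 1; exit }
         END { exit !ok }'
}

# Verify detached signature $2 over file $1 and require signer fingerprint $3.
# gpg --verify alone succeeds for a good signature from ANY key in the keyring,
# so the fingerprint comparison is what ties the file to the release key.
check_signature() (
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || exit 1
    fpr=$(printf '%s\n' "$status" | validsig_fpr) || exit 1
    [ "$fpr" = "$3" ]
)

# Both checks must pass; the signature file is expected next to the tarball.
verify_release() {
    check_sha256 "$1" "$EXPECTED_SHA256" ||
        { echo "SHA256 mismatch: $1" >&2; return 1; }
    check_signature "$1" "$1.sig" "$EXPECTED_FPR" ||
        { echo "signature check failed: $1" >&2; return 1; }
    echo "verified: $1"
}

# Run only when a tarball path is given, e.g.: sh verify.sh icedtea-2.3.10.tar.gz
if [ "$#" -ge 1 ]; then verify_release "$1"; fi
```

The checksum and the signature are both fetched over plain HTTP from the same host as the tarball, so the fingerprint comparison is only as strong as the channel through which the fingerprint itself was obtained.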
The following people helped with these releases:
Andreas Schwab (PR1378 patch for AArch64 Zero support)
Andrew Hughes (all other bug fixes, application of security fixes & backports, release management)
We would also like to thank the bug reporters and testers!
To get started:
Full build requirements and instructions are available in the INSTALL file.
Happy hacking!