icedtea-1, icedtea-2 security updates

icedtea-1, icedtea-2 security updates

[Leo Famulari]

There are security updates for icedtea-1 [0] and icedtea-2 [1]. The
updated versions are 1.3.10 and 2.6.4, respectively.

I spent some time trying to build these new versions but I am having
trouble.

The upstream tarballs contain their own patches on the bundled OpenJDK
source code. For both icedtea-1 and icedtea-2, some of these patches
fail to apply.

I looked into the failing patches to see if it could be fixed by
adjusting, for example, the whitespace the parameters of `patch`, but
the strings to be matched don't exist in the relevant files.

I _think_ this is an upstream bug. However, the icedtea-* package
definitions are complex and I'd like it if someone else could take a
look at this issue before I file an upstream bug report.

Some details follow about the problem in icedtea-2.

The failing patch file is:
icedtea-2.6.4/patches/boot/ecj-multicatch.patch

... and it fails while trying to patch:
jdk/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java

... on the first "diff" line of the patch:
 -        } catch (InvalidAlgorithmParameterException |

The string "InvalidAlgorithmParameterException" does not exist in that
file.

Thanks for your attention.

[0]
http://blog.fuseyism.com/index.php/2016/01/25/security-icedtea-1-13-10-for-openjdk-6-released/
[1]
http://blog.fuseyism.com/index.php/2016/01/21/security-icedtea-2-6-4-for-openjdk-7-released/

Re: icedtea-1, icedtea-2 security updates

[Ricardo Wurmus]

Leo Famulari <leo@famulari.name> writes:

> There are security updates for icedtea-1 [0] and icedtea-2 [1]. The
> updated versions are 1.3.10 and 2.6.4, respectively.
>
> I spent some time trying to build these new versions but I am having
> trouble.

Thanks for trying!  I won’t be able to attend to this before Tuesday, so
it’s nice that somebody else is taking care of this.

> The upstream tarballs contain their own patches on the bundled OpenJDK
> source code. For both icedtea-1 and icedtea-2, some of these patches
> fail to apply.

Not only icedtea (i.e. the patches to the OpenJDK sources to make it
buildable with free software) has to be updated, but also the “drops”.
Drops are upstream OpenJDK source tarballs.

So for icedtea-6 this means the "openjdk6-src" input must be changed to

    https://java.net/downloads/openjdk6/openjdk-6-src-b38-20_jan_2016.tar.gz;
    
for icedtea-7 all of the added native-inputs must be changed, i.e:
"openjdk-src", "corba-drop", "jaxp-drop", "jaxws-drop", "jdk-drop",
"langtools-drop", "hotspot-drop".

The icedtea-7 package has a function to build origins from names and
hashes, so you will just need to update the version and the individual
drop hashes.  You can get all the icedtea-7 drops here:

    http://icedtea.wildebeest.org/download/drops/icedtea7/2.6.4/

Hope this helps!

~~ Ricardo

Re: icedtea-1, icedtea-2 security updates

[Leo Famulari]

On Thu, Jan 28, 2016 at 08:27:14AM +0100, Ricardo Wurmus wrote:
> Not only icedtea (i.e. the patches to the OpenJDK sources to make it
> buildable with free software) has to be updated, but also the “drops”.
> Drops are upstream OpenJDK source tarballs.
> 
> So for icedtea-6 this means the "openjdk6-src" input must be changed to
> 
>     https://java.net/downloads/openjdk6/openjdk-6-src-b38-20_jan_2016.tar.gz;
>     
> for icedtea-7 all of the added native-inputs must be changed, i.e:
> "openjdk-src", "corba-drop", "jaxp-drop", "jaxws-drop", "jdk-drop",
> "langtools-drop", "hotspot-drop".
> 
> The icedtea-7 package has a function to build origins from names and
> hashes, so you will just need to update the version and the individual
> drop hashes.  You can get all the icedtea-7 drops here:
> 
>     http://icedtea.wildebeest.org/download/drops/icedtea7/2.6.4/
> 
> Hope this helps!

Indeed, that helped! Thank you for taking the time to explain this.
Hopefully it took less time to explain than to do the updates yourself
;)

> 
> ~~ Ricardo
>