There are security updates for icedtea-1 [0] and icedtea-2 [1]. The updated versions are 1.3.10 and 2.6.4, respectively.

I spent some time trying to build these new versions but I am having trouble.

The upstream tarballs contain their own patches on the bundled OpenJDK source code. For both icedtea-1 and icedtea-2, some of these patches fail to apply.

I looked into the failing patches to see if it could be fixed by adjusting, for example, the whitespace the parameters of `patch`, but the strings to be matched don't exist in the relevant files.

I _think_ this is an upstream bug. However, the icedtea-* package definitions are complex and I'd like it if someone else could take a look at this issue before I file an upstream bug report.

Some details follow about the problem in icedtea-2.

The failing patch file is:

    icedtea-2.6.4/patches/boot/ecj-multicatch.patch

... and it fails while trying to patch:

    jdk/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java

... on the first "diff" line of the patch:

    - } catch (InvalidAlgorithmParameterException |

The string "InvalidAlgorithmParameterException" does not exist in that file.

Thanks for your attention.

[0] http://blog.fuseyism.com/index.php/2016/01/25/security-icedtea-1-13-10-for-openjdk-6-released/
[1] http://blog.fuseyism.com/index.php/2016/01/21/security-icedtea-2-6-4-for-openjdk-7-released/