IcedTea6 1.6.3 Released!

Dr Andrew John Hughes ahughes at redhat.com
Mon Jul 26 15:57:03 PDT 2010 

We are pleased to announce a new minor release from the IcedTea6 1.6 branch, 1.6.3.

The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools. It also support for
additional architectures over and above x86, x86_64 and SPARC via the
Zero assembler port.

***********************************************************************************
* Please note that although a version of our Free Software plugin and Web Start   *
* implementation are included with the 1.6.3 release, this version is no longer   *
* supported or maintained.  For plugin and Web Start usage, we recommend that you *
* upgrade to the 1.7 or 1.8 release series.    	     	       		          *
***********************************************************************************

What’s New?
—————–
- Enable debuginfo for saproc and jsig
- Add missing mkbc.c
- Increase ThreadStackSize by 512kb on 32-bit Zero platforms
- Make the original HotSpot build work for normal builds and disable Zero/Shark builds with it
- Latest security updates and hardening patches:
  - (CVE-2010-0837): JAR "unpack200" must verify input parameters (6902299)
  - (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807)
  - (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
  - (CVE-2010-0082): Loader-constraint table allows arrays instead of only the base-classes (6626217)
  - (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
  - (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390)
  - (CVE-2010-0091): Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
  - (CVE-2010-0088): Inflater/Deflater clone issues (6745393)
  - (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
  - (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
  - (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
  - (CVE-2010-0093): System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265)
  - (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
  - (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823)
  - (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability (6914866)
  - (CVE-2009-3555): TLS: MITM attacks via session renegotiation
  - 6639665: ThreadGroup finalizer allows creation of false root ThreadGroups
  - 6898622: ObjectIdentifer.equals is not capable of detecting incorrectly encoded CommonName OIDs
  - 6910590: Application can modify command array in ProcessBuilder
  - 6909597: JPEGImageReader stepX Integer Overflow Vulnerability
  - 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
- Add stack markings to the x86 assembly so as not to use executable stack.
- PR179: Rewrite Rhino class files to avoid bootclasspath issue
- PR356: Support ECC via NSS
- PR453, OJ100142: Fix policy evaluation to match the proprietary JDK.
- Backport tzdata support from 1.8 (--with-tzdata-dir).
- Fix issue with ant -diagnostics on ant 1.8.0 due to changed exit code
- S6678385, RH551835: Fixes JVM crashes when window is resized.
- S6668231: Presence of a critical subjectAltName causes JSSE's SunX509 to fail trusted checks.
- S6963870: Eliminate NullPointerEx in swing class CompoundBorder method getBorderInsets.
- S4891262: API spec, javax/accessibility: few invalid javadoc tags.
- S6737212: Fixed javadoc warning messages in RowSet classes.
- S6875861: javadoc build warning on java.util.Properites from unconventional @see ordering.
- S6909563: Javadoc build warnings in rmi, security, management.
- S6879689: Fix warning about ignored return value when compiling with -O2
- S6917485: Corba doc warnings.
- S6921068: Remove javadoc build warnings from specdefault tag.
- S6822370: ReentrantReadWriteLock: threads hung when there are no threads holding onto the lock
* SystemTap support:
  - Enable SystemTap JNI tracing.
  - Add SystemTap jstack support.
  - PR476: Enable building SystemTap support on GCC 4.5.
  - Fix HotSpot tapset object_alloc size variable.
  - Fix JNI DEFINE_NEWSCALARARRAY usage of DT_RETURN_MARK_DECL_FOR.
  - Add hotspot_jni tapset.
  - tapsets/hotspot.stp.in (hotspot.gc_end): Match gc__end, not begin.
* PulseAudio:
  - Corrected Pulse Audio library build on PPC32 and PPC64

The tarball can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea6-1.6.3.tar.gz

sha256sum: 5b5ca9c5bc670b3d380a495d04fec26f6af569e36a5cd7e96f51c676fbbc96ab

The following people helped with the 1.6 release series:

Lillian Angel, Gary Benson, Deepak Bhole, Kees Cook, Andrew Haley,
Andrew John Hughes, Matthias Klose, Martin Matejovic, Ed Nevill, Pavel
Tisnovsky, Jon VanAlten, Mark Wielaard and many others.

We would also like to thank the bug reporters and testers!

To get started:
$ tar xzf icedtea6-1.6.3.tar.gz
$ cd icedtea6-1.6.3

Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-zero --with-openjdk --enable-pulse-java
--enable-systemtap ...]
$ make
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint = F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8

More information about the distro-pkg-dev mailing list