IcedTea6 1.7.4 Released!

Dr Andrew John Hughes ahughes at redhat.com
Wed Jul 28 05:24:34 PDT 2010


We are pleased to announce a new security release from the IcedTea6 1.7 branch, 1.7.4.

This update contains the following security updates:

* CVE-2010-2783, RH616895: IcedTea 'Extended JNLP Services' arbitrary file access
* CVE-2010-2548, RH616893: IcedTea Incomplete property access check for unsigned applications

The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools. It also includes the only
Free Java plugin and Web Start implementation, and support for
additional architectures over and above x86, x86_64 and SPARC via the
Zero assembler port.

***********************************************************************************
* Please note that the new NPPlugin is now the default as of this release.        *
* The old plugin is no longer supported and will be removed in any future 1.7     *
* releases.  Please only report bugs against NPPlugin.                            *
***********************************************************************************

What’s New?
-----------
* NetX security issues:
  - (CVE-2010-2783, RH616895): IcedTea 'Extended JNLP Services' arbitrary file access
  - (CVE-2010-2548, RH616893): IcedTea Incomplete property access check for unsigned applications
* Backport --with-tzdata-dir support from IcedTea6 1.8 to ensure
   that external timezone data works again.
* Restore icedtea-override-metacity.patch to allow full screen apps and
   other expected behavioral improvements.
* S6678385, RH551835: Fixes JVM crashes when window is resized.
* S6668231: Presence of a critical subjectAltName causes JSSE's SunX509 to fail trusted checks.
* S6963870: Eliminate NullPointerEx in swing class CompoundBorder method getBorderInsets.
* S4891262: API spec, javax/accessibility: few invalid javadoc tags.
* S6737212: Fixed javadoc warning messages in RowSet classes.
* S6875861: javadoc build warning on java.util.Properites from unconventional @see ordering.
* S6909563: Javadoc build warnings in rmi, security, management.
* S6879689: Fix warning about ignored return value when compiling with -O2
* S6917485: Corba doc warnings.
* S6921068: Remove javadoc build warnings from specdefault tag.
* PR453, OJ100142: Fix policy evaluation to match the proprietary JDK.
* Make the new plugin the default.  This is now the main supported
  plugin.  Use --disable-npplugin to use the old one.
* New plugin:
  - Added support for JSObject.finalize()
  - Liveconnect message processing design changes.
  - Message protocol overhaul to fix race conditions
  - PR166: Create FIFO pipes in temp dir instead of ~/.icedteaplugin
  - Profiled memory usage and implemented proper cleanup for C++ side.
  - Update debug output string and function/structure names to
    change 'GCJ' references to ITNP/IcedTea NP Plugin
  - PR461: plugin working for NSS enabled builds with firefox including a private NSS copy
  - Removed unnecessary debug and trace output
  - PR474: Patch from Paulo Cesar Pereira de Andrade, incrementing malloc size to account for NULL terminator.
  - RH524387: javax.net.ssl.SSLKeyException: RSA premaster secret error
  - Set context classloader for all threads in an applet's threadgroup
  - PR436: Close all applet threads on exit
  - PR480: NPPlugin with NoScript extension.
  - PR488: Question mark changing into underscore in URL.
  - RH592553: Fix bug causing 100% CPU usage.
  - Don't generate a random pointer from a pthread_t in the debug output.
  - Add ForbiddenTargetException for legacy support.
  - Use variadic macro for plugin debug message printing.
  - Don't link the plugin with libxul libraries.
  - Fix race conditions in plugin initialization code that were causing hangs.
  - RH506730: BankID (Norwegian common online banking authentication system) applet fails to load.
  - PR491: pass java_{code,codebase,archive} parameters to Java.
  - Add javawebstart.version property and give user permission to read that property.
* NetX:
  - Make path sanitization consistent; use a blacklisting approach.
  - Make the SingleInstanceServer thread a daemon thread.
  - Handle JNLP files which use native libraries but do not indicate it
  - Allow JNLP classloaders to share native libraries
  - Added encoding support
* PulseAudio provider:
  - Eliminate spurious exception throwing.
* SystemTap support:
  - PR476: Enable building SystemTap support on GCC 4.5.
  - Fix HotSpot tapset object_alloc size variable.
* NIO2 support:
  - Fix UnixNativeDispatcher to build on all systems, not just x86 and x86_64.

The tarball can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea6-1.7.4.tar.gz

sha256sum: 4b5377f2492096bb2822b4f5119b1e3c8255defb402b0b10e56cfb0975f48cd5

The following people helped with the 1.7 release series:

Lillian Angel, Gary Benson, Deepak Bhole, Andrew Haley, Andrew John
Hughes, Nobuhiro Iwamatsu, Matthias Klose, Martin Matejovic, Omair
Majid, Edward Nevill, Xerxes Rånby, Robert Schuster, Pavel Tisnovsky,
Jon VanAlten, Mark Wielaard and Man Lung Wong.

We would also like to thank the bug reporters and testers!

To get started:
$ tar xzf icedtea6-1.7.4.tar.gz
$ cd icedtea6-1.7.4

Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-zero --with-openjdk --enable-pulse-java
--enable-systemtap ...]
$ make
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint = F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8
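
Checking the downloaded tarball against the sha256sum published in the announcement before running the "To get started" steps, as an added example (not part of the original message or the IcedTea project's own tooling). The function names are illustrative, and it assumes `sha256sum`, `awk` and `tar` are on the PATH.

```shell
#!/bin/sh
# Added example: refuse to unpack a release tarball unless its SHA-256
# matches the published value. File name and digest are from the announcement.
TARBALL="icedtea6-1.7.4.tar.gz"
EXPECTED="4b5377f2492096bb2822b4f5119b1e3c8255defb402b0b10e56cfb0975f48cd5"

# verify_sha256 FILE DIGEST
# Returns 0 on match, 1 on mismatch, 2 on bad input (missing file or a
# digest that is not exactly 64 hex characters).
verify_sha256() {
    file=$1
    # Normalise case so an upper-case digest pasted from elsewhere still compares.
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $want in
        *[!0-9a-f]*) echo "malformed digest" >&2; return 2 ;;
    esac
    if [ "${#want}" -ne 64 ]; then
        echo "digest must be 64 hex characters" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "no such file: $file" >&2
        return 2
    fi
    got=$(sha256sum -- "$file" | awk '{print $1}')
    if [ "$got" = "$want" ]; then
        return 0
    fi
    echo "SHA-256 mismatch for $file" >&2
    echo "  expected: $want" >&2
    echo "  actual:   $got" >&2
    return 1
}

# verify_and_unpack FILE DIGEST
# Extracts FILE into the current directory only after the digest check passes.
verify_and_unpack() {
    verify_sha256 "$1" "$2" || return $?
    tar xzf "$1"
}

# Runs only when the tarball has already been downloaded into this directory.
if [ -f "$TARBALL" ]; then
    verify_and_unpack "$TARBALL" "$EXPECTED" && echo "verified and unpacked $TARBALL"
fi
```

The digest only ties the tarball to this copy of the announcement, so read it from a copy of the message you trust.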


