IcedTea6 1.7.2 (Security Updates) Released!
Andrew John Hughes
ahughes at redhat.com
Tue Mar 30 19:06:15 PDT 2010
We are pleased to announce the release of IcedTea6 1.7.2!
The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools. It also includes the only
Free Java plugin and Web Start implementation, and support for
additional architectures over and above x86, x86_64 and SPARC via the
Zero assembler port.
What's New?
New in release 1.7.2 (2010-03-31):
- Latest security updates and hardening patches:
  - (CVE-2010-0837): JAR "unpack200" must verify input parameters (6902299)
  - (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807)
  - (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
  - (CVE-2010-0082): Loader-constraint table allows arrays instead of only the base-classes (6626217)
  - (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
  - (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390)
  - (CVE-2010-0091): Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
  - (CVE-2010-0088): Inflater/Deflater clone issues (6745393)
  - (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains (6633872)
  - (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
  - (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
  - (CVE-2010-0093): System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265)
  - (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
  - (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823)
  - (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability (6914866)
  - (CVE-2009-3555): TLS: MITM attacks via session renegotiation
  - 6639665: ThreadGroup finalizer allows creation of false root ThreadGroups
  - 6898622: ObjectIdentifier.equals is not capable of detecting incorrectly encoded CommonName OIDs
  - 6910590: Application can modify command array in ProcessBuilder
  - 6909597: JPEGImageReader stepX Integer Overflow Vulnerability
  - 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
- Backport of 6822370: ReentrantReadWriteLock: threads hung when there are no threads holding onto the lock
- Increase ThreadStackSize by 512kb on 32-bit Zero platforms
- Check cacerts database is valid
The tarball can be downloaded from:
* http://icedtea.classpath.org/download/source/icedtea6-1.7.2.tar.gz
The following people helped with the 1.7 release series:
Lillian Angel, Gary Benson, Deepak Bhole, Andrew Haley, Andrew John
Hughes, Nobuhiro Iwamatsu, Matthias Klose, Martin Matejovic, Edward Nevill,
Xerxes Rånby, Robert Schuster, Pavel Tisnovsky, Jon VanAlten, Mark Wielaard
and Man Lung Wong.
We would also like to thank the bug reporters and testers!
To get started:
$ tar xzf icedtea6-1.7.2.tar.gz
$ cd icedtea6-1.7.2
Full build requirements and instructions are in INSTALL:
$ ./configure [--with-openjdk --enable-pulse-java --enable-systemtap --enable-zero ...]
$ make
--
Andrew :-)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8