[SECURITY] IcedTea6 1.7.5, 1.8.2, 1.9.1 Released!

Dr Andrew John Hughes ahughes at redhat.com
Tue Oct 12 16:18:03 PDT 2010


We are pleased to announce a new set of security releases, IcedTea6 1.7.5, IcedTea6 1.8.2
and IcedTea6 1.9.1.

This update contains the following security updates:

* S6914943, CVE-2009-3555: TLS: MITM attacks via session renegotiation 
* S6559775, CVE-2010-3568: OpenJDK Deserialization Race condition
* S6891766, CVE-2010-3554: OpenJDK corba reflection vulnerabilities
* S6925710, CVE-2010-3562: OpenJDK IndexColorModel double-free
* S6938813, CVE-2010-3557: OpenJDK Swing mutable static
* S6957564, CVE-2010-3548: OpenJDK DNS server IP address information leak
* S6958060, CVE-2010-3564: OpenJDK kerberos vulnerability
* S6963023, CVE-2010-3565: OpenJDK JPEG writeImage remote code execution
* S6963489, CVE-2010-3566: OpenJDK ICC Profile remote code execution
* S6966692, CVE-2010-3569: OpenJDK Serialization inconsistencies
* S6622002, CVE-2010-3553: UIDefault.ProxyLazyValue has unsafe reflection usage
* S6925672, CVE-2010-3561: Privileged ServerSocket.accept allows receiving connections from any host
* S6952017, CVE-2010-3549: HttpURLConnection chunked encoding issue (Http request splitting)
* S6952603, CVE-2010-3551: NetworkInterface reveals local network address to untrusted code
* S6961084, CVE-2010-3541: limit setting of some request headers in HttpURLConnection
* S6963285, CVE-2010-3567: Crash in ICU Opentype layout engine due to mismatch in character counts
* S6980004, CVE-2010-3573: limit HTTP request cookie headers in HttpURLConnection
* S6981426, CVE-2010-3574: limit use of TRACE method in HttpURLConnection

See: http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools. It also includes the only
Free Java plugin and Web Start implementation, and support for
additional architectures over and above x86, x86_64 and SPARC via the
Zero assembler port.

What's New?
-----------

IcedTea6 1.7.5
==============

* Security updates
  - S6914943, CVE-2009-3555: TLS: MITM attacks via session renegotiation 
  - S6559775, CVE-2010-3568: OpenJDK Deserialization Race condition
  - S6891766, CVE-2010-3554: OpenJDK corba reflection vulnerabilities
  - S6925710, CVE-2010-3562: OpenJDK IndexColorModel double-free
  - S6938813, CVE-2010-3557: OpenJDK Swing mutable static
  - S6957564, CVE-2010-3548: OpenJDK DNS server IP address information leak
  - S6958060, CVE-2010-3564: OpenJDK kerberos vulnerability
  - S6963023, CVE-2010-3565: OpenJDK JPEG writeImage remote code execution
  - S6963489, CVE-2010-3566: OpenJDK ICC Profile remote code execution
  - S6966692, CVE-2010-3569: OpenJDK Serialization inconsistencies
  - S6622002, CVE-2010-3553: UIDefault.ProxyLazyValue has unsafe reflection usage
  - S6925672, CVE-2010-3561: Privileged ServerSocket.accept allows receiving connections from any host
  - S6952017, CVE-2010-3549: HttpURLConnection chunked encoding issue (Http request splitting)
  - S6952603, CVE-2010-3551: NetworkInterface reveals local network address to untrusted code
  - S6961084, CVE-2010-3541: limit setting of some request headers in HttpURLConnection
  - S6963285, CVE-2010-3567: Crash in ICU Opentype layout engine due to mismatch in character counts
  - S6980004, CVE-2010-3573: limit HTTP request cookie headers in HttpURLConnection
  - S6981426, CVE-2010-3574: limit use of TRACE method in HttpURLConnection
  - S6990437: Update with correct copyright info for source and test files from SSR10_02 fixes
* Fixes
  - G244901: Skip test_gamma on hardened (PaX-enabled) kernels
  - G266295: Provide font configuration for Gentoo.
  - Provide font configuration for RHEL 6.
  - RH633510: OpenJDK should use NUMA even if glibc doesn't provide it
* Backports
  - S6539464, RH500077: Ensure java.lang.Math functions provide consistent results.
  - S6951319: enable solaris builds using Sun Studio 12 update 1 (fixes PR398).
  - S6638712: Inference with wildcard types causes selection of inapplicable method
  - S6650759: Inference of formal type parameter (unused in formal parameters) is not performed
  - S6623943: javax.swing.TimerQueue's thread occasionally fails to start
* NetX
  - Fix browser command in BasicService.showDocument(URL)
  - Run programs that inherit main(String[]) in their main-class
  - Work with JNLP files that use spec version 1.6
  - RH601281: Possible NullPointerException in splash screen code
  - New man page for javaws
* Plugin 
  - RH560193: Fix ziperror when applet jar contained another 0-byte jar
  - PR519: 100% CPU usage when displaying applets in Webkit based browsers

IcedTea6 1.8.2
==============

* Security updates
  - S6914943, CVE-2009-3555: TLS: MITM attacks via session renegotiation 
  - S6559775, CVE-2010-3568: OpenJDK Deserialization Race condition
  - S6891766, CVE-2010-3554: OpenJDK corba reflection vulnerabilities
  - S6925710, CVE-2010-3562: OpenJDK IndexColorModel double-free
  - S6938813, CVE-2010-3557: OpenJDK Swing mutable static
  - S6957564, CVE-2010-3548: OpenJDK DNS server IP address information leak
  - S6958060, CVE-2010-3564: OpenJDK kerberos vulnerability
  - S6963023, CVE-2010-3565: OpenJDK JPEG writeImage remote code execution
  - S6963489, CVE-2010-3566: OpenJDK ICC Profile remote code execution
  - S6966692, CVE-2010-3569: OpenJDK Serialization inconsistencies
  - S6622002, CVE-2010-3553: UIDefault.ProxyLazyValue has unsafe reflection usage
  - S6925672, CVE-2010-3561: Privileged ServerSocket.accept allows receiving connections from any host
  - S6952017, CVE-2010-3549: HttpURLConnection chunked encoding issue (Http request splitting)
  - S6952603, CVE-2010-3551: NetworkInterface reveals local network address to untrusted code
  - S6961084, CVE-2010-3541: limit setting of some request headers in HttpURLConnection
  - S6963285, CVE-2010-3567: Crash in ICU Opentype layout engine due to mismatch in character counts
  - S6980004, CVE-2010-3573: limit HTTP request cookie headers in HttpURLConnection
  - S6981426, CVE-2010-3574: limit use of TRACE method in HttpURLConnection
  - S6990437: Update with correct copyright info for source and test files from SSR10_02 fixes
* Fixes
  - G244901: Skip test_gamma on hardened (PaX-enabled) kernels
  - G266295: Provide font configuration for Gentoo.
  - Provide font configuration for RHEL 6.
  - RH633510: OpenJDK should use NUMA even if glibc doesn't provide it
* Backports
  - S6951319: enable solaris builds using Sun Studio 12 update 1 (fixes PR398)
  - S6539464, RH500077: Ensure java.lang.Math functions provide consistent results.
  - S6638712: Inference with wildcard types causes selection of inapplicable method
  - S6650759: Inference of formal type parameter (unused in formal parameters) is not performed
  - S6623943: javax.swing.TimerQueue's thread occasionally fails to start
* NetX
  - Fix browser command in BasicService.showDocument(URL)
  - Run programs that inherit main(String[]) in their main-class
  - Run JNLP files that use 1.6 as the spec version
  - RH601281: Possible NullPointerException in splash screen code
  - New man page for javaws
* Plugin 
  - RH560193: Fix ziperror when applet jar contained another 0-byte jar
  - PR519: 100% CPU usage when displaying applets in Webkit based browsers

IcedTea6 1.9.1
==============

* HotSpot 19 supported; use --with-hotspot-build=hs19 to enable.
* Security updates
  - S6914943, CVE-2009-3555: TLS: MITM attacks via session renegotiation 
  - S6559775, CVE-2010-3568: OpenJDK Deserialization Race condition
  - S6891766, CVE-2010-3554: OpenJDK corba reflection vulnerabilities
  - S6925710, CVE-2010-3562: OpenJDK IndexColorModel double-free
  - S6938813, CVE-2010-3557: OpenJDK Swing mutable static
  - S6957564, CVE-2010-3548: OpenJDK DNS server IP address information leak
  - S6958060, CVE-2010-3564: OpenJDK kerberos vulnerability
  - S6963023, CVE-2010-3565: OpenJDK JPEG writeImage remote code execution
  - S6963489, CVE-2010-3566: OpenJDK ICC Profile remote code execution
  - S6966692, CVE-2010-3569: OpenJDK Serialization inconsistencies
  - S6622002, CVE-2010-3553: UIDefault.ProxyLazyValue has unsafe reflection usage
  - S6925672, CVE-2010-3561: Privileged ServerSocket.accept allows receiving connections from any host
  - S6952017, CVE-2010-3549: HttpURLConnection chunked encoding issue (Http request splitting)
  - S6952603, CVE-2010-3551: NetworkInterface reveals local network address to untrusted code
  - S6961084, CVE-2010-3541: limit setting of some request headers in HttpURLConnection
  - S6963285, CVE-2010-3567: Crash in ICU Opentype layout engine due to mismatch in character counts
  - S6980004, CVE-2010-3573: limit HTTP request cookie headers in HttpURLConnection
  - S6981426, CVE-2010-3574: limit use of TRACE method in HttpURLConnection
  - S6990437: Update with correct copyright info for source and test files from SSR10_02 fixes
* Backports
  - S6638712: Inference with wildcard types causes selection of inapplicable method
  - S6650759: Inference of formal type parameter (unused in formal parameters) is not performed
  - S6623943: javax.swing.TimerQueue's thread occasionally fails to start
* Fixes
  - Fix build failure on S390
  - RH633510: OpenJDK should use NUMA even if glibc doesn't provide it
* NetX
  - New man page for javaws
* Plugin 
  - PR519: 100% CPU usage when displaying applets in Webkit based browsers

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea6-1.7.5.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.8.2.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.9.1.tar.gz

SHA256 sums:

1b62ac07d13f0b3a9acb503aeb38668f40bd9de8e81e0165d5d8e816bf274b4d  icedtea6-1.7.5.tar.gz
93d7f427fde99f2df7b457c811405af8311e0bce4192ff99516b3227d5daa716  icedtea6-1.8.2.tar.gz
d773a6eb60f560d291206bfdeb83b1da03b79c7c09b7ae53da1877e57ddb3cea  icedtea6-1.9.1.tar.gz

The following people helped with these releases:

Deepak Bhole, Andrew John Hughes, Matthias Klose, Omair Majid, Man
Lung Wong, Andrew Su, Pavel Tisnovsky, Jiri Vanek

We would also like to thank the bug reporters and testers!

To get started:
$ tar xzf icedtea6-<ver>.tar.gz
$ cd icedtea6-<ver>

Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-zero --with-openjdk --enable-pulse-java --enable-systemtap ...]
$ make
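As an added example (not part of the original announcement), a small POSIX sh helper that checks a downloaded tarball against the SHA256 sums listed above and fails closed on a mismatch, so that only a verified archive is unpacked and built; it assumes GNU sha256sum or, failing that, BSD shasum is on PATH.

```shell
#!/bin/sh
# Added example, not from the announcement: check a downloaded IcedTea6
# tarball against the SHA256 sums published above before unpacking it.
# Assumes GNU coreutils sha256sum or, failing that, BSD shasum on PATH.

# published_sum NAME: print the announced digest for a tarball name.
published_sum() {
    case "$1" in
        icedtea6-1.7.5.tar.gz) echo 1b62ac07d13f0b3a9acb503aeb38668f40bd9de8e81e0165d5d8e816bf274b4d ;;
        icedtea6-1.8.2.tar.gz) echo 93d7f427fde99f2df7b457c811405af8311e0bce4192ff99516b3227d5daa716 ;;
        icedtea6-1.9.1.tar.gz) echo d773a6eb60f560d291206bfdeb83b1da03b79c7c09b7ae53da1877e57ddb3cea ;;
        *) return 1 ;;
    esac
}

# sha256_of FILE: print the hex digest of FILE with whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_tarball FILE [EXPECTED]: return 0 only when FILE's digest equals
# EXPECTED (default: the published sum for FILE's basename); 1 on a
# mismatch, 2 when the file is missing or has no published sum.
verify_tarball() {
    file=$1
    if [ -n "$2" ]; then
        expected=$2
    else
        expected=$(published_sum "$(basename "$file")") ||
            { echo "no published sum for $file" >&2; return 2; }
    fi
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# Verify first; unpack and build only when the check passes.
# verify_tarball icedtea6-1.9.1.tar.gz && tar xzf icedtea6-1.9.1.tar.gz
```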
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint = F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8