[SECURITY] IcedTea6 1.7.8, 1.8.5, 1.9.5 Released!

Dr Andrew John Hughes ahughes at redhat.com
Tue Feb 1 06:14:49 PST 2011

We are pleased to announce a new set of security releases, IcedTea6 1.7.8,
IcedTea6 1.8.5 and IcedTea6 1.9.5.

This update contains the following security updates:

* RH672262, CVE-2011-0025: IcedTea jarfile signature verification bypass

The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools. It also includes the only
Free Java plugin and Web Start implementation, and support for
additional architectures over and above x86, x86_64 and SPARC via the
Zero assembler port.

What’s New?

IcedTea6 1.7.8

* Security updates
  - RH672262, CVE-2011-0025: IcedTea jarfile signature verification bypass
* Backports
  - S6687968: PNGImageReader leaks native memory through an Inflater
  - S6541476, RH665355: PNG imageio plugin incorrectly handles iTXt chunk
  - S6782079: PNG: reading metadata may cause OOM on truncated images
* Fixes
  - RH647157, RH582455: Update fontconfig files for rhel 6
  - PR619: Improper finalization by the plugin can crash the browser

IcedTea6 1.8.5

* Security updates
  - RH672262, CVE-2011-0025: IcedTea jarfile signature verification bypass
* Backports
  - S6687968: PNGImageReader leaks native memory through an Inflater
  - S6541476, RH665355: PNG imageio plugin incorrectly handles iTXt chunk
  - S6782079: PNG: reading metadata may cause OOM on truncated images
* Fixes
  - RH647157, RH582455: Update fontconfig files for rhel 6
  - PR619: Improper finalization by the plugin can crash the browser

IcedTea6 1.9.5

* Security updates
  - RH672262, CVE-2011-0025: IcedTea jarfile signature verification bypass
* Backports
  - S6687968: PNGImageReader leaks native memory through an Inflater
  - S6541476, RH665355: PNG imageio plugin incorrectly handles iTXt chunk
  - S6782079: PNG: reading metadata may cause OOM on truncated images
* Fixes
  - RH647157, RH582455: Update fontconfig files for rhel 6
  - PR619: Improper finalization by the plugin can crash the browser

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea6-1.7.8.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.8.5.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.9.5.tar.gz

SHA256 sums:

a1cbb4e5962d1fed0c816cebce33b6896b61a9f19b404f5e91439b9e7ffcd97c  icedtea6-1.7.8.tar.gz
1ee081368587507e7ea75bd3351be0eafadd3f7020930db68448bcec6fa5c452  icedtea6-1.8.5.tar.gz
dac8ad42c452b3211b4daf26446da090f1f6c45952d9dbf52f66447adef73a29  icedtea6-1.9.5.tar.gz

The following people helped with these releases:
Deepak Bhole, Andrew John Hughes, Jiri Vanek

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-<ver>.tar.gz
$ cd icedtea6-<ver>

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and IcedTea
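
An added example (not part of the original announcement or the IcedTea project's own tooling): a shell helper that checks a downloaded tarball against the SHA256 sums published above and runs the `tar xzf` step only on a match. The function names and exit codes are assumptions made for this example; the download URLs are plain HTTP, so the check is only as trustworthy as the channel the sums were read from.

```shell
#!/bin/sh
# Added example. The three sums below are copied from the announcement above.
PUBLISHED_SUMS='a1cbb4e5962d1fed0c816cebce33b6896b61a9f19b404f5e91439b9e7ffcd97c  icedtea6-1.7.8.tar.gz
1ee081368587507e7ea75bd3351be0eafadd3f7020930db68448bcec6fa5c452  icedtea6-1.8.5.tar.gz
dac8ad42c452b3211b4daf26446da090f1f6c45952d9dbf52f66447adef73a29  icedtea6-1.9.5.tar.gz'

# Print the SHA-256 digest of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball FILE [SUMS]   (hypothetical helper, names are assumptions)
# Returns 0 only if FILE's basename is listed in SUMS and its digest matches.
# 1 = file missing/unreadable, 2 = name not in the list, 3 = digest mismatch.
verify_tarball() {
    file=$1
    sums=${2:-$PUBLISHED_SUMS}
    [ -f "$file" ] && [ -r "$file" ] || { echo "missing: $file" >&2; return 1; }
    name=$(basename "$file")
    # Match on the exact file name so a renamed download cannot borrow a sum.
    expected=$(printf '%s\n' "$sums" | awk -v n="$name" '$2 == n {print $1; exit}')
    [ -n "$expected" ] || { echo "no published sum for $name" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $name: expected $expected, got $actual" >&2
        return 3
    fi
    echo "OK $name"
}

# verify_and_unpack FILE: extract only after the digest check has passed.
verify_and_unpack() {
    verify_tarball "$1" || return $?
    tar xzf "$1"
}
```

Typical use is `verify_and_unpack icedtea6-1.9.5.tar.gz` in the download directory, followed by the `./configure` and `make` steps from the announcement.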
