[SECURITY] IcedTea6 1.7.10, 1.8.7 and 1.9.7 Released!

Dr Andrew John Hughes ahughes at redhat.com
Tue Feb 15 13:59:45 PST 2011


There is a new set of security releases: IcedTea6 1.7.10, IcedTea6
1.8.7 and IcedTea6 1.9.7.
 
This update contains the following security updates:
 
* S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption
* S6907662, CVE-2010-4465: Swing timer-based security manager bypass
* S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation
* S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets
* S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
* S6985453, CVE-2010-4471: Java2D font-related system property leak
* S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
* RH677332, CVE-2011-0706: Multiple signers privilege escalation

The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools. It also includes the only
Free Java plugin and Web Start implementation, and support for
additional architectures over and above x86, x86_64 and SPARC via the
Zero assembler port.

What's New?
-----------

New in release 1.7.10 (2011-02-15):

* Security updates
  - S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption
  - S6907662, CVE-2010-4465: Swing timer-based security manager bypass
  - S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation
  - S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets
  - S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
  - S6985453, CVE-2010-4471: Java2D font-related system property leak
  - S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
  - RH677332, CVE-2011-0706: Multiple signers privilege escalation
* Bug fixes
  - RH676659: Pass -export-dynamic flag to linker using -Wl, as option in gcc 4.6+ is broken
  - Fix latent JAXP bug caused by missing import

New in release 1.8.7 (2011-02-15):

* Security updates
  - S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption
  - S6907662, CVE-2010-4465: Swing timer-based security manager bypass
  - S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation
  - S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets
  - S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
  - S6985453, CVE-2010-4471: Java2D font-related system property leak
  - S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
  - RH677332, CVE-2011-0706: Multiple signers privilege escalation
* Bug fixes
  - RH676659: Pass -export-dynamic flag to linker using -Wl, as option in gcc 4.6+ is broken
  - Fix latent JAXP bug caused by missing import

New in release 1.9.7 (2011-02-15):

* Security updates
  - S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption
  - S6907662, CVE-2010-4465: Swing timer-based security manager bypass
  - S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation
  - S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets
  - S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
  - S6985453, CVE-2010-4471: Java2D font-related system property leak
  - S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
  - RH677332, CVE-2011-0706: Multiple signers privilege escalation
* Bug fixes
  - RH676659: Pass -export-dynamic flag to linker using -Wl, as option in gcc 4.6+ is broken
  - G344659: Fix issue when building on SPARC
  - Fix latent JAXP bug caused by missing import

The tarballs can be downloaded from:
 
* http://icedtea.classpath.org/download/source/icedtea6-1.7.10.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.8.7.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.9.7.tar.gz

dbca9d7598352d178651c8cc28ff887c59a27f0125785a58e9f9723611137f78  /mirrored/security/20110215/icedtea6-1.7.10.tar.gz
c6b16e89cd3da5ddb9cdc9c8615773c6cef214d1d611030a07bae92a19e8562a  /mirrored/security/20110215/icedtea6-1.8.7.tar.gz
fe89234ca7f5dbb8696aa0e97a342c51901c10c0254f8fd563c6ccf7bf532fcc  /mirrored/security/20110215/icedtea6-1.9.7.tar.gz

The following people helped with these releases:

Andrew John Hughes, Omair Majid

We would also like to thank the bug reporters and testers!
 
To get started:
$ tar xzf icedtea6-<ver>.tar.gz
$ cd icedtea6-<ver>
 
Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make
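Before unpacking, check the tarball against the SHA-256 sums published above. The script below is an added example, not code from this announcement or from the IcedTea project: a POSIX sh script that looks up the expected sum for a release tarball, computes the file's SHA-256 with whichever of sha256sum or shasum is installed, and only runs `tar xzf` on a match. It assumes the tarball is in the current directory; the filenames and checksums in its table are copied from this announcement.

```shell
#!/bin/sh
# Added example (not part of the IcedTea announcement): verify a downloaded
# IcedTea6 tarball against the published SHA-256 sums before unpacking it.
# Assumes the tarball is in the current directory and that either
# sha256sum (coreutils) or shasum (perl) is installed.

# Published SHA-256 sums, copied from the announcement text.
expected_sha256() {
    case "$1" in
        icedtea6-1.7.10.tar.gz) echo dbca9d7598352d178651c8cc28ff887c59a27f0125785a58e9f9723611137f78 ;;
        icedtea6-1.8.7.tar.gz)  echo c6b16e89cd3da5ddb9cdc9c8615773c6cef214d1d611030a07bae92a19e8562a ;;
        icedtea6-1.9.7.tar.gz)  echo fe89234ca7f5dbb8696aa0e97a342c51901c10c0254f8fd563c6ccf7bf532fcc ;;
        *) return 1 ;;
    esac
}

# Print the hex SHA-256 of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_sha256() {
    actual=$(sha256_of "$1") || return 2
    [ "$actual" = "$2" ]
}

# Verify one release tarball and unpack it; refuse to unpack on mismatch
# or when no checksum for that filename was published.
unpack_verified() {
    tarball=$1
    expected=$(expected_sha256 "$tarball") || {
        echo "$tarball: no published checksum, not unpacking" >&2
        return 1
    }
    if verify_sha256 "$tarball" "$expected"; then
        echo "$tarball: checksum OK"
        tar xzf "$tarball"
    else
        echo "$tarball: CHECKSUM MISMATCH, not unpacking" >&2
        return 1
    fi
}

# Usage: sh verify-icedtea.sh icedtea6-1.9.7.tar.gz
# With no arguments the functions are only defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    for t in "$@"; do
        unpack_verified "$t" || exit 1
    done
fi
```

A mismatch is a hard stop, not a warning: a tampered or truncated download must never reach `./configure`. The table is keyed on the exact filename, so a renamed or unknown tarball is also refused rather than silently unpacked.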

Thanks,
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37
