[SECURITY] IcedTea6 1.8.10, 1.9.10 and 1.10.4 Released!

Dr Andrew John Hughes ahughes at redhat.com
Tue Oct 18 17:48:56 PDT 2011


The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

A new set of security releases is now available:

* IcedTea6 1.8.10
* IcedTea6 1.9.10
* IcedTea6 1.10.4

All updates contain the following security fixes:

* S7000600, CVE-2011-3547: InputStream skip() information leak
* S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
* S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
* S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
* S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
* S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
* S7055902, CVE-2011-3521: IIOP deserialization code execution
* S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
* S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
* S7077466, CVE-2011-3556: RMI DGC server remote code execution
* S7083012, CVE-2011-3557: RMI registry privileged code execution
* S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection

The 1.9.10 and 1.10.4 updates also include:

* S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer

The patch for this issue did not apply to the older versions of
HotSpot (14 and 16) supported by the 1.8 release series.  It is
believed that the underlying issue is also not present in these
versions, but for safety, we recommend using the latest 1.10.x release
series where possible.

Full details of each release can be found below.

What's New?
-----------

New in release 1.10.4 (2011-10-18):

* Security fixes
  - S7000600, CVE-2011-3547: InputStream skip() information leak
  - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
  - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
  - S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
  - S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
  - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
  - S7055902, CVE-2011-3521: IIOP deserialization code execution
  - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
  - S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
  - S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
  - S7077466, CVE-2011-3556: RMI DGC server remote code execution
  - S7083012, CVE-2011-3557: RMI registry privileged code execution
  - S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
* Bug fixes
  - RH727195: Japanese font mappings are broken
* Backports
  - S6826104, RH730015: Getting a NullPointer exception when clicked on Application & Toolkit Modal dialog
* Zero/Shark
  - PR690: Shark fails to JIT using hs20.
  - PR696: Zero fails to handle fast_aldc and fast_aldc_w in hs20.

New in release 1.9.10 (2011-10-18):

* Security fixes
  - S7000600, CVE-2011-3547: InputStream skip() information leak
  - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
  - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
  - S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
  - S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
  - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
  - S7055902, CVE-2011-3521: IIOP deserialization code execution
  - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
  - S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
  - S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
  - S7077466, CVE-2011-3556: RMI DGC server remote code execution
  - S7083012, CVE-2011-3557: RMI registry privileged code execution
  - S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
* NetX
  - PR794: javaws does not work if a Web Start app jar has a Class-Path element in the manifest
* Fixes
  - G356743: Support libpng 1.5.

New in release 1.8.10 (2011-10-18):

* Security fixes
  - S7000600, CVE-2011-3547: InputStream skip() information leak
  - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
  - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
  - S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
  - S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
  - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
  - S7055902, CVE-2011-3521: IIOP deserialization code execution
  - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
  - S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
  - S7077466, CVE-2011-3556: RMI DGC server remote code execution
  - S7083012, CVE-2011-3557: RMI registry privileged code execution
  - S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
* NetX
  - PR794: javaws does not work if a Web Start app jar has a Class-Path element in the manifest
  - PR764: icedtea 1.8.9 fails to build in CachedJarFileCallback.java
* Fixes
  - G356743: Support libpng 1.5.

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea6-1.8.10.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.9.10.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.10.4.tar.gz

SHA256 checksums:

4a17b55de875a49efa192cfe015f1cb0cf02aeac03f7fc7afe2a3e9fdef64b83  icedtea6-1.8.10.tar.gz
3f41d433ed362f2bb81536585511d901b19864b98a97abab8ccd0b4ba00803a6  icedtea6-1.9.10.tar.gz
15491d7f2f81436aaf87f964d923b95b4bda8f6689198b4999961070b6c68851  icedtea6-1.10.4.tar.gz

Each tarball is accompanied by a digital signature (available at the
above URL + '.sig').  This is produced using my public key.  See
details below.
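A script to carry out the checks this paragraph describes, added here as an example and not part of the IcedTea project's own tooling: it compares a downloaded tarball against the SHA256 values published above and, when a .sig file sits beside it and gpg is installed, checks that the detached signature was made by the key whose full fingerprint appears in the signature block at the end of this mail. It assumes sha256sum (or shasum) and gpg are on PATH and that the signing key has already been imported; the script name in the usage comment is an assumption.

```shell
#!/bin/sh
# Verify IcedTea6 release tarballs against the published SHA256 checksums
# and the detached PGP signature. Added example, not IcedTea project code.

# Checksums exactly as published in the release announcement.
ICEDTEA_SHA256='
4a17b55de875a49efa192cfe015f1cb0cf02aeac03f7fc7afe2a3e9fdef64b83  icedtea6-1.8.10.tar.gz
3f41d433ed362f2bb81536585511d901b19864b98a97abab8ccd0b4ba00803a6  icedtea6-1.9.10.tar.gz
15491d7f2f81436aaf87f964d923b95b4bda8f6689198b4999961070b6c68851  icedtea6-1.10.4.tar.gz
'
# Full fingerprint of the announced signing key (from the signature block, spaces removed).
SIGNER_FPR='EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07'

# sha256_of FILE: print the lowercase hex SHA256 of FILE with whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# expected_sha256 NAME: print the published checksum for tarball NAME, or nothing if unknown.
expected_sha256() {
    printf '%s\n' "$ICEDTEA_SHA256" | awk -v n="$1" '$2 == n {print $1}'
}

# verify_sha256 FILE EXPECTED: return 0 if FILE hashes to EXPECTED (case-insensitive), else 1.
verify_sha256() {
    actual=$(sha256_of "$1")
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$want" ]
}

# verify_signature FILE: return 0 only if FILE.sig is a valid signature by the announced key.
# gpg's machine-readable --status-fd output carries the signer's full fingerprint in the
# VALIDSIG line; matching on it rejects a valid signature made by some other key, which a
# short key ID such as 248BDC07 alone would not catch.
verify_signature() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $SIGNER_FPR "
}

# verify_tarball FILE: check the checksum, then the signature if a .sig is present.
# Returns 0 on success, 1 on any verification failure, 2 if the name is not a known release.
verify_tarball() {
    name=$(basename "$1")
    published=$(expected_sha256 "$name")
    if [ -z "$published" ]; then
        echo "$name: no published checksum for this file name" >&2
        return 2
    fi
    if ! verify_sha256 "$1" "$published"; then
        echo "$name: SHA256 MISMATCH, do not unpack" >&2
        return 1
    fi
    echo "$name: SHA256 ok"
    if [ -f "$1.sig" ] && command -v gpg >/dev/null 2>&1; then
        if verify_signature "$1"; then
            echo "$name: signature ok, key $SIGNER_FPR"
        else
            echo "$name: signature INVALID or not made by the announced key" >&2
            return 1
        fi
    else
        echo "$name: no .sig beside the tarball or gpg not installed; signature not checked" >&2
    fi
}

# verify_all FILE...: verify every argument; return 1 if any of them failed.
verify_all() {
    rc=0
    for f in "$@"; do
        verify_tarball "$f" || rc=1
    done
    return $rc
}

# Assumed invocation: sh verify-icedtea.sh icedtea6-1.10.4.tar.gz [more tarballs...]
if [ "$#" -gt 0 ]; then
    verify_all "$@"
fi
```

Run it from the directory holding the tarball and its .sig; a checksum mismatch is reported before the signature is even looked at, and a signature that verifies but comes from a different key is rejected because the comparison is against the full fingerprint rather than the 8-hex-digit key ID.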

The following people helped with these releases:

* Deepak Bhole (PR794, S6826104)
* Andrew John Hughes (all other fixes and release management)
* Xerxes Rånby (PR690, PR696)
* Jiri Vanek (RH727195)

We would also like to thank the bug reporters and testers!

To get started:
$ tar xzf icedtea6-<ver>.tar.gz
$ cd icedtea6-<ver>

Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07