[SECURITY] IcedTea 2.2.2 Released!

Andïï gnu_andrew at member.fsf.org
Fri Aug 31 14:27:46 PDT 2012


We are pleased to announce the release of IcedTea 2.2.2, based on
OpenJDK7 u4 with additional security fixes.

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

This 2.2.2 release includes a fix for the zero-day issues that arose this week:

* RH852051, CVE-2012-4681, S7162473: Reintroduce PackageAccessible
  checks removed in 6788531.
* S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
* S7194567, CVE-2012-3136: Improve long term persistence of java.beans objects
* S7163201, CVE-2012-0547: Simplify toolkit internals references

A similar 2.1.2 update is in progress and will follow at the beginning
of next week.

Patches are welcome; please contact the mailing list (distro-pkg-dev
at openjdk.java.net) and/or file bugs
(http://icedtea.classpath.org/bugzilla) under the appropriate
component.

Full details of the release can be found below.

What’s New?
-----------------
New in release 2.2.2 (2012-08-31):

* Security fixes
  - RH852051, CVE-2012-4681, S7162473: Reintroduce PackageAccessible
    checks removed in 6788531.
  - S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
  - S7194567, CVE-2012-3136: Improve long term persistence of java.beans objects
  - S7163201, CVE-2012-0547: Simplify toolkit internals references
* OpenJDK
  - Fix Zero FTBFS issues
  - PR1101: Undefined symbols on GNU/Linux SPARC
  - S7180036: Build failure in Mac platform caused by fix # 7163201
  - S7182135: Impossible to use some editors directly
  - S7183701: [TEST] closed/java/beans/security/TestClassFinder.java -
    compilation failed
  - S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java
    failed with NPE
  - S7188168: 7071904 broke the DEBUG_BINARIES option on Linux
  - S7190813: (launcher) RPATH needs to have additional paths

The tarball can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.2.2.tar.gz

SHA256 checksums:

e645fdcae825e0c60093962cb0a8fbf194c94a5e669162b3b357d99a6e36c86d  icedtea-2.2.2.tar.gz

Each tarball is accompanied by a digital signature (available at the
above URL + '.sig').  This is produced using my public key.  See
details below.

* Andrew John Hughes (all other patches/merging, reproducer testing &
release management)
* Chris Phillips (Zero FTBFS fix)
* Roman Kennke (Zero FTBFS fix)

We would also like to thank the bug reporters and testers!

To get started:
$ tar xzf icedtea-2.2.2.tar.gz
$ cd icedtea-2.2.2

Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap...]
$ make

Happy hacking!
--
Andii :-)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
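
One way to check a download against the SHA256 checksum and PGP fingerprint published in the announcement above, as an added example that is not part of the original message or of the IcedTea project. It assumes coreutils `sha256sum` and GnuPG are installed and the signing key is already in the local keyring; the function names are hypothetical. The signer is pinned by full fingerprint, because a short key ID such as 248BDC07 can be shared by an unrelated key.

```sh
#!/bin/sh
# Added example. The two values below are copied from the announcement.
EXPECTED_SHA256="e645fdcae825e0c60093962cb0a8fbf194c94a5e669162b3b357d99a6e36c86d"
PINNED_FPR="EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07"

# sha256_matches FILE HEX
# Succeeds only if FILE hashes to HEX (comparison is case-insensitive).
sha256_matches() {
    actual=$(sha256sum -- "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# signer_matches STATUS FPR
# STATUS is the text gpg writes with --status-fd. Succeeds only if it has a
# VALIDSIG line whose signing-key fingerprint (field 3) or primary-key
# fingerprint (last field) equals FPR with the spaces removed.
signer_matches() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_release TARBALL SIGFILE
# Checksum first, then signature validity, then signer identity.
verify_release() {
    sha256_matches "$1" "$EXPECTED_SHA256" ||
        { echo "checksum mismatch: $1" >&2; return 1; }
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) ||
        { echo "signature did not verify: $2" >&2; return 1; }
    signer_matches "$status" "$PINNED_FPR" ||
        { echo "signed by an unexpected key" >&2; return 1; }
    echo "OK: $1"
}
```

Call it as `verify_release icedtea-2.2.2.tar.gz icedtea-2.2.2.tar.gz.sig` before unpacking the tarball.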


