[SECURITY] IcedTea 2.1.1 & 2.2.1 Released!
Andii Hughes
gnu_andrew at member.fsf.org
Wed Jun 13 07:31:03 PDT 2012
The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.
The IcedTea 2.1.1 & 2.2.1 release updates our OpenJDK7 support to include the
latest security updates just released:
* S7079902, CVE-2012-1711: Refine CORBA data models
* S7110720: Issue with vm config file loading
* S7143606, CVE-2012-1717: File.createTempFile should be improved for
temporary files created by the platform.
* S7143614, CVE-2012-1716: SynthLookAndFeel stability improvement
* S7143617, CVE-2012-1713: Improve fontmanager layout lookup operations
* S7143851, CVE-2012-1719: Improve IIOP stub and tie generation in RMIC
* S7143872, CVE-2012-1718: Improve certificate extension processing
* S7145239: Finetune package definition restriction
* S7152811, CVE-2012-1723: Issues in client compiler
* S7157609, CVE-2012-1724: Issues with loop
* S7160677: missing else in fix for 7152811
* S7160757, CVE-2012-1725: Problem with hotspot/runtime_classfile
* S7165628, CVE-2012-1726: Issues with java.lang.invoke.MethodHandles.Lookup
We believe that the 2.2.1 release takes IcedTea to the level of 7u5,
including both the changes in the public OpenJDK7 repository for u4 and
the security updates, which is what we believe u5 is comprised of[*].
In addition, IcedTea includes the usual IcedTea patches to allow builds against
system libraries and to support more esoteric architectures.
Please note that support for alternative VM solutions (CACAO, Shark, Zero)
may be lacking in this release. Specifically, Zero/Shark are known not to
work with the 2.2 release series. Patches are welcome; please contact the
mailing list (distro-pkg-dev at openjdk.java.net) and/or file bugs
(http://icedtea.classpath.org/bugzilla) under the appropriate component.
Full details of the releases can be found below.
What's New?
-----------
New in release 2.2.1 (2012-06-12):
* Security fixes
- S7079902, CVE-2012-1711: Refine CORBA data models
- S7110720: Issue with vm config file loading
- S7143606, CVE-2012-1717: File.createTempFile should be improved
for temporary files created by the platform.
- S7143614, CVE-2012-1716: SynthLookAndFeel stability improvement
- S7143617, CVE-2012-1713: Improve fontmanager layout lookup operations
- S7143851, CVE-2012-1719: Improve IIOP stub and tie generation in RMIC
- S7143872, CVE-2012-1718: Improve certificate extension processing
- S7145239: Finetune package definition restriction
- S7152811, CVE-2012-1723: Issues in client compiler
- S7157609, CVE-2012-1724: Issues with loop
- S7160677: missing else in fix for 7152811
- S7160757, CVE-2012-1725: Problem with hotspot/runtime_classfile
- S7165628, CVE-2012-1726: Issues with java.lang.invoke.MethodHandles.Lookup
New in release 2.1.1 (2012-06-12):
* Security fixes
- S7079902, CVE-2012-1711: Refine CORBA data models
- S7110720: Issue with vm config file loading
- S7143606, CVE-2012-1717: File.createTempFile should be improved
for temporary files created by the platform.
- S7143614, CVE-2012-1716: SynthLookAndFeel stability improvement
- S7143617, CVE-2012-1713: Improve fontmanager layout lookup operations
- S7143851, CVE-2012-1719: Improve IIOP stub and tie generation in RMIC
- S7143872, CVE-2012-1718: Improve certificate extension processing
- S7145239: Finetune package definition restriction
- S7152811, CVE-2012-1723: Issues in client compiler
- S7157609, CVE-2012-1724: Issues with loop
- S7160677: missing else in fix for 7152811
- S7160757, CVE-2012-1725: Problem with hotspot/runtime_classfile
- S7165628, CVE-2012-1726: Issues with java.lang.invoke.MethodHandles.Lookup
* Bug fixes
- PR885: IcedTea7 does not build scripting support
- Fix bug whereby JPEG_LIBS were not set by jdk_generic_profile.sh
- S7150392: Linux build breaks with GCC 4.7 due to unrecognized option
- Support glib >= 2.32.
* ARM port
- Add arm_port from IcedTea 6
- added jvmti event generation for dynamic_generate and
compiled_method_load events to ARM JIT compiler
- Adjust saved SP when safepointing.
- ARM: First cut of invokedynamic
- ARM: JIT-compilation of ldc methodHandle
- Changes for HSX22
- corrected call from fast_method_handle_entry to
CppInterpreter::method_handle_entry so that thread is loaded into r2
- Don't save locals at a return.
- Fix JIT bug that miscompiles
org.eclipse.ui.internal.contexts.ContextAuthority.sourceChanged
- invokedynamic and aldc for JIT
- Minor review cleanups.
- modified safepoint check to rely on memory protect signal instead of polling
- patched method handle adapter code to deal with failures in TCK
- Phase 1
- Phase 2
- RTC Thumb2 JIT enhancements.
- Zero fails to build in hsx22+, fix for hsx22 after runs gamma OK,
hsx23 still nogo.
- Use ldrexd for atomic reads on ARMv7.
- Use unified syntax for thumb code.
The tarballs can be downloaded from:
* http://icedtea.classpath.org/download/source/icedtea-2.1.1.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.2.1.tar.gz
SHA256 checksums:
4a015cf3fb8fb9aa6b3ce4a41fd9bc5dcb417a1885a10a01e92d0cc7a5ffdc65  icedtea-2.1.1.tar.gz
0f5ba163904f7c50374ab345216dd1b66c077fc431592eb3d4801f7ecda200b6  icedtea-2.2.1.tar.gz
Each tarball is accompanied by a digital signature (available at the
above URL + '.sig'). This is produced using my public key. See
details below.
The following people helped with these releases:
* Deepak Bhole (PR885, S7150392 in OpenJDK8, JPEG_LIBS bug)
* Andrew Dinn (checking of S7160757, ARM port work, backport of
S7150392 to 2.1 branch)
* Andrew Haley (checking of S7110720, S7152811 & S7143606, ARM port work)
* Andrew John Hughes (checking of S7143872, reproducer testing &
release management)
* Omair Majid (checking of S7079902, S7143851 & S7143606)
* Chris Phillips (checking of S7165628, Zero build fix)
* Xerxes Rånby (IcedTea7 2.1 branch update)
* Pavel Tisnovsky (PR1018, checking of 7143617 & 7157609)
* Jon VanAlten (checking of S7145239)
* Jiri Vanek (checking of S7143606)
We would also like to thank the bug reporters and testers!
To get started:
$ tar xzf icedtea-<ver>.tar.gz
$ cd icedtea-<ver>
Full build requirements and instructions are in INSTALL:
$ ./configure [--with-parallel-jobs --enable-pulse-java --enable-systemtap ...]
$ make
Happy hacking!
* It is difficult to make authoritative statements about u5 as the release
is proprietary. Oracle still do not provide GPL binaries based on OpenJDK.
--
Andii :-)
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
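
Added example, not part of the original announcement or the IcedTea project's own tooling: a shell script that checks a downloaded tarball against the SHA256 checksums listed above, then requires the detached '.sig' to validate under the full fingerprint given in the signature block rather than the short key ID. It assumes gpg is installed and the release key is already in the local keyring; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify an IcedTea tarball before unpacking or building it.
# Checksums and fingerprint are copied from the announcement above.
SUMS='4a015cf3fb8fb9aa6b3ce4a41fd9bc5dcb417a1885a10a01e92d0cc7a5ffdc65  icedtea-2.1.1.tar.gz
0f5ba163904f7c50374ab345216dd1b66c077fc431592eb3d4801f7ecda200b6  icedtea-2.2.1.tar.gz'
FPR='EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07'   # spaces removed

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# expected_sum NAME [LIST]: look up the published digest for NAME.
expected_sum() {
    printf '%s\n' "${2:-$SUMS}" | awk -v n="$1" '$2 == n {print $1}'
}

# check_sum FILE [LIST]: 0 on match, 1 on mismatch, 2 if FILE is not listed.
check_sum() {
    want=$(expected_sum "$(basename "$1")" "${2:-$SUMS}")
    [ -n "$want" ] || return 2
    [ "$(sha256_of "$1")" = "$want" ]
}

# check_sig FILE: verify FILE.sig over FILE and accept only a VALIDSIG
# status line whose signing or primary key fingerprint equals FPR.
# The 8-digit key ID alone is not compared: short IDs can collide.
check_sig() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
        awk -v f="$FPR" '$2 == "VALIDSIG" && ($3 == f || $NF == f) {ok = 1}
                         END {exit !ok}'
}

# Usage: sh verify.sh icedtea-2.2.1.tar.gz
if [ "$#" -gt 0 ]; then
    if check_sum "$1" && check_sig "$1"; then
        echo "OK: $1"
    else
        echo "FAILED: $1" >&2
        exit 1
    fi
fi
```

The checksum only detects corruption or substitution relative to this e-mail; the signature check is what ties the tarball to the release key.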