[SECURITY] IcedTea 2.1.3, 2.2.3 & 2.3.3 for OpenJDK7 Released!
Andrew John Hughes
gnu.andrew at redhat.com
Wed Oct 17 09:18:00 PDT 2012
The IcedTea project provides a harness to build the source code from
OpenJDK7 using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.
A new set of security releases is now available:
* IcedTea7 2.1.3
* IcedTea7 2.2.3
* IcedTea7 2.3.3
All updates contain the following security fixes:
* S6631398, CVE-2012-3216: FilePermission improved path checking
* S7093490: adjust package access in rmiregistry
* S7143535, CVE-2012-5068: ScriptEngine corrected permissions
* S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
* S7158807: Revise stack management with volatile call sites
* S7163198, CVE-2012-5076: Tightened package accessibility
* S7167656, CVE-2012-5077: Multiple Seeders are being created
* S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
* S7169887, CVE-2012-5074: Tightened package accessibility
* S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
* S7172522, CVE-2012-5072: Improve DomainCombiner checking
* S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
* S7189103, CVE-2012-5069: Executors needs to maintain state
* S7189490: More improvements to DomainCombiner checking
* S7189567, CVE-2012-5085: java net obselete protocol
* S7192975, CVE-2012-5071: Issue with JMX reflection
* S7195194, CVE-2012-5084: Better data validation for Swing
* S7195549, CVE-2012-5087: Better bean object persistence
* S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
* S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
* S7196190, CVE-2012-5088: Improve method of handling MethodHandles
* S7198296, CVE-2012-5089: Refactor classloader usage
* S7158801: Improve VM CompileOnly option
* S7158804: Improve config file parsing
* S7198606, CVE-2012-4416: Improve VM optimization
We believe that the 2.3.3 release takes IcedTea beyond u9[*], providing security
updates from u7 and u9 on top of an OpenJDK7 u6 base, along with additional
IcedTea patches to allow builds against system libraries and to support more
esoteric architectures.
Please note that support for alternative VM solutions (CACAO, Shark, Zero) may be
lacking in this release, as there has been little time for testing non-standard
builds; Zero is known not to work with 2.2.x, and only works with 2.3.x when
using the HotSpot from 2.1.x. Patches are welcome; please contact the mailing
list (distro-pkg-dev at openjdk.java.net) and/or file
bugs (http://icedtea.classpath.org/bugzilla) under the appropriate component.
An update release may follow to correct issues with these builds, if necessary,
but we deem it important to get the security updates out for mainstream builds
as quickly as possible without further delay.
Full details of each release can be found below.
What's New?
-----------
New in release 2.1.3 (2012-10-17):
* Security fixes
- S6631398, CVE-2012-3216: FilePermission improved path checking
- S7093490: adjust package access in rmiregistry
- S7143535, CVE-2012-5068: ScriptEngine corrected permissions
- S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
- S7158807: Revise stack management with volatile call sites
- S7163198, CVE-2012-5076: Tightened package accessibility
- S7167656, CVE-2012-5077: Multiple Seeders are being created
- S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
- S7169887, CVE-2012-5074: Tightened package accessibility
- S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
- S7172522, CVE-2012-5072: Improve DomainCombiner checking
- S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
- S7189103, CVE-2012-5069: Executors needs to maintain state
- S7189490: More improvements to DomainCombiner checking
- S7189567, CVE-2012-5085: java net obselete protocol
- S7192975, CVE-2012-5071: Issue with JMX reflection
- S7195194, CVE-2012-5084: Better data validation for Swing
- S7195549, CVE-2012-5087: Better bean object persistence
- S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
- S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
- S7196190, CVE-2012-5088: Improve method of handling MethodHandles
- S7198296, CVE-2012-5089: Refactor classloader usage
- S7158801: Improve VM CompileOnly option
- S7158804: Improve config file parsing
- S7198606, CVE-2012-4416: Improve VM optimization
* Backports
- S7175845: "jar uf" changes file permissions unexpectedly
- S7177216: native2ascii changes file permissions of input file
- S7106773: 512 bits RSA key cannot work with SHA384 and SHA512
- S7158800: Improve storage of symbol tables
* Bug fixes
- Remove merge artefact.
- Remove the Xp header and library checks.
New in release 2.2.3 (2012-10-17):
* Security fixes
- S6631398, CVE-2012-3216: FilePermission improved path checking
- S7093490: adjust package access in rmiregistry
- S7143535, CVE-2012-5068: ScriptEngine corrected permissions
- S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
- S7158807: Revise stack management with volatile call sites
- S7163198, CVE-2012-5076: Tightened package accessibility
- S7167656, CVE-2012-5077: Multiple Seeders are being created
- S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
- S7169887, CVE-2012-5074: Tightened package accessibility
- S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
- S7172522, CVE-2012-5072: Improve DomainCombiner checking
- S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
- S7189103, CVE-2012-5069: Executors needs to maintain state
- S7189490: More improvements to DomainCombiner checking
- S7189567, CVE-2012-5085: java net obselete protocol
- S7192975, CVE-2012-5071: Issue with JMX reflection
- S7195194, CVE-2012-5084: Better data validation for Swing
- S7195549, CVE-2012-5087: Better bean object persistence
- S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
- S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
- S7196190, CVE-2012-5088: Improve method of handling MethodHandles
- S7198296, CVE-2012-5089: Refactor classloader usage
- S7158801: Improve VM CompileOnly option
- S7158804: Improve config file parsing
- S7198606, CVE-2012-4416: Improve VM optimization
* Backports
- S7175845: "jar uf" changes file permissions unexpectedly
- S7177216: native2ascii changes file permissions of input file
- S7158800: Improve storage of symbol tables
* Bug fixes
- Remove merge artefact.
- Remove the Xp header and library checks.
New in release 2.3.3 (2012-10-17):
* Security fixes
- S6631398, CVE-2012-3216: FilePermission improved path checking
- S7093490: adjust package access in rmiregistry
- S7143535, CVE-2012-5068: ScriptEngine corrected permissions
- S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
- S7158807: Revise stack management with volatile call sites
- S7163198, CVE-2012-5076: Tightened package accessibility
- S7167656, CVE-2012-5077: Multiple Seeders are being created
- S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
- S7169887, CVE-2012-5074: Tightened package accessibility
- S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
- S7172522, CVE-2012-5072: Improve DomainCombiner checking
- S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
- S7189103, CVE-2012-5069: Executors needs to maintain state
- S7189490: More improvements to DomainCombiner checking
- S7189567, CVE-2012-5085: java net obselete protocol
- S7192975, CVE-2012-5071: Issue with JMX reflection
- S7195194, CVE-2012-5084: Better data validation for Swing
- S7195549, CVE-2012-5087: Better bean object persistence
- S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
- S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
- S7196190, CVE-2012-5088: Improve method of handling MethodHandles
- S7198296, CVE-2012-5089: Refactor classloader usage
- S7158800: Improve storage of symbol tables
- S7158801: Improve VM CompileOnly option
- S7158804: Improve config file parsing
- S7198606, CVE-2012-4416: Improve VM optimization
* Bug fixes
- Remove merge artefact.
- Remove the Xp header and library checks.
* JamVM
- PR1155: Do not put version number in libjvm.so SONAME
The tarballs can be downloaded from:
* http://icedtea.classpath.org/download/source/icedtea-2.1.3.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.2.3.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.3.3.tar.gz
SHA256 checksums:
1929e57eb6718d30735e1e04e9e129457f845f7d7a8404b2b028740d0779ddb6 icedtea-2.1.3.tar.gz
4397ef71a0d729521be70f920bfc3fb6aec3455f1619b538cea75df512df1a16 icedtea-2.2.3.tar.gz
e5ac5564e00c4a8d7b3376ed6de91b18a2587c8abdad802ccc92c780765b1073 icedtea-2.3.3.tar.gz
Each tarball is accompanied by a digital signature (available at the
above URL + '.sig'). This is produced using my public key. See
details below.
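Before unpacking, check the downloaded tarball against the SHA256 digests and the detached .sig listed above. The script below is an added example, not part of the announcement or the IcedTea project; it assumes sha256sum (or shasum) and gpg are in PATH and that the signing key whose fingerprint appears in the signature block at the end of this mail has already been imported.

```shell
#!/bin/sh
# Added example (not part of the IcedTea announcement): verify a downloaded
# tarball against the SHA256 digest and detached .sig from the announcement
# before unpacking it. Assumes sha256sum (or shasum) and gpg are in PATH and
# that the release-signing key has already been imported into the keyring.

# Digests copied from the announcement, keyed by tarball name.
expected_sha256() {
  case "$1" in
    icedtea-2.1.3.tar.gz) echo 1929e57eb6718d30735e1e04e9e129457f845f7d7a8404b2b028740d0779ddb6 ;;
    icedtea-2.2.3.tar.gz) echo 4397ef71a0d729521be70f920bfc3fb6aec3455f1619b538cea75df512df1a16 ;;
    icedtea-2.3.3.tar.gz) echo e5ac5564e00c4a8d7b3376ed6de91b18a2587c8abdad802ccc92c780765b1073 ;;
    *) return 1 ;;
  esac
}

# Fingerprint of the signing key, as printed in the announcement (spaces removed).
SIGNER_FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07

# sha256_of FILE: hex digest, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_sha256 FILE EXPECTED: succeeds only if the digests are identical.
check_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# check_signature FILE: gpg --status-fd reports VALIDSIG with the full
# fingerprint of the key that made the signature; require it to be the
# announced key rather than accepting any "good signature" from the keyring.
check_signature() {
  gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
    | grep -q "^\[GNUPG:\] VALIDSIG $SIGNER_FPR "
}

# verify_tarball FILE: digest first, then signature; fails closed on either.
verify_tarball() {
  name=$(basename "$1")
  digest=$(expected_sha256 "$name") || { echo "no announced digest for $name" >&2; return 1; }
  check_sha256 "$1" "$digest" || { echo "SHA256 mismatch for $name" >&2; return 1; }
  check_signature "$1" || { echo "signature check failed for $name" >&2; return 1; }
  echo "verified $name"
}
```

Run it as `verify_tarball icedtea-2.3.3.tar.gz` with the matching .sig in the same directory; only a tarball that passes both checks should be extracted.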
The following people helped with these releases:
* Elliott Baron (creation of reproducers for S7163198/S7169887 & S7186286, checking S7189103 & S7189567)
* Deepak Bhole (creation of reproducer for S7093490)
* Andrew John Hughes (applying all security patches, backports & bug fixes, reproducer runs, release management)
* Omair Majid (creation of reproducers for S7167656, S7172522, S7195549 & S7195917)
* Chris Phillips (checking S7143535, S7169884 & S7198606 reproducers)
* Roman Kennke (creation of reproducers for S7158796, S7192975 & S7198296)
* Pavel Tisnovsky (additional reproducer runs)
* Mario Torre (creation of reproducers for S6631398, S7195919 & S7196190, checking S7195194 reproducer)
* Jon VanAlten (creation of reproducer for S7158801, checking S7158800, S7158804 & S7158807)
We would also like to thank the bug reporters and testers!
To get started:
$ tar xzf icedtea-${ver}.tar.gz
Full build requirements and instructions are in INSTALL:
$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-${ver}/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make
Happy hacking!
* It is difficult to make authoritative statements about u9 as the release
is proprietary. Oracle still do not provide GPL binaries based on OpenJDK.
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07