[SECURITY] IcedTea 2.1.3, 2.2.3 & 2.3.3 for OpenJDK7 Released!
Andrew Hughes
ahughes at redhat.com
Wed Oct 17 09:42:58 PDT 2012
----- Original Message -----
> The IcedTea project provides a harness to build the source code from
> OpenJDK7 using Free Software build tools, along with additional features
> such as a PulseAudio sound driver and support for alternative virtual machines.
>
> A new set of security releases is now available:
>
> * IcedTea7 2.1.3
> * IcedTea7 2.2.3
> * IcedTea7 2.3.3
>
> All updates contain the following security fixes:
>
> * S6631398, CVE-2012-3216: FilePermission improved path checking
> * S7093490: adjust package access in rmiregistry
> * S7143535, CVE-2012-5068: ScriptEngine corrected permissions
> * S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
> * S7158807: Revise stack management with volatile call sites
> * S7163198, CVE-2012-5076: Tightened package accessibility
> * S7167656, CVE-2012-5077: Multiple Seeders are being created
> * S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
> * S7169887, CVE-2012-5074: Tightened package accessibility
> * S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
> * S7172522, CVE-2012-5072: Improve DomainCombiner checking
> * S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
> * S7189103, CVE-2012-5069: Executors needs to maintain state
> * S7189490: More improvements to DomainCombiner checking
> * S7189567, CVE-2012-5085: java net obselete protocol
> * S7192975, CVE-2012-5071: Issue with JMX reflection
> * S7195194, CVE-2012-5084: Better data validation for Swing
> * S7195549, CVE-2012-5087: Better bean object persistence
> * S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
> * S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
> * S7196190, CVE-2012-5088: Improve method of handling MethodHandles
> * S7198296, CVE-2012-5089: Refactor classloader usage
> * S7158801: Improve VM CompileOnly option
> * S7158804: Improve config file parsing
> * S7198606, CVE-2012-4416: Improve VM optimization
>
> We believe that the 2.3.3 release takes IcedTea beyond u9[*], providing security
> updates from u7 and u9 on top of an OpenJDK7 u6 base, along with additional
> IcedTea patches to allow builds against system libraries and to support more
> esoteric architectures.
>
> Please note support for alternative VM solutions (CACAO, Shark, Zero) may be
> lacking in this release, as there has been little time for testing non-standard
> builds, and Zero is known to not work with 2.2.x (and only with 2.3.x via
> using the HotSpot from 2.1.x). Patches are welcome; please contact the mailing
> list (distro-pkg-dev at openjdk.java.net) and/or file
> bugs (http://icedtea.classpath.org/bugzilla) under the appropriate component.
> An update release may follow to correct issues with these builds, if necessary,
> but we deem it important to get the security updates out for mainstream builds
> as quickly as possible without further delay.
>
> Full details of each release can be found below.
>
> What's New?
> -----------
>
> New in release 2.1.3 (2012-10-17):
>
> * Security fixes
> - S6631398, CVE-2012-3216: FilePermission improved path checking
> - S7093490: adjust package access in rmiregistry
> - S7143535, CVE-2012-5068: ScriptEngine corrected permissions
> - S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
> - S7158807: Revise stack management with volatile call sites
> - S7163198, CVE-2012-5076: Tightened package accessibility
> - S7167656, CVE-2012-5077: Multiple Seeders are being created
> - S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
> - S7169887, CVE-2012-5074: Tightened package accessibility
> - S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
> - S7172522, CVE-2012-5072: Improve DomainCombiner checking
> - S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
> - S7189103, CVE-2012-5069: Executors needs to maintain state
> - S7189490: More improvements to DomainCombiner checking
> - S7189567, CVE-2012-5085: java net obselete protocol
> - S7192975, CVE-2012-5071: Issue with JMX reflection
> - S7195194, CVE-2012-5084: Better data validation for Swing
> - S7195549, CVE-2012-5087: Better bean object persistence
> - S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
> - S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
> - S7196190, CVE-2012-5088: Improve method of handling MethodHandles
> - S7198296, CVE-2012-5089: Refactor classloader usage
> - S7158801: Improve VM CompileOnly option
> - S7158804: Improve config file parsing
> - S7198606, CVE-2012-4416: Improve VM optimization
> * Backports
> - S7175845: "jar uf" changes file permissions unexpectedly
> - S7177216: native2ascii changes file permissions of input file
> - S7106773: 512 bits RSA key cannot work with SHA384 and SHA512
> - S7158800: Improve storage of symbol tables
> * Bug fixes
> - Remove merge artefact.
> - Remove the Xp header and library checks.
>
> New in release 2.2.3 (2012-10-17):
>
> * Security fixes
> - S6631398, CVE-2012-3216: FilePermission improved path checking
> - S7093490: adjust package access in rmiregistry
> - S7143535, CVE-2012-5068: ScriptEngine corrected permissions
> - S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
> - S7158807: Revise stack management with volatile call sites
> - S7163198, CVE-2012-5076: Tightened package accessibility
> - S7167656, CVE-2012-5077: Multiple Seeders are being created
> - S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
> - S7169887, CVE-2012-5074: Tightened package accessibility
> - S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
> - S7172522, CVE-2012-5072: Improve DomainCombiner checking
> - S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
> - S7189103, CVE-2012-5069: Executors needs to maintain state
> - S7189490: More improvements to DomainCombiner checking
> - S7189567, CVE-2012-5085: java net obselete protocol
> - S7192975, CVE-2012-5071: Issue with JMX reflection
> - S7195194, CVE-2012-5084: Better data validation for Swing
> - S7195549, CVE-2012-5087: Better bean object persistence
> - S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
> - S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
> - S7196190, CVE-2012-5088: Improve method of handling MethodHandles
> - S7198296, CVE-2012-5089: Refactor classloader usage
> - S7158801: Improve VM CompileOnly option
> - S7158804: Improve config file parsing
> - S7198606, CVE-2012-4416: Improve VM optimization
> * Backports
> - S7175845: "jar uf" changes file permissions unexpectedly
> - S7177216: native2ascii changes file permissions of input file
> - S7158800: Improve storage of symbol tables
> * Bug fixes
> - Remove merge artefact.
> - Remove the Xp header and library checks.
>
> New in release 2.3.3 (2012-10-17):
>
> * Security fixes
> - S6631398, CVE-2012-3216: FilePermission improved path checking
> - S7093490: adjust package access in rmiregistry
> - S7143535, CVE-2012-5068: ScriptEngine corrected permissions
> - S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
> - S7158807: Revise stack management with volatile call sites
> - S7163198, CVE-2012-5076: Tightened package accessibility
> - S7167656, CVE-2012-5077: Multiple Seeders are being created
> - S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
> - S7169887, CVE-2012-5074: Tightened package accessibility
> - S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
> - S7172522, CVE-2012-5072: Improve DomainCombiner checking
> - S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
> - S7189103, CVE-2012-5069: Executors needs to maintain state
> - S7189490: More improvements to DomainCombiner checking
> - S7189567, CVE-2012-5085: java net obselete protocol
> - S7192975, CVE-2012-5071: Issue with JMX reflection
> - S7195194, CVE-2012-5084: Better data validation for Swing
> - S7195549, CVE-2012-5087: Better bean object persistence
> - S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
> - S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
> - S7196190, CVE-2012-5088: Improve method of handling MethodHandles
> - S7198296, CVE-2012-5089: Refactor classloader usage
> - S7158800: Improve storage of symbol tables
> - S7158801: Improve VM CompileOnly option
> - S7158804: Improve config file parsing
> - S7198606, CVE-2012-4416: Improve VM optimization
> * Bug fixes
> - Remove merge artefact.
> - Remove the Xp header and library checks.
> * JamVM
> - PR1155: Do not put version number in libjvm.so SONAME
>
> The tarballs can be downloaded from:
>
> * http://icedtea.classpath.org/download/source/icedtea-2.1.3.tar.gz
> * http://icedtea.classpath.org/download/source/icedtea-2.2.3.tar.gz
> * http://icedtea.classpath.org/download/source/icedtea-2.3.3.tar.gz
>
> SHA256 checksums:
>
> 1929e57eb6718d30735e1e04e9e129457f845f7d7a8404b2b028740d0779ddb6  icedtea-2.1.3.tar.gz
> 4397ef71a0d729521be70f920bfc3fb6aec3455f1619b538cea75df512df1a16  icedtea-2.2.3.tar.gz
> e5ac5564e00c4a8d7b3376ed6de91b18a2587c8abdad802ccc92c780765b1073  icedtea-2.3.3.tar.gz
>
> Each tarball is accompanied by a digital signature (available at the
> above URL + '.sig'). This is produced using my public key. See
> details below.
>
> The following people helped with these releases:
>
> * Elliott Baron (creation of reproducers for S7163198/S7169887 & S7186286, checking S7189103 & S7189567)
> * Deepak Bhole (creation of reproducer for S7093490)
> * Andrew John Hughes (applying all security patches, backports & bug fixes, reproducer runs, release management)
> * Omair Majid (creation of reproducers for S7167656, S7172522, S7195549 & S7195917)
> * Chris Phillips (checking S7143535, S7169884 & S7198606 reproducers)
> * Roman Kennke (creation of reproducers for S7158796, S7192975 & S7198296)
> * Pavel Tisnovsky (additional reproducer runs)
> * Mario Torre (creation of reproducers for S6631398, S7195919 & S7196190, checking S7195194 reproducer)
> * Jon VanAlten (creation of reproducer for S7158801, checking S7158800, S7158804 & S7158807)
>
> We would also like to thank the bug reporters and testers!
>
> To get started:
>
> $ tar xzf icedtea-${ver}.tar.gz
>
> Full build requirements and instructions are in INSTALL:
>
> $ mkdir icedtea-build
> $ cd icedtea-build
> $ ../icedtea-${ver}/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
> $ make
>
> Happy hacking!
>
> * It is difficult to make authoritative statements about u9 as the release
> is proprietary. Oracle still do not provide GPL binaries based on OpenJDK.
> --
> Andrew :)
>
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> PGP Key: 248BDC07 (https://keys.indymedia.org/)
> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
>
Thanks also to Severin Gehwolf for doing the work with Elliott Baron
credited above. Sorry, just didn't have my nickname decoder ring
handy at the time...
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
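The download, verification and build steps quoted in the announcement above, as an added example that is not part of the announcement or the IcedTea project: the script checks a tarball against the published SHA256 list and its detached .sig before running the tar/configure/make steps. It assumes curl, gpg and sha256sum (or shasum) are installed and that the signing key whose fingerprint is given in the signature has already been imported into the local keyring.

```shell
#!/bin/sh
# Added example, not from the announcement: verify an IcedTea release tarball
# against the published SHA256 list and its detached .sig before building it.
# Assumes curl, gpg and sha256sum (or shasum) are available and that the
# release signing key has already been imported into the local gpg keyring.
set -eu

# SHA256 checksums copied from the announcement.
ICEDTEA_SHA256SUMS='
1929e57eb6718d30735e1e04e9e129457f845f7d7a8404b2b028740d0779ddb6  icedtea-2.1.3.tar.gz
4397ef71a0d729521be70f920bfc3fb6aec3455f1619b538cea75df512df1a16  icedtea-2.2.3.tar.gz
e5ac5564e00c4a8d7b3376ed6de91b18a2587c8abdad802ccc92c780765b1073  icedtea-2.3.3.tar.gz
'
# Fingerprint of the release signer, copied from the announcement's signature block.
RELEASE_KEY_FPR='EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07'

# expected_sha256 FILE [LIST]: print the published hash for FILE, fail if it is not listed.
expected_sha256() {
  _name=$(basename "$1")
  printf '%s\n' "${2:-$ICEDTEA_SHA256SUMS}" |
    awk -v f="$_name" '$2 == f { print $1; found = 1 } END { exit !found }'
}

# actual_sha256 FILE: hex digest of FILE using whichever tool the system has.
actual_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    awk '{ print $1 }'
}

# verify_sha256 FILE [LIST]: succeed only if FILE matches its published hash.
verify_sha256() {
  _exp=$(expected_sha256 "$1" "${2:-}") || { echo "no published hash for $1" >&2; return 1; }
  [ "$_exp" = "$(actual_sha256 "$1")" ] || { echo "checksum mismatch: $1" >&2; return 1; }
}

# verify_sig FILE: accept FILE.sig only if gpg reports a valid signature by the release key.
verify_sig() {
  gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
    grep -q "^\[GNUPG:\] VALIDSIG $RELEASE_KEY_FPR "
}

# build_release VERSION: the announcement's tar/configure/make steps, gated on both checks.
build_release() {
  _tar="icedtea-$1.tar.gz"; _url="http://icedtea.classpath.org/download/source/$_tar"
  curl -fsSLO "$_url" && curl -fsSLO "$_url.sig"
  verify_sha256 "$_tar" && verify_sig "$_tar"
  tar xzf "$_tar"
  mkdir -p "icedtea-$1-build" && cd "icedtea-$1-build"
  "../icedtea-$1/configure" && make
}
```

Running `build_release 2.3.3` stops before extraction if either the checksum or the signature check fails.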