[SECURITY] IcedTea 2.1.3, 2.2.3 & 2.3.3 for OpenJDK7 Released!

Andrew Hughes ahughes at redhat.com
Wed Oct 17 09:42:58 PDT 2012


----- Original Message -----
> The IcedTea project provides a harness to build the source code from
> OpenJDK7 using Free Software build tools, along with additional
> features such as a PulseAudio sound driver and support for alternative
> virtual machines.
> 
> A new set of security releases is now available:
> 
> * IcedTea7 2.1.3
> * IcedTea7 2.2.3
> * IcedTea7 2.3.3
>  
> All updates contain the following security fixes:
>  
>  * S6631398, CVE-2012-3216: FilePermission improved path checking
>  * S7093490: adjust package access in rmiregistry
>  * S7143535, CVE-2012-5068: ScriptEngine corrected permissions
>  * S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
>  * S7158807: Revise stack management with volatile call sites
>  * S7163198, CVE-2012-5076: Tightened package accessibility
>  * S7167656, CVE-2012-5077: Multiple Seeders are being created
>  * S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
>  * S7169887, CVE-2012-5074: Tightened package accessibility
>  * S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
>  * S7172522, CVE-2012-5072: Improve DomainCombiner checking
>  * S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
>  * S7189103, CVE-2012-5069: Executors needs to maintain state
>  * S7189490: More improvements to DomainCombiner checking
>  * S7189567, CVE-2012-5085: java net obselete protocol
>  * S7192975, CVE-2012-5071: Issue with JMX reflection
>  * S7195194, CVE-2012-5084: Better data validation for Swing
>  * S7195549, CVE-2012-5087: Better bean object persistence
>  * S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
>  * S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
>  * S7196190, CVE-2012-5088: Improve method of handling MethodHandles
>  * S7198296, CVE-2012-5089: Refactor classloader usage
>  * S7158801: Improve VM CompileOnly option
>  * S7158804: Improve config file parsing
>  * S7198606, CVE-2012-4416: Improve VM optimization
> 
> We believe that the 2.3.3 release takes IcedTea beyond u9[*], providing
> security updates from u7 and u9 on top of an OpenJDK7 u6 base, along with
> additional IcedTea patches to allow builds against system libraries and
> to support more esoteric architectures.
> 
> Please note support for alternative VM solutions (CACAO, Shark, Zero)
> may be lacking in this release, as there has been little time for
> testing non-standard builds, and Zero is known to not work with 2.2.x
> (and only with 2.3.x via using the HotSpot from 2.1.x).  Patches are
> welcome; please contact the mailing list (distro-pkg-dev at
> openjdk.java.net) and/or file bugs (http://icedtea.classpath.org/bugzilla)
> under the appropriate component.  An update release may follow to
> correct issues with these builds, if necessary, but we deem it important
> to get the security updates out for mainstream builds as quickly as
> possible without further delay.
> 
> Full details of each release can be found below.
> 
> What's New?
> -----------
> 
> New in release 2.1.3 (2012-10-17):
> 
> * Security fixes
>   - S6631398, CVE-2012-3216: FilePermission improved path checking
>   - S7093490: adjust package access in rmiregistry
>   - S7143535, CVE-2012-5068: ScriptEngine corrected permissions
>   - S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
>   - S7158807: Revise stack management with volatile call sites
>   - S7163198, CVE-2012-5076: Tightened package accessibility
>   - S7167656, CVE-2012-5077: Multiple Seeders are being created
>   - S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
>   - S7169887, CVE-2012-5074: Tightened package accessibility
>   - S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
>   - S7172522, CVE-2012-5072: Improve DomainCombiner checking
>   - S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
>   - S7189103, CVE-2012-5069: Executors needs to maintain state
>   - S7189490: More improvements to DomainCombiner checking
>   - S7189567, CVE-2012-5085: java net obselete protocol
>   - S7192975, CVE-2012-5071: Issue with JMX reflection
>   - S7195194, CVE-2012-5084: Better data validation for Swing
>   - S7195549, CVE-2012-5087: Better bean object persistence
>   - S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
>   - S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
>   - S7196190, CVE-2012-5088: Improve method of handling MethodHandles
>   - S7198296, CVE-2012-5089: Refactor classloader usage
>   - S7158801: Improve VM CompileOnly option
>   - S7158804: Improve config file parsing
>   - S7198606, CVE-2012-4416: Improve VM optimization
> * Backports
>   - S7175845: "jar uf" changes file permissions unexpectedly
>   - S7177216: native2ascii changes file permissions of input file
>   - S7106773: 512 bits RSA key cannot work with SHA384 and SHA512
>   - S7158800: Improve storage of symbol tables
> * Bug fixes
>   - Remove merge artefact.
>   - Remove the Xp header and library checks.
> 
> New in release 2.2.3 (2012-10-17):
> 
> * Security fixes
>   - S6631398, CVE-2012-3216: FilePermission improved path checking
>   - S7093490: adjust package access in rmiregistry
>   - S7143535, CVE-2012-5068: ScriptEngine corrected permissions
>   - S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
>   - S7158807: Revise stack management with volatile call sites
>   - S7163198, CVE-2012-5076: Tightened package accessibility
>   - S7167656, CVE-2012-5077: Multiple Seeders are being created
>   - S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
>   - S7169887, CVE-2012-5074: Tightened package accessibility
>   - S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
>   - S7172522, CVE-2012-5072: Improve DomainCombiner checking
>   - S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
>   - S7189103, CVE-2012-5069: Executors needs to maintain state
>   - S7189490: More improvements to DomainCombiner checking
>   - S7189567, CVE-2012-5085: java net obselete protocol
>   - S7192975, CVE-2012-5071: Issue with JMX reflection
>   - S7195194, CVE-2012-5084: Better data validation for Swing
>   - S7195549, CVE-2012-5087: Better bean object persistence
>   - S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
>   - S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
>   - S7196190, CVE-2012-5088: Improve method of handling MethodHandles
>   - S7198296, CVE-2012-5089: Refactor classloader usage
>   - S7158801: Improve VM CompileOnly option
>   - S7158804: Improve config file parsing
>   - S7198606, CVE-2012-4416: Improve VM optimization
> * Backports
>   - S7175845: "jar uf" changes file permissions unexpectedly
>   - S7177216: native2ascii changes file permissions of input file
>   - S7158800: Improve storage of symbol tables
> * Bug fixes
>   - Remove merge artefact.
>   - Remove the Xp header and library checks.
> 
> New in release 2.3.3 (2012-10-17):
> 
> * Security fixes
>   - S6631398, CVE-2012-3216: FilePermission improved path checking
>   - S7093490: adjust package access in rmiregistry
>   - S7143535, CVE-2012-5068: ScriptEngine corrected permissions
>   - S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
>   - S7158807: Revise stack management with volatile call sites
>   - S7163198, CVE-2012-5076: Tightened package accessibility
>   - S7167656, CVE-2012-5077: Multiple Seeders are being created
>   - S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
>   - S7169887, CVE-2012-5074: Tightened package accessibility
>   - S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
>   - S7172522, CVE-2012-5072: Improve DomainCombiner checking
>   - S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
>   - S7189103, CVE-2012-5069: Executors needs to maintain state
>   - S7189490: More improvements to DomainCombiner checking
>   - S7189567, CVE-2012-5085: java net obselete protocol
>   - S7192975, CVE-2012-5071: Issue with JMX reflection
>   - S7195194, CVE-2012-5084: Better data validation for Swing
>   - S7195549, CVE-2012-5087: Better bean object persistence
>   - S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
>   - S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
>   - S7196190, CVE-2012-5088: Improve method of handling MethodHandles
>   - S7198296, CVE-2012-5089: Refactor classloader usage
>   - S7158800: Improve storage of symbol tables
>   - S7158801: Improve VM CompileOnly option
>   - S7158804: Improve config file parsing
>   - S7198606, CVE-2012-4416: Improve VM optimization
> * Bug fixes
>   - Remove merge artefact.
>   - Remove the Xp header and library checks.
> * JamVM
>   - PR1155: Do not put version number in libjvm.so SONAME
> 
> The tarballs can be downloaded from:
>  
> * http://icedtea.classpath.org/download/source/icedtea-2.1.3.tar.gz
> * http://icedtea.classpath.org/download/source/icedtea-2.2.3.tar.gz
> * http://icedtea.classpath.org/download/source/icedtea-2.3.3.tar.gz
> 
> SHA256 checksums:
> 
> 1929e57eb6718d30735e1e04e9e129457f845f7d7a8404b2b028740d0779ddb6  icedtea-2.1.3.tar.gz
> 4397ef71a0d729521be70f920bfc3fb6aec3455f1619b538cea75df512df1a16  icedtea-2.2.3.tar.gz
> e5ac5564e00c4a8d7b3376ed6de91b18a2587c8abdad802ccc92c780765b1073  icedtea-2.3.3.tar.gz
> 
> Each tarball is accompanied by a digital signature (available at the
> above URL + '.sig').  This is produced using my public key.  See
> details below.
> 
> The following people helped with these releases:
> 
> * Elliott Baron (creation of reproducers for S7163198/S7169887 &
> S7186286, checking S7189103 & S7189567)
> * Deepak Bhole (creation of reproducer for S7093490)
> * Andrew John Hughes (applying all security patches, backports & bug
> fixes, reproducer runs, release management)
> * Omair Majid (creation of reproducers for S7167656, S7172522,
> S7195549 & S7195917)
> * Chris Phillips (checking S7143535, S7169884 & S7198606 reproducers)
> * Roman Kennke (creation of reproducers for S7158796, S7192975 &
> S7198296)
> * Pavel Tisnovsky (additional reproducer runs)
> * Mario Torre (creation of reproducers for S6631398, S7195919 &
> S7196190, checking S7195194 reproducer)
> * Jon VanAlten (creation of reproducer for S7158801, checking
> S7158800, S7158804 & S7158807)
> 
> We would also like to thank the bug reporters and testers!
>  
> To get started:
> 
> $ tar xzf icedtea-${ver}.tar.gz
>  
> Full build requirements and instructions are in INSTALL:
> 
> $ mkdir icedtea-build
> $ cd icedtea-build
> $ ../icedtea-${ver}/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
> $ make
> 
> Happy hacking!
> 
> * It is difficult to make authoritative statements about u9 as the
> release is proprietary.  Oracle still do not provide GPL binaries based
> on OpenJDK.
> --
> Andrew :)
> 
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
> 
> PGP Key: 248BDC07 (https://keys.indymedia.org/)
> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
> 

Thanks also to Severin Gehwolf for doing the work with Elliott Baron
credited above.  Sorry, just didn't have my nickname decoder ring
handy at the time...
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
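The announcement publishes SHA256 checksums and a detached PGP signature for each tarball but leaves the verification step to the reader. The following POSIX shell script is an added example, not part of the announcement or of the IcedTea project: it embeds the three checksums quoted above as a lookup table, compares a downloaded tarball's digest against them, checks the `.sig` file with `gpg --verify`, and only then extracts the archive. It assumes `sha256sum` (or BSD `shasum`) and `gpg` are installed and that the signing key (fingerprint 248BDC07 from the mail) has already been imported into the local keyring.

```shell
#!/bin/sh
# Added example: verify an IcedTea release tarball before extracting it.
# Not part of the IcedTea announcement; the checksums below are copied
# from the release mail, everything else is an assumption of this example.

# Checksum table in sha256sum(1) format, copied from the announcement.
CHECKSUMS='
1929e57eb6718d30735e1e04e9e129457f845f7d7a8404b2b028740d0779ddb6  icedtea-2.1.3.tar.gz
4397ef71a0d729521be70f920bfc3fb6aec3455f1619b538cea75df512df1a16  icedtea-2.2.3.tar.gz
e5ac5564e00c4a8d7b3376ed6de91b18a2587c8abdad802ccc92c780765b1073  icedtea-2.3.3.tar.gz
'

# Print the published digest for a tarball name, or nothing if unknown.
expected_sha256() {
    printf '%s\n' "$CHECKSUMS" | awk -v f="$1" '$2 == f { print $1 }'
}

# Print the SHA256 digest of a file; portable across GNU coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the file's digest matches the expected hex string (case-insensitive).
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    actual=$(sha256_of "$file")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Check the checksum and the detached signature, then extract.
# Assumes icedtea-${ver}.tar.gz and icedtea-${ver}.tar.gz.sig are in the
# current directory and the signing key is already in the gpg keyring.
verify_and_extract() {
    ver=$1
    tarball="icedtea-${ver}.tar.gz"
    if ! verify_sha256 "$tarball" "$(expected_sha256 "$tarball")"; then
        echo "checksum mismatch or unknown release: $tarball" >&2
        return 1
    fi
    if ! gpg --verify "${tarball}.sig" "$tarball"; then
        echo "signature check failed: $tarball" >&2
        return 1
    fi
    tar xzf "$tarball"
}

# Usage: sh verify-icedtea.sh 2.3.3
if [ -n "$1" ]; then
    verify_and_extract "$1"
fi
```

A good `gpg --verify` result only proves that some key in the keyring made the signature; before trusting it, compare the output of `gpg --fingerprint 248BDC07` with the fingerprint printed in the mail. Running the checksum comparison first also means a truncated or corrupted download is rejected before any signature logic runs.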