[SECURITY] IcedTea 1.10.10 & 1.11.5 for OpenJDK6 Released!

Andrew John Hughes gnu.andrew at redhat.com
Tue Oct 16 19:47:28 PDT 2012

The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

A new set of security releases is now available:

* IcedTea6 1.10.10
* IcedTea6 1.11.5

We recommend that users upgrade to the latest release from the appropriate
branch as soon as possible.

All updates contain the following security fixes:
 * S6631398, CVE-2012-3216: FilePermission improved path checking
 * S7093490: adjust package access in rmiregistry
 * S7143535, CVE-2012-5068: ScriptEngine corrected permissions
 * S7167656, CVE-2012-5077: Multiple Seeders are being created
 * S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
 * S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
 * S7172522, CVE-2012-5072: Improve DomainCombiner checking
 * S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
 * S7189103, CVE-2012-5069: Executors needs to maintain state
 * S7189490: More improvements to DomainCombiner checking
 * S7189567, CVE-2012-5085: java net obselete protocol
 * S7192975, CVE-2012-5071: Conditional usage check is wrong
 * S7195194, CVE-2012-5084: Better data validation for Swing
 * S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
 * S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
 * S7198296, CVE-2012-5089: Refactor classloader usage
 * S7158800: Improve storage of symbol tables
 * S7158801: Improve VM CompileOnly option
 * S7158804: Improve config file parsing
 * S7176337: Additional changes needed for 7158801 fix
 * S7198606, CVE-2012-4416: Improve VM optimization

Full details of each release can be found below.

What’s New?

New in release 1.10.10 (2012-10-16):

* Security fixes
  - S6631398, CVE-2012-3216: FilePermission improved path checking
  - S7093490: adjust package access in rmiregistry
  - S7143535, CVE-2012-5068: ScriptEngine corrected permissions
  - S7167656, CVE-2012-5077: Multiple Seeders are being created
  - S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
  - S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
  - S7172522, CVE-2012-5072: Improve DomainCombiner checking
  - S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
  - S7189103, CVE-2012-5069: Executors needs to maintain state
  - S7189490: More improvements to DomainCombiner checking
  - S7189567, CVE-2012-5085: java net obselete protocol
  - S7192975, CVE-2012-5071: Conditional usage check is wrong
  - S7195194, CVE-2012-5084: Better data validation for Swing
  - S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
  - S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
  - S7198296, CVE-2012-5089: Refactor classloader usage
  - S7158800: Improve storage of symbol tables
  - S7158801: Improve VM CompileOnly option
  - S7158804: Improve config file parsing
  - S7176337: Additional changes needed for 7158801 fix
  - S7198606, CVE-2012-4416: Improve VM optimization
* Backports
  - S7092186: adjust package access in rmiregistry
  - S7175845: "jar uf" changes file permissions unexpectedly
  - S7177216: native2ascii changes file permissions of input file
  - S7199153: TEST_BUG: try-with-resources syntax pushed to 6-open repo
* Bug fixes
  - PR1194: IcedTea tries to build with /usr/lib/jvm/java-openjdk (now a 1.7 VM) by default

New in release 1.11.5 (2012-10-16):

* Security fixes
  - S6631398, CVE-2012-3216: FilePermission improved path checking
  - S7093490: adjust package access in rmiregistry
  - S7143535, CVE-2012-5068: ScriptEngine corrected permissions
  - S7167656, CVE-2012-5077: Multiple Seeders are being created
  - S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
  - S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
  - S7172522, CVE-2012-5072: Improve DomainCombiner checking
  - S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
  - S7189103, CVE-2012-5069: Executors needs to maintain state
  - S7189490: More improvements to DomainCombiner checking
  - S7189567, CVE-2012-5085: java net obselete protocol
  - S7192975, CVE-2012-5071: Conditional usage check is wrong
  - S7195194, CVE-2012-5084: Better data validation for Swing
  - S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
  - S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
  - S7198296, CVE-2012-5089: Refactor classloader usage
  - S7158800: Improve storage of symbol tables
  - S7158801: Improve VM CompileOnly option
  - S7158804: Improve config file parsing
  - S7176337: Additional changes needed for 7158801 fix
  - S7198606, CVE-2012-4416: Improve VM optimization
* Backports
  - S7175845: "jar uf" changes file permissions unexpectedly
  - S7177216: native2ascii changes file permissions of input file
  - S7199153: TEST_BUG: try-with-resources syntax pushed to 6-open repo
* Bug fixes
  - PR1194: IcedTea tries to build with /usr/lib/jvm/java-openjdk (now a 1.7 VM) by default

The tarballs can be downloaded from:
* http://icedtea.classpath.org/download/source/icedtea6-1.10.10.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.11.5.tar.gz

SHA256 checksums:

644804a85b5b446d7840e3d11adf45782d73fcd880a2df5403c53c96cc288c3e  icedtea6-1.10.10.tar.gz
258d81d957f8ab9322fbaf7c90647f27f6b4e675504fa279858e6dfe513f7574  icedtea6-1.11.5.tar.gz

Each tarball is accompanied by a digital signature (available at the
above URL + '.sig').  This is produced using my public key.  See
details below.

The following people helped with these releases:

* Elliott Baron (creation of reproducers for S7163198/S7169887 & S7186286, checking S7189103 & S7189567)
* Deepak Bhole (creation of reproducer for S7093490)
* Andrew John Hughes (applying all security patches, backports & bug fixes, reproducer runs, release management)
* Omair Majid (creation of reproducers for S7167656, S7172522, S7195549 & S7195917)
* Chris Phillips (checking S7143535, S7169884 & S7198606 reproducers)
* Roman Kennke (creation of reproducers for S7158796, S7192975 & S7198296)
* Pavel Tisnovsky (additional reproducer runs)
* Mario Torre (creation of reproducers for S6631398, S7195919 & S7196190, checking S7195194 reproducer)
* Jon VanAlten (creation of reproducer for S7158801, checking S7158800, S7158804 & S7158807)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-${ver}.tar.gz

Full build requirements and instructions are in INSTALL:

$ mkdir icedtea6-build
$ cd icedtea6-build
$ ../icedtea6-${ver}/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
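Checking a downloaded tarball against the SHA256 checksums and the detached PGP signature listed above, as an added example that is not part of the original announcement. The checksums and the key fingerprint are the ones published in this mail; the local file names, and the use of `sha256sum`, `gpg --status-fd` and `awk`, are assumptions about the reader's environment. The point of the fingerprint check is that `gpg --verify` alone accepts any valid signature from any key in the keyring, so the signer is compared to the announced key explicitly.

```shell
#!/bin/sh
# Added example: verify an IcedTea6 release tarball against the announced
# SHA256 checksum and the .sig file next to it. Not part of the original post.

# SHA256 checksums exactly as published in the announcement.
ICEDTEA_1_10_10_SHA256=644804a85b5b446d7840e3d11adf45782d73fcd880a2df5403c53c96cc288c3e
ICEDTEA_1_11_5_SHA256=258d81d957f8ab9322fbaf7c90647f27f6b4e675504fa279858e6dfe513f7574
# Announced signing-key fingerprint, with the spaces removed.
RELEASE_FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07

# sha256_matches FILE EXPECTED -> 0 if FILE hashes to EXPECTED, 1 otherwise.
sha256_matches() {
    sm_file=$1; sm_expected=$2
    sm_actual=$(sha256sum "$sm_file" | cut -d' ' -f1)
    [ "$sm_actual" = "$sm_expected" ]
}

# status_has_validsig STATUS_TEXT FPR -> 0 if the gpg --status-fd output in
# STATUS_TEXT contains a VALIDSIG line whose signing-key fingerprint ($3)
# equals FPR. Without this, a valid signature by some other key would pass.
status_has_validsig() {
    printf '%s\n' "$1" | awk -v fpr="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == fpr { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_tarball FILE EXPECTED_SHA256 -> 0 only when the checksum matches AND
# FILE.sig is a good signature made by the announced key.
verify_tarball() {
    vt_file=$1; vt_expected=$2
    sha256_matches "$vt_file" "$vt_expected" \
        || { echo "checksum mismatch: $vt_file" >&2; return 1; }
    # --status-fd 1 puts machine-readable status lines on stdout.
    vt_status=$(gpg --status-fd 1 --verify "$vt_file.sig" "$vt_file" 2>/dev/null) \
        || { echo "bad or missing signature: $vt_file" >&2; return 1; }
    status_has_validsig "$vt_status" "$RELEASE_FPR" \
        || { echo "signed by a key other than $RELEASE_FPR: $vt_file" >&2; return 1; }
    echo "ok: $vt_file"
}

# Usage, assuming the tarball and its .sig were fetched into the current directory
# (file names are assumed, not taken from a real download):
#   verify_tarball icedtea6-1.10.10.tar.gz "$ICEDTEA_1_10_10_SHA256"
#   verify_tarball icedtea6-1.11.5.tar.gz  "$ICEDTEA_1_11_5_SHA256"
```

Import the announced key before running this (the mail gives key ID 248BDC07 and a keyserver); if the key is absent, `gpg --verify` fails and the function reports a bad or missing signature rather than falling through.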