[SECURITY] IcedTea 1.11.10 for OpenJDK 6 Released!
Andrew Hughes
gnu.andrew at redhat.com
Wed Apr 17 13:52:08 PDT 2013
----- Original Message -----
> The IcedTea project provides a harness to build the source code from
> OpenJDK 6 using Free Software build tools, along with additional
> features such as a PulseAudio sound driver and support for alternative
> virtual machines.
>
> A new security release, 1.11.10. This contains the following security
> fixes:
>
> * S6657673, CVE-2013-1518: Issues with JAXP
> * S7200507: Refactor Introspector internals
> * S8000724, CVE-2013-2417: Improve networking serialization
> * S8001031, CVE-2013-2419: Better font processing
> * S8001040, CVE-2013-1537: Rework RMI model
> * S8001322: Refactor deserialization
> * S8001329, CVE-2013-1557: Augment RMI logging
> * S8003335: Better handling of Finalizer thread
> * S8003445: Adjust JAX-WS to focus on API
> * S8003543, CVE-2013-2415: Improve processing of MTOM attachments
> * S8004261: Improve input validation
> * S8004336, CVE-2013-2431: Better handling of method handle intrinsic
> frames
> * S8004986, CVE-2013-2383: Better handling of glyph table
> * S8004987, CVE-2013-2384: Better handling of glyph table
> * S8004994, CVE-2013-1569: Better handling of glyph table
> * S8005432: Update access to JAX-WS
> * S8005943: (process) Improved Runtime.exec
> * S8006309: More reliable control panel operation
> * S8006435, CVE-2013-2424: Improvements in JMX
> * S8006790: Improve checking for windows
> * S8006795: Improve font warning messages
> * S8007406: Improve accessibility of AccessBridge
> * S8007617, CVE-2013-2420: Better validation of images
> * S8007667, CVE-2013-2430: Better image reading
> * S8007918, CVE-2013-2429: Better image writing
> * S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
> * S8009305, CVE-2013-0401: Improve AWT data transfer
> * S8009699, CVE-2013-2421: Methodhandle lookup
> * S8009814, CVE-2013-1488: Better driver management
> * S8009857, CVE-2013-2422: Problem with plugin
>
> Full details of the release can be found below.
>
> What's New?
> -----------
> New in release 1.11.10 (2013-04-17):
>
> * New features
> - JAXP, JAXWS & JAF supplied as patches rather than drops to aid subsequent
> patching.
> - PR1380: Add AArch64 support to Zero
> * Security fixes
> - S6657673, CVE-2013-1518: Issues with JAXP
> - S7200507: Refactor Introspector internals
> - S8000724, CVE-2013-2417: Improve networking serialization
> - S8001031, CVE-2013-2419: Better font processing
> - S8001040, CVE-2013-1537: Rework RMI model
> - S8001322: Refactor deserialization
> - S8001329, CVE-2013-1557: Augment RMI logging
> - S8003335: Better handling of Finalizer thread
> - S8003445: Adjust JAX-WS to focus on API
> - S8003543, CVE-2013-2415: Improve processing of MTOM attachments
> - S8004261: Improve input validation
> - S8004336, CVE-2013-2431: Better handling of method handle intrinsic
> frames
> - S8004986, CVE-2013-2383: Better handling of glyph table
> - S8004987, CVE-2013-2384: Improve font layout
> - S8004994, CVE-2013-1569: Improve checking of glyph table
> - S8005432: Update access to JAX-WS
> - S8005943: (process) Improved Runtime.exec
> - S8006309: More reliable control panel operation
> - S8006435, CVE-2013-2424: Improvements in JMX
> - S8006790: Improve checking for windows
> - S8006795: Improve font warning messages
> - S8007406: Improve accessibility of AccessBridge
> - S8007617, CVE-2013-2420: Better validation of images
> - S8007667, CVE-2013-2430: Better image reading
> - S8007918, CVE-2013-2429: Better image writing
> - S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
> - S8009305, CVE-2013-0401: Improve AWT data transfer
> - S8009699, CVE-2013-2421: Methodhandle lookup
> - S8009814, CVE-2013-1488: Better driver management
> - S8009857, CVE-2013-2422: Problem with plugin
> * Backports
> - S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32
> bit shifts
> - S7036559: ConcurrentHashMap footprint and contention improvements
> - S5102804: Memory leak in Introspector.getBeanInfo(Class) for custom
> BeanInfo: Class param (with WeakCache from S6397609)
> - S6501644: sync LayoutEngine *code* structure to match ICU
> - S6886358: layout code update
> - S6963811: Deadlock-prone locking changes in Introspector
> - S7017324: Kerning crash in JDK 7 since ICU layout update
> - S7064279: Introspector.getBeanInfo() should release some resources in
> timely manner
> - S8004302: javax/xml/soap/Test7013971.java fails since jdk6u39b01
> * Bug fixes
> - OJ3: Fix get_stack_bounds memory leak (alternate fix for S7197906)
> - PR1362: Fedora 19 / rawhide FTBFS SIGILL
> - PR1319: Correct #ifdef to #if
> - PR1339: Simplify the rhino class rewriter to avoid use of concurrency
>
> The tarballs can be downloaded from:
>
> * http://icedtea.classpath.org/download/source/icedtea6-1.11.10.tar.gz
>
> SHA256 checksums:
>
> 6c362135db9e0477eb9308b02a2adef26fc56cdabf2eda3286ce4301eb6e951e  icedtea6-1.11.10.tar.gz
>
> Each tarball is accompanied by a digital signature (available at the
> above URL + '.sig'). This is produced using my public key. See
> details below.
>
> The following people helped with these releases:
>
> * Andrew John Hughes (applying most security patches, backports & bug fixes,
> release management)
> * Omair Majid (build testing, reproducer runs, patches for S8007667,
> S8007918, S8009305, S8009814, S8009857)
> * Chris Phillips (PR1362 patch for ARM issue)
> * Roman Kennke (S8004986 / S8004987 / S8004994 patch)
> * Andreas Schwab (PR1380 patch for AArch64 Zero support)
> * Jon VanAlten (S8009063 patch and S7036559 dependency backport)
>
> We would also like to thank the bug reporters and testers!
>
> To get started:
>
> $ tar xzf icedtea6-1.11.10.tar.gz
>
> Full build requirements and instructions are in INSTALL:
>
> $ mkdir icedtea6-build
> $ cd icedtea6-build
> $ ../icedtea6-1.11.10/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
> $ make
>
> Happy hacking!
> --
> Andrew :)
>
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> PGP Key: 248BDC07 (https://keys.indymedia.org/)
> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
>
There's an issue with this release on older systems using glibc < 2.17.
A fix is available if needed and we'll do an update release soon:
https://twitter.com/gnu_andrew_java/status/324626008810590209
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
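
Added example (not part of the original message, and not the IcedTea project's own tooling): one way to check the downloaded tarball against the SHA256 checksum and PGP fingerprint published above before running tar. It assumes sha256sum and gpg are installed and the release key is already imported into the local keyring; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify icedtea6-1.11.10.tar.gz before unpacking it.
# The checksum and fingerprint are the values published in the announcement.
EXPECTED_SHA256=6c362135db9e0477eb9308b02a2adef26fc56cdabf2eda3286ce4301eb6e951e
EXPECTED_FPR='EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07'

# sha256_matches FILE HEX (hypothetical helper): true if FILE hashes to HEX.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# validsig_matches FPR (hypothetical helper): reads GnuPG status lines on
# stdin. Succeeds only if a VALIDSIG line names FPR as the signing key
# (field 3) or as the primary key (last field) and no REVKEYSIG line is
# present. A signature that verifies under some other key in the keyring
# is rejected, which a bare "gpg --verify" exit code would not do.
validsig_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "REVKEYSIG" { revoked = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ((ok && !revoked) ? 0 : 1) }
    '
}

# verify_release TARBALL (hypothetical helper): expects TARBALL.sig beside it.
verify_release() {
    tarball=$1
    if ! sha256_matches "$tarball" "$EXPECTED_SHA256"; then
        echo "FAIL: SHA256 mismatch for $tarball" >&2
        return 1
    fi
    if ! gpg --status-fd 1 --verify "$tarball.sig" "$tarball" 2>/dev/null \
            | validsig_matches "$EXPECTED_FPR"; then
        echo "FAIL: no valid signature from $EXPECTED_FPR" >&2
        return 1
    fi
    echo "OK: $tarball matches the published checksum and signing key"
}

# Run only when a tarball path is given, e.g.:
#   sh verify.sh icedtea6-1.11.10.tar.gz
if [ "$#" -gt 0 ]; then
    verify_release "$1"
fi
```

The checksum and the tarball are served from the same plain-HTTP host, so the signature check against a fingerprint obtained out of band is the part that establishes authenticity.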