[SECURITY] IcedTea 1.11.10 for OpenJDK 6 Released!

Andrew Hughes gnu.andrew at redhat.com
Wed Apr 17 13:52:08 PDT 2013


----- Original Message -----
> The IcedTea project provides a harness to build the source code from
> OpenJDK 6 using Free Software build tools, along with additional
> features such as a PulseAudio sound driver and support for alternative
> virtual machines.
> 
> A new security release, 1.11.10.  This contains the following security
> fixes:
> 
>   * S6657673, CVE-2013-1518: Issues with JAXP
>   * S7200507: Refactor Introspector internals
>   * S8000724, CVE-2013-2417: Improve networking serialization
>   * S8001031, CVE-2013-2419: Better font processing
>   * S8001040, CVE-2013-1537: Rework RMI model
>   * S8001322: Refactor deserialization
>   * S8001329, CVE-2013-1557: Augment RMI logging
>   * S8003335: Better handling of Finalizer thread
>   * S8003445: Adjust JAX-WS to focus on API
>   * S8003543, CVE-2013-2415: Improve processing of MTOM attachments
>   * S8004261: Improve input validation
>   * S8004336, CVE-2013-2431: Better handling of method handle intrinsic
>   frames
>   * S8004986, CVE-2013-2383: Better handling of glyph table
>   * S8004987, CVE-2013-2384: Better handling of glyph table
>   * S8004994, CVE-2013-1569: Better handling of glyph table
>   * S8005432: Update access to JAX-WS
>   * S8005943: (process) Improved Runtime.exec
>   * S8006309: More reliable control panel operation
>   * S8006435, CVE-2013-2424: Improvements in JMX
>   * S8006790: Improve checking for windows
>   * S8006795: Improve font warning messages
>   * S8007406: Improve accessibility of AccessBridge
>   * S8007617, CVE-2013-2420: Better validation of images
>   * S8007667, CVE-2013-2430: Better image reading
>   * S8007918, CVE-2013-2429: Better image writing
>   * S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
>   * S8009305, CVE-2013-0401: Improve AWT data transfer
>   * S8009699, CVE-2013-2421: Methodhandle lookup
>   * S8009814, CVE-2013-1488: Better driver management
>   * S8009857, CVE-2013-2422: Problem with plugin
> 
> Full details of the release can be found below.
> 
> What’s New?
> —————–
> New in release 1.11.10 (2013-04-17):
> 
> * New features
>   - JAXP, JAXWS & JAF supplied as patches rather than drops to aid subsequent
>   patching.
>   - PR1380: Add AArch64 support to Zero
> * Security fixes
>   - S6657673, CVE-2013-1518: Issues with JAXP
>   - S7200507: Refactor Introspector internals
>   - S8000724, CVE-2013-2417: Improve networking serialization
>   - S8001031, CVE-2013-2419: Better font processing
>   - S8001040, CVE-2013-1537: Rework RMI model
>   - S8001322: Refactor deserialization
>   - S8001329, CVE-2013-1557: Augment RMI logging
>   - S8003335: Better handling of Finalizer thread
>   - S8003445: Adjust JAX-WS to focus on API
>   - S8003543, CVE-2013-2415: Improve processing of MTOM attachments
>   - S8004261: Improve input validation
>   - S8004336, CVE-2013-2431: Better handling of method handle intrinsic
>   frames
>   - S8004986, CVE-2013-2383: Better handling of glyph table
>   - S8004987, CVE-2013-2384: Improve font layout
>   - S8004994, CVE-2013-1569: Improve checking of glyph table
>   - S8005432: Update access to JAX-WS
>   - S8005943: (process) Improved Runtime.exec
>   - S8006309: More reliable control panel operation
>   - S8006435, CVE-2013-2424: Improvements in JMX
>   - S8006790: Improve checking for windows
>   - S8006795: Improve font warning messages
>   - S8007406: Improve accessibility of AccessBridge
>   - S8007617, CVE-2013-2420: Better validation of images
>   - S8007667, CVE-2013-2430: Better image reading
>   - S8007918, CVE-2013-2429: Better image writing
>   - S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
>   - S8009305, CVE-2013-0401: Improve AWT data transfer
>   - S8009699, CVE-2013-2421: Methodhandle lookup
>   - S8009814, CVE-2013-1488: Better driver management
>   - S8009857, CVE-2013-2422: Problem with plugin
> * Backports
>   - S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32
>   bit shifts
>   - S7036559: ConcurrentHashMap footprint and contention improvements
>   - S5102804: Memory leak in Introspector.getBeanInfo(Class) for custom
>   BeanInfo: Class param (with WeakCache from S6397609)
>   - S6501644: sync LayoutEngine *code* structure to match ICU
>   - S6886358: layout code update
>   - S6963811: Deadlock-prone locking changes in Introspector
>   - S7017324: Kerning crash in JDK 7 since ICU layout update
>   - S7064279: Introspector.getBeanInfo() should release some resources in
>   timely manner
>   - S8004302: javax/xml/soap/Test7013971.java fails since jdk6u39b01
> * Bug fixes
>   - OJ3: Fix get_stack_bounds memory leak (alternate fix for S7197906)
>   - PR1362: Fedora 19 / rawhide FTBFS SIGILL
>   - PR1319: Correct #ifdef to #if
>   - PR1339: Simplify the rhino class rewriter to avoid use of concurrency
> 
> The tarballs can be downloaded from:
>  
> * http://icedtea.classpath.org/download/source/icedtea6-1.11.10.tar.gz
> 
> SHA256 checksums:
> 
> 6c362135db9e0477eb9308b02a2adef26fc56cdabf2eda3286ce4301eb6e951e  icedtea6-1.11.10.tar.gz
> 
> Each tarball is accompanied by a digital signature (available at the
> above URL + '.sig').  This is produced using my public key.  See
> details below.
> 
> The following people helped with these releases:
> 
> * Andrew John Hughes (applying most security patches, backports & bug fixes,
> release management)
> * Omair Majid (build testing, reproducer runs, patches for S8007667,
> S8007918, S8009305, S8009814, S8009857)
> * Chris Phillips (PR1362 patch for ARM issue)
> * Roman Kennke (S8004986 / S8004987 / S8004994 patch)
> * Andreas Schwab (PR1380 patch for AArch64 Zero support)
> * Jon VanAlten (S8009063 patch and S7036559 dependency backport)
> 
> We would also like to thank the bug reporters and testers!
>  
> To get started:
> 
> $ tar xzf icedtea6-1.11.10.tar.gz
>  
> Full build requirements and instructions are in INSTALL:
> 
> $ mkdir icedtea6-build
> $ cd icedtea6-build
> $ ../icedtea6-1.11.10/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
> $ make
> 
> Happy hacking!
> --
> Andrew :)
> 
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
> 
> PGP Key: 248BDC07 (https://keys.indymedia.org/)
> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
> 

There's an issue with this release on older systems using glibc < 2.17.
A fix is available if needed and we'll do an update release soon:

https://twitter.com/gnu_andrew_java/status/324626008810590209
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
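
The checksum and signature check that the announcement describes, as an added example that is not part of the original message or of the IcedTea project's own tooling. It assumes GNU coreutils `sha256sum`, that the `.sig` file is a detached GnuPG signature, and that the release key is already in the local keyring; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the release tarball before unpacking it.
# Values below are copied from the announcement.
TARBALL=icedtea6-1.11.10.tar.gz
EXPECTED_SHA256=6c362135db9e0477eb9308b02a2adef26fc56cdabf2eda3286ce4301eb6e951e
# Full fingerprint from the signature block, spaces removed. Pin this rather
# than the 8-digit key ID, which is short enough to collide.
SIGNER_FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07

# verify_sha256 FILE HEX: succeed only if FILE hashes to HEX (any letter case).
verify_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$want" ]
}

# signed_by STATUS FPR: succeed only if the gpg --status-fd text in STATUS has
# a VALIDSIG line whose signing-key or primary-key fingerprint equals FPR.
signed_by() {
    printf '%s\n' "$1" | awk -v fpr="$2" \
        '$2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
         END { exit !ok }'
}

# verify_signature SIG FILE FPR: check a detached signature (assumed format of
# the .sig file) and require that it was made by the pinned key. The key must
# already be in the local keyring, obtained over a channel you trust.
verify_signature() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    signed_by "$status" "$3"
}

# Run the checks only when the tarball is present in the current directory.
if [ -f "$TARBALL" ]; then
    verify_sha256 "$TARBALL" "$EXPECTED_SHA256" ||
        { echo "SHA256 mismatch for $TARBALL" >&2; exit 1; }
    verify_signature "$TARBALL.sig" "$TARBALL" "$SIGNER_FPR" ||
        { echo "signature not made by $SIGNER_FPR" >&2; exit 1; }
    echo "$TARBALL: checksum and signature OK"
fi
```

A checksum carried in the same message as the download link only detects corruption or a tampered mirror; the signature check against the pinned fingerprint is what ties the tarball to the release key.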



