[SECURITY] IcedTea 2.3.9 for OpenJDK 7 Released!

Andii Hughes gnu_andrew at member.fsf.org
Sun Apr 21 17:36:01 PDT 2013


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

This release updates our OpenJDK 7 support to include the
latest security updates:

 * S6657673, CVE-2013-1518: Issues with JAXP
 * S7200507: Refactor Introspector internals
 * S8000724, CVE-2013-2417: Improve networking serialization
 * S8001031, CVE-2013-2419: Better font processing
 * S8001040, CVE-2013-1537: Rework RMI model
 * S8001322: Refactor deserialization
 * S8001329, CVE-2013-1557: Augment RMI logging
 * S8003335: Better handling of Finalizer thread
 * S8003445: Adjust JAX-WS to focus on API
 * S8003543, CVE-2013-2415: Improve processing of MTOM attachments
 * S8004261: Improve input validation
 * S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
 * S8004986, CVE-2013-2383: Better handling of glyph table
 * S8004987, CVE-2013-2384: Improve font layout
 * S8004994, CVE-2013-1569: Improve checking of glyph table
 * S8005432: Update access to JAX-WS
 * S8005943: (process) Improved Runtime.exec
 * S8006309: More reliable control panel operation
 * S8006435, CVE-2013-2424: Improvements in JMX
 * S8006790: Improve checking for windows
 * S8006795: Improve font warning messages
 * S8007406: Improve accessibility of AccessBridge
 * S8007617, CVE-2013-2420: Better validation of images
 * S8007667, CVE-2013-2430: Better image reading
 * S8007918, CVE-2013-2429: Better image writing
 * S8008140: Better method handle resolution
 * S8009049, CVE-2013-2436: Better method handle binding
 * S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
 * S8009305, CVE-2013-0401: Improve AWT data transfer
 * S8009677, CVE-2013-2423: Better setting of setters
 * S8009699, CVE-2013-2421: Methodhandle lookup
 * S8009814, CVE-2013-1488: Better driver management
 * S8009857, CVE-2013-2422: Problem with plugin

In addition, IcedTea includes the usual IcedTea patches to allow builds against
system libraries and to support more esoteric architectures.

If you find an issue with one of these releases, please report it at
http://icedtea.classpath.org/bugzilla under the appropriate component.
Development discussion takes place on distro-pkg-dev at openjdk.java.net
and patches are always welcome.

Full details of the releases can be found below.

What's New?
-----------
New in release 2.3.9 (2013-04-21):

* Security fixes
  - S6657673, CVE-2013-1518: Issues with JAXP
  - S7200507: Refactor Introspector internals
  - S8000724, CVE-2013-2417: Improve networking serialization
  - S8001031, CVE-2013-2419: Better font processing
  - S8001040, CVE-2013-1537: Rework RMI model
  - S8001322: Refactor deserialization
  - S8001329, CVE-2013-1557: Augment RMI logging
  - S8003335: Better handling of Finalizer thread
  - S8003445: Adjust JAX-WS to focus on API
  - S8003543, CVE-2013-2415: Improve processing of MTOM attachments
  - S8004261: Improve input validation
  - S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
  - S8004986, CVE-2013-2383: Better handling of glyph table
  - S8004987, CVE-2013-2384: Improve font layout
  - S8004994, CVE-2013-1569: Improve checking of glyph table
  - S8005432: Update access to JAX-WS
  - S8005943: (process) Improved Runtime.exec
  - S8006309: More reliable control panel operation
  - S8006435, CVE-2013-2424: Improvements in JMX
  - S8006790: Improve checking for windows
  - S8006795: Improve font warning messages
  - S8007406: Improve accessibility of AccessBridge
  - S8007617, CVE-2013-2420: Better validation of images
  - S8007667, CVE-2013-2430: Better image reading
  - S8007918, CVE-2013-2429: Better image writing
  - S8008140: Better method handle resolution
  - S8009049, CVE-2013-2436: Better method handle binding
  - S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
  - S8009305, CVE-2013-0401: Improve AWT data transfer
  - S8009677, CVE-2013-2423: Better setting of setters
  - S8009699, CVE-2013-2421: Methodhandle lookup
  - S8009814, CVE-2013-1488: Better driver management
  - S8009857, CVE-2013-2422: Problem with plugin
* Backports
  - S7130662, RH928500: GTK file dialog crashes with a NPE
* Bug fixes
  - PR1363: Fedora 19 / rawhide FTBFS SIGILL
  - PR1401: Fix Zero build on 2.3.8
  - Fix offset problem in ICU LETableReference.
  - Change -Werror fix to preserve OpenJDK default.
  - PR1404: Failure to bootstrap with ecj 4.2

The tarball can be downloaded from:
 
* http://icedtea.classpath.org/download/source/icedtea-2.3.9.tar.gz

SHA256 checksums:

7e1fdd4c53c9772337c971b6f6f8058dabd99d7f4c4fcc85c88d836c9005c6da  icedtea-2.3.9.tar.gz

Each tarball is accompanied by a digital signature (available at the
above URL + '.sig').  This is produced using my public key.  See
details below.

The following people helped with these releases:

* Martin Buchholz (-Werror fix)
* Andrew John Hughes (application of security fixes & backports, PR1401, PR1404)
* Roman Kennke (offset fix)
* Chris Phillips (PR1363 patch for ARM issue)

We would also like to thank the bug reporters and testers!
 
To get started:
$ tar xzf icedtea-2.3.9.tar.gz

Full build requirements and instructions are in INSTALL:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.3.9/configure [--with-parallel-jobs --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!

-- 
Andii :)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
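
Added example (not part of the original announcement, and not the IcedTea project's own tooling): one way to check the downloaded tarball against the SHA256 value and the signing-key fingerprint published above. The function names are hypothetical, and it assumes the signer's public key is already imported into the local GnuPG keyring and that icedtea-2.3.9.tar.gz.sig sits next to the tarball.

```shell
#!/bin/sh
# Values copied from the announcement above.
TARBALL=icedtea-2.3.9.tar.gz
EXPECTED_SHA256=7e1fdd4c53c9772337c971b6f6f8058dabd99d7f4c4fcc85c88d836c9005c6da
EXPECTED_FPR='EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07'

# Print the SHA-256 of a file as lowercase hex (coreutils or perl shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if the file's digest equals the published one.
sha256_matches() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Strip spaces and upper-case a fingerprint so both spellings compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` output on stdin. Succeed only if it reports GOODSIG
# (so an expired or revoked key fails) and a VALIDSIG line names the expected
# key, either as the signing key ($3) or as the primary key (last field).
status_signed_by() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { fpr_ok = 1 }
        END { exit !(good && fpr_ok) }'
}

# Full check: digest first, then a good signature made by the announced key.
verify_release() {
    sha256_matches "$1" "$EXPECTED_SHA256" || { echo "SHA256 mismatch" >&2; return 1; }
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
        status_signed_by "$EXPECTED_FPR" || { echo "bad or unexpected signature" >&2; return 1; }
    echo "$1: checksum and signature OK"
}

# Run the check only when the tarball has been downloaded here.
if [ -f "$TARBALL" ]; then verify_release "$TARBALL"; fi
```

Comparing the full 40-character fingerprint, rather than the short key ID 248BDC07, is what ties the signature to the key named in this message.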