[SECURITY] IcedTea6 1.11.6 Released!

Andrew John Hughes gnu.andrew at redhat.com
Sun Feb 3 10:30:28 PST 2013


The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

A new security release is now available: 1.11.6.  An update for the
recent release, 1.12.1, will follow shortly.
 
The update contains the following security fixes:
 
 * S6563318, CVE-2013-0424: RMI data sanitization
 * S6664509, CVE-2013-0425: Add logging context
 * S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
 * S6776941, CVE-2013-0427: Improve thread pool shutdown
 * S7141694, CVE-2013-0429: Improving CORBA internals
 * S7173145: Improve in-memory representation of splashscreens
 * S7186945: Unpack200 improvement
 * S7186946: Refine unpacker resource usage
 * S7186948: Improve Swing data validation
 * S7186952, CVE-2013-0432: Improve clipboard access
 * S7186954: Improve connection performance
 * S7186957: Improve Pack200 data validation
 * S7192392, CVE-2013-0443: Better validation of client keys
 * S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
 * S7192977, CVE-2013-0442: Issue in toolkit thread
 * S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
 * S7200491: Tighten up JTable layout code
 * S7200500: Launcher better input validation
 * S7201064: Better dialogue checking
 * S7201066, CVE-2013-0441: Change modifiers on unused fields
 * S7201068, CVE-2013-0435: Better handling of UI elements
 * S7201070: Serialization to conform to protocol
 * S7201071, CVE-2013-0433: InetSocketAddress serialization issue
 * S8000210: Improve JarFile code quality
 * S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
 * S8000540, CVE-2013-1475: Improve IIOP type reuse management
 * S8000631, CVE-2013-1476: Restrict access to class constructor
 * S8001235, CVE-2013-0434: Improve JAXP HTTP handling
 * S8001242: Improve RMI HTTP conformance
 * S8001307: Modify ACC_SUPER behavior
 * S8001972, CVE-2013-1478: Improve image processing
 * S8002325, CVE-2013-1480: Improve management of images

Full details can be found below.

What's New?
-----------

New in release 1.11.6 (2012-02-03):

* Security fixes
  - S6563318, CVE-2013-0424: RMI data sanitization
  - S6664509, CVE-2013-0425: Add logging context
  - S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
  - S6776941, CVE-2013-0427: Improve thread pool shutdown
  - S7141694, CVE-2013-0429: Improving CORBA internals
  - S7173145: Improve in-memory representation of splashscreens
  - S7186945: Unpack200 improvement
  - S7186946: Refine unpacker resource usage
  - S7186948: Improve Swing data validation
  - S7186952, CVE-2013-0432: Improve clipboard access
  - S7186954: Improve connection performance
  - S7186957: Improve Pack200 data validation
  - S7192392, CVE-2013-0443: Better validation of client keys
  - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
  - S7192977, CVE-2013-0442: Issue in toolkit thread
  - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
  - S7200491: Tighten up JTable layout code
  - S7200500: Launcher better input validation
  - S7201064: Better dialogue checking
  - S7201066, CVE-2013-0441: Change modifiers on unused fields
  - S7201068, CVE-2013-0435: Better handling of UI elements
  - S7201070: Serialization to conform to protocol
  - S7201071, CVE-2013-0433: InetSocketAddress serialization issue
  - S8000210: Improve JarFile code quality
  - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
  - S8000540, CVE-2013-1475: Improve IIOP type reuse management
  - S8000631, CVE-2013-1476: Restrict access to class constructor
  - S8001235, CVE-2013-0434: Improve JAXP HTTP handling
  - S8001242: Improve RMI HTTP conformance
  - S8001307: Modify ACC_SUPER behavior
  - S8001972, CVE-2013-1478: Improve image processing
  - S8002325, CVE-2013-1480: Improve management of images
* Backports
  - S7010849: 5/5 Extraneous javac source/target options when building sa-jdi

The tarball can be downloaded from:
 
* http://icedtea.classpath.org/download/source/icedtea6-1.11.6.tar.gz

SHA256 checksum:

1d4efe74bf8902c6682512ddb3cf71620e4fe107d1fb364b71453b551860fcca  icedtea6-1.11.6.tar.gz

Each tarball is accompanied by a digital signature (available at the
above URL + '.sig').  This is produced using my public key.  See
details below.

The following people helped with these releases:

* Andrew John Hughes (applying all security patches & backports, release management)
* Omair Majid (identification of ordering issues with security patches)

We would also like to thank the bug reporters and testers!
 
To get started:

$ tar xzf icedtea6-1.11.6.tar.gz
 
Full build requirements and instructions are in INSTALL:

$ mkdir icedtea6-build
$ cd icedtea6-build
$ ../icedtea6-1.11.6/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make
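Before the `tar xzf` step above, a practitioner would check the tarball against the SHA256 and the detached signature announced in this mail. The following POSIX shell script is an added example, not part of the announcement; it uses the checksum, URL suffix and key fingerprint published above and assumes gpg plus sha256sum (or shasum) are installed and the announced public key has already been imported:

```shell
#!/bin/sh
# Added example: verify the IcedTea6 1.11.6 tarball before unpacking it.
# The checksum and fingerprint are the values from the announcement;
# the ".sig" file is the detached signature published beside the tarball.

TARBALL="icedtea6-1.11.6.tar.gz"
EXPECTED_SHA256="1d4efe74bf8902c6682512ddb3cf71620e4fe107d1fb364b71453b551860fcca"
# Announced fingerprint with the spaces removed, as gpg prints it.
EXPECTED_FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"

# Print the SHA256 hex digest of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest equals the expected one, 1 otherwise.
check_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Return 0 only if gpg reports VALIDSIG for the announced fingerprint.
# A "good" signature made by some other key is rejected, so an attacker
# substituting their own key and signature does not pass this check.
check_signature() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $2 "
}

# Verify both properties, then unpack. Call this after downloading the
# tarball and its .sig into the current directory.
verify_and_unpack() {
    check_sha256 "$TARBALL" "$EXPECTED_SHA256" \
        || { echo "checksum mismatch for $TARBALL" >&2; return 1; }
    check_signature "$TARBALL" "$EXPECTED_FPR" \
        || { echo "signature missing, bad, or from an unexpected key" >&2; return 1; }
    tar xzf "$TARBALL"
}
```

Run `verify_and_unpack` once the tarball and its `.sig` are in the working directory; the script deliberately does nothing on its own so it can be sourced safely.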

Happy hacking!
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07