[SECURITY] IcedTea6 1.12.1 Released!
Omair Majid
omajid at redhat.com
Mon Feb 4 16:37:33 PST 2013
The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.
A new security release is now available: 1.12.1.
The update contains the following security fixes:
* S6563318, CVE-2013-0424: RMI data sanitization
* S6664509, CVE-2013-0425: Add logging context
* S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
* S6776941, CVE-2013-0427: Improve thread pool shutdown
* S7141694, CVE-2013-0429: Improving CORBA internals
* S7173145: Improve in-memory representation of splashscreens
* S7186945: Unpack200 improvement
* S7186946: Refine unpacker resource usage
* S7186948: Improve Swing data validation
* S7186952, CVE-2013-0432: Improve clipboard access
* S7186954: Improve connection performance
* S7186957: Improve Pack200 data validation
* S7192392, CVE-2013-0443: Better validation of client keys
* S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
* S7192977, CVE-2013-0442: Issue in toolkit thread
* S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
* S7200491: Tighten up JTable layout code
* S7200500: Launcher better input validation
* S7201064: Better dialogue checking
* S7201066, CVE-2013-0441: Change modifiers on unused fields
* S7201068, CVE-2013-0435: Better handling of UI elements
* S7201070: Serialization to conform to protocol
* S7201071, CVE-2013-0433: InetSocketAddress serialization issue
* S8000210: Improve JarFile code quality
* S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
* S8000540, CVE-2013-1475: Improve IIOP type reuse management
* S8000631, CVE-2013-1476: Restrict access to class constructor
* S8001235, CVE-2013-0434: Improve JAXP HTTP handling
* S8001242: Improve RMI HTTP conformance
* S8001307: Modify ACC_SUPER behavior
* S8001972, CVE-2013-1478: Improve image processing
* S8002325, CVE-2013-1480: Improve management of images
Full details can be found below.
What's New
__________
New in release 1.12.1 (2012-02-04):
* Security fixes
- S6563318, CVE-2013-0424: RMI data sanitization
- S6664509, CVE-2013-0425: Add logging context
- S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
- S6776941, CVE-2013-0427: Improve thread pool shutdown
- S7141694, CVE-2013-0429: Improving CORBA internals
- S7173145: Improve in-memory representation of splashscreens
- S7186945: Unpack200 improvement
- S7186946: Refine unpacker resource usage
- S7186948: Improve Swing data validation
- S7186952, CVE-2013-0432: Improve clipboard access
- S7186954: Improve connection performance
- S7186957: Improve Pack200 data validation
- S7192392, CVE-2013-0443: Better validation of client keys
- S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
- S7192977, CVE-2013-0442: Issue in toolkit thread
- S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
- S7200491: Tighten up JTable layout code
- S7200500: Launcher better input validation
- S7201064: Better dialogue checking
- S7201066, CVE-2013-0441: Change modifiers on unused fields
- S7201068, CVE-2013-0435: Better handling of UI elements
- S7201070: Serialization to conform to protocol
- S7201071, CVE-2013-0433: InetSocketAddress serialization issue
- S8000210: Improve JarFile code quality
- S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
- S8000540, CVE-2013-1475: Improve IIOP type reuse management
- S8000631, CVE-2013-1476: Restrict access to class constructor
- S8001235, CVE-2013-0434: Improve JAXP HTTP handling
- S8001242: Improve RMI HTTP conformance
- S8001307: Modify ACC_SUPER behavior
- S8001972, CVE-2013-1478: Improve image processing
- S8002325, CVE-2013-1480: Improve management of images
* Backports
- S7010849: 5/5 Extraneous javac source/target options when building sa-jdi
The tarball can be downloaded from:
* http://icedtea.classpath.org/download/source/icedtea6-1.12.1.tar.gz
SHA256 checksum:
8e73a3939ba8c2cca888defc6c90811c959273a9bc7bd1352338a72cefcf1157 icedtea6-1.12.1.tar.gz
Each tarball is accompanied by a digital signature (available at the
above URL + '.sig'). This is produced using my public key. See
details below.
The following people helped with these releases:
* Andrew John Hughes (applying all security patches & backports, release testing)
* Omair Majid (identification of ordering issues with security patches, porting security patches to 1.12)
We would also like to thank the bug reporters and testers!
To get started:
$ tar xf icedtea6-1.12.1.tar.gz
Full build requirements and instructions are in INSTALL:
$ mkdir icedtea6-build
$ cd icedtea6-build
$ ../icedtea6-1.12.1/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make
Happy hacking!
--
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95 0056 F286 F14F 6648 4681
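Added example (not part of the original announcement or of the IcedTea project's own tooling): a shell script that checks the downloaded tarball against the SHA256 checksum and the full key fingerprint given above before it is unpacked. It assumes GNU sha256sum and gpg are installed and that the signer's public key has already been imported into the local keyring; the function names are illustrative.

```sh
#!/bin/sh
# Added example: check the IcedTea6 1.12.1 tarball before unpacking it.
# Values below are copied from the announcement; function names are illustrative.
TARBALL=icedtea6-1.12.1.tar.gz
EXPECTED_SHA256=8e73a3939ba8c2cca888defc6c90811c959273a9bc7bd1352338a72cefcf1157
# Announced fingerprint with the spaces removed (the full 40 hex digits, not
# the 8-digit key ID, which is too short to identify a key uniquely).
EXPECTED_FPR=F072555B0A1739574E950056F286F14F66484681

# sha256_matches FILE HEX: succeed only if FILE's SHA-256 digest equals HEX.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# signed_by FPR: read `gpg --status-fd 1 --verify ...` output on stdin and
# succeed only if a VALIDSIG line names FPR as the signing key (field 3) or
# as the primary key (last field). Appending "" forces string comparison.
signed_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            ($3 "" == want "" || $NF "" == want "") { ok = 1 }
        END { exit !ok }'
}

# Fails closed: a missing file, missing gpg, or unknown key all return 1.
verify_release() {
    sha256_matches "$TARBALL" "$EXPECTED_SHA256" || {
        echo "checksum mismatch: $TARBALL" >&2
        return 1
    }
    gpg --status-fd 1 --verify "$TARBALL.sig" "$TARBALL" 2>/dev/null |
        signed_by "$EXPECTED_FPR" || {
        echo "no valid signature from $EXPECTED_FPR" >&2
        return 1
    }
    echo "OK: $TARBALL"
}

# Run the check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "verify" ]; then
    verify_release
fi
```

Run it as `sh verify.sh verify` in the directory holding the tarball and its `.sig` file, and unpack only if it prints OK.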