[SECURITY] IcedTea7 2.3.6 Released!

Andrew John Hughes gnu_andrew at member.fsf.org
Tue Feb 12 09:00:13 PST 2013


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

This release updates our OpenJDK7 support to include the latest security
update just released:

 * S6563318, CVE-2013-0424: RMI data sanitization
 * S6664509, CVE-2013-0425: Add logging context
 * S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
 * S6776941, CVE-2013-0427: Improve thread pool shutdown
 * S7141694, CVE-2013-0429: Improving CORBA internals
 * S7173145: Improve in-memory representation of splashscreens
 * S7186945: Unpack200 improvement
 * S7186946: Refine unpacker resource usage
 * S7186948: Improve Swing data validation
 * S7186952, CVE-2013-0432: Improve clipboard access
 * S7186954: Improve connection performance
 * S7186957: Improve Pack200 data validation
 * S7192392, CVE-2013-0443: Better validation of client keys
 * S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
 * S7192977, CVE-2013-0442: Issue in toolkit thread
 * S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
 * S7200491: Tighten up JTable layout code
 * S7200493, CVE-2013-0444: Improve cache handling
 * S7200499: Better data validation for options
 * S7200500: Launcher better input validation
 * S7201064: Better dialogue checking
 * S7201066, CVE-2013-0441: Change modifiers on unused fields
 * S7201068, CVE-2013-0435: Better handling of UI elements
 * S7201070: Serialization to conform to protocol
 * S7201071, CVE-2013-0433: InetSocketAddress serialization issue
 * S8000210: Improve JarFile code quality
 * S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
 * S8000539, CVE-2013-0431: Introspect JMX data handling
 * S8000540, CVE-2013-1475: Improve IIOP type reuse management
 * S8000631, CVE-2013-1476: Restrict access to class constructor
 * S8001235, CVE-2013-0434: Improve JAXP HTTP handling
 * S8001242: Improve RMI HTTP conformance
 * S8001307: Modify ACC_SUPER behavior
 * S8001972, CVE-2013-1478: Improve image processing
 * S8002325, CVE-2013-1480: Improve management of images

This release has been delayed because the original patches supplied to
us by Oracle introduced a number of regressions which were not resolved
until fixes were made available over a week later in the OpenJDK 7u-dev
repository.  Most notably, building with OpenJDK6 was broken and we felt
it unwise to ship in this state.

The regressions are as follows:

 * S8002068: Build broken: corba code changes unable to use new JDK 7 classes
 * S8004341: Two JCK tests fails with 7u11 b06
 * S8005615: Java Logger fails to load tomcat logger implementation (JULI)

Given the delay, we have also taken the opportunity to sync the repository with
the upstream 7u-dev repository [1] at the tag "jdk7u13-b20".  Oracle
have continually omitted providing branches for security releases.  Only the
releases developed in the open (u2, u4 and u6) have branches and apparently
the goal of 7u to 'develop updates' does not include developing 'security updates'
as one would naturally assume [2].  However, it has become clear that there must
be such a branch internally as the security patches are pulled into the 7u
repository and merged with its current state.  Thus, although it is not possible
to work on top of 7u13-b20 in the 7u trees (as the merge and later fixes are piled
on top), we can pull just that tag and retrieve just the changesets we need without
the ones destined for u8/u12/u14/whatever it's called next week.

In short, examining the changesets resulting from "hg in -r jdk7u13-b20" showed
that there were no major changes in there, just a few fixes believed to be included
in u10 and upstream versions of the security patches.  So we've included these
changesets in this release in the hope of bringing something closer to u13 in
IcedTea7 2.3.6, though obviously we can't make any guarantees about how the two
compare as the code of u13 is proprietary.

In addition, IcedTea includes the usual IcedTea patches to allow builds against
system libraries and to support more esoteric architectures.

If you find an issue with one of these releases, please report it at
http://icedtea.classpath.org/bugzilla under the appropriate component.
Development discussion takes place on distro-pkg-dev at openjdk.java.net
and patches are always welcome.

Full details of the release can be found below.  Note that 2.3.5 was tagged
in the forest and used by Fedora, but ended up being a forest-only release
after the regressions were found.

What's New?
-----------
New in release 2.3.6 (2013-02-12):

* Security fixes
  - S6563318, CVE-2013-0424: RMI data sanitization
  - S6664509, CVE-2013-0425: Add logging context
  - S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
  - S6776941, CVE-2013-0427: Improve thread pool shutdown
  - S7141694, CVE-2013-0429: Improving CORBA internals
  - S7173145: Improve in-memory representation of splashscreens
  - S7186945: Unpack200 improvement
  - S7186946: Refine unpacker resource usage
  - S7186948: Improve Swing data validation
  - S7186952, CVE-2013-0432: Improve clipboard access
  - S7186954: Improve connection performance
  - S7186957: Improve Pack200 data validation
  - S7192392, CVE-2013-0443: Better validation of client keys
  - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
  - S7192977, CVE-2013-0442: Issue in toolkit thread
  - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
  - S7200491: Tighten up JTable layout code
  - S7200493, CVE-2013-0444: Improve cache handling
  - S7200499: Better data validation for options
  - S7200500: Launcher better input validation
  - S7201064: Better dialogue checking
  - S7201066, CVE-2013-0441: Change modifiers on unused fields
  - S7201068, CVE-2013-0435: Better handling of UI elements
  - S7201070: Serialization to conform to protocol
  - S7201071, CVE-2013-0433: InetSocketAddress serialization issue
  - S8000210: Improve JarFile code quality
  - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
  - S8000539, CVE-2013-0431: Introspect JMX data handling
  - S8000540, CVE-2013-1475: Improve IIOP type reuse management
  - S8000631, CVE-2013-1476: Restrict access to class constructor
  - S8001235, CVE-2013-0434: Improve JAXP HTTP handling
  - S8001242: Improve RMI HTTP conformance
  - S8001307: Modify ACC_SUPER behavior
  - S8001972, CVE-2013-1478: Improve image processing
  - S8002325, CVE-2013-1480: Improve management of images
* Backports
  - S7057320: test/java/util/concurrent/Executors/AutoShutdown.java failing intermittently
  - S7083664: TEST_BUG: test hard code of using c:/temp but this dir might not exist
  - S7107613: scalability blocker in javax.crypto.CryptoPermissions
  - S7107616: scalability blocker in javax.crypto.JceSecurityManager
  - S7146424: Wildcard expansion for single entry classpath
  - S7160609: [macosx] JDK crash in libjvm.dylib ( C [GeForceGLDriver+0x675a] gldAttachDrawable+0x941)
  - S7160951: [macosx] ActionListener called twice for JMenuItem using ScreenMenuBar
  - S7162488: VM not printing unknown -XX options
  - S7169395: Exception throws due to the changes in JDK 7 object tranversal and break backward compatibility
  - S7175616: Port fix for TimeZone from JDK 8 to JDK 7
  - S7176485: (bf) Allow temporary buffer cache to grow to IOV_MAX
  - S7179908: Fork hs23.3 hsx from hs22.2 for jdk7u7 and reinitialize build number
  - S7184326: TEST_BUG: java/awt/Frame/7024749/bug7024749.java has a typo
  - S7185245: Licensee source bundle tries to compile JFR
  - S7185471: Avoid key expansion when AES cipher is re-init w/ the same key
  - S7186371: [macosx] Main menu shortcuts not displayed (7u6 regression)
  - S7187834: [macosx] Usage of private API in macosx 2d implementation causes Apple Store rejection
  - S7188114: (launcher) need an alternate command line parser for Windows
  - S7189136: Fork hs23.5 hsx from hs23.4 for jdk7u9 and reinitialize build number
  - S7189350: Fix failed for CR 7162144
  - S7190550: REGRESSION: Some closed/com/oracle/jfr/api tests fail to compile becuse of fix 7185245
  - S7193219: JComboBox serialization fails in JDK 1.7
  - S7193977: REGRESSION:Java 7's JavaBeans persistence ignoring the "transient" flag on properties
  - S7195106: REGRESSION : There is no way to get Icon inf, once Softreference is released
  - S7195301: XML Signature DOM implementation should not use instanceof to determine type of Node
  - S7195931: UnsatisfiedLinkError on PKCS11.C_GetOperationState while using NSS from jre7u6+
  - S7197071: Makefiles for various security providers aren't including the default manifest.
  - S7197652: Impossible to run any signed JNLP applications or applets, OCSP off by default
  - S7198146: Another new regression test does not compile on windows-amd64
  - S7198570: (tz) Support tzdata2012f
  - S7198640: new hotspot build - hs23.6-b04
  - S7199488: [TEST] runtime/7158800/InternTest.java failed due to false-positive on PID match.
  - S7199645: Increment build # of hs23.5 to b02
  - S7199669: Update tags in .hgtags file for CPU release rename
  - S7200720: crash in net.dll during NTLM authentication
  - S7200742: (se) Selector.select does not block when starting Coherence (sol11u1)
  - S7200762: [macosx] Stuck in sun.java2d.opengl.CGLGraphicsConfig.getMaxTextureSize(Native Method)
  - S8000285: Deadlock between PostEventQueue.noEvents, EventQueue.isDispatchThread and SwingUtilities.invokeLater
  - S8000286: [macosx] Views keep scrolling back to the drag position after DnD
  - S8000297: REGRESSION: closed/java/awt/EventQueue/PostEventOrderingTest.java fails
  - S8000307: Jre7cert: focusgained does not get called for all focus req when do alt + tab
  - S8000822: Fork hs23.7 hsx from hs23.6 for jdk7u11 and reinitialize build number
  - S8001124: jdk7u ProblemList.txt updates (10/2012)
  - S8001242: Improve RMI HTTP conformance
  - S8001808: Create a test for 8000327
  - S8001876: Create regtest for 8000283
  - S8002068: Build broken: corba code changes unable to use new JDK 7 classes
  - S8002091: tools/launcher/ToolsOpts.java test started to fail since 7u11 b01 on Windows
  - S8002114: fix failed for JDK-7160951: [macosx] ActionListener called twice for JMenuItem using ScreenMenuBar
  - S8002225: (tz) Support tzdata2012i
  - S8003402: (dc) test/java/nio/channels/DatagramChannel/SendToUnresovled.java failing after 7u11 cleanup issues
  - S8003403: Test ShortRSAKeyWithinTLS and ClientJSSEServerJSSE failing after 7u11 cleanup
  - S8003948: NTLM/Negotiate authentication problem
  - S8004175: Restricted packages added in java.security are missing in java.security-{macosx, solaris, windows}
  - S8004302: javax/xml/soap/Test7013971.java fails since jdk6u39b01
  - S8004341: Two JCK tests fails with 7u11 b06
  - S8005615: Java Logger fails to load tomcat logger implementation (JULI)
* Bug fixes
  - Fix build using Zero's HotSpot so all patches apply again.
  - PR1295: jamvm parallel unpack failure

The tarballs can be downloaded from:
 
* http://icedtea.classpath.org/download/source/icedtea-2.3.6.tar.gz

SHA256 checksums:

f55f2f2e5cdfa8b0429eaa56b4ecba7d63c701e867dbb636883c03cd8e64f4f9  icedtea-2.3.6.tar.gz

Each tarball is accompanied by a digital signature (available at the
above URL + '.sig').  This is produced using my public key.  See
details below.
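As an added example (not part of the IcedTea release or its build tooling), the following POSIX shell script checks a downloaded tarball against the SHA256 line above and then against the detached signature at the tarball URL + '.sig', accepting the signature only if it was made by the key whose fingerprint appears at the end of this message. It assumes sha256sum (coreutils) or shasum (perl) is installed and, for the signature step, that gpg is present with the signer's public key already imported; the file used in the demo at the bottom is constructed for the example, not a real tarball.

```shell
#!/bin/sh
# Added example, not part of IcedTea or its build tooling: verify a downloaded
# release tarball against the SHA256 line from the announcement, then against
# the detached PGP signature published at the tarball URL + '.sig'.
# Assumptions: sha256sum (coreutils) or shasum (perl) is installed; gpg is
# needed only for check_signature, and the signer's public key must already be
# in the keyring (fetched and fingerprint-checked out of band).

# Checksum line exactly as published in the announcement ("<digest>  <file>").
ICEDTEA_SHA256_LINE='f55f2f2e5cdfa8b0429eaa56b4ecba7d63c701e867dbb636883c03cd8e64f4f9  icedtea-2.3.6.tar.gz'
# Fingerprint of the signing key from the announcement, spaces removed.
ICEDTEA_SIGNER_FPR='EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07'

# Split a "<digest>  <filename>" line into its two fields.
digest_of_line()   { printf '%s\n' "$1" | awk '{print $1}'; }
filename_of_line() { printf '%s\n' "$1" | awk '{print $2}'; }

# Lowercase hex SHA-256 of a file, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# check_sha256 FILE EXPECTED: succeed only on an exact 64-hex-digit match.
# A truncated digest is refused outright rather than prefix-matched, and the
# comparison is case-insensitive so an upper-case copy of the digest still works.
check_sha256() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "${#expected}" -ne 64 ]; then
    echo "refusing to compare: expected digest is not 64 hex characters" >&2
    return 1
  fi
  [ "$(sha256_of "$1")" = "$expected" ]
}

# check_signature FILE SIGFILE FINGERPRINT: a plain 'gpg --verify' exit status
# only says "some key in the keyring signed this", so parse the machine-readable
# VALIDSIG status line (signing-subkey fingerprint first, primary fingerprint
# last) and require the expected fingerprint to appear in it.
check_signature() {
  if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; signature check skipped" >&2
    return 2
  fi
  gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
    | grep '^\[GNUPG:\] VALIDSIG ' | grep -qw "$3"
}

# verify_release DIR: run both checks on the tarball named in the checksum line.
# Returns 0 on success, 1 on a checksum or signature failure, 2 if gpg is absent.
verify_release() {
  file="$1/$(filename_of_line "$ICEDTEA_SHA256_LINE")"
  check_sha256 "$file" "$(digest_of_line "$ICEDTEA_SHA256_LINE")" \
    || { echo "checksum mismatch or missing file: $file" >&2; return 1; }
  check_signature "$file" "$file.sig" "$ICEDTEA_SIGNER_FPR"
}

# Constructed demo (no network): a stand-in file whose SHA-256 is known
# ("hello\n"), a tampered copy that must be rejected, and a truncated digest.
demo() {
  dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
  known='5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'
  printf 'hello\n'  > "$dir/sample.tar.gz"
  printf 'hello!\n' > "$dir/tampered.tar.gz"
  check_sha256 "$dir/sample.tar.gz" "$known"   && echo "OK: sample.tar.gz matches"
  check_sha256 "$dir/tampered.tar.gz" "$known" || echo "REJECTED: tampered.tar.gz"
  check_sha256 "$dir/sample.tar.gz" 5891b5b5    || echo "REJECTED: truncated digest"
}
demo
```

The checksum alone only detects a corrupted or swapped download, since it is published in the same message that links the tarball; authenticity comes from the signature check, and only if the fingerprint it is compared against was obtained somewhere other than the download site. For a real release, run `verify_release /path/to/download/dir` after placing icedtea-2.3.6.tar.gz and icedtea-2.3.6.tar.gz.sig there.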

The following people helped with these releases:

* Andrew John Hughes (application of security fixes & backports, creation & testing of bug fixes, release management)

We would also like to thank the bug reporters and testers!
 
To get started:

$ tar xzf icedtea-2.3.6.tar.gz
 
Full build requirements and instructions are in INSTALL:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.3.6/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07