[SECURITY] IcedTea 2.1.5 & 2.2.5 Released!

Andrew John Hughes gnu.andrew at member.fsf.org
Wed Feb 13 16:32:30 PST 2013


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

These releases update our older OpenJDK7 support to include the
latest security updates just released:

 * S6563318, CVE-2013-0424: RMI data sanitization
 * S6664509, CVE-2013-0425: Add logging context
 * S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
 * S6776941, CVE-2013-0427: Improve thread pool shutdown
 * S7141694, CVE-2013-0429: Improving CORBA internals
 * S7173145: Improve in-memory representation of splashscreens
 * S7186945: Unpack200 improvement
 * S7186946: Refine unpacker resource usage
 * S7186948: Improve Swing data validation
 * S7186952, CVE-2013-0432: Improve clipboard access
 * S7186954: Improve connection performance
 * S7186957: Improve Pack200 data validation
 * S7192392, CVE-2013-0443: Better validation of client keys
 * S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
 * S7192977, CVE-2013-0442: Issue in toolkit thread
 * S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
 * S7200491: Tighten up JTable layout code
 * S7200493, CVE-2013-0444: Improve cache handling
 * S7200499: Better data validation for options
 * S7200500: Launcher better input validation
 * S7201064: Better dialogue checking
 * S7201066, CVE-2013-0441: Change modifiers on unused fields
 * S7201068, CVE-2013-0435: Better handling of UI elements
 * S7201070: Serialization to conform to protocol
 * S7201071, CVE-2013-0433: InetSocketAddress serialization issue
 * S8000210: Improve JarFile code quality
 * S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
 * S8000539, CVE-2013-0431: Introspect JMX data handling
 * S8000540, CVE-2013-1475: Improve IIOP type reuse management
 * S8000631, CVE-2013-1476: Restrict access to class constructor
 * S8001235, CVE-2013-0434: Improve JAXP HTTP handling
 * S8001242: Improve RMI HTTP conformance
 * S8001307: Modify ACC_SUPER behavior
 * S8001972, CVE-2013-1478: Improve image processing
 * S8002325, CVE-2013-1480: Improve management of images

In addition, IcedTea includes the usual IcedTea patches to allow builds against
system libraries and to support more esoteric architectures.

If you find an issue with one of these releases, please report it at
http://icedtea.classpath.org/bugzilla under the appropriate component.
Development discussion takes place on distro-pkg-dev at openjdk.java.net
and patches are always welcome.

Full details of the releases can be found below.

Note that this will be the last release in the 2.2.x series with 2.4.0
being imminent.  The 2.1.x series will unfortunately have to be supported
until the ARM32 port is moved to a newer release, but we hope this won't
be for much longer.

What's New?
-----------
New in release 2.1.5 (2013-02-13):

* Security fixes
  - S6563318, CVE-2013-0424: RMI data sanitization
  - S6664509, CVE-2013-0425: Add logging context
  - S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
  - S6776941, CVE-2013-0427: Improve thread pool shutdown
  - S7141694, CVE-2013-0429: Improving CORBA internals
  - S7173145: Improve in-memory representation of splashscreens
  - S7186945: Unpack200 improvement
  - S7186946: Refine unpacker resource usage
  - S7186948: Improve Swing data validation
  - S7186952, CVE-2013-0432: Improve clipboard access
  - S7186954: Improve connection performance
  - S7186957: Improve Pack200 data validation
  - S7192392, CVE-2013-0443: Better validation of client keys
  - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
  - S7192977, CVE-2013-0442: Issue in toolkit thread
  - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
  - S7200491: Tighten up JTable layout code
  - S7200493, CVE-2013-0444: Improve cache handling
  - S7200499: Better data validation for options
  - S7200500: Launcher better input validation
  - S7201064: Better dialogue checking
  - S7201066, CVE-2013-0441: Change modifiers on unused fields
  - S7201068, CVE-2013-0435: Better handling of UI elements
  - S7201070: Serialization to conform to protocol
  - S7201071, CVE-2013-0433: InetSocketAddress serialization issue
  - S8000210: Improve JarFile code quality
  - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
  - S8000539, CVE-2013-0431: Introspect JMX data handling
  - S8000540, CVE-2013-1475: Improve IIOP type reuse management
  - S8000631, CVE-2013-1476: Restrict access to class constructor
  - S8001235, CVE-2013-0434: Improve JAXP HTTP handling
  - S8001242: Improve RMI HTTP conformance
  - S8001307: Modify ACC_SUPER behavior
  - S8001972, CVE-2013-1478: Improve image processing
  - S8002325, CVE-2013-1480: Improve management of images
* Backports
  - S7054590: (JSR-292) MethodHandleProxies.asInterfaceInstance() accepts private/protected nested interfaces
  - S7175616: Port fix for TimeZone from JDK 8 to JDK 7
  - S8002068: Build broken: corba code changes unable to use new JDK 7 classes
  - S8004341: Two JCK tests fails with 7u11 b06
  - S8005615: Java Logger fails to load tomcat logger implementation (JULI)

New in release 2.2.5 (2013-02-13):

* Security fixes
  - S6563318, CVE-2013-0424: RMI data sanitization
  - S6664509, CVE-2013-0425: Add logging context
  - S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
  - S6776941, CVE-2013-0427: Improve thread pool shutdown
  - S7141694, CVE-2013-0429: Improving CORBA internals
  - S7173145: Improve in-memory representation of splashscreens
  - S7186945: Unpack200 improvement
  - S7186946: Refine unpacker resource usage
  - S7186948: Improve Swing data validation
  - S7186952, CVE-2013-0432: Improve clipboard access
  - S7186954: Improve connection performance
  - S7186957: Improve Pack200 data validation
  - S7192392, CVE-2013-0443: Better validation of client keys
  - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
  - S7192977, CVE-2013-0442: Issue in toolkit thread
  - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
  - S7200491: Tighten up JTable layout code
  - S7200493, CVE-2013-0444: Improve cache handling
  - S7200499: Better data validation for options
  - S7200500: Launcher better input validation
  - S7201064: Better dialogue checking
  - S7201066, CVE-2013-0441: Change modifiers on unused fields
  - S7201068, CVE-2013-0435: Better handling of UI elements
  - S7201070: Serialization to conform to protocol
  - S7201071, CVE-2013-0433: InetSocketAddress serialization issue
  - S8000210: Improve JarFile code quality
  - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
  - S8000539, CVE-2013-0431: Introspect JMX data handling
  - S8000540, CVE-2013-1475: Improve IIOP type reuse management
  - S8000631, CVE-2013-1476: Restrict access to class constructor
  - S8001235, CVE-2013-0434: Improve JAXP HTTP handling
  - S8001242: Improve RMI HTTP conformance
  - S8001307: Modify ACC_SUPER behavior
  - S8001972, CVE-2013-1478: Improve image processing
  - S8002325, CVE-2013-1480: Improve management of images
* Backports
  - S7175616: Port fix for TimeZone from JDK 8 to JDK 7
  - S8002068: Build broken: corba code changes unable to use new JDK 7 classes
  - S8004341: Two JCK tests fails with 7u11 b06
  - S8005615: Java Logger fails to load tomcat logger implementation (JULI)

The tarballs can be downloaded from:
 
* http://icedtea.classpath.org/download/source/icedtea-2.1.5.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.2.5.tar.gz

SHA256 checksums:

f8144e370379371d5d4db6955b43b371f4fa8a99a9dca404995a12af21d46974  icedtea-2.1.5.tar.gz
cf79e99c1a8ad8d0dcc1ef66c30a776d159ab4a64290d9c1affa0e304ba2e7b5  icedtea-2.2.5.tar.gz

Each tarball is accompanied by a digital signature (available at the
above URL + '.sig').  This is produced using my public key.  See
details below.

The following people helped with these releases:

* Andrew John Hughes (application of security fixes & backports, release management)

We would also like to thank the bug reporters and testers!
 
To get started:

$ tar xzf icedtea-${version}.tar.gz

where ${version} is the version of IcedTea being used.
 
Full build requirements and instructions are in INSTALL:

$ ../icedtea-${version}/configure [--with-parallel-jobs --enable-pulse-java --enable-systemtap ...]
$ make
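
Before unpacking and building, a downloaded tarball should be checked against
the SHA256 listed above and against its detached '.sig' signature.  The script
below is an added example for this mail, not part of the IcedTea tree or the
release process itself.  It assumes coreutils 'sha256sum' (or 'shasum' on
macOS/BSD) and 'gpg' are installed, that the signing key 248BDC07 has already
been imported into the local keyring, and that the expected digest is passed
on the command line, copied from the announcement.

```shell
#!/bin/sh
# Added example (not from the IcedTea release mail or the IcedTea tree):
# verify an IcedTea tarball's SHA256 and detached PGP signature before
# unpacking and building it.
# Assumptions: sha256sum or shasum is available; gpg is installed and the
# release signing key (248BDC07) has been imported; the expected digest is the
# one printed in the announcement.

# Portable SHA256 of a file: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> 0 if the digest matches, 1 otherwise.
# The expected value is lowercased so a digest pasted in upper case still
# compares equal; all 64 hex characters must match.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# verify_signature TARBALL -> 0 if TARBALL.sig is a good signature made by a
# key in the local keyring, non-zero otherwise (missing .sig, bad signature,
# or unknown key).  gpg reports on stderr; only the exit status is used here.
verify_signature() {
    gpg --verify "$1.sig" "$1" >/dev/null 2>&1
}

# check_release TARBALL EXPECTED_SHA256 -> 0 only if both checks pass.
# The checksum is tested first because it is cheap and catches a corrupt or
# truncated download; the signature is still required, since a tampered
# tarball can be served together with a matching, attacker-chosen checksum.
check_release() {
    tarball=$1
    expected=$2
    if [ ! -f "$tarball" ]; then
        echo "no such file: $tarball" >&2
        return 1
    fi
    if ! verify_sha256 "$tarball" "$expected"; then
        echo "SHA256 mismatch for $tarball" >&2
        return 1
    fi
    if ! verify_signature "$tarball"; then
        echo "bad or missing PGP signature for $tarball" >&2
        return 1
    fi
    echo "$tarball: checksum and signature OK"
}

# Usage: sh verify-icedtea.sh icedtea-2.2.5.tar.gz <sha256-from-announcement>
# Only then: tar xzf, configure, make.
if [ "$#" -eq 2 ]; then
    check_release "$1" "$2"
fi
```

Run it as 'sh verify-icedtea.sh icedtea-2.2.5.tar.gz cf79e99c...' with the
full digest from the list above; a non-zero exit means the tarball must not be
built.  Note that 'gpg --verify' only proves the signature was made by a key in
your keyring: check the key's fingerprint against the one in the signature
block below before trusting it.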

Happy hacking!
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07