[SECURITY] IcedTea 2.1.6, 2.2.6 & 2.3.7 for OpenJDK 7 Released!

Andrew John Hughes gnu_andrew at member.fsf.org
Wed Feb 20 10:12:23 PST 2013


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

A new set of security releases is now available for the OpenJDK 7
series: 2.1.6, 2.2.6 & 2.3.7. These contain the following security fixes:

 * S8004937, CVE-2013-1484: Improve proxy construction
 * S8006439, CVE-2013-1485: Improve MethodHandles coverage
 * S8006446, CVE-2013-1486: Restrict MBeanServer access
 * S8006777, CVE-2013-0169: Improve TLS handling of invalid messages
 * S8007688: Blacklist known bad certificate

In addition, these releases include the usual IcedTea patches to allow builds against
system libraries and to support more esoteric architectures.

If you find an issue with one of these releases, please report it at
http://icedtea.classpath.org/bugzilla under the appropriate component.
Development discussion takes place on distro-pkg-dev at openjdk.java.net
and patches are always welcome.

Full details of the releases can be found below.

What’s New?
===========
New in release 2.3.7 (2013-02-20):

* Security fixes
  - S8004937, CVE-2013-1484: Improve proxy construction
  - S8006439, CVE-2013-1485: Improve MethodHandles coverage
  - S8006446, CVE-2013-1486: Restrict MBeanServer access
  - S8006777, CVE-2013-0169: Improve TLS handling of invalid messages
  - S8007688: Blacklist known bad certificate
* Backports
  - S8007393: Possible race condition after JDK-6664509
  - S8007611: logging behavior in applet changed
* Bug fixes
  - PR1303: Support building with giflib 5

New in release 2.2.6 (2013-02-20):

* Security fixes
  - S8004937, CVE-2013-1484: Improve proxy construction
  - S8006439, CVE-2013-1485: Improve MethodHandles coverage
  - S8006446, CVE-2013-1486: Restrict MBeanServer access
  - S8006777, CVE-2013-0169: Improve TLS handling of invalid messages
  - S8007688: Blacklist known bad certificate
* Backports
  - S8007393: Possible race condition after JDK-6664509
  - S8007611: logging behavior in applet changed
* Bug fixes
  - PR1303: Support building with giflib 5

New in release 2.1.6 (2013-02-20):

* Security fixes
  - S8004937, CVE-2013-1484: Improve proxy construction
  - S8006439, CVE-2013-1485: Improve MethodHandles coverage
  - S8006446, CVE-2013-1486: Restrict MBeanServer access
  - S8006777, CVE-2013-0169: Improve TLS handling of invalid messages
  - S8007688: Blacklist known bad certificate
* Backports
  - S7123519: problems with certification path
  - S8007393: Possible race condition after JDK-6664509
  - S8007611: logging behavior in applet changed
* Bug fixes
  - PR1303: Support building with giflib 5

The tarballs can be downloaded from:
 
* http://icedtea.classpath.org/download/source/icedtea-2.1.6.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.2.6.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.3.7.tar.gz

SHA256 checksums:

e6a65923acb29b87b9f8492adc6f00152b489441e788b64e2869301cc7fa29ba  icedtea-2.1.6.tar.gz
90adf40e725d7a301c3e23efdb75fcb992b0e645d8be0250cd4d058d85488f33  icedtea-2.2.6.tar.gz
378f67f6f84bfb6c705f600b47b68a61b18d67648dd7eaf8498b152587695940  icedtea-2.3.7.tar.gz

Each tarball is accompanied by a digital signature (available at the
above URL + '.sig').  This is produced using my public key.  See
details below.

The following people helped with these releases:

* Elliott Baron (production of reproducer for 8006439)
* Severin Gehwolf (production of reproducer for 8006777)
* Andrew John Hughes (application of security fixes & backports, creation & testing of bug fixes, reproducer testing, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-${version}.tar.gz
$ cd icedtea-${version}

where ${version} is the version you’ve downloaded.
 
Full build requirements and instructions are in INSTALL:
$ ./configure [--with-parallel-jobs --enable-pulse-java --enable-systemtap ...]
$ make
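As an added example (not part of the announcement or of the IcedTea project's own tooling), a POSIX shell script that checks a downloaded tarball against the SHA256 list and the signing-key fingerprint published above before it is unpacked. It assumes gpg is installed and that key 248BDC07 has already been imported into the local keyring.

```shell
# Added example, not part of the IcedTea release: verify a downloaded tarball
# against the announced SHA-256 list and the detached .sig before unpacking.
# Assumes gpg is installed and key 248BDC07 is already in the local keyring.
# Signing-key fingerprint exactly as published in the announcement.
ICEDTEA_SIGNER_FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"

# Checksums copied from the announcement: "<sha256> <file name>" per line.
ICEDTEA_SHA256_LIST="
e6a65923acb29b87b9f8492adc6f00152b489441e788b64e2869301cc7fa29ba icedtea-2.1.6.tar.gz
90adf40e725d7a301c3e23efdb75fcb992b0e645d8be0250cd4d058d85488f33 icedtea-2.2.6.tar.gz
378f67f6f84bfb6c705f600b47b68a61b18d67648dd7eaf8498b152587695940 icedtea-2.3.7.tar.gz
"

# sha256_of FILE: print the hex digest with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# check_sha256 FILE EXPECTED: succeed only if the digest matches exactly.
check_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# expected_sha256 NAME: announced digest for NAME, or empty if not listed.
expected_sha256() {
    printf '%s\n' "$ICEDTEA_SHA256_LIST" | awk -v n="$1" '$2 == n { print $1 }'
}

# check_signature FILE: verify FILE.sig and require the good signature to come
# from the pinned key. gpg's --status-fd lines are machine-readable; VALIDSIG
# carries the signing (sub)key fingerprint in $3 and the primary one last.
check_signature() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
      | awk -v f="$ICEDTEA_SIGNER_FPR" \
          '$2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 } END { exit !ok }'
}

# verify_release FILE: both checks must pass. A matching checksum only shows the
# mirror served the bytes the mail lists; the signature shows who produced them.
verify_release() {
    name=$(basename "$1")
    expected=$(expected_sha256 "$name")
    [ -n "$expected" ] || { echo "$name: not an announced tarball" >&2; return 1; }
    check_sha256 "$1" "$expected" || { echo "$name: checksum mismatch" >&2; return 1; }
    check_signature "$1" || { echo "$name: signature missing or not from pinned key" >&2; return 1; }
    echo "$name: checksum and signature OK"
}
# Usage: verify_release ./icedtea-2.3.7.tar.gz   (expects the .sig alongside)
```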

Happy hacking!
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07