[SECURITY] IcedTea 2.3.10 for OpenJDK 7 Released!

Andrew John Hughes gnu_andrew at member.fsf.org
Fri Jun 28 06:10:07 PDT 2013


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

This release updates our OpenJDK 7 support to include the latest
security updates. We recommend that users of the 2.3.x branch upgrade
to this latest release as soon as possible. The security fixes are as
follows:

  * S6741606, CVE-2013-2407: Integrate Apache Santuario
  * S7158805, CVE-2013-2445: Better rewriting of nested subroutine calls
  * S7170730, CVE-2013-2451: Improve Windows network stack support.
  * S8000638, CVE-2013-2450: Improve deserialization
  * S8000642, CVE-2013-2446: Better handling of objects for transportation
  * S8001032: Restrict object access
  * S8001033, CVE-2013-2452: Refactor network address handling in virtual machine identifiers
  * S8001034, CVE-2013-1500: Memory management improvements
  * S8001038, CVE-2013-2444: Resourcefully handle resources
  * S8001043: Clarify definition restrictions
  * S8001308: Update display of applet windows
  * S8001309: Better handling of annotation interfaces
  * S8001318, CVE-2013-2447: Socket.getLocalAddress not consistent with InetAddress.getLocalHost
  * S8001330, CVE-2013-2443: Improve on checking order (non-Zero builds only)
  * S8003703, CVE-2013-2412: Update RMI connection dialog box
  * S8004288, CVE-2013-2449: (fs) Files.probeContentType problems
  * S8004584: Augment applet contextualization
  * S8005007: Better glyph processing
  * S8006328, CVE-2013-2448: Improve robustness of sound classes
  * S8006611: Improve scripting
  * S8007467: Improve robustness of JMX internal APIs
  * S8007471: Improve MBean notifications
  * S8007812, CVE-2013-2455: (reflect) Class.getEnclosingMethod problematic for some classes
  * S8007925: Improve cmsStageAllocLabV2ToV4curves
  * S8007926: Improve cmsPipelineDup
  * S8007927: Improve cmsAllocProfileSequenceDescription
  * S8007929: Improve CurvesAlloc
  * S8008120, CVE-2013-2457: Improve JMX class checking
  * S8008124, CVE-2013-2453: Better compliance testing
  * S8008128: Better API coherence for JMX
  * S8008132, CVE-2013-2456: Better serialization support
  * S8008585: Better JMX data handling
  * S8008593: Better URLClassLoader resource management
  * S8008603: Improve provision of JMX providers
  * S8008607: Better input checking in JMX
  * S8008611: Better handling of annotations in JMX
  * S8008615: Improve robustness of JMX internal APIs
  * S8008623: Better handling of MBeanServers
  * S8008744, CVE-2013-2407: Rework part of fix for JDK-6741606
  * S8008982: Adjust JMX for underlying interface changes
  * S8009004: Better implementation of RMI connections
  * S8009008: Better manage management-api
  * S8009013: Better handling of T2K glyphs
  * S8009034: Improve resulting notifications in JMX
  * S8009038: Improve JMX notification support
  * S8009057, CVE-2013-2448: Improve MIDI event handling
  * S8009067: Improve storing keys in KeyStore
  * S8009071, CVE-2013-2459: Improve shape handling
  * S8009235: Improve handling of TSA data
  * S8009424, CVE-2013-2458: Adapt Nashorn to JSR-292 implementation change
  * S8009554, CVE-2013-2454: Improve SerialJavaObject.getFields
  * S8009654: Improve stability of cmsnamed
  * S8010209, CVE-2013-2460: Better provision of factories
  * S8011243, CVE-2013-2470: Improve ImagingLib
  * S8011248, CVE-2013-2471: Better Component Rasters
  * S8011253, CVE-2013-2472: Better Short Component Rasters
  * S8011257, CVE-2013-2473: Better Byte Component Rasters
  * S8012375, CVE-2013-1571: Improve Javadoc framing
  * S8012421: Better positioning of PairPositioning
  * S8012438, CVE-2013-2463: Better image validation
  * S8012597, CVE-2013-2465: Better image channel verification
  * S8012601, CVE-2013-2469: Better validation of image layouts
  * S8014281, CVE-2013-2461: Better checking of XML signature
  * S8015997: Additional improvement in Javadoc framing

The HotSpot part of S8001330 is currently only provided for HotSpot
23.7 on x86, x86_64 and SPARC architectures as we've found it to be
unstable when applied to the older HotSpot used by Zero.  If we find a
solution for this, we'll issue a further update.

In addition, IcedTea includes the usual IcedTea patches to allow
builds against system libraries and to support more esoteric
architectures.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always
welcome.

Full details of the release can be found below.  Note that the unusually
large number of backports is due to syncing with the upstream u25 release,
which also provides all these.

What's New?
===========

New in release 2.3.10 (2013-06-28):

* Security fixes
  - S6741606, CVE-2013-2407: Integrate Apache Santuario
  - S7158805, CVE-2013-2445: Better rewriting of nested subroutine calls
  - S7170730, CVE-2013-2451: Improve Windows network stack support.
  - S8000638, CVE-2013-2450: Improve deserialization
  - S8000642, CVE-2013-2446: Better handling of objects for transportation
  - S8001032: Restrict object access
  - S8001033, CVE-2013-2452: Refactor network address handling in virtual machine identifiers
  - S8001034, CVE-2013-1500: Memory management improvements
  - S8001038, CVE-2013-2444: Resourcefully handle resources
  - S8001043: Clarify definition restrictions
  - S8001308: Update display of applet windows
  - S8001309: Better handling of annotation interfaces
  - S8001318, CVE-2013-2447: Socket.getLocalAddress not consistent with InetAddress.getLocalHost
  - S8001330, CVE-2013-2443: Improve on checking order (non-Zero builds only)
  - S8003703, CVE-2013-2412: Update RMI connection dialog box
  - S8004288, CVE-2013-2449: (fs) Files.probeContentType problems
  - S8004584: Augment applet contextualization
  - S8005007: Better glyph processing
  - S8006328, CVE-2013-2448: Improve robustness of sound classes
  - S8006611: Improve scripting
  - S8007467: Improve robustness of JMX internal APIs
  - S8007471: Improve MBean notifications
  - S8007812, CVE-2013-2455: (reflect) Class.getEnclosingMethod problematic for some classes
  - S8007925: Improve cmsStageAllocLabV2ToV4curves
  - S8007926: Improve cmsPipelineDup
  - S8007927: Improve cmsAllocProfileSequenceDescription
  - S8007929: Improve CurvesAlloc
  - S8008120, CVE-2013-2457: Improve JMX class checking
  - S8008124, CVE-2013-2453: Better compliance testing
  - S8008128: Better API coherence for JMX
  - S8008132, CVE-2013-2456: Better serialization support
  - S8008585: Better JMX data handling
  - S8008593: Better URLClassLoader resource management
  - S8008603: Improve provision of JMX providers
  - S8008607: Better input checking in JMX
  - S8008611: Better handling of annotations in JMX
  - S8008615: Improve robustness of JMX internal APIs
  - S8008623: Better handling of MBeanServers
  - S8008744, CVE-2013-2407: Rework part of fix for JDK-6741606
  - S8008982: Adjust JMX for underlying interface changes
  - S8009004: Better implementation of RMI connections
  - S8009008: Better manage management-api
  - S8009013: Better handling of T2K glyphs
  - S8009034: Improve resulting notifications in JMX
  - S8009038: Improve JMX notification support
  - S8009057, CVE-2013-2448: Improve MIDI event handling
  - S8009067: Improve storing keys in KeyStore
  - S8009071, CVE-2013-2459: Improve shape handling
  - S8009235: Improve handling of TSA data
  - S8009424, CVE-2013-2458: Adapt Nashorn to JSR-292 implementation change
  - S8009554, CVE-2013-2454: Improve SerialJavaObject.getFields
  - S8009654: Improve stability of cmsnamed
  - S8010209, CVE-2013-2460: Better provision of factories
  - S8011243, CVE-2013-2470: Improve ImagingLib
  - S8011248, CVE-2013-2471: Better Component Rasters
  - S8011253, CVE-2013-2472: Better Short Component Rasters
  - S8011257, CVE-2013-2473: Better Byte Component Rasters
  - S8012375, CVE-2013-1571: Improve Javadoc framing
  - S8012421: Better positioning of PairPositioning
  - S8012438, CVE-2013-2463: Better image validation
  - S8012597, CVE-2013-2465: Better image channel verification
  - S8012601, CVE-2013-2469: Better validation of image layouts
  - S8014281, CVE-2013-2461: Better checking of XML signature
  - S8015997: Additional improvement in Javadoc framing
* New features
  - PR1378: Add AArch64 support to Zero
* Bug fixes
  - PR1409: IcedTea 2.3.9 fails to build Zero due to -Werror
  - PR1410: Icedtea 2.3.9 fails to build using icedtea 1.12.4
* Backports
  - S6720349: (ch) Channels tests depending on hosts inside Sun
  - S6736316: Timeout value in java/util/concurrent/locks/Lock/FlakyMutex.java is insufficient
  - S6776144: java/lang/ThreadGroup/NullThreadName.java fails with Thread group is not destroyed ,fastdebug LINUX
  - S6818464: TEST_BUG: java/util/Timer/KillThread.java failing intermittently
  - S6860309: TEST_BUG: Insufficient sleep time in java/lang/Runtime/exec/StreamsSurviveDestroy.java
  - S6948101: java/rmi/transport/pinLastArguments/PinLastArguments.java failing intermittently
  - S6957683: test/java/util/concurrent/ThreadPoolExecutor/Custom.java failing
  - S6963102: Testcase failures sun/tools/jstatd/jstatdExternalRegistry.sh and sun/tools/jstatd/jstatdDefaults.sh
  - S6963841: java/util/concurrent/Phaser/Basic.java fails intermittently
  - S6965150: TEST_BUG: java/nio/channels/AsynchronousSocketChannel/Basic.java takes too long
  - S7030573: test/java/io/FileInputStream/LargeFileAvailable.java fails when there is insufficient disk space
  - S7032247: java/net/InetAddress/GetLocalHostWithSM.java fails if hostname resolves to loopback address
  - S7044870: java/nio/channels/DatagramChannel/SelectWhenRefused.java failed on SUSE Linux 10
  - S7053526: Upgrade JDK 8 to use Little CMS 2.4
  - S7054918: jdk_security1 test target cleanup
  - S7055362: jdk_security2 test target cleanup
  - S7055363: jdk_security3 test target cleanup
  - S7072120: No mac os x support in several regression tests
  - S7073295: TEST_BUG: test/java/lang/instrument/ManifestTest.sh causing havoc (win)
  - S7076756: TEST_BUG: com/sun/jdi/BreakpointWithFullGC.sh fails to cleanup in Cygwin
  - S7076791: closed/javax/swing/JColorChooser/Test6827032.java failed on windows
  - S7077259: [TEST_BUG] [macosx] Test work correctly only when default L&F is Metal
  - S7084033: TEST_BUG: test/java/lang/ThreadGroup/Stop.java fails intermittently
  - S7089131: test/java/lang/invoke/InvokeGenericTest.java does not compile
  - S7102106: TEST_BUG: sun/security/util/Oid/S11N.sh should be modified
  - S7104161: test/sun/tools/jinfo/Basic.sh fails on Ubuntu
  - S7104594: [macosx] Test closed/javax/swing/JFrame/4962534/bug4962534 expects Metal L&F by default
  - S7105929: java/util/concurrent/FutureTask/BlockingTaskExecutor.java fails on solaris sparc
  - S7124347: [macosx] "java.lang.InternalError: not implemented yet" on call Graphics2D.drawRenderedImage
  - S7129800: [macosx] Regression test OverrideRedirectWindowActivationTest fails due to timing issue
  - S7132247: java/rmi/registry/readTest/readTest.sh failing with Cygwin
  - S7140868: TEST_BUG: jcmd tests need to use -XX:+UsePerfData
  - S7142596: RMI JPRT tests are failing
  - S7144833: sun/tools/jcmd/jcmd-Defaults.sh failing intermittently
  - S7144861: speed up RMI activation tests
  - S7147408: [macosx] Add autodelay to fix a regression test
  - S7151434, RH969884: java -jar -XX crashes java launcher
  - S7152183: TEST_BUG: java/lang/ProcessBuilder/Basic.java failing intermittently [sol]
  - S7152796: TEST_BUG: java/net/Socks/SocksV4Test.java does not terminate
  - S7152856: TEST_BUG: sun/net/www/protocol/jar/B4957695.java failing on Windows
  - S7154113: jcmd, jps and jstat tests failing when there are unknown Java processes on the system
  - S7154114: jstat tests failing on non-english locales
  - S7161759: TEST_BUG: java/awt/Frame/WindowDragTest/WindowDragTest.java fails to compile, should be modified
  - S7162111: TEST_BUG: change tests run in headless mode [macosx]
  - S7162385: TEST_BUG: sun/net/www/protocol/jar/B4957695.java failing again
  - S7175775: Disable SA options in jinfo/Basic.java test until SA updated for new hash and String count/offset
  - S7178649: TEST BUG: BadKdc3.java needs improvement to ignore the unlikely but possible timeout
  - S7183203: ShortRSAKeynnn.sh tests intermittent failure
  - S7183753: [TEST] Some colon in the diff for this test
  - S7184943: fix failing test com/sun/jndi/rmi/registry/RegistryContext/UnbindIdempotent.java
  - S7184946: fix failing test com/sun/jndi/rmi/registry/RegistryContext/ContextWithNullProperties.java
  - S7185340: TEST_BUG: java/nio/channels/AsynchronousSocketChannel/Leaky.java failing intermittently [win]
  - S7186111: fix bugs in java/rmi/activation/ActivationSystem/unregisterGroup/UnregisterGroup
  - S7187882: TEST_BUG: java/rmi/activation/checkusage/CheckUsage.java fails intermittently
  - S7193219: JComboBox serialization fails in JDK 1.7
  - S7194032: update tests for upcoming changes for jtreg
  - S7194035: update tests for upcoming changes for jtreg
  - S7199143: RFE: OCSP revocation checker should provide possibility to specify connection timeout
  - S7199637: TEST_BUG: add serialization tests to jdk7u problem list for macosx
  - S8000817: Reinstate accidentally removed sleep() from ProcessBuilder/Basic.java
  - S8001161: mac: EmbeddedFrame doesn't become active window
  - S8001621: Update awk scripts that check output from jps/jcmd
  - S8002070: Remove the stack search for a resource bundle for Logger to use
  - S8002297: sun/net/www/protocol/http/StackTraceTest.java fails intermittently
  - S8002313: TEST_BUG : jdk/test/java/security/Security/ClassLoaderDeadlock/ClassLoaderDeadlock.java should run in headless mode
  - S8003597: TEST_BUG: Eliminate dependency on javaweb from closed net tests
  - S8003982: new test javax/swing/AncestorNotifier/7193219/bug7193219.java failed on macosx
  - S8004317: TestLibrary.getUnusedRandomPort() fails intermittently, but exception not reported
  - S8004748: clean up @build tags in RMI tests
  - S8004925: java/net/Socks/SocksV4Test.java failing on all platforms
  - S8005290: remove -showversion from RMI test library subprocess mechanism
  - S8005556: java/net/Socks/SocksV4Test.java is missing @run tag
  - S8005646: TEST_BUG: java/rmi/activation/ActivationSystem/unregisterGroup/UnregisterGroup leaves process running
  - S8005920: After pressing combination Windows Key and M key, the frame, the instruction and the dialog can't be minimized.
  - S8005932: Java 7 on mac os x only provides text clipboard formats
  - S8006120: Provide "Server JRE" for 7u train
  - S8006417: JComboBox.showPopup(), hidePopup() fails in JRE 1.7 on OS X
  - S8006534: CLONE - TestLibrary.getUnusedRandomPort() fails intermittently-doesn't retry enough times
  - S8006536: [launcher]  removes trailing slashes on arguments
  - S8006560: java/net/ipv6tests/B6521014.java fails intermittently
  - S8006564: Test sun/security/util/Oid/S11N.sh fails with timeout on Linux 32-bit
  - S8006669: sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/PostThruProxy.sh fails on mac
  - S8007515: TEST_BUG: update ProblemList.txt and TEST.ROOT in jdk7u-dev to match jdk8
  - S8007699: Move some tests from test/sun/security/provider/certpath/X509CertPath to closed repo
  - S8008223: java/net/BindException/Test.java fails rarely
  - S8008249: Sync ICU into JDK :
  - S8008379: TEST_BUG: Fail automatically with java.lang.NullPointerException.
  - S8008815: [TEST_BUG] Add back tests to the Problemlist files post the jdk7u -> 7u-cpu test sync up
  - S8009165: Fix for 8008817 needs revision
  - S8009217: REGRESSION: test com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java fails to compile since 7u21b03
  - S8009463: Regression test test\java\lang\Runtime\exec\ArgWithSpaceAndFinalBackslash.java failing.
  - S8009530: ICU Kern table support broken
  - S8009610: Blacklist certificate used with malware.
  - S8009634: TEST_BUG: sun/misc/Version/Version.java handle 2 digit minor in VM version
  - S8009750: javax/xml/crypto/dsig/SecurityManager/XMLDSigWithSecMgr.java should run in other vm mode
  - S8009987: (tz) Support tzdata2013b
  - S8009996: tests javax/management/mxbean/MiscTest.java and javax/management/mxbean/StandardMBeanOverrideTest.java fail
  - S8009999: Test sun/tools/jcmd/jcmd-f.sh failing after JDK-8008820
  - S8010009: [macosx] Unable type into online word games on MacOSX
  - S8010118: Annotate jdk caller sensitive methods with @sun.reflect.CallerSensitive
  - S8010166: TEST_BUG: fix for 8009634 overlooks possible version strings (sun/misc/Version/Version.java)
  - S8010213: Some api/javax_net/SocketFactory tests fail in 7u25 nightly build
  - S8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
  - S8010727: WLS fails to add a logger with "" in its own LogManager subclass instance
  - S8010939: Deadlock in LogManager
  - S8011139: (reflect) Revise checking in getEnclosingClass
  - S8011154: java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java failed since 7u25b03 on windows
  - S8011313: OCSP timeout set to wrong value if com.sun.security.ocsp.timeout not defined
  - S8011557: Improve reflection utility classes
  - S8011695: [tck-red] Application can not be run, the Security Warning dialog is gray.
  - S8011806: 7u25-b05 hotspot fastdebug build failure
  - S8011896: Add check for invalid offset for new AccessControlContext isAuthorized field
  - S8011990: TEST_BUG: java/util/logging/bundlesearch/ResourceBundleSearchTest.java fails on Windows
  - S8011992: java/awt/image/mlib/MlibOpsTest.java failed since jdk7u25b05
  - S8012112: java/awt/image/mlib/MlibOpsTest.java fails on sparc solaris
  - S8012243: about 30% regression on specjvm2008.serial on 7u25 comparing 7u21
  - S8012330: [macosx] Sometimes the applet showing the modal dialog itself loses the ability to gain focus
  - S8012453: (process) Runtime.exec(String) fails if command contains spaces [win]
  - S8012617: ArrayIndexOutOfBoundsException with some fonts using LineBreakMeasurer
  - S8012933: Test closed/java/awt/Dialog/DialogAnotherThread/JaWSTest.java fails since jdk 7u25 b07
  - S8013196: TimeZone.getDefault() throws NPE due to sun.awt.AppContext.getAppContext()
  - S8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
  - S8013380: Removal of stack walk to find resource bundle breaks Glassfish startup
  - S8014205: Most of the Swing dialogs are blank on one win7 MUI
  - S8014423: [macosx] The scrollbar's block increment performs incorrectly
  - S8014427: REGRESSION: closed/javax/imageio/plugins/bmp/Write3ByteBgrTest.java fails since 7u25 b09
  - S8014618, RH868136: Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement
  - S8014676: Java debugger may fail to run
  - S8014718: Netbeans IDE begins to throw a lot exceptions since 7u25 b10
  - S8014745: Provide a switch to allow stack walk search of resource bundle
  - S8014968: OCSP and CRL connection timeout is set to four hours by default

The tarball can be downloaded from:

    http://icedtea.classpath.org/download/source/icedtea-2.3.10.tar.gz

SHA256 checksum:

    d1c3b9423867b41508050e1d32b38e4a090f84a96b864b09936a4281ff01f5da  icedtea-2.3.10.tar.gz

The tarball is accompanied by a digital signature available at:

    http://icedtea.classpath.org/download/source/icedtea-2.3.10.tar.gz.sig

This is produced using my public key. See details below.

    PGP Key: 248BDC07 (https://keys.indymedia.org/)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

The following people helped with this release:

 * Andreas Schwab (PR1378 patch for AArch64 Zero support)
 * Andrew Hughes (all other bug fixes, application of security fixes & backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.3.10.tar.gz
$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.3.10/configure
$ make

Full build requirements and instructions are available in the INSTALL file.
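As an added example that is not part of the original announcement or of the IcedTea project, the POSIX shell script below strings the three steps above together: compare the tarball's SHA-256 digest with the published one, verify the detached signature, and confirm that the signature was actually made by the key with the published fingerprint rather than by any key that happens to be in the keyring, before unpacking and running configure and make. The function names, the assumption that the tarball and .sig are already downloaded, and the key-import command are this example's; the digest, fingerprint, key server and URLs are the announcement's. Note that 248BDC07 is a 32-bit short key ID, which is cheap to collide, so the full fingerprint is the value to pin.

```shell
#!/bin/sh
# Added example, not code from the IcedTea project: verify a release tarball
# against the published SHA-256 digest and PGP signature, then build it.
# Assumed: the tarball and its .sig have already been downloaded into the
# current directory, and the signer's key has been imported, e.g.
#   gpg --keyserver keys.indymedia.org --recv-keys 0xEC5A1F5EC0AD1D158F1F8F913B96A578248BDC07
# (the key server and key are the announcement's; the command is this example's).

# Print the hex SHA-256 digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Succeed only if the file's digest equals the expected one (case-insensitive).
check_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Canonical fingerprint: no spaces, upper case. The announcement prints the
# same fingerprint once with single and once with double spaces, and gpg
# prints it without any, so compare canonical forms rather than raw strings.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Succeed only if two fingerprints name the same key. A short ID such as
# 248BDC07 never matches: 32-bit key IDs are cheap to collide, so only the
# full 160-bit (40 hex digit) fingerprint counts as an identity here.
fpr_matches() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    [ ${#a} -eq 40 ] && [ "$a" = "$b" ]
}

# Verify digest, then signature, then that the signature was made by the
# expected key. "gpg --verify" alone succeeds for any key in the keyring;
# the VALIDSIG status line carries the primary key fingerprint as its last
# field, which is what we pin.
verify_release() {
    tarball=$1; expected_sha=$2; expected_fpr=$3
    check_sha256 "$tarball" "$expected_sha" \
        || { echo "SHA-256 mismatch: $tarball" >&2; return 1; }
    status=$(gpg --status-fd 1 --verify "$tarball.sig" "$tarball" 2>/dev/null) \
        || { echo "bad or missing signature: $tarball.sig" >&2; return 1; }
    signer=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
    fpr_matches "$signer" "$expected_fpr" \
        || { echo "signed by '$signer', expected $expected_fpr" >&2; return 1; }
    echo "$tarball: digest and signature OK"
}

# Unpack and build out of tree, as the announcement describes.
build_icedtea() {
    srcdir=$(basename "$1" .tar.gz)
    tar xzf "$1" && mkdir -p icedtea-build && cd icedtea-build \
        && "../$srcdir/configure" && make
}

# Usage with the values from this announcement (not executed when the file
# is sourced, since it needs the downloaded tarball and the imported key):
#   verify_release icedtea-2.3.10.tar.gz \
#     d1c3b9423867b41508050e1d32b38e4a090f84a96b864b09936a4281ff01f5da \
#     'EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07' \
#   && build_icedtea icedtea-2.3.10.tar.gz
```

The signature check deliberately does not stop at gpg's exit status: a "good signature" from some other key in the keyring is still a failure for release verification, which is why the VALIDSIG primary-key fingerprint is compared against the announced one.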

Happy hacking!
-- 
Andrew :)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07