[SECURITY] IcedTea 2.1.9 & 2.2.9 for OpenJDK 7 Released!

Andrew John Hughes gnu_andrew at member.fsf.org
Sun Jun 30 06:21:13 PDT 2013


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

These releases update our OpenJDK 7 support to include the latest
security updates. We recommend that users of the 2.1.x and 2.2.x branches
upgrade to the latest release as soon as possible. The security fixes are as
follows:

  * S6741606, CVE-2013-2407: Integrate Apache Santuario
  * S7158805, CVE-2013-2445: Better rewriting of nested subroutine calls
  * S7170730, CVE-2013-2451: Improve Windows network stack support.
  * S8000638, CVE-2013-2450: Improve deserialization
  * S8000642, CVE-2013-2446: Better handling of objects for transportation
  * S8001032: Restrict object access
  * S8001033, CVE-2013-2452: Refactor network address handling in virtual machine identifiers
  * S8001034, CVE-2013-1500: Memory management improvements
  * S8001038, CVE-2013-2444: Resourcefully handle resources
  * S8001043: Clarify definition restrictions
  * S8001308: Update display of applet windows
  * S8001309: Better handling of annotation interfaces
  * S8001318, CVE-2013-2447: Socket.getLocalAddress not consistent with InetAddress.getLocalHost
  * S8003703, CVE-2013-2412: Update RMI connection dialog box
  * S8004288, CVE-2013-2449: (fs) Files.probeContentType problems
  * S8004584: Augment applet contextualization
  * S8005007: Better glyph processing
  * S8006328, CVE-2013-2448: Improve robustness of sound classes
  * S8006611: Improve scripting
  * S8007467: Improve robustness of JMX internal APIs
  * S8007471: Improve MBean notifications
  * S8007812, CVE-2013-2455: (reflect) Class.getEnclosingMethod problematic for some classes
  * S8007925: Improve cmsStageAllocLabV2ToV4curves
  * S8007926: Improve cmsPipelineDup
  * S8007927: Improve cmsAllocProfileSequenceDescription
  * S8007929: Improve CurvesAlloc
  * S8008120, CVE-2013-2457: Improve JMX class checking
  * S8008124, CVE-2013-2453: Better compliance testing
  * S8008128: Better API coherence for JMX
  * S8008132, CVE-2013-2456: Better serialization support
  * S8008585: Better JMX data handling
  * S8008593: Better URLClassLoader resource management
  * S8008603: Improve provision of JMX providers
  * S8008607: Better input checking in JMX
  * S8008611: Better handling of annotations in JMX
  * S8008615: Improve robustness of JMX internal APIs
  * S8008623: Better handling of MBeanServers
  * S8008744, CVE-2013-2407: Rework part of fix for JDK-6741606
  * S8008982: Adjust JMX for underlying interface changes
  * S8009004: Better implementation of RMI connections
  * S8009008: Better manage management-api
  * S8009013: Better handling of T2K glyphs
  * S8009034: Improve resulting notifications in JMX
  * S8009038: Improve JMX notification support
  * S8009057, CVE-2013-2448: Improve MIDI event handling
  * S8009067: Improve storing keys in KeyStore
  * S8009071, CVE-2013-2459: Improve shape handling
  * S8009235: Improve handling of TSA data
  * S8009424, CVE-2013-2458: Adapt Nashorn to JSR-292 implementation change
  * S8009554, CVE-2013-2454: Improve SerialJavaObject.getFields
  * S8009654: Improve stability of cmsnamed
  * S8010209, CVE-2013-2460: Better provision of factories
  * S8011243, CVE-2013-2470: Improve ImagingLib
  * S8011248, CVE-2013-2471: Better Component Rasters
  * S8011253, CVE-2013-2472: Better Short Component Rasters
  * S8011257, CVE-2013-2473: Better Byte Component Rasters
  * S8012375, CVE-2013-1571: Improve Javadoc framing
  * S8012421: Better positioning of PairPositioning
  * S8012438, CVE-2013-2463: Better image validation
  * S8012597, CVE-2013-2465: Better image channel verification
  * S8012601, CVE-2013-2469: Better validation of image layouts
  * S8014281, CVE-2013-2461: Better checking of XML signature
  * S8015997: Additional improvement in Javadoc framing

S8001330 is currently only provided for HotSpot 23.7 on 2.3.x, as
we’ve found it to be unstable when applied to the older HotSpot used
by Zero. If we find a solution for this, we’ll issue a further update.

This will be the last set of updates for the 2.1.x and 2.2.x branches.
Users should upgrade to either 2.3.10 or the upcoming 2.4.1 release.
Those users who need ARM32 JIT support should wait for the 2.3.11
release, coming in the next few months, which will add this to the
2.3.x series.

IcedTea includes the usual IcedTea patches to allow builds against
system libraries and to support more esoteric architectures. In these
releases, use of the system version of LCMS is disabled by default to
ensure the most secure version is used. Before using the system
version, please ensure it has the S8007925, S8007926, S8007927,
S8007929 and S8009654 updates listed above.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always
welcome.

Full details of the release can be found below. Note that the
unusually large number of backports is due to backporting from the
upstream u25 release, which also provides all these.

What's New?
===========
New in release 2.1.9 (2013-06-29):

* New features
  - PR1378: Add AArch64 support to Zero
* Security fixes
  - S6741606, CVE-2013-2407: Integrate Apache Santuario
  - S7158805, CVE-2013-2445: Better rewriting of nested subroutine calls
  - S7170730, CVE-2013-2451: Improve Windows network stack support.
  - S8000638, CVE-2013-2450: Improve deserialization
  - S8000642, CVE-2013-2446: Better handling of objects for transportation
  - S8001032: Restrict object access
  - S8001033, CVE-2013-2452: Refactor network address handling in virtual machine identifiers
  - S8001034, CVE-2013-1500: Memory management improvements
  - S8001038, CVE-2013-2444: Resourcefully handle resources
  - S8001043: Clarify definition restrictions
  - S8001308: Update display of applet windows
  - S8001309: Better handling of annotation interfaces
  - S8001318, CVE-2013-2447: Socket.getLocalAddress not consistent with InetAddress.getLocalHost
  - S8003703, CVE-2013-2412: Update RMI connection dialog box
  - S8004288, CVE-2013-2449: (fs) Files.probeContentType problems
  - S8004584: Augment applet contextualization
  - S8005007: Better glyph processing
  - S8006328, CVE-2013-2448: Improve robustness of sound classes
  - S8006611: Improve scripting
  - S8007467: Improve robustness of JMX internal APIs
  - S8007471: Improve MBean notifications
  - S8007812, CVE-2013-2455: (reflect) Class.getEnclosingMethod problematic for some classes
  - S8007925: Improve cmsStageAllocLabV2ToV4curves
  - S8007926: Improve cmsPipelineDup
  - S8007927: Improve cmsAllocProfileSequenceDescription
  - S8007929: Improve CurvesAlloc
  - S8008120, CVE-2013-2457: Improve JMX class checking
  - S8008124, CVE-2013-2453: Better compliance testing
  - S8008128: Better API coherence for JMX
  - S8008132, CVE-2013-2456: Better serialization support
  - S8008585: Better JMX data handling
  - S8008593: Better URLClassLoader resource management
  - S8008603: Improve provision of JMX providers
  - S8008607: Better input checking in JMX
  - S8008611: Better handling of annotations in JMX
  - S8008615: Improve robustness of JMX internal APIs
  - S8008623: Better handling of MBeanServers
  - S8008744, CVE-2013-2407: Rework part of fix for JDK-6741606
  - S8008982: Adjust JMX for underlying interface changes
  - S8009004: Better implementation of RMI connections
  - S8009008: Better manage management-api
  - S8009013: Better handling of T2K glyphs
  - S8009034: Improve resulting notifications in JMX
  - S8009038: Improve JMX notification support
  - S8009057, CVE-2013-2448: Improve MIDI event handling
  - S8009067: Improve storing keys in KeyStore
  - S8009071, CVE-2013-2459: Improve shape handling
  - S8009235: Improve handling of TSA data
  - S8009424, CVE-2013-2458: Adapt Nashorn to JSR-292 implementation change
  - S8009554, CVE-2013-2454: Improve SerialJavaObject.getFields
  - S8009654: Improve stability of cmsnamed
  - S8010209, CVE-2013-2460: Better provision of factories
  - S8011243, CVE-2013-2470: Improve ImagingLib
  - S8011248, CVE-2013-2471: Better Component Rasters
  - S8011253, CVE-2013-2472: Better Short Component Rasters
  - S8011257, CVE-2013-2473: Better Byte Component Rasters
  - S8012375, CVE-2013-1571: Improve Javadoc framing
  - S8012421: Better positioning of PairPositioning
  - S8012438, CVE-2013-2463: Better image validation
  - S8012597, CVE-2013-2465: Better image channel verification
  - S8012601, CVE-2013-2469: Better validation of image layouts
  - S8014281, CVE-2013-2461: Better checking of XML signature
  - S8015997: Additional improvement in Javadoc framing
* Backports
  - S7171223, RH967436: Building ExtensionSubtables.cpp should use -fno-strict-aliasing
  - S7053526: Upgrade JDK 8 to use Little CMS 2.4
  - S7077803: java.lang.InternalError in java.lang.invoke.MethodHandleNatives.init
  - S7124347: [macosx] java.lang.InternalError: not implemented yet on call Graphics2D.drawRenderedImage
  - S7142596: RMI JPRT tests are failing
  - S7151434, RH969884: java -jar -XX crashes java launcher
  - S7158483: (tz) Support tzdata2012c
  - S7188114: (launcher) need an alternate command line parser for Windows
  - S7195301: XML Signature DOM implementation should not use instanceof to determine type of Node
  - S7198570: (tz) Support tzdata2012f
  - S7199143: RFE: OCSP revocation checker should provide possibility to specify connection timeout
  - S8002070: Remove the stack search for a resource bundle for Logger to use
  - S8002225: (tz) Support tzdata2012i
  - S8006120: Provide "Server JRE" for 7u train
  - S8006536: [launcher]  removes trailing slashes on arguments
  - S8009165: Fix for 8006435 needs revision
  - S8009217: REGRESSION: test com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java fails to compile since 7u21b03
  - S8009463: Regression test test\java\lang\Runtime\exec\ArgWithSpaceAndFinalBackslash.java failing.
  - S8009610: Blacklist certificate used with malware.
  - S8009987: (tz) Support tzdata2013b
  - S8009996: tests javax/management/mxbean/MiscTest.java and javax/management/mxbean/StandardMBeanOverrideTest.java fail
  - S8010118: Annotate jdk caller sensitive methods with @sun.reflect.CallerSensitive
  - S8010213: Some api/javax_net/SocketFactory tests fail in 7u25 nightly build
  - S8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
  - S8010727: WLS fails to add a logger with "" in its own LogManager subclass instance
  - S8010939: Deadlock in LogManager
  - S8011139: (reflect) Revise checking in getEnclosingClass
  - S8011154: java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java failed since 7u25b03 on windows
  - S8011313: OCSP timeout set to wrong value if com.sun.security.ocsp.timeout not defined
  - S8011557: Improve reflection utility classes
  - S8011806: 7u25-b05 hotspot fastdebug build failure
  - S8011990: TEST_BUG: java/util/logging/bundlesearch/ResourceBundleSearchTest.java fails on Windows
  - S8011992: java/awt/image/mlib/MlibOpsTest.java failed since jdk7u25b05
  - S8012112: java/awt/image/mlib/MlibOpsTest.java fails on sparc solaris
  - S8012243: about 30% regression on specjvm2008.serial on 7u25 comparing 7u21
  - S8012453: (process) Runtime.exec(String) fails if command contains spaces [win]
  - S8012617: ArrayIndexOutOfBoundsException with some fonts using LineBreakMeasurer
  - S8012933: Test closed/java/awt/Dialog/DialogAnotherThread/JaWSTest.java fails since jdk 7u25 b07
  - S8013196: TimeZone.getDefault() throws NPE due to sun.awt.AppContext.getAppContext()
  - S8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
  - S8013380: Removal of stack walk to find resource bundle breaks Glassfish startup
  - S8014205: Most of the Swing dialogs are blank on one win7 MUI
  - S8014427: REGRESSION: closed/javax/imageio/plugins/bmp/Write3ByteBgrTest.java fails since 7u25 b09
  - S8014618, RH868136: Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement
  - S8014676: Java debugger may fail to run
  - S8014718: Netbeans IDE begins to throw a lot exceptions since 7u25 b10
  - S8014745: Provide a switch to allow stack walk search of resource bundle
  - S8014968: OCSP and CRL connection timeout is set to four hours by default
* Bug fixes
  - PR1095, PR1409: Allow -Werror to be turned off (HotSpot repository only).
  - PR1188: ASM Interpreter and Thumb2 JIT javac miscompile modulo reminder on armel

New in release 2.2.9 (2013-06-29):

* New features
  - PR1378: Add AArch64 support to Zero
* Security fixes
  - S6741606, CVE-2013-2407: Integrate Apache Santuario
  - S7158805, CVE-2013-2445: Better rewriting of nested subroutine calls
  - S7170730, CVE-2013-2451: Improve Windows network stack support.
  - S8000638, CVE-2013-2450: Improve deserialization
  - S8000642, CVE-2013-2446: Better handling of objects for transportation
  - S8001032: Restrict object access
  - S8001033, CVE-2013-2452: Refactor network address handling in virtual machine identifiers
  - S8001034, CVE-2013-1500: Memory management improvements
  - S8001038, CVE-2013-2444: Resourcefully handle resources
  - S8001043: Clarify definition restrictions
  - S8001308: Update display of applet windows
  - S8001309: Better handling of annotation interfaces
  - S8001318, CVE-2013-2447: Socket.getLocalAddress not consistent with InetAddress.getLocalHost
  - S8003703, CVE-2013-2412: Update RMI connection dialog box
  - S8004288, CVE-2013-2449: (fs) Files.probeContentType problems
  - S8004584: Augment applet contextualization
  - S8005007: Better glyph processing
  - S8006328, CVE-2013-2448: Improve robustness of sound classes
  - S8006611: Improve scripting
  - S8007467: Improve robustness of JMX internal APIs
  - S8007471: Improve MBean notifications
  - S8007812, CVE-2013-2455: (reflect) Class.getEnclosingMethod problematic for some classes
  - S8007925: Improve cmsStageAllocLabV2ToV4curves
  - S8007926: Improve cmsPipelineDup
  - S8007927: Improve cmsAllocProfileSequenceDescription
  - S8007929: Improve CurvesAlloc
  - S8008120, CVE-2013-2457: Improve JMX class checking
  - S8008124, CVE-2013-2453: Better compliance testing
  - S8008128: Better API coherence for JMX
  - S8008132, CVE-2013-2456: Better serialization support
  - S8008585: Better JMX data handling
  - S8008593: Better URLClassLoader resource management
  - S8008603: Improve provision of JMX providers
  - S8008607: Better input checking in JMX
  - S8008611: Better handling of annotations in JMX
  - S8008615: Improve robustness of JMX internal APIs
  - S8008623: Better handling of MBeanServers
  - S8008744, CVE-2013-2407: Rework part of fix for JDK-6741606
  - S8008982: Adjust JMX for underlying interface changes
  - S8009004: Better implementation of RMI connections
  - S8009008: Better manage management-api
  - S8009013: Better handling of T2K glyphs
  - S8009034: Improve resulting notifications in JMX
  - S8009038: Improve JMX notification support
  - S8009057, CVE-2013-2448: Improve MIDI event handling
  - S8009067: Improve storing keys in KeyStore
  - S8009071, CVE-2013-2459: Improve shape handling
  - S8009235: Improve handling of TSA data
  - S8009424, CVE-2013-2458: Adapt Nashorn to JSR-292 implementation change
  - S8009554, CVE-2013-2454: Improve SerialJavaObject.getFields
  - S8009654: Improve stability of cmsnamed
  - S8010209, CVE-2013-2460: Better provision of factories
  - S8011243, CVE-2013-2470: Improve ImagingLib
  - S8011248, CVE-2013-2471: Better Component Rasters
  - S8011253, CVE-2013-2472: Better Short Component Rasters
  - S8011257, CVE-2013-2473: Better Byte Component Rasters
  - S8012375, CVE-2013-1571: Improve Javadoc framing
  - S8012421: Better positioning of PairPositioning
  - S8012438, CVE-2013-2463: Better image validation
  - S8012597, CVE-2013-2465: Better image channel verification
  - S8012601, CVE-2013-2469: Better validation of image layouts
  - S8014281, CVE-2013-2461: Better checking of XML signature
  - S8015997: Additional improvement in Javadoc framing
* Bug fixes
  - S7053526: Upgrade JDK 8 to use Little CMS 2.4
  - S7124347: [macosx] java.lang.InternalError: not implemented yet on call Graphics2D.drawRenderedImage
  - S7142091: [macosx] RFE: Refactoring of peer initialization/disposing
  - S7142596: RMI JPRT tests are failing
  - S7150345: [macosx] Can't type into applets
  - S7151434, RH969884: java -jar -XX crashes java launcher
  - S7156191: [macosx] Can't type into applet demos in Pivot
  - S7156194: [macosx] Can't type non-ASCII characters into applets
  - S7171223: Building ExtensionSubtables.cpp should use -fno-strict-aliasing
  - S7174718: [macosx] Regression in 7u6 b12: PopupFactory leaks DefaultFrames.
  - S7188114: (launcher) need an alternate command line parser for Windows
  - S7195301: XML Signature DOM implementation should not use instanceof to determine type of Node
  - S7198570: (tz) Support tzdata2012f
  - S7199143: RFE: OCSP revocation checker should provide possibility to specify connection timeout
  - S8001161: mac: EmbeddedFrame doesn't become active window
  - S8002070: Remove the stack search for a resource bundle for Logger to use
  - S8002225: (tz) Support tzdata2012i
  - S8005932: Java 7 on mac os x only provides text clipboard formats
  - S8006120: Provide "Server JRE" for 7u train
  - S8006417: JComboBox.showPopup(), hidePopup() fails in JRE 1.7 on OS X
  - S8006536: [launcher]  removes trailing slashes on arguments
  - S8009165: Fix for 8006435 needs revision
  - S8009217: REGRESSION: test com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java fails to compile since 7u21b03
  - S8009463: Regression test test\java\lang\Runtime\exec\ArgWithSpaceAndFinalBackslash.java failing.
  - S8009610: Blacklist certificate used with malware.
  - S8009987: (tz) Support tzdata2013b
  - S8009996: tests javax/management/mxbean/MiscTest.java and javax/management/mxbean/StandardMBeanOverrideTest.java fail
  - S8010009: [macosx] Unable type into online word games on MacOSX
  - S8010118: Annotate jdk caller sensitive methods with @sun.reflect.CallerSensitive
  - S8010213: Some api/javax_net/SocketFactory tests fail in 7u25 nightly build
  - S8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod
  - S8010727: WLS fails to add a logger with "" in its own LogManager subclass instance
  - S8010939: Deadlock in LogManager
  - S8011139: (reflect) Revise checking in getEnclosingClass
  - S8011154: java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java failed since 7u25b03 on windows
  - S8011313: OCSP timeout set to wrong value if com.sun.security.ocsp.timeout not defined
  - S8011557: Improve reflection utility classes
  - S8011806: 7u25-b05 hotspot fastdebug build failure
  - S8011990: TEST_BUG: java/util/logging/bundlesearch/ResourceBundleSearchTest.java fails on Windows
  - S8011992: java/awt/image/mlib/MlibOpsTest.java failed since jdk7u25b05
  - S8012112: java/awt/image/mlib/MlibOpsTest.java fails on sparc solaris
  - S8012243: about 30% regression on specjvm2008.serial on 7u25 comparing 7u21
  - S8012330: [macosx] Sometimes the applet showing the modal dialog itself loses the ability to gain focus
  - S8012453: (process) Runtime.exec(String) fails if command contains spaces [win]
  - S8012617: ArrayIndexOutOfBoundsException with some fonts using LineBreakMeasurer
  - S8012933: Test closed/java/awt/Dialog/DialogAnotherThread/JaWSTest.java fails since jdk 7u25 b07
  - S8013196: TimeZone.getDefault() throws NPE due to sun.awt.AppContext.getAppContext()
  - S8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
  - S8013380: Removal of stack walk to find resource bundle breaks Glassfish startup
  - S8014205: Most of the Swing dialogs are blank on one win7 MUI
  - S8014423: [macosx] The scrollbar's block increment performs incorrectly
  - S8014427: REGRESSION: closed/javax/imageio/plugins/bmp/Write3ByteBgrTest.java fails since 7u25 b09
  - S8014618, RH868136: Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement
  - S8014676: Java debugger may fail to run
  - S8014718: Netbeans IDE begins to throw a lot exceptions since 7u25 b10
  - S8014745: Provide a switch to allow stack walk search of resource bundle
  - S8014968: OCSP and CRL connection timeout is set to four hours by default

The tarballs can be downloaded from:

    http://icedtea.classpath.org/download/source/icedtea-2.1.9.tar.gz
    http://icedtea.classpath.org/download/source/icedtea-2.2.9.tar.gz

SHA256 checksum:

978bd734103ac3a81476d31801ff9ddc007b4b30bccf13ce83af5f4a5e17604d  icedtea-2.1.9.tar.gz
e56dbcc3fe783535881aca893ce5cd20e73d9c0f159811b98233042843af756a  icedtea-2.2.9.tar.gz

The tarballs are accompanied by a digital signature available at:

    http://icedtea.classpath.org/download/source/icedtea-2.1.9.tar.gz.sig
    http://icedtea.classpath.org/download/source/icedtea-2.2.9.tar.gz.sig

respectively. This is produced using my public key. See details below.

    PGP Key: 248BDC07 (https://keys.indymedia.org/)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

The following people helped with these releases:

* Andreas Schwab (PR1378 patch for AArch64 Zero support)
* Andrew Hughes (all other bug fixes, application of security fixes & backports, release management)
* Xerxes Rånby (PR1188 ARM fix for 2.1.9)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-${ver}.tar.gz
$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-${ver}/configure
$ make

where ${ver} is the version used.

Full build requirements and instructions are available in the INSTALL file.
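The download, checksum, signature and build steps above fit naturally into one script. The following is an added example, not part of the announcement or of the IcedTea project: it checks a downloaded tarball against the SHA256 value announced above and against its detached `.sig` file using the announced key fingerprint, and only then runs the configure/make steps. It assumes `sha256sum`, `gpg` and `wget` are installed and that key 248BDC07 has already been imported into the local keyring; the base URL variable and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the IcedTea announcement or project: verify a
# release tarball against the announced SHA256 value and its detached PGP
# signature before running the configure/make steps from the mail.
# Assumes sha256sum, gpg and wget are available and that release key
# 248BDC07 is already imported; ICEDTEA_BASE_URL and the function names
# are this example's own choices.

ICEDTEA_BASE_URL=http://icedtea.classpath.org/download/source

# Announced SHA256 checksums (values taken from the release mail).
SHA256_2_1_9=978bd734103ac3a81476d31801ff9ddc007b4b30bccf13ce83af5f4a5e17604d
SHA256_2_2_9=e56dbcc3fe783535881aca893ce5cd20e73d9c0f159811b98233042843af756a

# Release key fingerprint from the mail, without spaces (gpg's VALIDSIG form).
RELEASE_KEY_FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07

# announced_sha256 VERSION -> prints the announced checksum, or fails.
announced_sha256() {
    case $1 in
        2.1.9) printf '%s\n' "$SHA256_2_1_9" ;;
        2.2.9) printf '%s\n' "$SHA256_2_2_9" ;;
        *) return 1 ;;
    esac
}

# verify_sha256 FILE EXPECTED -> 0 if FILE hashes to EXPECTED, 1 otherwise.
# Compares the hex digest only, so the result does not depend on the
# "  filename" suffix in sha256sum's output format.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_signature FILE -> 0 only if FILE.sig is a good signature made by
# the release key. Reads gpg's machine-readable status lines instead of
# relying on its exit code alone, so a valid signature from a different
# key in the keyring is still rejected.
verify_signature() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $RELEASE_KEY_FPR "
}

# fetch_verify_build VERSION -> download, verify, then run the announced
# tar/configure/make steps in an out-of-tree build directory.
fetch_verify_build() {
    ver=$1
    tarball=icedtea-$ver.tar.gz
    expected=$(announced_sha256 "$ver") || {
        echo "no announced checksum for $ver" >&2; return 1; }
    wget -q "$ICEDTEA_BASE_URL/$tarball" "$ICEDTEA_BASE_URL/$tarball.sig" || return 1
    verify_sha256 "$tarball" "$expected" || {
        echo "checksum mismatch for $tarball; not building it" >&2; return 1; }
    verify_signature "$tarball" || {
        echo "signature check failed for $tarball; not building it" >&2; return 1; }
    tar xzf "$tarball" || return 1
    mkdir -p icedtea-build || return 1
    (cd icedtea-build && "../icedtea-$ver/configure" && make)
}

# Usage when run directly: sh verify-and-build.sh 2.2.9
if [ $# -ge 1 ]; then
    fetch_verify_build "$1"
fi
```

The checksum and the signature are checked separately on purpose: the checksum catches a corrupt or truncated download, while the signature ties the file to the release key, which a checksum published on the same server cannot do on its own.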

Happy hacking!
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20130630/ce24fade/attachment.bin 