[SECURITY] IcedTea 2.1.7, 2.2.7 & 2.3.8 for OpenJDK 7 Released!

Andrew John Hughes gnu_andrew at member.fsf.org
Mon Mar 11 22:56:32 PDT 2013


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

A new set of security releases are now available for the OpenJDK 7
series: 2.1.7, 2.2.7 & 2.3.8. We recommend that users upgrade to the
latest release from the appropriate branch as soon as possible.  The
releases contain the following security fixes:

 * S8007014, CVE-2013-0809: Improve image handling
 * S8007675, CVE-2013-1493: Improve color conversion

In addition, IcedTea includes the usual IcedTea patches to allow
builds against system libraries and to support more esoteric
architectures.

If you find an issue with one of these releases, please report it to
our bug database (http://icedtea.classpath.org/bugzilla) under the
appropriate component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always
welcome.

Full details of the releases can be found below.

What's New?
===========

New in release 2.3.8 (2013-04-11):

* Security fixes
  - S8007014, CVE-2013-0809: Improve image handling
  - S8007675, CVE-2013-1493: Improve color conversion
* Backports
  - S8002344: Krb5LoginModule config class does not return proper KDC list from DNS
  - S8004344: Fix a crash in ToolkitErrorHandler() in XlibWrapper.c
  - S8006179: JSR292 MethodHandles lookup with interface using findVirtual()
  - S8006882: Proxy generated classes in sun.proxy package breaks JMockit
* Bug fixes
  - PR1303: Correct #ifdef to #if
  - PR1340: Simplify the rhino class rewriter to avoid use of concurrency
  - Revert 7017193 and add the missing free call, until a better fix is ready.

New in release 2.2.7 (2013-04-11):

* Security fixes
  - S8007014, CVE-2013-0809: Improve image handling
  - S8007675, CVE-2013-1493: Improve color conversion
* Backports
  - S8002344: Krb5LoginModule config class does not return proper KDC list from DNS
  - S8004344: Fix a crash in ToolkitErrorHandler() in XlibWrapper.c
  - S8006179: JSR292 MethodHandles lookup with interface using findVirtual()
  - S8006882: Proxy generated classes in sun.proxy package breaks JMockit
* Bug fixes
  - PR1303: Correct #ifdef to #if
  - PR1340: Simplify the rhino class rewriter to avoid use of concurrency
  - Revert 7017193 and add the missing free call, until a better fix is ready.

New in release 2.1.7 (2013-04-11):

* Security fixes
  - S8007014, CVE-2013-0809: Improve image handling
  - S8007675, CVE-2013-1493: Improve color conversion
* Backports
  - S8002344: Krb5LoginModule config class does not return proper KDC list from DNS
  - S8004344: Fix a crash in ToolkitErrorHandler() in XlibWrapper.c
  - S8006179: JSR292 MethodHandles lookup with interface using findVirtual()
  - S8006882: Proxy generated classes in sun.proxy package breaks JMockit
* Bug fixes
  - PR1303: Correct #ifdef to #if
  - Stop libraries being stripped in the OpenJDK build.
  - PR1340: Simplify the rhino class rewriter to avoid use of concurrency
  - Revert 7017193 and add the missing free call, until a better fix is ready.

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.1.7.tar.gz 
* http://icedtea.classpath.org/download/source/icedtea-2.2.7.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.3.8.tar.gz

SHA256 checksums:

e23d7715b9b27635f721414614be4bc5e52d32fb9739bc2e5dd1abcd8183dbee  icedtea-2.1.7.tar.gz
070a14f450569f98bd7b1ce5c42a9240c81ac5c234e2b39f8897f11d3d625ecc  icedtea-2.2.7.tar.gz
750a4c6e3e22369aa7dcfb0751fe85d5ea7a36b32871861c5063dbcadddc7153  icedtea-2.3.8.tar.gz

Each tarball is accompanied by a digital signature available at the
above URL + '.sig'. This is produced using my public key. See details
below.

    PGP Key: 248BDC07 (https://keys.indymedia.org/)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

The following people helped with these releases:

* Andrew Hughes (applying all security patches & backports,
  creation & testing of bug fixes, reproducer testing, release management)
* Matthias Klose (reported & fixed PR1340)
* Bernhard Rosenkränzer (reported issue with PR1303)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-${version}.tar.gz

where ${version} is the version of IcedTea being used.

Full build requirements and instructions are in INSTALL:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-${version}/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
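
Added example (not part of the original announcement): one way to check a downloaded tarball against the SHA256 checksums and the '.sig' signatures described above, pinning the full 40-digit fingerprint rather than the short key ID 248BDC07. The function names are hypothetical, and the script assumes sha256sum and gpg are installed and that the release key has already been imported into the local keyring.

```shell
#!/bin/sh
# Full fingerprint copied from the announcement; the short ID alone is not pinned.
EXPECTED_FPR='EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07'

# Strip spaces and upper-case a fingerprint so differently formatted copies compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# check_sha256 FILE EXPECTED_HEX: succeed only on an exact digest match.
# A missing file yields an empty digest and therefore fails closed.
check_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1) || return 1
    [ "$actual" = "$2" ]
}

# signer_matches STATUS_TEXT FPR: succeed only if gpg's machine-readable status
# contains a VALIDSIG line whose signing-key fingerprint (field 3) or
# primary-key fingerprint (last field) equals the pinned value.
signer_matches() {
    want=$(normalize_fpr "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_release TARBALL SHA256: checksum first, then the detached signature
# in TARBALL.sig. Any failure returns non-zero before the tarball is unpacked.
verify_release() {
    check_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    status=$(gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null) || return 1
    signer_matches "$status" "$EXPECTED_FPR" ||
        { echo "signature not made by pinned key: $1" >&2; return 1; }
}

# Usage with a value from the checksum list in the announcement:
#   verify_release icedtea-2.3.8.tar.gz \
#     750a4c6e3e22369aa7dcfb0751fe85d5ea7a36b32871861c5063dbcadddc7153
```

The checksum only detects a corrupted or altered download when the checksum list itself is trusted; the signature check ties the tarball to the key holder.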