[SECURITY] IcedTea 2.1.8 for OpenJDK 7 Released!
Andrew John Hughes
gnu_andrew at member.fsf.org
Thu May 2 09:56:05 PDT 2013
The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.
This release updates our OpenJDK 7 support to include the latest
security updates. We recommend that users of the 2.1.x branch upgrade
to this latest release as soon as possible. The security fixes are as
follows:
* S6657673, CVE-2013-1518: Issues with JAXP
* S7200507: Refactor Introspector internals
* S8000724, CVE-2013-2417: Improve networking serialization
* S8001031, CVE-2013-2419: Better font processing
* S8001040, CVE-2013-1537: Rework RMI model
* S8001322: Refactor deserialization
* S8001329, CVE-2013-1557: Augment RMI logging
* S8003335: Better handling of Finalizer thread
* S8003445: Adjust JAX-WS to focus on API
* S8003543, CVE-2013-2415: Improve processing of MTOM attachments
* S8004261: Improve input validation
* S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
* S8004986, CVE-2013-2383: Better handling of glyph table
* S8004987, CVE-2013-2384: Improve font layout
* S8004994, CVE-2013-1569: Improve checking of glyph table
* S8005432: Update access to JAX-WS
* S8005943: (process) Improved Runtime.exec
* S8006309: More reliable control panel operation
* S8006435, CVE-2013-2424: Improvements in JMX
* S8006790: Improve checking for windows
* S8006795: Improve font warning messages
* S8007406: Improve accessibility of AccessBridge
* S8007617, CVE-2013-2420: Better validation of images
* S8007667, CVE-2013-2430: Better image reading
* S8007918, CVE-2013-2429: Better image writing
* S8008140: Better method handle resolution
* S8009049, CVE-2013-2436: Better method handle binding
* S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
* S8009305, CVE-2013-0401: Improve AWT data transfer
* S8009677, CVE-2013-2423: Better setting of setters
* S8009699, CVE-2013-2421: Methodhandle lookup
* S8009814, CVE-2013-1488: Better driver management
* S8009857, CVE-2013-2422: Problem with plugin
In addition, IcedTea includes the usual IcedTea patches to allow
builds against system libraries and to support more esoteric
architectures.
If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are
always welcome.
Full details of the release can be found below.
New in release 2.1.8 (2013-05-02):
* Security fixes
- S6657673, CVE-2013-1518: Issues with JAXP
- S7200507: Refactor Introspector internals
- S8000724, CVE-2013-2417: Improve networking serialization
- S8001031, CVE-2013-2419: Better font processing
- S8001040, CVE-2013-1537: Rework RMI model
- S8001322: Refactor deserialization
- S8001329, CVE-2013-1557: Augment RMI logging
- S8003335: Better handling of Finalizer thread
- S8003445: Adjust JAX-WS to focus on API
- S8003543, CVE-2013-2415: Improve processing of MTOM attachments
- S8004261: Improve input validation
- S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
- S8004986, CVE-2013-2383: Better handling of glyph table
- S8004987, CVE-2013-2384: Improve font layout
- S8004994, CVE-2013-1569: Improve checking of glyph table
- S8005432: Update access to JAX-WS
- S8005943: (process) Improved Runtime.exec
- S8006309: More reliable control panel operation
- S8006435, CVE-2013-2424: Improvements in JMX
- S8006790: Improve checking for windows
- S8006795: Improve font warning messages
- S8007406: Improve accessibility of AccessBridge
- S8007617, CVE-2013-2420: Better validation of images
- S8007667, CVE-2013-2430: Better image reading
- S8007918, CVE-2013-2429: Better image writing
- S8008140: Better method handle resolution
- S8009049, CVE-2013-2436: Better method handle binding
- S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
- S8009305, CVE-2013-0401: Improve AWT data transfer
- S8009677, CVE-2013-2423: Better setting of setters
- S8009699, CVE-2013-2421: Methodhandle lookup
- S8009814, CVE-2013-1488: Better driver management
- S8009857, CVE-2013-2422: Problem with plugin
* Backports
- S7130662, RH928500: GTK file dialog crashes with a NPE
* Bug fixes
- PR1363: Fedora 19 / rawhide FTBFS SIGILL
- Fix offset problem in ICU LETableReference.
- Don't create debuginfo files if not stripping.
The tarball can be downloaded from:
* http://icedtea.classpath.org/download/source/icedtea-2.1.8.tar.gz
SHA256 checksum:
ea68180fe8b40732ccea41cdd6c628de4f660b20fccb4cd87ab35f0727c08b11 icedtea-2.1.8.tar.gz
The tarball is accompanied by a digital signature available at:
* http://icedtea.classpath.org/download/source/icedtea-2.1.8.tar.gz.sig
This is produced using my public key. See details below.
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
The following people helped with these releases:
* Andrew Hughes (application of security fixes & backports, release management)
* Roman Kennke (offset fix)
* Chris Phillips (PR1363 patch for ARM issue)
We would also like to thank the bug reporters and testers!
To get started:
$ tar xzf icedtea-2.1.8.tar.gz
$ cd icedtea-2.1.8
Full build requirements and instructions are in INSTALL:
$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.1.8/configure [--enable-zero --enable-pulse-java
--enable-systemtap ...]
$ make
Happy hacking!
--
Andrew :)
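The checksum and signing-key fingerprint quoted in the announcement, turned into a check to run before unpacking (an added example, not part of the original message). It assumes GNU sha256sum and gpg are installed and that key 248BDC07 is already in the local keyring; the function names are illustrative.

```shell
#!/bin/sh
# Added example: check the IcedTea 2.1.8 tarball before unpacking it.
# Both expected values are copied from the announcement.
EXPECTED_SHA256=ea68180fe8b40732ccea41cdd6c628de4f660b20fccb4cd87ab35f0727c08b11
EXPECTED_FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07   # fingerprint, spaces removed

# check_sha256 FILE HEX: 0 if the digest matches, 1 on mismatch, 2 if unreadable.
check_sha256() {
    [ -f "$1" ] || return 2
    actual=$(sha256sum "$1" | cut -d' ' -f1) || return 2
    [ "$actual" = "$2" ]
}

# validsig_matches FPR: reads `gpg --status-fd` output on stdin and returns 0
# only if a VALIDSIG record names FPR as the signing key (field 3) or as the
# primary key (last field). Appending "" forces a string comparison in awk.
validsig_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { exit !ok }'
}

# verify_release TARBALL: checksum first, then the detached signature.
# `gpg --verify` alone succeeds for a good signature from ANY key in the
# keyring, so the signer is pinned to the announced fingerprint as well.
verify_release() {
    check_sha256 "$1" "$EXPECTED_SHA256" || {
        echo "SHA256 mismatch or missing file: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
        validsig_matches "$EXPECTED_FPR" || {
        echo "signature missing, bad, or not made by $EXPECTED_FPR" >&2; return 1; }
    echo "$1: checksum and signature OK"
}

# Usage: sh verify.sh icedtea-2.1.8.tar.gz   (with the .sig file beside it)
if [ "$#" -gt 0 ]; then verify_release "$1"; fi
```

A matching checksum only shows the download equals what the message lists; the signature check is what ties the tarball to the release key.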