[SECURITY] IcedTea 1.12.7 for OpenJDK 6 Released!

Andrew gnu.andrew at redhat.com
Thu Nov 21 20:16:39 PST 2013


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver, the ability to build
against system libraries and support for alternative virtual machines
and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 6 support in the 1.12.x series with
the October 2013 security errata and a number of bug fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always
welcome.

Full details of the release can be found below.

What’s New?
===========
New in release 1.12.7 (2013-11-21):

* Security fixes
  - S8006900, CVE-2013-3829: Add new date/time capability
  - S8008589: Better MBean permission validation
  - S8011071, CVE-2013-5780: Better crypto provider handling
  - S8011081, CVE-2013-5772: Improve jhat
  - S8011157, CVE-2013-5814: Improve CORBA portablility
  - S8012071, CVE-2013-5790: Better Building of Beans
  - S8012147: Improve tool support
  - S8012277, CVE-2013-5849: Improve AWT DataFlavor
  - S8012425, CVE-2013-5802: Transform TransformerFactory
  - S8013503, CVE-2013-5851: Improve stream factories
  - S8013506: Better Pack200 data handling
  - S8013510, CVE-2013-5809: Augment image writing code
  - S8013514: Improve stability of cmap class
  - S8013739, CVE-2013-5817: Better LDAP resource management
  - S8013744, CVE-2013-5783: Better tabling for AWT
  - S8014085: Better serialization support in JMX classes
  - S8014093, CVE-2013-5782: Improve parsing of images
  - S8014102, CVE-2013-5778: Improve image conversion
  - S8014341, CVE-2013-5803: Better service from Kerberos servers
  - S8014349, CVE-2013-5840: (cl) Class.getDeclaredClass problematic in some class loader configurations
  - S8014530, CVE-2013-5825: Better digital signature processing
  - S8014534: Better profiling support
  - S8014987, CVE-2013-5842: Augment serialization handling
  - S8015614: Update build settings
  - S8015731: Subject java.security.auth.subject to improvements
  - S8015743, CVE-2013-5774: Address internet addresses
  - S8016256: Make finalization final
  - S8016653, CVE-2013-5804: javadoc should ignore ignoreable characters in names
  - S8016675, CVE-2013-5797: Make Javadoc pages more robust
  - S8017196, CVE-2013-5850: Ensure Proxies are handled appropriately
  - S8017287, CVE-2013-5829: Better resource disposal
  - S8017291, CVE-2013-5830: Cast Proxies Aside
  - S8017298, CVE-2013-4002: Better XML support
  - S8017300, CVE-2013-5784: Improve Interface Implementation
  - S8017505, CVE-2013-5820: Better Client Service
  - S8019292: Better Attribute Value Exceptions
  - S8019617: Better view of objects
  - S8020293: JVM crash
  - S8021290, CVE-2013-5823: Better signature validation
  - S8022940: Enhance CORBA translations
  - S8023683: Enhance class file parsing
* Backports
  - S4075303: Use javap to enquire about a specific inner class
  - S4111861: static final field contents are not displayed
  - S4348375: Javap is not internationalized
  - S4459541: "javap -l" shows line numbers as signed short; they should be unsigned
  - S4501660: change diagnostic of -help as 'print this help message and exit'
  - S4501661: disallow mixing -public, -private, and -protected options at the same time
  - S4776241: unused source file in javap...
  - S4870651: javap should recognize generics, varargs, enum
  - S4876942: javap invoked without args does not print help screen
  - S4880663: javap could output whitespace between class name and opening brace
  - S4884240: additional option required for javap
  - S4893408: JPEGReader throws IllegalArgException when setting the destination to BYTE_GRAY
  - S4975569: javap doesn't print new flag bits
  - S6271787: javap dumps LocalVariableTypeTable attribute in hex, needs to print a table
  - S6305779: javap: support annotations
  - S6439940: Clean up javap implementation
  - S6469569: wrong check of searchpath in JavapEnvironment
  - S6474890: javap does not open .zip files in -classpath
  - S6563752: Build and test JDK7 with Sun Studio 12 Express compilers (prep makefiles)
  - S6587786: Javap throws error : "ERROR:Could not find <classname>" for JRE classes
  - S6622215: javap ignores certain relevant access flags
  - S6622216: javap names some attributes incorrectly
  - S6622232: javap gets whitespace confused
  - S6622260: javap prints negative bytes incorrectly in hex
  - S6631559: Registration of ImageIO plugins should not cause loading of jpeg.dlli and cmm.dll
  - S6636331: ConcurrentModificationException in AppContext code
  - S6636370: minor corrections and simplification of code in AppContext
  - S6708729: update jdk Makefiles for new javap
  - S6715767: javap on java.lang.ClassLoader crashes
  - S6729772: 64-bit build with SS12 compiler: SIGSEGV (0xb) at pc=0x0000000000000048, pid=14826, tid=2
  - S6791502: IIOException "Invalid icc profile" on jpeg after update from JDK5 to JDK6
  - S6793818: JpegImageReader is too greedy creating color profiles
  - S6799141: Build with --hash-style=both so that binaries can work on SuSE 10
  - S6816311: Changes to allow builds with latest Windows SDK 6.1 on 64bit Windows 2003
  - S6819246: improve support for decoding instructions in classfile library
  - S6824493: experimental support for additional info for instructions
  - S6840152: JVM crashes when heavyweight monitors are used
  - S6841419: classfile: add constant pool iterator
  - S6841420: classfile: add new methods to ConstantClassInfo
  - S6843013: missing files in fix for 6824493
  - S6852856: javap changes to facilitate subclassing javap for variants
  - S6867671: javap whitespace formatting issues
  - S6868539: javap should use current names for constant pool tags
  - S6888215: memory leak in jpeg plugin
  - S6902264: fix indentation of tableswitch and lookupswitch
  - S6925851: Localize JRE into pt_BR
  - S6954275: XML signatures with reference data larger 16KB and cacheRef on fails to validate
  - S6974017: Upgrade required Solaris Studio compilers to 5.10 (12 update 1 + patches)
  - S6980281: SWAT: SwingSet2 got core dumped in Solaris-AMD64 using b107 swat build
  - S6989760: cmm native compiler warnings
  - S6989774: imageio compiler warnings in native code
  - S7000225: Sanity check on sane-alsa-headers is broken
  - S7013519: [parfait] Integer overflows in 2D code
  - S7018912: [parfait] potential buffer overruns in imageio jpeg
  - S7022999: Can't build with FORCE_TIERED=0
  - S7035073: Add missing timezones to TimeZoneNames_pt_BR.java
  - S7038711: Fix CC_VER checks for compiler options, fix use of -Wno-clobber
  - S7146431: java.security files out-of-sync
  - S7196533: TimeZone.getDefault() slow due to synchronization bottleneck
  - S8000450: Restrict access to com/sun/corba/se/impl package
  - S8002070: Remove the stack search for a resource bundle for Logger to use
  - S8003992: File and other classes in java.io do not handle embedded nulls properly
  - S8004188: Rename src/share/lib/security/java.security to java.security-linux
  - S8005194: [parfait] #353 sun/awt/image/jpeg/imageioJPEG.c Memory leak of pointer 'scale' allocated with calloc()
  - S8006882: Proxy generated classes in sun.proxy package breaks JMockit
  - S8010118: Annotate jdk caller sensitive methods with @sun.reflect.CallerSensitive
  - S8010727: WLS fails to add a logger with "" in its own LogManager subclass instance
  - S8010939: Deadlock in LogManager
  - S8011139: (reflect) Revise checking in getEnclosingClass
  - S8011950: java.io.File.createTempFile enters infinite loop when passed invalid data
  - S8011990: TEST_BUG: java/util/logging/bundlesearch/ResourceBundleSearchTest.java fails on Windows
  - S8012243: about 30% regression on specjvm2008.serial on 7u25 comparing 7u21
  - S8012453: (process) Runtime.exec(String) fails if command contains spaces [win]
  - S8012617: ArrayIndexOutOfBoundsException with some fonts using LineBreakMeasurer
  - S8013380: Removal of stack walk to find resource bundle breaks Glassfish startup
  - S8013827: File.createTempFile hangs with temp file starting with 'com1.4'
  - S8014469: (tz) Support tzdata2013c
  - S8014718: Netbeans IDE begins to throw a lot exceptions since 7u25 b10
  - S8014745: Provide a switch to allow stack walk search of resource bundle
  - S8015144: Performance regression in ICU OpenType Layout library
  - S8015965: (process) Typo in name of property to allow ambiguous commands
  - S8015978: Incorrect transformation of XPath expression "string(-0)"
  - S8016357: Update hotspot diagnostic class
  - S8017566: Backout 8000450 - Cannot access to com.sun.corba.se.impl.orb.ORBImpl
  - S8019584: javax/management/remote/mandatory/loading/MissingClassTest.java failed in nightly against jdk7u45: java.io.InvalidObjectException: Invalid notification: null
  - S8019969: nioNetworkChannelInet6/SetOptionGetOptionTestInet6 test case crashes
  - S8019979: Replace CheckPackageAccess test with better one from closed repo
  - S8020054: (tz) Support tzdata2013d
  - S8020983, RH976897: OutOfMemoryError caused by non garbage collected JPEGImageWriter Instances
  - S8021355: REGRESSION: Five closed/java/awt/SplashScreen tests fail since 7u45 b01 on Linux, Solaris
  - S8021366: java_util/Properties/PropertiesWithOtherEncodings fails during 7u45 nightly testing
  - S8021577: JCK test api/javax_management/jmx_serial/modelmbean/ModelMBeanNotificationInfo/serial/index.html#Input has failed since jdk 7u45 b01
  - S8021933: Add extra check for fix # JDK-8014530
  - S8021969: The index_AccessAllowed jnlp can not load successfully with exception thrown in the log.
  - S8022661: InetAddress.writeObject() performs flush() on object output stream
  - S8022682: Supporting XOM
  - S8023964: java/io/IOException/LastErrorString.java should be @ignore-d
  - S8024914: Swapped usage of idx_t and bm_word_t types in bitMap.inline.hpp
  - S8025128: File.createTempFile fails if prefix is absolute path
  - S8025255: (tz) Support tzdata2013g
  - OJ19: Fix test cases from 8010118 to work with OpenJDK 6
  - OJ20: Resolve merge issues with JAXP security fixes
  - OJ21: Remove @Override annotation added on interface by 2013/10/15 security fixes
* Bug fixes
  - PR1188: ASM Interpreter and Thumb2 JIT javac miscompile modulo reminder on armel.
  - RH995488: Java thinks that the default timezone is Busingen instead of Zurich
  - D729448: 32-bit alignment on mips and mipsel

The tarball can be downloaded from:

    http://icedtea.classpath.org/download/source/icedtea6-1.12.7.tar.gz

or:

    http://icedtea.classpath.org/download/source/icedtea6-1.12.7.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

    http://icedtea.classpath.org/download/source/icedtea6-1.12.7.tar.gz.sig
    http://icedtea.classpath.org/download/source/icedtea6-1.12.7.tar.xz.sig

These are produced using my public key. See details below.

    PGP Key: 248BDC07 (https://keys.indymedia.org/)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

SHA256 checksums:

081b288b3141f5ec87c77ea47fc541825fd02e9e03fcbb30bbe70b007f2a648e  icedtea6-1.12.7.tar.gz
e96ed6e04ec84ddfdb5833e1632c2a4989684f6c43614646baabf26dbd721b71  icedtea6-1.12.7.tar.gz.sig
56e180666f9c6a38aa725033b60bbdf5bf4f652ad9f6876eedc56a27497158a8  icedtea6-1.12.7.tar.xz
0051bc9eb39ad7b3e932f14d0b2cc3b6fc0b70ccff0b152067094e670c1eaf0c  icedtea6-1.12.7.tar.xz.sig

The following people helped with these releases:

    Andrew Hughes (all backports and fixes except those below & release management)
    Omair Majid (initial version of RH995488)
    Xerxes Rånby (PR1188 ARM fix)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.12.7.tar.gz

or:

$ tar x -I xz -f icedtea6-1.12.7.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea6-1.12.7/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
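
The following is an added example, not part of the original message: a shell sketch for checking a downloaded tarball against the SHA256 checksum and the full signing-key fingerprint published in the announcement above, before running configure. It assumes GnuPG and coreutils `sha256sum` are installed, that the signing key has already been imported into the local keyring, and that the tarball and its .sig sit in the current directory; the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify an IcedTea release tarball before building it.
# The three values below are copied from the announcement.
FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"   # fingerprint, spaces removed
TARBALL="icedtea6-1.12.7.tar.gz"
SHA256="081b288b3141f5ec87c77ea47fc541825fd02e9e03fcbb30bbe70b007f2a648e"

# sha256_matches FILE EXPECTED_HEX -> 0 only if the digest is identical.
# A missing file yields an empty digest, which never matches.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# validsig_matches EXPECTED_FPR -> reads `gpg --status-fd 1 --verify` output
# on stdin. Succeeds only if a VALIDSIG line names the expected key, either
# as the signing key (field 3) or as its primary key (last field).
# VALIDSIG is used because it carries the full fingerprint; the short key ID
# (248BDC07) is only 32 bits and is not a safe thing to compare.
validsig_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_release TARBALL SHA256 FPR -> checksum first, then signature.
verify_release() {
    sha256_matches "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | validsig_matches "$3" \
        || { echo "bad or unexpected signature: $1" >&2; return 1; }
    echo "verified: $1"
}

# Run only when the downloaded files are present in the current directory.
if [ -f "$TARBALL" ] && [ -f "$TARBALL.sig" ]; then
    verify_release "$TARBALL" "$SHA256" "$FPR"
fi
```

The checksum in the announcement only protects the download if the announcement itself is trusted; the signature check against the full fingerprint is what ties the tarball to the release key.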