[SECURITY] IcedTea 1.13.3 for OpenJDK 6 Released

Andrew Hughes gnu.andrew at redhat.com
Tue Apr 15 21:54:54 UTC 2014

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver, the ability to build
against system libraries and support for alternative virtual machines
and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 6 support in the 1.13.x series with
the April 2014 security fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are
always welcome.

Full details of the release can be found below.

What's New?
New in release 1.13.3 (2014-04-15):

* Security fixes
  - S8023046: Enhance splashscreen support
  - S8025005: Enhance CORBA initializations
  - S8025010, CVE-2014-2412: Enhance AWT contexts
  - S8025030, CVE-2014-2414: Enhance stream handling
  - S8025152, CVE-2014-0458: Enhance activation set up
  - S8026067: Enhance signed jar verification
  - S8026163, CVE-2014-2427: Enhance media provisioning
  - S8026188, CVE-2014-2423: Enhance envelope factory
  - S8026200: Enhance RowSet Factory
  - S8026736, CVE-2014-2398: Enhance Javadoc pages
  - S8026797, CVE-2014-0451: Enhance data transfers
  - S8026801, CVE-2014-0452: Enhance endpoint addressing
  - S8027766, CVE-2014-0453: Enhance RSA processing
  - S8027775: Enhance ICU code.
  - S8027841, CVE-2014-0429: Enhance pixel manipulations
  - S8028385: Enhance RowSet Factory
  - S8029282, CVE-2014-2403: Enhance CharInfo set up
  - S8029286: Enhance subject delegation
  - S8029699: Update Poller demo
  - S8029730: Improve audio device additions
  - S8029735: Enhance service mgmt natives
  - S8029740, CVE-2014-0446: Enhance handling of loggers
  - S8029750: Enhance LCMS color processing
  - S8029760, CVE-2013-6629: Enhance AWT image libraries (in-tree libjpeg)
  - S8029854, CVE-2014-2421: Enhance JPEG decodings
  - S8029858, CVE-2014-0456: Enhance array copies
  - S8030731, CVE-2014-0460: Improve name service robustness
  - S8031330: Refactor ObjectFactory
  - S8031335, CVE-2014-0459: Better color profiling (LCMS 2 only)
  - S8031352, CVE-2013-6954: Enhance PNG handling (in-tree libpng)
  - S8031394, CVE-2014-0457: (sl) Fix exception handling in ServiceLoader
  - S8031395: Enhance LDAP processing
  - S8033618, CVE-2014-1876: Correct logging output
  - S8034926, CVE-2014-2397: Attribute classes properly
  - S8036794, CVE-2014-0461: Manage JavaScript instances
* Import of OpenJDK6 b31
  - OJ27: Change summary generator can leave out last changeset
  - OJ28: Report generator should not include old changes
  - OJ30: Remove @Override annotation on interfaces added by 2014/04/15 security fixes.
  - S6680198: UnmarshalException caused by incompatible serialVersionUID
  - S6742654: Code insertion/replacement attacks against signed jars
  - S6779717: A Window does not show applet security warning icon on X platforms
  - S6785058: Parent dn't get the focus after dialog is closed if security warning is applied
  - S6799345: JFC demos threw exception in the Java Console when applets are closed
  - S6828273: javax/swing/system/6799345/TestShutdown.java test fails with RuntimeException.
  - S6867515: Reduce impact of D3D initializion on startup time
  - S6891435: Improve D3D preloading
  - S6911041: JCK api/signaturetest tests fails for Mixed Code PIT builds (b91) for all trains
  - S6921823: JarVerifier csdomain field not initialized
  - S6921839: Update trusted.libraries list
  - S6924497: HotSpotDiagnosticsMXBean.getDiagnosticOptions throws NPE
  - S6936389: FontManager.fileCloser may cause memory leak in applets
  - S6946559: AWTToolKit thread crashes in JNU_GetEnv
  - S6955783: ServiceUnavailableException caught even the secondary DNS is available
  - S6987967: D3D preloading thread should initialize COM
  - S7011446: ./windows/classes/sun/awt/windows/WToolkit.java needs to avoid spurious wakeup
  - S7015232: missing copyright header in CheckZOrderChange.java
  - S7119760: [macosx] The OpenGL queue flusher thread is created in the wrong thread group
  - S7155051: DNS provider may return incorrect results
  - S8002191: AWT-Shutdown thread does not start with the AppletSecurity on Linux
  - S8028388: 9 jaxws tests failed in nightly build with java.lang.ClassCastException
  - S8031032: SQE test failures after JDK-8025010 was fixed
  - S8031477: [macosx] Loading AWT native library fails
  - S8032370: No "Truncated file" warning from IIOReadWarningListener on JPEGImageReader
  - S8035834: InetAddress.getLocalHost() can hang after JDK-8030731 was fixed

The tarballs can be downloaded from:


We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:


These are produced using my public key. See details below.

    PGP Key: 248BDC07 (https://keys.indymedia.org/)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

SHA256 checksums:

15a5a9b4ff52f67a3dffd264e75d6f984bc196f47899376c206b1e51000fd072  icedtea6-1.13.3.tar.gz
00e7f7083fa907b9a39dfbae1a5461afe741d0cbf80456c8dbcefa37fa8f14da  icedtea6-1.13.3.tar.gz.sig
0149ffffcfb55739357a2c720421cbc311e4ccb248c0c185ed67671d2c45f748  icedtea6-1.13.3.tar.xz
a36f43665bfcfe0e03ae08507a7db7a09892f14cc9defe345ad344134cc3c17c  icedtea6-1.13.3.tar.xz.sig

The checksums can be downloaded from:


The following people helped with these releases:

* Andrew Hughes (all other backports & bug fixes, release management)
* Omair Majid (OJ26, OJ28)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.13.3.tar.gz


$ tar x -I xz -f icedtea6-1.13.3.tar.xz


$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea6-1.13.3/configure
$ make

Full build requirements and instructions are available in the INSTALL file.
Happy hacking!
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
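
The announcement publishes SHA256 checksums and a signing-key fingerprint but no verification commands. The following is an added example, not part of the original mail or of the IcedTea project: the SHA256 values and fingerprint are copied from the message above, the function names are hypothetical, and it assumes `sha256sum` and `gpg` are installed with the release key already imported.

```shell
#!/bin/sh
# Added example: check an IcedTea 1.13.3 download against this announcement.
# Fingerprint from the mail, with the spaces removed.
EXPECTED_FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"

# Print the announced SHA256 for a release file name; fail for unknown names.
expected_sha256() {
    case "$(basename "$1")" in
        icedtea6-1.13.3.tar.gz)
            echo 15a5a9b4ff52f67a3dffd264e75d6f984bc196f47899376c206b1e51000fd072 ;;
        icedtea6-1.13.3.tar.gz.sig)
            echo 00e7f7083fa907b9a39dfbae1a5461afe741d0cbf80456c8dbcefa37fa8f14da ;;
        icedtea6-1.13.3.tar.xz)
            echo 0149ffffcfb55739357a2c720421cbc311e4ccb248c0c185ed67671d2c45f748 ;;
        icedtea6-1.13.3.tar.xz.sig)
            echo a36f43665bfcfe0e03ae08507a7db7a09892f14cc9defe345ad344134cc3c17c ;;
        *) return 1 ;;
    esac
}

# Succeed only if the file's SHA256 equals the announced value.
check_sha256() {
    want=$(expected_sha256 "$1") || return 2
    got=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line
# names the expected key, either as the signing key (field 3) or as the
# primary key (last field, present when a subkey made the signature).
signed_by_release_key() {
    awk -v fpr="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !ok }'
}

# Full check for one tarball: both checksums, then the detached signature.
# Usage: verify_release icedtea6-1.13.3.tar.xz   (expects the .sig beside it)
verify_release() {
    check_sha256 "$1"     || { echo "checksum mismatch: $1" >&2; return 1; }
    check_sha256 "$1.sig" || { echo "checksum mismatch: $1.sig" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null | signed_by_release_key \
        || { echo "no valid signature from $EXPECTED_FPR" >&2; return 1; }
    echo "OK: $1"
}
```

Matching on the full fingerprint in the `VALIDSIG` status line, rather than on gpg's human-readable output or the 8-digit key ID `248BDC07`, avoids accepting a signature from a different key that shares the short ID.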