[Security] IcedTea 2.3.13 and 2.4.4 Released!

Omair Majid omajid at redhat.com
Tue Jan 14 20:38:04 PST 2014


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver, the ability to build
against system libraries and support for alternative virtual machines
and architectures beyond those supported by OpenJDK.

These releases update our OpenJDK 7 support in the 2.3.x and 2.4.x
series with a number of security fixes.

Existing users of the 2.3.x series are strongly advised to upgrade to
the 2.4.x series.  Although there is a 2.3.x update, one security
issue (CVE-2013-5893) is resolved by a Method Handles fix (S8029507)
which is present in the 2.4.x series, but not 2.3.x. We have not been
able to backport this (patches and suggestions welcome). The safest
solution is to use 2.4.x where possible.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always
welcome.

Full details of the release can be found below.

What's New?
===========

New in release 2.4.4 (2014-01-14):

* Security fixes
  - S6727821: Enhance JAAS Configuration
  - S7068126, CVE-2014-0373: Enhance SNMP statuses
  - S8010935: Better XML handling
  - S8011786, CVE-2014-0368: Better applet networking
  - S8021257, S8025022, CVE-2013-5896: com.sun.corba.se.** should be on restricted package list
  - S8021271, S8021266, CVE-2014-0408: Better buffering in ObjC code
  - S8022904: Enhance JDBC Parsers
  - S8022927: Input validation for byte/endian conversions
  - S8022935: Enhance Apache resolver classes
  - S8022945: Enhance JNDI implementation classes
  - S8023057: Enhance start up image display
  - S8023069, CVE-2014-0411: Enhance TLS connections
  - S8023245, CVE-2014-0423: Enhance Beans decoding
  - S8023301: Enhance generic classes
  - S8023338: Update jarsigner to encourage timestamping
  - S8023672: Enhance jar file validation
  - S8024302: Clarify jar verifications
  - S8024306, CVE-2014-0416: Enhance Subject consistency
  - S8024530: Enhance font process resilience
  - S8024867: Enhance logging start up
  - S8025014: Enhance Security Policy
  - S8025018, CVE-2014-0376: Enhance JAX-P set up
  - S8025026, CVE-2013-5878: Enhance canonicalization
  - S8025034, CVE-2013-5907: Improve layout lookups
  - S8025448: Enhance listening events
  - S8025758, CVE-2014-0422: Enhance Naming management
  - S8025767, CVE-2014-0428: Enhance IIOP Streams
  - S8026172: Enhance UI Management
  - S8026176: Enhance document printing
  - S8026193, CVE-2013-5884: Enhance CORBA stub factories
  - S8026204: Enhance auth login contexts
  - S8026417, CVE-2013-5910: Enhance XML canonicalization
  - S8026502: java/lang/invoke/MethodHandleConstants.java fails on all platforms
  - S8027201, CVE-2014-0376: Enhance JAX-P set up
  - S8029507, CVE-2013-5893: Enhance JVM method processing
  - S8029533: REGRESSION: closed/java/lang/invoke/8008140/Test8008140.java fails agains
* Backports
  - S8025255: (tz) Support tzdata2013g
  - S8026826: JDK 7 fix for 8010935 broke the build
* Bug fixes
  - PR1618: Include defs.make in vm.make so VM_LITTLE_ENDIAN is defined on Zero builds
  - D729448: 32-bit alignment on mips and mipsel
  - PR1623: Collision between OpenJDK 6 & 7 classes when bootstrapping with OpenJDK 6


New in release 2.3.13 (2014-01-14):

* Security fixes
  - S6727821: Enhance JAAS Configuration
  - S7068126, CVE-2014-0373: Enhance SNMP statuses
  - S8010935: Better XML handling
  - S8011786, CVE-2014-0368: Better applet networking
  - S8021257, S8025022, CVE-2013-5896: com.sun.corba.se.** should be on restricted package list
  - S8021271, S8021266, CVE-2014-0408: Better buffering in ObjC code
  - S8022904: Enhance JDBC Parsers
  - S8022927: Input validation for byte/endian conversions
  - S8022935: Enhance Apache resolver classes
  - S8022945: Enhance JNDI implementation classes
  - S8023057: Enhance start up image display
  - S8023069, CVE-2014-0411: Enhance TLS connections
  - S8023245, CVE-2014-0423: Enhance Beans decoding
  - S8023301: Enhance generic classes
  - S8023338: Update jarsigner to encourage timestamping
  - S8023672: Enhance jar file validation
  - S8024302: Clarify jar verifications
  - S8024306, CVE-2014-0416: Enhance Subject consistency
  - S8024530: Enhance font process resilience
  - S8024867: Enhance logging start up
  - S8025014: Enhance Security Policy
  - S8025018, CVE-2014-0376: Enhance JAX-P set up
  - S8025026, CVE-2013-5878: Enhance canonicalization
  - S8025034, CVE-2013-5907: Improve layout lookups
  - S8025448: Enhance listening events
  - S8025758, CVE-2014-0422: Enhance Naming management
  - S8025767, CVE-2014-0428: Enhance IIOP Streams
  - S8026172: Enhance UI Management
  - S8026176: Enhance document printing
  - S8026193, CVE-2013-5884: Enhance CORBA stub factories
  - S8026204: Enhance auth login contexts
  - S8026417, CVE-2013-5910: Enhance XML canonicalization
  - S8027201, CVE-2014-0376: Enhance JAX-P set up
* Backports
  - S7173959: Jvm crashed during coherence exabus (tmb) testin
  - S7182152: Instrumentation hot swap test incorrect monitor count
  - S8009399: Bump the hsx build number for APRIL CPU
  - S8014312: Fork hs23.25 hsx from hs23.21 for jdk7u25 and reinitialize build number
  - S8014925: Disable sun.reflect.Reflection.getCallerClass(int) with a temporary switch to re-enable it
  - S8015614: Update build settings
  - S8016256: Make finalization final
  - S8016814: sun.reflect.Reflection.getCallerClass returns the frame off by 1
  - S8020943: Memory leak when GCNotifier uses create_from_platform_dependent_str()
  - S8023457: Event based tracing framework needs a mutex for thread groups
  - S8023478: Test fails with HS crash in GCNotifier.
  - S8023683: Enhance class file parsing
  - S8024914: Swapped usage of idx_t and bm_word_t types in bitMap.inline.hpp
  - S8026826: JDK 7 fix for 8010935 broke the build
* Bug fixes
  - Enable Zero when there is no HotSpot JIT and an alternate VM has not been explicitly enabled.
  - PR1551: Add build support for Zero AArch64

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.3.13.tar.gz

and

* http://icedtea.classpath.org/download/source/icedtea-2.4.4.tar.gz


The tarballs are accompanied by digital signatures available at:

    http://icedtea.classpath.org/download/source/icedtea-2.3.13.tar.gz.sig
    http://icedtea.classpath.org/download/source/icedtea-2.4.4.tar.gz.sig

These are produced using my public key. See details below.

    PGP Key: 66484681 (http://pgp.mit.edu/)
    Fingerprint = F072 555B 0A17 3957 4E95  0056 F286 F14F 6648 4681

SHA256 checksums:

490935de1762fb1a02e858701cbfdb5a8df45560b56c528131b51ff444c7a454  icedtea-2.3.13.tar.gz
ddce5dadaca4a24e8ecd632d5299fefd76f3bdcd7040bfbded3de3b1dffd56b3  icedtea-2.4.4.tar.gz

The following people helped with these releases:

* Elliott Baron
* Andrew Dinn
* Jana Fabrikova
* Christine Flood
* Severin Gehwolf
* Andrew Haley
* Andrew Hughes
* Roman Kennke
* Omair Majid
* Chris Phillips
* Pavel Tisnovsky
* Mario Torre
* Jonathan VanAlten
* Jiri Vanek

We would also like to thank the bug reporters and testers!

To get started:

$ tar xf icedtea-2.4.4.tar.gz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.4.4/configure
$ make

Full build requirements and instructions are available in the INSTALL file.
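The checksum and signature checks that the values above make possible, as an added shell example (not part of the announcement or of IcedTea itself): it gates the unpack and build steps on the tarball matching the published SHA256 and carrying a good signature from the published fingerprint. It assumes sha256sum (or shasum) and gpg are installed and that the signing key has already been imported.

```shell
#!/bin/sh
# Added example, not part of the announcement: check a downloaded IcedTea
# tarball against the SHA256 checksums and detached PGP signatures published
# above before unpacking it. Assumes sha256sum (or shasum) and gpg are
# installed and the signing key has been imported, e.g.
#   gpg --keyserver pgp.mit.edu --recv-keys 66484681
# A 32-bit key ID is not a unique identifier, so the full fingerprint from
# the announcement is what the signature is checked against.

# Published checksums, copied from the announcement.
sha256_for() {
  case "$1" in
    icedtea-2.3.13.tar.gz)
      echo 490935de1762fb1a02e858701cbfdb5a8df45560b56c528131b51ff444c7a454 ;;
    icedtea-2.4.4.tar.gz)
      echo ddce5dadaca4a24e8ecd632d5299fefd76f3bdcd7040bfbded3de3b1dffd56b3 ;;
    *) return 1 ;;
  esac
}

# check_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
check_sha256() {
  actual=$( (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | cut -d' ' -f1 )
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Signer fingerprint from the announcement, without spaces.
SIGNER_FPR=F072555B0A1739574E950056F286F14F66484681

# check_sig FILE: succeed only if FILE.sig is a good signature and the key
# that made it (or its primary key) has SIGNER_FPR. gpg's machine-readable
# status lines are matched rather than its human-readable output.
check_sig() {
  gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
    grep -q "^\[GNUPG:\] VALIDSIG .*$SIGNER_FPR"
}

# verify_release FILE: run both checks; refuse to continue on any failure.
verify_release() {
  expected=$(sha256_for "$(basename "$1")") || { echo "no published checksum for $1" >&2; return 1; }
  check_sha256 "$1" "$expected" || { echo "SHA256 mismatch: $1" >&2; return 1; }
  check_sig "$1" || { echo "signature check failed: $1" >&2; return 1; }
  echo "verified: $1"
}

# Typical use, gating the announcement's build steps on verification:
#   verify_release icedtea-2.4.4.tar.gz && tar xf icedtea-2.4.4.tar.gz
```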

Thanks,
Omair

-- 
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95  0056 F286 F14F 6648 4681

