[SECURITY] IcedTea 1.12.8 & 1.13.1 for OpenJDK 6 Released!
Andrew Hughes
gnu.andrew at redhat.com
Wed Jan 22 07:26:01 PST 2014
The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver, the ability to build
against system libraries and support for alternative virtual machines
and architectures beyond those supported by OpenJDK.
This release updates our OpenJDK 6 support in the 1.12.x and 1.13.x
series with the January 2014 security errata and a number of bug fixes.
An update will follow for the 1.11.x series (1.11.15), but this will
be the final update for this release series, following the release
of the 1.13.x series (see http://icedtea.classpath.org/wiki/ReleasePolicy).
Users are advised to migrate to either the 1.12.x or 1.13.x series
as soon as possible.
If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are
always welcome.
Full details of the release can be found below.
What's New?
===========
New in release 1.13.1 (2014-01-22):
* Security fixes
- S6727821: Enhance JAAS Configuration
- S7068126, CVE-2014-0373: Enhance SNMP statuses
- S8010935: Better XML handling
- S8011786, CVE-2014-0368: Better applet networking
- S8021257, CVE-2013-5896: com.sun.corba.se.** should be on restricted package list
- S8021271: Better buffering in ObjC code
- S8022904: Enhance JDBC Parsers
- S8022927: Input validation for byte/endian conversions
- S8022935: Enhance Apache resolver classes
- S8022945: Enhance JNDI implementation classes
- S8023057: Enhance start up image display
- S8023069, CVE-2014-0411: Enhance TLS connections
- S8023245, CVE-2014-0423: Enhance Beans decoding
- S8023301: Enhance generic classes
- S8023672: Enhance jar file validation
- S8024306, CVE-2014-0416: Enhance Subject consistency
- S8024530: Enhance font process resilience
- S8024867: Enhance logging start up
- S8025014: Enhance Security Policy
- S8025018, CVE-2014-0376: Enhance JAX-P set up
- S8025026, CVE-2013-5878: Enhance canonicalization
- S8025034, CVE-2013-5907: Improve layout lookups
- S8025448: Enhance listening events
- S8025758, CVE-2014-0422: Enhance Naming management
- S8025767, CVE-2014-0428: Enhance IIOP Streams
- S8026172: Enhance UI Management
- S8026176: Enhance document printing
- S8026193, CVE-2013-5884: Enhance CORBA stub factories
- S8026204: Enhance auth login contexts
- S8026417, CVE-2013-5910: Enhance XML canonicalization
- S8027201, CVE-2014-0376: Enhance JAX-P set up
* Import of OpenJDK6 b30
- OJ24: Fix change summary generator
- OJ25: Remove @Override annotation added on interfaces by 2014/01/14 security fixes
- S6995424: Eliminate dependency to a deprecated API com.sun.security.auth.PolicyFile
- S8026826: JDK 7 fix for 8010935 broke the build
- S8027837: JDK-8021257 causes CORBA build failure on embedded platforms
* Bug fixes
- Fix path in nss-not-enabled-config.patch.
New in release 1.12.8 (2014-01-22):
* Security fixes
- S6727821: Enhance JAAS Configuration
- S7068126, CVE-2014-0373: Enhance SNMP statuses
- S8010935: Better XML handling
- S8011786, CVE-2014-0368: Better applet networking
- S8021257, CVE-2013-5896: com.sun.corba.se.** should be on restricted package list
- S8022904: Enhance JDBC Parsers
- S8022927: Input validation for byte/endian conversions
- S8022935: Enhance Apache resolver classes
- S8022945: Enhance JNDI implementation classes
- S8023057: Enhance start up image display
- S8023069, CVE-2014-0411: Enhance TLS connections
- S8023245, CVE-2014-0423: Enhance Beans decoding
- S8023301: Enhance generic classes
- S8023672: Enhance jar file validation
- S8024306, CVE-2014-0416: Enhance Subject consistency
- S8024530: Enhance font process resilience
- S8024867: Enhance logging start up
- S8025014: Enhance Security Policy
- S8025018, CVE-2014-0376: Enhance JAX-P set up
- S8025026, CVE-2013-5878: Enhance canonicalization
- S8025034, CVE-2013-5907: Improve layout lookups
- S8025448: Enhance listening events
- S8025758, CVE-2014-0422: Enhance Naming management
- S8025767, CVE-2014-0428: Enhance IIOP Streams
- S8026172: Enhance UI Management
- S8026176: Enhance document printing
- S8026193, CVE-2013-5884: Enhance CORBA stub factories
- S8026204: Enhance auth login contexts
- S8026417, CVE-2013-5910: Enhance XML canonicalization
- S8027201, CVE-2014-0376: Enhance JAX-P set up
* Backports
- S6995424: Eliminate dependency to a deprecated API com.sun.security.auth.PolicyFile
- S8026826: JDK 7 fix for 8010935 broke the build
- S8027837: JDK-8021257 causes CORBA build failure on embedded platforms
* Bug fixes
- Fail if a C and C++ compiler are not detected.
- Fix path in nss-not-enabled-config.patch.
* SystemTap support:
- Ensure all patches are applied.
The tarballs can be downloaded from:
http://icedtea.classpath.org/download/source/icedtea6-1.12.8.tar.gz
http://icedtea.classpath.org/download/source/icedtea6-1.13.1.tar.gz
or:
http://icedtea.classpath.org/download/source/icedtea6-1.12.8.tar.xz
http://icedtea.classpath.org/download/source/icedtea6-1.13.1.tar.xz
We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.
The tarballs are accompanied by digital signatures available at:
http://icedtea.classpath.org/download/source/icedtea6-1.12.8.tar.gz.sig
http://icedtea.classpath.org/download/source/icedtea6-1.12.8.tar.xz.sig
http://icedtea.classpath.org/download/source/icedtea6-1.13.1.tar.gz.sig
http://icedtea.classpath.org/download/source/icedtea6-1.13.1.tar.xz.sig
These are produced using my public key. See details below.
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
SHA256 checksums:
c2ad74af29af774f778675d3fde952f4defebb2be44f565253d788e2e7af39d4 icedtea6-1.12.8.tar.gz
dd6655700b5f68ba17480e62f13eb963ada63392d046bdf499eaf8f9f269526b icedtea6-1.12.8.tar.gz.sig
cb584a3983e146b91f64c31594f8c599604fbc91fd3560503fdd65b04c6bfb7c icedtea6-1.12.8.tar.xz
e973decd9dd68d7d84b57105abd5dba6cfe1431e052061e30d1ca137108f3a23 icedtea6-1.12.8.tar.xz.sig
3d4d0a02304884ddf9f2123c227501b77d318cffb1b912c204dbc992f66bd4b6 icedtea6-1.13.1.tar.gz
f295b4373edb7a819a1a461e7c18ca447056b0618ee47a28377e98cf1118ac0d icedtea6-1.13.1.tar.gz.sig
5b2fe75660282889217fe997e9c8f9e70982f2c72fc2ca59db80e7da7380d7c1 icedtea6-1.13.1.tar.xz
dd9ab64a6c21df07059d05065eedaa16bacb530c1a0961a614689426edd1cf5d icedtea6-1.13.1.tar.xz.sig
The following people helped with these releases:
* Andrew Hughes (all other backports & fixes & release management)
* Omair Majid (security backports & NSS config fix)
We would also like to thank the bug reporters and testers!
To get started:
$ tar xzf icedtea6-${release_version}.tar.gz
or:
$ tar x -I xz -f icedtea6-${release_version}.tar.xz
then:
$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea6-${release_version}/configure
$ make
where ${release_version} is either 1.12.8 or 1.13.1.
Full build requirements and instructions are available in the INSTALL file.
Happy hacking!
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
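
One way to check a downloaded tarball against the SHA256 list and the signing-key fingerprint given in the message, as an added example that is not part of the original announcement. The function names are hypothetical, and the script assumes GNU coreutils `sha256sum` and a `gpg` keyring into which key 248BDC07 has already been imported. The checksum only detects a damaged download; the fingerprint comparison is what ties the tarball to the signing key.

```shell
#!/bin/sh
# Added example, not part of the announcement. Function names are hypothetical;
# the fingerprint, file name and digest are copied from the message above.
PINNED_FPR="EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07"
TARBALL="icedtea6-1.13.1.tar.xz"
TARBALL_SHA256="5b2fe75660282889217fe997e9c8f9e70982f2c72fc2ca59db80e7da7380d7c1"

# Succeeds only if the SHA-256 of file $1 equals the expected hex digest $2.
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG line names the pinned fingerprint $1 as the signing key (field 3)
# or as its primary key (last field). GOODSIG alone is not enough: it only
# says the signature is valid for some key in the keyring.
signed_by_pinned_key() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# Full check for tarball $1 (expected digest $2) with $1.sig beside it.
verify_release() {
    sha256_matches "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
        signed_by_pinned_key "$PINNED_FPR" ||
        { echo "not signed by pinned key: $1" >&2; return 1; }
    echo "verified: $1"
}

# Runs only when the tarball and its signature have been downloaded here.
if [ -f "$TARBALL" ] && [ -f "$TARBALL.sig" ]; then
    verify_release "$TARBALL" "$TARBALL_SHA256"
fi
```
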