[SECURITY] IcedTea 1.13.4 for OpenJDK 6 Released!

Andrew Hughes gnu.andrew at redhat.com
Tue Jul 15 20:25:02 UTC 2014

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver, the ability to build
against system libraries and support for alternative virtual machines
and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 6 support in the 1.13.x series with
the July 2014 security fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always

Full details of the release can be found below.

What's New?
New in release 1.13.4 (2014-07-15):

* Security fixes
  - S8029755, CVE-2014-4209: Enhance subject class
  - S8030763: Validate global memory allocation
  - S8031346, CVE-2014-4244: Enhance RSA key handling
  - S8031540: Introduce document horizon
  - S8032536: JVM resolves wrong method in some unusual cases
  - S8033055: Issues in 2d
  - S8033301, CVE-2014-4266: Build more informative InfoBuilder
  - S8034267: Probabilistic native crash
  - S8034272: Do not cram data into CRAM arrays
  - S8035004, CVE-2014-4252: Provider provides less service
  - S8035009, CVE-2014-4218: Make Proxy representations consistent
  - S8035119, CVE-2014-4219: Fix exceptions to bytecode verification
  - S8035699, CVE-2014-4268: File choosers should be choosier
  - S8036571: (process) Process process arguments carefully
  - S8036800: Attribute OOM to correct part of code
  - S8037046: Validate libraries to be loaded
  - S8037157: Verify <init> call
  - S8037076, CVE-2014-2490: Check constant pool constants
  - S8037162, CVE-2014-4263: More robust DH exchanges
  - S8037167, CVE-2014-4216: Better method signature resolution
  - S8039520, CVE-2014-4262: More atomicity of atomic updates
* Import of OpenJDK6 b32
  - OP32: OpenJDK6-b31 isn't compatible with Windows platform
  - OJ33: Update copyright headers introduced by the fix for OPENJDK6-32
  - OJ34: OpenJDK6-b31 backport of JDK-6638712 to openjdk6
  - OJ35: backport of JDK-6650759 to openjdk6
  - OJ36: Fix a mistake in backport of 8035119
  - S8013611: Modal dialog fails to obtain keyboard focus
  - S8013836: getFirstDayOfWeek reports wrong day for pt-BR locale
  - S8028111: XML readers share the same entity expansion counter
  - S8028285: RMI Thread can no longer call out to AWT
  - S8029038: Revise fix for XML readers share the same entity expansion counter
  - S8042582: Test java/awt/KeyboardFocusmanager/ChangeKFMTest/ChangeKFMTest.html fails on Windows x64
  - S8042590: Running form URL throws NPE
  - S8042789: org.omg.CORBA.ORBSingletonClass loading no longer uses context class loader
* Backports
  - S7027300, RH1098399: Unsynchronized HashMap access causes endless loop
  - S7183251: Netbeans editor renders text wrong on JDK 7u6 build

The tarballs can be downloaded from:


We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:


These are produced using my public key. See details below.

    PGP Key: 248BDC07 (https://keys.indymedia.org/)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

SHA256 checksums:

302b17575ad98bbf6a1d4d8768d2ea1f1b070f153c660ebe493b6509d56ed0e7  icedtea6-1.13.4.tar.gz
9a6f5ef3eecfffd31a1738a5582c16dacefb081130bc11b1e6ce027e3840dc85  icedtea6-1.13.4.tar.gz.sig
7ca52ac37fe8bd9734ffe3630ef74ba2a22dadcd47cb8eba2b34d906bddb186f  icedtea6-1.13.4.tar.xz
341684678d8564085d0e4509f39c14582bd1d463bca6f9f3546e6db8c4535ec8  icedtea6-1.13.4.tar.xz.sig

The checksums can be downloaded from:


The following people helped with these releases:

    Andrew Hughes (all other backports, release management)
    Omair Majid (update to new b32 release tarball)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.13.4.tar.gz


$ tar x -I xz -f icedtea6-1.13.4.tar.xz


$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea6-1.13.4/configure
$ make

Full build requirements and instructions are available in the INSTALL file.
Happy hacking!
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
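
Added example, not part of the original announcement or of IcedTea itself: one way to check a downloaded tarball against the published SHA256 list and the detached signature before unpacking it. The function names and the local list file name SHA256SUMS are assumptions; the script expects GNU sha256sum and a gpg keyring that already holds the release key.

```shell
#!/bin/sh
# Added example, not part of the announcement. File names and fingerprint are
# taken from the announcement; function names and SHA256SUMS are assumptions.
# Requires GNU coreutils sha256sum and, for check_sig, gpg with the key imported.

RELEASE_FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"  # full fingerprint, no spaces

# check_sha256 FILE HEX: succeed only if FILE's SHA-256 equals HEX.
check_sha256() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# check_list LIST: LIST holds "<hex>  <name>" lines as published above.
# Fails on the first mismatch or missing file, and on an empty list.
check_list() {
    n=0
    while read -r hex name || [ -n "$hex" ]; do
        [ -n "$hex" ] || continue
        check_sha256 "$name" "$hex" || { echo "FAILED: $name" >&2; return 1; }
        n=$((n + 1))
    done < "$1"
    [ "$n" -gt 0 ]
}

# check_sig TARBALL: verify the detached TARBALL.sig and require that the
# signing key (or its primary key) has the pinned full fingerprint. The
# 8-digit key ID alone is not enough, since short IDs can collide.
check_sig() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
        awk -v fpr="$RELEASE_FPR" '
            $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
            END { exit !ok }'
}

# Usage: sh verify.sh SHA256SUMS icedtea6-1.13.4.tar.xz
if [ "$#" -eq 2 ]; then
    check_list "$1" && check_sig "$2" && echo "verified: $2"
fi
```

The checksum list only detects corruption or a swapped file if the list itself is trusted; the signature check against the full fingerprint is what ties the tarball to the release key.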