[SECURITY] IcedTea 1.13.9 for OpenJDK 6 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Fri Nov 13 04:42:18 UTC 2015


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver, the ability to build
against system libraries and support for alternative virtual machines
and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 6 support in the 1.13.x series with
the October 2015 security fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are
always welcome.

Full details of the release can be found below.

What's New?
===========
New in release 1.13.9 (2015-11-13):

* Security fixes
  - S8048030, CVE-2015-4734: Expectations should be consistent
  - S8068842, CVE-2015-4803: Better JAXP data handling
  - S8076339, CVE-2015-4903: Better handling of remote object invocation
  - S8076383, CVE-2015-4835: Better CORBA exception handling
  - S8076387, CVE-2015-4882: Better CORBA value handling
  - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency
  - S8076413, CVE-2015-4883: Better JRMP message handling
  - S8078427, CVE-2015-4842: More supportive home environment
  - S8078440: Safer managed types
  - S8080541: More direct property handling
  - S8080688, CVE-2015-4860: Service for DGC services
  - S8081760: Better group dynamics
  - S8086733, CVE-2015-4893: Improve namespace handling
  - S8087350: Improve array conversions
  - S8103671, CVE-2015-4805: More objective stream classes
  - S8103675: Better Binary searches
  - S8130078, CVE-2015-4911: Document better processing
  - S8130193, CVE-2015-4806: Improve HTTP connections
  - S8130864: Better server identity handling
  - S8130891, CVE-2015-4843: (bf) More direct buffering
  - S8131291, CVE-2015-4872: Perfect parameter patterning
  - S8132042, CVE-2015-4844: Preserve layout presentation
* Import of OpenJDK6 b37
  - OJ64: Backport hashtable to map changes from jaxp
  - OJ65: Remove @Override annotation on interfaces added by 2015/10/20 security fixes
  - OJ66: Revert 7110373 & 7149751 test removals now 6706974 is present (krb5 test infrastructure)
  - OJ67: Fix copyright headers on imported files
  - OJ68: Ensure SharedSecrets are initialised
  - S6570619: (bf) DirectByteBuffer.get/put(byte[]) does not scale well
  - S6590930: reed/write does not match for ccache
  - S6648972: KDCReq.init always read padata
  - S6676075: RegistryContext (com.sun.jndi.url.rmi.rmiURLContext) coding problem
  - S6682516: SPNEGO_HTTP_AUTH/WWW_KRB and SPNEGO_HTTP_AUTH/WWW_SPNEGO failed on all non-windows platforms
  - S6710360: export Kerberos session key to applications
  - S6733095: Failure when SPNEGO request non-Mutual
  - S6785456: Read Kerberos setting from Windows environment variables
  - S6821190: more InquireType values for ExtendedGSSContext
  - S6843127: krb5 should not try to access unavailable kdc too often
  - S6844193: support max_retries in krb5.conf
  - S6844907: krb5 etype order should be from strong to weak
  - S6844909: support allow_weak_crypto in krb5.conf
  - S6849275: enhance krb5 reg tests
  - S6853328: Support OK-AS-DELEGATE flag
  - S6854308: more ktab options
  - S6856069: PrincipalName.clone() does not invoke super.clone()
  - S6857795: krb5.conf ignored if system properties on realm and kdc are provided
  - S6857802: GSS getRemainingInitLifetime method returns milliseconds not seconds
  - S6858589: more changes to Config on system properties
  - S6862679: ESC: AD Authentication with user with umlauts fails
  - S6877357: IPv6 address does not work
  - S6888701: Change all template java source files to a .java-template file suffix
  - S6893158: AP_REQ check should use key version number
  - S6907425: JCK Kerberos tests fail since b77
  - S6919610: KeyTabInputStream uses static field for per-instance value
  - S6932525: Incorrect encryption types of KDC_REQ_BODY of AS-REQ with pre-authentication
  - S6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
  - S6950546: "ktab -d name etype" to "ktab -d name [-e etype] [kvno | all | old]"
  - S6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
  - S6952519: kdc_timeout is not being honoured when using TCP
  - S6959292: regression: cannot login if session key and preauth does not use the same etype
  - S6960894: Better AS-REQ creation and processing
  - S6966259: Make PrincipalName and Realm immutable
  - S6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
  - S6984764: kerberos fails if service side keytab is generated using JDK ktab
  - S6997740: ktab entry related test compilation error
  - S7018928: test failure: sun/security/krb5/auto/SSL.java
  - S7032354: no-addresses should not be used on acceptor side
  - S7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
  - S7142596: RMI JPRT tests are failing
  - S7157610: NullPointerException occurs when parsing XML doc
  - S7158329: NPE in sun.security.krb5.Credentials.acquireDefaultCreds()
  - S7197159: accept different kvno if there no match
  - S8004317: TestLibrary.getUnusedRandomPort() fails intermittently, but exception not reported
  - S8005226: java/rmi/transport/pinClientSocketFactory/PinClientSocketFactory.java fails intermittently
  - S8006534: CLONE - TestLibrary.getUnusedRandomPort() fails intermittently-doesn't retry enough times
  - S8014097: add doPrivileged methods with limited privilege scope
  - S8021191: Add isAuthorized check to limited doPrivileged methods
  - S8022213: Intermittent test failures in java/net/URLClassLoader
  - S8028583: Add helper methods to test libraries
  - S8028780: JDK KRB5 module throws OutOfMemoryError when CCache is corrupt
  - S8058608: JVM crash during Kerberos logins using des3-cbc-md5 on OSX
  - S8064331: JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC
  - S8072932: Test fails with java.security.AccessControlException: access denied ("java.security.SecurityPermission" "getDomainCombiner")
  - S8078822: 8068842 fix missed one new file PrimeNumberSequenceGenerator.java
  - S8079323: Serialization compatibility for Templates: need to exclude Hashtable from serialization
  - S8087118: Remove missing package from java.security files
  - S8098547: (tz) Support tzdata2015e
  - S8130253: ObjectStreamClass.getFields too restrictive
  - S8133196, RH1251935: HTTPS hostname invalid issue with InetAddress
  - S8133321: (tz) Support tzdata2015f
  - S8135043: ObjectStreamClass.getField(String) too restrictive
* Backports
  - S6440786, PR363: Cannot create a ZIP file containing zero entries
  - S6599383, PR363: Unable to open zip files more than 2GB in size
  - S6763122, PR363: ZipFile ctor does not throw exception when file is not a zip file
  - S6929479, PR363: Add a system property sun.zip.disableMemoryMapping to disable mmap use in ZipFile
  - S7105461, PR2662: Large JTables are not rendered correctly with Xrender pipeline
  - S7150134, PR2662: JCK api/java_awt/Graphics/index.html#DrawLine fails with OOM for jdk8 with XRender pipeline
* Bug fixes
  - PR2513: Reset success following calls in LayoutManager.cpp

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea6-1.13.9.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.13.9.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea6-1.13.9.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea6-1.13.9.tar.xz.sig

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

I’m transitioning to the use of a new key for signing releases over
the next year. Signatures made with this key are available at:

* http://icedtea.classpath.org/download/source/icedtea6-1.13.9.tar.gz.sig.ec
* http://icedtea.classpath.org/download/source/icedtea6-1.13.9.tar.xz.sig.ec

and the new key is:

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this newer key.

SHA256 checksums:

41baf774c52c1d2a0a094a6355635942e8ecb80cf7853fb6827da80f7818ba33  icedtea6-1.13.9.tar.gz
49a01399630b5477af4ac7e240aaddb04d93578d54d659b560f5f02e687fd98c  icedtea6-1.13.9.tar.gz.sig
3a18bb1e540a0694ca1359e5adebaa5e1af66b4ba739b4e0d3ea733683a8330a  icedtea6-1.13.9.tar.gz.sig.ec
61e0fb2ed0fc2d793a42e24d2192423f8a7ccb04f130d82d5889a0ecf52bc965  icedtea6-1.13.9.tar.xz
bf4c66cd3f64c2ca7510f8584c7bdd67012f4307d73e1f6232a1475df64c1caa  icedtea6-1.13.9.tar.xz.sig
51acad266f7c8a6cfd0662a1deab21a91acea88c46af2de2521897e81077b902  icedtea6-1.13.9.tar.xz.sig.ec

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea6-1.13.9.sha256
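As an added example (not part of the announcement or the IcedTea project): a POSIX shell script that checks a downloaded tarball against the published SHA256 list and both detached signatures, pinning the two fingerprints given above rather than accepting any "good signature" from the keyring. It assumes the checksum file was saved under its default name icedtea6-1.13.9.sha256 and that both keys have already been imported (for example from hkp://keys.gnupg.net).

```shell
#!/bin/sh
# Constructed example, not from the announcement: check a downloaded IcedTea 6
# tarball against the published SHA256 list and the detached PGP signatures.
# Fingerprints are the two keys named in the announcement, spaces removed.
RSA_FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"
ED25519_FPR="5132579DD1540ED23E04C5A0CFDA0F9B35964222"

# SHA-256 of a file via coreutils sha256sum, or shasum where that is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_sha256 CHECKSUM_FILE ARTIFACT: find the artifact's basename in the
# "<hash>  <name>" list and compare it with the locally computed digest.
check_sha256() {
    name=$(basename "$2")
    listed=$(awk -v n="$name" '$2 == n { print $1 }' "$1")
    [ -n "$listed" ] || { echo "no entry for $name in $1" >&2; return 2; }
    [ -f "$2" ] || { echo "missing file $2" >&2; return 2; }
    [ "$listed" = "$(sha256_of "$2")" ] || { echo "sha256 MISMATCH: $name" >&2; return 1; }
    echo "sha256 ok: $name"
}

# check_signature SIGFILE ARTIFACT FINGERPRINT: gpg must report VALIDSIG and the
# signing key (or its primary key) must carry the expected fingerprint, so a
# good signature from some other key in the keyring is rejected.
check_signature() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        awk -v f="$3" '$2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
                       END { exit ok ? 0 : 1 }' || return 1
    echo "signature ok: $1 ($3)"
}

# verify_release ARTIFACT [CHECKSUM_FILE]: checksums first (signature files
# included), then the rsa4096 signature, then the newer ed25519 one (GnuPG >= 2.1).
verify_release() {
    sums=${2:-icedtea6-1.13.9.sha256}
    check_sha256 "$sums" "$1" && check_sha256 "$sums" "$1.sig" || return 1
    check_signature "$1.sig" "$1" "$RSA_FPR" || return 1
    if [ -f "$1.sig.ec" ]; then
        check_sha256 "$sums" "$1.sig.ec" || return 1
        check_signature "$1.sig.ec" "$1" "$ED25519_FPR" || return 1
    fi
}

if [ "$#" -ge 1 ]; then verify_release "$@"; fi
```

Saved as, say, verify-icedtea.sh and run from the download directory as `sh verify-icedtea.sh icedtea6-1.13.9.tar.xz`, it exits non-zero on any digest mismatch, missing entry, or signature from a key other than the pinned ones.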

The following people helped with these releases:

* Andrew Hughes (all backports and bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.13.9.tar.gz

or:

$ tar x -I xz -f icedtea6-1.13.9.tar.xz

then:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea6-1.13.9/configure
$ make

Full build requirements and instructions are available in the INSTALL file.
Happy hacking!
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07