[SECURITY] IcedTea6 1.8.13, 1.9.13, 1.10.6 and IcedTea 2.0.1 Released!

Dr Andrew John Hughes ahughes at redhat.com
Wed Feb 15 00:22:57 PST 2012


The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

A new set of security releases is now available for IcedTea6, which
uses OpenJDK6 as its base:

* IcedTea6 1.8.13 (based on OpenJDK6 b18)
* IcedTea6 1.9.13 (based on OpenJDK6 b20)
* IcedTea6 1.10.6 (based on OpenJDK6 b22)

and one for IcedTea 2.x, which uses OpenJDK7 as its base:

* IcedTea 2.0.1 (based on OpenJDK7 u1 + u3 security patches)
 
All updates contain the following security fixes:
 
* S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
* S7088367, CVE-2011-3563: Fix issues in java sound
* S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
* S7110687, CVE-2012-0503: Issues with TimeZone class
* S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
* S7110704, CVE-2012-0506: Issues with some method in corba
* S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
* S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
* S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server

Full details of each release can be found below.

*PLEASE NOTE*: With this release, the 1.8 series is now NO LONGER SUPPORTED.
We strongly recommend that you upgrade to a new release series; either 1.9.13,
1.10.6 or 1.11.1 for OpenJDK6.  Alternatively, make the jump to OpenJDK7 with
2.0.1 or the new 2.1.0 (to be released shortly).

What's New?
-----------

New in release 2.0.1 (2012-02-14):

* Security fixes
  - S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
  - S7088367, CVE-2011-3563: Fix issues in java sound
  - S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
  - S7110687, CVE-2012-0503: Issues with TimeZone class
  - S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
  - S7110704, CVE-2012-0506: Issues with some method in corba
  - S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
  - S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
  - S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
* Bug fixes
  - S7103610: _NET_WM_PID and WM_CLIENT_MACHINE are not set

New in release 1.10.6 (2012-02-14):

* Security fixes
  - S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
  - S7088367, CVE-2011-3563: Fix issues in java sound
  - S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
  - S7110687, CVE-2012-0503: Issues with TimeZone class
  - S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
  - S7110704, CVE-2012-0506: Issues with some method in corba
  - S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
  - S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
  - S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
* Bug fixes
  - RH580478: Desktop files should not use hardcoded path

New in release 1.9.13 (2012-02-14):

* Security fixes
  - S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
  - S7088367, CVE-2011-3563: Fix issues in java sound
  - S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
  - S7110687, CVE-2012-0503: Issues with TimeZone class
  - S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
  - S7110704, CVE-2012-0506: Issues with some method in corba
  - S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
  - S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
  - S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
* Bug fixes
  - RH580478: Desktop files should not use hardcoded path

New in release 1.8.13 (2012-02-14):

* Security fixes
  - S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
  - S7088367, CVE-2011-3563: Fix issues in java sound
  - S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
  - S7110687, CVE-2012-0503: Issues with TimeZone class
  - S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
  - S7110704, CVE-2012-0506: Issues with some method in corba
  - S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
  - S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
  - S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
* Bug fixes
  - RH580478: Desktop files should not use hardcoded path

The tarballs can be downloaded from:
 
* http://icedtea.classpath.org/download/source/icedtea-2.0.1.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.10.6.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.9.13.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.8.13.tar.gz

SHA256 checksums:

9d3c4d3676c2286003cf9beb9fc3ee442d2c04b3f8b229be140fe636c9e70101  icedtea-2.0.1.tar.gz
4bdd8ff2e6a93455425eeabd6c073137bf3816ad16ce6e89979ec1521e03c7f1  icedtea6-1.10.6.tar.gz
1c972e03be7021e1b789e6077df9c74af7df239182d20d2478f7a60bc68e3c61  icedtea6-1.9.13.tar.gz
be3afacb9a08cdf932e4772f7f5575c53f21a2a60456eb4e8e63e18fa4e2e41b  icedtea6-1.8.13.tar.gz

Each tarball is accompanied by a digital signature (available at the
above URL + '.sig').  This is produced using my public key.  See
details below.
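A verification routine for the tarballs, published checksums and signing key above, added here as an example and not part of the announcement. It assumes coreutils sha256sum (or shasum) and gpg with the signer's public key already imported; it pins the full fingerprint, since the 8-hex-digit key id 248BDC07 alone is not a safe identifier.

```sh
#!/bin/sh
# Added example: verify a downloaded IcedTea tarball against the SHA256
# checksums from the announcement and check its detached .sig against the
# signer's FULL fingerprint rather than the short key id.

# Checksums exactly as published in the announcement.
ICEDTEA_SHA256SUMS='9d3c4d3676c2286003cf9beb9fc3ee442d2c04b3f8b229be140fe636c9e70101  icedtea-2.0.1.tar.gz
4bdd8ff2e6a93455425eeabd6c073137bf3816ad16ce6e89979ec1521e03c7f1  icedtea6-1.10.6.tar.gz
1c972e03be7021e1b789e6077df9c74af7df239182d20d2478f7a60bc68e3c61  icedtea6-1.9.13.tar.gz
be3afacb9a08cdf932e4772f7f5575c53f21a2a60456eb4e8e63e18fa4e2e41b  icedtea6-1.8.13.tar.gz'

# Signer fingerprint from the announcement signature block, spaces removed.
RELEASE_FPR='EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07'

# sha256_of FILE: hex digest, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"
    fi | awk '{ print $1 }'
}

# expected_sha256 NAME: published checksum for tarball NAME, or exit 1.
expected_sha256() {
    printf '%s\n' "$ICEDTEA_SHA256SUMS" |
        awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# verify_sha256 FILE [EXPECTED]: 0 if FILE's digest equals EXPECTED
# (default: the published value for its basename), 1 otherwise.
verify_sha256() {
    if [ -n "$2" ]; then expected=$2
    else expected=$(expected_sha256 "$(basename "$1")") || return 1
    fi
    [ "$(sha256_of "$1")" = "$expected" ]
}

# verify_sig FILE SIGFILE: gpg must emit VALIDSIG and the signing key (or
# its primary key) must carry RELEASE_FPR; an unknown, expired or merely
# same-short-id key fails. Returns 0 only for a good, pinned signature.
verify_sig() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v fpr="$RELEASE_FPR" \
        '$2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 } END { exit !ok }'
}

# verify_release FILE: both checks must pass before the tarball is unpacked.
verify_release() {
    verify_sha256 "$1" || { echo "checksum mismatch: $1" >&2; return 1; }
    verify_sig "$1" "$1.sig" || { echo "bad or unpinned signature: $1.sig" >&2; return 1; }
    echo "verified: $1"
}
```

Run `verify_release icedtea6-1.10.6.tar.gz` in the download directory with the matching `.sig` alongside it; a non-zero exit means do not unpack.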

The following people helped with these releases:

* Deepak Bhole (reproducer for S7112642)
* Andrew Haley (backport of S7126960 reproducer to IcedTea6)
* Andrew John Hughes (all other fixes and release management)
* Omair Majid (preparation of security patches for IcedTea6-1.11, reproducer for 7110704)
* Roman Kennke (replacement reproducer for S7110683)
* Jiri Vanek (RH580478)

We would also like to thank the bug reporters and testers!
 
To get started:
$ tar xzf <tarball name>
$ cd <tarball name minus .tar.gz suffix>
 
Full build requirements and instructions are in INSTALL:
$ ./configure [--with-parallel-jobs[=x] --enable-pulse-java --enable-systemtap ...]
$ make
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07