[SECURITY] IcedTea 1.11.10 for OpenJDK 6 Released!

Andrew John Hughes gnu.andrew at redhat.com
Wed Apr 17 05:07:13 PDT 2013


The IcedTea project provides a harness to build the source code from
OpenJDK 6 using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

This is a new security release, 1.11.10, which contains the following
security fixes:

  * S6657673, CVE-2013-1518: Issues with JAXP
  * S7200507: Refactor Introspector internals
  * S8000724, CVE-2013-2417: Improve networking serialization
  * S8001031, CVE-2013-2419: Better font processing
  * S8001040, CVE-2013-1537: Rework RMI model
  * S8001322: Refactor deserialization
  * S8001329, CVE-2013-1557: Augment RMI logging
  * S8003335: Better handling of Finalizer thread
  * S8003445: Adjust JAX-WS to focus on API
  * S8003543, CVE-2013-2415: Improve processing of MTOM attachments
  * S8004261: Improve input validation
  * S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
  * S8004986, CVE-2013-2383: Better handling of glyph table
  * S8004987, CVE-2013-2384: Better handling of glyph table
  * S8004994, CVE-2013-1569: Better handling of glyph table
  * S8005432: Update access to JAX-WS
  * S8005943: (process) Improved Runtime.exec
  * S8006309: More reliable control panel operation
  * S8006435, CVE-2013-2424: Improvements in JMX
  * S8006790: Improve checking for windows
  * S8006795: Improve font warning messages
  * S8007406: Improve accessibility of AccessBridge
  * S8007617, CVE-2013-2420: Better validation of images
  * S8007667, CVE-2013-2430: Better image reading
  * S8007918, CVE-2013-2429: Better image writing
  * S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
  * S8009305, CVE-2013-0401: Improve AWT data transfer
  * S8009699, CVE-2013-2421: Methodhandle lookup
  * S8009814, CVE-2013-1488: Better driver management
  * S8009857, CVE-2013-2422: Problem with plugin

Full details of the release can be found below.

What's New?
-----------
New in release 1.11.10 (2013-04-17):

* New features
  - JAXP, JAXWS & JAF supplied as patches rather than drops to aid subsequent patching.
  - PR1380: Add AArch64 support to Zero
* Security fixes
  - S6657673, CVE-2013-1518: Issues with JAXP
  - S7200507: Refactor Introspector internals
  - S8000724, CVE-2013-2417: Improve networking serialization
  - S8001031, CVE-2013-2419: Better font processing
  - S8001040, CVE-2013-1537: Rework RMI model
  - S8001322: Refactor deserialization
  - S8001329, CVE-2013-1557: Augment RMI logging
  - S8003335: Better handling of Finalizer thread
  - S8003445: Adjust JAX-WS to focus on API
  - S8003543, CVE-2013-2415: Improve processing of MTOM attachments
  - S8004261: Improve input validation
  - S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
  - S8004986, CVE-2013-2383: Better handling of glyph table
  - S8004987, CVE-2013-2384: Improve font layout
  - S8004994, CVE-2013-1569: Improve checking of glyph table
  - S8005432: Update access to JAX-WS
  - S8005943: (process) Improved Runtime.exec
  - S8006309: More reliable control panel operation
  - S8006435, CVE-2013-2424: Improvements in JMX
  - S8006790: Improve checking for windows
  - S8006795: Improve font warning messages
  - S8007406: Improve accessibility of AccessBridge
  - S8007617, CVE-2013-2420: Better validation of images
  - S8007667, CVE-2013-2430: Better image reading
  - S8007918, CVE-2013-2429: Better image writing
  - S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
  - S8009305, CVE-2013-0401: Improve AWT data transfer
  - S8009699, CVE-2013-2421: Methodhandle lookup
  - S8009814, CVE-2013-1488: Better driver management
  - S8009857, CVE-2013-2422: Problem with plugin
* Backports
  - S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32 bit shifts
  - S7036559: ConcurrentHashMap footprint and contention improvements
  - S5102804: Memory leak in Introspector.getBeanInfo(Class) for custom BeanInfo: Class param (with WeakCache from S6397609)
  - S6501644: sync LayoutEngine *code* structure to match ICU
  - S6886358: layout code update
  - S6963811: Deadlock-prone locking changes in Introspector
  - S7017324: Kerning crash in JDK 7 since ICU layout update
  - S7064279: Introspector.getBeanInfo() should release some resources in timely manner
  - S8004302: javax/xml/soap/Test7013971.java fails since jdk6u39b01
* Bug fixes
  - OJ3: Fix get_stack_bounds memory leak (alternate fix for S7197906)
  - PR1362: Fedora 19 / rawhide FTBFS SIGILL
  - PR1319: Correct #ifdef to #if
  - PR1339: Simplify the rhino class rewriter to avoid use of concurrency

The tarballs can be downloaded from:
 
* http://icedtea.classpath.org/download/source/icedtea6-1.11.10.tar.gz

SHA256 checksums:

6c362135db9e0477eb9308b02a2adef26fc56cdabf2eda3286ce4301eb6e951e  icedtea6-1.11.10.tar.gz

Each tarball is accompanied by a digital signature (available at the
above URL + '.sig').  This is produced using my public key.  See
details below.

The following people helped with these releases:

* Andrew John Hughes (applying most security patches, backports & bug fixes, release management)
* Omair Majid (build testing, reproducer runs, patches for S8007667, S8007918, S8009305, S8009814, S8009857)
* Chris Phillips (PR1362 patch for ARM issue)
* Roman Kennke (S8004986 / S8004987 / S8004994 patch)
* Andreas Schwab (PR1380 patch for AArch64 Zero support) 
* Jon VanAlten (S8009063 patch and S7036559 dependency backport)

We would also like to thank the bug reporters and testers!
 
To get started:

$ tar xzf icedtea6-1.11.10.tar.gz
 
Full build requirements and instructions are in INSTALL:

$ mkdir icedtea6-build
$ cd icedtea6-build
$ ../icedtea6-1.11.10/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
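An added example, not part of the announcement above: a POSIX shell script that checks the downloaded tarball against the SHA256 checksum and the full PGP key fingerprint stated in this message before running the documented configure/make steps. The use of wget and gpg is an assumption, as is that the announced key has already been imported into the local keyring.

```shell
#!/bin/sh
# Added example, not from the announcement: verify icedtea6-1.11.10
# before building it. URL, SHA256 and key fingerprint are the values
# stated in the announcement; wget/gpg usage is an assumption.
TARBALL="icedtea6-1.11.10.tar.gz"
URL="http://icedtea.classpath.org/download/source/$TARBALL"
EXPECTED_SHA256="6c362135db9e0477eb9308b02a2adef26fc56cdabf2eda3286ce4301eb6e951e"
KEY_FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"

# Print the SHA-256 of a file (coreutils sha256sum or BSD shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeed only if the file's digest equals the published one.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Succeed only if the detached .sig is valid and was made by the announced
# key. The full fingerprint from gpg's VALIDSIG status line is compared
# (as signing key, or as primary key when a signing subkey was used); the
# short 248BDC07 key ID is only 32 bits and is not enough on its own.
verify_signature() {
  gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
    | grep -E -q "^\[GNUPG:\] VALIDSIG ($2 |.* $2$)"
}

# Download, run both checks, then build as the announcement describes.
fetch_verify_build() {
  [ -f "$TARBALL" ] || wget "$URL" "$URL.sig"
  verify_sha256 "$TARBALL" "$EXPECTED_SHA256" \
    || { echo "checksum mismatch" >&2; return 1; }
  verify_signature "$TARBALL" "$KEY_FPR" \
    || { echo "bad or unexpected signature" >&2; return 1; }
  tar xzf "$TARBALL"
  mkdir -p icedtea6-build && cd icedtea6-build || return 1
  ../icedtea6-1.11.10/configure && make
}

# Only download and build when invoked as: sh verify-icedtea.sh build
if [ "${1:-}" = "build" ]; then
  fetch_verify_build
fi
```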