[SECURITY] IcedTea 1.11.10 for OpenJDK 6 Released!
Andrew John Hughes
gnu.andrew at redhat.com
Wed Apr 17 05:07:13 PDT 2013
The IcedTea project provides a harness to build the source code from
OpenJDK 6 using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.
A new security release, 1.11.10, is now available. It contains the
following security fixes:
* S6657673, CVE-2013-1518: Issues with JAXP
* S7200507: Refactor Introspector internals
* S8000724, CVE-2013-2417: Improve networking serialization
* S8001031, CVE-2013-2419: Better font processing
* S8001040, CVE-2013-1537: Rework RMI model
* S8001322: Refactor deserialization
* S8001329, CVE-2013-1557: Augment RMI logging
* S8003335: Better handling of Finalizer thread
* S8003445: Adjust JAX-WS to focus on API
* S8003543, CVE-2013-2415: Improve processing of MTOM attachments
* S8004261: Improve input validation
* S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
* S8004986, CVE-2013-2383: Better handling of glyph table
* S8004987, CVE-2013-2384: Better handling of glyph table
* S8004994, CVE-2013-1569: Better handling of glyph table
* S8005432: Update access to JAX-WS
* S8005943: (process) Improved Runtime.exec
* S8006309: More reliable control panel operation
* S8006435, CVE-2013-2424: Improvements in JMX
* S8006790: Improve checking for windows
* S8006795: Improve font warning messages
* S8007406: Improve accessibility of AccessBridge
* S8007617, CVE-2013-2420: Better validation of images
* S8007667, CVE-2013-2430: Better image reading
* S8007918, CVE-2013-2429: Better image writing
* S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
* S8009305, CVE-2013-0401: Improve AWT data transfer
* S8009699, CVE-2013-2421: Methodhandle lookup
* S8009814, CVE-2013-1488: Better driver management
* S8009857, CVE-2013-2422: Problem with plugin
Full details of the release can be found below.
What’s New?
-----------
New in release 1.11.10 (2013-04-17):
* New features
- JAXP, JAXWS & JAF supplied as patches rather than drops to aid subsequent patching.
- PR1380: Add AArch64 support to Zero
* Security fixes
- S6657673, CVE-2013-1518: Issues with JAXP
- S7200507: Refactor Introspector internals
- S8000724, CVE-2013-2417: Improve networking serialization
- S8001031, CVE-2013-2419: Better font processing
- S8001040, CVE-2013-1537: Rework RMI model
- S8001322: Refactor deserialization
- S8001329, CVE-2013-1557: Augment RMI logging
- S8003335: Better handling of Finalizer thread
- S8003445: Adjust JAX-WS to focus on API
- S8003543, CVE-2013-2415: Improve processing of MTOM attachments
- S8004261: Improve input validation
- S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
- S8004986, CVE-2013-2383: Better handling of glyph table
- S8004987, CVE-2013-2384: Improve font layout
- S8004994, CVE-2013-1569: Improve checking of glyph table
- S8005432: Update access to JAX-WS
- S8005943: (process) Improved Runtime.exec
- S8006309: More reliable control panel operation
- S8006435, CVE-2013-2424: Improvements in JMX
- S8006790: Improve checking for windows
- S8006795: Improve font warning messages
- S8007406: Improve accessibility of AccessBridge
- S8007617, CVE-2013-2420: Better validation of images
- S8007667, CVE-2013-2430: Better image reading
- S8007918, CVE-2013-2429: Better image writing
- S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
- S8009305, CVE-2013-0401: Improve AWT data transfer
- S8009699, CVE-2013-2421: Methodhandle lookup
- S8009814, CVE-2013-1488: Better driver management
- S8009857, CVE-2013-2422: Problem with plugin
* Backports
- S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32 bit shifts
- S7036559: ConcurrentHashMap footprint and contention improvements
- S5102804: Memory leak in Introspector.getBeanInfo(Class) for custom BeanInfo: Class param (with WeakCache from S6397609)
- S6501644: sync LayoutEngine *code* structure to match ICU
- S6886358: layout code update
- S6963811: Deadlock-prone locking changes in Introspector
- S7017324: Kerning crash in JDK 7 since ICU layout update
- S7064279: Introspector.getBeanInfo() should release some resources in timely manner
- S8004302: javax/xml/soap/Test7013971.java fails since jdk6u39b01
* Bug fixes
- OJ3: Fix get_stack_bounds memory leak (alternate fix for S7197906)
- PR1362: Fedora 19 / rawhide FTBFS SIGILL
- PR1319: Correct #ifdef to #if
- PR1339: Simplify the rhino class rewriter to avoid use of concurrency
The tarballs can be downloaded from:
* http://icedtea.classpath.org/download/source/icedtea6-1.11.10.tar.gz
SHA256 checksums:
6c362135db9e0477eb9308b02a2adef26fc56cdabf2eda3286ce4301eb6e951e icedtea6-1.11.10.tar.gz
Each tarball is accompanied by a digital signature (available at the
above URL + '.sig'). This is produced using my public key. See
details below.
The following people helped with these releases:
* Andrew John Hughes (applying most security patches, backports & bug fixes, release management)
* Omair Majid (build testing, reproducer runs, patches for S8007667, S8007918, S8009305, S8009814, S8009857)
* Chris Phillips (PR1362 patch for ARM issue)
* Roman Kennke (S8004986 / S8004987 / S8004994 patch)
* Andreas Schwab (PR1380 patch for AArch64 Zero support)
* Jon VanAlten (S8009063 patch and S7036559 dependency backport)
We would also like to thank the bug reporters and testers!
To get started:
$ tar xzf icedtea6-1.11.10.tar.gz
Full build requirements and instructions are in INSTALL:
$ mkdir icedtea6-build
$ cd icedtea6-build
$ ../icedtea6-1.11.10/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make
Happy hacking!
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
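Added example (not part of the original announcement): a POSIX shell sketch that checks the tarball against the SHA256 value and PGP fingerprint published above before unpacking. The function names are illustrative, and it assumes `sha256sum`, `awk` and `gpg` are installed and the signer's key is already in the local keyring.

```shell
#!/bin/sh
# Added example: verify the IcedTea 1.11.10 tarball before unpacking it.
# Digest and fingerprint are copied from the announcement; function names
# are illustrative.
EXPECTED_SHA256=6c362135db9e0477eb9308b02a2adef26fc56cdabf2eda3286ce4301eb6e951e
EXPECTED_FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07

# Return 0 only if the SHA-256 digest of file $1 equals $2.
check_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Read `gpg --status-fd` output on stdin. Succeed only if gpg reported
# GOODSIG (key neither expired nor revoked) and a VALIDSIG line whose
# signing-key or primary-key fingerprint is $1.
status_has_fpr() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { fpr = 1 }
        END { exit !(good && fpr) }'
}

# Check the digest, then the detached signature at <tarball>.sig.
verify_release() {
    tarball=$1
    if ! check_sha256 "$tarball" "$EXPECTED_SHA256"; then
        echo "SHA256 mismatch for $tarball" >&2
        return 1
    fi
    if ! gpg --batch --status-fd 1 --verify "$tarball.sig" "$tarball" 2>/dev/null |
            status_has_fpr "$EXPECTED_FPR"; then
        echo "signature on $tarball is not a good signature from $EXPECTED_FPR" >&2
        return 1
    fi
    echo "OK: $tarball"
}
```

Run `verify_release icedtea6-1.11.10.tar.gz` with the `.sig` file alongside the tarball. Matching on the full fingerprint rather than the short key ID avoids accepting a different key that shares the same 8-digit ID.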