[SECURITY] IcedTea 1.11.11 & 1.12.5 for OpenJDK 6 Released!

Andrew John Hughes gnu.andrew at redhat.com
Wed Apr 24 14:35:01 PDT 2013


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

The 1.12.5 release updates our OpenJDK 6 support on the 1.12.x branch
to include the latest security updates. We recommend that users of this
branch upgrade to the latest release as soon as possible. The security
fixes are as follows:

 * S6657673, CVE-2013-1518: Issues with JAXP
 * S7200507: Refactor Introspector internals
 * S8000724, CVE-2013-2417: Improve networking serialization
 * S8001031, CVE-2013-2419: Better font processing
 * S8001040, CVE-2013-1537: Rework RMI model
 * S8001322: Refactor deserialization
 * S8001329, CVE-2013-1557: Augment RMI logging
 * S8003335: Better handling of Finalizer thread
 * S8003445: Adjust JAX-WS to focus on API
 * S8003543, CVE-2013-2415: Improve processing of MTOM attachments
 * S8004261: Improve input validation
 * S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
 * S8004986, CVE-2013-2383: Better handling of glyph table
 * S8004987, CVE-2013-2384: Improve font layout
 * S8004994, CVE-2013-1569: Improve checking of glyph table
 * S8005432: Update access to JAX-WS
 * S8005943: (process) Improved Runtime.exec
 * S8006309: More reliable control panel operation
 * S8006435, CVE-2013-2424: Improvements in JMX
 * S8006790: Improve checking for windows
 * S8006795: Improve font warning messages
 * S8007406: Improve accessibility of AccessBridge
 * S8007617, CVE-2013-2420: Better validation of images
 * S8007667, CVE-2013-2430: Better image reading
 * S8007918, CVE-2013-2429: Better image writing
 * S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
 * S8009305, CVE-2013-0401: Improve AWT data transfer
 * S8009699, CVE-2013-2421: Methodhandle lookup
 * S8009814, CVE-2013-1488: Better driver management
 * S8009857, CVE-2013-2422: Problem with plugin
 * RH952389: Temporary files created with insecure permissions

The 1.11.11 release amends the previous 1.11.10 security release,
adding a number of build fixes and resolutions for issues found when
running the OpenJDK 6 TCK. The most notable is:

 * RH952389: Temporary files created with insecure permissions

which amends the fix for S8003543 to work correctly with OpenJDK 6.

In addition, IcedTea includes the usual IcedTea patches to allow
builds against system libraries and to support more esoteric
architectures.

If you find an issue with one of these releases, please report it to
our bug database (http://icedtea.classpath.org/bugzilla) under the
appropriate component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always
welcome.

Full details of the releases can be found below.

What’s New?
===========

New in release 1.12.5 (2013-04-24):

* New features
  - JAXP, JAXWS & JAF supplied as patches rather than drops to aid subsequent patching.
  - PR1380: Add AArch64 support to Zero
* Security fixes
  - S6657673, CVE-2013-1518: Issues with JAXP
  - S7200507: Refactor Introspector internals
  - S8000724, CVE-2013-2417: Improve networking serialization
  - S8001031, CVE-2013-2419: Better font processing
  - S8001040, CVE-2013-1537: Rework RMI model
  - S8001322: Refactor deserialization
  - S8001329, CVE-2013-1557: Augment RMI logging
  - S8003335: Better handling of Finalizer thread
  - S8003445: Adjust JAX-WS to focus on API
  - S8003543, CVE-2013-2415: Improve processing of MTOM attachments
  - S8004261: Improve input validation
  - S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
  - S8004986, CVE-2013-2383: Better handling of glyph table
  - S8004987, CVE-2013-2384: Improve font layout
  - S8004994, CVE-2013-1569: Improve checking of glyph table
  - S8005432: Update access to JAX-WS
  - S8005943: (process) Improved Runtime.exec
  - S8006309: More reliable control panel operation
  - S8006435, CVE-2013-2424: Improvements in JMX
  - S8006790: Improve checking for windows
  - S8006795: Improve font warning messages
  - S8007406: Improve accessibility of AccessBridge
  - S8007617, CVE-2013-2420: Better validation of images
  - S8007667, CVE-2013-2430: Better image reading
  - S8007918, CVE-2013-2429: Better image writing
  - S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
  - S8009305, CVE-2013-0401: Improve AWT data transfer
  - S8009699, CVE-2013-2421: Methodhandle lookup
  - S8009814, CVE-2013-1488: Better driver management
  - S8009857, CVE-2013-2422: Problem with plugin
  - RH952389: Temporary files created with insecure permissions
* Backports
  - S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32 bit shifts
  - S7036559: ConcurrentHashMap footprint and contention improvements
  - S5102804: Memory leak in Introspector.getBeanInfo(Class) for custom BeanInfo: Class param (with WeakCache from S6397609)
  - S6501644: sync LayoutEngine *code* structure to match ICU
  - S6886358: layout code update
  - S6963811: Deadlock-prone locking changes in Introspector
  - S7017324: Kerning crash in JDK 7 since ICU layout update
  - S7064279: Introspector.getBeanInfo() should release some resources in timely manner
  - S8004302: javax/xml/soap/Test7013971.java fails since jdk6u39b01
  - S7133220: Additional patches to JAXP 1.4.5 update 1 for 7u4 (partial for S6657673)
  - S8009530: ICU Kern table support broken
* Bug fixes
  - OJ3: Fix get_stack_bounds memory leak (alternate fix for S7197906)
  - PR1362: Fedora 19 / rawhide FTBFS SIGILL
  - PR1338: Remove dependence on libXp
  - PR1339: Simplify the rhino class rewriter to avoid use of concurrency
  - PR1336: Bootstrap failure on Fedora 17/18
  - PR1319: Correct #ifdef to #if
  - PR1402: Support glibc < 2.17 with AArch64 patch
  - Give xalan/xerces access to their own internal packages.

New in release 1.11.11 (2013-04-24):

* Security fixes
  - RH952389: Temporary files created with insecure permissions
* Backports
  - S7133220: Additional patches to JAXP 1.4.5 update 1 for 7u4 (partial for S6657673)
  - S6657673: Issues with JAXP (include fragment dependent on S7133220)
  - S8009530: ICU Kern table support broken
* Bug fixes
  - PR1402: Support glibc < 2.17 with AArch64 patch
  - Give xalan/xerces access to their own internal packages.

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea6-1.11.11.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.12.5.tar.gz

SHA256 checksums:

6db6124645686ab5e91d2952d8b601bc0789b8fd5f1af86e46a5242ec60dc8e6  icedtea6-1.11.11.tar.gz
c61d6eb2f98d5c4059bb6eb6d808dd0954cf7d35c14290e5c77c3d7db75d2b35  icedtea6-1.12.5.tar.gz

Each tarball is accompanied by a digital signature available at the
above ‘sig’ link. This is produced with my PGP key; verify it against
the public key whose details are below.

    PGP Key: 248BDC07 (https://keys.indymedia.org/)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

The following people helped with these releases:

* Elliott Baron (backport of 7133220, remainder of 6657673 & creation of RH952389 & access fixes)
* Andrew Hughes (application of security fixes & backports, PR1402, PR1336, PR1339, PR1338, PR1319, OJ3, release management)
* Omair Majid (build testing, patches for S8007667, S8007918, S8009305, S8009814, S8009857)
* Chris Phillips (PR1362 patch for ARM issue)
* Roman Kennke (S8004986 / S8004987 / S8004994 patch)
* Andreas Schwab (PR1380 patch for AArch64 Zero support)
* Jon VanAlten (S8009063 patch and S7036559 dependency backport)
* Jiri Vanek (patch correction)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-${version}.tar.gz
$ cd icedtea-${version}

where ${version} is the version being used (1.11.11 or 1.12.5).

Full build requirements and instructions are in INSTALL:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-${version}/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make
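Before running the unpack and build steps above, a packager would check the downloaded tarball against the SHA256 sums and the signing-key fingerprint given in this announcement. The script below is an added example, not part of IcedTea or of this announcement; it assumes GnuPG is installed with the release key imported, and that the detached signature was saved next to the tarball as <tarball>.sig (that filename convention is an assumption).

```shell
#!/bin/sh
# Added example, not IcedTea's own tooling: verify a release tarball against
# the SHA256 sums and signing-key fingerprint from the announcement before
# unpacking it. Assumes GnuPG is installed and the detached signature file
# sits next to the tarball (filename convention assumed: <tarball>.sig).

# Primary-key fingerprint from the announcement, with spaces removed.
RELEASE_KEY_FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07

# Expected digest for each announced tarball; fails for unknown names.
expected_sha256() {
    case "$1" in
        icedtea6-1.11.11.tar.gz) echo 6db6124645686ab5e91d2952d8b601bc0789b8fd5f1af86e46a5242ec60dc8e6 ;;
        icedtea6-1.12.5.tar.gz)  echo c61d6eb2f98d5c4059bb6eb6d808dd0954cf7d35c14290e5c77c3d7db75d2b35 ;;
        *) return 1 ;;
    esac
}

# Hex SHA256 of a file; works with either coreutils sha256sum or shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only when the file's digest equals the expected one ($2).
check_sha256() {
    actual=$(file_sha256 "$1") && [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Succeeds only for a VALIDSIG made by the announced key: gpg's exit
# status alone would accept any key in the local keyring, so the
# fingerprint is checked explicitly in the machine-readable status output.
check_signature() {  # $1 = tarball, $2 = detached signature, $3 = fingerprint
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep '^\[GNUPG:\] VALIDSIG ' | grep -q "$3"
}

# Full check for one downloaded tarball: digest first, then signature.
verify_release() {  # $1 = path to icedtea6-<version>.tar.gz
    name=$(basename "$1")
    sum=$(expected_sha256 "$name") || { echo "unknown tarball $name" >&2; return 1; }
    check_sha256 "$1" "$sum"      || { echo "SHA256 mismatch for $name" >&2; return 1; }
    check_signature "$1" "$1.sig" "$RELEASE_KEY_FPR" \
        || { echo "bad or wrong-key signature for $name" >&2; return 1; }
    echo "$name: checksum and signature OK"
}
# Usage: verify_release icedtea6-1.12.5.tar.gz
```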

Happy hacking!
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)