[SECURITY] IcedTea 2.2.8 Released!

Andrew John Hughes gnu_andrew at member.fsf.org
Tue Apr 30 15:57:10 PDT 2013


The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver and support for alternative
virtual machines.

This release updates our OpenJDK 7 support to include the latest
security updates. We recommend that users of the 2.2.x branch upgrade
to this latest release as soon as possible. The security fixes are as
follows:

 * S6657673, CVE-2013-1518: Issues with JAXP
 * S7200507: Refactor Introspector internals
 * S8000724, CVE-2013-2417: Improve networking serialization
 * S8001031, CVE-2013-2419: Better font processing
 * S8001040, CVE-2013-1537: Rework RMI model
 * S8001322: Refactor deserialization
 * S8001329, CVE-2013-1557: Augment RMI logging
 * S8003335: Better handling of Finalizer thread
 * S8003445: Adjust JAX-WS to focus on API
 * S8003543, CVE-2013-2415: Improve processing of MTOM attachments
 * S8004261: Improve input validation
 * S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
 * S8004986, CVE-2013-2383: Better handling of glyph table
 * S8004987, CVE-2013-2384: Improve font layout
 * S8004994, CVE-2013-1569: Improve checking of glyph table
 * S8005432: Update access to JAX-WS
 * S8005943: (process) Improved Runtime.exec
 * S8006309: More reliable control panel operation
 * S8006435, CVE-2013-2424: Improvements in JMX
 * S8006790: Improve checking for windows
 * S8006795: Improve font warning messages
 * S8007406: Improve accessibility of AccessBridge
 * S8007617, CVE-2013-2420: Better validation of images
 * S8007667, CVE-2013-2430: Better image reading
 * S8007918, CVE-2013-2429: Better image writing
 * S8008140: Better method handle resolution
 * S8009049, CVE-2013-2436: Better method handle binding
 * S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
 * S8009305, CVE-2013-0401: Improve AWT data transfer
 * S8009677, CVE-2013-2423: Better setting of setters
 * S8009699, CVE-2013-2421: Methodhandle lookup
 * S8009814, CVE-2013-1488: Better driver management
 * S8009857, CVE-2013-2422: Problem with plugin

In addition, IcedTea includes the usual IcedTea patches to allow
builds against system libraries and to support more esoteric
architectures.

If you find an issue with one of these releases, please report it to
our bug database (http://icedtea.classpath.org/bugzilla) under the
appropriate component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net mailing list and patches are always
welcome.

Full details of the release can be found below.

What's New?
===========
New in release 2.2.8 (2013-04-30):

* Security fixes
  - S6657673, CVE-2013-1518: Issues with JAXP
  - S7200507: Refactor Introspector internals
  - S8000724, CVE-2013-2417: Improve networking serialization
  - S8001031, CVE-2013-2419: Better font processing
  - S8001040, CVE-2013-1537: Rework RMI model
  - S8001322: Refactor deserialization
  - S8001329, CVE-2013-1557: Augment RMI logging
  - S8003335: Better handling of Finalizer thread
  - S8003445: Adjust JAX-WS to focus on API
  - S8003543, CVE-2013-2415: Improve processing of MTOM attachments
  - S8004261: Improve input validation
  - S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
  - S8004986, CVE-2013-2383: Better handling of glyph table
  - S8004987, CVE-2013-2384: Improve font layout
  - S8004994, CVE-2013-1569: Improve checking of glyph table
  - S8005432: Update access to JAX-WS
  - S8005943: (process) Improved Runtime.exec
  - S8006309: More reliable control panel operation
  - S8006435, CVE-2013-2424: Improvements in JMX
  - S8006790: Improve checking for windows
  - S8006795: Improve font warning messages
  - S8007406: Improve accessibility of AccessBridge
  - S8007617, CVE-2013-2420: Better validation of images
  - S8007667, CVE-2013-2430: Better image reading
  - S8007918, CVE-2013-2429: Better image writing
  - S8008140: Better method handle resolution
  - S8009049, CVE-2013-2436: Better method handle binding
  - S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
  - S8009305, CVE-2013-0401: Improve AWT data transfer
  - S8009677, CVE-2013-2423: Better setting of setters
  - S8009699, CVE-2013-2421: Methodhandle lookup
  - S8009814, CVE-2013-1488: Better driver management
  - S8009857, CVE-2013-2422: Problem with plugin
* Backports
  - S7130662, RH928500: GTK file dialog crashes with a NPE
  - S8009530: ICU Kern table support broken

The tarball can be downloaded from:

http://icedtea.classpath.org/download/source/icedtea-2.2.8.tar.gz

SHA256 checksums:

f51a3b317a2d2877c2891050305805eb7be257c9e5892eecc04e1cb0e582cd84  icedtea-2.2.8.tar.gz

The tarball is accompanied by a digital signature,

http://icedtea.classpath.org/download/source/icedtea-2.2.8.tar.gz.sig

produced using my public key. See details below.

    PGP Key: 248BDC07 (https://keys.indymedia.org/)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

The following people helped with these releases:

* Andrew Hughes (application of security fixes & backports, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.2.8.tar.gz
$ cd icedtea-2.2.8

Full build requirements and instructions are in INSTALL:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.2.8/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!
-- 
Andii :)
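
The checksum and signature check described in the announcement, as an added example that is not part of the original message: it compares the tarball's SHA-256 with the published digest and accepts the signature only if gpg reports the full published fingerprint rather than the short key ID. It assumes GNU sha256sum, gpg with the signer's key already imported, and both downloaded files in the current directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the announcement): verify icedtea-2.2.8.tar.gz
# before unpacking. The digest and fingerprint are the published values.
TARBALL=icedtea-2.2.8.tar.gz
EXPECTED_SHA256=f51a3b317a2d2877c2891050305805eb7be257c9e5892eecc04e1cb0e582cd84
EXPECTED_FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07   # spaces removed

# Succeed only if FILE ($1) exists and its SHA-256 equals the hex digest ($2).
check_sha256() {
    [ -f "$1" ] || return 2
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Read gpg --status-fd output on stdin and print the primary-key fingerprint
# from the VALIDSIG line (its last field). Prints nothing if no VALIDSIG.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF }'
}

# Succeed only if SIG ($2) is a good signature over FILE ($1) by key FPR ($3).
# Assumes the signer's public key is already in the local keyring.
check_signature() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    [ "$(printf '%s\n' "$status" | validsig_primary_fpr)" = "$3" ]
}

# Both checks must pass; fail closed with a message on stderr otherwise.
verify_release() {
    check_sha256 "$TARBALL" "$EXPECTED_SHA256" ||
        { echo "SHA256 mismatch for $TARBALL" >&2; return 1; }
    check_signature "$TARBALL" "$TARBALL.sig" "$EXPECTED_FPR" ||
        { echo "signature not made by $EXPECTED_FPR" >&2; return 1; }
    echo "$TARBALL verified"
}

# Run the checks only when asked: sh verify.sh --verify && tar xzf "$TARBALL"
if [ "${1:-}" = "--verify" ]; then
    verify_release
fi
```

The checksum alone only detects a corrupted download, since it arrives over the same channel as the tarball; the fingerprint comparison is what ties the file to the signer.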