November 2009


We are pleased to announce the release of IcedTea7 1.12 – Bigger and Bolder and Rougher and Tougher!

The IcedTea project provides a harness to build the source code from
OpenJDK7 using Free Software build tools. It also includes the only
Free Java plugin and Web Start implementation, and support for
additional architectures over and above x86, x86_64 and SPARC via the
Zero assembler port.

What’s New?
—————–

  • Updated to OpenJDK7 milestone 5; includes:
    • From Project Coin:
      • 6860965: Support for binary literals (e.g. 2 can be written 0b10)
      • 6860965: Support for underscored literals (e.g. 123456 can be
        written 123_456)
      • 6827009: Support for strings in switch statements (e.g. case "a")
      • 6840638: Improved inferencing with generics, e.g.
        Map map = new HashMap<>();
    • jsr166y from http://gee.cs.oswego.edu/dl/concurrency-interest/:
      • 6865571: Add a lightweight task framework known as ForkJoin
      • 6445158: Phaser – an improved CyclicBarrier
      • 6865579: Add TransferQueue/LinkedTransferQueue
    • 6890308, 6891677: The Zero assembler port
    • JIBX is no longer required to build Nimbus.
    • Many bug fixes
  • Security fixes:
    • (CVE-2009-3728) ICC_Profile file existence detection information leak (6631533)
    • (CVE-2009-3885) BMP parsing DoS with UNC ICC links (6632445)
    • (CVE-2009-3881) resurrected classloaders can still have children (6636650)
    • (CVE-2009-3882) Numerous static security flaws in Swing (findbugs) (6657026)
    • (CVE-2009-3883) Mutable statics in Windows PL&F (findbugs) (6657138)
    • (CVE-2009-3880) UI logging information leakage (6664512)
    • (CVE-2009-3879) GraphicsConfiguration information leak (6822057)
    • (CVE-2009-3884) zoneinfo file existence information leak (6824265)
    • (CVE-2009-2409) deprecate MD2 in SSL cert validation (Kaminsky) (6861062)
    • (CVE-2009-3873) JPEG Image Writer quantization problem (6862968)
    • (CVE-2009-3875) MessageDigest.isEqual introduces timing attack vulnerabilities (6863503)
    • (CVE-2009-3876, CVE-2009-3877) OpenJDK ASN.1/DER input stream parser denial of service (6864911)
    • (CVE-2009-3869) JRE AWT setDifflCM stack overflow (6872357)
    • (CVE-2009-3874) ImageI/O JPEG heap overflow (6874643)
    • (CVE-2009-3871) JRE AWT setBytePixels heap overflow (6872358)
  • The NSS crypto. provider may be turned on with --enable-nss if
    the NSS libraries and headers are available via pkg-config.
  • Makefile reorganisation
    • icedtea-ecj is now icedtea-boot and patches/ecj is now
      patches/boot.
    • The icedtea-against-icedtea target is now icedtea-stage2.
      The icedtea-against-ecj target is now icedtea-stage1.
    • The Java code for the plugin is now built by the
      liveconnect.stamp and liveconnect-dist.stamp targets
      rather than hijacking the OpenJDK build.
  • Upgraded to VisualVM 1.2.1

—————–

The tarball can be downloaded from:

The following people helped with the release:

Gary Benson, Deepak Bhole, Andrew Haley, Andrew John Hughes, Thomas Hurka, Matthias Klose, Xerxes Rånby, Jon VonAlten, Mark Wielaard and many others.

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-1.12.tar.gz
$ cd icedtea-1.12

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-shark --enable-visualvm --with-jdk-home --enable-pulse-java --enable-systemtap etc...]
$ make

Happy hacking!

We are pleased to announce two new security releases, IcedTea6 1.5.3 and 1.6.2.

The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools. It also includes the only
Free Java plugin and Web Start implementation, and support for
additional architectures over and above x86, x86_64 and SPARC via the
Zero assembler port.

What’s New?
—————–
- Security fixes for:

  • (CVE-2009-3728) ICC_Profile file existence detection information leak (6631533)
  • (CVE-2009-3885) BMP parsing DoS with UNC ICC links (6632445)
  • (CVE-2009-3881) resurrected classloaders can still have children (6636650)
  • (CVE-2009-3882) Numerous static security flaws in Swing (findbugs) (6657026)
  • (CVE-2009-3883) Mutable statics in Windows PL&F (findbugs) (6657138)
  • (CVE-2009-3880) UI logging information leakage (6664512)
  • (CVE-2009-3879) GraphicsConfiguration information leak (6822057)
  • (CVE-2009-3884) zoneinfo file existence information leak (6824265)
  • (CVE-2009-2409) deprecate MD2 in SSL cert validation (Kaminsky) (6861062)
  • (CVE-2009-3873) JPEG Image Writer quantization problem (6862968)
  • (CVE-2009-3875) MessageDigest.isEqual introduces timing attack vulnerabilities (6863503)
  • (CVE-2009-3876, CVE-2009-3877) OpenJDK ASN.1/DER input stream parser denial of service (6864911)
  • (CVE-2009-3869) JRE AWT setDifflCM stack overflow (6872357)
  • (CVE-2009-3874) ImageI/O JPEG heap overflow (6874643)
  • (CVE-2009-3871) JRE AWT setBytePixels heap overflow (6872358)

The tarballs and 1.6 nosrc RPM can be downloaded from:

The following people helped with the 1.5 and 1.6 release series:

Lillian Angel, Gary Benson, Deepak Bhole, Andrew Haley, Andrew John Hughes, Matthias Klose, Martin Matejovic, Ed Nevill, Mark Wielaard and many others.

We would also like to thank the bug reporters and testers!

To get started:
$ tar xzf icedtea6-1.6.2.tar.gz
$ cd icedtea6-1.6.2

Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-visualvm --with-openjdk --enable-pulse-java --enable-systemtap ...]
$ make

OpenJDK7 b75 was just promoted, but it seems nothing from the build forest made it, due to bootstrap issues caused by a HotSpot change that wasn’t fully tested. Hence, you’ll find a changeset for the Zero assembler port in the HotSpot tree, but not the corresponding changeset for the JDK tree.

Similarly, a changeset I committed to fix building OpenJDK7 with itself, following the FontManager refactoring, was also missed. If your build fails due to a missing method in the sun.awt.FontManager class, this is why.

Both fixes have been integrated into the IcedTea forest, so users of either that or its downstream, IcedTea7, will have both Zero and a working bootstrap. I’ve alerted the JDK7 project to both these issues, so hopefully these two changesets will appear in milestone 5.

Update

The changes will be in M5; the initial set of patches for b76 is available in this webrev from Tim Bell.

Update 2

Second part of Zero is in b76.