We are pleased to announce two new security releases, IcedTea6 1.5.3 and 1.6.2.

The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools. It also includes the only
Free Java plugin and Web Start implementation, and support for
additional architectures over and above x86, x86_64 and SPARC via the
Zero assembler port.

What’s New?
-----------
- Security fixes for:

  • (CVE-2009-3728) ICC_Profile file existence detection information leak (6631533)
  • (CVE-2009-3885) BMP parsing DoS with UNC ICC links (6632445)
  • (CVE-2009-3881) resurrected classloaders can still have children (6636650)
  • (CVE-2009-3882) Numerous static security flaws in Swing (findbugs) (6657026)
  • (CVE-2009-3883) Mutable statics in Windows PL&F (findbugs) (6657138)
  • (CVE-2009-3880) UI logging information leakage (6664512)
  • (CVE-2009-3879) GraphicsConfiguration information leak (6822057)
  • (CVE-2009-3884) zoneinfo file existence information leak (6824265)
  • (CVE-2009-2409) deprecate MD2 in SSL cert validation (Kaminsky) (6861062)
  • (CVE-2009-3873) JPEG Image Writer quantization problem (6862968)
  • (CVE-2009-3875) MessageDigest.isEqual introduces timing attack vulnerabilities (6863503)
  • (CVE-2009-3876, CVE-2009-3877) OpenJDK ASN.1/DER input stream parser denial of service (6864911)
  • (CVE-2009-3869) JRE AWT setDifflCM stack overflow (6872357)
  • (CVE-2009-3874) ImageI/O JPEG heap overflow (6874643)
  • (CVE-2009-3871) JRE AWT setBytePixels heap overflow (6872358)

The tarballs and 1.6 nosrc RPM can be downloaded from:

The following people helped with the 1.5 and 1.6 release series:

Lillian Angel, Gary Benson, Deepak Bhole, Andrew Haley, Andrew John Hughes, Matthias Klose, Martin Matejovic, Ed Nevill, Mark Wielaard and many others.

We would also like to thank the bug reporters and testers!

To get started:
$ tar xzf icedtea6-1.6.2.tar.gz
$ cd icedtea6-1.6.2

Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-visualvm --with-openjdk --enable-pulse-java --enable-systemtap ...]
$ make