GNU/Andrew’s Blog

We are pleased to announce a new set of security releases, IcedTea6 1.7.5, IcedTea6 1.8.2 and IcedTea6 1.9.1.

This update contains the following security updates:

• S6914943, CVE-2009-3555: TLS: MITM attacks via session renegotiation
• S6559775, CVE-2010-3568: OpenJDK Deserialization Race condition
• S6891766, CVE-2010-3554: OpenJDK corba reflection vulnerabilities
• S6925710, CVE-2010-3562: OpenJDK IndexColorModel double-free
• S6938813, CVE-2010-3557: OpenJDK Swing mutable static
• S6957564, CVE-2010-3548: OpenJDK DNS server IP address information leak
• S6958060, CVE-2010-3564: OpenJDK kerberos vulnerability
• S6963023, CVE-2010-3565: OpenJDK JPEG writeImage remote code execution
• S6963489, CVE-2010-3566: OpenJDK ICC Profile remote code execution
• S6966692, CVE-2010-3569: OpenJDK Serialization inconsistencies
• S6622002, CVE-2010-3553: UIDefault.ProxyLazyValue has unsafe reflection usage
• S6925672, CVE-2010-3561: Privileged ServerSocket.accept allows receiving connections from any host
• S6952017, CVE-2010-3549: HttpURLConnection chunked encoding issue (Http request splitting)
• S6952603, CVE-2010-3551: NetworkInterface reveals local network address to untrusted code
• S6961084, CVE-2010-3541: limit setting of some request headers in HttpURLConnection
• S6963285, CVE-2010-3567: Crash in ICU Opentype layout engine due to mismatch in character counts
• S6980004, CVE-2010-3573: limit HTTP request cookie headers in HttpURLConnection
• S6981426, CVE-2010-3574: limit use of TRACE method in HttpURLConnection

See: http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation.

What’s New?

IcedTea6 1.7.5

• Security updates
  • S6914943, CVE-2009-3555: TLS: MITM attacks via session renegotiation
  • S6559775, CVE-2010-3568: OpenJDK Deserialization Race condition
  • S6891766, CVE-2010-3554: OpenJDK corba reflection vulnerabilities
  • S6925710, CVE-2010-3562: OpenJDK IndexColorModel double-free
  • S6938813, CVE-2010-3557: OpenJDK Swing mutable static
  • S6957564, CVE-2010-3548: OpenJDK DNS server IP address information leak
  • S6958060, CVE-2010-3564: OpenJDK kerberos vulnerability
  • S6963023, CVE-2010-3565: OpenJDK JPEG writeImage remote code execution
  • S6963489, CVE-2010-3566: OpenJDK ICC Profile remote code execution
  • S6966692, CVE-2010-3569: OpenJDK Serialization inconsistencies
  • S6622002, CVE-2010-3553: UIDefault.ProxyLazyValue has unsafe reflection usage
  • S6925672, CVE-2010-3561: Privileged ServerSocket.accept allows receiving connections from any host
  • S6952017, CVE-2010-3549: HttpURLConnection chunked encoding issue (Http request splitting)
  • S6952603, CVE-2010-3551: NetworkInterface reveals local network address to untrusted code
  • S6961084, CVE-2010-3541: limit setting of some request headers in HttpURLConnection
  • S6963285, CVE-2010-3567: Crash in ICU Opentype layout engine due to mismatch in character counts
  • S6980004, CVE-2010-3573: limit HTTP request cookie headers in HttpURLConnection
  • S6981426, CVE-2010-3574: limit use of TRACE method in HttpURLConnection
  • S6990437: Update with correct copyright info for source and test files from SSR10_02 fixes
• Fixes
  • G244901: Skip test_gamma on hardened (PaX-enabled) kernels
  • G266295: Provide font configuration for Gentoo.
  • Provide font configuration for RHEL 6.
  • RH633510: OpenJDK should use NUMA even if glibc doesn’t provide it
• Backports
  • S6539464, RH500077: Ensure java.lang.Math functions provide consistent results.
  • S6951319: enable solaris builds using Sun Studio 12 update 1 (fixes PR398).
  • S6638712: Inference with wildcard types causes selection of inapplicable method
  • S6650759: Inference of formal type parameter (unused in formal parameters) is not performed
  • S6623943: javax.swing.TimerQueue’s thread occasionally fails to start
• NetX
  • Fix browser command in BasicService.showDocument(URL)
  • Run programs that inherit main(String[]) in their main-class
  • Work with JNLP files that use spec version 1.6
  • RH601281: Possible NullPointerException in splash screen code
  • New man page for javaws
• Plugin
  • RH560193: Fix ziperror when applet jar contained another 0-byte jar
  • PR519: 100% CPU usage when displaying applets in Webkit based browsers

IcedTea6 1.8.2

• Security updates
  • S6914943, CVE-2009-3555: TLS: MITM attacks via session renegotiation
  • S6559775, CVE-2010-3568: OpenJDK Deserialization Race condition
  • S6891766, CVE-2010-3554: OpenJDK corba reflection vulnerabilities
  • S6925710, CVE-2010-3562: OpenJDK IndexColorModel double-free
  • S6938813, CVE-2010-3557: OpenJDK Swing mutable static
  • S6957564, CVE-2010-3548: OpenJDK DNS server IP address information leak
  • S6958060, CVE-2010-3564: OpenJDK kerberos vulnerability
  • S6963023, CVE-2010-3565: OpenJDK JPEG writeImage remote code execution
  • S6963489, CVE-2010-3566: OpenJDK ICC Profile remote code execution
  • S6966692, CVE-2010-3569: OpenJDK Serialization inconsistencies
  • S6622002, CVE-2010-3553: UIDefault.ProxyLazyValue has unsafe reflection usage
  • S6925672, CVE-2010-3561: Privileged ServerSocket.accept allows receiving connections from any host
  • S6952017, CVE-2010-3549: HttpURLConnection chunked encoding issue (Http request splitting)
  • S6952603, CVE-2010-3551: NetworkInterface reveals local network address to untrusted code
  • S6961084, CVE-2010-3541: limit setting of some request headers in HttpURLConnection
  • S6963285, CVE-2010-3567: Crash in ICU Opentype layout engine due to mismatch in character counts
  • S6980004, CVE-2010-3573: limit HTTP request cookie headers in HttpURLConnection
  • S6981426, CVE-2010-3574: limit use of TRACE method in HttpURLConnection
  • S6990437: Update with correct copyright info for source and test files from SSR10_02 fixes
• Fixes:
  • G244901: Skip test_gamma on hardened (PaX-enabled) kernels
  • G266295: Provide font configuration for Gentoo.
  • Provide font configuration for RHEL 6.
  • RH633510: OpenJDK should use NUMA even if glibc doesn’t provide it
• Backports:
  • S6951319: enable solaris builds using Sun Studio 12 update 1 (fixes PR398)
  • S6539464, RH500077: Ensure java.lang.Math functions provide consistent results.
  • S6638712: Inference with wildcard types causes selection of inapplicable method
  • S6650759: Inference of formal type parameter (unused in formal parameters) is not performed
  • S6623943: javax.swing.TimerQueue’s thread occasionally fails to start
• NetX:
  • Fix browser command in BasicService.showDocument(URL)
  • Run programs that inherit main(String[]) in their main-class
  • Run JNLP files that use 1.6 as the spec version
  • RH601281: Possible NullPointerException in splash screen code
  • New man page for javaws
• Plugin
  • RH560193: Fix zip error when applet jar contained another 0-byte jar
  • PR519: 100% CPU usage when displaying applets in Webkit based browsers

IcedTea6 1.9.1

• HotSpot 19 supported; use –with-hotspot-build=hs19 to enable.
• Security updates
  • S6914943, CVE-2009-3555: TLS: MITM attacks via session renegotiation
  • S6559775, CVE-2010-3568: OpenJDK Deserialization Race condition
  • S6891766, CVE-2010-3554: OpenJDK corba reflection vulnerabilities
  • S6925710, CVE-2010-3562: OpenJDK IndexColorModel double-free
  • S6938813, CVE-2010-3557: OpenJDK Swing mutable static
  • S6957564, CVE-2010-3548: OpenJDK DNS server IP address information leak
  • S6958060, CVE-2010-3564: OpenJDK kerberos vulnerability
  • S6963023, CVE-2010-3565: OpenJDK JPEG writeImage remote code execution
  • S6963489, CVE-2010-3566: OpenJDK ICC Profile remote code execution
  • S6966692, CVE-2010-3569: OpenJDK Serialization inconsistencies
  • S6622002, CVE-2010-3553: UIDefault.ProxyLazyValue has unsafe reflection usage
  • S6925672, CVE-2010-3561: Privileged ServerSocket.accept allows receiving connections from any host
  • S6952017, CVE-2010-3549: HttpURLConnection chunked encoding issue (Http request splitting)
  • S6952603, CVE-2010-3551: NetworkInterface reveals local network address to untrusted code
  • S6961084, CVE-2010-3541: limit setting of some request headers in HttpURLConnection
  • S6963285, CVE-2010-3567: Crash in ICU Opentype layout engine due to mismatch in character counts
  • S6980004, CVE-2010-3573: limit HTTP request cookie headers in HttpURLConnection
  • S6981426, CVE-2010-3574: limit use of TRACE method in HttpURLConnection
  • S6990437: Update with correct copyright info for source and test files from SSR10_02 fixes
• Backports
  • S6638712: Inference with wildcard types causes selection of inapplicable method
  • S6650759: Inference of formal type parameter (unused in formal parameters) is not performed
  • S6623943: javax.swing.TimerQueue’s thread occasionally fails to start
• Fixes
  • Fix build failure on S390
  • RH633510: OpenJDK should use NUMA even if glibc doesn’t provide it
• NetX
  • New man page for javaws
• Plugin
  • PR519: 100% CPU usage when displaying applets in Webkit based browsers

The tarballs can be downloaded from:

• http://icedtea.classpath.org/download/source/icedtea6-1.7.5.tar.gz
• http://icedtea.classpath.org/download/source/icedtea6-1.8.2.tar.gz
• http://icedtea.classpath.org/download/source/icedtea6-1.9.1.tar.gz

SHA256 sums:

• 1b62ac07d13f0b3a9acb503aeb38668f40bd9de8e81e0165d5d8e816bf274b4d icedtea6-1.7.5.tar.gz
• 93d7f427fde99f2df7b457c811405af8311e0bce4192ff99516b3227d5daa716 icedtea6-1.8.2.tar.gz
• d773a6eb60f560d291206bfdeb83b1da03b79c7c09b7ae53da1877e57ddb3cea icedtea6-1.9.1.tar.gz

The following people helped with these releases:

• Deepak Bhole
• Andrew John Hughes
• Matthias Klose
• Omair Majid
• Man Lung Wong
• Andrew Su
• Pavel Tisnovsky
• Jiri Vanek

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-${ver}.tar.gz
$ cd icedtea6-${ver}

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --with-openjdk --enable-pulse-java
--enable-systemtap ...]
$ make