Tue 15 Feb 2011
[SECURITY] IcedTea6 1.7.10, 1.8.7 and 1.9.7 Released!
Posted by gnu_andrew under IcedTea, OpenJDK, Security
There is a new set of security releases: IcedTea6 1.7.10, IcedTea6 1.8.7 and IcedTea6 1.9.7.
This update contains the following security updates:
- S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption
- S6907662, CVE-2010-4465: Swing timer-based security manager bypass
- S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation
- S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets
- S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
- S6985453, CVE-2010-4471: Java2D font-related system property leak
- S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
- RH677332, CVE-2011-0706: Multiple signers privilege escalation
There is also an update for IcedTea-Web.
The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation, and support for additional architectures over and above x86, x86_64 and SPARC via the Zero assembler port.
What’s New?
IcedTea6 1.7.10
- Security updates
- S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption
- S6907662, CVE-2010-4465: Swing timer-based security manager bypass
- S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation
- S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets
- S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
- S6985453, CVE-2010-4471: Java2D font-related system property leak
- S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
- RH677332, CVE-2011-0706: Multiple signers privilege escalation
- Bug fixes
- RH676659: Pass -export-dynamic flag to linker using -Wl, as option in gcc 4.6+ is broken
- Fix latent JAXP bug caused by missing import
IcedTea6 1.8.7
- Security updates
- S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption
- S6907662, CVE-2010-4465: Swing timer-based security manager bypass
- S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation
- S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets
- S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
- S6985453, CVE-2010-4471: Java2D font-related system property leak
- S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
- RH677332, CVE-2011-0706: Multiple signers privilege escalation
- Bug fixes
- RH676659: Pass -export-dynamic flag to linker using -Wl, as option in gcc 4.6+ is broken
- Fix latent JAXP bug caused by missing import
IcedTea6 1.9.7
- Security updates
- S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption
- S6907662, CVE-2010-4465: Swing timer-based security manager bypass
- S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation
- S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets
- S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
- S6985453, CVE-2010-4471: Java2D font-related system property leak
- S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
- RH677332, CVE-2011-0706: Multiple signers privilege escalation
- Bug fixes
The tarballs can be downloaded from:
- http://icedtea.classpath.org/download/source/icedtea6-1.7.10.tar.gz
- http://icedtea.classpath.org/download/source/icedtea6-1.8.7.tar.gz
- http://icedtea.classpath.org/download/source/icedtea6-1.9.7.tar.gz
SHA256 sums:
- dbca9d7598352d178651c8cc28ff887c59a27f0125785a58e9f9723611137f78 icedtea6-1.7.10.tar.gz
- c6b16e89cd3da5ddb9cdc9c8615773c6cef214d1d611030a07bae92a19e8562a icedtea6-1.8.7.tar.gz
- fe89234ca7f5dbb8696aa0e97a342c51901c10c0254f8fd563c6ccf7bf532fcc icedtea6-1.9.7.tar.gz
The following people helped with these releases:
- Andrew John Hughes
- Omair Majid
We would also like to thank the bug reporters and testers!
To get started:
$ tar xzf icedtea6-<ver>.tar.gz
$ cd icedtea6-<ver>
Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make
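Before unpacking a downloaded tarball, check it against the SHA256 sums published above. The script below is an added example for this announcement, not part of the IcedTea project; its expected-sum table is copied from the list on this page, and it assumes one of sha256sum, shasum or openssl is installed.

```shell
#!/bin/sh
# Verify an IcedTea6 tarball against the SHA256 sums published in the
# release announcement before it is unpacked. Added example; not IcedTea code.

# Expected sums, copied from the announcement above; returns 1 for unknown names.
expected_sum() {
  case "$1" in
    icedtea6-1.7.10.tar.gz) echo dbca9d7598352d178651c8cc28ff887c59a27f0125785a58e9f9723611137f78 ;;
    icedtea6-1.8.7.tar.gz)  echo c6b16e89cd3da5ddb9cdc9c8615773c6cef214d1d611030a07bae92a19e8562a ;;
    icedtea6-1.9.7.tar.gz)  echo fe89234ca7f5dbb8696aa0e97a342c51901c10c0254f8fd563c6ccf7bf532fcc ;;
    *) return 1 ;;
  esac
}

# Print the hex SHA256 digest of a file using whichever tool is available
# (assumption: at least one of sha256sum, shasum or openssl is on PATH).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  fi
}

# verify_sha256 FILE EXPECTED: exit 0 when the digest matches, 1 otherwise.
verify_sha256() {
  actual=$(sha256_of "$1") || return 1
  [ "$actual" = "$2" ]
}

# verify_release FILE: look up the published sum by file name and compare.
verify_release() {
  name=$(basename "$1")
  want=$(expected_sum "$name") || { echo "no published sum for $name" >&2; return 1; }
  if verify_sha256 "$1" "$want"; then
    echo "OK: $name matches the published SHA256 sum"
  else
    echo "MISMATCH: $name does not match the published sum; do not unpack it" >&2
    return 1
  fi
}

# Typical use after downloading one of the tarballs listed above:
#   verify_release icedtea6-1.9.7.tar.gz && tar xzf icedtea6-1.9.7.tar.gz
```

The `&&` in the usage line is the point: extraction only happens when the digest matches, so a truncated download or a tampered mirror copy is rejected before any of its contents touch the build.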
You can track future security updates by subscribing to the security feed.