GNU/Andrew’s Blog

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

A new set of security releases is now available:

• IcedTea6 1.8.10
• IcedTea6 1.9.10
• IcedTea6 1.10.4

All updates contain the following security fixes:

• S7000600, CVE-2011-3547: InputStream skip() information leak
• S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
• S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
• S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
• S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
• S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
• S7055902, CVE-2011-3521: IIOP deserialization code execution
• S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
• S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
• S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
• S7077466, CVE-2011-3556: RMI DGC server remote code execution
• S7083012, CVE-2011-3557: RMI registry privileged code execution
• S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection

The 1.9.10 and 1.10.4 updates also include:

• S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer

The patch for this issue did not apply to the older versions of HotSpot (14 and 16) supported by the 1.8 release series. It is believed that the underlying issue is also not present in these versions, but for safety, we recommend using the latest 1.10.x release series where possible.

Full details of each release can be found below.

What’s New?

New in release 1.10.4 (2011-10-18)

• Security fixes
  • S7000600, CVE-2011-3547: InputStream skip() information leak
  • S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
  • S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
  • S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
  • S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
  • S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
  • S7055902, CVE-2011-3521: IIOP deserialization code execution
  • S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
  • S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
  • S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
  • S7077466, CVE-2011-3556: RMI DGC server remote code execution
  • S7083012, CVE-2011-3557: RMI registry privileged code execution
  • S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
• Bug fixes
  • RH727195: Japanese font mappings are broken
• Backports
  • S6826104, RH730015: Getting a NullPointer exception when clicked on Application & Toolkit Modal dialog
• Zero/Shark
  • PR690: Shark fails to JIT using hs20.
  • PR696: Zero fails to handle fast_aldc and fast_aldc_w in hs20.

New in release 1.9.10 (2011-10-18)

• Security fixes
  • S7000600, CVE-2011-3547: InputStream skip() information leak
  • S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
  • S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
  • S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
  • S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
  • S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
  • S7055902, CVE-2011-3521: IIOP deserialization code execution
  • S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
  • S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
  • S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
  • S7077466, CVE-2011-3556: RMI DGC server remote code execution
  • S7083012, CVE-2011-3557: RMI registry privileged code execution
  • S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
• NetX
  • PR794: javaws does not work if a Web Start app jar has a Class-Path element in the manifest
• Fixes
  • G356743: Support libpng 1.5.

New in release 1.8.10 (2011-10-18)

• Security fixes
  • S7000600, CVE-2011-3547: InputStream skip() information leak
  • S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
  • S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
  • S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
  • S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
  • S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
  • S7055902, CVE-2011-3521: IIOP deserialization code execution
  • S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
  • S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
  • S7077466, CVE-2011-3556: RMI DGC server remote code execution
  • S7083012, CVE-2011-3557: RMI registry privileged code execution
  • S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
• NetX
  • PR794: javaws does not work if a Web Start app jar has a Class-Path element in the manifest
  • PR764: icedtea 1.8.9 fails to build in CachedJarFileCallback.java
• Fixes
  • G356743: Support libpng 1.5.

The tarballs can be downloaded from:

• http://icedtea.classpath.org/download/source/icedtea6-1.8.10.tar.gz (signature)
• http://icedtea.classpath.org/download/source/icedtea6-1.9.10.tar.gz (signature)
• http://icedtea.classpath.org/download/source/icedtea6-1.10.4.tar.gz (signature)

Each tarball is accompanied by a digital signature. This is produced using my public key:

pub   4096R/248BDC07 2011-09-28 [expires: 2012-09-27]
      Key fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
uid                  Dr Andrew John Hughes <ahughes@redhat.com>
uid                  Dr Andrew John Hughes <gnu_andrew@member.fsf.org>
sub   4096R/954E386D 2011-09-28 [expires: 2012-09-27]

SHA256 checksums:

• c4a17b55de875a49efa192cfe015f1cb0cf02aeac03f7fc7afe2a3e9fdef64b83 icedtea6-1.8.10.tar.gz
• 3f41d433ed362f2bb81536585511d901b19864b98a97abab8ccd0b4ba00803a6 icedtea6-1.9.10.tar.gz
• 15491d7f2f81436aaf87f964d923b95b4bda8f6689198b4999961070b6c68851 icedtea6-1.10.4.tar.gz

The following people helped with these releases:

• Deepak Bhole (PR794, S6826104)
• Andrew John Hughes (all other fixes and release management)
• Xerxes Rånby (PR690, PR696)
• Jiri Vanek (RH727195)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-<ver>.tar.gz
$ cd icedtea6-<ver>

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!