Wed 15 Feb 2012
[SECURITY] IcedTea6 1.8.13, 1.9.13, 1.10.6 and IcedTea 2.0.1 Released! (Valentine’s Release)
Posted by gnu_andrew under IcedTea, OpenJDK, Security
The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.
A new set of security releases is now available for IcedTea6, which uses OpenJDK6 as its base:
- IcedTea6 1.8.13 (based on OpenJDK6 b18)
- IcedTea6 1.9.13 (based on OpenJDK6 b20)
- IcedTea6 1.10.6 (based on OpenJDK6 b22)
and one for IcedTea 2.x, which uses OpenJDK7 as its base:
- IcedTea 2.0.1 (based on OpenJDK7 u1 + u3 security patches)
All updates contain the following security fixes:
- S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
- S7088367, CVE-2011-3563: Fix issues in java sound
- S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
- S7110687, CVE-2012-0503: Issues with TimeZone class
- S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
- S7110704, CVE-2012-0506: Issues with some method in corba
- S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
- S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
- S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
Full details of each release can be found below. For details of the 1.11.1 security release, see Omair’s e-mail.
*PLEASE NOTE*: With this release, the 1.8 series is now NO LONGER SUPPORTED. We strongly recommend that you upgrade to a new release series; either 1.9.13, 1.10.6 or 1.11.1 for OpenJDK6. Alternatively, make the jump to OpenJDK7 with 2.0.1 or the new 2.1.0 (to be released shortly).
What’s New?
New in release 2.0.1 (2012-02-14)
- Security fixes
- S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
- S7088367, CVE-2011-3563: Fix issues in java sound
- S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
- S7110687, CVE-2012-0503: Issues with TimeZone class
- S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
- S7110704, CVE-2012-0506: Issues with some method in corba
- S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
- S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
- S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
- Bug fixes
- S7103610: _NET_WM_PID and WM_CLIENT_MACHINE are not set
New in release 1.10.6 (2012-02-14)
- Security fixes
- S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
- S7088367, CVE-2011-3563: Fix issues in java sound
- S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
- S7110687, CVE-2012-0503: Issues with TimeZone class
- S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
- S7110704, CVE-2012-0506: Issues with some method in corba
- S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
- S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
- S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
- Bug fixes
- RH580478: Desktop files should not use hardcoded path
New in release 1.9.13 (2012-02-14)
- Security fixes
- S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
- S7088367, CVE-2011-3563: Fix issues in java sound
- S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
- S7110687, CVE-2012-0503: Issues with TimeZone class
- S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
- S7110704, CVE-2012-0506: Issues with some method in corba
- S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
- S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
- S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
- Bug fixes
- RH580478: Desktop files should not use hardcoded path
New in release 1.8.13 (2012-02-14)
- Security fixes
- S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
- S7088367, CVE-2011-3563: Fix issues in java sound
- S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
- S7110687, CVE-2012-0503: Issues with TimeZone class
- S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
- S7110704, CVE-2012-0506: Issues with some method in corba
- S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
- S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
- S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
- Bug fixes
- RH580478: Desktop files should not use hardcoded path
The tarballs can be downloaded from:
- http://icedtea.classpath.org/download/source/icedtea-2.0.1.tar.gz (sig)
- http://icedtea.classpath.org/download/source/icedtea6-1.10.6.tar.gz (sig)
- http://icedtea.classpath.org/download/source/icedtea6-1.9.13.tar.gz (sig)
- http://icedtea.classpath.org/download/source/icedtea6-1.8.13.tar.gz (sig)
SHA256 checksums:
- 9d3c4d3676c2286003cf9beb9fc3ee442d2c04b3f8b229be140fe636c9e70101 icedtea-2.0.1.tar.gz
- 4bdd8ff2e6a93455425eeabd6c073137bf3816ad16ce6e89979ec1521e03c7f1 icedtea6-1.10.6.tar.gz
- 1c972e03be7021e1b789e6077df9c74af7df239182d20d2478f7a60bc68e3c61 icedtea6-1.9.13.tar.gz
- be3afacb9a08cdf932e4772f7f5575c53f21a2a60456eb4e8e63e18fa4e2e41b icedtea6-1.8.13.tar.gz
Each tarball is accompanied by a digital signature (available at the above URL + ‘.sig’). This is produced using my public key:
- PGP Key: 248BDC07 (https://keys.indymedia.org/)
- Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
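Checking a downloaded tarball against the checksums and the signing key listed above is worth doing properly: a bare `gpg --verify` exits 0 for a good signature from any key in the local keyring, not necessarily the release key. The following shell script is an added example and is not part of the announcement or the IcedTea project; it pins the signer to the published fingerprint, and assumes the tarballs and their .sig files are in the current directory and that key 248BDC07 has already been imported from the keyserver named above.

```shell
#!/bin/sh
# Added example, not part of the IcedTea announcement: verify a downloaded
# IcedTea tarball against the SHA256 checksums and the PGP key fingerprint
# published above. Assumes the tarball(s) and matching .sig file(s) are in
# the current directory and that key 248BDC07 has been imported into gpg.

# Fingerprint of the release signer as published in the announcement
# (spaces removed so it can be compared with gpg's status output).
EXPECTED_FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"

# sha256_of FILE: print the hex digest, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if the digest matches
# (hex case is ignored, so copy-pasted upper-case sums work too).
verify_sha256() {
    actual=$(sha256_of "$1") || return 1
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
      "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# verify_sig FILE: succeed only if FILE.sig is a good signature AND the
# signing key (or its primary key, the last VALIDSIG field) has the expected
# fingerprint. A plain "gpg --verify" exit status of 0 only says that some
# key in the keyring made the signature, which is not the same check.
verify_sig() {
    [ -f "$1.sig" ] || return 1
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
      | awk -v fpr="$EXPECTED_FPR" \
            '$2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
             END { exit !ok }'
}

# check_release FILE EXPECTED_SHA256: run both checks and report the result.
check_release() {
    [ -f "$1" ] || { echo "$1: not present, skipped"; return 0; }
    if ! verify_sha256 "$1" "$2"; then
        echo "$1: SHA256 MISMATCH, do not unpack"; return 1
    fi
    if ! verify_sig "$1"; then
        echo "$1: signature missing, bad, or not made by $EXPECTED_FPR"; return 1
    fi
    echo "$1: checksum and signature OK"
}

# Checksums as published in the announcement.
check_release icedtea-2.0.1.tar.gz   9d3c4d3676c2286003cf9beb9fc3ee442d2c04b3f8b229be140fe636c9e70101
check_release icedtea6-1.10.6.tar.gz 4bdd8ff2e6a93455425eeabd6c073137bf3816ad16ce6e89979ec1521e03c7f1
check_release icedtea6-1.9.13.tar.gz 1c972e03be7021e1b789e6077df9c74af7df239182d20d2478f7a60bc68e3c61
check_release icedtea6-1.8.13.tar.gz be3afacb9a08cdf932e4772f7f5575c53f21a2a60456eb4e8e63e18fa4e2e41b
```

The checksum is compared before the signature is even looked at, so a corrupted or substituted download is rejected without handing it to gpg, and a tarball whose .sig is absent or was made by a different key fails the second check even when gpg itself reports the signature as good.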
The following people helped with these releases:
- Deepak Bhole (reproducer for S7112642)
- Andrew Haley (backport of S7126960 reproducer to IcedTea6)
- Andrew John Hughes (all other fixes and release management)
- Omair Majid (preparation of security patches for IcedTea6-1.11, reproducer for S7110704)
- Roman Kennke (replacement reproducer for S7110683)
- Jiri Vanek (RH580478)
We would also like to thank the bug reporters and testers!
To get started:
$ tar xzf <tarball name>
$ cd <tarball name minus .tar.gz suffix>
Full build requirements and instructions are in INSTALL:
$ ./configure [--with-parallel-jobs[=x] --enable-pulse-java --enable-systemtap ...]
$ make
Happy Hacking!
http://rkennke.wordpress.com/2012/02/28/496/ (Roman Kennke's Blog)