GNU/Andrew’s Blog

The IcedTea project provides a harness to build the source code from OpenJDK6 and OpenJDK7 using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

A new set of security releases is now available:

• IcedTea6 1.10.9
• IcedTea6 1.11.4
• IcedTea 2.3.2

All updates contain the following security fixes:

• S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
• S7163201, CVE-2012-0547: Simplify toolkit internals references

In addition, 2.3.2 contains:

• S7194567, CVE-2012-3136: Improve long term persistence of java.beans objects

Full details of each release can be found below.

What’s New?

New in release 1.10.9 (2012-08-31):

• Security fixes
  • S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
  • S7163201, CVE-2012-0547: Simplify toolkit internals references
• OpenJDK
  • S7182135: Impossible to use some editors directly
  • S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java failed with NPE
  • S6815182: GSSAPI/SPNEGO does not work with server using MIT Kerberos library
  • S6979329: CCacheInputStream fails to read ticket cache files from Kerberos 1.8.1
  • S7110373: krb5 test in openjdk6 without test infrastructure

New in release 1.11.4 (2012-08-31):

• Security fixes
  • S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
  • S7163201, CVE-2012-0547: Simplify toolkit internals references
• OpenJDK
  • S7182135: Impossible to use some editors directly
  • S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java failed with NPE

New in release 2.3.2 (2012-08-31):

• Security fixes
  • S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
  • S7194567, CVE-2012-3136: Improve long term persistence of java.beans objects
  • S7163201, CVE-2012-0547: Simplify toolkit internals references
• OpenJDK
  • Fix Zero FTBFS issues with 2.3
  • S7180036: Build failure in Mac platform caused by fix # 7163201
  • S7182135: Impossible to use some editors directly
  • S7183701: [TEST] closed/java/beans/security/TestClassFinder.java – compilation failed
  • S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java failed with NPE
• Bug fixes
  • PR1149: Zero-specific patch files not being packaged

The tarballs can be downloaded from:

• http://icedtea.classpath.org/download/source/icedtea6-1.10.9.tar.gz (sig)
• http://icedtea.classpath.org/download/source/icedtea6-1.11.4.tar.gz (sig)
• http://icedtea.classpath.org/download/source/icedtea-2.3.2.tar.gz (sig)

SHA256 checksums:

• ac55c57607177da579af46d9081e8cc53a5033e411704a1b0b074093b629427b icedtea6-1.10.9.tar.gz
• 7bc0037514aedbbd5e65edcb2fa300a18285688d27b359c2144fcf563174e4fd icedtea6-1.11.4.tar.gz
• d7e87de527934fcbb06c162e0e119d9b118069f3f52a1420d303fe19c5d74ef2 icedtea-2.3.2.tar.gz

Each tarball is accompanied by a digital signature (see above links). This is produced using my public key. See details below.

• PGP Key: 248BDC07 (https://keys.indymedia.org/)
• Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

The following people helped with these releases:

• Andrew John Hughes (all other patches/merging, reproducer testing & release management)
• Matthias Klose (testing of 2.3.2 pre-release)
• Chris Phillips (Zero FTBFS fix)
• Roman Kennke (Zero FTBFS fix)
• Jiri Vanek (testing of pre-releases for all three)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea${ver}.tar.gz
$ cd icedtea${ver}

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!