Fri 31 Aug 2012
[SECURITY] IcedTea6 1.10.9 & 1.11.4 & IcedTea 2.3.2 Released!
Posted by gnu_andrew under IcedTea, OpenJDK, Security
The IcedTea project provides a harness to build the source code from OpenJDK6 and OpenJDK7 using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.
A new set of security releases is now available:
- IcedTea6 1.10.9
- IcedTea6 1.11.4
- IcedTea 2.3.2
All updates contain the following security fixes:
- S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
- S7163201, CVE-2012-0547: Simplify toolkit internals references
In addition, 2.3.2 contains:
- S7194567, CVE-2012-3136: Improve long term persistence of java.beans objects
Full details of each release can be found below.
What’s New?
New in release 1.10.9 (2012-08-31):
- Security fixes
  - S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
  - S7163201, CVE-2012-0547: Simplify toolkit internals references
- OpenJDK
  - S7182135: Impossible to use some editors directly
  - S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java failed with NPE
  - S6815182: GSSAPI/SPNEGO does not work with server using MIT Kerberos library
  - S6979329: CCacheInputStream fails to read ticket cache files from Kerberos 1.8.1
  - S7110373: krb5 test in openjdk6 without test infrastructure
New in release 1.11.4 (2012-08-31):
- Security fixes
  - S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
  - S7163201, CVE-2012-0547: Simplify toolkit internals references
- OpenJDK
New in release 2.3.2 (2012-08-31):
- Security fixes
  - S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
  - S7194567, CVE-2012-3136: Improve long term persistence of java.beans objects
  - S7163201, CVE-2012-0547: Simplify toolkit internals references
- OpenJDK
  - Fix Zero FTBFS issues with 2.3
  - S7180036: Build failure in Mac platform caused by fix # 7163201
  - S7182135: Impossible to use some editors directly
  - S7183701: [TEST] closed/java/beans/security/TestClassFinder.java – compilation failed
  - S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java failed with NPE
- Bug fixes
  - PR1149: Zero-specific patch files not being packaged
The tarballs can be downloaded from:
- http://icedtea.classpath.org/download/source/icedtea6-1.10.9.tar.gz (sig)
- http://icedtea.classpath.org/download/source/icedtea6-1.11.4.tar.gz (sig)
- http://icedtea.classpath.org/download/source/icedtea-2.3.2.tar.gz (sig)
SHA256 checksums:
- ac55c57607177da579af46d9081e8cc53a5033e411704a1b0b074093b629427b icedtea6-1.10.9.tar.gz
- 7bc0037514aedbbd5e65edcb2fa300a18285688d27b359c2144fcf563174e4fd icedtea6-1.11.4.tar.gz
- d7e87de527934fcbb06c162e0e119d9b118069f3f52a1420d303fe19c5d74ef2 icedtea-2.3.2.tar.gz
Each tarball is accompanied by a digital signature (see above links). This is produced using my public key. See details below.
- PGP Key: 248BDC07 (https://keys.indymedia.org/)
- Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
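An added example (not part of the original announcement or of the IcedTea project's tooling): a shell script that checks a tarball against the SHA256 values listed above and accepts the signature only when GnuPG reports it valid for the full fingerprint above, rather than trusting the short key ID or any key that happens to be in the keyring. It assumes `sha256sum` and `gpg` are installed and the signing key has already been imported; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: check a downloaded IcedTea tarball before unpacking it.
# Checksums and fingerprint are copied from the announcement above.
FPR=EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07

# Print the SHA256 published above for a tarball name; fail if not listed.
published_sha256() {
    case "$(basename "$1")" in
        icedtea6-1.10.9.tar.gz) echo ac55c57607177da579af46d9081e8cc53a5033e411704a1b0b074093b629427b ;;
        icedtea6-1.11.4.tar.gz) echo 7bc0037514aedbbd5e65edcb2fa300a18285688d27b359c2144fcf563174e4fd ;;
        icedtea-2.3.2.tar.gz)   echo d7e87de527934fcbb06c162e0e119d9b118069f3f52a1420d303fe19c5d74ef2 ;;
        *) return 1 ;;
    esac
}

# check_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
check_sha256() {
    [ -n "$2" ] && [ "$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)" = "$2" ]
}

# signed_by FPR: read `gpg --status-fd` output on stdin; succeed only if a
# VALIDSIG line names FPR as the signing key or as its primary key.
signed_by() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !ok }'
}

# verify_release TARBALL SIGFILE (hypothetical helper): both checks must pass.
verify_release() {
    want=$(published_sha256 "$1") || { echo "not in this release: $1" >&2; return 1; }
    check_sha256 "$1" "$want" || { echo "SHA256 mismatch: $1" >&2; return 1; }
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | signed_by "$FPR" ||
        { echo "no valid signature by $FPR: $1" >&2; return 1; }
    echo "verified: $1"
}

# Run as: sh <this script> TARBALL SIGFILE
if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```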
The following people helped with these releases:
- Andrew John Hughes (all other patches/merging, reproducer testing & release management)
- Matthias Klose (testing of 2.3.2 pre-release)
- Chris Phillips (Zero FTBFS fix)
- Roman Kennke (Zero FTBFS fix)
- Jiri Vanek (testing of pre-releases for all three)
We would also like to thank the bug reporters and testers!
To get started:
$ tar xzf icedtea${ver}.tar.gz
$ cd icedtea${ver}
Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make