Mon 3 Sep 2012
[SECURITY] IcedTea 2.1.2 & 2.2.2 Released!
Posted by gnu_andrew under IcedTea, OpenJDK, Security
We are pleased to announce the release of IcedTea 2.1.2, based on OpenJDK7 u2, and IcedTea 2.2.2, based on OpenJDK7 u4, with additional security fixes.
The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.
These releases include fixes for the zero-day issues that arose this week:
- RH852051, CVE-2012-4681, S7162473: Reintroduce PackageAccessible checks removed in 6788531.
- S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
- S7194567, CVE-2012-3136: Improve long term persistence of java.beans objects
- S7163201, CVE-2012-0547: Simplify toolkit internals references
Patches are welcome; please contact the mailing list (distro-pkg-dev at openjdk.java.net) and/or file bugs under the appropriate component.
Full details of the release can be found below.
What’s New?
New in release 2.2.2 (2012-08-31):
- Security fixes
  - RH852051, CVE-2012-4681, S7162473: Reintroduce PackageAccessible checks removed in 6788531.
  - S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
  - S7194567, CVE-2012-3136: Improve long term persistence of java.beans objects
  - S7163201, CVE-2012-0547: Simplify toolkit internals references
- OpenJDK
  - Fix Zero FTBFS issues
  - PR1101: Undefined symbols on GNU/Linux SPARC
  - S7180036: Build failure in Mac platform caused by fix # 7163201
  - S7182135: Impossible to use some editors directly
  - S7183701: [TEST] closed/java/beans/security/TestClassFinder.java – compilation failed
  - S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java failed with NPE
  - S7188168: 7071904 broke the DEBUG_BINARIES option on Linux
  - S7190813: (launcher) RPATH needs to have additional paths
New in release 2.1.2 (2012-09-02):
- Security fixes
  - RH852051, CVE-2012-4681, S7162473: Reintroduce PackageAccessible checks removed in 6788531.
  - S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
  - S7194567, CVE-2012-3136: Improve long term persistence of java.beans objects
  - S7163201, CVE-2012-0547: Simplify toolkit internals references
- OpenJDK
  - PR1101: Undefined symbols on GNU/Linux SPARC
  - S7182135: Impossible to use some editors directly
  - S7183701: [TEST] closed/java/beans/security/TestClassFinder.java – compilation failed
  - S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java failed with NPE
  - S7190813: (launcher) RPATH needs to have additional paths
- ARM
  - ARM: Fix trashed thread ptr after recursive re-entry from
  - ARM: Rename a bunch of misleadingly-named functions
  - Enable _adapter_opt_spread* jsr 292 code, now passes
  - Fix call to handle_special_method(). Fix compareAndSwapLong.
The tarballs can be downloaded from:
- http://icedtea.classpath.org/download/source/icedtea-2.1.2.tar.gz (sig)
- http://icedtea.classpath.org/download/source/icedtea-2.2.2.tar.gz (sig)
SHA256 checksums:
- c7ebdb84581dca48a4389e12790d2d506b9cfc05f16612169284d5a5e3a02269 icedtea-2.1.2.tar.gz
- e645fdcae825e0c60093962cb0a8fbf194c94a5e669162b3b357d99a6e36c86d icedtea-2.2.2.tar.gz
Each tarball is accompanied by a digital signature (see the links above), produced using my PGP key. See details below.
- PGP Key: 248BDC07 (https://keys.indymedia.org/)
- Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
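The checksum and signature check described above, as an added example (not part of the original announcement or of IcedTea's own scripts): it compares a tarball with the SHA256 values listed here and accepts the signature only when GnuPG reports the full fingerprint rather than the short key ID. The function names, the `verify.sh` file name and the `<tarball>.sig` location of the signature are assumptions.

```shell
#!/bin/sh
# Added example: check an IcedTea tarball against the SHA256 values and
# the key fingerprint published in this announcement before unpacking it.
PINNED_FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"

# Print the SHA256 listed above for a tarball name; fail for other names.
published_sha256() {
    case "$(basename "$1")" in
        icedtea-2.1.2.tar.gz)
            echo c7ebdb84581dca48a4389e12790d2d506b9cfc05f16612169284d5a5e3a02269 ;;
        icedtea-2.2.2.tar.gz)
            echo e645fdcae825e0c60093962cb0a8fbf194c94a5e669162b3b357d99a6e36c86d ;;
        *) return 1 ;;
    esac
}

# Succeed only if the file's SHA256 equals the expected hex digest.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Read `gpg --status-fd 1 --verify` output on stdin. Succeed only if a
# VALIDSIG line carries the full pinned fingerprint, either as the signing
# key (field 3) or as the primary key (last field).
validsig_matches() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !ok }'
}

# Full check for one tarball. Assumption: the signature was saved next to
# it as <tarball>.sig, and the signing key is already in the keyring.
verify_release() {
    expected=$(published_sha256 "$1") || { echo "unknown tarball: $1" >&2; return 1; }
    sha256_matches "$1" "$expected" || { echo "SHA256 mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
        validsig_matches "$PINNED_FPR" ||
        { echo "no valid signature from $PINNED_FPR: $1" >&2; return 1; }
    echo "OK: $1"
}

# Usage (hypothetical file name): sh verify.sh icedtea-2.2.2.tar.gz
if [ "$#" -gt 0 ]; then
    for f in "$@"; do verify_release "$f" || exit 1; done
fi
```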
The following people helped with these releases:
- Andrew Haley (ARM fixes)
- Andrew John Hughes (all other patches/merging, reproducer testing & release management)
- Chris Phillips (Zero FTBFS & ARM fixes)
- Roman Kennke (Zero FTBFS fix)
We would also like to thank the bug reporters and testers!
To get started:
$ tar xzf icedtea-${ver}.tar.gz
$ cd icedtea-${ver}
Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make