GNU/Andrew’s Blog

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

A new security release is now available for the OpenJDK 6 series: 1.11.6. An update for the recent release, 1.12.1, will follow shortly,as will updates for 7: 2.1.5, 2.2.5, 2.3.5 and eventually a 2.4.1. (2.4.0 will sadly have to now be just another tag release). Regarding 7, we’ve hit bootstrapping issues that we’re trying to work around so it can still be built with OpenJDK 6, but if you fancy rolling your own using an earlier build of 7, the forests are already up-to-date for 2.3 and the IcedTea7 2.3 repository will be as well, shortly (allowing Classpath JDK builds too).

The update contains the following security fixes:

• S6563318, CVE-2013-0424: RMI data sanitization
• S6664509, CVE-2013-0425: Add logging context
• S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
• S6776941: CVE-2013-0427: Improve thread pool shutdown
• S7141694, CVE-2013-0429: Improving CORBA internals
• S7173145: Improve in-memory representation of splashscreens
• S7186945: Unpack200 improvement
• S7186946: Refine unpacker resource usage
• S7186948: Improve Swing data validation
• S7186952, CVE-2013-0432: Improve clipboard access
• S7186954: Improve connection performance
• S7186957: Improve Pack200 data validation
• S7192392, CVE-2013-0443: Better validation of client keys
• S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
• S7192977, CVE-2013-0442: Issue in toolkit thread
• S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
• S7200491: Tighten up JTable layout code
• S7200500: Launcher better input validation
• S7201064: Better dialogue checking
• S7201066, CVE-2013-0441: Change modifiers on unused fields
• S7201068, CVE-2013-0435: Better handling of UI elements
• S7201070: Serialization to conform to protocol
• S7201071, CVE-2013-0433: InetSocketAddress serialization issue
• S8000210: Improve JarFile code quality
• S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
• S8000540, CVE-2013-1475: Improve IIOP type reuse management
• S8000631, CVE-2013-1476: Restrict access to class constructor
• S8001235, CVE-2013-0434: Improve JAXP HTTP handling
• S8001242: Improve RMI HTTP conformance
• S8001307: Modify ACC_SUPER behavior
• S8001972, CVE-2013-1478: Improve image processing
• S8002325, CVE-2013-1480: Improve management of images

Full details can be found below.

What’s New?

New in release 1.11.6 (2012-02-03)

• Security fixes
  • S6563318, CVE-2013-0424: RMI data sanitization
  • S6664509, CVE-2013-0425: Add logging context
  • S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
  • S6776941: CVE-2013-0427: Improve thread pool shutdown
  • S7141694, CVE-2013-0429: Improving CORBA internals
  • S7173145: Improve in-memory representation of splashscreens
  • S7186945: Unpack200 improvement
  • S7186946: Refine unpacker resource usage
  • S7186948: Improve Swing data validation
  • S7186952, CVE-2013-0432: Improve clipboard access
  • S7186954: Improve connection performance
  • S7186957: Improve Pack200 data validation
  • S7192392, CVE-2013-0443: Better validation of client keys
  • S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
  • S7192977, CVE-2013-0442: Issue in toolkit thread
  • S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
  • S7200491: Tighten up JTable layout code
  • S7200500: Launcher better input validation
  • S7201064: Better dialogue checking
  • S7201066, CVE-2013-0441: Change modifiers on unused fields
  • S7201068, CVE-2013-0435: Better handling of UI elements
  • S7201070: Serialization to conform to protocol
  • S7201071, CVE-2013-0433: InetSocketAddress serialization issue
  • S8000210: Improve JarFile code quality
  • S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
  • S8000540, CVE-2013-1475: Improve IIOP type reuse management
  • S8000631, CVE-2013-1476: Restrict access to class constructor
  • S8001235, CVE-2013-0434: Improve JAXP HTTP handling
  • S8001242: Improve RMI HTTP conformance
  • S8001307: Modify ACC_SUPER behavior
  • S8001972, CVE-2013-1478: Improve image processing
  • S8002325, CVE-2013-1480: Improve management of images
• Backports
  • S7010849: 5/5 Extraneous javac source/target options when building sa-jdi

The tarball can be downloaded from:

• http://icedtea.classpath.org/download/source/icedtea6-1.11.6.tar.gz (sig)

SHA256 checksum:

• 1d4efe74bf8902c6682512ddb3cf71620e4fe107d1fb364b71453b551860fcca icedtea6-1.11.6.tar.gz

Each tarball is accompanied by a digital signature available at the above ‘sig’ link. This is produced using my public key. See details below.

• PGP Key: 248BDC07 (https://keys.indymedia.org/)
• Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

The following people helped with these releases:

• Andrew John Hughes (applying all security patches & backports, release management)
• Omair Majid (identification of ordering issues with security patches)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-1.11.6.tar.gz
$ cd icedtea-1.11.6

Full build requirements and instructions are in INSTALL:

$ ./configure [--with-parallel-jobs --enable-pulse-java
--enable-systemtap ...]
$ make

Happy hacking!