GNU/Andrew’s Blog

Many thanks to Omair Majid for preparing the 1.12.1 release while I was still returning home from FOSDEM. Much appreciated!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

A new security release is now available for the OpenJDK 6 series: 1.12.1. Regarding 7, we’ve hit bootstrapping issues that we’re trying to work around so it can still be built with OpenJDK 6, but if you fancy rolling your own using an earlier build of 7, the forests are already up-to-date for 2.3 as is the IcedTea7 2.3 repository.

The update contains the following security fixes:

• S6563318, CVE-2013-0424: RMI data sanitization
• S6664509, CVE-2013-0425: Add logging context
• S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
• S6776941: CVE-2013-0427: Improve thread pool shutdown
• S7141694, CVE-2013-0429: Improving CORBA internals
• S7173145: Improve in-memory representation of splashscreens
• S7186945: Unpack200 improvement
• S7186946: Refine unpacker resource usage
• S7186948: Improve Swing data validation
• S7186952, CVE-2013-0432: Improve clipboard access
• S7186954: Improve connection performance
• S7186957: Improve Pack200 data validation
• S7192392, CVE-2013-0443: Better validation of client keys
• S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
• S7192977, CVE-2013-0442: Issue in toolkit thread
• S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
• S7200491: Tighten up JTable layout code
• S7200500: Launcher better input validation
• S7201064: Better dialogue checking
• S7201066, CVE-2013-0441: Change modifiers on unused fields
• S7201068, CVE-2013-0435: Better handling of UI elements
• S7201070: Serialization to conform to protocol
• S7201071, CVE-2013-0433: InetSocketAddress serialization issue
• S8000210: Improve JarFile code quality
• S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
• S8000540, CVE-2013-1475: Improve IIOP type reuse management
• S8000631, CVE-2013-1476: Restrict access to class constructor
• S8001235, CVE-2013-0434: Improve JAXP HTTP handling
• S8001242: Improve RMI HTTP conformance
• S8001307: Modify ACC_SUPER behavior
• S8001972, CVE-2013-1478: Improve image processing
• S8002325, CVE-2013-1480: Improve management of images

Full details can be found below.

What’s New?

New in release 1.12.1 (2012-02-04)

• Security fixes
  • S6563318, CVE-2013-0424: RMI data sanitization
  • S6664509, CVE-2013-0425: Add logging context
  • S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
  • S6776941: CVE-2013-0427: Improve thread pool shutdown
  • S7141694, CVE-2013-0429: Improving CORBA internals
  • S7173145: Improve in-memory representation of splashscreens
  • S7186945: Unpack200 improvement
  • S7186946: Refine unpacker resource usage
  • S7186948: Improve Swing data validation
  • S7186952, CVE-2013-0432: Improve clipboard access
  • S7186954: Improve connection performance
  • S7186957: Improve Pack200 data validation
  • S7192392, CVE-2013-0443: Better validation of client keys
  • S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
  • S7192977, CVE-2013-0442: Issue in toolkit thread
  • S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
  • S7200491: Tighten up JTable layout code
  • S7200500: Launcher better input validation
  • S7201064: Better dialogue checking
  • S7201066, CVE-2013-0441: Change modifiers on unused fields
  • S7201068, CVE-2013-0435: Better handling of UI elements
  • S7201070: Serialization to conform to protocol
  • S7201071, CVE-2013-0433: InetSocketAddress serialization issue
  • S8000210: Improve JarFile code quality
  • S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
  • S8000540, CVE-2013-1475: Improve IIOP type reuse management
  • S8000631, CVE-2013-1476: Restrict access to class constructor
  • S8001235, CVE-2013-0434: Improve JAXP HTTP handling
  • S8001242: Improve RMI HTTP conformance
  • S8001307: Modify ACC_SUPER behavior
  • S8001972, CVE-2013-1478: Improve image processing
  • S8002325, CVE-2013-1480: Improve management of images
• Backports
  • S7010849: 5/5 Extraneous javac source/target options when building sa-jdi

The tarball can be downloaded from:

• http://icedtea.classpath.org/download/source/icedtea6-1.12.1.tar.gz (sig)

SHA256 checksum:

• 8e73a3939ba8c2cca888defc6c90811c959273a9bc7bd1352338a72cefcf1157 icedtea6-1.12.1.tar.gz

The tarball is accompanied by a digital signature available at the above ‘sig’ link. This is produced using Omair’s public key. See details below.

• PGP Key: 66484681 (http://pgp.mit.edu/)
• Fingerprint = F072 555B 0A17 3957 4E95 0056 F286 F14F 6648 4681

The following people helped with these releases:

• Andrew John Hughes (applying all security patches & backports, release testing)
• Omair Majid (identification of ordering issues with security patches, porting security patches to 1.12)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-1.12.1.tar.gz
$ cd icedtea-1.12.1

Full build requirements and instructions are in INSTALL:

$ ./configure [--with-parallel-jobs --enable-pulse-java
--enable-systemtap ...]
$ make

Happy hacking!