GNU/Andrew's Blog » Security

[SECURITY] IcedTea6 1.8.13, 1.9.13, 1.10.6 and IcedTea 2.0.1 Released! (Valentine’s Release)

gnu_andrew — Wed, 15 Feb 2012 07:38:23 +0000

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative
virtual machines.

A new set of security releases is now available for IcedTea6, which uses OpenJDK6 as its base:

IcedTea6 1.8.13 (based on OpenJDK6 b18)
IcedTea6 1.9.13 (based on OpenJDK6 b20)
IcedTea6 1.10.6 (based on OpenJDK6 b22)

and one for IcedTea 2.x, which uses OpenJDK7 as its base:

IcedTea 2.0.1 (based on OpenJDK7 u1 + u3 security patches)

All updates contain the following security fixes:

S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
S7088367, CVE-2011-3563: Fix issues in java sound
S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
S7110687, CVE-2012-0503: Issues with TimeZone class
S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
S7110704, CVE-2012-0506: Issues with some method in corba
S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server

Full details of each release can be found below. For details of the 1.11.1 security release, see Omair’s e-mail.

*PLEASE NOTE*: With this release, the 1.8 series is now NO LONGER SUPPORTED. We strongly recommend that you upgrade to a new release series; either 1.9.13, 1.10.6 or 1.11.1 for OpenJDK6. Alternatively, make the jump to OpenJDK7 with 2.0.1 or the new 2.1.0 (to be released shortly).

What’s New?

New in release 2.0.1 (2012-02-14)

Security fixes
- S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
- S7088367, CVE-2011-3563: Fix issues in java sound
- S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
- S7110687, CVE-2012-0503: Issues with TimeZone class
- S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
- S7110704, CVE-2012-0506: Issues with some method in corba
- S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
- S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
- S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
Bug fixes
- S7103610: _NET_WM_PID and WM_CLIENT_MACHINE are not set

New in release 1.10.6 (2012-02-14)

Security fixes
- S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
- S7088367, CVE-2011-3563: Fix issues in java sound
- S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
- S7110687, CVE-2012-0503: Issues with TimeZone class
- S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
- S7110704, CVE-2012-0506: Issues with some method in corba
- S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
- S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
- S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
Bug fixes
- RH580478: Desktop files should not use hardcoded path

New in release 1.9.13 (2012-02-14)

Security fixes
- S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
- S7088367, CVE-2011-3563: Fix issues in java sound
- S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
- S7110687, CVE-2012-0503: Issues with TimeZone class
- S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
- S7110704, CVE-2012-0506: Issues with some method in corba
- S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
- S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
- S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
Bug fixes
- RH580478: Desktop files should not use hardcoded path

New in release 1.8.13 (2012-02-14)

Security fixes
- S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
- S7088367, CVE-2011-3563: Fix issues in java sound
- S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
- S7110687, CVE-2012-0503: Issues with TimeZone class
- S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
- S7110704, CVE-2012-0506: Issues with some method in corba
- S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
- S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
- S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
Bug fixes
- RH580478: Desktop files should not use hardcoded path

The tarballs can be downloaded from:

SHA256 checksums:

9d3c4d3676c2286003cf9beb9fc3ee442d2c04b3f8b229be140fe636c9e70101 icedtea-2.0.1.tar.gz
4bdd8ff2e6a93455425eeabd6c073137bf3816ad16ce6e89979ec1521e03c7f1 icedtea6-1.10.6.tar.gz
1c972e03be7021e1b789e6077df9c74af7df239182d20d2478f7a60bc68e3c61 icedtea6-1.9.13.tar.gz
be3afacb9a08cdf932e4772f7f5575c53f21a2a60456eb4e8e63e18fa4e2e41b icedtea6-1.8.13.tar.gz

Each tarball is accompanied by a digital signature (available at the above URL + ‘.sig’). This is produced using my public key:

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

The following people helped with these releases:

Deepak Bhole (reproducer for S7112642)
Andrew Haley (backport of S7126960 reproducer to IcedTea6)
Andrew John Hughes (all other fixes and release management)
Omair Majid (preparation of security patches for IcedTea6-1.11, reproducer for S7110704)
Roman Kennke (replacement reproducer for S7110683)
Jiri Vanek (RH580478)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf 
$ cd

Full build requirements and instructions are in INSTALL:

$ ./configure [--with-parallel-jobs[=x] --enable-pulse-java --enable-systemtap ...]
$ make

Happy Hacking!

[SECURITY: IcedTea-Web] IcedTea6 1.8.11 and 1.9.11 Released!

gnu_andrew — Tue, 08 Nov 2011 15:00:42 +0000

A new set of security releases is now available for versions of IcedTea which include the plugin and Web Start support now developed in the IcedTea-Web project:

IcedTea6 1.8.11
IcedTea6 1.9.11

Where possible, we recommend using IcedTea-Web in preference to these older versions, in order to obtain the latest bug fixes and features.

All updates contain the following security fixes:

RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass

Full details of each release can be found below.

What’s New?

New in release 1.9.11 (2011-11-08)

Security fixes
- RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass

New in release 1.8.11 (2011-11-08)

Security fixes
- RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass

The tarballs can be downloaded from:

SHA256 checksums:

6eb418ec0609080a71bda16896124d6e1ac23b2f54af52e05fc22c719e12ca29 icedtea6-1.8.11.tar.gz
fd3b32f8dd1010fa8b752f0224fb25a8fe102c9f82652f0ded32138fd4ba3714 icedtea6-1.9.11.tar.gz

Each tarball is accompanied by a digital signature (available at the above URL + ‘.sig’). This is produced using my public key. See details below in the signature.

The following people helped with these releases:

Deepak Bhole (RH742515)
Andrew John Hughes (release management)
Omair Majid (additional patch preparation work)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-.tar.gz
$ cd icedtea6-

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

[SECURITY] IcedTea6 1.8.10, 1.9.10 and 1.10.4 Released!

gnu_andrew — Tue, 18 Oct 2011 23:53:31 +0000

A new set of security releases is now available:

IcedTea6 1.8.10
IcedTea6 1.9.10
IcedTea6 1.10.4

All updates contain the following security fixes:

S7000600, CVE-2011-3547: InputStream skip() information leak
S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
S7055902, CVE-2011-3521: IIOP deserialization code execution
S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
S7077466, CVE-2011-3556: RMI DGC server remote code execution
S7083012, CVE-2011-3557: RMI registry privileged code execution
S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection

The 1.9.10 and 1.10.4 updates also include:

S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer

The patch for this issue did not apply to the older versions of HotSpot (14 and 16) supported by the 1.8 release series. It is believed that the underlying issue is also not present in these versions, but for safety, we recommend using the latest 1.10.x release series where possible.

Full details of each release can be found below.

What’s New?

New in release 1.10.4 (2011-10-18)

Security fixes
- S7000600, CVE-2011-3547: InputStream skip() information leak
- S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
- S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
- S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
- S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
- S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
- S7055902, CVE-2011-3521: IIOP deserialization code execution
- S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
- S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
- S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
- S7077466, CVE-2011-3556: RMI DGC server remote code execution
- S7083012, CVE-2011-3557: RMI registry privileged code execution
- S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
Bug fixes
- RH727195: Japanese font mappings are broken
Backports
- S6826104, RH730015: Getting a NullPointer exception when clicked on Application & Toolkit Modal dialog
Zero/Shark
- PR690: Shark fails to JIT using hs20.
- PR696: Zero fails to handle fast_aldc and fast_aldc_w in hs20.

New in release 1.9.10 (2011-10-18)

Security fixes
- S7000600, CVE-2011-3547: InputStream skip() information leak
- S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
- S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
- S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
- S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
- S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
- S7055902, CVE-2011-3521: IIOP deserialization code execution
- S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
- S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
- S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
- S7077466, CVE-2011-3556: RMI DGC server remote code execution
- S7083012, CVE-2011-3557: RMI registry privileged code execution
- S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
NetX
- PR794: javaws does not work if a Web Start app jar has a Class-Path element in the manifest
Fixes
- G356743: Support libpng 1.5.

New in release 1.8.10 (2011-10-18)

Security fixes
- S7000600, CVE-2011-3547: InputStream skip() information leak
- S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
- S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
- S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
- S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
- S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
- S7055902, CVE-2011-3521: IIOP deserialization code execution
- S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
- S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
- S7077466, CVE-2011-3556: RMI DGC server remote code execution
- S7083012, CVE-2011-3557: RMI registry privileged code execution
- S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
NetX
- PR794: javaws does not work if a Web Start app jar has a Class-Path element in the manifest
- PR764: icedtea 1.8.9 fails to build in CachedJarFileCallback.java
Fixes
- G356743: Support libpng 1.5.

The tarballs can be downloaded from:

Each tarball is accompanied by a digital signature. This is produced using my public key:

pub   4096R/248BDC07 2011-09-28 [expires: 2012-09-27]
      Key fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
uid                  Dr Andrew John Hughes 
uid                  Dr Andrew John Hughes 
sub   4096R/954E386D 2011-09-28 [expires: 2012-09-27]

SHA256 checksums:

c4a17b55de875a49efa192cfe015f1cb0cf02aeac03f7fc7afe2a3e9fdef64b83 icedtea6-1.8.10.tar.gz
3f41d433ed362f2bb81536585511d901b19864b98a97abab8ccd0b4ba00803a6 icedtea6-1.9.10.tar.gz
15491d7f2f81436aaf87f964d923b95b4bda8f6689198b4999961070b6c68851 icedtea6-1.10.4.tar.gz

The following people helped with these releases:

Deepak Bhole (PR794, S6826104)
Andrew John Hughes (all other fixes and release management)
Xerxes Rånby (PR690, PR696)
Jiri Vanek (RH727195)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-.tar.gz
$ cd icedtea6-

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!

[SECURITY] IcedTea6 1.8.9 & 1.9.9 Released!

gnu_andrew — Wed, 20 Jul 2011 14:08:43 +0000

There is a new set of security releases: IcedTea6 1.8.9 and IcedTea6 1.9.9. This security issue concerns IcedTea-Web, which is not part of the IcedTea6 1.10 series, hence there will be no IcedTea6 1.10 security update. However, an IcedTea6 1.10 bug fix update will follow shortly.

This update contains the following security updates:

RH718164, CVE-2011-2513: Home directory path disclosure to untrusted apps

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation, and support for additional architectures over and above x86, x86_64 and SPARC via the Zero assembler port.

What Else Is New?

New in release 1.8.9 (2011-07-20)

Bug fixes
- PR744: icedtea6-1.10.2 : patching error
- PR748: Icedtea6 fails to build with Linux 3.0.

New in release 1.9.9 (2011-07-20)

Bug Fixes
- PR744: icedtea6-1.10.2 : patching error
- PR748: Icedtea6 fails to build with Linux 3.0.
Shark
- PR632: patches/security/20110215/6878713.patch breaks shark zero build

The tarballs can be downloaded from:

SHA256 sums

e12e06c2ee642396f1d080d871a42fa4db38aced10bf13c20644f752ef03741f icedtea6-1.8.9.tar.gz
c2419896f8925822b0135bcd2db37affcb2b9f6f50d782e7f6b8d23afb5beb39 icedtea6-1.9.9.tar.gz

The following people helped with these releases:

Andrew John Hughes
Omair Majid
Xerxes Rånby
Pavel Tisnovsky
Mark Wielaard

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-.tar.gz
$ cd icedtea6-

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

IcedTea6 1.8.8, 1.9.8 and 1.10.2 Released!

gnu_andrew — Wed, 08 Jun 2011 16:06:09 +0000

There is a new set of security releases: IcedTea6 1.8.8, IcedTea6 1.9.8 and IcedTea6 1.10.2.

This update contains the following security updates:

S6213702, CVE-2011-0872: (so) non-blocking sockets with TCP urgent disabled get still selected for read ops (win)
S6618658, CVE-2011-0865: Vulnerability in deserialization
S7012520, CVE-2011-0815: Heap overflow vulnerability in FileDialog.show()
S7013519, CVE-2011-0822, CVE-2011-0862: Integer overflows in 2D code
S7013969, CVE-2011-0867: NetworkInterface.toString can reveal bindings
S7013971, CVE-2011-0869: Vulnerability in SAAJ
S7016340, CVE-2011-0870: Vulnerability in SAAJ
S7016495, CVE-2011-0868: Crash in Java 2D transforming an image with scale close to zero
S7020198, CVE-2011-0871: ImageIcon creates Component with null acc
S7020373, CVE-2011-0864: JSR rewriting can overflow memory address size variables

What Else Is New?

IcedTea6 1.8.8

Backports
- S6675802: Regression: heavyweight popups cause SecurityExceptions in applets
- S6691503: Malicious applet can show always-on-top popup menu which has whole screen size
- PR632: patches/security/20110215/6878713.patch breaks shark zero build
- Fixed AccessControlContext which was thrown while working with Color class in a PropertyEditor
Plugin
- PR542: Plugin fails with NPE on http://www.openprocessing.org/visuals/iframe.php?visualID=2615

IcedTea6 1.9.8

Backports
- S6675802: Regression: heavyweight popups cause SecurityExceptions in applets
- S6691503: Malicious applet can show always-on-top popup menu which has whole screen size
- S6980392, PR642: simple correction in testcase, added missing bracket
- Fixed AccessControlContext which was thrown while working with Color class in a PropertyEditor
Plugin
- PR542: Plugin fails with NPE on http://www.openprocessing.org/visuals/iframe.php?visualID=2615
Shark
- PR689: Shark fails to find LLVM 2.9 System headers during build

IcedTea6 1.10.2

Backports
- S7043054: REGRESSION – wrong userBounds in Paint.createContext()
- S7043963, RH698295: Window manager workaround in AWT was not applied to mutter. Now it is.
Shark
- PR689: Shark fails to find LLVM 2.9 System headers during build.

The tarballs can be downloaded from:

SHA256 sums

61c0036df25aa0108dba91ab3dd8334e45dd85f8caa6dadf997b10b63a7d280f icedtea6-1.8.8.tar.gz
ad63b3c4f87df5bf189b3fd2ef5e82f916b4bb22fb3ff107105a14583b38fbc3 icedtea6-1.9.8.tar.gz
488af9a6ddebc38344aabdb62798d403ccc477be1076118788f0b146aa3db5ba icedtea6-1.10.2.tar.gz

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-.tar.gz
$ cd icedtea6-

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

[SECURITY] IcedTea6 1.7.10, 1.8.7 and 1.9.7 Released!

gnu_andrew — Tue, 15 Feb 2011 21:33:52 +0000

There is a new set of security releases: IcedTea6 1.7.10, IcedTea6 1.8.7 and IcedTea6 1.9.7. .

This update contains the following security updates:

S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption
S6907662, CVE-2010-4465: Swing timer-based security manager bypass
S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation
S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets
S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
S6985453, CVE-2010-4471: Java2D font-related system property leak
S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
RH677332, CVE-2011-0706: Multiple signers privilege escalation

There is also an update for IcedTea-Web.

What’s New?

IcedTea6 1.7.10

Security updates
- S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption
- S6907662, CVE-2010-4465: Swing timer-based security manager bypass
- S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation
- S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets
- S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
- S6985453, CVE-2010-4471: Java2D font-related system property leak
- S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
- RH677332, CVE-2011-0706: Multiple signers privilege escalation
Bug fixes
- RH676659: Pass -export-dynamic flag to linker using -Wl, as option in gcc 4.6+ is broken
- Fix latent JAXP bug caused by missing import

IcedTea6 1.8.7

Security updates
- S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption
- S6907662, CVE-2010-4465: Swing timer-based security manager bypass
- S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation
- S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets
- S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
- S6985453, CVE-2010-4471: Java2D font-related system property leak
- S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
- RH677332, CVE-2011-0706: Multiple signers privilege escalation
Bug fixes
- RH676659: Pass -export-dynamic flag to linker using -Wl, as option in gcc 4.6+ is broken
- Fix latent JAXP bug caused by missing import

IcedTea6 1.9.7

Security updates
- S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption
- S6907662, CVE-2010-4465: Swing timer-based security manager bypass
- S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation
- S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets
- S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
- S6985453, CVE-2010-4471: Java2D font-related system property leak
- S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
- RH677332, CVE-2011-0706: Multiple signers privilege escalation
Bug fixes
- RH676659: Pass -export-dynamic flag to linker using -Wl, as option in gcc 4.6+ is broken
- G344659: Fix issue when building on SPARC
- Fix latent JAXP bug caused by missing import

The tarballs can be downloaded from:

SHA256 sums:

dbca9d7598352d178651c8cc28ff887c59a27f0125785a58e9f9723611137f78 icedtea6-1.7.10.tar.gz
c6b16e89cd3da5ddb9cdc9c8615773c6cef214d1d611030a07bae92a19e8562a icedtea6-1.8.7.tar.gz
fe89234ca7f5dbb8696aa0e97a342c51901c10c0254f8fd563c6ccf7bf532fcc icedtea6-1.9.7.tar.gz

The following people helped with these releases:

Andrew John Hughes
Omair Majid

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-.tar.gz
$ cd icedtea6-

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

You can track future security updates by subscribing to the security feed.

[SECURITY] IcedTea6 1.7.9, 1.8.6, 1.9.6 Released!

gnu_andrew — Wed, 09 Feb 2011 12:31:24 +0000

We are pleased to announce a new set of security releases, IcedTea6 1.7.9, IcedTea6 1.8.6 and IcedTea6 1.9.6.

This update contains the following security updates:

S4421494, CVE-2010-4476: infinite loop while parsing double literal.

What’s New?

IcedTea6 1.7.9

Security updates
- S4421494, CVE-2010-4476: infinite loop while parsing double literal.

IcedTea6 1.8.6

Security updates
- S4421494, CVE-2010-4476: infinite loop while parsing double literal.

IcedTea6 1.9.6

Security updates
- S4421494, CVE-2010-4476: infinite loop while parsing double literal.

The tarballs can be downloaded from:

SHA256 sums:

496b615ccad2a950783b1a2f30a8657956f8c9d9bccb6ab9effc1164ab830792 icedtea6-1.7.9.tar.gz
d392c95e76b5bdf21fb4bce8fc5cdc530bdf5bda014cb96fa9cd3efdfdbeff87 icedtea6-1.8.6.tar.gz

100e61fbc3157b4839413951b0247f7ccabb0dcff6d037fbb372d5a13088adc2 icedtea6-1.9.6.tar.gz

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-.tar.gz
$ cd icedtea6-

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!

[SECURITY] IcedTea6 1.7.8, 1.8.5, 1.9.5 Released!

gnu_andrew — Tue, 01 Feb 2011 13:49:57 +0000

We are pleased to announce a new set of security releases, IcedTea6 1.7.8, IcedTea6 1.8.5 and IcedTea6 1.9.5.

This update contains the following security updates:

What’s New?

IcedTea6 1.7.8

Security updates
- RH672262, CVE-2011-0025: IcedTea jarfile signature verification bypass
Backports
- S6687968: PNGImageReader leaks native memory through an Inflater
- S6541476, RH665355: PNG imageio plugin incorrectly handles iTXt chunk
- S6782079: PNG: reading metadata may cause OOM on truncated images
Fixes:
- RH647157, RH582455: Update fontconfig files for rhel 6
- PR619: Improper finalization by the plugin can crash the browser

IcedTea6 1.8.5

Security updates
- RH672262, CVE-2011-0025: IcedTea jarfile signature verification bypass
Backports
- S6687968: PNGImageReader leaks native memory through an Inflater
- S6541476, RH665355: PNG imageio plugin incorrectly handles iTXt chunk
- S6782079: PNG: reading metadata may cause OOM on truncated images
Fixes
- RH647157, RH582455: Update fontconfig files for rhel 6
- PR619: Improper finalization by the plugin can crash the browser

IcedTea6 1.9.5

Security updates
- RH672262, CVE-2011-0025: IcedTea jarfile signature verification bypass
Backports
- S6687968: PNGImageReader leaks native memory through an Inflater
- S6541476, RH665355: PNG imageio plugin incorrectly handles iTXt chunk
- S6782079: PNG: reading metadata may cause OOM on truncated images
Fixes
- RH647157, RH582455: Update fontconfig files for rhel 6
- PR619: Improper finalization by the plugin can crash the browser

The tarballs can be downloaded from:

SHA256 sums:

a1cbb4e5962d1fed0c816cebce33b6896b61a9f19b404f5e91439b9e7ffcd97c icedtea6-1.7.8.tar.gz
1ee081368587507e7ea75bd3351be0eafadd3f7020930db68448bcec6fa5c452 icedtea6-1.8.5.tar.gz
dac8ad42c452b3211b4daf26446da090f1f6c45952d9dbf52f66447adef73a29 icedtea6-1.9.5.tar.gz

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-.tar.gz
$ cd icedtea6-

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

[SECURITY] IcedTea6 1.7.7, 1.8.4, 1.9.4 Released!

gnu_andrew — Tue, 18 Jan 2011 13:42:13 +0000

We are pleased to announce a new set of security releases, IcedTea6 1.7.7, IcedTea6 1.8.4 and IcedTea6 1.9.4.

This update contains the following security updates:

RH663680, CVE-2010-4351: IcedTea JNLP SecurityManager bypass

What’s New?

IcedTea6 1.7.7

Security updates
- RH663680, CVE-2010-4351: IcedTea JNLP SecurityManager bypass
Backports
- S6438179, RH569121: XToolkit.isTraySupported() result has nothing to do with the system tray
- S4356282: RFE: JDK should support OpenType/CFF fonts
- S6954424, RH525870: Support OpenType/CFF fonts in JDK 7
- S6795356, PR590: Leak caused by javax.swing.UIDefaults.ProxyLazyValue.acc
- S6967436, RH597227: lines longer than 2^15 can fill window.
- S6967433: dashed lines broken when using scaling transforms.
- S6976265: No STROKE_CONTROL
- S6967434, PR450, RH530642: Round joins/caps of scaled up lines have poor quality.
Fixes:
- S7003777, RH647674: JTextPane produces incorrect content after parsing the html text

IcedTea6 1.8.4

Security updates
- RH663680, CVE-2010-4351: IcedTea JNLP SecurityManager bypass
Backports
- S6438179, RH569121: XToolkit.isTraySupported() result has nothing to do with the system tray
- S4356282: RFE: JDK should support OpenType/CFF fonts
- S6954424, RH525870: Support OpenType/CFF fonts in JDK 7
- S6795356, PR590: Leak caused by javax.swing.UIDefaults.ProxyLazyValue.acc
- S6967436, RH597227: lines longer than 2^15 can fill window.
- S6967433: dashed lines broken when using scaling transforms.
- S6976265: No STROKE_CONTROL
- S6967434, PR450, RH530642: Round joins/caps of scaled up lines have poor quality.
Fixes:
- S7003777, RH647674: JTextPane produces incorrect content after parsing the html text

IcedTea6 1.9.4

Security updates
- RH663680, CVE-2010-4351: IcedTea JNLP SecurityManager bypass
Backports
- S4356282: RFE: JDK should support OpenType/CFF fonts
- S6954424, RH525870: Support OpenType/CFF fonts in JDK 7
- S6795356, PR590: Leak caused by javax.swing.UIDefaults.ProxyLazyValue.acc
- S6967436, RH597227: lines longer than 2^15 can fill window.
- S6967433: dashed lines broken when using scaling transforms.
- S6976265: No STROKE_CONTROL
- S6967434, PR450, RH530642: Round joins/caps of scaled up lines have poor quality.
- S6438179, RH569121: XToolkit.isTraySupported() result has nothing to do with the system tray
Fixes
- S7003777, RH647674: JTextPane produces incorrect content after parsing the html text

The tarballs can be downloaded from:

SHA256 sums:

4c35574df1214c2e2533b282d6045f79f61eb702d59cd4ac73eec973f4c51fb6 icedtea6-1.7.7.tar.gz
0f89e920a829f3f1a6057065c85520b910504a0be1fbc94f8db2390242edc784 icedtea6-1.8.4.tar.gz
2194b59d8c17ad6ff2fb495e10f9e6023993df5f8ce8a3739bf057f6562ef077 icedtea6-1.9.4.tar.gz

The following people helped with these releases:

Andrew John Hughes
Denis Lila
Omair Majid

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-.tar.gz
$ cd icedtea6-

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!

[SECURITY] IcedTea6 1.7.6, 1.8.3 and 1.9.2 Released!

gnu_andrew — Wed, 24 Nov 2010 13:48:44 +0000

We are pleased to announce a new set of security releases, IcedTea6 1.7.6, IcedTea6 1.8.3 and IcedTea6 1.9.2.

This update contains the following security updates:

RH645843, CVE-2010-3860: IcedTea System property information leak via public static

What’s New?

IcedTea6 1.7.6

Allow the building of NetX to be disabled.
Security updates
- RH645843, CVE-2010-3860: IcedTea System property information leak via public static
Backports
- S6853592: VM test nsk.regression.b4261880 fails with “X Error of failed request: BadWindow” inconsistently.
NetX
- Do not prompt user multiple times for the same certificate.
- PR592: NetX can create invalid desktop entry files

IcedTea6 1.8.3

Allow the building of NetX to be disabled.
Security updates
- RH645843, CVE-2010-3860: IcedTea System property information leak via public static
Backports
- S6853592: VM test nsk.regression.b4261880 fails with “X Error of failed request: BadWindow” inconsistently.
NetX
- Do not prompt user multiple times for the same certificate.
- PR592: NetX can create invalid desktop entry files

IcedTea6 1.9.2

Upgrade to latest revision of hs19 (b09).
Allow the building of NetX to be disabled.
Additional S390 size_t fixes.
Switch to the IcedTea server for JAXP, JAF and JAXWS tarballs.
Security updates
- RH645843, CVE-2010-3860: IcedTea System property information leak via public static
Backports
- S6622432: RFE: Performance improvements to java.math.BigDecimal
- S6850606: Regression from JDK 1.6.0_12
- S6876282: BigDecimal’s divide(BigDecimal bd, RoundingFormat r) produces incorrect result
- S6991430, PR579: Zero PowerPC fix.
- S6703377: freetype: glyph vector outline is not translated correctly
- S6853592: VM test nsk.regression.b4261880 fails with “X Error of failed request: BadWindow” inconsistently.
Bug fixes
- RH647737: Disable compressed oops in hs19 to avoid Eclipse failures.
- RH643674: Update fontconfig files for Fedora 11, 12, 13 and 14.
NetX
- Do not prompt user multiple times for the same certificate.
- PR592: NetX can create invalid desktop entry files

The tarballs can be downloaded from:

SHA256 sums

b28c8bd39d9bd8a28efaaa38280288a3faa6bec0d756323c0555ad3d8c5d77f5 icedtea6-1.7.6.tar.gz
d65a16345e8f6a702e5db1efbe02d0c41b565d4d1afce2d011169588fe8aa6ad icedtea6-1.8.3.tar.gz
abed4d2258fd6f047b08926fa9dbde86bdf7f47b08c82c195abb7244163cf99b icedtea6-1.9.2.tar.gz

The following people helped with these releases:

Deepak Bhole
Dan Horák
Andrew John Hughes
Matthias Klose
Omair Majid
Pavel Tisnovsky
Jiri Vanek

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-.tar.gz
$ cd icedtea6-

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make