Security


We are pleased to announce a new set of security releases, IcedTea6 1.7.6, IcedTea6 1.8.3 and IcedTea6 1.9.2.

This update contains the following security updates:

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation, and support for additional architectures over and above x86, x86_64 and SPARC via the Zero assembler port.

What’s New?

IcedTea6 1.7.6

  • Allow the building of NetX to be disabled.
  • Security updates
  • Backports
    • S6853592: VM test nsk.regression.b4261880 fails with “X Error of failed request: BadWindow” inconsistently.
  • NetX
    • Do not prompt user multiple times for the same certificate.
    • PR592: NetX can create invalid desktop entry files

IcedTea6 1.8.3

  • Allow the building of NetX to be disabled.
  • Security updates
  • Backports
    • S6853592: VM test nsk.regression.b4261880 fails with “X Error of failed request: BadWindow” inconsistently.
  • NetX
    • Do not prompt user multiple times for the same certificate.
    • PR592: NetX can create invalid desktop entry files

IcedTea6 1.9.2

  • Upgrade to latest revision of hs19 (b09).
  • Allow the building of NetX to be disabled.
  • Additional S390 size_t fixes.
  • Switch to the IcedTea server for JAXP, JAF and JAXWS tarballs.
  • Security updates
  • Backports
    • S6622432: RFE: Performance improvements to java.math.BigDecimal
    • S6850606: Regression from JDK 1.6.0_12
    • S6876282: BigDecimal’s divide(BigDecimal bd, RoundingFormat r) produces incorrect result
    • S6991430, PR579: Zero PowerPC fix.
    • S6703377: freetype: glyph vector outline is not translated correctly
    • S6853592: VM test nsk.regression.b4261880 fails with “X Error of failed request: BadWindow” inconsistently.
  • Bug fixes
    • RH647737: Disable compressed oops in hs19 to avoid Eclipse failures.
    • RH643674: Update fontconfig files for Fedora 11, 12, 13 and 14.
  • NetX
    • Do not prompt user multiple times for the same certificate.
    • PR592: NetX can create invalid desktop entry files

The tarballs can be downloaded from:

SHA256 sums

  • b28c8bd39d9bd8a28efaaa38280288a3faa6bec0d756323c0555ad3d8c5d77f5 icedtea6-1.7.6.tar.gz
  • d65a16345e8f6a702e5db1efbe02d0c41b565d4d1afce2d011169588fe8aa6ad icedtea6-1.8.3.tar.gz
  • abed4d2258fd6f047b08926fa9dbde86bdf7f47b08c82c195abb7244163cf99b icedtea6-1.9.2.tar.gz

The following people helped with these releases:

  • Deepak Bhole
  • Dan Horák
  • Andrew John Hughes
  • Matthias Klose
  • Omair Majid
  • Pavel Tisnovsky
  • Jiri Vanek

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-${ver}.tar.gz
$ cd icedtea6-${ver}

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make
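
Before unpacking, a downloaded tarball can be checked against the SHA256 sums listed above. This is an added example, not part of the original announcement or the IcedTea project's own tooling; the function names are hypothetical, and the optional sums-file argument is an assumption that lets the same check run against another published list.

```shell
#!/bin/sh
# Added example: refuse to unpack an IcedTea6 tarball unless its SHA-256
# matches the sum published in the announcement.
# Usage: verify_and_unpack icedtea6-1.9.2.tar.gz

# Published sums, copied from the announcement (sha256sum file format).
icedtea_sums() {
cat <<'EOF'
b28c8bd39d9bd8a28efaaa38280288a3faa6bec0d756323c0555ad3d8c5d77f5  icedtea6-1.7.6.tar.gz
d65a16345e8f6a702e5db1efbe02d0c41b565d4d1afce2d011169588fe8aa6ad  icedtea6-1.8.3.tar.gz
abed4d2258fd6f047b08926fa9dbde86bdf7f47b08c82c195abb7244163cf99b  icedtea6-1.9.2.tar.gz
EOF
}

# Print the SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# expected_sum NAME [SUMS_FILE]: print the published sum for NAME.
# Fails (non-zero) when NAME is not in the list, so an unlisted file
# is never treated as verified.
expected_sum() {
    name=$1
    if [ -n "${2:-}" ]; then cat "$2"; else icedtea_sums; fi |
        awk -v n="$name" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# verify_tarball PATH [SUMS_FILE]
# Returns 0 on match, 1 on mismatch or unreadable file, 2 if not listed.
verify_tarball() {
    path=$1
    want=$(expected_sum "$(basename "$path")" "${2:-}") || {
        echo "no published sum for $path" >&2
        return 2
    }
    got=$(sha256_of "$path")
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        return 0
    fi
    echo "SHA256 mismatch for $path" >&2
    return 1
}

# verify_and_unpack PATH [SUMS_FILE]: extract only after verification succeeds.
verify_and_unpack() {
    verify_tarball "$1" "${2:-}" && tar xzf "$1"
}
```

A matching sum only shows the file is the one the announcement describes; it is as trustworthy as the channel the sums themselves were read from.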

We are pleased to announce a new set of security releases, IcedTea6 1.7.5, IcedTea6 1.8.2 and IcedTea6 1.9.1.

This update contains the following security updates:

See: http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation.

What’s New?

IcedTea6 1.7.5

  • Security updates
  • Fixes
    • G244901: Skip test_gamma on hardened (PaX-enabled) kernels
    • G266295: Provide font configuration for Gentoo.
    • Provide font configuration for RHEL 6.
    • RH633510: OpenJDK should use NUMA even if glibc doesn’t provide it
  • Backports
    • S6539464, RH500077: Ensure java.lang.Math functions provide consistent results.
    • S6951319: enable solaris builds using Sun Studio 12 update 1 (fixes PR398).
    • S6638712: Inference with wildcard types causes selection of inapplicable method
    • S6650759: Inference of formal type parameter (unused in formal parameters) is not performed
    • S6623943: javax.swing.TimerQueue’s thread occasionally fails to start
  • NetX
    • Fix browser command in BasicService.showDocument(URL)
    • Run programs that inherit main(String[]) in their main-class
    • Work with JNLP files that use spec version 1.6
    • RH601281: Possible NullPointerException in splash screen code
    • New man page for javaws
  • Plugin
    • RH560193: Fix zip error when applet jar contained another 0-byte jar
    • PR519: 100% CPU usage when displaying applets in Webkit based browsers

IcedTea6 1.8.2

  • Security updates
  • Fixes:
    • G244901: Skip test_gamma on hardened (PaX-enabled) kernels
    • G266295: Provide font configuration for Gentoo.
    • Provide font configuration for RHEL 6.
    • RH633510: OpenJDK should use NUMA even if glibc doesn’t provide it
  • Backports:
    • S6951319: enable solaris builds using Sun Studio 12 update 1 (fixes PR398)
    • S6539464, RH500077: Ensure java.lang.Math functions provide consistent results.
    • S6638712: Inference with wildcard types causes selection of inapplicable method
    • S6650759: Inference of formal type parameter (unused in formal parameters) is not performed
    • S6623943: javax.swing.TimerQueue’s thread occasionally fails to start
  • NetX:
    • Fix browser command in BasicService.showDocument(URL)
    • Run programs that inherit main(String[]) in their main-class
    • Run JNLP files that use 1.6 as the spec version
    • RH601281: Possible NullPointerException in splash screen code
    • New man page for javaws
  • Plugin
    • RH560193: Fix zip error when applet jar contained another 0-byte jar
    • PR519: 100% CPU usage when displaying applets in Webkit based browsers

IcedTea6 1.9.1

The tarballs can be downloaded from:

SHA256 sums:

  • 1b62ac07d13f0b3a9acb503aeb38668f40bd9de8e81e0165d5d8e816bf274b4d icedtea6-1.7.5.tar.gz
  • 93d7f427fde99f2df7b457c811405af8311e0bce4192ff99516b3227d5daa716 icedtea6-1.8.2.tar.gz
  • d773a6eb60f560d291206bfdeb83b1da03b79c7c09b7ae53da1877e57ddb3cea icedtea6-1.9.1.tar.gz

The following people helped with these releases:

  • Deepak Bhole
  • Andrew John Hughes
  • Matthias Klose
  • Omair Majid
  • Man Lung Wong
  • Andrew Su
  • Pavel Tisnovsky
  • Jiri Vanek

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-${ver}.tar.gz
$ cd icedtea6-${ver}

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --with-openjdk --enable-pulse-java --enable-systemtap ...]
$ make

[Reposted on behalf of Matthias Klose, release manager for 1.8]

We are proud to announce the release of IcedTea6 1.8.1.

This update contains the following security updates:

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation, and support for additional architectures over and above x86, x86_64 and SPARC via the Zero assembler port.

What’s New?

  • S6678385, RH551835: Fixes jvm crashes when window is resized.
  • Produces the “expected” behavior for full screen applications, when running the Metacity window manager.
  • PR453, OJ100142: Fix policy evaluation to match the proprietary JDK.
  • IcedTeaNPPlugin.
    • RH524387: javax.net.ssl.SSLKeyException: RSA premaster secret error
    • Set context classloader for all threads in an applet’s threadgroup
    • PR436: Close all applet threads on exit
    • PR480: NPPlugin with NoScript extension.
    • PR488: Question mark changing into underscore in URL.
    • RH592553: Fix bug causing 100% CPU usage.
    • Don’t generate a random pointer from a pthread_t in the debug output.
    • Add ForbiddenTargetException for legacy support.
    • Use variadic macro for plugin debug message printing.
    • Don’t link the plugin with libxul libraries.
    • Fix race conditions in plugin initialization code that were causing hangs.
    • RH506730: BankID (Norwegian common online banking authentication system) applet fails to load.
    • PR491: pass java_{code,codebase,archive} parameters to Java.
    • Adds javawebstart.version property and gives user permission to read that property.
  • NetX:
    • Fix security flaw in NetX that allows arbitrary unsigned apps to set any java property.
    • Fix a flaw that allows unsigned code to access any file on the machine (accessible to the user) and write to it.
    • Make path sanitization consistent; use a blacklisting approach.
    • Make the SingleInstanceServer thread a daemon thread.
    • Handle JNLP files which use native libraries but do not indicate it
    • Allow JNLP classloaders to share native libraries
    • Added encoding support
  • PulseAudio:
    • Eliminate spurious exception throwing.
  • Zero/Shark:
    • PR483: Fix miscompilation of sun.misc.Unsafe::getByte.
    • PR324,PR481: Fix Shark VM crash.
    • Fix Zero build on Hitachi SH.
  • SystemTap support:
    • PR476: Enable building SystemTap support on GCC 4.5.

The tarball can be downloaded here:

The following people helped with this release: Gary Benson, Deepak Bhole, Andrew John Hughes, Mark Wielaard, Matthias Klose, Omair Majid, Pavel Tisnovsky, Xerxes Rånby, Jon VanAlten, Man Lung Wong, and many others.

We would also like to thank the bug reporters and testers!

To get started:

$ hg clone http://icedtea.classpath.org/hg/release/icedtea6-1.8.1
$ cd icedtea6-1.8.1

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-visualvm --with-openjdk --enable-pulse-java --enable-systemtap --enable-nss ...]
$ make

We are pleased to announce a new security release from the IcedTea6 1.7 branch, 1.7.4.

This update contains the following security updates:

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation, and support for additional architectures over and above x86, x86_64 and SPARC via the Zero assembler port.

Please note that the new NPPlugin is now the default as of this release. The old plugin is no longer supported and will be removed in any future 1.7 releases. Please only report bugs against NPPlugin.

What’s New?

  • NetX security issues:
  • Backport --with-tzdata-dir support from IcedTea6 1.8 to ensure that external timezone data works again.
  • Restore icedtea-override-metacity.patch to allow full screen apps and other expected behavioral improvements.
  • S6678385, RH551835: Fixes JVM crashes when window is resized.
  • S6668231: Presence of a critical subjectAltName causes JSSE’s SunX509 to fail trusted checks.
  • S6963870: Eliminate NullPointerEx in swing class CompoundBorder method getBorderInsets.
  • S4891262: API spec, javax/accessibility: few invalid javadoc tags.
  • S6737212: Fixed javadoc warning messages in RowSet classes.
  • S6875861: javadoc build warning on java.util.Properites from unconventional @see ordering.
  • S6909563: Javadoc build warnings in rmi, security, management.
  • S6879689: Fix warning about ignored return value when compiling with -O2
  • S6917485: Corba doc warnings.
  • S6921068: Remove javadoc build warnings from specdefault tag.
  • PR453, OJ100142: Fix policy evaluation to match the proprietary JDK.
  • Make the new plugin the default. This is now the main supported plugin. Use --disable-npplugin --enable-plugin to use the old one.
  • New plugin:
    • Added support for JSObject.finalize()
    • Liveconnect message processing design changes.
    • Message protocol overhaul to fix race conditions
    • PR166: Create FIFO pipes in temp dir instead of ~/.icedteaplugin
    • Profiled memory usage and implemented proper cleanup for C++ side.
    • Update debug output string and function/structure names to change ‘GCJ’ references to ITNP/IcedTea NP Plugin
    • PR461: plugin working for NSS enabled builds with firefox including a private NSS copy
    • Removed unnecessary debug and trace output
    • PR474: Patch from Paulo Cesar Pereira de Andrade, incrementing malloc size to account for NULL terminator.
    • RH524387: javax.net.ssl.SSLKeyException: RSA premaster secret error
    • Set context classloader for all threads in an applet’s threadgroup
    • PR436: Close all applet threads on exit
    • PR480: NPPlugin with NoScript extension.
    • PR488: Question mark changing into underscore in URL.
    • RH592553: Fix bug causing 100% CPU usage.
    • Don’t generate a random pointer from a pthread_t in the debug output.
    • Add ForbiddenTargetException for legacy support.
    • Use variadic macro for plugin debug message printing.
    • Don’t link the plugin with libxul libraries.
    • Fix race conditions in plugin initialization code that were causing hangs.
    • RH506730: BankID (Norwegian common online banking authentication system) applet fails to load.
    • PR491: pass java_{code,codebase,archive} parameters to Java.
    • Adds javawebstart.version property and gives user permission to read that property.
  • NetX:
    • Make path sanitization consistent; use a blacklisting approach.
    • Make the SingleInstanceServer thread a daemon thread.
    • Handle JNLP files which use native libraries but do not indicate it
    • Allow JNLP classloaders to share native libraries
    • Added encoding support
  • PulseAudio provider:
    • Eliminate spurious exception throwing.
  • SystemTap support:
    • PR476: Enable building SystemTap support on GCC 4.5.
    • Fix HotSpot tapset object_alloc size variable.
  • NIO2 support:
    • Fix UnixNativeDispatcher to build on all systems, not just x86 and x86_64.



The tarball can be downloaded from:

The following people helped with the 1.7 release series:

Lillian Angel, Gary Benson, Deepak Bhole, Andrew Haley, Andrew John Hughes, Nobuhiro Iwamatsu, Matthias Klose, Martin Matejovic, Omair Majid, Edward Nevill, Xerxes Rånby, Robert Schuster, Pavel Tisnovsky, Jon VanAlten, Mark Wielaard and Man Lung Wong.

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.7.4.tar.gz
$ cd icedtea6-1.7.4

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --with-openjdk --enable-pulse-java --enable-systemtap ...]
$ make

We are pleased to announce a new minor release from the IcedTea6 1.6 branch, 1.6.3.

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools. It also includes support for additional architectures over and above x86, x86_64 and SPARC via the Zero assembler port.


Please note that although a version of our Free Software plugin and Web Start implementation are included with the 1.6.3 release, this version is no longer supported or maintained. For plugin and Web Start usage, we recommend that you upgrade to the 1.7 or 1.8 release series.

What’s New?

  • Enable debuginfo for saproc and jsig
  • Add missing mkbc.c
  • Increase ThreadStackSize by 512kb on 32-bit Zero platforms
  • Make the original HotSpot build work for normal builds and disable Zero/Shark builds with it
  • Latest security updates and hardening patches:
    • (CVE-2010-0837): JAR “unpack200” must verify input parameters (6902299)
    • (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807)
    • (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
    • (CVE-2010-0082): Loader-constraint table allows arrays instead of only the base-classes (6626217)
    • (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
    • (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390)
    • (CVE-2010-0091): Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
    • (CVE-2010-0088): Inflater/Deflater clone issues (6745393)
    • (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
    • (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
    • (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
    • (CVE-2010-0093): System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265)
    • (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
    • (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823)
    • (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability (6914866)
    • (CVE-2009-3555): TLS: MITM attacks via session renegotiation
    • 6639665: ThreadGroup finalizer allows creation of false root ThreadGroups
    • 6898622: ObjectIdentifer.equals is not capable of detecting incorrectly encoded CommonName OIDs
    • 6910590: Application can modify command array in ProcessBuilder
    • 6909597: JPEGImageReader stepX Integer Overflow Vulnerability
    • 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
  • Add stack markings to the x86 assembly so as not to use executable stack.
  • PR179: Rewrite Rhino class files to avoid bootclasspath issue
  • PR356: Support ECC via NSS
  • PR453, OJ100142: Fix policy evaluation to match the proprietary JDK.
  • Backport tzdata support from 1.8 (--with-tzdata-dir).
  • Fix issue with ant -diagnostics on ant 1.8.0 due to changed exit code
  • S6678385, RH551835: Fixes JVM crashes when window is resized.
  • S6668231: Presence of a critical subjectAltName causes JSSE’s SunX509 to fail trusted checks.
  • S6963870: Eliminate NullPointerEx in swing class CompoundBorder method getBorderInsets.
  • S4891262: API spec, javax/accessibility: few invalid javadoc tags.
  • S6737212: Fixed javadoc warning messages in RowSet classes.
  • S6875861: javadoc build warning on java.util.Properites from unconventional @see ordering.
  • S6909563: Javadoc build warnings in rmi, security, management.
  • S6879689: Fix warning about ignored return value when compiling with -O2
  • S6917485: Corba doc warnings.
  • S6921068: Remove javadoc build warnings from specdefault tag.
  • S6822370: ReentrantReadWriteLock: threads hung when there are no threads holding onto the lock
  • SystemTap support:
    • Enable SystemTap JNI tracing.
    • Add SystemTap jstack support.
    • PR476: Enable building SystemTap support on GCC 4.5.
    • Fix HotSpot tapset object_alloc size variable.
    • Fix JNI DEFINE_NEWSCALARARRAY usage of DT_RETURN_MARK_DECL_FOR.
    • Add hotspot_jni tapset.
    • tapsets/hotspot.stp.in (hotspot.gc_end): Match gc__end, not begin.
  • PulseAudio:
    • Corrected Pulse Audio library build on PPC32 and PPC64

The tarball can be downloaded from:

The following people helped with the 1.6 release series:

Lillian Angel, Gary Benson, Deepak Bhole, Kees Cook, Andrew Haley, Andrew John Hughes, Matthias Klose, Martin Matejovic, Ed Nevill, Pavel Tisnovsky, Jon VanAlten, Mark Wielaard and many others.

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.6.3.tar.gz
$ cd icedtea6-1.6.3

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --with-openjdk --enable-pulse-java --enable-systemtap ...]
$ make

We are pleased to announce the release of IcedTea6 1.7.2 (2010/03/31)!

The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools. It also includes the only
Free Java plugin and Web Start implementation, and support for
additional architectures over and above x86, x86_64 and SPARC via the
Zero assembler port.

What’s New?

Security Updates and Hardening Patches

  • (CVE-2010-0837): JAR “unpack200” must verify input parameters (6902299)
  • (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807)
  • (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
  • (CVE-2010-0082): Loader-constraint table allows arrays instead of only the base-classes (6626217)
  • (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
  • (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390)
  • (CVE-2010-0091): Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
  • (CVE-2010-0088): Inflater/Deflater clone issues (6745393)
  • (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
  • (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
  • (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
  • (CVE-2010-0093): System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265)
  • (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
  • (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823)
  • (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability (6914866)
  • (CVE-2009-3555): TLS: MITM attacks via session renegotiation
  • 6639665: ThreadGroup finalizer allows creation of false root ThreadGroups
  • 6898622: ObjectIdentifer.equals is not capable of detecting incorrectly encoded CommonName OIDs
  • 6910590: Application can modify command array in ProcessBuilder
  • 6909597: JPEGImageReader stepX Integer Overflow Vulnerability
  • 6932480: Crash in CompilerThread/Parser. Unloaded array klass?

Bug fixes

  • Backport of 6822370: ReentrantReadWriteLock: threads hung when there are no threads holding onto the lock
  • Increase ThreadStackSize by 512kb on 32-bit Zero platforms
  • Check cacerts database is valid

The tarball can be downloaded from:

The following people helped with the 1.7 release series:

Lillian Angel, Gary Benson, Deepak Bhole, Andrew Haley, Andrew John Hughes, Nobuhiro Iwamatsu, Matthias Klose, Martin Matejovic, Edward Nevill, Xerxes Rånby, Robert Schuster, Jon VanAlten, Mark Wielaard and Man Lung Wong.

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.7.2.tar.gz
$ cd icedtea6-1.7.2

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --with-openjdk --enable-pulse-java --enable-systemtap ...]
$ make

We are pleased to announce two new security releases, IcedTea6 1.5.3 and 1.6.2.

The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools. It also includes the only
Free Java plugin and Web Start implementation, and support for
additional architectures over and above x86, x86_64 and SPARC via the
Zero assembler port.

What’s New?

Security fixes for:

  • (CVE-2009-3728) ICC_Profile file existence detection information leak (6631533)
  • (CVE-2009-3885) BMP parsing DoS with UNC ICC links (6632445)
  • (CVE-2009-3881) resurrected classloaders can still have children (6636650)
  • (CVE-2009-3882) Numerous static security flaws in Swing (findbugs) (6657026)
  • (CVE-2009-3883) Mutable statics in Windows PL&F (findbugs) (6657138)
  • (CVE-2009-3880) UI logging information leakage (6664512)
  • (CVE-2009-3879) GraphicsConfiguration information leak (6822057)
  • (CVE-2009-3884) zoneinfo file existence information leak (6824265)
  • (CVE-2009-2409) deprecate MD2 in SSL cert validation (Kaminsky) (6861062)
  • (CVE-2009-3873) JPEG Image Writer quantization problem (6862968)
  • (CVE-2009-3875) MessageDigest.isEqual introduces timing attack vulnerabilities (6863503)
  • (CVE-2009-3876, CVE-2009-3877) OpenJDK ASN.1/DER input stream parser denial of service (6864911)
  • (CVE-2009-3869) JRE AWT setDifflCM stack overflow (6872357)
  • (CVE-2009-3874) ImageI/O JPEG heap overflow (6874643)
  • (CVE-2009-3871) JRE AWT setBytePixels heap overflow (6872358)

The tarballs and 1.6 nosrc RPM can be downloaded from:

The following people helped with the 1.5 and 1.6 release series:

Lillian Angel, Gary Benson, Deepak Bhole, Andrew Haley, Andrew John Hughes, Matthias Klose, Martin Matejovic, Ed Nevill, Mark Wielaard and many others.

We would also like to thank the bug reporters and testers!

To get started:
$ tar xzf icedtea6-1.6.2.tar.gz
$ cd icedtea6-1.6.2

Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-visualvm --with-openjdk --enable-pulse-java --enable-systemtap ...]
$ make

We are pleased to announce a new minor release of IcedTea[7], containing a number of security updates:

New in release 1.9.1 (2009-04-07)

  • Security fixes for:
    • 6536193
    • 6610888
    • 6610896
    • 6630639
    • 6632886
    • 6636360
    • 6652463
    • 6656633
    • 6658158
    • 6691246
    • 6717680
    • 6721651
    • 6737315
    • 6792554
    • 6804996
    • 6804997
    • 6804998
  • LCMS security fixes.

The tarball can be downloaded here:

http://icedtea.classpath.org/download/source/icedtea-1.9.1.tar.gz

The following people helped with this release:
Lillian Angel, Andrew John Hughes

Full build requirements and instructions are in INSTALL:
$ ./configure
$ make

(Delayed announcement here because this blog was down)

We are pleased to announce the release of IcedTea7 1.9!

IcedTea7 provides a means to build OpenJDK7 build drops using Free software tools, in addition to a number of additional features including additional platform support via the Zero/Shark and CACAO virtual machines, and the only Free 64-bit Java web plugin.

New in release 1.9 (2009-03-20)

  • Security fixes for:

    • CVE-2008-5360 – Temporary files have guessable file names.
    • CVE-2008-5350 – Allows listing of files within the user home directory.
    • CVE-2008-5348 – Denial-Of-Service in kerberos authentication.
    • CVE-2008-5359 – Buffer overflow in image processing.
    • CVE-2008-5351 – UTF-8 decoder accepts non-shortest form sequences.
    • CVE-2008-5356 – Font processing vulnerability.
    • CVE-2008-5353 – Calendar object deserialization allows privilege escalation.
    • CVE-2008-5354 – Privilege escalation in command line applications.
    • CVE-2008-5357 – Truetype Font processing vulnerability.
    • CVE-2008-5352 – Jar200 Decompression buffer overflow.
    • CVE-2008-5358 – Buffer Overflow in GIF image processing.
  • Updated to OpenJDK7 b50 build.
  • XRender pipeline support: Java2D is noticeably faster and running over a remote X connection feels like it is all local. Built by default (disable with --disable-xrender). Runtime enabled by running java -Dsun.java2d.xrender=True (default is to use the old X renderer for now).
  • IcedTeaPlugin now supports HTTPS sites and adds a user prompt for untrusted https certificates.
  • Use the ALSA ‘default’ device. Makes Java play nicer with PulseAudio.
  • VisualVM integration updated to 1.1.1
  • Gervill soft synthesizer integration updated to latest CVS version.
  • Integrated jtreg upgraded to 4_0-src-b02-15_oct_2008.
  • make check runs much faster now. jtreg -samevm support has been integrated into the langtools and jdk subsystems. Please package the test/jtreg-summary.log file with your distribution package so end users can compare the test results.
  • Shark (--enable-shark) now builds on 64 bit platforms, but is a pre-alpha technology preview and not recommended for use.
  • Better support for bootstrapping with different jar programs (supporting -J options).
  • If --with-pkgversion isn’t given, the short mercurial rev node version will be used. Package distributors are encouraged to build packages with --with-pkgversion to uniquely identify their distribution version number when java -version is run to help distribution specific bug reporting.
  • Various freetype font, pisces renderer and awt X window size fixes to fix visual anomalies.
  • Build fixes for gcc 4.3 and 4.4-pre-release.
  • Added support for building against a specific openjdk src dir or hg revision (--with-openjdk-src-dir or --with-hg-revision).
  • Many other Plugin, Zero, Shark and PulseAudio bug fixes.
  • Build clean up.

The tarball can be downloaded here:

http://icedtea.classpath.org/download/source/icedtea-1.9.tar.gz

The following people helped with this release:
Gary Benson, Deepak Bhole, Andrew Haley, Andrew John Hughes, Tomas Hurka, Ioana Ivan, Matthias Klose, Omair Majid, Mark Reinhold, Christian Thalinger, Mark Wielaard, Lillian Angel

We would also like to thank the bug reporters and testers!

To get started:
$ hg clone http://icedtea.classpath.org/hg/icedtea
$ cd icedtea

Full build requirements and instructions are in INSTALL:
$ ./configure
$ make
