[SECURITY] IcedTea 1.11.14 for OpenJDK 6 Released!

Andrew gnu.andrew at redhat.com
Tue Nov 12 19:37:42 PST 2013

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as a PulseAudio sound driver, the ability to build
against system libraries and support for alternative virtual machines
and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 6 support in the 1.11.x series with 
the October 2013 security errata and a number of bug fixes.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the
distro-pkg-dev at openjdk.java.net OpenJDK mailing list and patches are
always welcome.

Full details of the release can be found below.

What's New?

New in release 1.11.14 (2013-11-13):

* Security fixes
  - S8006900, CVE-2013-3829: Add new date/time capability
  - S8008589: Better MBean permission validation
  - S8011071, CVE-2013-5780: Better crypto provider handling
  - S8011081, CVE-2013-5772: Improve jhat
  - S8011157, CVE-2013-5814: Improve CORBA portablility
  - S8012071, CVE-2013-5790: Better Building of Beans
  - S8012147: Improve tool support
  - S8012277, CVE-2013-5849: Improve AWT DataFlavor
  - S8012425, CVE-2013-5802: Transform TransformerFactory
  - S8013503, CVE-2013-5851: Improve stream factories
  - S8013506: Better Pack200 data handling
  - S8013510, CVE-2013-5809: Augment image writing code
  - S8013514: Improve stability of cmap class
  - S8013739, CVE-2013-5817: Better LDAP resource management
  - S8013744, CVE-2013-5783: Better tabling for AWT
  - S8014085: Better serialization support in JMX classes
  - S8014093, CVE-2013-5782: Improve parsing of images
  - S8014102, CVE-2013-5778: Improve image conversion
  - S8014341, CVE-2013-5803: Better service from Kerberos servers
  - S8014349, CVE-2013-5840: (cl) Class.getDeclaredClass problematic in some class loader configurations
  - S8014530, CVE-2013-5825: Better digital signature processing
  - S8014534: Better profiling support
  - S8014987, CVE-2013-5842: Augment serialization handling
  - S8015614: Update build settings
  - S8015731: Subject java.security.auth.subject to improvements
  - S8015743, CVE-2013-5774: Address internet addresses
  - S8016256: Make finalization final
  - S8016653, CVE-2013-5804: javadoc should ignore ignoreable characters in names
  - S8016675, CVE-2013-5797: Make Javadoc pages more robust
  - S8017196, CVE-2013-5850: Ensure Proxies are handled appropriately
  - S8017287, CVE-2013-5829: Better resource disposal
  - S8017291, CVE-2013-5830: Cast Proxies Aside
  - S8017298, CVE-2013-4002: Better XML support
  - S8017300, CVE-2013-5784: Improve Interface Implementation
  - S8017505, CVE-2013-5820: Better Client Service
  - S8019292: Better Attribute Value Exceptions
  - S8019617: Better view of objects
  - S8020293: JVM crash
  - S8021290, CVE-2013-5823: Better signature validation
  - S8022940: Enhance CORBA translations
  - S8023683: Enhance class file parsing
* Backports
  - S4075303: Use javap to enquire about a specific inner class
  - S4111861: static final field contents are not displayed
  - S4348375: Javap is not internationalized
  - S4459541: "javap -l" shows line numbers as signed short; they should be unsigned
  - S4501660: change diagnostic of -help as 'print this help message and exit'
  - S4501661: disallow mixing -public, -private, and -protected options at the same time
  - S4776241: unused source file in javap...
  - S4870651: javap should recognize generics, varargs, enum
  - S4876942: javap invoked without args does not print help screen
  - S4880663: javap could output whitespace between class name and opening brace
  - S4884240: additional option required for javap
  - S4975569: javap doesn't print new flag bits
  - S6271787: javap dumps LocalVariableTypeTable attribute in hex, needs to print a table
  - S6305779: javap: support annotations
  - S6439940: Clean up javap implementation
  - S6469569: wrong check of searchpath in JavapEnvironment
  - S6474890: javap does not open .zip files in -classpath
  - S6587786: Javap throws error : "ERROR:Could not find <classname>" for JRE classes
  - S6622215: javap ignores certain relevant access flags
  - S6622216: javap names some attributes incorrectly
  - S6622232: javap gets whitespace confused
  - S6622260: javap prints negative bytes incorrectly in hex
  - S6708729: update jdk Makefiles for new javap
  - S6715767: javap on java.lang.ClassLoader crashes
  - S6819246: improve support for decoding instructions in classfile library
  - S6824493: experimental support for additional info for instructions
  - S6841419: classfile: add constant pool iterator
  - S6841420: classfile: add new methods to ConstantClassInfo
  - S6843013: missing files in fix for 6824493
  - S6852856: javap changes to facilitate subclassing javap for variants
  - S6867671: javap whitespace formatting issues
  - S6868539: javap should use current names for constant pool tags
  - S6902264: fix indentation of tableswitch and lookupswitch
  - S6925851: Localize JRE into pt_BR
  - S6954275: XML signatures with reference data larger 16KB and cacheRef on fails to validate
  - S7035073: Add missing timezones to TimeZoneNames_pt_BR.java
  - S7146431: java.security files out-of-sync
  - S8000450: Restrict access to com/sun/corba/se/impl package
  - S8002070: Remove the stack search for a resource bundle for Logger to use
  - S8003992: File and other classes in java.io do not handle embedded nulls properly
  - S8004188: Rename src/share/lib/security/java.security to java.security-linux
  - S8006882: Proxy generated classes in sun.proxy package breaks JMockit
  - S8010118: Annotate jdk caller sensitive methods with @sun.reflect.CallerSensitive
  - S8010727: WLS fails to add a logger with "" in its own LogManager subclass instance
  - S8010939: Deadlock in LogManager
  - S8011139: (reflect) Revise checking in getEnclosingClass
  - S8011950: java.io.File.createTempFile enters infinite loop when passed invalid data
  - S8011990: TEST_BUG: java/util/logging/bundlesearch/ResourceBundleSearchTest.java fails on Windows
  - S8012243: about 30% regression on specjvm2008.serial on 7u25 comparing 7u21
  - S8012453: (process) Runtime.exec(String) fails if command contains spaces [win]
  - S8012617: ArrayIndexOutOfBoundsException with some fonts using LineBreakMeasurer
  - S8013380: Removal of stack walk to find resource bundle breaks Glassfish startup
  - S8013827: File.createTempFile hangs with temp file starting with 'com1.4'
  - S8014718: Netbeans IDE begins to throw a lot exceptions since 7u25 b10
  - S8014745: Provide a switch to allow stack walk search of resource bundle
  - S8015144: Performance regression in ICU OpenType Layout library
  - S8015965: (process) Typo in name of property to allow ambiguous commands
  - S8015978: Incorrect transformation of XPath expression "string(-0)"
  - S8016357: Update hotspot diagnostic class
  - S8017566: Backout 8000450 - Cannot access to com.sun.corba.se.impl.orb.ORBImpl
  - S8019584: javax/management/remote/mandatory/loading/MissingClassTest.java failed in nightly against jdk7u45: java.io.InvalidObjectException: Invalid notification: null
  - S8019969: nioNetworkChannelInet6/SetOptionGetOptionTestInet6 test case crashes
  - S8019979: Replace CheckPackageAccess test with better one from closed repo
  - S8021355: REGRESSION: Five closed/java/awt/SplashScreen tests fail since 7u45 b01 on Linux, Solaris
  - S8021366: java_util/Properties/PropertiesWithOtherEncodings fails during 7u45 nightly testing
  - S8021577: JCK test api/javax_management/jmx_serial/modelmbean/ModelMBeanNotificationInfo/serial/index.html#Input has failed since jdk 7u45 b01
  - S8021933: Add extra check for fix # JDK-8014530
  - S8021969: The index_AccessAllowed jnlp can not load successfully with exception thrown in the log.
  - S8022661: InetAddress.writeObject() performs flush() on object output stream
  - S8022682: Supporting XOM
  - S8023964: java/io/IOException/LastErrorString.java should be @ignore-d
  - S8024914: Swapped usage of idx_t and bm_word_t types in bitMap.inline.hpp
  - S8025128: File.createTempFile fails if prefix is absolute path
  - S8025255: (tz) Support tzdata2013g
  - OJ19: Fix test cases from 8010118 to work with OpenJDK 6
  - OJ20: Resolve merge issues with JAXP security fixes
  - OJ21: Remove @Override annotation added on interface by 2013/10/15 security fixes

The tarball can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea6-1.11.14.tar.gz
* http://icedtea.classpath.org/download/source/icedtea6-1.11.14.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea6-1.11.14.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea6-1.11.14.tar.xz.sig

These are produced using my public key. See details below.

    PGP Key: 248BDC07 (https://keys.indymedia.org/)
    Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

SHA256 checksums:

b36ed4d4215e3048cb8722c63dc60343dda9a2b9b933244c11c68b21cee73ce9  icedtea6-1.11.14.tar.gz
6bc4e124117d5cfd5b65caf8f85a9eeac9f8c13700049b060526c4c1426e3de1  icedtea6-1.11.14.tar.gz.sig
364506acceffed4bab0aff50ec688c99ce9093ccd87439271d5db73488cf2409  icedtea6-1.11.14.tar.xz
1cd390bf295e19d73e41f5aec96f9ab1f15dc9f344b86137857f882443b2eef5  icedtea6-1.11.14.tar.xz.sig

The following people helped with these releases:

* Andrew Hughes (all backports and fixes & release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-1.11.14.tar.gz


$ tar x -I xz -f icedtea6-1.11.14.tar.xz


$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea6-1.11.14/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
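
Added example, not part of the original announcement or the IcedTea project's own tooling: shell functions that check a downloaded tarball against a published SHA256 value and require the signature to come from the full fingerprint given above, not just the 8-digit key ID. It assumes GnuPG and coreutils sha256sum are installed and the signing key is already imported; the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example: verify an IcedTea release download before unpacking it.

# Full fingerprint from the announcement with spaces removed. The 8-digit
# key ID (248BDC07) is only its last 32 bits, too short to pin a key on.
PINNED_FPR="EC5A1F5EC0AD1D158F1F8F913B96A578248BDC07"

# check_sha256 FILE EXPECTED_HEX
# Succeeds only if FILE exists and its SHA-256 digest equals EXPECTED_HEX.
check_sha256() {
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# validsig_matches FINGERPRINT
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG line names FINGERPRINT as the signing key (field 3) or as the
# primary key (last field).
validsig_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_release TARBALL SIGNATURE EXPECTED_SHA256
# Fails closed: a missing file, a digest mismatch, a gpg error or a valid
# signature from any other key all return non-zero.
verify_release() {
    check_sha256 "$1" "$3" || { echo "checksum mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        validsig_matches "$PINNED_FPR" ||
        { echo "no valid signature from pinned key: $1" >&2; return 1; }
    echo "verified: $1"
}

# Usage: sh verify.sh TARBALL TARBALL.sig SHA256_FROM_ANNOUNCEMENT
if [ "$#" -eq 3 ]; then
    verify_release "$1" "$2" "$3"
fi
```

The SHA256 list and the signatures protect against different things: the checksum only helps if the announcement itself reached you intact, while the signature check ties the tarball to the key.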