Mark-of-the-Beast security bug --- community collaboration?

Tue Feb 8 09:59:01 UTC 2011

On Mon, 2011-02-07 at 16:29 -0600, Tom Marble wrote:
> Normally security issues would not be raised to the level
> of the 'discuss' list, but in the interest of getting
> as many 'eyes on the bug' such that the entire community
> can find and patch OpenJDK 6 quickly I respectfully
> would like to call everyone's attention to:
> It would be great if we could find this and patch
> OpenJDK 6 deployments ASAP.

There has been extensive discussion on the core-libs mailing list, with a
patch and some historic digging to find where the issue came from.

Short story: it was already found through the Free Software Jacks
testsuite in 2001 (!).
reported by the Jikes compiler hacker Eric Blake. The bug report even has a
suggested fix. Dmitry Nadezhin posted a patch in 2009, but unfortunately
that didn't make it in.
It was rediscovered through the PHP issue a week ago.
Andrew Haley almost immediately posted a new patch for it last week.
Hopefully it will go into IcedTea6 ASAP, according to Andrew Hughes,
with possibly more security fixes following next week.
