Mark-of-the-Beast security bug --- community collaboration?

Dr Andrew John Hughes gnu_andrew at
Wed Feb 9 13:23:56 UTC 2011

On 8 February 2011 11:01, Mark Wielaard <mark at> wrote:
> On Tue, 2011-02-08 at 10:59 +0100, Mark Wielaard wrote:
>> > It would be great if we could find this and patch
>> > OpenJDK 6 deployments ASAP.
>> There has been extensive discussion on the core-libs mailing list, with a
>> patch and some historic digging to find where the issue came from.
>> Short story, it was already found through the Free Software Jacks
>> testsuite in 2001 (!).
>> reported by the Jikes compiler hacker Eric Blake.
>> The bug report even has a
>> suggested fix. Dmitry Nadezhin posted a patch in 2009, but unfortunately
>> that didn't make it in.
>> It was rediscovered through the php issue a week ago.
>> Andrew Haley almost immediately posted a new patch for it last week.
>> Hopefully it will go into IcedTea6 ASAP according to Andrew Hughes.
>> With possibly more security fixes following next week.
> For those that cannot wait and need a fix right now Marc Schoenefeld of
> the Red Hat Security Response Team created a script that will create a
> jar that you can use with -Xbootclasspath/p:prevent_double_dos.jar to
> mitigate the DoS bug till there are full new security releases:
> Cheers,
> Mark

The security releases for IcedTea6 (1.7.9, 1.8.6, 1.9.6) are on the
server and in Mercurial.  I'm about to do a full announcement.  Oracle
decided to spring a 'surprise' release on us:
so we'll push one out too.


Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (

Support Free Java!
Contribute to GNU Classpath and the OpenJDK

PGP Key: F5862A37 (
Fingerprint = EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37
