LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Kernel prepatch 3.9-rc6

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Fedora alert FEDORA-2013-2197 (java-1.6.0-openjdk)



From:
    	      updates@fedoraproject.org 


To:
    	      package-announce@lists.fedoraproject.org 


Subject:
    	      [SECURITY] Fedora 16 Update: java-1.6.0-openjdk-1.6.0.0-71.1.11.6.fc16 


Date:
    	      Sat, 09 Feb 2013 11:28:38 +0000


Message-ID:
    	      <20130209112838.32C0C208B4@bastion01.phx2.fedoraproject.org>


Archive-link:
    	      Article, Thread
              


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-2197
2013-02-09 10:45:50
--------------------------------------------------------------------------------

Name        : java-1.6.0-openjdk
Product     : Fedora 16
Version     : 1.6.0.0
Release     : 71.1.11.6.fc16
URL         : http://icedtea.classpath.org/
Summary     : OpenJDK Runtime Environment
Description :
The OpenJDK runtime environment.

--------------------------------------------------------------------------------
Update Information:

This is rebuild of  	java-1.6.0-openjdk-1.6.0.0-69.1.11.6.fc16  with removed 7201064 and added
8005615 so:

        kept rewritten java-1.6.0-openjdk-java-access-bridgesecurity.patch
        kept  icedtea6 1.11.6
        Security fixes:
        S8005615, fix for S6664509
        S6563318, CVE-2013-0424: RMI data sanitization
        S6664509, CVE-2013-0425: Add logging context
        S6664528, CVE-2013-0426: Find log level matching its name or value given at construction
time
        S6776941: CVE-2013-0427: Improve thread pool shutdown
        S7141694, CVE-2013-0429: Improving CORBA internals
        S7173145: Improve in-memory representation of splashscreens
        S7186945: Unpack200 improvement
        S7186946: Refine unpacker resource usage
        S7186948: Improve Swing data validation
        S7186952, CVE-2013-0432: Improve clipboard access
        S7186954: Improve connection performance
        S7186957: Improve Pack200 data validation
        S7192392, CVE-2013-0443: Better validation of client keys
        S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
        S7192977, CVE-2013-0442: Issue in toolkit thread
        S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
        S7200491: Tighten up JTable layout code
        S7200500: Launcher better input validation
        S7201066, CVE-2013-0441: Change modifiers on unused fields
        S7201068, CVE-2013-0435: Better handling of UI elements
        S7201070: Serialization to conform to protocol
        S7201071, CVE-2013-0433: InetSocketAddress serialization issue
        S8000210: Improve JarFile code quality
        S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
        S8000540, CVE-2013-1475: Improve IIOP type reuse management
        S8000631, CVE-2013-1476: Restrict access to class constructor
        S8001235, CVE-2013-0434: Improve JAXP HTTP handling
        S8001242: Improve RMI HTTP conformance
        S8001307: Modify ACC_SUPER behavior
        S8001972, CVE-2013-1478: Improve image processing
        S8002325, CVE-2013-1480: Improve management of images
        Backports
        S7010849: 5/5 Extraneous javac source/target options when building sa-jdi

--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb  6 2013 Jiri Vanek <jvanek@redhat.com> - 1:1.6.0.0-1.71.1.11.6
- removed patch8 revertTwoWrongSecurityPatches2013-02-06.patch
- added patch8:   7201064.patch to be reverted
- added patch9:   8005615.patch to fix the 6664509.patch
* Wed Feb  6 2013 Jiri Vanek <jvanek@redhat.com> - 1:1.6.0.0-1.70.1.11.6
- added patch8 revertTwoWrongSecurityPatches2013-02-06.patch
  to remove   6664509 and 7201064 from 1.11.6 tarball
* Tue Jan 15 2013 Jiri Vanek <jvanek@redhat.com> - 1:1.6.0.0-1.69.1.11.6
- Rewritten java-1.6.0-openjdk-java-access-bridge-security.patch 
- Updated to icedtea6 1.11.6
 - Security fixes
  - S6563318, CVE-2013-0424: RMI data sanitization
  - S6664509, CVE-2013-0425: Add logging context
  - S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
  - S6776941: CVE-2013-0427: Improve thread pool shutdown
  - S7141694, CVE-2013-0429: Improving CORBA internals
  - S7173145: Improve in-memory representation of splashscreens
  - S7186945: Unpack200 improvement
  - S7186946: Refine unpacker resource usage
  - S7186948: Improve Swing data validation
  - S7186952, CVE-2013-0432: Improve clipboard access
  - S7186954: Improve connection performance
  - S7186957: Improve Pack200 data validation
  - S7192392, CVE-2013-0443: Better validation of client keys
  - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
  - S7192977, CVE-2013-0442: Issue in toolkit thread
  - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
  - S7200491: Tighten up JTable layout code
  - S7200500: Launcher better input validation
  - S7201064: Better dialogue checking
  - S7201066, CVE-2013-0441: Change modifiers on unused fields
  - S7201068, CVE-2013-0435: Better handling of UI elements
  - S7201070: Serialization to conform to protocol
  - S7201071, CVE-2013-0433: InetSocketAddress serialization issue
  - S8000210: Improve JarFile code quality
  - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
  - S8000540, CVE-2013-1475: Improve IIOP type reuse management
  - S8000631, CVE-2013-1476: Restrict access to class constructor
  - S8001235, CVE-2013-0434: Improve JAXP HTTP handling
  - S8001242: Improve RMI HTTP conformance
  - S8001307: Modify ACC_SUPER behavior
  - S8001972, CVE-2013-1478: Improve image processing
  - S8002325, CVE-2013-1480: Improve management of images
 - Backports
  - S7010849: 5/5 Extraneous javac source/target options when building sa-jdi
* Fri Oct 12 2012 Deepak Bhole <dbhole@redhat.com> - 1:1.6.0.0-68.1.11.5
- Updated to IcedTea6-1.11.5
- Updated java-1.7.0-openjdk-java-access-bridge-security.patch
- Change permission of sa-jdi.jar to 644 (upstream for future)
- Resolves rhbz#s 856124, 865346, 865348, 865350, 865352, 865354, 865357,
  865359, 865363, 865365, 865370, 865428, 865471, 865434, 865511, 865514,
  865519, 865531, 865541, 865568
* Fri Aug 31 2012 Jiri Vanek <jvanek@redhat.com> - 1:1.6.0.0-68.1.11.4
- Updated to IcedTea6 1.11.4
* Fri Jun  8 2012 Jiri Vanek <jvanek@redhat.com> - 1:1.6.0.0-67.1.11.3
- Updated to IcedTea6 1.11.3
- Modified patch3, java-1.6.0-openjdk-java-access-bridge-security.patch:
  - com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
  - packages added to patch and to package.definition
- Access gnome bridge jar forced to be 644
* Thu May 31 2012 Jiri Vanek <jvanek@redhat.com> 1:6.0.0-0-66.1.11.2
- Updated to IcedTea6-1.11.2
- Bug fixes
  - RH789154: javac error messages no longer contain the full path to the offending file:
  - PR797: Compiler error message does not display entire file name and path
  - PR881: Sign tests (wsse.policy.basic) failures with OpenJDK6
  - PR886: 6-1.11.1 fails to build CACAO on ppc
  - Specify both source and target in IT_GET_DTDTYPE_CHECK.
  - Install nss.cfg into j2re-image too.
  - PR584: Don't use shared Eden in incremental mode.
- Backports
  - S6792400: Avoid loading of Normalizer resources for simple uses
* Sat Feb 11 2012 Jiri Vanek <jvanek@redhat.com> 1:6.0.0-0-65.1.11.1
- Security update to IcedTea6-1.11.1
- Security fixes
  - S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
  - S7088367, CVE-2011-3563: Fix issues in java sound
  - S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
  - S7110687, CVE-2012-0503: Issues with TimeZone class
  - S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
  - S7110704, CVE-2012-0506: Issues with some method in corba
  - S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
  - S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
  - S7126960, CVE-2011-5035: (httpserver) Add property to limit number of request headers to the
HTTP Server
- Bug fixes
  - PR865: Patching fails with patches/ecj/jaxws-getdtdtype.patch
* Wed Feb  1 2012 Jiri Vanek <jvanek@redhat.com> 1:6.0.0-0-64.1.11
- Updated for ARM build based on fixes by Andrew Haley (aph at redhat dot com)
- Added patch100: name-arm-asm-int-fix.patch
* Tue Jan 31 2012 Jiri Vanek <jvanek@redhat.com> - 1:1.6.0.0-63.1.11
- sync with master
- IcedTea6 bumped to 1.11 release
- full release info at:
  http://mail.openjdk.java.net/pipermail/distro-pkg-dev/201...
- removed and deleted patches:
     patch5  makefile-xalan-deps.patch
     patch6  glibc-name-clash.patch
   all were upstreamed
* Tue Jan 24 2012 Jiri Vanek <jvanek@redhat.com> - 1:1.6.0.0-62.1.10.5
- updated to icedtea6 1.10.5
- Backports
    S7034464, Support transparent large pages on Linux
    S7037939, NUMA: Disable adaptive resizing if SHM large pages are used
    S7102369, RH751203: remove java.rmi.server.codebase property parsing from registyimpl
    S7094468, RH751203: rmiregistry clean up
    S7103725, RH767129: REGRESSION – 6u29 breaks ssl connectivity using
TLS_DH_anon_WITH_AES_128_CBC_SHA
    S6851973, PR830: ignore incoming channel binding if acceptor does not set one
    S7091528, javadoc attempts to parse .class files
* Fri Nov 25 2011 Omair Majid <omajid@redhat.com> - 1:1.6.0.0-61.1.10.4
- Fix rhbz#741821
* Tue Nov  1 2011 Jiri Vanek <jvanek@redhat.com> - 1:1.6.0.0-60.1.10.4
- omajid have added Patch6 as (probably temporally) solution for S7103224 for buildability on
newest glibc libraries.
* Thu Oct 13 2011 Jiri Vanek <jvanek@redhat.com> - 1:1.6.0.0-60.1.10.4
- updated to icedtea6 1.10.4
- Security fixes
  - S7000600, CVE-2011-3547: InputStream skip() information leak
  - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
  - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
  - S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
  - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
  - S7055902, CVE-2011-3521: IIOP deserialization code execution
  - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
  - S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
  - S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
  - S7077466, CVE-2011-3556: RMI DGC server remote code execution
  - S7083012, CVE-2011-3557: RMI registry privileged code execution
  - S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
- Bug fixes
  - RH727195 : Japanese font mappings are broken
- Backports
  - S6826104, RH730015: Getting a NullPointer exception when clicked on Application & Toolkit Modal
dialog
- Zero/Shark
  - PR690: Shark fails to JIT using hs20.
  - PR696: Zero fails to handle fast_aldc and fast_aldc_w in hs20.
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update java-1.6.0-openjdk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds