IcedTea6 1.8 released
[Posted April 14, 2010 by corbet]
From: Matthias Klose <doko-AT-ubuntu.com>
To: IcedTea <distro-pkg-dev-AT-openjdk.java.net>
Subject: IcedTea6 1.8 Released!
Date: Wed, 14 Apr 2010 12:46:52 +0200
Message-ID: <4BC59D1C.8000307@ubuntu.com>
Archive-link: Article, Thread

IcedTea6-1.8 release
====================
We are proud to announce the release of IcedTea6 1.8.
The IcedTea project provides a harness to build the source code from
OpenJDK7 using Free Software build tools. It also includes the only
Free Java plugin and Web Start implementation, and support for
additional architectures over and above x86, x86_64 and SPARC via the
Zero assembler port.
New in release 1.8 (2010-04-13):
- Updated to OpenJDK6 b18.
- Nimbus Look 'n' Feel backported from OpenJDK7.
- JAXP and JAXWS now external dependencies rather than being in-tree.
- Updated timezone data
- Addition of security updates applied in IcedTea6 1.6.2.
- Many bug fixes:
  http://blogs.sun.com/darcy/resource/OpenJDK_6/openjdk6-b1...
- Latest security updates and hardening patches:
  - (CVE-2010-0837): JAR "unpack200" must verify input parameters (6902299)
  - (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807)
  - (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
  - (CVE-2010-0082): Loader-constraint table allows arrays instead of only the base-classes (6626217)
  - (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
  - (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390)
  - (CVE-2010-0091): Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
  - (CVE-2010-0088): Inflater/Deflater clone issues (6745393)
  - (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
  - (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
  - (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
  - (CVE-2010-0093): System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265)
  - (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
  - (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823)
  - (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability (6914866)
  - (CVE-2009-3555): TLS: MITM attacks via session renegotiation
  - 6639665: ThreadGroup finalizer allows creation of false root ThreadGroups
  - 6898622: ObjectIdentifer.equals is not capable of detecting incorrectly encoded CommonName OIDs
  - 6910590: Application can modify command array in ProcessBuilder
  - 6909597: JPEGImageReader stepX Integer Overflow Vulnerability
  - 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
- Old plugin removed; NPPlugin is now the default and is controlled by
  --enable/disable-plugin. As with the old plugin, it produces a
  IcedTeaPlugin.so library rather than IcedTeaNPPlugin.so.
- Dependence on the binary plugs mechanism removed. The plugin and NetX
  code is now imported into the JDK build in the same manner as langtools,
  CORBA, JAXP and JAXWS.
- Fix for plugin buffer overflow: https://bugzilla.mozilla.org/show_bug.cgi?id=555342
- Fix issue with ant -diagnostics on ant 1.8.0 due to changed exit code
- Zero/Shark
  - Shark is now able to build itself.
  - For ARM, add Thumb2 JIT.
  - Fixed Shark sharkCompiler mattr memory corruption bug when using llvm 2.7.
The tarball can be downloaded here:
http://icedtea.classpath.org/download/source/icedtea6-1.8...
The following people helped with this release: Gary Benson, Deepak
Bhole, Andrew John Hughes, Mark Wielaard, Nobuhiro Iwamatsu, Matthias
Klose, Ed Nevill, Pavel Tisnovsky, Xerxes Rånby, and many others.
We would also like to thank the bug reporters and testers!
To get started:
$ hg clone http://icedtea.classpath.org/hg/release/icedtea6-1.8
$ cd icedtea6-1.8
Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-visualvm --with-openjdk --enable-pulse-java
--enable-systemtap --enable-nss ...]
$ make