IcedTea6-1.8 release

Matthias Klose released IcedTea6 1.8. He still doesn’t have a blog (or is that old-fashioned already in these web 3.0 micro-message-blogging days?). So here is the release announcement he made:

IcedTea6-1.8 release

We are proud to announce the release of IcedTea6 1.8.

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation, and support for additional architectures over and above x86, x86_64 and SPARC via the Zero assembler port.

New in release 1.8 (2010-04-13):

  • Updated to OpenJDK6 b18.
    • Nimbus Look ‘n’ Feel backported from OpenJDK7.
    • JAXP and JAXWS now external dependencies rather than being in-tree.
    • Updated timezone data
    • Addition of security updates applied in IcedTea6 1.6.2.
    • Many bug fixes
  • Latest security updates and hardening patches:
    • (CVE-2010-0837): JAR “unpack200” must verify input parameters (6902299)
    • (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807)
    • (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
    • (CVE-2010-0082): Loader-constraint table allows arrays instead of only the base-classes (6626217)
    • (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
    • (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390)
    • (CVE-2010-0091): Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
    • (CVE-2010-0088): Inflater/Deflater clone issues (6745393)
    • (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
    • (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
    • (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
    • (CVE-2010-0093): System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265)
    • (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
    • (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823)
    • (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability (6914866)
    • (CVE-2009-3555): TLS: MITM attacks via session renegotiation
    • 6639665: ThreadGroup finalizer allows creation of false root ThreadGroups
    • 6898622: ObjectIdentifier.equals is not capable of detecting incorrectly encoded CommonName OIDs
    • 6910590: Application can modify command array in ProcessBuilder
    • 6909597: JPEGImageReader stepX Integer Overflow Vulnerability
    • 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
  • Old plugin removed; NPPlugin is now the default and is controlled by --enable/disable-plugin. As with the old plugin, it produces a library rather than
  • Dependence on the binary plugs mechanism removed. The plugin and NetX code is now imported into the JDK build in the same manner as langtools, CORBA, JAXP and JAXWS.
  • Fix for plugin buffer overflow:
  • Fix issue with ant -diagnostics on ant 1.8.0 due to changed exit code
  • Zero/Shark
    • Shark is now able to build itself.
    • For ARM, add Thumb2 JIT.
    • Fixed Shark sharkCompiler mattr memory corruption bug when using llvm 2.7.

The tarball can be downloaded here:

The following people helped with this release: Gary Benson, Deepak Bhole, Andrew John Hughes, Mark Wielaard, Nobuhiro Iwamatsu, Matthias Klose, Ed Nevill, Pavel Tisnovsky, Xerxes Rånby, and many others.

We would also like to thank the bug reporters and testers!

To get started:

$ hg clone
$ cd icedtea6-1.8

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-visualvm --with-openjdk --enable-pulse-java --enable-systemtap --enable-nss ...]
$ make