[SECURITY] Fedora 16 Update: java-1.7.0-openjdk-1.7.0.9-2.3.5.3.fc16

updates at fedoraproject.org
Sat Feb 9 11:27:33 UTC 2013


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-2188
2013-02-09 10:45:21
--------------------------------------------------------------------------------

Name        : java-1.7.0-openjdk
Product     : Fedora 16
Version     : 1.7.0.9
Release     : 2.3.5.3.fc16
URL         : http://openjdk.java.net/
Summary     : OpenJDK Runtime Environment
Description :
The OpenJDK runtime environment.

--------------------------------------------------------------------------------
Update Information:

The update contains the following security fixes:

    * S6563318, CVE-2013-0424: RMI data sanitization
    * S6664509, CVE-2013-0425: Add logging context
    * S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
    * S6776941, CVE-2013-0427: Improve thread pool shutdown
    * S7141694, CVE-2013-0429: Improving CORBA internals
    * S7173145: Improve in-memory representation of splashscreens
    * S7186945: Unpack200 improvement
    * S7186946: Refine unpacker resource usage
    * S7186948: Improve Swing data validation
    * S7186952, CVE-2013-0432: Improve clipboard access
    * S7186954: Improve connection performance
    * S7186957: Improve Pack200 data validation
    * S7192392, CVE-2013-0443: Better validation of client keys
    * S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
    * S7192977, CVE-2013-0442: Issue in toolkit thread
    * S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
    * S7200491: Tighten up JTable layout code
    * S7200500: Launcher better input validation
    * S7201064: Better dialogue checking
    * S7201066, CVE-2013-0441: Change modifiers on unused fields
    * S7201068, CVE-2013-0435: Better handling of UI elements
    * S7201070: Serialization to conform to protocol
    * S7201071, CVE-2013-0433: InetSocketAddress serialization issue
    * S8000210: Improve JarFile code quality
    * S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
    * S8000540, CVE-2013-1475: Improve IIOP type reuse management
    * S8000631, CVE-2013-1476: Restrict access to class constructor
    * S8001235, CVE-2013-0434: Improve JAXP HTTP handling
    * S8001242: Improve RMI HTTP conformance
    * S8001307: Modify ACC_SUPER behavior
    * S8001972, CVE-2013-1478: Improve image processing
    * S8002325, CVE-2013-1480: Improve management of images

This update backs out two of the recent security fixes (6664509 and 7201064) that caused severe regressions.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb  7 2013 Omair Majid <omajid at redhat.com> - 1.7.0.9-2.3.5.3.fc16
- Sync logging fixes with upstream (icedtea7-forest and jdk7u)
* Thu Feb  7 2013 Deepak Bhole <dbhole at redhat.com> - 1.7.0.9-2.3.5.1.fc16
- Added patch for 8005615 to fix regression caused by fix for 6664509
* Wed Feb  6 2013 Deepak Bhole <dbhole at redhat.com> - 1.7.0.9-2.3.5.fc16.1
- Backed out 6664509 and 7201064.patch which cause regressions
* Sun Feb  3 2013 Deepak Bhole <dbhole at redhat.com> - 1.7.0.9-2.3.5.fc16
- Updated to 2.3.5
- Changed BR to java7-devel >= 1:1.7.0 as required by CORBA changes in 2.3.5
- Removed unnecessary GENSRCDIR flag
* Sun Feb  3 2013 Deepak Bhole <dbhole at redhat.com> - 1.7.0.9-2.3.4.fc16.1
- Updated to 2.3.5pre (2.3.4 + Feb. 2013 CPU)
* Mon Jan 14 2013 Deepak Bhole <dbhole at redhat.com> - 1.7.0.9-2.3.4.fc16
- Updated to 2.3.4
* Fri Oct 12 2012 Deepak Bhole <dbhole at redhat.com> - 1.7.0.9-2.3.3.fc16
- Updated to IcedTea7-OpenJDK 2.3.3
- Updated java-1.7.0-openjdk-java-access-bridge-security.patch
- Change permission of sa-jdi.jar to 644 (upstream for future)
- Resolves rhbz#s 856124, 865346, 865348, 865350, 865352, 865354, 865357,
  865359, 865363, 865365, 865370, 865428, 865471, 865434, 865511, 865514,
  865519, 865531, 865541, 865568
* Wed Sep 19 2012 jiri Vanek <jvanek at redhat.com> - 1.7.0.6-2.3.2.fc16.1
- Updated to latest IcedTea7-forest 2.3
* Thu Aug 30 2012 jiri Vanek <jvanek at redhat.com> - 1.7.0.6-2.3.1.fc16.2
- Updated to IcedTea-Forest 2.3.1
- Resolves rhbz#RH852051, CVE-2012-4681: Reintroduce PackageAccessible checks 
  removed in 6788531.
- Commented out Patch500, java-1.7.0-openjdk-removing_jvisualvm_man.patch as
  already included in this IcedTea.
- Will be nice to verify after next upstream sync if it is still upstreamed
* Wed Aug 22 2012 Jiri Vanek <jvanek at redhat.com> - 1.7.0.6-2.3.fc16.3
- ALT_STRIP_POLICY replaced by STRIP_POLICY
* Fri Aug 17 2012 jiri Vanek <jvanek at redhat.com> - 1.7.0.6-2.3.fc16.1
- Updated to latest IcedTea7-forest-2.3
- Current build is u6
- Added Patch500, java-1.7.0-openjdk-removing_jvisualvm_man.patch to remove 
  jvisualvm manpages from processing
* Mon Jun 11 2012 jiri Vanek <jvanek at redhat.com> - 1.7.0.3-2.2.1fc16.7
- Used newly prepared tarball with security fixes
- Bump to icedtea7-forest-2.2.1
- _mandir/man1/jcmd-name.1 added to alternatives
- Updated rhino.patch
- Modified partially upstreamed patch302 - systemtap.patch
- Temporarily disabled patch102 - java-1.7.0-openjdk-size_t.patch
- Removed already upstreamed patches 104,107,108,301
  - java-1.7.0-openjdk-arm-ftbfs.patch
  - java-1.7.0-openjdk-system-zlib.patch
  - java-1.7.0-openjdk-remove-mimpure-opt.patch
  - systemtap-alloc-size-workaround.patch
- patch 105 (java-1.7.0-openjdk-ppc-zero-jdk.patch) has become 104
- patch 106 (java-1.7.0-openjdk-ppc-zero-hotspot.patch) has become 105
- Access gnome bridge jar forced to be 644
* Fri May 25 2012 Deepak Bhole <dbhole at redhat.com> - 1.7.0.3-2.1.fc16.6
- Miscellaneous fixes brought in from RHEL branch
- Resolves: rhbz#825255: Added ALT_STRIP_POLICY so that debug info is not stripped
- Moved Patch #7 (usage of system zlib) to #107
* Tue May  1 2012 Deepak Bhole <dbhole at redhat.com> - 1.7.0.3-2.1.fc16.5
- Removed VisualVM requirements
* Mon Mar 26 2012 Deepak Bhole <dbhole at redhat.com> - 1.7.0.3-2.1.fc16.4
- Merged with F17 branch
* Wed Mar 21 2012 Deepak Bhole <dbhole at redhat.com> - 1.7.0.3-2.1.fc16.3
- Reverted fix for rh740762
* Mon Mar 12 2012 Deepak Bhole <dbhole at redhat.com> - 1.7.0.3-2.1.fc16.2
- Resolved rh740762: java.library.path is missing some paths
* Fri Feb 24 2012 Deepak Bhole <dbhole at redhat.com> - 1.7.0.3-2.1.fc16.1
- Added flag so that debuginfo is built into classfiles (rhbz# 796400) 
- Updated rhino.patch to build scripting support (rhbz# 796398)
* Tue Feb 14 2012 Deepak Bhole <dbhole at redhat.com> - 1.7.0.3-2.1
- Updated to OpenJDK7u3/IcedTea7 2.1
- Security fixes:
  - S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
  - S7082299, CVE-2011-3571: AtomicReferenceArray insufficient array type check
  - S7110687, CVE-2012-0503: Unrestricted use of TimeZone.setDefault
  - S7110700, CVE-2012-0505: Incomplete info in the deserialization exception
  - S7110683, CVE-2012-0502: KeyboardFocusManager focus stealing
  - S7088367, CVE-2011-3563: JavaSound incorrect bounds check
  - S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
  - S7118283, CVE-2012-0501: Off-by-one bug in ZIP reading code
  - S7110704, CVE-2012-0506: CORBA fix
- Add patch to fix compilation with GCC 4.7
* Tue Nov 15 2011 Deepak Bhole <dbhole at redhat.com> - 1.7.0.1-2.0.3
- Added patch to fix bug in jdk_generic_profile.sh
- Compile with generic profile to use system libraries
- Made remove-intree-libraries.sh more robust
- Added lcms requirement
- Added patch to fix glibc name clash
- Updated java version to include -icedtea
* Sun Nov  6 2011 Deepak Bhole <dbhole at redhat.com> - 1.7.0.1-2.0.2
- Added missing changelog entry
* Sun Nov  6 2011 Deepak Bhole <dbhole at redhat.com> - 1.7.0.1-2.0.1
- Updated to IcedTea 2.0 tag in the IcedTea OpenJDK7 forest
- Removed obsoleted patches
- Added system timezone support
- Revamp version/release naming scheme to make it proper
- Security fixes
  - S7000600, CVE-2011-3547: InputStream skip() information leak
  - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
  - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
  - S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
  - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
  - S7055902, CVE-2011-3521: IIOP deserialization code execution
  - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
  - S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
  - S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
  - S7077466, CVE-2011-3556: RMI DGC server remote code execution
  - S7083012, CVE-2011-3557: RMI registry privileged code execution
  - S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update java-1.7.0-openjdk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
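
For fleet checks it is useful to decide from "rpm -q" output alone whether a
host already carries the fixed build (1.7.0.9-2.3.5.3.fc16) rather than one of
the intermediate 2.3.5 builds listed in the ChangeLog. The script below is an
added example, not part of this Fedora announcement or of the OpenJDK package;
it reimplements rpm's version comparison (rpmvercmp: segment-wise compare,
numeric segments beat alphabetic ones, a tilde sorts before everything) so it
runs without librpm. The epoch of 1 in FIXED_EVR is an assumption taken from
the "1:1.7.0" BuildRequires in the changelog; confirm it on a real host with
the rpm --qf query shown in the comments. The sample rpm -q output is
constructed for the example.

```python
"""Decide whether an installed java-1.7.0-openjdk build is at or past the
fixed build from FEDORA-2013-2188.  Added example, not Fedora/OpenJDK code.
Reimplements rpm's rpmvercmp() so the check needs no librpm."""
import re

# Assumption: epoch 1, from the "java7-devel >= 1:1.7.0" line in the changelog.
FIXED_EVR = "1:1.7.0.9-2.3.5.3.fc16"

# rpmvercmp splits on non-alphanumerics and compares runs of digits or letters;
# '~' is kept as its own token because it sorts before everything (pre-release).
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same rules as rpm's rpmvercmp().
    (The newer '^' post-release separator is not handled here.)"""
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    i = j = 0
    while i < len(ta) or j < len(tb):
        x = ta[i] if i < len(ta) else None
        y = tb[j] if j < len(tb) else None
        # Tilde sorts lower than anything, including end of string: 1.0~rc1 < 1.0
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            j += 1
            continue
        # One side ran out: the longer string is newer (2.3.5pre > 2.3.5).
        if x is None:
            return -1
        if y is None:
            return 1
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            return 1 if xnum else -1        # numeric segment beats alphabetic
        if xnum:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):             # longer number is larger
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1       # same length: plain string compare
        i += 1
        j += 1
    return 0


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (int epoch, version, release).
    rpm prints '(none)' for a missing epoch, which compares as 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    return rc if rc else rpmvercmp(ra, rb)


def is_patched(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    return evr_cmp(installed_evr, fixed_evr) >= 0


# Constructed sample of:
#   rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' java-1.7.0-openjdk
# collected from three hypothetical hosts (one line per host).
SAMPLE_RPM_Q = """\
java-1.7.0-openjdk 1:1.7.0.9-2.3.5.1.fc16
java-1.7.0-openjdk 1:1.7.0.9-2.3.5.3.fc16
java-1.7.0-openjdk 1:1.7.0.9-2.3.4.fc16
"""


def check_rpm_q(output: str, fixed_evr: str = FIXED_EVR):
    """Map each 'name evr' line of rpm -q output to (evr, patched?)."""
    results = []
    for line in output.splitlines():
        if not line.strip():
            continue
        _name, evr = line.split()
        results.append((evr, is_patched(evr, fixed_evr)))
    return results


if __name__ == "__main__":
    for evr, ok in check_rpm_q(SAMPLE_RPM_Q):
        print(f"{evr}: {'fixed' if ok else 'NOT fixed'}")
```

Note the ordering rule the code encodes: rpm treats "2.3.5pre" as newer than
"2.3.5", which is why the pre-CPU build in the ChangeLog was shipped with
release 2.3.4.fc16.1 rather than a "2.3.5pre" release tag. Signature checking
is separate from version comparison; on the host, "rpm -K" (or
"rpm --checksig") on the downloaded package verifies it against the imported
Fedora key before installation.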
--------------------------------------------------------------------------------

