IcedTea-Web 1.1.7, 1.2.2 and 1.3.1 [security releases] released!

A potential heap buffer overflow issue has been found and fixed in
IcedTea-Web. It is recommended that all IcedTea-Web users update to this
new version.

We would like to thank Arthur Gerkis for reporting this issue.

The fixed issue is:
RH869040, CVE-2012-4540: Heap-based buffer overflow after triggering event attached to applet

Other fixes are listed in the NEWS files:
1.1.7 NEWS file
1.2.2 NEWS file
1.3.1 NEWS file

Please note that this will be the last 1.1.x release as we are not aware
of any distribution currently using 1.1.

The following people helped with these releases:
Adam Domurad
Omair Majid
Saad Mohammad
Jiri Vanek

Checksums:
709ef1880e259d0d0661d57323448e03524153fe3ade21366d55aff5a49608bb icedtea-web-1.1.7.tar.gz
e9e3c3dc413b01b965c0fc7fdc73d89683ffe1422ca7fd218c98debab9bdb675 icedtea-web-1.2.2.tar.gz
20c7fd1eef6c79cbc6478bb01236a3eb2f0af6184eaed24baca59a3c37eafb56 icedtea-web-1.3.1.tar.gz

Download links:
http://icedtea.classpath.org/download/source/icedtea-web-1.1.7.tar.gz
http://icedtea.classpath.org/download/source/icedtea-web-1.2.2.tar.gz
http://icedtea.classpath.org/download/source/icedtea-web-1.3.1.tar.gz

After extracting, it can be built as per instructions here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web

Posted in IcedTea, Java | Leave a comment

IcedTea-Web 1.3 released!

IcedTea-Web 1.3 is now released and available for download!

This release is the first of what we hope will be regular releases based on time rather than features. It includes many bug fixes and new features. Some of the highlights include:

  • New features:
    • Web Start launch errors are now printed to give proper indication as to the cause
    • Significant performance improvement when loading applets that refer to missing classes
    • Support for latest versions of Chromium
    • Security warning dialog improvements to better clarify security request
    • Support build with GTK2 and GTK3
    • Cookie write support (i.e set cookies in browser via Java/Applet)

  • Bug fixes:
    • Common:
      • Applet window icon improved

    • Plug-in:
      • PR975: Ignore classpaths specified in jar manifests when using jnlp_href
      • PR1011: Treat folders as such when specified in archive tags
      • PR855: AppletStub getDocumentBase() now returns full URL
      • PR722: Unsigned META-INF entries are ignored
      • PR861: Jars can now load from non codebase hosts

    • Web Start:
      • PR898: Large signed JNLP files now supported
      • PR811: URLs with spaces now handled correctly

Full notes with bug ids are available in the NEWS file:
http://icedtea.classpath.org/hg/release/icedtea-web-1.3/file/a63733958565/NEWS

Available for download here:
http://icedtea.classpath.org/download/source/icedtea-web-1.3.tar.gz

Build instructions are here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web

SHA256 sum:
d46ec10700732cea103da2aae64ff01e717cb1281b83e1797ce48cc53280b49f icedtea-web-1.3.tar.gz

Thanks to everyone who helped with this release:
Danesh Dadachanji
Adam Domurad
Peter Hatina
Lars Herschke
Andrew Hughes
Omair Majid
Thomas Meyer
Saad Mohammad
Martin Olsson
Pavel Tisnovsky
Jiri Vanek

Posted in IcedTea | 4 Comments

IcedTea-Web 1.1.6 and 1.2.1 [security releases] released!

IcedTea-Web 1.1.6 and 1.2.1 have now been released. In addition to bug fixes, they include 2 security fixes and it is therefore recommended that everyone upgrade to this release. The security issues fixed are:

RH840592, CVE-2012-3422: Use of uninitialized instance pointers
RH841345, CVE-2012-3423: Incorrect handling of non 0-terminated strings

Other fixes are listed in the NEWS files:
1.1.6 NEWS file
1.2.1 NEWS file

The following people helped with these releases:
Danesh Dadachanji
Adam Domurad
Omair Majid
Saad Mohammad
Jiri Vanek

Checksums:
2e330475fdcd1a83b3f411a1aa475d8d45c585842444d20bb9160bed689dc1f1 icedtea-web-1.1.6.tar.gz
134efcd429086a643ba03ec6e4da991527c3e5dfcd6ed6680a83824ad3f0cfd6 icedtea-web-1.2.1.tar.gz

Download links:
http://icedtea.classpath.org/download/source/icedtea-web-1.1.6.tar.gz
http://icedtea.classpath.org/download/source/icedtea-web-1.2.1.tar.gz

After extracting, it can be built as per instructions here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web

Posted in IcedTea | Leave a comment

IcedTea-Web plug-in running on ARM

Thanks to great work by Chris Phillips and others, we now have a Zero based OpenJDK7 RPM building on Fedora ARM

Peter Robinson (Fedora project volunteer) then started an icedtea-web build on ARM based on the above, which went fine.

I decided to try icedtea-web with OpenJDK7 on ARM. I only had access to an F15 machine so I had to force install the F17 OpenJDK RPM (it works other than where -lpng would be needed). Here is the result — the IcedTea-Web plug-in running with Midori on Fedora ARM!

IcedTea-Web plug-in working on ARM

IcedTea-Web plug-in working on ARM

Now to wait for Andrew Haley’s JIT work to go in, to make it run faster :)

Posted in IcedTea | 3 Comments

IcedTea-Web 1.1.5 released!

IcedTea-Web 1.1.5 is now out. It contains a couple of important bug fixes for those who wish to remain on the 1.1 line:

  • Fixes:
    • PR820: Firefox 10 and above crashes when LiveConnect is heavily used
    • PR838: IcedTea-Web plugin crashes with chrome browser when javascript is executed

Full notes with bug ids are available in the NEWS file:
http://icedtea.classpath.org/hg/release/icedtea-web-1.1/file/ab7e8272d45d/NEWS

Available for download here:
http://icedtea.classpath.org/download/source/icedtea-web-1.1.5.tar.gz

Build instructions are here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web

SHA256 sum:
ab5c34a9dc6bff48baf1f1d1a34bf54bfb954ad93ee9e7e44d642fa991bcc919 icedtea-web-1.1.5.tar.gz

Thanks to everyone who helped with this release:
Matthias Klose
Denis Lila
Omair Majid
Thomas Meyer
Jiri Vanek

Posted in IcedTea | Leave a comment

IcedTea-Web 1.2 released!

IcedTea-Web 1.2 is finally out! My apologies for the delayed release. We found some regressions when testing the final candidate and decided to hold off until everything was fixed.

New features and important bug fixes include:

  • New features:
    • Signed JNLP support
    • Support for client authentication certificates
    • Cache size enforcement now supported via itweb-settings
    • Applet parameter passing through JNLP files now supported
    • Better icons for access warning dialog
    • Security Dialog UI revamped to make it look less threatening when appropriate

  • Bug fixes:
    • Common:
      • Plug-in/Web Start can now handle corrupted cache
      • PR742: IcedTea-Web checks certs only upto 1 level deep before declaring them untrusted.

    • Plug-in:
      • PR852: Classloader not being flushed after last applet from a site is closed
      • PR820: Firefox 10 and above no longer crashes when LiveConnect is heavily used
      • MIME descriptions for Java 7 are now defined
      • Build against mozilla-plugin.pc is now supported

    • Web Start:
      • PR618: Can’t install OpenDJ, JavaWebStart fails with Input stream is null error.
      • PR766: javaws fails to parse a node that contains CDATA
      • PR765: JNLP file with all resource jars marked as ‘lazy’ fails to validate signature and stops the launch of application
      • PR808: javaws is unable to start when missing jars are enumerated before main jar
      • Close the splashscreen in case of error (not just successful launch).

Full notes with bug ids are available in the NEWS file:
http://icedtea.classpath.org/hg/release/icedtea-web-1.2/file/58c02a3ace5d/NEWS

Available for download here:
http://icedtea.classpath.org/download/source/icedtea-web-1.2.tar.gz

Build instructions are here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web

SHA256 sum:
3f8d22b655df207409dd3451ba02907f61a12ac051e4df4d44bb5ed47c4f778d icedtea-web-1.2.tar.gz

Thanks to everyone who helped with this release:
Danesh Dadachanji
Lars Herschke
Andrew Hughes
Matthias Klose
Denis Lila
Omair Majid
Thomas Meyer
Saad Mohammad
Andrew Su
Jiri Vanek

Posted in IcedTea | 1 Comment

IcedTea-Web 1.0.6 and 1.1.4 (security releases) released

IcedTea-Web 1.0.6 and 1.1.4 have been released. These are security fix only
releases and address a security issue classified as having moderate impact.

What’s new in 1.0.6 and 1.1.4:

  • RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass

The following people helped with this release:
Omair Majid

Checksums:
44a770da85fd2e342ab09e065798a07d04601ea51879df4a5e88f804e4f02eba icedtea-web-1.0.6.tar.gz
b17a742af0153b7887cf667a160f8519afad125bc515b0f4783c66e7ee1a7f26 icedtea-web-1.1.4.tar.gz

Download links:
http://icedtea.classpath.org/download/source/icedtea-web-1.0.6.tar.gz
http://icedtea.classpath.org/download/source/icedtea-web-1.1.4.tar.gz

After extracting, it can be built as per instructions here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web

Posted in IcedTea | Leave a comment