IcedTea-Web 1.1.7, 1.2.2 and 1.3.1 [security releases] released!

A potential heap buffer overflow issue has been found and fixed in
IcedTea-Web. It is recommended that all IcedTea-Web users update to this
new version.

We would like to thank Arthur Gerkis for reporting this issue.

The fixed issue is:
RH869040, CVE-2012-4540: Heap-based buffer overflow after triggering event attached to applet

Other fixes are listed in the NEWS files:
1.1.7 NEWS file
1.2.2 NEWS file
1.3.1 NEWS file

Please note that this will be the last 1.1.x release as we are not aware
of any distribution currently using 1.1.

The following people helped with these releases:
Adam Domurad
Omair Majid
Saad Mohammad
Jiri Vanek

Checksums:
709ef1880e259d0d0661d57323448e03524153fe3ade21366d55aff5a49608bb icedtea-web-1.1.7.tar.gz
e9e3c3dc413b01b965c0fc7fdc73d89683ffe1422ca7fd218c98debab9bdb675 icedtea-web-1.2.2.tar.gz
20c7fd1eef6c79cbc6478bb01236a3eb2f0af6184eaed24baca59a3c37eafb56 icedtea-web-1.3.1.tar.gz

Download links:
http://icedtea.classpath.org/download/source/icedtea-web-1.1.7.tar.gz
http://icedtea.classpath.org/download/source/icedtea-web-1.2.2.tar.gz
http://icedtea.classpath.org/download/source/icedtea-web-1.3.1.tar.gz

After extracting, it can be built as per instructions here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web


IcedTea-Web 1.3 released!

IcedTea-Web 1.3 is now released and available for download!

This release is the first of what we hope will be regular releases based on time rather than features. It includes many bug fixes and new features. Some of the highlights include:

  • New features:
    • Web Start launch errors are now printed to give proper indication as to the cause
    • Significant performance improvement when loading applets that refer to missing classes
    • Support for latest versions of Chromium
    • Security warning dialog improvements to better clarify security request
    • Support build with GTK2 and GTK3
    • Cookie write support (i.e. set cookies in browser via Java/Applet)

  • Bug fixes:
    • Common:
      • Applet window icon improved

    • Plug-in:
      • PR975: Ignore classpaths specified in jar manifests when using jnlp_href
      • PR1011: Treat folders as such when specified in archive tags
      • PR855: AppletStub getDocumentBase() now returns full URL
      • PR722: Unsigned META-INF entries are ignored
      • PR861: Jars can now load from non codebase hosts

    • Web Start:
      • PR898: Large signed JNLP files now supported
      • PR811: URLs with spaces now handled correctly

Full notes with bug ids are available in the NEWS file:
http://icedtea.classpath.org/hg/release/icedtea-web-1.3/file/a63733958565/NEWS

Available for download here:
http://icedtea.classpath.org/download/source/icedtea-web-1.3.tar.gz

Build instructions are here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web

SHA256 sum:
d46ec10700732cea103da2aae64ff01e717cb1281b83e1797ce48cc53280b49f icedtea-web-1.3.tar.gz

Thanks to everyone who helped with this release:
Danesh Dadachanji
Adam Domurad
Peter Hatina
Lars Herschke
Andrew Hughes
Omair Majid
Thomas Meyer
Saad Mohammad
Martin Olsson
Pavel Tisnovsky
Jiri Vanek


IcedTea-Web 1.1.6 and 1.2.1 [security releases] released!

IcedTea-Web 1.1.6 and 1.2.1 have now been released. In addition to bug fixes, they include 2 security fixes and it is therefore recommended that everyone upgrade to this release. The security issues fixed are:

RH840592, CVE-2012-3422: Use of uninitialized instance pointers
RH841345, CVE-2012-3423: Incorrect handling of non 0-terminated strings

Other fixes are listed in the NEWS files:
1.1.6 NEWS file
1.2.1 NEWS file

The following people helped with these releases:
Danesh Dadachanji
Adam Domurad
Omair Majid
Saad Mohammad
Jiri Vanek

Checksums:
2e330475fdcd1a83b3f411a1aa475d8d45c585842444d20bb9160bed689dc1f1 icedtea-web-1.1.6.tar.gz
134efcd429086a643ba03ec6e4da991527c3e5dfcd6ed6680a83824ad3f0cfd6 icedtea-web-1.2.1.tar.gz

Download links:
http://icedtea.classpath.org/download/source/icedtea-web-1.1.6.tar.gz
http://icedtea.classpath.org/download/source/icedtea-web-1.2.1.tar.gz

After extracting, it can be built as per instructions here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web


IcedTea-Web plug-in running on ARM

Thanks to great work by Chris Phillips and others, we now have a Zero-based OpenJDK7 RPM building on Fedora ARM.

Peter Robinson (Fedora project volunteer) then started an icedtea-web build on ARM based on the above, which went fine.

I decided to try icedtea-web with OpenJDK7 on ARM. I only had access to an F15 machine so I had to force install the F17 OpenJDK RPM (it works other than where -lpng would be needed). Here is the result — the IcedTea-Web plug-in running with Midori on Fedora ARM!

IcedTea-Web plug-in working on ARM


Now to wait for Andrew Haley’s JIT work to go in, to make it run faster 🙂


IcedTea-Web 1.1.5 released!

IcedTea-Web 1.1.5 is now out. It contains a couple of important bug fixes for those who wish to remain on the 1.1 line:

  • Fixes:
    • PR820: Firefox 10 and above crashes when LiveConnect is heavily used
    • PR838: IcedTea-Web plugin crashes with chrome browser when javascript is executed

Full notes with bug ids are available in the NEWS file:
http://icedtea.classpath.org/hg/release/icedtea-web-1.1/file/ab7e8272d45d/NEWS

Available for download here:
http://icedtea.classpath.org/download/source/icedtea-web-1.1.5.tar.gz

Build instructions are here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web

SHA256 sum:
ab5c34a9dc6bff48baf1f1d1a34bf54bfb954ad93ee9e7e44d642fa991bcc919 icedtea-web-1.1.5.tar.gz

Thanks to everyone who helped with this release:
Matthias Klose
Denis Lila
Omair Majid
Thomas Meyer
Jiri Vanek


IcedTea-Web 1.2 released!

IcedTea-Web 1.2 is finally out! My apologies for the delayed release. We found some regressions when testing the final candidate and decided to hold off until everything was fixed.

New features and important bug fixes include:

  • New features:
    • Signed JNLP support
    • Support for client authentication certificates
    • Cache size enforcement now supported via itweb-settings
    • Applet parameter passing through JNLP files now supported
    • Better icons for access warning dialog
    • Security Dialog UI revamped to make it look less threatening when appropriate

  • Bug fixes:
    • Common:
      • Plug-in/Web Start can now handle corrupted cache
      • PR742: IcedTea-Web checks certs only upto 1 level deep before declaring them untrusted.

    • Plug-in:
      • PR852: Classloader not being flushed after last applet from a site is closed
      • PR820: Firefox 10 and above no longer crashes when LiveConnect is heavily used
      • MIME descriptions for Java 7 are now defined
      • Build against mozilla-plugin.pc is now supported

    • Web Start:
      • PR618: Can’t install OpenDJ, JavaWebStart fails with Input stream is null error.
      • PR766: javaws fails to parse a node that contains CDATA
      • PR765: JNLP file with all resource jars marked as ‘lazy’ fails to validate signature and stops the launch of application
      • PR808: javaws is unable to start when missing jars are enumerated before main jar
      • Close the splashscreen in case of error (not just successful launch).

Full notes with bug ids are available in the NEWS file:
http://icedtea.classpath.org/hg/release/icedtea-web-1.2/file/58c02a3ace5d/NEWS

Available for download here:
http://icedtea.classpath.org/download/source/icedtea-web-1.2.tar.gz

Build instructions are here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web

SHA256 sum:
3f8d22b655df207409dd3451ba02907f61a12ac051e4df4d44bb5ed47c4f778d icedtea-web-1.2.tar.gz

Thanks to everyone who helped with this release:
Danesh Dadachanji
Lars Herschke
Andrew Hughes
Matthias Klose
Denis Lila
Omair Majid
Thomas Meyer
Saad Mohammad
Andrew Su
Jiri Vanek


IcedTea-Web 1.0.6 and 1.1.4 (security releases) released

IcedTea-Web 1.0.6 and 1.1.4 have been released. These are security fix only
releases and address a security issue classified as having moderate impact.

What’s new in 1.0.6 and 1.1.4:

  • RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass

The following people helped with this release:
Omair Majid

Checksums:
44a770da85fd2e342ab09e065798a07d04601ea51879df4a5e88f804e4f02eba icedtea-web-1.0.6.tar.gz
b17a742af0153b7887cf667a160f8519afad125bc515b0f4783c66e7ee1a7f26 icedtea-web-1.1.4.tar.gz

Download links:
http://icedtea.classpath.org/download/source/icedtea-web-1.0.6.tar.gz
http://icedtea.classpath.org/download/source/icedtea-web-1.1.4.tar.gz

After extracting, it can be built as per instructions here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web


IcedTea-Web 1.0.5 and 1.1.3 released (fixes for Elluminate and others)

IcedTea-Web 1.0.5 and 1.1.3 have been released and are available for download now:

IcedTea-Web 1.0.5
IcedTea-Web 1.1.3

These are maintenance releases and the main motivation for pushing the releases is to make the Elluminate Web Start application work again.

Fixes in 1.0.5:

  • Plug-in:
    • PR749: sun.applet.PluginStreamHandler#handleMessage(String) really slow
  • Common:
    • PR768: Signed applets/Web Start apps don’t work with OpenJDK7 and up
    • PR794: IcedTea-Web does not work if a Web Start app jar has a Class-Path element in the manifest (e.g. Elluminate)

Fixes in 1.1.3:

  • Plug-in:
    • PR782: Support building against npapi-sdk as well
  • Common:
    • PR794: IcedTea-Web does not work if a Web Start app jar has a Class-Path element in the manifest (e.g. Elluminate)

Build instructions are here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web

SHA256 sums:
ccfed2fc6fadf6ce42df43558252b0f02a8f5ed99c24e3eb64b4ca0e0d82a6c2 icedtea-web-1.0.5.tar.gz
012390dfa8bb9a4b17b30640dfc21011c848f5017d2a21d945e933f5d514edb3 icedtea-web-1.1.3.tar.gz

Thanks to Omair Majid for help with this release!


IcedTea-Web 1.1.2 released (maintenance release)

IcedTea-Web 1.1.2 has been released and is available for download now!

This is a maintenance release and contains bug fixes. Furthermore, this release also adds support for use with Java 7 (IcedTea7).

Fixes include:

  • Plug-in:
    • PR749: sun.applet.PluginStreamHandler#handleMessage(String) really slow
    • RH718693: MindTerm SSH Applet doesn’t work
  • Common:
    • PR768: Signed applets/Web Start apps don’t work with OpenJDK7 and up
    • PR769: IcedTea-Web does not work with some ssl sites with OpenJDK7
    • RH734081: Javaws cannot use proxy settings from Firefox
    • New (--with-jre-home=) option to allow use with only JRE installed

Available for download here:
http://icedtea.classpath.org/download/source/icedtea-web-1.1.2.tar.gz

Build instructions are here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web

SHA256 sum:
3051f3bf1e1d07ad7aaa28b204821a7c0631848d20ba7942fc23440e774649e4 icedtea-web-1.1.2.tar.gz

Thanks to Omair Majid for help with this release!


IcedTea-Web 1.0.4 and 1.1.1 (security releases) released

IcedTea-Web 1.0.4 and 1.1.1 have been released. These are security fix only releases and address a couple of security issues.

What’s new in 1.0.4 and 1.1.1:

RH718164, CVE-2011-2513: Home directory path disclosure to untrusted applications
RH718170, CVE-2011-2514: Java Web Start security warning dialog manipulation

The following people helped with this release:
Omair Majid

Checksums:
d3e841be0cca8daef70404df5fdfe678559e1b12cd0ae3d658da68f61ab888e1 icedtea-web-1.0.4.tar.gz
0051005302e698f2468e6cae275b8c58869c85be04c269f2f266389a4e6a66c7 icedtea-web-1.1.1.tar.gz

Download links:
http://icedtea.classpath.org/download/source/icedtea-web-1.0.4.tar.gz
http://icedtea.classpath.org/download/source/icedtea-web-1.1.1.tar.gz

After extracting, it can be built as per instructions here:
http://icedtea.classpath.org/wiki/IcedTea-Web#Building_IcedTea-Web
