Bug 642531

Summary: VUL-0: Icedtea6 1.9.1 released
Product: [openSUSE] openSUSE 11.4
Reporter: Michal Vyskocil <mvyskocil>
Component: Java
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P1 - Urgent
CC: meissner, security-team
Version: Factory
Target Milestone: ---
Hardware: Other
OS: Other
URL: http://blog.fuseyism.com/index.php/2010/10/12/icedtea6-175-182-and-191-released/
Whiteboard: maint:released:11.1:36878 maint:released:11.2:36878 maint:released:11.3:36878
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 648260
Deadline: 2010-10-29

Description Michal Vyskocil 2010-09-29 10:53:53 UTC
The new icedtea6 1.9 has been released [1]. It includes OpenJDK6 b20 with HotSpot 17 and a very impressive list of fixes, but none of them seems to be a security issue, even though a few, like [2] S6541756: Reduce executable C-heap, might be considered a security improvement.

[1] http://blog.fuseyism.com/index.php/2010/09/10/icedtea6-19-released/
[2] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6541756
Comment 1 Michal Vyskocil 2010-09-29 10:54:50 UTC
security team: please decide if you consider this as a security update, or not. Thanks
Comment 2 Ludwig Nussel 2010-09-29 11:08:51 UTC
we like security enhancements but don't create security updates for them only :-) so please use the regular maintenance process if you want to release the package as update.
Comment 3 Michal Vyskocil 2010-10-22 10:13:58 UTC
Hi Ludwig,

with the icedtea6 1.9.1 release [1], the situation has changed :). There are dozens of shiny new CVEs fixed by this release.

S6914943, CVE-2009-3555: TLS: MITM attacks via session renegotiation - this is very probably the same fix as in Sun Java u22 [2], RFC 5746-conforming renegotiation. The older one just turned it off [3].

[1] http://blog.fuseyism.com/index.php/2010/10/12/icedtea6-175-182-and-191-released/
[2] http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
[3] http://lists.opensuse.org/opensuse-java/2010-10/msg00002.html
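The RFC 5746 fix mentioned in the comment above can be verified from the outside: a patched client advertises support by sending the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00FF) and/or an empty renegotiation_info extension (type 0xFF01), and a patched server answers with the renegotiation_info extension in its ServerHello; a server that merely disabled renegotiation, as the older workaround did, sends nothing. The following is an added example for this bug, not code from IcedTea/OpenJDK or from the reporter. It builds such a ClientHello, parses the ServerHello for the extension, and can be pointed at a live host; the ServerHello test vectors are constructed inline rather than captured traffic.

```python
"""Check a TLS server for RFC 5746 secure renegotiation (added example, not IcedTea code)."""
import socket
import struct

RENEGOTIATION_INFO_EXT = 0xFF01          # extension type from RFC 5746
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # signalling cipher suite value
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F    # one real suite so the handshake can proceed


def build_client_hello():
    """TLS 1.0 ClientHello with the SCSV and an empty renegotiation_info extension."""
    random_bytes = b"\x00" * 32          # fixed for reproducibility; a real client uses 32 random bytes
    cipher_suites = struct.pack("!HH", TLS_RSA_WITH_AES_128_CBC_SHA, EMPTY_RENEGOTIATION_INFO_SCSV)
    # renegotiation_info: extension_data = renegotiated_connection<0..255>, empty on first handshake
    ext = struct.pack("!HHB", RENEGOTIATION_INFO_EXT, 1, 0)
    body = (b"\x03\x01" + random_bytes + b"\x00"                       # version, random, empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                              # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Parse one TLS record holding a ServerHello; report RFC 5746 support."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ServerHello")
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                  # skip server random
    sid_len = body[pos]
    pos += 1 + sid_len
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 1                                   # cipher suite, compression method
    info = {"version": version, "cipher_suite": cipher,
            "secure_renegotiation": False, "renegotiated_connection": None}
    if pos == len(body):
        return info                                # no extensions at all: pre-RFC 5746 server
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == RENEGOTIATION_INFO_EXT:
            # first byte is the length of renegotiated_connection; must match the rest
            if not data or data[0] != len(data) - 1:
                raise ValueError("malformed renegotiation_info extension")
            info["secure_renegotiation"] = True
            info["renegotiated_connection"] = data[1:]
    return info


def build_sample_server_hello(secure_renegotiation):
    """Constructed test vector (not captured traffic): minimal ServerHello with/without the extension."""
    body = (b"\x03\x01" + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", TLS_RSA_WITH_AES_128_CBC_SHA) + b"\x00")
    if secure_renegotiation:
        ext = struct.pack("!HHB", RENEGOTIATION_INFO_EXT, 1, 0)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def check_server(host, port=443, timeout=5.0):
    """Send the ClientHello to a live server and parse the first record it returns."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        buf = b""
        while len(buf) < 5:
            chunk = sock.recv(5 - len(buf))
            if not chunk:
                raise ConnectionError("connection closed before record header")
            buf += chunk
        if buf[0] == 0x15:
            raise ConnectionError("server sent a TLS alert instead of ServerHello")
        need = 5 + struct.unpack("!H", buf[3:5])[0]
        while len(buf) < need:
            chunk = sock.recv(need - len(buf))
            if not chunk:
                raise ConnectionError("connection closed mid-record")
            buf += chunk
        return parse_server_hello(buf)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(check_server(host))
```

Run it as `python3 check_reneg.py host` (file name is an assumption) against a server that has the fix; a server patched per RFC 5746 yields `secure_renegotiation: True` with an empty `renegotiated_connection`, which is the same signal `openssl s_client` reports as "Secure Renegotiation IS supported". A server that only disabled renegotiation returns `False`; clients talking to it are protected only by the refusal, not by the cryptographic binding.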
Comment 4 Ludwig Nussel 2010-10-22 11:39:13 UTC
yeehaw!
Comment 5 Swamp Workflow Management 2010-10-22 11:46:35 UTC
The SWAMPID for this issue is 36651.
This issue was rated as important.
Please submit fixed packages until 2010-10-29.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 Michal Vyskocil 2010-10-22 13:29:27 UTC
Update prepared, waiting on 11.1-ppc (and on the end of 11.1 support).
Comment 7 Michal Vyskocil 2010-11-01 13:40:52 UTC
Submitted fixed packages for

11.3 51892, 11.2 51893, 11.1 51894
Comment 11 Swamp Workflow Management 2010-11-17 10:04:04 UTC
Update released for: java-1_6_0-openjdk, java-1_6_0-openjdk-debuginfo, java-1_6_0-openjdk-debugsource, java-1_6_0-openjdk-demo, java-1_6_0-openjdk-demo-debuginfo, java-1_6_0-openjdk-devel, java-1_6_0-openjdk-devel-debuginfo, java-1_6_0-openjdk-javadoc, java-1_6_0-openjdk-plugin, java-1_6_0-openjdk-plugin-debuginfo, java-1_6_0-openjdk-src
Products:
openSUSE 11.1 (debug, i586, x86_64)
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
Comment 12 Marcus Meissner 2010-12-03 16:03:08 UTC
released

(openjdk is not on SLE )