Bug 642531 - VUL-0: Icedtea6 1.9.1 released
Summary: VUL-0: Icedtea6 1.9.1 released
Status: RESOLVED FIXED
Alias: None
Product: openSUSE 11.4
Classification: openSUSE
Component: Java
Version: Factory
Hardware: Other Other
Priority: P1 - Urgent; Severity: Normal
Target Milestone: ---
Deadline: 2010-10-29
Assignee: Security Team bot
QA Contact: E-mail List
URL: http://blog.fuseyism.com/index.php/20...
Whiteboard: maint:released:11.1:36878 maint:relea...
Keywords:
Depends on:
Blocks: 648260
Reported: 2010-09-29 10:53 UTC by Michal Vyskocil
Modified: 2010-12-03 16:03 UTC

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Michal Vyskocil 2010-09-29 10:53:53 UTC
The new icedtea6 1.9 has been released [1]. It includes OpenJDK6 b20 with HotSpot 17 and a very impressive list of fixes, but none seems to be a security issue, even though a few, like [2] S6541756: Reduce executable C-heap, might be considered a security improvement.

[1] http://blog.fuseyism.com/index.php/2010/09/10/icedtea6-19-released/
[2] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6541756
Comment 1 Michal Vyskocil 2010-09-29 10:54:50 UTC
Security team: please decide whether you consider this a security update or not. Thanks
Comment 2 Ludwig Nussel 2010-09-29 11:08:51 UTC
We like security enhancements but don't create security updates for them alone :-) So please use the regular maintenance process if you want to release the package as an update.
Comment 3 Michal Vyskocil 2010-10-22 10:13:58 UTC
Hi Ludwig,

with the icedtea6 1.9.1 release [1], the situation has changed :). There are dozens of shiny new CVEs fixed by this release.

S6914943, CVE-2009-3555: TLS: MITM attacks via session renegotiation - this is very probably the same fix as in Sun Java u22 [2], RFC 5746 conforming renegotiation. The older one just turned it off [3].

[1] http://blog.fuseyism.com/index.php/2010/10/12/icedtea6-175-182-and-191-released/
[2] http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
[3] http://lists.opensuse.org/opensuse-java/2010-10/msg00002.html
Comment 4 Ludwig Nussel 2010-10-22 11:39:13 UTC
yeehaw!
Comment 5 Swamp Workflow Management 2010-10-22 11:46:35 UTC
The SWAMPID for this issue is 36651.
This issue was rated as important.
Please submit fixed packages until 2010-10-29.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 Michal Vyskocil 2010-10-22 13:29:27 UTC
Update prepared, waiting on 11.1-ppc (and on the end of 11.1 support).
Comment 7 Michal Vyskocil 2010-11-01 13:40:52 UTC
Submitted fixed packages for

11.3 51892, 11.2 51893, 11.1 51894
Comment 11 Swamp Workflow Management 2010-11-17 10:04:04 UTC
Update released for: java-1_6_0-openjdk, java-1_6_0-openjdk-debuginfo, java-1_6_0-openjdk-debugsource, java-1_6_0-openjdk-demo, java-1_6_0-openjdk-demo-debuginfo, java-1_6_0-openjdk-devel, java-1_6_0-openjdk-devel-debuginfo, java-1_6_0-openjdk-javadoc, java-1_6_0-openjdk-plugin, java-1_6_0-openjdk-plugin-debuginfo, java-1_6_0-openjdk-src
Products:
openSUSE 11.1 (debug, i586, x86_64)
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
Comment 12 Marcus Meissner 2010-12-03 16:03:08 UTC
released

(openjdk is not on SLE)