My thoughts on Slackware, life and everything

Month: January 2013

Update for OpenJDK 7 with IcedTea 2.3.4 plugs 0-day exploit.

The past week was buzzing with the 0-day exploit for Oracle’s Java browser plugin, but according to CERT, the OpenJDK was affected as well by the underlying bug. Oracle “hastily” patched this critical vulnerability (CVE-2012-3174) although now it seems that only this particular “attack vector” was patched but the underlying vulnerability remains, leaving the way open to other exploits.

Come what may, an update of IcedTea followed soon after, which will build OpenJDK packages which incorporate fixes for the vulnerability. The version of IcedTea which I use (upped to 2.3.4) builds an OpenJDK 7 Update 9 package – the same version as we already have (no idea why they did not lift the update version to 10 or 11 unless this was a hasty fix for this particular 0-day exploit), so what I did for my openjdk & openjre packages was increase the package BUILD number from “1alien” to “2alien” so that you can use upgradepkg to upgrade to the new package.

It appears that one of the main developers, GNU.Andrew (Andrew John Hughes from Red Hat), has not yet updated his blog with news of the new icedtea releases. The aforementioned mailing list post was his, so I expect that he will update his blog with all the details soon.

Here is the list with security fixes in the IcedTea 2.3.4 build of OpenJDK 7u9:

  • Security fixes:
    • S8004933, CVE-2012-3174: Improve MethodHandle interaction with libraries
    • S8006017, CVE-2013-0422: Improve lookup resolutions
    • S8006125: Update MethodHandles library interactions
  • Backports:
    • S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32 bit shifts
  • Bug fixes:
    • G422525: Fix building with PaX enabled kernels.

Get my packages (Slackware 13.37 and newer) for OpenJDK 7u9_b30 build 2alien here and upgrade as soon as you can:

Further packages that are recommended/required:

  • Optional: If you want a Java browser-plugin you must install icedtea-web (OpenJDK itself does not contain such a plugin).
  • Required: The rhino package is a dependency of the openjdk/openjre package. It contains the JavaScript engine for OpenJDK.

I will repeat these notes:

  • You need to install either the JRE or the JDK package. Not both of them! If you are not a Java developer and never compile Java code, then you do not need the openjdk package and it will be sufficient to install the (smaller) openjre package instead.
  • If you are migrating to OpenJDK after having used Oracle’s Java binaries, make sure that you have removed both “jre” and “jdk” packages. Run a command like “removepkg /var/log/packages/jdk-* ; removepkg /var/log/packages/jre-*” to get rid of both. Then install the openjdk or openjre package. Logout and log back in after this package removal/installation, so that you will get the proper Java environment.
  • Test your java browser plugin online: http://javatester.org/version.html or http://www.java.com/en/download/testjava.jsp .

After upgrading you should see this when running java or javac:

$ java -version
java version "1.7.0_09"
OpenJDK Runtime Environment (IcedTea7 2.3.4) (Slackware)
OpenJDK 64-Bit Server VM (build 23.2-b09, mixed mode)
$ javac -version
javac 1.7.0_09
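
Because the patched package keeps the OpenJDK version at 7u9 and only the BUILD tag changes, a version check alone cannot tell a fixed install from a vulnerable one. The script below is an added example, not part of the original post: it reads the Slackware package database and reports the build tag, and it also flags leftover Oracle "jdk"/"jre" packages. It assumes the earlier package carried the same 7u9_b30 version string with build 1alien, as the BUILD bump described above implies; the function names and status labels are made up for this example.

```sh
#!/bin/sh
# Added example: audit Slackware's package database for Java packages.
# Entries are named name-version-arch-build.

# Print "STATUS name-version-build" for one entry (nothing if not Java).
classify_pkg() {
    entry=${1##*/}
    build=${entry##*-};  rest=${entry%-*}
    rest=${rest%-*}                          # drop the arch field
    version=${rest##*-}; name=${rest%-*}
    case "$name" in
        jdk|jre) status=ORACLE_LEFTOVER ;;   # the post says to remove these
        openjdk|openjre)
            status=UNKNOWN                   # other version or builder: check by hand
            case "$build" in
                [0-9]*alien)
                    n=${build%%[!0-9]*}      # "2alien" -> 2
                    if [ "$version" = "7u9_b30" ]; then
                        # Assumption: same version string, only BUILD was bumped
                        if [ "$n" -ge 2 ]; then status=PATCHED; else status=UNPATCHED; fi
                    fi ;;
            esac ;;
        *) return 0 ;;
    esac
    echo "$status $name-$version-$build"
}

# Audit a package directory; returns 1 on UNPATCHED or ORACLE_LEFTOVER.
audit_java_pkgs() {
    dir=${1:-/var/log/packages}; rc=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        line=$(classify_pkg "$f")
        [ -n "$line" ] || continue
        echo "$line"
        case "$line" in UNPATCHED*|ORACLE_LEFTOVER*) rc=1 ;; esac
    done
    return $rc
}

# Extract the IcedTea release from `java -version` output read on stdin.
icedtea_release() {
    sed -n 's/.*(IcedTea[0-9]* \([0-9.]*\)).*/\1/p'
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then audit_java_pkgs "${2:-}"; fi
```

To cross-check the running JVM, pipe `java -version 2>&1` into `icedtea_release` and expect 2.3.4; the redirect is needed because `java -version` writes to stderr.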

I tested the new packages with a short game of MineCraft and running JMol… and had no issues.

Good luck! Eric

 

Alien tip: Volume change percentages in KDE

I have felt frustrated at times, when I press the Volume Up/Down buttons on my keyboard and the sound volume in KDE becomes just too loud, or just too soft. When you are running the KDE desktop, the increments in volume change are controlled by KMix, the KDE mixer. By default, the sound volume changes with increments of 4% which means that with a few keypresses you go from almost inaudible sound to full blast. And there is no way to change that 4% increment value into something more fitting… pretty annoying.

Although… something changed with KDE 4.8!

You can change the volume increment value since KDE 4.8, but this option is not exposed in any KDE GUI. Fortunately we Slackers are not afraid to use the vi editor and therefore you can change the increment to any other value (2.5% is a nice comfortable incremental change):

  • Stop the KMix program if it is running (right-click on its icon in the systray and select “Exit”)
  • Open the KMix configuration file in a text editor: “vi $HOME/.kde/share/config/kmixrc”
  • Add the following line to the [Global] section of that file to get a 2.5% increment value instead of the default 4%:
    • VolumePercentageStep=2.5
  • Start KMix again (for instance, Alt-F2 and enter “kmix”)
  • Try your Volume Up/Down buttons – they are more fine-grained now!

Cheers, Eric

KDE 4.9.5 was released. Next should be 4.10.

When I announced the “final release in the 4.9 series” last month I had no idea that there would be another incremental bugfix release… but the KDE 4.9 Release Schedule page was updated shortly after and here we are with KDE Software Compilation 4.9.5! What happened was that too many bugs had crept into the software right before the release of 4.9.4, and these were only discovered after the sources had been officially released. You can check out the release notes if you want to read more about this release of KDE 4.9.

Similar to this rather unexpected extension of the 4.9 series, the developers are also talking about adding an extra Release Candidate before giving the green light to KDE SC 4.10. Several proposals for improvements in Dolphin and Akonadi/nepomuk are considered important enough that these patches should be added before releasing 4.10. This seems to be irritating several other distro packager teams who – unlike Slackware – have fixed release dates and therefore, fixed freeze periods. Well, we don’t suffer from a week’s delay and I would say, add those patches and make 4.10 a solid first release!

In spite of that (my opinion is irrelevant in the above story) the recent slips in the KDE release schedule and discovery of too many critical last-moment bugs make me a bit wary about possible resource issues in the KDE developer community. I hope this is not the start of a trend.

Another thing should be mentioned. I don’t know how many people use Kolab groupware in their organization (or at home) but if you do, you will have noticed that support for Kolab has disappeared from Slackware KDE packages after 4.8.x (meaning that Slackware’s own KDE still supports Kolab groupware). I discussed the lack of Kolab support in KDE 4.9 with one of the people using my packages. Indeed KDE 4.9 and later needs a couple of additional packages in order to be able to support the Kolab groupware server like it did in earlier versions. You will need libkolab, libkolabxml and this in turn needs xerces-c to compile. I added SlackBuild scripts and sources for these kolab dependencies in the “deps” directory of the KDE 4.9.5 sources, and xerces-c can be obtained from slackbuilds.org. So: if you need Kolab support, then you have to build packages for these dependencies (first xerces-c, then libkolabxml, then libkolab) and then rebuild the kdepim-runtime package of KDE 4.9.5.

I have no idea if this will ever end up in Slackware proper but it is not hard to add yourself.

Anyway. On with the show.

As you may expect, the Slackware packages for KDE SC 4.9.5 are ready for download and installation. Remember: my ktown packages for KDE are meant to be used on Slackware-current, since that is what they are built on. But the development of -current still has not deviated too much from the latest stable release (14.0), so that these KDE 4.9.5 packages work without any issue on Slackware 14. That is why you will find the packages in a “14.0” directory.

How to upgrade to KDE 4.9.5? Whether you are upgrading from the stock KDE 4.8.5 of Slackware 14.0/current, or if you are upgrading from my previous 4.9.4 packages, you will find all the installation/upgrade instructions that you need in the accompanying README file.

You are strongly advised to read and follow these instructions!

Highlights for the new set of Slackware packages:

  • You will find five updated dependencies compared to Slackware’s own KDE 4.8.5: akonadi, qt, shared-desktop-ontologies, soprano, virtuoso-ose.
  • Some of the “extragear” of the KDE in Slackware 14/current has been updated with new versions of kdevelop, kdevplatform and oxygen-gtk2.
  • The “extragear” section also introduces two new packages: oxygen-gtk3 (compared to the stable Slackware) which should give any software which uses the GTK+3 widget set a nice integrated look and feel when you run it in KDE; and kio-mtp which is required in order to access and manage files on devices running Android 4.0 and later. I heard that the version which I added to the KDE 4.9.4 set did not work so well, therefore I upgraded to the latest git snapshot. Feedback is welcome.
  • Compared to KDE 4.8.5, there were two package removals:
    • kdemultimedia has been split up into several smaller individual packages.
    • ksecrets has been removed completely in the 4.9.x series.

Download locations (using a mirror is preferred):

Have fun! Eric
