Main menu:

Sponsoring

Please consider a small donation:

 

 

Or you can donate bitcoin:

 

Thanks to TekLinks in Birmingham, AL, for providing colocation and bandwidth.

Page Rank

Fame

FOSS Force Best Blog--2013 Award

Recent posts

Recent comments

About this blog

I am Eric Hameleers, and this is where I think out loud.
More about me.

Search

My Favourites

Slackware

Calendar

December 2014
M T W T F S S
« Nov    
1234567
891011121314
15161718192021
22232425262728
293031  

RSS Alien's Slackware packages

RSS Alien's unofficial KDE Slackware packages

RSS Alien's multilib packages

Meta

OpenJDK 7u13_b20 available: a security update

The icedtea “build harness” which I use to compile my OpenJDK and icedtea-web packages had a series of updates past week. Icedtea is available in several flavours, and it is able to build OpenJDK versions of Java 6 and 7 (and pre-release versions of Java 8 even, but that is beside the point here).

Several updates for icedtea 1.x (the version which creates OpenJDK 6 binaries) were released last week, mainly because it had been a year since the last release and updates were long overdue.

Andrew John Hughes, the release manager for Icedtea, had originally planned for icedtea 2.x releases as well, last week, but apparently the patches submitted by Oracle caused regressions which took their time to be fixed. Eventually, there is a new release: icedtea-2.3.6 builds an OpenJDK 7u13_b20. That version number (Java 7 Update 13) brings OpenJDK back in line with the versioning of Oracle’s binary-only Java. Note that this “update 13″ does not really mean OpenJDK is equal to the Oracle release. Icedtea adds a lot of patches and additional functionality to the OpenJDK. Icedtea also allows for the compilation of an open-source equivalent of Oracle’s closed-source Java Browser Applet: icedtea-web.

An impressive lists of vulnerabilities which have been plugged by the OpenJDK 7u13 release:

 * S6563318, CVE-2013-0424: RMI data sanitization
* S6664509, CVE-2013-0425: Add logging context
* S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
* S6776941: CVE-2013-0427: Improve thread pool shutdown
* S7141694, CVE-2013-0429: Improving CORBA internals
* S7173145: Improve in-memory representation of splashscreens
* S7186945: Unpack200 improvement
* S7186946: Refine unpacker resource usage
* S7186948: Improve Swing data validation
* S7186952, CVE-2013-0432: Improve clipboard access
* S7186954: Improve connection performance
* S7186957: Improve Pack200 data validation
* S7192392, CVE-2013-0443: Better validation of client keys
* S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
* S7192977, CVE-2013-0442: Issue in toolkit thread
* S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
* S7200491: Tighten up JTable layout code
* S7200493, CVE-2013-0444: Improve cache handling
* S7200499: Better data validation for options
* S7200500: Launcher better input validation
* S7201064: Better dialogue checking
* S7201066, CVE-2013-0441: Change modifiers on unused fields
* S7201068, CVE-2013-0435: Better handling of UI elements
* S7201070: Serialization to conform to protocol
* S7201071, CVE-2013-0433: InetSocketAddress serialization issue
* S8000210: Improve JarFile code quality
* S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
* S8000539, CVE-2013-0431: Introspect JMX data handling
* S8000540, CVE-2013-1475: Improve IIOP type reuse management
* S8000631, CVE-2013-1476: Restrict access to class constructor
* S8001235, CVE-2013-0434: Improve JAXP HTTP handling
* S8001242: Improve RMI HTTP conformance
* S8001307: Modify ACC_SUPER behavior
* S8001972, CVE-2013-1478: Improve image processing
* S8002325, CVE-2013-1480: Improve management of images

But this version of IcedTea supposedly also brings a fix for building on ARM architectures using Zero’s HotSpot – all patches apply again. I hope Stuart Winter will be happy.

Packages for OpenJDK, compiled on Slackware 13.37 (and useable on 13.37 as well as 14.0 and -current!), can be found at the usual locations.  Here are a few:

Further packages that are recommended/required:

  • Optional: If you want a Java browser-plugin you must install icedtea-web (OpenJDK itself does not contain such a plugin).
  • Required: The rhino package is a dependency of the openjdk/openjre package. It contains the JavaScript engine for OpenJDK.

I will repeat these notes:

  • You need to install either the JRE or the JDK package. Not both of them! If you are not a Java developer and never compile Java code, then you do not need the openjdk package and it will be sufficient to install the (smaller) openjre package instead.
  • If you are migrating to OpenJDK after having used Oracle’s Java binaries, make sure that you have removed both “jre” and “jdk” packages. Run a command like “removepkg /var/log/packages/jdk-* ; removepkg /var/log/packages/jre-*” to get rid of both. Then install the openjdk or openjre package. Logout and log back in after this package removal/installation, so that you will get the proper Java environment.
  • Test your java browser plugin online: http://javatester.org/version.html or http://www.java.com/en/download/testjava.jsp .

After upgrading you should see this when running java or javac:

$ java -version
java version “1.7.0_13″
OpenJDK Runtime Environment (IcedTea7 2.3.6) (Slackware)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)
$ javac -version
javac 1.7.0_13

I tested the new packages with a short game of MineCraft and running JMol… and had no issues.

Eric

 

Write a comment