About this blog

I am Eric Hameleers, and this is where I think out loud.
More about me.

OpenJDK 7u6_b30 with IcedTea 2.3.1 fixes 0day exploit

There is a 0-day (zero-day) exploit out for Java7 (both Oracle Java7 and OpenJDK 7). The attack is mounted through your web browser’s Java plugin.

People using Java6 are not affected by the exploit. This includes everybody who is running a stable version of Slackware. There is no more Java in slackware-current, except for a SlackBuild script which wraps the official Oracle Java7 binaries into a Slackware package. This would make your Java7 on slackware-current vulnerable.

People using OpenJDK7/icedtea-web are not vulnerable to a browser based attack since the icedtea-web browser plugin will prevent the privilege escalation. However, the OpenJDK 7u5_b21 package which I have is still flawed.

Unfortunately, Oracle is taking a long time to respond to this threat. Users of OpenJDK are better off. There was an update of the icedtea build framework. The new version 2.3.1 will build OpenJDK 7u6_b30 and that release has been patched for the exploit.

Get my packages (Slackware 13.37 and newer) for OpenJDK 7u6_b30 here:

You will find packages for icedtea-web (the mozilla-compatible browser plugin) too at those URLs, as well as the mandatory rhino package (the JavaScript engine). Without this, the OpenJDK will not work.

Notes:

  • You need to install either the JRE or the JDK package. Not both of them! If you are not a Java developer and never compile Java code, then you do not need the openjdk package and it will be sufficient to install the (much smaller) openjre package instead.
  • If you are migrating to OpenJDK after having used Oracle’s Java binaries, make sure that you have removed both “jre” and “jdk” packages. Run a command like “removepkg /var/log/packages/jdk-* ; removepkg /var/log/packages/jre-*” to get rid of both. Then install the openjdk or openjre package. Logout and log back in after this package removal/installation so that you will get the proper Java environment.
  • Test your java browser plugin online: http://javatester.org/version.html or http://www.java.com/en/download/testjava.jsp .

Good luck! Eric

Comments

Comment from sinic
Posted: August 30, 2012 at 18:35

Oracle has finally released an upgrade (7u7).

Pingback from How to install the latest Java in Slackware | It's like my RATTATA is in the top percentage
Posted: August 30, 2012 at 20:59

[...] a Slackware package here (64-bit here). Just follow the instructions in the README file. Again, here is some information about installing [...]

Comment from moldavia
Posted: August 31, 2012 at 02:22

Glad you got an update out so quickly. A little on topic, I haven’t been able to play Minecraft using your openJDK and Minecraft packages since it updated to 1.3. Both single player with the built in server and multiplayer.
Have you had any problems? This update hasn’t helped.

Comment from lazardo
Posted: August 31, 2012 at 07:30

The [common] jre form works perfectly.

I did notice, and ‘why’ is not entirely clear, that libreoffice 3.5.4 now works much smoother (no lag on opening or ‘calc’ ops in particular) and faster than it did before switching from the old, pre-oracle-license-switch.

Comment from Jean-Francois Blavier
Posted: August 31, 2012 at 22:20

Hi Eric,

And just when you thought you could put this aside for a while, … IcedTea 2.3.2 is out ;-)

Comment from alienbob
Posted: September 1, 2012 at 00:10

Hi moldavia

I tried it here, by upgrading minecraft to 1.3.2 using my OpenJDK 7u6_b30 (slackware64-current).
Minecraft works fine here, running around in my own single-player world. What does not work for you?

Eric

Comment from alienbob
Posted: September 1, 2012 at 00:10

Hi Jean-Francois

Yeah… compiling as we speak.

Cheers, Eric

Comment from moldavia
Posted: September 1, 2012 at 02:04

Hi Eric,
It seems to be a problem with java security.
From the crash log…
“java.lang.ExceptionInInitializerError
at axv.b(SourceFile:92)
at net.minecraft.server.MinecraftServer.run(SourceFile:291)
at ep.run(SourceFile:539)
Caused by: java.security.ProviderException: Error parsing configuration
at sun.security.pkcs11.Config.getConfig(Config.java:88)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:128)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
at sun.security.jca.Providers.getFullProviderList(Providers.java:176)
at java.security.Security.insertProviderAt(Security.java:362)
at java.security.Security.addProvider(Security.java:409)
at hw.(SourceFile:40)
… 3 more”

Running x86 here, but my current is a bit outdated. I haven’t updated Slackware since a package upgrade in -current broke XFCE 4.6.2. Maybe I’ll try upgrading to RC4. Maybe I’m missing something, or something is outdated.

Comment from alienbob
Posted: September 1, 2012 at 12:09

Hi moldavia

I strongly suggest that you first get updated in your Slackware configuration. If you are running an outdated -current then that may be your problem. XFCE 4.6.2 is no longer part of Slackware-current – there was an update to 4.10 some time ago.
Perhaps it is a lack of upgrading to slackware’s newer ca-certificates package which causes this.

Eric

Comment from moldavia
Posted: September 2, 2012 at 18:54

I was thinking the same thing about openssl and ca-certificates. All updated, and no luck. I’ll keep trying. The latest release, 7u7 didn’t help either. Maybe I’ll try openJRE see if there’s any change.

Comment from moldavia
Posted: September 2, 2012 at 20:16

I think I have tracked it down. From the crash log..
“Caused by: java.io.FileNotFoundException: /usr/lib/java/jre/lib/security/nss.cfg (No such file or directory)”
I don’t know Java enough to say where this file comes from, but it is indeed missing, and not in the package for openJRE or openJDK.

Comment from alienbob
Posted: September 2, 2012 at 22:32

Strange, this.

I had no issues in the past with MineCraft and OpenJRE. The OpenJRE package does not have a nss.cfg file but it seems I will have to add it after the fact (the OpenJDK package _does_ have this file).

You can do the following to fix this issue if you are using the jre package:

For 32-bit Slackware:

# cat <<EOT > /etc/java/nss.cfg
name = NSS
nssLibraryDirectory = /usr/lib/seamonkey
nssDbMode = noDb
attributes = compatibility
EOT

And then create a symlink:
# ln -sf /etc/java/nss.cfg /usr/lib/java/jre/lib/security/nss.cfg

For 64-bit Slackware:

# cat <<EOT > /etc/java/nss.cfg
name = NSS
nssLibraryDirectory = /usr/lib64/seamonkey
nssDbMode = noDb
attributes = compatibility
EOT

And then create a symlink:
# ln -sf /etc/java/nss.cfg /usr/lib64/java/jre/lib/security/nss.cfg

Eric

Comment from moldavia
Posted: September 3, 2012 at 00:35

Success! Sort of. I ran cat command to create the nss.cfg, but it didn’t like it. So, I uninstalled openJRE and reinstalled openJDK 7u7. Everything seems to be working good now. Minecraft will create a single player world without errors now, and I can connect to a multiplayer server.
Thanks for the help, and keep up the great packages!

Comment from vsprintf
Posted: September 5, 2012 at 19:59

I had the same problem with Minecraft and OpenJRE recently (openjre-7u7_b30-i486-1alien in fact).

I got a Java exception not when starting the game, but when trying to create a new level (or to load an existing one).
(For some time now, Minecraft has run a server internally when running in standalone mode.)

java.lang.ExceptionInInitializerError
at axv.b(SourceFile:92)
at net.minecraft.server.MinecraftServer.run(SourceFile:291)
at ep.run(SourceFile:539)
Caused by: java.security.ProviderException: Error parsing configuration
at sun.security.pkcs11.Config.getConfig(Config.java:88)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:128)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
…………………………
at hw.(SourceFile:40)
… 3 more
Caused by: java.io.FileNotFoundException: /usr/lib/java/jre/lib/security/nss.cfg (No such file or directory)
…………………………

Obviously the missing “nss.cfg” file caused the problem.
I searched previous openjre packages in /var/adm/removed_packages for such a file with no success.
So I decided to create one. Got the file from sources, namely “inicedtea-2.3.2” –> “nss.cfg.in”

nss.cfg.in:
—————————————-
name = NSS
nssLibraryDirectory = @NSS_LIBDIR@
nssDbMode = noDb
attributes = compatibility
—————————————–

For some reason Java didn’t like the “@NSS_LIBDIR@” part:
(maybe the environment variable NSS_LIBDIR could do the trick?)

java.lang.ExceptionInInitializerError
at axv.b(SourceFile:92)
at net.minecraft.server.MinecraftServer.run(SourceFile:291)
at ep.run(SourceFile:539)
Caused by: java.security.ProviderException: Error parsing configuration
at sun.security.pkcs11.Config.getConfig(Config.java:88)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:128)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:103)
at hw.(SourceFile:40)
… 3 more
Caused by: sun.security.pkcs11.ConfigurationException: Unexpected value: Token['@'], line 2
at sun.security.pkcs11.Config.excToken(Config.java:367)
at sun.security.pkcs11.Config.parseWord(Config.java:528)
at sun.security.pkcs11.Config.parseLine(Config.java:576)
at sun.security.pkcs11.Config.parseLibrary(Config.java:647)
at sun.security.pkcs11.Config.parse(Config.java:425)
at sun.security.pkcs11.Config.(Config.java:216)
at sun.security.pkcs11.Config.getConfig(Config.java:84)
… 20 more
…………………………

After searching the web for the same problem, from another discussion, the solution was the missing path
to the library “libnss3.so” in the above-mentioned “nss.cfg”.

Well, on my slackware (slightly outdated current) I found the library in these packages:

mozilla-firefox-14.0.1-i486-1_slack13.37
mozilla-thunderbird-14.0-i486-1_slack13.37
seamonkey-2.11-i486-1_slack13.37
seamonkey-solibs-2.11-i486-1_slack13.37
xulrunner-1.9.2.19-i486-1sl

and each was in its own directory ( with the one in xulrunner a little older, from nov’2011 ).

So quick and dirty, I picked the one from firefox package, so my “nss.cfg” finally became:

nss.cfg:
—————————————-
name = NSS
#nssLibraryDirectory = @NSS_LIBDIR@
nssLibraryDirectory = /usr/lib/firefox-14.0.1
nssDbMode = noDb
attributes = compatibility
—————————————–

And voila!!! My minecraft is back up and running!!!

P.S.
—————————————————————————–
Still, in the openjdk.SlackBuild file
( http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/openjdk/build )
there are lines treating the naughty file:

—————————————————————————–

cat $PKG1/usr/lib${LIBDIRSUFFIX}/java/jre/lib/security/nss.cfg | sed -e 's/seamonkey-.*$/seamonkey/' > $PKG1/etc/java/nss.cfg.new
ln -sf /etc/java/nss.cfg $PKG1/usr/lib${LIBDIRSUFFIX}/java/jre/lib/security/nss.cfg

# The openjre package does not have a nss.cfg:
cat $CWD/slack-desc.jre > $PKG2/install/slack-desc
zcat $CWD/doinst.sh.gz | grep -v nss.cfg.new > $PKG2/install/doinst.sh

—————————————————————————–

but in my “/etc/java” I have only these three files:
java.policy
java.security
java.cfg

So in my humble opinion there is something going wrong with the package build process.

Comment from alienbob
Posted: September 5, 2012 at 21:15

Hey vsprintf

Had you not seen the post two positions above your own? I explained how to add the nss.cfg there.

The next time I compile an OpenJDK package I will add a nss.cfg file to the JRE.

Eric

Comment from vsprintf
Posted: September 6, 2012 at 10:24

Yes I read it, so a lot of my post became irrelevant.
According to “openjdk.SlackBuild” though, “nss.cfg” should be in the package anyway.
On the other hand, you can always delete my posts.

Sincerely

Pingback from Installing JAVA to Slackware64 14.0 | Xathrya Sabertooth
Posted: January 15, 2013 at 14:21

[...] a Slackware package here (64-bit here). Just follow the instructions in the README file. Again, here is some information about installing [...]

Comment from _marc
Posted: August 9, 2013 at 12:46

Just fyi regarding nss.cfg on Slackware ARM, it’s present in /etc/java, but it’s empty.
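
A check for the failure modes reported in this thread (nss.cfg missing, empty, still containing the @NSS_LIBDIR@ template token, or naming a directory without libnss3.so), given here as an added example; it is not part of the original post or of the SlackBuild. The function name and return codes are this example's own convention.

```shell
#!/bin/sh
# check_nss_cfg FILE
# Validates a SunPKCS11/NSS config like the nss.cfg files quoted in this thread.
# Return codes (this example's own convention):
#   0 ok
#   1 file missing (or a dangling symlink)
#   2 file empty
#   3 leftover @TOKEN@ from an unprocessed template such as nss.cfg.in
#   4 no nssLibraryDirectory setting
#   5 the named directory has no libnss3.so
check_nss_cfg() {
    cfg=$1
    if [ ! -e "$cfg" ]; then echo "missing: $cfg"; return 1; fi
    if [ ! -s "$cfg" ]; then echo "empty: $cfg"; return 2; fi
    # Skip comment lines, then look for unsubstituted build-time placeholders.
    if grep -v '^[[:space:]]*#' "$cfg" | grep -q '@[A-Za-z_][A-Za-z0-9_]*@'; then
        echo "unsubstituted template token in $cfg"; return 3
    fi
    # Last active nssLibraryDirectory value, trailing whitespace trimmed.
    dir=$(sed -n -e 's/[[:space:]]*$//' \
        -e 's/^[[:space:]]*nssLibraryDirectory[[:space:]]*=[[:space:]]*//p' \
        "$cfg" | tail -n 1)
    if [ -z "$dir" ]; then echo "no nssLibraryDirectory in $cfg"; return 4; fi
    if [ ! -e "$dir/libnss3.so" ]; then
        echo "no libnss3.so in $dir"; return 5
    fi
    echo "ok: $cfg -> $dir/libnss3.so"
}

# Command-line use: sh check_nss_cfg.sh /usr/lib/java/jre/lib/security/nss.cfg
if [ "$#" -gt 0 ]; then check_nss_cfg "$1"; fi
```

A versioned path such as /usr/lib/firefox-14.0.1 passes only while that directory exists; once a package upgrade removes it, the same file fails with code 5.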
