OpenJDK 7u6_b30 with IcedTea 2.3.1 fixes 0day exploit

 There is a 0-day (zero-day) exploit out for Java7 (both Oracle Java7 and OpenJDK 7).The attack is mounted through your web browser’s Java plugin.

People using Java6 are not affected by the exploit. This includes everybody who is running a stable version of Slackware. There is no more Java in slackware-current, except for a SlackBuild script which wraps the official Oracle Java7 binaries into a Slackware package. This would make your Java7 on slackware-current vulnerable.

People using OpenJDK7/icedtea-web are not vulnerable to a browser based attack since the icedtea-web browser plugin will prevent the privilege escalation. However, the OpenJDK 7u5_b21 package which I have is still flawed.

Unfortunately, Oracle is taking a long time to respond to this threat. Users of OpenJDK are better off. There was an update of the icedtea build framework. The new version 2.3.1 will build OpenJDK 7u6_b30 and that release has been patched for the exploit.

Get my packages (Slackware 13,37 and newer) for OpenJDK 7u6_b30 here:

You will find packages for icedtea-web (the mozilla-compatible brwoser plugin) too at those URLs, as well as the mandatory rhino package (the JavaScript engine). Without this, the OpenJDK will not work.

Notes:

  • You need to install either the JRE or the JDK package. Not both of them! If you are not a Java developer and never compile Java code, then you do not need the openjdk package and it will be sufficient to install the (much smaller) openjre package instead.
  • If you are migrating to OpenJDK after having used Oracle’s Java binaries, make sure that you have removed both “jre” and “jdk” packages. Run a command like “removepkg /var/log/packages/jdk-* ; removepkg /var/log/packages/jre-*” to get rid of both. Then install the openjdk or openjre package. Logout and log back in after this package removal/installation so that you will get the proper Java environment.
  • Test your java browser plugin online: http://javatester.org/version.html or http://www.java.com/en/download/testjava.jsp .

Good luck! Eric

19 thoughts on “OpenJDK 7u6_b30 with IcedTea 2.3.1 fixes 0day exploit


  1. Pingback: How to install the latest Java in Slackware | It's like my RATTATA is in the top percentage

  2. Glad you got an update out so quickly. A little on topic, I haven’t been able to play Minecraft using your openJDK and Minecraft packages since it updated to 1.3. Moth single player with the built in server and multiplayer.
    Have you had any problems? This update hasn’t helped.


  3. The [common] jre form works perfectly.

    I did notice, and ‘why’ is not entirely clear, that libreoffice 3.5.4 now works much smoother (no lag on opening or ‘calc’ ops in particular) and faster than it did before switching from the old, pre-oracle-license-switch.


  4. Hi Eric,

    And just when you thought you could put this aside for a while, … IcedTea 2.3.2 is out 😉


  5. Hi moldavia

    I tried it here, by upgrading minecraft to 1.3.2 using my OpenJDK 7u6_b30 (slackware64-current).
    Minecraft works fine here, running around in my own single-player world. What does not work for you?

    Eric



  6. Hi Eric,
    It seems to be a problem with java security.
    From the crash log…
    “java.lang.ExceptionInInitializerError
    at axv.b(SourceFile:92)
    at net.minecraft.server.MinecraftServer.run(SourceFile:291)
    at ep.run(SourceFile:539)
    Caused by: java.security.ProviderException: Error parsing configuration
    at sun.security.pkcs11.Config.getConfig(Config.java:88)
    at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:128)
    at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:103)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
    at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
    at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
    at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
    at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
    at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
    at sun.security.jca.Providers.getFullProviderList(Providers.java:176)
    at java.security.Security.insertProviderAt(Security.java:362)
    at java.security.Security.addProvider(Security.java:409)
    at hw.(SourceFile:40)
    … 3 more”

    Running x86 here, but my current is a bit outdated. I haven’t updated Slackware since a package upgrade in -current broke XFCE 4.6.2. Maybe I’ll try upgrading to RC4. Maybe I’m missing something, or something is outdated.


  7. Hi moldavia

    I strongly suggest that you first get updated in your Slackware configuration. If you are running an outdated -current then that may be your problem. XFCE 4.6.2 is no longer part of Slackware-current – there was an update to 4.10 some time ago.
    Perhaps it is a lack of upgrading to slackware’s newer ca-certificates package which causes this.

    Eric


  8. I was thinking the same thing about openssl and ca-certificates. All updated, and no luck. I’ll keep trying. The latest release, 7u7 didn’t help either. Maybe I’ll try openJRE see if there’s any change.


  9. I think I have tracked it down. From the crash log..
    “Caused by: java.io.FileNotFoundException: /usr/lib/java/jre/lib/security/nss.cfg (No such file or directory)”
    I don’t know Java enough to say where this file comes from, but it is indeed missing, and not in the package for openJRE or openJDK.


  10. Strange, this.

    I had no issues in the past with MineCraft and OpenJRE. The OpenJRE package does not have a nss.cfg file but it seems I will have to add it after the fact (the OpenJDK package _does_ have this file).

    You can do the following to fix this issue if you are using the jre package:

    For 32-bit Slackware:

    # cat < /etc/java/nss.cfg
    name = NSS
    nssLibraryDirectory = /usr/lib/seamonkey
    nssDbMode = noDb
    attributes = compatibility
    EOT

    And then create a symlink:
    # ln -sf /etc/java/nss.cfg /usr/lib/java/jre/lib/security/nss.cfg

    For 64-bit Slackware:

    # cat < /etc/java/nss.cfg
    name = NSS
    nssLibraryDirectory = /usr/lib64/seamonkey
    nssDbMode = noDb
    attributes = compatibility
    EOT

    And then create a symlink:
    # ln -sf /etc/java/nss.cfg /usr/lib64/java/jre/lib/security/nss.cfg

    Eric


  11. Success! Sort of. I ran cat command to create the nss.cfg, but it didn’t like it. So, I uninstalled openJRE and reinstalled openJDK 7u7. Everything seems to be working good now. Minecraft will create a single player world without errors now, and I can connect to a multiplayer server.
    Thanks for the help, and keep up the great packages!


  12. I had the same problem with Minecraft and OpenJRE recently (openjre-7u7_b30-i486-1alien in fact).

    I got java exception not when starting the game, but when trying to create new level (or to load existing).
    (For some time minecraft runs internally server when runs in standalone mode.)

    java.lang.ExceptionInInitializerError
    at axv.b(SourceFile:92)
    at net.minecraft.server.MinecraftServer.run(SourceFile:291)
    at ep.run(SourceFile:539)
    Caused by: java.security.ProviderException: Error parsing configuration
    at sun.security.pkcs11.Config.getConfig(Config.java:88)
    at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:128)
    at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:103)
    at sun. at hw.(SourceFile:40)reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    …………………………
    at hw.(SourceFile:40)
    … 3 more
    Caused by: java.io.FileNotFoundException: /usr/lib/java/jre/lib/security/nss.cfg (No such file or directory)
    …………………………

    Obviously missing “nss.cfg” file caused the problem.
    I searched previous openjre packages in /var/adm/removed_packages for such file with no success.
    So I decided to create one. Got the file from sources, namely “inicedtea-2.3.2” –> “nss.cfg.in”

    nss.cfg.in:
    —————————————-
    name = NSS
    nssLibraryDirectory = @NSS_LIBDIR@
    nssDbMode = noDb
    attributes = compatibility
    —————————————–

    For some reason java didn’t like “@NSS_LIBDIR@” part:
    (may be environment variable NSS_LIBDIR could do the trick?)

    java.lang.ExceptionInInitializerError
    at axv.b(SourceFile:92)
    at net.minecraft.server.MinecraftServer.run(SourceFile:291)
    at ep.run(SourceFile:539)
    Caused by: java.security.ProviderException: Error parsing configuration
    at sun.security.pkcs11.Config.getConfig(Config.java:88)
    at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:128)
    at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:103)
    ьt hw.(SourceFile:40)
    … 3 more
    Caused by: sun.security.pkcs11.ConfigurationException: Unexpected value: Token[‘@’], line 2
    at sun.security.pkcs11.Config.excToken(Config.java:367)
    at sun.security.pkcs11.Config.parseWord(Config.java:528)
    at sun.security.pkcs11.Config.parseLine(Config.java:576)
    at sun.security.pkcs11.Config.parseLibrary(Config.java:647)
    at sun.security.pkcs11.Config.parse(Config.java:425)
    at sun.security.pkcs11.Config.(Config.java:216)
    at sun.security.pkcs11.Config.getConfig(Config.java:84)
    … 20 more
    …………………………

    After seaching the web for same problem, from another discussion, solution was missing path
    to library: “libnss3.so” in above mentioned “nss.cfg”

    Well, on my slackware (slightly outdated current) I found the library in these packages:

    mozilla-firefox-14.0.1-i486-1_slack13.37
    mozilla-thunderbird-14.0-i486-1_slack13.37
    seamonkey-2.11-i486-1_slack13.37
    seamonkey-solibs-2.11-i486-1_slack13.37
    xulrunner-1.9.2.19-i486-1sl

    and each was on its own directory ( with the one in xulrunner a little older, from nov’2011 ).

    So quick and dirty, I picked the one from firefox package, so my “nss.cfg” finally became:

    nss.cfg:
    —————————————-
    name = NSS
    #nssLibraryDirectory = @NSS_LIBDIR@
    nssLibraryDirectory = /usr/lib/firefox-14.0.1
    nssDbMode = noDb
    attributes = compatibility
    —————————————–

    And voila!!! My minecraft is back up and running!!!

    P.S.
    —————————————————————————–
    Still in openjdk.SlackBuild file
    ( http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/openjdk/build )
    there is lines treating noughty file:

    —————————————————————————–

    cat $PKG1/usr/lib${LIBDIRSUFFIX}/java/jre/lib/security/nss.cfg | sed -e ‘s/seamonkey-.*$/seamonkey/’ > $PKG1/etc/java/nss.cfg.new
    ln -sf /etc/java/nss.cfg $PKG1/usr/lib${LIBDIRSUFFIX}/java/jre/lib/security/nss.cfg

    # The openjre package does not have a nss.cfg:
    cat $CWD/slack-desc.jre > $PKG2/install/slack-desc
    zcat $CWD/doinst.sh.gz | grep -v nss.cfg.new > $PKG2/install/doinst.sh

    —————————————————————————–

    but in my “/etc/java” a have only these three files:
    java.policy
    java.security
    java.cfg

    So in my humble opinion there is going something wrong with package build process.


  13. Hey vsprintf

    Had you not seen the post two positions above your own? I explained how to add the nss.cfg there.

    The next time I compile a OpenJDK package I will add a nss.cfg file to the JRE.

    Eric


  14. Yes I read it, so lot of my post became irrelevant.
    According to “openjdk.SlackBuild” though, “nss.cfg” should be in the package anyway.
    On the other hand, you can always delete my posts.

    Sincerely


  15. Pingback: Installing JAVA to Slackware64 14.0 | Xathrya Sabertooth


  16. Pingback: Installing JAVA to Slackware64 14.0 - Xathrya.ID

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.