OpenJDK7 update 7 with IcedTea 2.3.2 fixes more flaws
It took a day for the developers to release a new version of IcedTea, fixing another three CVEs (critical security bugs) in OpenJDK 7. New on the fix list are these security fixes:
- CVE-2012-1682: XMLDecoder security issue via ClassFinder
- CVE-2012-3136: Improve long term persistence of java.beans objects
- CVE-2012-0547: Simplify toolkit internals references
Get my packages (Slackware 13.37 and newer) for OpenJDK 7u7_b30 here:
- http://slackware.com/~alien/slackbuilds/openjdk/ , the primary location (but slow)
- http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/openjdk/ , my own fast mirror
- Note that the slackware.org.uk mirror is no longer being updated with my stuff after verbal abuse from its operator. Remove that server from any of your scripts and use another mirror like taper.
If you want a Java browser plugin you should install icedtea-web (OpenJDK itself does not contain such a plugin). You will also need the rhino package which contains the JavaScript engine for OpenJDK.
I will repeat these notes:
- You need to install either the JRE or the JDK package. Not both of them! If you are not a Java developer and never compile Java code, then you do not need the openjdk package and it will be sufficient to install the (much smaller) openjre package instead.
- If you are migrating to OpenJDK after having used Oracle’s Java binaries, make sure that you have removed both “jre” and “jdk” packages. Run a command like “removepkg /var/log/packages/jdk-* ; removepkg /var/log/packages/jre-*” to get rid of both. Then install the openjdk or openjre package. Log out and log back in after this package removal/installation so that you will get the proper Java environment.
- Test your java browser plugin online: http://javatester.org/version.html or http://www.java.com/en/download/testjava.jsp .
Good luck! Eric
Posted: 1 September, 2012 in Slackware, Software.
Tags: cve, java, openjdk
Comments
Comment from gauchao
Posted: September 1, 2012 at 16:50
Thank you, Eric. Everything is working perfectly here (Slack 64 13.37).
Comment from Thomas Løcke
Posted: September 2, 2012 at 09:08
Thanks a lot Eric. These packages work a charm (Slackware64 -current).
Comment from chili
Posted: September 6, 2012 at 04:45
Maybe I am confused, but at the beginning of the article you talk about a new version 2.3.2 of icedtea-web. But I only find version 1.2.1 on your mirrors?
Comment from Jean-Francois Blavier
Posted: September 6, 2012 at 05:30
Hi chili,
IcedTea 2.3.2 is just a build harness for OpenJDK7. You want the resulting package produced by the build, e.g. “openjre-7u7_b30-i486-1alien.txz”
icedtea-web is something else entirely: it is a plugin for web browsers.
Comment from Jean-Francois Blavier
Posted: September 6, 2012 at 05:37
Hi Eric,
Just a note to say that “icedtea-web-1.3” was released Sept 5. These don’t get announced on blog.fuseyism.com.
Comment from Dimitris Tzemos
Posted: September 19, 2012 at 05:31
Hi Eric.
There is a bug in openjre and openjdk.
/usr/bin/javaws doesn’t run.
A link has to be created in folder /usr/lib64/java/ and /usr/lib/java/
ln -sf jre/bin bin
because in file /usr/bin/javaws at first line the JAVA=/usr/lib64/java/bin/java should be JAVA=/usr/lib64/java/jre/bin/java
or for 32 bit
JAVA=/usr/lib/java/jre/bin/java
Comment from alienbob
Posted: September 21, 2012 at 08:12
Hi Dimitris
Yeah I just noticed. The JRE package did not have this problem before… I tested this earlier.
I’ll try to find out what changed and fix this in the next package.
Thanks, Eric

Comment from lukkon
Posted: September 1, 2012 at 15:18
Unfortunately there is a new vulnerability: https://www.computerworld.com/s/article/9230812/Researchers_find_critical_vulnerability_in_Java_7_patch_hours_after_release