About this blog

I am Eric Hameleers, and this is where I think out loud.

Update for OpenJDK 7 with IcedTea 2.3.4 plugs 0-day exploit.

The past week was buzzing with the 0-day exploit for Oracle's Java browser plugin, but according to CERT, OpenJDK was affected by the underlying bug as well. Oracle "hastily" patched this critical vulnerability in Java 7 Update 11 (the exploit seen in the wild is tracked as CVE-2013-0422; the same update also addressed the related CVE-2012-3174), although it now seems that only this particular attack vector was closed while the underlying weakness remains, leaving the way open to other exploits.

Come what may, an update of IcedTea followed soon after, and it builds OpenJDK packages which incorporate fixes for the vulnerability. The version of IcedTea which I use (upped to 2.3.4) builds an OpenJDK 7 Update 9 package, the same version as we already have (no idea why they did not lift the update version to 10 or 11, unless this was a hasty fix for this particular 0-day exploit). So what I did for my openjdk and openjre packages was increase the package BUILD number from "1alien" to "2alien", so that upgradepkg sees a different package name and will upgrade you to the new package.

It appears that one of the main developers, GNU.Andrew (Andrew John Hughes from Red Hat), has not yet updated his blog with news of the new IcedTea releases. The mailing list announcement was his, so I expect that he will update his blog with all the details soon.

Here is the list of fixes in the IcedTea 2.3.4 build of OpenJDK 7u9 (security fixes first):

  • Security fixes:
    • S8004933, CVE-2012-3174: Improve MethodHandle interaction with libraries
    • S8006017, CVE-2013-0422: Improve lookup resolutions
    • S8006125: Update MethodHandles library interactions
  • Backports:
    • S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32 bit shifts
  • Bug fixes:
    • G422525: Fix building with PaX enabled kernels.

Get my packages (Slackware 13.37 and newer) for OpenJDK 7u9_b30 build 2alien here and upgrade as soon as you can:

Further packages that are recommended/required:

  • Optional: If you want a Java browser-plugin you must install icedtea-web (OpenJDK itself does not contain such a plugin).
  • Required: The rhino package is a dependency of the openjdk/openjre package. It contains the JavaScript engine for OpenJDK.

I will repeat these notes:

  • You need to install either the JRE or the JDK package. Not both of them! If you are not a Java developer and never compile Java code, then you do not need the openjdk package and it will be sufficient to install the (smaller) openjre package instead.
  • If you are migrating to OpenJDK after having used Oracle's Java binaries, make sure that you have removed both "jre" and "jdk" packages. Run a command like "removepkg /var/log/packages/jdk-* ; removepkg /var/log/packages/jre-*" to get rid of both. Then install the openjdk or openjre package. Log out and log back in after this package removal/installation, so that you will get the proper Java environment (the profile scripts that set JAVA_HOME and PATH are only read at login).
  • Test your Java browser plugin online: http://javatester.org/version.html or http://www.java.com/en/download/testjava.jsp .

After upgrading you should see this when running java or javac:

$ java -version
java version "1.7.0_09"
OpenJDK Runtime Environment (IcedTea7 2.3.4) (Slackware)
OpenJDK 64-Bit Server VM (build 23.2-b09, mixed mode)
$ javac -version
javac 1.7.0_09
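Two things in this post are easy to get wrong on a real box: whether upgradepkg will actually pick up a package whose version did not change (only the build tag went from 1alien to 2alien), and whether the Oracle "jdk"/"jre" packages are really gone and only one of openjdk/openjre is installed before you trust the java -version banner. The script below is an added example, not part of the original post or of the package scripts; it emulates upgradepkg's name comparison and audits a package directory against the notes above. The package entry names in the sample directory are constructed for the demo (the real ones live in /var/log/packages), and the Oracle package names "jdk" and "jre" are the ones the post tells you to remove.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Slackware install for
# the OpenJDK migration notes above. Package names are assumed to follow
# Slackware's name-version-arch-build layout, e.g. openjdk-7u9_b30-x86_64-2alien.

# Split a package name from the right: the last three fields are version,
# arch and build; everything before them (which may contain '-') is the name.
pkg_valid()   { case $1 in *-*-*-*) return 0 ;; *) return 1 ;; esac; }
pkg_build()   { pkg_valid "$1" || return 1; printf '%s\n' "${1##*-}"; }
pkg_arch()    { pkg_valid "$1" || return 1; local b; b=${1%-*}; printf '%s\n' "${b##*-}"; }
pkg_version() { pkg_valid "$1" || return 1; local b; b=${1%-*}; b=${b%-*}; printf '%s\n' "${b##*-}"; }
pkg_name()    { pkg_valid "$1" || return 1; local b; b=${1%-*}; b=${b%-*}; printf '%s\n' "${b%-*}"; }

# Print the installed entry in directory $1 (normally /var/log/packages)
# whose package name is exactly $2; return 1 if there is none.
installed_name() {
    local dir want entry
    dir=$1; want=$2
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        entry=${entry##*/}
        [ "$(pkg_name "$entry")" = "$want" ] || continue
        printf '%s\n' "$entry"
        return 0
    done
    return 1
}

# Emulate upgradepkg's decision: it compares the full package name, so the
# same version with a new build tag still counts as an upgrade.
# Returns 0 = would upgrade, 1 = identical package already installed,
# 2 = not installed at all (upgradepkg skips it without --install-new).
upgrade_needed() {
    local dir cand installed
    dir=$1
    cand=${2##*/}          # drop any directory part
    cand=${cand%.t?z}      # drop .txz/.tgz/.tbz/.tlz
    installed=$(installed_name "$dir" "$(pkg_name "$cand")") || return 2
    [ "$installed" != "$cand" ] || return 1
    return 0
}

# Oracle's packages are named "jdk" and "jre"; OpenJDK's are "openjdk" and
# "openjre". Prints any Oracle entries still installed; returns 1 if found.
oracle_leftovers() {
    local found n
    found=0
    for n in jdk jre; do
        installed_name "$1" "$n" && found=1
    done
    [ "$found" -eq 0 ]
}

# The notes say to install openjdk or openjre, never both: 0 = conflict.
openjdk_conflict() {
    installed_name "$1" openjdk >/dev/null && installed_name "$1" openjre >/dev/null
}

# Check a 'java -version' banner for the expected update and IcedTea release.
check_java_banner() {
    case $1 in *"java version \"$2\""*) ;; *) return 1 ;; esac
    case $1 in *"OpenJDK Runtime Environment (IcedTea7 $3)"*) return 0 ;; *) return 1 ;; esac
}

# Constructed stand-in for /var/log/packages: an old-build openjdk, its
# dependencies, and a leftover Oracle jre (entry names invented for the demo).
sample_pkgdir() {
    local d p
    d=$(mktemp -d) || return 1
    for p in openjdk-7u9_b30-x86_64-1alien rhino-1.7r4-x86_64-1alien \
             icedtea-web-1.3.1-x86_64-1alien jre-7u10-x86_64-1; do
        : > "$d/$p"
    done
    printf '%s\n' "$d"
}

# The banner from the post, used here instead of running java itself.
BANNER='java version "1.7.0_09"
OpenJDK Runtime Environment (IcedTea7 2.3.4) (Slackware)
OpenJDK 64-Bit Server VM (build 23.2-b09, mixed mode)'

DIR=$(sample_pkgdir)
upgrade_needed "$DIR" openjdk-7u9_b30-x86_64-2alien.txz \
    && echo "openjdk: build tag changed, upgradepkg will replace the installed package"
oracle_leftovers "$DIR" \
    || echo "remove the Oracle package(s) listed above before installing openjdk/openjre"
openjdk_conflict "$DIR" && echo "both openjdk and openjre are installed: keep only one"
check_java_banner "$BANNER" 1.7.0_09 2.3.4 && echo "java -version banner matches IcedTea7 2.3.4"
rm -rf "$DIR"
```

On a real system, replace the sample directory with /var/log/packages and the constructed banner with "$(java -version 2>&1)"; a banner that still shows the old IcedTea release after the upgrade usually means an Oracle package or a stale profile script is still first in PATH, which is what the log-out/log-in advice above is about.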

I tested the new packages with a short game of Minecraft and by running Jmol... and had no issues.

Good luck! Eric

Comments

Comment from weput
Posted: January 16, 2013 at 01:07

Thank you Eric

Comment from Mike Langdon (mlangdn)
Posted: January 16, 2013 at 01:33

Thanks Eric!

Comment from Ignacio P.
Posted: January 16, 2013 at 20:52

Thanks Eric!!

You rock!

Long life to Slackware!! :P

Comment from DEF
Posted: January 17, 2013 at 01:20

Thanks !
By any chance, will you also update the Slackware ARM package ?

Comment from alienbob
Posted: January 17, 2013 at 09:59

Hi DEF

Rebuilding the slackwarearm package is a task for MoZes (Stuart Winter). I gave him the updated sources and he has already built a new package. I assume that it will hit his repository soon.

Eric

Comment from Eduardo
Posted: January 17, 2013 at 19:16

Thank you Eric!

Comment from gegechris99
Posted: January 17, 2013 at 22:40

Thank you Eric for the timely update of openjre

I see only icedtea-web 1.3.1 on server taper.alienbase.nl. Is it just a sync issue?

Comment from gegechris99
Posted: January 17, 2013 at 22:44

Sorry about misguided comment on IcedTea-web.

I read too quickly your post which mentioned IcedTea 2.3.4 to build openJDK (and not IcedTea-web).
