Day: April 22, 2013

Hot on the heels of the Oracle release of its Java SE 7 Update 21, there is a new icedtea version which brings the free and open source version of Java – OpenJDK – to version 7 Update 21 as well. The OpenJDK 7u21 release addresses several vulnerabilities.

The announcement was made on the mailing list first, but Andrew John Hughes wrote a more official blurb on his blog.

Here is the list (taken from Andrew’s post) of the vulnerabilities which have been plugged and their CVE numbers:

• S6657673, CVE-2013-1518: Issues with JAXP
• S8000724, CVE-2013-2417: Improve networking serialization
• S8001031, CVE-2013-2419: Better font processing
• S8001040, CVE-2013-1537: Rework RMI model
• S8001329, CVE-2013-1557: Augment RMI logging
• S8003543, CVE-2013-2415: Improve processing of MTOM attachments
• S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
• S8004986, CVE-2013-2383: Better handling of glyph table
• S8004987, CVE-2013-2384: Improve font layout
• S8004994, CVE-2013-1569: Improve checking of glyph table
• S8006435, CVE-2013-2424: Improvements in JMX
• S8007617, CVE-2013-2420: Better validation of images
• S8007667, CVE-2013-2430: Better image reading
• S8007918, CVE-2013-2429: Better image writing
• S8009049, CVE-2013-2436: Better method handle binding
• S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
• S8009305, CVE-2013-0401: Improve AWT data transfer
• S8009677, CVE-2013-2423: Better setting of setters
• S8009699, CVE-2013-2421: Methodhandle lookup
• S8009814, CVE-2013-1488: Better driver management
• S8009857, CVE-2013-2422: Problem with plugin

My packages for OpenJDK have been compiled on Slackware 13.37 (and are useable on 13.37 as well as 14.0 and -current!). Get them preferably from a mirror site:

• http://alien.slackbook.org/slackbuilds/openjdk/ , the primary location (bandwidth-capped)
• http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/openjdk/ , my own fast mirror

I am happy to announce that I was able to build an ARM version of the OpenJDK again. The build with the “cacao” VM was failing for several months now, and I switched to the “jamvm” which is a small (but fully compliant), efficient Java virtual Machine with JIT compiler.. Sources and packages to be found at http://taper.alienbase.nl/mirrors/alienarm/

Further packages that are recommended/required:

• Optional: If you want a Java browser-plugin you must install icedtea-web (OpenJDK itself does not contain such a plugin). Note that I updated my icedtea-web package less than a week ago, which pugs a few vulnerabilities (CVE-2013-1927 and CVE-2013-1926 to be precise).
• Required: The rhino package is a dependency of the openjdk/openjre package. It contains the JavaScript engine for OpenJDK.

Eric