Hot on the heels of the Oracle release of its Java SE 7 Update 21, there is a new IcedTea version which brings the free and open source version of Java – OpenJDK – to version 7 Update 21 as well. The OpenJDK 7u21 release addresses several vulnerabilities.
The announcement was made on the mailing list first, but Andrew John Hughes wrote a more official blurb on his blog.
Here is the list (taken from Andrew’s post) of the vulnerabilities which have been plugged and their CVE numbers:
- S6657673, CVE-2013-1518: Issues with JAXP
- S8000724, CVE-2013-2417: Improve networking serialization
- S8001031, CVE-2013-2419: Better font processing
- S8001040, CVE-2013-1537: Rework RMI model
- S8001329, CVE-2013-1557: Augment RMI logging
- S8003543, CVE-2013-2415: Improve processing of MTOM attachments
- S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames
- S8004986, CVE-2013-2383: Better handling of glyph table
- S8004987, CVE-2013-2384: Improve font layout
- S8004994, CVE-2013-1569: Improve checking of glyph table
- S8006435, CVE-2013-2424: Improvements in JMX
- S8007617, CVE-2013-2420: Better validation of images
- S8007667, CVE-2013-2430: Better image reading
- S8007918, CVE-2013-2429: Better image writing
- S8009049, CVE-2013-2436: Better method handle binding
- S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap
- S8009305, CVE-2013-0401: Improve AWT data transfer
- S8009677, CVE-2013-2423: Better setting of setters
- S8009699, CVE-2013-2421: Methodhandle lookup
- S8009814, CVE-2013-1488: Better driver management
- S8009857, CVE-2013-2422: Problem with plugin
My packages for OpenJDK have been compiled on Slackware 13.37 (and are useable on 13.37 as well as 14.0 and -current!). Get them preferably from a mirror site:
- http://alien.slackbook.org/slackbuilds/openjdk/ , the primary location (bandwidth-capped)
- http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/openjdk/ , my own fast mirror
I am happy to announce that I was able to build an ARM version of the OpenJDK again. The build with the “cacao” VM had been failing for several months, and I switched to “jamvm”, which is a small (but fully compliant), efficient Java Virtual Machine with JIT compiler. Sources and packages can be found at http://taper.alienbase.nl/mirrors/alienarm/
Further packages that are recommended/required:
- Optional: If you want a Java browser plugin you must install icedtea-web (OpenJDK itself does not contain such a plugin). Note that I updated my icedtea-web package less than a week ago, which plugs a few vulnerabilities (CVE-2013-1927 and CVE-2013-1926 to be precise).
- Required: The rhino package is a dependency of the openjdk/openjre package. It contains the JavaScript engine for OpenJDK.
Eric