My thoughts on Slackware, life and everything

Month: April 2016 (Page 1 of 2)

April security updates for (open) Java 7 and 8

Updates are available both for Java 7 and Java 8. These updates sync the OpenJDK releases to the April 2016 updates from Oracle’s Java.

Java 8

The recently released icedtea-3.0.1 builds OpenJDK 8u91_b14 aka Java 8 Update 91, with security fixes for the CVEs related to Oracle’s April 2016 updates:

  • S8129952, CVE-2016-0686: Ensure thread consistency
  • S8132051, CVE-2016-0687: Better byte behavior
  • S8138593, CVE-2016-0695: Make DSA more fair
  • S8139008: Better state table management
  • S8143167, CVE-2016-3425: Better buffering of XML strings
  • S8143945, CVE-2016-3426: Better GCM validation
  • S8144430, CVE-2016-3427: Improve JMX connections
  • S8146494: Better ligature substitution
  • S8146498: Better device table adjustments

Java 8 contains its own JavaScript engine so there is no longer a dependency on a separate “rhino” package.

Download locations:

Java 7

If your applications are not yet ready for Java 8, I still maintain the Java 7 packages under new names: “openjdk7” and “openjre7”. Note that my Java 7 and Java 8 packages (e.g. openjdk7 and openjdk) cannot co-exist on your computer because they use the same installation directory.

The icedtea-2.6.6 release builds OpenJDK 7u101_b00 aka Java 7 Update 101. There’s a list of security fixes attached to this release, almost identical to the Java 8 list:

  • S8129952, CVE-2016-0686: Ensure thread consistency
  • S8132051, CVE-2016-0687: Better byte behavior
  • S8138593, CVE-2016-0695: Make DSA more fair
  • S8139008: Better state table management
  • S8143167, CVE-2016-3425: Better buffering of XML strings
  • S8144430, CVE-2016-3427: Improve JMX connections
  • S8146494: Better ligature substitution
  • S8146498: Better device table adjustments

The Java 7 package (openjre7 as well as openjdk7) has one dependency: rhino provides JavaScript support for OpenJDK.

Download locations:

Note about usage:

Remember that I release packages for the JRE (runtime environment) and the JDK (development kit) simultaneously, but you only need to install one of the two. The JRE is sufficient if you only want to run Java programs (including Java web plugins). Only if you want to develop Java programs and need a Java compiler do you need the JDK package.

Optionally: If you want to use Java in a web browser then you’ll have to install my icedtea-web package too. While Oracle’s JDK contains a browser plugin, that one is closed-source and therefore Icedtea offers an open source variant which does a decent job. Note that icedtea-web is an NPAPI plugin – this prevents use of Java in Chrome & Chromium because those browsers only support PPAPI plugins, but you’ll be OK with all Mozilla [-compatible] browsers of course.

Have fun! Eric

KDE 5_16.04 for Slackware-current

You may already have tried it through the PLASMA5 variant of the Slackware Live Edition which I uploaded yesterday, and here is the announcement of the addition of KDE 5_16.04 to my ‘ktown’ repository – the April release of the combined KDE Frameworks 5.21.0, Plasma 5.6.3 and Applications 16.04.0.

What’s new in KDE 5_16.04?

  • Frameworks 5.21.0 is an enhancement release with one new framework: kactivities-stats. See https://www.kde.org/announcements/kde-frameworks-5.21.0.php
  • Plasma 5.6.3 is the third iteration of the 5.6 series, a jump from the previous 5.5.x release in my repository. I have upgraded Qt5 to 5.6.0 to accompany this Plasma release. Lots of visual improvements, the task manager is much more informative about running tasks and the weather applet is back…
  • Two packages were removed that I had added to ‘plasma-extra’ to cover the period after the release of Frameworks 5.20.0 and before Plasma 5.6.0. The package ‘kactivities-workspace’ has been absorbed into the Plasma and Applications packages, and ‘kactivitymanagerd’ is now part of Plasma itself. See https://www.kde.org/announcements/plasma-5.6.3.php .
  • Applications 16.04.0 was just released. KColorChooser, KFloppy, KMahjongg and KRDC have now been ported to KDE Frameworks 5, and the Kontact Suite (KDEPIM) has been subject to massive bughunting (and -fixing). Lots of PIM related libraries were split-off into their own source tarballs, resulting in 16 new packages. For the announcement, see https://www.kde.org/announcements/announce-applications-16.04.0.php .
  • KDE Telepathy now officially has a voice & video GUI application. Previously I shipped a beta release of the “ktp-call-ui” package. Also I upgraded or recompiled the complete stack of “deps/telepathy” packages.
  • ktorrent (and libktorrent) have also been ported to KF5, and packages for these have been added to kde/applications-extra/ .
  • Phonon, and its plugins for gstreamer and VLC backends, have been upgraded offering improvements for the Qt5 build, better volume slider and muting support, and use of the VLC 2.2 API. Remember, if you actually want to use the VLC backend for phonon you will have to install a VLC package separately (it is not included with the ‘ktown’ releases).
  • And finally (as hinted before), QT5 was updated to the latest release 5.6.0. A new package was also added (qt5-webkit) because the Qt5 WebKit source code has been removed from Qt5 since 5.6.0 and it needs to be compiled/packaged separately now.
  • New source tarballs I did not compile into packages: minuet (music education software) because it required several additional dependencies; breeze-grub (a theme for GRUB which blends in with the Plasma 5 theme).
  • I removed the “kde-workspace” package from “kde/kde4” because I think it is no longer needed. Let me know if that was an incorrect assumption.

Installing or upgrading Frameworks 5, Plasma 5 and Applications

You can skip the remainder of the article if you already have my Plasma 5 installed and are familiar with the upgrade process. Otherwise, stay with me and read the rest.

As always, the accompanying README file contains full installation & upgrade instructions. Note that the packages are available in several subdirectories below “kde”, instead of directly in “kde”. This makes it easier for me to do partial updates of packages. The subdirectories are “kde4”, “kde4-extragear”, “frameworks”, “kdepim”, “plasma”, “plasma-extra”, “applications”, “applications-extra” and “telepathy”.

Upgrading to this KDE 5 is not difficult, especially if you already are running KDE 5_16.02. You will have to remove old KDE 4 packages manually. If you do not have KDE 4 installed at all, you will have to install some of Slackware’s own KDE 4 packages manually.

Note:

If you are using slackpkg+, have already moved to KDE 5_16.01 and are adventurous, you can try upgrading using the following set of commands. This should “mostly” work but you still need to check the package lists displayed by slackpkg to verify that you are upgrading all the right packages. Feel free to send me improved instructions if needed. In the example below I am assuming that you tagged my KDE 5 repository with the name “ktown_testing” in the configuration file “/etc/slackpkg/slackpkgplus.conf”:
# slackpkg update
# slackpkg install ktown_testing (to get the newly added packages from my repo)
# slackpkg install-new (to get the new official Slackware packages that were part of my deps previously)
# slackpkg upgrade ktown_testing (upgrade all existing packages to their latest versions)
# removepkg xembed-sni-proxy ktux amor kde-base-artwork kde-wallpapers kdeartwork (they don’t exist in the repo anymore)
# slackpkg upgrade-all (upgrade the remaining dependencies that were part of my repo previously)

And double-check that you have not inadvertently blacklisted my packages in “/etc/slackpkg/blacklist”! Check for the existence of a line in that blacklist file that looks like “[0-9]+alien” and remove it if you find it!

Recommended reading material

There have been several posts now about KDE 5 for Slackware-current. All of them contain useful information, tips and gotchas that I do not want to repeat here, but if you want to read them, here they are: http://alien.slackbook.org/blog/tag/kde5/

A note on Frameworks

The KDE Frameworks are extensions on top of Qt 5.x and their usability is not limited to the KDE Software Collection. There are other projects such as LXQT which rely (in part) on the KDE Frameworks, and if you are looking for a proper Frameworks repository which is compatible with Slackware package managers such as slackpkg+, then you can use these URLs to get the latest Frameworks packages for Slackware-current (indeed, this is a sub-tree of my KDE 5 “testing” repository):

Where to get the new packages for Plasma 5

Download locations are listed below (you will find the sources in ./source/5/ and packages in /current/5/ subdirectories). If you are interested in the development of KDE 5 for Slackware, you can peek at my git repository too.

Using a mirror is preferred because you get more bandwidth from a mirror and it’s friendlier to the owners of the master server!

Have fun! Eric

Slackware Live Edition Beta 8

Yesterday I uploaded new ISO images for the Slackware Live Edition. They are based on the liveslak scripts version 0.8.0 (beta 8). This version of Slackware Live Edition is using Slackware64-current dated “Fri Apr 15 20:37:37 UTC 2016” as the base. Indeed, that is Slackware 14.2 Release Candidate 2, we are getting nearer a stable release.

For background info on my project “Slackware Live Edition” please read the previous articles.

I created an ISO for the following Live OS variants:

  • SLACKWARE (full Slackware, no 3rd party software)
  • XFCE (trimmed-down but quite functional version of Slackware, fits on a CDROM media)
  • PLASMA5 (full Slackware minus KDE4, and then extended with Plasma 5 and packages from the AlienBOB repository such as calibre, chromium, ffmpeg, libreoffice, openjdk, p7zip, qbittorrent, veracrypt, vlc)
  • MATE (full Slackware minus KDE4, and then extended with the Mate Desktop Environment)

What’s new in 0.8.0?

The ISO images I mentioned above are all 64bit. This time, to humor the complainer on LQ who felt insulted because I was neglecting 32bit Slackware users, I have added a 32bit version of the SLACKWARE variant too.

New functionality of the Live OS:

  • Two new boot parameters “nfsroot” and “nic” add support for network booting the Live OS (PXE client).
    The Live filesystem will be assembled from squashfs modules located on a NFS export. A network-booted Live OS will have no persistence due to a limitation still present in the overlayfs (no writable filesystem layer on NFS). See the documentation on how to use this new network-boot feature.
    A future version of liveslak will allow you to run Slackware Live Edition as a PXE server as well as a PXE client. You can bring a single USB stick to a LAN party and in a few minutes’ time, all computers (connected through cables and switches) will be running your Slackware Live Edition…
  • The “setup2hd” hard disk installer was largely re-written to address a ‘logical error’ in determining what needed to be installed. This time, the script will really and properly install the full OS minus the Live modifications to your hard drive.
  • More customization options were added to liveslak, for those who develop their own variant of Slackware Live. This includes a “post-installation hook” in the “setup2hd” script which allows you to write a custom post-installation script that does things I do not want to add to the setup2hd script itself.
    The purpose of these customizations is that you do not have to edit the liveslak scripts themselves which makes it easier to maintain your custom product as I keep developing liveslak.
  • The initrd.img file is now compressed with XZ instead of GZIP. This reduces its size by roughly 30% – which is the space I needed to add network kernel modules and firmware to the initrd in order to support network booting. The XFCE ISO still fits on a CDROM!
    I could not detect longer boot-up times due to the switch to XZ compression.
  • An option was added to enable 32bit EFI support in the 32bit version of Slackware Live Edition – however this is disabled by default, since UEFI-capable computers are 64bit machines and you should probably be using the 64bit OS then.
  • Small improvements and bug fixes were applied to liveslak. Check out the commit log if you are interested.

Download the ISO images

As stated above, you can choose between several variants of Slackware Live Edition. There are ISO images for the SLACKWARE, XFCE, PLASMA5 and MATE flavours using the latest Slackware-current packages available (Fri Apr 15 20:37:37 UTC 2016) as well as the latest Plasma 5 release which I have yet to upload to ‘ktown’ (Frameworks 5.21.0, Plasma 5.6.3 and Applications 16.04.0 on top of Qt5 5.6.0). And Mate was updated to 1.14.

Download locations for the ISO images plus their MD5 checksum and GPG signature should be available soon at any of the following locations – look in the “0.8.0” subdirectory for ISOs based on the liveslak-0.8.0 scripts. I made a symlink called “latest” which will always point to the latest set of ISO images.
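As an added example (not a script from the author or the liveslak project), here is how a practitioner could check a downloaded ISO against its MD5 checksum and its GPG signature before booting it. It assumes the checksum ships as "<iso>.md5" in md5sum format and the signature as a detached "<iso>.asc"; the demo files it builds are constructed, not real ISOs.

```shell
#!/bin/sh
# Added example, not part of liveslak. The MD5 check only detects download
# corruption; only the GPG signature (verified against the packager's public
# key already in your keyring) tells you the ISO is the one that was published.

# Compare the md5sum of $1 with the hash in its .md5 file ($2, default "$1.md5").
# Only the first field is used, so the file name inside the .md5 file may differ.
verify_iso_md5() {
    iso="$1"
    md5file="${2:-$iso.md5}"
    [ -f "$iso" ] && [ -f "$md5file" ] || return 2
    expected=$(awk 'NR==1 {print $1}' "$md5file")
    actual=$(md5sum "$iso" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Verify the detached GPG signature ($2, default "$1.asc") over the ISO.
# Returns 2 when gpg or the signature file is missing, 1 on a bad signature.
verify_iso_sig() {
    iso="$1"
    sigfile="${2:-$iso.asc}"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    [ -f "$sigfile" ] || { echo "missing signature file $sigfile" >&2; return 2; }
    gpg --verify "$sigfile" "$iso" 2>/dev/null
}

# Constructed demo data: a good "ISO" with a matching .md5 and a tampered copy
# that reuses the same .md5 file. Prints the directory that holds them.
make_demo() {
    dir=$(mktemp -d)
    printf 'constructed ISO payload\n' > "$dir/demo.iso"
    (cd "$dir" && md5sum demo.iso > demo.iso.md5)
    printf 'constructed ISO payload, tampered\n' > "$dir/bad.iso"
    cp "$dir/demo.iso.md5" "$dir/bad.iso.md5"
    echo "$dir"
}

# Stand-alone run: the good file passes, the tampered one must fail.
demo_dir=$(make_demo)
verify_iso_md5 "$demo_dir/demo.iso" && echo "demo.iso: MD5 OK"
verify_iso_md5 "$demo_dir/bad.iso" || echo "bad.iso: MD5 MISMATCH"
verify_iso_sig "$demo_dir/demo.iso" || echo "demo.iso: signature not verified (rc=$?)"
```

In real use, run verify_iso_sig with the packager's public key imported first; a passing MD5 check with a missing or failing signature should be treated as unverified.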

Good to know when you boot the ISO

The Slackware Live Edition comes with two user accounts: user ‘root’ (with password ‘root’) and user ‘live’ (with password ‘live’). My advice: login as user live and use “su” or “sudo” to get root access.
Note: the “su” and “sudo” commands will ask for the ‘live’ user’s password!

Consult the documentation for assistance with the various boot parameters you can use to tailor the Live OS to your needs.

Slackware Live Edition is able to boot both on BIOS-based computers (where syslinux takes care of the boot menu) and UEFI systems (where grub builds the boot menu, which looks quite similar to the syslinux menu):


I will soon update the original blog article (http://alien.slackbook.org/blog/slackware-live-edition/) because that is what most sites are linking to. The information in there does not reflect liveslak’s current capabilities and may present the wrong picture. I will save the original article under a different name.

Spinoffs

  • There is now a Live ISO for people who want to experiment with the Cinelerra CV non-linear video editor. It is using the liveslak scripts and all the customization I enabled in those scripts. It is called CINELIVE, see https://cinelerra-cv.org/cinelive.php .
  • FluxFlux , a Linux Live for older computers, plans to switch to liveslak: https://fluxflux.net/?p=647 but the project seems to be stalled for the moment.

Have fun! Eric

Chromium turns 50 (where’s the cake)

Five days ago, Chromium 50 was announced on the Google Chrome Releases blog. The 64bit package was built soon after, but then I needed my server’s processing power for the new KDE Plasma5 releases that have become available (Frameworks, Plasma) or will soon become available (Applications) and those required an update of the Qt5 package to 5.6.0… timeconsuming to build I can assure you! Especially if the build fails right at the end of 7 hours of compilation and a patch needs to be written…

So reserving time to compile the 32bit package for chromium took a while. And remember, even though I can still provide a 32bit Chromium browser, Google has ceased providing a 32bit version of their own Chrome browser – which means, no more updates to the 32bit PepperFlash and Widevine plugins.

This new release (50.0.2661.75) addresses a couple of security issues – some of these have a CVE number:

  • [$7500][590275] High CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous.
  • [$5000][589792] High CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han.
  • [591785] Medium CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding. Credit to kdot working with HP’s Zero Day Initiative.
  • [$1500][589512] Medium CVE-2016-1654: Uninitialized memory read in media. Credit to Atte Kettunen of OUSPG.
  • [$1500][582008] Medium CVE-2016-1655: Use-after-free related to extensions. Credit to Rob Wu.
  • [$500][570750] Medium CVE-2016-1656: Android downloaded file path restriction bypass. Credit to Dzmitry Lukyanenko.
  • [$1000][567445] Medium CVE-2016-1657: Address bar spoofing. Credit to Luan Herrera.
  • [$500][573317] Low CVE-2016-1658: Potential leak of sensitive information to malicious extensions. Credit to Antonio Sanso (@asanso) of Adobe.
  • [602697] CVE-2016-1659: Various fixes from internal audits, fuzzing and other initiatives.


As always, it is strongly advised to upgrade to this new version of Chromium. Get my chromium packages in one of the usual locations:

The widevine and pepperflash plugin packages for chromium can be found in the same repository. The 64bit versions of these plugins were both updated with new libraries extracted from the official Google Chrome for Linux.

Have fun! Eric

Icedtea 3.0.0 brings Java 8 to Slackware

Finally! IcedTea 3.0.0 has been released and it compiles OpenJDK 8u77.

Java 8 has been available for considerable time, but I have been waiting for icedtea to support it before creating packages. According to release maintainer Andrew Hughes the main cause for this delay was having to start from scratch due to the new build system and basically lack of time.

I want to use IcedTea as a “build harness” for OpenJDK because it makes openjdk interoperate with the free icedtea-web browser plugin and adds support for Java Virtual Machines for other architectures than just x86 and x86_64 (CACAO and JamVM in addition to Hotspot). Note that in this initial release of the icedtea-built OpenJDK, the alternative Java VMs are crash-prone – only Hotspot works properly. This means that currently OpenJDK for the ARM platform will be pretty slow because Hotspot is a zero-assembler VM.

So, Slackers can now upgrade their machines to OpenJDK 8 “Update 77 Build 03”. The Slackware packages are openjdk-8u77_b03 and openjre-8u77_b03. Get them from a mirror location below.

No security fixes and CVEs to report this time, since this is a first release. An icedtea-3.0.1 release with security fixes is expected in two weeks.

Java 7

For those of you who are not ready to migrate to Java 8, I have renamed the previous openjdk/openjre 7 packages to “openjdk7” and “openjre7”. Please use openjdk7 instead of openjdk (likewise, use openjre7 instead of openjre) and be aware that the Java 7 and Java 8 packages (e.g. openjdk7 and openjdk) cannot co-exist on your computer because they use the same installation directory. If you think that is an issue and you want – or need – to have both installed simultaneously, let me know in a comment to this article.

Note about usage:

Remember that I release packages for the JRE (runtime environment) and the JDK (development kit) simultaneously, but you only need to install one of the two. The JRE is sufficient if you only want to run Java programs (including Java web plugins). Only if you want to develop Java programs and need a Java compiler do you need the JDK package.

The Java package (openjre as well as openjdk) has one dependency: rhino provides JavaScript support for OpenJDK. Rhino used to be an external dependency but since OpenJDK 8 it is internalized through the “nashorn” library.

Optionally: If you want to use Java in a web browser then you’ll have to install my icedtea-web package too. While Oracle’s JDK contains a browser plugin, that one is closed-source and therefore Icedtea offers an open source variant which does a decent job. Note that icedtea-web is an NPAPI plugin – this prevents use of Java in Chrome & Chromium because those browsers only support PPAPI plugins, but you’ll be OK with all Mozilla [-compatible] browsers of course.

Download locations:

Have fun! Eric
