My thoughts on Slackware, life and everything

April security updates for (open) Java 7 and 8

Updates are available for both Java 7 and Java 8. These updates sync the OpenJDK releases to the April 2016 updates from Oracle’s Java.

Java 8

The recently released icedtea-3.0.1 builds OpenJDK 8u91_b14 aka Java 8 Update 91, with security fixes and CVEs related to Oracle’s April 2016 updates:

  • S8129952, CVE-2016-0686: Ensure thread consistency
  • S8132051, CVE-2016-0687: Better byte behavior
  • S8138593, CVE-2016-0695: Make DSA more fair
  • S8139008: Better state table management
  • S8143167, CVE-2016-3425: Better buffering of XML strings
  • S8143945, CVE-2016-3426: Better GCM validation
  • S8144430, CVE-2016-3427: Improve JMX connections
  • S8146494: Better ligature substitution
  • S8146498: Better device table adjustments

Java 8 contains its own JavaScript engine so there is no longer a dependency on a separate “rhino” package.

Download locations:

Java 7

If your applications are not yet ready for Java 8, I still maintain the Java 7 packages under new names: “openjdk7” and “openjre7”. Note that my Java 7 and Java 8 packages (e.g. openjdk7 and openjdk) cannot co-exist on your computer because they use the same installation directory.

The icedtea-2.6.6 release builds OpenJDK 7u101_b00 aka Java 7 Update 101. There’s a list of security fixes attached to this release, almost identical to the Java 8 list:

  • S8129952, CVE-2016-0686: Ensure thread consistency
  • S8132051, CVE-2016-0687: Better byte behavior
  • S8138593, CVE-2016-0695: Make DSA more fair
  • S8139008: Better state table management
  • S8143167, CVE-2016-3425: Better buffering of XML strings
  • S8144430, CVE-2016-3427: Improve JMX connections
  • S8146494: Better ligature substitution
  • S8146498: Better device table adjustments

The Java 7 package (openjre7 as well as openjdk7) has one dependency: rhino provides JavaScript support for OpenJDK.

Download locations:

Note about usage:

Remember that I release packages for the JRE (runtime environment) and the JDK (development kit) simultaneously, but you only need to install one of the two. The JRE is sufficient if you only want to run Java programs (including Java web plugins). You need the JDK package only if you want to develop Java programs and need a Java compiler.

Optionally: If you want to use Java in a web browser then you’ll have to install my icedtea-web package too. While Oracle’s JDK contains a browser plugin, that one is closed-source and therefore Icedtea offers an open source variant which does a decent job. Note that icedtea-web is an NPAPI plugin – this prevents use of Java in Chrome & Chromium because those browsers only support PPAPI plugins, but you’ll be OK with all Mozilla [-compatible] browsers of course.
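
To confirm after upgrading that the runtime on a machine is at the update level named above (Java 8 Update 91 or Java 7 Update 101), the following check parses the `java -version` banner. It is an added example, not part of the original post or the IcedTea project; the function name `java_update_status` and the variable names are chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify a `java -version`
# banner against the update levels this post names.
# Assumes the Java 7/8 version format 1.<major>.0_<update>, e.g. 1.8.0_91.

# Minimum patched update per major version, taken from the post.
MIN_UPDATE_JAVA8=91
MIN_UPDATE_JAVA7=101

# java_update_status BANNER -> prints patched | outdated | unknown
java_update_status() {
    # The quoted version string sits on the first line of the banner.
    ver=$(printf '%s\n' "$1" | sed -n '1s/.*version "\([^"]*\)".*/\1/p')

    case "$ver" in
        1.8.0*) min=$MIN_UPDATE_JAVA8 ;;
        1.7.0*) min=$MIN_UPDATE_JAVA7 ;;
        *) echo unknown; return 0 ;;   # not Java 7/8, or no version found
    esac

    case "$ver" in
        *_[0-9]*)
            update=${ver##*_}            # "91-b14" or "91"
            update=${update%%[!0-9]*}    # keep leading digits only
            ;;
        *) update=0 ;;                   # GA build without an update suffix
    esac

    if [ "$update" -ge "$min" ]; then
        echo patched
    else
        echo outdated
    fi
}
```

Call it as `java_update_status "$(java -version 2>&1)"`; `java -version` writes its banner to stderr, hence the redirect.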

Have fun! Eric

11 Comments

  1. Jen

    Many thanks for this and all you do!

  2. Mike Langdon

    Thanks Eric!

  3. Andrew

    The release notes for these are now up; http://bitly.com/it20606 and http://bitly.com/it30001

  4. alienbob

    Thanks Andrew, I have applied those URLs to the main article.

  5. Cristian

    This is unrelated to the Java security updates but related to GCC.

    Today I checked the Distrowatch website for Ubuntu GNOME and I saw GCC 5.3.1 as officially listed there.

    I already emailed the Slackware project about this update to GCC. I think more people should know about it and let’s get 5.3.1 to be the final GCC version for Slackware 14.2

    Version 5.3.1 somehow is not listed on the official GNU page for GCC yet Ubuntu GNOME seems to have it.

    Let’s make some noise to get the deal done.

    Thanks

  6. Cristian

    The website is:

    http://distrowatch.com/table.php?distribution=ubuntugnome

    gcc (6.1.0) 5.3.1 5.2.1 4.9.2 4.9.1 4.8.2 4.8.1 4.7.3

  7. alienbob

    Cristian

    There is no GCC 5.3.1 release. Ubuntu can say all they want, but they are not the GCC developers.

  8. Cristian

    Pat just replied to my email. He said that the version I saw is just what the distribution chose to use from a private build. He said that it is not an official release and thus unsupported. So, in this case 5.3.0 is here to stay for the final Slackware 14.2 release as Pat indicated in the email.

  9. gegechris99

    Hello,

    There seems to be an issue with md5sum of rhino package for 64bit current. I cannot install the package using slackpkg. Please refer to this post in LQ: http://www.linuxquestions.org/questions/slackware-14/slackpkg-vs-third-party-package-repository-4175427364/page36.html#post5540838

  10. alienbob

    I will update the rhino package, that will take care of things.
    That .asc file for rhino is more than 4 years old so I guess something hiccuped when generating the most recent CHECKSUMS.md5 repository file.

  11. gegechris99

    Thanks. I just updated the new rhino package using slackpkg.


© 2024 Alien Pastures
