July ’15 OpenJDK security update: 7u85_b01
A new release of IcedTea is available. Version 2.6.1 came right after last week’s 2.6.0, which paved the way for OpenJDK 7 “Update 85 Build 01” (resulting in a Slackware package openjdk-7u85_b01). This latest version of IcedTea encompasses the July 2015 security updates for Java 7. The release announcement can be found on the blog of release maintainer Andrew Hughes.
The upcoming release of IcedTea 3.0.0 will move us to OpenJDK 8, but for now it is Java 7 you’ll still be using if you install my packages. A bit of patience is required.
A list of CVEs is associated with the new release. Here are all security fixes mentioned in the post:
- S8043202, CVE-2015-2808: Prohibit RC4 cipher suites
- S8067694, CVE-2015-2625: Improved certification checking
- S8071715, CVE-2015-4760: Tune font layout engine
- S8071731: Better scaling for C1
- S8072490: Better font morphing redux
- S8072887: Better font handling improvements
- S8073334: Improved font substitutions
- S8073773: Presume path preparedness
- S8073894: Getting to the root of certificate chains
- S8074330: Set font anchors more solidly
- S8074335: Substitute for substitution formats
- S8074865, CVE-2015-2601: General crypto resilience changes
- S8074871: Adjust device table handling
- S8075374, CVE-2015-4748: Responding to OCSP responses
- S8075378, CVE-2015-4749: JNDI DnsClient Exception Handling
- S8075738: Better multi-JVM sharing
- S8075833, CVE-2015-2613: Straighter Elliptic Curves
- S8075838: Method for typing MethodTypes
- S8075853, CVE-2015-2621: Proxy for MBean proxies
- S8076328, CVE-2015-4000: Enforce key exchange constraints
- S8076376, CVE-2015-2628: Enhance IIOP operations
- S8076397, CVE-2015-4731: Better MBean connections
- S8076401, CVE-2015-2590: Serialize OIS data
- S8076405, CVE-2015-4732: Improve serial serialization
- S8076409, CVE-2015-4733: Reinforce RMI framework
- S8077520, CVE-2015-2632: Morph tables into improved form
- PR2487, CVE-2015-4000: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize
Note about usage:
Remember that I release packages for the JRE (runtime) and the JDK (development kit) simultaneously, but you only need to install one of the two. The JRE is sufficient if you only want to run Java programs (including Java web plugins). You need the JDK package only if you want to develop Java programs and need a Java compiler. Get them here.
Optionally: If you want to use Java in a web browser (which supports NPAPI plugins – this excludes Chrome & Chromium but you’ll be OK with all Mozilla [-compatible] browsers) then you’ll have to install my icedtea-web package too. While Oracle’s JDK contains a browser plugin, that one is closed-source and therefore IcedTea offers an open source variant which does a decent job.
If you want to compile this OpenJDK package yourself, you need to install apache-ant additionally. Note that the previous requirements of xalan & xerces packages have been dropped; ant will provide all required build functionality on its own now.
Have fun! Eric