New IcedTea for OpenJDK 7u17

To match the recent Oracle security update for its Java platform, Java 7u17, the IcedTea developers have released version 2.3.8 of the IcedTea “build harness”, with which a fresh OpenJDK 7u17 can be built. This 17th update to Java 7 addresses several vulnerabilities, the same ones as Oracle’s update.

It may be worth noting that security experts advise you to disable the Java plugin of your web browser unless you absolutely need it, and in such a case, set the Java Applet security to “high” so that you will be prompted when a Java applet attempts to load in your browser. See for instance the US-CERT statement about these vulnerabilities.

Nevertheless, I think that Java is an important piece of software which a lot of people use and need. After all, the whole world has been complaining for decennia about the vulnerabilities in Sendmail… And that is still widely used, because its vulnerability depends entirely upon the careless administrator (and I still prefer Sendmail over Postfix). Therefore it is only logical that you will get new packages from my repository for the latest OpenJDK.

Anyway.

Here is the list (taken from the mailing list this time because Andrew has not yet updated his blog) of the vulnerabilities which are being addressed by this update, and their CVE numbers:

If you wait a little, you will be able to read all about it on Andrew John Hughes’s blog. GNU/Andrew is the release manager for IcedTea.

Apart from these critical vulnerabilities (one of which was already actively exploited), there are some other bug fixes which are explicitly mentioned:

  • PR1303: Correct #ifdef to #if
  • PR1340: Simplify the rhino class rewriter to avoid use of concurrency
  • Revert 7017193 and add the missing free call, until a better fix is ready.

Packages for OpenJDK 7u17, compiled on Slackware 13.37 (and usable on 13.37 as well as 14.0 and -current!), can be found at the usual locations. Here are a few:

Further packages that are recommended/required:

  • Optional: If you want a Java browser-plugin you must install icedtea-web (OpenJDK itself does not contain such a plugin).
  • Required: The rhino package is a dependency of the openjdk/openjre package. It contains the JavaScript engine for OpenJDK.

Eric

5 thoughts on “New IcedTea for OpenJDK 7u17”



  1. Hey Eric, I saw the ‘icedtea-web’ folder on your FTP is updated to March 15, but the version is still 1.3.1. I wonder if you have compiled version 1.3.8 and didn’t put it on your FTP. The same happened to ‘rhino’. Thanks for your work, a hug from Brazil.


  2. Gustavo, don’t look at the directory timestamps. Only look at the packages.

    Icedtea-web is not the same as IcedTea. Icedtea-web is the separate browser plugin for OpenJDK; it will only work with a version of OpenJDK which has been compiled using IcedTea.

    And IcedTea 2.3.8 was used by me to compile OpenJDK 7u17.

    Eric


