There is a 0-day (zero-day) exploit out for Java7 (both Oracle Java7 and OpenJDK 7).The attack is mounted through your web browser’s Java plugin.
People using Java6 are not affected by the exploit. This includes everybody who is running a stable version of Slackware. There is no more Java in slackware-current, except for a SlackBuild script which wraps the official Oracle Java7 binaries into a Slackware package. This would make your Java7 on slackware-current vulnerable.
People using OpenJDK7/icedtea-web are not vulnerable to a browser based attack since the icedtea-web browser plugin will prevent the privilege escalation. However, the OpenJDK 7u5_b21 package which I have is still flawed.
Unfortunately, Oracle is taking a long time to respond to this threat. Users of OpenJDK are better off. There was an update of the icedtea build framework. The new version 2.3.1 will build OpenJDK 7u6_b30 and that release has been patched for the exploit.
Get my packages (Slackware 13,37 and newer) for OpenJDK 7u6_b30 here:
- http://slackware.com/~alien/slackbuilds/openjdk/ , the primary location (but slow)
- http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/openjdk/ , my own fast mirror
- Note that the slackware.org.uk mirror is no longer being updated with my stuff after verbal abuse from its operator. Remove that server from any of your scripts and use another mirror like taper.
You will find packages for icedtea-web (the mozilla-compatible brwoser plugin) too at those URLs, as well as the mandatory rhino package (the JavaScript engine). Without this, the OpenJDK will not work.
Notes:
- You need to install either the JRE or the JDK package. Not both of them! If you are not a Java developer and never compile Java code, then you do not need the openjdk package and it will be sufficient to install the (much smaller) openjre package instead.
- If you are migrating to OpenJDK after having used Oracle’s Java binaries, make sure that you have removed both “jre” and “jdk” packages. Run a command like “removepkg /var/log/packages/jdk-* ; removepkg /var/log/packages/jre-*” to get rid of both. Then install the openjdk or openjre package. Logout and log back in after this package removal/installation so that you will get the proper Java environment.
- Test your java browser plugin online: http://javatester.org/version.html or http://www.java.com/en/download/testjava.jsp .
Good luck! Eric
Oracle has finally released an upgrade (7u7).
Glad you got an update out so quickly. A little on topic, I haven’t been able to play Minecraft using your openJDK and Minecraft packages since it updated to 1.3. Moth single player with the built in server and multiplayer.
Have you had any problems? This update hasn’t helped.
The [common] jre form works perfectly.
I did notice, and ‘why’ is not entirely clear, that libreoffice 3.5.4 now works much smoother (no lag on opening or ‘calc’ ops in particular) and faster than it did before switching from the old, pre-oracle-license-switch.
Hi Eric,
And just when you thought you could put this aside for a while, … IcedTea 2.3.2 is out 😉
Hi moldavia
I tried it here, by upgrading minecraft to 1.3.2 using my OpenJDK 7u6_b30 (slackware64-current).
Minecraft works fine here, running around in my own single-player world. What does not work for you?
Eric
Hi Jean-Francois
Yeah… compiling as we speak.
Cheers, Eric
Hi Eric,
It seems to be a problem with java security.
From the crash log…
“java.lang.ExceptionInInitializerError
at axv.b(SourceFile:92)
at net.minecraft.server.MinecraftServer.run(SourceFile:291)
at ep.run(SourceFile:539)
Caused by: java.security.ProviderException: Error parsing configuration
at sun.security.pkcs11.Config.getConfig(Config.java:88)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:128)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
at sun.security.jca.Providers.getFullProviderList(Providers.java:176)
at java.security.Security.insertProviderAt(Security.java:362)
at java.security.Security.addProvider(Security.java:409)
at hw.(SourceFile:40)
… 3 more”
Running x86 here, but my current is a bit outdated. I haven’t updated Slackware since a package upgrade in -current broke XFCE 4.6.2. Maybe I’ll try upgrading to RC4. Maybe I’m missing something, or something is outdated.
Hi moldavia
I strongly suggest that you first get updated in your Slackware configuration. If you are running an outdated -current then that may be your problem. XFCE 4.6.2 is no longer part of Slackware-current – there was an update to 4.10 some time ago.
Perhaps it is a lack of upgrading to slackware’s newer ca-certificates package which causes this.
Eric
I was thinking the same thing about openssl and ca-certificates. All updated, and no luck. I’ll keep trying. The latest release, 7u7 didn’t help either. Maybe I’ll try openJRE see if there’s any change.
I think I have tracked it down. From the crash log..
“Caused by: java.io.FileNotFoundException: /usr/lib/java/jre/lib/security/nss.cfg (No such file or directory)”
I don’t know Java enough to say where this file comes from, but it is indeed missing, and not in the package for openJRE or openJDK.
Strange, this.
I had no issues in the past with MineCraft and OpenJRE. The OpenJRE package does not have a nss.cfg file but it seems I will have to add it after the fact (the OpenJDK package _does_ have this file).
You can do the following to fix this issue if you are using the jre package:
For 32-bit Slackware:
# cat </etc/java/nss.cfg
name = NSS
nssLibraryDirectory = /usr/lib/seamonkey
nssDbMode = noDb
attributes = compatibility
EOT
And then create a symlink:
# ln -sf /etc/java/nss.cfg /usr/lib/java/jre/lib/security/nss.cfg
For 64-bit Slackware:
# cat </etc/java/nss.cfg
name = NSS
nssLibraryDirectory = /usr/lib64/seamonkey
nssDbMode = noDb
attributes = compatibility
EOT
And then create a symlink:
# ln -sf /etc/java/nss.cfg /usr/lib64/java/jre/lib/security/nss.cfg
Eric
Success! Sort of. I ran cat command to create the nss.cfg, but it didn’t like it. So, I uninstalled openJRE and reinstalled openJDK 7u7. Everything seems to be working good now. Minecraft will create a single player world without errors now, and I can connect to a multiplayer server.
Thanks for the help, and keep up the great packages!
I had the same problem with Minecraft and OpenJRE recently (openjre-7u7_b30-i486-1alien in fact).
I got java exception not when starting the game, but when trying to create new level (or to load existing).
(For some time minecraft runs internally server when runs in standalone mode.)
java.lang.ExceptionInInitializerError
at axv.b(SourceFile:92)
at net.minecraft.server.MinecraftServer.run(SourceFile:291)
at ep.run(SourceFile:539)
Caused by: java.security.ProviderException: Error parsing configuration
at sun.security.pkcs11.Config.getConfig(Config.java:88)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:128)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:103)
at sun. at hw.(SourceFile:40)reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
…………………………
at hw.(SourceFile:40)
… 3 more
Caused by: java.io.FileNotFoundException: /usr/lib/java/jre/lib/security/nss.cfg (No such file or directory)
…………………………
Obviously missing “nss.cfg” file caused the problem.
I searched previous openjre packages in /var/adm/removed_packages for such file with no success.
So I decided to create one. Got the file from sources, namely “inicedtea-2.3.2” –> “nss.cfg.in”
nss.cfg.in:
—————————————-
name = NSS
nssLibraryDirectory = @NSS_LIBDIR@
nssDbMode = noDb
attributes = compatibility
—————————————–
For some reason java didn’t like “@NSS_LIBDIR@” part:
(may be environment variable NSS_LIBDIR could do the trick?)
java.lang.ExceptionInInitializerError
at axv.b(SourceFile:92)
at net.minecraft.server.MinecraftServer.run(SourceFile:291)
at ep.run(SourceFile:539)
Caused by: java.security.ProviderException: Error parsing configuration
at sun.security.pkcs11.Config.getConfig(Config.java:88)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:128)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:103)
?t hw.(SourceFile:40)
… 3 more
Caused by: sun.security.pkcs11.ConfigurationException: Unexpected value: Token[‘@’], line 2
at sun.security.pkcs11.Config.excToken(Config.java:367)
at sun.security.pkcs11.Config.parseWord(Config.java:528)
at sun.security.pkcs11.Config.parseLine(Config.java:576)
at sun.security.pkcs11.Config.parseLibrary(Config.java:647)
at sun.security.pkcs11.Config.parse(Config.java:425)
at sun.security.pkcs11.Config.(Config.java:216)
at sun.security.pkcs11.Config.getConfig(Config.java:84)
… 20 more
…………………………
After seaching the web for same problem, from another discussion, solution was missing path
to library: “libnss3.so” in above mentioned “nss.cfg”
Well, on my slackware (slightly outdated current) I found the library in these packages:
mozilla-firefox-14.0.1-i486-1_slack13.37
mozilla-thunderbird-14.0-i486-1_slack13.37
seamonkey-2.11-i486-1_slack13.37
seamonkey-solibs-2.11-i486-1_slack13.37
xulrunner-1.9.2.19-i486-1sl
and each was on its own directory ( with the one in xulrunner a little older, from nov’2011 ).
So quick and dirty, I picked the one from firefox package, so my “nss.cfg” finally became:
nss.cfg:
—————————————-
name = NSS
#nssLibraryDirectory = @NSS_LIBDIR@
nssLibraryDirectory = /usr/lib/firefox-14.0.1
nssDbMode = noDb
attributes = compatibility
—————————————–
And voila!!! My minecraft is back up and running!!!
P.S.
—————————————————————————–
Still in openjdk.SlackBuild file
( http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/openjdk/build )
there is lines treating noughty file:
—————————————————————————–
…
cat $PKG1/usr/lib${LIBDIRSUFFIX}/java/jre/lib/security/nss.cfg | sed -e ‘s/seamonkey-.*$/seamonkey/’ > $PKG1/etc/java/nss.cfg.new
ln -sf /etc/java/nss.cfg $PKG1/usr/lib${LIBDIRSUFFIX}/java/jre/lib/security/nss.cfg
…
# The openjre package does not have a nss.cfg:
cat $CWD/slack-desc.jre > $PKG2/install/slack-desc
zcat $CWD/doinst.sh.gz | grep -v nss.cfg.new > $PKG2/install/doinst.sh
…
—————————————————————————–
but in my “/etc/java” a have only these three files:
java.policy
java.security
java.cfg
So in my humble opinion there is going something wrong with package build process.
Hey vsprintf
Had you not seen the post two positions above your own? I explained how to add the nss.cfg there.
The next time I compile a OpenJDK package I will add a nss.cfg file to the JRE.
Eric
Yes I read it, so lot of my post became irrelevant.
According to “openjdk.SlackBuild” though, “nss.cfg” should be in the package anyway.
On the other hand, you can always delete my posts.
Sincerely
Just fyi regarding nss.cfg on Slackware ARM, it’s present in /etc/java, but it’s empty.