Security update: OpenJDK 7u55 (created with icedtea 2.4.7)

On “patch tuesday”, two days ago, Oracle released their April update of the Java SE platform.

The new version of Java is “7 update 55” and addresses several vulnerabilities. The IcedTea team have now prepared version 2.4.7 of their OpenJDK build framework which will compile an OpenJDK version in sync with Oracle’s release. Please read the announcement on Andrew’s blog for all the release details.

Update 55 Build 14 of OpenJDK 7  addresses these critical issues:

* Security fixes:

• S8023046: Enhance splashscreen support
• S8025005: Enhance CORBA initializations
• S8025010, CVE-2014-2412: Enhance AWT contexts
• S8025030, CVE-2014-2414: Enhance stream handling
• S8025152, CVE-2014-0458: Enhance activation set up
• S8026067: Enhance signed jar verification
• S8026163, CVE-2014-2427: Enhance media provisioning
• S8026188, CVE-2014-2423: Enhance envelope factory
• S8026200: Enhance RowSet Factory
• S8026716, CVE-2014-2402: (aio) Enhance asynchronous channel handling
• S8026736, CVE-2014-2398: Enhance Javadoc pages
• S8026797, CVE-2014-0451: Enhance data transfers
• S8026801, CVE-2014-0452: Enhance endpoint addressing
• S8027766, CVE-2014-0453: Enhance RSA processing
• S8027775: Enhance ICU code.
• S8027841, CVE-2014-0429: Enhance pixel manipulations
• S8028385: Enhance RowSet Factory
• S8029282, CVE-2014-2403: Enhance CharInfo set up
• S8029286: Enhance subject delegation
• S8029699: Update Poller demo
• S8029730: Improve audio device additions
• S8029735: Enhance service mgmt natives
• S8029740, CVE-2014-0446: Enhance handling of loggers
• S8029745, CVE-2014-0454: Enhance algorithm checking
• S8029750: Enhance LCMS color processing (in-tree LCMS)
• S8029760, CVE-2013-6629: Enhance AWT image libraries (in-tree libjpeg)
• S8029844, CVE-2014-0455: Enhance argument validation
• S8029854, CVE-2014-2421: Enhance JPEG decodings
• S8029858, CVE-2014-0456: Enhance array copies
• S8030731, CVE-2014-0460: Improve name service robustness
• S8031330: Refactor ObjectFactory
• S8031335, CVE-2014-0459: Better color profiling (in-tree LCMS)
• S8031352, CVE-2013-6954: Enhance PNG handling (in-tree libpng)
• S8031394, CVE-2014-0457: (sl) Fix exception handling in ServiceLoader
• S8031395: Enhance LDAP processing
• S8032686, CVE-2014-2413: Issues with method invoke
• S8033618, CVE-2014-1876: Correct logging output
• S8034926, CVE-2014-2397: Attribute classes properly
• S8036794, CVE-2014-0461: Manage JavaScript instances

Please update your installed openjdk or openjre packages with this new version! You’ll notice that browsers like Firefox and Chrome/Chromium no longer load Java applets by default and ask you for explicit approval to load and run them.

You can visit the following URL after you upgraded your OpenJDK package (assuming you also upgraded to my latest icedtea-web package): http://java.com/en/download/testjava.jsp to verify that your Java plus the web plugin are working properly.

Get my packages – they have been compiled on Slackware 13.37 and are usable on 13.37 as well as 14.0, 14.1 and -current! Get them preferably from a mirror site (faster downloads):

• http://slackware.com/~alien/slackbuilds/openjdk/ , the primary location
• http://alien.slackbook.org/slackbuilds/openjdk/ , the community mirror (bandwidth-capped)
• http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/openjdk/ , my own fast US mirror
• http://slackware.org.uk/people/alien/slackbuilds/openjdk/ , fast UK mirror, needs a day to get in sync

Further packages that are recommended/required:

• Optional: If you want a Java browser-plugin you must install icedtea-web (OpenJDK itself does not contain such a plugin).
• Required: The rhino package is a dependency of the openjdk/openjre package. It contains the JavaScript engine for OpenJDK.

Note that you should only install one of the two packages, either openjdk or openjre, do not install both at the same time or things will break! The openjdk package contains the jre (java runtime) as well as the java development kit.

Eric