My thoughts on Slackware, life and everything

Tag: openjdk (Page 7 of 9)

New IcedTea for OpenJDK 7u17

In order to match the recent Oracle security update for its Java platform, Java 7u17, the IcedTea developers have released version 2.3.8 of the IcedTea “build harness”, with which a fresh OpenJDK 7u17 can be built. This 17th update to Java7 addresses several vulnerabilities, the same as Oracle’s update.

It may be worth noting that security experts advise you to disable the Java plugin of your web browser unless you absolutely need it, and in such a case, set the Java Applet security to “high” so that you will be prompted when a Java applet attempts to load in your browser. See for instance the US-CERT statement about these vulnerabilities.

Nevertheless, I think that Java is an important piece of software which a lot of people use and need. After all, the whole world has been complaining for decades about the vulnerabilities in Sendmail… And that is still widely used, because its vulnerability depends entirely upon the careless administrator (and I still prefer Sendmail over Postfix). Therefore it is only logical that you will get new packages from my repository for the latest OpenJDK.

Anyway.

Here is the list (taken from the mailing list this time because Andrew has not yet updated his blog) of the vulnerabilities which are being addressed by this update, and their CVE numbers:

If you wait a little, you will be able to read all about it on Andrew John Hughes's blog. GNU/Andrew is the release manager for IcedTea.

Apart from these critical vulnerabilities (of which one was already actively exploited) there are some other bug fixes which are explicitly mentioned:

  • PR1303: Correct #ifdef to #if
  • PR1340: Simplify the rhino class rewriter to avoid use of concurrency
  • Revert 7017193 and add the missing free call, until a better fix is ready.

Packages for OpenJDK 7u17, compiled on Slackware 13.37 (and usable on 13.37 as well as 14.0 and -current!), can be found at the usual locations. Here are a few:

Further packages that are recommended/required:

  • Optional: If you want a Java browser-plugin you must install icedtea-web (OpenJDK itself does not contain such a plugin).
  • Required: The rhino package is a dependency of the openjdk/openjre package. It contains the JavaScript engine for OpenJDK.

Eric

OpenJDK 7u15 bugfix release ready

Quite rapidly, new versions of the icedtea “build harness” have been released, which create an updated OpenJDK 7u15. The 15th update to Java7 addresses several vulnerabilities.

Read all about it on Andrew John Hughes's blog article. GNU/Andrew is the release manager for IcedTea.

Here is the list (taken from that page) of the vulnerabilities which have been plugged and their CVE numbers:

Packages for OpenJDK, compiled on Slackware 13.37 (and usable on 13.37 as well as 14.0 and -current!), can be found at the usual locations. Here are a few:

Further packages that are recommended/required:

  • Optional: If you want a Java browser-plugin you must install icedtea-web (OpenJDK itself does not contain such a plugin).
  • Required: The rhino package is a dependency of the openjdk/openjre package. It contains the JavaScript engine for OpenJDK.

Eric


OpenJDK 7u13_b20 available: a security update

The icedtea “build harness” which I use to compile my OpenJDK and icedtea-web packages had a series of updates in the past week. Icedtea is available in several flavours, and it is able to build OpenJDK versions of Java 6 and 7 (and even pre-release versions of Java 8, but that is beside the point here).

Several updates for icedtea 1.x (the version which creates OpenJDK 6 binaries) were released last week, mainly because it had been a year since the last release and updates were long overdue.

Andrew John Hughes, the release manager for Icedtea, had originally planned icedtea 2.x releases for last week as well, but apparently the patches submitted by Oracle caused regressions which took time to fix. Eventually a new release did appear: icedtea-2.3.6 builds an OpenJDK 7u13_b20. That version number (Java 7 Update 13) brings OpenJDK back in line with the versioning of Oracle’s binary-only Java. Note that this “update 13” does not really mean OpenJDK is equal to the Oracle release. Icedtea adds a lot of patches and additional functionality to the OpenJDK. Icedtea also allows for the compilation of an open-source equivalent of Oracle’s closed-source Java Browser Applet: icedtea-web.

An impressive list of vulnerabilities which have been plugged by the OpenJDK 7u13 release:

* S6563318, CVE-2013-0424: RMI data sanitization
* S6664509, CVE-2013-0425: Add logging context
* S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time
* S6776941, CVE-2013-0427: Improve thread pool shutdown
* S7141694, CVE-2013-0429: Improving CORBA internals
* S7173145: Improve in-memory representation of splashscreens
* S7186945: Unpack200 improvement
* S7186946: Refine unpacker resource usage
* S7186948: Improve Swing data validation
* S7186952, CVE-2013-0432: Improve clipboard access
* S7186954: Improve connection performance
* S7186957: Improve Pack200 data validation
* S7192392, CVE-2013-0443: Better validation of client keys
* S7192393, CVE-2013-0440: Better Checking of order of TLS Messages
* S7192977, CVE-2013-0442: Issue in toolkit thread
* S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies
* S7200491: Tighten up JTable layout code
* S7200493, CVE-2013-0444: Improve cache handling
* S7200499: Better data validation for options
* S7200500: Launcher better input validation
* S7201064: Better dialogue checking
* S7201066, CVE-2013-0441: Change modifiers on unused fields
* S7201068, CVE-2013-0435: Better handling of UI elements
* S7201070: Serialization to conform to protocol
* S7201071, CVE-2013-0433: InetSocketAddress serialization issue
* S8000210: Improve JarFile code quality
* S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class
* S8000539, CVE-2013-0431: Introspect JMX data handling
* S8000540, CVE-2013-1475: Improve IIOP type reuse management
* S8000631, CVE-2013-1476: Restrict access to class constructor
* S8001235, CVE-2013-0434: Improve JAXP HTTP handling
* S8001242: Improve RMI HTTP conformance
* S8001307: Modify ACC_SUPER behavior
* S8001972, CVE-2013-1478: Improve image processing
* S8002325, CVE-2013-1480: Improve management of images

But this version of IcedTea supposedly also brings a fix for building on ARM architectures using Zero’s HotSpot – all patches apply again. I hope Stuart Winter will be happy.

Packages for OpenJDK, compiled on Slackware 13.37 (and usable on 13.37 as well as 14.0 and -current!), can be found at the usual locations. Here are a few:

Further packages that are recommended/required:

  • Optional: If you want a Java browser-plugin you must install icedtea-web (OpenJDK itself does not contain such a plugin).
  • Required: The rhino package is a dependency of the openjdk/openjre package. It contains the JavaScript engine for OpenJDK.

I will repeat these notes:

  • You need to install either the JRE or the JDK package. Not both of them! If you are not a Java developer and never compile Java code, then you do not need the openjdk package and it will be sufficient to install the (smaller) openjre package instead.
  • If you are migrating to OpenJDK after having used Oracle’s Java binaries, make sure that you have removed both “jre” and “jdk” packages. Run a command like “removepkg /var/log/packages/jdk-* ; removepkg /var/log/packages/jre-*” to get rid of both. Then install the openjdk or openjre package. Logout and log back in after this package removal/installation, so that you will get the proper Java environment.
  • Test your java browser plugin online: http://javatester.org/version.html or http://www.java.com/en/download/testjava.jsp .

After upgrading you should see this when running java or javac:

$ java -version
java version "1.7.0_13"
OpenJDK Runtime Environment (IcedTea7 2.3.6) (Slackware)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)
$ javac -version
javac 1.7.0_13

I tested the new packages with a short game of MineCraft and running JMol… and had no issues.

Eric


Update for OpenJDK 7 with IcedTea 2.3.4 plugs 0-day exploit.

The past week was buzzing with the 0-day exploit for Oracle’s Java browser plugin, but according to CERT, the OpenJDK was affected as well by the underlying bug. Oracle “hastily” patched this critical vulnerability (CVE-2012-3174) although now it seems that only this particular “attack vector” was patched but the underlying vulnerability remains, leaving the way open to other exploits.

Come what may, an update of IcedTea followed soon after, which will build OpenJDK packages which incorporate fixes for the vulnerability. The version of IcedTea which I use (upped to 2.3.4) builds an OpenJDK 7 Update 9 package – the same version as we already have (no idea why they did not lift the update version to 10 or 11 unless this was a hasty fix for this particular 0-day exploit), so what I did for my openjdk & openjre packages was increase the package BUILD number from “1alien” to “2alien” so that you can use upgradepkg to upgrade to the new package.

It appears that one of the main developers, GNU/Andrew (Andrew John Hughes from Red Hat), has not yet updated his blog with news of the new icedtea releases. The aforementioned mailing list post was his, so I expect that he will update his blog with all the details soon.

Here is the list with security fixes in the IcedTea 2.3.4 build of OpenJDK 7u9:

  • Security fixes:
    • S8004933, CVE-2012-3174: Improve MethodHandle interaction with libraries
    • S8006017, CVE-2013-0422: Improve lookup resolutions
    • S8006125: Update MethodHandles library interactions
  • Backports:
    • S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32 bit shifts
  • Bug fixes:
    • G422525: Fix building with PaX enabled kernels.

Get my packages (Slackware 13.37 and newer) for OpenJDK 7u9_b30 build 2alien here and upgrade as soon as you can:

Further packages that are recommended/required:

  • Optional: If you want a Java browser-plugin you must install icedtea-web (OpenJDK itself does not contain such a plugin).
  • Required: The rhino package is a dependency of the openjdk/openjre package. It contains the JavaScript engine for OpenJDK.

I will repeat these notes:

  • You need to install either the JRE or the JDK package. Not both of them! If you are not a Java developer and never compile Java code, then you do not need the openjdk package and it will be sufficient to install the (smaller) openjre package instead.
  • If you are migrating to OpenJDK after having used Oracle’s Java binaries, make sure that you have removed both “jre” and “jdk” packages. Run a command like “removepkg /var/log/packages/jdk-* ; removepkg /var/log/packages/jre-*” to get rid of both. Then install the openjdk or openjre package. Logout and log back in after this package removal/installation, so that you will get the proper Java environment.
  • Test your java browser plugin online: http://javatester.org/version.html or http://www.java.com/en/download/testjava.jsp .
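The notes above (and the identical notes in the 7u13 post earlier on this page) describe a manual check: no Oracle “jdk” or “jre” packages left behind, exactly one of openjdk/openjre installed, and java -version reporting the expected release. The following POSIX shell helper is an added example, not part of Eric's SlackBuild scripts or of Slackware's pkgtools; it performs those checks against the Slackware package database directory (/var/log/packages by default). The PKGDB variable and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not Eric's SlackBuild, not a Slackware pkgtool): verify the
# Java package state described in the upgrade notes.
#
# Slackware records each installed package as a file in /var/log/packages named
# <name>-<version>-<arch>-<build>, e.g. jdk-7u9-x86_64-1 or
# openjre-7u9_b30-x86_64-2alien. PKGDB can be overridden for testing.
PKGDB="${PKGDB:-/var/log/packages}"

# Print the installed package file names whose package name is exactly $1.
# The trailing "-" keeps "jdk-*" from matching "openjdk-*" and vice versa.
list_pkgs() {
  for _f in "$PKGDB"/"$1"-*; do
    [ -e "$_f" ] || continue      # unmatched glob stays literal: skip it
    basename "$_f"
  done
}

# Return 0 when the package state matches the notes:
#   - no Oracle jdk/jre packages remain (they must be removepkg'd first),
#   - exactly one of openjdk / openjre is installed (never both, never none).
check_java_pkgs() {
  _rc=0
  _oracle=$(list_pkgs jdk; list_pkgs jre)
  if [ -n "$_oracle" ]; then
    printf 'Remove these Oracle Java packages first (removepkg):\n%s\n' "$_oracle"
    _rc=1
  fi
  # Count the open packages via the positional parameters.
  set -- $(list_pkgs openjdk) $(list_pkgs openjre)
  case $# in
    0) echo "Neither openjdk nor openjre is installed"; _rc=1 ;;
    1) echo "OK: $1 is the only Java package installed" ;;
    *) echo "Install either openjdk or openjre, not both: $*"; _rc=1 ;;
  esac
  return $_rc
}

# Return 0 when captured "java -version" output ($1, which java prints on
# stderr, so capture it with 2>&1) reports the expected version string ($2),
# e.g. version_matches "$(java -version 2>&1)" 1.7.0_09
version_matches() {
  _got=$(printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1)
  [ -n "$_got" ] && [ "$_got" = "$2" ]
}

# Run the package check when executed directly as: sh javacheck.sh check
if [ "${1:-}" = "check" ]; then
  check_java_pkgs
fi
```

After a real upgrade you would run the package check and then confirm the runtime with version_matches "$(java -version 2>&1)" 1.7.0_09, remembering to log out and back in first so the new Java environment is picked up.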

After upgrading you should see this when running java or javac:

$ java -version
java version "1.7.0_09"
OpenJDK Runtime Environment (IcedTea7 2.3.4) (Slackware)
OpenJDK 64-Bit Server VM (build 23.2-b09, mixed mode)
$ javac -version
javac 1.7.0_09

I tested the new packages with a short game of MineCraft and running JMol… and had no issues.

Good luck! Eric


Java in Slackware ARM

I am slaving away on my ARM port. It is mostly a side activity at the moment, I am doing a lot of other things which are higher on the priority list while I am getting the core ARM package set on par with the Slackware 14 versions. But it did already enable me to build a working version of the OpenJDK packages using the same SlackBuild script (well, a teeny bit of editing was needed) which I am using for the “Intel-compatible” versions of Slackware.

MoZes (Stuart Winter, the maintainer of Slackware ARM) decided that this was a good enough time to use this SlackBuild script and finally add a working Java to Slackware ARM.

From his site comes this message:

Thanks to the work of Eric Hameleers, Slackware ARM v14.0 and -current now sports OpenJDK and OpenJRE packages. A JRE has always been absent from Slackware ARM, so I’m particularly pleased to be able to now strike one off the “missing package list”. I hope it’s useful!

Slackware 14.0 has the packages in patches and -current has them in extra/openjdk. You’ll need to install the “rhino” package as this is a run-time dependency.

This is also good news for people who want to experiment with Java on their Raspberry Pi or Pandora Box, for which ARMedslack community builds are available.

Eric


© 2024 Alien Pastures
