In order to match the recent Oracle security update for its Java platform, Java 7u17, the IcedTea developers have released version 2.3.8 of the IcedTea “build harness”, with which a fresh OpenJDK 7u17 can be built. This 17th update to Java 7 addresses several vulnerabilities, the same ones as Oracle’s update.
It may be worth noting that security experts advise you to disable the Java plugin of your web browser unless you absolutely need it, and in such a case, set the Java Applet security to “high” so that you will be prompted when a Java applet attempts to load in your browser. See for instance the US-CERT statement about these vulnerabilities.
Nevertheless, I think that Java is an important piece of software which a lot of people use and need. After all, the whole world has been complaining for decades about the vulnerabilities in Sendmail… And that is still widely used, because its vulnerability depends entirely upon the careless administrator (and I still prefer Sendmail over Postfix). Therefore it is only logical that you will get new packages from my repository for the latest OpenJDK.
Anyway.
Here is the list (taken from the mailing list this time because Andrew has not yet updated his blog) of the vulnerabilities which are being addressed by this update, and their CVE numbers:
- S8007014, CVE-2013-0809: Improve image handling
- S8007675, CVE-2013-1493: Improve color conversion
If you wait a little, you will be able to read all about it on Andrew John Hughes’s blog. GNU/Andrew is the release manager for IcedTea.
Apart from these critical vulnerabilities (of which one was already actively exploited) there are some other bug fixes which are explicitly mentioned:
- PR1303: Correct #ifdef to #if
- PR1340: Simplify the rhino class rewriter to avoid use of concurrency
- Revert 7017193 and add the missing free call, until a better fix is ready.
Packages for OpenJDK 7u17, compiled on Slackware 13.37 (and usable on 13.37 as well as 14.0 and -current!), can be found at the usual locations. Here are a few:
- http://alien.slackbook.org/slackbuilds/openjdk/, the primary location (bandwidth-capped)
- http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/openjdk/, my own fast mirror
Further packages that are recommended/required:
- Optional: If you want a Java browser-plugin you must install icedtea-web (OpenJDK itself does not contain such a plugin).
- Required: The rhino package is a dependency of the openjdk/openjre package. It contains the JavaScript engine for OpenJDK.
Eric