LinuxQuestions.org
Old 08-30-2012, 07:38 PM   #1
statguy
Member
 
Registered: Sep 2004
Location: Ontario, Canada
Distribution: Slackware 14.2, current
Posts: 416

Rep: Reputation: 36
Java Plug-in Security Hole [FIXED]


I'm running Slack 13.37 (64bit). Firefox reports a security threat with the Java plug-in. My version of the plug-in (currently disabled) is 1.6.0_25. I've been checking with slackpkg to see if there are any updates, but have not seen any.

Two questions.

Does anyone know if this security hole in the Java plug-in is a risk on Linux?

If so, how would one go about patching this?
 
Old 08-30-2012, 07:46 PM   #2
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,661

Rep: Reputation: 1784
You have to update Java packages by yourself using the SlackBuild provided in Slackware, since Oracle doesn't allow Java packages to be distributed by third parties anymore.
 
1 members found this post helpful.
Old 08-30-2012, 08:04 PM   #3
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,558
Blog Entries: 15

Rep: Reputation: 2097
I recommend using the AlienBOB packages here:

http://www.slackware.com/~alien/slac...s/icedtea-web/

http://www.slackware.com/~alien/slackbuilds/openjdk/

It's the more up-to-date and license friendly OpenJRE/OpenJDK package.

You'll need the icedtea-web package to add a Java plugin for Firefox.
 
Old 08-30-2012, 08:38 PM   #4
dsotm
Member
 
Registered: Mar 2012
Distribution: Slackware64-current, Fedora 33
Posts: 90

Rep: Reputation: 2
Download the package from Oracle and use the SlackBuild from the -current /extra.
 
1 members found this post helpful.
Old 08-31-2012, 01:18 AM   #5
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Quote:
Originally Posted by statguy View Post
I'm running Slack 13.37 (64bit). Firefox reports a security threat with the Java plug-in. My version of the plug-in (currently disabled) is 1.6.0_25. I've been checking with slackpkg to see if there are any updates, but have not seen any.

Two questions.

Does anyone know if this security hole in the Java plug-in is a risk on Linux?

If so, how would one go about patching this?
That's strange, because Mozilla was going to issue that warning in Firefox only for Java 1.7 versions. The 1.6 series is not vulnerable to the 0day exploit.
By the way, do not expect Java updates from Slackware, there aren't going to be any. You'll have to do that yourself - the Java packages have been removed in Slackware 14 when that gets released.

Eric
 
Old 08-31-2012, 07:42 AM   #6
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065
For right now you want to disable the Java plug-in in Firefox (and Seamonkey) if you've installed Oracle Java v. jdk-7u6 or jre-7u5 (JRE is included with JDK). You do that from Tools, Add-ons, Plugins. See http://www.us-cert.gov/current/#oracle_java_jre_1_7 at US-CERT. The Java plug-in should be disabled on every system's browser(s) (Linux, Solaris, Apple, Microsoft, etc.) if running the current Oracle Java version. You can go back to the prior version of Oracle Java that does not have the vulnerability; note, however, that Firefox will yammer at you that there's a new version of JRE (the vulnerable one, mind) and that you should upgrade... uh, don't.

Keep an eye on http://www.oracle.com/technetwork/java/index.html for a fixed version of JDK/JRE.

Hope this helps some.

Oops!

Fixed versions of JDK/JRE are available at Oracle's web site (above), dated yesterday.

Last edited by tronayne; 08-31-2012 at 07:50 AM. Reason: Fixed Versions Available
 
Old 08-31-2012, 07:54 AM   #7
statguy
Member
 
Registered: Sep 2004
Location: Ontario, Canada
Distribution: Slackware 14.2, current
Posts: 416

Original Poster
Rep: Reputation: 36
Thanks all. So, if I understand Alien_Bob and tronayne correctly, my version 1.6.0_25 (slack pkg jre-6u25-x86_64-1) is not vulnerable so I can safely leave it enabled. Correct?
 
Old 08-31-2012, 07:56 AM   #8
shadowsnipes
Senior Member
 
Registered: Sep 2005
Distribution: Slackware
Posts: 1,443

Rep: Reputation: 73
Quote:
Originally Posted by Alien Bob View Post
That's strange, because Mozilla was going to issue that warning in Firefox only for Java 1.7 versions. The 1.6 series is not vulnerable to the 0day exploit.
By the way, do not expect Java updates from Slackware, there aren't going to be any. You'll have to do that yourself - the Java packages have been removed in Slackware 14 when that gets released.

Eric
I'm assuming java security updates are not going to be released for Slackware versions preceding 14.0. Given this, it might be a good idea for PV to release a statement to the security list announcing this and pointing to the slackbuild for manually creating updates.
 
Old 08-31-2012, 08:35 AM   #9
AlleyTrotter
Member
 
Registered: Jun 2002
Location: Coal Township PA
Distribution: Slackware64-15.0
Posts: 783

Rep: Reputation: 479
?

Quote:
Originally Posted by Alien Bob View Post
...
By the way, do not expect Java updates from Slackware, there aren't going to be any. You'll have to do that yourself - the Java packages have been removed in Slackware 14 when that gets released.
Eric
Does this mean the 4,066 executables that come with Slackware will function without java?
||
Must I build/compile java myself to have a complete working Slackware distribution?

Thanks
john

Trying to find where I saw 4066 packages in Slackware (Obviously wrong)

Now I remember!
<TAB><TAB>
Display all 4066 possibilities? (y or n)?

Last edited by AlleyTrotter; 09-01-2012 at 04:47 PM. Reason: number of packages
 
Old 08-31-2012, 08:36 AM   #10
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065
Oracle Java Security Hole Fixed

Late yesterday (30 Aug 2012) Oracle released Java 7u7, fixing the security vulnerability in 7u6; see http://www.us-cert.gov/current/#oracle_java_jre_1_7, particularly the Update notice.

If you're using JDK/JRE you can download either (note that JRE is included with JDK) at http://www.oracle.com/technetwork/ja...ads/index.html, selecting either JDK or JRE (or, what the heck, both).

The --current SlackBuild (in the extra directory) may be used to build a Slackware package. For example, the JDK download is jdk-7u7-linux-x64.tar.gz (96039818 bytes) that builds to jdk-7u7-x86_64-1.txz (72560324 bytes) on a Slackware 64-bit v. 13.37 stable system (YMMV, however).

Probably be a good idea, if you're using Oracle Java, to upgrade to this version ASAP.

Hope this helps some.
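
The version boundaries given in the posts above (1.6 series not affected by this 0day, 1.7 before update 7 affected, 7u7 fixed), as an added example that is not part of any poster's reply: a shell helper that classifies a `java -version` string or a Slackware package name. The function name `classify_java` and its output labels are hypothetical, and it says nothing about OpenJDK/IcedTea builds.

```shell
#!/bin/sh
# Added example: classify an Oracle Java version using only what this thread states:
#   1.6 series            -> not affected by this 0day
#   1.7 before update 7   -> affected (keep the browser plug-in disabled)
#   1.7 update 7 or later -> contains Oracle's fix of 30 Aug 2012
# Input: a "java -version" string (1.7.0_06) or a Slackware package name
# (jre-6u25-x86_64-1). Anything else is reported as "unknown".

classify_java() {
    v=$1
    case $v in
        1.[0-9]*)                              # 1.<major>.<minor>[_<update>][-bNN]
            major=${v#1.}; major=${major%%.*}
            case $v in
                *_*) update=${v##*_}; update=${update%%-*} ;;
                *)   update=0 ;;               # "1.7.0" means no update applied
            esac ;;
        jre-[0-9]*u[0-9]*|jdk-[0-9]*u[0-9]*)   # jre-<major>u<update>-<arch>-<build>
            rest=${v#*-}
            major=${rest%%u*}
            update=${rest#*u}; update=${update%%-*} ;;
        *)  echo unknown; return 0 ;;
    esac
    # Strip leading zeros so an update like "08" is compared as decimal 8.
    update=${update#"${update%%[!0]*}"}
    [ -n "$update" ] || update=0
    case "$major$update" in
        *[!0-9]*) echo unknown; return 0 ;;    # non-numeric field: do not guess
    esac
    if [ "$major" -eq 6 ]; then
        echo not-affected
    elif [ "$major" -eq 7 ]; then
        if [ "$update" -lt 7 ]; then echo affected; else echo fixed; fi
    else
        echo unknown                           # the thread makes no claim here
    fi
}

# Constructed sample inputs, using version strings quoted in the thread.
for s in 1.6.0_25 jre-6u25-x86_64-1 1.7.0_06 jdk-7u7-x86_64-1; do
    printf '%-20s %s\n' "$s" "$(classify_java "$s")"
done
```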
 
Old 08-31-2012, 09:01 AM   #11
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065
Oracle does not allow redistribution of Java anymore -- it's still free, but a distribution cannot include the software, you have to go get it and install it yourself (this is not a Big Deal when, in the extra directory (presently in current, will be included in releases), you will find java.SlackBuild which will create a Slackware package from either the JDK or JRE "tar.gz" you download from Oracle). Note that JRE is included in JDK; you only really want JDK if you're doing Java development, though.

There are options; e.g., Alien Bob's packages (detailed elsewhere) among others.

Note that there was a vulnerability in the Oracle packages that was fixed yesterday (30 Aug 2012); see http://www.linuxquestions.org/questi...ed-4175424966/. Details about the vulnerability can be found at US-CERT at http://www.us-cert.gov/current/#oracle_java_jre_1_7 and Java versions can be downloaded at http://www.oracle.com/technetwork/ja...ads/index.html.

Oracle is getting a well-earned reputation, methinks.

Hope this helps some.
 
Old 08-31-2012, 09:07 AM   #12
anscal
Member
 
Registered: Apr 2011
Distribution: Slackware, RHEL
Posts: 31

Rep: Reputation: 15
Quote:
Originally Posted by ReaperX7 View Post
I recommend using the AlienBOB packages here:

http://www.slackware.com/~alien/slac...s/icedtea-web/

http://www.slackware.com/~alien/slackbuilds/openjdk/

It's the more up-to-date and license friendly OpenJRE/OpenJDK package.

You'll need the icedtea-web package to add a Java plugin for Firefox.

Be aware that ALSO IcedTea and (as I understand it) openjdk are suffering from the same vulnerability.

See https://gnu.wildebeest.org/blog/mjw/...cve-2012-4681/ and http://thread.gmane.org/gmane.comp.j...beans.devel/34

(Links coming from a comment thread on LWN)
 
Old 08-31-2012, 09:17 AM   #13
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Quote:
Originally Posted by AlleyTrotter View Post
Does this mean the 4,771 packages that come with Slackware will function without java?
||
Must I build/compile java myself to have a complete working Slackware distribution?

Thanks
john
Slackware packages do not need java. If a 3rd party program wants Java you'll know soon enough!
If you want a Java package for your Slackware, you can use my own OpenJDK package, or else you use the Slackware script in slackware-14.0/extra/source/java/ which wraps the Oracle binaries into a proper Slackware package.

Eric
 
1 members found this post helpful.
Old 08-31-2012, 09:29 AM   #14
AlleyTrotter
Member
 
Registered: Jun 2002
Location: Coal Township PA
Distribution: Slackware64-15.0
Posts: 783

Rep: Reputation: 479
Quote:
Originally Posted by Alien Bob View Post
Slackware packages do not need java. If a 3rd party program wants Java you'll know soon enough!
If you want a Java package for your Slackware, you can use my own OpenJDK package, or else you use the Slackware script in slackware-14.0/extra/source/java/ which wraps the Oracle binaries into a proper Slackware package.

Eric
Thank you Eric
I do currently use a locally compiled java from your slackbuilds. It just seemed a little confusing to me on whether java is required for Slackware or not.

john
 
Old 08-31-2012, 10:03 AM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
@tronayne: let's please keep similar topics grouped. I've merged your thread into this one and edited the thread title to reflect the status.
 
  

