LinuxQuestions.org


statguy 08-30-2012 08:38 PM

Java Plug-in Security Hole [FIXED]
 
I'm running Slack 13.37 (64bit). Firefox reports a security threat with the Java plug-in. My version of the plug-in (currently disabled) is 1.6.0_25. I've been checking with slackpkg to see if there are any updates, but have not seen any.

Two questions.

Does anyone know if this security hole in the Java plug-in is a risk on Linux?

If so, how would one go about patching this?

willysr 08-30-2012 08:46 PM

You have to update the Java packages yourself using the SlackBuild provided in Slackware, since Oracle doesn't allow Java packages to be distributed by third parties anymore.

ReaperX7 08-30-2012 09:04 PM

I recommend using the AlienBOB packages here:

http://www.slackware.com/~alien/slac...s/icedtea-web/

http://www.slackware.com/~alien/slackbuilds/openjdk/

It's the more up-to-date and license friendly OpenJRE/OpenJDK package.

You'll need the icedtea-web package to add a Java plugin for Firefox.

J1NKL3 08-30-2012 09:38 PM

Download the package from Oracle and use the SlackBuild from the -current /extra

Alien Bob 08-31-2012 02:18 AM

Quote:

Originally Posted by statguy (Post 4768702)
I'm running Slack 13.37 (64bit). Firefox reports a security threat with the Java plug-in. My version of the plug-in (currently disabled) is 1.6.0_25. I've been checking with slackpkg to see if there are any updates, but have not seen any.

Two questions.

Does anyone know if this security hole in the Java plug-in is a risk on Linux?

If so, how would one go about patching this?

That's strange, because Mozilla was going to issue that warning in Firefox only for Java 1.7 versions. The 1.6 series is not vulnerable to the 0day exploit.
By the way, do not expect Java updates from Slackware, there aren't going to be any. You'll have to do that yourself - the Java packages have been removed in Slackware 14 when that gets released.

Eric

tronayne 08-31-2012 08:42 AM

For right now you want to disable the Java plug-in in Firefox (and Seamonkey) if you've installed Oracle Java v. jdk-7u6 or jre-7u5 (JRE is included with JDK). You do that from Tools, Add-ons, Plugins. See http://www.us-cert.gov/current/#oracle_java_jre_1_7 at US-CERT. The Java plug-in should be disabled on every system's browser(s) (Linux, Solaris, Apple, Microsoft, etc.) if running the current Oracle Java version. You can go back to the prior version of Oracle Java that does not have the vulnerability; note, however, that Firefox will yammer at you that there's a new version of JRE (the vulnerable one, mind) and that you should upgrade... uh, don't.

Keep an eye on http://www.oracle.com/technetwork/java/index.html for a fixed version of JDK/JRE.

Hope this helps some.

Oops!

Fixed versions of JDK/JRE are available at Oracle's web site (above), dated yesterday.

statguy 08-31-2012 08:54 AM

Thanks all. So, if I understand Alien_Bob and tronayne correctly, my version 1.6.0_25 (slack pkg jre-6u25-x86_64-1) is not vulnerable so I can safely leave it enabled. Correct?

shadowsnipes 08-31-2012 08:56 AM

Quote:

Originally Posted by Alien Bob (Post 4768865)
That's strange, because Mozilla was going to issue that warning in Firefox only for Java 1.7 versions. The 1.6 series is not vulnerable to the 0day exploit.
By the way, do not expect Java updates from Slackware, there aren't going to be any. You'll have to do that yourself - the Java packages have been removed in Slackware 14 when that gets released.

Eric

I'm assuming java security updates are not going to be released for Slackware versions preceding 14.0. Given this, it might be a good idea for PV to release a statement to the security list announcing this and pointing to the slackbuild for manually creating updates.

AlleyTrotter 08-31-2012 09:35 AM

?
 
Quote:

Originally Posted by Alien Bob (Post 4768865)
...
By the way, do not expect Java updates from Slackware, there aren't going to be any. You'll have to do that yourself - the Java packages have been removed in Slackware 14 when that gets released.
Eric

Does this mean the 4,066 executables that come with Slackware will function without java?
||
Must I build/compile java myself to have a complete working Slackware distribution?

Thanks
john

Trying to find where I saw 4066 packages in Slackware (Obviously wrong)

Now I remember!
<TAB><TAB>
Display all 4066 possibilities? (y or n)?

tronayne 08-31-2012 09:36 AM

Oracle Java Security Hole Fixed
 
Late yesterday (30 Aug 2012) Oracle released Java 7u7, fixing the security vulnerability in 7u6; see http://www.us-cert.gov/current/#oracle_java_jre_1_7, particularly the Update notice.

If you're using JDK/JRE you can download either (note that JRE is included with JDK) at http://www.oracle.com/technetwork/ja...ads/index.html, selecting either JDK or JRE (or, what the heck, both).

The --current SlackBuild (in the extra directory) may be used to build a Slackware package. For example, the JDK download is jdk-7u7-linux-x64.tar.gz (96039818 bytes) that builds to jdk-7u7-x86_64-1.txz (72560324 bytes) on a Slackware 64-bit v. 13.37 stable system (YMMV, however).

Probably be a good idea, if you're using Oracle Java, to upgrade to this version ASAP.

Hope this helps some.
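
The version statements made in this thread, turned into a quick triage check (an added example, not part of any post above). The function names are hypothetical. It assumes Oracle-style identifiers only, so it says nothing about the IcedTea/OpenJDK builds raised later in the thread, and "not-affected" for the 1.6 series is Alien Bob's statement, not an independent finding.

```shell
#!/bin/sh
# Added example: triage an Oracle Java version against what this thread says
# about the August 2012 plug-in 0-day (1.6 series: not affected; 1.7 before
# update 7: affected; 7u7: fixed).

# parse_java_id ID -> prints "FAMILY UPDATE" (e.g. "7 6"), fails if unrecognised.
# Accepts the version from `java -version` (1.7.0_06) and Slackware package
# names as built by java.SlackBuild (jdk-7u6-x86_64-1, jre-6u25-x86_64-1).
parse_java_id() {
    parsed=$(printf '%s\n' "$1" | sed -n \
        -e 's/^1\.\([0-9][0-9]*\)\.[0-9][0-9]*_0*\([0-9][0-9]*\).*$/\1 \2/p' \
        -e 's/^1\.\([0-9][0-9]*\)\.[0-9][0-9]*$/\1 0/p' \
        -e 's/^j[dr][ke]-\([0-9][0-9]*\)u0*\([0-9][0-9]*\)-.*$/\1 \2/p')
    [ -n "$parsed" ] || return 1
    printf '%s\n' "$parsed"
}

# classify_java ID -> prints affected | fixed | not-affected | unknown
classify_java() {
    fam_upd=$(parse_java_id "$1") || { echo unknown; return 0; }
    family=${fam_upd% *}
    update=${fam_upd#* }
    case $family in
        6) echo not-affected ;;          # per the thread, 1.6 is outside the 0-day
        7) if [ "$update" -lt 7 ]; then  # 7u7 is the fixed release named above
               echo affected
           else
               echo fixed
           fi ;;
        *) echo unknown ;;               # anything else needs a manual look
    esac
}

# Identifiers quoted in the thread, plus one constructed unrecognised value.
for id in jre-6u25-x86_64-1 1.6.0_25 jdk-7u6-x86_64-1 jdk-7u7-x86_64-1 not-a-java-id; do
    printf '%-20s %s\n' "$id" "$(classify_java "$id")"
done
```

On Slackware 13.37 the installed package names can be read from /var/log/packages and passed to classify_java one at a time.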

tronayne 08-31-2012 10:01 AM

Oracle does not allow redistribution of Java anymore -- it's still free, but a distribution cannot include the software, you have to go get it and install it yourself (this is not a Big Deal when, in the extra directory (presently in current, will be included in releases), you will find java.SlackBuild which will create a Slackware package from either the JDK or JRE "tar.gz" you download from Oracle (note that JRE is included in JDK; you only really want JDK if you're doing Java development, though)).

There are options; e.g., Alien Bob's packages (detailed elsewhere) among others.

Note that there was a vulnerability in the Oracle packages that was fixed yesterday (30 Aug 2012); see http://www.linuxquestions.org/questi...ed-4175424966/. Details about the vulnerability can be found at US-CERT at http://www.us-cert.gov/current/#oracle_java_jre_1_7 and Java versions can be downloaded at http://www.oracle.com/technetwork/ja...ads/index.html.

Oracle is getting a well-earned reputation, methinks.

Hope this helps some.

anscal 08-31-2012 10:07 AM

Quote:

Originally Posted by ReaperX7 (Post 4768722)
I recommend using the AlienBOB packages here:

http://www.slackware.com/~alien/slac...s/icedtea-web/

http://www.slackware.com/~alien/slackbuilds/openjdk/

It's the more up-to-date and license friendly OpenJRE/OpenJDK package.

You'll need the icedtea-web package to add a Java plugin for Firefox.


Be aware that ALSO IcedTea and (as I understand it) openjdk are suffering from the same vulnerability.

See https://gnu.wildebeest.org/blog/mjw/...cve-2012-4681/ and http://thread.gmane.org/gmane.comp.j...beans.devel/34

(Links coming from a comment thread on LWN)

Alien Bob 08-31-2012 10:17 AM

Quote:

Originally Posted by AlleyTrotter (Post 4769182)
Does this mean the 4,771 packages that come with Slackware will function without java?
||
Must I build/compile java myself to have a complete working Slackware distribution?

Thanks
john

Slackware packages do not need java. If a 3rd party program wants Java you'll know soon enough!
If you want a Java package for your Slackware, you can use my own OpenJDK package, or else you use the Slackware script in slackware-14.0/extra/source/java/ which wraps the Oracle binaries into a proper Slackware package.

Eric

AlleyTrotter 08-31-2012 10:29 AM

Quote:

Originally Posted by Alien Bob (Post 4769214)
Slackware packages do not need java. If a 3rd party program wants Java you'll know soon enough!
If you want a Java package for your Slackware, you can use my own OpenJDK package, or else you use the Slackware script in slackware-14.0/extra/source/java/ which wraps the Oracle binaries into a proper Slackware package.

Eric

Thank you Eric
I do currently use a locally compiled java from your slackbuilds. It just seemed a little confusing to me on whether java is required for Slackware or not.

john

unSpawn 08-31-2012 11:03 AM

@tronayne: let's please keep similar topics grouped. I've merged your thread into this one and edited the thread title to reflect the status.

