IcedTea-Web 1.2 vs Java 1.7 vulnerability
NoOp
glgxg at sbcglobal.net
Wed Jan 16 19:46:14 UTC 2013
On 01/12/2013 02:57 PM, Jonathan Lathrop wrote:
> Do the CERT warnings about the vulnerability in Java1.7 and earlier
> versions also apply to IcedTea-Web 1.2 ?
>
>
> When I go to a Java version identification web site it says I have
> SunMicrosystems Java 1.6.24 which is not on the list from CERT.
> However Oracle Java 1.6.24 is on the list. I am using FireFox 17.02
> on Ubuntu 12.04 LTS...
>
> I have disabled IcedTea in FireFox out of caution ... Should I have
> worried about it or do these warnings not apply to Linux?
>
> Enlightenment would be appreciated.
>
It is an OpenJDK problem as well. I've just posted this on the Mozilla
SeaMonkey user support nntp group (applies to Firefox as well):
(Apologies to those that already know how to update-alternatives. I'm
leaving the full post intact for those that may not know how):
====
Given the Zero-Day Java 7 vulnerabilities (see Paul B Gallagher's
thread: 'Java 7u10 vulnerability in browsers') and for those using
OpenJDK & IcedTea for Java JRE:
Security releases for OpenJDK and Icedtea were released yesterday (Tues
Jan 17).
<http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/>
<http://blog.fuseyism.com/index.php/2013/01/16/security-and-browser-plugins/>
This confirms that OpenJDK7 and IcedTea7 were vulnerable - of course I
reckon that it will take a while for the builds to get pushed to the
distros.
Note that "OpenJDK 6 is not affected.". So if you are using OpenJDK7 I'd
recommend installing OpenJDK6 (you can leave OpenJDK7 installed[1]), and
then using update-alternatives to set OpenJDK6 as the system JRE.
For Debian/Ubuntu users:
$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get install openjdk-6-jre
$ sudo apt-get install icedtea6-plugin
$ sudo update-alternatives --config java
$ sudo update-alternatives --config mozilla-javaplugin.so
Ensure that you are using OpenJDK6 instead of OpenJDK7. Example:
~$ java -version
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
If you enable Java in SeaMonkey (I recommend using Prefbar to turn Java
on/off), the IcedTea plugin (Ubuntu in this example) in about:config
will show:
IcedTea-Web Plugin (using IcedTea-Web 1.2 (1.2-2ubuntu1.3))
File: /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so
Version:
The IcedTea-Web Plugin executes Java applets.
I'd also check your LibreOffice/ApacheOO installs & select OpenJDK6:
Tools|Options|Java| select 'Sun Microsystems, Inc. 1.6.0_24'
Note: I do not know of the current zero-day vulnerability affecting
LibreOffice/ApacheOO - but to be cautious I revert to OpenJDK6.
[1] I keep OpenJDK7 installed so that it will be updated when the distro
packagers issue the security update.
====
More information about the ubuntu-users mailing list
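
Added example (not part of the original post): a small shell check that the switch described above took effect for both the `java` alternative and the browser plugin alternative, since the two are selected by separate update-alternatives commands. The function names and the OpenJDK 7 sample values are constructed for illustration; the OpenJDK 6 sample values are the ones quoted in the post.

```shell
#!/bin/sh
# Verify that both the system JRE and the browser plugin resolve to OpenJDK 6.

# java_major: read `java -version` output on stdin and print the major
# release (6 for "1.6.0_24", 7 for "1.7.0_09").
java_major() {
    sed -n 's/^[a-z]* version "1\.\([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# plugin_major: print the OpenJDK major release encoded in a plugin path
# such as /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so
plugin_major() {
    printf '%s\n' "$1" |
        sed -n 's|.*/java-\([0-9][0-9]*\)-openjdk[^/]*/.*IcedTeaPlugin\.so$|\1|p'
}

# audit: $1 = `java -version` text, $2 = resolved plugin path.
# Prints one finding per line; returns 0 only if both are OpenJDK 6.
audit() {
    jm=$(printf '%s\n' "$1" | java_major)
    pm=$(plugin_major "$2")
    rc=0
    if [ "$jm" != 6 ]; then echo "java: major '${jm:-unknown}', expected 6"; rc=1; fi
    if [ "$pm" != 6 ]; then echo "plugin: major '${pm:-unknown}', expected 6"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "ok: java and plugin both resolve to OpenJDK 6"; fi
    return "$rc"
}

# Values quoted in the post (OpenJDK 6 selected for both alternatives).
PAGE_JAVA='java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1)'
PAGE_PLUGIN=/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so

# Constructed samples: java was switched but the plugin alternative was not.
OLD_JAVA='java version "1.7.0_09"'
OLD_PLUGIN=/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so

audit "$PAGE_JAVA" "$PAGE_PLUGIN"
audit "$PAGE_JAVA" "$OLD_PLUGIN" || true

# Live use on the host (java -version writes to stderr):
#   audit "$(java -version 2>&1)" \
#         "$(readlink -f /etc/alternatives/mozilla-javaplugin.so)"
```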