IcedTea-Web 1.2 vs Java 1.7 vulnerability

NoOp glgxg at sbcglobal.net
Wed Jan 16 19:46:14 UTC 2013 

On 01/12/2013 02:57 PM, Jonathan Lathrop wrote:
> Do the CERT warnings about the vulnerability in Java1.7 and earlier 
> versions also apply to IcedTea-Web 1.2 ?
> 
> 
> When I go to a Java version identification web site it says I have 
> SunMicrosystems  Java 1.6.24  which  is not on the list from CERT. 
> However Oracle Java 1.6.24 is on the list.    I am using FireFox 17.02 
> on Ubuntu 12.04 LTS...
> 
> I have disabled IcedTea in FireFox out of caution ...  Should I have 
> worried about it or do these warnings not apply to Linux
> 
>   Enlightenment would be appreciated.
> 

It is an OpenJDK problem as well. I've just posted this on the Mozilla
SeaMonkey user support nntp group (applies to Firefox as well):

(Apologies to those that already know how to update-alternatives. I'm
leaving the full post intact for those that may not know how):

====
Given the Zero-Day Java 7 vulnerabilities (see Paul B Gallagher's
thread: 'Java 7u10 vulnerability in browsers' and for those using
OpenJDK & Icedtea for Java JRE:

Security releases for OpenJDK and Icedtea were released yesterday (Tues
Jan 17).

<<http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/>>
<http://blog.fuseyism.com/index.php/2013/01/16/security-and-browser-plugins/>

 This confirms that OpenJDK7 and IcedTea7 were vulnerable - of course I
reckon that it will take awhile for the builds to get pushed to the
distro's.

Note that "OpenJDK 6 is not affected.". So if you are using OpenJDK7 I'd
recommend installing OpenJDK6 (you can leave OpenJDK7 installed[1]), and
then using update-alternatives to set OpenJDK6 as the system JRE.

For Debian/Ubuntu users:

$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get install openjdk-6-jre
$ sudo apt-get install icedtea6-plugin

$ sudo update-alternatives --config java
$ sudo update-alternatives --config mozilla-javaplugin.so

Ensure that you are using OpenJDK6 instead of OpenJDK7. Example:
~$ java -version
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

If you enable Java in SeaMonkey (I recommend using Prefbar to turn Java
on/off), the IcedTead plugin (Ubuntu in this example) in about:config
will show:

IcedTea-Web Plugin (using IcedTea-Web 1.2 (1.2-2ubuntu1.3))

    File: /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so
    Version:
    The IcedTea-Web Plugin executes Java applets.

I'd also check your LibreOffice/ApacheOO installs & select OpenJDK6:
Tools|Options|Java| select 'Sun Microsystems, Inc. 1.6.0_24
Note: I do not know of the current zero-day vulnerablity affecting
LibreOffice/ApacheOO - but to be cautious I revert to OpenJDK6.

[1] I keep openJDK7 installed so that it will be updated when the distro
packagers issue the security update.
====

More information about the ubuntu-users mailing list