[Slackbuilds-users] The latest jdk on slackbuilds.org
Thomas Ronayne
ronayne.thomas at gmail.com
Wed Apr 17 13:48:16 UTC 2013
I can only reiterate the warning found in US-CERT TA13-064A (see Alert
(TA13-064A) Oracle Java Contains Multiple Vulnerabilities
<http://www.us-cert.gov/ncas/alerts/TA13-064A>), which is talking about
Java 7 Update 17 (7u17); down a ways is the following:
"*Disable Java in Web Browsers*
This and previous Java vulnerabilities have been widely targeted by
attackers, and new Java vulnerabilities are likely to be discovered. To
defend against these vulnerabilities, consider disabling Java in web
browsers until adequate updates are available. As with any software,
unnecessary features should be disabled or removed as appropriate for
your environment.
Starting with Java 7 Update 10, it is possible to disable Java content
in web browsers through the Java control panel applet. According to
Setting the Security Level of the Java Client
<http://www.us-cert.gov/redirect?url=http%3A%2F%2Fdocs.oracle.com%2Fjavase%2F7%2Fdocs%2Ftechnotes%2Fguides%2Fjweb%2Fclient-security.html%23disable>,
For installations where the highest level of security is required, it is
possible to entirely prevent /any/ Java apps (signed or unsigned) from
running in a browser by de-selecting Enable Java content in the browser
in the Java Control Panel under the Security tab.
If you are unable to update to Java 7 Update 10, see the solution
section of Vulnerability Note VU#636312
<http://www.kb.cert.org/vuls/id/636312#solution> for instructions on how
to disable Java on a per-browser basis."
Given that Oracle updated in less than 24 hours to 21, and given the
known problems, disabling the Java plug-in in every browser you use is a
Real Good Idea. Bradly's comment about Swiss cheese is, I think, not
harsh enough -- Oracle's stewardship is more along the lines of
Microsoft's: you can drive a semi in, turn it around, load up with
whatever you want then drive off.
It would not be a bad idea in any event to subscribe to US-CERT
<http://www.us-cert.gov/>; down at the bottom of the page you can
subscribe to Alerts which are periodically issued when Bad Things Are
Afoot. You can also review Bulletins and Tips (and subscribe to those too).
If you really want (or must) have the Java plug-in in your browsers, that's
pretty easy: simply make a symbolic link in /usr/lib64/mozilla/plugins
to /usr/lib64/java/jre/lib/amd64/libnpjp2.so (assuming you've installed
JDK, which includes JRE) using the SlackBuild from the extra directory
on your Slackware media -- the file you want to link to is libnpjp2.so.
Of course, if you're using 32-bit, the "64" won't be there but otherwise
the file is the same name. This is one of those "don't do it unless you
really know what the consequences may be" kind of things; just be aware
of that. And, if you do this, disable the damned thing in the browser
unless you must have it for some reason.
Hope this helps some.
A riddle, wrapped in a mystery, inside an enigma but that's my story and I'm stickin' to it.
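A way to check whether the Java plug-in is currently linked into the plug-in directories named in the message above, as an added example that is not part of the original post. The function names are hypothetical, and the 32-bit directory is an assumption derived from the remark that the "64" won't be there.

```shell
#!/bin/sh
# Added example: audit browser plug-in directories for the Java plug-in.
# The 64-bit directory is the one named in the post; the 32-bit one is assumed.
PLUGIN_DIRS="/usr/lib64/mozilla/plugins /usr/lib/mozilla/plugins"
PLUGIN_NAME="libnpjp2.so"

# Print "kind<TAB>entry<TAB>target" for every entry in the given directories
# that is, or resolves to, a file named libnpjp2.so. Checking the resolved
# target as well as the entry name catches a symlink that was given another name.
find_java_plugin() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for entry in "$dir"/*; do
            # Skip the unexpanded glob of an empty directory, keep dangling links.
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            target=$(readlink -f "$entry" 2>/dev/null || printf '%s' "$entry")
            if [ "$(basename "$entry")" = "$PLUGIN_NAME" ] ||
               [ "$(basename "$target")" = "$PLUGIN_NAME" ]; then
                if [ -L "$entry" ]; then kind=symlink; else kind=file; fi
                printf '%s\t%s\t%s\n' "$kind" "$entry" "$target"
            fi
        done
    done
}

# Number of plug-in entries found; 0 means no browser-visible Java plug-in.
count_java_plugin() {
    find_java_plugin "$@" | wc -l | tr -d ' '
}

# Remove only symlinks to the plug-in. Regular files are left in place, and
# the JRE's own copy of libnpjp2.so is never touched.
remove_java_plugin_links() {
    find_java_plugin "$@" | while IFS="$(printf '\t')" read -r kind entry target; do
        if [ "$kind" = symlink ]; then
            rm -- "$entry" && printf 'removed %s\n' "$entry"
        fi
    done
    return 0
}

# Read-only report for the default directories when run as a script.
# shellcheck disable=SC2086  # word splitting of PLUGIN_DIRS is intended
find_java_plugin $PLUGIN_DIRS
```

Run as root, `remove_java_plugin_links /usr/lib64/mozilla/plugins` undoes the symlink described in the message.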