Java has Huge Security Vulnerability, should be updated to 6update2

I'm going to set the Status to "Confirmed"; as per http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102934-1

---
A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.

Sun acknowledges, with thanks, Chris Evans of the Google Security Team, for bringing these issues to our attention.

These issues are also referenced in the following documents:

CVE-2007-2788 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788

CVE-2007-2789 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789
---

while the update is now available under the DLJ, the bundles are missing components; waiting for feedback from Sun

sun-java6 (6-02-0ubuntu1) gutsy; urgency=low

  * New upstream bug fix release. Closes LP: #126059.

  * WARNING: Remove the sun-java6-db package. Apparently the javadb
    sources are not included in the DLJ bundles while these are still
    included in the standard bundles. The fix will most likely have
    to wait until the 6u3 update. Please don't use the 6-02 package
    for any backport.

  * sun-java6-bin: Make libnss-mdns a recommendation. Closes: #432661.
  * sun-java6-plugin: Change the dependency iceape -> iceape-browser.
    Closes: #432593.

 -- Matthias Klose <email address hidden> Wed, 18 Jul 2007 15:08:01 +0200

So Feisty users are being left with the security vulnerability? I know it's a multiverse package but with the way Sun/Canonical, were trumpeting the partnership when Feisty was released, I expected a bit more support than your average multiverse package..

the sources are still available from Sun, correct? while it certainly is convenient to package the sources with the binary, it's not a requirement. the sources just must be readily available, correct? and it's certainly not a good reason to leave a broken/insecure version of java in the distribution.

@Alvin

The sources for the DLJ bundles against which this bug was filed are
not available under the GPL. We sincerely hope to have a 100% GPL
version of OpenJDK (JDK 7 alpha) available as soon as possible -- with
help from the community.

As doko mentions JDK6u2 has been updated to the Ubuntu archive.

Note that backporting JDK 6u2 to Feisty is a completely separate decision.

And we are trying to improve our response time to bugs -- especially
security bugs. This was one of the primary reasons for open sourcing
Java.

you're right, of course. i was griping about the lack of a backport on the wrong bug report.