Security update for Sun Java JRE 6: update 17

I would very much appreciate a reaction from the developers.... This is an important matter, as it concerns the security of an LTS version.

Why don't I receive any reply? Don't the developers realize the importance of this security issue?

Does Launchpad still function as a bug squashing tool, or is it completely jammed because of the overwhelming flood of reports?

In other words: does it still make sense to report bugs, or has it become a complete waste of time, because no-one will respond anyway?

Hello All

i'm also interested in this update because of the internet solution we provide for our company is based on firefox on hardy LTS.
Probably this bug is known and a solution is being investigated and tested.

With kind regards

William

*Please* clarify us about this! I'm very disappointed that we get no information at all!

- Is anything being done at all, to provide this security update for JRE, or is JRE officially abandoned?

- If a security update is in progress, when can we expect it, and for which versions of Ubuntu?

For those of us who find it unacceptable to wait any longer for this important security update (like I), I have published a how-to for manual installation: http://sites.google.com/site/easylinuxtipsproject/java

Pjotr,

This issue was discussed the last time around and a policy formalized in https://wiki.ubuntu.com/StableReleaseUpdates#sun-java*. Please note that sun-java packages are in multiverse and are supported by the community. If you are able and would like to help improve the situation, feel free to provide an updated package and it can be reviewed and uploaded.

@Jamie Strandboge: thanks for responding!

Unfortunately I don't have the skills for building packages. All I could do was publish an instruction for manual installation of the latest JRE (available on the Sun website), in English and in Dutch:

English:
http://sites.google.com/site/easylinuxtipsproject/java

Dutch:
http://sites.google.com/site/computertip/java

I know about the formal policy for JRE, as we discussed a previous security update for JRE, in earlier Launchpad thread. But if there are no people around who can help implement this formal policy, then the policy is useless....

I fully understand that you are all very busy and even overloaded with work. And I appreciate your efforts very much.

However, if there isn't enough manpower available for implementing the formal policy for JRE, then please drop JRE altogether and remove it entirely from the repositories. Better no JRE at all, than an insecure JRE....

Accepted sun-java6 into hardy-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

I tested the proposed update in 8.04, and it works fine. :-)

Thank you, Martin Pitt!

Pjotr12345 [2009-11-23 15:53 -0000]:
> I tested the proposed update in 8.04, and it works fine. :-)

Great, thanks for testing. What did you test in particular? Some apps,
browser plugin, etc.?

> Thank you, Martin Pitt!

Thanks go to Matthias Klose, he prepared the package. :-)

I will redirect my thanks, then: thank you, Matthias Klose!

This is how I tested this update:
- I removed my manual installation of 6u17, by deleting /opt/java
- then I installed 6u16 from the repo's
- then I turned on "proposed"
- then I updated to 6u17

After that, I played a game of online chess on Yahoo Games, in Epiphany-browser. I've only tested through the browser plugin, therefore.

I also used Frostwire, but that particular app uses OpenJDK "under the hood", I think, because I downloaded the adapted Frostwire deb from getdeb.net.

Am I correct in assuming that only Hardy LTS will get this JRE update, and not the other current Ubuntu versions?

Is there any chance for 6u17 to be released for Karmic?
Sun-java6* is very important package for many users. It should not be abandoned.

@ Jarek:
I agree, but in the meantime you can apply this how-to for manual installation of JRE 6u17:
http://sites.google.com/site/easylinuxtipsproject/java

I've tried to make it as easy as possible.

@ Pjotr12345

Thanks.
There are also other possibiliyies:
- use java-package (http://wiki.debian.org/JavaPackage) and create deb package yourself - created packages are other than those supplied by ubuntu and debian (there is only one big package for whole JDK)
- install packages from debian sid - 6u17 is already published: http://packages.debian.org/search?suite=sid&searchon=names&keywords=sun-java6 - I didn't try this way this time, but I have successfully installed sun-java6 packages from debian earlier.

Sun released JDK & JRE 6 Update 18 (1.6.0_18)
http://java.sun.com/javase/downloads

Yet my Ubuntu (9.10 Karmic Koala desktop 64bit) still has 1.6.0_15. When can we have the new one?

To Ubuntu: please see this also in the perspective of people like me who use tomcat with sun-java6. I do not really care about the browser plugin, but for java app-hosting in tomcat it is important to have a *sun* jvm, since openjdk is not on par yet.

This was fixed in hardy with the 6-17-0ubuntu1.8.04 update; closing that task.

All releases have 6.24 now.