sun-java6 should be updated to 6u15

Bug #411733 reported by Luke Scalfati
This bug report is a duplicate of: Bug #409559: version 1.6.0_15 is available.
This bug affects 1 person
Affects / Status / Importance / Assigned to / Milestone
Hardy Backports: New / Undecided / Unassigned / (none)
Intrepid Ibex Backports: New / Undecided / Unassigned / (none)
Jaunty Jackalope Backports: New / Undecided / Unassigned / (none)
The Dell Mini Project: New / Undecided / Unassigned / (none)
sun-java6 (Ubuntu): Confirmed / High / Unassigned / (none)

Bug Description

I'm running Ubuntu 9.04 i386

Turns out there is a remote code execution vulnerability exploitable over the network in many applications in 6u14, that has been fixed in 6u15.
However, the latest update available from the repos is 6u14_b08.

Fix: make 6u15 available from repos.

NOTE: I got to know about this bug when Freenet (http://freenetproject.org ) refused to perform some tasks because of the "wrong" Java version being detected.
Freenet users on 6u15 report that the warning is gone.

I don't have any evidence of this bug; this report is based on the Freenet warning, the discussion on the Freenet mailing lists and the IRC channel (irc.freenode.net #freenet) where I was asked to link the following cert-fi report: http://www.cert.fi/en/reports/2009/vulnerability2009085.html

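The report above turns on one question an administrator can answer locally: is the installed Sun Java 6 older than update 15? The following check is an added example, not part of the bug report or of any Ubuntu package; it parses the banner that `java -version` prints to stderr (the "1.6.0_14" / "build 1.6.0_14-b08" form quoted in the report) and compares the update number against the fixed update. The sample banner text and the helper names are constructed for the example.

```python
import re
import subprocess

# Constructed sample of a Sun JDK 6u14 `java -version` banner (assumption:
# Sun's banner format "java version "1.6.0_NN"" plus a "build ..." line).
SAMPLE_BANNER = (
    'java version "1.6.0_14"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_14-b08)\n'
    'Java HotSpot(TM) Client VM (build 14.0-b16, mixed mode, sharing)\n'
)

# The bug report states that the issue is fixed in 6u15.
FIXED_UPDATE = 15

_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')
_BUILD_RE = re.compile(r'build 1\.\d+\.\d+(?:_\d+)?-b(\d+)')


def parse_java_version(banner):
    """Parse a Sun-style `java -version` banner.

    Returns {"major": 6, "update": 14, "build": 8} for the sample above.
    A missing "_NN" suffix (the GA release) counts as update 0; a missing
    build line yields build None. Returns None if no banner is recognised.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    b = _BUILD_RE.search(banner)
    build = int(b.group(1)) if b else None
    return {"major": major, "update": update, "build": build}


def is_vulnerable(banner, fixed_update=FIXED_UPDATE):
    """True if the banner shows Java 6 older than the fixed update.

    Returns None when the banner is unrecognised or is not Java 6 at all,
    so the caller can tell "unknown" apart from "patched".
    """
    v = parse_java_version(banner)
    if v is None or v["major"] != 6:
        return None
    return v["update"] < fixed_update


def installed_java_banner():
    """Run the system `java -version` and return its banner text.

    Sun's JDK writes the banner to stderr, so both streams are joined.
    Returns None when no `java` binary is on PATH.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    banner = installed_java_banner() or SAMPLE_BANNER
    info = parse_java_version(banner)
    status = is_vulnerable(banner)
    if status is None:
        print("Could not recognise a Java 6 banner:", info)
    elif status:
        print("Java 6 update %d is older than 6u%d; update needed"
              % (info["update"], FIXED_UPDATE))
    else:
        print("Java 6 update %d is at or past 6u%d" % (info["update"], FIXED_UPDATE))
```

Run without arguments it checks the local `java`, falling back to the constructed sample when none is installed; the update number, not the build suffix, is what decides, because the report identifies the fix by update (6u15) only.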
Changed in sun-java6 (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
visibility: private → public
Revision history for this message
Wayne Scott (wsc9tt) wrote :

"remote code execution vulnerability"

then

"importance: Undecided → Medium"

huh?

Changed in sun-java6 (Ubuntu):
importance: Medium → High
CeesSluis (testcees) wrote :
Nicola Ferralis (feranick) wrote :

It has been just uploaded in Karmic.

tlu (thomas-ludwig-gmx) wrote :

Yes, it's available for Karmic but unfortunately not for Jaunty and earlier. And Sun has just released 6u16 which doesn't contain any new fixes for security vulnerabilities, though.

Nicola Ferralis (feranick) wrote :

A separate file asking for a backport should be filed, I think. In any case there are custom PPAs with updated java6 packages for Jaunty and Hardy:

https://launchpad.net/~hardybleed/+archive/ppa
https://launchpad.net/~jauntybleed/+archive/ppa

xor (xor) wrote :

I don't like the fact that a remote code execution vulnerability is open for days even though there is a fixed version available which only needs to be packaged :(

And it prevents me from development because I work on an XML-based peer-to-peer application :( Can someone fix this?

James Stansell (jamesstansell) wrote :

@xor, I know it's a bit of a pain that the packages aren't in all the repos, but since you're a dev you probably have the ability to grab them from a different repo and use them. The bits are always identical anyway, since they were actually compiled by Sun. I have frequently installed the sun-java6 packages from a different repo onto my system and never had any problem. (I usually just download from launchpad instead of messing with a normal repo ...)

tlu (thomas-ludwig-gmx) wrote :

I agree with xor. The java packages are critical applications used by many people. Not applying the updates that fix their vulnerabilities in due time undermines the reputation of Ubuntu as a secure operating system. Fixing them only in Karmic is definitely not enough. And the solution proposed by James Stansell is surely not suitable for the ordinary user (who doesn't know about this problem in the first place).

Magnus (koma-lysator) wrote :

I agree.

This is important enough for a backport effort.

I could wait for Karmic if it was just a new feature added to the newer JRE.

But a remote exploit? No... This sounds more urgent.

Nicola Ferralis (feranick) wrote :

Marking as duplicate of #409559. Please continue the discussion there.

This report contains Public Security information  
Everyone can see this security related information.