sun java outdated

Bug #890278 reported by ubunij24
This bug affects 6 people
Affects: Linux Mint | Status: Invalid | Importance: Medium | Assigned to: Clement Lefebvre | Milestone: (none listed)

Bug Description

The sun java package in Mint 12 RC is version 1.6.0.26 and is vulnerable. Is it possible to replace it as standard with the openjdk package?


ubunij24 (ubunij24)
visibility: private → public
description: updated
Pjotr12345 (computertip) wrote :

Only 6u29 is secure. Maybe Mint could build its own package of Oracle (Sun) Java? Upstream is defaulting on this: https://bugs.launchpad.net/ubuntu/+source/sun-java6/+bug/884252

Stefan de Vries (fermata) wrote :

Good thing someone filed this.

Pjotr12345 (computertip)
Changed in linuxmint:
status: New → Confirmed
chris (cbsjon) wrote :

Good that it was noticed, I trust the Mint team will fix this soon.

Tom rooze.sen (tomrooze-sen) wrote :

Good thing someone filed this!

Marc Deslauriers (mdeslaur) wrote :

Ubuntu is being tracked in bug #881746

Changed in ubuntu:
status: New → Invalid
drum (taverne-laurent) wrote :

Hopefully this will be fixed with the final release

Clement Lefebvre (clementlefebvre) wrote :

You're not explaining why it's insecure and what the security issues are.

openJDK would replace Sun Java if and only if we can verify that it doesn't cause any regressions for users in terms of features and compatibility with online games and applets.

Changed in linuxmint:
status: Confirmed → Incomplete
ubunij24 (ubunij24) wrote :

I'm not an expert in this, but is it possible to make openjdk the standard? Mint users who want to use Sun Java instead can download it from Oracle. Better a safer standard than an older version of Sun Java which is vulnerable. I'm a normal user and openjdk works fine for me. In case of problems I download the newest version from Oracle. I refer to this link: https://bugs.launchpad.net/ubuntu/+source/sun-java6/+bug/884252

Pjotr12345 (computertip) wrote :

@Clement Lefebvre:

The security issues involved are the following:

1. Oracle release notes of 6u29:
http://www.oracle.com/technetwork/java/javase/6u29-relnotes-507960.html

2. Oracle cites no less than 20 security fixes:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

3. An in-depth related bug report:
https://bugs.launchpad.net/ubuntu/+source/sun-java6/+bug/881746

4. There's an extensive ZDnet blog post about this:
http://www.zdnet.com/blog/security/java-update-plugs-20-critical-security-holes/9670

Immediate action is required. This is *very* serious.

Either Mint should build its own deb package of 6u29, or provide an installation script comparable to the one available for Adobe Flash Player (which pulls the package from the site of the manufacturer). Or switch to OpenJDK.

Changed in linuxmint:
status: Incomplete → Confirmed
Pjotr12345 (computertip) wrote :

Changed back to confirmed, because I've supplied the requested information.

Clement Lefebvre (clementlefebvre) wrote :

Pjotr: After reading the material you linked to, can you describe in your own words what the problem is? i.e. what the attacker would do and how it would affect you as a user?

Thanks.

Changed in linuxmint:
status: Confirmed → Incomplete
Pjotr12345 (computertip) wrote :

Clément Lefebvre: I'll try, but I'm handicapped by the fact that Oracle doesn't disclose details about security risks:

"As a matter of policy, Oracle does not disclose detailed information about an exploit condition or results that can be used to conduct a successful exploit. Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Patch Availability Document, the readme files, and FAQs."

Source: http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

Anyway, I'll try....

The vulnerabilities in 6u26 allow remote exploits without authorizations. This means among other things, that an attacker can create an attack website containing malicious Java applications or Java applets. Those can enable him to hijack confidential sessions on my system with sensitive websites such as online banking, e-commerce and payment websites.

I hope this is enough. About the solution: I suppose that you are also restrained by Oracle's new licensing policy, from creating a deb installer for the secure 6u29. But an installation script that pulls 6u29 from Oracle's site (comparable to the script for Adobe Flash Player) is apparently still allowed.

Now I don't know how to make such an installation script, but I've written a detailed how-to for installing Oracle (Sun) Java 6u29 manually: http://sites.google.com/site/easylinuxtipsproject/java
Maybe you can create an installation script from this manual?

Pjotr12345 (computertip) wrote :

Changed the status back to "Confirmed", because I've given the requested information.

@Clément Lefebvre: the insecure 6u26 is present in the final edition of Linux Mint 12. Maybe because this bug was reported too late in the final stage of development of Mint 12? Anyway: when will Java be upgraded to the secure 6u29?

Changed in linuxmint:
status: Incomplete → Confirmed
Clement Lefebvre (clementlefebvre) wrote :

Hi Pjotr,

OK, there are different aspects to this..

1. It was included because this came too late and the risk of creating a regression was greater than the security issue. It's consistent in our policy, and it's geared towards our user base (mostly because most of our users are 1. desktop users 2. not specific targets like web servers 3. behind NAT/Firewall routers 4. using centralized app sources): stability and features are more important than security. So in the case of Java, our main concern is that things continue to work for everybody, and then once that's guaranteed, that security is there as well.

2. About the licensing from Oracle... I need to look into it. According to Canonical it's a deal breaker.... we need to make our own opinion of course, but it doesn't look good to be honest.

3. Whether we can make our own Deb that downloads the content like it's done with Flash to work around the problematic licensing... we probably can. I'd love for the community to help on this. You got a script there, so we're not starting from scratch. For the future, that's a possibility.

4. About OpenJDK, it's another alternative. They need to make sure they're fully on par with the Oracle implementation and that the Java content people use on the Web is fully compatible with it. If/when they achieve this we'll use OpenJDK by default and be done with Oracle Java.

5. About the security risks, I'm glad we got to that and we can agree on the fact that neither you nor I have a clue about them. The situation is: Oracle is telling everyone to upgrade to their latest version because there are "loads" of security risks. How long have these security holes been there? Nobody knows. What are they? Nobody knows. Have I had that security hole in my Java for the last 5 years? Maybe? I don't know.. that's not a valid bug to me, and the fact that the licensing has changed in the meantime is also interesting.

So as you can see, I disagree on the urgency of the situation and on the situation itself. I also disagree on OpenJDK being a viable alternative, but I agree with you on the solution to update to the latest Oracle Java. If we can get the DEB you describe, and do things the way Canonical did with Adobe Flash, then we can all move on towards a situation that satisfies all parties involved.

Let's leave this as confirmed and get to that stage. There are a lot of urgent tasks that require our attention. When we have some time we'll work on this as well. In the meantime if the community produces the implementation, things will go quicker and we'll be able to update Java sooner.

Sorry for the long comment, and it's not exactly what you wanted, but I hope it explains our position on this.

Clement Lefebvre (clementlefebvre) wrote :

I'm also marking OpenJDK for review as a potential replacement for Java in Mint 13.

Changed in linuxmint:
importance: Undecided → Medium
assignee: nobody → Clement Lefebvre (clementlefebvre)
Pjotr12345 (computertip) wrote :

@Clément Lefebvre: thanks for your reaction. I see your point and I largely agree.

Nevertheless, a solution should come rather quickly, I think. Both for intrinsic reasons and for the public image of Mint as a reliable and secure distro.

I can't make scripts myself, but I'll see if I can find somebody who is able and willing to make a script, from the how-to that I've written for installing 6u29 manually.... If so, I'll post it here.

ubunij24 (ubunij24) wrote :

Thanks Clement for marking OpenJDK for review as a replacement for Java in Mint 13. When it is not possible to find a programmer to write a script for manually installing Java, this might be the best solution for this time.

Gary Timuss (gary-timuss) wrote :
affects: ubuntu → sun-java6 (Ubuntu)
Pjotr12345 (computertip) wrote :

Good news: a software developer, member of the Dutch Ubuntu community, has kindly created a script that pulls Oracle Java from the Oracle website and installs it. I've tested a prototype on a 32 bit system, and it works fine.

He's not quite done with it yet (needs testing on 64 bit and some final polishing, and still needs to be transformed into a .deb package), but I expect he'll present it here within a week.

Patrick Xia (pxia) wrote :

This is a **critical** bug and precludes any use of Firefox on a Linux Mint installation. Exploits for this are live and in the wild. I wrote a simple proof of concept that launches gnome-terminal from your browser:

http://www.ugcs.caltech.edu/~patrick/Exploit.html

Frank de Bruijn (grizzler) wrote :

The script Pjotr mentioned is ready for use (well, testing on a larger scale, anyway...).

http://www.duinsoft.nl/packages.php

Pjotr12345 (computertip) wrote :

Excellent work, Frank!

@Clément Lefebvre: will you consider putting this in a Mint repo (when Frank agrees, of course)? The timing is perfect, since Canonical pulled Oracle Java a couple of days ago....

ubunij24 (ubunij24) wrote : Re: [Bug 890278] Re: sun java outdated

Thanks for the hard job, well done!
2011/12/19 Pjotr12345 <email address hidden>


Pjotr12345 (computertip) wrote :

@Clément Lefebvre: the English page for the new installation script is here:
http://www.duinsoft.nl/packages.php?t=en

The author, Frank de Bruijn, has made it available under the GPL, so you can use it freely. The need for a secure Oracle Java is urgent, so I hope that you can find the time to act quickly.... See this news:
http://www.zdnet.com/blog/security/web-malware-exploitation-kits-updated-with-new-java-exploit/9849?tag=content;selector-blogs

Clement Lefebvre (clementlefebvre) wrote :

Looking at the licensing issue again, it appears the main reason for Debian (and consequently Ubuntu) to switch to OpenJDK is the proprietary nature of the Oracle JRE/JDK.

At Linux Mint, we don't have such an issue with proprietary software. We "prefer" open-source to closed-source alternatives except when there's a significant trade-off in terms of features and compatibility.

So if I'm right in interpreting this license http://www.oracle.com/technetwork/java/javase/terms/license/index.html and this indeed allows us to redistribute the Oracle JDK, then we're in a similar situation to the one with Adobe Flash... where the proprietary option is significantly better than the open-source one and the licensing allows us to use and redistribute it.

Or did I read that wrong?

We'll have a close look at this in preparation for Mint 13. OpenJDK is getting better and better, and the licensing on Oracle JDK isn't as restrictive as I thought... so we very well might still have the two options available to us going forward.

Not to mention the possibility to use a script like Pjotr's above.

In the meantime please don't hesitate to use this bug as a thread to give your opinion and thoughts about this.

Pjotr12345 (computertip) wrote :

The problem with the Oracle license is that it only allows "unmodified" redistribution. Apparently the packaging as .deb is seen as a modification....

So you'll have to use a script like the Duinsoft script that Frank de Bruijn has created, which pulls the package from the Oracle servers and installs it. He has kindly made it freely available under the GPL, so copying is no problem.

Suggestion: this could be performed automatically during installation of Mint on the hard disk. The LiveDVD might contain OpenJDK, in order to provide an almost full user experience in the live session. During installation of Mint, the script could be run, in order to obtain and install Oracle Java.

In my experience OpenJDK still isn't as good as Oracle Java: on some websites, I really need the closed Java.

Equ (equzephyr) wrote :

The importance on this really should be raised to maximum. The version of the Java plugin that exists in Firefox on Linux Mint 12 contains known and published sandbox vulnerabilities that allow arbitrary Java code execution on the system simply by visiting a Web site that loads a malicious Java applet. This includes the extremely critical Rhino script engine vulnerability. Any users who have not manually disabled the Firefox Java plugin, or manually upgraded their Java and replaced the plugin using update-alternatives are vulnerable to these arbitrary code execution exploits if they visit a Web site with a malicious Java applet.

This vulnerability has existed since October of last year. If you aren't going to update the Java plugin to a version that is not vulnerable, then you should send out an update that disables the plugin.

The lax attitude being taken with this is concerning, to say the least. Again, even with a fully updated system, users are currently vulnerable to in the wild remote arbitrary code execution vulnerabilities that can be triggered simply by visiting a Web site with a malicious Java applet. These vulnerabilities have been known about since October.

Please, either find a way to update the plugin, or simply disable it. Because right now, you are exposing unaware end-users to an extremely serious security vulnerability.

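Added audit example for the situation Equ describes above (not code from the bug thread, from Linux Mint or from Duinsoft): it classifies the installed sun-java6 build relative to 6u29 and checks whether the browser plugin alternative still resolves to the Sun plugin, so an administrator can see which of the two actions (upgrade, or disable/replace the plugin) applies. The alternative name mozilla-javaplugin.so and the java-6-sun plugin path are assumptions about Ubuntu/Mint 12; the query output embedded below is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the bug thread. Audits a box for the sun-java6
# exposure discussed above: is the JRE older than 6u29, and does Firefox
# still load the Sun plugin via update-alternatives?

# Update number of a Java 6 build: 'java version "1.6.0_26"' -> 26.
# Prints nothing for other major versions.
java_update_number() {
    printf '%s\n' "$1" | sed -n 's/^java version "1\.6\.0_\([0-9][0-9]*\)".*/\1/p'
}

# vulnerable: sun-java6 older than 6u29 (the build with the October 2011
# fixes); ok: 6u29 or newer; not-java6: anything else.
# $1 is the first line of `java -version 2>&1`.
java6_status() {
    u=$(java_update_number "$1")
    if [ -z "$u" ]; then echo not-java6
    elif [ "$u" -lt 29 ]; then echo vulnerable
    else echo ok; fi
}

# Does the browser plugin alternative resolve to the Sun JRE plugin?
# $1 is the output of `update-alternatives --query mozilla-javaplugin.so`
# (alternative name and java-6-sun path are assumed, see lead-in).
plugin_is_sun() {
    printf '%s\n' "$1" | grep -q '^Value: .*/java-6-sun/'
}

# The action Equ asks for: upgrade the JRE, and if the vulnerable plugin is
# still what Firefox loads, disable or replace it as well.
recommend() {
    case "$(java6_status "$1")" in
        vulnerable)
            if plugin_is_sun "$2"; then echo upgrade-or-disable-plugin
            else echo upgrade; fi ;;
        *) echo none ;;
    esac
}

# Constructed sample of `update-alternatives --query` output for the
# thread's situation: the plugin link resolves to the Sun JRE.
SAMPLE_QUERY='Name: mozilla-javaplugin.so
Link: /usr/lib/mozilla/plugins/libjavaplugin.so
Status: auto
Best: /usr/lib/jvm/java-6-sun/jre/lib/i386/libnpjp2.so
Value: /usr/lib/jvm/java-6-sun/jre/lib/i386/libnpjp2.so'

# With --live, query the real system; otherwise run against the sample.
if [ "${1:-}" = "--live" ]; then
    recommend "$(java -version 2>&1 | head -n 1)" \
              "$(update-alternatives --query mozilla-javaplugin.so 2>/dev/null)"
else
    recommend 'java version "1.6.0_26"' "$SAMPLE_QUERY"
fi
```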
Clement Lefebvre (clementlefebvre) wrote :

Hi,

Thanks to all involved in participating in this bug report.

An early review of OpenJDK gave surprising results. Although it's still not on par with the Oracle implementation (some apps/applets don't run, others show different behavior or run slower), we were able to get satisfying results in most of our test use cases with this open-source implementation.

At this stage we're very likely to drop sun-java6-* from the software selection and to replace it with openjdk. We're planning to do so in the upcoming LMDE RC release and unless we identify new elements from user feedback, we'll be likely to do so in all releases going forward.

We won't force the removal of sun-java6 from people's machines, but as soon as the decision is taken and we're 100% sure this is the direction we'll take, we'll let people know with an official announcement, explaining why we're doing this, and the options available to them.

Although we probably won't be using the scripts to download/install Oracle Java ourselves (there are more and more available, some very well done), these will come in handy to users of Java apps/applets for which support in OpenJDK just isn't good enough, and for developers of course. For this reason we'll likely add one of these scripts to our repositories and make it easier for people to switch from OpenJDK to Oracle Java should they wish to do so.

Note: One of the key elements for us in deciding whether to go for openjdk or sun-java6 is the position of Oracle itself... even more so than the licensing terms.

Changed in linuxmint:
status: Confirmed → In Progress
Tim (tzakharov) wrote :

Thank you for addressing this, Clement. In my experience, the only area I've seen compatibility issues with OpenJDK is in playing the free version of Minecraft: http://www.minecraft.net/classic/play
I've tested a few different versions:
Oracle 6u26 (default Mint 12): works
Oracle 6u30: works
(could not find a Linux version of 6u31 on Oracle's site)
Oracle 7u3: does NOT work
OpenJDK: does NOT work

I agree that the security of your users should take precedence over convenience. While Oracle may not provide all the details you need to know exactly how you can be made vulnerable, there are plenty of reports out there from the various security/AV vendors (look for their annual security reports) that talk about out-of-date Java installs being one of the top vectors for infection.

chemicalfan (mike-lumsden) wrote :

Does this bug apply to any of the currently supported releases (i.e. Maya, Nadia, Olivia, or Petra)? If not, this bug should be closed.

no longer affects: sun-java6 (Ubuntu)
Changed in linuxmint:
status: In Progress → Invalid
This report contains Public Security information  
Everyone can see this security related information.