version 1.6.0_15 is available

Bug #409559 reported by CeesSluis
This bug affects 19 people
Affects | Status | Importance | Assigned to | Milestone
Hardy Backports | Invalid | Undecided | Unassigned | 
Intrepid Ibex Backports | Invalid | Undecided | Unassigned | 
Jaunty Jackalope Backports | Invalid | Undecided | Unassigned | 
The Dell Mini Project | Invalid | Undecided | Unassigned | 
sun-java6 (Ubuntu) | Fix Released | Undecided | Unassigned | 
sun-java6 (Ubuntu Hardy) | Fix Released | Undecided | Unassigned | 
sun-java6 (Ubuntu Intrepid) | Invalid | Undecided | Unassigned | 
sun-java6 (Ubuntu Jaunty) | Fix Released | Undecided | Unassigned | 
sun-java6 (Ubuntu Karmic) | Fix Released | Undecided | Unassigned | 

Bug Description

A new update from Sun is available. See http://java.sun.com/javase/6/webnotes/6u15.html
This release contains fixes for one or more security vulnerabilities.

Tags: upgrade
CeesSluis (testcees)
visibility: private → public
Changed in sun-java6 (Ubuntu):
status: New → Confirmed
Tom rooze.sen (tomrooze-sen) wrote :

Security update please!

Changed in sun-java6 (Ubuntu):
status: New → Confirmed

Artur Rona (ari-tczew)
tags: added: upgrade
Pjotr12345 (computertip) wrote :

On my openSUSE 11.1 box, I received the 1.6.0_15 update yesterday.... When will Ubuntu follow? I have six Ubuntu boxes in my house...

Heimen Stoffels (vistaus) wrote :

I agree that this update is high priority. I received it on my openSUSE 11.1 box too the day before yesterday... It's highly recommened by Sun to install this update, so Ubuntu: come on and push out the update.

Jane Atkinson (irihapeti) wrote :

The repository version of Firefox gets upgraded each time Mozilla puts out a new one, even on older versions such as Hardy. I think that the same thing should happen with Java.

There has already been one update to Java in Hardy, from 1.6.07 to 1.6.14, so it's not impossible.

JarG0n (aesenn) wrote :

When will this update be included in Ubuntu?

Nicola Ferralis (feranick) wrote :

It has just been uploaded in karmic.

Pjotr12345 (computertip) wrote :

You can apply a workaround to install the new JRE which is meant for Karmic, in Hardy, Intrepid and Jaunty.

This workaround is for 32-bit Ubuntu only! You have to adapt it for a 64 bit system.

1. Manually download these three files from Multiverse:

Bin:
http://nl.archive.ubuntu.com/ubuntu/pool/multiverse/s/sun-java6/sun-java6-bin_6-15-1_i386.deb

JRE:
http://nl.archive.ubuntu.com/ubuntu/pool/multiverse/s/sun-java6/sun-java6-jre_6-15-1_all.deb

Plugin:
http://nl.archive.ubuntu.com/ubuntu/pool/multiverse/s/sun-java6/sun-java6-plugin_6-15-1_i386.deb

2. Put these files in your home folder, don't leave them on the desktop.

3. Applications - Accessories - Terminal
Execute the following terminal commands (use copy/paste to place them in the terminal):

sudo dpkg -i sun-java6-bin_6-15-1_i386.deb sun-java6-jre_6-15-1_all.deb

Press Enter. Your password will remain invisible, not even dots, this is normal.

and then:

sudo dpkg -i sun-java6-plugin_6-15-1_i386.deb

Press Enter.

4. Ready. :)

Bad that we need a workaround... We shouldn't need one. The package maintainer isn't active enough. :(
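The workaround above only helps a machine whose sun-java6 packages are actually below the 6u15 build; what a practitioner wants first is a quick check of which installed packages are still on the older version. The following POSIX shell script is an added example, not code from any poster in this thread or from the Ubuntu project. It assumes the Ubuntu sun-java6 version layout visible in the package filenames above, `6-<update>-<revision>...` (for example 6-15-1), and it runs on a constructed `dpkg-query` sample embedded in the script so it can be tried anywhere; on a real box replace the sample with the output of `dpkg-query -W -f='${Package} ${Version}\n' 'sun-java6-*'`.

```shell
#!/bin/sh
# Added example: flag installed sun-java6 packages older than the 6u15 build.
# Assumption: Ubuntu versions sun-java6 as "6-<update>-<revision>[suffix]",
# e.g. "6-14-0ubuntu1" or "6-15-1", as in the .deb filenames in this thread.

FIXED_UPDATE=15   # 6u15 is the update level this bug is asking for

# Constructed sample (not real data) of what
#   dpkg-query -W -f='${Package} ${Version}\n' 'sun-java6-*'
# prints on a box still carrying the previous multiverse build.
SAMPLE_DPKG_OUTPUT='sun-java6-bin 6-14-0ubuntu1
sun-java6-jre 6-14-0ubuntu1
sun-java6-plugin 6-14-0ubuntu1
sun-java6-fonts 6-15-1'

# update_number VERSION -> prints the numeric <update> field ("" if unparseable)
update_number() {
  printf '%s\n' "$1" | cut -d- -f2 | sed 's/[^0-9].*//'
}

# is_patched VERSION -> exit status 0 when VERSION is at or above 6u$FIXED_UPDATE.
# Anything that does not parse is treated as NOT patched, so odd version
# strings are reported rather than silently passed.
is_patched() {
  u=$(update_number "$1")
  [ -n "$u" ] && [ "$u" -ge "$FIXED_UPDATE" ]
}

# list_vulnerable "DPKG_OUTPUT" -> prints "package version" per unpatched package
list_vulnerable() {
  printf '%s\n' "$1" | while read -r pkg ver; do
    [ -n "$pkg" ] || continue
    if ! is_patched "$ver"; then
      printf '%s %s\n' "$pkg" "$ver"
    fi
  done
}

# count_vulnerable "DPKG_OUTPUT" -> prints the number of unpatched packages
count_vulnerable() {
  list_vulnerable "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample
vulnerable=$(count_vulnerable "$SAMPLE_DPKG_OUTPUT")
if [ "$vulnerable" -gt 0 ]; then
  echo "sun-java6 packages below 6u$FIXED_UPDATE ($vulnerable):"
  list_vulnerable "$SAMPLE_DPKG_OUTPUT"
else
  echo "All sun-java6 packages are at or above 6u$FIXED_UPDATE"
fi
```

Run as-is it reports the three sample packages at 6-14 and passes the one at 6-15-1. The comparison deliberately looks only at the update field, because the Ubuntu revision suffix (such as ubuntu1) says nothing about which Sun update the package contains.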

Heimen Stoffels (vistaus) wrote :

@feranick: Great that it has been uploaded in Karmic, but where is the version for the rest of the versions (Jaunty, Hardy etc.)?

@Irihapeti: Did you even read the bug description?
"This release contains fixes for one or more security vulnerabilities."
So you actually want people to have an insecure system because of an insecure Java?

Btw, Pjotr's workaround works great every time. As always, thanks for providing the workaround :)

James Stansell (jamesstansell) wrote :

@vistaus, I think @irihapeti was agreeing with you

Nicola Ferralis (feranick) wrote :

@Vistaus

I maintain an unofficial backport PPA for Jaunty and hardy, where v15 builds are available. I know, they are not official backports, but that's all I can do.

Hardy: https://launchpad.net/~hardybleed/+archive/ppa

Jaunty: https://launchpad.net/~jauntybleed/+archive/ppa

Nicola Ferralis (feranick) wrote :

I added hardy, intrepid and jaunty backports to the bug report.

Changed in sun-java6 (Ubuntu):
status: Confirmed → Fix Released
Nicola Ferralis (feranick) wrote :

Marked "fix released" as it is not updated in Karmic. Bug still open for backports.

Pjotr12345 (computertip) wrote :

@feranick: I appreciate your efforts with the PPA. But "fix released" does not apply here, I think.

"Fix released" would be, when the *package maintainer* would make these packages available through the normal Multiverse updates for Hardy, Intrepid and Jaunty.

Pjotr12345 (computertip)
Changed in sun-java6 (Ubuntu):
status: Fix Released → Confirmed
Pjotr12345 (computertip) wrote :

Why don't the responsible package maintainers answer here? Isn't Launchpad meant for contacting them?

Why this silence on this important security issue? :-(

JarG0n (aesenn) wrote : Re: [Bug 409559] Re: version 1.6.0_15 is available

Sounds like this may be an opportunity for a new package maintainer.

On 8/17/09, Pjotr12345 <email address hidden> wrote:
> Why don't the responsible package maintainers answer here? Isn't
> Launchpad meant for contacting them?
>
> Why this silence on this important security issue? :-(
>
> --
> version 1.6.0_15 is available
> https://bugs.launchpad.net/bugs/409559
> You received this bug notification because you are a direct subscriber
> of the bug.
>

--
Sent from my mobile device

"The world is a dangerous place, not because of the people who are
evil, but because of the people who don't do anything about it." -
Albert Einstein

http://www.CampaignForLiberty.org

Pjotr12345 (computertip) wrote :

It's utterly unacceptable that the responsible package maintainer doesn't react here. I suggest that those of us who are Ubuntu Members, discuss this matter on a higher level of authority.

This matter needs to be dealt with: this negligence by the package maintainer, is putting many computers at risk. Needlessly.

Jamie Strandboge (jdstrand) wrote :

This was fixed in Karmic:

sun-java6 (6-15-1) unstable; urgency=medium

  * New upstream version.
    Release notes at http://java.sun.com/javase/6/webnotes/6u15.html
    Addresses CVE-2009-0217, CVE-2009-2475, CVE-2009-2476, CVE-2009-2625,
    CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2674,
    CVE-2009-2675, CVE-2009-2676, CVE-2009-2690.
  * Set section names to java.
  * Orphan the package.

Changed in sun-java6 (Ubuntu Hardy):
status: New → Confirmed
Changed in sun-java6 (Ubuntu Intrepid):
status: New → Confirmed
Changed in sun-java6 (Ubuntu Jaunty):
status: New → Confirmed
Changed in sun-java6 (Ubuntu Karmic):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Please note that while I am not the package maintainer, sun-java6 is in multiverse and is community supported. It and sun-java5 were originally provided in Ubuntu multiverse to help developers have access to java when there was no free alternative. As of Ubuntu 8.10, openjdk-6 is in 'main', officially supported and receives regular security updates.

If someone from the community wants to come up with a way to provide updates for sun-java* packages, I suggest bringing it up on the ubuntu-motu mailing list.

Pjotr12345 (computertip) wrote :

@ Jamie Strandboge:

Thanks for your reaction.

OpenJDK still can't replace JRE entirely. There are still some websites that only function well for a visitor, when that visitor has JRE installed. A pity, but that's how it is. And that's why we need security updates for JRE.

All that has to be done, is to make the Karmic JRE packages available for Hardy, Intrepid and Jaunty. No change necessary. So this can be done very easily and quickly.

If you already have installed Sun Java JRE from Multiverse in 8.04, 8.10 or 9.04, then all you have to do is install the Karmic packages and it works fine. I already provided a workaround: https://bugs.launchpad.net/ubuntu/+source/sun-java6/+bug/409559/comments/8

But that's only a workaround. Many people won't know it's available. Therefore we need a regular security update. So: how can I bring this matter up on the ubuntu-motu mailing list?

Nicola Ferralis (feranick) wrote :

Pjotr12345 (computertip) wrote :

Thanks feranick. I posted the following message on the MOTU mailing list:

----------------
Hello,

Hereby I request your attention for the following matter. It concerns
Multiverse and not Universe, but the matter is grave enough to bring
this to your attention.

Sun Java JRE doesn't receive security updates for Hardy, Intrepid and
Jaunty. The latest security update is only for Karmic. This is a huge
problem. A structural problem as well: this is not the first time that
Sun Java JRE security updates aren't ported to current stable Ubuntu
versions.

OpenJDK still can't replace JRE entirely. There are still some
websites that only function well for a visitor, when that visitor has
JRE installed. A pity, but that's how it is. And that's why we need
security updates for JRE: most desktop users have it installed on
their computers. We can't leave them unprotected.

All that has to be done for the current JRE security update
(1.6.0_15), is to make the Karmic JRE packages available for Hardy,
Intrepid and Jaunty. No change necessary. So this can be done very
easily and quickly.

If you already have installed Sun Java JRE from Multiverse in 8.04,
8.10 or 9.04, then all you have to do is install the Karmic packages
and it works fine. I already provided a workaround:
https://bugs.launchpad.net/ubuntu/+source/sun-java6/+bug/409559/comments/8

But that's only a workaround. Many people won't know it's available.
Therefore we need a regular security update. Plus we need a structural
change in the handling of security updates for Sun Java JRE: this is
not an incident. Can you make this happen?

This is the current bug report on Launchpad:
https://bugs.launchpad.net/bugs/409559

Greeting, Pjotr.
------------------

I will keep you informed on the handling of this matter by the MOTU's.

Johan van Dijk (johanvandijk) wrote :

According to the popcon statistics [1] and [2], sun-java6 is one of the most popular multiverse packages, and it is the most used one.
If sun-java6 is installed on nearly 550,000 computers, and if more than 60,000 people use it regularly, isn't it strange that Ubuntu doesn't provide security updates? The real number of users is even higher, because participating in the popcon survey is optional.

[1]: http://popcon.ubuntu.com/multiverse/by_inst
[2]: http://popcon.ubuntu.com/multiverse/by_vote

tlu (thomas-ludwig-gmx) wrote :

@Pjotr: Couldn't agree more. This is a disaster from a security viewpoint. We're always telling Windows users that they need something like Secunia PSI to make sure that they will keep their applications updated. And we're telling them: Switch to Ubuntu, and you won't have this problem. - And now this disaster for such a widely used package (thanks Johan for the figures). Pjotr is right that this seems to be a structural problem. I'm anxious to see the reaction on MOTU.

Magnus (koma-lysator) wrote :

Indeed: this is urgent.
I hope and believe that MOTU realizes this.

Jamie Strandboge (jdstrand) wrote :

Please pick up the discussion in the ubuntu-motu mailing list. Pjotr sent a message with the subject of 'Structural problem with Sun Java JRE'. It hasn't gotten any feedback yet (possibly because the title didn't convey the urgency).

Pjotr12345 (computertip) wrote :

It's not possible for me, to pick up the discussion in the MOTU mailing list. Probably because I'm not a MOTU myself. I can only post by sending an e-mail to the janitor. That way, I can't react in a topic thread.

The MOTU's aren't responding. I'm running out of options here... Much to my dismay. :-(

For the time being, I have to conclude that openSUSE 11.1 (which does update Sun Java JRE) is a safer distro to advise to other people, than Ubuntu. Sad.

tlu (thomas-ludwig-gmx) wrote :

Yes, it's more than sad. It's rather a breach of trust. Is there another way to ring the alarm bell?

Pjotr is right that this is a structural problem. Considering the subscribers to this bug, I wonder why his posting in the MOTU list was even necessary.

And I'm beginning to wonder how many other packages that aren't that prominent like the java one have security leaks that have not been patched, either. I mean, if such a serious bug is neglected (against better judgement) everything is possible.

Matthias Klose (doko) wrote :

> It's rather a breach of trust

huh? care to elaborate?

instead of complaining, prepare a package and send it to http://revu.ubuntuwire.com/ for review. It's not rocket science, just spend the time you use for these "me too" mails for something useful.

tlu (thomas-ludwig-gmx) wrote :

@Matthias Klose: It must be possible to criticize something without being a developer. IMO, it's a breach of trust from a user's perspective. Why?

1. A patch is available for Karmic (and in some ppa's). Even without being a developer, I cannot imagine that it's so difficult to provide a patched version for other Ubuntu versions too.
2. Ubuntu has always been promoted as a safe OS that patches security leaks as fast as possible. But now we have a situation where a package with a serious leak has not been patched for several weeks although it's used by hundreds of thousands of users.
3. Nobody said that you, Matthias, or somebody else is the culprit. But if the Ubuntu Security Team and others are subscribed to this bug which has been open for weeks and there is still no reaction, something is terribly wrong. That's what Pjotr meant when he was talking about a structural problem. Is it a lack of manpower?

Considering all these facts, you should not be too astonished that someone who's been a convinced Ubuntu advocate for years is becoming more and more irritated.

Marc Deslauriers (mdeslaur) wrote :

Software in the multiverse and universe repositories is not supported by the Ubuntu Security Team. See:

https://wiki.ubuntu.com/SecurityTeam/FAQ#Official%20Support

Packages in multiverse and universe need to be updated by the Ubuntu community by following the procedures here:

https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

As soon as someone volunteers to submit updates for this issue, the security team will get them published into the proper repositories.

Pjotr12345 (computertip) wrote :

@Matthias Klose and Marc Deslauriers:

The updated Sun Java JRE packages are *already* present in Multiverse, right now only for Karmic. They only need to be made available for Hardy, Intrepid and Jaunty as well. No extra work needed.

This JRE update works fine in Hardy, Intrepid and Jaunty, which I've tested by applying the workaround which I mentioned earlier in this thread. So there is no need to upload new packages (which I wouldn't know how to do anyway).

Please make the updated Sun Java JRE available through the normal updates, for Hardy, Intrepid and Jaunty. It's really urgent.

Heimen Stoffels (vistaus) wrote :

@Marc Deslauriers:

1 I know the Ubuntu Security Team isn't responsible for this, but why are they subscribed to this bug if they aren't responsible for it?
2 Even though it's community maintained, a security vulnerability is a security vulnerability and should be fixed, even if it's from within the community.
3 Even though it's community maintained, a fix for Karmic has rolled out. The packages for Karmic work fine in Hardy, Intrepid and Jaunty. So why aren't the Karmic packages pushed out for the other supported versions? It'll only take 5 minutes (or maybe even less) to push them through the updates of 8.04, 8.10 and 9.04

@Matthias: Sent in packages for review? Have you even read all the comments on this bug? The packages you've made for Karmic work fine in Hardy, Intrepid and Jaunty. So why not push the Karmic packages out for Hardy, Intrepid and Jaunty? It'll only cost you 5 minutes or less to push them out.

JarG0n (aesenn) wrote :

Marc,

Most everyone knows the software isn't supported. Therein lies the root
cause of this issue. Many apps that use java recommend the official
distribution of java, not the open source version.

No disrespect intended here sir, but I believe it is flat out irresponsible for
Canonical, and the Ubuntu Security Team, to refuse to recognize the sheer
number of users that use this package, and retort existing policy, citing
that it is not supported.

Someone needs to recognize the need here, and make it an officially
supported package. As a long time Ubuntu user, and someone who recommends
Ubuntu to everyone, it is *embarrassing* to use a top of the line
distribution of GNU/Linux, commercially supported, that allows such a
package security vulnerability to remain absent for so long.

The official version of java needs to be supported, but not installed by
default.

On Sat, Aug 22, 2009 at 1:02 PM, Marc Deslauriers <
<email address hidden>> wrote:

> Software in the multiverse and universe repositories is not supported by
> the Ubuntu Security Team. See:
>
> https://wiki.ubuntu.com/SecurityTeam/FAQ#Official%20Support
>
> Packages in multiverse and universe need to be updated by the Ubuntu
> community by following the procedures here:
>
> https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures
>
> As soon as someone volunteers to submit updates for this issue, the
> security team will get them published into the proper repositories.
>
> --
> version 1.6.0_15 is available
> https://bugs.launchpad.net/bugs/409559
> You received this bug notification because you are a direct subscriber
> of the bug.
>

--
"The world is a dangerous place, not because of the people who are evil, but
because of the people who don't do anything about it." - Albert Einstein

http://www.CampaignForLiberty.org

Matthias Klose (doko) wrote :

@Vistaus: As you can see at https://jdk-distros.dev.java.net/ 6u16 was released. Updating to 6u15 isn't good enough. No, it's not packaged, and I don't plan to do so. Looking at the Debian package you'll see that it is now unsupported (orphaned), the package in Ubuntu is community maintained. So either the community steps up to maintain the package, or we can remove it as well. If it takes you just 5 min, then please invest the time, and prepare uploads for all releases. I know it does cost me more than this, if you can do it quicker, please do it.

@JarG0n: There is a certified and supported Java6 version in jaunty, and we'll likely have the version in karmic certified as well. Please use this one. It is correct that the java webplugin in IcedTea isn't 100% compatible with the closed-source/proprietary sun plugin, but it is worth checking your applets with this plugin as well and to use this one.

Pjotr12345 (computertip) wrote :

@Matthias Klose:
But 6u15 *is* sufficient. Because Sun says in the Release Notes, that 6u16 doesn't contain security updates compared with 6u15:
http://java.sun.com/javase/6/webnotes/6u16.html

Essential quote:

Bug Fixes
This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 15. Users who have Java SE 6 Update 15 have the latest security fixes and do not need to upgrade to this release to be current on security fixes.

The 6u15 packages are already present in Multiverse. Please release them for Hardy, Intrepid and Jaunty.

Pjotr12345 (computertip) wrote :

@Matthias Klose: please react to the questions that I asked you. It's a vital matter. Thanks in advance.

@everyone: maybe we should consider mobilizing our LoCo Teams. I could try to persuade the leadership of my LoCo Team, Ubuntu-NL (Netherlands and Belgium) to put an official collective request for this update, to Mark Shuttleworth. Either directly, or through Jono Bacon, the Community Manager.

Jamie Strandboge (jdstrand) wrote :

This is a community matter. I asked that this be brought up in #ubuntu-motu because there seems to be a lack of interest from the community to maintain this package and I hoped that more people than those in this bug could respond and help. No one did. People complain, but no one wants to put in the effort required to actually fix it. Multiverse is community supported. You are the community. Would someone from the community *please* prepare updates?

It takes more than simply uploading the Karmic package as is to Hardy, Intrepid and Jaunty. The versions have to be adjusted and the resulting packages *thoroughly* tested before they can be uploaded. The time isn't in changing the version number and uploading. It is making sure there are no regressions and verifying the test suite still works. Anecdotal 'works for me' is not enough. How does it work for you? What is your environment? What was not tested by you? Etc, etc... If there is a regression, who is supposed to fix it? This isn't a matter of policy, but resources. The steps are clear and the same for *all* community supported packages: use https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation and someone from the Ubuntu Security team will process it and get it into the archive on your behalf. If you need feedback or assistance in this process, Ubuntu Security, MOTU and/or MOTU-SWAT can help. Since a debdiff is not appropriate in this case (because this requires a new source package), do as Matthias said and get the package into http://revu.ubuntuwire.com. People can help with testing and review of the package there. See https://wiki.ubuntu.com/MOTU/Packages/REVU/ for details.

Simply stated, it is a community supported package and complaining that someone else isn't doing it for you doesn't help. People from the community must step up. Why should this package be any different from the thousands of other packages in universe that the community supports? If you want it fixed, coordinate to do the work. Rather than localizing LoCo teams and attempting to persuade leadership to go against their previous decision to support unsupported packages (keep in mind, it was put into multiverse in the first place for a reason), might I suggest utilizing these resources to coordinate the work by joining the ubuntu-java team (https://launchpad.net/~ubuntu-java) to define and execute a policy to properly maintain this package? This is what other people who care about a community supported package do.

Pjotr12345 (computertip) wrote :

@Jamie Strandboge:
I understand your point, but where does that leave me, a simple end user with no packaging skills at all? And more than half a million like me? Probably even millions, if you count out the distortion from the popcon statistics?

This means that probably the vast majority of Ubuntu desktop users is now vulnerable because of unpatched JRE packages. Because that's how popular JRE is. This is not just some package, that's the entire point.

No matter what the underlying philosophy is concerning JRE, this is an unacceptable situation and could cause major reputation damage to Ubuntu.

Imagine what this would do to Ubuntu's public safety image, if it became widely known. A public relations disaster that no spin doctor would be able to remedy.

Jamie Strandboge (jdstrand) wrote :

Pjotr,

This leaves you with:
a) using the workaround provided and installing sun-java6 packages from karmic. You can also install the software directly from Sun. Although a poor choice for Ubuntu in general, it gets you as a 'simple user' with the update.
b) figuring out how to build a package yourself with a new version number and submit it to REVU (see https://wiki.ubuntu.com/UbuntuDevelopment#Packaging), test them yourself and then submit them here for upload
c) helping to coordinate the ubuntu-java team to create the packages for you, test them and submit for upload.
d) asking someone who does know how to do this to prepare packages (Vistaus claims it'll take 5 minutes, perhaps that's a good start. Alternatively, try to get people in MOTU or MOTU-SWAT involved). You can then test those packages and have the packager submit them here for upload
e) taking it up again on the ubuntu-motu mailing list (perhaps with a different subject and asking you be kept in the CC) and try to get others to help get the package in shape

Again, this is a community supported package; use the community resources that are available to you (of which there are many). Ubuntu provides the packages in universe and multiverse as a convenience to its users, but needs the community to care for them. People using Ubuntu are not required to use the software in universe and multiverse. This is not new; this is not a public relations disaster; this is simply how Ubuntu is structured. Other teams manage to coordinate security updates for packages that are community supported (ClamAV and Seamonkey spring to mind), why can't you, the java community?

Magnus (koma-lysator) wrote :

Jamie,

There is another option that 'simple users' might fall back to:

f) Use another operating system until there is a mended version of Sun Java available for Ubuntu.

Unfortunately this negatively affects the quite good progress of Ubuntu bug #1, and that is probably what is most disturbing of this situation.

Maybe we can arrange a bounty of some kind? Perhaps that will motivate someone in the community?

Pjotr12345 (computertip) wrote :

@Jamie Strandboge:
Most of the options you mention are above my head, I'm sorry....

The thing is, that most Ubuntu desktop users won't know about the need for a manual update of JRE. I've done it already, my machines are secure. But I'm an exception.

May I therefore suggest two other possible approaches, both of which provide good security and both of which are simple:

1. Provide *untested* JRE security updates, which though untested for stability, are at least secure. Issue a warning that they haven't been tested for stability. Better to have untested JRE packages on your machine which are secure, than stable but insecure JRE packages.

This can be achieved by simply making the JRE packages in the development branch (right now: Karmic), available for the stable Ubuntu versions (right now: Hardy, Intrepid and Jaunty).

2. Remove JRE entirely from Multiverse, and only provide OpenJDK. OpenJDK is a Universe package and is being kept secure. When people want JRE anyway, then they are forced to download and install it manually. Therefore they will know that they have to periodically *update* JRE manually as well. They are aware of the risk then.

My favourite solution is number 1. JRE is being made by Sun; a good quality package, made by a big professional company. Not likely to disrupt your system, even if you haven't tested it for Ubuntu.

John Vivirito (gnomefreak) wrote :

On 08/23/2009 09:19 PM, Jamie Strandboge wrote:
> Pjotr,
>
> This leaves you with:
> a) using the workaround provided and installing sun-java6 packages from karmic. You can also install the software directly from Sun. Although a poor choice for Ubuntu in general, it gets you as a 'simple user' with the update.
> b) figuring out how to build a package yourself with a new version number and submit it to REVU (see https://wiki.ubuntu.com/UbuntuDevelopment#Packaging), test them yourself and the submit them here for upload
> c) helping to coordinate the ubuntu-java team to create the packages for you, test them and submit for upload.
> d) asking someone who does know how to do this to prepare packages (Vistaus claims it'll take 5 minutes, perhaps that's a good start. Alternatively, try to get people in MOTU or MOTU-SWAT involved). You can then test those packages and have the packager submit them here for upload
> e) taking it up again on the ubuntu-motu mailing list (perhaps with a different subject and asking you be kept in the CC) and try to get others to help get the package in shape
>
> Again, this is a community supported package; use the community
> resources that are available to you (of which there are many). Ubuntu
> provides the packages in universe and multiverse as a convenience to its
> users, but needs the community to care for them. People using Ubuntu are
> not required to use the software in universe and multiverse. This is not
> new; this is not a public relations disaster; this is simply how Ubuntu
> is structured. Other teams manage to coordinate security updates for
> packages that are community supported (ClamAV and Seamonkey spring to
> mind), why can't you, the java community?
>
If I wasn't afraid of Java packages I would be glad to do it.
I'm assuming the scripts are like flash script instead of a
"real" package.(real == lack of a better word)

--
Sincerely Yours,
    John Vivirito

https://launchpad.net/~gnomefreak
https://wiki.ubuntu.com/JohnVivirito
Linux User# 414246

"How can i get lost, if i have no where to go"
    -- Metallica from Unforgiven III

Daniel Holbach (dholbach) wrote :

Looks like we're in a situation like with the tor package. If nobody can do the hard work of updating it properly and adhere to the processes we will have to pull it out.

Can somebody who worked with the sun-java6 package outline the steps involved?

Pjotr12345 (computertip) wrote :

It appears that nobody is both able and willing to take this task upon himself... Well, it's a volunteer job of course, so I don't blame anyone.

However, this being so, I urgently request that JRE will be removed entirely from the repositories of Hardy, Intrepid and Jaunty. JRE is much too widely used to provide an unpatched insecure version of it. Security first.

Revision history for this message
Magnus (koma-lysator) wrote :

I agree with Pjotr: removing the package is something that can easily be done and that will remove the security problem for the time being.

Revision history for this message
Volodya (volodya) wrote :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Magnus wrote:
> I agree with Pjotr: Removing the package is something that easily can be
> done and that will remove the security problem for the time being.
>

How so? People who have already installed java-sun will have the vulnerability;
it will not go away because the package is removed from the repository.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkqWosAACgkQuWy2EFICg+3tOQCgyizBHQ/fQghasUhGixeeHt/a
aE4AoNZWME4N38zmMHXrhIQ3D10jqj2E
=kIUV
-----END PGP SIGNATURE-----

Revision history for this message
Magnus (koma-lysator) wrote :

That is right, but it will prevent further installations of a package containing a serious security problem.

Revision history for this message
John Vivirito (gnomefreak) wrote :

On 08/27/2009 08:55 AM, Pjotr12345 wrote:
> It appears that nobody is both able and willing to take this task upon
> himself... Well, it's a volunteer job of course, so I don't blame anyone.
>
> However, this being so, I urgently request that JRE will be removed
> entirely from the repositories of Hardy, Intrepid and Jaunty. JRE is
> much too widely used to provide an unpatched insecure version of it.
> Security first.
>
As I recall we are unable to remove packages from stable
releases. I tried it once and was told we do not remove
packages from stable releases.

--
Sincerely Yours,
    John Vivirito

https://launchpad.net/~gnomefreak
https://wiki.ubuntu.com/JohnVivirito
Linux User# 414246

"How can i get lost, if i have no where to go"
    -- Metallica from Unforgiven III

Revision history for this message
Pjotr12345 (computertip) wrote :

@John Vivirito:

While I can understand that as a general practice, this case should be an exception.

Security is at stake here. Probably millions are using an insecure JRE right now, and don't know it. The least we can do, is to prevent new victims.

Revision history for this message
tlu (thomas-ludwig-gmx) wrote :

Since Jamie proposed to use OpenJDK as an alternative: I don't know about Firefox 3.0, but OpenJDK doesn't work properly under FF 3.5 - see https://bugs.launchpad.net/ubuntu/+source/firefox-3.5/+bug/359407 - and doesn't work at all under FF 3.6 (it doesn't even show up under about:plugins). So much for alternatives ...

Revision history for this message
John Vivirito (gnomefreak) wrote :

On 08/28/2009 08:30 AM, Pjotr12345 wrote:
> @John Vivirito:
>
> While I can understand that as a general practice, this case should be
> an exception.
>
> Security is at stake here. Probably millions are using an insecure JRE
> right now, and don't know it. The least we can do, is to prevent new
> victims.
>
Good point

--
Sincerely Yours,
    John Vivirito

https://launchpad.net/~gnomefreak
https://wiki.ubuntu.com/JohnVivirito
Linux User# 414246

"How can i get lost, if i have no where to go"
    -- Metallica from Unforgiven III

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The sun-java policy is being clarified and updated in https://wiki.ubuntu.com/StableReleaseUpdates#sun-java*. Updated sun-java5 packages are available in dapper-proposed and hardy-proposed. Updated sun-java6 packages are available in hardy-proposed and jaunty-proposed.

Please comment in https://bugs.launchpad.net/ubuntu/+source/sun-java5/+bug/420360 on whether or not the sun-java5 packages work for you.

Please comment in https://bugs.launchpad.net/ubuntu/+source/sun-java6/+bug/420426 on whether or not the sun-java6 packages work for you.

Thanks

Changed in sun-java6 (Ubuntu Hardy):
status: Confirmed → Fix Committed
Changed in sun-java6 (Ubuntu Jaunty):
status: Confirmed → Fix Committed
Changed in sun-java6 (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Revision history for this message
Pjotr12345 (computertip) wrote :

@jgschellinger: why did you change the status in Fix Released? There's still no 6u16 in the normal updates for Jaunty (Main server).

Revision history for this message
Nicola Ferralis (feranick) wrote :

The current bug is for an update to version 15, which was released and thus the status changed to "Fix Released". The fact that version 16 is out is irrelevant to this bug. Given the complexity of this bug, involving many distributions, it is not advisable to modify the bug when new releases are available upstream. New bugs should be filed instead.

Changed in hardy-backports:
status: New → Invalid
Changed in intrepid-backports:
status: New → Invalid
Changed in jaunty-backports:
status: New → Invalid
Revision history for this message
Heimen Stoffels (vistaus) wrote :

@fernanick: If update 15 is out for Jaunty, then why didn't I receive the update yet?

Revision history for this message
Volodya (volodya) wrote :

I can confirm that update 14 is the latest available version from the repositories on Jaunty. I have updated manually in the meantime, but there are many less experienced users who will have a serious vulnerability on their machines.

Changed in sun-java6 (Ubuntu Jaunty):
status: Fix Released → Confirmed
Revision history for this message
James Stansell (jamesstansell) wrote :

Only Karmic has u15. The u16 packages are in -proposed in Jaunty and Hardy but not yet in -updates.

Changed in dell-mini:
status: New → Invalid
aus (aus.)
Changed in sun-java6 (Ubuntu Jaunty):
status: Confirmed → Fix Committed
status: Fix Committed → Fix Released
Revision history for this message
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug has been fixed in newer releases of Ubuntu.

Changed in sun-java6 (Ubuntu Intrepid):
status: Confirmed → Invalid
Changed in sun-java6 (Ubuntu Hardy):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
