Security update for Sun Java JRE 6: update 17

Bug #477812 reported by Pjotr12345 on 2009-11-07
This bug affects 13 people
Affects Status Importance Assigned to Milestone
sun-java6 (Debian)
Fix Released
sun-java6 (Ubuntu)
Nominated for Intrepid by aus
Nominated for Jaunty by aus
Nominated for Karmic by aus
Nominated for Lucid by aus
sun-java6 (openSUSE)

Bug Description

Binary package hint: sun-java6-jre

Sun has issued a security update for JRE 6: update 17. This is a list of the security fixes involved:

When can we expect this security update for 8.04 Hardy Heron LTS?

Pjotr12345 (computertip) on 2009-11-07
visibility: private → public
Changed in sun-java6 (Ubuntu):
status: New → Confirmed
Pjotr12345 (computertip) wrote :

I would very much appreciate a reaction from the developers.... This is an important matter, as it concerns the security of an LTS version.

Pjotr12345 (computertip) wrote :

Why don't I receive any reply? Don't the developers realize the importance of this security issue?

Does Launchpad still function as a bug squashing tool, or is it completely jammed because of the overwhelming flood of reports?

In other words: does it still make sense to report bugs, or has it become a complete waste of time, because no-one will respond anyway?

William (kc-cobradevil) wrote :

Hello All

i'm also interested in this update because of the internet solution we provide for our company is based on firefox on hardy LTS.
Probably this bug is known and a solution is being investigated and tested.

With kind regards


aus (aus.) on 2009-11-17
Changed in sun-java6 (Ubuntu):
assignee: nobody → Matthias Klose (doko)
Matthias Klose (doko) on 2009-11-17
Changed in sun-java6 (Ubuntu):
assignee: Matthias Klose (doko) → nobody
Pjotr12345 (computertip) wrote :

*Please* clarify us about this! I'm very disappointed that we get no information at all!

- Is anything being done at all, to provide this security update for JRE, or is JRE officially abandoned?

- If a security update is in progress, when can we expect it, and for which versions of Ubuntu?

For those of us who find it unacceptable to wait any longer for this important security update (like I), I have published a how-to for manual installation:

Jamie Strandboge (jdstrand) wrote :


This issue was discussed the last time around and a policy formalized in*. Please note that sun-java packages are in multiverse and are supported by the community. If you are able and would like to help improve the situation, feel free to provide an updated package and it can be reviewed and uploaded.

Pjotr12345 (computertip) wrote :

@Jamie Strandboge: thanks for responding!

Unfortunately I don't have the skills for building packages. All I could do was publish an instruction for manual installation of the latest JRE (available on the Sun website), in English and in Dutch:



I know about the formal policy for JRE, as we discussed a previous security update for JRE, in earlier Launchpad thread. But if there are no people around who can help implement this formal policy, then the policy is useless....

I fully understand that you are all very busy and even overloaded with work. And I appreciate your efforts very much.

However, if there isn't enough manpower available for implementing the formal policy for JRE, then please drop JRE altogether and remove it entirely from the repositories. Better no JRE at all, than an insecure JRE....

Accepted sun-java6 into hardy-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Changed in sun-java6 (Ubuntu Hardy):
status: New → Fix Committed
Pjotr12345 (computertip) wrote :

I tested the proposed update in 8.04, and it works fine. :-)

Thank you, Martin Pitt!

Pjotr12345 [2009-11-23 15:53 -0000]:
> I tested the proposed update in 8.04, and it works fine. :-)

Great, thanks for testing. What did you test in particular? Some apps,
browser plugin, etc.?

> Thank you, Martin Pitt!

Thanks go to Matthias Klose, he prepared the package. :-)

Pjotr12345 (computertip) wrote :

I will redirect my thanks, then: thank you, Matthias Klose!

This is how I tested this update:
- I removed my manual installation of 6u17, by deleting /opt/java
- then I installed 6u16 from the repo's
- then I turned on "proposed"
- then I updated to 6u17

After that, I played a game of online chess on Yahoo Games, in Epiphany-browser. I've only tested through the browser plugin, therefore.

I also used Frostwire, but that particular app uses OpenJDK "under the hood", I think, because I downloaded the adapted Frostwire deb from

Am I correct in assuming that only Hardy LTS will get this JRE update, and not the other current Ubuntu versions?

Martin Pitt (pitti) on 2009-11-30
tags: added: verification-done
removed: verification-needed
Artur Rona (ari-tczew) on 2009-12-01
Changed in sun-java6 (Debian):
importance: Undecided → Unknown
status: New → Unknown
Jarek (dr-destroyer) wrote :

Is there any chance for 6u17 to be released for Karmic?
Sun-java6* is very important package for many users. It should not be abandoned.

Changed in sun-java6 (Debian):
status: Unknown → Fix Released
Pjotr12345 (computertip) wrote :

@ Jarek:
I agree, but in the meantime you can apply this how-to for manual installation of JRE 6u17:

I've tried to make it as easy as possible.

Jarek (dr-destroyer) wrote :

@ Pjotr12345

There are also other possibiliyies:
- use java-package ( and create deb package yourself - created packages are other than those supplied by ubuntu and debian (there is only one big package for whole JDK)
- install packages from debian sid - 6u17 is already published: - I didn't try this way this time, but I have successfully installed sun-java6 packages from debian earlier.

Kevin (kevinshlee) wrote :

Sun released JDK & JRE 6 Update 18 (1.6.0_18)

Yet my Ubuntu (9.10 Karmic Koala desktop 64bit) still has 1.6.0_15. When can we have the new one?

Yves Glodt (yglodt) wrote :

To Ubuntu: please see this also in the perspective of people like me who use tomcat with sun-java6. I do not really care about the browser plugin, but for java app-hosting in tomcat it is important to have a *sun* jvm, since openjdk is not on par yet.

Steve Beattie (sbeattie) wrote :

This was fixed in hardy with the 6-17-0ubuntu1.8.04 update; closing that task.

Changed in sun-java6 (Ubuntu Hardy):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

All releases have 6.24 now.

Changed in sun-java6 (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.