sun java 6u26 needs packaging

Bug #797718 reported by Jörn Dreyer on 2011-06-15
This bug affects 11 people
Affects:
sun-java6 (Ubuntu): importance High, assigned to Brian Thomason
Lucid: importance High, assigned to Brian Thomason
Maverick: importance High, assigned to Brian Thomason
Natty: importance High, assigned to Brian Thomason
Oneiric: importance High, assigned to Brian Thomason

Bug Description

I am responsible for several Ubuntu server machines running web services based on Java. Maybe I misunderstand the update policy for security-relevant fixes, but I wonder why update 6.26 is not yet packaged for Ubuntu Lucid / Natty in the partner repository?

From http://jdk-distros.java.net/developer.html

Java SE 6u26
Linux
jdk-6u26-dlj-linux-i586.bin (82 MB, md5sum: d54e58b69e4db80f267435be679a66b9)
jdk-6u26-dlj-linux-amd64.bin (82 MB, md5sum: 43f4e9699afce82d3ebae841c59d02fb)

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 17 new security fixes across Java SE products.

Details on the release: http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html

visibility: private → public
Changed in sun-java6 (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Brian Thomason (brian-thomason)
Mikko Rantalainen (mira) wrote :

It's worth noting that 5 of those 17 security problems are specific to Windows only. Still, this update would fix 12 CVE security vulnerabilities concerning Linux. Added CVE References.

Matthias Klose (doko) on 2011-07-07
Changed in sun-java6 (Ubuntu):
importance: Medium → High
milestone: none → oneiric-alpha-3
Changed in sun-java6 (Ubuntu Lucid):
importance: Undecided → High
milestone: none → lucid-updates
status: New → Confirmed
Changed in sun-java6 (Ubuntu Maverick):
assignee: nobody → Brian Thomason (brian-thomason)
importance: Undecided → High
milestone: none → maverick-updates
status: New → Confirmed
Changed in sun-java6 (Ubuntu Natty):
assignee: nobody → Brian Thomason (brian-thomason)
importance: Undecided → High
milestone: none → natty-updates
status: New → Confirmed
Changed in sun-java6 (Ubuntu Lucid):
assignee: nobody → Brian Thomason (brian-thomason)
kaushal (kaushalshriyan) wrote :

Any ETA about java6 u26 availability on Lucid and Hardy?

Mikko Rantalainen (mira) wrote :

According to comment https://bugs.launchpad.net/ubuntu/+source/sun-java6/+bug/784604/comments/8 the Java 6 update 26 was available in the Debian archive weeks ago. I'd expect Ubuntu port to be pretty fast.

Brian Thomason (brian-thomason) wrote :

Expect this on Monday or Tuesday.

Heimen Stoffels (vistaus) wrote :

Thanks Brian! But that's still more than a month too late. When will the Ubuntu Security Team treat Sun Java as an important update? Because it's not the first time this happens. We've already had multiple discussions about Sun Java updates and you guys are always late. Please treat Sun Java as a number-one package when it comes to security fixes, just like you do with Firefox and Adobe Flash Player.

Brian Thomason (brian-thomason) wrote :

Hi Vistaus,

The security team isn't responsible for packages in the Canonical Partner Repository - that would rest solely with me. One month is too long - I need to get back in contact with the Debian developer and sync their packages soon after they are released.

Flash updates are handled promptly because we have a good relationship with Adobe in that regard. Unfortunately, no such relationship exists with Oracle at this point.

-Brian

What about an automatic sync from debian as soon as a new package is updated?

Pjotr12345 (computertip) wrote :

@LocutusOfBorg: +1

That looks like a splendid idea! That would solve this awful and recurring security problem once and for all.

@Brian Thomason: what do you think of this suggestion? Is it technically possible?

NoOp (glgxg) wrote :

I finally got tired of waiting & added:
deb http://http.us.debian.org/debian sid main non-free
to my /etc/apt/sources.list. Updated java6 & then disabled the repo.

$ apt-cache policy sun-java6-jre
sun-java6-jre:
  Installed: 6.26-1
  Candidate: 6.26-1

No, unfortunately it isn't technically possible at this time to automate that, and I'm not sure it's desirable. Just because the update works soundly on Debian Sid does not mean it works on top of Lucid in the same manner.

That being said, I just uploaded this fix to Lucid and Maverick and Natty will follow shortly.

Pjotr12345 (computertip) wrote :

@Brian Thomason: OK.... I see.

Yet, the update procedure of Sun Java JRE needs structural improvement. Security fixes like the current one, should become available much sooner in the future. Do you have ideas how this can be achieved?

Thanks for the current upload, by the way. :-)

kaushal (kaushalshriyan) wrote :

Is it going to be available in Hardy?

Changed in sun-java6 (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in sun-java6 (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in sun-java6 (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in sun-java6 (Ubuntu Oneiric):
status: Confirmed → Fix Released
kaushal (kaushalshriyan) wrote :

Please update about comment#12

Pjotr12345 (computertip) wrote :

@kaushal: 8.04 Hardy Heron is already dead on the desktop since April (although not yet dead on the server), so I suppose the answer is: no, this update won't be made available for Hardy.

Eric Zimmerman (eric-zimtek) wrote :

I am still not seeing this in maverick updates. Can anyone confirm?

On 07/30/2011 05:16 PM, Eric Zimmerman wrote:
> I am still not seeing this in maverick updates. Can anyone confirm?
>

It's there:
https://launchpad.net/ubuntu/+source/sun-java6
