Oracle (Sun) Java JRE urgently needs security update

Bug #884252 reported by Pjotr12345 on 2011-10-31
This bug affects 7 people
Affects Status Importance Assigned to Milestone
sun-java6 (Ubuntu)
Undecided
Unassigned

Bug Description

Oracle has issued a security update for Java JRE: 6u29. This contains critical security fixes: http://www.oracle.com/technetwork/java/javase/6u29-relnotes-507960.html

The Partner repository of all Ubuntu versions before Oneiric still contains the insecure 6u26, including 10.04 LTS Lucid Lynx.

Pjotr12345 (computertip) on 2011-10-31
visibility: private → public
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sun-java6 (Ubuntu):
status: New → Confirmed
Sylvestre Ledru (sylvestre) wrote :

Except if Canonical has a special agreement about the sun-java6 like Redhat seems to have, we cannot update sun-java6 because of the drop of the DLJ license.
For more information, see:
http://sylvestre.ledru.info/blog/sylvestre/2011/08/26/sun_java6_packages_removed_from_debian_u
http://sylvestre.ledru.info/blog/sylvestre/2011/10/25/removal_of_sun_java6_from_debian

If Canonical has an agreement about this, please ping me (<email address hidden>) to see what we can do here.

Pjotr12345 (computertip) wrote :

@Sylvestre Ledru: that may be so, but the maintainers of the Partner repo still have the responsibility to keep sun-java6 secure for all those who have installed it in good faith. In my honest opinion, anyway.

Even an LTS edition (10.04) is endangered. Can't leave your users in the cold. Noblesse oblige....

Sylvestre Ledru (sylvestre) wrote :

Well, it is non-free. We cannot backport security fixes.
It is not about "noblesse", it is about license here...

Pjotr12345 (computertip) wrote :

@Sylvestre Ledru: OK, I see....

But can you at least inform all current users about the risk they have now, and what they can do about it? For example by a special popup message from update manager or something?

And a further urgent step should be, IMHO, the immediate complete removal of 6u26 from the Partner repos of Lucid, Maverick and Natty. To prevent further damage...

Sylvestre Ledru (sylvestre) wrote :

I am way more involved in Debian. Therefore, I prefer to leave the removal decision to Ubuntu developers.

Sorry

Pjotr12345 (computertip) wrote :

@Sylvestre Ledru: the strange thing is: I have booted into OpenSUSE 11.4 yesterday, and lo and behold, I received an update for Oracle (Sun) Java JRE. The secure 6u29. Apparently they can still provide it.....

Sylvestre Ledru (sylvestre) wrote :

I don't know how they did it or if they have an agreement with Oracle, but they might not be aware of the license change of sun-java6.

Pjotr12345 (computertip) wrote :

@Sylvestre Ledru: the current situation in Ubuntu strikes me as very unsatisfactory. I think that OpenJDK is the choice of preference (which it is anyhow, because it's default), but I stress the word "choice".

The license issue of non-free Java can be solved like the issue of non-free Flash: a package with script that downloads Java from the upstream's page and installs it. Please make this possible...

This would solve the dangerous insecurity that users of Lucid, Maverick and Natty are facing now (while being unaware of it!). Plus it would offer the choice to Oneiric users and beyond, to install Oracle Java JRE *if they choose to*. And sometimes, they are even forced to, because unfortunately OpenJDK doesn't *always* perform as well as Oracle Java.

As La Rochefoucauld said: one must hold to a resolution because it is good, and not because one has taken it....

You and I know how to install Oracle Java manually. I have even published a how-to on my website: http://sites.google.com/site/easylinuxtipsproject/java
But most people don't know how to do it manually, which may cause beginners with Linux to revert to their original operating system in frustration. That would not be good....

Sylvestre Ledru (sylvestre) wrote :

I understood your initial arguments.

Pjotr12345 (computertip) wrote :

I *urgently* request immediate action. This is a very, very serious issue:
http://www.zdnet.com/blog/security/java-update-plugs-20-critical-security-holes/9670
