Potential Server Seed impact for 14.04: removal of OpenJDK/Tomcat7 from Ubuntu main
sunnychan
ubuntu at sunnychan.hk
Sun Jan 26 12:40:17 UTC 2014
I am not really an Ubuntu user but I want to contribute to this
conversation. The main source of recent security vulnerabilities is the
Java Plug-in and Webstart (the so-called "deployment" component) of the OpenJDK.
You need to bear in mind that most server processes (e.g. the Tomcat process) are
not run under the security manager and therefore there is no sandbox to escape. As a
result, the majority of the security vulnerabilities do not apply if you disable the Java Plug-in
and Webstart. I did a little analysis last year and looked at a number of past
security vulnerabilities to see whether they would affect server
processes, etc. This information is actually given in Oracle's security
notification pages:
Java Patch Release   Total number of fixes   Fixes that affect Client components   Fixes that affect Client and Server components
January 2014         38                      35                                    3
October 2013         51                      40                                    11
June 2013            40                      35                                    4
Feb 2013             50                      43                                    5
October 2012         30                      26                                    3
June 2012            14                      9                                     4

Info URLs for each release:
  January 2014: <http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA>
  October 2013: <http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixJAVA>
  June 2013:    <http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html>
  Feb 2013:     <http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html>
  October 2012: <http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html>
  June 2012:    <http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html>
Notice that in the majority of cases, if no "client" components are being
used, the number of security vulnerabilities affecting Java is substantially
lower. This is why Oracle has now introduced a Server JRE
<http://www.oracle.com/technetwork/java/javase/downloads/server-jre7-downloads-1931105.html>
which removes the Java Plug-in and Webstart components to reduce the security
risk. I would suggest that Ubuntu re-organise the Java packages on the
server so that the Java Plug-in and Webstart are separated, and only
distribute a "server JRE" type of packaging in Ubuntu server.

Sunny
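The triage the poster describes, counting how many fixes in a Java Critical Patch Update only matter when the Plug-in / Web Start client stack is present, can be automated. The script below is an added example, not code from the post or from Ubuntu; it assumes the risk-matrix convention in which client-only rows carry the note "applies to client deployment of Java only", treats the "Deployment", "JavaFX" and "Install" sub-components as client-only (an assumption of this example), and uses a constructed sample with placeholder CVE ids rather than Oracle's real advisory data.

```python
"""Split Java CPU risk-matrix rows into client-only and client+server fixes.

Added example (not from the mailing-list post). All rows in SAMPLE_CPU are
CONSTRUCTED with placeholder CVE ids; they are not real Oracle advisory data.
"""
from dataclasses import dataclass
from collections import Counter

# Wording used by Oracle risk matrices for fixes that need the browser
# Plug-in / Web Start to be reachable (assumption: matched as a substring).
CLIENT_ONLY_NOTE = "applies to client deployment of Java only"

# Sub-components that exist only in the client "deployment" stack
# (assumption made by this example).
CLIENT_ONLY_COMPONENTS = {"Deployment", "JavaFX", "Install"}


@dataclass(frozen=True)
class Fix:
    cve: str          # placeholder id such as "CVE-0000-0001"
    component: str    # the risk matrix "Sub-component" column
    cvss: float
    note: str = ""    # free-text note attached to the row


def exposure(fix: Fix) -> str:
    """'client' if the fix only matters with Plug-in/Web Start installed,
    otherwise 'client+server' (a headless server process is exposed too)."""
    if CLIENT_ONLY_NOTE in fix.note or fix.component in CLIENT_ONLY_COMPONENTS:
        return "client"
    return "client+server"


def summarize(fixes):
    """Same three numbers as the post's table:
    (total fixes, client-only fixes, client-and-server fixes)."""
    counts = Counter(exposure(f) for f in fixes)
    return len(fixes), counts["client"], counts["client+server"]


def server_relevant(fixes, plugin_installed: bool):
    """Fixes a host still has to care about. With the Plug-in / Web Start
    packages absent (a 'server JRE' style install) client-only rows drop out."""
    if plugin_installed:
        return list(fixes)
    return [f for f in fixes if exposure(f) == "client+server"]


# Constructed sample in the shape of one CPU appendix (placeholder CVE ids).
SAMPLE_CPU = [
    Fix("CVE-0000-0001", "Deployment", 10.0, "This vulnerability " + CLIENT_ONLY_NOTE + "."),
    Fix("CVE-0000-0002", "Libraries", 10.0, "This vulnerability " + CLIENT_ONLY_NOTE + "."),
    Fix("CVE-0000-0003", "2D", 10.0, "This vulnerability " + CLIENT_ONLY_NOTE + "."),
    Fix("CVE-0000-0004", "JAXP", 5.0, "Reachable through untrusted XML handled by a server."),
    Fix("CVE-0000-0005", "Security", 4.3, ""),
    Fix("CVE-0000-0006", "JavaFX", 10.0, ""),
]

if __name__ == "__main__":
    total, client, both = summarize(SAMPLE_CPU)
    print(f"total={total} client-only={client} client+server={both}")
    for f in server_relevant(SAMPLE_CPU, plugin_installed=False):
        print("still relevant on a plug-in-free server:", f.cve, f.component)
```

Running it prints 6 fixes in total, 4 client-only and 2 client+server, and lists only the JAXP and Security rows as still relevant to a server without the deployment packages. The interesting consequence for patch planning is the second function: the same advisory yields a much shorter worklist for a host where the Plug-in and Web Start packages are simply not installed, which is the packaging argument the post makes.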