Status of java in hardy

Andreas Heinlein aheinlein at
Fri May 15 08:24:35 BST 2009

Stefan Lesicnik wrote:
> On Tue, May 12, 2009 at 11:42 AM, Andreas Heinlein <aheinlein at> wrote:
>> Hello,
>> I am wondering what the security status of openjdk, sun-java6 and
>> sun-java5 in hardy is. After the latest security holes were discovered
>> in the Sun JRE 6u12 and Sun JRE6u13 was released, fixes were released as
>> well for openjdk packages for intrepid and jaunty, because openjdk is in
>> main for these distributions.
>> I contacted Kees Cook for updated hardy packages, and he told me that
>> since openjdk is in universe for hardy, he cannot do anything except
>> wait for updated packages. Several weeks have passed since then, updated
>> debian lenny packages for openjdk6b11 have been released in the
>> meantime, but still no hardy update.
>> He pointed me to a CVE tracker of ubuntu packages
>> (
>> which shows e.g. CVE-2009-1096 is still open for hardy.
>> If I'm correct, this means that there is currently no security-hole free
>> java runtime for hardy, at least none with a usable web browser plugin
>> (I do not consider gcjwebplugin usable...). This is bad, especially
>> since hardy is a LTS release.
>> Can someone here tell me how to "Push" things a little in order to get
>> this fixed?
> Hi Andreas,
> Packages located in universe are generally maintained by motu-swat and
> contributors. We would love to have your assistance within the
> motu-swat team.
> The following resources will assist you in getting started. Also feel
> free to drop by #ubuntu-hardened or hunt me down on irc :)
> Regards,
> Stefan
> stefanlsd (freenode)

Thank you very much. I took a look into this, but it looks like more
than a day's work to get started with this.

But for now, I need to get this issue fixed; and I imagine there are
quite a lot of people out there who need a bug-free JRE for hardy. I
consider this so severe that I would even suggest moving openjdk to main
for hardy, if that would be possible.

Do you know who maintained openjdk in the past, and how we can ask
him/her for help? I would not even know where to start; try to port the
debian package or backport the fixes myself? This is surely something
more difficult than merely repackaging an upstream software.

