Status of java in hardy

Andreas Heinlein aheinlein at gmx.com
Fri May 15 08:24:35 BST 2009


Stefan Lesicnik wrote:
> On Tue, May 12, 2009 at 11:42 AM, Andreas Heinlein <aheinlein at gmx.com> wrote:
>   
>> Hello,
>>
>> I am wondering what the security status of openjdk, sun-java6 and
>> sun-java5 in hardy is. After the latest security holes were discovered
>> in the Sun JRE 6u12 and Sun JRE6u13 was released, fixes were released as
>> well for openjdk packages for intrepid and jaunty, because openjdk is in
>> main for these distributions.
>>
>> I contacted Kees Cook for updated hardy packages, and he told me that
>> since openjdk is in universe for hardy, he cannot do anything except
>> wait for updated packages. Several weeks have passed since then, updated
>> debian lenny packages for openjdk6b11 have been released in the
>> meantime, but still no hardy update.
>>
>> He pointed me to a CVE tracker of ubuntu packages
>> (http://people.ubuntu.com/~ubuntu-security/cve/universe-all.html#universe)
>> which shows e.g. CVE-2009-1096 is still open for hardy.
>>
>> If I'm correct, this means that there is currently no security-hole-free
>> java runtime for hardy, at least none with a usable web browser plugin
>> (I do not consider gcjwebplugin usable...). This is bad, especially
>> since hardy is an LTS release.
>>
>> Can someone here tell me how to "Push" things a little in order to get
>> this fixed?
>>     
>
>
> Hi Andreas,
>
> Packages located in universe are generally maintained by motu-swat and
> contributors. We would love to have your assistance within the
> motu-swat team.
>
> The following resources will assist you in getting started. Also feel
> free to drop by #ubuntu-hardened or hunt me down on irc :)
>
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
> https://wiki.ubuntu.com/SecurityTeam
> https://wiki.ubuntu.com/StableReleaseUpdates
> https://wiki.ubuntu.com/MOTU/GettingStarted
>
> Regards,
>
> Stefan
>
> stefanlsd (freenode)
>   
Hello,

thank you very much. I took a look into this, but it looks like more
than a day's work to get started with this.

But for now, I need to get this issue fixed; and I imagine there are
quite a lot of people out there who need a bug-free JRE for hardy. I
consider this so severe that I would even suggest moving openjdk to main
for hardy, if that would be possible.

Do you know who maintained openjdk in the past, and how we can ask
him/her for help? I would not even know where to start; try to port the
debian package or backport the fixes myself? This is surely something
more difficult than merely repackaging an upstream software.

Bye,
Andreas