critical update 29 available

Debian Bug report logs - #645881
critical update 29 available

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: critical update 29 available

Date: Wed, 19 Oct 2011 12:21:56 +0200

Package: sun-java6
Severity: grave
Tags: security

Hi,

Upstream has released Java SE 6 update 29 yesterday:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
with security fixes.

Because some of the fixes, like for BEAST, are very high-profile, perhaps an
update through stable-updates can be arranged with the SRM instead of waiting
for the next point release? In any case a speedy fix of sid+wheezy would be
helpful.


thanks,
Thijs

Message #10 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Sylvestre Ledru <sylvestre@debian.org>

To: Thijs Kinkhorst <thijs@debian.org>, 645881@bugs.debian.org

Cc: debian-release@lists.debian.org, debian-security@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Wed, 19 Oct 2011 12:50:15 +0200

CC debian release & security

Le mercredi 19 octobre 2011 à 12:21 +0200, Thijs Kinkhorst a écrit :
> Upstream has released Java SE 6 update 29 yesterday:
> http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
> with security fixes.

Well, that especially means that it is now time to consider the removal
of sun-java6 from Debian.

We, the distros, are no longer allowed by Oracle to redistribute this
version [1] [2].
The OpenJDK (6 or 7) is now the way to go.

About stable, I don't know what the security team would recommend
here ?!

Thanks,
Sylvestre
[1]
http://sylvestre.ledru.info/blog/sylvestre/2011/08/26/sun_java6_packages_removed_from_debian_u
[2] http://jdk-distros.java.net/
The DLJ has finally been retired, and so has been this project.

Message #15 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Nico Kadel-Garcia <nkadel@gmail.com>

To: Sylvestre Ledru <sylvestre@debian.org>

Cc: Thijs Kinkhorst <thijs@debian.org>, 645881@bugs.debian.org, debian-release@lists.debian.org, debian-security@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Wed, 19 Oct 2011 07:10:15 -0400

On Wed, Oct 19, 2011 at 6:50 AM, Sylvestre Ledru <sylvestre@debian.org> wrote:
> CC debian release & security
>
> Le mercredi 19 octobre 2011 à 12:21 +0200, Thijs Kinkhorst a écrit :
>> Upstream has released Java SE 6 update 29 yesterday:
>> http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
>> with security fixes.
>
> Well, that especially means that it is now time to consider the removal
> of sun-java6 from Debian.
>
> We, the distros, are no longer allowed by Oracle to redistribute this
> version [1] [2].
> The OpenJDK (6 or 7) is now the way to go.
>
> About stable, I don't know what the security team would recommend
> here ?!

I can personally recommend the openjdk from other work I'm doing. The
improvement in the packaging alone justifies the switch for software
maintainers, but it's also worked well under load for me with Ant and
JBoss tests I've done recently.

Message #20 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: Thijs Kinkhorst <thijs@debian.org>

Cc: 645881@bugs.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Wed, 19 Oct 2011 13:32:30 +0200

* Thijs Kinkhorst:

> Upstream has released Java SE 6 update 29 yesterday:
> http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
> with security fixes.

Does the lack of a DLJ version affect us?  The special distributor
license is no longer available from Oracle:

| As a consequence, further Oracle JDK 6 (or Oracle JDK 7) releases on
| Linux and Solaris will not be provided under the DLJ. They will
| continue to be provided under the familiar Oracle JDK license, the
| BCL.

<http://robilad.livejournal.com/90792.html>

I'm not sure if the standard JDK license agreement is sufficient.

Message #25 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Matthias Klose <doko@ubuntu.com>

To: Thijs Kinkhorst <thijs@debian.org>

Cc: Sylvestre Ledru <sylvestre@debian.org>, 645881@bugs.debian.org, debian-release@lists.debian.org, debian-security@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Wed, 19 Oct 2011 14:15:56 +0200

On 10/19/2011 02:09 PM, Thijs Kinkhorst wrote:
> Have we been in contact with Oracle upstream and explained that we are
> eager to comply with their wish to move entirely to openjdk for our next
> release, but have the problem that we have a stable release out in the
> field that people rely on? Are there possibilities to extend the offer for
> the lifetime of stable, or at least until it becomes oldstable?

there's nothing which hinders you to still have the current version in stable.
The license isn't changed for the existing package.  It's up to the
security/release teams to decide if they want to have a version with known
security issues in the stable release (in the past the security team didn't care
about this at all for the current oldstable).

  Matthias

Message #30 received at 645881@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: "Matthias Klose" <doko@ubuntu.com>

Cc: "Sylvestre Ledru" <sylvestre@debian.org>, 645881@bugs.debian.org, debian-release@lists.debian.org, debian-security@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Wed, 19 Oct 2011 15:28:02 +0200

On Wed, October 19, 2011 14:15, Matthias Klose wrote:
> On 10/19/2011 02:09 PM, Thijs Kinkhorst wrote:
>> Have we been in contact with Oracle upstream and explained that we are
>> eager to comply with their wish to move entirely to openjdk for our next
>> release, but have the problem that we have a stable release out in the
>> field that people rely on? Are there possibilities to extend the offer
>> for
>> the lifetime of stable, or at least until it becomes oldstable?
>
> there's nothing which hinders you to still have the current version in
> stable.
> The license isn't changed for the existing package.  It's up to the
> security/release teams to decide if they want to have a version with known
> security issues in the stable release

I understand that, and I think the situation where we keep something in
unstable while refraining from publishing security updates is undesirable.

What I'm wondering is if we tried to ask upstream whether they would be
willing to extend the DLJ offer so we can keep security fixes for the
sun-java6 version in stable coming in for the lifetime of this release,
notwithstanding the fact that we're removing it from the next release.

> (in the past the security team
> didn't care about this at all for the current oldstable).

I don't know what this refers to, but it doesn't seem relevant because
we're talking about the present.


Thijs

Message #35 received at 645881@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: "Sylvestre Ledru" <sylvestre@debian.org>

Cc: 645881@bugs.debian.org, debian-release@lists.debian.org, debian-security@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Wed, 19 Oct 2011 14:09:57 +0200

On Wed, October 19, 2011 12:50, Sylvestre Ledru wrote:
> CC debian release & security
>
> Le mercredi 19 octobre 2011 à 12:21 +0200, Thijs Kinkhorst a écrit :
>> Upstream has released Java SE 6 update 29 yesterday:
>> http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
>> with security fixes.
>
> Well, that especially means that it is now time to consider the removal
> of sun-java6 from Debian.
>
> We, the distros, are no longer allowed by Oracle to redistribute this
> version [1] [2].
> The OpenJDK (6 or 7) is now the way to go.
>
> About stable, I don't know what the security team would recommend
> here ?!

Well, stable is supposed to be stable. I'm all for removal of sun-java6
from unstable and hence not including it in wheezy, but we've released
stable with the expectations for users that they can run it for its
lifetime without large disruptions. While software has been removed from
stable as a last resort, it really should be the last resort.

Have we been in contact with Oracle upstream and explained that we are
eager to comply with their wish to move entirely to openjdk for our next
release, but have the problem that we have a stable release out in the
field that people rely on? Are there possibilities to extend the offer for
the lifetime of stable, or at least until it becomes oldstable?


cheers,
Thijs

Message #40 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: Thijs Kinkhorst <thijs@debian.org>

Cc: Matthias Klose <doko@ubuntu.com>, Sylvestre Ledru <sylvestre@debian.org>, 645881@bugs.debian.org, debian-release@lists.debian.org, debian-security@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Wed, 19 Oct 2011 16:31:40 +0200

[Message part 1 (text/plain, inline)]

On mer., 2011-10-19 at 15:28 +0200, Thijs Kinkhorst wrote:
> What I'm wondering is if we tried to ask upstream whether they would be
> willing to extend the DLJ offer so we can keep security fixes for the
> sun-java6 version in stable coming in for the lifetime of this release,
> notwithstanding the fact that we're removing it from the next release.

Do we know the situation for other distribution (Red Hat, Ubuntu,
Suse, ...) which might ship sun-java6 in stable / long term support
releases?

Could this be discussed on the cross-distro list?

Regards,
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

Message #43 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Philipp Kern <pkern@debian.org>

To: Thijs Kinkhorst <thijs@debian.org>

Cc: Matthias Klose <doko@ubuntu.com>, Sylvestre Ledru <sylvestre@debian.org>, 645881@bugs.debian.org, debian-release@lists.debian.org, debian-security@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Wed, 19 Oct 2011 16:33:57 +0200

[Message part 1 (text/plain, inline)]

On Wed, Oct 19, 2011 at 03:28:02PM +0200, Thijs Kinkhorst wrote:
> What I'm wondering is if we tried to ask upstream whether they would be
> willing to extend the DLJ offer so we can keep security fixes for the
> sun-java6 version in stable coming in for the lifetime of this release,
> notwithstanding the fact that we're removing it from the next release.

They won't.

| I'm not familiar with the Debian Project's practices around security issues
| in non-free packages to be able to make a specific recommendation other than to
| recommend using the open source OpenJDK code base for Debian's packaging needs.
| 
| Like I said on my blog, there won't be further Oracle JDK 6 releases published
| under the DLJ license. Oracle's schedule for Critical Patch Updates (CPUs) is
| public, and available at
| http://www.oracle.com/technetwork/topics/security/alerts-086861.html

> > (in the past the security team
> > didn't care about this at all for the current oldstable).
> I don't know what this refers to, but it doesn't seem relevant because
> we're talking about the present.

Well, non-free used to be unsupported security-wise AFAIK.  doko is right
that the security team still didn't care in the present, though, as the
updates were through p-u and not the security archive.  That said I'm glad
that somebody stepped up and did the updates that were possible.

There might be one other option, but one I probably wouldn't be happy with
due to it probably being impossible to review: improve openjdk in stable enough
to replace sun-java6.

Apart from this it's either a DSA telling people that it contains known
flaws (if they're critical enough) and that there will be no further
security updates.  OTOH the updates didn't pass security anyway because
there's no non-free there.  Or it's the removal of the package.  Or
we simply don't care because it's freaking non-free and people are
supposed to use it in secure environments with a grain of salt.

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                         Stable Release Manager
`. `'   xmpp:phil@0x539.de                         Wanna-Build Admin
  `-    finger pkern/key@db.debian.org

[signature.asc (application/pgp-signature, inline)]

Message #48 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Torsten Werner <twerner@debian.org>

To: Philipp Kern <pkern@debian.org>, 645881@bugs.debian.org

Cc: Thijs Kinkhorst <thijs@debian.org>, Matthias Klose <doko@ubuntu.com>, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Wed, 19 Oct 2011 18:20:12 +0200

Hi Philipp,

Am 19.10.2011 16:33, schrieb Philipp Kern:
> Or it's the removal of the package.

we should remove sun-java5 from oldstable, too, if we are going to
remove sun-java6 from (old)stable. But I do not have a strong opinion on
that.

Cheers,
Torsten

Message #53 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Torsten Werner <twerner@debian.org>

Cc: Philipp Kern <pkern@debian.org>, 645881@bugs.debian.org, Thijs Kinkhorst <thijs@debian.org>, Matthias Klose <doko@ubuntu.com>, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Fri, 21 Oct 2011 08:41:38 +0200

On Wed, Oct 19, 2011 at 06:20:12PM +0200, Torsten Werner wrote:
> Hi Philipp,
> 
> Am 19.10.2011 16:33, schrieb Philipp Kern:
> > Or it's the removal of the package.
> 
> we should remove sun-java5 from oldstable, too, if we are going to
> remove sun-java6 from (old)stable. But I do not have a strong opinion on
> that.

In any case we should go ahead with the removal from unstable ASAP.

As for stable/oldstable: I noticed that Red Hat provided packages for
update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): 
http://lwn.net/Articles/463919/

Cheers,
        Moritz

Message #58 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: Moritz Muehlenhoff <jmm@debian.org>

Cc: Torsten Werner <twerner@debian.org>, Philipp Kern <pkern@debian.org>, 645881@bugs.debian.org, Thijs Kinkhorst <thijs@debian.org>, Matthias Klose <doko@ubuntu.com>, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Fri, 21 Oct 2011 11:07:30 +0200

* Moritz Muehlenhoff:

> As for stable/oldstable: I noticed that Red Hat provided packages for
> update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): 
> http://lwn.net/Articles/463919/

If anyone remembers the rationale behind the DLJ, perhaps they can
check if the current BCL matches our needs, too?  The licensing
conditions for the stock JDK distribution probably have changed since
the Oracle acquisition, and perhaps these changes are sufficient to
permit redistribution by Debian.

I have also uploaded the fixes for openjdk-6 to security-master (for
squeeze).  It's currently stuck in the unchecked queue, along with the
still-missing previous update for lenny.

Message #63 received at 645881@bugs.debian.org (full text, mbox, reply):

From: "Simon,Mathieu" <mathieu.simon@koeniz-lerbermatt.ch>

To: Sylvestre Ledru <sylvestre@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, "645881@bugs.debian.org" <645881@bugs.debian.org>

Cc: Torsten Werner <twerner@debian.org>, Philipp Kern <pkern@debian.org>, Thijs Kinkhorst <thijs@debian.org>, Matthias Klose <doko@ubuntu.com>, "debian-security@lists.debian.org" <debian-security@lists.debian.org>, "debian-release@lists.debian.org" <debian-release@lists.debian.org>

Subject: AW: Bug#645881: critical update 29 available

Date: Mon, 24 Oct 2011 19:56:09 +0200

Hi

Von: Sylvestre Ledru [sylvestre@debian.org]
Gesendet: Freitag, 21. Oktober 2011 11:34

>> As for stable/oldstable: I noticed that Red Hat provided packages for
>> update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK):
>> http://lwn.net/Articles/463919/
> Well, I wonder how (if ?) they can do that...

I'd expect RedHat has a agreement with Oracle that allows them to do so (including financial agreement) ;)

- Mathieu

Message #68 received at 645881-done@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 434144-done@bugs.debian.org,436092-done@bugs.debian.org,474595-done@bugs.debian.org,477211-done@bugs.debian.org,491414-done@bugs.debian.org,493873-done@bugs.debian.org,500762-done@bugs.debian.org,518558-done@bugs.debian.org,523368-done@bugs.debian.org,529339-done@bugs.debian.org,529928-done@bugs.debian.org,532360-done@bugs.debian.org,538341-done@bugs.debian.org,547315-done@bugs.debian.org,554017-done@bugs.debian.org,556978-done@bugs.debian.org,560044-done@bugs.debian.org,561693-done@bugs.debian.org,562668-done@bugs.debian.org,562923-done@bugs.debian.org,566690-done@bugs.debian.org,572100-done@bugs.debian.org,574146-done@bugs.debian.org,576568-done@bugs.debian.org,582146-done@bugs.debian.org,582246-done@bugs.debian.org,585389-done@bugs.debian.org,586761-done@bugs.debian.org,589255-done@bugs.debian.org,607168-done@bugs.debian.org,607744-done@bugs.debian.org,609632-done@bugs.debian.org,617402-done@bugs.debian.org,618725-done@bugs.debian.org,624184-done@bugs.debian.org,625236-done@bugs.debian.org,626041-done@bugs.debian.org,628869-done@bugs.debian.org,630580-done@bugs.debian.org,630747-done@bugs.debian.org,631943-done@bugs.debian.org,632288-done@bugs.debian.org,632289-done@bugs.debian.org,633982-done@bugs.debian.org,637981-done@bugs.debian.org,638545-done@bugs.debian.org,645881-done@bugs.debian.org,

Cc: sun-java6@packages.debian.org, sun-java6@packages.qa.debian.org

Subject: Bug#646524: Removed package(s) from unstable

Date: Tue, 25 Oct 2011 09:17:18 +0000

Version: 6.26-3+rm

Dear submitter,

as the package sun-java6 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/646524

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl (the ftpmaster behind the curtain)

Message #75 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Florian Weimer <fw@deneb.enyo.de>

Cc: Torsten Werner <twerner@debian.org>, Philipp Kern <pkern@debian.org>, 645881@bugs.debian.org, Thijs Kinkhorst <thijs@debian.org>, Matthias Klose <doko@ubuntu.com>, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Tue, 22 Nov 2011 21:24:28 +0100

On Fri, Oct 21, 2011 at 11:07:30AM +0200, Florian Weimer wrote:
> * Moritz Muehlenhoff:
> 
> > As for stable/oldstable: I noticed that Red Hat provided packages for
> > update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): 
> > http://lwn.net/Articles/463919/
> 
> If anyone remembers the rationale behind the DLJ, perhaps they can
> check if the current BCL matches our needs, too?  The licensing
> conditions for the stock JDK distribution probably have changed since
> the Oracle acquisition, and perhaps these changes are sufficient to
> permit redistribution by Debian.
> 
> I have also uploaded the fixes for openjdk-6 to security-master (for
> squeeze).  It's currently stuck in the unchecked queue, along with the
> still-missing previous update for lenny.

Florian, what's the status of openjdk6 for stable/oldstable?

Java maintainers, shall we proceed with removal from stable/oldstable for the next
point releases? sun-java6 will still be kept on existing installations,
but we avoid new installations with the insecure JVM.

Cheers,
        Moritz

Message #80 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: Moritz Mühlenhoff <jmm@inutil.org>

Cc: Torsten Werner <twerner@debian.org>, Philipp Kern <pkern@debian.org>, 645881@bugs.debian.org, Thijs Kinkhorst <thijs@debian.org>, Matthias Klose <doko@ubuntu.com>, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Thu, 01 Dec 2011 21:47:53 +0100

* Moritz Mühlenhoff:

> Florian, what's the status of openjdk6 for stable/oldstable?

I've released the pending update for squeeze.  lenny will eventually
follow, and so will the pending updates for squeeze, but judging by my
past performance, it will take a while.

If someone else wants to work on these updates, I'll gladly share what
I've learnt about the packaging.

Message #85 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: drazzib@debian.org, twerner@debian.org, doko@ubuntu.com

Cc: team@security.debian.org, 645881@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Thu, 8 Dec 2011 20:43:06 +0100

On Thu, Dec 01, 2011 at 09:47:53PM +0100, Florian Weimer wrote:
> * Moritz Mühlenhoff:
> 
> > Florian, what's the status of openjdk6 for stable/oldstable?
> 
> I've released the pending update for squeeze.  lenny will eventually
> follow, and so will the pending updates for squeeze, but judging by my
> past performance, it will take a while.
> 
> If someone else wants to work on these updates, I'll gladly share what
> I've learnt about the packaging.

OpenJDK maintainers, can you take care of preparing security updates
in the future? We need maintainer support, especially for such
intricate packages with frequent security issues.

Since openjdk-6 is fixed now, now would be a good time to remove
sun-java6 from stable in the next point update?

Cheers,
        Moritz

Message #88 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Philipp Kern <pkern@debian.org>

To: Moritz Mühlenhoff <jmm@inutil.org>

Cc: drazzib@debian.org, twerner@debian.org, doko@ubuntu.com, team@security.debian.org, 645881@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Sun, 11 Dec 2011 10:40:31 +0100

[Message part 1 (text/plain, inline)]

Hi Moritz, hi all,

On Thu, Dec 08, 2011 at 08:43:06PM +0100, Moritz Mühlenhoff wrote:
> Since openjdk-6 is fixed now, now would be a good time to remove
> sun-java6 from stable in the next point update?

sorry, but I'd rather like to have an announcement that it has a bug,
describing its impact to the users, which is not going to be fixed
than for it to tbe removed.  I know it's not your fault but it even
took ages to get openjdk-6 fixed, for something which you claim to be
a high profile bug, so I'm not sure it's really that critical.

non-free doesn't get security support and there are people relying on
it anyway because they have no choice in squeeze.  I'd be ok with a
debconf note upon install, for example.  But squeeze is supposed to be
frozen unless for packages, which are so broken that they don't work
anymore and where fixing them is either impossible because the patches
would be way to intrusive or because the (possibly former) maintainer
dropped the ball.

sun-java6 is sadly still a very high profile package.  I won't go and
break all those installations which force sun-java6 over openjdk-6
locally, either in unattended installations or through other means.

openjdk-6 might well be a viable replacement in wheezy, but there are no
efforts to backport those compatibility patches that might be in newer
versions.

Kind regards
Philipp Kern

[signature.asc (application/pgp-signature, inline)]

Message #93 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: debian-release@lists.debian.org

Cc: Philipp Kern <pkern@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, drazzib@debian.org, twerner@debian.org, doko@ubuntu.com, team@security.debian.org, 645881@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Sun, 11 Dec 2011 13:07:42 +0100

[Message part 1 (text/plain, inline)]

Hi,

On Sonntag, 11. Dezember 2011, Philipp Kern wrote:
> sorry, but I'd rather like to have an announcement that it has a bug,

me too, for all the reasons Philipp noted.

It's also trivial to download the fixed jdk from oracle and 
build a fixed package, so IMHO an announcement containing these information
plus no removal would be best:

diff -Nru sun-java6-6.26/debian/changelog sun-java6-6.29/debian/changelog
--- sun-java6-6.26/debian/changelog     2011-08-26 11:58:59.000000000 +0200
+++ sun-java6-6.29/debian/changelog     2011-11-23 18:49:33.000000000 +0100
@@ -1,3 +1,11 @@
+sun-java6 (6.29-1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * New upstream version to fix
+    http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html#AppendixJAVA 
+
+ -- Holger Levsen <holger@debian.org>  Wed, 23 Nov 2011 18:49:02 +0100
+
 sun-java6 (6.26-3) unstable; urgency=low
 
   * "ia32-sun-java6-bin has improperly equal alternatives priority on amd64"
diff -Nru sun-java6-6.26/debian/rules sun-java6-6.29/debian/rules
--- sun-java6-6.26/debian/rules 2011-08-26 11:58:59.000000000 +0200
+++ sun-java6-6.29/debian/rules 2011-11-23 20:04:38.000000000 +0100
@@ -43,7 +43,7 @@
 jdirname       := $(ia32_prefix)java-$(version)-$(VENDOR)-$(jdkversion).$(releng_ver)
 jdiralias      := $(ia32_prefix)java-$(version)-$(VENDOR)
 srcdir         := $(arch)-jdk
-bin_pattern    = jdk-$(version)u$(releng_ver)-dlj-linux-%.bin
+bin_pattern    = jdk-$(version)u$(releng_ver)-linux-%.bin
 all_archs      = $(filter $(subst =, , $(arch_map)), \
                           $(subst -, , $(patsubst %.bin, %, $(wildcard *.bin))))
 priority       := 63
@@ -316,8 +316,8 @@
          exit 1; \
        fi
 
-diff_ignore = -I 'Wednesday, May 4' \
-       -I 'Wed May 04' -I '^ *// java GenerateCharacter'
+diff_ignore = -I 'Monday, October 3' \
+       -I 'Mon Oct 03' -I '^ *// java GenerateCharacter'
 
 with_check = yes

$ debdiff sun-java6_6.26-3.dsc sun-java6_6.29-1.dsc|diffstat
 debian/changelog             |    8 
 debian/rules                 |    6 
 jdk-6u26-dlj-linux-amd64.bin |327520 ------------------------------------------
 jdk-6u26-dlj-linux-i586.bin  |327113 ------------------------------------------
 jdk-6u29-linux-amd64.bin     |327526 +++++++++++++++++++++++++++++++++++++++++++
 jdk-6u29-linux-i586.bin      |325585 ++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 653122 insertions(+), 654636 deletions(-)


cheers,
	Holger

[signature.asc (application/pgp-signature, inline)]

Message #98 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: Philipp Kern <pkern@debian.org>

Cc: Moritz Mühlenhoff <jmm@inutil.org>, drazzib@debian.org, twerner@debian.org, doko@ubuntu.com, team@security.debian.org, 645881@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Sun, 11 Dec 2011 14:21:55 +0100

* Philipp Kern:

> sun-java6 is sadly still a very high profile package.  I won't go and
> break all those installations which force sun-java6 over openjdk-6
> locally, either in unattended installations or through other means.

It's really unfortunate that most of those installations seem to need
sun-java6-plugin, which the package which is actually dangerous to
install.  (Presumably, only the first stage payload is pure Java, and
the dropped malware won't run, but it's a bit unsettling.)  At least
this package doesn't seem to be install without explicit request, so
it's not extremely bad.

> openjdk-6 might well be a viable replacement in wheezy, but there
> are no efforts to backport those compatibility patches that might be
> in newer versions.

We will have to switch to a different IcedTea version in squeeze
because the 1.8 branch we currently use will cease to receive security
fixes soonish, probably after the next round of updates.  If we switch
to branch where the plugin is separate (1.10 and later, IIRC), we
could start fixing compatibility issues more aggressively if we wanted
to.

> openjdk-6 might well be a viable replacement in wheezy, but there
> are no efforts to backport those compatibility patches that might be
> in newer versions.

I doubt it.  The incompatibilities do not vanish, unless there is a
critical mass of users who also contribute bug fixes.  We just don't
seem to be there yet.

(I also doubt that Oracle can drop security support for the Java 6
plugin in mid-2012, for mostly the same reason, at lesat if they don't
want to be entirely reckless.  They haven't even started pushing
Java 7 to end users yet.)

Message #103 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Matthias Klose <doko@ubuntu.com>

To: Holger Levsen <holger@layer-acht.org>

Cc: debian-release@lists.debian.org, Philipp Kern <pkern@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, drazzib@debian.org, twerner@debian.org, team@security.debian.org, 645881@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Sun, 11 Dec 2011 16:47:57 +0100

On 12/11/2011 01:07 PM, Holger Levsen wrote:
> Hi,
> 
> On Sonntag, 11. Dezember 2011, Philipp Kern wrote:
>> sorry, but I'd rather like to have an announcement that it has a bug,
> 
> me too, for all the reasons Philipp noted.
> 
> It's also trivial to download the fixed jdk from oracle and build a fixed
> package, so IMHO an announcement containing these information plus no
> removal would be best:

the DLJ bundles were created because you are not allowed to re-distribute the
jdk packages from oracle. Did that change recently?

Message #108 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: debian-release@lists.debian.org

Cc: Philipp Kern <pkern@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, drazzib@debian.org, twerner@debian.org, doko@ubuntu.com, team@security.debian.org, 645881@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Sun, 11 Dec 2011 17:02:56 +0100

[Message part 1 (text/plain, inline)]

Hi,

I forgot:

On Sonntag, 11. Dezember 2011, Holger Levsen wrote:
> $ debdiff sun-java6_6.26-3.dsc sun-java6_6.29-1.dsc|diffstat
>  debian/changelog             |    8
>  debian/rules                 |    6
>  jdk-6u26-dlj-linux-amd64.bin |327520
> ------------------------------------------ jdk-6u26-dlj-linux-i586.bin 
> |327113 ------------------------------------------
> jdk-6u29-linux-amd64.bin     |327526
> +++++++++++++++++++++++++++++++++++++++++++ jdk-6u29-linux-i586.bin     
> |325585 ++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 653122
> insertions(+), 654636 deletions(-)

$ sha1sum *bin
a73580ed8ac42040f1bbcab62617719a31c6f487  jdk-6u29-linux-i586.bin
45286e11864285c0d9d5cafd0355dbe04d272951  jdk-6u29-linux-amd64.bin

And I had to rename the second one...


cheers,
	Holger

[signature.asc (application/pgp-signature, inline)]

Message #113 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Matthias Klose <doko@ubuntu.com>

Cc: debian-release@lists.debian.org, Philipp Kern <pkern@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, drazzib@debian.org, twerner@debian.org, team@security.debian.org, 645881@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Sun, 11 Dec 2011 17:25:41 +0100

On Sonntag, 11. Dezember 2011, Matthias Klose wrote:
> the DLJ bundles were created because you are not allowed to re-distribute
> the jdk packages from oracle. Did that change recently?

I believe inside an organisation I can rebundle their bundles to my prefered 
kind of bundle, that is, form of distribution (inside the organisation), 
anything else would be riciculous, or?

All I suggest is to document how to enhance their "bundles" to proper Debian 
packages :-)

Message #118 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: Florian Weimer <fw@deneb.enyo.de>

Cc: Philipp Kern <pkern@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, drazzib@debian.org, twerner@debian.org, doko@ubuntu.com, team@security.debian.org, 645881@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Sun, 11 Dec 2011 11:34:26 -0800

Florian Weimer <fw@deneb.enyo.de> writes:
> * Philipp Kern:

>> sun-java6 is sadly still a very high profile package.  I won't go and
>> break all those installations which force sun-java6 over openjdk-6
>> locally, either in unattended installations or through other means.

> It's really unfortunate that most of those installations seem to need
> sun-java6-plugin, which the package which is actually dangerous to
> install.

I'm not sure that we actually know that.  popcon tends to overweight
desktop systems, since servers more often have security policies that
don't allow use of popcon for one reason or another.

I know we (Stanford) have a whole ton of server systems that are using
sun-java6 with Tomcat or similar application architectures.  We're working
on migrating them all to OpenJDK, of course, but we don't expect to finish
that until the wheezy release unless something that seriously affects
server use of the Sun JDK crops up.  (And we have some vendor apps that
unfortunately so far have refused to even consider or test OpenJDK.
Sigh.)

We know that OpenJDK doesn't work with some of our applications currently,
mostly for stupid reasons, like a web service that doesn't support any
remotely modern SSL implementation.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #123 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: Matthias Klose <doko@ubuntu.com>

Cc: Holger Levsen <holger@layer-acht.org>, debian-release@lists.debian.org, Philipp Kern <pkern@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, drazzib@debian.org, twerner@debian.org, team@security.debian.org, 645881@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Sun, 11 Dec 2011 21:01:51 +0100

* Matthias Klose:

> On 12/11/2011 01:07 PM, Holger Levsen wrote:
>> Hi,
>> 
>> On Sonntag, 11. Dezember 2011, Philipp Kern wrote:
>>> sorry, but I'd rather like to have an announcement that it has a bug,
>> 
>> me too, for all the reasons Philipp noted.
>> 
>> It's also trivial to download the fixed jdk from oracle and build a fixed
>> package, so IMHO an announcement containing these information plus no
>> removal would be best:
>
> the DLJ bundles were created because you are not allowed to re-distribute the
> jdk packages from oracle. Did that change recently?

The main difference seems to be this (DLJ first):

| [...] Sun also grants you a non-exclusive, non-transferable,
| royalty-free limited license to reproduce and distribute the
| Software [...]  provided that: (b) the Software is distributed with
| your Operating System, and such distribution is solely for the
| purposes of running Programs under the control of your Operating
| System and designing, developing and testing Programs to be run
| under the control of your Operating System; [...]

| [...] Oracle grants you a non-exclusive, non-transferable, limited
| license without fees to reproduce and distribute the Software,
| provided that (i) you distribute the Software complete and
| unmodified and only bundled as part of, and for the sole purpose of
| running, your Programs, [...]

Other problematic clauses (indemnification, no bundling with
reimplementatiosn of java.* classes and so on) are also part of the
DLJ.

(I still don't understand why the DLJ was suitable for non-free, so
I'm clearly not qualified to judge these license matters for Debian.)

Message #128 received at 645881@bugs.debian.org (full text, mbox, reply):

From: "Damien Raude-Morvan" <drazzib@debian.org>

To: Holger Levsen <holger@layer-acht.org>

Cc: Matthias Klose <doko@ubuntu.com>, debian-release@lists.debian.org, Philipp Kern <pkern@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, twerner@debian.org, team@security.debian.org, 645881@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Mon, 12 Dec 2011 23:41:05 +0100

[Message part 1 (text/plain, inline)]

Hi all,

Le dimanche 11 décembre 2011 17:25:41, Holger Levsen a écrit :
> On Sonntag, 11. Dezember 2011, Matthias Klose wrote:
> > the DLJ bundles were created because you are not allowed to re-distribute
> > the jdk packages from oracle. Did that change recently?
> 
> I believe inside an organisation I can rebundle their bundles to my
> prefered kind of bundle, that is, form of distribution (inside the
> organisation), anything else would be riciculous, or?
> 
> All I suggest is to document how to enhance their "bundles" to proper
> Debian packages :-)

You should have a look at old "make-jpkg" tool which used to be provided by 
java-package : http://packages.qa.debian.org/j/java-package.html
Purpose of this tool is to repackage "binaries" provided by Oracle and 
integrate them inside Debian : alternatives, FHS directories, plugin 
registration, etc...

Maybe we can provide some support to integrate non-free Oracle JDK with this 
tool (but someone has to do the work to support newer JDK in this tool).

Cheers,
-- 
Damien - Debian Developper
http://wiki.debian.org/DamienRaudeMorvan

[signature.asc (application/pgp-signature, inline)]

Message #133 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: debian-curiosa@lists.debian.org

Cc: 645881@bugs.debian.org

Subject: Re: Bug#645881: critical update 29 available

Date: Tue, 13 Dec 2011 00:30:03 +0100

On Montag, 12. Dezember 2011, Damien Raude-Morvan wrote:
> You should have a look at old "make-jpkg" tool[..]

No, thanks, I shall not. I already have a working solution.

> (but someone has to do the work to support newer JDK in this
> tool).

Message #138 received at 645881@bugs.debian.org (full text, mbox, reply):

From: Andrei <asura@gleim.com>

To: 645881@bugs.debian.org

Subject: RMI and java 6b18-1.8.10-0~lenny1

Date: Tue, 13 Dec 2011 19:32:46 -0500

[Message part 1 (text/plain, inline)]

Hello,
This email is related to 
http://security-tracker.debian.org/tracker/CVE-2011-3556


Basically, one of our RMI applications is failing to start after the 
security update to java 6b18-1.8.10-0~lenny1*

*I have tried to run the test case specified as part of

http://hg.openjdk.java.net/jdk7u/jdk7u-gate/jdk/rev/7ed2fd310470
http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/d27f0b2f1476

and it fails with an exception trace similar to:

Exceptions

2011-12-13 17:28:18,346 [main] ERROR com.gleim.gacs.Gacs - java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
   java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
   java.lang.ClassNotFoundException: access to class loader denied
java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
   java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
   java.lang.ClassNotFoundException: access to class loader denied
   at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:419)
   at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:267)
   at sun.rmi.transport.Transport$1.run(Transport.java:177)
   at java.security.AccessController.doPrivileged(Native Method)
   at sun.rmi.transport.Transport.serviceCall(Transport.java:173)
   at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:553)
   at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:808)
   at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:667)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
   at java.lang.Thread.run(Thread.java:636)
   at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:273)
   at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:251)
   at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:377)
   at sun.rmi.registry.RegistryImpl_Stub.rebind(Unknown Source)
   at java.rmi.Naming.rebind(Naming.java:177)
   at com.gleim.gacs.Gacs.startup(Gacs.java:49)
   at com.gleim.gacs.Gacs.main(Gacs.java:103)
Caused by: java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
   java.lang.ClassNotFoundException: access to class loader denied
   at sun.rmi.registry.RegistryImpl_Skel.dispatch(Unknown Source)
   at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:409)

Caused by: java.lang.ClassNotFoundException: access to class loader denied
   at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:445)
   at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:182)
   at java.rmi.server.RMIClassLoader$2.loadClass(RMIClassLoader.java:637)
   at java.rmi.server.RMIClassLoader.loadClass(RMIClassLoader.java:264)
   at sun.rmi.server.MarshalInputStream.resolveClass(MarshalInputStream.java:214)
   at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1592)
   at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1513)
   at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1749)
   at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1346)
   at java.io.ObjectInputStream.readObject(ObjectInputStream.java:368)
   ... 12 more
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission ////usr/local/gcss2/gacs/- read)
   at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
   at java.security.AccessController.checkPermission(AccessController.java:553)
   at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
   at sun.rmi.server.LoaderHandler$Loader.checkPermissions(LoaderHandler.java:1173)
   at sun.rmi.server.LoaderHandler$Loader.access$000(LoaderHandler.java:1127)
   at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:409)



The code and the test case both work fine with the the previous security 
java version "1.6.0_18"

OpenJDK Runtime Environment (IcedTea6 1.8.7) *(6b18-1.8.7-2*~lenny1)


Is there a way for somebody to re-review
http://hg.openjdk.java.net/jdk7u/jdk7u-gate/jdk/rev/7ed2fd310470 ?

Have a great day.

-- 

Andrei Sura
Software Developer
IT Department

Gleim Publications, Inc.
4201 NW 95th Blvd
Gainesville, FL. 32606
http://www.gleim.com

[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.