java debian packages out of date please fix ASAP!

tony mancill tmancill at debian.org
Mon Feb 21 20:01:53 UTC 2011


Err... 6.24-1 has been available in the archive since February 16th [1].
(Personally, I applaud Sylvestre for the quick turn-around.)  It takes slightly
longer for the updated package to make it into stable, as Debian is a 100%
volunteer organization and the security releases for stable must be coordinated
amongst several teams.

However, there is nothing preventing you from either installing the packages
from testing on your stable system (I don't see anything in the Depends that
should cause an issue on squeeze).  Or, you can easily pull the sources from
either testing or unstable and build a binary package for your desired target
platform.  (I just did a build in a squeeze chroot and it took about 10 minutes,
including downloading the sources.)  Alternatively, if you'd like *unofficial*
packages built inside a squeeze chroot, you can fetch the i386 versions of the
packages from here [2].  Email me privately if you want to go this route and
need amd64.

You can always review the current status of the sun-java6 packages across all of
the Debian releases here [3].

tony

[1] http://packages.qa.debian.org/s/sun-java6/news/20110216T113253Z.html
[2] http://people.debian.org/~tmancill/
[3] http://packages.qa.debian.org/s/sun-java6.html


On 02/21/2011 11:06 AM, UNDERNET AI wrote:
> Greetings,
> 
> 
> Both JRE and JDK packages are out of date; the latest version is 1.6 update 24
> and your package is currently only on update 22. The latest version
> fixes eight very serious security bugs that do not require
> authentication in order to be exploited. Update 23, which was released
> even earlier, before update 24, fixes a dangerous remote denial of service
> flaw that causes a JVM to go into an infinite loop just by sending a
> certain floating point number to the server. It's been 4 days since the
> latest critical update was released, yet it still has not been updated.
> Considering that these exploits are very serious, I would have expected
> these packages to be updated within 48 hours, but this has not happened.
> 
> 
> This is NOT acceptable considering that almost all Debian and Ubuntu
> users rely on these packages to keep the official Oracle Java JRE and JDK
> up to date via auto update.
> 
> 
> Please update these packages ASAP and keep a closer watch on Oracle
> updates in future to make sure the vulnerable phase, when users do not
> have the latest version, is minimized.
> 
