Re: [Mageia-discuss] Current java plugin with security hole?

Sat, 31 Mar 2012 18:00:05 -0700 

On 03/29/2012 03:51 AM, Wolfgang Bornath wrote:

2012/3/29 Luc Menut<[email protected]>:

Le 29/03/2012 09:30, Oliver Burger a écrit :


Am 29.03.2012 09:22, schrieb Wolfgang Bornath:


The page gives a link to a test routine at java.com where you can test
which version is installed on your machine. For my Mageia 1
installation with firefox the test shows "Your Java version: Version
6 Update 26" - which matches the installed package
(java-1.6.0-sun-plugin-1.6.0.26-0.2.mga1.nonfree).

Recommended is "version 6 update 31". But this is not available yet at
Mageia.

- will there be a security related update for Mageia 1?
- if not, should we use the recommended newer version from java.com
(rpm packages available for 32 and 64 bit)


Afaik oracle has withdrawn the redistribution license for all newer java
versions.
But I'm not sure if only java>= 1.7 is concerned or java>  1.6.0.26.



java-1.6.0-sun>  1.6.0.26 is concerned too.
http://jdk-distros.java.net/
http://robilad.livejournal.com/90792.html
https://bugs.mageia.org/show_bug.cgi?id=3101


Ah, missed the bug report on this - but this only shows that the
average "non-mailing-list-reader" may not know about the issue at all.

Step 1: action ASAP as suggested in the bug report comment #13
("update" the version in mga1 repos with a README.urpmi)
Step 2: after this is done give out a related warning (mailing list, forum).

As Dave Hodgins wrote in Bugzilla: "It may be bad for beginner users,
but it's worse to leave them
with insecure software that is being actively exploited."
FWIW, I had one site I use frequently (a weather radar loop) that used to complain (I'm thinking this was about three years ago) if I didn't use Oracle(Sun) Java, so I had Oracle's JRE 1.7.2 installed. It worked fine, but because of the license problem and the bigger bother to install it I tried the iced tea-web package again. It too now works just fine with that fussy page.
In fact, I like it better. JRE would wait until the entire loop was downloaded before displaying anything, but the iced tea plugin displays frames as they are downloaded. That's important for my impatient brother, as if there's too much delay before something displays, he starts thinking something's gone wrong. 

TJ

Reply via email to