Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#57339 - [java9-openjdk] CVE galore
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Friday, 02 February 2018, 19:11 GMT
Last edited by Guillaume ALAUX (galaux) - Saturday, 03 February 2018, 14:35 GMT
Details
java9-openjdk 9.u181-4 was packaged on 2017-10-07 and has been flagged as outdated on 2017-10-18, but hasn't received any updates ever since. After 9u181, upstream released version 9.0.1 in mid-October 2017, and version 9.0.4 in mid-January 2018.

Upstream version 9.0.1 fixed 17 CVEs, version 9.0.4 fixed another 19 CVEs (if I counted correctly).

List of CVEs fixed in version 9.0.1: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixJAVA
List of CVEs fixed in version 9.0.4: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixJAVA

It seems this would be a (chronological?) list of upstream's (release?) versions: http://hg.openjdk.java.net/jdk-updates/jdk9u/jdk/file/de23f9d1ee78/.hgtags#l428

Note that in the above text, version "9.0.1" actually means "9.0.1+11", and "9.0.4" actually means "9.0.4+11". To verify/match those version strings, you may want to have a look at this outstanding documentation from upstream:
http://www.oracle.com/technetwork/java/javase/9-0-1-relnotes-3883752.html
http://www.oracle.com/technetwork/java/javase/9-0-4-relnotes-4021191.html

To be honest, given upstream's incompetence to come up even just with an understandable version numbering scheme, let alone the sheer CVE factory this crapware constitutes, I find it hard not to ask you to drop this shit and move it to AUR.

Regards
Pascal
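The check the report is really asking for, written out as an added example (this is not code from the bug report, from the reporter, or from the Arch package): normalise the Arch pkgver and an upstream OpenJDK 9 tag to the same MAJOR.MINOR.SECURITY+BUILD tuple, decide whether the installed package is at or above the build that carried a CVE fix, and pick the newest tag out of an .hgtags-style list regardless of file order. The encoding rules are assumptions, not something the page states: an Arch pkgver "9.0.4.u11-1" is taken to mean upstream build 9.0.4+11, "9.u181-4" to mean the JDK 9 GA build 9+181 (treated as 9.0.0+181), and upstream tags are taken to look like "jdk-9.0.4+11". The .hgtags lines in the script are a constructed sample with fake changeset ids.

```sh
#!/bin/sh
# Added example, not code from the bug report or from the Arch package.
# Assumptions (not stated on the page): an Arch pkgver of the form
# "9.0.4.u11-1" encodes upstream build 9.0.4+11, "9.u181-4" encodes the
# JDK 9 GA build 9+181 (treated as 9.0.0+181), and upstream tags look like
# "jdk-9.0.4+11" as in the .hgtags file the report links to.

# normalize_version VERSION
#   Print "MAJOR MINOR SECURITY BUILD" for an Arch pkgver or an upstream tag.
normalize_version() {
    local v core build
    v=$1
    v=${v#jdk-}      # strip the .hgtags "jdk-" prefix, if any
    v=${v%%-*}       # drop the Arch pkgrel suffix ("-4", "-1")
    case "$v" in
        *+*)  core=${v%%+*}; build=${v##*+} ;;    # upstream: 9.0.4+11
        *.u*) core=${v%%.u*}; build=${v##*.u} ;;  # Arch:     9.0.4.u11, 9.u181
        *)    core=$v; build=0 ;;                 # bare "9"
    esac
    # Split the dotted core (word splitting intended); missing components
    # count as 0, so "9" compares as 9.0.0.
    set -- $(printf '%s\n' "$core" | tr '.' ' ')
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "${build:-0}"
}

# version_ge A B
#   Succeed when A >= B, comparing the four numeric components in order.
version_ge() {
    { normalize_version "$1"; normalize_version "$2"; } | awk '
        NR == 1 { for (i = 1; i <= 4; i++) a[i] = $i + 0 }
        NR == 2 { for (i = 1; i <= 4; i++) b[i] = $i + 0 }
        END {
            for (i = 1; i <= 4; i++) {
                if (a[i] > b[i]) exit 0
                if (a[i] < b[i]) exit 1
            }
            exit 0
        }'
}

# cve_fix_status INSTALLED FIXED_IN
#   Print a verdict; succeed only when the installed build carries the fix.
cve_fix_status() {
    if version_ge "$1" "$2"; then
        printf 'installed %-12s >= fixed-in %-10s : patched\n' "$1" "$2"
    else
        printf 'installed %-12s <  fixed-in %-10s : VULNERABLE\n' "$1" "$2"
        return 1
    fi
}

# latest_tag
#   Read .hgtags-style lines ("<changeset> <tag>") on stdin and print the
#   highest jdk-9 tag, so the file does not have to be in chronological order.
latest_tag() {
    local cs tag best
    best=''
    while read -r cs tag; do
        case "$tag" in jdk-9*) ;; *) continue ;; esac
        if [ -z "$best" ] || version_ge "$tag" "$best"; then
            best=$tag
        fi
    done
    printf '%s\n' "$best"
}

# Constructed sample in .hgtags format (fake changeset ids, not the real file).
SAMPLE_HGTAGS='0000000000000000000000000000000000000001 jdk-9+181
0000000000000000000000000000000000000002 jdk-9.0.1+11
0000000000000000000000000000000000000003 jdk-9.0.4+11
0000000000000000000000000000000000000004 jdk-9.0.4+10'

# Stand-alone demo with the versions named in the report.
for fixed in 9.0.1+11 9.0.4+11; do
    cve_fix_status 9.u181-4    "$fixed" || :
    cve_fix_status 9.0.4.u11-1 "$fixed" || :
done
printf 'newest upstream tag in the sample .hgtags: %s\n' \
    "$(printf '%s\n' "$SAMPLE_HGTAGS" | latest_tag)"
```

On a real Arch system the installed pkgver can be fed in with `pacman -Q java9-openjdk | awk '{print $2}'` instead of the literal "9.u181-4", and the real .hgtags file from the link in the report can be piped into latest_tag. The comparison deliberately ignores the Arch pkgrel, since a rebuild of the same upstream build does not change which CVEs are fixed.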
Closed by Guillaume ALAUX (galaux)
Saturday, 03 February 2018, 14:35 GMT
Reason for closing: Implemented
Additional comments about closing: Packages version 9.0.4.u11-1 pushed.
Comment by Guillaume ALAUX (galaux) -
Friday, 02 February 2018, 20:36 GMT
Thanks, I am updating the packages right now. Could be done by tomorrow as I will have to check many paths/links.
Comment by Pascal Ernster (hardfalcon) -
Friday, 02 February 2018, 22:11 GMT
Thanks for the swift reaction, and thanks for the work you're putting into this. :-)
Comment by Guillaume ALAUX (galaux) -
Saturday, 03 February 2018, 14:34 GMT
Thanks for your heads-up! I should have done that ages ago!