FS#57339 - [java9-openjdk] CVE galore
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Friday, 02 February 2018, 19:11 GMT
Last edited by Guillaume ALAUX (galaux) - Saturday, 03 February 2018, 14:35 GMT
Details
java9-openjdk 9.u181-4 was packaged on 2017-10-07 and has been flagged as outdated on 2017-10-18, but hasn't received any updates ever since. After 9u181, upstream released version 9.0.1 in mid-October 2017, and version 9.0.4 in mid-January 2018.

Upstream version 9.0.1 fixed 17 CVEs, version 9.0.4 fixed another 19 CVEs (if I counted correctly).

List of CVEs fixed in version 9.0.1: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixJAVA
List of CVEs fixed in version 9.0.4: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixJAVA

It seems this would be a (chronological?) list of upstream's (release?) versions: http://hg.openjdk.java.net/jdk-updates/jdk9u/jdk/file/de23f9d1ee78/.hgtags#l428

Note that in the above text, version "9.0.1" actually means "9.0.1+11", and "9.0.4" actually means "9.0.4+11". To verify/match those version strings, you may want to have a look at this outstanding documentation from upstream:
http://www.oracle.com/technetwork/java/javase/9-0-1-relnotes-3883752.html
http://www.oracle.com/technetwork/java/javase/9-0-4-relnotes-4021191.html

To be honest, given upstream's incompetence to come up even just with an understandable version numbering scheme, let alone the sheer CVE factory this crapware constitutes, I find it hard not to ask you to drop this shit and move it to AUR.

Regards,
Pascal
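As an added example (not part of the bug report or of the Arch package), a small Python check that normalises the three version spellings appearing in the report (upstream JEP 223 "9.0.4+11", the Arch pkgver "9.0.4.u11-1" and the older "9u181") and tallies the CVE counts the report quotes for each missed release. Reading the "u181" of the old spelling as the build number of JDK 9 GA is an assumption of this example, not something the report states.

```python
import re

# Values taken from the bug report: the outdated Arch package, the two
# upstream releases it missed with the CVE counts quoted for each, and the
# package version the maintainer eventually pushed.
ARCH_OUTDATED = "9.u181-4"
ARCH_FIXED = "9.0.4.u11-1"
CVES_FIXED = {"9.0.1+11": 17, "9.0.4+11": 19}

# The three spellings that appear in the report, tried in this order.
_PATTERNS = [
    re.compile(r"(?P<vnum>\d+(?:\.\d+)*)\+(?P<build>\d+)"),   # JEP 223: 9.0.4+11
    re.compile(r"(?P<vnum>\d+(?:\.\d+)*)\.u(?P<build>\d+)"),  # Arch pkgver: 9.0.4.u11, 9.u181
    re.compile(r"(?P<vnum>\d+)u(?P<build>\d+)"),              # old upstream: 9u181
]


def parse_version(v):
    """Normalise any of the three spellings to ((major, minor, security), build).

    A pkgrel suffix ("-4") is dropped first. JEP 223 omits trailing zero
    elements, so "9" is padded to (9, 0, 0). The "u181" of the old spelling
    is taken to be the build number of 9 GA (assumption, see lead-in).
    """
    ver = v.split("-", 1)[0]
    for pat in _PATTERNS:
        m = pat.fullmatch(ver)
        if m:
            vnum = [int(x) for x in m.group("vnum").split(".")]
            vnum += [0] * (3 - len(vnum))
            return tuple(vnum[:3]), int(m.group("build"))
    raise ValueError(f"unrecognised version string: {v!r}")


def releases_behind(pkgver, upstream):
    """Upstream releases strictly newer than the packaged version."""
    cur = parse_version(pkgver)
    return [r for r in upstream if parse_version(r) > cur]


def unpatched_cve_count(pkgver, cves_fixed=CVES_FIXED):
    """Sum the CVE counts of every release the package has not caught up to."""
    return sum(cves_fixed[r] for r in releases_behind(pkgver, cves_fixed))


if __name__ == "__main__":
    for pkg in (ARCH_OUTDATED, ARCH_FIXED):
        behind = releases_behind(pkg, CVES_FIXED)
        print(f"{pkg}: behind {behind}, unpatched CVEs: {unpatched_cve_count(pkg)}")
```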
Closed by Guillaume ALAUX (galaux)
Saturday, 03 February 2018, 14:35 GMT
Reason for closing: Implemented
Additional comments about closing: Packages version 9.0.4.u11-1 pushed.
Comment by Guillaume ALAUX (galaux) - Friday, 02 February 2018, 20:36 GMT
Thanks, I am updating the packages right now. Could be done by tomorrow as I will have to check many paths/links.

Comment by Pascal Ernster (hardfalcon) - Friday, 02 February 2018, 22:11 GMT
Thanks for the swift reaction, and thanks for the work you're putting into this. :-)

Comment by Guillaume ALAUX (galaux) - Saturday, 03 February 2018, 14:34 GMT
Thanks for your heads-up! I should have done that ages ago!