FS#57339 - [java9-openjdk] CVE galore

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Friday, 02 February 2018, 19:11 GMT
Last edited by Guillaume ALAUX (galaux) - Saturday, 03 February 2018, 14:35 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Guillaume ALAUX (galaux), Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

java9-openjdk 9.u181-4 was packaged on 2017-10-07 and has been flagged as outdated on 2017-10-18, but hasn't received any updates ever since. After 9u181, upstream released version 9.0.1 in mid-October 2017, and version 9.0.4 in mid-January 2018.

Upstream version 9.0.1 fixed 17 CVEs, version 9.0.4 fixed another 19 CVEs (if I counted correctly).

List of CVEs fixed in version 9.0.1:
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixJAVA

List of CVEs fixed in version 9.0.4:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixJAVA


It seems this would be a (chronological?) list of upstream's (release?) versions:
http://hg.openjdk.java.net/jdk-updates/jdk9u/jdk/file/de23f9d1ee78/.hgtags#l428

Note that in the above text, version "9.0.1" actually means "9.0.1+11", and "9.0.4" actually means "9.0.4+11".

To verify/match those version strings, you may want to have a look at this outstanding documentation from upstream:

http://www.oracle.com/technetwork/java/javase/9-0-1-relnotes-3883752.html

http://www.oracle.com/technetwork/java/javase/9-0-4-relnotes-4021191.html


To be honest, given upstream's incompetence to come up even just with an understandable version numbering scheme, let alone the sheer CVE factory this crapware constitutes, I find it hard not to ask you to drop this shit and move it to AUR.


Regards
Pascal
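The version mapping the report spells out by hand (upstream "9.0.4" is really "9.0.4+11", while the Arch package was at "9.u181-4") is the kind of check a maintainer or vulnerability scanner wants automated. The following is an added example, not code from the bug report or from the Arch packaging; it parses upstream JEP 223 style strings ($MAJOR.$MINOR.$SECURITY+$BUILD) and the two Arch pkgver forms seen on this page, then lists which fixed releases the packaged version still lacks. The mapping of "9.u181" to upstream build 9+181 and the `.u<BUILD>` convention are assumptions made for this example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class JavaVersion(NamedTuple):
    major: int
    minor: int
    security: int
    build: Optional[int]

    @property
    def release(self) -> Tuple[int, int, int]:
        # The part that decides whether a CPU (Critical Patch Update) is included.
        return (self.major, self.minor, self.security)


# JEP 223 version-number form used by OpenJDK 9: $MAJOR[.$MINOR[.$SECURITY]][+$BUILD]
_JEP223 = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\+(\d+))?$")


def parse_java_version(s: str) -> JavaVersion:
    """Parse an upstream string such as '9.0.1+11' or '9' (missing fields default to 0)."""
    m = _JEP223.match(s.strip())
    if not m:
        raise ValueError(f"not a JEP 223 version string: {s!r}")
    major, minor, security, build = m.groups()
    return JavaVersion(int(major), int(minor or 0), int(security or 0),
                       int(build) if build is not None else None)


# Arch pkgver forms that appear in this report. Assumed mapping (not documented on the page):
#   "9.u181-4"    -> 9+181    (GA build 181; ".u" carries the upstream build number)
#   "9.0.4.u11-1" -> 9.0.4+11
_ARCH = re.compile(r"^(\d+(?:\.\d+)*)\.u(\d+)-(\d+)$")


def parse_arch_pkgver(s: str) -> Tuple[JavaVersion, int]:
    """Return (JavaVersion, pkgrel) for an Arch java9-openjdk pkgver-pkgrel string."""
    m = _ARCH.match(s.strip())
    if not m:
        raise ValueError(f"not a recognised Arch pkgver: {s!r}")
    release, build, pkgrel = m.groups()
    parts = [int(p) for p in release.split(".")]
    parts += [0] * (3 - len(parts))          # pad "9" to (9, 0, 0)
    return JavaVersion(parts[0], parts[1], parts[2], int(build)), int(pkgrel)


def is_fixed(installed: JavaVersion, fixed_in: JavaVersion) -> bool:
    """True when the installed build already contains the release that fixed the issue.

    The release triple is compared first; only when it is equal does the build number
    matter (an unknown build is treated as 0, i.e. assumed not to contain the fix).
    """
    if installed.release != fixed_in.release:
        return installed.release > fixed_in.release
    return (installed.build or 0) >= (fixed_in.build or 0)


def unfixed_releases(pkgver: str, fixed_releases: List[str]) -> List[str]:
    """Return the upstream releases whose fixes are missing from the packaged version."""
    installed, _pkgrel = parse_arch_pkgver(pkgver)
    return [r for r in fixed_releases
            if not is_fixed(installed, parse_java_version(r))]


if __name__ == "__main__":
    # Release strings from the report's own text; the CVE lists live in the linked CPU advisories.
    cpu_releases = ["9.0.1+11", "9.0.4+11"]
    for pkgver in ("9.u181-4", "9.0.4.u11-1"):
        missing = unfixed_releases(pkgver, cpu_releases)
        print(f"{pkgver}: missing fixes from {missing or 'nothing'}")
```

Running it reports that "9.u181-4" lacks both the October 2017 and January 2018 CPU fixes, while "9.0.4.u11-1" lacks none, which is exactly the before/after state of this task.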
This task depends upon

Closed by Guillaume ALAUX (galaux)
Saturday, 03 February 2018, 14:35 GMT
Reason for closing: Implemented
Additional comments about closing: Packages version 9.0.4.u11-1 pushed.
Comment by Guillaume ALAUX (galaux) - Friday, 02 February 2018, 20:36 GMT
Thanks, I am updating the packages right now. Could be done by tomorrow as I will have to check many paths/links.
Comment by Pascal Ernster (hardfalcon) - Friday, 02 February 2018, 22:11 GMT
Thanks for the swift reaction, and thanks for the work you're putting into this. :-)
Comment by Guillaume ALAUX (galaux) - Saturday, 03 February 2018, 14:34 GMT
Thanks for your heads up! I should have done that ages ago!
