Oracle (Sun) Java JRE/JDK 6: Update 26 has critical security vulnerabilities, fixed in Update 29

Since Oracle has discontinued the Developer license of Java, we are no longer permitted to distribute newer versions. We will probably be removing sun-java6 from the partner archive.

http://jdk-distros.java.net/

Status changed to 'Confirmed' because the bug affects multiple users.

"Fix released" is inaccurate, imho. A fix can only be one of these two things:

1. A release of 6u29 in a new way that is still allowed by the license, e.g. an installation script that pulls 6u29 directly from the Oracle website (like is being done with Adobe Flash Player);

2. An immediate and complete removal of sun-java6 from the Partner repo, *plus* a warning to all current users to remove 6u26 instantly from their systems (popup dialog from Update Manager?).

Just actived the sources Partner-Repros in Natty and I still get Sun-Java 6.26-1natty1 listed within Synaptic

So, if I'm not completely wrong it is still instable, even though I do know, that Canonical only guarantees security-updates for packages that lie within "main" It should not be possible to install known harmful software.

A nice Graphic regarding the thread hass been issued by ZDNet on Oct.20th11

http://www.zdnet.com/blog/security/java-update-plugs-20-critical-security-holes/9670

Debain has removed the packages from 'stable' on immediate action.

Pls help making Ubuntu better

Ubuntu status is still confirmed. Any news on this security issue yet? Why does Sun Java not get removed from the partner repositories?

To me it would be sad to see Ubuntu 10.04 - 11.04 appear in Secunia's statistics, for taking no action.

Oracle Java SE Multiple Vulnerabilities:
http://secunia.com/advisories/46512/ status: highly critical, last updated 27.10.2011

Impact:

Hijacking
Spoofing
Manipulation of data
Exposure of sensitive information
DoS
System access

It's still installable:

http://archive.canonical.com/pool/partner/s/sun-java6/?C=M;O=D

We are trying to get permission to distribute a newer version. Once we get an official answer, we'll either update it, or remove it from the archive. Thank you for your patience.

Time has been passing by...

How does Oracle handle this?

http://www.oracle.com/technetwork/java/archive-139210.html

Quote start:
WARNING: These older versions of the JRE and JDK are provided to help developers debug issues in older systems. They are not updated with the latest security patches and are not recommended for use in production.

Quto end+++

Could be easy to add this, within Package-Management-Tools. It's just not fair to users of Ubuntu allowing to install packages with known sec-issues w/o according information.

QM should give a way how to deal with this. fyi Can u guess how many installations are made per day to expose private computers to run into this threat? 30/300/3000 ? Each day.

Probably it's less work to change a few Wiki-Pages that still recommend to install Java-sun-6-JRE on just a few wiki-pages (US -UK - Southamerikas - Asia- +++) and revert them back lateron than putting these files in a dead branch.

Some volunteers could do this in a few hours. A PARTNER is a Partner, with friends it's different.

Even though I might be a nuisance.

Software known for containing highly critical issues should be treated likewise as malicious.

 A PARTNER is a Partner, with friends it's different.

To explain this: Friends hopefully sort out problems. Partners kick ass sometimes, for their own good.

I do not wish to loose faith into Ubuntu itself. Reason enough 4 me to complain here.

Withdrawing from Launchpad.

Status: fix released?

Tks for impementation!

xcuses: should readout -> Tks 4 implementation // Merci bien!

Looks like we have the 1st person here complaining+asking 4 help: (sun)-java-browser-plugin stopped workin' after update in Lucid (Java-6-26-2), somewhat like 20111218-00:48

The security issues have most definitely *not* been fixed!

6.26-2 is a minor fix, and only repairs a bug in the alternatives system for amd64. It's still 6u26, and it's still insecure. It escapes me, why they took the trouble to release this minor fix, which does nothing about the security issues....

Anyway, a rescue attempt is under way. A programmer in the Dutch Ubuntu community has been working on a script that pulls the most recent Oracle Java (6u30, since this week) from the Oracle website, and installs it. Like the script for Adobe Flash Player. This is still allowed by the Oracle license.

I expect that this programmer will release his script soon; I've tested the prototype, and it works well. His intention is, to present it to both Ubuntu and Linux Mint (and maybe also to other distro's).

The 6.26-2 release disables the browser plugin as a first step before removing the packages completely from the archive. See:

https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-December/001528.html

and

https://wiki.ubuntu.com/LucidLynx/ReleaseNotes/Java6Transition

@Marc Deslauriers: apparently I misunderstood the meaning of the 6.26-2 update.... My compliments for your actions. :-)

As to the script that I mentioned in my previous post: when it becomes available, will you want to consider putting it in some repo? For example in Universe? Many people will still want Oracle Java......

We can at the very least link to the script from one of the java wiki pages. Let me know when it's ready.

As far as I'm concerned it's ready.

http://www.duinsoft.nl/packages.php

Great! Thank you, Frank de Bruijn! You've provided a fine example of the power of the community. :-)

The English web page for Frank de Bruijn's script is this:
http://www.duinsoft.nl/packages.php?t=en

@Marc Deslauriers: how about adding it to Universe?

Universe shouldn't be for packages supported by Canonical? I believe that Multiverse should be a better choice.

Lucid has reached end of support and sun-java-6 has been pulled from the partner archive. Marking the sun-java-6 task as Won't Fix.