Recent Java vulnerabilities

Posted Feb 14, 2013 15:44 UTC (Thu) by jake (editor, #205)
In reply to: Recent Java vulnerabilities by gnu_andrew
Parent article: Recent Java vulnerabilities

> "bug fixes do not automatically propagate from one to the other
> (in either direction), since they are developed independently"

Is it possible that "they" is not completely clear here? When editing, I thought it meant the two projects (Java SE and OpenJDK) were developed independently. But you seem to be reading it that the *bug fixes* were developed independently. Is that right? Certainly, we could clarify "they" here ...

> I even
> explicitly stated in an e-mail response to you that the same patches
> were applied to the Oracle JDK and OpenJDK, albeit a week apart.

The next sentence:

That said, one week after Oracle released its fixes to Java, OpenJDK 7 was updated to reflect all of the fixes.

seems to say that. Is that not making sense or incorrect somehow?



Posted Feb 18, 2013 17:35 UTC (Mon) by gnu_andrew (subscriber, #49515)

I think I was reading it as the specific bug fixes, but either way, it's false. To the best of my knowledge (obviously limited by Oracle's JDK being proprietary), Oracle's JDK is a downstream of OpenJDK, just as IcedTea is (the variant the distros package). The same bug fixes were used by Oracle, passed on to Red Hat for inclusion in their RPMs and posted to OpenJDK as far as I'm aware (notwithstanding any mistakes made in the process).

You can actually see how Oracle use OpenJDK by looking at the codebase. The makefiles refer to directory paths including the word 'closed' which are used by Oracle on non-OpenJDK builds to include their proprietary add-ons.

The second sentence seems to contradict the one before, at least in my reading, but you're right that what I said is mentioned; my apologies.

I think the main general takeaway point is not about process or even Java, but that users should avoid having browser plugins enabled that they don't need (and browsers should allow their use to be whitelisted to specific sites). This would reduce the risk of the issues described.

