New Java Update?

Home » CentOS » New Java Update?
CentOS 34 Comments

I see there’s a release today or so from Oracle of a new zero-day vulnerability. Any idea how soon we’ll have an update?


34 thoughts on - New Java Update?

  • Johnny Hughes wrote:

    Figured that – just wondered if y’all had heard anything.

    For that matter, I tried following the CSV, and can’t find more info on the NIST site – trying to figure out if it *only* affects Oracle’s java, or openjdk also.


  • Johnny Hughes wrote:

    I’d found that in googling, but it only mentioned Oracle. Thanks, Johnny, now I can report that to my manager.


  • Note: That means (1) We’re on it :D , and (2) When this is released for CentOS-6.x it will initially be in 6.3/CR repo if 6.4 is not released yet or 6.4/updates if 6.4 is released. CentOS-5.9 will just get the update released normally into 5.9/updates.

    When will CentOS-6.4 be released … soon :)

    When is soon … I would expect sometime before Friday, March 8th (or very close to that date).

  • OpenJDK IS Oracle´s java, sans the browser plug-in which was never open sourced by Sun, and which is provided by Icedtea-web.

    Oracle has made OpenJDK 7 the reference implementation of JDK 7.
    95% shared code according to the RedHat presentation at the JBos 2012 summit:


    During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario
    – George Orwell

  • Because the new pastime of the mainstream IT press (specially IDG;
    ZDNet which includes many Microsoft employees that write slamming Java) is slamming Oracle, not educating about OpenJDK and its open nature with IBM, RedHat, Apple and Twitter as contributors…


    During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario
    – George Orwell

  • Fernando Cassia wrote:
    What do you mean M$ employees? I’ve never worked for M$, have stayed away from WinDoze for many years, and I *loathe* java, which failed in everything it was sold on the basis of being able to solve in the mid-nineties….


    “Jason Perlow, Sr. Technology Editor at ZDNet …”
    “… Jason is currently a Technology Solution Professional with Microsoft Corp. ”

    Oh really, check out successfull Java based software like Jitsi, for instance: or vuze, or jdownloader… or or

    all actively developed, cross-platform and succesful. And I´m just naming a handful off the top of my head.


    During times of Universal Deceit, telling the truth becomes a revolutionary act
    – George Orwell

  • Errr, beg your pardon? There are some fantastic things written in java – jenkins is one that would clearly be difficult to do in any other language. And android’s dalvik is a conceptual if not literal offspring. The thing I don’t understand is why there isn’t a dalvik VM for other OS’s so android apk’s could run everywhere without something silly like bluestacks.

  • Les Mikesell wrote:
    tomcat? Ton’s o’ websites with java, that are really, really slow, and break easily? And then there’s the “write once, try to run everywhere….”

    Oh, and how about “with java, you can’t have null pointer exceptions”? Or the fact that when tomcat, for example, crashes, the stack traces – in other words, the function calls – range from 100 to 200 deep!


  • Am 05.03.2013 um 18:51 schrieb

    The question is rather: are there days without new “emergency patches” for Java?
    And at what point does an “emergency” become a permanent condition

  • Rainer Duffner wrote:

    Oh, come on. The last one was all of, um, what, two weeks ago? That’s not every day….


  • Yeah, right, like there are no 0day patches periodically for a multitude of software, including Apache, PHP, and the like. And what are Microsoft´s “Patch Tuesday” Windows updates for, after all?.

    Adobe Rolls out emergency patch for Flash plug-in

    Critical PHP vulnerability exposes web sites to data theft

    Top ten PHP security vulnerabilities (Oct 2012)

    PHP patches actively exploited CGI vulnerability

    Security is a process. There is no “permanently secure” software. Not even OpenBSD with its “memory randomization”.


    During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario
    – George Orwell

  • Les Mikesell wrote:
    So, tell me (since I’d never heard of it): folks around here use eclipse
    (java, and not really happy with less than 2GB of RAM…) – what does opengrok need, and how’s it compare?


  • I’m not happy with less the 4GB RAM, with/without java, but I’m not sure how that is relevant. RAM is cheap and useful, if you need it, get more.

    Anyway, opengrok is a web service that runs under tomcat (or similar…), so everyone can share one instance. You drop the source in it’s directory and tell it to index. Then you can can browse the files, do raw text searches, or follow the def/ref links that it embeds for you. My point is that it is fast and you can try it out pretty quickly if you know how to deploy a tomcat site – or just follow the instructions.(
    It may or may not be useful to you but it shows the language works. As does Jenkins, OpenNMS, Alfresco, etc.

    Here’s a public one but they seem to have disabled the raw browsing –
    you have to search for something: And it is not nearly as fast as what you’d get with a local install on a CentOS box.

  • Please.

    Java is doing everything in it’s power to rival the insecurity records of sendmail and bind from years ago, or horde’s track record or phpBB’s. It’s just one rolling security vector. It’s apparently maintained by people that don’t really know what they’re doing since it’s one issue after another in rapid pace. Oracle’s attitude towards patches is abysmal at best and I can’t see any relief in sight. Look at it this way: distro’s have rolling releases and Java has rolling security vulnerabilities.

    How about permanently insecure?


  • But wait – wasn’t making the code ‘free’ supposed to take care of all those issues since everyone can now see the problems and contribute the fixes? I think RMS may have led us astray.

  • Les Mikesell wrote:

    No, java was Sun’s baby, now it’s Oracle’s. I know y’all have seen my feelings about Oracle/Sun hardware “tech support”….


  • sad, really, as one of Java’s original goals was to be a completely sandboxable environment.

    I wonder… is Java really getting worse, or is it that the hackers are getting more sophisticated and finding ever more fiendish ways of violating systems ?

    I also wonder how long before the HTML5/Javascript world starts showing up equally gnarly fundamental security exposures.

  • I’m talking about all those years when Sun’s baby was pretty good and
    “free as in beer” but not good/free enough for Red Hat to bless with an installer that actually worked so we got the broken gcj instead and made everybody hate java because it didn’t work. Now the real thing is free enough, but so far I don’t see the improvement that we were supposed to be waiting for…

  • I was just discussing this very issue with someone the other day. That was such a huge marketing factor in the beginning. And we waited. And waited. And waited. And it never materialized.

    I think it’s sort of a little of both. Tools and people are getting better and the people maintaining Java aren’t getting any better.


  • Of course it didn’t when big companies like Microsoft and Red Hat shipped incompatible competing versions making the code not portable.

    I’m cynical enough to believe that most code has intentional backdoors that for various reasons eventually leak out and have to be fixed. And hackers are incredibly sophisticated these days. Even in the CentOS 5.3 era I saw URL attacks in the wild that would use a spring
    (java lib) bug to execute commands to trigger the kernel’s root escalation bug.

  • Free as in what the FSF names code encumbered with restrictions that prevent combining it with any other components.

  • specifically, the Sun Java license restricted redistribution of the runtime, and it wasn’t opensource at all. further, it had type-of-use restrictions, you had to agree not to run ‘standard edition’ (free) on mobile phones, the licensing required a specific J2ME edition for phone use which was NOT free.

  • I meant that the GPL imposes restrictions.

    It would have been possible to make it trivial to install directly if not to completely automate it. And others started redistributing long before RH included it in their paid support channel. In any case, shipping something that pretended to be java but wasn’t had to be the worst possible thing that could happen to a language.

    Yet oddly, long ago RH shipped Netscape binaries…

  • It´s amazing the Java haters are not content with hating it in silence, they must spread their dislike and insisit that everyone else should hate it too.

    Just don´t use it, but keep the hate for yourself, and let those of us that understand it, use it and enjoy it. (OpenJDK, Netbeans, jEdit, Vuze, Jitsi, etc)

    Like RedHat, for instance, which is a big backer of JBoss and invests in OpenJDK…

    Sheesh… FC

    During times of Universal Deceit, telling the truth becomes a revolutionary act
    – George Orwell