AW: Beginner's Question on Java Security Fixes

To: <debian-java@lists.debian.org>
Subject: AW: Beginner's Question on Java Security Fixes
From: "Markus Karg" <karg@quipsy.de>
Date: Wed, 8 May 2013 09:45:29 +0200
Message-id: <[🔎] C318061356872B4D892533A28BD08819010B9CE9@quipsy1>
References: <[🔎] C318061356872B4D892533A28BD08819010B9CCE@quipsy1><[🔎] CAKTje6HS4_tw2FmD_=48J70899bjdrEh-g=DjFiRbZ5DNZjS0Q@mail.gmail.com><[🔎] C318061356872B4D892533A28BD08819010B9CCF@quipsy1><[🔎] CAKTje6EqLU-_Uct-7CzLTrReRtNouRRm6eNrCGbFcpL=i=+2tQ@mail.gmail.com><[🔎] C318061356872B4D892533A28BD08819010B9CD0@quipsy1> <[🔎] CAKTje6GMy7AX39WGb3WKnCEtbnHkb4t_k8FqEa+ZVN27QMyDOA@mail.gmail.com>

Following the trouble currently made around Java's security, this means that the version of Java 7 delivered with Wheezy actually implies huge security risks? If that is actually true I do not understand the Debian release policy. I mean, what should it be good for having a stable-but-unsecure (7u3) package in Wheezy while there is as-near-as-stable-but-secure (7u21) package already available? Or is the Debian team actually aware of facts which say 7u21 is so much more unstable that it is in fact better to use the unsecure 7u3 instead?

-----Ursprüngliche Nachricht-----
Von: paul.is.wise@gmail.com [mailto:paul.is.wise@gmail.com] Im Auftrag von Paul Wise
Gesendet: Mittwoch, 8. Mai 2013 08:36
An: debian-java@lists.debian.org
Betreff: Re: Beginner's Question on Java Security Fixes

On Wed, May 8, 2013 at 2:16 PM, Markus Karg wrote:

> Maybe there is a misunderstanding. I am running Debian Wheezy, neither jessie nor sid. Certainly I want the best stability and security. Using Oracle's product, this would result in manually installing 7u21. But what if using openjdk-7-jre on wheezy? The version tag says it is 7u3, but I doubt that none of Oracle's fixes done between 7u3 and 7u21 is found in Wheezy. That's the problem I have. Everywhere Oracle says "since 7u21 it's safe", but I just cannot see whether this holds true for Wheezy's 7u3+?

Correct, none of the 7u21 fixes are in 7u3. I believe the plan is to add 7u21 to wheezy because Oracle doesn't release fine-grained fixes, but I'm not sure when that will happen. It should be possible for you to install openjdk-7 from jessie on wheezy though, since they haven't diverged much yet.

--
bye,
pabs

http://wiki.debian.org/PaulWise
http://bonedaddy.net/pabs3/

--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: [🔎] CAKTje6GMy7AX39WGb3WKnCEtbnHkb4t_k8FqEa+ZVN27QMyDOA@mail.gmail.com">http://lists.debian.org/[🔎] CAKTje6GMy7AX39WGb3WKnCEtbnHkb4t_k8FqEa+ZVN27QMyDOA@mail.gmail.com

Reply to:

References:
- Beginner's Question on Java Security Fixes
  - From: "Markus Karg" <karg@quipsy.de>
- Re: Beginner's Question on Java Security Fixes
  - From: Paul Wise <pabs@debian.org>
- AW: Beginner's Question on Java Security Fixes
  - From: "Markus Karg" <karg@quipsy.de>
- Re: Beginner's Question on Java Security Fixes
  - From: Paul Wise <pabs@debian.org>
- AW: Beginner's Question on Java Security Fixes
  - From: "Markus Karg" <karg@quipsy.de>
- Re: Beginner's Question on Java Security Fixes
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: Beginner's Question on Java Security Fixes
Next by Date: Joining pkg-java
Previous by thread: Re: Beginner's Question on Java Security Fixes
Next by thread: Joining pkg-java
Index(es):
- Date
- Thread