[fedora-java] openjdk and java security issues

Omair Majid omajid at redhat.com
Mon Feb 11 18:27:17 UTC 2013


On 02/11/2013 12:23 PM, Linda Jacobson wrote:
>     Will someone on this email list please answer these questions:

I see others have answered some of these questions, so I will try and
provide more background. Feel free to ask for further details if
something does not make sense.

I can't speak for Red Hat here, but I can talk about OpenJDK and Fedora.

>     1.  Oracle recently (2/1) released an emergency update to java se 7,
> that fixed most open security issues.  Since openjdk is the reference
> implementation for Java SE, does this mean that all updates are entered
> into openjdk first?

Yes, and no.

OpenJDK was used as the reference implementation of Java 7. However,
Oracle did point out that the reference implementation will not be
getting any security updates [1].

The security fixes do make it into the OpenJDK project. However, there
are a few catches. First, the OpenJDK project does not do releases that
correspond to Oracle's 7uXX (where XX is odd) update releases. The fixes
are added to the development tree for the next 7uYY (where YY is even)
feature update release.

Oracle develops the security fixes in private. The fixes are added to
OpenJDK (soon) after Oracle's proprietary releases. In the case of the
most recent fixes, for example, Oracle made proprietary binaries public
on 2013-02-01 [2], but changesets were added to OpenJDK on 2013-02-08 [3].

>     2.  Red Hat released a new version of openjdk 6, that fixed "many"
> security bugs, as well as other issues.  Does it fix all the ones fixed
> by Oracle?  The security holes are the same in openjdk 6 and openjdk 7.

Again, the answer is not a simple yes or no. Oracle's proprietary
binaries contain things that are _not_ part of OpenJDK. So it is possible
that these vulnerabilities are not present in OpenJDK to begin with.

The security vulnerabilities can be different between OpenJDK6 and
OpenJDK7. OpenJDK7 does contain some new features and some of them may
be (or have been) vulnerable.

But we do try and fix all vulnerabilities in OpenJDK (or, rather in
IcedTea [4], which is what most distributions ship as OpenJDK) and send
feedback upstream.

>     3.  What is the current status of openjdk 7, with respect to the
> documented security vulnerabilities?

It's easy enough to find out which fixes are currently in OpenJDK. Once
you have the bug numbers for the fixes that Oracle publishes, clone the
jdk7u-dev tree [5] and see if there are changesets with that bug id present.

HTH,
Omair


[1] http://jdk7.java.net/java-se-7-ri/
[2] http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates
[3] http://mail.openjdk.java.net/pipermail/jdk7u-dev/2013-February/005587.html
[4] http://icedtea.classpath.org/wiki/Main_Page
[5] http://hg.openjdk.java.net/jdk7u/jdk7u-dev/

-- 
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95  0056 F286 F14F 6648 4681
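The check Omair describes in answer 3 (clone jdk7u-dev, then look for changesets carrying the bug numbers Oracle publishes) can be scripted. The following is an added example, not code from the message or from the OpenJDK project: it parses the one-line-per-changeset output of `hg log` and reports which bug ids have a changeset and which do not. The embedded log text, its changeset hashes and its bug numbers are placeholders constructed for the example; real use replaces them with the output of `hg log` from a cloned tree and the bug numbers from Oracle's advisory.

```python
import re
import sys

# Constructed sample of what
#   hg log --template '{node|short} {desc|firstline}\n'
# prints in an OpenJDK update repository. The hashes and bug numbers
# below are placeholders made up for this example, not real changesets.
SAMPLE_HG_LOG = """\
3a9f0c1d2e4b 1234567: Better input handling in example component
9c8b7a6f5e4d Merge
5e4d3c2b1a09 2345678: Improve permission checks in example API
7f6e5d4c3b2a Added tag jdk7u-example for changeset 5e4d3c2b1a09
1b2c3d4e5f60 3456789: Update copyright headers
"""

# OpenJDK commit messages begin with the 7-digit bug number, a colon and
# the synopsis. Merges and tag commits have no bug number and are skipped.
CHANGESET_RE = re.compile(
    r"^(?P<node>[0-9a-f]{12})\s+(?P<bug>\d{7}):\s*(?P<summary>.*)$"
)


def parse_changesets(log_text):
    """Map bug id -> list of (node, summary) for every changeset whose
    first description line starts with a bug number."""
    fixes = {}
    for line in log_text.splitlines():
        m = CHANGESET_RE.match(line)
        if not m:
            continue
        fixes.setdefault(m.group("bug"), []).append(
            (m.group("node"), m.group("summary"))
        )
    return fixes


def check_fixes(log_text, bug_ids):
    """Return (present, missing): present maps each requested bug id that
    has a changeset to its changesets; missing lists the ids with none."""
    fixes = parse_changesets(log_text)
    present = {b: fixes[b] for b in bug_ids if b in fixes}
    missing = [b for b in bug_ids if b not in fixes]
    return present, missing


def report(log_text, bug_ids):
    """Print one line per bug id; return True only if every id was found."""
    present, missing = check_fixes(log_text, bug_ids)
    for bug in bug_ids:
        for node, summary in present.get(bug, []):
            print("present  %s  %s  %s" % (bug, node, summary))
    for bug in missing:
        print("MISSING  %s" % bug)
    return not missing


if __name__ == "__main__":
    # Real use (assumed workflow, not from the original message):
    #   hg clone http://hg.openjdk.java.net/jdk7u/jdk7u-dev/
    #   cd jdk7u-dev/jdk   # the forest has sub-repositories; most fixes land in jdk/
    #   hg log --template '{node|short} {desc|firstline}\n' | python check_fixes.py 1234567 2345678
    bug_ids = sys.argv[1:]
    if bug_ids:
        log_text = sys.stdin.read()
    else:
        bug_ids = ["1234567", "2345678", "9999999"]
        log_text = SAMPLE_HG_LOG
    sys.exit(0 if report(log_text, bug_ids) else 1)
```

Two caveats when running this against a real tree: jdk7u-dev is a forest, so `hg log` has to be run in each sub-repository (jdk, hotspot, and so on) rather than only at the top level, and the mercurial repository may contain the fix before any OpenJDK release tag does, so a bug id being present in the development tree says nothing about which tagged release, or which distribution package, carries it.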

