On 02/11/2013 12:23 PM, Linda Jacobson wrote:
> Will someone on this email list please answer these questions:

I see others have answered some of these questions, so I will try and provide more background. Feel free to ask for further details if something does not make sense. I can't speak for Red Hat here, but I can talk about OpenJDK and Fedora.

> 1. Oracle recently (2/1) released an emergency update to java se 7,
> that fixed most open security issues. Since openjdk is the reference
> implementation for Java SE, does this mean that all updates are entered
> into openjdk first?

Yes, and no.

OpenJDK was used as the reference implementation of Java 7. However, Oracle did point out that the reference implementation will not be getting any security updates [1].

The security fixes do make it into the OpenJDK project. However, there are a few catches. First, the OpenJDK project does not do releases that correspond to Oracle's 7uXX (where XX is odd) update releases. The fixes are added to the development tree for the next 7uYY (where YY is even) feature update release.

Oracle develops the security fixes in private. The fixes are added to OpenJDK (soon) after Oracle's proprietary releases. In the case of the most recent fixes, for example, Oracle made proprietary binaries public on 2013-02-01 [2], but changesets were added to OpenJDK on 2013-02-08 [3].

> 2. Red Hat released a new version of openjdk 6, that fixed "many"
> security bugs, as well as other issues. Does it fix all the ones fixed
> by Oracle? The security holes are the same in openjdk 6 and openjdk 7.

Again, the answer is not a simple yes or no.

Oracle's proprietary binaries contain things that are _not_ part of OpenJDK. So it is possible that these vulnerabilities are not present in OpenJDK to begin with.

The security vulnerabilities can be different between OpenJDK6 and OpenJDK7. OpenJDK7 does contain some new features and some of them may be (or have been) vulnerable.

But we do try and fix all vulnerabilities in OpenJDK (or, rather, in IcedTea [4], which is what most distributions ship as OpenJDK) and send feedback upstream.

> 3. What is the current status of openjdk 7, with respect to the
> documented security vulnerabilities?

It's easy enough to find out which fixes are currently in OpenJDK. Once you have the bug numbers for the fixes that Oracle publishes, clone the jdk7u-dev tree [5] and see if there are changesets with that bug id present.

HTH,
Omair

[1] http://jdk7.java.net/java-se-7-ri/
[2] http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates
[3] http://mail.openjdk.java.net/pipermail/jdk7u-dev/2013-February/005587.html
[4] http://icedtea.classpath.org/wiki/Main_Page
[5] http://hg.openjdk.java.net/jdk7u/jdk7u-dev/

--
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95 0056 F286 F14F 6648 4681

--
java-devel mailing list
java-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/java-devel
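The check suggested in the answer to question 3, as an added example that is not part of the original message: a small Python script that reads changeset summaries from a local jdk7u-dev clone via `hg log` and reports which of a list of bug ids already have a changeset. The sample log lines and bug ids are constructed, and the assumption that a summary begins with its bug id(s) followed by a colon is the script's, not the post's.

```python
"""Report which bug ids have a changeset in a local jdk7u-dev clone.
Added example, not code from the list post; assumes summaries start with
the bug id(s) followed by a colon (e.g. "7654321: ..."), as a convention."""
import re
import subprocess
import sys

BUG_ID_RE = re.compile(r"\b\d{7}\b")  # 7-digit JDK bug ids of the 7u era

# Constructed sample of 'shortnode|summary' lines, NOT real jdk7u-dev history.
SAMPLE_LOG = [
    "a1b2c3d4e5f6|7654321: Example security fix in the sample",
    "0f1e2d3c4b5a|7123456, 7123457: Two ids fixed in one changeset",
    "9876543210ab|Merge",
]

def hg_log_lines(repo_path):
    """Return 'shortnode|summary' lines for every changeset in a local clone."""
    out = subprocess.run(
        ["hg", "log", "-R", repo_path,
         "--template", "{node|short}|{desc|firstline}\n"],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.splitlines()

def index_changesets(log_lines):
    """Map each bug id in a summary's leading 'id, id:' part to its changesets."""
    index = {}
    for line in log_lines:
        node, _, summary = line.partition("|")
        head = summary.split(":", 1)[0]  # only the ids before the first colon
        for bug_id in BUG_ID_RE.findall(head):
            index.setdefault(bug_id, []).append(node)
    return index

def check_fixes(bug_ids, log_lines):
    """Split wanted bug ids into (present -> changesets, sorted missing ids)."""
    index = index_changesets(log_lines)
    present = {b: index[b] for b in bug_ids if b in index}
    missing = sorted(b for b in bug_ids if b not in index)
    return present, missing

if __name__ == "__main__":
    repo, ids = sys.argv[1], sys.argv[2:]
    present, missing = check_fixes(ids, hg_log_lines(repo))
    for b, nodes in present.items():
        print(f"{b}: fixed in {', '.join(nodes)}")
    for b in missing:
        print(f"{b}: no changeset found")
```

Run it as `python check_fixes.py /path/to/jdk7u-dev 7654321 7123457` against a clone of the tree in [5]; a bug id reported as missing has not landed in that tree yet.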