An important announcement about Sun Java packages that remained in the
Canonical partner repository
(archive.canonical.com <http://archive.canonical.com/pool/partner/s/sun-java6/>).
To be honest, I've been expecting such an announcement. There are several
security exploits with the version of Sun Java (sun-java6).

*If you are using any of the Sun Java packages, you are advised to start
using OpenJDK (Ubuntu packages openjdk-6-jre or default-jre default-jdk)
and purge any sun-java packages.*

In short, for Ubuntu 10.04 (and later versions):
sudo apt-get purge 'sun-java6.*'
sudo apt-get install default-jre default-jdk openjdk-6-jre
sudo update-alternatives --config java
sudo update-alternatives --config javaws

(For the last two commands, if you are given more choices, choose OpenJDK
instead of Sun Java)

If you really need Sun/Oracle Java, then install Oracle Java 7:
https://help.ubuntu.com/community/Java#Oracle_Java
http://askubuntu.com/questions/56104/how-can-i-install-oracle-java-jre-7
http://askubuntu.com/questions/55848/how-do-i-install-oracle-java-jdk-7

Kind regards,
Savvas

---------- Forwarded message ----------
From: Marc Deslauriers <marc.deslauri...@canonical.com>
Date: 15 December 2011 20:28
Subject: Important notice regarding Java packages in Partner archive
To: ubuntu-security-annou...@lists.ubuntu.com


The Canonical partner archive currently contains Oracle's Sun Java JDK
packages (sun-java6) for Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04.

As of August 24th 2011, we no longer have permission to redistribute new
Java packages as Oracle has retired the “Operating System Distributor
License for Java” [1][2].

Oracle has published an advisory about security issues in the version of
Java we currently have in the partner archive [3]. Some of these issues are
currently being exploited in the wild.

Due to the severity of the security risk, Canonical is immediately
releasing a security update for the Sun JDK browser plugin which will
disable the plugin on all machines. This will mitigate users' risk from
malicious websites exploiting the vulnerable version of the Sun JDK.

In the near future (exact date TBD), Canonical will remove all Sun JDK
packages from the Partner archive. This will be accomplished by pushing
empty packages to the archive, so that the Sun JDK will be removed from all
users' machines when they do a software update. Users of these packages who
have not migrated to an alternative solution will experience failures after
the package updates have removed Oracle Java from the system.

If you are currently using the Oracle Java packages from the partner
archive, you have two options:

1- Install the OpenJDK packages that are provided in the main Ubuntu
  archive. (icedtea6-plugin for the browser plugin, openjdk-6-jdk or
  openjdk-6-jre for the virtual machine)
2- Manually install Oracle's Java software from their web site [4].

For more information, please consult the wiki page on the subject [5].

We apologize for any inconvenience this may cause, and thank you for your
understanding.

[1] - http://jdk-distros.java.net/
[2] - http://robilad.livejournal.com/90792.html
[3] - http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
[4] - http://www.oracle.com/technetwork/java/javase/downloads/index.html
[5] - https://wiki.ubuntu.com/LucidLynx/ReleaseNotes/Java6Transition

--
ubuntu-security-announce mailing list
ubuntu-security-annou...@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
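
The migration described in this thread can be checked afterwards. The script below is an added example, not part of either message or of Ubuntu's tooling: it reports sun-java6 packages that dpkg still tracks and whether the java alternative still selects the Sun JVM. The sample inputs and the "java-6-sun" path match are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit for leftover sun-java6 packages. Functions read stdin.

# stdin: output of  dpkg-query -W -f='${Package} ${Status}\n'
# Prints "<package> <state>" for each sun-java6 package that is installed or
# removed but not purged (state "config-files").
leftover_sun_java() {
    awk '$1 ~ /^sun-java6/ && $NF != "not-installed" { print $1, $NF }'
}

# stdin: output of  update-alternatives --query java
# Exit 0 when the selected alternative ("Value:") is a Sun JVM path.
# Assumption: the Sun JVM lives under a directory containing "java-6-sun".
alternative_is_sun() {
    awk '$1 == "Value:" && $2 ~ /java-6-sun/ { found = 1 } END { exit !found }'
}

# $1 = dpkg-query text, $2 = update-alternatives text; returns 1 on findings.
audit() {
    rc=0
    left=$(printf '%s\n' "$1" | leftover_sun_java)
    if [ -n "$left" ]; then
        echo "sun-java6 packages still present:"; echo "$left"; rc=1
    fi
    if printf '%s\n' "$2" | alternative_is_sun; then
        echo "java alternative still points at the Sun JVM"; rc=1
    fi
    return $rc
}

# Constructed sample inputs, not captured from a real host.
SAMPLE_DPKG='sun-java6-bin install ok installed
sun-java6-jre install ok installed
sun-java6-plugin deinstall ok config-files
sun-java6-fonts unknown ok not-installed
openjdk-6-jre install ok installed'

SAMPLE_ALT='Name: java
Link: /usr/bin/java
Status: manual
Best: /usr/lib/jvm/java-6-openjdk/jre/bin/java
Value: /usr/lib/jvm/java-6-sun/jre/bin/java'

audit "$SAMPLE_DPKG" "$SAMPLE_ALT" || echo "host needs migration"
# On a real host:
# audit "$(dpkg-query -W -f='${Package} ${Status}\n')" \
#       "$(update-alternatives --query java)"
```

A package in the "config-files" state was removed but not purged, which is why the message above uses apt-get purge rather than remove.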
