Sunday 26 January 2014

Re: Potential Server Seed impact for 14.04: removal of OpenJDK/Tomcat7 from Ubuntu main

I am not really an Ubuntu user but I want to contribute to this conversation. The main source of recent security vulnerabilities is the Java Plug-in and Webstart (the so-called "deployment" component) of the OpenJDK. You need to bear in mind that most server processes (e.g. the Tomcat process) are not run under the security manager, and therefore there is no sandbox to escape. As a result, the majority of the security vulnerabilities don't apply if you disable the Java Plug-in and Webstart. I did a little analysis last year and looked at a number of past security vulnerabilities to see whether they would affect server processes, etc. This information is actually given in the Oracle security notification pages:
Java Patch Release   Info URL            Total number of fixes   Fixes that affect Client components   Fixes that affect Client and Server components
January 2014         January patch       38                      35                                    3
October 2013         October 2013 patch  51                      40                                    11
June 2013            June 2013 patch     40                      35                                    4
Feb 2013             Feb 2013 patch      50                      43                                    5
October 2012         October 2012        30                      26                                    3
June 2012            June 2012           14                      9                                     4
Notice that in the majority of cases, if no "client" components are being used, the number of security vulnerabilities affecting Java is substantially lower. This is why Oracle has now introduced a Server JRE, which removes the Java Plug-in and Webstart components to reduce the security risk. I would suggest that Ubuntu re-organise the Java packages on the server so that the Java Plug-in and Webstart are separated out, and only distribute a "server JRE" type of packaging in Ubuntu Server.

Sunny

Sent from the ubuntu-devel mailing list archive at Nabble.com.
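The two conditions Sunny's argument rests on (JVMs on a server host running without a security manager, and the client-only deployment components being installed at all) can be audited locally. The script below is an added example, not part of the original post or of any Ubuntu packaging; the IcedTea package names it looks for are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a host for the two
# points raised above: JVMs that run without a security manager (for these,
# "sandbox escape" fixes are irrelevant because there is no sandbox), and
# whether the client-only deployment pieces (Java Plug-in / Web Start) exist.

# Return 0 if a JVM command line enables the security manager.
jvm_has_security_manager() {
    case "$1" in
        *-Djava.security.manager*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "sandboxed" or "unsandboxed" for one JVM command line.
classify_jvm() {
    if jvm_has_security_manager "$1"; then
        echo sandboxed
    else
        echo unsandboxed
    fi
}

# Read process command lines on stdin (one per line, as printed by
# `ps -eo args=`) and count the java processes with no security manager.
count_unsandboxed_jvms() {
    awk '$1 ~ /^(.*\/)?java$/ && $0 !~ /-Djava\.security\.manager/ { n++ }
         END { print n + 0 }'
}

# Count unsandboxed JVMs among the processes actually running on this host.
audit_host() {
    ps -eo args= 2>/dev/null | count_unsandboxed_jvms
}

# Return 0 if Web Start (javaws) or the browser plug-in appears installed.
# Assumed Ubuntu/IcedTea package names: icedtea-netx (Web Start) and
# icedtea-*-plugin (browser plug-in).
client_components_installed() {
    command -v javaws >/dev/null 2>&1 && return 0
    dpkg-query -W -f='${Package}\n' 'icedtea-*' 2>/dev/null \
        | grep -Eq 'icedtea-(netx|.*plugin)$'
}

if [ "${1:-}" = "--run" ]; then
    echo "unsandboxed JVMs running: $(audit_host)"
    if client_components_installed; then
        echo "client deployment components (plug-in/Web Start): installed"
    else
        echo "client deployment components (plug-in/Web Start): not found"
    fi
fi
```

Run it as `sh audit.sh --run`; a server that reports unsandboxed JVMs and no client components is exactly the case where only the "Client and Server" column of the table above is relevant.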