I am not really an Ubuntu user but I want to contribute to this
conversation. The main source of recent security vulnerabilities is down to
the Java Plug-in and Webstart (the so-called "deployment" component) of the
OpenJDK. You need to bear in mind that most server processes (e.g. the Tomcat
process) are not run under the security manager and therefore there is no
sandbox to escape. As a result, the majority of the security issues don't
apply if you disable Java Plug-in and Webstart. I did a little analysis last
year and looked at a number of past security vulnerabilities to see whether
they were something that would affect server processes, etc. This information
is actually given in the Oracle security notification pages:
Java Patch Release   Total number   Fixes that affect   Fixes that affect Client
                     of fixes       Client components   and Server components
January 2014         38             35                  3
  http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA
October 2013         51             40                  11
  http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixJAVA
June 2013            40             35                  4
  http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
Feb 2013             50             43                  5
  http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
October 2012         30             26                  3
  http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
June 2012            14             9                   4
  http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
Notice that in the majority of cases, if no "client" components are being
used, the number of security vulnerabilities affecting Java is substantially
lower. This is why Oracle has now introduced a Server JRE
<http://www.oracle.com/technetwork/java/javase/downloads/server-jre7-downloads-1931105.html>
which removes the Java Plug-in and Webstart components to reduce the security
risk. I would suggest that Ubuntu re-organise the Java packages on the server
so that Java Plug-in and Webstart are separated out and only a "server JRE"
type of packaging is distributed in Ubuntu Server.

Sunny



--
View this message in context: 
http://ubuntu.5.x6.nabble.com/Potential-Server-Seed-impact-for-14-04-removal-of-OpenJDK-Tomcat7-from-Ubuntu-main-tp5054500p5054839.html
Sent from the ubuntu-devel mailing list archive at Nabble.com.
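The post's recommendation is to keep the "deployment" components (Java Plug-in and Web Start) off server installs. The script below is an added example, not part of Sunny's message or of any Ubuntu package, that audits a JRE home directory for those components so an administrator can confirm a server JRE really is free of them. The file names it looks for are the ones Oracle's JRE (javaws, libnpjp2.so) and IcedTea (IcedTeaPlugin.so) use, and the Debian package names icedtea-netx and icedtea-*-plugin are assumptions about the Ubuntu packaging; adjust them for the JRE actually installed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a JRE/JDK home for the
# Java Plug-in and Web Start ("deployment") components.
# Assumed file names: bin/javaws (Web Start launcher), lib/**/libnpjp2.so
# (Oracle browser plug-in), lib/**/IcedTeaPlugin.so (IcedTea browser plug-in).

# audit_deployment_components JRE_HOME
# Prints one line per component found ("webstart: PATH" / "plugin: PATH").
# Returns 0 if at least one component was found, 1 if the JRE looks clean.
audit_deployment_components() {
    jre_home="$1"
    found=1
    # Web Start launcher lives next to the java binary
    if [ -x "$jre_home/bin/javaws" ]; then
        echo "webstart: $jre_home/bin/javaws"
        found=0
    fi
    # Browser plug-in libraries may sit under lib/, lib/amd64, lib/i386, ...
    for lib in libnpjp2.so IcedTeaPlugin.so; do
        match=$(find "$jre_home/lib" -name "$lib" 2>/dev/null | head -n 1)
        if [ -n "$match" ]; then
            echo "plugin: $match"
            found=0
        fi
    done
    return $found
}

# On Debian/Ubuntu, list installed packages that ship these components.
# Assumed package names: icedtea-netx (Web Start), icedtea-*plugin (plug-in).
list_deployment_packages() {
    dpkg-query -W -f='${Package}\t${Status}\n' 'icedtea-netx' 'icedtea-*plugin' 2>/dev/null \
        | grep 'install ok installed' | cut -f1
}

# Usage: sh audit_jre.sh /usr/lib/jvm/java-7-openjdk-amd64/jre
if [ -n "$1" ]; then
    if audit_deployment_components "$1"; then
        echo "deployment components present under $1; consider removing them on servers"
    else
        echo "no deployment components found under $1"
    fi
    pkgs=$(list_deployment_packages)
    [ -n "$pkgs" ] && echo "installed deployment packages: $pkgs"
fi
```

Run it against the JRE home a server process actually uses (for Tomcat, the JAVA_HOME in its startup configuration) rather than whatever `java` is first on PATH; a non-zero exit from the audit function makes it easy to wire into a configuration check.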