Hi All,

Following the latest security updates from Oracle, the version of OpenJDK package is currently listed as:

java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm

The Redhat security advisory lists these packages: https://rhn.redhat.com/errata/RHSA-2014-0026.html
but it makes no reference to the build number, which it turns out is important.

The build on the package in centos 6.5 is currently listed as b02:

[........]$ java -version
java version "1.7.0_51"
OpenJDK Runtime Environment (rhel-2.4.4.1.el6_5-x86_64 u51-b02)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)

However changes were being made in at least b10: https://bugs.openjdk.java.net/browse/JDK-8028111

I guess this raises three questions:

1. How is the build of the JDK selected for a security update in RHEL/CentOS?
2. Could the b number be made more clear in the release information given its importance?
3. Is it possible for the JDK package to be updated to the latest build number, given the current one has missing backports?

Thanks,

Tom

-----------------------------
http://www.bbc.co.uk
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.
-----------------------------

On 02/19/2014 11:12 AM, Tom Cartwright wrote:
> Hi All,
>
> Following the latest security updates from Oracle, the version of OpenJDK package is currently listed as:
>
> java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm
>
> The Redhat security advisory lists these packages: https://rhn.redhat.com/errata/RHSA-2014-0026.html
> but it makes no reference to the build number, which it turns out is important.
>
> The build on the package in centos 6.5 is currently listed as b02:
>
> [........]$ java -version
> java version "1.7.0_51"
> OpenJDK Runtime Environment (rhel-2.4.4.1.el6_5-x86_64 u51-b02)
> OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)
>
> However changes were being made in at least b10: https://bugs.openjdk.java.net/browse/JDK-8028111
>
> I guess this raises three questions:
>
> 1. How is the build of the JDK selected for a security update in RHEL/CentOS?
> 2. Could the b number be made more clear in the release information given its importance?
> 3. Is it possible for the JDK package to be updated to the latest build number, given the current one has missing backports?
>
> Thanks,
>
> Tom

Well, the answer to this question in relation to CentOS is easy.

When Red Hat releases a package for RHEL (any package, java-1.7.0-openjdk or anything else), then we build it.

As to what Red Hat selects, when they select it or why, or any of the other questions you have ... we have no idea. We build what they release when they release it on our build system.

Someone who has RHEL-6.5 might be able to post the java -version from that package as a comparison.

Thanks Johnny,

I've raised the question with RHEL too: https://www.redhat.com/archives/rhelv6-list/2014-February/msg00027.html

It looks like the RHEL-6.5 package is also b02, so there's consistency, but it does mean that there are patches missing from the release, such as the one I linked to.

From the JDK bug tracker it looks like the issue I mentioned was fixed in a build made in December (https://bugs.openjdk.java.net/browse/JDK-8029404) so it's a surprise to see an older package come out with the security advisory in January.

________________________________________
From: centos-bounces at centos.org [centos-bounces at centos.org] on behalf of Johnny Hughes [johnny at centos.org]
Sent: 19 February 2014 17:56
To: centos at centos.org
Subject: Re: [CentOS] Java versions in CentOS

On 02/19/2014 11:12 AM, Tom Cartwright wrote:
> Hi All,
>
> Following the latest security updates from Oracle, the version of OpenJDK package is currently listed as:
>
> java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm
>
> The Redhat security advisory lists these packages: https://rhn.redhat.com/errata/RHSA-2014-0026.html
> but it makes no reference to the build number, which it turns out is important.
>
> The build on the package in centos 6.5 is currently listed as b02:
>
> [........]$ java -version
> java version "1.7.0_51"
> OpenJDK Runtime Environment (rhel-2.4.4.1.el6_5-x86_64 u51-b02)
> OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)
>
> However changes were being made in at least b10: https://bugs.openjdk.java.net/browse/JDK-8028111
>
> I guess this raises three questions:
>
> 1. How is the build of the JDK selected for a security update in RHEL/CentOS?
> 2. Could the b number be made more clear in the release information given its importance?
> 3. Is it possible for the JDK package to be updated to the latest build number, given the current one has missing backports?
>
> Thanks,
>
> Tom

Well, the answer to this question in relation to CentOS is easy.
When Red Hat releases a package for RHEL (any package, java-1.7.0-openjdk or anything else), then we build it.

As to what Red Hat selects, when they select it or why, or any of the other questions you have ... we have no idea. We build what they release when they release it on our build system.

Someone who has RHEL-6.5 might be able to post the java -version from that package as a comparison.

--On Wednesday, February 19, 2014 11:56:40 AM -0600 Johnny Hughes <johnny at centos.org> wrote:

> Someone who has RHEL-6.5 might be able to post the java -version from
> that package as a comparison.

% cat /etc/redhat-release
Red Hat Enterprise Linux Workstation release 6.5 (Santiago)
% java -version
java version "1.7.0_40"
Java(TM) SE Runtime Environment (build 1.7.0_40-b43)
Java HotSpot(TM) 64-Bit Server VM (build 24.0-b56, mixed mode)

Devin
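
Added example, not part of the thread or of any CentOS/Red Hat tooling: a Python check that reads the JDK update and build number from the two `java -version` outputs posted above and compares them against a required minimum. The names `parse_java_version` and `meets_build` are hypothetical, and the b10 threshold is only the number Tom's message mentions, used here as an assumed requirement.

```python
import re
from typing import NamedTuple, Optional

# Outputs copied from the thread (java -version writes to stderr; capture with 2>&1).
CENTOS_65 = '''java version "1.7.0_51"
OpenJDK Runtime Environment (rhel-2.4.4.1.el6_5-x86_64 u51-b02)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)'''
RHEL_WS_65 = '''java version "1.7.0_40"
Java(TM) SE Runtime Environment (build 1.7.0_40-b43)
Java HotSpot(TM) 64-Bit Server VM (build 24.0-b56, mixed mode)'''

class JavaBuild(NamedTuple):
    vendor: str   # "OpenJDK" or "Oracle"
    update: int   # 51 for 1.7.0_51
    build: int    # 2 for b02

# Only the "Runtime Environment" line carries the JDK build; the "Server VM"
# line reports the HotSpot build (24.45-b08 above), which is a different number.
RUNTIME_RE = re.compile(
    r"^(OpenJDK|Java\(TM\) SE) Runtime Environment \(([^)]*)\)", re.M)
# Matches the trailing "u51-b02" (OpenJDK) or "_40-b43" (Oracle) form.
BUILD_RE = re.compile(r"[u_](\d+)-b(\d+)$")

def parse_java_version(text: str) -> Optional[JavaBuild]:
    runtime = RUNTIME_RE.search(text)
    if runtime is None:
        return None
    build = BUILD_RE.search(runtime.group(2))
    if build is None:
        return None
    vendor = "OpenJDK" if runtime.group(1) == "OpenJDK" else "Oracle"
    return JavaBuild(vendor, int(build.group(1)), int(build.group(2)))

def meets_build(text: str, vendor: str, update: int, min_build: int) -> bool:
    """True only for the named vendor's runtime at (update, min_build) or later."""
    jb = parse_java_version(text)
    if jb is None or jb.vendor != vendor:
        return False  # build numbers are not comparable across vendors
    return (jb.update, jb.build) >= (update, min_build)

if __name__ == "__main__":
    for name, out in (("CentOS 6.5", CENTOS_65), ("RHEL WS 6.5", RHEL_WS_65)):
        print(name, parse_java_version(out), meets_build(out, "OpenJDK", 51, 10))
```

The vendor check matters for a comparison like the one requested in the thread: the second output comes from a Java(TM) SE runtime, so its b43 says nothing about the build of the java-1.7.0-openjdk package.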