
I have a new install of CentOS 6.4 x64; it comes with OpenJDK 1.7.09. Obviously there are exploits/vulnerabilities in that version. The new version is 1.7.17. I try to install it, and I don't know where it (gets installed) to. rpm -ql is no help.

[root@joe home]# rpm -ivh jdk-7u17-linux-x64.rpm 
Preparing...                ########################################### [100%]
    package jdk-2000:1.7.0_17-fcs.x86_64 is already installed
[root@joe home]# rpm -ql jdk-7u17-linux-x64.rpm 
    package jdk-7u17-linux-x64.rpm is not installed
javajoe316
  • Don't assume your version is vulnerable; Red Hat backports security fixes into their packages. Check https://rhn.redhat.com/errata/rhel-server-6-errata.html for good details of RHEL security fixes. – squareborg Apr 09 '13 at 20:41

1 Answer


Have you checked if the installed Java is really vulnerable? Red Hat Enterprise Linux (and thus clones like CentOS) doesn't bump version numbers unless absolutely necessary: users want stability, with no changes unless they are unavoidable. Thus Red Hat works hard at backporting fixes, or simply fixing the old versions they ship.

Check, e.g., rpm -q --changelog jdk to see if something is mentioned, and see whether the CentOS (or RHEL) advisories/release notes for the current package mention anything.

Installing non-official packages will get you into grief sooner or later; avoid it if possible. If you can't avoid it, check carefully what you are doing and make sure you can update to the official version, or to the next version of the package, when needed.

Update: Added the link to RHEL advisories given in a comment by Shutupsquare.

vonbrand
  • Just mentioned this myself +1 – squareborg Apr 09 '13 at 20:42
  • I understand; there is nothing I need in Java 7.17 that is not in 7.09. I'm guessing the vulnerabilities we hear about are only in the browser, so I am probably okay as long as I don't go browsing infected sites using this machine. Or do you think that if there was a vulnerability on Linux (RHEL), Red Hat would make the new version of Java available, and the versions up to 7.17 can't cause an issue with RHEL? – javajoe316 Apr 09 '13 at 22:42
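The changelog check the answer recommends, as an added example that is not from the original post: a POSIX shell script that pulls CVE identifiers out of an RPM changelog and tests whether a given one is listed, which is how a backported fix shows up even though the package version string never changes. The changelog text, maintainer, version strings and CVE numbers below are constructed placeholders; on a real CentOS host you would feed the script the output of rpm -q --changelog for the installed package instead.

```shell
#!/bin/sh
# Added example (not from the original post). Decide whether an RPM changelog
# records a fix for a given CVE. On a real CentOS host the changelog comes from:
#   rpm -q --changelog java-1.7.0-openjdk      # package NAME, installed package
# The question's "rpm -ql jdk-7u17-linux-x64.rpm" fails because -q expects an
# installed package name, not a file; to list a .rpm file's contents before or
# without installing it, use:
#   rpm -qlp jdk-7u17-linux-x64.rpm
# The changelog below is a constructed sample (placeholder CVE ids, maintainer
# and versions) so the script runs offline.
SAMPLE_CHANGELOG='* Thu Mar 07 2013 Example Maintainer <maint@example.invalid> - 1.7.0.9-2.el6
- Backported security fixes (constructed sample)
- Resolves: CVE-2013-99991 CVE-2013-99992
* Mon Feb 04 2013 Example Maintainer <maint@example.invalid> - 1.7.0.9-1.el6
- Rebuilt against updated libpng'

# Print the unique CVE identifiers mentioned in changelog text read from stdin.
cves_in_changelog() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Count the unique CVE identifiers in changelog text read from stdin.
count_cves() {
    cves_in_changelog | wc -l | tr -d ' '
}

# Return 0 if the changelog on stdin mentions CVE $1, 1 otherwise.
changelog_fixes_cve() {
    cves_in_changelog | grep -qx "$1"
}

# Run the check against the constructed sample: sample_has_fix CVE-YYYY-NNNN
sample_has_fix() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_fixes_cve "$1"
}

# Stand-alone usage: report each placeholder id against the sample changelog.
for cve in CVE-2013-99991 CVE-2013-99999; do
    if sample_has_fix "$cve"; then
        echo "$cve: fix recorded in changelog"
    else
        echo "$cve: not mentioned; check the vendor advisory before assuming anything"
    fi
done
```

A fix that is absent from the changelog is not proof of vulnerability either; the advisory page linked in the comments is the authoritative record.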