Can't Manjaro outperform Arch and provide updates for high-risk packages?

Running the arch-audit tool, I found multiple high-risk issues:


The most used JDK for now, both as a runtime and as a development platform, is still JDK 8, but the current version in the stable, unstable and testing branches is still 8u292, released in April 2021, which has many risks; the latest version is 8u312, released in October 2021.


This dependence on Arch is really dangerous, because even Ubuntu, which is known for holding back package updates, has the latest patch for old distro releases.


This is just the case of one important package; the list of risks is much longer.

All the updated packages are present in the Unstable branch and will be moved to the stable branch soon.

You can always compare packages on different branches using this link.


Please do not post screenshots of text.
Copy + paste and use appropriate formatting via the </> button, or by adding three backticks ``` above and below the text.


jdk8-openjdk is taken from Arch and has been flagged out-of-date since 2021-07-29: Arch Linux - jdk8-openjdk 8.u292-1 (x86_64)
Several security issues are known to Arch: jdk8-openjdk - Arch Linux

jdk8 packages have been flagged out of date in Arch repositories since 2021-07-29
Arch Linux - Package Search - jdk8

Manjaro has grub v2.06-1 on all branches

Chromium v96.0.4664.110-1 is available on Testing and Unstable branches

jdk8 is not even updated for Arch, so is there any way to fix this problem instead of depending on outdated Arch packages?

So is there a fix for Manjaro, or is it under the weight of Arch?

No, there is no “fix” for Manjaro.

If you need to use software depending on old Java 8, you'd be better off on another distro.
You can try pressuring developers of said software to depend on current Java 17 (which is an LTS if I’m not mistaken): That one seems to be current and has no open security issues on Arch.


It’s not easy to use new JDKs: some APIs were removed, new compilers/runtimes generate many warnings and errors, many external libraries in use are still compiled with JDK 8, and it’s difficult to restructure a whole project to use the new modular approach. JDK 8 (especially JRE 8) is a free LTS version which will be supported until 2026 (and could be extended to 2030 with paid support from any major vendor like Oracle, Red Hat or IBM), so it’s still updated and gets security updates; the only problem is that Manjaro doesn’t ship them.

But if they are available, all that would be needed is an updated package in the AUR to easily make use of them.

It’s the AUR (the “U” stands for “user”);
apparently no one has felt the need for an up-to-date JRE8 …

That’s not how it works. See AUR submission guidelines - ArchWiki

  • The submitted PKGBUILDs must not build applications already in any of the official binary repositories under any circumstances. Check the official package database for the package. If any version of it exists, do not submit the package. If the official package is out-of-date, flag it as such. If the official package is broken or is lacking a feature, then please file a bug report.

Ah - my misunderstanding.
So the JRE8 version in the Arch repos is not current - but perhaps should be …

apparently no one has felt the need for an up to date JRE8

It’s the opposite: people didn’t use Arch or Manjaro much to develop or deploy client/server Java apps, but now this specific distro (especially Manjaro KDE) has become popular and is attracting many users (including me, an Ubuntu user for many years), so I think it should meet at least the basics, including important security patches. Because Arch is not well received by devs due to fast updates that easily break dev environments, Manjaro should come with a strategy to ship the necessary updates.


Popular frameworks have LTS releases. Java is no exception. LTS releases are maintained upstream by the source - when upstream backports security fixes, it will be reflected downstream.

If an application depends on a non LTS release of any given framework it is a development issue.

No operating system or distribution should feel obliged to support frameworks which are abandoned upstream.

Arch is very strict with this - even more than Manjaro.

AUR is available - but completely unsupported.


So if Arch doesn’t push security updates, then Manjaro will do nothing and wait for them to fix it. For me, I found (and I’m sure of it) that the Arch guys are the weirdest (with false high pride like nothing) devs on the market, so following their attitudes will just contaminate this beautiful distro.

So this is the list I get with arch-audit on a not yet fully updated Unstable system of Manjaro:

```
[phil@development community]$ arch-audit -c
jdk8-openjdk is affected by multiple issues. (CVE-2021-2388, CVE-2021-2369, CVE-2021-2341, CVE-2021-35603, CVE-2021-35588, CVE-2021-35586, CVE-2021-35578, CVE-2021-35567, CVE-2021-35565, CVE-2021-35564, CVE-2021-35561, CVE-2021-35559, CVE-2021-35556, CVE-2021-35550). High risk!
jre8-openjdk-headless is affected by multiple issues. (CVE-2021-2388, CVE-2021-2369, CVE-2021-2341, CVE-2021-35603, CVE-2021-35588, CVE-2021-35586, CVE-2021-35578, CVE-2021-35567, CVE-2021-35565, CVE-2021-35564, CVE-2021-35561, CVE-2021-35559, CVE-2021-35556, CVE-2021-35550). High risk!
openssl-1.0 is affected by multiple issues. (CVE-2021-3712, CVE-2021-3601, CVE-2021-23841, CVE-2021-23840, CVE-2021-23839, CVE-2020-1971, CVE-2020-1968). High risk!
ansible-core is affected by information disclosure. (CVE-2021-3681, CVE-2021-3620). Medium risk!
apr is affected by information disclosure. (CVE-2021-35940). Medium risk!
aspell is affected by arbitrary code execution. (CVE-2019-25051). Medium risk!
binutils is affected by multiple issues, arbitrary code execution. (CVE-2021-3648, CVE-2021-3530, CVE-2021-20197, CVE-2021-3549). Medium risk!
bluez is affected by denial of service. (CVE-2021-41229). Medium risk!
cpio is affected by arbitrary command execution. (CVE-2021-38185). Medium risk!
dcraw is affected by arbitrary code execution. (CVE-2021-3624). Medium risk!
flac is affected by information disclosure. (CVE-2021-0561). Medium risk!
giflib is affected by information disclosure. (CVE-2020-23922). Medium risk!
glibc is affected by multiple issues. (CVE-2021-43396, CVE-2021-35942, CVE-2021-33574, CVE-2021-27645). Medium risk!
grub is affected by multiple issues. (CVE-2021-20233, CVE-2021-20225, CVE-2020-27779, CVE-2020-27749, CVE-2020-25647, CVE-2020-25632, CVE-2020-14372). Medium risk! Update to at least 2:2.06-1!
krb5 is affected by denial of service. (CVE-2021-37750). Medium risk!
lib32-libsndfile is affected by arbitrary code execution. (CVE-2021-3246). Medium risk!
libarchive is affected by arbitrary code execution. (CVE-2021-36976). Medium risk!
libde265 is affected by multiple issues. (CVE-2020-21606, CVE-2020-21605, CVE-2020-21604, CVE-2020-21603, CVE-2020-21602, CVE-2020-21601, CVE-2020-21600, CVE-2020-21599, CVE-2020-21598, CVE-2020-21597, CVE-2020-21596, CVE-2020-21595, CVE-2020-21594). Medium risk!
libgrss is affected by man-in-the-middle. (CVE-2016-20011). Medium risk!
libheif is affected by information disclosure. (CVE-2020-23109). Medium risk!
libsndfile is affected by arbitrary code execution. (CVE-2021-3246). Medium risk!
linux-lts is affected by multiple issues. (CVE-2021-43976, CVE-2021-4095, CVE-2021-4028, CVE-2021-4023, CVE-2021-3847, CVE-2021-3759, CVE-2021-3752, CVE-2021-3669, CVE-2021-30178, CVE-2021-29648). Medium risk!
ncurses is affected by arbitrary code execution. (CVE-2021-39537). Medium risk!
npm is affected by insufficient validation. (CVE-2021-43616). Medium risk!
openjpeg2 is affected by multiple issues. (CVE-2021-3575, CVE-2021-29338, CVE-2019-6988, CVE-2018-20846, CVE-2018-16376). Medium risk!
openvpn is affected by information disclosure. (CVE-2021-3773). Medium risk!
perl is affected by signature forgery, directory traversal. (CVE-2020-16156, CVE-2021-36770). Medium risk!
python-lxml is affected by cross-site scripting. (CVE-2021-43818). Medium risk!
python-pip is affected by silent downgrade. (CVE-2021-3572). Medium risk!
python-reportlab is affected by url request injection. (CVE-2020-28463). Medium risk!
qemu is affected by multiple issues. (CVE-2021-3947, CVE-2021-3930, CVE-2021-3750, CVE-2021-3748, CVE-2021-3735, CVE-2021-3713, CVE-2021-3638, CVE-2021-3611, CVE-2021-3507, CVE-2021-20255, CVE-2021-20203, CVE-2021-20196, CVE-2020-15859, CVE-2020-14394). Medium risk!
rsync is affected by arbitrary command execution. (CVE-2021-3755). Medium risk!
speex is affected by multiple issues. (CVE-2020-23904, CVE-2020-23903). Medium risk!
squashfs-tools is affected by directory traversal. (CVE-2021-41072). Medium risk!
wget is affected by information disclosure. (CVE-2021-31879). Medium risk!
wpa_supplicant is affected by multiple issues. (CVE-2021-30004, CVE-2021-27803, CVE-2021-0535). Medium risk!
xdg-utils is affected by information disclosure. (CVE-2020-27748). Medium risk!
audacity is affected by information disclosure. (CVE-2020-11867). Low risk!
avahi is affected by denial of service. (CVE-2021-3468). Low risk!
imagemagick is affected by denial of service. (CVE-2021-34183). Low risk!
kexec-tools is affected by information disclosure. (CVE-2021-20269). Low risk!
lua is affected by denial of service. (CVE-2021-43519). Low risk!
lua52 is affected by denial of service. (CVE-2021-43519). Low risk!
lua53 is affected by denial of service. (CVE-2021-43519). Low risk!
openssh is affected by information disclosure. (CVE-2016-20012). Low risk!
p7zip is affected by denial of service. (CVE-2021-3465). Low risk!
```

A full list can be found here: https://security.archlinux.org/

grub is a false positive as we don’t use epoch for that package. Same goes for linux-lts, which we don’t ship at all. Others we have to take a look at.

Some of the problems with Arch are:

  • to provide security updates, we can do that downstream; however, upstream will then still have the issue
  • we can’t simply provide and push updated packages to Arch directly, as for example PostmarketOS developers can do for Alpine Linux
  • to do anything for Arch as a packager, you first have to be a Trusted User, and maybe then you can get the rank of Arch packager

We have to see how we may improve our cooperation, as Manjaro wants to bring more beginners and noobs to Linux, which Arch might not have on their agenda. The best thing which could happen would be that Calamares and other graphical tools became part of Arch, and distros like us had direct access to Arch infrastructure to make Arch less hostile to new users. Maybe a pipedream …

Also, for the jdk8 problem there has been a fix posted since 24 October 2021, but there seems to be no interest yet in tackling it …

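As an added example (not code from this thread, from arch-audit or from Manjaro), the Python below parses lines in the `arch-audit -c` format quoted above and applies the epoch check behind the grub false positive: Arch's advisory names `2:2.06-1`, Manjaro ships `2.06-1` without the epoch, so a plain version comparison flags a package that already carries the fix. The sample lines and the simplified pacman-style version ordering are assumptions made for the example.

```python
import re
from collections import namedtuple

# Constructed sample in the "arch-audit -c" line format quoted in the thread.
SAMPLE = """\
grub is affected by multiple issues. (CVE-2021-20233, CVE-2021-20225). Medium risk! Update to at least 2:2.06-1!
jdk8-openjdk is affected by multiple issues. (CVE-2021-2388, CVE-2021-2369). High risk!
"""

LINE_RE = re.compile(
    r"^(?P<pkg>\S+) is affected by (?P<issue>.+?)\. \((?P<cves>CVE-[^)]+)\)\. "
    r"(?P<risk>Critical|High|Medium|Low) risk!(?: Update to at least (?P<fix>\S+)!)?$"
)
# fix is the "Update to at least" version, or None when arch-audit prints none.
Finding = namedtuple("Finding", "pkg issue cves risk fix")

def parse(output: str):
    """Turn arch-audit lines into Finding records; lines that do not match are skipped."""
    found = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Finding(m["pkg"], m["issue"], m["cves"].split(", "), m["risk"], m["fix"]))
    return found

def split_version(v: str):
    """'epoch:pkgver-pkgrel' -> (epoch, pkgver, pkgrel); a missing epoch counts as 0."""
    epoch, _, rest = v.rpartition(":")
    pkgver, _, pkgrel = rest.partition("-")
    return int(epoch or 0), pkgver, pkgrel or "0"

def version_key(v: str):
    """Sort key for pacman-style versions (simplified: numeric segments outrank alpha ones)."""
    epoch, ver, rel = split_version(v)
    def segs(s):
        return [(1, int(t)) if t.isdigit() else (0, t) for t in re.findall(r"\d+|[A-Za-z]+", s)]
    return (epoch, segs(ver), segs(rel))

def classify(f: Finding, installed: str, uses_epoch: bool = True) -> str:
    """'fixed', 'vulnerable', or 'epoch-false-positive' (downstream has the fix but no Arch epoch)."""
    if f.fix is None:
        return "vulnerable"          # advisory names no fixed version yet
    if version_key(installed) >= version_key(f.fix):
        return "fixed"
    if not uses_epoch:               # e.g. Manjaro's grub: compare without the epoch
        _, ver, rel = split_version(f.fix)
        if version_key(installed) >= version_key(f"{ver}-{rel}"):
            return "epoch-false-positive"
    return "vulnerable"
```

Feed it the real `arch-audit -c` output and the installed version from `pacman -Q <pkg>` to separate genuine findings from epoch mismatches before triaging.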

Well, I’m sure I’m going to get hate for this, but…but here goes:

If you want something more Arch-like, then go ahead and install Arch.

There, I said it. Now, I’ll sit back and watch the fallout.


[gets some popcorn]

Can I join you? I’m short of watching the Log4j dumpster fire as of late.

I don’t think I’ve enough popcorn, so if you’re OK with only a little you’re more than welcome!

Edit:

I’m assuming you meant sort of there…

Yeah. I didn’t major in English, although I am from Australia.

This is the same command as before, but from a Testing install.

```
binutils is affected by multiple issues, arbitrary code execution. (CVE-2021-3648, CVE-2021-3530, CVE-2021-20197, CVE-2021-3549). Medium risk!
bluez is affected by denial of service. (CVE-2021-41229). Medium risk!
flac is affected by information disclosure. (CVE-2021-0561). Medium risk!
giflib is affected by information disclosure. (CVE-2020-23922). Medium risk!
glibc is affected by multiple issues. (CVE-2021-43396, CVE-2021-35942, CVE-2021-33574, CVE-2021-27645). Medium risk!
grub is affected by multiple issues. (CVE-2021-20233, CVE-2021-20225, CVE-2020-27779, CVE-2020-27749, CVE-2020-25647, CVE-2020-25632, CVE-2020-14372). Medium risk! Update to at least 2:2.06-1!
intel-ucode is affected by information disclosure. (CVE-2020-24491). Medium risk!
krb5 is affected by denial of service. (CVE-2021-37750). Medium risk!
libarchive is affected by arbitrary code execution. (CVE-2021-36976). Medium risk!
libde265 is affected by multiple issues. (CVE-2020-21606, CVE-2020-21605, CVE-2020-21604, CVE-2020-21603, CVE-2020-21602, CVE-2020-21601, CVE-2020-21600, CVE-2020-21599, CVE-2020-21598, CVE-2020-21597, CVE-2020-21596, CVE-2020-21595, CVE-2020-21594). Medium risk!
libheif is affected by information disclosure. (CVE-2020-23109). Medium risk!
libsndfile is affected by arbitrary code execution. (CVE-2021-3246). Medium risk!
ncurses is affected by arbitrary code execution. (CVE-2021-39537). Medium risk!
openjpeg2 is affected by multiple issues. (CVE-2021-3575, CVE-2021-29338, CVE-2019-6988, CVE-2018-20846, CVE-2018-16376). Medium risk!
openvpn is affected by information disclosure. (CVE-2021-3773). Medium risk!
perl is affected by signature forgery, directory traversal. (CVE-2020-16156, CVE-2021-36770). Medium risk!
rsync is affected by arbitrary command execution. (CVE-2021-3755). Medium risk!
speex is affected by multiple issues. (CVE-2020-23904, CVE-2020-23903). Medium risk!
squashfs-tools is affected by directory traversal. (CVE-2021-41072). Medium risk!
wget is affected by information disclosure. (CVE-2021-31879). Medium risk!
wpa_supplicant is affected by multiple issues. (CVE-2021-30004, CVE-2021-27803, CVE-2021-0535). Medium risk!
xdg-utils is affected by information disclosure. (CVE-2020-27748). Medium risk!
avahi is affected by denial of service. (CVE-2021-3468). Low risk!
imagemagick is affected by denial of service. (CVE-2021-34183). Low risk!
openssh is affected by information disclosure. (CVE-2016-20012). Low risk!
p7zip is affected by denial of service. (CVE-2021-3465). Low risk!
```

Me neither. I just read. A.LOT.

South Africa here.