Can't Manjaro outperform Arch and provide updates for high-risk packages?

Well, I’m sure I’m going to get hate for this, but…but here goes:

If you want something more Arch-like, then go ahead and install Arch.

There, I said it. Now, I’ll sit back and watch the fallout.


[gets some popcorn]

Can I join you? I’m short of watching the Log4j dumpster fire as of late.

I don’t think I’ve enough popcorn, so if you’re OK with only a little you’re more than welcome!

Edit:

I’m assuming you meant sort of there…

Yeah. I didn’t major in English. Although I am from Australia.

This is the same command as before, but from a Testing install.

binutils is affected by multiple issues, arbitrary code execution. (CVE-2021-3648, CVE-2021-3530, CVE-2021-20197, CVE-2021-3549). Medium risk!
bluez is affected by denial of service. (CVE-2021-41229). Medium risk!
flac is affected by information disclosure. (CVE-2021-0561). Medium risk!
giflib is affected by information disclosure. (CVE-2020-23922). Medium risk!
glibc is affected by multiple issues. (CVE-2021-43396, CVE-2021-35942, CVE-2021-33574, CVE-2021-27645). Medium risk!
grub is affected by multiple issues. (CVE-2021-20233, CVE-2021-20225, CVE-2020-27779, CVE-2020-27749, CVE-2020-25647, CVE-2020-25632, CVE-2020-14372). Medium risk! Update to at least 2:2.06-1!
intel-ucode is affected by information disclosure. (CVE-2020-24491). Medium risk!
krb5 is affected by denial of service. (CVE-2021-37750). Medium risk!
libarchive is affected by arbitrary code execution. (CVE-2021-36976). Medium risk!
libde265 is affected by multiple issues. (CVE-2020-21606, CVE-2020-21605, CVE-2020-21604, CVE-2020-21603, CVE-2020-21602, CVE-2020-21601, CVE-2020-21600, CVE-2020-21599, CVE-2020-21598, CVE-2020-21597, CVE-2020-21596, CVE-2020-21595, CVE-2020-21594). Medium risk!
libheif is affected by information disclosure. (CVE-2020-23109). Medium risk!
libsndfile is affected by arbitrary code execution. (CVE-2021-3246). Medium risk!
ncurses is affected by arbitrary code execution. (CVE-2021-39537). Medium risk!
openjpeg2 is affected by multiple issues. (CVE-2021-3575, CVE-2021-29338, CVE-2019-6988, CVE-2018-20846, CVE-2018-16376). Medium risk!
openvpn is affected by information disclosure. (CVE-2021-3773). Medium risk!
perl is affected by signature forgery, directory traversal. (CVE-2020-16156, CVE-2021-36770). Medium risk!
rsync is affected by arbitrary command execution. (CVE-2021-3755). Medium risk!
speex is affected by multiple issues. (CVE-2020-23904, CVE-2020-23903). Medium risk!
squashfs-tools is affected by directory traversal. (CVE-2021-41072). Medium risk!
wget is affected by information disclosure. (CVE-2021-31879). Medium risk!
wpa_supplicant is affected by multiple issues. (CVE-2021-30004, CVE-2021-27803, CVE-2021-0535). Medium risk!
xdg-utils is affected by information disclosure. (CVE-2020-27748). Medium risk!
avahi is affected by denial of service. (CVE-2021-3468). Low risk!
imagemagick is affected by denial of service. (CVE-2021-34183). Low risk!
openssh is affected by information disclosure. (CVE-2016-20012). Low risk!
p7zip is affected by denial of service. (CVE-2021-3465). Low risk!
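To triage a report like the one above (which packages have a named fixed version, how many distinct CVEs, how many packages per risk level), here is an added example, not from the post or from arch-audit itself; it assumes the one-line-per-package format shown above and works on a constructed sample copied from this thread rather than reading a live system:

```shell
#!/bin/sh
# Added example: summarise arch-audit style output by risk level.
# Assumed input format (one package per line), as in the thread above:
#   <pkg> is affected by <issue>. (CVE-..., CVE-...). <Risk> risk! [Update to at least <ver>!]

# Constructed sample, copied from the lines posted in the thread.
SAMPLE='grub is affected by multiple issues. (CVE-2021-20233, CVE-2021-20225). Medium risk! Update to at least 2:2.06-1!
rsync is affected by arbitrary command execution. (CVE-2021-3755). Medium risk!
openssh is affected by information disclosure. (CVE-2016-20012). Low risk!
p7zip is affected by denial of service. (CVE-2021-3465). Low risk!'

# count_risk LEVEL : number of packages reported at that risk level (High/Medium/Low)
count_risk() {
    printf '%s\n' "$SAMPLE" | grep -c " ${1} risk!" || true
}

# count_cves : total number of distinct CVE ids across all lines
count_cves() {
    printf '%s\n' "$SAMPLE" | grep -o 'CVE-[0-9]*-[0-9]*' | sort -u | wc -l | tr -d ' '
}

# cves_per_pkg : "<pkg> <number of CVEs>" per line, in input order
cves_per_pkg() {
    printf '%s\n' "$SAMPLE" | awk '{ n = gsub(/CVE-[0-9]+-[0-9]+/, "&"); print $1, n }'
}

# fixable : packages for which the report names a fixed version, as "<pkg> <ver>"
fixable() {
    printf '%s\n' "$SAMPLE" | awk '
        /Update to at least/ {
            sub(/!$/, "", $NF)      # strip the trailing "!" from the version
            print $1, $NF
        }'
}

# Stand-alone usage: print the summary.
echo "medium: $(count_risk Medium), low: $(count_risk Low), distinct CVEs: $(count_cves)"
echo "packages with a named fixed version:"
fixable
```

Pipe real `arch-audit` output into the functions instead of `SAMPLE` to run this on a live system.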

Me neither. I just read. A.LOT.

South Africa here.

Well, Manjaro adds 2 extra layers on top of Arch. So Arch reports security issues, fixes some of them and, depending on the risk, Manjaro is recompiling them as needed / if possible to other branches like testing and stable.

Pulling them only from Arch into our unstable branch only fixes the issues there.

If there is any fix it needs to be verified by someone. So security experts are needed. Canonical employs those in a team. Arch has only a team of volunteers, which may delay things. Arch is also a do-it-yourself distribution. So in the end you’re the admin of your system.

We have to see how this can be improved.


No offence, but your problem is expecting everything from once-prime projects that now sport the open* moniker, abandoned after mergers by companies that were least bothered to keep the open part of it. The paid, closed-source Oracle version is the only one with proper housekeeping.

And before saying this and that distro should be like that, please do your research to find where it is at now with the others. Of the rolling distros I know, only Alpine, Gentoo and Solus have managed to update to something at least close to the supposedly latest, with most of them beta.

https://repology.org/project/openjdk/versions


There is no specific Java release for a specific Linux distro; each update is released for any 64-bit Linux distro.

I fail to see your problem. If you have your desired binaries for any distro, what’s keeping you from using them, and expecting the distro to deliver it?

It’s hard to keep up with manual updates for many machines, especially hot security updates that fix high-risk bugs, while the distro is keeping an old version of it.

Java is more or less an optional dependency and can be removed from your system. On my end it would look like this:

[phil@development community]$ export LANG=C
[phil@development community]$ pacman -Qi jdk8-openjdk
Name            : jdk8-openjdk
Version         : 8.u292-1
Description     : OpenJDK Java 8 development kit
Architecture    : x86_64
URL             : https://openjdk.java.net/
Licenses        : custom
Groups          : None
Provides        : java-environment=8  java-environment-openjdk=8
Depends On      : java-environment-common  jre8-openjdk=8.u292-1
Optional Deps   : None
Required By     : None
Optional For    : libreoffice-fresh  subversion
Conflicts With  : None
Replaces        : jdk8-openjdk-wm
Installed Size  : 38,32 MiB
Packager        : Allan McRae <allan@archlinux.org>
Build Date      : Sa 24 Apr 2021 03:44:11 CEST
Install Date    : Sa 24 Apr 2021 09:21:01 CEST
Install Reason  : Explicitly installed
Install Script  : Yes
Validated By    : Signature

Since it was explicitly installed we have to check why …


Removing a package because the distro doesn’t provide the suitable hot updates is not the solution; that package is still used by many heavy business apps that require it to run.

That can be true, but a regular user might not need JDK8 preinstalled, which is just true for our XFCE install. So removing it or changing it to JDK17 is recommended.

Some apps like Steam may need openssl-1.0, which has been out of support for years. This task shows again that the wider community made the extra effort to provide the needed PKGBUILD changes, based on the work of Canonical and others, to backport fixes as needed, even when those are only available for premium users. To me it seems that the maintainer of the package might either update or not.

Seems people who still use those libs are at least able to fix it, if they apply the patches themselves …


I’m sorry, what sort of environment with multiple boxes are you talking about?

In case yours is alike, you’ve made wrong choices all over. Anyone with a remote possibility of running a semi- or production-level environment will not choose:

  • Manjaro unstable (or even stable) updated by a user to get the latest security patches; this applies not just to OpenJDK but to any package, for stability’s sake.
  • Expecting the latest hot fixes from overburdened/underfunded OSS teams is a big security lapse by whoever is making security decisions at your place. Don’t get me wrong, there are orgs like the Apache Foundation which are reasonably funded by IBM, but Manjaro/Arch/OpenJDK are not.

I’m no security expert, but I wouldn’t expect anything short of an enterprise-grade host solution with support, with Oracle JDK, to meet your expectations.

over and out

PSSST: B.T.W.: There’s no such thing. It’s just “out.”

It’s just a small number of machines where a JavaFX app using JRE8 needs to be installed. It’s impossible to run it on JRE11 or 17 because it uses many libraries that rely on JRE8. I was using Ubuntu for that, so I’m trying to test the possibility with Manjaro because I have been using it for over two years on my personal laptop, so I thought it would work and pull the latest upgrades without any problem, and I anticipated it to work better than Ubuntu in that matter. But I’m blocked now because all machines are connected to the internet and the risk of running an unpatched JRE8 is high. There is no need for paid support because now even Oracle JDK is provided free to all users, and OpenJDK is leading Java development and is funded by many big companies.

@medmedin Apparently you didn’t follow the instructions before filing your Arch bug report:

Please read this before reporting a bug:
Bug reporting guidelines - ArchWiki

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the ‘flag out of date’ link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

I’m sure the maintainer is already aware, but you did not provide any details about the security risks. The report will most likely be closed.


I don’t have the full list of all security risks that were patched in u302 and u312, but I updated the bug report with some of them:

CVE-2021-2341 (Low)
CVE-2021-2369 (Medium)
CVE-2021-2388 (High)
CVE-2021-35550 (Medium)
CVE-2021-35556 (Medium)
CVE-2021-35559 (Medium)
CVE-2021-35561 (Medium)
CVE-2021-35564 (Medium)
CVE-2021-35565 (Medium)
CVE-2021-35567 (Medium)
CVE-2021-35578 (Medium)
CVE-2021-35586 (Medium)
CVE-2021-35588 (Low)
CVE-2021-35603 (Low)

And it is now updated in Arch.

https://archlinux.org/packages/?q=jdk8-openjdk

It took less time for the new version to be updated than all the previous replies here in this thread.


That is one way to look at it, I guess.

Another one might be: It took almost 5 months since it was flagged out of date even though there were open security issues with the packaged older version.
