Forum Thread: Java JDK/JRE 1.5 not EOL

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Oracle Corporation
And, this specific program:
Oracle Java JRE 1.5.x / 5.x

This thread has been marked as locked.
tom_1st Java JDK/JRE 1.5 not EOL
Member 23rd Jun, 2010 09:52
Ranking: 12
Posts: 24
User Since: 23rd Jun, 2010
System Score: N/A
Location: DE
PSI tells me that my Java 1.5 is outdated.
This is probably due to:
http://java.sun.com/javase/downloads/index_jdk5.js...

This is true for version 1.5.0_22 which was the last publicly available version.

I am however using version 1.5.0_24 which is still activly maintained and supported by Sun. (SAP is paying SUN to do so.)
So why is PSI reporting that version as outdated?

Thanks
ToM

gjjean RE: Java JDK/JRE 1.5 not EOL
Contributor 23rd Jun, 2010 10:54
Score: 192
Posts: 197
User Since: 9th Apr 2010
System Score: N/A
Location: LB


--
HP pavilion DV6
Win 7 64bit - SP1
IE10 + MSSE4.3.215
Was this reply relevant?
+2
-1
tom_1st RE: Java JDK/JRE 1.5 not EOL
Member 23rd Jun, 2010 11:49
Score: 12
Posts: 24
User Since: 23rd Jun 2010
System Score: N/A
Location: DE
Last edited on 23rd Jun, 2010 11:50
Hi,

thanks for your reply but it didn't help much, since it was not a standard question about an old java version.

Secunia reports java 1.5 as outdated because normally it is not supported anymore. Sun calls this EOL (End-of-Life), and the last version was 1.5.0_22, which PSI correctly reports as outdated.

However Java Version 1.5.0_24 is not outdated since Sun activly maintains it (for business customers) and PSI also reports this version as outdated which it is not.

Current PSI behavior (which is partly wrong in my opinion):
Java Version <= 1.3.1_25 -> outdated
Java Version <= 1.4.2_26 -> outdated
Java Version <= 1.5.0_24 -> outdated
Java Version <= 1.6.0_19 -> outdated
Java Version == 1.6.0_20 -> valid

How it should be:
Java Version <= 1.3.1_25 -> outdated (since EOL)
Java Version <= 1.4.2_25 -> outdated (since EOL)
Java Version == 1.4.2_26 -> valid (since not EOL!)
Java Version <= 1.5.0_23 -> outdated
Java Version <= 1.5.0_24 -> valid (since not EOL!)
Java Version <= 1.6.0_19 -> outdated
Java Version == 1.6.0_20 -> valid

-> Thus a version is outdated when it is not supported anymore (EOL) and not when a newer "line" (e.g. 1.6 vs. 1.5 or 1.4) is available.

Regards,
ToM
Was this reply relevant?
+1
-0
This user no longer exists RE: Java JDK/JRE 1.5 not EOL
Member 23rd Jun, 2010 12:03
Hi,

While Orcacle does offer extended support (As you said, for a fee) the 1.5.x series is officially End-Of-Life. Please see the notice here:
http://java.sun.com/j2se/1.5/

Since our rules cover policy for all customers, PSI or CSI, 1.5.x will remain end-of-life, as this is it's official status. Those from whom special exceptions have been made should decide for themself what they feel is the best action.

hope this helps.
Was this reply relevant?
+0
-0
tom_1st RE: Java JDK/JRE 1.5 not EOL
Member 23rd Jun, 2010 13:42
Score: 12
Posts: 24
User Since: 23rd Jun 2010
System Score: N/A
Location: DE
Hi,

thanks for your reply. I see it slightly different:
http://java.sun.com/products/archive/eol.policy.ht...

The standard version is EOL'd but the business version not. (And since everybody can download the business version for free everybody has the chance to use that version.)

I understand your argument that your policy covers all your products and customers but where is the problem when PSI differentiates the versions used?

- "standard" users who (at maximum) have 1.5.0_22 get the outdated message anyway and then install a newer (e.g. 1.6) version - so there is no problem.

- "business" users who have the up-to-date 1.5.0_24 version don't get a 'outdated' message

I checked PSI again and realized that java 1.4.2_26 is not reported as outdated -> thus the behaviour is correct (and i can update my initial list):

Java Version - PSI Message - PSI State
-------------------------------------------------- ---
<= 1.4.2_25 - outdated - ok
== 1.4.2_26 - valid - ok
<= 1.5.0_23 - outdated - ok
== 1.5.0_24 - outdated - not ok
<= 1.6.0_19 - outdated - ok
== 1.6.0_20 - valid - ok

So basically what i ask is to differentiate and not generally outdate a version (as it is done for e.g. java 1.4.2).

Thanks,
ToM
Was this reply relevant?
+1
-0
This user no longer exists RE: Java JDK/JRE 1.5 not EOL
Secunia Official 23rd Jun, 2010 15:00
Hi

Could I ask you to make a software suggestion on the java 1.5 file that is incorrectly flagged as EOL?
tom_1st RE: Java JDK/JRE 1.5 not EOL
Member 23rd Jun, 2010 15:10
Score: 12
Posts: 24
User Since: 23rd Jun 2010
System Score: N/A
Location: DE
Certainly!

Do you mean inside PSI with the following link:

Program missing? Suggest it here!

Regards,
ToM
Was this reply relevant?
+0
-0
This user no longer exists RE: Java JDK/JRE 1.5 not EOL
Secunia Official 23rd Jun, 2010 15:26
Yes, that's what we need
tom_1st RE: Java JDK/JRE 1.5 not EOL
Member 23rd Jun, 2010 15:31
Score: 12
Posts: 24
User Since: 23rd Jun 2010
System Score: N/A
Location: DE
ok just sent it.

By the way PSI knows about JRE's but doesn't seem to care about JDK's.

Thanks,
ToM
Was this reply relevant?
+0
-0
This user no longer exists RE: Java JDK/JRE 1.5 not EOL
Secunia Official 23rd Jun, 2010 15:45
Thank you for the suggestion, I'll take a look at it.

You are welcome to suggest any software the PSI does not detect.

Just keep in mind that Secunia does not support :

- Beta version
- Installers


Giving us as much information as possible will increase the chance of we can add the software.

Please note that many files does not have any file information and are then useless for detection.

(the 1.4.0._26 java.exe is one example)
tom_1st RE: Java JDK/JRE 1.5 not EOL
Member 23rd Jun, 2010 16:08
Score: 12
Posts: 24
User Since: 23rd Jun 2010
System Score: N/A
Location: DE
on 23rd Jun, 2010 15:45, wrote:
Thank you for the suggestion, I'll take a look at it.

You are welcome :-)

on 23rd Jun, 2010 15:45, wrote:

Giving us as much information as possible will increase the chance of we can add the software.

This is difficult because in the 'Suggest Program' dialog there is no field like description or comment. Probably you should think about one more field where a user can supply more information or comment on a software...

on 23rd Jun, 2010 15:45, wrote:

Please note that many files does not have any file information and are then useless for detection. (the 1.4.0._26 java.exe is one example)


Ah ok didn't know that - then that is Sun's/Oracle's bad programming ;-) But i am curious how do you do it with JRE 1.4? Because i remember that PSI was complaining about it...?

Thanks
ToM
Was this reply relevant?
+0
-0
This user no longer exists RE: Java JDK/JRE 1.5 not EOL
Secunia Official 24th Jun, 2010 09:20
It happens that vendors forget to fill out the file information in a file in a specific version, that might be why your java.exe was empty and the one we have in our database is not.

I've added the "description field" suggestion to our "improvements" list.

I'm afraid I can't add a business version of Java 1.5.x to the database.
Due to the fact that it's a "custom" program that is not available to normal users
(unless they paid, which normal users most likely won't), we won't remove the EOL status from Sun Java 1.5.x

You can choose to make a ignore rules in the PSI since you still receive patches under these certain circumstances.


This thread has been marked as locked.