End of security support OpenJDK 8 for Bionic U18.04

Asked by jérémy HAURAY on 2020-11-17

Hello,

My question is about OpenJDK 8 end of security updates for Ubuntu 18.04.

A post on Ubuntu blog, about OpenJDK11 was giving somes informations about security updates for OpenJDK 8 (https://ubuntu.com/blog/announcing-openjdk-11-packages-in-ubuntu-18-04-lts) : Security updates for OpenJDK 8 will be provided until April 2021 for both Ubuntu 16.04 LTS and 18.04 LTS.

But I am not sure to understand well : Which security updates are ending in april 2021 ? Canonical support or Community support ?

OpenJDK 8 package is now in "universe" repository. So under community support. That's right ?

Do you know how long OpenJDK 8 package for Ubuntu 18.04 will receive community security patches ?

Thanks for your great job!

Best regards,

Jérémy HAURAY

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu openjdk-8 Edit question
Assignee:
No assignee Edit question
Solved by:
Bernard Stafford
Solved:
2020-11-19
Last query:
2020-11-19
Last reply:
2020-11-19

This question was reopened

All packages will cease to be available in April 2021 for Xenial as it was released in April 2016 and has 5 years support. I don't know about OpenJDK. Maybe others can advise there

Bernard Stafford (bernard010) said : #2

Open JDK 8 - April 2021 It is being replaced by Open JDK 11 which now is the default Java program.
Open JDK 8 has many vulnerabilities and is being replaced. [Memory exhaustion, Remote denial of service attack, Remote trusted network attacks, Etc.]
For Ubuntu its self [As correctly stated above]

jérémy HAURAY (jhauray) said : #3

Hello,

Thanks for your reply.

OK. So, if I understand well, Ubuntu policy is to support one OpenJDK version.

That's why "openjdk-8" package for Ubuntu will not be longer updated after april 2021. Although the openjdk community continues to provide source security updates upstream.

that's right ?

Thanks by advance and stay safe.

Best Bernard Stafford (bernard010) said : #4

Open JDK 11 is the supported version by Ubuntu...
There is no fix for all of the vulnerabilities on JDK 8...
The New Default Java for Ubuntu is JDK 11...
----------------------------------------------------------------------
Ubuntu 16.04 will no longer be a supported Operating System as of April 2021...
Ubuntu 18.04 will no longer be a supported Operating System as of April 2023...

jérémy HAURAY (jhauray) said : #5

Thanks Bernard Stafford, that solved my question.

Bernard Stafford (bernard010) said : #6

You are very welcome.
Bernard

Manfred Hampl (m-hampl) said : #7

A small addition that most probably does not change any conclusion:

see https://wiki.ubuntu.com/Releases

In April 2021 Ubuntu 16.04 will go into ESM status until April 2024
In April 2023 Ubuntu 18.04 will go into ESM status until April 2028

ESM = Extended Security Maintenance https://ubuntu.com/security/esm
A (paid) contract providing security maintenance to a wide range of binary packages that are commonly used in cloud and server workloads on 64-bit x86 AMD/Intel architectures.

At least for Ubuntu 14.04 there is the statement that OpenJDK is not included, see https://wiki.ubuntu.com/SecurityTeam/ESM/14.04
Details for the coverage of Ubuntu 16.04 ESM have not yet been published, but it is likely that OpenJDK is also not covered for 16.04 and later, because it is already in the universe repository.