CEMPD / VERDI

This is the repo for the VERDI project, written in java.
GNU General Public License v3.0

High Priority: Update Java in VERDI to Java SE 17.0.8 or greater #330

Closed jherwehe closed 7 months ago

jherwehe commented 9 months ago

Describe the bug

High Priority: A Java security vulnerability has been identified in VERDI by ORD/OSIM via a NESSUS scan on my Linux workstation. They have told me that Java should be updated to Java SE 17.0.8 or greater, or I need to delete VERDI from my workstation. Here is the Java version in the recent 20231013 build of VERDI 2.1.4:

[jherwehe@d2626ut7920g ~/verdi/VERDI_2.1.4.20231013/jre/bin]$ ./java --version
java 17.0.2 2022-01-18 LTS
Java(TM) SE Runtime Environment (build 17.0.2+8-LTS-86)
Java HotSpot(TM) 64-Bit Server VM (build 17.0.2+8-LTS-86, mixed mode, sharing

This Java update needs to be completed before releasing VERDI 2.1.5.

To Reproduce

Steps to reproduce the above Java version report:

  1. Go to the ./jre/bin directory under any installed version of VERDI.
  2. Type './java --version' to see the above Java version output.

lizadams commented 9 months ago

These release notes indicate that 17.09 is the baseline security version https://www.oracle.com/java/technologies/javase/21all-relnotes.html

So we are updating to a version within SDK17 - should we be considering an upgrade to SDK21? https://www.oracle.com/java/technologies/downloads/#java17

https://jdk.java.net/21/

I will need to test the security update version on the Mac, and then also upgrade the release notes.

yadongxuEPA commented 9 months ago

Thanks for providing the links, Liz. I would choose 17.0.9 over 17.0.8, but not sure if updating to SDK21 over SDK17 will involve additional work.
Tony, please let us know your thoughts on these?

dkang2 commented 9 months ago

If not too much burden, it would be nice to upgrade to SDK21 over SDK17; it seems that we have been lagging behind for a few versions?

Daiwen

yadongxuEPA commented 8 months ago

Java has been updated in 20231222 builds.

dkang2 commented 8 months ago

Confirmed.

lizadams commented 8 months ago

Using VERDI_2.1.5_mac_20240103.tar.gz
Confirmed that I am seeing the same Java version on the Mac.

cd VERDI_2.1.5/jre/Contents/Home/bin
./java --version
java 21.0.1 2023-10-17 LTS
Java(TM) SE Runtime Environment (build 21.0.1+12-LTS-29)
Java HotSpot(TM) 64-Bit Server VM (build 21.0.1+12-LTS-29, mixed mode, sharing)
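
The manual `./java --version` check used throughout this thread can be scripted so a build is rejected when its bundled JRE falls below the required floor. This is an added example, not code from the VERDI repository; the 17.0.8 floor comes from the issue text, while the script name `check_jre.sh` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the VERDI repository.
# Floor taken from the issue text; adjust when the baseline moves.
MIN_VERSION="17.0.8"

# Print the dotted version from the first line of `java --version` output
# (stdin), e.g. "java 17.0.2 2022-01-18 LTS" -> "17.0.2".
parse_java_version() {
    sed -n '1s/^[A-Za-z]* \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeed when A >= B, comparing dot-separated fields
# numerically; missing fields count as 0, so "21" >= "17.0.8".
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check_version_output: read `java --version` output on stdin.
# Returns 0 = meets floor, 1 = older than floor, 2 = version not recognised.
check_version_output() {
    v=$(parse_java_version)
    if [ -z "$v" ]; then return 2; fi
    if version_ge "$v" "$MIN_VERSION"; then return 0; fi
    return 1
}

# Usage (path is an assumption): sh check_jre.sh ./jre/bin/java
if [ "$#" -ge 1 ]; then
    "$1" --version 2>&1 | check_version_output
    rc=$?
    case $rc in
        0) echo "OK: bundled Java meets $MIN_VERSION" ;;
        1) echo "FAIL: bundled Java is older than $MIN_VERSION" ;;
        *) echo "FAIL: could not parse Java version" ;;
    esac
    exit "$rc"
fi
```

On macOS builds the binary sits under `jre/Contents/Home/bin/java`, so pass that path instead.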