Hi folks,

On http://imagej.nih.gov/ij/download.html the downloads with a bundled JVM are distributing a 1.6 JVM, rather than a current stable release.

As mentioned on http://www.oracle.com/technetwork/java/eol-135779.html support ended in February *2013*. It no longer has any security updates, and after nearly two years of being unpatched, and given the number of Java vulnerabilities, it's not particularly prudent or safe to continue to use it; publicly distributing it and encouraging its continued use is putting all your users at risk. Even Java 7 is getting old now; it's been out for over three and a half years.

Is there a plan to move to Java 7 (or 8) in the near future, at least in terms of providing a supported and secure version of Java which will at least have security updates?

Does the ImageJ Updater also update the JVM for installations with an embedded copy? If not, it might be something to consider, rather than leave users with an insecure and vulnerable version.

Java 7 is available for the currently supported versions of all platforms ImageJ can run on (as is Java 8).

Thanks,
Roger

--
Dr Roger Leigh -- Open Microscopy Environment
Wellcome Trust Centre for Gene Regulation and Expression,
College of Life Sciences, University of Dundee, Dow Street,
Dundee DD1 5EH Scotland UK Tel: (01382) 386364

The University of Dundee is a registered Scottish Charity, No: SC015096

--
ImageJ mailing list: http://imagej.nih.gov/ij/list.html

Hi Roger,

Just wanted to add that there was some discussion of this last month. See
https://groups.google.com/forum/#!searchin/fiji-devel/java$207/fiji-devel/mIN1X14VtYU/f-s6QeBVANwJ

Best,
Mark

On Sun, Jan 11, 2015 at 8:55 AM, Roger Leigh <[hidden email]> wrote:

> Hi folks,
>
> On http://imagej.nih.gov/ij/download.html the downloads with a bundled
> JVM are distributing a 1.6 JVM, rather than a current stable release.
>
> As mentioned on http://www.oracle.com/technetwork/java/eol-135779.html
> support ended in February *2013*. It no longer has any security
> updates, and after nearly two years of being unpatched, and given the
> number of Java vulnerabilities, it's not particularly prudent or safe to
> continue to use it; publicly distributing it and encouraging its
> continued use is putting all your users at risk. Even Java 7 is getting
> old now; it's been out for over three and a half years.
>
> Is there a plan to move to Java 7 (or 8) in the near future, at least in
> terms of providing a supported and secure version of Java which will at
> least have security updates?
>
> Does the ImageJ Updater also update the JVM for installations with an
> embedded copy? If not, it might be something to consider, rather than
> leave users with an insecure and vulnerable version.
>
> Java 7 is available for the currently supported versions of all
> platforms ImageJ can run on (as is Java 8).
>
> Thanks,
> Roger
>
> --
> Dr Roger Leigh -- Open Microscopy Environment
> Wellcome Trust Centre for Gene Regulation and Expression,
> College of Life Sciences, University of Dundee, Dow Street,
> Dundee DD1 5EH Scotland UK Tel: (01382) 386364
>
> The University of Dundee is a registered Scottish Charity, No: SC015096
>
> --
> ImageJ mailing list: http://imagej.nih.gov/ij/list.html

In reply to this post by Roger Leigh
Hi Roger,

> given the number of Java vulnerabilities, it's not particularly
> prudent or safe to continue to use it; publicly distributing it and
> encouraging its continued use is putting all your users at risk.

The Java runtime distributed with some bundles of Fiji is used only by ImageJ; it is not a system-wide Java installation. In particular, it is not available to web browsers for executing Java content over the web, so I believe the security vulnerabilities in question are rather moot.

Can you outline a scenario where having an outdated Java 6 inside an ImageJ application folder causes a concrete security issue?

> Is there a plan to move to Java 7 (or 8) in the near future, at least
> in terms of providing a supported and secure version of Java which
> will at least have security updates?

As Mark pointed out, there was a recent discussion on fiji-devel about updating ImageJ2 to require Java 7 or later:

https://groups.google.com/d/msg/fiji-devel/mIN1X14VtYU/2PpShOtd4KkJ

It would be a substantial effort though, with disruptive implications for some users, and it seems that no one has time to do the work in the near term.

One easier thing to do would be to update the Windows- and Linux-based Fiji distributions to bundle a Java 7 or Java 8 runtime instead of Java 6. There is a serious image rendering performance problem with Java 7 & 8 on OS X [1], but I do not believe Windows or Linux is affected.

In the meantime, users can of course delete the embedded JRE from their Fiji installation, and the ImageJ launcher will then use the system Java instead.

> Does the ImageJ Updater also update the JVM for installations with an
> embedded copy?

No, and it would probably be very tricky to implement without breaking backwards compatibility. That said, if a motivated party is willing to tackle that feature, it would be a welcome addition.

Regards,
Curtis

[1] http://fiji.sc/bugzilla/show_bug.cgi?id=965

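Added example, not part of the thread and not ImageJ or Fiji code: a Python audit that finds Java runtimes bundled inside an application folder, the situation discussed above, and reads each one's version from the `rt.jar` manifest without executing it. It assumes Java 8 or earlier (later releases ship no `rt.jar`); the folder names in the sample tree and the `MIN_SUPPORTED_MAJOR` threshold are constructed for illustration.

```python
import os
import re
import tempfile
import zipfile

# Assumption: policy threshold. The thread only establishes that Java 6 is past end of life.
MIN_SUPPORTED_MAJOR = 7

def jre_version(rt_jar):
    """Return Implementation-Version from rt.jar's manifest, or None if unreadable."""
    try:
        with zipfile.ZipFile(rt_jar) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (OSError, KeyError, zipfile.BadZipFile):
        return None
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return match.group(1) if match else None

def major_of(version):
    """Map '1.6.0_24' to 6 and '1.8.0_66' to 8 (legacy 1.x numbering)."""
    parts = re.split(r"[._]", version)
    try:
        return int(parts[1]) if parts[0] == "1" else int(parts[0])
    except (IndexError, ValueError):
        return None

def find_bundled_jres(app_dir):
    """Walk app_dir and return sorted (jre_home, version, outdated) tuples."""
    found = []
    for root, _dirs, files in os.walk(app_dir):
        if os.path.basename(root) == "lib" and "rt.jar" in files:
            version = jre_version(os.path.join(root, "rt.jar"))
            major = major_of(version) if version else None
            # Fail closed: an unreadable or unparsable version counts as outdated.
            outdated = major is None or major < MIN_SUPPORTED_MAJOR
            found.append((os.path.dirname(root), version, outdated))
    return sorted(found)

def build_sample_tree(base):
    """Constructed sample: two fake JRE folders holding manifest-only rt.jar files."""
    for name, ver in (("jdk1.6.0_24", "1.6.0_24"), ("jdk1.8.0_66", "1.8.0_66")):
        lib = os.path.join(base, "java", name, "jre", "lib")
        os.makedirs(lib)
        with zipfile.ZipFile(os.path.join(lib, "rt.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Implementation-Version: %s\r\n" % ver)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for home, version, outdated in find_bundled_jres(build_sample_tree(tmp)):
            print(home, version, "OUTDATED" if outdated else "ok")
```

Point `find_bundled_jres` at a real application folder to inventory embedded runtimes that a system-wide Java update would never touch.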