JRE older installs - Windows - now online - no need for Oracle account

As I stated in a different thread, to get the older version of Java Runtime Engine, you have to sign up for an Oracle users account - with a valid email address for verification.

For you Windows users, I have now posted a few of those earlier JREs online.

At the bottom of the "default English" install page for the NA-DVD, I have listed 6u20 through 6u23. Tom stated that 6u23 was a slow version, so I decided to give you a choice. He told me he uses 6u21 and it works well for him.

http://libreoffice-na.us/English/install.html

For the direct links, use the following:

http://libreoffice-na.us/English/jre/jre-6u23-windows-i586.exe

http://libreoffice-na.us/English/jre/jre-6u22-windows-i586.exe

http://libreoffice-na.us/English/jre/jre-6u21-windows-i586.exe

http://libreoffice-na.us/English/jre/jre-6u20-windows-i586.exe

My Ubuntu 10.04 system uses OpenJDK, but their site is still down. If it ever comes back up, I will see about downloading their version of the JRE and adding them to my LibreOffice-NA.US domain, just in case they go down again.


I see no speed differences in the JRE 6 flavours.

Please explain why you are promoting these older vulnerable and exploitable versions of
JRE instead of the latest in the JRE 6 family, update 27.
Since this is installed into the OS, not exclusive to a given application, it leaves the
end-user open to the vulnerability/exploitation vector.

Hi Dave,


There is a speed difference for the different JRE's if you're using
the BASE component from LibreOffice.

So, since it is possible, to have several JRE's installed in one OS,
the "recommendation" is to use the latest JRE for everything except
LibreOffice. Does this make sense?

Sigrid

Hi :)
Yes, those are the crucial points.
1. It's mostly only Base that is affected by which version of java you are
using. If you don't use Base you might even be able to stop LibreOffice from
trying to use java at all!
Tools - Options - LibreOffice - Java
and un-tick the tick-box at the top. If you can do that then you might find
LibreOffice opens significantly faster.

2. You can have more than one version of java on your machine. Most apps will
try to use the newest version but you can force LibreOffice to choose one that
works better for LibreOffice
Tools - Options - LibreOffice - Java
So your web-browser can be nice and safe.

3. I think the exploits would only work if contained inside a document that you
opened using LibreOffice? ie after various anti-virus programs had nosed
around.

4. Dependence on java is being slowly written out of LibreOffice to avoid this
problem in the future although it's probably going to take a long time to remove
it from Base completely! I think people are being steered away from Base
back-ends that might depend on java.

Regards from
Tom :)


OK, but it still leaves the end-user open to the vulnerability/exploitation vector.

I have analyzed obfuscated Javascripts and viewed deobfuscated Javascripts that use a
laundry list of vulnerabilities and software versions in the vulnerability/exploitation
attack vector.

I wonder how much of a speed degradation is realized and is that worth the increased risk.


In reference to #3, that is a faux conclusion.

JRE is installed into the OS and LO takes advantage of it in contrast to an application
that includes JRE and uses it privately.

Take Adobe Acrobat Professional v9.x as an example.
It installs a private version of JRE that is used by Adobe Life Cycle Designer.
C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre\bin
Which is; 1.5.0_11-b03 (version 5 update 11)

That is in contrast to the JRE distribution which is installed into the OS as a shared
Java resource.
C:\Program Files\Java\jre6
C:\Program Files\Java\jre7

Thus it is available to Internet Browsers such as IE and Firefox and all one has to do is
visit a web site that hosts malicious code that seeks out vulnerable versions of Oracle
Java and subsequently exploit it.

You wrote in #2...
"Tools - Options - LibreOffice - Java...So your web-browser can be nice and safe. "

Selecting which JRE to use in LO is exclusive to what the Internet Browser ultimately
uses.


One more note...
I hope the Foundation has secured permission from Oracle to host "their" software because
if it is not secured then it can be considered a DMCA violation.

Then why would they require everything but your blood type to download their old software? No other company I know does that and if they require my blood to have free copies of their old free software available for free, then take the blood of a guy who is on a fixed income with a work related disability living in government housing, whose wife has Alzheimer's. Good press for them, would it?

What is DMCA? I am not up to all of the alphabet soup names. Is this something like the record industry threatening 60 year old ladies with pay me $100,000 or I sue you for $10,000,000 and 20 years in jail for downloading music that they did not but cannot prove it?

Well said.

In addition:
http://java.com/en/download/faq/remove_olderversions.xml

Let's also hope that 'webcracked' abides by Oracle's license and in
particular:


DMCA - Digital Millennium Copyright Act
http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act

It has to do with Intellectual Property (IP) rights. Basically, Oracle owns the software
and the Foundation has to have permission to host their software on the Foundation's
server. If that permission is not secured then Oracle has the right to issue a DMCA
Takedown Notice.

It doesn't matter if the software is free or not. What matters is Oracle owns it and has
the right to approve who can distribute it. Failure to follow a DMCA Takedown Notice can
lead to the shutdown of the Foundation's server(s) by the hosting company.

I STRONGLY suggest removing Oracle's software (or any other 3rd party software) until the
Foundation secures permission to host it/them. I really would hate to see the
Foundation's server shut down over a DMCA IP violation.

I don't believe he is using TDF servers. Notice that the domain being used is libreoffice-na.us and that is about as far from TDF as you can get and still have "libreoffice" in the name. (TDF may have objections of its own, of course.)

I share your concern about the mirror of older JRE versions being allowed by Oracle. Personally, I never obtain downloads of anything so fundamental from anywhere but the authentic source. The added risk is hardly compensation for avoiding registration. I also fail to see what the downside risk of registration is.

That these files are being offered by direct linking to the installer .exe files is also scary.

But that's just me.

- Dennis

What on earth has javascript to do with this issue? This is a JAVA
issue. Any vulnerabilities in javascript only affect javascript, which
is a totally different kettle of fish and doesn't even form part of LO.

I remain puzzled by this thread. I have Java 1.6.0.26 installed and
that works just fine with LO 3.4.3 on Windows XP SP3. The suggestion to
deliberately install old potentially insecure versions of Java is very
bad advice, not to mention the copyright infringements of hosting it on
personal web space.

Dave

http://www.davesergeant.com

Hi :)
If the _26 version is not causing problems for you then LibreOffice is
probably not actually calling any java at all. Perhaps you are not using
Base at all or if you are then you are probably using back-ends that don't
need java.

You can probably stop using java completely and that would make LibreOffice
start up faster
Tools - Options - LibreOffice - Java
and un-tick the top box.

'Obviously' if you are not having a problem with java slowing LibreOffice
down to a ridiculous extent then you don't need to worry. However, we have
had a lot of posts where slow-downs and crashes have been solved by moving
to one of the earlier versions of java. OpenJdk is officially recommended
but it also seems quite slow and problematic. Again it's only where java is
actually getting used. Again if you are not using features of LibreOffice
that rely on java then you wouldn't notice.

Most of the posts giving links have included one link to the folder so that
you can see what else is stored on the site
http://libreoffice-na.us/English/install.html
The links to direct downloads tend to give some indication that they are
direct links, for example "For the direct links, use the following:" to
quote Tim.

This is an evolving situation, not a static one.
1. On the legal side it seems that a "Take down Notice" or something else
like a "Cease and Desist notice" is the most that could happen to start
with. Complying would be easy and take just a few minutes. Chances are
that it would take significant time for those notices to be drawn up and
served especially since they would probably have to rely on snail-mail.
Java is free so it's unlikely they would be able to claim damages. A lot of
hassle for them and easy for individuals here to comply with. Tim is
"sticking his neck out" slightly to help people here so we do owe him our
thanks.
2. Java dependence is being written out of the code altogether. This is
not because java is currently owned by a company that decided to be a
competitor rather than just use us to further their own aims resulting in
them being unable to compete at all (an opinion some people have held rather
than necessarily being true) but rather because java just seems to slow
things down unnecessarily.

So, by the time anyone gets around to serving a cease and desist or
take-down notice for no gain and some cost to themselves the chances are
that individuals here would have already taken down the helpful offerings.
Until then we have a good work-around for those people that need it.

In England there is a phrase that seems very apt to all those fear-mongers
that don't even use java anyway "Don't get your knickers in a twist"
Regards from
Tom :)

Well, I am only doing what originally was on the German language ISO. They had 6u23 on it the same way we originally had it, so it was kept on our version. Actually the 6u23 files are the original ones that the original German language LibreOfficeBox ISO had. We used many of the original "extras" that were on that DVD.

To be honest, if Oracle wants it gone, they can tell me. All Oracle has to do is officially tell me and it will be removed. At that point it is over. Until an Official from Oracle tells me officially, it is not anyone else's problem. If I refuse to "take it down", then action can be taken. Also, if there were any money issues coming up later, companies cannot get blood out of stone, so to speak. My income is government disability and that cannot be taken, by law.

Of course, if someone here notifies them, then it is like squealing in first grade, and we all should be above that, hopefully.

As soon as I can get OpenJDK version - open source - I will be removing Oracle from my life. Soon, except for extensions, LibreOffice will no longer need Java. That will be nice as well. At that point no one will need to deal with Oracle.

So, let this be the end of this thread.
Let me do the things I need to do, and in the end, it is only my concern what I do on my computer and my web account[s], or at least it is not the concern of anyone on this list.
So, the thread is ended.
leave it so.


I'm sorry if this subject matter escapes you.

What I have tried to do is to explain the perils of using older versions of Oracle Java.
In this thread I have tried to relate how using an older version can compromise your PC.

In short...
When you install an older version of JRE that version is made available via a Browser
Helper Object or Browser Plug-In to Internet Browsers. When you visit a malicious website
(or get redirected to a malicious web site by something like a hidden IFrame) that
malicious web site can use exploit code to compromise one's computer. Usually the exploit
code is in the form of an obfuscated Javascript and will use a laundry list of exploits
seeking out vulnerable software (such as JRE) and particular vulnerable versions.
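The distinction drawn in the posts above, a shared OS-wide JRE under `C:\Program Files\Java` versus a private copy bundled inside an application, can be checked on a machine with a small inventory script. The following is an added example, not code from the thread or from any project it mentions; the `BASELINES` table, the function names and the third sample entry are assumptions made for illustration.

```python
"""Added example: flag outdated JRE installs in the shared, OS-wide location."""
import re
import subprocess
from pathlib import PureWindowsPath

# Assumption: newest update per Java family. The thread names update 27 as the
# latest in the JRE 6 family; fill in other families from vendor release notes.
BASELINES = {6: 27}

# Matches 1.6.0_21, 1.6.0.26 and 1.5.0_11-b03 (the build suffix is ignored).
_LONG = re.compile(r"\b1\.(\d+)\.0(?:[_.](\d+))?")
# Matches installer-style names such as jre-6u23-windows-i586.exe.
_SHORT = re.compile(r"\b(\d+)u(\d+)\b")


def parse_version(text):
    """Return (family, update) from a Java version string, or None."""
    m = _LONG.search(text)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _SHORT.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_shared(path):
    """True for the OS-wide location cited in the thread (Program Files, Java)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return (len(parts) >= 3
            and parts[1] in ("program files", "program files (x86)")
            and parts[2] == "java")


def probe(java_exe):
    """Run `java -version`, which prints to stderr, and return the raw text."""
    done = subprocess.run([java_exe, "-version"], capture_output=True,
                          text=True, timeout=10)
    return done.stderr or done.stdout


def audit(inventory):
    """inventory: iterable of (install_path, version_text) pairs."""
    findings = []
    for path, text in inventory:
        version = parse_version(text)
        baseline = BASELINES.get(version[0]) if version else None
        if version is None or baseline is None:
            status = "no-baseline"      # family not in BASELINES: review by hand
        elif version[1] < baseline:
            status = "outdated"
        else:
            status = "current"
        findings.append({"path": path, "version": version,
                         "shared": is_shared(path), "status": status})
    return findings


def priority(findings):
    """Paths that are both shared and outdated: the case the posts above raise."""
    return [f["path"] for f in findings
            if f["shared"] and f["status"] == "outdated"]


# Constructed sample inventory. The first two paths and version strings are the
# ones quoted in the thread; the third entry is made up for the example.
SAMPLE = [
    (r"C:\Program Files\Java\jre6", 'java version "1.6.0_21"'),
    (r"C:\Program Files\Adobe\Acrobat 9.0\Designer 8.2\jre\bin", "1.5.0_11-b03"),
    (r"D:\tools\jre6-private", 'java version "1.6.0_27"'),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print("fix first:", priority(audit(SAMPLE)))
```

On a live system, feed `audit()` with pairs built from `probe()` run against each `bin\java.exe` found on disk instead of `SAMPLE`.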

Hi Dave and all,

I only run LibreOffice in Linux, specifically Ubuntu 11.04. Java versions 1.6.0_24 and 1.6.0_26 essentially broke base. I have a database with about 2600 records in. Before the two releases mentioned, going from the first record to last record took a second. With either of those two versions, it would take 20 to 25 seconds. It slowed mail merge to a crawl also. The way that the older version, such as 1.6.0_21 is installed in Linux, or at least specifically in Ubuntu, it is only available for Libre Office. My browsers all are using the most current version. I've checked. Also, 1.6.0_21 does not show up as an installed package on the Linux system in synaptic package manager. It is only being used for LibreOffice, primarily Base. There is no plugin installed to make it available for browsers. I'm very security conscious. I've not run LibreOffice on Windows, so I don't know if the issues of problems with Java affected Windows installs or not. One post some time ago indicated it only affected Linux installs of LibreOffice. Regardless, I now have a functional Base working as it should, and still have the security of the latest released version of Java for Ubuntu for my browsers. Hopefully this will help you understand the issue.

Don


Yep, got it.

Luckily Ubuntu is not targeted to the degree that MS Windows is and thus you have a lesser
degree of exploitation.

________________________________
From: David H. Lipman <DLipman@Verizon.Net>
To: users@global.libreoffice.org
Sent: Fri, 2 September, 2011 18:48:47
Subject: [libreoffice-users] Re: JRE older installs - Windows - now online - no need for Oracle account

<snip />

Luckily Ubuntu is not targeted to the degree that MS Windows is and thus you
have a lesser degree of exploitation.

Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Hi :)
Hmm, not quite the case. Servers would make a far better target than desktops
if the aim of malware is to cause disruption or grab data. Pranks and accidents
are sooo last decade.

However, we still hardly ever hear about servers suffering. If it happens at
all it often gets reported in the mainstream news because it's so rare. So, why
is it so common-place to hear of desktops getting infected instead of servers?

Interestingly it's the market where MS is dominant that has the most trouble
with malware. Most big servers run Gnu&Linux, Bsd or some other Unix-based
platform precisely because stability and security are more important.

http://librenix.com/?inode=21

Even if we just look at desktops we would expect a platform such as Mac at an
estimated 20% of the market taking 20% of the malware. Yet we have heard of
less than a handful. Again it's so rare that it reaches the mainstream press.

People that want to sound knowledgeable about malware and sound serious about it
use Windows. There is a lot to know! It's good to show-off about how much you
know but always the intel these people have is old because they are always
trying to catch-up with the ingenuity of malware creators. People who are just
serious about stability and security and want to stay ahead of the game tend to
use Gnu&Linux (or Bsd, or even Mac).

Regards from
Tom :)

Hi,


Two other factors that help Gnu/Linux and BSD in particular are that they
are often installed and used by more knowledgeable users and probably
more importantly is that most desktop Linux users can find almost all
the software they need in relatively secure repositories maintained by
the distros. Mac, I believe, comes with a suite of software aimed at the
most common desktop needs already installed.

Another factor with Linux and BSD (include the Mac) is no typical setup
exists, every distro has their own ideas of what makes a good distro and
how it should be done. Thus there are fewer common attack vectors that
all Linux distros have, primarily at the kernel level. Above the kernel
level you have significant differences between Red Hat/Fedora, Debian,
Ubuntu, openSUSE/SUSE, etc and add in the number of different
environments. Thus an exploit that targets KDE (or any other desktop)
probably will not have much effect on other desktops simply because they
may not have the required files installed or even need the files.

In Windows you have the situation where users range from extremely
knowledgeable to total incompetence, compound this with there is
essentially a single OS for each version of Windows. This allows crackers
a wealth of very similar targets with less effort. Add that some of the
users are utterly clueless about computer security and you have a
situation where attacks will be successful enough for the crackers to
justify their efforts.

BIG <snip>


All of which is OT here but this shows Linux elitism. Security by
obscurity. So few people use Linux that Linux is not significant enough
to be of value to the 'bad guys' out there.

Should Linux ever become common enough that more than about 50 million
people, [1] in a world of 5 Billion people, use it - then it might
become *worth the effort*.

What do you think?

[1] "Linux Counter Summary Report"

<http://counter.li.org/reports/short.php>