Server security and Java

Hello,

Using the latest SimpleHelp 5.1.6, it comes bundled with Java JRE 1.8.0_192.
This version from October 2018 has multiple security issues.
I’ve decided to rely on my own Java version, downloaded an RPM at https://www.java.com/download, and installed JRE 1.8.0_221.
I’ve then modified serverstart.sh to set the SH_LAUNCH variable accordingly.

So far so good, SimpleHelp server and clients seem to work without trouble.

@SimpleHelp team: Is there any particular reason SimpleHelp releases don’t follow Java security updates?

Best regards.

Hi Orsiris,

We try to control the version of the runtime on the server for stability reasons. Public releases of SimpleHelp are assumed to be ready for production so we need to be certain that a change in runtime version won’t affect the server in an unexpected way. Unfortunately this requires a very large level of testing, so we do it for major releases of SimpleHelp only.

Understood.
Maybe make an exception for critical Java security fixes.
I don’t like my vulnerability scanner reporting SimpleHelp as a security risk.

Best regards.
