
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out

From Fredrik Jonson <fredrik@jonson.org>
Newsgroups comp.lang.java.programmer
Subject Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out
Date 2012-08-31 20:20 +0000
Message-ID <slrnk4275r.olb.fredrik@scout.jonson.org> (permalink)
References (1 earlier) <50400827$0$289$14726298@news.sunsite.dk> <k1p1fp$24v$1@dont-email.me> <ei604819trie2avefhs4punmav31tmibuo@4ax.com> <slrnk40ksb.mg5.fredrik@scout.jonson.org> <k1plkf$r9n$1@dont-email.me>



markspace wrote:
> On 8/30/2012 11:02 PM, Fredrik Jonson wrote:
>
> > Without pointing you to the source code of the exploit [...] it becomes
> > trivially clear to anyone that it allows the attacker to execute _any_
> > code on the target machine. It evades the normal java sandbox completely.
>
>  But only for Java 7. Java 6 is fine.

Java 6u34 and older is also partially vulnerable to "a security-in-depth
issue that is not directly exploitable but which can be used to aggravate
security vulnerabilities that can be directly exploited."

http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html

Oracle has indeed released Java 6 update 35, which is a security update, and
it cites exactly the same alert as the Java 7 update 7 release.

http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html

Granted the CVSS base score for CVE-2012-0547 is 0, so you probably don't
have to be too concerned if you've only deployed Java 6 in your browser.

Still, do note that both these releases, 6u35 and 7u7, divert from the
ordinary release schedule. Normally we've seen a new Java update every two
months. Both 6u35 and 7u7 land barely half a month after their previous
releases. I'm actually positively surprised that Oracle is this responsive,
especially for 6u34, which they claim isn't directly vulnerable today.

It will also be interesting to see if that means that the release numbers
just skip now, i.e. that we'll see a 7u8 in mid or end of October, where
7u7 was originally expected to be released. The alternative is that the
entire schedule is shifted, and that we won't see the next update until early
or mid November.

--
Fredrik Jonson
