| Path | csiph.com!usenet.pasdenom.info!weretis.net!feeder4.news.weretis.net!news.musoftware.de!wum.musoftware.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail |
|---|---|
| From | Fredrik Jonson <fredrik@jonson.org> |
| Newsgroups | comp.lang.java.programmer |
| Subject | Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out |
| Date | 31 Aug 2012 20:20:39 GMT |
| Lines | 37 |
| Message-ID | <slrnk4275r.olb.fredrik@scout.jonson.org> (permalink) |
| References | <6luv38htl4ve3ldqv0pd1pmu876gddq2v6@4ax.com> <50400827$0$289$14726298@news.sunsite.dk> <k1p1fp$24v$1@dont-email.me> <ei604819trie2avefhs4punmav31tmibuo@4ax.com> <slrnk40ksb.mg5.fredrik@scout.jonson.org> <k1plkf$r9n$1@dont-email.me> |
| X-Trace | individual.net WmczLEIBl4Eo/4U/Y9LbtAtlT57Fj2LUFM81G5p3jAovQMKOAoNGJ7Nc0vt1KgV+g= |
| Cancel-Lock | sha1:LnIK6RIWQjZnzfEQB5c/bZAHH1Q= |
| User-Agent | slrn/pre1.0.0-18 (Linux) |
| Xref | csiph.com comp.lang.java.programmer:18485 |
markspace wrote:

> On 8/30/2012 11:02 PM, Fredrik Jonson wrote:
>
> > Without pointing you to the source code of the exploit [...] it becomes
> > trivially clear to anyone that it allows the attacker to execute _any_
> > code on the target machine. It evades the normal java sandbox completely.
>
> But only for Java 7. Java 6 is fine.

Java 6u34 and older is also partially vulnerable to "a security-in-depth
issue that is not directly exploitable but which can be used to aggravate
security vulnerabilities that can be directly exploited."

http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html

Oracle has indeed released Java 6 update 35, which is a security update,
and it cites exactly the same alert as the Java 7 update 7 release.

http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html

Granted, the CVSS base score for CVE-2012-0547 is 0, so you probably don't
have to be too concerned if you've only deployed Java 6 in your browser.

Still, do note that both these releases, 6u35 and 7u7, divert from the
ordinary release schedule. Normally we've seen a new Java update every two
months. Both 6u35 and 7u7 land barely half a month after their previous
releases. I'm actually positively surprised that Oracle is this responsive,
especially for 6u34, which they claim isn't directly vulnerable today.

It will also be interesting to see if that means that the release numbers
just skip now, i.e. that we'll see a 7u8 in mid or end of October, where
7u7 was originally expected to be released. The alternative is that the
entire schedule is shifted, and that we won't see the next update until
early or mid November.

-- 
Fredrik Jonson
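The practical question behind the post is whether a given machine is at or above the fixed levels it names, 6u35 and 7u7. The script below is an added example, not code from the post or from Oracle: it parses the "1.x.0_NN" banner that `java -version` printed in 2012, compares it against those two fixed update numbers, and reports the distinction the post draws, Java 7 below 7u7 being directly affected while Java 6 below 6u35 only carries the security-in-depth issue (CVE-2012-0547, CVSS base score 0). The fixed levels are taken from the post as stated; the sample banners are constructed, and the status labels are this example's own.

```python
"""Classify a `java -version` banner against the fixed releases named in
the post (6u35 and 7u7).  Added example; not code from the original post
or from Oracle.  Sample banners are constructed, not captured."""
import re
import subprocess
from typing import Optional, Tuple

# Minimum update level per major family, as stated in the post:
# Java 6 update 35 (1.6.0_35) and Java 7 update 7 (1.7.0_07).
FIXED_UPDATE = {6: 35, 7: 7}

# Matches the pre-2014 "1.<family>.0_<update>" scheme, e.g. 1.7.0_06.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.0_(\d+)')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from a version banner, e.g. (7, 6) for
    'java version "1.7.0_06"'.  None if no 1.x.0_NN string is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(banner: str) -> str:
    """Map a banner to one of four statuses (labels are this example's own):
      patched             - at or above the fixed update for its family
      directly-vulnerable - Java 7 below 7u7 (the sandbox escape in the thread)
      security-in-depth   - Java 6 below 6u35 (CVE-2012-0547, not directly exploitable)
      unknown             - unparseable banner, or a family the post does not cover
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "unknown"
    if update >= fixed:
        return "patched"
    return "directly-vulnerable" if family == 7 else "security-in-depth"


def local_banner() -> Optional[str]:
    """Run `java -version` on this host; it prints to stderr, so merge it.
    Returns None when no java binary is on PATH."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True,
                             text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout + out.stderr


# Constructed sample banners in the format the 2012 JDKs printed.
SAMPLE_BANNERS = {
    "7u6":  'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "7u7":  'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "6u34": 'java version "1.6.0_34"\nJava(TM) SE Runtime Environment (build 1.6.0_34-b04)',
    "6u35": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)',
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:>5}: {assess(banner)}")
    host = local_banner()
    print("local:", assess(host) if host else "no java on PATH")
```

The check deliberately reports "unknown" for families the post does not discuss rather than guessing a fixed level for them, and the host probe merges stderr because `java -version` writes its banner there, which is the usual reason naive inventory scripts capture nothing.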
JDK 1.7.0_07 and JDK 1.6.0_35 are out Roedy Green <see_website@mindprod.com.invalid> - 2012-08-30 16:44 -0700
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Arne Vajhøj <arne@vajhoej.dk> - 2012-08-30 20:41 -0400
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out markspace <-@.> - 2012-08-30 17:45 -0700
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Arne Vajhøj <arne@vajhoej.dk> - 2012-08-30 20:52 -0400
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Roedy Green <see_website@mindprod.com.invalid> - 2012-08-30 19:16 -0700
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Fredrik Jonson <fredrik@jonson.org> - 2012-08-31 06:02 +0000
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out markspace <-@.> - 2012-08-30 23:29 -0700
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Arne Vajhøj <arne@vajhoej.dk> - 2012-08-31 15:38 -0400
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Fredrik Jonson <fredrik@jonson.org> - 2012-08-31 20:20 +0000
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Fredrik Jonson <fredrik@jonson.org> - 2012-09-01 06:38 +0000
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Roedy Green <see_website@mindprod.com.invalid> - 2012-09-02 02:15 -0700
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Roedy Green <see_website@mindprod.com.invalid> - 2012-08-31 15:21 -0700
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Arne Vajhøj <arne@vajhoej.dk> - 2012-08-31 19:53 -0400
Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out Arne Vajhøj <arne@vajhoej.dk> - 2012-08-31 15:36 -0400