From: Fredrik Jonson
Newsgroups: comp.lang.java.programmer
Subject: Re: JDK 1.7.0_07 and JDK 1.6.0_35 are out
Date: 31 Aug 2012 20:20:39 GMT
Lines: 37
Message-ID:
References: <6luv38htl4ve3ldqv0pd1pmu876gddq2v6@4ax.com> <50400827$0$289$14726298@news.sunsite.dk>
User-Agent: slrn/pre1.0.0-18 (Linux)

markspace wrote:

> On 8/30/2012 11:02 PM, Fredrik Jonson wrote:
>
> > Without pointing you to the source code of the exploit [...] it becomes
> > trivially clear to anyone that it allows the attacker to execute _any_
> > code on the target machine. It evades the normal java sandbox completely.
>
> But only for Java 7. Java 6 is fine.

Java 6u34 and older is also partially vulnerable to "a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited."

http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html

Oracle has indeed released Java 6 update 35, which is a security update, and it cites exactly the same alert as the Java 7 update 7 release.

http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html

Granted, the CVSS base score for CVE-2012-0547 is 0, so you probably don't have to be too concerned if you've only deployed Java 6 in your browser.

Still, do note that both these releases, 6u35 and 7u7, divert from the ordinary release schedule. Normally we've seen a new Java update every two months. Both 6u35 and 7u7 land barely half a month after their previous releases. I'm actually positively surprised that Oracle is this responsive, especially for 6u34, which they claim isn't directly vulnerable today.
It will also be interesting to see if that means that the release numbers just skip now, i.e. that we'll see a 7u8 in mid or end of October, where 7u7 was originally expected to be released. The alternative is that the entire schedule is shifted, and that we won't see the next update until early or mid November.

--
Fredrik Jonson