| Started by | Roedy Green <see_website@mindprod.com.invalid> |
|---|---|
| First post | 2013-01-13 18:24 -0800 |
| Last post | 2013-01-16 20:14 -0500 |
| Articles | 6 — 3 participants |
JDK 1.7.0_11 is out. Roedy Green <see_website@mindprod.com.invalid> - 2013-01-13 18:24 -0800
Re: JDK 1.7.0_11 is out. Arne Vajhøj <arne@vajhoej.dk> - 2013-01-13 21:32 -0500
Re: JDK 1.7.0_11 is out. Roedy Green <see_website@mindprod.com.invalid> - 2013-01-14 20:01 -0800
Re: JDK 1.7.0_11 is out. Arne Vajhøj <arne@vajhoej.dk> - 2013-01-15 21:03 -0500
Re: JDK 1.7.0_11 is out. Eric Sosman <esosman@comcast-dot-net.invalid> - 2013-01-15 22:03 -0500
Re: JDK 1.7.0_11 is out. Arne Vajhøj <arne@vajhoej.dk> - 2013-01-16 20:14 -0500
| From | Roedy Green <see_website@mindprod.com.invalid> |
|---|---|
| Date | 2013-01-13 18:24 -0800 |
| Subject | JDK 1.7.0_11 is out. |
| Message-ID | <n1r6f817h6mus92hrkpgr92lineb6lintr@4ax.com> |
Presumably will fix the 0-day exploit.
I will find out after I get it myself.

--
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish as couch potatoes who hire others to go to the gym for them.
| From | Arne Vajhøj <arne@vajhoej.dk> |
|---|---|
| Date | 2013-01-13 21:32 -0500 |
| Message-ID | <50f36e45$0$293$14726298@news.sunsite.dk> |
| In reply to | #21384 |
On 1/13/2013 9:24 PM, Roedy Green wrote:
> Presumably will fix the 0-day exploit.

It does.

Arne
| From | Roedy Green <see_website@mindprod.com.invalid> |
|---|---|
| Date | 2013-01-14 20:01 -0800 |
| Message-ID | <h2l9f8dcitjijhvu1hi596cos7julbci7q@4ax.com> |
| In reply to | #21384 |
On Sun, 13 Jan 2013 18:24:23 -0800, Roedy Green <see_website@mindprod.com.invalid> wrote, quoted or indirectly quoted someone who said :
>Presumably will fix the 0-day exploit.
>I will find out after I get it myself.

the release notes are at
http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html

As I read them the "fix" is just to turn off Applets entirely, by default -- hardly a fix. Perhaps one of the group's language lawyers could see if I interpreted that correctly.

--
Roedy Green Canadian Mind Products http://mindprod.com
The first 90% of the code accounts for the first 90% of the development time. The remaining 10% of the code accounts for the other 90% of the development time.
~ Tom Cargill Ninety-ninety Law
| From | Arne Vajhøj <arne@vajhoej.dk> |
|---|---|
| Date | 2013-01-15 21:03 -0500 |
| Message-ID | <50f60a90$0$287$14726298@news.sunsite.dk> |
| In reply to | #21404 |
On 1/14/2013 11:01 PM, Roedy Green wrote:
> On Sun, 13 Jan 2013 18:24:23 -0800, Roedy Green
> <see_website@mindprod.com.invalid> wrote, quoted or indirectly quoted
> someone who said :
>
>> Presumably will fix the 0-day exploit.
>> I will find out after I get it myself.
>
> the release notes are at
> http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
>
> As I read them the "fix" is just to turn off Applets entirely, by
> default -- hardly a fix. Perhaps one of the group's language lawyers
> could see if I interpreted that correctly.

I don't read it that way.

<quote>
This release contains fixes for security vulnerabilities. For more information, see Oracle Security Alert for CVE-2013-0422.

In addition, the following change has been made:

Area: deploy
Synopsis: Default Security Level Setting Changed to High

The default security level for Java applets and web start applications has been increased from "Medium" to "High".
</quote>

... contains fixes ... in addition ... security level setting changed ...

I can not interpret that other than there are both a fix and a change in default security level.

Arne
| From | Eric Sosman <esosman@comcast-dot-net.invalid> |
|---|---|
| Date | 2013-01-15 22:03 -0500 |
| Message-ID | <kd558i$fbp$1@dont-email.me> |
| In reply to | #21420 |
On 1/15/2013 9:03 PM, Arne Vajhøj wrote:
>[...]
> <quote>
> This release contains fixes for security vulnerabilities. For more
> information, see Oracle Security Alert for CVE-2013-0422.
CERT's advice is
"Immunity has indicated that only the reflection
vulnerability has been fixed and that the JMX MBean
vulnerability remains. [...] Unless it is absolutely
necessary to run Java in web browsers, disable it as
described below, even after updating to 7u11. [...]"
--from <http://www.kb.cert.org/vuls/id/625617>
Write once, pwn anywhere ...
--
Eric Sosman
esosman@comcast-dot-net.invalid
| From | Arne Vajhøj <arne@vajhoej.dk> |
|---|---|
| Date | 2013-01-16 20:14 -0500 |
| Message-ID | <50f7507d$0$294$14726298@news.sunsite.dk> |
| In reply to | #21422 |
On 1/15/2013 10:03 PM, Eric Sosman wrote:
> On 1/15/2013 9:03 PM, Arne Vajhøj wrote:
>> [...]
>> <quote>
>> This release contains fixes for security vulnerabilities. For more
>> information, see Oracle Security Alert for CVE-2013-0422.
>
> CERT's advice is
>
> "Immunity has indicated that only the reflection
> vulnerability has been fixed and that the JMX MBean
> vulnerability remains. [...] Unless it is absolutely
> necessary to run Java in web browsers, disable it as
> described below, even after updating to 7u11. [...]"
> --from <http://www.kb.cert.org/vuls/id/625617>
>
> Write once, pwn anywhere ...

According to the link then the exploits require both vulnerabilities.

But obviously the unfixed problem could be part of new exploits as well.

So it definitely should be fixed.

And hopefully it will be.

Arne