Re: Java 6u35, 7u07 are available

2012-08-31 Thread Tony Anecito
Hi All,
 
I looked at the release notes and there was nearly nothing there. So 
justification to update was impossible. Oracle needs to realize that releases 
with just one security and one time clock change make it impossible to explain 
to anyone why we need to update an Enterprise.
 
Just my initial reaction. Used to be you got actual release notes when Sun owned 
Java.
 
Regards,
-Tony

--- On Fri, 8/31/12, Konstantin Kolinko knst.koli...@gmail.com wrote:


From: Konstantin Kolinko knst.koli...@gmail.com
Subject: Java 6u35, 7u07 are available
To: Tomcat Users List users@tomcat.apache.org
Date: Friday, August 31, 2012, 8:54 AM


Hi!

Just noting that Java 6u35, 7u07 were released by Oracle a day ago
http://www.oracle.com/technetwork/java/javase/downloads/

Those contain security fixes for issues exploitable when running Java
from within a web browser. (Those running it on server or standalone
are said to be unaffected).
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

BTW, some media wrote that CVE-2012-4681 affects only Java 7, but not Java 6.
The Oracle page, linked above, says the update includes fixes for two
other vulnerabilities and affects both Java 6 and Java 7.

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Java 6u35, 7u07 are available

2012-08-31 Thread David kerber

On 8/31/2012 11:02 AM, Tony Anecito wrote:

Hi All,

I looked at the release notes and there was nearly nothing there. So 
justification to update was impossible. Oracle needs to realize that releases 
with just one security and one time clock change make it impossible to explain 
to anyone why we need to update an Enterprise.


To me, a rapidly-spreading exploit that affects all major operating 
systems (both Linux and Windows) and browsers is a good-enough reason.





Just my initial reaction. Used to be you got actual release notes when Sun owned 
Java.

Regards,
-Tony




Re: Java 6u35, 7u07 are available

2012-08-31 Thread Giles Coochey

On 31/08/2012 16:02, Tony Anecito wrote:

Hi All,
  
I looked at the release notes and there was nearly nothing there. So justification to update was impossible. Oracle needs to realize that releases with just one security and one time clock change make it impossible to explain to anyone why we need to update an Enterprise.
  
Just my initial reaction. Used to be you got actual release notes when Sun owned Java.
  
Regards,

-Tony


Zero-Day Exploit in the Wild enough reason for you?

--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net






Re: Java 6u35, 7u07 are available

2012-08-31 Thread Casper Wandahl Schmidt
Read the second link and you have quite a reason for upgrading :) 
Actually all teamlers at GameForge were told to disable Java in browsers 
because of this security issue...


Kind regards
Casper W. Schmidt

On 31-08-2012 17:02, Tony Anecito wrote:

Hi All,
  
I looked at the release notes and there was nearly nothing there. So justification to update was impossible. Oracle needs to realize that releases with just one security and one time clock change make it impossible to explain to anyone why we need to update an Enterprise.
  
Just my initial reaction. Used to be you got actual release notes when Sun owned Java.
  
Regards,

-Tony




RE: Java 6u35, 7u07 are available

2012-08-31 Thread Williams, Nick
Just my smarmy reply to Tony's 'when Sun owned Java' comment...

Used to be when Sun owned Java you got security updates months, not days, after 
a vulnerability like this was discovered. :-)

Not saying I like Oracle (I loathe it most days); just making the point that 
they were REALLY good about jumping on this issue so quickly.

Nick

-Original Message-
From: Tony Anecito [mailto:adanec...@yahoo.com]
Sent: Friday, August 31, 2012 10:02 AM
To: Tomcat Users List
Subject: Re: Java 6u35, 7u07 are available

Hi All,

I looked at the release notes and there was nearly nothing there. So 
justification to update was impossible. Oracle needs to realize that releases 
with just one security and one time clock change make it impossible to explain 
to anyone why we need to update an Enterprise.

Just my initial reaction. Used to be you got actual release notes when Sun owned 
Java.

Regards,
-Tony



This e-mail may contain privileged or confidential information. If you are not 
the intended recipient: (1) you may not disclose, use, distribute, copy or rely 
upon this message or attachment(s); and (2) please notify the sender by reply 
e-mail, and then delete this message and its attachment(s). Underwriters 
Laboratories Inc. and its affiliates disclaim all liability for any errors, 
omissions, corruption or virus in this message or any attachments.





Re: Java 6u35, 7u07 are available

2012-08-31 Thread Jess Holle

Well, don't give Oracle too much credit -- or grief.

According to various articles (look them up, I didn't save the URLs), 
they were notified of these vulnerabilities ~4 months ago.


Unfortunately several days ago serious attacks in the wild using these 
vulnerabilities were discovered -- after which Oracle responded rather 
quickly.


So one can give Oracle hell for not triaging these particular 
vulnerabilities as needing redress far more quickly than 4 months or 
laud them for fixing the issue quickly once a zero-day attack was found 
in the wild.  I'd say the reasonable response is somewhere in between 
and that overall most companies make some mistakes in this area (just 
look at some of the issues Microsoft has sat on).


On 8/31/2012 10:16 AM, Williams, Nick wrote:

Just my smarmy reply to Tony's 'when Sun owned Java' comment...

Used to be when Sun owned Java you got security updates months, not days, after 
a vulnerability like this was discovered. :-)

Not saying I like Oracle (I loathe it most days); just making the point that 
they were REALLY good about jumping on this issue so quickly.

Nick




Re: Java 6u35, 7u07 are available

2012-08-31 Thread Giles Coochey

On 31/08/2012 16:22, Jess Holle wrote:

Well, don't give Oracle too much credit -- or grief.

According to various articles (look them up, I didn't save the URLs), 
they were notified of these vulnerabilities ~4 months ago.


Unfortunately several days ago serious attacks in the wild using these 
vulnerabilities were discovered -- after which Oracle responded rather 
quickly.


So one can give Oracle hell for not triaging these particular 
vulnerabilities as needing redress far more quickly than 4 months or 
laud them for fixing the issue quickly once a zero-day attack was 
found in the wild.  I'd say the reasonable response is somewhere in 
between and that overall most companies make some mistakes in this 
area (just look at some of the issues Microsoft has sat on).


I try not to criticise Oracle or Sun too much; it kind of went from 
'exploit in the wild' to 'very easily obtainable exploit'.


https://community.rapid7.com/community/metasploit/blog/2012/08/30/weekly-metasploit-update

I can understand them being vague about the update, but critically 
severe seems an appropriate description.


--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net






Re: Java 6u35, 7u07 are available

2012-08-31 Thread Tony Anecito
Thanks Everyone. I agree on the security issue; it just seemed the last couple of 
updates had no substance beyond just security. MS sends updates quite often but 
I look forward to advances in other areas like performance etc.
 
Regards,
-Tony

--- On Fri, 8/31/12, Jess Holle je...@ptc.com wrote:


From: Jess Holle je...@ptc.com
Subject: Re: Java 6u35, 7u07 are available
To: Tomcat Users List users@tomcat.apache.org
Cc: Williams, Nick nicholas.willi...@ul.com
Date: Friday, August 31, 2012, 9:22 AM


Well, don't give Oracle too much credit -- or grief.

According to various articles (look them up, I didn't save the URLs), 
they were notified of these vulnerabilities ~4 months ago.

Unfortunately several days ago serious attacks in the wild using these 
vulnerabilities were discovered -- after which Oracle responded rather 
quickly.

So one can give Oracle hell for not triaging these particular 
vulnerabilities as needing redress far more quickly than 4 months or 
laud them for fixing the issue quickly once a zero-day attack was found 
in the wild.  I'd say the reasonable response is somewhere in between 
and that overall most companies make some mistakes in this area (just 
look at some of the issues Microsoft has sat on).




Re: Java 6u35, 7u07 are available

2012-08-31 Thread Jess Holle
In case it's not clear, Oracle normally strictly alternates between 
security-only (or very, very nearly security only) and 
performance/bug-fix updates.


In this particular case they had to alter their plans -- as they had to 
get a security fix out the door immediately.


On 8/31/2012 10:31 AM, Tony Anecito wrote:

Thanks Everyone. I agree on the security issue; it just seemed the last couple of 
updates had no substance beyond just security. MS sends updates quite often but 
I look forward to advances in other areas like performance etc.
  
Regards,

-Tony




Re: Java 6u35, 7u07 are available

2012-08-31 Thread Konstantin Kolinko
2012/8/31 Konstantin Kolinko knst.koli...@gmail.com:
 Hi!

 Just noting that Java 6u35, 7u07 were released by Oracle a day ago
 http://www.oracle.com/technetwork/java/javase/downloads/

 Those contain security fixes for issues exploitable when running Java
 from within a web browser. (Those running it on server or standalone
 are said to be unaffected).
 http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

 BTW, some media wrote that CVE-2012-4681 affects only Java 7, but not Java 6.
 Oracle page, linked above, says the update includes fixes for two
 other vulnerabilities and affects both Java 6 and Java 7.

Confirming that CVE-2012-4681 affects those server systems that rely
on SecurityManager to secure Tomcat and allow it to run untrusted web
applications (e.g. shared hosting environments).

The existing proof-of-concept for this issue triggers it by calling
some method in AWT implementation classes (sun.*).  This method is
public in 7u06 and does not check its caller.

The method exists in 6u34 as well, but it is private there and thus
cannot be called without using reflection API. So Java 6 is unaffected
by this specific issue.

Best regards,
Konstantin Kolinko
