Hello,

I just ran across this work from a team of researchers on TLS protocol fuzzing. One part of this article describes what CVE-2014-6593 is all about.

https://www.smacktls.com/#skip

I must say, I had a brief look into this while checking the fixes in the January CPU, but due to the rather low 4.0 CVSS scoring with the "high access complexity" I did not really pay attention. So let me quote the finding of the researchers, and keep in mind that this affects all of Java 5.0u75, 6u85, 7u72, 8u25 and older. (This especially affects all publicly available Java 6 updates.)

"A vulnerable JSSE client is then willing to accept the certificate and start exchanging unencrypted application data. In other words, the JSSE implementation of TLS has been providing virtually no security guarantee (no authentication, no integrity, no confidentiality) for the past several years."

I know here on the list are people who are not all developers of the security components but care about Java security, so I guess it is fine to share that pointer here.

Regards,
Bernd