US-CERT Alert TA13-064A: Oracle Java Contains Multiple Vulnerabilities
National Cyber Awareness System
TA13-064A: Oracle Java Contains Multiple Vulnerabilities
Original release date: March 05, 2013
* Any system using Oracle Java 7, 6, 5 (1.7, 1.6, 1.5) including
* Java Platform Standard Edition 7 (Java SE 7)
* Java Platform Standard Edition 6 (Java SE 6)
* Java Platform Standard Edition 6 (Java SE 5)
* Java SE Development Kit (JDK 7)
* Java SE Development Kit (JDK 6)
* Java SE Development Kit (JDK 5)
* Java SE Runtime Environment (JRE 7)
* Java SE Runtime Environment (JRE 6)
* Java SE Runtime Environment (JRE 5)
* OpenJDK 6 and 6u
* IcedTea 1.x (IcedTea6 1.x)
All versions of Java 7 through update 15, Java 6 through update 41, and
Java 5.0 through update 40 are affected. Web browsers using
the Java 5, 6 or 7 plug-in are at high risk.
Go to http://www.oracle.com/technetwork/ja...ads/index.html to download either the JDK or JRE tar.gz (note that JRE is included with JDK).
Hope this helps some.
... OpenJDK 7u is not listed there, nor the IcedTea 2.x which was used to build it. Still, I suppose that an update to OpenJDK is coming soon.
US-CERT doesn't report OpenJDK, might be nice, but they don't; the concern is for the widest installed base affecting pretty much everybody. The FOSS projects you see at US-CERT would include MySQL, for example, but nothing else I can think of off-hand.
We're on our own, gotta rely on distributions (like today's sudo update), alas.
Yep, JRE 7 update 17 came out on Monday to address this. Java and Swiss cheese have a lot in common : )
Well, duh! Probably ought to read the entire thing, eh?
So, I suppose that when Oracle releases the open guys get notified and do their thing and, yup, US-CERT picks up on all of it. Usually seems to take a couple of days for the notices to get sent out, think they check (closer than I do, huh?) and get everything into one bundle before they do their thing.
The important thing is not how dumb I am but that the notice gets sent, everybody gets to download and fiddle-faddle around and that you do not want the Java Plug-in enabled in any browser unless you absolutely need it for some (trusted) web site or other.
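An added example, not part of the thread or of the US-CERT alert: a shell function that classifies the text of `java -version` against the affected ranges quoted in the alert at the top of the thread (Java 7 through update 15, Java 6 through update 41, Java 5.0 through update 40). The function name, the result labels and the sample lines are constructed for illustration, and it assumes the usual `version "1.x.0_NN"` banner format.

```shell
#!/bin/sh
# Added example: classify `java -version` text against the alert's ranges.
# Thresholds come from the alert text: 7 <= u15, 6 <= u41, 5 <= u40.

classify_java() {
    out=$1   # full `java -version` output (printed on stderr: use 2>&1)
    ver=$(printf '%s\n' "$out" |
          sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }

    # OpenJDK/IcedTea are listed in the alert without update thresholds.
    # Assumption: their update numbers need not match Oracle's, so the
    # distribution's own advisory decides, not the numbers below.
    case $out in
        *OpenJDK*|*IcedTea*) echo check-distro; return 0 ;;
    esac

    case $ver in
        1.[567].*) ;;                    # release lines named in the alert
        *) echo not-listed; return 0 ;;
    esac
    major=${ver#1.}; major=${major%%.*}

    # "1.7.0_15" -> 15; a bare "1.7.0" is treated as update 0.
    case $ver in
        *_*) update=${ver#*_}; update=${update%%[!0-9]*} ;;
        *)   update=0 ;;
    esac
    [ -n "$update" ] || update=0

    case $major in
        7) max=15 ;;
        6) max=41 ;;
        5) max=40 ;;
    esac
    if [ "$update" -le "$max" ]; then echo affected; else echo not-listed; fi
}

# Constructed sample lines, not captured from real systems.
for sample in 'java version "1.7.0_15"' 'java version "1.6.0_43"'; do
    printf '%s -> %s\n' "$sample" "$(classify_java "$sample")"
done
```

On a real host, call it as `classify_java "$(java -version 2>&1)"`; `not-listed` only means the version falls outside the ranges the alert names.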