US-CERT Alert TA13-064A: Oracle Java Contains Multiple Vulnerabilities
National Cyber Awareness System
TA13-064A: Oracle Java Contains Multiple Vulnerabilities Original release date: March 05, 2013 Systems Affected * Any system using Oracle Java 7, 6, 5 (1.7, 1.6, 1.5) including * Java Platform Standard Edition 7 (Java SE 7) * Java Platform Standard Edition 6 (Java SE 6) * Java Platform Standard Edition 6 (Java SE 5) * Java SE Development Kit (JDK 7) * Java SE Development Kit (JDK 6) * Java SE Development Kit (JDK 5) * Java SE Runtime Environment (JRE 7) * Java SE Runtime Environment (JRE 6) * Java SE Runtime Environment (JRE 5) * OpenJDK 6 and 6u * IcedTea 1.x (IcedTea6 1.x) All versions of Java 7 through update 15, Java 6 through update 41, and Java 5.0 through update 40 are affected. Web browsers using the Java 5, 6 or 7 plug-in are at high risk. See http://www.linuxquestions.org/questi...5/#post4906617. Go to http://www.oracle.com/technetwork/ja...ads/index.html to download either the JDK or JRE tar.gz (note that JRE in included with JDK). Hope this helps some. |
... OpenJDK 7u is not listed there, nor the IcedTea 2.x which was used to build it. Still, I suppose that an update to OpenJDK is coming soon.
Eric |
US-CERT doesn't report OpenJDK, might be nice, but they don't; the concern is for the widest installed base affecting pretty much everybody. The FOSS projects you see at US-CERT would include MySQL, for example, but nothing else I can think of off-hand.
We're on our own, gotta rely on distributions (like today's sudo update), alas. |
Quote:
Code:
* OpenJDK 6 and 6u Eric |
Yep JRE 7 update 17 came out on Monday to address this. Java and Swiss cheese have a lot in Common : )
http://www.oracle.com/technetwork/ja...ads/index.html |
Well, duh! Probably ought to read the entire thing, eh?
So, I suppose that when Oracle releases the open guys get notified and do their thing and, yup, US-CERT picks up on all of it. Usually seems to take a couple of days for the notices to get sent out, think they check (closer than I do, huh?) and get everything into one bundle before the do their thing. The important thing is not how dumb I am but that the notice gets sent, everybody gets to download and fiddle-faddle around and that you do not want the Java Plug-in enabled in any browser unless you absolutely need it for some (trusted) web site or other. |
All times are GMT -5. The time now is 01:38 PM. |