Oracle Releases Java Security Updates

Published: 2012-08-30. Last Updated: 2012-08-30 18:34:17 UTC
by Scott Fendley (Version: 1)
2 comment(s)

A short while ago, Oracle released updates for both Java 6 and Java 7 in response to the critical 0-Day vulnerabilities discussed earlier this week, as well as two other security issues.

US-CERT has reported that applying Java 7 update 7 will solve the security issues as discussed at http://www.kb.cert.org/vuls/id/636312

More information is available at http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

Scott Fendley ISC Handler


Comments

Rapid7's test site showed Java 1.6 update 33 was vulnerable, but update 34 said it didn't have any security updates. Then today Oracle releases patches for JRE 1.6. Nice. The only thing more aggravating than that is Oracle's description of the 1.6 fix released today:

"CVE-2012-0547 represents a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited."

Fix came through in Fedora as follows:

http://koji.fedoraproject.org/koji/buildinfo?buildID=351286

"Information for build java-1.7.0-openjdk-1.7.0.6-2.3.1.fc16.1"

"... Changelog * Thu Aug 30 2012 jiri Vanek <jvanek@redhat.com> - 1.7.0.6-2.3.1.fc16.1 - Updated to IcedTea-Forest 2.3.1 - Resolves rhbz#RH852051, CVE-2012-4681: Reintroduce PackageAccessible checks removed in 6788531. ..."
