SANS Internet Storm Center (SANS ISC) InfoSec Forums
Java Quarterly Updates

I just posted a one-liner on the latest Java Update. There is a hefty list of security vulnerabilities fixed, but I figured folks could dig into it if they were interested, and a one-liner would do.

However, the real story, for me at least, is that Oracle is now on a quarterly update schedule, starting with this version.  Going forward, expect regular updates to be released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

    14 January 2014
    15 April 2014
    15 July 2014
    14 October 2014

Not sure if this is good or not; I'd rather see more frequent updates, but that's the schedule.

The release notes for this version (Windows, Linux, Mac and Solaris) are here: http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html

===============
Rob VandenBrink
Metafore

Rob VandenBrink, ISC Handler
I think Oracle have "dropped a ball" here...

They released 7u45 what, a couple of days ago? 15/10/2013? But machines with 7u40 are already complaining that the installed version is out of date and refusing to start Java unless you update. According to http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html "The expiration date for JRE 7u40 is 12/10/2013." and it's that date that should trigger the "out of date" warnings. On the equivalent page for 7u25 it says "The expiration date for JRE 7u25 is November 15, 2013." and for the new 7u45 it says "The expiration date for JRE 7u45 is 02/14/2014."

So we've got a mixture of short dates in MM/DD/YYYY format and long dates. It seems to me that perhaps the 7u40 date is actually the wrong way round and in DD/MM/YYYY format and hence the warning has triggered too soon? It seems a bit cheeky of Oracle to be firing off out-of-date warnings and breaking apps before techs have the chance to test/approve the new version?

Can anyone confirm what I'm thinking is right?
Anonymous
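Two checks a patch manager can run for the behaviour discussed above, added here as an example (not code from the post, the comments or Oracle): the first derives the quarterly update dates from the "Tuesday closest to the 17th" rule in the original post, the second reads a release-note expiration string both as MM/DD/YYYY and as DD/MM/YYYY, which is the ambiguity the 7u40 comment raises. It assumes the "out of date" check fires on or after the expiration date; all input dates are constructed from the values quoted in the thread.

```python
from datetime import date, datetime, timedelta

CPU_MONTHS = (1, 4, 7, 10)  # January, April, July, October


def closest_tuesday(year: int, month: int) -> date:
    """Tuesday closest to the 17th (weekday(): Monday=0, Tuesday=1).
    Distances to the previous and next Tuesday sum to 7, so no tie is possible."""
    d17 = date(year, month, 17)
    since_tuesday = (d17.weekday() - 1) % 7
    if since_tuesday <= 3:
        return d17 - timedelta(days=since_tuesday)
    return d17 + timedelta(days=7 - since_tuesday)


def next_cpu_dates(after: date, count: int = 4) -> list[date]:
    """The next `count` quarterly Java update dates strictly after `after`."""
    found, year = [], after.year
    while len(found) < count:
        for month in CPU_MONTHS:
            d = closest_tuesday(year, month)
            if d > after and len(found) < count:
                found.append(d)
        year += 1
    return found


def expiry_readings(text: str) -> dict[str, date]:
    """Every calendar date an expiration string can be read as. Numeric strings
    are tried as MM/DD/YYYY and DD/MM/YYYY; an impossible reading (month 14)
    is dropped, so '02/14/2014' comes back unambiguous."""
    readings = {}
    for label, fmt in (("MM/DD/YYYY", "%m/%d/%Y"), ("DD/MM/YYYY", "%d/%m/%Y"),
                       ("long", "%B %d, %Y")):
        try:
            readings[label] = datetime.strptime(text, fmt).date()
        except ValueError:
            pass
    return readings


def expired_on(text: str, today: date) -> dict[str, bool]:
    """Assumption: the JRE 'out of date' warning fires on or after the expiry date."""
    return {label: today >= d for label, d in expiry_readings(text).items()}


if __name__ == "__main__":
    print(next_cpu_dates(date(2013, 10, 15)))               # 7u45 shipped 15 Oct 2013
    print(expired_on("12/10/2013", date(2013, 10, 17)))     # 7u40, two days later
    print(expired_on("02/14/2014", date(2013, 10, 17)))     # 7u45, unambiguous
```

Run against the 7u40 string, the DD/MM reading reports "expired" on 17 October 2013 while the MM/DD reading does not, which is exactly the mismatch the comment describes.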
This is looking bad already. Oracle are identifying 7u45 as a security baseline, but a major web application we use is reporting an "undocumented, breaking change" in 7u45 which renders it unusable so we are unable to deploy the patch. I would be amazed if there weren't other enterprise systems having issues with this one too.
Anonymous
By the way, 7u45 is a major security update. 51 remotely exploitable vulnerabilities, 22 of them arbitrary code execution, 12 of those classed as 'easily exploitable' (CVSS score 10).
Anonymous
