
Java JRE updates/advisories


83 replies to this topic

#1 AplusWebMaster


Posted 02 December 2008 - 04:12 PM

FYI...

Sun Java JRE v1.6.0_11 released
- http://java.sun.com/...loads/index.jsp
Dec. 02, 2008

Release Notes
- http://java.sun.com/...notes/6u11.html
-18- bug fixes...
"This release contains fixes for one or more security vulnerabilities. For more information, please see Sun Alerts 244986, 244987, 244988, 244989, 244990, 244991, 244992, 245246, 246266, 246286, 246346, 246366, and 246387..."

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

Verify/test (-not- a Sun site):
- http://javatester.org/version.html ...

:ph34r:

Edited by AplusWebMaster, 12 April 2010 - 05:01 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster


Posted 04 December 2008 - 11:18 AM

Additional detail:

Sun Java JDK/JRE multiple vulns - updates available
- http://secunia.com/advisories/32991/
Release Date: 2008-12-04
Critical: Highly critical
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to a fixed version.
JDK and JRE 6 Update 11: http://java.sun.com/...loads/index.jsp
JDK and JRE 5.0 Update 17: http://java.sun.com/.../index_jdk5.jsp
SDK and JRE 1.4.2_19: http://java.sun.com/...2/download.html
SDK and JRE 1.3.1_24 (for customers with Solaris 8 and Vintage Support Offering support contracts): http://java.sun.com/...3/download.html ...

- http://www.us-cert.g.../TA08-340A.html

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

:ph34r:

Edited by AplusWebMaster, 05 December 2008 - 04:25 PM.



#3 AplusWebMaster


Posted 19 December 2008 - 12:33 PM

FYI...

- http://java.com/en/d.../new_plugin.xml
"This article applies to:
* Platform(s): Windows 2000 (SP4+), Windows XP (SP1 SP2), Vista
* Browser(s): Internet Explorer 6.x, Internet Explorer 7.x, Netscape 7, Mozilla 1.4+, Firefox
* JRE version(s): 6.0 ...
...old Java Plug-in and next-generation Java Plug-in
The new Java Plug-in is enabled by default. However if there are issues running applets with the new Java Plug-in, the user can switch to the old Java plug-in without any manual manipulation of the windows registry and moving files..."

(More detail available at the URL above.)

:ph34r:



#4 AplusWebMaster


Posted 02 February 2009 - 12:51 PM

FYI...

Sun Java SE Runtime Environment JRE 6 Update 12
- http://java.sun.com/...loads/index.jsp
Feb. 2, 2009

Release Notes
- http://java.sun.com/...notes/6u12.html
"This feature release does -not- contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 11. Users who have Java SE 6 Update 11 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."
Bug Fixes: 140

:scratch:



#5 AplusWebMaster


Posted 24 March 2009 - 02:20 PM

FYI...

Sun Java SE Runtime Environment JRE 6 Update 13 released
- http://java.sun.com/...loads/index.jsp
March 24, 2009

Release Notes
- http://java.sun.com/...notes/6u13.html
"...Bug Fixes
This release contains fixes for one or more security vulnerabilities. For more information, please see Sun Alerts 254569, 254570, 254571, 254608, 254609, 254610, and 254611..."
(Links to Alerts shown at the URL above - Total: -7-)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

// Security Updates for Java SE
- http://blogs.sun.com...y/category/news
23 Mar 2009 - "On March 24, 2009, Sun will release the following security updates:
• JDK and JRE 6 Update 13: http://java.sun.com/...loads/index.jsp
• JDK and JRE 5.0 Update 18: http://java.sun.com/.../index_jdk5.jsp
• SDK and JRE 1.4.2_20: http://java.sun.com/...2/download.html
• SDK and JRE 1.3.1_25 (for customers with Solaris 8 and Vintage Support Offering support contracts): http://java.sun.com/...3/download.html ..."

- http://secunia.com/advisories/34451/
Release Date: 2009-03-26
Critical: Highly critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.5.x, Sun Java JDK 1.6.x, Sun Java JRE 1.3.x, Sun Java JRE 1.4.x, Sun Java JRE 1.5.x / 5.x, Sun Java JRE 1.6.x / 6.x, Sun Java SDK 1.3.x, Sun Java SDK 1.4.x...
Solution: Update to a fixed version...

http://web.nvd.nist....d=CVE-2009-1093
http://web.nvd.nist....d=CVE-2009-1094
http://web.nvd.nist....d=CVE-2009-1095
http://web.nvd.nist....d=CVE-2009-1096
http://web.nvd.nist....d=CVE-2009-1097
http://web.nvd.nist....d=CVE-2009-1098
http://web.nvd.nist....d=CVE-2009-1099
http://web.nvd.nist....d=CVE-2009-1100
http://web.nvd.nist....d=CVE-2009-1101
http://web.nvd.nist....d=CVE-2009-1102
http://web.nvd.nist....d=CVE-2009-1103
http://web.nvd.nist....d=CVE-2009-1104
http://web.nvd.nist....d=CVE-2009-1105
http://web.nvd.nist....d=CVE-2009-1106
http://web.nvd.nist....d=CVE-2009-1107

:ph34r:

Edited by AplusWebMaster, 26 March 2009 - 07:36 AM.
Added Secunia advisory and CVE info...



#6 AplusWebMaster


Posted 20 May 2009 - 02:54 PM

FYI...

JRE 5.0 Update 19 released
- http://java.sun.com/.../index_jdk5.jsp
May 20, 2009 - "... already announced its End of Service Life (EOSL) ... October 30th, 2009. Public releases of the J2SE 5.0 platform will be stopped at that time..."

Changes to 1.5.0_19
- http://java.sun.com/...tes.html#150_19
"...As of this update, support has been added for the following system configurations:
• Internet Explorer 8
• Windows Server 2008 ..."
(Bug Fixes: 50+)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

- https://jdk6.dev.java.net/6uNea.html
Java SE 6 Update 14 - FCS - Q2, 2009

.

Edited by AplusWebMaster, 22 May 2009 - 03:46 PM.



#7 AplusWebMaster


Posted 29 May 2009 - 11:57 AM

FYI...

Sun Java - JRE 6 Update 14 released
- http://java.sun.com/...loads/index.jsp
5/29/2009 - "This release is Windows 7 support-ready and includes support for Internet Explorer 8, Windows Server 2008 SP2, and Windows Vista SP2..."

Changes in 1.6.0_14 (6u14)
- http://java.sun.com/...notes/6u14.html
"...Bug Fixes:
This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 13. Users who have Java SE 6 Update 13 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."
(... but there are 350+ bug fixes listed.)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."
___

Auto-updater with Java6u13 does not see Update 14
- http://www.theinquir...-fails-releases
5 June 2009

:ph34r:

Edited by AplusWebMaster, 05 June 2009 - 11:05 AM.
Added updated Sun notes and Inquirer link...



#8 AplusWebMaster


Posted 11 June 2009 - 05:27 AM

FYI...

- http://isc.sans.org/...ml?storyid=6547
Last Updated: 2009-06-11 08:25:06 UTC ...(Version: 2) - "... despite there being 'no security bug fixes', interesting security news in the release notes:
'Blacklist Jar Feature
Support for blacklisting signed jar files has been added to 6u14. A blacklist is a list of signed jars that contain serious security vulnerabilities that can be exploited by untrusted applets or applications. A system-wide blacklist will be distributed with each JRE release. Java Plugin and Web Start will consult this blacklist and refuse to load any class or resource contained in a jar file that's on the blacklist. By default, blacklist checking is enabled. The deployment.security.blacklist.check deployment configuration property can be used to toggle this behavior.
The blacklist entries are the union of the blacklist files pointed to by the deployment.system.security.blacklist and deployment.user.security.blacklist properties. By default, deployment.system.security.blacklist points to the blacklist file in the jre/lib/security directory, and deployment.user.security.blacklist points to a blacklist file that contains additional entries added by a user...'"

:scratch: :ph34r:



#9 AplusWebMaster


Posted 08 August 2009 - 10:49 AM

FYI...

Sun Java JRE 6 Update 15 released
- http://java.sun.com/...loads/index.jsp

Release Notes
- http://java.sun.com/...notes/6u15.html
37 Bug Fixes

- http://isc.sans.org/...ml?storyid=6916
Last Updated: 2009-08-05 17:55:52 UTC ...(Version: 2) - "... Several readers wrote in about the java update. Their concerns included the fact that there is always a pre-checked piggyback application when you download java from SUN. I was offered Microsoft's bling tool bar for IE. Others were offered Carbonite Online Backup. The fact that updates usually modifies your current configuration so if you have your check for updates set to daily you may find has been modified to once a month after the update. You may find the java tray icon is enabled even if you have disabled it in the past. So after you update check your configuration and if you don't want the pre-checked software uncheck the check box."

- http://secunia.com/advisories/36159/2/
Last Update: 2009-08-07
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.5.x, Sun Java JDK 1.6.x, Sun Java JRE 1.4.x, Sun Java JRE 1.5.x / 5.x, Sun Java JRE 1.6.x / 6.x, Sun Java SDK 1.4.x ...
Solution: Update to a fixed version.
JDK and JRE 6 Update 15:
http://java.sun.com/...loads/index.jsp
JDK and JRE 5.0 Update 20:
http://java.sun.com/.../index_jdk5.jsp
Java SE for Business SDK and JRE 1.4.2_22:
http://www.sun.com/s...it_download.jsp ...

CVE reference:
http://web.nvd.nist....d=CVE-2009-2625
http://web.nvd.nist....d=CVE-2009-2670
http://web.nvd.nist....d=CVE-2009-2671
http://web.nvd.nist....d=CVE-2009-2672
http://web.nvd.nist....d=CVE-2009-2673
http://web.nvd.nist....d=CVE-2009-2674
http://web.nvd.nist....d=CVE-2009-2675
http://web.nvd.nist....d=CVE-2009-2676

:(

Edited by AplusWebMaster, 09 August 2009 - 12:59 AM.



#10 AplusWebMaster


Posted 12 August 2009 - 06:09 AM

FYI...

Sun Java JRE 6 Update -16- released
- http://java.sun.com/...loads/index.jsp
08.11.2009

- http://java.sun.com/...notes/6u16.html
"Bug Fixes (1)
This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 15. Users who have Java SE 6 Update 15 have the latest security fixes and do not need to upgrade to this release to be current on security fixes.
BugId
6862295 hotspot / jvmti / JDWP threadid changes during debugging session (leading to ignored breakpoints) ..."

.




#11 Ben T


Posted 20 August 2009 - 11:06 PM

I have NetBeans so I have to install the JDK in addition to the JRE. After the JRE update I downloaded & installed the JDK/NetBeans bundle and it didn't at the time install the new JRE update so I had to install the new JRE in addition to that. Are they always behind updating the JRE version built into the JDK or JDK/NetBeans bundle? Does anybody know? :wacko:

I just have to note that I hate their web site's design. I always have trouble finding the full downloads page and it seems to have gotten worse; I don't know if it is just me or if others find it that way. I know that's random but I was just reminded of that and I felt like ranting. :angry:

Edit: I started to wonder about the update version because all I found was JRE update 15 & JDK update 14 so I clicked on your link to find the JRE and JDK update 16. I don't know. :smack: I hate their site [see rant].

Edited by Ben T, 20 August 2009 - 11:14 PM.



#12 AplusWebMaster


Posted 14 October 2009 - 12:10 PM

FYI...

Sun Java design problem in the updated Secunia OSI applet
- http://secunia.com/v...ecurity_notice/
"... Technical Description
A previous version of the Secunia OSI is affected by a security related design problem in Sun Java, which allows malicious people to manipulate the signed JAR file and allows compromising a system that trusts the certificate used to sign the old version.
Technical Solution
Run the Secunia OSI**. It will automatically configure Sun Java to prevent the old OSI applet from running (by enabling the certificate revocation checks described below). Alternatively, you may remove the trust relationship to the old Secunia certificate and / or manually enable the following Sun Java security settings:
"Check publisher certificate for revocation"
"Enable online certificate validation"
Technical Background
The problem in Sun Java, which affects the Secunia OSI and other signed applets, will be presented at a security conference on 16/10/2008. To secure Secunia OSI users, Secunia has published this update and taken the below described measures to protect the Secunia OSI users until a proper and permanent fix is implemented in Sun Java. Secunia has worked around the design problem in Sun Java in the updated OSI applet, revoked the old certificate, and signed the updated applet with a new certificate. Sun Java does not offer any means to "kill" old applets like e.g. the kill-bit for ActiveX controls. Thus, it has been necessary to revoke the certificate used to sign the old applet. However, certificate revocation is disabled by default in Sun Java. It is therefore necessary to either manually remove the trust relation to the old certificate or run the Secunia OSI, which enables checking of Certificate Revocation Lists (CRL) in Sun Java. Sun has informed Secunia that they are working on a "kill list mechanism". You can read more about these insecure default CRL settings in Sun Java on the CERT/CC blog*."
* http://www.cert.org/..._worse_tha.html

** http://secunia.com/v...ine/?task=start

:ph34r:

Edited by AplusWebMaster, 14 October 2009 - 12:21 PM.

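The blacklist properties named in the 6u14 release notes quoted in post #8 and the two revocation settings listed in the Secunia notice in post #12 can be audited together from a `deployment.properties` file. The Python below is an added example, not part of the thread and not Sun's or Secunia's code. The `deployment.security.validation.crl` and `deployment.security.validation.ocsp` key names do not appear on this page and are assumed to be the file-level names of the two Control Panel checkboxes; the sample file content is constructed.

```python
import re

# Settings that should be "true", mapped to the value assumed when the key is
# absent. Blacklist checking is on by default and revocation checking is off by
# default (both per the quoted text). The two validation.* key names are an
# assumption; they do not appear on this page.
DEFAULTS = {
    "deployment.security.blacklist.check": "true",
    "deployment.security.validation.crl": "false",   # "Check publisher certificate for revocation"
    "deployment.security.validation.ocsp": "false",  # "Enable online certificate validation"
}
BLACKLIST_FILE_KEYS = (
    "deployment.system.security.blacklist",
    "deployment.user.security.blacklist",
)

# key, optional '=' or ':' separator, value; a backslash escapes the next character.
_LINE = re.compile(r"^((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)$")

# Constructed sample, not taken from a real machine.
SAMPLE = r"""#deployment.properties
deployment.version=6.0
deployment.security.blacklist.check=false
deployment.user.security.blacklist=C\:\\Users\\alice\\AppData\\blacklist
deployment.security.validation.crl = true
"""


def parse_properties(text):
    """Parse single-line key/value pairs (no line continuations or unicode escapes)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            key, value = (re.sub(r"\\(.)", r"\1", part) for part in match.groups())
            props[key] = value
    return props


def audit(text):
    """Return (key, effective value, 'explicit' | 'default') for each setting not 'true'."""
    props = parse_properties(text)
    findings = []
    for key, default in DEFAULTS.items():
        value = props.get(key, default).strip().lower()
        if value != "true":
            findings.append((key, value, "explicit" if key in props else "default"))
    return findings


def blacklist_files(text):
    """Report which blacklist files are unioned; unset keys use the JRE's own path."""
    props = parse_properties(text)
    return {key: props.get(key, "<built-in default>") for key in BLACKLIST_FILE_KEYS}


if __name__ == "__main__":
    for key, value, origin in audit(SAMPLE):
        print(f"WEAK  {key}={value} ({origin})")
    for key, path in blacklist_files(SAMPLE).items():
        print(f"INFO  {key} -> {path}")
```

An empty or missing file still yields two findings, because revocation checking is off unless it has been switched on.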


#13 AplusWebMaster


Posted 03 November 2009 - 03:52 PM

FYI...

Sun Java JRE v1.6.0_17 released
- http://java.sun.com/...loads/index.jsp
11.03.2009

- http://java.sun.com/...notes/6u17.html
Bug Fixes ( 33 )
"... This release contains fixes for one or more security vulnerabilities..."

- http://secunia.com/advisories/37231/2/
Release Date: 2009-11-04
Critical: Highly critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to a fixed version.
Original Advisory: Sun:
http://sunsolve.sun....y=1-66-269868-1
http://sunsolve.sun....y=1-66-269869-1
http://sunsolve.sun....y=1-66-269870-1
http://sunsolve.sun....y=1-66-270474-1
http://sunsolve.sun....y=1-66-270475-1
http://sunsolve.sun....y=1-66-270476-1

- http://secunia.com/advisories/37231/3/
CVE reference: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885

:ph34r:

Edited by AplusWebMaster, 11 November 2009 - 05:32 AM.



#14 AplusWebMaster


Posted 04 December 2009 - 01:41 PM

FYI...

Java proof-of-concept attack released
- http://www.theregist...ws_java_attack/
4 December 2009 - "... A security researcher has released a proof-of-concept attack that exploits critical vulnerabilities that Apple patched on Thursday. The vulns stem from bugs in the Java runtime environment that allow attackers to remotely execute malicious code. Sun Microsystems patched the flaws early last month*... The code will also exploit unpatched Windows machines..."
* Sun Java v1.6.0_17: http://java.sun.com/...loads/index.jsp

Quick check to see what you have installed:
- http://javatester.org/version.html

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 04 December 2009 - 02:00 PM.



#15 AplusWebMaster


Posted 05 January 2010 - 03:23 PM

FYI...

Java ...exploit in use in web drive-by attacks
- http://isc.sans.org/...ml?storyid=7879
Last Updated: 2010-01-05 17:54:55 UTC - "... java applet exploiting CVE-2008-5353 ( http://web.nvd.nist....d=CVE-2008-5353 / ...JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier... ) as part of a web drive-by attack. While PoC has been around for a long time for this, this is the first time I've heard of it being used in the wild for a general attack... As we get more details on what it does, we'll update this entry with it."
* https://www.virustot...974d-1262270360
File jar_cache5501.zip received on 2009.12.31 14:39:20 (UTC)
Result: 7/39 (17.95%)

:ph34r: :ph34r:
