Opened 8 years ago

Closed 8 years ago

#7492 closed enhancement (fixed)

OpenJDK-1.8.0.77

Reported by: Fernando de Oliveira
Owned by: Pierre Labastie
Priority: high
Milestone: 7.10
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html

Oracle Security Alert for CVE-2016-0603

Description

This Security Alert addresses CVE-2016-0603 which can be exploited when
installing Java SE 6, 7 or 8 on the Windows platform. This vulnerability
has received a CVSS Base Score of 7.6.

To be successfully exploited, this vulnerability requires that an
unsuspecting user be tricked into visiting a malicious web site and
download files into the user's system before installing Java SE 6, 7 or
8. Though relatively complex to exploit, this vulnerability may result,
if successfully exploited, in a complete compromise of the unsuspecting
user’s system.

Because the exposure exists only during the installation process, users
need not upgrade existing Java SE installations to address the
vulnerability. However, Java SE users who have downloaded any old
version of Java SE prior to 6u113, 7u97 or 8u73 for later installation
should discard these old downloads and replace them with 6u113, 7u97 or
8u73 or later.

As a reminder, Oracle recommends that Java SE home users visit Java.com
to ensure that they are running the most recent version of Java SE and
advises against downloading Java SE from sites other than Java.com as
these sites may be malicious.

Note: The Java SE Advanced Enterprise installers are not affected.

Supported Products Affected

The security vulnerability addressed by this Security Alert affects the
products listed below.  Please click on the link in the Patch
Availability column or in the Patch Availability Table to access the
documentation for those patches.

Affected product releases and versions:
Java SE   Patch Availability
JDK and JRE 6 Update 111 on Windows only  Java SE
JDK and JRE 7 Update 95 on Windows only   Java SE
JDK and JRE 8 Update 71, 72 on Windows only   Java SE

Patch Availability Table and Risk Matrix

Java SE fixes in this Security Alert are cumulative; this latest update
includes all fixes from previous Critical Patch Updates and Security
Alerts.

Patch Availability Table

Product Group   Risk Matrix   Patch Availability and Installation Information
Oracle Java SE  Oracle Java SE Risk Matrix  

• Oracle Security Alert for CVE-2016-0603 My Oracle Support Note
  2101338.1.
• Developers can download the latest release from
  http://www.oracle.com/technetwork/java/javase/downloads/index.html.
• Windows users running Java SE with a browser can download the latest
  release from http://java.com or use automatic updates to get the
  latest release.


References

  • Oracle Critical Patch Updates and Security Alerts main page [ Oracle
    Technology Network ]
  • Oracle Critical Patch Updates and Security Alerts - Frequently Asked
    Questions [ CPU FAQ ]
  • Risk Matrix definitions [ Risk Matrix Definitions ]
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle
    CVSS Scoring ]
  • English text version of risk matrix [ Oracle Technology Network ]
  • CVRF XML version of the risk matrix [ Oracle Technology Network ]

Modification History

Date  Comments
2016-February-5   Rev 1. Initial Release

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/archive/jdk8u74-b02.tar.bz2

http://www.oracle.com/technetwork/java/javase/downloads/index.html

Java SE 8u73 / 8u74

Java SE 8u73 includes important security fixes. Oracle strongly
recommends that all Java SE 8 users upgrade to this release. Java SE
8u74 is a patch-set update, including all of 8u73 plus additional
features (described in the release notes).

http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html

Release Notes for JDK 8 and JDK 8 Update Releases
Java SE 8u74 Advanced - Bundled Patch Release (BPR) - Bug Fixes and
Updates

The following sections summarize changes made in all Java SE 8u74
Advanced BPR. Bug fixes and any other changes are listed below in date
order, most current BPR first. Note that bug fixes in previous BPR are
also included in the current BPR.

To determine the version of your JDK software, use the following
command:

java -version
Changes in Java SE 8u74 b32

Bug Fixes

BugId   Category  Subcategory   Description
• 6675699   hotspot   compiler  need comprehensive fix for unconstrained
  ConvI2L with narrowed typed
• 8130735   client-libs   javax.swing   javax.swing.TimerQueue: timer
  fires late when another timer starts
• 8038837   security-libs   java.security   Add support to jarsigner for
  specifying timestamp hash algorithm
• 8146336 (Confidential)   deploy  plugin  pac file returns wrong proxy
  with IE only due to broken wildcarding
• 8144864 (Confidential)   deploy  plugin  .pac file returns wrong proxy
• 8145712 (Confidential)   deploy  webstart  NPE is introduced by 8133458

Changes in Java SE 8u74 b31

Please note that fixes from prior BPR (8u72 b31) are included in this
version.

Bug Fixes

BugId   Category  Subcategory   Description
• 8144963   deploy  webstart  Javaws checks jar files twice if JVM needs
  to be restarted
• 8140291 (Confidential)   deploy  webstart  (JWS)LazyRootStore leak when
  calling getResourceAsStream on non-class resource
• 8142982   deploy  webstart  Race Condition can cause
  CacheEntry.getJarSigningData() to return null.

Java™ SE Development Kit 8, Update 73 (JDK 8u73)

The full version string for this update release is 1.8.0_73-b02 (where
"b" means "build"). The version number is 8u73.

This update release contains several enhancements and changes including
the following.

IANA Data 2015g

JDK 8u73 contains IANA time zone data version 2015g. For more
information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the
time of the release of JDK 8u73 are specified in the following table:

JRE Family Version   JRE Security Baseline (Full Version String)
8                    1.8.0_71
7                    1.7.0_95
6                    1.6.0_111

The demos, samples, and Documentation bundles for 8u73 are not impacted
by the Security Alert for CVE-2016-0603, so version 8u71 demos, samples,
and Documentation bundles remain the most up-to-date version until the
April Critical Patch Update release.

Bug Fixes

This release contains fixes for security vulnerabilities. For more
information, see the Oracle Java SE Critical Patch Update Advisory.

Note that 8u73 does not contain the PSU builds found in 8u72. Customers
who require the additional bug fixes contained in 8u72 should update to
8u74 instead of 8u73.

Change History (7)

comment:1 by Pierre Labastie, 8 years ago

Priority: high → normal

The security alert is only for Windows users. I think this can wait for the regular update (in April), unless of course there is another security threat before that.

comment:2 by Pierre Labastie, 8 years ago

Milestone: 7.10 → hold
Summary: OpenJDK-1.8.0.74 → OpenJDK-1.8.0.74 (hold until next release)

comment:3 by Pierre Labastie, 8 years ago

Priority: normal → high
Summary: OpenJDK-1.8.0.74 (hold until next release) → OpenJDK-1.8.0.77

New security fix.

Oracle Security Alert for CVE-2016-0636

Description

This Security Alert addresses CVE-2016-0636, a vulnerability affecting Java SE
running in web browsers on desktops. This vulnerability is not applicable to
Java deployments, typically in servers or standalone desktop applications, that
load and run only trusted code. It also does not affect Oracle server-based
software.

This vulnerability may be remotely exploitable without authentication, i.e.,
may be exploited over a network without the need for a username and password.
To be successfully exploited, an unsuspecting user running an affected release
in a browser will need to visit a malicious web page that leverages this
vulnerability. Successful exploits can impact the availability, integrity, and
confidentiality of the user's system.

Due to the severity of this vulnerability and the public disclosure of technical
details, Oracle strongly recommends that customers apply the updates provided
by this Security Alert as soon as possible.

comment:4 by Pierre Labastie, 8 years ago

Owner: changed from blfs-book@… to Pierre Labastie
Status: new → assigned

comment:5 by bdubbs@…, 8 years ago

Milestone: hold → 7.10

comment:6 by Pierre Labastie, 8 years ago (in reply to comment:5)

Replying to bdubbs@…:

Milestone changed from hold to 7.10

Thanks...

comment:7 by Pierre Labastie, 8 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r17198
