Opened 9 years ago
Closed 8 years ago
#7492 closed enhancement (fixed)
OpenJDK-1.8.0.77
| Reported by: | Fernando de Oliveira | Owned by: | Pierre Labastie |
|---|---|---|---|
| Priority: | high | Milestone: | 7.10 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html
Oracle Security Alert for CVE-2016-0603

Description

This Security Alert addresses CVE-2016-0603 which can be exploited when installing Java SE 6, 7 or 8 on the Windows platform. This vulnerability has received a CVSS Base Score of 7.6. To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files into the user's system before installing Java SE 6, 7 or 8. Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system.

Because the exposure exists only during the installation process, users need not upgrade existing Java SE installations to address the vulnerability. However, Java SE users who have downloaded any old version of Java SE prior to 6u113, 7u97 or 8u73 for later installation should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later.

As a reminder, Oracle recommends that Java SE home users visit Java.com to ensure that they are running the most recent version of Java SE and advises against downloading Java SE from sites other than Java.com as these sites may be malicious.

Note: The Java SE Advanced Enterprise installers are not affected.

Supported Products Affected

The security vulnerability addressed by this Security Alert affects the products listed below. Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.

Affected product releases and versions:

| Java SE | Patch Availability |
|---|---|
| JDK and JRE 6 Update 111 on Windows only | Java SE |
| JDK and JRE 7 Update 95 on Windows only | Java SE |
| JDK and JRE 8 Update 71, 72 on Windows only | Java SE |

Patch Availability Table and Risk Matrix

Java SE fixes in this Security Alert are cumulative; this latest update includes all fixes from previous Critical Patch Updates and Security Alerts.
Patch Availability Table

Product Group: Oracle Java SE. Risk Matrix: Oracle Java SE Risk Matrix. Patch Availability and Installation Information:

- Oracle Security Alert for CVE-2016-0603 My Oracle Support Note 2101338.1.
- Developers can download the latest release from http://www.oracle.com/technetwork/java/javase/downloads/index.html.
- Windows users running Java SE with a browser can download the latest release from http://java.com, or use automatic updates to get the latest release.

References

- Oracle Critical Patch Updates and Security Alerts main page [Oracle Technology Network]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [CPU FAQ]
- Risk Matrix definitions [Risk Matrix Definitions]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [Oracle CVSS Scoring]
- English text version of risk matrix [Oracle Technology Network]
- CVRF XML version of the risk matrix [Oracle Technology Network]

Modification History

| Date | Comments |
|---|---|
| 2016-February-5 | Rev 1. Initial Release |
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/archive/jdk8u74-b02.tar.bz2
http://www.oracle.com/technetwork/java/javase/downloads/index.html
Java SE 8u73 / 8u74

Java SE 8u73 includes important security fixes. Oracle strongly recommends that all Java SE 8 users upgrade to this release. Java SE 8u74 is a patch-set update, including all of 8u73 plus additional features (described in the release notes).
http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html
Release Notes for JDK 8 and JDK 8 Update Releases

Java SE 8u74 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u74 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command: `java -version`

Changes in Java SE 8u74 b32

Bug Fixes

| BugId | Category | Subcategory | Description |
|---|---|---|---|
| 6675699 | hotspot | compiler | need comprehensive fix for unconstrained ConvI2L with narrowed typed |
| 8130735 | client-libs | javax.swing | javax.swing.TimerQueue: timer fires late when another timer starts |
| 8038837 | security-libs | java.security | Add support to jarsigner for specifying timestamp hash algorithm |
| 8146336 (Confidential) | deploy | plugin | pac file returns wrong proxy with IE only due to broken wildcarding |
| 8144864 (Confidential) | deploy | plugin | .pac file returns wrong proxy |
| 8145712 (Confidential) | deploy | webstart | NPE is introduced by 8133458 |

Changes in Java SE 8u74 b31

Please note that fixes from prior BPR (8u72 b31) are included in this version.

Bug Fixes

| BugId | Category | Subcategory | Description |
|---|---|---|---|
| 8144963 | deploy | webstart | Javaws checks jar files twice if JVM needs to be restarted |
| 8140291 (Confidential) | deploy | webstart | (JWS)LazyRootStore leak when calling getResourceAsStream on non-class resource |
| 8142982 | deploy | webstart | Race Condition can cause CacheEntry.getJarSigningData() to return null. |

Java™ SE Development Kit 8, Update 73 (JDK 8u73)

The full version string for this update release is 1.8.0_73-b02 (where "b" means "build"). The version number is 8u73. This update release contains several enhancements and changes including the following.

IANA Data 2015g

JDK 8u73 contains IANA time zone data version 2015g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u73 are specified in the following table:

| JRE Family Version | JRE Security Baseline (Full Version String) |
|---|---|
| 8 | 1.8.0_71 |
| 7 | 1.7.0_95 |
| 6 | 1.6.0_111 |

The demos, samples, and Documentation bundles for 8u73 are not impacted by the Security Alert for CVE-2016-0603, so version 8u71 demos, samples, and Documentation bundles remain the most up-to-date version until the April Critical Patch Update release.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see the Oracle Java SE Critical Patch Update Advisory. Note that 8u73 does not contain the PSU builds found in 8u72. Customers who require the additional bug fixes contained in 8u72 should update to 8u74 instead of 8u73.
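A baseline check for the table above, added here as an example (it is not code from the ticket or from Oracle's release notes): it parses a full version string such as 1.8.0_73-b02 from the first line `java -version` prints (the line used below is a constructed sample) and reports whether the update number is at or above the baseline for its family; the function names and the exit-code convention are this example's own.

```shell
#!/bin/sh
# Added example, not code from the ticket or Oracle's notes: check a full
# JRE version string such as "1.8.0_73-b02" against the JRE security
# baselines listed for 8u73 (8 -> 1.8.0_71, 7 -> 1.7.0_95, 6 -> 1.6.0_111).

# baseline_for FAMILY: print the baseline update number for family 6, 7 or 8
baseline_for() {
    case "$1" in
        8) echo 71 ;;
        7) echo 95 ;;
        6) echo 111 ;;
        *) return 1 ;;    # family not covered by the table
    esac
}

# parse_version STRING: print "FAMILY UPDATE" for "1.F.0_U[-bNN]", else fail
parse_version() {
    ver=${1%%-*}                # drop the "-b02" build suffix, if present
    case "$ver" in *_*) ;; *) return 1 ;; esac   # "1.8.0" or "9.0.1": no update
    upd=${ver##*_}              # digits after the last "_"
    fam=${ver%_*}               # "1.8.0"
    fam=${fam#1.}               # "8.0"
    fam=${fam%%.*}              # "8"
    case "$fam" in ''|*[!0-9]*) return 1 ;; esac
    case "$upd" in ''|*[!0-9]*) return 1 ;; esac
    echo "$fam $upd"
}

# meets_baseline STRING: 0 if at/above the baseline, 1 if below,
# 2 if the string cannot be parsed or its family is not in the table
meets_baseline() {
    parsed=$(parse_version "$1") || return 2
    set -- $parsed              # $1 = family, $2 = update number
    min=$(baseline_for "$1") || return 2
    [ "$2" -ge "$min" ]
}

# version_from_java_output LINE: the quoted version from the first line that
# `java -version` prints ("java version ..." or "openjdk version ...")
version_from_java_output() {
    printf '%s\n' "$1" | sed -n 's/^[A-Za-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample of the first line `java -version` prints on 8u73
sample_java_output='java version "1.8.0_73"'

if meets_baseline "$(version_from_java_output "$sample_java_output")"; then
    echo "at or above the security baseline"
else
    echo "below the baseline, or not a recognised version string"
fi
```

On a real system replace the sample with `java -version 2>&1 | head -n 1`, since `java -version` writes to standard error.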
Change History (7)
comment:1 by , 9 years ago

| Priority: | high → normal |
|---|---|
comment:2 by , 9 years ago

| Milestone: | 7.10 → hold |
|---|---|
| Summary: | OpenJDK-1.8.0.74 → OpenJDK-1.8.0.74 (hold until next release) |
comment:3 by , 8 years ago

| Priority: | normal → high |
|---|---|
| Summary: | OpenJDK-1.8.0.74 (hold until next release) → OpenJDK-1.8.0.77 |
New security fix.
Oracle Security Alert for CVE-2016-0636

Description

This Security Alert addresses CVE-2016-0636, a vulnerability affecting Java SE running in web browsers on desktops. This vulnerability is not applicable to Java deployments, typically in servers or standalone desktop applications, that load and run only trusted code. It also does not affect Oracle server-based software.

This vulnerability may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

Due to the severity of this vulnerability and the public disclosure of technical details, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
comment:4 by , 8 years ago

| Owner: | changed from | to |
|---|---|---|
| Status: | new → assigned | |
comment:5 by , 8 years ago (follow-up: 6)

| Milestone: | hold → 7.10 |
|---|---|
The security alert is only for Windows users. I think this can wait for the regular update (in April), unless of course there is another security threat before that.