Old Sun Java JRE updates

[AplusWebMaster]

Additional detail:

Sun Java JDK/JRE multiple vulns - updates available
- http://secunia.com/advisories/32991/
Release Date: 2008-12-04
Critical: Highly critical
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to a fixed version.
JDK and JRE 6 Update 11: http://java.sun.com/javase/downloads/index.jsp
JDK and JRE 5.0 Update 17: http://java.sun.com/javase/downloads/index_jdk5.jsp
SDK and JRE 1.4.2_19: http://java.sun.com/j2se/1.4.2/download.html
SDK and JRE 1.3.1_24 (for customers with Solaris 8 and Vintage Support Offering support contracts): http://java.sun.com/j2se/1.3/download.html ...

- http://www.us-cert.gov/cas/techalerts/TA08-340A.html

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

[AplusWebMaster]

FYI...

- http://java.com/en/download/help/new_plugin.xml
"This article applies to:
* Platform(s): Windows 2000 (SP4+), Windows XP (SP1 SP2), Vista
* Browser(s): Internet Explorer 6.x, Internet Explorer 7.x, Netscape 7, Mozilla 1.4+, Firefox
* JRE version(s): 6.0 ...
...old Java Plug-in and next-generation Java Plug-in
The new Java Plug-in is enabled by default. However if there are issues running applets with the new Java Plug-in, the user can switch to the old Java plug-in without any manual manipulation of the windows registry and moving files..."

(More detail available at the URL above.)

[AplusWebMaster]

FYI...

SunJava SE Runtime Environment JRE 6 Update 12
- http://java.sun.com/javase/downloads/index.jsp
Feb. 2, 2009

Release Notes
- http://java.sun.com/javase/6/webnotes/6u12.html
"This feature release does -not- contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 11. Users who have Java SE 6 Update 11 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."
Bug Fixes: 140

[AplusWebMaster]

FYI...

SunJava SE Runtime Environment JRE 6 Update 13 released
- http://java.sun.com/javase/downloads/index.jsp
March 24, 2009

Release Notes
- http://java.sun.com/javase/6/webnotes/6u13.html
"...Bug Fixes
This release contains fixes for one or more security vulnerabilities. For more information, please see Sun Alerts 254569, 254570, 254571, 254608, 254609, 254610, and 254611..."
(Links to Alerts shown at the URL above - Total: -7-)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

// Security Updates for Java SE
- http://blogs.sun.com/security/category/news
23 Mar 2009 - "On March 24, 2009, Sun will release the following security updates:
• JDK and JRE 6 Update 13: http://java.sun.com/javase/downloads/index.jsp
• JDK and JRE 5.0 Update 18: http://java.sun.com/javase/downloads/index_jdk5.jsp
• SDK and JRE 1.4.2_20: http://java.sun.com/j2se/1.4.2/download.html
• SDK and JRE 1.3.1_25 (for customers with Solaris 8 and Vintage Support Offering support contracts): http://java.sun.com/j2se/1.3/download.html ...

- http://secunia.com/advisories/34451/
Release Date: 2009-03-26
Critical: Highly critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.5.x, Sun Java JDK 1.6.x, Sun Java JRE 1.3.x, Sun Java JRE 1.4.x, Sun Java JRE 1.5.x / 5.x, Sun Java JRE 1.6.x / 6.x, Sun Java SDK 1.3.x, Sun Java SDK 1.4.x...
Solution: Update to a fixed version...

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1093
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1094
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1095
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1096
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1097
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1098
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1099
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1100
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1101
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1102
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1103
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1104
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1105
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1106
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1107

[AplusWebMaster]

FYI...

JRE 5.0 Update 19 released
- http://java.sun.com/javase/downloads/index_jdk5.jsp
May 20, 2009 - "... already announced its End of Service Life (EOSL) ... October 30th, 2009. Public releases of the J2SE 5.0 platform will be stopped at that time..."

Changes to 1.5.0_19
- http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_19
"...As of this update, support has been added for the following system configurations:
• Internet Explorer 8
• Windows Server 2008 ..."
(Bug Fixes: 50+)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."

- https://jdk6.dev.java.net/6uNea.html
Java SE 6 Update 14 - FCS - Q2, 2009

[AplusWebMaster]

FYI...

Sun Java - JRE 6 Update 14 released
- http://java.sun.com/javase/downloads/index.jsp
5/29/2009 - "This release is Windows 7 support-ready and includes support for Internet Explorer 8, Windows Server 2008 SP2, and Windows Vista SP2..."

Changes in 1.6.0_14 (6u14)
- http://java.sun.com/javase/6/webnotes/6u14.html
...Bug Fixes:
This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 13. Users who have Java SE 6 Update 13 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."
(... but there are 350+ bug fixes listed.)

- http://java.sun.com/javase/6/
"Java SE 6 is the current major release of the Java SE platform... Sun provides some older product and technology releases as a courtesy..."
___

Auto-updater with Java6u13 does not see Update 14
- http://www.theinquirer.net/inquirer/...fails-releases
5 June 2009

[tashi]

JRE 6 Update 15

http://java.sun.com/javase/downloads/index.jsp

Quote:

This release is Windows 7 support-ready and includes support for Internet Explorer 8, Windows Server 2008 SP2, and Windows Vista SP2. New features include the G1 garbage collector, plus performance and security enhancements.

Release notes: http://java.sun.com/javase/6/webnotes/6u15.html

Sans Diary.

Quote:

Several readers wrote in about the java update.
Their concerns included the fact that there is always a pre-checked piggyback application when you download java from SUN.
I was offered Microsoft's bling tool bar for IE. Others were offered Carbonite Online Backup.
The fact that updates usually modifies your current configuration so if you have your check for updates set to daily you may find has been modified to once a month after the update.
You may find the java tray icon is enabled even if you have disabled it in the past.
So after you update check your configuration and if you don't want the pre-checked software uncheck the check box.

http://isc.sans.org/diary.html?storyid=6916
___

- http://secunia.com/advisories/36159/2/
Last Update: 2009-08-07
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.5.x, Sun Java JDK 1.6.x, Sun Java JRE 1.4.x, Sun Java JRE 1.5.x / 5.x, Sun Java JRE 1.6.x / 6.x, Sun Java SDK 1.4.x ...
Solution: Update to a fixed version.
JDK and JRE 6 Update 15:
http://java.sun.com/javase/downloads/index.jsp
JDK and JRE 5.0 Update 20:
http://java.sun.com/javase/downloads/index_jdk5.jsp
Java SE for Business SDK and JRE 1.4.2_22:
http://www.sun.com/software/javasefo...t_download.jsp ...

CVE reference:
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2625
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2670
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2671
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2672
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2673
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2674
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2675
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2676
.

[AplusWebMaster]

FYI...

Sun Java JRE 6 Update -16- released
- http://java.sun.com/javase/downloads/index.jsp
08.11.2009

- http://java.sun.com/javase/6/webnotes/6u16.html
"Bug Fixes (1)
This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 15. Users who have Java SE 6 Update 15 have the latest security fixes and do not need to upgrade to this release to be current on security fixes.
BugId
6862295 hotspot / jvmti / JDWP threadid changes during debugging session (leading to ignored breakpoints) ..."

.

[AplusWebMaster]

FYI...

Sun Java design problem in the updated Secunia OSI applet
- http://secunia.com/vulnerability_sca...curity_notice/
"... Technical Description
A previous version of the Secunia OSI is affected by a security related design problem in Sun Java, which allows malicious people to manipulate the signed JAR file and allows compromising a system that trusts the certificate used to sign the old version.
Technical Solution
Run the Secunia OSI**. It will automatically configure Sun Java to prevent the old OSI applet from running (by enabling the certificate revocation checks described below). Alternatively, you may remove the trust relationship to the old Secunia certificate and / or manually enable the following Sun Java security settings:
"Check publisher certificate for revocation"
"Enable online certificate validation"
Technical Background
The problem in Sun Java, which affects the Secunia OSI and other signed applets, will be presented at a security conference on 16/10/2008. To secure Secunia OSI users, Secunia has published this update and taken the below described measures to protect the Secunia OSI users until a proper and permanent fix is implemented in Sun Java. Secunia has worked around the design problem in Sun Java in the updated OSI applet, revoked the old certificate, and signed the updated applet with a new certificate. Sun Java does not offer any means to "kill" old applets like e.g. the kill-bit for ActiveX controls. Thus, it has been necessary to revoke the certificate used to sign the old applet. However, certificate revocation is disabled by default in Sun Java. It is therefore necessary to either manually remove the trust relation to the old certificate or run the Secunia OSI, which enables checking of Certificate Revocation Lists (CRL) in Sun Java. Sun has informed Secunia that they are working on a "kill list mechanism". You can read more about these insecure default CRL settings in Sun Java on the CERT/CC blog*."
* http://www.cert.org/blogs/vuls/2008/...worse_tha.html

** http://secunia.com/vulnerability_sca...ne/?task=start

[AplusWebMaster]

FYI...

Sun Java JRE v1.6.0_17 released
- http://java.sun.com/javase/downloads/index.jsp
11.03.2009

- http://java.sun.com/javase/6/webnotes/6u17.html
Bug Fixes ( 33 )
"... This release contains fixes for one or more security vulnerabilities..."

- http://secunia.com/advisories/37231/2/
Release Date: 2009-11-04
Critical: Highly critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to a fixed version.
Original Advisory: Sun:
http://sunsolve.sun.com/search/docum...=1-66-269868-1
http://sunsolve.sun.com/search/docum...=1-66-269869-1
http://sunsolve.sun.com/search/docum...=1-66-269870-1
http://sunsolve.sun.com/search/docum...=1-66-270474-1
http://sunsolve.sun.com/search/docum...=1-66-270475-1
http://sunsolve.sun.com/search/docum...=1-66-270476-1

- http://secunia.com/advisories/37231/3/
CVE reference: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885