Thread: Java JRE updates/advisories

  1. #1
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005 | Location: USA | Posts: 6,881

    Oracle Java Pre-Release Announcement - April 2013

    FYI...

    Oracle Java SE Critical Patch Update Pre-Release Announcement - April 2013
    - http://www.oracle.com/technetwork/to...3-1928497.html
    Apr 15, 2013 - "This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Java SE Critical Patch Update for April 2013, which will be released on Tuesday, April 16, 2013... this Critical Patch Update contains -42- new security vulnerability fixes..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    AplusWebMaster (Adviser Team)

    Java JRE 7u21, 6u45 released

    FYI...

    - http://www.symantec.com/connect/blog...-2423-coverage
    Updated: 26 Apr 2013 - "... this vulnerability is now seen as a high priority... Please be aware of -malware- that masquerades as software updates and patches - only download the patch from the official website."

    Current version always shown here:
    - https://www.java.com/en/download/manual.jsp
    ___

    Java JRE 7u21
    - http://www.oracle.com/technetwork/ja...s-1880261.html
    April 16, 2013

    Release Notes
    - http://www.oracle.com/technetwork/ja...s-1932873.html

    - https://blogs.oracle.com/security/en..._patch_update1
    Apr 16, 2013

    Oracle Java SE Critical Patch Update Advisory - April 2013
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA
    April 16, 2013 - "This Critical Patch Update contains 42 new security fixes for Oracle Java SE. 39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

    Recommended Version 7 Update 21
    - https://www.java.com/en/download/manual.jsp

    - https://krebsonsecurity.com/2013/04/...ecurity-holes/
    April 16, 2013 - "... contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to-a-hacked-site-and-get-infected vulnerabilities..."

    Java JRE 6 Update 45
    - http://www.oracle.com/technetwork/ja...s-1902815.html
    ___

    Java 7 Update 21 is available - Watch for Behaviour Changes
    - https://isc.sans.edu/diary.html?storyid=15620
    2013-04-16 - "... Oracle has significantly changed how Java runs with this version. Java now requires code signing, and will pop up brightly coloured dialogue boxes if your code is not signed. They now alert on unsigned, signed-but-expired and self-signed certificates. We'll even need to click "OK" when we try to download and execute signed and trusted Java... graphics you can expect to see once you update are:
    > https://isc.sans.edu/diaryimages/ima...pired_cert.jpg
    > https://isc.sans.edu/diaryimages/ima...igned_cert.jpg
    Full details on the new run policy can be found here ==>
    - https://www.java.com/en/download/hel...itydialogs.xml
    And more information can be found here ==>
    - http://www.oracle.com/technetwork/ja...g-1915323.html "

    Dangerous defaults let certificates stay unchecked.
    - http://www.h-online.com/security/new...ew=zoom;zoom=2
    17 April 2013
    ___

    - http://www.securitytracker.com/id/1028434
    CVE Reference: CVE-2013-0401, CVE-2013-0402, CVE-2013-1488, CVE-2013-1491, CVE-2013-1518, CVE-2013-1537, CVE-2013-1540, CVE-2013-1557, CVE-2013-1558, CVE-2013-1561, CVE-2013-1563, CVE-2013-1564, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-2414, CVE-2013-2415, CVE-2013-2416, CVE-2013-2417, CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2423, CVE-2013-2424, CVE-2013-2425, CVE-2013-2426, CVE-2013-2427, CVE-2013-2428, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431, CVE-2013-2432, CVE-2013-2433, CVE-2013-2434, CVE-2013-2435, CVE-2013-2436, CVE-2013-2438, CVE-2013-2439, CVE-2013-2440
    Apr 16 2013
    Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
    Fix Available: Yes Vendor Confirmed: Yes
    Version(s): 5.0 Update 41, 6 Update 43, 7 Update 17; and prior versions...
    Solution: The vendor has issued a fix (6 Update 45, 7 Update 21)...
    ___

    - http://www.f-secure.com/weblog/archives/00002544.html
    April 23, 2013 - "A few days after Oracle released a critical patch, CVE-2013-2423* is found to (have) already been exploited. Upon checking the history, the exploitation seems to have begun on April 21st and is still actively happening... the Metasploit module was published on the 20th... the exploit was seen in the wild the day after..."
    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-2423

    Last edited by AplusWebMaster; 2013-05-15 at 13:46.

  3. #3
    AplusWebMaster (Adviser Team)

    Java 7u65 released

    FYI...

    Java 7u65 released
    - http://www.oracle.com/technetwork/ja...s-1880261.html
    July 15, 2014

    Java 8u11
    - http://www.oracle.com/technetwork/ja...ads/index.html

    Java SE Risk Matrix
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA
    "... contains 20 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication..."
    ___

    Recommended Version 7 Update 65
    - https://www.java.com/en/download/manual.jsp

    Java Uninstall Tool
    - https://www.java.com/en/download/faq...r_toolinfo.xml
    "... simplifying the process of finding and uninstalling older versions of Java. The Uninstall tool shows you a list of the Java versions on your computer and then removes those that are out of date..."
    - https://www.java.com/en/download/uninstallapplet.jsp
    ___

    - http://www.securitytracker.com/id/1030577
    CVE Reference: CVE-2014-2483, CVE-2014-2490, CVE-2014-4208, CVE-2014-4209, CVE-2014-4216, CVE-2014-4218, CVE-2014-4219, CVE-2014-4220, CVE-2014-4221, CVE-2014-4223, CVE-2014-4227, CVE-2014-4244, CVE-2014-4247, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4264, CVE-2014-4265, CVE-2014-4266, CVE-2014-4268
    Jul 15 2014
    Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
    Fix Available: Yes Vendor Confirmed: Yes
    Version(s): 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5; and prior versions...
    ___

    - https://atlas.arbor.net/briefs/index#-1227693199
    High Severity
    17 Jul 2014

    Last edited by AplusWebMaster; 2014-07-18 at 14:08.

  4. #4
    AplusWebMaster (Adviser Team)

    Java 8u73 released

    FYI...

    Java 8u73 released
    - https://www.java.com/en/download/manual.jsp
    Recommended Version 8 Update 73
    Feb 5, 2016

    Java 8u73 Update Release Notes
    - http://www.oracle.com/technetwork/ja...s-2874654.html

    - http://www.oracle.com/technetwork/ja...ads/index.html

    - http://www.oracle.com/technetwork/to...l#AppendixJAVA
    Notes: Applies to installation of Java SE on Windows only.
    > https://web.nvd.nist.gov/view/vuln/d...=CVE-2016-0603

    - https://blogs.oracle.com/security/en..._cve_2016_0603
    Feb 05, 2016 - "... unsuspecting user (can) be tricked into visiting a malicious web site and download files to the user's system before installing Java 6, 7 or 8... vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system..."

    - https://www.us-cert.gov/ncas/current...y-Updates-Java
    February 08, 2016

    > http://www.securitytracker.com/id/1034969
    Feb 9 2016

    ... -if- you still need to use Java at all. If not - uninstall it!

    Last edited by AplusWebMaster; 2016-02-10 at 12:53.

  5. #5
    AplusWebMaster (Adviser Team)

    Java JRE 7u60 released

    FYI...

    Java JRE 7u60 released
    - http://www.oracle.com/technetwork/ja...s-1880261.html
    May 28, 2014

    Release Notes
    - http://www.oracle.com/technetwork/ja...s-2200106.html
    ... notable bug fixes in this release:
    Area: security-libs/java.security
    Synopsis: Realm.getRealmsList returns realms list in wrong order...

    Bug fixes included in JDK 7u60 release
    - http://www.oracle.com/technetwork/ja...s-2202029.html
    ___

    Recommended Version 7 Update 60
    - https://www.java.com/en/download/manual.jsp

    Last edited by AplusWebMaster; 2014-05-31 at 16:54.

  6. #6
    AplusWebMaster (Adviser Team)

    Java 8u71 released

    FYI...

    Java 8u71 Update Release Notes
    - http://www.oracle.com/technetwork/ja...s-2773756.html
    Jan 19, 2016

    Java SE Risk Matrix
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA

    > http://www.oracle.com/technetwork/to...7956.html#JAVA

    Recommended Version 8 Update 71
    - https://www.java.com/en/download/manual.jsp
    Jan 19, 2016

    ... -if- you still need to use Java at all. If not - uninstall it!
    ___

    - http://www.securitytracker.com/id/1034713
    CVE Reference: CVE-2015-8126, CVE-2015-8472
    Jan 19 2016
    Fix Available: Yes Vendor Confirmed: Yes
    Version(s): 6u105, 7u91, 8u66
    Impact: A remote user can create content that, when loaded by the target application, will execute arbitrary code on the target user's system.
    Solution: Oracle has issued a fix for Oracle Java SE as part of the January 2016 Oracle Critical Patch Update.

    - http://www.securitytracker.com/id/1034714
    CVE Reference: CVE-2015-7575
    Jan 19 2016
    Fix Available: Yes Vendor Confirmed: Yes
    Version(s): 6u105, 7u91, 8u66
    Impact: A remote user can conduct hash collision forgery attacks.
    Solution: Sun has issued a fix for CVE-2015-7575 for Oracle Java SE as part of the January 2016 Oracle Critical Patch Update.

    - http://www.securitytracker.com/id/1034715
    CVE Reference: CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, CVE-2016-0475, CVE-2016-0483, CVE-2016-0494
    Jan 20 2016
    Impact: A remote user can obtain data on the target system.
    A remote user can modify data on the target system.
    A remote user can cause partial denial of service conditions.
    A remote user can gain elevated privileges on the target system.
    Solution: The vendor has issued a fix as part of the January 2016 Oracle Critical Patch Update.

    Last edited by AplusWebMaster; 2016-01-21 at 15:17.
