tomcat-users mailing list archives

From Jess Holle <je...@ptc.com>
Subject Re: Java 6u35, 7u07 are available
Date Fri, 31 Aug 2012 15:22:53 GMT
Well, don't give Oracle too much credit -- or grief.

According to various articles (look them up, I didn't save the URLs), 
they were notified of these vulnerabilities ~4 months ago.

Unfortunately several days ago serious attacks in the wild using these 
vulnerabilities were discovered -- after which Oracle responded rather 
quickly.

So one can give Oracle hell for not triaging these particular 
vulnerabilities as needing redress far more quickly than 4 months or 
laud them for fixing the issue quickly once a zero-day attack was found 
in the wild.  I'd say the reasonable response is somewhere in between 
and that overall most companies make some mistakes in this area (just 
look at some of the issues Microsoft has sat on....)

On 8/31/2012 10:16 AM, Williams, Nick wrote:
> Just my smarmy reply to Tony's "when Sun owned Java" comment...
>
> Used to be when Sun owned Java you got security updates months, not days, after a vulnerability like this was discovered. :-)
>
> Not saying I like Oracle (I loathe it most days); just making the point that they were REALLY good about jumping on this issue so quickly.
>
> Nick
>
> -----Original Message-----
> From: Tony Anecito [mailto:adanecito@yahoo.com]
> Sent: Friday, August 31, 2012 10:02 AM
> To: Tomcat Users List
> Subject: Re: Java 6u35, 7u07 are available
>
> Hi All,
>
> I looked at the release notes and there was nearly nothing there. So justification to update was impossible. Oracle needs to realize that releases with just one security and one time clock change make it impossible to explain to anyone why we need to update an Enterprise.
>
> Just my initial reaction. Used to be you got actual release notes when Sun owned Java.
>
> Regards,
> -Tony
>
> --- On Fri, 8/31/12, Konstantin Kolinko <knst.kolinko@gmail.com> wrote:
>
>
> From: Konstantin Kolinko <knst.kolinko@gmail.com>
> Subject: Java 6u35, 7u07 are available
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Date: Friday, August 31, 2012, 8:54 AM
>
>
> Hi!
>
> Just noting that Java 6u35, 7u07 were released by Oracle a day ago http://www.oracle.com/technetwork/java/javase/downloads/
>
> Those contain security fixes for issues exploitable when running Java from within a web browser. (Those running it on server or standalone are said to be unaffected).
> http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
>
> BTW, some media wrote that CVE-2012-4681 affects only Java 7, but not Java 6.
> Oracle page, linked above, says the update includes fixes for two other vulnerabilities and affects both Java 6 and Java 7.
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org