Puppy Linux Discussion Forum
Critical flaw in Oracle Java SE impacts over 1 billion users
Monsie


Joined: 01 Dec 2011
Posts: 633
Location: Kamloops BC Canada

Posted: Thu 27 Sep 2012, 04:39    Post subject: Critical flaw in Oracle Java SE impacts over 1 billion users

Hi all,

While there are no reported attacks in the wild yet, this is a serious flaw in the Java virtual machine that allows an attacker to take over a user's system... This vulnerability is found in Java Standard Edition (it used to be called JRE I think) 5, 6, & 7 and apparently affects most platforms: Windows, Mac, Linux, and Solaris. Details can be found here at arstechnica along with lots of relevant links for further info.

Apparently Oracle has not responded to this situation yet, but it is hoped that there will be a patch by mid October which is the next scheduled update.

Users of OpenJDK may or may not be affected... nothing has been confirmed yet, but since OpenJDK uses a different code base, there is discussion to suggest there's some chance the flaw will not impact it, or that the effects will be less severe. I don't know if anyone has managed to successfully install OpenJDK in any breed of Puppy Linux or not, but some people including myself will be looking at OpenJDK impact as well since it is used in many distros now in lieu of Oracle Java.

Monsie

_________________
My username is pronounced: "mun-see". Derived from my surname, it was my nickname throughout high school.
darkcity


Joined: 23 May 2010
Posts: 2452
Location: near here

Posted: Thu 27 Sep 2012, 08:22

It's worrying Oracle knew about previous flaws but did nothing
http://www.theregister.co.uk/2012/08/30/oracle_knew_about_flaws/

There is speculation Oracle cannot keep up with fixes.

What license is it released under?

_________________
helping Wiki for help | IF SendSpace link = "dead" THEN PM me ("up file to http://meownplanet.net/")
Monsie


Joined: 01 Dec 2011
Posts: 633
Location: Kamloops BC Canada

Posted: Fri 28 Sep 2012, 04:22    Post subject: Critical flaw in Oracle Java SE impacts over 1 billion users

Apparently, there are up to fifty outstanding security issues in Java SE at present as explained here: http://www.security-explorations.com/en/SE-2012-01-status.html
The good news is that apparently Oracle has developed fixes for most of these flaws... and hopefully it will release all of its fixes by the next regularly scheduled critical patch update in mid-October, though it sounds like the latest critical flaw (as per this thread) might not be fixed by then, in which case Oracle will either issue an out-of-band patch or make everyone wait until the following scheduled update (February, 2013). I suspect what will make the difference here is if any exploits are discovered in the wild. Some tech writers are suggesting that fixes might be slow in being issued because enterprises need time to test and deploy any patches. But then, isn't this one of the reasons there is an Enterprise Edition of Oracle Java as well as the Standard Edition? That being the case, why should the rest of the user base have to wait for these security fixes to be issued? Unless enterprises are using the Standard Edition also... but then, that begs the question as to why this would be allowed.

Beyond that, some security companies are issuing various patches for some of these flaws, but really (it seems to me) these "fixes" can only be workarounds, because Oracle has its own license for Java SE which means Oracle is the only body that can touch the code base. Now I am no legal expert re: software licensing, but for the sake of discussion, I will call Oracle's license proprietary and whether that is technically correct, I don't know. In any event, I assume any patches put forward by security companies would allow a business to continue to use Java SE thus avoiding any inconvenience or hardship from otherwise having to uninstall or disable Java SE until the scheduled update from Oracle.

Monsie

Monsie


Joined: 01 Dec 2011
Posts: 633
Location: Kamloops BC Canada

Posted: Thu 18 Oct 2012, 02:30    Post subject: Critical flaw in Oracle Java SE impacts over 1 billion users

Hi all,

Here's an update to confirm that Oracle released its latest Java SE runtime version on October 16th. Only about 30 flaws were fixed as reported in this article right here, and the critical flaw that sparked my initial post is still outstanding. It will not be fixed until the next scheduled patch release come February apparently. One can only hope this flaw is not exploited in the meantime...

Monsie

_________________
My username is pronounced: "mun-see". Derived from my surname, it was my nickname throughout high school.
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 1 of 1 [4 Posts]  
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0678s ][ Queries: 12 (0.0197s) ][ GZIP on ]