Educause Security Discussion mailing list archives
Re: Java problems
From: "Ludwig, David C." <dludwig () MIDDLEBURY EDU>
Date: Fri, 1 Feb 2013 22:50:06 +0000
Full patch was just released - http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html Also we recently got some clarity regarding end of life support for Java 6. Public updates will no longer be released, but we can still get updates until 2017 as part of Oracle "support for life" via either Ellucian or our Oracle Site license. David Ludwig Manager of Administrative Systems Library & Information Systems Middlebury College 14 Old Chapel Road Middlebury, VT 05753 Office: (802) 443-5692 Skype: Davidcludwig From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Louis APONTE Sent: Monday, January 14, 2013 11:04 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Java problems Brady What I was hoping to address was that users can not be told they are okay, but rather that they should be at u38. I think its been fairly well established this is a 1.7 issue. Some of my users will not update consistently, so this is the opportunity to have them caught up. No reference to patching 1.6 was intended. la On 1/14/2013 at 8:53 AM, in message <5220D448876FCD43ABAD3F71AC8184483BA2408422 () EXCHANGE2007 oneonta edu<mailto:5220D448876FCD43ABAD3F71AC8184483BA2408422 () EXCHANGE2007 oneonta edu>>, "McClenon, Brady" <Brady.McClenon () ONEONTA EDU<mailto:Brady.McClenon () ONEONTA EDU>> wrote: Update 38 was released on 11/12/2012. It doesn't contain a patch to address a vulnerability Oracle was notified of on 1/11/2013. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Louis APONTE Sent: Monday, January 14, 2013 10:38 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Java problems On the SE download page Oracle advises all version 6 users to move to update 38, not really a stand down as your not affected. The latest updates to that page (as of Sept. 19, 2012) state (emphasis added): Java SE 6 End of Public Updates Notice After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 downloads already posted as of February 2013 will remain accessible in the Java Archive<http://www.oracle.com/technetwork/java/javase/archive-139210.html> on Oracle Technology Network. Developers and end-users are encouraged to update to more recent Java SE versions that remain available for public download. For enterprise customers, who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 6 or older versions, long term support is available through Oracle Java SE Support<http://www.oracle.com/us/technologies/java/java-se-support-393643.html?ssSourceSiteId=otnen> . What does this mean for Oracle E-Business Suite users? EBS users fall under the category of "enterprise users" above. Java is an integral part of the Oracle E-Business Suite technology stack, so EBS users will continue to receive Java SE 6 updates after February 2013. In other words, nothing will change for EBS users after February 2013. The eBusiness and normal users support has created added additional confusion about Java 6.
On 1/14/2013 at 08:21 AM, in message <5220D448876FCD43ABAD3F71AC8184483BA24083E6 () EXCHANGE2007 oneonta edu<mailto:5220D448876FCD43ABAD3F71AC8184483BA24083E6 () EXCHANGE2007 oneonta edu>>, "McClenon, Brady" <Brady.McClenon () ONEONTA EDU<mailto:Brady.McClenon () ONEONTA EDU>> wrote:From http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
Affected product releases and versions: Java SE Patch Availability JDK and JRE 7 Update 10 and earlier Java SE<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html#PatchTable> Note: JDK and JRE 6, 5.0 and 1.4.2, and Java SE Embedded JRE releases are not affected. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger A Safian Sent: Monday, January 14, 2013 10:18 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Java problems I'm not sure if they're correct or not, but, even assuming they are. Since Java 6 is basically not supported any more, how long do you think you can safely continue to use it? Seems like at best you have just kicked the can down the road a little. FWIW, I'd like to be wrong on this, since we use Kronos, and it has the same issue. We're recommending the non-java version right now. Hopefully Oracle will put out some news today... From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin Sent: Monday, January 14, 2013 9:03 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] Java problems Here's a Chicago Tribune story on Java security problems: http://www.chicagotribune.com/business/technology/chi-java-update-oracle-updates-java-security-experts-say-bugs-remain-20130114,0,7822126.story We use Java 6 in order to run Banner. This article seems to suggest that Java 6 doesn't have the problem. People in my department have started to ask me what to do. What do you all think? Kevin
Current thread:
- Java problems Shalla, Kevin (Jan 14)
- Re: Java problems McClenon, Brady (Jan 14)
- Re: Java problems Roger A Safian (Jan 14)
- Re: Java problems McClenon, Brady (Jan 14)
- Re: Java problems Louis APONTE (Jan 14)
- Re: Java problems McClenon, Brady (Jan 14)
- Re: Java problems Louis APONTE (Jan 14)
- Re: Java problems Ludwig, David C. (Feb 01)
- Re: Java problems Dave Koontz (Feb 01)
- Re: Java problems McClenon, Brady (Jan 14)
- Re: Java problems Chuck Braden (Jan 14)