Re: Java problems

["McClenon, Brady" <Brady.McClenon () ONEONTA EDU>]

Update 38 was released on 11/12/2012.   It doesn't contain a patch to address a vulnerability Oracle was notified of on 
1/11/2013.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Louis 
APONTE
Sent: Monday, January 14, 2013 10:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Java problems


On the SE download page Oracle advises all version 6 users to move to update 38, not really a stand down as your not 
affected.



The latest updates to that page (as of Sept. 19, 2012) state (emphasis added):

Java SE 6 End of Public Updates Notice

After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 
downloads already posted as of February 2013 will remain accessible in the Java 
Archive<http://www.oracle.com/technetwork/java/javase/archive-139210.html> on Oracle Technology Network. Developers and 
end-users are encouraged to update to more recent Java SE versions that remain available for public download. For 
enterprise customers, who need continued access to critical bug fixes and security fixes as well as general maintenance 
for Java SE 6 or older versions, long term support is available through Oracle Java SE 
Support<http://www.oracle.com/us/technologies/java/java-se-support-393643.html?ssSourceSiteId=otnen> .


What does this mean for Oracle E-Business Suite users?

EBS users fall under the category of "enterprise users" above.  Java is an integral part of the Oracle E-Business Suite 
technology stack, so EBS users will continue to receive Java SE 6 updates after February 2013.

In other words, nothing will change for EBS users after February 2013.


The eBusiness and normal users support has created added additional confusion about Java 6.



> > > On 1/14/2013 at 08:21 AM, in message <5220D448876FCD43ABAD3F71AC8184483BA24083E6 () EXCHANGE2007 oneonta 
> > > edu<mailto:5220D448876FCD43ABAD3F71AC8184483BA24083E6 () EXCHANGE2007 oneonta edu>>, "McClenon, Brady" 
> > > <Brady.McClenon () ONEONTA EDU<mailto:Brady.McClenon () ONEONTA EDU>> wrote:
> From http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

Affected product releases and versions:
Java SE

Patch Availability

JDK and JRE 7 Update 10 and earlier

Java SE<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html#PatchTable>




Note: JDK and JRE 6, 5.0 and 1.4.2, and Java SE Embedded JRE releases are not affected.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger A 
Safian
Sent: Monday, January 14, 2013 10:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Java problems

I'm not sure if they're correct or not, but, even assuming they are.  Since Java 6 is basically not supported any more, 
how long do you think you can safely continue to use it?  Seems like at best you have just kicked the can down the road 
a little.

FWIW, I'd like to be wrong on this, since we use Kronos, and it has the same issue.  We're recommending the non-java 
version right now.

Hopefully Oracle will put out some news today...

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, 
Kevin
Sent: Monday, January 14, 2013 9:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Java problems

Here's a Chicago Tribune story on Java security problems:
http://www.chicagotribune.com/business/technology/chi-java-update-oracle-updates-java-security-experts-say-bugs-remain-20130114,0,7822126.story

We use Java 6 in order to run Banner.  This article seems to suggest that Java 6 doesn't have the problem.  People in 
my department have started to ask me what to do.  What do you all think?

Kevin