critical vulns - time to update

There are 5 critical bugs which allow untrusted applets to break out of the sandbox.

Three of those bugs (bug-IDs 6263857, 6277266 and 6277659) are related to reflection stuff, another one (bug 6268876) is in Java Management Extensions (JMX). And the last one (6243400) seems to be more general.

Affected versions (win, solaris and linux):

BugID 6243400: JDK/JRE 5.0 Update 3
BugID 6268876: JDK/JRE 5.0 Update 3
BugID 6263857: SDK/JRE 1.3.1_15, 1.4.2_08, JDK/JRE 5.0 Update 3
BugID 6277266: SDK/JRE 1.4.2_08, JDK/JRE 5.0 Update 3
BugID 6277659: SDK/JRE 1.4.2_08, JDK/JRE 5.0 Update 3
(including prior versions)

Sun suggests upgrading to JDK/JRE 5.0 Update 4 or SDK/JRE 1.4.2_09. Currently JDK/JRE 5.0 Update 5 and SDK/JRE 1.4.2_10 are already available.

See these advisories for details:
Security Vulnerabilities in the Java Runtime Environment
Security Vulnerability With Java Management Extensions in the Java Runtime Environment
Security Vulnerabilities in the Java Runtime Environment 2

Source: news on heise.de (German)

Thanks,

Currently I’ve got 1.4.2_08 & 1.5.0_5 on this PC. Looks like the 08 needs replacing. It seems only yesterday that I was scrubbing 1.4.2_04 due to security bugs :’(

Alan :slight_smile:

observations:

  • the up-to-date checker didn’t work for me since I have both 1.6 AND 1.5 installed and 1.6 webstart doesn’t check 1.5 it appears :frowning:
  • online installer worked very well since it just binary patched it into its new folder (it did however turn automatic update ON again, don’t change my settings!)
  • new jre1.5.0_05 installation wasn’t picked up by the java control panel applet (in the applet runtime settings, application settings works)
  • uninstalling 04 worked fine but was marked red in control panel, instead of removed?

Do I have to update the JDK too ?

Do I have to update the JDK too ?

The JDK comes with two JREs. A public one, which should be used by everyone and his dog and their browsers… and another one which is basically only there for running javac. However, I would upgrade that either way… some browser could accidentally pick that one up or whatever.

I uninstalled the public JRE together with the JDK (and its own JRE) and installed 1.5.0_05. This time I was even smart enough to change the path variable before rebooting (uninstall, update path, reboot, install) :wink: