user1493834

Reputation: 766

JDK 1.8 critical update / security patch

This is about Oracle's critical update

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA

Is it possible to know what the real security vulnerabilities were, and what code changes have been made to fix them, by downloading the OpenJDK source code?

If I check the CVE details, mostly it says "Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45".

When it says 6u95, 7u80 are affected, does it mean earlier versions (6u31, 7u55) are also affected?

Upvotes: 0

Views: 863

Answers (1)

Stephen C

Reputation: 719596

Yes, it is possible to know¹. Ask Oracle. You probably need a support contract though, and you may be required to sign non-disclosure, etc. agreements.

The other thing you could do is to wait until the corresponding patches have made it into the publicly accessible OpenJDK source-code base.


Oracle are being cagey about this for the same reasons that other software manufacturers are cagey about vulnerabilities. They are trying to protect their customers by making it harder for the bad guys to craft exploits. More significantly, there is always a risk that Oracle (or whoever) have missed something.


When it says 6u95, 7u80 are affected, does it mean earlier versions (6u31, 7u55) are also affected?

You should assume so. If that is not a good enough answer, then contact Oracle.


1 - Actually, this is based on supposition, but I'm pretty sure that a "sufficiently valuable Java customer" with a demonstrable "need to know" would be granted access to this kind of information.

Upvotes: 1
