
SANS ISC: Java 6u30 released - Internet Security | DShield SANS ISC InfoSec Forums


Java 6u30 released

Oracle have released Java 6 Update 30 (6u30) today. The fixes are mostly of a functional nature. As far as we can tell from the release notes, no gaping security craters had to be leveled out this time ... for a change. Two security-related fixes are still noteworthy for developers: one affects the use of SSL (TLS_DH_anon_WITH_AES_128_CBC_SHA), the other is about the use of secure cookies in HTTPS when the applet gets invoked via JavaScript. The full release information and list of fixes are available on Oracle's web site.

 

Daniel

367 Posts
ISC Handler
- http://www.oracle.com/technetwork/java/javase/6u30-relnotes-1394870.html
Dec. 12, 2011 - "... a notable bug fix for Java SE 6u30: Area: JSSE: Runtime Synopsis: REGRESSION - 6u29 -breaks- ssl connectivity using TLS_DH_anon_WITH_AES_128_CBC_SHA . It is strongly encouraged that applications using JSSE (SSL/TLS) be upgraded to this release to have access to the latest changes that address this recent vulnerability: Under certain circumstances, Java SE 6u29 will incorrectly throw an IndexOutOfBoundsException or send an extra SSL/TLS packet..."
.
Jack

160 Posts
Brian Krebs identified at least 5 exploitable bugs: http://krebsonsecurity.com/wp-content/uploads/2011/12/java6update30notes.txt
http://krebsonsecurity.com/2011/12/security-updates-for-microsoft-windows-java/
Jack
9 Posts
