Message-ID: <54F81196.9060004@gmail.com>
Date: Thu, 05 Mar 2015 09:19:34 +0100
From: Gsunde Orangen <gsunde.orangen@...il.com>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: Re: [FD] Java 8u40 released: why?

I'd be interested in that, too.

In case this out-of-band release is about an important security fix, then either this is something new (details still to be disclosed), or it is associated with CVE-2014-6593 (e.g. incomplete or buggy fix in the January release)?

The details (named as "SKIP-TLS") had been disclosed just this week along with the "FREAK" attack (see https://www.smacktls.com/#skip).

Former descriptions of CVE-2014-6593 only indicated a failure to properly check the ChangeCipherSpec in the TLS connection handshake; but apparently - esp. on client side - much more could go wrong in former JSSE implementations.

Maybe someone involved in OpenJDK could tell more...

Gsunde

On 04.03.2015, 02:23 paul.szabo@...ney.edu.au wrote:
> I notice that Java (JDK, JRE) update 8u40 has been released.
> Though
> http://www.oracle.com/technetwork/java/javase/downloads/index.html
> says "this release includes important security fixes", the release notes
> http://www.oracle.com/technetwork/java/javase/8u40-relnotes-2389089.html
> says the "security baseline" is 1.8.0_31 (unchanged).
> I do not notice any major "useability" issues fixed.
> So: why this out-of-band release?
>
> Thanks, Paul
>
> Paul Szabo psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/