Woonsan,

On 5/25/16 11:29 AM, Woonsan Ko wrote:
> On Wed, May 25, 2016 at 11:12 AM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> Mark,
>>
>> On 5/24/16 10:06 AM, Mark Thomas wrote:
>>> TL;DR If you use remote JMX, you need to update your JVM to address
>>> CVE-2016-3427
>>>
>>> For the longer version, see the blog post I just published on
>>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>>
>> Okay, I give up: what version of Java 8 actually has this patch?
>> Oracle's site gives me the runaround and tells me that it's been patched
>> in April, but I have no idea what version of Java was published in
>> April, and Oracle's site seems very reticent to tell me :(
>>
>> The CVEs have virtually no information other than "something bad exists
>> in some versions of some stuff, and you should upgrade". Upgrade to what?
>
> When I clicked on the CVE link and the link to oracle page onward in
> the Reference section
> (CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html),
> I could see the Java version ("Supported Versions Affected" column) in
> the table when I look up "CVE-2016-3427".
Right: "Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9"

I have Java 1.8.0_91. Am I affected? What about if I had Java 1.8.0_60?

That doesn't give a version range. It makes it seem like only that version number was affected. It also doesn't say what version has the fix.

What if you are on a beta-release schedule and you have out-of-band updates from the public ones? What about Java 9? What about Java 5?

The documentation is just horrible.

-chris