> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
> "Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9"
> I have Java 1.8.0_91. Am I affected?

No.

> What about if I had Java 1.8.0_60?

Yes.

> That doesn't give a version range. It makes it seem like only that
> version number was affected. It also doesn't say what version has the
> fix.

Oracle has certainly made a mess of it. (Among other things, they decided to co-opt the acronym "CPU", intending it to stand for "Critical Patch Update"; I guess they were unaware it had any prior meaning.)

As far as the affected versions go, that column means the specified version and all priors are impacted, and all later versions include the fix. Not at all clear.

> What if you are on a beta-release schedule and you have out-of-band
> updates from the public ones?

Then you get direct weekly e-mails from Oracle describing what's in each CPU, when it will be available, and what build number it will be.

> What about Java 9?

That's included in the e-mails mentioned above. It's still in major flux, so no one should be using it in production or anywhere else that can be accessed from the internet.

> What about Java 5?

Not supported, unless you pay lots of money, in which case you get e-mails.

- Chuck
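The reading Chuck gives of the affected-versions column (the listed update and every earlier one is affected, any later update carries the fix) as an added Python check; this is not code from the thread. It uses the Java SE column quoted above and assumes the installed version is given either as `java -version` prints it (`1.8.0_91`, optional `-bNN` build suffix) or in Oracle's `8u91` notation; Java 9 style version strings are deliberately rejected.

```python
import re
from typing import Dict, Optional, Tuple

# Advisory column as quoted in the thread (Java SE only; Embedded and JRockit omitted).
AFFECTED_JAVA_SE = "Java SE: 6u113, 7u99, 8u77"


def parse_advisory(column: str) -> Dict[int, int]:
    """Map major family -> highest affected update, e.g. {6: 113, 7: 99, 8: 77}."""
    _, _, versions = column.partition(":")
    ceilings: Dict[int, int] = {}
    for token in versions.split(","):
        m = re.fullmatch(r"\s*(\d+)u(\d+)\s*", token)
        if not m:
            raise ValueError(f"unrecognised advisory token: {token!r}")
        ceilings[int(m.group(1))] = int(m.group(2))
    return ceilings


def parse_java_version(ver: str) -> Tuple[int, int]:
    """Return (family, update) for '1.8.0_91', '1.8.0_91-b14', '1.8.0' or '8u91'.

    Assumption: pre-Java 9 version strings only; anything else raises.
    """
    ver = ver.strip()
    m = re.fullmatch(r"1\.(\d+)\.0(?:_(\d+))?(?:-b\d+)?", ver)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = re.fullmatch(r"(\d+)u(\d+)", ver)
    if m:
        return int(m.group(1)), int(m.group(2))
    raise ValueError(f"unrecognised Java version string: {ver!r}")


def is_affected(ver: str, column: str = AFFECTED_JAVA_SE) -> Optional[bool]:
    """True if ver is at or below the listed update for its family,
    False if it is later (fix included), None if the family is not listed
    at all (e.g. Java 5, which the advisory does not assess)."""
    family, update = parse_java_version(ver)
    ceiling = parse_advisory(column).get(family)
    if ceiling is None:
        return None
    return update <= ceiling


if __name__ == "__main__":
    for v in ("1.8.0_91", "1.8.0_60", "7u99", "1.7.0_101", "1.5.0_22"):
        print(v, "->", is_affected(v))
```

A `None` result means the advisory says nothing about that family, which is not the same as "not affected".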