Java 6 Update 19 closes 26 security holes
Security updates for Java SE and Java for Business have been released as Java 6 Update 19. The novel part of this announcement is that, for the first time since the Oracle acquisition of Sun, the advisory appears as an Oracle Critical Patch Update (CPU). The change in format makes the advisory much easier to read and includes ratings on the Common Vulnerability Scoring System (CVSS), making it easier to assess how critical a vulnerability is and what priority should be given to closing the problem.
The holes include buffer overflows within the Java Runtime Environment (JRE) in ImageIO, Java 2D, WebStart, the Java plug-in for browsers, sound, and in the HotSpot server. The issues affect Java 6 Update 16, Java 5.0 Update 23, Java 1.4.2_25 and Java 1.3.1_27.
Oracle's JDK 6 and JRE 6 Update 19 for Windows, Solaris and Linux, JDK 5.0 Update 24 for Solaris only, and SDK 1.4.2_26 for Solaris only, are available to download and close the holes. Java 1.3.1 is no longer supported. Oracle recommends that users install the updates as quickly as possible. For security reasons, TLS renegotiation has been disabled as an interim fix, to be restored in a future update. A number of other non-security fixes have been included in the update.
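The affected and fixed versions above, turned into an inventory check that flags a local JRE still below the fixed update: an added Python example, not code from the article or from Oracle. The fix thresholds are the ones the article names; the `java -version` sample outputs are constructed.

```python
import re
import subprocess

# Lowest fixed update for each affected Java family, as given in the article:
# Java 6 Update 19, Java 5.0 Update 24 and SDK 1.4.2_26. Java 1.3.1 gets no fix.
FIXED_UPDATE = {(1, 6): 19, (1, 5): 24, (1, 4): 26}

# Matches the first line of `java -version`, e.g. java version "1.6.0_16"
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` text, or None."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    major, minor, micro, update = match.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def assess(version):
    """Classify a parsed version against the March 2010 CPU fix levels."""
    major, minor, _micro, update = version
    family = (major, minor)
    if family < (1, 4):
        return "unsupported"   # 1.3.1 and older: affected, but no fix shipped
    if family not in FIXED_UPDATE:
        return "unknown"       # newer family, outside this advisory's scope
    return "patched" if update >= FIXED_UPDATE[family] else "vulnerable"


def check_local_java():
    """Run the java binary on PATH and assess it; None if java is absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    # java -version writes to stderr on most releases, so read both streams
    version = parse_java_version(proc.stderr + proc.stdout)
    return None if version is None else (version, assess(version))


# Constructed sample outputs covering the versions the article names
SAMPLES = [
    'java version "1.6.0_16"\nJava(TM) SE Runtime Environment (build 1.6.0_16-b01)',
    'java version "1.6.0_19"\nJava(TM) SE Runtime Environment (build 1.6.0_19-b04)',
    'java version "1.5.0_23"',
    'java version "1.4.2_25"',
    'java version "1.3.1_27"',
]

if __name__ == "__main__":
    for text in SAMPLES:
        ver = parse_java_version(text)
        print("%d.%d.%d_%02d -> %s" % (ver + (assess(ver),)))
```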
See also:
- Oracle Java SE and Java for Business Critical Patch Update Advisory - March 2010, Oracle advisory.
- Oracle Java Runtime Environment Image File Buffer Overflow Vulnerability, iDefense report.
(djwm)