15 messages in net.java.dev.jugs.jug-leaders: [jug-leaders] Re: Java 7 0day

From / Sent On / Attachments
Tobias Frech, Aug 27, 2012 4:55 am
John Yeary, Aug 28, 2012 6:49 am
Víctor Orozco, Aug 28, 2012 8:46 am
Hildeberto Mendonça, Aug 30, 2012 12:34 am
John Yeary, Aug 30, 2012 5:27 am
Víctor Orozco, Aug 31, 2012 3:46 pm
Georges Saab, Sep 1, 2012 11:04 pm
Frans Thamura, Sep 1, 2012 11:19 pm
Mattias Karlsson, Sep 11, 2012 5:51 am
Frans Thamura, Sep 11, 2012 5:56 am
Donald Smith, Sep 11, 2012 6:01 am
Tobias Frech, Sep 11, 2012 9:27 am
Donald Smith, Sep 11, 2012 9:35 am
Toth, Csaba, Sep 11, 2012 12:53 pm
Hildeberto Mendonça, Sep 12, 2012 12:48 am
Subject:[jug-leaders] Re: Java 7 0day
From:Donald Smith (dona@oracle.com)
Date:Sep 11, 2012 9:35:14 am
List:net.java.dev.jugs.jug-leaders

Someone was teasing me recently for using "quotes" frequently in my "communications".

Glad to see someone else is "like minded". :)

I appreciate the feedback. To "reiterate" the key message, there are well defined policies (at the links below) that explain when/how/why we communicate about these topics. Keep sending us constructive feedback and notes like this, and we will keep doing the best we can.

- Don

On 11/09/2012 12:28 PM, Tobias Frech wrote:

Hi Don! I think I skimmed these policies in the past. Correct me if I am wrong, please.

For admin people it would be very helpful to know what is coming and to get a rough estimate of when applying a patch is due. I applaud Oracle for reacting "quickly" in the latest 0-day issue we had. But the communication could be improved. If an exploit is public, there is no reason not to admit it. And if you do so, Oracle could also let us know they are working on a fix. And perhaps even when it might be available. This communication helps to "keep the faith" and enables admins to plan rollouts. Not talking to the public in such a situation gives all those "experts" enough room to launch their "great" recommendations.

After the latest release there has been a mention of another way to use this 0-day on fully patched systems. If this is not true, then Oracle should let us know by issuing a press release or a blog post or such. I haven't heard anything about this, so I expect a new release.

I sincerely hope Oracle has already prepared itself with a press release and an emergency plan in case that problem exists and it is spotted in the wild and is being exploited.

On Tuesday, 11.09.2012, 09:02 -0400, Donald Smith wrote:

As Georges noted earlier:

The Oracle [security fixing] policy has a bit more nuance than this -- for reference it can be found here:

http://www.oracle.com/us/support/assurance/fixing-policies/index.html

btw, I am not trying to suggest that the policy is perfect, just to facilitate knowing what it actually is.

I would add that the vulnerability disclosure policy can be found here: http://www.oracle.com/us/support/assurance/disclosure-policies/index.html

I would also echo that I'm not trying to suggest these policies are perfect, but am just trying to facilitate knowing that they exist, and what they are.

We do greatly appreciate any and all constructive feedback and links such as this.

- Don

On 11/09/2012 8:52 AM, Mattias Karlsson wrote:

Dear JUG Leaders,

I have tried to keep a calm and balanced view on this topic. Unfortunately that's not the case for the rest of the world... FUD or not... it affects many people. AND not only "Applets" or "plugins": the entire Java Platform... and the growth and acceptance of it.

Today our largest "tabloid" IT magazine woke up and published this LARGE first page... http://twitpic.com/atdzr8

The Experts - "Dump Java" "The Java Platform has serious security issues"

Continued: "The storm of criticism has recently reached hurricane strength and several security experts advise companies against using Java" (not applets, Java in general?)

It then continues with the Security Officer at .SE (largest domain controller in Sweden): "It can be very serious for everybody. We have turned Java off. Problems arise because it is complex software that has been patched and repaired long enough. Personally, I would be happy if Java was abandoned. Unfortunately, software companies prioritize getting products to market quickly rather than spending time on safety."

This said by a safety profile! .SE's Safety Manager that has been named the 2012 safety profile of Safety Awards. https://www.iis.se/en/om-se/ses-sakerhetschef-utsedd-till-arets-sakerhetsprofil

What should I do as JUG Leader and Java Champion? Stand up to the newspapers! (for that to happen, I would like some "inside" info on this OR the Java Champions mailing lists... I would like to help and stand up!)

OR at least expect Oracle to at least meet the journalists? "Oracle declined to comment on the criticism" http://translate.google.com/translate?hl=sv&sl=sv&tl=en&u=http%3A%2F%2Fcomputersweden.idg.se%2F2.2683%2F1.465018

:(

Regards,
Mattias Karlsson
www.linkedin.com/in/mattiask

Jfokus 2013 CfP is OPEN http://www.jfokus.com

2012/9/2 Frans Thamura <fra@meruvian.org>:

My opinion:

I like more bug publication... and the Java case is different from the Windows case; this is a push to manage it, share how to fix it, or let the media recommend removing Java from your desktop, like IE6.

Windows is proprietary and closed development.

I think it would be better for these bugs to become part of OpenJDK rather than the Java SDK, and for there to be a community program to become a patch team to fix the bugs.

I believe the bugs will become part of the Java ecosystem.

Should we wait for Oracle to fix it? How hard is it to fix? Are there people smart enough out there to fix it?

Frans