[jitsi-dev] FYI / OT : Java7 upd 11 released, plugs browser plug-in sec holes, raises security wrt unsigned / self-signed code


[NOTE: while Jitsi packages its own internal JRE I guess many people
who use Jitsi might also have the Java JRE -or JDK in the case of
devs- installed on their systems, so the following would be mildly "on
topic" for this list. If you consider it isn't, then my apologies in
advance -FC]

FYI: Over the weekend, Java 7 update 11 has been released for all
supported operating systems.
All users of Java are strongly encouraged to upgrade to this version.

JRE 7u11

Shorter redirector to the url above: http://ho.io/Java7u11

JDK 7u11 [use only if you need the Java Development Kit]
short url redirector to the page above: http://ho.io/JDK7u11

It fixes the security holes in the **browser plug-in component** (and
only present when using Java applets inside a web browser), widely
reported in the IT and mainstream press last Thursday-Friday. Many of
those news stories included the usual misinformation-FUD recommending
to "uninstall Java" (the whole JVM) instead of just disabling the
browser plug-in component.

In the release notes, ORCL says it has made the browser plug-in NOT
RUN by default any UNSIGNED or "Self-signed" web browser applets
without user confirmation. This effectively should make "zero click
surface" attacks based on applets not possible anymore.

Firefox 18 also added a feature asking users to confirm before running
any plug-in content on each web page or on a per-page basis, thus
creating a double confirmation to run unsigned or self-signed applets.

OK, that's it. Sorry for the noise. I thought it was a news piece
important enough to post here.



During times of Universal Deceit, telling the truth becomes a revolutionary act
- George Orwell