Monday, July 21, 2014

7u65 Update Release Notes

Java™ SE Development Kit 7, Update 65 (JDK 7u65)

The full version string for this update release is 1.7.0_65-b17 (where "b" means "build"), except for Windows, where the version string is 1.7.0_65-b20. The version number is 7u65.

Highlights

This update release contains the following enhancements and changes:

IANA Data 2014c

JDK 7u65 contains IANA time zone data version 2014c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 7u65 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
7                     1.7.0_65
6                     1.6.0_81
5.0                   1.5.0_71

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 7u65) will expire with the release of the next critical patch update scheduled for October 14, 2014.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 7u65) on November 15, 2014. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

JavaFX Release Notes

This JDK release includes JavaFX version 2.2.65.

New Features and Changes


New Java Control Panel option to disable sponsors

Currently, to disable sponsor offers at the time of installation, the user can de-select the option during installation or can pass SPONSORS=0 as a command-line option.
In this release, a new Java Control Panel (JCP) option to disable sponsors is available. To use this option, go to the JCP's "Advanced" tab and check or uncheck "Suppress sponsor offers when updating Java".
This option is applicable to 32- and 64-bit Windows operating systems.

New JAXP processing limit property - maxElementDepth

A new property, maxElementDepth, is added to give applications the ability to set a limit on the maximum element depth of an XML file that they parse. This may be helpful for applications that would otherwise consume too many resources when processing an XML file with excessive element depth.
  • Name: http://java.sun.com/xml/jaxp/properties/maxElementDepth
  • Definition: Limit the maximum element depth
  • Value: A positive integer. 0 is treated as no limit. Negative numbers are treated as 0.
  • Default value: 0
  • System property: jdk.xml.maxElementDepth
For more details, see Processing Limits in the JAXP tutorial trail.
See 8031541 (not public).
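To show what the new limit does in practice, here is an added example (not from the release notes) that parses a constructed, deeply nested document with the JDK's built-in SAX parser under different maxElementDepth settings; the class and helper names are mine, and the property is assumed to be set on the parser in the same way as the other JAXP processing limits.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class MaxElementDepthDemo {
    // Property name as given in the release notes.
    static final String MAX_ELEMENT_DEPTH =
            "http://java.sun.com/xml/jaxp/properties/maxElementDepth";

    /** Builds a constructed document nested `depth` levels deep: <a><a>...</a></a>. */
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder("<?xml version=\"1.0\"?>");
        for (int i = 0; i < depth; i++) sb.append("<a>");
        for (int i = 0; i < depth; i++) sb.append("</a>");
        return sb.toString();
    }

    /**
     * Parses xml with the given depth limit (0 = no limit).
     * Returns true if the parser accepted the document and false if the limit
     * rejected it; an exceeded limit surfaces as a fatal SAXParseException.
     */
    static boolean parseWithLimit(String xml, int limit) throws Exception {
        SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
        // Passed as a String, which every JAXP limit accepts.
        parser.setProperty(MAX_ELEMENT_DEPTH, String.valueOf(limit));
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("depth 50,   limit 100: " + parseWithLimit(nested(50), 100));
        System.out.println("depth 5000, limit 100: " + parseWithLimit(nested(5000), 100));
        System.out.println("depth 5000, no limit:  " + parseWithLimit(nested(5000), 0));
    }
}
```

If the application is wired to a third-party parser instead of the JDK's built-in one, setProperty throws SAXNotRecognizedException for this name, so the call is a useful check that the limit is actually in force.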

Bug Fixes


This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.
For a list of bug fixes included in this release, see JDK 7u65 Bug Fixes page.
The following are some of the notable bug fixes in this release:
Area: client-libs/AWT
Synopsis: Using RMI from a restricted environment may cause a NullPointerException.
If an application uses RMI and runs in a restricted environment (i.e., Java Plugin, Java Web Start), it may not work. In particular, if you run a UI from an RMI callback, a NullPointerException is likely to be thrown.
See 8019274.
Area: other-libs/corba
Synopsis: org.omg.CORBA.ORBSingletonClass loading no longer uses context class loader
The system property org.omg.CORBA.ORBSingletonClass is used to configure the system-wide/singleton ORB. The handling of this system property was changed in the 7u55 release to require that the system wide/singleton ORB be visible to the system class loader.
In this release, the handling of this system property has been reverted to match the behavior found in JDK versions prior to the 7u55 release, i.e. the singleton ORB is once again located using the thread context class loader of the first thread to call the no-argument ORB.init method. The change is made to support applications which depend on this behavior.
Note that this change is applicable to 8u20, 7u65, 6u85 and 5.0u75 releases. For JDK 9, the new behavior, where the system wide/singleton ORB needs to be visible to the system class loader, will continue.
See 8046603.

Known Issues


Area: xml/jax-ws
Synopsis: JAF initialization in SAAJ clashing with the one in javax.mail
After initialization of SAAJ components, the javax.mail library may fail to work under certain circumstances, which in turn could break javax.mail's JAF setup.
A possible workaround is to re-add the javax.mail handler before using the javax.mail API:
    import javax.activation.*;
    // Re-register javax.mail's multipart/mixed handler, which the SAAJ setup may have displaced
    MailcapCommandMap mailMap = (MailcapCommandMap) CommandMap.getDefaultCommandMap();
    mailMap.addMailcap("multipart/mixed;;x-java-content-handler=com.sun.mail.handlers.multipart_mixed");

See 8043129.



- wong chee tat :)

Manic malware Mayhem spreads through Linux, FreeBSD web servers

And how Google could cripple infection rate in a second

By Iain Thomson, 18 Jul 2014

Malware dubbed Mayhem is spreading through Linux and FreeBSD web servers, researchers say. The software nasty uses a grab bag of plugins to cause mischief, and infects systems that are not up to date with security patches.

Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov, who work at Russian internet portal Yandex, discovered the malware targeting *nix servers. They traced transmissions from compromised computers to two command and control (C&C) servers. So far they have found 1,400 machines that have fallen to the code, with potentially thousands more to come.

"In the *nix world, autoupdate technologies aren't widely used, especially in comparison with desktops and smartphones. The vast majority of web masters and system administrators have to update their software manually and test that their infrastructure works correctly," the trio wrote in a technical report for Virus Bulletin.

"For ordinary websites, serious maintenance is quite expensive and often webmasters don't have an opportunity to do it. This means it is easy for hackers to find vulnerable web servers and to use such servers in their botnets."

Mayhem spreads by finding servers hosting websites with a remote file inclusion (RFI) vulnerability – it even uses Google's /humans.txt to test for this. If the ad giant rewrote this file, specifically changing the words "we can shake", Mayhem infections would be slowed – until its rfiscan.so plugin is updated.

Once the malware exploits an RFI, or some other weakness, to run a PHP script on a victim, it drops a shared object called libworker.so onto the infected system and pings its C&C servers.

It then creates a hidden file system, usually called sd0, and downloads eight plugins, none of which were picked up by the VirusTotal malware scanning tool.

These include a couple of brute-force password crackers targeting FTP, WordPress and Joomla accounts – presumably to spread the malware further – and information-gathering web crawlers, one of which hunts for other sites with RFI holes.


[Figure: Some of the vulnerable web applications Mayhem scans for (Credit: Kovalev, Ostrashkevich, Sidorov)]
The Yandex trio warn there may be other plugins in circulation, based on data found on the two cracked C&C servers. These include a tool specifically to exploit systems that haven't patched the Heartbleed vulnerability in OpenSSL.

The team notes that the Mayhem code does bear several similarities to the Trololo_mod and Effusion families of malware, which target Apache and Nginx servers respectively. They recommend system administrators check their servers to make sure Mayhem's spread is limited.
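As an added example (not part of the article), the following Java class scans constructed Apache-style access-log lines for the request shape of the RFI attempts described above: a URL parameter whose value points at an external http(s) resource, with the google.com/humans.txt probe the article attributes to Mayhem's rfiscan plugin flagged separately. The log lines, addresses and class name are constructed test data, not indicators from the report.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RfiLogScan {
    // A query-string parameter whose value is an absolute http(s) URL (plain or %-encoded):
    // the request shape of an RFI attempt against an include-style parameter.
    static final Pattern RFI_PARAM = Pattern.compile(
            "[?&][^=&\\s]+=(https?(?:://|%3A%2F%2F)[^&\\s\"]+)", Pattern.CASE_INSENSITIVE);
    // The article says Mayhem confirms a hole by fetching google.com/humans.txt through it.
    static final Pattern HUMANS_TXT = Pattern.compile(
            "google\\.com(?:/|%2F)humans\\.txt", Pattern.CASE_INSENSITIVE);

    /** Returns one finding per log line that carries an RFI-shaped parameter. */
    static List<String> scan(List<String> logLines) {
        List<String> findings = new ArrayList<String>();
        for (String line : logLines) {
            Matcher m = RFI_PARAM.matcher(line);
            if (!m.find()) continue;   // no external URL in any parameter: ordinary request
            String remote = m.group(1);
            String client = line.substring(0, line.indexOf(' '));   // first field: client address
            String kind = HUMANS_TXT.matcher(remote).find() ? "rfi-probe(humans.txt)" : "rfi-attempt";
            findings.add(kind + " client=" + client + " remote=" + remote);
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample lines in Apache combined format (TEST-NET addresses, not real hosts).
        List<String> sample = Arrays.asList(
            "203.0.113.5 - - [18/Jul/2014:10:01:02 +0000] \"GET /index.php?page=about HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0\"",
            "203.0.113.9 - - [18/Jul/2014:10:01:07 +0000] \"GET /index.php?page=http://www.google.com/humans.txt HTTP/1.1\" 200 286 \"-\" \"-\"",
            "198.51.100.2 - - [18/Jul/2014:10:02:11 +0000] \"GET /view.php?file=http%3A%2F%2F198.51.100.77%2Fs.txt HTTP/1.1\" 404 209 \"-\" \"-\"");
        for (String finding : scan(sample)) {
            System.out.println(finding);
        }
    }
}
```

A 200 response to the humans.txt probe is the line worth escalating: it indicates the include actually fetched remote content, whereas a 404 shows the parameter was tried but not served.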



- wong chee tat :)

Om Mani Padme Hum


- wong chee tat :)