Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 05 Mar 2015 09:19:34 +0100
From: Gsunde Orangen <>
Subject: Re: [FD] Java 8u40 released: why?

I'd be interested in that, too.
In case this out-of-band release is about an important security fix,
then either this is something new (details still to be disclosed).
Or it is associated with CVE-2014-6593 (e.g. incomplete or buggy fix in
the January release)? The detais (named as "SKIP-TLS") had been
disclosed just this week along with the "FREAK" attack (see Former descriptions of CVE-2014-6593
only indicated a failure to properly check the ChangeCipherSpec in the
TLS connection handshake; but apparently - esp. on client side - much
more could go wrong in former JSSE implemenations.

Maybe someone involved in openJDK could tell more...


On 04.03.2015, 02:23 wrote:
> I notice that Java (JDK, JRE) update 8u40 has been released.
> Though
> says "this release includes important security fixes", the release notes
> says the "security baseline" is 1.8.0_31 (unchanged).
> I do not notice any major "useability" issues fixed.
> So: why this out-of-band release?
> Thanks, Paul
> Paul Szabo
> School of Mathematics and Statistics   University of Sydney    Australia
> _______________________________________________
> Sent through the Full Disclosure mailing list
> Web Archives & RSS:

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.