Oracle to re-release Java SE patch with extra helping of fixes

Oracle to re-release Java SE patch with extra helping of fixes

Summary: Oracle didn't have time to fix all the Java bugs when it released its out of band patch earlier this month, so now there's a redux on the way.

TOPICS: Security, Oracle

Thought you'd sorted the problems with Java SE already this month? Think again — a new patch is on the way.

Oracle may have released a fix for 50 Java SE vulnerabilities in its out of band update at the start of February, but administrators will need to patch the software again: the company has announced an updated patch will shortly be made available, bringing a "small number" of fixes that Oracle could not include in time for the first patch's release.

The original Critical Patch Update (CPU) for Java SE was due to be released on 19 February, but Oracle brought it forward to close a zero-day flaw affecting the Java Runtime Environment in desktop browsers that was already being exploited by attackers.

"As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE," Oracle's director of software security assurance, Eric Maurice, announced on the company's blog on Friday. 

"This updated February 2013 Critical Patch Update will be published on February 19th and will include the fixes that couldn't be released on February 1st."

Maurice did not say how many fixes it missed in the first release. However, he noted the updated patch will be cumulative, meaning that it will also include all the fixes in the first release.

Two days ahead of Oracle's original patch update, Apple used its anti-malware system Xprotect to block web plugins versions of Java 6 and 7 in Safari, which caused some problems for Java-based enterprise applications.

It's unclear if the 19 February patch will also include fixes for Java 6, which Apple still maintains.

Topics: Security, Oracle

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • There is no such thing like "Java patches"...

    One would expect from a journalist writing about Java to know that there are no "cumulative patches" and actually no patches at all.
    • Word games - you lose

      Do a Google search on "Java patch". Good luck on your future troll endeavors.
      • he's right though

        An Internet search on a statement is a pretty weak test of its veracity. I'm pretty sure what you get from Oracle each time is the full boat, not a patch.
  • However, the article misspeaks about the idea of a RE-release...

    Nothing is being RE-released. The Feb 19th update package is a NEW package. (Unless you're inclined to claim that the previous 9 JRE7 packages were all "re-releases" because none of those fixes were included in the *RTM* of JRE7 back in July, 2011. :-)

    As for the packages, they ARE cumulative. That is to say, regardless of whether you've installed JRE7u13 yet (or any other JRE7 update package), or not, you'll still need to install JRE7u15 on February 19th. Installing JRE7(RTM) + JRE7u13 is identical to installing JRE7(RTM) + JRE7u1 + JRE7u2 + ... + JRE7u13, that's because each JRE7u* package is *cumulative*.
    Lawrence Garvin
  • Don't tell me Windows 8 is a cumulative patch of Windows Vista

    Every release of Java is the entire product - Java SE 7u12, Java SE 7u13 - every one is the entire product and can be installed independently. You can not call a "patch" the new model of a car.
  • Hornets Nest

    Whoooo, Im stayin out of this mess,,,,
  • Oracle needs to get serious about Java

    Ever since Oracle took over Java from Sun, it has been slow to patch critical vulnerabilities in the popular programming language. Despite the pundits saying one should disable Java altogether, I have found hordes of websites insisting on JRE to work smoothly. Some Banking sites don't even provide certain features if JRE isn't installed. So, having Java has become a necessary evil. So, one can only hope that Oracle will give it due attention and importance, to prevent hackers from having a field day at users' expense.
  • I just uninstalled everything Java

    I just uninstalled everything Java

    ...starting from the most recent updates. Won't reinstall until the current mess is sorted out. Currently Oracle rushed and published "patches" (or updates or packages) faster than they can think or test. Allow them time to cool down.

    Versailles, Tue 12 Feb 2013 23:53:10 +0100
    Michel Merlin
  • But we need Java

    All the best stuff on websites runs on Java. Yahoo! games, Pogo, Minecraft, Runescape, and... uh... other super-important stuff worth risking an exploit.

    All us computer geeks had to learn Java applet programming in college anyway. Remember that boring mess? Everybody else should be forced to use it even if it is buggy, slow, and asks you if you want to update it practically every other day. The updates make it secure for at least a few hours anyway.
    • +1000

      You win. While others argue the semantics of "Java patch" vs. "patched Java runtime" (who cares?), this is the important point: it's a vulnerable, clunky waste of disk space that doesn't provide any significant advantages.

      Thank you.
  • Java comments

    You can't put anything on the Internet that isn't true.