Java 7 Officially Released
Oracle officially released Java 7, including some security updates and several new features and enhancements. Thanks ISC reader Alex for notifying us about it.
The new Java 7 version coexists with the latest Java 6 Update 27 version and is available for download from the Oracle web site, http://www.oracle.com/technetwork/java/index.html, and still makes use of different installers for the 32 and 64-bit versions for all operating systems (Linux, Solaris & Windows).
As you can see in the release notes, the main security enhancements affect the JSSE (Java Secure Socket Extension) and TLS communications, including TLS v1.1 and v1.2 as well as Server Name Indication (SNI) support.
Java 7 does not remove any previous Java versions; I guess this is the intended behavior as this is a major release. From a security perspective, if Java 7 is installed (using Windows as the sample platform) on a system that already has Java 6 installed, both versions will remain, so if you only want to run the latest version, ensure you uninstall any previous versions (as we had to do in the past but with the same major release) and do not leave vulnerable Java 6 releases around.
Considering Java is one of the most targeted pieces of client software today, be ready for future updates on both, Java 6 and Java 7 in your IT environments (perhaps Java 6u28 and Java 7u1), and plan in advance how to manage them.
UPDATE 1: Let's clarify this diary post title a little bit based on txISO comment (thanks!). If you consider Java to be officially released only when it is available at java.com, then Java has not been officially released yet (see quote on 3rd comment below). However, if you consider that Java 7 is available out there, not only in its JDK version (what I consider the version for developers), but the JRE (Java Runtime Environment) version too, then IMHO, it has been released - although only at oracle.com. Besides that, if you are old Java school and go to the old java.sun.com, you will be redirected to the oracle.com page where Java 7 is available to the public. For our ISC audience, officially or not, get ready for Java 7 as soon as possible: it is out there :)
----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com
Comments
Worst, many unsuspecting user may expect their linux package manager to take care of their security updates.
Does this means many Linux users may unknowing be taking a risk here, by not been updated at all (java7)?
Mic
Sep 5th 2011
1 decade ago
Users will need to switch to OpenJDK, or if they continue using the official JRE or JDK, get updates through the potential Oracle Java auto update processes or manually, but their Linux distribution won't be able to provide new updates.
If this information is not widely spread by Oracle and Linux distros, it basically will mean more vulnerable Java versions around for the same Linux package manager blind trust you mention.
Raul Siles
Sep 5th 2011
1 decade ago
[quote]
Why is Java SE 7 not yet available on java.com?
The new release of Java is first made available to the developers to ensure no major problems are found before we make it available on the java.com website for end users to download the latest version. If you are interested in trying Java SE 7 it can be downloaded from Oracle.com
[/quote]
txISO
Sep 5th 2011
1 decade ago