Quick post on Java 6 Update 22 which was released on October 12th.
None of my vulnerabilities awaiting to be fixed on the Coordinated Vulnerability Disclosure front were actually fixed in this release, but a quick binary compare of releases 21 and 22 reveals that some of the stuff I've covered on the blog were addressed.
The Corba ObjectUtility problems I discussed were fixed.
And several of the serialization issues were addressed. It looks like they created a cute little mechanism for preventing external calls to defaultReadObject/defaultWriteObject. And the problem of repeated fields also seems to be addressed. The early reference stuff can't really be fixed, because it is a feature. And that means you can still create an Integer object that has 0 as its value and then later at an arbitrary moment changes it's value to something else.
A few thoughts on Fuchsia security
3 years ago