Forum Thread: OSI/PSI Discrepancy with Firefox for Java JRE

This thread was submitted in the following forum:
OSI

This thread has been marked as locked.
ceridgac1 OSI/PSI Discrepancy with Firefox for Java JRE
Member 20th Aug, 2010 08:07
Ranking: 0
Posts: 3
User Since: 20th Aug, 2010
System Score: N/A
Location: US
The Online Software Inspector & the Personal Software Inspector both report my computer's installed version of the Java Runtime Environment software (JRE) as fully patched and current. The installed version of the Java JRE is 6.0.200.2. However, Firefox (Web Browser) version 3.6.8 reports that the current version of the Java JRE is insecure and that it should be updated. It presents an "Update" button.

This has been reported as insecure by Firefox for one month, yet Secunia still displays it as the current patched version of the JRE. This is the first discrepancy I've noted with the OSI/PSI and Firefox. Which is the correct analysis, the Secunia OSI/PSI or Firefox?

taffy078

RE: OSI/PSI Discrepancy with Firefox for Java JRE
This reply has been minimised due to a negative Relevancy Score.
This user no longer exists RE: OSI/PSI Discrepancy with Firefox for Java JRE
Member 20th Aug, 2010 08:49
Hi,

The PSI is right in this matter. Java JRE Update 20 is the latest security update, whereas Update 21 is a maintenance release.

For more information, please see our advisory: http://secunia.com/advisories/39260/

As well as the Java SE 6 Update 20 release notes: http://www.oracle.com/technetwork/java/javase/6u21...

Particularly, at the very bottom of the Oracle release notes:
"Java SE 6 Update 21 does not contain any additional fixes for security vulnerabilities to its previous release, Java SE 6 Update 20. Users who have Java SE 6 Update 20 have the latest security fixes and do not need to upgrade to this release to be current on security fixes."

hope this helps.
ceridgac1 RE: OSI/PSI Discrepancy with Firefox for Java JRE
Member 20th Aug, 2010 09:06
on 20th Aug, 2010 08:13, taffy078 wrote:
Hi ceridgac1.

My Java JRE was updated to v 6.0.210.6 earlier this week.

(A) So that we can help you, we need to know what file(s) Secunia has picked up as insecure. This is what you should do next:

Secunia has picked up no files as insecure -- the score is 100%.

1 Go to the main Secunia PSI window & click on ‘Advanced’ if it’s underlined in blue. (Don't be put off by the name "Advanced"! It's easy to follow/use.)

2 Click on “+” to highlight & expand it.

3 Click on “Technical Details” (in “Toolbox”)

4 This will give you the installation path of the insecure file. If you copy & paste it in your next reply here, someone here will be able to help.


(B) When you reply please also tell us what version of Secunia you are using. It's shown in the bottom-right of the main Secunia screen.

v1.5.0.2

(C) Finally, please post some info about your PC etc – e.g. see my signature below.

Thanks.

ceridgac1 RE: OSI/PSI Discrepancy with Firefox for Java JRE
Member 20th Aug, 2010 09:15
on 20th Aug, 2010 08:49, wrote:
Hi,

The PSI is right in this matter. Java JRE Update 20 is the latest security update, whereas Update 21 is a maintenance release.

For more information, please see our advisory: http://secunia.com/advisories/39260/

As well as the Java SE 6 Update 20 release notes: http://www.oracle.com/technetwork/java/javase/6u21...

Particularly, at the very bottom of the Oracle release notes:
"Java SE 6 Update 21 does not contain any additional fixes for security vulnerabilities to its previous release, Java SE 6 Update 20. Users who have Java SE 6 Update 20 have the latest security fixes and do not need to upgrade to this release to be current on security fixes."

hope this helps.


Thank you, Emil. My suspicions are supported by your response. It is as I suspected, a maintenance release. Sometimes, the download Website for the Java JRE is lax on explanations for what is new with updates. I generally use the 64-bit version of the JRE with IE 8.0-64, but this Firefox recommended update showed using the 32-bit version of Firefox. I have not yet installed the Firefox 64-bit beta version.


Anthony Wells RE: OSI/PSI Discrepancy with Firefox for Java JRE
Expert Contributor 20th Aug, 2010 12:28
Score: 2468
Posts: 3,356
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 20th Aug, 2010 12:30
@ceridgac1,

If it is any consolation, I had exactly the same situation running Java U20 when Firefox 3.6.8 plug-in updates "suddenly" (as it were) requested U21 for Java several days ago, despite U21 being out very much longer.

As expected, the Java website offered me U21 and I took the opportunity to load it, simply to stop the Ff plug-in warning.

If you want full clarification you would need to ask Mozilla as to why the sudden "unnecessary" update warning.

Take care

Anthony

--

It always seems impossible until it's done.
Nelson Mandela
