Domain: oracle.com
Stories and comments across the archive that link to oracle.com.
Stories · 130
-
Windows 10 Will Banish Spectre Slowdowns With Google's Retpoline Patch (zdnet.com)
Microsoft is including Google's mitigation for the Spectre Variant 2 speculative execution side-channel attack in the next release of Windows 10, currently codenamed 19H1. ZDNet reports: Google developed a software-based mitigation for Spectre Variant 2 called Retpoline that constrains speculative execution behavior sufficiently to mitigate an attack. Google's testing found its fix had a negligible effect on performance. Retpoline was implemented by Linux distributions such as Red Hat and SUSE, as well as by Oracle for Oracle Linux 6 and 7. And now, as MSPoweruser spotted, Microsoft's kernel engineers have confirmed that Retpoline will be part of the next version of Windows 10, 19H1, which is due out next year. Google's Retpoline plus Microsoft's own kernel modifications have reduced the performance impact to "noise level", according to Mehmet Iyigun of Microsoft's Windows and Azure kernel team. "Yes, we have enabled Retpoline by default in our 19H1 flights along with what we call 'import optimization' to further reduce perf impact due to indirect calls in kernel-mode. Combined, these reduce the perf impact of Spectre v2 mitigations to noise-level for most scenarios," wrote Iyigun.
"The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet. -
Oracle Plans To Switch Businesses to Subscriptions for Java SE (infoworld.com)
A reminder for commenters: non-commercial use of Java remains free. An anonymous reader quotes InfoWorld: Oracle has revamped its commercial support program for Java SE (Standard Edition), opting for a subscription model instead of one that has had businesses paying for a one-time perpetual license plus an annual support fee... It is required for Java SE 8, and includes support for Java SE 7. (As of January 2019, Oracle will require a subscription for businesses to continue getting updates to Java SE 8.)
The price is $25 per month per processor for servers and cloud instances, with volume discounts available. For PCs, the price starts at $2.50 per month per user, again with volume discounts. One-, two-, and three-year subscriptions are available... The previous pricing for the Java SE Advanced program cost $5,000 for a license for each server processor plus a $1,100 annual support fee per server processor, as well as $110 one-time license fee per named user and a $22 annual support fee per named user (each processor has a ten-user minimum)...
If users do not renew a subscription, they lose rights to any commercial software downloaded during the subscription. Access to Oracle Premier Support also ends. Oracle recommends that those choosing not to renew transition to OpenJDK binaries from the company, offered under the GPL, before their subscription ends. Doing so will let users keep running applications uninterrupted.
Oracle's senior director of product management stresses that the company is "working to make the Oracle JDK and OpenJDK builds from Oracle interchangeable -- targeting developers and organisations that do not want commercial support or enterprise management tools." -
Oracle Sets End Date for Business Java 8 Updates (infoworld.com)
An anonymous reader quotes InfoWorld: Further clarifying its ongoing support plans for Java SE 8, Oracle will require businesses to have a commercial license to get updates after January 2019. In an undated bulletin about the revision, Oracle said public updates for Java SE 8 released after January 2019 will not be available for business, commercial, or production use without a commercial license. However, public updates for Java SE 8 will be available for individual, personal use through at least the end of 2020.
Oracle advises enterprises to review the Oracle Java SE Support Roadmap to assess support requirements to migrate to a later release or obtain a commercial license... Oracle advises developers to review roadmaps for Java SE 8 and beyond and take appropriate action based on their application and its distribution model. -
Oracle Releases Java 10, Promises Much Faster Release Schedule (adtmag.com)
An anonymous reader quotes Application Development Trends: Oracle announced the general availability of Java SE 10 (JDK 10) this week. This release, which comes barely six months after the release of Java SE 9, is the first in the new rapid release cadence Oracle announced late last year. The new release schedule, which the company is calling an "innovation cycle," calls for a feature release every six months, update releases every quarter, and a long-term support (LTS) release every three years. Java 10 is a feature release that obsoletes Java 9. The next LTS release will be Java 11, expected in September. The next LTS version after that will be Java 17, scheduled for release in September 2021...
The six-month feature release cadence is meant to reduce the latency between major releases, explained Sharat Chander, director of Oracle's Java SE Product Management group, in a blog post. "This release model takes inspiration from the release models used by other platforms and by various operating-system distributions addressing the modern application development landscape," Chander wrote. "The pace of innovation is happening at an ever-increasing rate and this new release model will allow developers to leverage new features in production as soon as possible. Modern application development expects simple open licensing and a predictable time-based cadence, and the new release model delivers on both."
This release finally adds var to the Java language (though its use is limited to local variables with initializers or declared in a for-loop). It's being added "to improve the developer experience by reducing the ceremony associated with writing Java code, while maintaining Java's commitment to static type safety, by allowing developers to elide the often-unnecessary manifest declaration of local variable type." -
'Is It Time For Open Processors?' (lwn.net)
Linux kernel developer (and LWN.net co-founder) Jonathan Corbet recently posted an essay with a tantalizing title: "Is it time for open processors?" He cited several "serious initiatives", including the OpenPOWER effort, OpenSPARC, and OpenRISC, adding that "much of the momentum" appears to be with the RISC-V architecture. An anonymous reader quotes LWN.net: The [RISC-V] project is primarily focused on the instruction-set architecture, rather than on specific implementations, but free hardware designs do exist. Western Digital recently announced that it will be using RISC-V processors in its storage products, a decision that could lead to the shipment of RISC-V by the billion. There is a development kit available for those who would like to play with this processor and a number of designs for cores are available... RISC-V seems to have quite a bit of commercial support behind it -- the RISC-V Foundation has a long list of members. It seems likely that this architecture will continue to progress for some time.
Here are some of the reasons that Corbet argues open source hardware "would certainly offer some benefits, but it would be no panacea."
- "While compilers can be had for free, the same is not true of chip fabrication facilities, especially the expensive fabs needed to create high-end processors... It will never be as easy or as cheap as typing 'make'..."
- "Without some way of verifying underlying design of an actual piece of hardware, we'll never really know if a given chip implements the design that we're told it does..."
- "Even if RISC-V becomes successful in the marketplace, chances are good that the processors we can actually buy will not come with freely licensed designs..."
- "Finally, even if we end up with entirely open processors, that will not bring an end to vulnerabilities at that level. We have a free kernel, but the kernel vulnerabilities come just the same. Open hardware may give us more confidence in the long term that we can retain control of our systems, but it is certainly not a magic wand that will wave our problems away."
"None of this should prevent us from trying to bring more openness and freedom to the design of our hardware, though. Once upon a time, creating a free operating system seemed like an insurmountably difficult task, but we have done it, multiple times over. Moving away from proprietary hardware designs may be one of our best chances for keeping our freedom; it would be foolish not to try."
-
Oracle Announces Java SE 9 and Java EE 8 (oracle.com)
rastos1 writes: Oracle has announced the general availability of Java SE 9 (JDK 9), Java Platform Enterprise Edition 8 (Java EE 8) and the Java EE 8 Software Development Kit (SDK). JDK 9 is a production-ready implementation of the Java SE 9 Platform Specification, which was recently approved together with Java EE 8 in the Java Community Process (JCP). Java SE 9 provides more than 150 new features, including a new module system and improvements that bring more scalability, improved security, better performance management and easier development to the world's most popular programming platform. -
Oracle Now Wants To Give Java EE to an Open Source Foundation (infoworld.com)
An anonymous reader quotes InfoWorld: Oracle wants to end its leadership in the development of enterprise Java and is looking for an open source foundation to take on the role. The company said Thursday that the upcoming Java EE (Enterprise Edition) 8 presents an opportunity to rethink how the platform is developed. Although development is done via open source with community participation, the current Oracle-led process is not seen as agile, flexible, or open enough. "We believe that moving Java EE technologies to an open source foundation may be the right next step, to adopt more agile processes, implement more flexible licensing and change the governance process," Oracle said in a statement...
Despite its desire to retreat from Java EE leadership, Oracle said it plans to continue participating in the evolution of Java EE technologies. "But we believe a more open process, that is not dependent on a single vendor as platform lead, will encourage greater participation and innovation, and will be in best interests of the community"... Oracle's goals for offloading Java EE would have Oracle not lead the project as it still effectively does with Java SE.
Red Hat's senior principal product manager called this "a very positive move," while Eclipse's executive director said that moving Java EE to a vendor-neutral open source foundation "would be great for both the platform and the community," adding "If asked to so, the Eclipse Foundation would be pleased to serve as the host organization." -
Oracle to Block JAR Files Signed with MD5 Starting In April (bleepingcomputer.com)
An anonymous reader quotes BleepingComputer: Oracle says that starting with April 18, 2017, Java (JRE) will treat all JAR files signed with the MD5 algorithm as unsigned, meaning they'll be considered insecure and blocked from running. Oracle originally planned MD5's deprecation for the current Critical Patch Update, released this week, which included a whopping 270 security fixes, one of the biggest security updates to date. The company decided to give developers and companies more time to prepare and delayed MD5's deprecation for the release of Oracle Java SE 8u131 and the next Java CPU, scheduled for release in April...
Oracle removed MD5 as a default code signing option from Java SE 6, released in 2006. Despite this, there will be thousands of Java apps that will never be re-signed. For this, Oracle will allow system administrators to set up custom deployment rule sets and exception site lists to allow Java applets and Java Web Start applications signed with MD5 to run. Sometime in the second half of 2017, Oracle also plans to change the minimum key length for Diffie-Hellman algorithms to 1024 bits. These updates are part of Oracle's long-standing plan for changes to the security algorithms in the Oracle Java Runtime Environment and Java SE Development Kit. -
Oracle Scraps Plans For Solaris 12 (theregister.co.uk)
bobthesungeek76036 writes: According to The Register, Solaris 12 has been removed from Oracle roadmaps. This pretty much signals the demise of Solaris (as if we didn't already know that...) From the report: "The new blueprint -- dated January 13, 2017 -- omits any word of Solaris 12 that Oracle included in the same document's 2014 edition, instead mentioning 'Solaris 11.next' as due to debut during this year or the next complete with 'Cloud Deployment and Integration Enhancements.' At the time of writing, search engines produce no results for 'Solaris 11.next.' The Register has asked Oracle for more information. The roadmap also mentions a new generation of SPARC silicon in 2017, dubbed SPARC Next, and then in 2020 SPARC Next+. The speeds and capabilities mentioned in the 2017 document improve slightly on those mentioned in the 2014 roadmap." -
Facebook Buys Data From Third-Party Brokers To Fill In User Profiles (ibtimes.com)
An anonymous reader quotes a report from International Business Times: According to a report from ProPublica, the world's largest social network knows far more about its users than just what they do online. What Facebook can't glean from a user's activity, it's getting from third-party data brokers. ProPublica found the social network is purchasing additional information including personal income, where a person eats out and how many credit cards they keep. That data all comes separate from the unique identifiers that Facebook generates for its users based on interests and online behavior. A separate investigation by ProPublica in which the publication asked users to report categories of interest Facebook assigned to them generated more than 52,000 attributes. The data Facebook pays for from other brokers to round out user profiles isn't disclosed by the company beyond a note that it gets information "from a few different sources." Those sources, according to ProPublica, come from commercial data brokers who have access to information about people that isn't linked directly to online behavior. The social network doesn't disclose those sources because the information isn't collected by Facebook and is publicly available. Facebook does provide a page in its help center that details how to get removed from the lists held by third-party data brokers. However, the process isn't particularly easy. In the case of the Oracle-owned Datalogix, users who want off the list have to send a written request and a copy of a government-issued identification in the mail to Oracle's chief privacy officer. Another data collecting service, Acxiom, requires users provide the last four digits of their social security number to see the information the company has gathered about them. -
Slashdot Asks: What Are Your Favorite Java 8 Features? (infoworld.com)
New submitter liveedu shares with us a report from InfoWorld: When Java 8 was released two years ago, the community graciously accepted it, seeing it as a huge step toward making Java better. Its unique selling point is the attention paid to every aspect of the programming language, including JVM (Java Virtual Machine), the compiler, and other help-system improvements. Java is one of the most searched programming languages according to TIOBE index for July 2016, where Java ranks number one. Its popularity is also seen on LiveCoding, a social live coding platform for engineers around the world, where hundreds and thousands of Java projects are broadcasted live. InfoWorld highlights five Java 8 features for developers in their report: lambda expressions, JavaScript Nashorn, date/time APIs, Stream API and concurrent accumulators. But those features only scratch the surface. What makes Java 8 amazing in your opinion? What are your favorite Java 8 features that help you write high quality code? You can view the entire list of changes made to the programming language here. -
Oracle Patches 136 Flaws In 49 Products
An anonymous reader writes: Oracle has released the April 2016 Critical Patch Update, which provides fixes for 136 vulnerabilities in 49 products, including Java SE and MySQL, the company's Database Server and E-Business Suite, its Fusion Middleware, and its Sun Systems Products Suite. "Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay," the company advised. -
Java Installer Flaw Shows Why You Should Clear Your Downloads Folder (csoonline.com)
itwbennett writes: On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have lying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason: Older versions of the Java installer were vulnerable to binary planting in the Downloads folder. 'Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system,' said Eric Maurice, Oracle's software security assurance director, in a blog post. -
Oracle To Drop Java Browser Plugin In JDK 9 (softpedia.com)
An anonymous reader writes: After Mozilla said in October that it would stop supporting Firefox plugins on the older NPAPI technology, Oracle had no choice now but to announce the deprecation of the Java browser plugin starting with the release of the JDK version 9, which is set for release in March 2017, and developers are urged to start using the Java Web Start pluginless technology instead. Security issues also had a big part in Java's demise. -
Firefox Support For NPAPI Plugins Ends Next Year (mozilla.org)
An anonymous reader writes: Mozilla announced that it will follow the lead of Google Chrome and Microsoft Edge in phasing out support for NPAPI plugins. They expect to have it done by the end of next year. "Plugins are a source of performance problems, crashes, and security incidents for Web users. ... Moreover, since new Firefox platforms do not have to support an existing ecosystem of users and plugins, new platforms such as 64-bit Firefox for Windows will launch without plugin support." Of course, there's an exception: "Because Adobe Flash is still a common part of the Web experience for most users, we will continue to support Flash within Firefox as an exception to the general plugin policy. Mozilla and Adobe will continue to collaborate to bring improvements to the Flash experience on Firefox, including on stability and performance, features and security architecture." There's no exception for Java, though. -
Oracle Releases Massive Security Update
wiredmikey writes Oracle has pushed out a massive security update, including critical fixes for Java SE and the Oracle Sun Systems Products Suite. Overall, the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password. -
Oracle Database Certifications Are No Longer Permanent
jfruh writes: It used to be that you could get an Oracle database certification and declare yourself Oracle-certified for the rest of your career. That time is now over, causing a certain amount of consternation among DBAs. On the one hand, it makes sense that someone who's only been certified on a decade-old version of the product should need to prove they've updated their skills. On the other, Oracle charges for certification and will definitely profit from this shift. -
Java 8 Officially Released
darthcamaro writes "Oracle today officially released Java 8, nearly two years after Java 7, and after much delay. The new release includes a number of critical new features, including Lambda expressions and the new Nashorn JavaScript engine. Java 8, however, is still missing at least one critical piece that Java developers have been asking for, for years. 'It's a pity that some of the features like Jigsaw were dropped as modularity, runtime dependencies and interoperability are still a huge problem in Java,' James Donelan, vice president of engineering at MuleSoft said. 'In fact this is the one area where I still think Java has a long way to go.'" -
Oracle Seeking Community Feedback on Java 8 EE Plans
An anonymous reader writes with this quick bite from Info Q: "Oracle is seeking feedback from the Java community about what it should work on for the next version of Java EE, the popular and widely used enterprise framework. As well as standardizing APIs for PaaS and SaaS the vendor is looking at removing some legacy baggage including EJB 2.x remote and local client view (EJBObject, EJBLocalObject, EJBHome, and EJBLocalHome interfaces) and CORBA." -
Oracle Kills Commercial Support For GlassFish: Was It Inevitable?
An anonymous reader writes "Oracle acquired GlassFish when it acquired Sun Microsystems, and now — like OpenSolaris and OpenOffice — the company has announced it will no longer support a commercial version of the product. Mike Milinkovich, executive director of the Eclipse Foundation, said in an interview the decision wasn't exactly a surprise: "The only company that was putting any real investment in GlassFish was Oracle," Milinkovich said. "Nobody else was really stepping up to the plate to help. If you never contributed anything to it, you can't complain when something like this happens." An update to the open source version is still planned for 2014." GlassFish is an open source application server. -
VirtualBox 4.3 Comes With New Multi-Touch Support, Virtual Cam and More
donadony writes "Oracle announced the release of VirtualBox 4.3; this is a major release that comes with important new features, devices support and improvements. According to the announcement, 'Oracle VM VirtualBox 4.3 adds a unique virtual multi-touch interface to support touch-based operating systems, and other new virtual devices and utilities, including webcam devices and a session recording facility. This release also builds on previous releases with support for the latest Microsoft, Apple, Linux and Oracle Solaris operating systems, new virtual devices, and improved networking functionality.'" -
Oracle Attacks Open Source; Says Community-Developed Code Is Inferior
sfcrazy writes "Oracle has a love-hate relationship with open source technologies. In a whitepaper (PDF) for the Department of Defense, Oracle claims that TCO (total cost of ownership) goes up with the use of open source. They're essentially trying to build a case for the use of their own products within the government. 'The skill required to successfully and economically blend source code into a commercially viable product is relatively scarce. It should not be done directly at government expense.' Oracle also attacks the community-based development model, calling it more insecure than company developed products. 'Government-sponsored community development approaches to software creation lack the financial incentives of commercial companies to produce low-defect, well-documented code.'" -
Will New Red-Text Warnings Kill Casual Use of Java?
New submitter ddyer writes "Java 1.7.0_40 [Note: released earlier this month] introduces a new 'red text' warning when running unsigned Java applets. 'Running unsigned applications like this will be blocked in a future release...' Or, for self-signed applets, 'Running applications by UNKNOWN publishers will be blocked in a future release...' I think I see the point — this will give the powers that be the capability to shut off any malware java applet that is discovered by revoking its certificate. The unfortunate cost of this is that any casual use of Java is going to be killed. It currently costs a minimum of $100/year and a lot of hoop-jumping to maintain a trusted certificate." -
Oracle Promises 100x Faster DB Queries With New In-Memory Option
Hugh Pickens DOT Com writes "ZDNet reports that Oracle's Larry Ellison kicked off Oracle OpenWorld 2013 promising a 100x speed-up querying OLTP database or data warehouse batches by means of a 'dual format' for both row and column in-memory formats for the same data and table. Using Oracle's 'dual-format in-memory database' option, every transaction is recorded in row format simultaneously with writing the same data into a columnar database. 'This is pure in-memory columnar technology,' said Ellison, explaining that means no logging and very little overhead on data changes while the CPU core scans local in-memory columns. Ellison followed up with the introduction of Oracle's new M6-32 'Big Memory Machine,' touted to be the fastest in-memory machine in the world, hosting 32 terabytes of DRAM memory and up to 384 processor cores with 8-threads per core." -
Java Update Implements Whitelists To Combat 0-Day Hacks
kylus writes "The Register is reporting that Oracle's new Java 7 update 40 release comes complete with a new 'Deployment Rule Set' capability which allows administrators to define which particular applets and Java Web Start applications ('Rich Internet Applications') are permitted to run on a given machine. Not a complete solution for the recent trend of Java hacks that have cropped up, but good news for enterprises that have to run this in their environment." Update: 09/19 20:08 GMT by U L : There's an introduction to deploying rule sets on the Java platform group weblog too. -
Same Programs + Different Computers = Different Weather Forecasts
knorthern knight writes "Most major weather services (US NWS, Britain's Met Office, etc) have their own supercomputers, and their own weather models. But there are some models which are used globally. A new paper has been published, comparing outputs from one such program on different machines around the world. Apparently, the same code, running on different machines, can produce different outputs due to accumulation of differing round-off errors. The handling of floating-point numbers in computing is a field in its own right. The paper apparently deals with 10-day weather forecasts. Weather forecasts are generally done in steps of 1 hour. I.e. the output from hour 1 is used as the starting condition for the hour 2 forecast. The output from hour 2 is used as the starting condition for hour 3, etc. The paper is paywalled, but the abstract says: 'The global model program (GMP) of the Global/Regional Integrated Model system (GRIMs) is tested on 10 different computer systems having different central processing unit (CPU) architectures or compilers. There exist differences in the results for different compilers, parallel libraries, and optimization levels, primarily due to the treatment of rounding errors by the different software systems. The system dependency, which is the standard deviation of the 500-hPa geopotential height averaged over the globe, increases with time. However, its fractional tendency, which is the change of the standard deviation relative to the value itself, remains nearly zero with time. In a seasonal prediction framework, the ensemble spread due to the differences in software system is comparable to the ensemble spread due to the differences in initial conditions that is used for the traditional ensemble forecasting.'" -
Oracle To Stop Developing Sun Virtualization Technologies
hypnosec writes "Oracle will soon be announcing its decision to stop development of Sun virtualization technologies including Sun Ray Software and Hardware, Oracle Virtual Desktop Client, and Virtual Desktop Infrastructure (VDI) product lines. In an update to its support policies [Oracle support login required] for virtualization software and hardware, the database company has revealed that this decision is a result of its efforts to 'tightly align Oracle's future desktop virtualization portfolio investments with Oracle Corporation's overall core business strategy.'" -
Oracle Discontinues Free Java Time Zone Updates
New submitter Noel Trout writes "For a long time in the Java world, there has been a free tool called the 'tzupdater' or Time Zone Updater released as a free download first by Sun and then Oracle. This tool can be used to apply a patch to the Java runtime so that time zone information is correct. This is necessary since some time zones in the world are not static and change more frequently than one might think; in general time zone updates can be released maybe 4-6 times a year. The source information backing the Java timezone API comes from the open source Olson timezone database that is also used by many operating systems. For certain types of applications, you can understand that these updates are mission critical. For example, my company operates in the private aviation sector so we need to be able to display the correct local time at airports around the world. So, the interesting part is that Oracle has now decided to only release these updates if you have a Java SE support contract. Being Oracle, such licenses are far from cheap. In my opinion, this is a pretty serious change in stance for Oracle and amounts to killing free Java for certain types of applications, at least if you care about accuracy. We are talking about the core API class java.util.TimeZone. This begs the question, can you call an API free if you have to pay for it to return accurate information? What is the point of such an API? Should the community not expect that core Java classes are fully functional and accurate? I believe it is also a pretty bad move for Java adoption for these types of applications. If my company as a startup 10 years ago would have been presented with such a license fee, we almost certainly could not have chosen Java as our platform as we could not afford it." -
To Avoid Confusion: Oracle's Confusing New Java Numbering Scheme
twofishy writes "'To avoid the confusion caused by renumbering releases,' Oracle has announced that it is adopting a new numbering scheme for JDK 5.0, JDK 6 and JDK 7. 'The next Limited Update for JDK 7 will be numbered 7u40, and the next 3 CPUs after that will be numbered 7u45, 7u51, and 7u55.' The vendor notes that a more elegant solution would require the changing of the version numbering scheme to accommodate different kinds of changes (for example by using 7u44-2). However this cannot be implemented outside of a major release, since doing so might break existing code that parses version strings (possibly including the Java auto-update system)." Here's Oracle's announcement. -
Oracle Fixes 42 Security Vulnerabilities In Java
wiredmikey writes "Oracle released its quarterly Critical Patch Update (CPU) for April, which addressed a whopping 128 security issues across multiple product families. As part of its update, Oracle released a Java SE Critical Patch Update to plug 42 security holes in Java, 19 with base CVE score of 10 (the highest you can go) and 39 related to the Java Web Start plugin which can be remotely exploited without authentication. According to security analyst Wade Williamson, organizations need to realize that Java will continue to pose a significant risk. 'The first step is for an organization to understand precisely where and why Java is needed,' Williamson wrote. 'Based on the rate of newly discovered vulnerabilities, security teams should assume that Java is and will continue to be vulnerable.' Organizations should take a long, hard look at Java and answer for themselves if it's worth it, Williamson added. Due to the threat posed by a successful attack, Oracle is strongly recommending that organizations apply the security fixes as soon as possible." -
Oracle Rushes Emergency Java Update To Patch McRAT Vulnerabilities
msm1267 writes "Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today's update patches CVE-2013-1493 and CVE-2013-0809, the former was discovered last week being exploited in the wild for Java 6 update 41 through Java 7 update 15. The vulnerability allows for arbitrary memory execution in the Java virtual machine process; attackers exploiting the flaw were able to download the McRAT remote access Trojan." -
MySQL 5.6 Reaches General Availability
First time accepted submitter jsmyth writes "MySQL 5.6.10 has been released, marking the General Availability of version 5.6 for production." Here's more on the features of 5.6. Of possible interest to MySQL users, too, is this look at how MySQL spinoff MariaDB (from Monty, one of the three creators of MySQL) is making inroads into the MySQL market, including (as we've mentioned before) as default database system in some Linux distributions. -
Oracle Responds To Java Security Critics With Massive 50 Flaw Patch Update
darthcamaro writes "Oracle has been slammed a lot in recent months about its lackluster handling of Java security. Now Oracle is responding as strongly as it can with one of the largest Java security updates in history. 50 flaws in total with the vast majority carrying the highest-possible CVSS score of 10." -
Oracle Ships Java 7 Update 11 With Vulnerability Fixes
An anonymous reader writes "After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website here: Java SE 7u11. In the release notes for this update, Oracle notes this version 'contains fixes for security vulnerabilities.' A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities." -
Official Doc Reveals Oracle's Cloud Rules
itwbennett writes "In an official document that is both 'confidential' and publicly available on Oracle's website, the company lays out its cloud policies. Most of the policies follow industry standards, but then there are a few that should give customers pause. Like the one that allows Oracle to turn off access to accounts in the event of a dispute or account violation." -
Oracle Makes Red Hat Kernel Changes Available As Broken-Out Patches
Artefacto writes "The Ksplice team has made available a git repository with the changes Red Hat made to the kernel broken down. They are calling this project RedPatch. This comes in response to a policy change Red Hat had implemented in early 2011, with the goal of undercutting Oracle and other vendors' strategy of poaching Red Hat's customers. The Ksplice team says they've been working on these individual patches since then. They claim to be now making it public because they 'feel everyone in the Linux community can benefit from the work.' 'For Ksplice, we build individual updates for each change and rely on source patches that are broken-out, not a giant tarball. Otherwise, we wouldn't be able to take the right patches to create individual updates for each fix, and to skip over the noise — like a change that speeds up bootup — which is unnecessary for an already-running system.'" -
Oracle Patches Java 7 Vulnerability
First time accepted submitter JavaBear writes "Oracle have just released the u7 release of their Java 7. From the article: 'In response to the findings of a recent vulnerability in Java 7 that was being exploited by malware developers, Oracle has released an official patch that takes care of the problem. In the past week, a new vulnerability was unveiled in Oracle's Java 7 runtime, which has been used by hackers in targeted attacks on Windows-based systems. Similar to the recent Flashback malware in OS X, this vulnerability allows criminals to create a drive-by hack where the only action needed to compromise a system is to visit a rogue Web page that hosts a malicious Java applet.'" -
CowboyNeal Reviews Oracle Linux
CowboyNeal writes "Last week, Oracle announced that they were making Oracle Linux available free of charge, and also provided a script that makes switching to Oracle Linux nearly painless for existing CentOS users. What makes Oracle Linux unique, and why would anyone want to use it? Read on to find out, as I delve into what Oracle Linux has to offer."
What is Oracle Linux?
On its face, Oracle Linux feels like just another Red Hat Enterprise Linux (RHEL) derivative. It uses anaconda for an installer. It uses yum for handling packages. Configuration is handled just like RHEL, CentOS, or Scientific Linux. To be honest, the reasons why anyone would switch to Oracle Linux aren't immediately apparent after installing. It feels like nearly any other Linux with the Oracle name bolted on. Under the hood, however, are some rather compelling features.
The Unbreakable Enterprise Kernel
I have to start off with saying that I hate the name "Unbreakable Enterprise Kernel." I've seen enough crazy stuff in my time, to know that no software is truly unbreakable. It might be pretty good, but unbreakable is like calling the Titanic unsinkable. Given a poor enough captain, or in this case, an administrator, I don't have any doubts that the kernel could be broken in at least some fashion. However, I suppose that "Unbreakable Enterprise Kernel" sounds a lot better than the "Pretty-dang-tootin'-robust Enterprise Kernel," and with a target like enterprise customers, terms like "Pretty-dang-tootin'" just won't get stuffy execs to authorize using Oracle Linux.
With that off my chest, let's see what the Unbreakable Linux Kernel does have to offer. Oracle has added a number of their own enhancements into a Linux 2.6 kernel. These include networking optimizations, NUMA optimizations, and enhancements for OCFS2, asynchronous I/O, SSD disk access, OLTP, and more. They clearly work pretty well, as back in March, Oracle submitted a TPC-C benchmark for a Sun Fire server that was the fastest x64-based non-clustered system.
Ksplice: Update Your Kernel Without Rebooting
Ksplice was acquired by Oracle roughly a year ago, and as a result is married to Oracle Linux rather nicely. Ksplice is the holy grail for any administrator who is obsessed with uptime. It gives you the ability to update your kernel, with no downtime necessary. This is by far the best reason to use Oracle Linux, but it also comes at a steep price. While support for Ksplice is present in the Unbreakable Enterprise Kernel, it does nothing without the Ksplice Uptrack service enabled.
How does one get Ksplice Uptrack? It's only included with an Oracle premier support contract. While Oracle is quick to note that it costs less than a similar-tier RHEL support contract, it's also still more than most people would want to pay for just reboot-less kernel updates. Sure, there's also actual support included in the contract, but the lack of an à la carte option for just Ksplice Uptrack doesn't make a premier support contract any easier to swallow.
I should note here, that regular package updates via yum, and regular kernel updates via yum, are still totally free. If you don't mind rebooting, Ksplice isn't a must-have. If Oracle wanted to attract more customers, an à la carte option for Ksplice Uptrack would be a step in the right direction. If they wanted to really build some good will with the Linux community, they'd make Ksplice Uptrack free for everyone. I know it may sound weird to mention Oracle and good will together, but I'd never thought I'd see Oracle and "free" mentioned together either. As it is, it feels like Uptrack is being used as the bait for a support contract, when the support contract should really be able to stand on its own.
DTrace: Debugging and Troubleshooting in Real Time
To be fair, the DTrace modules can be plugged into a lot of Linux kernels already out there, but Oracle Linux has done the leg work for their users. Maybe you're not doing the sort of development that requires DTrace, but it's still something handy to have in the toolbox when something breaks. It's also a handy way to profile already running processes at any moment, with little to no impact on performance when tracing a process. Oracle maintains a long list of DTrace resources on their OpenSolaris site.
Should I give this a look?
If you're already perfectly happy with your RHEL or CentOS Linux install, Oracle Linux is a hard sell, even at the price of free. After toying about with the system, I'd say it's at least worth a hard look. As it is, you get the benefits of CentOS or Scientific Linux, with Oracle's own stuff bolted on, and their enhancements, even minus Ksplice, make a compelling argument to use Oracle Linux. If you are setting up a machine to use Oracle's database software, Oracle Linux is the best choice, since it's been designed to support Oracle DB, and is the same Linux that Oracle uses in-house. While Oracle's premier support contract is cheaper than the RHEL alternative, the actual cost of switching from RHEL to Oracle in a given case may not be. While this release is a good first step for Oracle, more options, like free Ksplice Uptrack, or even a Ksplice Uptrack subscription, would make it an easier sell.
If you'd like to give Oracle Linux a try, without having to jump through a lot of hoops, the Oracle Linux Wiki has a list of download sites.
-
Used Software Can Be Sold, Says EU Court of Justice
Sique writes "An author of software cannot oppose the resale of his 'used' licenses allowing the use of his programs downloaded from the internet. The exclusive right of distribution of a copy of a computer program covered by such a license is exhausted on its first sale. This was decided [Tuesday] (PDF) by the Court of Justice of the European Union in a case of Used Soft GmbH v. Oracle International Corp." -
Google Developer Testifies That Java Memo Was Misinterpreted
benfrog writes with a piece that appeared in yesterday's Wall Street Journal about the in-progress legal battle between Oracle and Google over Java: "Ex-Sun and current Google employee Tim Lindholm testified that it was 'not what he meant' when asked about the smoking gun email (included here (PDF)) that essentially said that Google needed to get a license for Java because all the alternatives 'suck[ed].' He went on in 'brief but tense testimony' to claim that his day-to-day involvement with Android was limited." -
Oracle, Cloudera Team Up On Hadoop Appliance
LinuxScribe writes "Oracle has announced a new Big Data Appliance, which will feature Cloudera's Hadoop, shiny hardware, and a price tag that could be more affordable than commodity servers. But Oracle's new Cloudera partner should heed the lessons of Red Hat and what it means to partner with Oracle." -
Oracle's Plans for Java Unveiled at JavaOne
msmoriarty writes "Oracle had lots of Java announcements at this year's JavaOne. So far the plans include: 'The availability of an early access version of JDK 7 for the Mac OS, plans to "bridge the gap" between Java ME and Java SE, an approach to modularizing Java SE 8 that will rely on the Jigsaw platform, a new project that aims to use HTML5 to bring Java to Apple's iOS platform, the availability of JavaFX 2.0, a pending proposal to open source that technology, gearing up Java EE for the cloud, and a delay in the release of Java 8.'" -
Why You Shouldn't Panic About Closed Source MySQL Extensions
jfruhlinger writes "Oracle has released proprietary extensions to the open source MySQL database, seeming to reinforce the worst fears of those in the open source community who opposed Oracle's acquisition of MySQL in the first place. But open source observer Brian Proffitt urges you not to panic: This dual source strategy really isn't unusual in the commercial open source world, Oracle has already released a bevy of open source improvements to the database, and anyway the EU extracted a commitment to keep MySQL open for another four years when it approved the Sun-Oracle merger."