As happened for the latest release, the latest Java 7 update is also split into two releases:
Update 79, which includes critical security updates only
Update 80, which includes the 79 updates plus a new command line option to detect two deprecated mechanisms: endorsed-standards and extensions.
Endorsed-standards is a way to update the Java core to the latest version of non-Java standards. Extensions allow us to extend the Java core with new libraries and functionality. Both mechanisms have been declared deprecated and will be phased out in the near future. The option introduced in Java 7u80 detects whether these mechanisms have been used in our environments.
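The same kind of check can be run from outside the JVM, which is useful when auditing many installed JREs before the mechanisms disappear. The script below is an added example, not Oracle's code and not the 7u80 option itself (that option is -XX:+CheckEndorsedAndExtDirs): it reports any JAR in lib/endorsed, any JAR in lib/ext that the JDK itself did not ship, and any explicit -Djava.endorsed.dirs / -Djava.ext.dirs override on a java command line. The set of JDK-shipped ext JAR names and the sample layout are assumptions constructed for this example; adjust the set for the build you audit.

```python
"""Detect use of the deprecated endorsed-standards and extension mechanisms.

Added example (not from the original post). Findings are tuples of
(mechanism, path-or-argument).
"""
import os

# Assumption: JAR names a stock Java 7/8 JRE ships in lib/ext. Anything else
# in that directory was installed by an administrator or a third-party product.
JDK_EXT_JARS = {
    "sunjce_provider.jar", "sunec.jar", "sunpkcs11.jar", "zipfs.jar",
    "localedata.jar", "dnsns.jar", "sunmscapi.jar", "jaccess.jar",
    "nashorn.jar", "cldrdata.jar", "jfxrt.jar",
}

# Constructed sample layout of a JRE home (relative paths, POSIX separators).
SAMPLE_LAYOUT = [
    "lib/rt.jar",
    "lib/endorsed/custom-xml-parser.jar",   # endorsed-standards in use
    "lib/ext/sunjce_provider.jar",          # shipped with the JDK, fine
    "lib/ext/localedata.jar",               # shipped with the JDK, fine
    "lib/ext/vendor-crypto.jar",            # third-party extension in use
]


def scan_layout(paths):
    """Classify JAR paths (relative to the JRE home) that use either mechanism."""
    findings = []
    for p in paths:
        if not p.lower().endswith(".jar"):
            continue
        parts = p.split("/")
        if parts[:2] == ["lib", "endorsed"]:
            findings.append(("endorsed", p))
        elif parts[:2] == ["lib", "ext"] and parts[-1] not in JDK_EXT_JARS:
            findings.append(("ext", p))
    return findings


def scan_jre(jre_home):
    """Walk <jre_home>/lib on disk and classify what is found."""
    paths = []
    for root, _, files in os.walk(os.path.join(jre_home, "lib")):
        for f in files:
            rel = os.path.relpath(os.path.join(root, f), jre_home)
            paths.append(rel.replace(os.sep, "/"))
    return scan_layout(sorted(paths))


def scan_command_line(argv):
    """Return explicit overrides of the endorsed/ext directories on a java command line."""
    prefixes = ("-Djava.endorsed.dirs=", "-Djava.ext.dirs=")
    return [a for a in argv if a.startswith(prefixes)]


if __name__ == "__main__":
    for mechanism, where in scan_layout(SAMPLE_LAYOUT):
        print(f"{mechanism:9s} {where}")
    print(scan_command_line(["java", "-Djava.ext.dirs=/opt/ext", "-jar", "app.jar"]))
```

Run scan_jre() against each JRE home in your inventory; an empty result from both functions means the 7u80 option should be silent as well.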
Oracle has released a new Java 7 CPU (see meaning here) release: 7u25.
The release contains, in addition to the usual security bug fixes, several changes that are also targeted at improving security.
The complete list of changes is here, but let me remark on the most important changes:
several changes to signed JAR handling, including a check, before execution, that the signing certificate is valid (not revoked). The check can delay applet/application startup.
new attributes in the JAR manifest file (Permissions, to control the authorizations a JAR runs with, and Codebase, to control where the JAR may be used from) have been introduced to let the JAR author better control JAR usage.
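To see whether the JARs you deploy actually carry these attributes, the manifest main section can be audited directly. The script below is an added example, not code from the original post or from Oracle: it parses a META-INF/MANIFEST.MF (handling the 72-byte line wrapping with continuation lines), reports the Permissions value and the Codebase list, and checks whether a given origin URL is covered. The sample manifest is constructed, and the host-matching rule (exact host, or a leading "*." wildcard) is a simplification assumed here rather than the runtime's own matching.

```python
"""Audit the 7u25 security attributes (Permissions, Codebase) of a JAR manifest.

Added example, not the original post's code. Attribute names are matched
case-insensitively, as manifest attribute names are.
"""
import zipfile

# Constructed sample manifest. The Codebase value is longer than one line, so
# it is wrapped: the trailing space stays on the first line and the
# continuation line starts with a single space, as the manifest format requires.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.7.0_25 (Oracle Corporation)\r\n"
    "Permissions: sandbox\r\n"
    "Codebase: https://apps.example.com \r\n"
    " https://*.intranet.example.com\r\n"
    "\r\n"
    "Name: com/example/Foo.class\r\n"
    "SHA-256-Digest: placeholder\r\n"
)


def parse_main_section(text):
    """Return the main-section attributes as a dict keyed by lower-case name.

    Continuation lines (leading space) are appended to the previous value;
    the first blank line ends the main section, so per-entry sections are ignored.
    """
    attrs = {}
    last = None
    for raw in text.splitlines():
        if raw == "":
            break
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        last = name.strip().lower()
        attrs[last] = value.lstrip()   # keep a trailing space for wrapped values
    return {k: v.strip() for k, v in attrs.items()}


def host_of(entry):
    """Host part of a Codebase entry or origin URL (scheme, port and path dropped)."""
    entry = entry.split("://", 1)[-1]
    return entry.split("/", 1)[0].split(":", 1)[0].lower()


def host_matches(pattern_host, host):
    """Simplified rule assumed for this example: exact host, or '*.' wildcard."""
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])
    return host == pattern_host


def audit_manifest(text, origin):
    """Report the security attributes and whether `origin` is an allowed codebase."""
    attrs = parse_main_section(text)
    perms = attrs.get("permissions")
    entries = attrs.get("codebase", "").split()
    host = host_of(origin)
    return {
        "permissions": perms,
        "permissions_declared": perms in ("sandbox", "all-permissions"),
        "codebase": entries,
        "origin_allowed": any(host_matches(host_of(e), host) for e in entries),
    }


def audit_jar(path, origin):
    """Same audit, reading the manifest out of a JAR file on disk."""
    with zipfile.ZipFile(path) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    return audit_manifest(text, origin)


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, "https://build.intranet.example.com/app.jar"))
```

A JAR with no Permissions attribute, or with all-permissions where sandbox would do, is the finding worth following up with the JAR's author.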
Java Runtime Environment (JRE) and Java Development Kit (JDK) version numbers follow a strict policy that Oracle changed a few months ago.
Knowing the rules behind the version numbers lets us understand the benefits and the risks of migrating our environment to the newest versions.
First of all, two Oracle definitions:
Limited Edition: a release that includes new functionality and/or bug fixes not related to security problems. Limited Edition releases always have even numbers.
Critical Patch Update (CPU): a release that includes only security bug fixes, with no new functionality. CPU releases always have odd numbers.
So JRE/JDK 7 release 11 (in short 7u11, where u = update) is a CPU release, while JRE/JDK 6 release 38 (6u38) introduced new functionality because it is a Limited Edition.
In general it's worth migrating to a new CPU update (to secure our applications) as soon as it is available. Limited Edition releases can (and should) be tested for longer before adoption.
Since last December, Oracle's release plan had been quite stable, but in the last few months a significant number of security vulnerabilities have been discovered and fixed, and the traditional numbering scheme had to be updated: more odd numbers were needed.
So for the future, the numbering scheme is the following:
Limited Edition: the numbering step becomes 20 (20, 40, 60, ...) instead of 2.
CPU: the numbering step becomes 5 (+1 if the resulting number is even), e.g. 45 (first CPU after 40), 51 and 55.
The odd numbers left unused (41, 43, 47, ... in the example above) are reserved, if necessary, for urgent security fixes.
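The rules above are mechanical enough to encode, which is handy when a patch-management tool has to decide how urgently a given build should be rolled out. The script below is an added example, not code from the original post or from Oracle: it parses a version label, classifies an update as CPU or Limited Edition by parity, and generates the scheduled CPU numbers and the spare "urgent fix" slots that follow a 20-step Limited Edition. Applying the 5-step rule to any multiple of 20 (not only the 40 used above) is the example's own generalisation of the stated scheme.

```python
"""Classify Java 6/7 update numbers under the numbering rules described above.

Added example (not from the original post). Even update = Limited Edition,
odd update = CPU; under the new scheme Limited Editions come every 20 and
CPUs at steps of 5, bumped by one when the result would be even.
"""
import re

LIMITED_EDITION_STEP = 20
CPU_STEP = 5


def parse_version(label):
    """'7u45' -> (7, 45). The '1.7.0_45' form is accepted as well."""
    m = re.fullmatch(r"(\d+)u(\d+)", label) or re.fullmatch(r"1\.(\d+)\.0_(\d+)", label)
    if not m:
        raise ValueError(f"unrecognised Java version label: {label!r}")
    return int(m.group(1)), int(m.group(2))


def release_kind(update):
    """Even -> Limited Edition (new functionality), odd -> CPU (security fixes only)."""
    return "Limited Edition" if update % 2 == 0 else "CPU"


def cpu_updates_after(limited_edition):
    """Scheduled CPU numbers between one 20-step Limited Edition and the next."""
    if limited_edition % LIMITED_EDITION_STEP != 0:
        raise ValueError("expected a Limited Edition number under the new scheme")
    out = []
    n = limited_edition
    while True:
        n += CPU_STEP
        if n >= limited_edition + LIMITED_EDITION_STEP:
            return out
        out.append(n + 1 if n % 2 == 0 else n)   # keep CPU numbers odd


def emergency_slots_after(limited_edition):
    """Odd numbers in the window not used by scheduled CPUs: reserved for urgent fixes."""
    scheduled = set(cpu_updates_after(limited_edition))
    window = range(limited_edition + 1, limited_edition + LIMITED_EDITION_STEP, 2)
    return [n for n in window if n not in scheduled]


def adoption_advice(label):
    """Summarise what a version label means for a rollout decision."""
    major, update = parse_version(label)
    kind = release_kind(update)
    advice = ("security fixes only; adopt as soon as available" if kind == "CPU"
              else "new functionality; test before adoption")
    return {"major": major, "update": update, "kind": kind, "advice": advice}


if __name__ == "__main__":
    for label in ("7u11", "6u38", "7u25", "1.7.0_80"):
        print(adoption_advice(label))
    print("after 7u40:", cpu_updates_after(40), "spare:", emergency_slots_after(40))
```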