On March 3, Oracle announced a new version of Java 8, designated Update 40. This update includes a variety of improvements for stability and performance, but no security fixes.
The release notes for Java JDK 8 Update 40 provide the technical details.
A new version of Chrome was released on Tuesday. Version 41.0.2272.76 includes fixes for at least 51 security vulnerabilities, as well as a number of other fixes related to stability and performance.
Mozilla quietly slipped a new version of Firefox to the public yesterday. Firefox 36.0 fixes at least 17 security issues, adds more HTML5 compatibility, and adds HTTP/2 functionality to the browser.
As usual, I learned about the new version from a non-Mozilla source, this time a post on the CERT alerts blog. There was no announcement at all on the Mozilla blog.
The release notes and security advisories (aka known vulnerabilities) pages provide additional details on the new release.
Update 2015Feb25: I did receive an email alert from Mozilla that could conceivably be considered an announcement for the new version. The Firefox download page includes a ‘Get Firefox news’ signup form, and I was able to confirm the email I received was sent via this mechnism. Sounds good, right? Not really. The email talks exclusively about Firefox’s new(ish) ‘Hello’ chat feature. It never mentions anything about a new version, or even the version in which ‘Hello’ first appeared. It only says that if you want to try it, you should install the latest version of Firefox.
The latest version of Chrome apparently includes a few minor bug fixes. At least that’s my interpretation of the extremely uninformative release notes and associated version control log.
Google is getting increasingly sloppy with its release notes for Chrome. Will they clean up their act, or move even closer to the chaotic and confusing methods employed by Mozilla for Firefox?
A new version of WordPress, described as a maintenance release by the developers, was announced yesterday.
The new version includes fixes for several minor bugs, none of which are related to security. The announcement page includes a link to the list of tickets corresponding to the changes in this release.
WordPress sites that are configured for automatic updates should have the new version installed automatically over the next couple of days.
Microsoft has announced this month’s updates. There are nine bulletins and associated patches, addressing 56 vulnerabilities in Windows, Office and Internet Explorer. Three are flagged as Critical.
Recommendation: install these updates as soon as possible. At least one of them fixes a bug that’s currently being exploited in the wild.
The official bulletin summary has all the technical details.
The latest version of Chrome fixes eleven security issues. Version 40.0.2214.111 also includes the latest embedded version of Flash (16.0.0.305).
The release notes for Chrome 40.0.2214.111 describe some of the changes in the new version. There’s a link to the ‘full list of changes’, but since the linked page is an automated change log from the version management software Git, it’s aimed at developers and not much use for regular users. A link to ’11 security fixes’ currently displays an empty page.
In any case, since the new Chrome contains security fixes and the new Flash, anyone using the browser is strongly encouraged to allow Chrome to update itself before using it for web browsing.
To their credit, Adobe is reacting swiftly to the recent outbreak of critical vulnerabilities in Flash. They just released another new version (16.0.0.305) to address vulnerability CVE-2015-0313, which is being actively exploited on the Internet.
Anyone using Flash, especially in a web browser, should install the new version as soon as possible.
Internet Explorer for Windows 8.x and Google Chrome will see related updates in the very near future.
Update 2015Feb07: Ars Technica: As Flash 0day exploits reach new level of meanness, what are users to do?
Another new version of Google’s web browser was announced on Friday. The release notes for version 40.0.2214.94 don’t provide any useful information on what’s different. There is only a link to the version control log entries for version 40.0.2214.94. And unfortunately, that log is both difficult to interpret (especially for non-technical folks) and extremely light on details. It looks like the new version fixes two minor issues, neither related to security.
A new version of Firefox was released by Mozilla yesterday. Version 35.0.1 includes fixes for various crashing and security issues.
There was no announcement from Mozilla for Firefox 35.0.1. As usual, I learned of the new release from non-Mozilla web sites. The struggle continues.
Although there have been some improvements to the release notes for Firefox, it’s still often difficult to determine whether the items listed changed in the version being discussed, or in a previous version. For instance, while all the items at the top of the list marked as ‘Fixed’ also refer to version 35.0.1, nothing else on the list refers to a specific version. Many of those items do in fact look like they are related to Firefox 35.0. There’s a link to ‘various security issues‘, but again it’s not clear what on that list is specific to version 35.0.1.
The ‘complete list of changes‘ link to Bugzilla is still not much help.
boot13