A new version of Java was released yesterday with zero fanfare from Oracle. Presumably that’s because there are no security vulnerability fixes in this release, since normally there would be an announcement on Oracle’s Critical Patch Updates, Security Alerts and Third Party Bulletin blog.

The update is listed on the main release notes page for Java 7. The release notes page for 7u40 shows that there have been a lot of changes in this release, including some related to security, but no fixes for specific security vulnerabilities. The complete list of bugs fixed in this release is enormous.

It will be interesting to see what Adam Gowdiak says about this release, since some of the vulnerabilities he has reported still existed in the previous Java release, 7u25. Update 2013Sep24: According to the vendor log on the Security Explorations site, “Oracle provides a monthly status report for the reported issues. The company informs that Issue 69 is fixed in main codeline and is scheduled for a future CPU.” In other words, Issue 69 is STILL not fixed.