Java update spoofing vulnerability

http://secunia.com/advisories/47134/

 

Please don't tell me this affects Java 7u2?

 

The advisory lists only 1.6.x but it's not clear to me that it's been fixed in 1.7.x either.

 

So, the thing just gets updated and now they come with this?

-edit-

The vulnerability is reported in versions 1.6.0.28 and prior.

 

"Solution Status: Unpatched"

 

Then, it's a bit contradictory, isn't it? Why would they mention only 1.6.0.28 and prior? There's no prior, then. I mean, there is, but we need to include, possibly, version 1.6.0.29. But, I wonder if it has been patched in version 1.6.0.29? I'll see if I can spot anything in the change log.

But, according to the original article (-http://blog.infobytesec.com/2011/12/pwning-java-update-process-2007-today.html):

The article was written a week ago. By then, the latest version was 1.6.0.29 for quite some time, not 1.6.0.28.

I'm not saying there isn't a bug; I'm just saying these folks need to make things a bit more clear.

 

-edit-

This is the page from Oracle regarding to what was patched in version 1.6.0.29. -http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

I didn't see any mentions...