(imported topic written by mgardner28)
Why is this showing up as critical? When you go to the Oracle site and download the latest you get JRE6 update 29. There are lots of things that do not work with JRE7 yet. This should not show up as a critical vulnerability.
Thanks,
Mark
(imported comment written by SystemAdmin)
As a general rule, Fixlet severity is determined by the severity of the patch - as specified by the patch vendor.
In this case, we have two JRE update fixlets:
Both these fixlets install the same critical patch, but their applicability is different.
We do understand your point about not marking the second Fixlet as critical, because it’s more of an upgrade Fixlet. The severity of the second Fixlet should be set to .
Does anyone on this forum disagree?
(imported comment written by mgardner28)
I agree with your statement. The following fixlet is an upgrade and the severity should be set to .
Java Runtime Environment 7 update 1 Available (JRE < 7 Installed)
I have automatic reports that are emailed to management. Currently they see that we have critical Java vulnerabilities. They don’t understand it’s an upgrade. They just say patch it.
Thanks,
Mark
(imported comment written by mgardner28)
When will the severity of Fixlet “Java Runtime Environment 7 update 1 Available (JRE < 7 Installed)” be changed to ?
Thanks,
Mark
(imported comment written by SystemAdmin)
The change should be available in the latest version of the site (392).
(imported comment written by gtallan91)
I was just checking into why fixlet “Java Runtime Environment 7 update 3 Available (JRE < 7 Installed)” (and the x64 version) has “critical” severity, and see that this was addresses once before for Update 1.
Can the same thing be done again for Update 3, and can the change be made “sticky” for future updates?
Graham
(imported comment written by mgardner28)
Thanks!