5 Replies Latest reply: Jun 18, 2012 9:09 AM by gimbal2

What became of http://java.sun.com/jsp/jstl/fmt   ????

user13136504 Newbie
I am looking for the JSTL documentation which should be at that page I was led to believe. I would gratefully appreciate confirmation that JSTL still lives even though Sun Microsystems was sold to Oracle.
Also I have upgraded all my servers and workstations to Java JDK 7.0 Update 5 and JDK 6 update 33. Am I safe from all the CVEs known to hackers?
Also can someone tell me why the details of the updates seem so hidden? These must really be awfully bad security exploits that do mega damage. Applets are essentially dead?

Also can someone here confirm that JSTL is still supported by Oracle? Or is there a JSTL.org organization now to handle support of it?
  • 1. Re: What became of http://java.sun.com/jsp/jstl/fmt   ????
    EJP Guru
    I am looking for the JSTL documentation which should be at that page I was led to believe.
    I think not. I think that is the namespace URL for the XML declarations. There isn't, and I doubt there ever was, anything actually there.
    I would gratefully appreciate confirmation that JSTL still lives even though Sun Microsystems was sold to Oracle.
    Well of course it does, but you're asking in the wrong place, see below.
    Am I safe from all the CVEs known to hackers?
    I don't know what you mean by CVE, and I don't know that anybody in the software industry has ever guaranteed anything in the last sixty years or so, let alone that you are 'safe', but it is clear from recent product history that security issues are being worked on very actively indeed.
    Also can someone tell me why the details of the updates seem so hidden?
    Everyone else seems to find them.
    These must really be awfully bad security exploits that do mega damage.
    Such as? Or are you just spreading some uncertainty of your own?
    Applets are essentially dead?
    No, they are still part of the platform, and people are still using them.
    Also can someone here confirm that JSTL is still supported by Oracle?
    Well of course it is, but you're asking in the wrong place. This is a user-to-user forum. If you want an official statement from Oracle ask them through the proper channels. This isn't one of them.

    I must say this is an amazing way to ask where the JSTL documentation now lives, especially as even Google knows the answer.
  • 2. Re: What became of http://java.sun.com/jsp/jstl/fmt   ????
    user13136504 Newbie
    Fair enough. Perhaps I do need some sleep!
    Thanks for the responses to the somewhat dumb-witted questions. Still, I do think this page has the most on the vulnerabilities in Java JDK as of recently:
    http://www.securelist.com/en/advisories/48009
    Still it is interesting to note that Oracle is not listed in the credits on finding and fixing the vulnerabilities
    e.g
    1) An anonymous person via iDefense.
    2) Alin Rad Pop (binaryproof) via ZDI.
    3) Peter Vreugdenhil, TippingPoint DVLabs.
    4) TELUS Security Labs.
    5, 15-19) Chris Ries via ZDI.
    7) Jeroen Frijters.
    13) Timo Warns, PRESENSE Technologies via PRE-CERT.
    15) An anonymous person via ZDI.
    It is currently unclear who reported the remaining vulnerabilities as the Oracle Java SE Critical Patch Update for February 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

    Perhaps I could assume those remaining vulnerabilities were solved by Oracle to be optimistic, however, why don't they give themselves credit and look better on this.
    I only hope the vulnerabilities were detected by Oracle and those on the 15 credited sources of the vulnerability exploits.

    Oh and I did ultimately find the JSTL documentation at http://jstl.java.net/ but that was not so easy to find.
    I had to download the javadoc.jar file and also no mention was made regarding Java EE 6, which I understand is the current Java EE version available.

    Also I was only able to find this web site for the JSTL documentation but it appears to be JSTL version 1.1 at: http://docs.oracle.com/cd/E17802_01/products/products/jsp/jstl/1.1/docs/tlddocs/index.html


    Edited by: user13136504 on Jun 17, 2012 10:45 PM

    Edited by: user13136504 on Jun 17, 2012 11:03 PM
  • 3. Re: What became of http://java.sun.com/jsp/jstl/fmt   ????
    gimbal2 Guru
    Java stems from OpenJDK, an open source project. It is very possible that individuals not working directly for Oracle find and fix issues.

    As for JSTL, that is quite legacy technology that was built to support JSP technology (even more legacy). The JEE spec has moved on to include JavaServer Faces and Facelets which basically phase out JSPs and JSTL. The JSTL spec itself hasn't changed much all these years; documentation for 1.1 will still tell you most if not all of what you need to effectively use JSTL 1.2.
  • 4. Re: What became of http://java.sun.com/jsp/jstl/fmt   ????
    user13136504 Newbie
    Hard to believe JSTL is already Legacy. It does not seem that long a period but I surely hope Java does not become Legacy code anytime soon!
    Oracle needs to get its act together. They need to share information better than they currently do with users.
    Instead of getting the information I got at :

    http://secunia.com/advisories/49472/
    and
    http://www.securelist.com/en/advisories/48009

    I should be getting it at Oracle on their web site. This stuff is vital for the enterprise. I should not have to get a CSI number to have access to such information as a developer.
    Downloads of Oracle patches sure make me have a CSI #, but information regarding Oracle Java JDK? That should be freely available as well as the patches for it. Did you notice under JSTL there is no mention of it being mothballed except the 404 error when you go to the page supposedly regarding The Project. Not the best communication policy.
    Here is an idea for Oracle. Why not add a status on any phased out technology like JSTL - (Deprecated) or something like that so it does not become a surprise it has become legacy code.
  • 5. Re: What became of http://java.sun.com/jsp/jstl/fmt   ????
    gimbal2 Guru
    That's just an uninformed rant. JSTL has nothing to do with "java" as a whole; it's a minor API part of the large JEE specification, not Java directly. On top of that now you start to rave about security issues which is completely off-topic at best.
    Here is an idea for Oracle. Why not add a status on any phased out technology like JSTL - (Deprecated) or something like that so it does not become a surprise it has become legacy code.
    And that's just putting words in my mouth. I said legacy, not deprecated or phased out. It's old. People don't tend to use it anymore because there are far better alternatives. It's still happily included in the JEE6 spec if you are so inclined to keep using it and will likely still be in the upcoming JEE7 spec too, but I'd suggest you keep up with the times and move ahead like the rest of the world.
