Hi Moshe,

On 25/09/2020 8:23 pm, Moshe Zuisman wrote:
Hi.
I am trying to figure out if cve-2014-3566 cve-2014-6593 and if yes -
starting from which build.

This is not something that build-dev can help you with.

The best people to contact for this would be the Vulnerability group that Alan referred to.

There is historical information available for Oracle JDK [1] but I don't know how to map that to OpenJDK for certain.

Cheers,
David
-----

[1] To go that far back you'd need to check:

https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html

for the CVE and find the corresponding CPU link. E.g. for cve-2014-3566 it is:

https://www.oracle.com/security-alerts/cpujul2017.html

which applies to Oracle Java SE, versions 6u151, 7u141, 8u131. (I'm not sure whether that means it is fixed in 8u131 or whether 8u131 is still affected and the fix is in the next CPU release.)

Alan Bateman pointed me to
https://openjdk.java.net/groups/vulnerability/advisories/. But it contains
only a list of fixed vulnerabilities that were reported in 2019-2020.
I have found at https://linux.oracle.com/errata/ELSA-2015-0069.html
that Open JDK 8 for Oracle Linux 6 already contained a fix for cve-2014-3566,
for example.
But is there some way I can be sure that this was included in the
general code base of Open JDK (and not some special branch ORACLE manages
for their systems), and starting from which build this fix was included?
