Hi David. Does this Vulnerability group have their own forum, mailing list
or other place where they can be contacted?

On Fri, 25 Sep 2020 at 13:58, David Holmes <david.hol...@oracle.com> wrote:

> Hi Moshe,
>
> On 25/09/2020 8:23 pm, Moshe Zuisman wrote:
> > Hi.
> > I am trying to figure out if cve-2014-3566 cve-2014-6593 and if yes -
> > starting from which build.
>
> This is not something that build-dev can help you with.
>
> The best people to contact for this would be the Vulnerability group
> that Alan referred to.
>
> There is historical information available for Oracle JDK [1] but I don't
> know how to map that to OpenJDK for certain.
>
> Cheers,
> David
> -----
>
> [1] To go that far back you'd need to check:
>
> https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html
>
> for the CVE and find the corresponding CPU link. E.g. for cve-2014-3566
> it is:
>
> https://www.oracle.com/security-alerts/cpujul2017.html
>
> which applies to Oracle Java SE, versions 6u151, 7u141, 8u131. (I'm not
> sure whether that means it is fixed in 8u131 or whether 8u131 is still
> affected and the fix is in the next CPU release.)
>
> > Alan Bateman pointed me to
> > https://openjdk.java.net/groups/vulnerability/advisories/. But it contains
> > only a list of fixed vulnerabilities that were reported in the years 2019-2020.
> > I have found at https://linux.oracle.com/errata/ELSA-2015-0069.html
> > that OpenJDK 8 for Oracle Linux 6 already contained a fix for cve-2014-3566,
> > for example.
> > But is there some way I can be sure that this was included in the
> > general code base of OpenJDK (and not some special branch ORACLE manages
> > for their systems), and starting from which build this fix was included?
> >
>
