On 25/09/2020 10:28 pm, Moshe Zuisman wrote:
Hi David. Does this Vulnerability group have their own forum, mailing list or other place where they can be contacted?

I assumed they did have but it seems not :(

https://openjdk.java.net/groups/vulnerability/

The only mailing list they have that you can post to is for vulnerability reports.

I suspect you have to pick an OpenJDK distributor and then ask them about this, rather than trying to find out generically what "version of OpenJDK" contains a given fix. I'm pretty sure that we don't record CVE details when such fixes get integrated.

David
-----

Fri, 25 Sep 2020 at 13:58, David Holmes <david.hol...@oracle.com>:

    Hi Moshe,

    On 25/09/2020 8:23 pm, Moshe Zuisman wrote:
     > Hi.
     > I am trying to figure out if cve-2014-3566 cve-2014-6593 nad if yes -
     > starting from which build.

    This is not something that build-dev can help you with.

    The best people to contact for this would be the Vulnerability group
    that Alan referred to.

    There is historical information available for Oracle JDK [1] but I don't
    know how to map that to OpenJDK for certain.

    Cheers,
    David
    -----

    [1] To go that far back you'd need to check:

    https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html

    for the CVE and find the corresponding CPU link. E.g. for cve-2014-3566
    it is:

    https://www.oracle.com/security-alerts/cpujul2017.html

    which applies to Oracle Java SE, versions 6u151, 7u141, 8u131. (I'm not
    sure whether that means it is fixed in 8u131 or whether 8u131 is still
    affected and the fix is in the next CPU release.)

     > Alan Bateman pointed me to
     > https://openjdk.java.net/groups/vulnerability/advisories/. But it contains
     > only a list of fixed vulnerabilities that were reported in 2019-2020.
     > I have found at https://linux.oracle.com/errata/ELSA-2015-0069.html
     > that Open JDK 8 for Oracle Linux 6 already contained a fix for cve-2014-3566,
     > for example.
     > But - is there some way I can be sure that this was included in the
     > general code base of Open JDK (and not some special branch ORACLE manages
     > for their systems), and starting from which build this fix was included?
     >

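As an added illustration of the lookup David describes (not code from the thread or from OpenJDK), the check below compares an installed Oracle JDK against the versions a CPU advisory lists for a CVE. The version table is constructed from the cpujul2017 entry quoted above, the helper names are hypothetical, and a version equal to the listed one is reported separately because, as David notes, the CPU text alone does not say whether that version is fixed or the last affected one. This applies to Oracle JDK only; OpenJDK distributors must be asked separately.

```python
import re

# Constructed from the advisory cited in the thread: Oracle Java SE versions
# listed in the July 2017 CPU for CVE-2014-3566 (not Oracle's own data format).
CPU_VERSIONS = {"CVE-2014-3566": ["6u151", "7u141", "8u131"]}


def parse_java_version(s):
    """Return (major, update) from '8u131', '1.8.0_131' or `java -version`
    output. Hypothetical helper; assumes the legacy (pre-9) version scheme."""
    m = re.search(r'"?1\.(\d+)\.\d+_(\d+)', s)     # 1.8.0_131 style
    if m:
        return int(m.group(1)), int(m.group(2))
    m = re.fullmatch(r"\s*(\d+)u(\d+)\s*", s)       # 8u131 style
    if m:
        return int(m.group(1)), int(m.group(2))
    raise ValueError(f"unrecognised Java version: {s!r}")


def assess(cve, installed):
    """Compare an installed JDK with the versions the CPU lists for `cve`.

    Returns 'older', 'listed' or 'newer' relative to the listed version on the
    same major line, or 'unknown-major' if the CPU names no version on that
    line. 'listed' is kept distinct because the advisory alone does not state
    whether the listed version contains the fix or is the last affected one.
    """
    major, update = parse_java_version(installed)
    for listed in CPU_VERSIONS.get(cve, []):
        lmajor, lupdate = parse_java_version(listed)
        if lmajor != major:
            continue
        if update < lupdate:
            return "older"
        if update == lupdate:
            return "listed"
        return "newer"
    return "unknown-major"


if __name__ == "__main__":
    # Constructed sample of `java -version` output for demonstration.
    sample = 'java version "1.8.0_121"'
    print(sample, "->", assess("CVE-2014-3566", sample))
```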