On 13/05/2019 10:55, Sylvain wrote:
> Thanks Ola.
> 
> Emilio, can you confirm your latest upload also addresses CVE-2019-2697?
> 
> It's MITRE page points to:
> https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
> "Mateusz Jurczyk of Google Project Zero: CVE-2019-2697, CVE-2019-2698"
> 
> which also references CVE-2019-2698, which DLA-1782-1 addressed.
> So it is likely that this is an oversight in data/CVE/list, as the
> upload was a new upstream version (i.e. not cherry-picking).

It was not clear to me at the time of upload if it was addressed in 7u221. It
was not mentioned in the upstream announcement. I asked upstream for
clarification on its status, it may be that that CVE is Oracle specific and
doesn't affect OpenJDK. Though I haven't received a reply yet. But let's wait
for their answer.

Emilio

> 
> Cheers!
> Sylvain
> 
> On 13/05/2019 17:00, Ola Lundqvist wrote:
>> Hi Sylvain
>>
>> It was meant to consider CVE-2019-2697.
>> I do not know anything about re-consider this CVE as nothing has been
>> noted to that CVE that it has been ignored or should be treated in
>> some other way.
>>
>> // Ola 
>>
>> On Mon, 13 May 2019 at 10:57, Sylvain Beucler <b...@beuc.net
>> <mailto:b...@beuc.net>> wrote:
>>
>>     Hi,
>>
>>     openjdk-7 is back in dla-needed.txt with the commit message "Sounds
>>     serious enough".
>>     However it was re-added the day after DLA-1782-1 and there's no
>>     new CVE
>>     since.
>>
>>     Was it an oversight, or was it meant to reconsider
>>     https://security-tracker.debian.org/tracker/CVE-2019-2697 which wasn't
>>     addressed by that DLA?
>>
>>     Cheers!
>>     Sylvain
>>
>>
>>
>> -- 
>>  --- Inguza Technology AB --- MSc in Information Technology ----
>> |  o...@inguza.com <mailto:o...@inguza.com>                 
>>   o...@debian.org <mailto:o...@debian.org>            |
>> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>>  ---------------------------------------------------------------
>>
> 

Reply via email to