On 13/05/2019 12:09, Emilio Pozuelo Monfort wrote:
> It was not clear to me at the time of upload if it was addressed in 7u221. It
> was not mentioned in the upstream announcement. I asked upstream for
> clarification on its status, it may be that that CVE is Oracle specific and
> doesn't affect OpenJDK. Though I haven't received a reply yet. But let's wait
> for their answer.

Upstream confirmed that CVE-2019-2697 doesn't affect OpenJDK as it's a vulnerability in a proprietary 2D component only present in Oracle Java. I updated the tracker accordingly.

Cheers,
Emilio