On 1/21/25 12:57 PM, some-java-user-99206970363698485...@vodafonemail.de
wrote:
It seems I wasn't informed that the report had been created; at
least I cannot find the confirmation mail for it. Note that I had
specified a different private contact e-mail address.
It's because the bug isn't public.
... but I am the reporter!? It could of course be that there was an
attempt to inform me but it did not reach me for whatever reason
(please don't mention the e-mail address, I used for reporting, here
on this mailing list though).
That is unfortunately exactly what I had been criticizing in
https://mail.openjdk.org/pipermail/web-discuss/2022-January/000593.html;
as external reporter it can be extremely intransparent what happens to
a report.
Yes, the bug is marked confidential.
I don't really understand that. Unless I accidentally leaked private
information in the report, I think it contains exactly the information
I wrote in the original e-mail of this thread. And this is not secret
information, it is basically what had been mentioned in the JDK 9
release notes originally. It is rather weird to withhold this
information from users, especially since malicious actors are long
aware of the security issues see for example
https://www.alibabacloud.com/blog/analysis-of-jdwpminer-mining-trojan-remote-debugging-with-java-causes-hidden-risks_598002
or just search for "jdwp exploit" or similar.
(Aleksei Ivanov I have included you as direct recipient of this mail;
but this mail might still be awaiting approval on serviceability-dev@,
so in case you respond before that it might be confusing for others.)
https://bugs.openjdk.org/browse/JDK-8329414 is no longer confidential.
You should be able to view it now.
Chris
