Re: Does JDK7 security hole affect OpenJDK6?
David Gerard:
> I would assume the recent JDK7 hole would also affect OpenJDK7, given
> they're pretty much the same codebase.
>
> But OpenJDK6 is based on OpenJDK7, cut down to pass JCK6. Has anyone
> checked if OpenJDK6 is vulnerable?

CERT states this:

"Systems Affected
Any system using Oracle Java 7 (1.7, 1.7.0) including
Java Platform Standard Edition 7 (Java SE 7)
Java SE Development Kit (JDK 7)
Java SE Runtime Environment (JRE 7)
OpenJDK 7 and 7u
IcedTea 2.x (IcedTea7 2.x)
All versions of Java 7 through update 10 are affected. Web browsers
using the Java 7 plug-in are at high risk."

"Revision History
January 10, 2013: Initial release
January 14, 2013: Added fix information per Java 7u11 release
January 15, 2013: Added OpenJDK and IcedTea to Systems Affected"

http://www.us-cert.gov/cas/techalerts/TA13-010A.html

Debian states that OpenJDK6 and OpenJDK7 are not vulnerable regarding
CVE-2013-0422:

https://security-tracker.debian.org/tracker/CVE-2013-0422
https://security-tracker.debian.org/tracker/source-package/openjdk-7

*But*

"There's currently a technical problem with the Tracker not updating
from the database."

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690774#15

Maybe that security tracker issue has not yet been resolved?

Cheers,
Andreas