
Re: Does JDK7 security hole affect OpenJDK6?



David Gerard:
> I would assume the recent JDK7 hole would also affect OpenJDK7, given
> they're pretty much the same codebase.
> 
> But OpenJDK6 is based on OpenJDK7, cut down to pass JCK6. Has anyone
> checked if OpenJDK6 is vulnerable?

CERT states this:

"Systems Affected

Any system using Oracle Java 7 (1.7, 1.7.0) including

    Java Platform Standard Edition 7 (Java SE 7)
    Java SE Development Kit (JDK 7)
    Java SE Runtime Environment (JRE 7)
    OpenJDK 7 and 7u
    IcedTea 2.x (IcedTea7 2.x)

All versions of Java 7 through update 10 are affected.  Web browsers
using the Java 7 plug-in are at high risk."

"Revision History

    January 10, 2013: Initial release
    January 14, 2013: Added fix information per Java 7u11 release
    January 15, 2013: Added OpenJDK and IcedTea to Systems Affected"

http://www.us-cert.gov/cas/techalerts/TA13-010A.html

Debian states that OpenJDK6 and OpenJDK7 are not vulnerable regarding
CVE-2013-0422:
https://security-tracker.debian.org/tracker/CVE-2013-0422
https://security-tracker.debian.org/tracker/source-package/openjdk-7

*But*

"There's currently a technical problem with the Tracker not updating
from the database."
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690774#15

Maybe that security tracker issue has not yet been resolved?

Cheers,
Andreas

