
Re: Does JDK7 security hole affect OpenJDK6?



I found CVE-2013-0422 on the TODO list:
https://security-tracker.debian.org/tracker/status/todo

Cheers,
Andreas
---

Andreas Kuckartz:
> David Gerard:
>> I would assume the recent JDK7 hole would also affect OpenJDK7, given
>> they're pretty much the same codebase.
>>
>> But OpenJDK6 is based on OpenJDK7, cut down to pass JCK6. Has anyone
>> checked if OpenJDK6 is vulnerable?
> 
> CERT states this:
> 
> "Systems Affected
> 
> Any system using Oracle Java 7 (1.7, 1.7.0) including
> 
>     Java Platform Standard Edition 7 (Java SE 7)
>     Java SE Development Kit (JDK 7)
>     Java SE Runtime Environment (JRE 7)
>     OpenJDK 7 and 7u
>     IcedTea 2.x (IcedTea7 2.x)
> 
> All versions of Java 7 through update 10 are affected.  Web browsers
> using the Java 7 plug-in are at high risk."
> 
> "Revision History
> 
>     January 10, 2013: Initial release
>     January 14, 2013: Added fix information per Java 7u11 release
>     January 15, 2013: Added OpenJDK and IcedTea to Systems Affected"
> 
> http://www.us-cert.gov/cas/techalerts/TA13-010A.html
> 
> Debian states that OpenJDK6 and OpenJDK7 are not vulnerable regarding
> CVE-2013-0422:
> https://security-tracker.debian.org/tracker/CVE-2013-0422
> https://security-tracker.debian.org/tracker/source-package/openjdk-7
> 
> *But*
> 
> "There's currently a technical problem with the Tracker not updating
> from the database."
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690774#15
> 
> Maybe that security tracker issue has not yet been resolved?
> 
> Cheers,
> Andreas
> 
> 

