
RE: Does JDK7 security hole affect OpenJDK6?



I read somewhere (I think it was on TechRepublic, but I'm not sure) that the answer to that was no (as in, that popular security hole does not affect OpenJDK 6). You should get confirmation from someone who knows more about this, though.

> Date: Thu, 17 Jan 2013 11:22:28 +0100
> From: A.Kuckartz@ping.de
> To: debian-java@lists.debian.org
> CC: debian-security@lists.debian.org
> Subject: Re: Does JDK7 security hole affect OpenJDK6?
>
> I found CVE-2013-0422 on the TODO list:
> https://security-tracker.debian.org/tracker/status/todo
>
> Cheers,
> Andreas
> ---
>
> Andreas Kuckartz:
> > David Gerard:
> >> I would assume the recent JDK7 hole would also affect OpenJDK7, given
> >> they're pretty much the same codebase.
> >>
> >> But OpenJDK6 is based on OpenJDK7, cut down to pass JCK6. Has anyone
> >> checked if OpenJDK6 is vulnerable?
> >
> > CERT states this:
> >
> > "Systems Affected
> >
> > Any system using Oracle Java 7 (1.7, 1.7.0) including
> >
> > Java Platform Standard Edition 7 (Java SE 7)
> > Java SE Development Kit (JDK 7)
> > Java SE Runtime Environment (JRE 7)
> > OpenJDK 7 and 7u
> > IcedTea 2.x (IcedTea7 2.x)
> >
> > All versions of Java 7 through update 10 are affected. Web browsers
> > using the Java 7 plug-in are at high risk."
> >
> > "Revision History
> >
> > January 10, 2013: Initial release
> > January 14, 2013: Added fix information per Java 7u11 release
> > January 15, 2013: Added OpenJDK and IcedTea to Systems Affected"
> >
> > http://www.us-cert.gov/cas/techalerts/TA13-010A.html
> >
> > Debian states that OpenJDK6 and OpenJDK7 are not vulnerable regarding
> > CVE-2013-0422:
> > https://security-tracker.debian.org/tracker/CVE-2013-0422
> > https://security-tracker.debian.org/tracker/source-package/openjdk-7
> >
> > *But*
> >
> > "There's currently a technical problem with the Tracker not updating
> > from the database."
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690774#15
> >
> > Maybe that security tracker issue has not yet been resolved?
> >
> > Cheers,
> > Andreas
> >
> >
>
>
