Re: openjdk-7 status
On 13/05/2019 10:55, Sylvain wrote:
> Thanks Ola.
> Emilio, can you confirm your latest upload also addresses CVE-2019-2697?
> Its MITRE page points to:
> "Mateusz Jurczyk of Google Project Zero: CVE-2019-2697, CVE-2019-2698"
> which also references CVE-2019-2698, which DLA-1782-1 addressed.
> So it is likely that this is an oversight in data/CVE/list, as the
> upload was a new upstream version (i.e. not cherry-picking).
It was not clear to me at the time of upload whether it was addressed in 7u221. It
was not mentioned in the upstream announcement. I asked upstream for
clarification on its status; it may be that that CVE is Oracle-specific and
doesn't affect OpenJDK. I haven't received a reply yet, but let's wait
for their answer.
> On 13/05/2019 17:00, Ola Lundqvist wrote:
>> Hi Sylvain
>> It was meant to consider CVE-2019-2697.
>> I do not know anything about re-considering this CVE, as nothing has been
>> noted on that CVE saying that it has been ignored or should be treated in
>> some other way.
>> // Ola
>> On Mon, 13 May 2019 at 10:57, Sylvain Beucler <email@example.com> wrote:
>> openjdk-7 is back in dla-needed.txt with the commit message "Sounds
>> serious enough".
>> However, it was re-added the day after DLA-1782-1 and there's no
>> new CVE.
>> Was it an oversight, or was it meant to reconsider
>> https://security-tracker.debian.org/tracker/CVE-2019-2697 which wasn't
>> addressed by that DLA?
>> --- Inguza Technology AB --- MSc in Information Technology ----
>> | http://inguza.com/ Mobile: +46 (0)70-332 1551 |