Re: openjdk-7 status
On 13/05/2019 10:55, Sylvain wrote:
> Thanks Ola.
>
> Emilio, can you confirm your latest upload also addresses CVE-2019-2697?
>
> Its MITRE page points to:
> https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
> "Mateusz Jurczyk of Google Project Zero: CVE-2019-2697, CVE-2019-2698"
>
> which also references CVE-2019-2698, which DLA-1782-1 addressed.
> So it is likely that this is an oversight in data/CVE/list, as the
> upload was a new upstream version (i.e. not cherry-picking).
It was not clear to me at the time of upload if it was addressed in 7u221. It
was not mentioned in the upstream announcement. I asked upstream for
clarification on its status; it may be that that CVE is Oracle-specific and
doesn't affect OpenJDK, though I haven't received a reply yet. But let's wait
for their answer.
Emilio
>
> Cheers!
> Sylvain
>
> On 13/05/2019 17:00, Ola Lundqvist wrote:
>> Hi Sylvain
>>
>> It was meant to consider CVE-2019-2697.
>> I do not know anything about re-considering this CVE, as nothing has been
>> noted on that CVE saying that it has been ignored or should be treated in
>> some other way.
>>
>> // Ola
>>
>> On Mon, 13 May 2019 at 10:57, Sylvain Beucler <beuc@beuc.net> wrote:
>>
>> Hi,
>>
>> openjdk-7 is back in dla-needed.txt with the commit message "Sounds
>> serious enough".
>> However it was re-added the day after DLA-1782-1 and there's no new CVE
>> since.
>>
>> Was it an oversight, or was it meant to reconsider
>> https://security-tracker.debian.org/tracker/CVE-2019-2697 which wasn't
>> addressed by that DLA?
>>
>> Cheers!
>> Sylvain
>>
>>
>>
>> --
>> --- Inguza Technology AB --- MSc in Information Technology ----
>> | ola@inguza.com opal@debian.org |
>> | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
>> ---------------------------------------------------------------
>>
>