On 13/05/2019 12:09, Emilio Pozuelo Monfort wrote:
> It was not clear to me at the time of upload if it was addressed in 7u221. It
> was not mentioned in the upstream announcement. I asked upstream for
> clarification on its status, it may be that that CVE is Oracle specific and
> doesn't affect OpenJDK. Though I haven't received a reply yet. But let's wait
> for their answer.
Upstream confirmed that CVE-2019-2697 doesn't affect OpenJDK as it's a
vulnerability in a proprietary 2D component only present in Oracle Java. I
updated the tracker accordingly.