
CVE-2012-5083 does not affect openjdk



Hi,

Bug #690774 was closed (as invalid), and the remaining CVEs from the
Oracle Java October 2012 updates have been marked as invalid, except
for CVE-2012-5083, which is still open in the security tracker.

I don't think it was obvious at the time, but I agree now that this
(and some of the other CVEs) affected the Oracle Fusion Middleware
and not OpenJDK.  This is vaguely implied in the description of:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3202

Please could this CVE be closed like the others?


--- data/CVE/list       (revision 22106)
+++ data/CVE/list       (working copy)
@@ -11389,8 +11389,9 @@
    - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774)
    - openjdk-7 7u3-2.1.3-1 (bug #690774)
 CVE-2012-5083 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
-       - openjdk-6 <unfixed> (bug #690774)
-       - openjdk-7 <unfixed> (bug #690774)
+       - openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+       - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+       NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
 CVE-2012-5082 (Unspecified vulnerability in the JavaFX component in Oracle Java SE ...)
    - openjdk-6 <not-affected> (JavaFX not part of OpenJDK)
    - openjdk-7 <not-affected> (JavaFX not part of OpenJDK)
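
Review bot: The two added `<not-affected>` entries for CVE-2012-5083 drop the `(bug #690774)` reference that the removed `<unfixed>` lines carried, so the entry no longer points at the bug where the decision was discussed; consider keeping the bug number, for example in the NOTE line. The NOTE itself bases the status only on "no patch landed in icedtea" while stating that the exact nature is unknown, and the parenthetical says "Specific to Oracle Java" whereas the covering message attributes the issue to Oracle Fusion Middleware. It would help to make the annotation and the message agree and to cite the source for the conclusion in the NOTE. The NOTE is also a single very long line and could be split into two NOTE lines.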


Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

