CVE-2012-5083 does not affect openjdk
Hi,
Bug #690774 was closed (as invalid), and the remaining CVEs from the
Oracle Java October 2012 updates have been marked as invalid, except
for CVE-2012-5083, which is still open in the security tracker.
I don't think it was obvious at the time, but I agree now that this
(and some of the other CVEs) affected the Oracle Fusion Middleware
and not OpenJDK. This is vaguely implied in the description of:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3202
Please could this CVE be closed like the others?
--- data/CVE/list (revision 22106)
+++ data/CVE/list (working copy)
@@ -11389,8 +11389,9 @@
- openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774)
- openjdk-7 7u3-2.1.3-1 (bug #690774)
CVE-2012-5083 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- - openjdk-6 <unfixed> (bug #690774)
- - openjdk-7 <unfixed> (bug #690774)
+ - openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+ - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+ NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
CVE-2012-5082 (Unspecified vulnerability in the JavaFX component in Oracle Java SE ...)
- openjdk-6 <not-affected> (JavaFX not part of OpenJDK)
- openjdk-7 <not-affected> (JavaFX not part of OpenJDK)
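Review bot: The NOTE added under CVE-2012-5083 justifies the not-affected status only by the absence of a patch in icedtea, and the two new entry lines give the reason as "Specific to Oracle Java", whereas the message above bases the request on the issue belonging to Oracle Fusion Middleware, as implied by the NVD description of CVE-2012-3202. Consider citing that reference in the NOTE so the basis for the status can be re-checked later, and make the reason text in the entries match it. The spelling also differs within the added lines ("IcedTea" in the entries, "icedtea" in the NOTE); pick one.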
Thanks,
Regards,
--
Steven Chamberlain
steven@pyro.eu.org