How can I know which vulnerabilities (CVEs) are fixed in specific tag of open JDK?

Moshe Zuisman zuismanm at
Wed Sep 23 10:29:37 UTC 2020

I have the following problem. We provide OpenJDK binary distro with our
With the current version we provided JDK8u-b222
Customer comes with a list of CVEs and asks if they are fixed in distro, we
provided with our product.
For example he asks about cve-2014-3566, jre-vuln-cve-2017-3241(it is only
a part of the full list he asks about).
In the release note of b222 ( I
do not see any info about fixed CVEs.
Is there any way I figure out what is a full list of CVEs - fixed in
specific, or opposite - can I somehow know if some specific CVE fixed in
some build?

More information about the build-dev mailing list