How can I know which vulnerabilities (CVEs) are fixed in specific tag of open JDK?
Alan Bateman
Alan.Bateman at oracle.com
Wed Sep 23 10:38:32 UTC 2020
On 23/09/2020 11:29, Moshe Zuisman wrote:
> Hi.
> I have the following problem. We provide OpenJDK binary distro with our
> product.
> With the current version we provided JDK8u-b222.
> A customer comes with a list of CVEs and asks if they are fixed in the distro we
> provided with our product.
> For example, he asks about cve-2014-3566, jre-vuln-cve-2017-3241 (it is only
> a part of the full list he asks about).
> In the release note of b222 (
> https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-July/009840.html) I
> do not see any info about fixed CVEs.
> Is there any way I can figure out the full list of CVEs fixed in a
> specific build, or the opposite: can I somehow know if some specific CVE is fixed in
> some build?
Advisories are posted to the vuln-announce mailing list and also linked
from the advisories page [1].
-Alan
[1] https://openjdk.java.net/groups/vulnerability/advisories/
More information about the build-dev mailing list