How can I know which vulnerabilities (CVEs) are fixed in specific tag of open JDK?

Moshe Zuisman zuismanm at gmail.com
Wed Sep 23 11:35:53 UTC 2020


Thanks!
But the problem here is that this list includes only vulnerabilities dated
2019-2020.
The vulnerabilities we (our customer) are interested in are from 2014-2015.

On Wed, 23 Sep 2020 at 13:38, Alan Bateman <Alan.Bateman at oracle.com> wrote:

> On 23/09/2020 11:29, Moshe Zuisman wrote:
> > Hi.
> > I have the following problem. We provide OpenJDK binary distro with our
> > product.
> > With the current version we provided JDK8u-b222
> > Customer comes with a list of CVEs and asks if they are fixed in distro, we
> > provided with our product.
> > For example he asks about cve-2014-3566, jre-vuln-cve-2017-3241 (it is only
> > a part of the full list he asks about).
> > In the release note of b222 (
> > https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-July/009840.html) I
> > do not see any info about fixed CVEs.
> > Is there any way I figure out what is a full list of CVEs - fixed in
> > specific, or opposite - can I somehow know if some specific CVE fixed in
> > some build?
> Advisories are posted to the vuln-announce mailing list and also linked
> from the advisories page [1].
>
> -Alan
>
> [1] https://openjdk.java.net/groups/vulnerability/advisories/
>


