cve-2014-3566 cve-2014-6593 in OPEN JDK 8

David Holmes david.holmes at oracle.com
Fri Sep 25 10:56:39 UTC 2020


Hi Moshe,

On 25/09/2020 8:23 pm, Moshe Zuisman wrote:
> Hi.
> I am trying to figure out if cve-2014-3566 cve-2014-6593 and if yes -
> starting from which build.

This is not something that build-dev can help you with.

The best people to contact for this would be the Vulnerability group 
that Alan referred to.

There is historical information available for Oracle JDK [1] but I don't 
know how to map that to OpenJDK for certain.

Cheers,
David
-----

[1] To go that far back you'd need to check:

https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html

for the CVE and find the corresponding CPU link. E.g. for cve-2014-3566 
it is:

https://www.oracle.com/security-alerts/cpujul2017.html

which applies to Oracle Java SE, versions 6u151, 7u141, 8u131. (I'm not 
sure whether that means it is fixed in 8u131 or whether 8u131 is still 
affected and the fix is in the next CPU release.)

> Alan Bateman pointed me to
> https://openjdk.java.net/groups/vulnerability/advisories/. But it contains
> only a list of fixed vulnerabilities that were reported in the years 2019-2020.
> I have found at https://linux.oracle.com/errata/ELSA-2015-0069.html
> that Open JDK 8 for Oracle Linux 6 already contained a fix for cve-2014-3566,
> for example.
> But - is there some way I can be sure that this was included in the
> general code base of Open JDK (and not some special branch ORACLE manages
> for their systems), and starting from which build this fix was included?