cve-2014-3566 cve-2014-6593 in OPEN JDK 8

David Holmes david.holmes at oracle.com
Fri Sep 25 14:13:06 UTC 2020


On 25/09/2020 10:28 pm, Moshe Zuisman wrote:
> Hi David. Does this Vulnerability group have their own forum, mailing 
> list or other place where they can be contacted?

I assumed they did have but it seems not :(

https://openjdk.java.net/groups/vulnerability/

The only mailing list they have that you can post to is for 
vulnerability reports.

I suspect you have to pick an OpenJDK distributor and then ask them 
about this, rather than trying to find out generically what "version of 
OpenJDK" contains a given fix. I'm pretty sure that we don't record CVE 
details when such fixes get integrated.

David
-----

> Fri, 25 Sep 2020 at 13:58, David Holmes <david.holmes at oracle.com 
> <mailto:david.holmes at oracle.com>>:
> 
>     Hi Moshe,
> 
>     On 25/09/2020 8:23 pm, Moshe Zuisman wrote:
>      > Hi.
>      > I am trying to figure out if cve-2014-3566 cve-2014-6593 and if yes -
>      > starting from which build.
> 
>     This is not something that build-dev can help you with.
> 
>     The best people to contact for this would be the Vulnerability group
>     that Alan referred to.
> 
>     There is historical information available for Oracle JDK [1] but I
>     don't know how to map that to OpenJDK for certain.
> 
>     Cheers,
>     David
>     -----
> 
>     [1] To go that far back you'd need to check:
> 
>     https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html
> 
>     for the CVE and find the corresponding CPU link. E.g. for cve-2014-3566
>     it is:
> 
>     https://www.oracle.com/security-alerts/cpujul2017.html
> 
>     which applies to Oracle Java SE, versions 6u151, 7u141, 8u131. (I'm not
>     sure whether that means it is fixed in 8u131 or whether 8u131 is still
>     affected and the fix is in the next CPU release.)
> 
>      > Alan Bateman pointed me to
>      > https://openjdk.java.net/groups/vulnerability/advisories/. But it
>      > contains only a list of fixed vulnerabilities, that were reported in
>      > 2019-2020.
>      > I have found at https://linux.oracle.com/errata/ELSA-2015-0069.html
>      > that Open JDK 8 for Oracle Linux 6 already contained the fix for
>      > cve-2014-3566, for example.
>      > But - is there some way I can be sure that this was included in the
>      > general code base of Open JDK (and not some special branch that
>      > Oracle manages for their systems), and starting from which build this
>      > fix was included?
>      >
> 
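A runtime check that complements the advisory-mapping approach discussed in the thread. This is an added example, not code from the thread or from OpenJDK. CVE-2014-3566 is the POODLE attack on SSLv3, and the mitigation shipped in JSSE was to list SSLv3 in the `jdk.tls.disabledAlgorithms` security property so that a default `SSLContext` no longer enables it. Rather than trying to trace which changeset a vendor build carries, this program asks the JDK it runs on what it actually does by default. The class name `SslV3Check` is made up for the example; the only API assumption is that `jdk.tls.disabledAlgorithms` is a comma-separated list of tokens, which is how the property is documented in `java.security`.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Reports whether the JDK this runs on still enables SSLv3 by default in JSSE.
 *
 * The JSSE mitigation for CVE-2014-3566 (POODLE) lists SSLv3 in the
 * jdk.tls.disabledAlgorithms security property, which removes it from the
 * protocols a default SSLContext enables. A build that predates the fix, or a
 * deployment whose java.security file has been edited, shows SSLv3 again.
 * Example code; the class name is hypothetical.
 */
public class SslV3Check {

    /** Protocols a default SSLSocket/SSLEngine would enable on this JDK. */
    public static List<String> defaultEnabledProtocols() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
    }

    /** True if "SSLv3" appears as its own token in jdk.tls.disabledAlgorithms. */
    public static boolean sslv3ListedAsDisabled() {
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (disabled == null) {
            // Property absent: pre-fix build, or a stripped java.security file.
            return false;
        }
        for (String entry : disabled.split(",")) {
            if (entry.trim().equals("SSLv3")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        List<String> enabled = defaultEnabledProtocols();
        boolean sslv3Enabled = enabled.contains("SSLv3");

        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("default enabled protocols  = " + enabled);

        if (!sslv3ListedAsDisabled()) {
            // Informational: the protocol list below is what actually decides.
            System.out.println("NOTE: SSLv3 is not listed in jdk.tls.disabledAlgorithms");
        }
        if (sslv3Enabled) {
            System.out.println("RESULT: SSLv3 is enabled by default on this JDK"
                    + " (CVE-2014-3566 default-off mitigation NOT present)");
            System.exit(1);
        }
        System.out.println("RESULT: SSLv3 is disabled by default on this JDK");
    }
}
```

Compile and run it with the JDK under test (`javac SslV3Check.java && java SslV3Check`). Two caveats: run it against a clean install, because `java.security` is editable and a hardened or loosened file will mask what the build itself ships; and the check tells you how the build behaves, not which changeset it contains, so it answers a narrower question than the advisory mapping and says nothing about CVE-2014-6593.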


