OpenJDK 11.0.3 Released
Jones, Philip
philip.m.jones at siemens.com
Wed Apr 17 07:13:20 UTC 2019
Sorry, re-formatting to make it readable as plain text.
Andrew,
Can I check the CVEs referenced below?
Oracle put out their update a few hours later, and the Java items they pulled out refer to two CVEs:
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixJAVA
CVE-2019-2602 Java SE, Java SE Embedded Libraries
CVE-2019-2684 Java SE, Java SE Embedded RMI
and your email refers to 3 security fixes and also has two CVEs:
New in OpenJDK 11.0.3:
* Security fixes
  - S8211936, CVE-2019-2602: Better String parsing
  - S8214809: CDS storage improvements
  - S8218453, CVE-2019-2698: More dynamic RMI interactions
The first, CVE-2019-2602, matches up exactly.
The second Oracle announced CVE, CVE-2019-2684, does not occur in your email.
On https://access.redhat.com/security/cve/cve-2019-2684 there is detail of this and it says:
Bugzilla:1700564: CVE-2019-2684 OpenJDK: Incorrect skeleton selection in RMI registry server-side dispatch handling (RMI, 8218453)
All that matches up with the third fix you list, so RMI and 8218453 all tie up, but the CVE you refer to is CVE-2019-2698.
The detail for that https://access.redhat.com/security/cve/cve-2019-2698 says:
Bugzilla:1700447: CVE-2019-2698 OpenJDK: Font layout engine out of bounds access setCurrGlyphID() (2D, 8219022)
So it is a different issue.
Regards
Philip
-----------------
Siemens Industry Software Limited is a limited company registered in England and Wales.
Registered number: 3476850.
Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.