OpenJDK 11.0.3 Released

Andrew John Hughes gnu.andrew at redhat.com
Wed Apr 17 17:14:12 UTC 2019



On 17/04/2019 08:13, Jones, Philip wrote:
> Sorry, re-formatting to make it readable as plain text
> 
> Andrew
> 
> Can I check the CVEs referenced below?
> Oracle put out their update a few hours later and the Java items they pulled out refer to two CVEs
> 
> https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixJAVA
> 
> CVE-2019-2602 Java SE, Java SE Embedded Libraries
> CVE-2019-2684 Java SE, Java SE Embedded RMI
> 
> and your email refers to 3 security fixes and also has two CVEs
> 
> New in OpenJDK 11.0.3:
> * Security fixes
>   - S8211936, CVE-2019-2602: Better String parsing
>   - S8214809: CDS storage improvements
>   - S8218453, CVE-2019-2698: More dynamic RMI interactions
> 
> The first, CVE-2019-2602, matches up exactly.
> The second Oracle announced CVE, CVE-2019-2684, does not occur in your email.
> 
> On https://access.redhat.com/security/cve/cve-2019-2684 there is detail of this and it says:
> 
> Bugzilla:1700564: CVE-2019-2684 OpenJDK: Incorrect skeleton selection in RMI registry server-side dispatch handling (RMI, 8218453)
> 
> All that matches up with the third fix you list, so RMI and 8218453 all tie up, but the CVE you refer to is CVE-2019-2698.
> 
> The detail for that https://access.redhat.com/security/cve/cve-2019-2698 says:
> 
> Bugzilla:1700447: CVE-2019-2698 OpenJDK: Font layout engine out of bounds access setCurrGlyphID() (2D, 8219022)
> 
> So it is a different issue.
> 
> Regards
> 
> Philip
> -----------------
> Siemens Industry Software Limited is a limited company registered in England and Wales.
> Registered number: 3476850.
> Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.
> 

Sorry, looks like a copy-and-paste error on my part.

The correct ones are in the OpenJDK 8u212 release mail:
http://bitly.com/oj8u212
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew


