8u212 missing fixes
Eric Peterson
epeterson at interactivebrokers.com
Thu Apr 25 12:21:32 UTC 2019
On Apr 25, 2019, at 5:40 AM, Langer, Christoph <christoph.langer at sap.com<mailto:christoph.langer at sap.com>> wrote:
Hi Paul, Andrew,
On 24/04/2019 16:07, Hohensee, Paul wrote:
From Oracle’s 8u211 release notes at
https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.oracle.com%2Ftechnetwork%2Fjava%2Fjavase%2F2col%2F8u211-bugfixes-&data=01%7C01%7Cepeterson%40interactivebrokers.com%7Cc2da785c1fc14a47932a08d6c9621884%7C7abd04ef837d48e69ba869d84f65a110%7C0&sdata=T6kmuEBv1RIedFsSAGaFxGCiyuz6nryPK9n6b0gLY60%3D&reserved=0
5292912.html,
this issue
https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugs.openjdk.java.net%2Fbrowse%2FJDK-8129988&data=01%7C01%7Cepeterson%40interactivebrokers.com%7Cc2da785c1fc14a47932a08d6c9621884%7C7abd04ef837d48e69ba869d84f65a110%7C0&sdata=KUHtpnm0pdXlfLdcW14xIN8APur%2FT2yIwmTKQXNrGzw%3D&reserved=0: JSSE should create a
single instance of the cacerts KeyStore
was in Oracle’s 8u211, but not in OpenJDK 8u212. I’ve just pushed a
backport to jdk8u-dev.
Yes, as I mentioned when approving the 8u request, this seems to have
slipped through because it was marked as fixed in 8u202, but in a BPR
which didn't make OpenJDK. That suggests a flaw in the filter we used. I
don't know if it's worth rectifying now, as it only applies to the
crossover phase. Maybe something to bear in mind if we end up
maintaining OpenJDK 14 or something.
I've had a closer look to the filters. It seems that changes being part of 8u202 b31 have never made it to the OpenJDK repo while the filter assumed so. I've updated the filters to account for backports being integrated in b31+ builds.
The 8u212 filter now shows 7 items: https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugs.openjdk.java.net%2Fissues%2F%3Ffilter%3D36394&data=01%7C01%7Cepeterson%40interactivebrokers.com%7Cc2da785c1fc14a47932a08d6c9621884%7C7abd04ef837d48e69ba869d84f65a110%7C0&sdata=6ARzhKAJY%2FUEgEEfqIaKKqdxqMI5xqOXLoEWleIsd%2Bs%3D&reserved=0
The 8u222 filter also includes these items now (That is, 6 items because you pushed JDK-8129988): https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugs.openjdk.java.net%2Fissues%2F%3Ffilter%3D36456&data=01%7C01%7Cepeterson%40interactivebrokers.com%7Cc2da785c1fc14a47932a08d6c9621884%7C7abd04ef837d48e69ba869d84f65a110%7C0&sdata=lwICzparu2PLr8R5yU76VpxHMTEUsGgIthwg8UJWS1Q%3D&reserved=0<https://nam02.safelinks.protection.outlook.com/?url=https://bugs.openjdk.java.net/issues/?filter=36456&data=01|01|epeterson@interactivebrokers.com|c2da785c1fc14a47932a08d6c9621884|7abd04ef837d48e69ba869d84f65a110|0&sdata=lwICzparu2PLr8R5yU76VpxHMTEUsGgIthwg8UJWS1Q=&reserved=0>
The recent OpenJDK 8u212 release mentioned fixes for three CVEs:
* S8211936, CVE-2019-2602: Better String parsing
* S8218453, CVE-2019-2684: More dynamic RMI interactions
* S8219066, CVE-2019-2698: Fuzzing TrueType fonts: setCurrGlyphID()
But the Oracle 8u212 release mentions two additional fixed CVEs:
* CVE-2019-2699
* CVE-2019-2697
Was OpenJDK 8u212 missing fixes for those vulnerabilities? Or perhaps they were just inadvertently left out of the release notes, or did not need to be applied?
I tried to check on the "missing" fixes using the JBS filters given above, but they require a login.
—Eric
More information about the jdk8u-dev
mailing list