8u212 missing fixes
Gil Tene
gil at azul.com
Thu Apr 25 12:59:00 UTC 2019
> On Apr 25, 2019, at 5:22 AM, Eric Peterson <epeterson at interactivebrokers.com> wrote:
> ...
> The recent OpenJDK 8u212 release mentioned fixes for three CVEs:
>
> * S8211936, CVE-2019-2602: Better String parsing
> * S8218453, CVE-2019-2684: More dynamic RMI interactions
> * S8219066, CVE-2019-2698: Fuzzing TrueType fonts: setCurrGlyphID()
>
> But the Oracle 8u212 release mentions two additional fixed CVEs:
>
> * CVE-2019-2699
> * CVE-2019-2697
>
> Was OpenJDK 8u212 missing fixes for those vulnerabilities? Or perhaps they were just inadvertently left out of the release notes, or did not need to be applied?
To my knowledge:
CVE-2019-2699 was related to an artifact of choices made in the build environment, and as such existed in some 8u distros but not in others. So it is not a source-code-project thing (but individual distros have dealt with it and may want to mention it).
CVE-2019-2697 was specific to Oracle JDK 8 code that is not included in OpenJDK 8u, so it is not applicable to OpenJDK 8u.
— Gil