Q about 8u442 applicability of JDK-8330045 (Enhance array handling) / CVE-2025-21502

David Holmes david.holmes at oracle.com
Wed Feb 12 04:51:10 UTC 2025


On 12/02/2025 8:52 am, Thorsten Glaser wrote:
> On Tue, 11 Feb 2025, David Holmes wrote:
>> On 10/02/2025 3:04 pm, Thorsten Glaser wrote:
>>> On Mon, 10 Feb 2025, David Holmes wrote:
>>>
>>>> The entry here lists all the affected versions:
>>>>
>>>> https://www.oracle.com/security-alerts/cpujan2025.html
>>>
>>> It doesn’t, it doesn’t list OpenJDK after all, and I know that at
>>> least some OpenJDK versions are affected.
>>
>> If you want to know if an OpenJDK distribution is affected you should
>> ask the organisation distributing it.
> 
> I *did* ask the organisation developing it. This is the OpenJDK 8
> mailing list, is it not?

I didn't say "developing", I said "distributing". However, I have now
discovered there is another source of information for OpenJDK - the
Vulnerability Group:

https://openjdk.org/groups/vulnerability/

In particular:

https://openjdk.org/groups/vulnerability/advisories/2025-01-21

Regards,
David

>> I pointed you to the information for Oracle JDK.
>>
>> If you want to know if the fix is in an OpenJDK source repository then
>> use "git log" to search for it.
> 
> Your attitude certainly matches your employer’s expected
> behaviour. You might wish to rethink that for your actions
> on OSS projects’ mailing lists.
> 
> bye,
> //mirabilos



More information about the jdk8u-dev mailing list