Minerva vulnerability + patch
Ján Jančár
j08ny at mail.muni.cz
Thu Oct 17 13:10:44 UTC 2019
On 17/10/2019 12:26, Alan Bateman wrote:
> On 17/10/2019 09:49, Ján Jančár wrote:
>> Hi all,
>> I saw that the CVE for this vulnerability was mentioned in the latest
>> critical patch update advisory as fixed:
>>
> The OpenJDK mailing lists shouldn't be used to discuss vulnerability issues. Instead you should engage with the OpenJDK Vulnerability Group via their reporting page [1].
>
Hi Alan, all,
we already did this months ago. In fact this fix I mention
is the direct consequence of our report. As this is all public
after our disclosure [1], I see no reason to keep this
discussion private.
The patch provided on this mailing list was sent to the Oracle
security contact (and hopefully passed on to the OpenJDK security
team) on 14.08.2019. By posting to this list I was hoping to move
forward on fixing the issue by applying this patch, or a similar
one based on it, as the issue remains unfixed months after our
discovery/notification.
[1]: https://minerva.crocs.fi.muni.cz
Cheers,
Jan