JDK/JRE security question
Greg Lewis
glewis at eyesbeyond.com
Sat Jul 18 02:44:23 UTC 2015
On Tue, Jul 14, 2015 at 06:23:55AM -0700, Roger Marquis wrote:
> Esteemed JDK maintainers,
>
> Given all of the recent Java security news (not just javaws- or
> windows-related) it's surprising that the database does not show a
> FreeBSD jdk vulnerability for over 30 months. Is this accurate? If so
> thank you for the excellent work (and thank you even if not for the
> excellent work). If it's not necessarily accurate and considering
> Oracle's EOL of Java 6 and 7, do you have any recommendations for
> updating vuln.xml?

It is likely that there are vulnerabilities in the JDK that should be
listed there. The Linux JDK as well, one suspects. However, fewer than
one might expect, due to many of these occurring in the browser plugin,
which isn't included in OpenJDK.

I'm not precisely sure where to start on such a list though. Perhaps
something like this:

http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/Oracle-JRE.html

Although the internal build numbers there for OpenJDK6 don't correspond to
the public release build numbers that have been used since Oracle stopped
doing public releases and Red Hat took over source code maintenance. So
getting the correct version for that may be tricky.

--
Greg Lewis Email : glewis at eyesbeyond.com
Eyes Beyond Web : http://www.eyesbeyond.com
Information Technology FreeBSD : glewis at FreeBSD.org

More information about the freebsd-java mailing list