Date: Fri, 17 Jul 2015 19:44:21 -0700
From: Greg Lewis <glewis@eyesbeyond.com>
To: Roger Marquis <marquis@roble.com>
Cc: glewis@FreeBSD.org, jkim@FreeBSD.org, java@FreeBSD.org
Subject: Re: JDK/JRE security question
Message-ID: <20150718024421.GB12952@misty.eyesbeyond.com>
In-Reply-To: <201507141324.t6EDO5aR080102@ginkgo.iagu.net>
References: <201507141324.t6EDO5aR080102@ginkgo.iagu.net>

On Tue, Jul 14, 2015 at 06:23:55AM -0700, Roger Marquis wrote:
> Esteemed JDK maintainers,
>
> Given all of the recent Java security news (not just javaws- or
> windows-related) it's surprising that the database does not show a
> FreeBSD jdk vulnerability for over 30 months.  Is this accurate?  If so
> thank you for the excellent work (and thank you even if not for the
> excellent work).  If it's not necessarily accurate and considering
> Oracle's EOL of Java 6 and 7, do you have any recommendations for
> updating vuln.xml?

It is likely that there are vulnerabilities in the JDK that should be
listed there.  The Linux JDK as well, one suspects.  However, fewer than
one might expect due to many of these occurring in the browser plugin,
which isn't included in OpenJDK.

I'm not precisely sure where to start on such a list though.  Perhaps
something like this:

http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/Oracle-JRE.html

Although the internal build numbers there for OpenJDK6 don't correspond
to the public release build numbers that have been used since Oracle
stopped doing public releases and RedHat took over source code
maintenance.  So getting the correct version for that may be tricky.

-- 
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org