Date: Fri, 17 Jul 2015 19:44:21 -0700
From: Greg Lewis
To: Roger Marquis
Cc: glewis@FreeBSD.org, jkim@FreeBSD.org, java@FreeBSD.org
Subject: Re: JDK/JRE security question
Message-ID: <20150718024421.GB12952@misty.eyesbeyond.com>
References: <201507141324.t6EDO5aR080102@ginkgo.iagu.net>
In-Reply-To: <201507141324.t6EDO5aR080102@ginkgo.iagu.net>
List-Id: Porting Java to FreeBSD

On Tue, Jul 14, 2015 at 06:23:55AM -0700, Roger Marquis wrote:
> Esteemed JDK maintainers,
>
> Given all of the recent Java security news (not just javaws- or
> windows-related) it's surprising that the database does not show a
> FreeBSD jdk vulnerability for over 30 months. Is this accurate? If so
> thank you for the excellent work (and thank you even if not for the
> excellent work). If it's not necessarily accurate and considering
> Oracle's EOL of Java 6 and 7, do you have any recommendations for
> updating vuln.xml?

It is likely that there are vulnerabilities in the JDK that should be
listed there. The Linux JDK as well one suspects. However, less than
one might expect due to many of these occurring in the browser plugin
which isn't included in OpenJDK.

I'm not precisely sure where to start on such a list though. Perhaps
something like this:

http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/Oracle-JRE.html

Although the internal build numbers there for OpenJDK6 don't correspond
to the public release build numbers that have been used since Oracle
stopped doing public releases and RedHat took over source code
maintenance. So getting the correct version for that may be tricky.

-- 
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org