Bug#905215: CVE-2018-2941
On 07.10.18 at 13:16, Moritz Muehlenhoff wrote:
[...]
> No, unfortunately it's the same "we fix, but don't tell" bullshit policy
> as with all other Oracle products.
>
> Given that mediathekview is our only reverse dependency in stretch we
> can probably mark it as ignored for stretch anyway?
>
> Cheers,
> Moritz

Ok. MediathekView in Stretch only uses JavaFX to create some better integrated Panel messages or to improve performance. If I read the advisory correctly CVE-2018-2941 affects Java Web Start or Java applets but MediathekView is a desktop application and doesn't use those classes, so I believe it cannot be exploited. Ignored for Stretch makes sense.

Cheers,

Markus
Bug#905215: CVE-2018-2941
On Sun, Oct 07, 2018 at 01:04:38PM +0200, Markus Koschany wrote:
> Hi,
>
> On Wed, 01 Aug 2018 16:45:30 +0200 Moritz Muehlenhoff wrote:
> > Source: openjfx
> > Severity: grave
> > Tags: security
> >
> > http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
> > fixed CVE-2018-2941 in JavaFX, which should affect our openjfx package.
>
> We have recently upgraded OpenJFX to version 11. It is not listed as a
> vulnerable version in Oracle's security advisory. I presume if it has
> been vulnerable they would have fixed it in OpenJFX 11 too by now. Do
> you have more information about this vulnerability because I can't find
> any details on the web.

No, unfortunately it's the same "we fix, but don't tell" bullshit policy as with all other Oracle products.

Given that mediathekview is our only reverse dependency in stretch we can probably mark it as ignored for stretch anyway?

Cheers,
Moritz
Bug#905215: CVE-2018-2941
Hi,

On Wed, 01 Aug 2018 16:45:30 +0200 Moritz Muehlenhoff wrote:
> Source: openjfx
> Severity: grave
> Tags: security
>
> http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
> fixed CVE-2018-2941 in JavaFX, which should affect our openjfx package.

We have recently upgraded OpenJFX to version 11. It is not listed as a vulnerable version in Oracle's security advisory. I presume if it has been vulnerable they would have fixed it in OpenJFX 11 too by now. Do you have more information about this vulnerability because I can't find any details on the web.

Regards,

Markus
Bug#905215: CVE-2018-2941
Source: openjfx
Severity: grave
Tags: security

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
fixed CVE-2018-2941 in JavaFX, which should affect our openjfx package.

Cheers,
Moritz