Re: openjdk-7 status

2019-05-13 Thread Ola Lundqvist
Great!

Sent from a phone

On Mon, 13 May 2019 at 22:52, Emilio Pozuelo Monfort wrote:

> On 13/05/2019 12:09, Emilio Pozuelo Monfort wrote:
> > It was not clear to me at the time of upload if it was addressed in
> > 7u221. It was not mentioned in the upstream announcement. I asked upstream
> > for clarification on its status, it may be that that CVE is Oracle specific
> > and doesn't affect OpenJDK. Though I haven't received a reply yet. But
> > let's wait for their answer.
>
> Upstream confirmed that CVE-2019-2697 doesn't affect OpenJDK as it's a
> vulnerability in a proprietary 2D component only present in Oracle Java. I
> updated the tracker accordingly.
>
> Cheers,
> Emilio
>
>


Re: openjdk-7 status

2019-05-13 Thread Emilio Pozuelo Monfort
On 13/05/2019 12:09, Emilio Pozuelo Monfort wrote:
> It was not clear to me at the time of upload if it was addressed in 7u221. It
> was not mentioned in the upstream announcement. I asked upstream for
> clarification on its status, it may be that that CVE is Oracle specific and
> doesn't affect OpenJDK. Though I haven't received a reply yet. But let's wait
> for their answer.

Upstream confirmed that CVE-2019-2697 doesn't affect OpenJDK as it's a
vulnerability in a proprietary 2D component only present in Oracle Java. I
updated the tracker accordingly.

Cheers,
Emilio



Re: openjdk-7 status

2019-05-13 Thread Emilio Pozuelo Monfort
On 13/05/2019 10:55, Sylvain wrote:
> Thanks Ola.
> 
> Emilio, can you confirm your latest upload also addresses CVE-2019-2697?
> 
> Its MITRE page points to:
> https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
> "Mateusz Jurczyk of Google Project Zero: CVE-2019-2697, CVE-2019-2698"
> 
> which also references CVE-2019-2698, which DLA-1782-1 addressed.
> So it is likely that this is an oversight in data/CVE/list, as the
> upload was a new upstream version (i.e. not cherry-picking).

It was not clear to me at the time of upload if it was addressed in 7u221. It
was not mentioned in the upstream announcement. I asked upstream for
clarification on its status, it may be that that CVE is Oracle specific and
doesn't affect OpenJDK. Though I haven't received a reply yet. But let's wait
for their answer.

Emilio

> 
> Cheers!
> Sylvain
> 
> On 13/05/2019 17:00, Ola Lundqvist wrote:
>> Hi Sylvain
>>
>> It was meant to consider CVE-2019-2697.
>> I do not know anything about reconsidering this CVE as nothing has been
>> noted on that CVE that it has been ignored or should be treated in
>> some other way.
>>
>> // Ola 
>>
>> On Mon, 13 May 2019 at 10:57, Sylvain Beucler wrote:
>>
>> Hi,
>>
>> openjdk-7 is back in dla-needed.txt with the commit message "Sounds
>> serious enough".
>> However it was re-added the day after DLA-1782-1 and there's no
>> new CVE since.
>>
>> Was it an oversight, or was it meant to reconsider
>> https://security-tracker.debian.org/tracker/CVE-2019-2697 which wasn't
>> addressed by that DLA?
>>
>> Cheers!
>> Sylvain
>>
>>
>>
>>
> 



Re: openjdk-7 status

2019-05-13 Thread Sylvain
Thanks Ola.

Emilio, can you confirm your latest upload also addresses CVE-2019-2697?

Its MITRE page points to:
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
"Mateusz Jurczyk of Google Project Zero: CVE-2019-2697, CVE-2019-2698"

which also references CVE-2019-2698, which DLA-1782-1 addressed.
So it is likely that this is an oversight in data/CVE/list, as the
upload was a new upstream version (i.e. not cherry-picking).

Cheers!
Sylvain

On 13/05/2019 17:00, Ola Lundqvist wrote:
> Hi Sylvain
>
> It was meant to consider CVE-2019-2697.
> I do not know anything about reconsidering this CVE as nothing has been
> noted on that CVE that it has been ignored or should be treated in
> some other way.
>
> // Ola 
>
> On Mon, 13 May 2019 at 10:57, Sylvain Beucler wrote:
>
> Hi,
>
> openjdk-7 is back in dla-needed.txt with the commit message "Sounds
> serious enough".
> However it was re-added the day after DLA-1782-1 and there's no
> new CVE since.
>
> Was it an oversight, or was it meant to reconsider
> https://security-tracker.debian.org/tracker/CVE-2019-2697 which wasn't
> addressed by that DLA?
>
> Cheers!
> Sylvain
>
>
>
>


Re: openjdk-7 status

2019-05-13 Thread Ola Lundqvist
Hi Sylvain

It was meant to consider CVE-2019-2697.
I do not know anything about reconsidering this CVE as nothing has been noted
on that CVE that it has been ignored or should be treated in some other way.

// Ola

On Mon, 13 May 2019 at 10:57, Sylvain Beucler wrote:

> Hi,
>
> openjdk-7 is back in dla-needed.txt with the commit message "Sounds
> serious enough".
> However it was re-added the day after DLA-1782-1 and there's no new CVE
> since.
>
> Was it an oversight, or was it meant to reconsider
> https://security-tracker.debian.org/tracker/CVE-2019-2697 which wasn't
> addressed by that DLA?
>
> Cheers!
> Sylvain
>
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
|  o...@inguza.com       o...@debian.org                       |
|  http://inguza.com/    Mobile: +46 (0)70-332 1551            |
 ---


openjdk-7 status

2019-05-13 Thread Sylvain Beucler
Hi,

openjdk-7 is back in dla-needed.txt with the commit message "Sounds
serious enough".
However it was re-added the day after DLA-1782-1 and there's no new CVE
since.

Was it an oversight, or was it meant to reconsider
https://security-tracker.debian.org/tracker/CVE-2019-2697 which wasn't
addressed by that DLA?

Cheers!
Sylvain