Date: Wed, 12 Sep 2012 06:55:12 -0400 (EDT) From: Jan Lieskovsky <jlieskov@...hat.com> To: oss-security@...ts.openwall.com Cc: "Steven M. Christey" <coley@...us.mitre.org>, Florian Weimer <fweimer@...hat.com>, Oracle Security Team <secalert_us@...cle.com>, David Jorm <djorm@...hat.com> Subject: Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Hello Steve, thank you for the clarification. > Jan/Kurt, > > The bug report appears to be describing a narrow class of vulnerability > that could affect multiple codebases that implement Java Virtual Machines, > not just Oracle's; That's true, my yesterday's request was too wide, because in that moment we were not sure yet, which concrete JVM implementations would be affected by this deficiency (and which not). > if so, then a separate CVE would be needed for each > REPORTED codebase, and CVE-2012-4416 is ONLY for bug id 7196857 for the > Oracle-supported JVM. Anyway, upon David's review (Cc-ed too) we can announce that this problem would affect / is specific only to Oracle Java SE 7 (java-1.7.0-oracle), and Java SE 7 as provided by OpenJDK 7 (java-1.7.0-openjdk). So after above suggestion we will use CVE-2012-4416 for Oracle's codebase / Oracle supported JVM and the OpenJDK one should obtain another CVE identifier. I will clarify this situation in our bugs too yet. Kurt, could you allocate another CVE id then for the OpenJDK part of the story? > > I wonder about the severity of the issue, but given the possibility that > applications might access an array before a fill, and applications may > depend on there being "empty" elements after initialization, this seems > reasonable for a CVE. Florian clarified on this already (why to assign CVE id for these is appropriate approach). Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team > > - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ