Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 09 Feb 2015 12:48:01 -0800
From: Ritwik Ghoshal <ritwik.ghoshal@...cle.com>
To: oss-security@...ts.openwall.com
CC: Oracle Security Alerts <secalert_us@...cle.com>
Subject: Re: CVE-2013-4578 OpenJDK: jarsigner does not detect
 unsigned bytecode injected into signed jars

Hi Kurt,

This issue was addressed in Java 7U51 as a security-in-depth fix because
of CVSS 0 score. Oracle doesn't assign CVEs to CVSS 0 issues.

Please note: the correct email address to contact Oracle Security Alert
team is secalert_us@...cle.com.

Thanks,
-Ritwik


On 2/8/2015 2:37 PM, Kurt Seifried wrote:
> CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode
> injected into signed jars
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1031471
>
> Fixed upstream in OpenJDK:
>
> http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d5f36e1c927e
>
> Also reportedly fixed in Oracle Java in CPU Jan 2014
>
> http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
>
> But I don't see the CVE. Oracle can you confirm if this was fixed, and
> which CVE it was given? Thanks.
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ