Date: Mon, 09 Feb 2015 12:48:01 -0800 From: Ritwik Ghoshal <ritwik.ghoshal@...cle.com> To: oss-security@...ts.openwall.com CC: Oracle Security Alerts <secalert_us@...cle.com> Subject: Re: CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars Hi Kurt, This issue was addressed in Java 7U51 as a security-in-depth fix because of CVSS 0 score. Oracle doesn't assign CVEs to CVSS 0 issues. Please note: the correct email address to contact Oracle Security Alert team is secalert_us@...cle.com. Thanks, -Ritwik On 2/8/2015 2:37 PM, Kurt Seifried wrote: > CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode > injected into signed jars > > https://bugzilla.redhat.com/show_bug.cgi?id=1031471 > > Fixed upstream in OpenJDK: > > http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d5f36e1c927e > > Also reportedly fixed in Oracle Java in CPU Jan 2014 > > http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html > > But I don't see the CVE. Oracle can you confirm if this was fixed, and > which CVE it was given? Thanks. >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.