Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <54D91D01.7060602@oracle.com>
Date: Mon, 09 Feb 2015 12:48:01 -0800
From: Ritwik Ghoshal <ritwik.ghoshal@...cle.com>
To: oss-security@...ts.openwall.com
CC: Oracle Security Alerts <secalert_us@...cle.com>
Subject: Re: CVE-2013-4578 OpenJDK: jarsigner does not detect
 unsigned bytecode injected into signed jars

Hi Kurt,

This issue was addressed in Java 7U51 as a security-in-depth fix because
of CVSS 0 score. Oracle doesn't assign CVEs to CVSS 0 issues.

Please note: the correct email address to contact Oracle Security Alert
team is secalert_us@...cle.com.

Thanks,
-Ritwik


On 2/8/2015 2:37 PM, Kurt Seifried wrote:
> CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode
> injected into signed jars
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1031471
>
> Fixed upstream in OpenJDK:
>
> http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d5f36e1c927e
>
> Also reportedly fixed in Oracle Java in CPU Jan 2014
>
> http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
>
> But I don't see the CVE. Oracle can you confirm if this was fixed, and
> which CVE it was given? Thanks.
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.