Boushy, Phillip
2020-Jul-31 00:04 UTC
[CentOS] OpenJDK vulnerability and best way to find status of package that remediates vulnerability for CentOS
I have a docker image based off centos:7 with java-11-openjdk-devel.

It appears that the current java-11-openjdk-devel available in the CentOS 7 Yum repo is 1:11.0.7.10-4.el7_8.

11.0.7 is reported to have some high vulnerabilities (RHSA-2020:2969) that are fixed in 11.0.8, but 11.0.8 is not available for CentOS 7.

1. Is there an 11.0.8 update for java-11-openjdk-devel available for CentOS 7?
2. Is there a page like Ubuntu's CVE Tracker site where it shows the CVE, the package name, and the status (e.g. https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14578.html)?
3. If 2 is no, how can I look up the status of a package that has been released by upstream on CentOS? (e.g. it's been released upstream, it's available in CentOS, it's pending backport for CentOS 7)
Leon Fauster
2020-Jul-31 11:37 UTC
[CentOS] OpenJDK vulnerability and best way to find status of package that remediates vulnerability for CentOS
On 31.07.20 at 02:04, Boushy, Phillip wrote:
> I have a docker image based off centos:7 with java-11-openjdk-devel.
>
> It appears that the current java-11-openjdk-devel available in the CentOS 7 Yum repo is 1:11.0.7.10-4.el7_8
>
> 11.0.7 is reported to have some high vulnerabilities RHSA-2020:2969 that are fixed in 11.0.8, but 11.0.8 is not available for CentOS 7.
>
> 1. Is there a 11.0.8 update for java-11-openjdk-devel available for CentOS 7?
> 2. Is there a page like Ubuntu's CVE Tracker site where it shows the CVE, the package name, and the status (e.g. https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14578.html)
> 3. If 2 is no, How can I look up the status of a package that has been released by upstream on CentOS? (e.g. it's been released in Upstream, it's available in CentOS, it's pending backport for CentOS 7)

https://lists.centos.org/pipermail/centos-announce/

https://git.centos.org/rpms/java-11-openjdk/releases

--
Leon
Jonathan Billings
2020-Jul-31 12:26 UTC
[CentOS] OpenJDK vulnerability and best way to find status of package that remediates vulnerability for CentOS
On Fri, Jul 31, 2020 at 12:04:52AM +0000, Boushy, Phillip wrote:
> 1. Is there a 11.0.8 update for java-11-openjdk-devel available for
> CentOS 7?

No, but it's in the process of being built and distributed. It's been released in RHEL and I suspect the GRUB2/shim/kernel security issue is taking some priority right now.

> 2. Is there a page like Ubuntu's CVE Tracker site where it shows the
> CVE, the package name, and the status
> (e.g. https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14578.html)

Red Hat (CentOS's upstream) posts advisories for these sorts of things:

https://access.redhat.com/errata/RHSA-2020:2969

This is the security advisory for this package.

> 3. If 2 is no, How can I look up the status of a package that has
> been released by upstream on CentOS? (e.g. it's been released in
> Upstream, it's available in CentOS, it's pending backport for CentOS
> 7)

As I mentioned earlier, the Red Hat errata site is a good place to look. You can search for CVEs there too. There's also a RHSA-Announce mailing list if you'd prefer that they end up in your mailbox:

https://www.redhat.com/mailman/listinfo/rhsa-announce

--
Jonathan Billings <billings at negate.org>
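The replies above point at the RHSA/CESA advisories as the place to find the fixed package version. The remaining practical step is to compare what is installed in the image against that fixed version using RPM's own ordering rules (epoch, then version, then release, each compared with rpm's segment-wise `rpmvercmp`), not plain string or float comparison. The following is an added example and not code from the thread or from CentOS; it is a Python port of the `rpmvercmp` algorithm plus an EVR-level compare, run over a constructed `rpm -qa` listing and a constructed advisory table. The fixed EVR shown for RHSA-2020:2969 is an assumed illustrative value; confirm it against the advisory text before relying on it.

```python
"""Compare installed RPM EVRs against the fixed EVR from a security advisory.

Added example (not from the thread). Implements rpm's rpmvercmp ordering so that
"1:11.0.7.10-4.el7_8" < "1:11.0.8.10-0.el7_8" is decided the way rpm/yum would.
"""
import re


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): returns -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Skip separators: anything that is not alphanumeric, '~' or '^'.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        # '~' sorts before everything, including end of string (1.0~rc1 < 1.0).
        ta, tb = i < la and a[i] == "~", j < lb and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after end of string but before anything else (1.0 < 1.0^git < 1.0.1).
        ca, cb = i < la and a[i] == "^", j < lb and b[j] == "^"
        if ca or cb:
            if i >= la:
                return -1
            if j >= lb:
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if not (i < la and j < lb):
            break
        # Take a run of digits from both, or a run of letters from both.
        if a[i].isdigit():
            ma, mb, isnum = re.match(r"[0-9]+", a[i:]), re.match(r"[0-9]+", b[j:]), True
        else:
            ma, mb, isnum = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:]), False
        sa = ma.group(0)
        if mb is None:  # segment types differ: numeric segment is newer than alpha
            return 1 if isnum else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")  # 1.00 == 1.0
            if len(sa) != len(sb):                   # longer number is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # whichever string has segments left is newer


def parse_evr(evr: str):
    """Split 'EPOCH:VERSION-RELEASE' into (int epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, release = evr.rsplit("-", 1) if "-" in evr else (evr, "")
    return epoch, version, release


def evr_compare(x: str, y: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    rc = rpmvercmp(vx, vy)
    return rc if rc else rpmvercmp(rx, ry)


# Constructed output of:
#   rpm -qa --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}|:%{VERSION}-%{RELEASE}\n'
# run inside the centos:7 image from the original post (sample data, not captured).
RPM_QA_SAMPLE = """\
java-11-openjdk-devel 1:11.0.7.10-4.el7_8
java-11-openjdk 1:11.0.7.10-4.el7_8
bash 0:4.2.46-34.el7
"""

# Constructed advisory table: fixed EVR is an assumed illustrative value; verify
# against https://access.redhat.com/errata/RHSA-2020:2969 before use.
ADVISORIES = {
    "RHSA-2020:2969": {
        "java-11-openjdk-devel": "1:11.0.8.10-0.el7_8",
        "java-11-openjdk": "1:11.0.8.10-0.el7_8",
    },
}


def parse_rpm_qa(text: str) -> dict:
    """Turn 'NAME EVR' lines into {name: evr}."""
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())


def vulnerable_packages(installed: dict, advisories=ADVISORIES) -> list:
    """Return (package, installed_evr, fixed_evr, advisory) for every installed package
    whose EVR is older than the advisory's fixed EVR."""
    findings = []
    for adv, fixes in advisories.items():
        for pkg, fixed in fixes.items():
            cur = installed.get(pkg)
            if cur is not None and evr_compare(cur, fixed) < 0:
                findings.append((pkg, cur, fixed, adv))
    return findings


if __name__ == "__main__":
    for pkg, cur, fixed, adv in vulnerable_packages(parse_rpm_qa(RPM_QA_SAMPLE)):
        print(f"{pkg}: installed {cur} < fixed {fixed} ({adv})")
```

Feed it the real `rpm -qa` output from the image and the fixed EVRs copied from the advisory, and it reports exactly the packages still below the fix. Once the CESA for CentOS 7 lands, the same check confirms the rebuilt image actually picked the new package up; on a live host, `rpmdev-vercmp` from rpmdevtools gives the same ordering if you would rather not port the algorithm.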