OpenJDK Vulnerability And Best Way To Find Status Of Package That Remediates Vulnerability For CentOS


I have a docker image based off CentOS:7 with java-11-openjdk-devel.

It appears that the current java-11-openjdk-devel available in the CentOS 7 Yum repo is 1:11.0.7.10-4.el7_8

11.0.7 is reported to have some high vulnerabilities RHSA-2020:2969 that are fixed in 11.0.8, but 11.0.8 is not available for CentOS 7.

1. Is there a 11.0.8 update for java-11-openjdk-devel available for CentOS 7?
2. Is there a page like Ubuntu’s CVE Tracker site where it shows the CVE, the package name, and the status (e.g. https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14578.html)?
3. If 2 is no, how can I look up the status of a package that has been released by upstream on CentOS? (e.g. it’s been released upstream, it’s available in CentOS, it’s pending backport for CentOS 7)

3 thoughts on - OpenJDK Vulnerability And Best Way To Find Status Of Package That Remediates Vulnerability For CentOS

  • No, but it’s in the process of being built and distributed. It’s been released in RHEL and I suspect the GRUB2/shim/kernel security issue is taking some priority right now.

    Red Hat (CentOS’s upstream) posts advisories for these sorts of things:

    https://access.redhat.com/errata/RHSA-2020:2969

    This is the security advisory for this package.

    As I mentioned earlier, the Red Hat errata site is a good place to look. You can search for CVEs there too. There’s also a RHSA-Announce mailing list if you’d prefer that they end up in your mailbox:

    https://www.redhat.com/mailman/listinfo/rhsa-announce
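    Added example, not from this thread or from Red Hat/CentOS: once the advisory names the version the fix landed in (11.0.8 here, per the question), the practical check on a CentOS 7 box is to compare the installed `version-release` against it using rpm's own ordering rules, and to see what the enabled repos currently offer. The version compare below is a small reimplementation of rpmvercmp in awk (tilde/caret ordering is left out, an assumed simplification); the live `rpm`/`yum` calls only run when the package is installed, so the script also runs offline. One caveat worth knowing: CentOS 7's base and updates repos ship no `updateinfo` metadata, so `yum updateinfo list cves` is empty there and cannot answer the "is it fixed yet?" question; the advisory's version number is the usable signal.

```shell
#!/bin/sh
# Added example (not from the thread). Decide whether an installed RPM already
# carries an advisory's fix by comparing version-release strings the way rpm
# orders them, then show what the repos offer. Tilde/caret rules are omitted.

# rpm_vercmp A B: prints -1, 0 or 1. Each string is split into maximal digit runs
# and letter runs (other characters only separate); digit runs compare numerically,
# letter runs lexically, and a digit run sorts after a letter run. When all shared
# segments are equal, the string with more segments is the newer one.
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, out,   n, seg) {
        n = 0
        while (length(s) > 0) {
            if (match(s, /^[0-9]+/))         seg = substr(s, 1, RLENGTH)
            else if (match(s, /^[A-Za-z]+/)) seg = substr(s, 1, RLENGTH)
            else { s = substr(s, 2); continue }        # separator: skip it
            out[++n] = seg
            s = substr(s, RLENGTH + 1)
        }
        return n
    }
    BEGIN {
        na = segs(a, A); nb = segs(b, B)
        for (i = 1; i <= na && i <= nb; i++) {
            x = A[i]; y = B[i]
            xn = (x ~ /^[0-9]+$/); yn = (y ~ /^[0-9]+$/)
            if (xn && !yn) { print "1";  exit }         # numeric beats alpha
            if (!xn && yn) { print "-1"; exit }
            if (xn) {
                if (x + 0 < y + 0) { print "-1"; exit }
                if (x + 0 > y + 0) { print "1";  exit }
            } else {
                if (x < y) { print "-1"; exit }
                if (x > y) { print "1";  exit }
            }
        }
        r = (na < nb) ? "-1" : (na > nb ? "1" : "0")
        print r
    }'
}

# has_fix INSTALLED FIXED: "yes" if INSTALLED is at or above FIXED. Both take the
# form [EPOCH:]VERSION[-RELEASE]; the epoch is stripped (same epoch assumed) and the
# release is only compared when FIXED specifies one.
has_fix() {
    iv=${1%%-*}; iv=${iv#*:}; ir=${1#*-}; [ "$ir" = "$1" ] && ir=""
    fv=${2%%-*}; fv=${fv#*:}; fr=${2#*-}; [ "$fr" = "$2" ] && fr=""
    c=$(rpm_vercmp "$iv" "$fv")
    if [ "$c" = 0 ] && [ -n "$fr" ]; then c=$(rpm_vercmp "$ir" "$fr"); fi
    [ "$c" != -1 ] && echo yes || echo no
}

# Live check on a CentOS 7 host (skipped when rpm or the package is absent).
PKG=java-11-openjdk-devel
FIXED="11.0.8"   # version the advisory's fix landed in, as stated in the thread
if command -v rpm >/dev/null 2>&1 && rpm -q "$PKG" >/dev/null 2>&1; then
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$PKG")
    echo "$PKG installed $inst, fix in $FIXED: has fix = $(has_fix "$inst" "$FIXED")"
    # Changelog entries usually cite the CVE or RHSA: a second signal, not proof.
    rpm -q --changelog "$PKG" | grep -m1 -E 'CVE-2020-14578|RHSA-2020:2969' \
        || echo "no mention of the advisory in the changelog"
    # Every version the enabled repos offer right now, so "pending" is visible as
    # the fixed version simply not being listed yet.
    yum -q --showduplicates list available "$PKG" 2>/dev/null
fi
```

    Usage: run it on the container or host; `has_fix "$(rpm -q --qf '%{VERSION}-%{RELEASE}' java-11-openjdk-devel)" 11.0.8` is the one-liner form. With the version the question reports, `has_fix 1:11.0.7.10-4.el7_8 11.0.8` prints `no`, which is the "still vulnerable, update not in the repo yet" state the thread is asking about.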

  • Yeah, I found this page because Harbor even links these. I apparently left out the important piece in this question: “and the status per OS”, e.g. CentOS 7 “pending”, CentOS 8 “released”.
    I’m guessing there’s not a central place?

    This doesn’t show the more critical piece though: “What is the status of the package being released per CentOS?”

    Leon mentioned:
    Which (assuming I’m reading this right) seems like 11.0.8 was released for CentOS 7 15 days ago…?
    c7 = CentOS 7

    But 11.0.8 isn’t in the YUM repo, so that doesn’t seem accurate.

    I’m trying to find out “Ok, it’s been released for CentOS 8, what’s the status of CentOS 7 – is it not vulnerable? Is it deferred? Is it pending?”

    Essentially I want to find out how you know that “No, but it’s in the process of being built and distributed.” – because I can’t tell that based on any info I’ve found so far.