Solar Designer <so...@openwall.com> writes:
> On Thu, Jan 23, 2025 at 09:24:14AM -0800, Alan Coopersmith wrote:
>> The open source packages delivered in Oracle Linux & Oracle Solaris are
>> listed separately, but these are downstreams, so I've always thought they'd
>> be off topic here, since we normally only cover upstream issues, and don't
>> publish every distro's notices that they've applied the latest fixes to
>> rsync, openssl, glibc, or whatever upstream was fixed this week.
>>
>> For those who want to see such downstream notices, you can find them at:
>>
>> Oracle Linux:
>> https://linux.oracle.com/security/
>> https://oss.oracle.com/mailman/listinfo/el-errata
>> https://www.oracle.com/security-alerts/#OLBulletin
>>
>> Oracle Solaris:
>> https://www.oracle.com/security-alerts/#SolarisThirdPartyBulletin
>
> You're correct, these would generally be off-topic here.
>
> So in this thread I am not talking about Oracle's OS distros, but about
> Oracle's upstream Open Source projects. Looking at the Critical Patch
> Update, I don't know which projects fit such criteria. Like I wrote, I
> think it's MySQL and VirtualBox, but probably not only these two.
> Perhaps also Java? I'm not familiar with most of Oracle's products and
> their licensing.
>
> Also, in some cases we make exceptions for projects closely related to
> or enabling Open Source ones e.g. as in the recent AMD microcode thread.
An issue we've observed is it can be hard to map to open-source projects for Java/OpenJDK at least. For example, CVE-2025-21502 appears under "Oracle Java SE Risk Matrix", but determining if OpenJDK was affected (and what the actual details, inc. patch, were) involved googling it and happening upon https://access.redhat.com/errata/RHSA-2025:0421. Is there another source of this information anyone is aware of? Thanks. (Ideally one published by Oracle rather than something others then collate otherwise.)