Hi Solar,
As a maintainer of Linux From Scratch and the person in charge of
security there, I monitor this list as well as a few others. Every
quarter we also check the Oracle Critical Product Update pages for
vulnerabilities pertaining to MySQL and Java SE (which also impact
OpenJDK).
I'd l
On Thu, Jan 23, 2025 at 09:24:14AM -0800, Alan Coopersmith wrote:
> The open source packages delivered in Oracle Linux & Oracle Solaris are
> listed separately, but these are downstreams, so I've always thought they'd
> be off topic here, since we normally only cover upstream issues, and don't
> pu
Bruce,
Thank you very much for your reply. My reading of it is that Oracle is
already doing a lot (publication in 3 formats) and isn't willing to do
more (also separately send info pertaining to Oracle's Open Source
projects to oss-security). Is that correct?
If so, maybe someone external shoul
A little comment on the inside helps. Glad to do so.
On Thu, Jan 23, 2025 at 7:57 AM Matthias Gerstner wrote:
> Hi list,
>
> thank you all for your input so far.
>
> It seems this thread somehow reached Mitre and my stuck CVE request got
> a CVE assignment by now. The reply also contains some
On 1/22/25 18:42, Solar Designer wrote:
> Hi,
> Once in a while, Oracle publishes what they call Critical Patch Update
Once a quarter, per the schedule published on:
https://www.oracle.com/security-alerts/#CriticalPatchUpdates
> documents, which list many vulnerabilities addressed across many Orac
Olle, Solar Designer, oss-security list:
I am responsible for the content and publication of Oracle Critical
Patch Updates. These are published quarterly in three formats: Tabular
format HTML "AKA risk matrix", English Language HTML format and Oasis
Standard CSAF format via references at Ora
> On 23 Jan 2025, at 02:42, Solar Designer wrote:
>
> Hi,
>
> Once in a while, Oracle publishes what they call Critical Patch Update
> documents, which list many vulnerabilities addressed across many Oracle
> products, some of them Open Source and some not. This is great, but it
> would be ev
Hi list,
thank you all for your input so far.
It seems this thread somehow reached Mitre and my stuck CVE request got
a CVE assignment by now. The reply also contains some additional
information which I believe will be interesting to share in this thread
as well:
> On Thu, Jan 23, 2025 at 01:14:
Hi all,
On Wed, Jan 22, 2025 at 01:41:36PM +, Qualys Security Advisory wrote:
> Today (January 22, 2025) a Bugzilla entry and a patch proposal for this
> vulnerability have been published:
The final patch has already been committed and backported, all the links
are available in Bugzilla:
h