It seems I wasn't informed that the report had been created; at least
I cannot find the confirmation mail for it. Note that I had specified
a different private contact e-mail address.
It's because the bug isn't public.
... but I am the reporter!? It could of course be that there was an
attempt to inform me but it did not reach me for whatever reason (please
don't mention the e-mail address, I used for reporting, here on this
mailing list though).
That is unfortunately exactly what I had been criticizing in
https://mail.openjdk.org/pipermail/web-discuss/2022-January/000593.html;
as external reporter it can be extremely intransparent what happens to a
report.
Yes, the bug is marked confidential.
I don't really understand that. Unless I accidentally leaked private
information in the report, I think it contains exactly the information I
wrote in the original e-mail of this thread. And this is not secret
information, it is basically what had been mentioned in the JDK 9
release notes originally. It is rather weird to withhold this
information from users, especially since malicious actors are long aware
of the security issues see for example
https://www.alibabacloud.com/blog/analysis-of-jdwpminer-mining-trojan-remote-debugging-with-java-causes-hidden-risks_598002
or just search for "jdwp exploit" or similar.
(Aleksei Ivanov I have included you as direct recipient of this mail;
but this mail might still be awaiting approval on serviceability-dev@,
so in case you respond before that it might be confusing for others.)
