oss-sec mailing list archives
Re: CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars
From: Ritwik Ghoshal <ritwik.ghoshal () oracle com>
Date: Mon, 09 Feb 2015 12:48:01 -0800
Hi Kurt, This issue was addressed in Java 7U51 as a security-in-depth fix because of CVSS 0 score. Oracle doesn't assign CVEs to CVSS 0 issues. Please note: the correct email address to contact Oracle Security Alert team is secalert_us () oracle com. Thanks, -Ritwik On 2/8/2015 2:37 PM, Kurt Seifried wrote:
CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars https://bugzilla.redhat.com/show_bug.cgi?id=1031471 Fixed upstream in OpenJDK: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d5f36e1c927e Also reportedly fixed in Oracle Java in CPU Jan 2014 http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html But I don't see the CVE. Oracle can you confirm if this was fixed, and which CVE it was given? Thanks.
Current thread:
- CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars Kurt Seifried (Feb 08)
- Re: CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars Ritwik Ghoshal (Feb 09)