- Is there a page like Ubuntu's CVE Tracker site where it shows the
CVE, the package name, and the status?
Red Hat (CentOS's upstream) posts advisories for these sorts of things:
https://access.redhat.com/errata/RHSA-2020:2969
This is the security advisory for this package.
Yeah, I found this page 'cause Harbor even links these. I apparently left out the important piece in this question: "and the status per OS", e.g. CentOS 7 "pending", CentOS 8 "released". I'm guessing there's not a central place?
- If 2 is no, how can I look up the status of a package that has
been released by upstream on CentOS? (e.g. it's been released in Upstream, it's available in CentOS, it's pending backport for CentOS 7)
As I mentioned earlier, the Red Hat errata site is a good place to look. You can search for CVEs there too.
This doesn't show the more critical piece though: "What is the status of the package being released per CentOS?"
Leon mentioned:
Which (assuming I'm reading this right) seems like 11.0.8 was released for CentOS 7 15 days ago...? c7 = CentOS 7
But 11.0.8 isn't in the YUM repo, so that doesn't seem accurate.
I'm trying to find out "Ok, it's been released for CentOS 8, what's the status of CentOS 7 - is it not vulnerable? Is it deferred? Is it pending?"
Essentially I want to find out how you know that "No, but it's in the process of being built and distributed." 'Cause I can't tell that based on any info I've found so far.