[CentOS] OpenJDK vulnerability and best way to find status of package that remediates vulnerability for CentOS

Fri Jul 31 12:26:11 UTC 2020
Jonathan Billings <billings at negate.org>

On Fri, Jul 31, 2020 at 12:04:52AM +0000, Boushy, Phillip wrote:
> 1. Is there a 11.0.8 update for java-11-openjdk-devel available for
> CentOS 7?

No, but it's in the process of being built and distributed.  It's been
released in RHEL and I suspect the GRUB2/shim/kernel security issue is
taking some priority right now.

> 2. Is there a page like Ubuntu's CVE Tracker site where it shows the
> CVE, the package name, and the status
> (e.g. https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14578.html)

Red Hat (CentOS's upstream) posts advisories for these sorts of things:

https://access.redhat.com/errata/RHSA-2020:2969

This is the security advisory for this package.  

> 3. If 2 is no, how can I look up the status of a package that has
> been released by upstream on CentOS? (e.g. it's been released in
> Upstream, it's available in CentOS, it's pending backport for CentOS
> 7) 

As I mentioned earlier, the Red Hat errata site is a good place to
look.  You can search for CVEs there too.  There's also a
RHSA-Announce mailing list if you'd prefer that they end up in your
mailbox:

https://www.redhat.com/mailman/listinfo/rhsa-announce

-- 
Jonathan Billings <billings at negate.org>