[CentOS] OpenJDK vulnerability and best way to find status of package that remediates vulnerability for CentOS

Fri Jul 31 17:45:42 UTC 2020
Boushy, Phillip <phillip.boushy at intel.com>

>> 2. Is there a page like Ubuntu's CVE Tracker site where it shows the
>> CVE, the package name, and the status
> Red Hat (CentOS's upstream) posts advisories for these sorts of things:
> https://access.redhat.com/errata/RHSA-2020:2969
> This is the security advisory for this package.

Yeah, I found this page because Harbor even links these. I apparently left out the important piece in this question: "and the status per OS" - e.g. CentOS 7 "pending", CentOS 8 "released".
I'm guessing there's not a central place?

>> 3. If 2 is no, How can I look up the status of a package that has
>> been released by upstream on CentOS? (e.g. it's been released in
>> Upstream, it's available in CentOS, it's pending backport for CentOS 7)

> As I mentioned earlier, the Red Hat errata site is a good place to
> look.  You can search for CVEs there too.

This doesn't show the more critical piece though: "What is the status of the package being released per CentOS?"

Leon mentioned:
> https://git.centos.org/rpms/java-11-openjdk/releases
Which (assuming I'm reading this right) seems like 11.0.8 was released for CentOS 7 15 days ago...?
c7 = CentOS 7

But 11.0.8 isn't in the YUM repo, so that doesn't seem accurate.

I'm trying to find out "OK, it's been released for CentOS 8, what's the status of CentOS 7 - is it not vulnerable? Is it deferred? Is it pending?"

Essentially I want to find out how you know that "No, but it's in the process of being built and distributed." - because I can't tell that based on any info I've found so far.
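The one check in this thread that can actually be automated is the last one the poster makes: "is the fixed build in the YUM repo yet?" The script below is an added example, not code from the thread or from the CentOS project. It parses the output of `yum list --showduplicates java-11-openjdk` (a real yum command; the two listings embedded here are constructed sample output, not captured from a mirror), compares every advertised EVR against the minimum fixed EVR with a port of rpm's own `rpmvercmp` ordering (tilde, caret, numeric-beats-alpha, leading-zero stripping), and reports one of the statuses the poster wanted: `installed`, `released` or `pending`. `FIXED_EVR` is an assumed placeholder in the form the errata lists; the real value must be copied from the RHSA for the package and OS version you are checking. Note that the epoch must be included: `1:11.0.7.10` sorts above `0:11.0.8.10` under RPM rules, so a fixed version given without its epoch will be compared wrongly.

```python
import re

# ASSUMED minimum fixed EVR for CentOS 7; take the real value from the RHSA, epoch included.
FIXED_EVR = "1:11.0.8.10-0.el7_8"

# Constructed sample of `yum list --showduplicates java-11-openjdk` on a host where
# the fixed build has not reached the mirror yet.
SAMPLE_PENDING = """\
Loaded plugins: fastestmirror
Installed Packages
java-11-openjdk.x86_64      1:11.0.7.10-4.el7_8      @updates
Available Packages
java-11-openjdk.x86_64      1:11.0.6.10-1.el7_7      base
java-11-openjdk.x86_64      1:11.0.7.10-4.el7_8      updates
"""
# Same host after the fixed build lands in the updates repo (also constructed).
SAMPLE_RELEASED = SAMPLE_PENDING + "java-11-openjdk.x86_64      1:11.0.8.10-0.el7_8      updates\n"


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1, with the same segment rules as the C code."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators are anything that is not alphanumeric, '~' or '^'.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde sorts before everything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: like tilde, but end of string sorts before it
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:                      # segment types differ: numeric beats alphabetic
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):          # longer numeric string is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = i + len(ma.group(0)), j + len(mb.group(0))
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' into its three parts; a missing epoch is 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release (skipped if either is absent)."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return rpmvercmp(ea, eb) or rpmvercmp(va, vb) or (rpmvercmp(ra, rb) if ra and rb else 0)


def parse_yum_list(text: str):
    """Yield (section, name.arch, evr, repo) for each package line of `yum list` output."""
    section = None
    for line in text.splitlines():
        if line.endswith("Packages"):            # 'Installed Packages' / 'Available Packages'
            section = line.split()[0].lower()
            continue
        f = line.split()
        if section and len(f) == 3 and "." in f[0] and f[1][0].isdigit():
            yield section, f[0], f[1], f[2]


def remediation_status(listing: str, package: str, fixed_evr: str) -> str:
    """'installed' if a fixed build is installed, 'released' if one is in a repo, else 'pending'."""
    rows = [r for r in parse_yum_list(listing) if r[1].rsplit(".", 1)[0] == package]
    fixed = [r for r in rows if evrcmp(r[2], fixed_evr) >= 0]
    if any(r[0] == "installed" for r in fixed):
        return "installed"
    return "released" if fixed else "pending"


if __name__ == "__main__":
    import sys
    # Pipe real output in: yum list --showduplicates java-11-openjdk | python3 check.py
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PENDING
    print(remediation_status(listing, "java-11-openjdk", FIXED_EVR))
```

Run against the constructed samples it prints `pending` for the first listing and `released` for the second; with real yum output piped in, it answers the per-host question without guessing from git.centos.org tags, which (as the thread notes) can be ahead of what the mirrors actually serve.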