cannot see evidence of security fixes after upgrade of openjdk package
I want to see CVE listed as fixes or backports after i upgraded java-1.6-openjdk but i am only seeing some few ones and quite old.
i have upgraded my openjdk to the latest package and used the command rpm -q java-1-6-openjdk --changelog | grep CVE to check whether the fix is included in the updated version.
Or is there any other way to check ? I need to give evidence to my security team as part of remediation of vulnerabilities.
Responses
I would suggest asking your security team to identify which CVE need to be addressed, then provide Red Hat documentation on the resolution. For example RHSA-2016:0067-1, which lists several CVE addressed from this year and specifies which version of OpenJDK-1.6 from Red Hat has addressed the fix for the listed issues.
You can also search Red Hat for a particular CVE, which will then provide details on the relevant Red Hat Security Advisories for that CVE such as CVE-2016-0402.
I don't think you can rely on the RPM changelog always fully reflecting all changes and why wacg change was implemented.
A similar post from a couple of years ago patching, changelog and CVE numbers.
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.
