Bug 1382160

Summary: RHSA-2016:0723: java-1.6.0-openjdk security update does not contain patch information
Product: Red Hat Enterprise Linux 6
Reporter: Brian Urrutia <brian.urrutia>
Component: java-1.6.0-openjdk
Assignee: Deepak Bhole <dbhole>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: low
Docs Contact:
Priority: unspecified
Version: 6.9
CC: ahughes, jvanek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-10 13:38:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Brian Urrutia 2016-10-05 22:05:47 UTC
Description of problem:
The RPMs in java-1.6.0-openjdk, including those in RHSA-2016-0723, do not have an updated changelog reflecting the CVEs and/or RHSAs being patched. The page

https://rhn.redhat.com/errata/RHSA-2016-0723.html

indicates that the listed packages are security updates for the CVEs listed on the page; however, when the RPMs are queried, i.e.

rpm -q $package --changelog | grep -i CVE-2016

they do not show any CVE for 2016, let alone any of the CVEs listed on the critical update page (all of the listed CVEs are from 2016).

This missing note in the changelog makes it harder to verify package compliance. Please update.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. rpm -q java-1.6.0-openjdk-1.6.0.39-1.13.11.0.el6_7.x86_64 --changelog | grep -i CVE

2. Verify that the command above does not list any CVE from 2016.

Actual results: no CVE from 2016 is listed.


Expected results: the changelog lists the date and patch notes for each CVE by ID.


Additional info:

Comment 2 jiri vanek 2016-10-06 05:42:23 UTC
Hello! This is unlikely to change. The spec file changelog contains the ID of the tracking bug, which lists the CVEs, but unluckily this bug is not public.

Also, the openjdk6 packages are 100% based on icedtea6. So any CVE listed in the release notes of icedtea6 is fixed in the rpms. If some additional CVE is fixed in the rpms, it is listed in the changelog.

The reason is simple - a huge number of bugs is fixed every time, and keeping them all in the changelog would make it megabytes long. So we are restricted to "updated to icedtea X.Y.Z".

The same people doing icedtea are doing the rpms.

Especially as this is the last CPU for openjdk6, I would like to close this as notBug/cantFix/wontFix. Sorry for not bringing any happier news...

Comment 4 Andrew John Hughes 2016-10-10 13:38:24 UTC
Information on the changes in each release is provided in the NEWS file e.g. /usr/share/doc/java-1.6.0-openjdk-1.6.0.40/NEWS

We're not going to duplicate that information in the RPM changelog.
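A small checker, added here as an example and not taken from the report or from the openjdk packagers, that automates the two lookups discussed above: the reporter's changelog query first, then the NEWS file that comment 4 points to. It assumes rpm(8) is installed and that the package ships its NEWS file uncompressed; the CVE identifier in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the bug report: check whether an installed RPM
# documents a CVE, first in the RPM changelog the reporter queried, then in the
# NEWS file shipped under /usr/share/doc (comment 4). Assumes rpm(8) is present.

# Search a text file for one exact CVE identifier, case-insensitively and
# word-bounded, so that CVE-2016-1234 (constructed sample) does not also match
# CVE-2016-12345. Returns 0 when the identifier is present, 1 otherwise.
cve_in_file() {
    grep -iqE "(^|[^[:alnum:]])$2([^[:digit:]]|$)" "$1"
}

# Print the path of the first uncompressed NEWS file owned by the package, if any.
news_file_of() {
    rpm -ql "$1" 2>/dev/null | grep -E '/NEWS$' | head -n 1
}

# Report where the installed package documents the CVE.
# Exit status: 0 found, 1 not documented, 2 package not installed or setup error.
check_cve() {
    pkg=$1
    cve=$2
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg: not installed" >&2
        return 2
    fi
    tmp=$(mktemp) || return 2
    rpm -q --changelog "$pkg" > "$tmp" 2>/dev/null
    if cve_in_file "$tmp" "$cve"; then
        rm -f "$tmp"
        echo "$cve: listed in the RPM changelog of $pkg"
        return 0
    fi
    rm -f "$tmp"
    news=$(news_file_of "$pkg")
    if [ -n "$news" ] && cve_in_file "$news" "$cve"; then
        echo "$cve: listed in $news"
        return 0
    fi
    echo "$cve: not documented in the changelog or NEWS file of $pkg"
    return 1
}

# Usage: ./check_cve.sh <package> <CVE-ID>
if [ "$#" -eq 2 ]; then
    check_cve "$1" "$2"
fi
```

Run it as, for example, ./check_cve.sh java-1.6.0-openjdk CVE-YYYY-NNNN; a changelog entry that only reads "updated to icedtea X.Y.Z" will fall through to the NEWS lookup.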