Description of problem: The rpms in java-1.6.0-openjdk, including those in RHSA-2016-0723, do not have an updated changelog reflecting the CVEs and/or RHSAs being patched. The page https://rhn.redhat.com/errata/RHSA-2016-0723.html indicates that the listed packages are security updates for the CVEs listed on the page; however, the rpms, when queried, i.e. rpm -q $package --changelog | grep -i CVE-2016, do not show any CVE for 2016, not to mention any of the CVEs listed on the critical update page (all of the listed CVEs are from 2016). This missing note in the changelog makes it harder to verify package compliance. Please update.

Version-Release number of selected component (if applicable):

How reproducible: always

Steps to Reproduce:
1. rpm -q java-1.6.0-openjdk-1.6.0.39-1.13.11.0.el6_7.x86_64 --changelog | grep -i CVE
2. verify the command above does not list any CVE from 2016

Actual results: has no listed CVE from 2016

Expected results: has a list within the changelog of the date and patch notes for each CVE, with ID

Additional info:
Hello! This is unlikely to change. The spec file changelog contains the ID of the tracking bug, which lists the CVEs, but unluckily this bug is not public. Also, the openjdk6 packages are 100% based on icedtea6. So any CVE listed in the icedtea6 release notes is fixed in the rpms. If some additional CVE is fixed in the rpms, it is listed in the changelog. The reason is simple - it is a huge amount of bugs fixed every time, and keeping them all in the changelog would make it megabytes long. So we are restricted to "updated to icedtea X.Y.Z". The same people doing icedtea are doing the rpms. Especially as this is the last CPU for openjdk6, I would like to close notBug/cantFix/wontFix. Sorry for not bringing any happier news...
Information on the changes in each release is provided in the NEWS file e.g. /usr/share/doc/java-1.6.0-openjdk-1.6.0.40/NEWS We're not going to duplicate that information in the RPM changelog.
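The thread above leaves the verifier with two text sources to reconcile: the RPM changelog, which only names the icedtea version and a tracking bug, and the NEWS file under /usr/share/doc, which carries the CVE IDs. The script below is an added example, not part of the bug report or of the Red Hat packaging; it extracts CVE identifiers from any text on stdin, so on a real host it can be fed by `rpm -q "$pkg" --changelog` and by the NEWS file, and reports which advisory CVEs are referenced in neither. All CVE IDs, the maintainer address and the tracking bug number in the demo data are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report or the openjdk package sources).
# Check that every CVE from an advisory is referenced in at least one of the
# text sources that record fixes: the RPM changelog and the upstream NEWS file.
# On a real system the inputs come from:
#   rpm -q "$pkg" --changelog | extract_cves
#   extract_cves < /usr/share/doc/java-1.6.0-openjdk-<version>/NEWS
# Every CVE ID below is a constructed placeholder, not a real advisory entry.

# Print the unique, sorted CVE identifiers found on stdin.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# missing_cves "CVE-A CVE-B ..." < text
# Print each expected ID that does not occur anywhere in the text on stdin.
missing_cves() {
    found=$(extract_cves)
    for cve in $1; do
        printf '%s\n' "$found" | grep -qx "$cve" || printf '%s\n' "$cve"
    done
}

# coverage_report "CVE-A CVE-B ..." FILE...
# Combine all FILEs (changelog dump, NEWS, ...) and list uncovered IDs.
# Returns 1 if any advisory CVE is referenced in none of the files.
coverage_report() {
    expected=$1; shift
    uncovered=$(cat "$@" | missing_cves "$expected")
    if [ -n "$uncovered" ]; then
        printf 'not referenced in any source:\n%s\n' "$uncovered"
        return 1
    fi
    printf 'all advisory CVEs are referenced\n'
}

# --- constructed demo data, mirroring the situation in the thread -----------
tmp=$(mktemp -d)
cat > "$tmp/changelog" <<'EOF'
* Wed Apr 20 2016 Example Maintainer <maintainer@example.invalid> - 1:1.6.0.39-1.13.11.0
- updated to icedtea 1.13.11
- Resolves: rhbz#0000000 (placeholder tracking bug, not public)
EOF
cat > "$tmp/NEWS" <<'EOF'
New in release 1.13.11 (2016-04-20):
* Security fixes
  - CVE-2016-0001 (placeholder): constructed entry
  - CVE-2016-0002 (placeholder): constructed entry
EOF
advisory='CVE-2016-0001 CVE-2016-0002 CVE-2016-0003'   # constructed advisory list

printf 'CVEs in changelog alone: '; extract_cves < "$tmp/changelog" | wc -l
printf 'CVEs in NEWS alone:      '; extract_cves < "$tmp/NEWS" | wc -l
# Only the combined sources give a verdict; CVE-2016-0003 is flagged as uncovered.
coverage_report "$advisory" "$tmp/changelog" "$tmp/NEWS" || true
rm -rf "$tmp"
```

The point of running the check over both sources at once is that the changelog alone yields zero hits (exactly what the reporter saw), while the NEWS file carries the IDs the maintainers point to; an ID missing from both is the case that deserves a follow-up with the vendor rather than an assumption that it was silently fixed.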