Description of problem:
The rpms in java-1.6.0-openjdk, including those in RHSA-2016-0723, do not have an updated changelog reflecting the CVEs and/or RHSAs being patched. The page
https://rhn.redhat.com/errata/RHSA-2016-0723.html
indicates that the listed packages are security updates for the CVEs listed on that page; however, the rpms, when queried, i.e.
rpm -q $package --changelog | grep -i CVE-2016
do not show any CVE for 2016, let alone any of the CVEs listed on the critical update page (all of the listed CVEs are from 2016).
This omission in the changelog makes it harder to verify package compliance. Please update.
Version-Release number of selected component (if applicable):
How reproducible:
always
Steps to Reproduce:
1. rpm -q java-1.6.0-openjdk-1.6.0.39-1.13.11.0.el6_7.x86_64 --changelog | grep -i CVE
2. Verify that the command above lists no CVE from 2016.
Actual results: no CVE from 2016 is listed.
Expected results: the changelog lists, with date and patch notes, each fixed CVE by ID.
Additional info:
Hello! This is unlikely to change. The spec file changelog contains the ID of the tracking bug, which lists the CVEs, but unluckily this bug is not public.
Also, the openjdk6 packages are 100% based on icedtea6. So any CVE listed in the icedtea6 release notes is fixed in the rpms. If some additional CVE is fixed in the rpms, it is listed in the changelog.
The reason is simple: a huge number of bugs is fixed every time, and keeping them all in the changelog would make it megabytes long. So we are restricted to "updated to icedtea X.Y.Z".
The same people doing icedtea are doing the rpms.
Especially as this is the last CPU for openjdk6, I would like to close this as NOTABUG/CANTFIX/WONTFIX. Sorry for not bringing any happier news...
Comment 4 Andrew John Hughes
2016-10-10 13:38:24 UTC
Information on the changes in each release is provided in the NEWS file e.g. /usr/share/doc/java-1.6.0-openjdk-1.6.0.40/NEWS
We're not going to duplicate that information in the RPM changelog.
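Since the RPM changelog of this package only records "updated to icedtea X.Y.Z" and comment 4 points at the NEWS file instead, the practical compliance check is (a) to compare the installed build against the erratum's fixed build using rpm's own version-comparison rules and (b) to grep the NEWS text, not the changelog, for the advisory's CVE IDs. The script below is an added example written for this page, not code from Red Hat or the IcedTea project. It ports rpm's rpmvercmp() label comparison (without the `^` operator) so it runs offline; the changelog and NEWS texts, the older NVRA and the CVE IDs in it are constructed placeholders and are not the CVEs of RHSA-2016-0723. The only identifier taken from the page is the NVRA quoted in the report's reproducer, used here as the reference fix level.

```python
"""Check an installed RPM against an erratum without trusting the changelog.
Added example for this bug page; samples below are constructed."""
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def _alnum(c: str) -> bool:
    """rpm's risalnum(): ASCII letters and digits only."""
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.
    Segments split at non-alphanumerics; numeric segments compare by value,
    alpha segments lexically, numeric beats alpha, '~' sorts before everything."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _alnum(a[i]) and a[i] != "~":   # skip separators
            i += 1
        while j < len(b) and not _alnum(b[j]) and b[j] != "~":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":            # pre-release marker is oldest
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):                   # one side exhausted
            break
        isnum = ca.isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        sa, sb = ma.group(0), (mb.group(0) if mb else "")
        if not sb:                            # type mismatch: numeric is newer
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):            # more digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = i + ma.end(), j + mb.end()
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1           # whoever has characters left wins


def split_nvra(nvra: str):
    """name-[epoch:]version-release.arch -> (name, epoch, version, release, arch).
    Splits from the right because names like java-1.6.0-openjdk contain '-' and '.'."""
    name, version, rel_arch = nvra.rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, epoch, version, release, arch


def evr_cmp(evr1, evr2) -> int:
    """Compare (epoch, version, release) tuples the way rpm does."""
    for x, y in zip(evr1, evr2):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def is_at_or_past_fix(installed_nvra: str, fixed_nvra: str) -> bool:
    n1, e1, v1, r1, _ = split_nvra(installed_nvra)
    n2, e2, v2, r2, _ = split_nvra(fixed_nvra)
    if n1 != n2:
        raise ValueError(f"different packages: {n1} vs {n2}")
    return evr_cmp((e1, v1, r1), (e2, v2, r2)) >= 0


def cves_in(text: str) -> set:
    return set(CVE_RE.findall(text))


def missing_cves(advisory_cves, text: str) -> list:
    """Advisory CVE IDs not mentioned anywhere in the given text."""
    return sorted(set(advisory_cves) - cves_in(text))


# Constructed samples (not real rpm output or IcedTea NEWS content).
CHANGELOG_SAMPLE = """\
* Mon Jan 04 2016 Example Maintainer <maintainer@example.com> - 1:1.6.0.39-1.13.11.0
- updated to icedtea 1.13.11
"""
NEWS_SAMPLE = """\
New in release 1.13.11:
* Security fixes
  - CVE-2016-1234: placeholder entry (constructed)
  - CVE-2016-5678: placeholder entry (constructed)
"""
ADVISORY_CVES = ["CVE-2016-1234", "CVE-2016-5678", "CVE-2016-9999"]  # constructed
FIXED_NVRA = "java-1.6.0-openjdk-1.6.0.39-1.13.11.0.el6_7.x86_64"     # NVRA from the report
OLD_NVRA = "java-1.6.0-openjdk-1.6.0.38-1.13.10.0.el6_7.x86_64"       # constructed older build

if __name__ == "__main__":
    for nvra in (OLD_NVRA, FIXED_NVRA):
        print(nvra, "at or past fix level:", is_at_or_past_fix(nvra, FIXED_NVRA))
    print("CVEs in changelog:", sorted(cves_in(CHANGELOG_SAMPLE)))
    print("advisory CVEs missing from NEWS:", missing_cves(ADVISORY_CVES, NEWS_SAMPLE))
```

On a real host the inputs would come from `rpm -q --qf '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}.%{ARCH}\n' java-1.6.0-openjdk` (epoch `(none)` mapped to 0) and from the NEWS file under /usr/share/doc/java-1.6.0-openjdk-<version>/, with the fixed NVRA and CVE list taken from the erratum page itself. Note that the version comparison is the authoritative check: a package at or past the erratum's build carries the fix regardless of what its changelog mentions, while a NEWS grep only confirms the upstream release notes name the CVE.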