Re: Oracle January 2025 Critical Patch Update

[Sam James <sam () gentoo org>]

Solar Designer <solar () openwall com> writes:

> On Thu, Jan 23, 2025 at 09:24:14AM -0800, Alan Coopersmith wrote:
> > The open source packages delivered in Oracle Linux & Oracle Solaris are
> > listed separately, but these are downstreams, so I've always thought they'd
> > be off topic here, since we normally only cover upstream issues, and don't
> > publish every distro's notices that they've applied the latest fixes to
> > rsync, openssl, glibc, or whatever upstream was fixed this week.
> >
> > For those who want to see such downstream notices, you can find them at:
> >
> > Oracle Linux:
> >    https://linux.oracle.com/security/
> >    https://oss.oracle.com/mailman/listinfo/el-errata
> >    https://www.oracle.com/security-alerts/#OLBulletin
> >
> > Oracle Solaris:
> >    https://www.oracle.com/security-alerts/#SolarisThirdPartyBulletin
>
> You're correct, these would generally be off-topic here.
>
> So in this thread I am not talking about Oracle's OS distros, but about
> Oracle's upstream Open Source projects.  Looking at the Critical Patch
> Update, I don't know which projects fit such criteria.  Like I wrote, I
> think it's MySQL and VirtualBox, but probably not only these two.
> Perhaps also Java?  I'm not familiar with most of Oracle's products and
> their licensing.
>
> Also, in some cases we make exceptions for projects closely related to
> or enabling Open Source ones e.g. as in the recent AMD microcode thread.

An issue we've observed is it can be hard to map to open-source projects
for Java/OpenJDK at least.

For example, CVE-2025-21502 appears under "Oracle Java SE Risk Matrix",
but determining if OpenJDK was affected (and what the actual details,
inc. patch) were involved googling it and happening upon
https://access.redhat.com/errata/RHSA-2025:0421.

Is there another source of this information anyone is aware of? Thanks.

(Ideally one published by Oracle rather than something others then
collate otherwise.)