Date: Sat, 20 Jul 2013 13:36:47 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Security Explorations <contact@...urity-explorations.com>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] [SE-2012-01] New Reflection API affected by a known 10+ years old attack

On Thu, Jul 18, 2013 at 12:50 AM, Security Explorations <contact@...urity-explorations.com> wrote:
>
> Hello All,
>
> We discovered yet another indication that the new Reflection API introduced
> into Java SE 7 was not subject to a thorough security review (if any).

I'm kind of surprised some of these bugs exist for so long. Allowing them to fester and rot can't be good (I have not been able to come up with a use case where it is desired or preferred).

Does anyone know anything about Oracle's engineering process? What is Oracle doing to ensure issues are tracked and remediated in reasonable time? What does the process include for code scanning to catch low hanging fruit? Are they using FindBugs or Coverity (I checked scan.coverity.com, and I did not see Oracle Java or OpenJDK listed, so I wonder if they are doing it internally)? What is the QA process doing to ensure items with negative impact are not allowed to pass?

Jeff