How are critical security updates implemented in openjdk vs oracle jdk?

[Alexander]

Hi Ken,

 Looks like my original message didn't go through because of the HTML
format, so I'm repeating it in a plain text form:

You might want to take a look into the Timelines section of JDK 17u
page (https://wiki.openjdk.java.net/display/JDKUpdates/JDK+17u):

Timelines

OpenJDK 17.0.3

Friday, December 17 2021: jdk17u-dev repo open (no tag this time!)
Tuesday, February 8 2022: First merge from jdk17u-dev to jdk17u (tag:
17.0.3+1) (Delayed according to original plan to align with 11.0.15.)
Tuesday, March 1 30 2022: Rampdown; last merge from jdk17u-dev to jdk17u
Tuesday, March 29 2022: Last tag before code freeze
Tuesday, April 19 2022 GA; OpenJDK 17.0.3 released (tag: jdk-17.0.3-ga)

 OpenJDK 17.0.4

Wednesday, March 2 2022: jdk17u-dev repo open (tag: 17.0.4+0)
Tuesday, Mai 3 2022: First merge from jdk17u-dev to jdk17u (tag: 17.0.4+1)
Tuesday, Mai 31 2022: Rampdown; last merge from jdk17u-dev to jdk17u
Tuesday, June 28 2022: Last tag before code freeze
Tuesday, July 19 2022 GA; OpenJDK 17.0.4 released (tag: jdk-17.0.4-ga)

 OpenJDK 17.0.5
Wednesday, June 1 2022: jdk17u-dev repo open (tag: 17.0.5+0)

17.0.3 binaries are already available
(https://adoptium.net/temurin/archive/) and, if I got this right
(https://github.com/openjdk/jdk17u/commit/2d4103a3d929e05edca98e7703e0869077966be7),
it does contain the fix you are looking for.

Regards,

Alexander Kiselyov.


чт, 21 апр. 2022 г. в 19:41, ken edward <kedward777 at gmail.com>:
>
> Hello,
>
> Can someone tell me how Critical security updates are implemented in open
> jdk vs oracle?
>
> For the recent CVE-2022-21449 I see oracle jdk 17.0.3 has been published to
> address CVE, but open jdk is still on 17.0.2.  How long until open jdk
> update typically?
>
> Ken