Vulnerability of the non LTS JDK releases

Chen Liang chen.l.liang at oracle.com
Mon Aug 26 15:24:38 UTC 2024


Hello Lovro,
To clarify Alan's remarks, there's a dedicated jdk-updates-dev list and a jdk-updates project responsible for any released JDK; for example, if 23 is released, the subsequent releases of 23.0.1, 23.0.2, etc. are their responsibility. A request for backporting critical security fixes to one release before the latest should be raised to the jdk-updates project, which is usually constituted of "the companies and organizations that make supported JDK releases available."

For the frequency of security fixes: there's a https://openjdk.org/groups/vulnerability/ vulnerability group that releases security fixes every quarter (see https://mail.openjdk.org/pipermail/vuln-announce/), usually in Jan, Apr, Jul, and Oct. Do you wish for the Apr and Oct vulnerability fixes to be incorporated into the last release before the latest (released just one month prior)? You can raise this request on the jdk-updates-dev list there.

I have heard that backporting even security fixes would be a heavy maintenance cost; so, the updates group might reject your request for one year of security fixes, as new releases roll out every half a year. But a security fix for the one version before the latest released version makes sense to me, especially when the new version has been released for just one month. Ultimately, it is up to the jdk-updates project's discretion, so go ask them.

Regards,
Chen Liang
________________________________
From: jdk-dev <jdk-dev-retn at openjdk.org> on behalf of Alan Bateman <alan.bateman at oracle.com>
Sent: Monday, August 26, 2024 2:23 AM
To: Lovro Pandžić <Lovro.Pandzic at infobip.com>; jdk-dev at openjdk.org <jdk-dev at openjdk.org>
Subject: Re: Vulnerability of the non LTS JDK releases

On 26/08/2024 06:38, Lovro Pandžić wrote:

Hello all,

Not sure if this is the right address to talk about this issue so feel free to redirect me to another if it’s more appropriate.

Your question isn't unreasonable but it's not really a question for the OpenJDK project, instead it's a question for the companies and organizations that make supported JDK releases available.

Projects that want to follow the train in its tracks and be on the latest, usually non-LTS, version and that use any non-trivial kind of dependency (Spring, Sonar, …) must accept the fact that there will be periods of time (usually a month or two) where they'll be forced to stay on an unsupported non-LTS version until all of their dependencies add support for the latest JDK version so they can upgrade as well.

Just a reminder that there are Early Access (EA) builds published weekly, so these projects don't need to wait until the GA to test. Ongoing testing with EA builds helps find issues earlier and allows these projects to align their releases with the JDK releases.

-Alan