Downporting JDK-8313765 to jdk11u and jdk17u and respinning 11.0.20 and 17.0.8
Severin Gehwolf
sgehwolf at redhat.com
Thu Aug 17 09:34:25 UTC 2023
Hi,
On Wed, 2023-08-16 at 22:33 -0700, Volker Simonis wrote:
> Hi,
>
> We would like to downport JDK-8313765 [1] to jdk11u-dev and jdk17u-
> dev and propose to release new versions of 11.0.20 and 17.0.8.
>
> JDK-8313765 [1] is a fix for a regression in the processing of zip
> files containing extended ZIP64 entries that was introduced by JDK-
> 8302483 in the July security update.
That bug introduced the jdk.util.zip.disableZip64ExtraFieldValidation
property so as to have a way to disable the new extra validation. That
seems like a work-around to me. Is that not working?
I'll also note that CVE-2023-22036 (8302483) has a score of 3.7 (low)
if that is being turned off.
> This regression affects a significant number of our internal as well
> as external customers (you can find more details in the JBS issue [1]
> and the original PR [2]).
>
> We think that the blast radius of the regression justifies a re-spin
> of 11.0.20 and 17.0.8 and we are planning to do this for Amazon
> Corretto. We would however appreciate if we could agree on this
> downport among all maintainers and come up with a synchronized up-
> stream fix and versioning. We've published corresponding PRs for
> jdk11u-dev [3] and jdk17u-dev [4].
While I agree that it makes sense to fix this in the next JDK 17
(17.0.9) and 11 (11.0.21) releases, I'm not sure this warrants an
upstream respin (provided the work-around does what it's supposed to).
Thanks,
Severin
>
> [1] https://bugs.openjdk.org/browse/JDK-8313765
> [2] https://github.com/openjdk/jdk/pull/15273
> [3] https://github.com/openjdk/jdk11u-dev/pull/2084
> [4] https://github.com/openjdk/jdk17u-dev/pull/1670
More information about the jdk-updates-dev
mailing list