Downporting JDK-8313765 to jdk11u and jdk17u and respinning 11.0.20 and 17.0.8
Andrew Hughes
gnu.andrew at redhat.com
Thu Aug 17 17:31:07 UTC 2023
On 22:33 Wed 16 Aug, Volker Simonis wrote:
> Hi,
>
> We would like to downport JDK-8313765 [1] to jdk11u-dev and jdk17u-dev and
> propose to release new versions of 11.0.20 and 17.0.8.
>
> JDK-8313765 [1] is a fix for a regression in the processing of zip files
> containing extended ZIP64 entries that was introduced by JDK-8302483 in the
> July security update. This regression affects a significant number of our
> internal as well as external customers (you can find more details in the
> JBS issue [1] and the original PR [2]).
>
> We think that the blast radius of the regression justifies a re-spin of
> 11.0.20 and 17.0.8 and we are planning to do this for Amazon Corretto. We
> would however appreciate if we could agree on this downport among all
> maintainers and come up with a synchronized up-stream fix and versioning.
> We've published corresponding PRs for jdk11u-dev [3] and jdk17u-dev [4].
>
> Best regards,
> Volker
>
> [1] https://bugs.openjdk.org/browse/JDK-8313765
> [2] https://github.com/openjdk/jdk/pull/15273
> [3] https://github.com/openjdk/jdk11u-dev/pull/2084
> [4] https://github.com/openjdk/jdk17u-dev/pull/1670
Yes, I've been tracking this since it was discussed in the vulnerability
group. I agree it is preferable to have a fix rather than resorting to
turning off a CVE fix.

My main worry is not about backporting the fix, but about whether we can
squeeze in a respin. I'm glad to see the proposed fix has finally been
posted publicly, reviewed and integrated as of yesterday. It seems
to have taken a long time to get to that stage from the original VG
discussion.

When we've done interim releases in the past, they have been within a
few weeks of the original release. With this release, we are already
at the point where we enter rampdown for the next release in < 2
weeks.

I think we can still manage an interim release this time, but it
needs to happen within the next week, before people start to focus
on testing and adding security fixes to the October update.

I'll go and review the 11u & 17u backports now. Note that there
are currently GHA failures with both, one down to the GCC versioning
we removed in 8u with https://bugs.openjdk.org/browse/JDK-8284772.
Best regards,
--
Andrew :)
Pronouns: he / him or they / them
Principal Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
Please contact via e-mail, not proprietary chat networks
Available on Libera Chat & OFTC IRC networks as gnu_andrew