Downporting JDK-8313765 to jdk11u and jdk17u and respinning 11.0.20 and 17.0.8
Volker Simonis
volker.simonis at gmail.com
Thu Aug 17 18:21:00 UTC 2023
On Thu, Aug 17, 2023 at 10:31 AM Andrew Hughes <gnu.andrew at redhat.com> wrote:
>
> On 22:33 Wed 16 Aug , Volker Simonis wrote:
> > Hi,
> >
> > We would like to downport JDK-8313765 [1] to jdk11u-dev and jdk17u-dev and
> > propose to release new versions of 11.0.20 and 17.0.8.
> >
> > JDK-8313765 [1] is a fix for a regression in the processing of zip files
> > containing extended ZIP64 entries that was introduced by JDK-8302483 in the
> > July security update. This regression affects a significant number of our
> > internal as well as external customers (you can find more details in the
> > JBS issue [1] and the original PR [2]).
> >
> > We think that the blast radius of the regression justifies a re-spin of
> > 11.0.20 and 17.0.8 and we are planning to do this for Amazon Corretto. We
> > would however appreciate if we could agree on this downport among all
> > maintainers and come up with a synchronized up-stream fix and versioning.
> > We've published corresponding PRs for jdk11u-dev [3] and jdk17u-dev [4].
> >
> > Best regards,
> > Volker
> >
> > [1] https://bugs.openjdk.org/browse/JDK-8313765
> > [2] https://github.com/openjdk/jdk/pull/15273
> > [3] https://github.com/openjdk/jdk11u-dev/pull/2084
> > [4] https://github.com/openjdk/jdk17u-dev/pull/1670
>
> Yes, I've been tracking this since it was discussed in the vulnerability
> group. I agree it is preferable to have a fix rather than resorting to
> turning off a CVE fix.
>
> My main worry is not about backporting the fix, but in whether we can
> squeeze in a respin. I'm glad to see the proposed fix has finally been
> posted publicly, reviewed and integrated as of yesterday. It seems
> to have taken a long time to get to that stage from the original VG
> discussion.
>
> When we've done interim releases in the past, they have been within a
> few weeks of the original release. With this release, we are already
> at the point where we enter rampdown for the next release in < 2
> weeks.
>
> I think we can still manage an interim release this time, but it
> needs to happen within the next week, before people start to focus
> on testing and adding security fixes to the October update.
>
Thanks Andrew, I agree. I think because the 11u and 17u repos already
contain changes for the October release, we will have to cherry-pick
the downports from 11u-dev and 17u-dev and apply them in a new branch
right on top of the 11.0.20/17.0.8 GA changes (and not the current
HEAD of 11u and 17u). We also have to bump the version strings in
those new branches. But this has all been done in the past already
(e.g. see https://github.com/openjdk/jdk11u/commits/jdk11.0.16.1), so it
shouldn't be a blocker.
> I'll go and review the 11u & 17u backports now. Note that there
> are currently GHA failures with both, one down to the GCC versioning
> we removed in 8u with https://bugs.openjdk.org/browse/JDK-8284772
>
Thanks!
> Best regards,
> --
> Andrew :)
> Pronouns: he / him or they / them
> Principal Free Java Software Engineer
> OpenJDK Package Owner
> Red Hat, Inc. (http://www.redhat.com)
>
> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
>
> Please contact via e-mail, not proprietary chat networks
> Available on Libera Chat & OFTC IRC networks as gnu_andrew