Downporting JDK-8313765 to jdk11u and jdk17u and respinning 11.0.20 and 17.0.8
Sergey Bylokhov
bylokhov at amazon.com
Thu Aug 17 21:50:51 UTC 2023
Nobody mentioned a respin of JDK 20u:
https://github.com/openjdk/jdk20u/pull/87
Does anybody plan to do it?
On 8/17/23 10:31, Andrew Hughes wrote:
> Yes, I've been tracking this since it was discussed in the vulnerability
> group. I agree it is preferable to have a fix rather than resorting to
> turning off a CVE fix.
>
> My main worry is not about backporting the fix, but in whether we can
> squeeze in a respin. I'm glad to see the proposed fix has finally been
> posted publicly, reviewed and integrated as of yesterday. It seems
> to have taken a long time to get to that stage from the original VG
> discussion.
>
> When we've done interim releases in the past, they have been within a
> few weeks of the original release. With this release, we are already
> at the point where we enter rampdown for the next release in < 2
> weeks.
>
> I think we can still manage an interim release this time, but it
> needs to happen within the next week, before people start to focus
> on testing and adding security fixes to the October update.
>
> I'll go and review the 11u & 17u backports now. Note that there
> are currently GHA failures with both, one down to the GCC versioning
> we removed in 8u with https://bugs.openjdk.org/browse/JDK-8284772
--
Best regards, Sergey.