Downporting JDK-8313765 to jdk11u and jdk17u and respinning 11.0.20 and 17.0.8
Andrew Hughes
gnu.andrew at redhat.com
Fri Aug 18 17:40:57 UTC 2023
On 14:50 Thu 17 Aug , Sergey Bylokhov wrote:
> Nobody mention respin of JDK 20u:
> https://github.com/openjdk/jdk20u/pull/87
> Does anybody plan to do it?
>
> On 8/17/23 10:31, Andrew Hughes wrote:
> > Yes, I've been tracking this since it was discussed in the vulnerability
> > group. I agree it is preferable to have a fix rather than resorting to
> > turning off a CVE fix.
> >
> > My main worry is not about backporting the fix, but in whether we can
> > squeeze in a respin. I'm glad to see the proposed fix has finally been
> > posted publicly, reviewed and integrated as of yesterday. It seems
> > to have taken a long time to get to that stage from the original VG
> > discussion.
> >
> > When we've done interim releases in the past, they have been within a
> > few weeks of the original release. With this release, we are already
> > at the point where we enter rampdown for the next release in < 2
> > weeks.
> >
> > I think we can still manage an interim release this time, but it
> > needs to happen within the next week, before people start to focus
> > on testing and adding security fixes to the October update.
> >
> > I'll go and review the 11u & 17u backports now. Note that there
> > are currently GHA failures with both, one down to the GCC versioning
> > we removed in 8u with https://bugs.openjdk.org/browse/JDK-8284772
>
> --
> Best regards, Sergey.
>
We're not maintainers, Oracle are. I guess their efforts are now focused
on 21. They are aware of this and have apparently added it to 17.0.10-oracle
and 11.0.22-oracle already, and I see a request for 21 too [0]
[0] https://bugs.openjdk.org/browse/JDK-8313765?focusedCommentId=14604862&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14604862
Best regards,
--
Andrew :)
Pronouns: he / him or they / them
Principal Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
Please contact via e-mail, not proprietary chat networks
Available on Libera Chat & OFTC IRC networks as gnu_andrew
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/jdk-updates-dev/attachments/20230818/fe7ffb41/signature.asc>
More information about the jdk-updates-dev
mailing list