[jdk11u-dev] RFR: 8295530: Update Zlib Data Compression Library to Version 1.2.13
Stewart X Addison
duke at openjdk.org
Thu Mar 2 11:46:21 UTC 2023
On Wed, 1 Mar 2023 20:27:53 GMT, Paul Hohensee <phh at openjdk.org> wrote:
>> Backporting zlib 1.2.13 from JDK17u due to https://nvd.nist.gov/vuln/detail/CVE-2022-37434 (9.8 CVSS score)
>> Tested on Windows which is generally the only platform I use which uses bundled zlib. This makes the `zlib` directory in the source identical to the one for JDK17u so should not cause any problems. I'll look at the feasibility of doing the same on JDK8 too.
>>
>> Reviewed-by: alanb, jpai
>
> What did your testing consist of?
@phohensee I've run through the tier1 tests on Windows ([results here](https://ci.adoptium.net/job/Test_openjdk11_hs_sanity.openjdk_x86-64_windows/729/testReport/)) plus verified with some of the compression-related tests from the TCK.
Since this is likely to be relatively low risk and is already in 17, and we typically build without the in-tree zlib on other platforms, I felt that was adequate. If you want me to run more exhaustive testing, let me know.
-------------
PR: https://git.openjdk.org/jdk11u-dev/pull/1788