[jdk8u-dev] RFR: 8295530: Update Zlib Data Compression Library to Version 1.2.13 [v4]

Stewart X Addison duke at openjdk.org
Fri Mar 10 12:20:14 UTC 2023


On Fri, 10 Mar 2023 09:33:09 GMT, Severin Gehwolf <sgehwolf at openjdk.org> wrote:

> Does this qualify? It's quite a large change to be making at that stage and I'd prefer it went into 8u382.

The CVE referenced in the description was [raised by a customer](https://github.com/adoptium/adoptium-support/issues/619#issuecomment-1447720601zlib.net) about JDK17, where it was flagged by the [BDBA scanner](https://www.synopsys.com/software-integrity/security-testing/software-composition-analysis/binary-analysis.html).
While I haven't run an equivalent scan against JDK8u, I would expect the same to be true there, so it ultimately depends on whether this high vulnerability is considered a critical enough fix to warrant inclusion in 8u372. It is targeted for 17.0.7 and 11.0.19 based on [the bug](https://bugs.openjdk.org/browse/JDK-8295530), so getting it into 8u372 would put it into all streams simultaneously, but I'll defer to your judgement as to whether that's a good enough justification.

-------------

PR: https://git.openjdk.org/jdk8u-dev/pull/277
