openjdk 11.0.17 in bullseye

Discussion about development of the Debian OS itself
aggaa
Posts: 6
Joined: 2022-07-20 16:43

openjdk 11.0.17 in bullseye

#1 Post by aggaa »

OpenJDK 11.0.17 was released on 10/18. This is the quarterly critical patch update. When can we see it included in Debian bullseye?
https://wiki.openjdk.org/display/JDKUpdates/JDK11u
https://packages.debian.org/bullseye/openjdk-11-jdk

Thanks.

sunrat
Administrator
Posts: 5084
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 53 times
Been thanked: 186 times

Re: openjdk 11.0.17 in bullseye

#2 Post by sunrat »

If it's a security update, the answer will be "soon".
You can check progress yourself at https://tracker.debian.org/pkg/openjdk-11
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

aggaa
Posts: 6
Joined: 2022-07-20 16:43

Re: openjdk 11.0.17 in bullseye

#3 Post by aggaa »

Yes, it is a security update. But I see from https://tracker.debian.org/pkg/openjdk-11 that it's still not resolved. Any ETA? Thanks.

sunrat
Administrator
Posts: 5084
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 53 times
Been thanked: 186 times

Re: openjdk 11.0.17 in bullseye

#4 Post by sunrat »

We are not developers here, just lowly users. The tracker is the best source to follow progress.
The suffix "~deb11u1" in the current Bullseye package shows there has been an update to the original package anyway. Often the Debian packagers will do this to incorporate fixes from a higher version. It's possible a higher version bump in Stable may cause issues for some users and Debian tries to avoid such occurrences.
Is there some particular bug fix you need from the higher version?

aggaa
Posts: 6
Joined: 2022-07-20 16:43

Re: openjdk 11.0.17 in bullseye

#5 Post by aggaa »

Every quarterly openjdk 11 release incorporates a bunch of security fixes. This one (11.0.17) has the following:
source: https://mail.openjdk.org/pipermail/jdk- ... 18119.html

New in release OpenJDK 11.0.17 (2022-10-18):
=============================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk11017
* https://builds.shipilev.net/backports-m ... .0.17.html

* Security fixes
- JDK-8282252: Improve BigInteger/Decimal validation
- JDK-8285662: Better permission resolution
- JDK-8286077, CVE-2022-21618: Wider MultiByte conversions
- JDK-8286511: Improve macro allocation
- JDK-8286519: Better memory handling
- JDK-8286526, CVE-2022-21619: Improve NTLM support
- JDK-8286533, CVE-2022-21626: Key X509 usages
- JDK-8286910, CVE-2022-21624: Improve JNDI lookups
- JDK-8286918, CVE-2022-21628: Better HttpServer service
- JDK-8287446: Enhance icon presentations
- JDK-8288508: Enhance ECDSA usage
- JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage
- JDK-8289853: Update HarfBuzz to 4.4.1
- JDK-8290334: Update FreeType to 2.12.1
- JDK-8293429: [11u] minor update in attribute style
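
An added example, not part of any post in this thread: a shell check that combines the two points above. It compares the upstream JDK release inside a Debian version string against 11.0.17, and because fixes can be backported under a `~deb11uN` revision, it also looks for the CVE ids listed above in the package changelog. The function names and the sample version and changelog text are constructed for illustration.

```shell
#!/bin/sh
# CVE ids copied from the 11.0.17 release notes quoted in this thread.
CVES="CVE-2022-21618 CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 CVE-2022-39399"

# Debian version = [epoch:]upstream[-revision]; OpenJDK upstream = release+build.
jdk_release() {                               # "11.0.16+8-1~deb11u1" -> "11.0.16"
    v=${1#*:}                                 # drop the epoch, if any
    case $v in *-*) v=${v%-*} ;; esac         # drop the revision (after the last hyphen)
    printf '%s\n' "${v%%+*}"                  # drop the "+build" number
}

version_ge() {                                # true if dotted-numeric $1 >= $2
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

missing_cves() {                              # changelog on stdin -> CVE ids it never mentions
    log=$(cat); out=
    for c in $CVES; do
        case $log in *"$c"*) ;; *) out="$out $c" ;; esac
    done
    printf '%s\n' "${out# }"
}

fix_status() {                                # $1 = package version, changelog on stdin
    if version_ge "$(jdk_release "$1")" 11.0.17; then
        echo "upstream-has-fixes"; return 0
    fi
    miss=$(missing_cves)                      # older upstream: look for backported fixes
    if [ -z "$miss" ]; then echo "changelog-lists-all-cves"
    else echo "unconfirmed: $miss"; fi
}

# On a real bullseye host the inputs would come from:
#   dpkg-query -W -f='${Version}' openjdk-11-jre-headless
#   zcat /usr/share/doc/openjdk-11-jre-headless/changelog.Debian.gz
# Constructed sample input (not taken from a real system):
SAMPLE_VERSION='11.0.16+8-1~deb11u1'
SAMPLE_CHANGELOG='openjdk-11 (11.0.16+8-1~deb11u1) bullseye-security; urgency=medium
  * Constructed entry that mentions no CVE ids.'
printf '%s\n' "$SAMPLE_CHANGELOG" | fix_status "$SAMPLE_VERSION"
```

An "unconfirmed" result means only that the changelog does not name those CVE ids; the tracker linked earlier in the thread remains the authoritative status.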

aggaa
Posts: 6
Joined: 2022-07-20 16:43

Re: openjdk 11.0.17 in bullseye

#6 Post by aggaa »

Looks like we are still blocked on this (per tracker https://tracker.debian.org/pkg/openjdk-11). I am just concerned that we are missing the above security fixes in bullseye.

aggaa
Posts: 6
Joined: 2022-07-20 16:43

Re: openjdk 11.0.17 in bullseye

#7 Post by aggaa »

Just wondering if there are any updates here. I know this is a community-based project. But given that this is a security-related issue, is it getting the right attention/priority? Thanks.
