openjdk 11.0.17 in bullseye

User discussion about Debian Development, Debian Project News and Announcements. Not for support questions.
aggaa
Posts: 10
Joined: 2022-07-20 16:43

openjdk 11.0.17 in bullseye

#1 Post by aggaa »

OpenJDK 11.0.17 was released on 10/18. This is the quarterly critical patch update. When can we see it included in Debian bullseye?
https://wiki.openjdk.org/display/JDKUpdates/JDK11u
https://packages.debian.org/bullseye/openjdk-11-jdk

Thanks.

sunrat
Administrator
Posts: 6382
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 115 times
Been thanked: 456 times

Re: openjdk 11.0.17 in bullseye

#2 Post by sunrat »

If it's a security update, the answer will be "soon".
You can check progress yourself at https://tracker.debian.org/pkg/openjdk-11
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

aggaa
Posts: 10
Joined: 2022-07-20 16:43

Re: openjdk 11.0.17 in bullseye

#3 Post by aggaa »

Yes, it is a security update. But I see from https://tracker.debian.org/pkg/openjdk-11 that it's still not resolved. Any ETA? Thanks.

sunrat
Administrator
Posts: 6382
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 115 times
Been thanked: 456 times

Re: openjdk 11.0.17 in bullseye

#4 Post by sunrat »

We are not developers here, just lowly users. The tracker is the best source to follow progress.
The suffix "~deb11u1" in the current Bullseye package shows there has been an update to the original package anyway. Often the Debian packagers will do this to incorporate fixes from a higher version. It's possible a higher version bump in Stable may cause issues for some users and Debian tries to avoid such occurrences.
Is there some particular bug fix you need from the higher version?
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!
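
An added illustration of the "~deb11u1" suffix discussed in post #4 (not code from any poster or from Debian): a small Python implementation of Debian's version ordering, showing that a `~deb11u1` revision sorts below the bare revision and how to read the upstream part of a package version. The version strings are constructed samples and `carries_upstream` is a hypothetical helper; as the post notes, fixes can be backported, so an older upstream number alone does not prove a fix is missing.

```python
import re
from itertools import zip_longest

def _order(c):
    # Debian ordering of non-digit characters: '~' sorts before everything
    # (even end of string), then letters, then all other characters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings: -1, 0 or 1."""
    runs_a = re.findall(r"([^0-9]*)([0-9]*)", a)
    runs_b = re.findall(r"([^0-9]*)([0-9]*)", b)
    for (ta, da), (tb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        # Non-digit runs first; a missing character has order 0.
        for ca, cb in zip_longest(ta, tb):
            oa = 0 if ca is None else _order(ca)
            ob = 0 if cb is None else _order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
        # Then the digit runs, numerically (an empty run counts as 0).
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def split_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare(a, b):
    """Full Debian version comparison: epoch, then upstream, then revision."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def carries_upstream(pkg_version, upstream_min):
    """True if the upstream part of pkg_version is at least upstream_min."""
    return _cmp_part(split_version(pkg_version)[1], upstream_min) >= 0

if __name__ == "__main__":
    # Constructed sample package versions, not taken from the thread.
    for v in ("11.0.16+8-1~deb11u1", "11.0.18+10-1~deb11u1"):
        print(v, "upstream >= 11.0.17:", carries_upstream(v, "11.0.17"))
```
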

aggaa
Posts: 10
Joined: 2022-07-20 16:43

Re: openjdk 11.0.17 in bullseye

#5 Post by aggaa »

Every quarterly openjdk 11 release incorporates a bunch of security fixes. This one (11.0.17) has the following:
source: https://mail.openjdk.org/pipermail/jdk- ... 18119.html

New in release OpenJDK 11.0.17 (2022-10-18):
=============================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk11017
* https://builds.shipilev.net/backports-m ... .0.17.html

* Security fixes
- JDK-8282252: Improve BigInteger/Decimal validation
- JDK-8285662: Better permission resolution
- JDK-8286077, CVE-2022-21618: Wider MultiByte conversions
- JDK-8286511: Improve macro allocation
- JDK-8286519: Better memory handling
- JDK-8286526, CVE-2022-21619: Improve NTLM support
- JDK-8286533, CVE-2022-21626: Key X509 usages
- JDK-8286910, CVE-2022-21624: Improve JNDI lookups
- JDK-8286918, CVE-2022-21628: Better HttpServer service
- JDK-8287446: Enhance icon presentations
- JDK-8288508: Enhance ECDSA usage
- JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage
- JDK-8289853: Update HarfBuzz to 4.4.1
- JDK-8290334: Update FreeType to 2.12.1
- JDK-8293429: [11u] minor update in attribute style

aggaa
Posts: 10
Joined: 2022-07-20 16:43

Re: openjdk 11.0.17 in bullseye

#6 Post by aggaa »

Looks like we are still blocked on this (per tracker https://tracker.debian.org/pkg/openjdk-11). I am just concerned that we are missing the above security fixes in bullseye.

aggaa
Posts: 10
Joined: 2022-07-20 16:43

Re: openjdk 11.0.17 in bullseye

#7 Post by aggaa »

Just wondering if there are any updates here. I know this is a community-based project. But given that this is a security-related issue, is it getting the right attention/priority? Thanks.

aggaa
Posts: 10
Joined: 2022-07-20 16:43

Re: openjdk 11.0.17 in bullseye

#8 Post by aggaa »

Just checking if anyone has any updates here? This is the first time we are seeing this much delay in incorporating OpenJDK's quarterly security update into Bullseye. It's about 2 months since 11.0.17 came out.

aggaa
Posts: 10
Joined: 2022-07-20 16:43

Re: openjdk 11.0.17 in bullseye

#9 Post by aggaa »

Can anyone please provide an update here? I see the following on the tracker. What does it mean?
[2022-12-27] openjdk-11 REMOVED from testing (Debian testing watch)

dlu2021
Posts: 197
Joined: 2021-08-13 19:55
Location: Minnesota
Has thanked: 7 times
Been thanked: 37 times

Re: openjdk 11.0.17 in bullseye

#10 Post by dlu2021 »

It looks like it is being dropped from Bookworm because openjdk-17 is the new default:

https://bugs.debian.org/cgi-bin/bugrepo ... ug=1023237

kent_dorfman766
Posts: 529
Joined: 2022-12-16 06:34
Location: socialist states of america
Has thanked: 56 times
Been thanked: 69 times

Re: openjdk 11.0.17 in bullseye

#11 Post by kent_dorfman766 »

I know it is a PITA, but you should be able to install the update manually, independently of whether it's in the debian/security repo. I mean it's just an archive of jar/class files, right? Just something else you'd need to manually track once you diverge from the "distro source".

aggaa
Posts: 10
Joined: 2022-07-20 16:43

Re: openjdk 11.0.17 in bullseye

#12 Post by aggaa »

We are using the distroless Java Docker image from Google (https://github.com/GoogleContainerTools ... /README.md). Installing OpenJDK manually defeats the whole purpose of using distroless images.
I can understand that openjdk-17 is the new default for Bookworm. But what about Bullseye?

canci
Global Moderator
Posts: 2497
Joined: 2006-09-24 11:28
Has thanked: 135 times
Been thanked: 134 times

Re: openjdk 11.0.17 in bullseye

#13 Post by canci »

aggaa wrote: 2022-11-29 17:27 Just wondering if there are any updates here.
This is a user forum. You've been told where to look/ask about the new version, yet you keep behaving like an entitled customer and keep asking the wrong people. What do you expect will happen here?
Stable / Asus VivoBook X421DA / AMD Ryzen 7 3700U / Radeon Vega Mobile Gfx (Picasso) / 8 GB RAM / 512GB NVMe

aggaa
Posts: 10
Joined: 2022-07-20 16:43

Re: openjdk 11.0.17 in bullseye

#14 Post by aggaa »

canci wrote: 2023-01-12 19:16
aggaa wrote: 2022-11-29 17:27 Just wondering if there are any updates here.
This is a user forum. You've been told where to look/ask about the new version, yet you keep behaving like an entitled customer and keep asking the wrong people. What do you expect will happen here?
Sorry if I missed that hint. Where should I look/ask about the new version?

dlu2021
Posts: 197
Joined: 2021-08-13 19:55
Location: Minnesota
Has thanked: 7 times
Been thanked: 37 times

Re: openjdk 11.0.17 in bullseye

#15 Post by dlu2021 »

aggaa wrote: 2023-01-12 19:39 Sorry if I missed that hint. Where should I look/ask about the new version?
FYI, it looks like 11.0.18 just hit stable security:

https://tracker.debian.org/pkg/openjdk-11
