openjdk 11.0.17 in bullseye
OpenJDK 11.0.17 was released on 10/18. This is the quarterly critical patch update. When can we see it included in Debian bullseye?
https://wiki.openjdk.org/display/JDKUpdates/JDK11u
https://packages.debian.org/bullseye/openjdk-11-jdk
Thanks.
- sunrat
- Administrator
- Posts: 6463
- Joined: 2006-08-29 09:12
- Location: Melbourne, Australia
- Has thanked: 116 times
- Been thanked: 472 times
Re: openjdk 11.0.17 in bullseye
If it's a security update, the answer will be "soon".
You can check progress yourself at https://tracker.debian.org/pkg/openjdk-11
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ” Remember to BACKUP!
Re: openjdk 11.0.17 in bullseye
Yes, it is a security update. But I see from https://tracker.debian.org/pkg/openjdk-11 that it's still not resolved. Any ETA? Thanks.
- sunrat
- Administrator
- Posts: 6463
- Joined: 2006-08-29 09:12
- Location: Melbourne, Australia
- Has thanked: 116 times
- Been thanked: 472 times
Re: openjdk 11.0.17 in bullseye
We are not developers here, just lowly users. The tracker is the best source to follow progress.
The suffix "~deb11u1" in the current Bullseye package shows there has been an update to the original package anyway. Often the Debian packagers will do this to incorporate fixes from a higher version. It's possible a higher version bump in Stable may cause issues for some users and Debian tries to avoid such occurrences.
Is there some particular bug fix you need from the higher version?
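Added example, not part of the original thread and not Debian's own code: a minimal Python version of Debian's package version ordering, showing how a "~deb11u1" suffix sorts and how to test whether an installed openjdk-11 package carries at least upstream 11.0.17. It goes beyond the single suffix discussed above by also handling epochs and revisions; the version strings `OLD` and `NEW` and all function names are constructed for illustration, not taken from the tracker.

```python
import re
from itertools import zip_longest

def _key(text):
    # dpkg weights: '~' sorts before end of string, letters before other symbols.
    weights = [-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256 for c in text]
    return weights + [0]  # 0 marks the end of this non-digit run

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings; returns -1, 0 or 1."""
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (ta, na), (tb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        ka, kb = (_key(ta), int(na or 0)), (_key(tb), int(nb or 0))
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; epoch ends at the first ':', revision starts at the last '-'.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare(v1, v2):
    """Full Debian version comparison; returns -1, 0 or 1."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def includes_upstream(installed, fixed_upstream):
    """True if the installed package's upstream version is >= fixed_upstream."""
    _, upstream, _ = _split(installed)
    return _cmp_part(upstream, fixed_upstream) >= 0

# Constructed sample version strings (not copied from the Debian tracker).
OLD = "11.0.16+8-1~deb11u1"
NEW = "11.0.17+8-1~deb11u1"

if __name__ == "__main__":
    for v in (OLD, NEW):
        print(v, "includes 11.0.17:", includes_upstream(v, "11.0.17"))
    # A "~deb11u1" build sorts below the same revision without the suffix.
    print(compare(NEW, "11.0.17+8-1"))
```

On a system with dpkg installed, `dpkg --compare-versions` performs the same comparison.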
Re: openjdk 11.0.17 in bullseye
Every quarterly openjdk 11 release incorporates a bunch of security fixes. This one (11.0.17) has the following:
source: https://mail.openjdk.org/pipermail/jdk- ... 18119.html
New in release OpenJDK 11.0.17 (2022-10-18):
=============================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk11017
* https://builds.shipilev.net/backports-m ... .0.17.html
* Security fixes
- JDK-8282252: Improve BigInteger/Decimal validation
- JDK-8285662: Better permission resolution
- JDK-8286077, CVE-2022-21618: Wider MultiByte conversions
- JDK-8286511: Improve macro allocation
- JDK-8286519: Better memory handling
- JDK-8286526, CVE-2022-21619: Improve NTLM support
- JDK-8286533, CVE-2022-21626: Key X509 usages
- JDK-8286910, CVE-2022-21624: Improve JNDI lookups
- JDK-8286918, CVE-2022-21628: Better HttpServer service
- JDK-8287446: Enhance icon presentations
- JDK-8288508: Enhance ECDSA usage
- JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage
- JDK-8289853: Update HarfBuzz to 4.4.1
- JDK-8290334: Update FreeType to 2.12.1
- JDK-8293429: [11u] minor update in attribute style
Re: openjdk 11.0.17 in bullseye
Looks like we are still blocked on this (per tracker https://tracker.debian.org/pkg/openjdk-11). I am just concerned that we are missing the above security fixes in bullseye.
Re: openjdk 11.0.17 in bullseye
Just wondering if there are any updates here. I know this is a community-based project. But given that this is a security-related issue, is it getting the right attention/priority? Thanks.
Re: openjdk 11.0.17 in bullseye
Just checking if anyone has any updates here? This is the first time we are seeing this much delay in incorporating OpenJDK's quarterly security update into Bullseye. It's about 2 months since 11.0.17 came out.
Re: openjdk 11.0.17 in bullseye
Can anyone please provide an update here? I see the following on the tracker. What does it mean?
[2022-12-27] openjdk-11 REMOVED from testing (Debian testing watch)
-
- Posts: 210
- Joined: 2021-08-13 19:55
- Location: Minnesota
- Has thanked: 7 times
- Been thanked: 41 times
Re: openjdk 11.0.17 in bullseye
It looks like it is being dropped from Bookworm because openjdk-17 is the new default:
https://bugs.debian.org/cgi-bin/bugrepo ... ug=1023237
- kent_dorfman766
- Posts: 540
- Joined: 2022-12-16 06:34
- Location: socialist states of america
- Has thanked: 59 times
- Been thanked: 70 times
Re: openjdk 11.0.17 in bullseye
I know it is a PITA, but you should be able to install the update manually, independently of whether it's in the debian/security repo. I mean it's just an archive of jar/class files, right? Just something else you'd need to manually track once you diverge from the "distro source".
Re: openjdk 11.0.17 in bullseye
We are using a distroless Java Docker image from Google (https://github.com/GoogleContainerTools ... /README.md). Installing OpenJDK manually defeats the whole purpose of using distroless images.
I can understand that openjdk-17 is the new default for Bookworm. But what about Bullseye?
- canci
- Global Moderator
- Posts: 2502
- Joined: 2006-09-24 11:28
- Has thanked: 136 times
- Been thanked: 136 times
Re: openjdk 11.0.17 in bullseye
This is a user forum. You've been told where to look/ask about the new version, yet you keep behaving like an entitled customer and keep asking the wrong people. What do you expect will happen here?
Stable / Asus VivoBook X421DA / AMD Ryzen 7 3700U / Radeon Vega Mobile Gfx (Picasso) / 8 GB RAM / 512GB NVMe
READ THIS:
* How to Post a Thread Here
* Other Tips and Great Resources
Re: openjdk 11.0.17 in bullseye
Sorry if I missed that hint. Where should I look/ask about the new version?