[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian distributions of stable OpenJDK updates

On Mon, May 20, 2019 at 03:15:13PM +0200, Aleksey Shipilev wrote:
> On 5/20/19 3:08 PM, Emmanuel Bourg wrote:
> > Le 20/05/2019 à 14:38, Aleksey Shipilev a écrit :
> > 
> >> Yes. Security fixes and Japanese epoch changes are delivered in 11.0.3+7, after security embargo was
> >> lifted. The fixes are not in 11.0.3+6, which was tagged before the embargo lifted. You are looking
> >> for these:
> >>   http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/175eb80c253a
> >>   http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/2996b4523925
> >>   http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/f0d8b845de21
> >>   http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/1084d119236b
> >>   http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/c61b8801f0e4
> >>   http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/59610bddd37a
> > 
> > Thank you. As I understand the rev 1084d119236b is the fix for
> > CVE-2019-2684, and 59610bddd37a is the fix for CVE-2019-2602. But I'm
> > not sure about c61b8801f0e4, is there a related CVE?
> I don't think there is, but I am not the authoritative source on this. I just listed the differences
> between +6 and +7 (which came from the security-related repo after the fork for release).
> See more here:
>   https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html
>   https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-April/009115.html
> -Aleksey

Hello Aleksey,

Thank you for posting this to the list.  Reconciling the Debian version
numbers with those found in AdoptOpenJDK has been a recent topic of
discussion with several of my coworkers and so I was preparing to bring
up the issue here as well, but you beat me to it.

For reference for the list, the upstream tags can be seen here:


So 11.0.3+7 == 11.0.3-ga.

For stable backports and buster, I agree that we should upload an
11.0.3-ga package, particularly given the vulnerabilities still present
in 11.0.3+1: CVE-2019-2698, CVE-2019-2684, and CVE-2019-2602


It would be nice to do the same for buster, although now that 11.0.4+x
has been introduced to unstable, I believe we'll have to be creative
with the naming, either by introducing an epoch or using the
"11.0.4+1_really11.0.3-ga" trick.

In general, I think it would be helpful for our users if we uploaded the
prereleases to experimental but stuck to GA releases for unstable,
testing, and backports.  I think it is easy to mistake, for example, an
11.0.3+x (prerelease) version in Debian with the 11.0.3 GA release being
distributed by other projects.

Matthias, since you've been handling all of the recent uploads, do you
have specific thoughts or concerns about an upload of 11.0.3-ga?

Thank you,

Attachment: signature.asc
Description: PGP signature

Reply to: