On Mon, May 20, 2019 at 03:15:13PM +0200, Aleksey Shipilev wrote: > On 5/20/19 3:08 PM, Emmanuel Bourg wrote: > > Le 20/05/2019 à 14:38, Aleksey Shipilev a écrit : > > > >> Yes. Security fixes and Japanese epoch changes are delivered in 11.0.3+7, after security embargo was > >> lifted. The fixes are not in 11.0.3+6, which was tagged before the embargo lifted. You are looking > >> for these: > >> http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/175eb80c253a > >> http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/2996b4523925 > >> http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/f0d8b845de21 > >> http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/1084d119236b > >> http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/c61b8801f0e4 > >> http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/59610bddd37a > > > > Thank you. As I understand the rev 1084d119236b is the fix for > > CVE-2019-2684, and 59610bddd37a is the fix for CVE-2019-2602. But I'm > > not sure about c61b8801f0e4, is there a related CVE? > > I don't think there is, but I am not the authoritative source on this. I just listed the differences > between +6 and +7 (which came from the security-related repo after the fork for release). > > See more here: > https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html > https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-April/009115.html > > -Aleksey > Hello Aleksey, Thank you for posting this to the list. Reconciling the Debian version numbers with those found in AdoptOpenJDK has been a recent topic of discussion with several of my coworkers and so I was preparing to bring up the issue here as well, but you beat me to it. For reference for the list, the upstream tags can be seen here: http://hg.openjdk.java.net/jdk-updates/jdk11u/tags So 11.0.3+7 == 11.0.3-ga. For stable backports and buster, I agree that we should upload an 11.0.3-ga package, particularly given the vulnerabilities still present in 11.0.3+1: CVE-2019-2698, CVE-2019-2684, and CVE-2019-2602 https://security-tracker.debian.org/tracker/source-package/openjdk-11 It would be nice to do the same for buster, although now that 11.0.4+x has been introduced to unstable, I believe we'll have to be creative with the naming, either by introducing an epoch or using the "11.0.4+1_really11.0.3-ga" trick. In general, I think it would be helpful for our users if we uploaded the prereleases to experimental but stuck to GA releases for unstable, testing, and backports. I think it is easy to mistake, for example, an 11.0.3+x (prerelease) version in Debian with the 11.0.3 GA release being distributed by other projects. Matthias, since you've been handling all of the recent uploads, do you have specific thoughts or concerns about an upload of 11.0.3-ga? Thank you, tony
Attachment:
signature.asc
Description: PGP signature