* Vitaly Zaitsev via devel:

> On 10/05/2022 15:29, Ben Cotton wrote:
>> This is an initial step to move JDKs to be more like other JDKs, to build
>> proper transferable images, and to lower the certification burden of each
>> binary.
>
> Strongly -1. Bundled versions are always outdated and may even be
> vulnerable.

And upstream only incorporates security fixes once per quarter, so the recent zlib bug (CVE-2018-25032) would have to be reintroduced, or a downstream-only patch for it applied. There was some confusion about whether this bug only happened with Z_FIXED, but there's been another reproducer now. Given the lack of public discussion (following upstream policy), it's not clear whether this has been taken into account.

Once the vulnerability scanners get better, we should really avoid copies of the demangler code because of its occasional vulnerabilities. They won't be exploitable in OpenJDK (at all), but scanners will eventually flag the presence of that code, still requiring security updates.

If demangling can be disabled (so that mangled names show up in crash dumps), I think eliminating the remaining libstdc++ dependencies is a few weeks' work, mostly involving documenting interposable functions on the GCC side.

Thanks,
Florian