On Tue, 10 May 2022 19:36:22 +0200 Florian Weimer <fweimer@xxxxxxxxxx> wrote: > * Vitaly Zaitsev via devel: > > > On 10/05/2022 15:29, Ben Cotton wrote: > >> This is initial step to move JDKs to be more like other JDKs, to > >> build proper transferable images, and to lower certification > >> burden of each binary. > > > > Strongly -1. Bundled versions are always outdated and may be even > > vulnerable. > > And upstream only incorporates security fixes once per quarter, so the > recent zlib bug (CVE-2018-25032) would have to be reintroduced, or a > downstream-only patched for it applied. There was some confusion > whether this bug only happened with Z_FIXED, but there's been another > reproducer now. Given the lack of public discussion (following > upstream policy), it's not clear whether this has been taken into > account. In this case upstream might actually get there first because this CVE is not yet fixed in Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=2068066). Of course, this is unusual. Paul. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
