JDK 11, 17, 21 distributions have a vulnerable artifact of Xalan and Serializer v2.7.2 source code


    • linux

      A DESCRIPTION OF THE PROBLEM :
      We would like to seek your guidance regarding the possibility of backporting an upstream OpenJDK fix into the JDK 11, 17, 21 distributions.

      During our JDK 11 baseline adoption for one of our enterprise products, we observed that certain XML-related components bundled with OpenJDK 11 (for example, Xalan/Serializer) include versions that are flagged for known vulnerabilities. We understand that the corresponding fixes are already available in the OpenJDK project in later JDK versions (OpenJDK 22). We believe the same has been backported into JDK 8u411 as well.

      https://bugs.openjdk.org/browse/JDK-8305814

      https://nvd.nist.gov/vuln/detail/cve-2022-34169

      https://www.cve.org/CVERecord?id=CVE-2022-34169

      Commit Details:
      https://github.com/openjdk/jdk/commit/b1625af600c253e872232dc62bf353db88c97079


      To align with JDK recommendations and avoid explicitly bundling external replacements (which may lead to JPMS or split-package concerns), we would like to understand:

      Whether there is an existing plan to backport the relevant OpenJDK fix(es) into the OpenJDK 11, 17 and 21 distribution.

      Any guidance on the recommended next steps would be greatly appreciated.

      Thank you for your continued efforts in maintaining and supporting OpenJDK distributions.


      REGRESSION: Last worked in version 8u481

            Assignee:
            Unassigned
            Reporter:
            Webbug Group