On Tue, 10 May 2022 19:36:22 +0200
Florian Weimer <fweimer(a)redhat.com> wrote:
> * Vitaly Zaitsev via devel:
> > On 10/05/2022 15:29, Ben Cotton wrote:
> >> This is initial step to move JDKs to be more like other JDKs, to
> >> build proper transferable images, and to lower certification
> >> burden of each binary.
> >
> > Strongly -1. Bundled versions are always outdated and may be even
> > vulnerable.
> And upstream only incorporates security fixes once per quarter, so the
> recent zlib bug (CVE-2018-25032) would have to be reintroduced, or a
> downstream-only patch for it applied. There was some confusion
> whether this bug only happened with Z_FIXED, but there's been another
> reproducer now. Given the lack of public discussion (following
> upstream policy), it's not clear whether this has been taken into
> account.
In this case upstream might actually get there first because this CVE
is not yet fixed in Fedora
(https://bugzilla.redhat.com/show_bug.cgi?id=2068066). Of course, this
is unusual.
Paul.