Control: tags -1 + confirmed

On Wed, 2020-11-25 at 20:23 -0800, tony mancill wrote:
> I propose that openjdk-11 be updated to upstream 11.0.9.1+1 in the
> upcoming stable point release. This update addresses a regression
> [1] introduced in upstream release 11.0.9+11, which is present in
> buster via a security upload [2]. This keeps Debian on par with
> other vendors - e.g. RedHat [3], Ubuntu [4], and AdoptOpenJDK [5] -
> and introduces the same upstream version currently available in
> testing and unstable.
>
> Without this update, users may encounter crashes during bytecode
> compilation. As this is not an optional component of the JVM,
> there is no work-around and users would have to downgrade to 11.0.8
> (which has open CVEs).
>
> I have prepared an update and performed basic smoke-testing of the
> resulting binaries. The attached debdiff is based on the version
> uploaded by Moritz Mühlenhoff for the DSA, 11.0.9+11-1~deb10u1. I
> checked with the OpenJDK Maintainers [6], where we agreed that this
> update for the regression wouldn't follow the DSA process.
I'd have been more inclined to suggest fixing it via a DSA as a regression if it's going to affect lots of users (even though it's not a security update), given that's how the issue was introduced in the first place. I can see Moritz was involved in the discussion though, so I'm not going to push that too much right now. But this really shouldn't end up being SRM having to choose between security regressions or functional regressions for users when the latter were introduced via a DSA.

One difference between stable and unstable/testing that might be relevant here is that stable still has the mips architecture. I have to be honest that, from previous experiences with OpenJDK updates in (old)stable, that and the reintroduction of tests being run does concern me. But fingers crossed it all turns out fine.

Regards,

Adam