On 4/20/2022 5:06 PM, Vitaly Provodin wrote:
Recently we (at JetBrains) were faced with the vulnerability issue CVE-2018-25032 (zlib before 1.2.12 allows memory corruption…) It is known that Linux, macOS builds uses system’s zlib but Windows - bundled one (by default). On Linux and macOS users can work around the issue by installing proper zlib on their systems. Are there any ideas for Windows? - the way building (under Cygwin!) with system zlib looks unworkable in case if Cygwin is not installed on user's machines. It looks like after implementing https://bugs.openjdk.java.net/browse/JDK-8249963 (which also discussed here https://mail.openjdk.java.net/pipermail/core-libs-dev/2020-July/067868.html) the resolution of such issues can be shifted to users but what can be done now
Hi Vitaly, A better forum might be core-lib-dev[1], and build-dev as you already cc'd. Brad [1] https://mail.openjdk.java.net/mailman/listinfo/core-libs-dev
