Comments (3)
JDK version 1.8.0.342-7 for Java 8 has been identified to have various critical vulnerabilities.
8u342 has all of the fixes from Oracle's July 2022 quarterly release. I'm checking with BellSoft to see what is fixed in 8u345, but their release notes do not indicate any CVE patches.
Request to bump up the version of the Liberica buildpack to 9.4.2, which has a fix for this by including the new version 1.8.0.345, which addresses the vulnerabilities.
This will happen on Friday (two days). The normal release cadence for the paketo-buildpacks/java composite buildpack is every Friday, with the exception of patches for critical CVEs. Since there were not any listed in the release notes, we had planned for this release to go out in the normally scheduled release. I did check with the vendor, so if they come back and confirm there are CVE patches in this release, we can release this buildpack sooner.
In the meantime, I believe you can follow these instructions with the gcr.io/paketo-buildpacks/bellsoft-liberica:9.4.2 image and swap in the 9.4.2 release.
BellSoft confirmed that there are no CVE fixes in 8u345. There was a functional regression in 8u342 which impacts Gradle. This was severe enough that it triggered an off-cycle release. This release has only this one fix, nothing else. This did not impact Java 11 or 17, so no new releases there.
Closing as this release has since shipped.