Request to Update Bellsoft Liberica Buildpacks to 9.4.2 as default
Closed this issue · 3 comments
Currently the default version of the default JVM, paketo-buildpacks/bellsoft-liberica:9.4.1, is using JDK version 1.8.0.342-7 for Java 8, which has been identified to have various critical vulnerabilities. Request to bump up the version of the Liberica buildpack to 9.4.2, which has a fix for this by including the new version 1.8.0.345, which addresses the vulnerabilities.
Expected Behavior
The Java buildpacks should by default pull bellsoft-liberica buildpacks version 9.4.2.
Current Behavior
The latest release of the Java buildpacks is using version 9.4.1 of the bellsoft-liberica buildpack by default.
Possible Solution
A new release is needed that includes the latest version of the bellsoft-liberica buildpack (9.4.2).
JDK version 1.8.0.342-7 for Java 8, which has been identified to have various critical vulnerabilities
8u342 has all of the fixes from Oracle's July 2022 quarterly release. I'm checking with Bellsoft to see what is fixed in 8u345, but their release notes do not indicate any CVE patches.
Request to bump up the version of the Liberica buildpack to 9.4.2, which has a fix for this by including the new version 1.8.0.345, which addresses the vulnerabilities.
This will happen on Friday (two days). The normal release cadence for the paketo-buildpacks/java composite buildpack is every Friday, with the exception of patches for critical CVEs. Since there were not any listed in the release notes, we had planned for this release to go out in the normally scheduled release. I did check with the vendor, so if they come back and confirm there are CVE patches in this release, we can release this buildpack sooner.
In the meantime, I believe you can follow these instructions with the gcr.io/paketo-buildpacks/bellsoft-liberica:9.4.2 image and swap in the 9.4.2 release.
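Once the newer Liberica buildpack has been swapped in, the thing worth verifying is which Java 8 update actually ended up in the built image. The following shell check is an added example, not code from this thread or from the Paketo project: it parses a `java -version` line (the sample lines are constructed stand-ins for the output of running `java -version` inside the image) and fails when the update level is below the one expected.

```shell
#!/bin/sh
# Added example, not from this issue thread. Extracts the Java 8 update level
# from a `java -version` line and compares it with a minimum, so a build
# pipeline can fail if an image still carries 8u342 after a bump to 8u345
# was expected.

# Print the update number from a version line such as
#   openjdk version "1.8.0_342-7"   ->  342
# Prints nothing when the line holds no Java 8 version string.
jdk8_update_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*"1\.8\.0_\([0-9][0-9]*\).*/\1/p'
}

# Return 0 when the update level in $1 is at least $2, 1 otherwise
# (also 1 when no Java 8 version string can be found at all).
jdk8_meets_minimum() {
    update=$(jdk8_update_from_line "$1")
    [ -n "$update" ] || return 1
    [ "$update" -ge "$2" ]
}

# Constructed sample lines standing in for the first line of
#   docker run --rm <built-image> java -version 2>&1
OLD_LINE='openjdk version "1.8.0_342-7"'
NEW_LINE='openjdk version "1.8.0_345"'

for line in "$OLD_LINE" "$NEW_LINE"; do
    if jdk8_meets_minimum "$line" 345; then
        echo "OK:       $line"
    else
        echo "OUTDATED: $line (want at least 8u345)"
    fi
done
```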
Bellsoft confirmed that there are no CVE fixes in 8u345. There was a functional regression in 8u342 which impacts Gradle. This was severe enough that it triggered an off-cycle release. This release has only this one fix, nothing else. This did not impact Java 11 or 17, so no new releases there.
Closing as this release has since shipped.