The Liberty-for-Java Buildpack v3.62 adds Liberty runtime 21.0.0.10 as the alternate runtime and keeps 21.0.0.9 as the default runtime.
The IBM JRE Version is updated to 8 SR6 FP36. The Liberty buildpack is now including the IBM Semeru Runtime Open Edition for Java 11 (11.0.12_7_openj9-0.27.0) and is replacing the runtime from Eclipse. The default and alternate runtimes 21.0.0.9 and 21.0.0.10 address the following PSIRT security vulnerabilities:
- Vulnerability in Apache Commons Compress library that is used by Websphere Application Server Liberty (CVE-2021-36090, CVE-2021-35517).
- Vulnerability in WebSphere Application Server to information disclosure (CVE-2021-29842).
This buildpack contains two production versions of Liberty — a default version that remains constant for approximately three months and the latest version, as an alternate.
An existing application will not be affected by the new buildpack until you redeploy or restage it. After redeployment, existing applications should continue to run “as is” without any additional changes. New applications will automatically use the new buildpack.