Your message dated Thu, 24 Apr 2025 07:42:30 +0200
with message-id <aanpruygquokq...@eldamar.lan>
and subject line Re: Accepted openjdk-21 21.0.7+6-1 (source) into unstable
has caused the Debian Bug report #1103897,
regarding openjdk-21: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1103897: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103897
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjdk-21
Version: 21.0.7~8ea-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: clone -1 -2 -3 -4
Control: reassign -2 src:openjdk-17 17.0.15~5ea-1
Control: retitle -2 openjdk-17: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
Control: reassign -3 src:openjdk-11 11.0.27~4ea-1
Control: retitle -3 openjdk-11: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
Control: reassign -4 src:openjdk-8 8u442-ga-2
Control: retitle -4 openjdk-8: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
Hi,
The following vulnerabilities were published for OpenJDK.
CVE-2025-30698[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| 2D). Supported versions that are affected are Oracle Java SE:
| 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for
| JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17
| and 21.3.13. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data as well as unauthorized read access to a
| subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data and unauthorized ability to cause
| a partial denial of service (partial DOS) of Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This
| vulnerability applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability does not apply to Java deployments, typically in
| servers, that load and run only trusted code (e.g., code installed
| by an administrator). CVSS 3.1 Base Score 5.6 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).
CVE-2025-30691[1]:
| Vulnerability in Oracle Java SE (component: Compiler). Supported
| versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle
| GraalVM for JDK: 21.0.6 and 24. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE. Successful attacks of this
| vulnerability can result in unauthorized update, insert or delete
| access to some of Oracle Java SE accessible data as well as
| unauthorized read access to a subset of Oracle Java SE accessible
| data. Note: This vulnerability can be exploited by using APIs in the
| specified Component, e.g., through a web service which supplies data
| to the APIs. This vulnerability also applies to Java deployments,
| typically in clients running sandboxed Java Web Start applications
| or sandboxed Java applets, that load and run untrusted code (e.g.,
| code that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
CVE-2025-21587[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JSSE). Supported versions that are affected are Oracle Java
| SE:8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM
| for JDK:17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise
| Edition:20.3.17 and 21.3.13. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition. Successful attacks of this
| vulnerability can result in unauthorized creation, deletion or
| modification access to critical data or all Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data
| as well as unauthorized access to critical data or complete access
| to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-30698
https://www.cve.org/CVERecord?id=CVE-2025-30698
[1] https://security-tracker.debian.org/tracker/CVE-2025-30691
https://www.cve.org/CVERecord?id=CVE-2025-30691
[2] https://security-tracker.debian.org/tracker/CVE-2025-21587
https://www.cve.org/CVERecord?id=CVE-2025-21587
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openjdk-21
Source-Version: 21.0.7+6-1
On Thu, Apr 24, 2025 at 12:26:35AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Thu, 24 Apr 2025 01:57:46 +0200
> Source: openjdk-21
> Architecture: source
> Version: 21.0.7+6-1
> Distribution: unstable
> Urgency: high
> Maintainer: OpenJDK Team <openjdk...@packages.debian.org>
> Changed-By: Matthias Klose <d...@ubuntu.com>
> Changes:
> openjdk-21 (21.0.7+6-1) unstable; urgency=high
> .
> * OpenJDK 21.0.7 release, build 6.
> - Addresses CVE-2025-30698, CVE-2025-30691, CVE-2025-21587.
> .
> * Honour DEB_BUILD_OPTIONS=parallel=N while running jtreg tests (Helmut
> Grohne). Addresses: #1095920.
> Checksums-Sha1:
> dbd1500615f5702a4f1ca0662e19d97027ac204d 5300 openjdk-21_21.0.7+6-1.dsc
> 963d08e242ea43318a36d8b950f71a9e3cf2bf84 616792 openjdk-21_21.0.7+6.orig-googletest.tar.xz
> bda3df0e15fe1bb536e0d9dc6412d851a17b2f92 67282264 openjdk-21_21.0.7+6.orig.tar.xz
> f09d2173e8bfec279663ee2d779f04ceecfd4c3e 216352 openjdk-21_21.0.7+6-1.debian.tar.xz
> db65be63452a2e21d03586a762fe8c28598efc93 15587 openjdk-21_21.0.7+6-1_source.buildinfo
> Checksums-Sha256:
> fc7a5365bc46c7a5f76682bf6b28336dc646cabf53f7299cae8b36200fb94754 5300 openjdk-21_21.0.7+6-1.dsc
> db220ce29459378d5fd0d725da4379cac15f0158962e018b862fdb10b460a1ee 616792 openjdk-21_21.0.7+6.orig-googletest.tar.xz
> 2e8d3b80dab4fdcaeb46e21aea5ea85f9e02e2bd585997836edfd396a543b14f 67282264 openjdk-21_21.0.7+6.orig.tar.xz
> 30b2f7a4039aaf3fba56a9cc83c8ad3a83a49306803a9abb6b116893bafab0d7 216352 openjdk-21_21.0.7+6-1.debian.tar.xz
> a08e535ced1b30c62679b7b3f0e59c098c56d2b88e364709a8655f4a943fb9a7 15587 openjdk-21_21.0.7+6-1_source.buildinfo
> Files:
> 692873fd014b7c0fa45fdd540c76ff2c 5300 java optional openjdk-21_21.0.7+6-1.dsc
> de5c55b8e5bce1324d6baa80dc60ef28 616792 java optional openjdk-21_21.0.7+6.orig-googletest.tar.xz
> bbbe3ccc1362edc5a151972305d34047 67282264 java optional openjdk-21_21.0.7+6.orig.tar.xz
> d0c9029a898240ea169cb4d16027a709 216352 java optional openjdk-21_21.0.7+6-1.debian.tar.xz
> 2460f3c868123fdbe448abe77e5b41c4 15587 java optional openjdk-21_21.0.7+6-1_source.buildinfo
--- End Message ---