Your message dated Thu, 24 Apr 2025 07:44:58 +0200
with message-id <aanp2qinbs23t...@eldamar.lan>
and subject line Re: Accepted openjdk-17 17.0.15+6-1 (source) into unstable
has caused the Debian Bug report #1103898,
regarding openjdk-17: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1103898: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103898
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjdk-21
Version: 21.0.7~8ea-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: clone -1 -2 -3 -4
Control: reassign -2 src:openjdk-17 17.0.15~5ea-1
Control: retitle -2 openjdk-17: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
Control: reassign -3 src:openjdk-11 11.0.27~4ea-1
Control: retitle -3 openjdk-11: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
Control: reassign -4 src:openjdk-8 8u442-ga-2
Control: retitle -4 openjdk-8: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587

Hi,

The following vulnerabilities were published for OpenJDK.

CVE-2025-30698[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| 2D).  Supported versions that are affected are Oracle Java SE:
| 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for
| JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17
| and  21.3.13. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition.  Successful attacks of this vulnerability can
| result in  unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data as well as  unauthorized read access to a
| subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data and unauthorized ability to cause
| a partial denial of service (partial DOS) of Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This
| vulnerability applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability does not apply to Java deployments, typically in
| servers, that load and run only trusted code (e.g., code installed
| by an administrator). CVSS 3.1 Base Score 5.6 (Confidentiality,
| Integrity and Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).


CVE-2025-30691[1]:
| Vulnerability in Oracle Java SE (component: Compiler).  Supported
| versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle
| GraalVM for JDK: 21.0.6 and  24. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE.  Successful attacks of this
| vulnerability can result in  unauthorized update, insert or delete
| access to some of Oracle Java SE accessible data as well as
| unauthorized read access to a subset of Oracle Java SE accessible
| data. Note: This vulnerability can be exploited by using APIs in the
| specified Component, e.g., through a web service which supplies data
| to the APIs. This vulnerability also applies to Java deployments,
| typically in clients running sandboxed Java Web Start applications
| or sandboxed Java applets, that load and run untrusted code (e.g.,
| code that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).


CVE-2025-21587[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JSSE).  Supported versions that are affected are Oracle Java
| SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM
| for JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise
| Edition: 20.3.17 and  21.3.13. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition.  Successful attacks of this
| vulnerability can result in  unauthorized creation, deletion or
| modification access to critical data or all Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data
| as well as  unauthorized access to critical data or complete access
| to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4
| (Confidentiality and Integrity impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-30698
    https://www.cve.org/CVERecord?id=CVE-2025-30698
[1] https://security-tracker.debian.org/tracker/CVE-2025-30691
    https://www.cve.org/CVERecord?id=CVE-2025-30691
[2] https://security-tracker.debian.org/tracker/CVE-2025-21587
    https://www.cve.org/CVERecord?id=CVE-2025-21587

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openjdk-17
Source-Version: 17.0.15+6-1

On Thu, Apr 24, 2025 at 01:13:43AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Thu, 24 Apr 2025 02:05:43 +0200
> Source: openjdk-17
> Architecture: source
> Version: 17.0.15+6-1
> Distribution: unstable
> Urgency: high
> Maintainer: OpenJDK Team <openjdk...@packages.debian.org>
> Changed-By: Matthias Klose <d...@ubuntu.com>
> Changes:
>  openjdk-17 (17.0.15+6-1) unstable; urgency=high
>  .
>    * OpenJDK 17.0.15 release, build 6.
>      - Addresses CVE-2025-30698, CVE-2025-30691, CVE-2025-21587.
>  .
>    * Honour DEB_BUILD_OPTIONS=parallel=N while running jtreg tests (Helmut
>      Grohne). Addresses: #1095920.
> Checksums-Sha1:
>  43151b7dc390d10ecd80bde224705b2828b56df5 4872 openjdk-17_17.0.15+6-1.dsc
>  963d08e242ea43318a36d8b950f71a9e3cf2bf84 616792 
> openjdk-17_17.0.15+6.orig-googletest.tar.xz
>  54606bf78a82e5e46eb5c15d4b00a4d193209bb3 63619372 
> openjdk-17_17.0.15+6.orig.tar.xz
>  d0ddb01ffb720513da8bac66470c6db3b5c0c520 204336 
> openjdk-17_17.0.15+6-1.debian.tar.xz
>  b5b594b86cf778e97507af368d7fcd870995820f 15592 
> openjdk-17_17.0.15+6-1_source.buildinfo
> Checksums-Sha256:
>  5582719ada74f34dbb3485f3fdfde991c50108df4b371f405555242af98f61a1 4872 
> openjdk-17_17.0.15+6-1.dsc
>  db220ce29459378d5fd0d725da4379cac15f0158962e018b862fdb10b460a1ee 616792 
> openjdk-17_17.0.15+6.orig-googletest.tar.xz
>  10f8c1dfdeeed1b4a96bfc35700554155369d80489a344df6937222eda5ad238 63619372 
> openjdk-17_17.0.15+6.orig.tar.xz
>  ee43d8efb57bb97618867066998bb616aefffc662e66955615dba26e53ad55db 204336 
> openjdk-17_17.0.15+6-1.debian.tar.xz
>  347487f9619c5bd9b8f1ceee37f82040989d64b2a715231048170097d74efcbd 15592 
> openjdk-17_17.0.15+6-1_source.buildinfo
> Files:
>  8d81fd5f53588e7fc2a950a1b4ecc90a 4872 java optional 
> openjdk-17_17.0.15+6-1.dsc
>  de5c55b8e5bce1324d6baa80dc60ef28 616792 java optional 
> openjdk-17_17.0.15+6.orig-googletest.tar.xz
>  ddf061bc6ed94d50d45a8eb15e0637ca 63619372 java optional 
> openjdk-17_17.0.15+6.orig.tar.xz
>  a08890e605d13d793cc93d8de9d47480 204336 java optional 
> openjdk-17_17.0.15+6-1.debian.tar.xz
>  a86da6121e44fc98ea27bb60b548b86e 15592 java optional 
> openjdk-17_17.0.15+6-1_source.buildinfo
> 
> -----BEGIN PGP SIGNATURE-----
> 
> iQJEBAEBCgAuFiEE1WVxuIqLuvFAv2PWvX6qYHePpvUFAmgJifMQHGRva29AdWJ1
> bnR1LmNvbQAKCRC9fqpgd4+m9VoHEACj0Wgq+MizmjRP12aMKyx7ZTrpGJN4aspc
> AWVhmlS/gtTPJ3tRgTHG4Vs0pHnvtmCSytxztOTXnuQmjhnMMAQmGUD2a8Lovdoc
> rAZQi7nWQBQne+JT9cKibKB6pB813mEwixDXIiXNFcDjNamgnl3Wb/EqAwLF4GET
> vmxjbp7fnHGEjZ2YpDR5h9mr1d8snGXANgJrOtVwn8tGPlKCl4+1gfsFxXCnjxi2
> nA3fXwA4GnkHp54s9/5vfL5x+vGVAj8E2uD7BvqKLkmTfhG4VulFMuUuN7DBIT/B
> 1a97AqzLtHW1dJdHi6e0E2Sa3/A/uJxBMPBAwDhqO5xDjx0XOt18yN+Ng9UyJSLh
> o65tIkZCQTVJQV+rlM0kVj0kPLKPOINaq7RS7Pm4zflu8+CrMF7MKF7QdmhU2Vnp
> 3kBYGFHG2eg4GzsU3zEs6iJb2Xb9pwn049lrO9p5YxL5YaPijXRdzk6S0FY3JyV1
> 089mfVvt90j23X6Nugh9wPmoF4tLigFNouOnlZGf08DtgXBwH0oYXa3CHpLSdn7x
> KIVoVEn37Vkz8Kxrmkr7SaDTWXepeIlBkzWpMLgAE8k1gVLPJKgFr7R10ycHrHFH
> Z4RwkduKVsxVmUdJvIhgsFoQKBD/xaTsY/KGBkYvH6pGtPh8u4PGOv7R/NHTZyT6
> zU1xT+vOtw==
> =YWdo
> -----END PGP SIGNATURE-----

--- End Message ---