Your message dated Thu, 24 Apr 2025 07:47:00 +0200
with message-id <aanqvdsrbuf0n...@eldamar.lan>
and subject line Re: Accepted openjdk-11 11.0.27+6-1 (source) into unstable
has caused the Debian Bug report #1103899,
regarding openjdk-11: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1103899: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103899
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjdk-21
Version: 21.0.7~8ea-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: clone -1 -2 -3 -4
Control: reassign -2 src:openjdk-17 17.0.15~5ea-1
Control: retitle -2 openjdk-17: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
Control: reassign -3 src:openjdk-11 11.0.27~4ea-1
Control: retitle -3 openjdk-11: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
Control: reassign -4 src:openjdk-8 8u442-ga-2
Control: retitle -4 openjdk-8: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587

Hi,

The following vulnerabilities were published for OpenJDK.

CVE-2025-30698[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| 2D).  Supported versions that are affected are Oracle Java SE:
| 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for
| JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17
| and 21.3.13. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition.  Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data as well as unauthorized read access to a
| subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data and unauthorized ability to cause
| a partial denial of service (partial DOS) of Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This
| vulnerability applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability does not apply to Java deployments, typically in
| servers, that load and run only trusted code (e.g., code installed
| by an administrator). CVSS 3.1 Base Score 5.6 (Confidentiality,
| Integrity and Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).


CVE-2025-30691[1]:
| Vulnerability in Oracle Java SE (component: Compiler).  Supported
| versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle
| GraalVM for JDK: 21.0.6 and 24. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE.  Successful attacks of this
| vulnerability can result in unauthorized update, insert or delete
| access to some of Oracle Java SE accessible data as well as
| unauthorized read access to a subset of Oracle Java SE accessible
| data. Note: This vulnerability can be exploited by using APIs in the
| specified Component, e.g., through a web service which supplies data
| to the APIs. This vulnerability also applies to Java deployments,
| typically in clients running sandboxed Java Web Start applications
| or sandboxed Java applets, that load and run untrusted code (e.g.,
| code that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).


CVE-2025-21587[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JSSE).  Supported versions that are affected are Oracle Java
| SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM
| for JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise
| Edition: 20.3.17 and 21.3.13. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition.  Successful attacks of this
| vulnerability can result in unauthorized creation, deletion or
| modification access to critical data or all Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data
| as well as unauthorized access to critical data or complete access
| to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4
| (Confidentiality and Integrity impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-30698
    https://www.cve.org/CVERecord?id=CVE-2025-30698
[1] https://security-tracker.debian.org/tracker/CVE-2025-30691
    https://www.cve.org/CVERecord?id=CVE-2025-30691
[2] https://security-tracker.debian.org/tracker/CVE-2025-21587
    https://www.cve.org/CVERecord?id=CVE-2025-21587

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openjdk-11
Source-Version: 11.0.27+6-1

On Thu, Apr 24, 2025 at 01:56:35AM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Thu, 24 Apr 2025 02:53:57 +0200
> Source: openjdk-11
> Architecture: source
> Version: 11.0.27+6-1
> Distribution: unstable
> Urgency: high
> Maintainer: OpenJDK Team <openjdk...@packages.debian.org>
> Changed-By: Matthias Klose <d...@ubuntu.com>
> Changes:
>  openjdk-11 (11.0.27+6-1) unstable; urgency=high
>  .
>    * OpenJDK 11.0.27 release, build 6.
>      - Addresses CVE-2025-30698, CVE-2025-30691, CVE-2025-21587.
>  .
>    [ Vladimir Petko ]
>    * d/t/problems.csv: Disable tests failing due to upstream bugs.
>  .
>    [ Matthias Klose ]
>    * Honour DEB_BUILD_OPTIONS=parallel=N while running jtreg tests (Helmut
>      Grohne). Addresses: #1095920.

--- End Message ---
