Your message dated Mon, 12 May 2025 05:45:26 +0200
with message-id <acfu1u223cy_p...@eldamar.lan>
and subject line Re: Accepted openjdk-8 8u452-ga-1 (source) into unstable
has caused the Debian Bug report #1103900,
regarding openjdk-8: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1103900: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103900
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjdk-21
Version: 21.0.7~8ea-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: clone -1 -2 -3 -4
Control: reassign -2 src:openjdk-17 17.0.15~5ea-1
Control: retitle -2 openjdk-17: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
Control: reassign -3 src:openjdk-11 11.0.27~4ea-1
Control: retitle -3 openjdk-11: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
Control: reassign -4 src:openjdk-8 8u442-ga-2
Control: retitle -4 openjdk-8: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
Hi,

The following vulnerabilities were published for OpenJDK.

CVE-2025-30698[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| 2D). Supported versions that are affected are Oracle Java SE:
| 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for
| JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17
| and 21.3.13. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data as well as unauthorized read access to a
| subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data and unauthorized ability to cause
| a partial denial of service (partial DOS) of Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This
| vulnerability applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability does not apply to Java deployments, typically in
| servers, that load and run only trusted code (e.g., code installed
| by an administrator). CVSS 3.1 Base Score 5.6 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

CVE-2025-30691[1]:
| Vulnerability in Oracle Java SE (component: Compiler). Supported
| versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle
| GraalVM for JDK: 21.0.6 and 24. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE. Successful attacks of this
| vulnerability can result in unauthorized update, insert or delete
| access to some of Oracle Java SE accessible data as well as
| unauthorized read access to a subset of Oracle Java SE accessible
| data. Note: This vulnerability can be exploited by using APIs in the
| specified Component, e.g., through a web service which supplies data
| to the APIs. This vulnerability also applies to Java deployments,
| typically in clients running sandboxed Java Web Start applications
| or sandboxed Java applets, that load and run untrusted code (e.g.,
| code that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVE-2025-21587[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JSSE). Supported versions that are affected are Oracle Java
| SE:8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM
| for JDK:17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise
| Edition:20.3.17 and 21.3.13. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition. Successful attacks of this
| vulnerability can result in unauthorized creation, deletion or
| modification access to critical data or all Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data
| as well as unauthorized access to critical data or complete access
| to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-30698
    https://www.cve.org/CVERecord?id=CVE-2025-30698
[1] https://security-tracker.debian.org/tracker/CVE-2025-30691
    https://www.cve.org/CVERecord?id=CVE-2025-30691
[2] https://security-tracker.debian.org/tracker/CVE-2025-21587
    https://www.cve.org/CVERecord?id=CVE-2025-21587

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openjdk-8
Source-Version: 8u452-ga-1
On Mon, May 12, 2025 at 02:37:28AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA384
>
> Format: 1.8
> Date: Sun, 11 May 2025 22:09:45 +0000
> Source: openjdk-8
> Architecture: source
> Version: 8u452-ga-1
> Distribution: unstable
> Urgency: low
> Maintainer: Java Maintenance <pkg-java-maintain...@lists.alioth.debian.org>
> Changed-By: Thorsten Glaser <t...@mirbsd.de>
> Closes: 1095932
> Changes:
> openjdk-8 (8u452-ga-1) unstable; urgency=low
> .
> * Revert previous workaround
> * Use = ipv := for jre_hl_tools gmake variable (Closes: #1095932)
> * Explicitly use R³:no
> * New upstream release
> * CVEs
> - CVE-2025-21587
> - CVE-2025-30691
> - CVE-2025-30698
> * Other changes see
> https://mail.openjdk.org/pipermail/jdk8u-dev/2025-April/019989.html
> * Add Roberto as ELTS fallback for pochu
> * Bump Policy, (should be) no change needed
> Checksums-Sha1:
> 2093aaa836ea30c650f8b0c45ad800f18842598e 4508 openjdk-8_8u452-ga-1.dsc
> d0da3332084a3c9044a10ecb18c45a3233552524 66723094 openjdk-8_8u452-ga.orig.tar.gz
> f78dd9e8f4df069952e7efa605d01a4c07c3b7fc 166588 openjdk-8_8u452-ga-1.debian.tar.xz
> Checksums-Sha256:
> aebf53b9b4b8a98640a706a9ba235fc9a6f0d55049f3ecb8b26689a888a84ce5 4508 openjdk-8_8u452-ga-1.dsc
> becf5f49c2818a31991743ab52ec23f78e2ab18d02cd5362e67382efc90f0252 66723094 openjdk-8_8u452-ga.orig.tar.gz
> d2c11048f323d19f971ffc33746df1da4f572a32bf7fdc8d422a8a46c279dbf9 166588 openjdk-8_8u452-ga-1.debian.tar.xz
> Files:
> 5d74b38015cb75f3b1b367dd21496306 4508 java optional openjdk-8_8u452-ga-1.dsc
> e9d7cd452f66503f5da788ae92a77ef8 66723094 java optional openjdk-8_8u452-ga.orig.tar.gz
> d12aa5e5d041c424d3ec2edab75ae111 166588 java optional openjdk-8_8u452-ga-1.debian.tar.xz
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCQAGBQJoIVm7AAoJEHa1NLLpkAfgkSEQAMt2nGTDRiK19UcrDpCYX8j7
> 7qKt2ZZSGxiYKjwX/JZz4wqEwujJDMD4icXPXRIYrxAB7lpZsn6bXHUcvkij9jWg
> M76tRdrxNb29oiaoCtt/guPvCy4x1vRoSROWETi+OE0drS1gdFB/8dRO6FjfFcq4
> 5vXUFae1Mj4B3VNBK9U7VhTPkMjtT6HnHK4Z1GSZ7e+jTLVsmekBSrSzQm3UMlbr
> nv7Qzhc+edk2PLLcW9iqCSX374f/9mzwAFe+8Akq5qo9yK0zlKLgSWvDZBgiVJIZ
> A02lMaR7eAb0dyWtUo9HDH8YYejANsCbniCesvBxcsXvfCVQEhBw4OxPtyYGIk1e
> klJG2timPXfsAENeAegoTCG6gyuKbktnxoc5w408v9lUdRZhwVHzjO/hpnDK8nyz
> ghgbtdQV4ERIxGC4JoLsegipp6QijlCc0fATx7SRn4NbtTVPfP3jG+p3aUEkztjz
> huI2RCJxM7YI70vSiqawCctJQRHplGW2r2PZ7DW1GwMHFS9anNVe4uLrqTxYoBpx
> 1GeSfce6tdimEvtvTyS81hroOQkKZ6RjDXWgIW1IkyWiPQkOx2KIxFFbf9/szKjj
> MiG1AnL89c61/nGs+Ge5gmlNcKPqh+5iXWPWWIcTcKHwKC2YVCaAwYCUBpTtZK2S
> Rxr/X3Lv4a3e0jBi8qi5
> =8yIA
> -----END PGP SIGNATURE-----
--- End Message ---