Source: openjdk-21
Version: 21.0.7~8ea-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2 -3 -4
Control: reassign -2 src:openjdk-17 17.0.15~5ea-1
Control: retitle -2 openjdk-17: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587 Control: reassign -3 src:openjdk-11 11.0.27~4ea-1
Control: retitle -3 openjdk-11: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587 Control: reassign -4 src:openjdk-8 8u442-ga-2
Control: retitle -4 openjdk-8: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587

Hi,

The following vulnerabilities were published for OpenJDK.

CVE-2025-30698[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| 2D). Supported versions that are affected are Oracle Java SE:
| 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for
| JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17
| and 21.3.13. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data as well as unauthorized read access to a
| subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data and unauthorized ability to cause
| a partial denial of service (partial DOS) of Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This
| vulnerability applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability does not apply to Java deployments, typically in
| servers, that load and run only trusted code (e.g., code installed
| by an administrator). CVSS 3.1 Base Score 5.6 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).


CVE-2025-30691[1]:
| Vulnerability in Oracle Java SE (component: Compiler). Supported
| versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle
| GraalVM for JDK: 21.0.6 and 24. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE. Successful attacks of this
| vulnerability can result in unauthorized update, insert or delete
| access to some of Oracle Java SE accessible data as well as
| unauthorized read access to a subset of Oracle Java SE accessible
| data. Note: This vulnerability can be exploited by using APIs in the
| specified Component, e.g., through a web service which supplies data
| to the APIs. This vulnerability also applies to Java deployments,
| typically in clients running sandboxed Java Web Start applications
| or sandboxed Java applets, that load and run untrusted code (e.g.,
| code that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).


CVE-2025-21587[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JSSE). Supported versions that are affected are Oracle Java
| SE:8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM
| for JDK:17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise
| Edition:20.3.17 and 21.3.13. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition. Successful attacks of this
| vulnerability can result in unauthorized creation, deletion or
| modification access to critical data or all Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data
| as well as unauthorized access to critical data or complete access
| to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-30698
https://www.cve.org/CVERecord?id=CVE-2025-30698
[1] https://security-tracker.debian.org/tracker/CVE-2025-30691
https://www.cve.org/CVERecord?id=CVE-2025-30691
[2] https://security-tracker.debian.org/tracker/CVE-2025-21587
https://www.cve.org/CVERecord?id=CVE-2025-21587

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)