Bug 58741 - openjdk-17: Multiple issues (5.2)
Summary: openjdk-17: Multiple issues (5.2)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.2
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 5.2-3-errata
Assignee: Quality Assurance
QA Contact: Dirk Wiesenthal
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-10-27 12:07 CET by Quality Assurance
Modified: 2025-10-29 16:43 CET (History)
See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) NVD
Description Quality Assurance univentionstaff 2025-10-27 12:07:45 CET
New Debian openjdk-17 17.0.17+10-1~deb12u1 fixes:
This update addresses the following issues:
* Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2025-53057)
* Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2025-53066)
Comment 1 Quality Assurance univentionstaff 2025-10-27 13:00:07 CET
--- mirror/ftp/pool/main/o/openjdk-17/openjdk-17_17.0.16+8-1~deb12u1.dsc
+++ apt/ucs_5.2-0-errata5.2-3/source/openjdk-17_17.0.17+10-1~deb12u1.dsc
@@ -1,6 +1,34 @@
-17.0.16+8-1~deb12u1 [Sun, 10 Aug 2025 23:44:27 +0200] Moritz Mühlenhoff <jmm@debian.org>:
-
-  * Rebuild for Bookworm
+17.0.17+10-1~deb12u1 [Thu, 23 Oct 2025 12:33:48 +0200] Moritz Mühlenhoff <jmm@debian.org>:
+
+  * Rebuild for bookworm
+
+17.0.17+10-1 [Wed, 22 Oct 2025 08:14:04 +0200] Matthias Klose <doko@ubuntu.com>:
+
+  * OpenJDK 17.0.17 release, build 10.
+    - CVEs:
+      + CVE-2025-53057, 8360937: Enhance certificate handling.
+      + CVE-2025-53066, 8356294: Enhance Path Factories.
+
+  [ Vladimir Petko ]
+  * d/t/jtreg-autopkgtest.*: Force utf-8 encoding.
+
+17.0.17~8ea-1 [Sat, 27 Sep 2025 16:17:54 +0200] Matthias Klose <doko@ubuntu.com>:
+
+  * OpenJDK 17.0.17 early access, build 8.
+
+  [ Vladimir Petko ]
+  * d/t/problems.csv: Synchronize problem list.
+  * d/p/jdk-8369450.patch: Fix ftbfs due to rust-coreutils date. LP: #2127120.
+
+17.0.17~5ea-1 [Fri, 29 Aug 2025 12:15:33 +0200] Matthias Klose <doko@ubuntu.com>:
+
+  * OpenJDK 17.0.17 early access, build 5.
+
+  [ Matthias Klose ]
+  * Build using GCC 15 on development releases.
+
+  [ Vladimir Petko ]
+  * d/rules: Disable jtreg test for riscv on focal.
 
 17.0.16+8-1 [Sat, 19 Jul 2025 12:22:09 +0200] Matthias Klose <doko@ubuntu.com>:
 

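Review bot: The hunk is a changelog-only diff, so the one thing worth checking in it is that the jump from 17.0.16+8-1~deb12u1 to 17.0.17+10-1~deb12u1 actually carries both advisories from the description: the entries `+ CVE-2025-53057, 8360937: Enhance certificate handling.` and `+ CVE-2025-53066, 8356294: Enhance Path Factories.` under 17.0.17+10-1 match the two CVE IDs, and the 7.5 "Max CVSS v3 score" in the header corresponds to the CVE-2025-53066 vector. The other entries in the range (GCC 15 on development releases, jtreg disabled for riscv on focal, the utf-8 autopkgtest fix and the LP: #2127120 build fix) are build and test changes carried along with the upstream packaging, not additional security content, so the errata scope remains the two CVEs. On a system after the update, the installed version should read 17.0.17+10-1~deb12u1; anything still reporting 17.0.16 has not picked up either fix.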
<http://piuparts.knut.univention.de/5.2-3/#9169599985402300260>
Comment 2 Dirk Wiesenthal univentionstaff 2025-10-29 13:55:20 CET
OK: bug
OK: yaml
~OK: piuparts