Bug 33954 - java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk and java-latest-openjdk new security issue
Summary: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk and jav...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-32-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-01-23 09:56 CET by Nicolas Salguero
Modified: 2025-02-07 20:46 CET
CC List: 6 users

See Also:
Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk
CVE: CVE-2025-21502
Status comment:


Attachments

Description Nicolas Salguero 2025-01-23 09:56:54 CET
RedHat has issued advisories on January 22:
https://access.redhat.com/errata/RHBA-2025:0418 (java-1.8.0-openjdk)
https://access.redhat.com/errata/RHSA-2025:0429 (java-11-openjdk)
https://access.redhat.com/errata/RHSA-2025:0422 (java-17-openjdk)
https://access.redhat.com/errata/RHSA-2025:0426 (java-21-openjdk)

Corresponding Oracle CPU:
https://www.oracle.com/security-alerts/cpujan2025.html#AppendixJAVA
Nicolas Salguero 2025-01-23 09:58:05 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, java-latest-openjdk
Summary: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk and java-latest-openjdk new security issues => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk and java-latest-openjdk new security issue
CVE: (none) => CVE-2025-21502

Comment 1 Lewis Smith 2025-01-26 19:36:14 CET
I cannot find anything like a patch or link to one in all the URLs above.

https://nvd.nist.gov/vuln/detail/CVE-2025-21502 says:
"This vulnerability is currently awaiting analysis"
https://www.cve.org/CVERecord?id=CVE-2025-21502
does not really add anything.

This may be a 'wait' situation.

Assignee: bugsquad => java

Morgan Leijström 2025-01-26 19:42:59 CET

CC: (none) => fri

Comment 2 Morgan Leijström 2025-01-30 22:37:52 CET
mga9-64 Tested java 1.8 OK
Runs my invoicing/bookkeeping program FriBok
Comment 3 Nicolas Salguero 2025-01-31 09:02:04 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to Oracle Java SE accessible. This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. (CVE-2025-21502)

References:
https://access.redhat.com/errata/RHBA-2025:0418
https://access.redhat.com/errata/RHSA-2025:0429
https://access.redhat.com/errata/RHSA-2025:0422
https://www.oracle.com/security-alerts/cpujan2025.html#AppendixJAVA
========================

Updated packages in core/updates_testing:
========================
java-17-openjdk-17.0.14.0.7-1.mga9
java-17-openjdk-demo-17.0.14.0.7-1.mga9
java-17-openjdk-demo-fastdebug-17.0.14.0.7-1.mga9
java-17-openjdk-demo-slowdebug-17.0.14.0.7-1.mga9
java-17-openjdk-devel-17.0.14.0.7-1.mga9
java-17-openjdk-devel-fastdebug-17.0.14.0.7-1.mga9
java-17-openjdk-devel-slowdebug-17.0.14.0.7-1.mga9
java-17-openjdk-fastdebug-17.0.14.0.7-1.mga9
java-17-openjdk-headless-17.0.14.0.7-1.mga9
java-17-openjdk-headless-fastdebug-17.0.14.0.7-1.mga9
java-17-openjdk-headless-slowdebug-17.0.14.0.7-1.mga9
java-17-openjdk-javadoc-17.0.14.0.7-1.mga9
java-17-openjdk-javadoc-zip-17.0.14.0.7-1.mga9
java-17-openjdk-jmods-17.0.14.0.7-1.mga9
java-17-openjdk-jmods-fastdebug-17.0.14.0.7-1.mga9
java-17-openjdk-jmods-slowdebug-17.0.14.0.7-1.mga9
java-17-openjdk-slowdebug-17.0.14.0.7-1.mga9
java-17-openjdk-src-17.0.14.0.7-1.mga9
java-17-openjdk-src-fastdebug-17.0.14.0.7-1.mga9
java-17-openjdk-src-slowdebug-17.0.14.0.7-1.mga9
java-17-openjdk-static-libs-17.0.14.0.7-1.mga9
java-17-openjdk-static-libs-fastdebug-17.0.14.0.7-1.mga9
java-17-openjdk-static-libs-slowdebug-17.0.14.0.7-1.mga9

java-11-openjdk-11.0.26.0.4-1.mga9
java-11-openjdk-demo-11.0.26.0.4-1.mga9
java-11-openjdk-demo-fastdebug-11.0.26.0.4-1.mga9
java-11-openjdk-demo-slowdebug-11.0.26.0.4-1.mga9
java-11-openjdk-devel-11.0.26.0.4-1.mga9
java-11-openjdk-devel-fastdebug-11.0.26.0.4-1.mga9
java-11-openjdk-devel-slowdebug-11.0.26.0.4-1.mga9
java-11-openjdk-fastdebug-11.0.26.0.4-1.mga9
java-11-openjdk-headless-11.0.26.0.4-1.mga9
java-11-openjdk-headless-fastdebug-11.0.26.0.4-1.mga9
java-11-openjdk-headless-slowdebug-11.0.26.0.4-1.mga9
java-11-openjdk-javadoc-11.0.26.0.4-1.mga9
java-11-openjdk-javadoc-zip-11.0.26.0.4-1.mga9
java-11-openjdk-jmods-11.0.26.0.4-1.mga9
java-11-openjdk-jmods-fastdebug-11.0.26.0.4-1.mga9
java-11-openjdk-jmods-slowdebug-11.0.26.0.4-1.mga9
java-11-openjdk-slowdebug-11.0.26.0.4-1.mga9
java-11-openjdk-src-11.0.26.0.4-1.mga9
java-11-openjdk-src-fastdebug-11.0.26.0.4-1.mga9
java-11-openjdk-src-slowdebug-11.0.26.0.4-1.mga9
java-11-openjdk-static-libs-11.0.26.0.4-1.mga9
java-11-openjdk-static-libs-fastdebug-11.0.26.0.4-1.mga9
java-11-openjdk-static-libs-slowdebug-11.0.26.0.4-1.mga9

java-1.8.0-openjdk-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-demo-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-demo-fastdebug-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-demo-slowdebug-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-devel-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-devel-fastdebug-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-devel-slowdebug-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-fastdebug-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-headless-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-headless-fastdebug-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-headless-slowdebug-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-javadoc-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-javadoc-zip-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-openjfx-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-openjfx-devel-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-slowdebug-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-src-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-src-fastdebug-1.8.0.442.b06-1.mga9
java-1.8.0-openjdk-src-slowdebug-1.8.0.442.b06-1.mga9

java-latest-openjdk-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-demo-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-demo-fastdebug-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-demo-slowdebug-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-devel-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-devel-fastdebug-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-devel-slowdebug-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-fastdebug-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-headless-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-headless-fastdebug-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-headless-slowdebug-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-javadoc-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-javadoc-zip-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-jmods-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-jmods-fastdebug-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-jmods-slowdebug-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-slowdebug-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-src-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-src-fastdebug-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-src-slowdebug-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-static-libs-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-static-libs-fastdebug-23.0.2.0.7-1.rolling.1.mga9
java-latest-openjdk-static-libs-slowdebug-23.0.2.0.7-1.rolling.1.mga9

from SRPMS:
java-17-openjdk-17.0.14.0.7-1.mga9.src.rpm
java-11-openjdk-11.0.26.0.4-1.mga9.src.rpm
java-1.8.0-openjdk-1.8.0.442.b06-1.mga9.src.rpm
java-latest-openjdk-23.0.2.0.7-1.rolling.1.mga9.src.rpm

Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, java-latest-openjdk => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk
Version: Cauldron => 9
Status: NEW => ASSIGNED
Assignee: java => qa-bugs
Whiteboard: MGA9TOO => (none)

Comment 4 Herman Viaene 2025-01-31 14:51:45 CET
MGA9-64 Plasma Wayland on Compaq H000SB.
Omitted debug and src packages in installation, no issues.
As in bug 33648 tested all versions one by one, running my LO Base application on Mageia's (defective) latest version and get the same results: crashes with 1.8.0 and 11, expected behavior OK with 17 and 23.

CC: (none) => herman.viaene

katnatek 2025-01-31 17:25:35 CET

Keywords: (none) => advisory

Comment 5 katnatek 2025-02-02 20:11:41 CET
RH x86_64

installing java-17-openjdk-17.0.14.0.7-1.mga9.x86_64.rpm java-17-openjdk-headless-17.0.14.0.7-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: java-17-openjdk-headless
                                 #############################################################################################warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.14.0.7-1.mga9.x86_64/conf/net.properties created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.14.0.7-1.mga9.x86_64/conf/net.properties.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.14.0.7-1.mga9.x86_64/conf/security/java.policy created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.14.0.7-1.mga9.x86_64/conf/security/java.policy.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.14.0.7-1.mga9.x86_64/conf/security/java.security created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.14.0.7-1.mga9.x86_64/conf/security/java.security.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.14.0.7-1.mga9.x86_64/lib/security/default.policy created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.14.0.7-1.mga9.x86_64/lib/security/default.policy.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.14.0.7-1.mga9.x86_64/lib/security/public_suffix_list.dat created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.14.0.7-1.mga9.x86_64/lib/security/public_suffix_list.dat.rpmnew
#
      2/2: java-17-openjdk       ##################################################################################################
      1/2: removing java-17-openjdk-1:17.0.13.0.11-1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing java-17-openjdk-headless-1:17.0.13.0.11-1.mga9.x86_64
                                 ########################################################################################warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/lib/security/public_suffix_list.dat saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/lib/security/public_suffix_list.dat.rpmsave
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/lib/security/default.policy saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/lib/security/default.policy.rpmsave
######warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/conf/security/java.security saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/conf/security/java.security.rpmsave
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/conf/security/java.policy saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/conf/security/java.policy.rpmsave
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/conf/net.properties saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/conf/net.properties.rpmsave
####

JDownloader: start, apply updates and restart the application, all without issues.
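The rpm output in Comment 5 shows the upgrade leaving net.properties, java.policy, java.security, default.policy and public_suffix_list.dat behind as .rpmnew files (and the removal of the old package saving the previous copies as .rpmsave). That means the copies already on disk stayed in place, so any changed defaults the updated JDK ships in those files are not in effect until someone merges them. The following POSIX shell script is an added example, not part of the bug report or of Mageia's tooling: it lists .rpmnew files under a directory and reports whether each one differs from the file it shadows. It runs against a temporary tree it builds itself; the shortened directory layout and the jdk.tls.disabledAlgorithms values in it are constructed sample data, not Mageia's actual file contents.

```shell
#!/bin/sh
# Added example, not from the bug report: audit .rpmnew files left by an rpm
# upgrade. Everything below works on a constructed temporary tree; nothing
# under /etc is read or modified unless you point find_rpmnew there yourself.

# find_rpmnew DIR: for every *.rpmnew under DIR print one line of the form
#   <installed-file> <rpmnew-file> differs|identical|missing
# "missing" means there is no installed file next to the .rpmnew at all.
find_rpmnew() {
    find "$1" -name '*.rpmnew' -print | while IFS= read -r new; do
        cur=${new%.rpmnew}
        if [ ! -f "$cur" ]; then
            echo "$cur $new missing"
        elif cmp -s "$cur" "$new"; then
            echo "$cur $new identical"
        else
            echo "$cur $new differs"
        fi
    done
}

# count_differing DIR: how many .rpmnew files still need a manual merge,
# i.e. every line from find_rpmnew that is not "identical".
count_differing() {
    find_rpmnew "$1" | grep -c -v ' identical$'
}

# make_sample_tree: build a constructed tree loosely mirroring the
# conf/security layout seen in the rpm output, print its root directory.
# The property values are made up for the example.
make_sample_tree() {
    root=$(mktemp -d)
    conf="$root/etc/java/java-17-openjdk/conf/security"
    mkdir -p "$conf"
    # locally kept java.security vs. the version the update shipped
    printf 'jdk.tls.disabledAlgorithms=SSLv3, TLSv1\n' > "$conf/java.security"
    printf 'jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1\n' > "$conf/java.security.rpmnew"
    # java.policy unchanged by the update: .rpmnew identical to the installed file
    printf 'grant {\n};\n' > "$conf/java.policy"
    cp "$conf/java.policy" "$conf/java.policy.rpmnew"
    echo "$root"
}

# Stand-alone run: report on the sample tree, then clean it up.
if [ "${RPMNEW_DEMO:-1}" = 1 ]; then
    demo_root=$(make_sample_tree)
    find_rpmnew "$demo_root"
    echo "files needing a merge: $(count_differing "$demo_root")"
    rm -rf "$demo_root"
fi
```

On a real host, `find_rpmnew /etc/java` gives the list; for each line marked "differs", `diff` the two files and fold the new settings into the installed copy (or replace it if it was never customised), then delete the .rpmnew so the next upgrade starts clean. The same check works for the .rpmsave files the old package left behind, with the suffix swapped.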
Comment 6 Thomas Andrews 2025-02-05 17:38:29 CET
Apparently, the only package on this long list that I needed on my production machine is java-17-openjdk-headless, and that for Libreoffice. Herman has already covered that one, so I went looking for something else to use for a test. I came up with two games/simulations/educational tools, Biogenesis and Micropolisj.

Micropolisj is a simulation game, based on Sim City, where you build "cities" on a map. Biogenesis "simulates in a visual fashion the processes involved in the evolution of unicellular organisms at nature."

I installed both, which drew in java-17-openjdk-17.0.14.0.7-1.mga9, and ran each with no apparent issues. I'm apparently a better farmer than city builder, so I didn't do too well at Micropolisj, but that's my fault. Biogenesis was easier, as all I did there was start a culture and watch it "work." But neither crashed, so it looks like it's OK.

CC: (none) => andrewsfarm

PC LX 2025-02-07 00:14:16 CET

CC: (none) => mageia

Comment 7 Thomas Andrews 2025-02-07 18:14:51 CET
MGA9-32 Xfce on Foolishness, my Dell Inspiron 5100, P4, Radeon RV200 graphics.

Updated java-17-openjdk and java-17-openjdk-headless with no issues. Used LibreOffice to read some old doc, xls, odt, and ods files, and did some minor editing - which I didn't save. No issues noted.
Comment 8 Thomas Andrews 2025-02-07 18:15:41 CET
I think this is good to go. Validating.

Whiteboard: (none) => MGA9-32-OK MGA9-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 9 Dan Fandrich 2025-02-07 19:08:51 CET
The advisory file is missing the packages.

CC: (none) => dan

Comment 10 katnatek 2025-02-07 19:25:44 CET
Fixed
Comment 11 Mageia Robot 2025-02-07 20:46:45 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0042.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
