Bug 34487 - java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk and java-latest-openjdk new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-07-18 15:41 CEST by Nicolas Salguero
Modified: 2025-09-16 18:35 CEST

See Also:
Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk
CVE: CVE-2025-30749, CVE-2025-30754, CVE-2025-50059, CVE-2025-30761, CVE-2025-50106
Status comment:



Description Nicolas Salguero 2025-07-18 15:41:43 CEST
RedHat has issued advisories on July 15 and 17:
https://access.redhat.com/errata/RHSA-2025:10862 (java-1.8.0-openjdk)
https://access.redhat.com/errata/RHSA-2025:10867 (java-17-openjdk)
https://access.redhat.com/errata/RHSA-2025:10874 (java-21-openjdk)

The advisory for java-11-openjdk will come.

Corresponding Oracle CPU:
https://www.oracle.com/security-alerts/cpujul2025.html#AppendixJAVA
Nicolas Salguero 2025-07-18 15:44:05 CEST

Source RPM: (none) => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk
CVE: (none) => CVE-2025-30749, CVE-2025-30754, CVE-2025-50059, CVE-2025-30761, CVE-2025-50106
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2025-07-19 21:35:37 CEST
The RedHat URLs indicate that the following are fixed:
Security Fix(es):
    JDK: Better Glyph drawing (CVE-2025-30749)
    JDK: Enhance TLS protocol support (CVE-2025-30754)
    JDK: Improve scripting supports (CVE-2025-30761)
    JDK: Better Glyph drawing redux (CVE-2025-50106)
but I find no clue for the fixes other than updating RH systems. Their documentation on the subject is *very* recent.

BTAIM hoping they can do better, assigning to the Java stack maintainers.

Assignee: bugsquad => java

Comment 2 Nicolas Salguero 2025-08-29 09:32:08 CEST
RedHat has issued an advisory on July 21:
https://access.redhat.com/errata/RHSA-2025:10865 (java-11-openjdk)
Comment 3 Nicolas Salguero 2025-09-02 13:59:16 CEST
For Mageia 9:

java-1.8.0-openjdk-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-demo-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-demo-fastdebug-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-demo-slowdebug-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-devel-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-devel-fastdebug-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-devel-slowdebug-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-fastdebug-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-headless-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-headless-fastdebug-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-headless-slowdebug-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-javadoc-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-javadoc-zip-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-openjfx-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-openjfx-devel-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-slowdebug-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-src-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-src-fastdebug-1.8.0.462.b08-1.mga9
java-1.8.0-openjdk-src-slowdebug-1.8.0.462.b08-1.mga9

java-11-openjdk-11.0.28.0.6-1.mga9
java-11-openjdk-demo-11.0.28.0.6-1.mga9
java-11-openjdk-demo-fastdebug-11.0.28.0.6-1.mga9
java-11-openjdk-demo-slowdebug-11.0.28.0.6-1.mga9
java-11-openjdk-devel-11.0.28.0.6-1.mga9
java-11-openjdk-devel-fastdebug-11.0.28.0.6-1.mga9
java-11-openjdk-devel-slowdebug-11.0.28.0.6-1.mga9
java-11-openjdk-fastdebug-11.0.28.0.6-1.mga9
java-11-openjdk-headless-11.0.28.0.6-1.mga9
java-11-openjdk-headless-fastdebug-11.0.28.0.6-1.mga9
java-11-openjdk-headless-slowdebug-11.0.28.0.6-1.mga9
java-11-openjdk-javadoc-11.0.28.0.6-1.mga9
java-11-openjdk-javadoc-zip-11.0.28.0.6-1.mga9
java-11-openjdk-jmods-11.0.28.0.6-1.mga9
java-11-openjdk-jmods-fastdebug-11.0.28.0.6-1.mga9
java-11-openjdk-jmods-slowdebug-11.0.28.0.6-1.mga9
java-11-openjdk-slowdebug-11.0.28.0.6-1.mga9
java-11-openjdk-src-11.0.28.0.6-1.mga9
java-11-openjdk-src-fastdebug-11.0.28.0.6-1.mga9
java-11-openjdk-src-slowdebug-11.0.28.0.6-1.mga9
java-11-openjdk-static-libs-11.0.28.0.6-1.mga9
java-11-openjdk-static-libs-fastdebug-11.0.28.0.6-1.mga9
java-11-openjdk-static-libs-slowdebug-11.0.28.0.6-1.mga9

java-17-openjdk-17.0.16.0.8-1.mga9
java-17-openjdk-demo-17.0.16.0.8-1.mga9
java-17-openjdk-demo-fastdebug-17.0.16.0.8-1.mga9
java-17-openjdk-demo-slowdebug-17.0.16.0.8-1.mga9
java-17-openjdk-devel-17.0.16.0.8-1.mga9
java-17-openjdk-devel-fastdebug-17.0.16.0.8-1.mga9
java-17-openjdk-devel-slowdebug-17.0.16.0.8-1.mga9
java-17-openjdk-fastdebug-17.0.16.0.8-1.mga9
java-17-openjdk-headless-17.0.16.0.8-1.mga9
java-17-openjdk-headless-fastdebug-17.0.16.0.8-1.mga9
java-17-openjdk-headless-slowdebug-17.0.16.0.8-1.mga9
java-17-openjdk-javadoc-17.0.16.0.8-1.mga9
java-17-openjdk-javadoc-zip-17.0.16.0.8-1.mga9
java-17-openjdk-jmods-17.0.16.0.8-1.mga9
java-17-openjdk-jmods-fastdebug-17.0.16.0.8-1.mga9
java-17-openjdk-jmods-slowdebug-17.0.16.0.8-1.mga9
java-17-openjdk-slowdebug-17.0.16.0.8-1.mga9
java-17-openjdk-src-17.0.16.0.8-1.mga9
java-17-openjdk-src-fastdebug-17.0.16.0.8-1.mga9
java-17-openjdk-src-slowdebug-17.0.16.0.8-1.mga9
java-17-openjdk-static-libs-17.0.16.0.8-1.mga9
java-17-openjdk-static-libs-fastdebug-17.0.16.0.8-1.mga9
java-17-openjdk-static-libs-slowdebug-17.0.16.0.8-1.mga9

java-latest-openjdk-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-demo-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-demo-fastdebug-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-demo-slowdebug-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-devel-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-devel-fastdebug-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-devel-slowdebug-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-fastdebug-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-headless-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-headless-fastdebug-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-headless-slowdebug-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-javadoc-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-javadoc-zip-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-jmods-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-jmods-fastdebug-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-jmods-slowdebug-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-slowdebug-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-src-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-src-fastdebug-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-src-slowdebug-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-static-libs-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-static-libs-fastdebug-24.0.2.0.12-1.rolling.1.mga9
java-latest-openjdk-static-libs-slowdebug-24.0.2.0.12-1.rolling.1.mga9

from SRPMS:
java-1.8.0-openjdk-1.8.0.462.b08-1.mga9.src.rpm
java-11-openjdk-11.0.28.0.6-1.mga9.src.rpm
java-17-openjdk-17.0.16.0.8-1.mga9.src.rpm
java-latest-openjdk-24.0.2.0.12-1.rolling.1.mga9.src.rpm
Comment 4 Nicolas Salguero 2025-09-05 14:04:00 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Better Glyph drawing. (CVE-2025-30749)

Enhance TLS protocol support. (CVE-2025-30754)

Improve scripting supports. (CVE-2025-30761)

Improve HTTP client header handling. (CVE-2025-50059)

Better Glyph drawing redux. (CVE-2025-50106)

References:
https://www.oracle.com/security-alerts/cpujul2025.html#AppendixJAVA
https://access.redhat.com/errata/RHSA-2025:10862
https://access.redhat.com/errata/RHSA-2025:10865
https://access.redhat.com/errata/RHSA-2025:10867

Assignee: java => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Nicolas Salguero 2025-09-05 14:04:06 CEST

Status: NEW => ASSIGNED

Comment 5 Morgan Leijström 2025-09-05 22:30:12 CEST
mga9 -64 OK partial test java-1.8.0:
My java based invoice program FriBok still works, incl printing.

Notes to self for next time:
__How to start from CLI:
cd "/home/morgan/Tribun/Eko/FriBok" ; _JAVA_OPTIONS="-Dawt.useSystemAAFontSettings=on" /usr/lib/jvm/java-1.8.0-openjdk-1.8.0*/jre/bin/java -jar *.jar

Which in CLI now returns amongst other output:
...
Title     : Fribok
Version   : 2.1-SNAPSHOT-$Rev: 218 $
Build     : 2018-04-10T16:13:11Z
Directory : /home/morgan/Tribun/Eko/FriBok

Operating system: Linux
Architecture    : amd64
Java version    : 1.8.0_462
...

CC: (none) => fri

Comment 6 katnatek 2025-09-06 03:31:02 CEST
RH i586

installing java-17-openjdk-headless-17.0.16.0.8-1.mga9.i586.rpm java-17-openjdk-17.0.16.0.8-1.mga9.i586.rpm from //home/katnatek/qa-testing/i586
Preparing...                     #######################################################################################
      1/2: java-17-openjdk-headless
                                 ######################################################################################warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.i386/conf/net.properties created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.i386/conf/net.properties.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.i386/conf/security/java.policy created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.i386/conf/security/java.policy.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.i386/conf/security/java.security created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.i386/conf/security/java.security.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.i386/lib/security/default.policy created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.i386/lib/security/default.policy.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.i386/lib/security/public_suffix_list.dat created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.i386/lib/security/public_suffix_list.dat.rpmnew
#
      2/2: java-17-openjdk       #######################################################################################
      1/2: removing java-17-openjdk-1:17.0.15.0.6-1.mga9.i586
                                 #######################################################################################
      2/2: removing java-17-openjdk-headless-1:17.0.15.0.6-1.mga9.i586
                                 ###############################################################################warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.i386/lib/security/public_suffix_list.dat saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.i386/lib/security/public_suffix_list.dat.rpmsave
##warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.i386/lib/security/default.policy saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.i386/lib/security/default.policy.rpmsave
###warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.i386/conf/security/java.security saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.i386/conf/security/java.security.rpmsave
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.i386/conf/security/java.policy saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.i386/conf/security/java.policy.rpmsave
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.i386/conf/net.properties saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.i386/conf/net.properties.rpmsave
###

jdownloader start, update and restart after the update without issues
katnatek 2025-09-06 03:55:55 CEST

Keywords: (none) => advisory

Comment 7 Herman Viaene 2025-09-08 11:17:49 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bugs 34206 and 33648
Installed all versions in one go, then run my LO Base application on Mageia's (defective) latest version and get the same results: crashes with 1.8.0 and 11, expected behavior OK with 17 and 24.
Also run Biogenesis. Not sure what it exactly represents, but items (organisms) on the screen move and grow, so this should also be OK.
AFAICS, this is good enough to go.

CC: (none) => herman.viaene

Comment 8 katnatek 2025-09-12 19:36:05 CEST
Morgan tested 1.8.0, I tested java 17 & Herman tested all the versions with consistent results

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 9 Thomas Andrews 2025-09-13 02:08:23 CEST
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 10 katnatek 2025-09-16 04:01:01 CEST
ping

CC: (none) => dan

Comment 11 katnatek 2025-09-16 04:49:43 CEST
RH x86_64

installing java-17-openjdk-headless-17.0.16.0.8-1.mga9.x86_64.rpm java-17-openjdk-17.0.16.0.8-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: java-17-openjdk-headless
                                 #################################################################################################warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.x86_64/conf/net.properties created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.x86_64/conf/net.properties.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.x86_64/conf/security/java.policy created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.x86_64/conf/security/java.policy.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.x86_64/conf/security/java.security created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.x86_64/conf/security/java.security.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.x86_64/lib/security/default.policy created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.x86_64/lib/security/default.policy.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.x86_64/lib/security/public_suffix_list.dat created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.x86_64/lib/security/public_suffix_list.dat.rpmnew
#
      2/2: java-17-openjdk       ##################################################################################################
      1/2: removing java-17-openjdk-1:17.0.15.0.6-1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing java-17-openjdk-headless-1:17.0.15.0.6-1.mga9.x86_64
                                 ########################################################################################warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.x86_64/lib/security/public_suffix_list.dat saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.x86_64/lib/security/public_suffix_list.dat.rpmsave
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.x86_64/lib/security/default.policy saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.x86_64/lib/security/default.policy.rpmsave
####warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.x86_64/conf/security/java.security saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.x86_64/conf/security/java.security.rpmsave
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.x86_64/conf/security/java.policy saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.x86_64/conf/security/java.policy.rpmsave
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.x86_64/conf/net.properties saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.x86_64/conf/net.properties.rpmsave

jdownloader start, update and restart without issues
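
Added example, not part of the bug report or of Mageia's tooling: the rpm output in comments 6 and 11 leaves `java.security`, `java.policy` and `default.policy` behind as `.rpmnew` and `.rpmsave` copies, so this Python helper pairs each saved copy from the old release directory with the packaged default in the new one, ready for diffing. The sample log is rebuilt from lines in comment 6; the function names and the assumed path layout `/etc/java/<family>/<release>/...` are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample rebuilt from comment 6 (i586); the '#' runs are progress-bar
# residue that rpm printed on the same line as the warning.
OLD = "/etc/java/java-17-openjdk/java-17-openjdk-17.0.15.0.6-1.mga9.i386"
NEW = "/etc/java/java-17-openjdk/java-17-openjdk-17.0.16.0.8-1.mga9.i386"
SAMPLE_LOG = f"""\
      1/2: java-17-openjdk-headless
######warning: {NEW}/conf/net.properties created as {NEW}/conf/net.properties.rpmnew
warning: {NEW}/conf/security/java.security created as {NEW}/conf/security/java.security.rpmnew
###warning: {OLD}/conf/security/java.security saved as {OLD}/conf/security/java.security.rpmsave
warning: {OLD}/conf/security/java.policy saved as {OLD}/conf/security/java.policy.rpmsave
"""

# search() semantics, so a warning fused onto a progress bar still matches.
WARNING = re.compile(r"warning: (\S+) (?:created|saved) as (\S+\.rpm(new|save))")
# Assumed layout: /etc/java/<family>/<release directory>/<relative path>
CONF = re.compile(r"^/etc/java/([^/]+)/[^/]+/(.+)$")


def leftover_copies(log):
    """Map (package family, relative path) -> {'rpmnew': path, 'rpmsave': path}."""
    found = defaultdict(dict)
    for m in WARNING.finditer(log):
        original, copy, kind = m.groups()
        loc = CONF.match(original)
        if loc:  # the release directory is dropped so old and new line up
            found[(loc[1], loc[2])]["rpm" + kind] = copy
    return dict(found)


def security_files_to_review(log):
    """Security config files with leftovers, as (relative path, rpmsave, rpmnew)."""
    rows = []
    for (_family, rel), copies in leftover_copies(log).items():
        if "security" in rel.split("/"):
            rows.append((rel, copies.get("rpmsave"), copies.get("rpmnew")))
    return sorted(rows, key=lambda row: row[0])


if __name__ == "__main__":
    for rel, saved, new in security_files_to_review(SAMPLE_LOG):
        if saved and new:
            print(f"diff -u {saved} {new}")
        else:
            print(f"review by hand: {saved or new}")
```

A difference between the `.rpmsave` and `.rpmnew` copy of `java.security` means local settings from the previous release were not carried over automatically and need a manual merge.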
Comment 12 Mageia Robot 2025-09-16 18:35:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0233.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

