Bug 35045 - java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk and java-latest-openjdk new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-01-21 09:38 CET by Nicolas Salguero
Modified: 2026-01-29 20:22 CET

See Also:
Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk
CVE: CVE-2025-64720, CVE-2025-65018, CVE-2026-21925, CVE-2026-21933, CVE-2026-21945
Status comment:
j.alberto.vc: test_passed_mga9_64+



Description Nicolas Salguero 2026-01-21 09:38:26 CET
Oracle CPU:
https://www.oracle.com/security-alerts/cpujan2026.html#AppendixJAVA
Nicolas Salguero 2026-01-21 09:39:36 CET

Source RPM: (none) => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, java-latest-openjdk
Assignee: bugsquad => nicolas.salguero
Flags: (none) => affects_mga9+
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2026-01-21 16:36:41 CET
Partial list:

java-11-openjdk-11.0.30.0.7-1.mga9
java-11-openjdk-demo-11.0.30.0.7-1.mga9
java-11-openjdk-demo-fastdebug-11.0.30.0.7-1.mga9
java-11-openjdk-demo-slowdebug-11.0.30.0.7-1.mga9
java-11-openjdk-devel-11.0.30.0.7-1.mga9
java-11-openjdk-devel-fastdebug-11.0.30.0.7-1.mga9
java-11-openjdk-devel-slowdebug-11.0.30.0.7-1.mga9
java-11-openjdk-fastdebug-11.0.30.0.7-1.mga9
java-11-openjdk-headless-11.0.30.0.7-1.mga9
java-11-openjdk-headless-fastdebug-11.0.30.0.7-1.mga9
java-11-openjdk-headless-slowdebug-11.0.30.0.7-1.mga9
java-11-openjdk-javadoc-11.0.30.0.7-1.mga9
java-11-openjdk-javadoc-zip-11.0.30.0.7-1.mga9
java-11-openjdk-jmods-11.0.30.0.7-1.mga9
java-11-openjdk-jmods-fastdebug-11.0.30.0.7-1.mga9
java-11-openjdk-jmods-slowdebug-11.0.30.0.7-1.mga9
java-11-openjdk-slowdebug-11.0.30.0.7-1.mga9
java-11-openjdk-src-11.0.30.0.7-1.mga9
java-11-openjdk-src-fastdebug-11.0.30.0.7-1.mga9
java-11-openjdk-src-slowdebug-11.0.30.0.7-1.mga9
java-11-openjdk-static-libs-11.0.30.0.7-1.mga9
java-11-openjdk-static-libs-fastdebug-11.0.30.0.7-1.mga9
java-11-openjdk-static-libs-slowdebug-11.0.30.0.7-1.mga9

java-17-openjdk-17.0.18.0.8-1.mga9
java-17-openjdk-demo-17.0.18.0.8-1.mga9
java-17-openjdk-demo-fastdebug-17.0.18.0.8-1.mga9
java-17-openjdk-demo-slowdebug-17.0.18.0.8-1.mga9
java-17-openjdk-devel-17.0.18.0.8-1.mga9
java-17-openjdk-devel-fastdebug-17.0.18.0.8-1.mga9
java-17-openjdk-devel-slowdebug-17.0.18.0.8-1.mga9
java-17-openjdk-fastdebug-17.0.18.0.8-1.mga9
java-17-openjdk-headless-17.0.18.0.8-1.mga9
java-17-openjdk-headless-fastdebug-17.0.18.0.8-1.mga9
java-17-openjdk-headless-slowdebug-17.0.18.0.8-1.mga9
java-17-openjdk-javadoc-17.0.18.0.8-1.mga9
java-17-openjdk-javadoc-zip-17.0.18.0.8-1.mga9
java-17-openjdk-jmods-17.0.18.0.8-1.mga9
java-17-openjdk-jmods-fastdebug-17.0.18.0.8-1.mga9
java-17-openjdk-jmods-slowdebug-17.0.18.0.8-1.mga9
java-17-openjdk-slowdebug-17.0.18.0.8-1.mga9
java-17-openjdk-src-17.0.18.0.8-1.mga9
java-17-openjdk-src-fastdebug-17.0.18.0.8-1.mga9
java-17-openjdk-src-slowdebug-17.0.18.0.8-1.mga9
java-17-openjdk-static-libs-17.0.18.0.8-1.mga9
java-17-openjdk-static-libs-fastdebug-17.0.18.0.8-1.mga9
java-17-openjdk-static-libs-slowdebug-17.0.18.0.8-1.mga9

from SRPMS:
java-11-openjdk-11.0.30.0.7-1.mga9.src.rpm
java-17-openjdk-17.0.18.0.8-1.mga9.src.rpm
Comment 2 Nicolas Salguero 2026-01-23 11:46:42 CET
Second part of the list:

java-1.8.0-openjdk-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-demo-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-demo-fastdebug-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-demo-slowdebug-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-devel-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-devel-fastdebug-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-devel-slowdebug-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-fastdebug-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-headless-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-headless-fastdebug-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-headless-slowdebug-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-javadoc-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-javadoc-zip-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-openjfx-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-openjfx-devel-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-slowdebug-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-src-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-src-fastdebug-1.8.0.482.b08-1.mga9
java-1.8.0-openjdk-src-slowdebug-1.8.0.482.b08-1.mga9

java-latest-openjdk-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-demo-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-demo-fastdebug-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-demo-slowdebug-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-devel-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-devel-fastdebug-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-devel-slowdebug-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-fastdebug-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-headless-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-headless-fastdebug-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-headless-slowdebug-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-javadoc-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-javadoc-zip-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-jmods-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-jmods-fastdebug-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-jmods-slowdebug-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-slowdebug-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-src-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-src-fastdebug-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-src-slowdebug-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-static-libs-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-static-libs-fastdebug-25.0.2.0.10-1.rolling.1.mga9
java-latest-openjdk-static-libs-slowdebug-25.0.2.0.10-1.rolling.1.mga9

from SRPMS:
java-1.8.0-openjdk-1.8.0.482.b08-1.mga9.src.rpm
java-latest-openjdk-25.0.2.0.10-1.rolling.1.mga9.src.rpm

Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, java-latest-openjdk => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk
Whiteboard: MGA9TOO => (none)
Flags: affects_mga9+ => (none)
Version: Cauldron => 9

Comment 3 Nicolas Salguero 2026-01-23 11:52:02 CET
Other references:
https://access.redhat.com/errata/RHSA-2026:0848 (java-11-openjdk)
https://access.redhat.com/errata/RHSA-2026:0927 (java-17-openjdk)
https://access.redhat.com/errata/RHSA-2026:0928 (java-21-openjdk)

CVE: (none) => CVE-2025-64720, CVE-2025-65018, CVE-2026-21925, CVE-2026-21933, CVE-2026-21945

Comment 4 Nicolas Salguero 2026-01-23 11:58:55 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

LIBPNG is vulnerable to a buffer overflow in `png_image_read_composite` via incorrect palette premultiplication. (CVE-2025-64720)

LIBPNG is vulnerable to a heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`. (CVE-2025-65018)

Improve JMX connections. (CVE-2026-21925)

Improve HttpServer Request handling. (CVE-2026-21933)

Enhance Certificate Checking. (CVE-2026-21945)

References:
https://access.redhat.com/errata/RHSA-2026:0848
https://access.redhat.com/errata/RHSA-2026:0927
https://www.oracle.com/security-alerts/cpujan2026.html#AppendixJAVA

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs

Comment 5 Herman Viaene 2026-01-23 15:50:55 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bugs 34206 and 33648.
First install older version java 11 and java1.8.0 and run biogenesis, runs OK.
Then installed java 17 and java latest and run my LO Base application which uses java.
With both versions the application works as well as I could expect with this crooked LO version.

CC: (none) => herman.viaene

Comment 6 Morgan Leijström 2026-01-24 02:09:56 CET
mga9 -64 OK partial test java-1.8.0:

My java based invoice program FriBok still works, incl printing.

Launching from terminal:
[morgan@svarten ~]$ cd "/home/morgan/Tribun/Eko/FriBok" ; _JAVA_OPTIONS="-Dawt.useSystemAAFontSettings=on" /usr/lib/jvm/java-1.8.0-openjdk-1.8.0*/jre/bin/java -jar *.jar
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on
Starting up...
Title     : Fribok
Version   : 2.1-SNAPSHOT-$Rev: 218 $
Build     : 2018-04-10T16:13:11Z
Directory : /home/morgan/Tribun/Eko/FriBok

Operating system: Linux
Architecture    : amd64
Java version    : 1.8.0_482

... And here normal output during run follows...

CC: (none) => fri

katnatek 2026-01-24 22:52:31 CET

Keywords: (none) => advisory

Comment 7 katnatek 2026-01-25 02:34:30 CET
RH x86_64
installing java-17-openjdk-headless-17.0.18.0.8-1.mga9.x86_64.rpm java-17-openjdk-17.0.18.0.8-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/2: java-17-openjdk-headless
                                 ##################################################################################################warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.18.0.8-1.mga9.x86_64/conf/security/java.security created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.18.0.8-1.mga9.x86_64/conf/security/java.security.rpmnew
#
      2/2: java-17-openjdk       ###################################################################################################
      1/2: removing java-17-openjdk-1:17.0.17.0.10-1.mga9.x86_64
                                 ###################################################################################################
      2/2: removing java-17-openjdk-headless-1:17.0.17.0.10-1.mga9.x86_64
                                 ###################################################################################################

jdownloader start, selfupdate and restart after update without issue

Looks good to me

Flags: (none) => test_passed_mga9_64+

katnatek 2026-01-28 20:44:15 CET

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 8 Thomas Andrews 2026-01-29 19:14:29 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2026-01-29 20:22:52 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0024.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

