Hi, ah, so it seems this is fixed in openjdk-8 from stable-security now since https://lists.debian.org/debian-security-announce/2019/msg00054.html
See e.g. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911925#144 ff. and the security team confirms this. Regards, Rene
