Dear Maintainer,
I saw that the CVE is already fixed for sid. I'm unsure if we have to
try to create a bullseye backport of the 11.0.15+10-1 for ourselves or if
we have to wait a bit longer until it's fixed for bullseye too. We are
using the container images of Debian with this openjdk-jre for our
services and we are looking forward to an update.
Cheers
Sascha
On Thu, 05 May 2022 10:45:26 +0200 Michael Kesper <mkes...@web.de> wrote:
Package: openjdk-11-jdk
Version: 11.0.14+9-1~deb11u1
Severity: critical
Tags: security
Justification: causes serious data loss
X-Debbugs-Cc: mkes...@web.de, t...@security.debian.org, Debian Security Team <t...@security.debian.org>
Dear Maintainer,
For weeks, there has been a known, undisputed CVE for all openjdk versions in Debian,
https://security-tracker.debian.org/tracker/CVE-2022-21476
described as easily exploitable for unauthenticated attackers, resulting in
access to data.
However, there seems to be no security issue handling of this CVE; instead, a fix
is only made available to unstable.
Please include a fix for Debian stable at least.
Best regards
Michael
-- System Information:
Debian Release: 11.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-14-amd64 (SMP w/6 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de:en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openjdk-11-jdk depends on:
ii libc6 2.31-13+deb11u3
ii openjdk-11-jdk-headless 11.0.14+9-1~deb11u1
ii openjdk-11-jre 11.0.14+9-1~deb11u1
Versions of packages openjdk-11-jdk recommends:
ii libxt-dev 1:1.2.0-1
Versions of packages openjdk-11-jdk suggests:
pn openjdk-11-demo <none>
pn openjdk-11-source <none>
pn visualvm <none>
-- no debconf information