Package: openjdk-11-jdk
Version: 11.0.14+9-1~deb11u1
Severity: critical
Tags: security
Justification: causes serious data loss
X-Debbugs-Cc: mkes...@web.de, t...@security.debian.org, Debian Security Team <t...@security.debian.org>

Dear Maintainer,

for weeks, there has been a known undisputed CVE for all openjdk versions in Debian,
https://security-tracker.debian.org/tracker/CVE-2022-21476
described as easily exploitable for unauthenticated attackers, resulting in access to data.

However, there seems to be no security issue handling of this CVE; instead, a fix is only made available to unstable.

Please include a fix for Debian stable at least.

Best regards
Michael

-- System Information:
Debian Release: 11.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-14-amd64 (SMP w/6 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de:en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openjdk-11-jdk depends on:
ii  libc6                    2.31-13+deb11u3
ii  openjdk-11-jdk-headless  11.0.14+9-1~deb11u1
ii  openjdk-11-jre           11.0.14+9-1~deb11u1

Versions of packages openjdk-11-jdk recommends:
ii  libxt-dev  1:1.2.0-1

Versions of packages openjdk-11-jdk suggests:
pn  openjdk-11-demo    <none>
pn  openjdk-11-source  <none>
pn  visualvm           <none>

-- no debconf information