Your message dated Mon, 03 Nov 2025 10:19:25 +0000
with message-id <[email protected]>
and subject line Bug#1118944: fixed in openjdk-8 8u472-ga-1
has caused the Debian Bug report #1118944,
regarding openjdk-8: CVE-2025-53057 CVE-2025-53066
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1118944: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118944
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openjdk-8
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for openjdk-8.
CVE-2025-53057[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Security). Supported versions that are affected are Oracle Java SE:
| 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for
| JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition:
| 21.3.15. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition. Successful attacks of this vulnerability can result in
| unauthorized creation, deletion or modification access to critical
| data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9
| (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
CVE-2025-53066[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JAXP). Supported versions that are affected are Oracle Java SE:
| 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for
| JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition:
| 21.3.15. Easily exploitable vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition. Successful attacks of this vulnerability can result in
| unauthorized access to critical data or complete access to all
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability can be exploited
| by using APIs in the specified Component, e.g., through a web
| service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5
| (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-53057
https://www.cve.org/CVERecord?id=CVE-2025-53057
[1] https://security-tracker.debian.org/tracker/CVE-2025-53066
https://www.cve.org/CVERecord?id=CVE-2025-53066
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: openjdk-8
Source-Version: 8u472-ga-1
Done: Thorsten Glaser <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openjdk-8, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Glaser <[email protected]> (supplier of updated openjdk-8 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384
Format: 1.8
Date: Sun, 02 Nov 2025 17:30:44 +0000
Source: openjdk-8
Architecture: source
Version: 8u472-ga-1
Distribution: unstable
Urgency: low
Maintainer: Java Maintenance <[email protected]>
Changed-By: Thorsten Glaser <[email protected]>
Closes: 1115228 1118944
Changes:
 openjdk-8 (8u472-ga-1) unstable; urgency=low
 .
   * New upstream release (Closes: #1118944)
   * CVEs
     - CVE-2025-53057
     - CVE-2025-53066
   * Other changes see https://bit.ly/openjdk8u472
   * Update d/copyright
   * Sync list of compilers and known releases
   * Add patches to rename the (custom) uabs function, to avoid a
     conflict with glibc 2.42 in experimental, following what jdk11
     did but wasn’t yet merged to jdk8 (Closes: #1115228)
   * Build with -std=gnu11 as configure tests for, not C23 ready
Checksums-Sha1:
 a88c2fa9e4ecd2329f6365c4a56434d30054b148 4548 openjdk-8_8u472-ga-1.dsc
 cfbcf5afb9417f08866186f807aa39aba5729461 66757756 openjdk-8_8u472-ga.orig.tar.gz
 177b4dc0e5d315a84581b8ed1594e256574883c1 169256 openjdk-8_8u472-ga-1.debian.tar.xz
Checksums-Sha256:
 2f96ccb1e674d3f6f509b651c8a6da9258045f14490b9e1ed01a94aa4db8d529 4548 openjdk-8_8u472-ga-1.dsc
 b7d9ecbde33702d8be2f33dd9cb9153a2b4f152bf7adface51f0f2363a864f31 66757756 openjdk-8_8u472-ga.orig.tar.gz
 3c7a9eb7c7953f6c9bcbd24f40bcb698890de57b70742f69eae125c141857d8f 169256 openjdk-8_8u472-ga-1.debian.tar.xz
Files:
 89ecc4990647869fb59451293c0983f7 4548 java optional openjdk-8_8u472-ga-1.dsc
 b25215601b0a30d5f0f895b1414bf834 66757756 java optional openjdk-8_8u472-ga.orig.tar.gz
 cfab2f43507db8d476d1aa8884118dd9 169256 java optional openjdk-8_8u472-ga-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---