Opened 5 weeks ago

Last modified 33 minutes ago

#21296 assigned enhancement

jdk-24.0.1

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: elevated Milestone: 12.4
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New major version. This one brings a large variety of changes, including the removal of the Java Security Manager.

Change History (5)

comment:1 by Douglas R. Reno, 5 weeks ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 5 weeks ago

I'll handle this after GNOME is done since I have 30+ GNOME tickets to take care of.

comment:3 by Douglas R. Reno, 8 days ago

Summary: jdk-24 → jdk-24 (wait for 24.0.1 on Tuesday)

Waiting for 24.0.1 to come out on Tuesday before I proceed with this update.

Oracle Java SE Executive Summary

This Critical Patch Update contains 6 new security patches for Oracle Java SE. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Java SE is 7.7.

The Oracle Java SE products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

    Oracle GraalVM Enterprise Edition, versions 20.3.17, 21.3.13
    Oracle GraalVM for JDK, versions 17.0.14, 21.0.6, 24
    Oracle Java SE, versions 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24

comment:4 by Douglas R. Reno, 6 days ago

Priority: normal → elevated
Summary: jdk-24 (wait for 24.0.1 on Tuesday) → jdk-24.0.1

JDK 24.0.1 has now been released.

We are only impacted by three of the vulnerabilities in BLFS:

  • CVE-2025-21587 (7.4 High): In the JSSE component, it allows for remote code execution with no user interaction nor privileges required. Impacts all versions of Java after version 8.
  • CVE-2025-30698 (5.6 Medium): In the 2D component, it allows for arbitrary code execution and unauthorized data modification, no user interaction or privileges required. Impacts all versions of Java after version 8.
  • CVE-2025-30691 (4.8 Medium): In the Compiler component, it seems to allow for a low chance of arbitrary code execution or unauthorized data modification, with no user interaction required. Only affects JDK 21 and 23.

All three vulnerabilities are exploitable via the network.

comment:5 by Joe Locash, 33 minutes ago

For libreoffice to build I needed:

sed -i 's/-Djava.security.manager=allow//' external/hsqldb/ExternalProject_hsqldb.mk
