Opened 11 months ago

Closed 9 months ago

Last modified 9 months ago

#21296 closed enhancement (fixed)

jdk-24.0.1

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 12.4
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New major version. This one brings a large variety of changes, including the removal of the Java Security Manager.

Change History (9)

comment:1 by Douglas R. Reno, 11 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 11 months ago

I'll handle this after GNOME is done since I have 30+ GNOME tickets to take care of.

comment:3 by Douglas R. Reno, 10 months ago

Summary: jdk-24 → jdk-24 (wait for 24.0.1 on Tuesday)

Waiting for 24.0.1 to come out on Tuesday before I proceed with this update.

Oracle Java SE Executive Summary

This Critical Patch Update contains 6 new security patches for Oracle Java SE. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Java SE is 7.7.

The Oracle Java SE products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

    Oracle GraalVM Enterprise Edition, versions 20.3.17, 21.3.13
    Oracle GraalVM for JDK, versions 17.0.14, 21.0.6, 24
    Oracle Java SE, versions 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24

comment:4 by Douglas R. Reno, 10 months ago

Priority: normal → elevated
Summary: jdk-24 (wait for 24.0.1 on Tuesday) → jdk-24.0.1

JDK 24.0.1 has now been released.

We are only impacted by three of the vulnerabilities in BLFS:

  • CVE-2025-21587 (7.4 High): In the JSSE component, it allows for remote code execution with no user interaction or privileges required. Impacts all versions of Java after version 8.
  • CVE-2025-30698 (5.6 Medium): In the 2D component, it allows for arbitrary code execution and unauthorized data modification, no user interaction or privileges required. Impacts all versions of Java after version 8.
  • CVE-2025-30691 (4.8 Medium): In the Compiler component, it seems to allow for a low chance of arbitrary code execution or unauthorized data modification, with no user interaction required. Only affects JDK 21 and 23.

All three vulnerabilities are exploitable via the network.

comment:5 by Joe Locash, 10 months ago

For libreoffice to build I needed:

sed -i 's/-Djava.security.manager=allow//' external/hsqldb/ExternalProject_hsqldb.mk

Edited to add the above in a code block so it displays correctly in Trac.

Last edited 9 months ago by Joe Locash
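The breakage Joe hit comes from the Security Manager removal mentioned in the ticket description (JEP 486): on JDK 24 and later a JVM launched with -Djava.security.manager=allow exits at startup instead of enabling the manager, while on older JDKs the flag is still valid. The helper below is an added example, not part of this ticket, BLFS or LibreOffice: it reads the major version out of a `java -version` banner and only strips the flag from a build file when that version is 24 or newer, so the same script can be run against either JDK without breaking the older one. The makefile line it edits is a constructed sample, not the real ExternalProject_hsqldb.mk, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the ticket): conditionally remove the
# -Djava.security.manager=allow flag from a build file, because JDK 24+
# refuses to start when it is set (JEP 486) but older JDKs still accept it.

# jdk_major BANNER
#   BANNER is the first line of `java -version 2>&1`.
#   Prints the major version: "1.8.0_441" -> 8, "17.0.14" -> 17, "24.0.1" -> 24.
jdk_major() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;   # legacy 1.x scheme
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;   # 9+ scheme
    esac
}

# strip_secmgr_flag MAJOR FILE
#   Removes every -Djava.security.manager=allow (and the space before it)
#   from FILE when MAJOR >= 24; leaves FILE untouched otherwise.
#   Prints "stripped" or "kept" so callers can log what happened.
#   Uses a temp file rather than sed -i so it works with any POSIX sed.
strip_secmgr_flag() {
    major=$1
    file=$2
    if [ "$major" -ge 24 ] 2>/dev/null; then
        sed 's/ *-Djava\.security\.manager=allow//g' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
        echo stripped
    else
        echo kept
    fi
}

# Stand-alone demonstration on a constructed makefile fragment.
demo() {
    f=$(mktemp)
    printf '%s\n' 'JAVAFLAGS := -Djava.security.manager=allow -Xmx512m' > "$f"

    # Constructed banner lines, not captured from real installations.
    for banner in 'java version "1.8.0_441"' 'openjdk version "24.0.1"'; do
        major=$(jdk_major "$banner")
        result=$(strip_secmgr_flag "$major" "$f")
        printf 'JDK %s: %s -> %s\n' "$major" "$result" "$(cat "$f")"
    done
    rm -f "$f"
}

demo
```

Run it against the real banner with `strip_secmgr_flag "$(jdk_major "$(java -version 2>&1 | head -n1)")" external/hsqldb/ExternalProject_hsqldb.mk`; on JDK 24.0.1 that reduces to the same sed Joe posted, and on a JDK 17 or 21 host it is a no-op.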

comment:6 by Douglas R. Reno, 9 months ago

Both the x86 binary and jtreg are now on anduin. Working on the x86_64 one right now while testing the x86 one on my VM.

Today will be OpenJDK and other security updates day. I'll file my entire backlog of advisories tomorrow and then take care of Texlive.

comment:7 by Douglas R. Reno, 9 months ago

The x86_64 binary is now on anduin.

comment:8 by Douglas R. Reno, 9 months ago

Resolution: fixed
Status: assigned → closed

comment:9 by Douglas R. Reno, 9 months ago

SA-12.3-031 issued.
