Overview

File _patchinfo of Package patchinfo.40563

<patchinfo incident="40563">
  <issue tracker="cve" id="2025-30749"/>
  <issue tracker="cve" id="2025-50106"/>
  <issue tracker="cve" id="2025-30761"/>
  <issue tracker="cve" id="2025-30754"/>
  <issue tracker="bnc" id="1246580">VUL-0: CVE-2025-30761: java-10-openjdk,java-11-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-9-openjdk: Improve scripting supports (Oracle CPU 2025-07)</issue>
  <issue tracker="bnc" id="1246806">trackerbug: packages embed rebuild-counter</issue>
  <issue tracker="bnc" id="1246584">VUL-0: CVE-2025-50106: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: openjdk: Glyph out-of-memory access and crash (Oracle CPU 2025-07)</issue>
  <issue tracker="bnc" id="1246598">VUL-0: CVE-2025-30754: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: openjdk: incomplete handshake may lead to weakening TLS protections</issue>
  <issue tracker="bnc" id="1246595">VUL-0: CVE-2025-30749: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: openjdk: several scenarios can lead to heap corruption</issue>
  <packager>fstrba</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for java-1_8_0-openjdk</summary>
  <description>This update for java-1_8_0-openjdk fixes the following issues:

Update to version jdk8u462 (icedtea-3.36.0).

Security issues fixed:
  
- CVE-2025-30749: heap corruption allows unauthenticated attacker with network access to compromise and takeover Java
  applications that load and run untrusted code (bsc#1246595).
- CVE-2025-30754: incomplete handshake allows unauthenticated attacker with network access via TLS to gain unauthorized
  update, insert, delete and read access to sensitive data (bsc#1246598).
- CVE-2025-30761: issue in Scripting component allows unauthenticated attacker with network access to gain
  unauthorized creation, deletion or modification access to critical data (bsc#1246580).
- CVE-2025-50106: Glyph out-of-memory access allows unauthenticated attacker with network access to compromise and
  takeover Java applications that load and run untrusted code (bsc#1246584).

Other issues fixed:
  
- Import of OpenJDK 8 u462 build 08
  + JDK-8026976: ECParameters, Point does not match field size.
  + JDK-8071996: split_if accesses NULL region of ConstraintCast.
  + JDK-8186143: keytool -ext option doesn't accept wildcards for DNS subject alternative names.
  + JDK-8186787: clang-4.0 SIGSEGV in Unsafe_PutByte.
  + JDK-8248001: javadoc generates invalid HTML pages whose ftp:// links are broken.
  + JDK-8278472: Invalid value set to CANDIDATEFORM structure.
  + JDK-8293107: GHA: Bump to Ubuntu 22.04.
  + JDK-8303770: Remove Baltimore root certificate expiring in May 2025.
  + JDK-8309841: Jarsigner should print a warning if an entry is removed.
  + JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract.
  + JDK-8345625: Better HTTP connections.
  + JDK-8346887: DrawFocusRect() may cause an assertion failure.
  + JDK-8349111: Enhance Swing supports.
  + JDK-8350498: Remove two Camerfirma root CA certificates.
  + JDK-8352716: (tz) Update Timezone Data to 2025b.
  + JDK-8353433: XCG currency code not recognized in JDK 8u.
  + JDK-8356096: ISO 4217 Amendment 179 Update.
  + JDK-8359170: Add 2 TLS and 2 CS Sectigo roots.
- Backports
  + JDK-8358538: Update GHA Windows runner to 2025.
- JDK-8354941: Build failure with glibc 2.42 due to uabs() name collision.
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places