File _patchinfo of Package patchinfo.38905

<patchinfo incident="38905">
  <issue tracker="bnc" id="1243429">VUL-0: CVE-2025-4447: java-1.8.0-ibm: Buffer Overflow in Eclipse OpenJ9</issue>
  <issue tracker="bnc" id="1241275">VUL-0: CVE-2025-30691: java-21-openjdk: openjdk: Oracle Java SE Compiler Unauthorized Data Access</issue>
  <issue tracker="bnc" id="1242208">VUL-0: java-1_8_0-ibm: Oracle April 15 2025 CPU</issue>
  <issue tracker="bnc" id="1241274">VUL-0: CVE-2025-21587: java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk: openjdk: JSSE unauthorized access, deletion or modification of critical data</issue>
  <issue tracker="bnc" id="1241276">VUL-0: CVE-2025-30698: java-11-openjdk,java-17-openjdk,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk: openjdk: Oracle Java 2D unauthorized data access and DoS</issue>
  <issue tracker="cve" id="2025-30691"/>
  <issue tracker="cve" id="2025-21587"/>
  <issue tracker="cve" id="2025-30698"/>
  <issue tracker="cve" id="2025-4447"/>
  <packager>pmonrealgonzalez</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for java-1_8_0-ibm</summary>
  <description>This update for java-1_8_0-ibm fixes the following issues:

Update to Java 8.0 Service Refresh 8 Fix Pack 45.

Security issues fixed:

- Oracle April 15 2025 CPU (bsc#1242208)

  * CVE-2025-21587: unauthorized access, deletion and modification of critical data via the JSSE component
    (bsc#1241274).
  * CVE-2025-30691: unauthorized access to data via the Compiler component (bsc#1241275).
  * CVE-2025-30698: unauthorized access to data and ability to cause a partial DoS via the 2D component (bsc#1241276).

- IBM Security Update May 2025

  * CVE-2025-4447: stack-based buffer overflow in Eclipse OpenJ9 through modification of a file that is read when the JVM
    starts (bsc#1243429).

Other changes and issues fixed:

- Security:

  * Avoid memory leak during AES cipher initialization operations
    for IBMJCEPlus and IBMJCEPlusProviders provider.
  * Changing the default of the com.ibm.security.spnego.msinterop
    property from true to false.
  * Deserializing a com.ibm.crypto.provider.rsaprivatecrtkey object
    causes a java.io.invalidobjectexception to be thrown.
  * Failed to read private key from a JKS keystore, specified as
    JCEKS keystore.
  * HTTPS channel binding support.
  * Keytool listing PKCS12 keystore issue.
  * On Linux systems, use gcc11.2 to compile IBM PKCS11 library.
  * Support has been added to the IBM Java XMLDSigRI security provider
    for the EdDSA (Edwards-curve Digital Signature Algorithm).
  * Updates to XDH Key Agreement, AESGCM Algorithms in IBMJCEPlus
    and IBMJCEPlusFIPS providers.

- Class Libraries:

  * Update timezone information to the latest tzdata2025a.

- Java Virtual Machine:

  * A SIGSEGV/GPF event received while processing verifyerror.
  * Crash while resolving MethodHandleNatives.
  * NoSuchMethodException or NoClassDefFoundError when loading classes.

- JIT Compiler:

  * Assert in the JIT Compiler, badILOp.
  * Reduced MD5 performance.
</description>
</patchinfo>