java-17-openjdk-17.0.17.0.10-1.el9.ML.1

The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and
the OpenJDK 17 Java Software Development Kit.

Security Fix(es):

* JDK: Enhance Path Factories (CVE-2025-53066)
* JDK: Enhance Certificate Handling (CVE-2025-53057)

Bug Fix(es):

* Since the 8.8 release of Asianux Server 8 and the 9.2 release of Asianux
Server 9, OpenJDK 17 has used a single build repackaged for each major Asianux
Server release. With this release, this same build is now also used by the
following older releases: 8.4, 8.6 and 9.0 (RHEL-118788, RHEL-118789,
RHEL-118792)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2025-53057
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
Enterprise Edition product of Oracle Java SE (component: Security). Supported
versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28,
17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM
Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
Edition. Successful attacks of this vulnerability can result in unauthorized
creation, deletion or modification access to critical data or all Oracle Java
SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
Note: This vulnerability can be exploited by using APIs in the specified
Component, e.g., through a web service which supplies data to the APIs. This
vulnerability also applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet) and rely on the
Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
CVE-2025-53066
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
Enterprise Edition product of Oracle Java SE (component: JAXP). Supported
versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28,
17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM
Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
Edition. Successful attacks of this vulnerability can result in unauthorized
access to critical data or complete access to all Oracle Java SE, Oracle GraalVM
for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This
vulnerability can be exploited by using APIs in the specified Component, e.g.,
through a web service which supplies data to the APIs. This vulnerability also
applies to Java deployments, typically in clients running sandboxed Java Web
Start applications or sandboxed Java applets, that load and run untrusted code
(e.g., code that comes from the internet) and rely on the Java sandbox for
security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).