java-17-openjdk-17.0.18.0.8-1.el9.ML.1

エラータID: AXSA:2026-123:03

リリース日: 
2026/02/02 Monday - 18:23
題名: 
java-17-openjdk-17.0.18.0.8-1.el9.ML.1
影響のあるチャネル: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and
the OpenJDK 17 Java Software Development Kit.

Security Fix(es):

JDK: Improve JMX connections (CVE-2026-21925)
JDK: Improve HttpServer Request handling (CVE-2026-21933)
JDK: Enhance Certificate Checking (CVE-2026-21945)
libpng: LIBPNG buffer overflow (CVE-2025-64720)
libpng: LIBPNG heap buffer overflow (CVE-2025-65018)

Bug Fix(es):

When using a P11SecretKey for both signing and encryption in FIPS mode, the
FIPS PKCS11 provider would fail with a CKR_ATTRIBUTE_VALUE_INVALID error. This
was due to the default configuration not applying the CKA_ENCRYPT=true attribute
to the key. The configuration in this release is updated to include this
attribute. (RHEL-142862, RHEL-142881, RHEL-142882, RHEL-142883, RHEL-142884,
RHEL-142885, RHEL-142886, RHEL-142887, RHEL-142888)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE(s):
CVE-2025-64720
CVE-2025-65018
CVE-2026-21925
CVE-2026-21933
CVE-2026-21945

解決策: 

Update packages.

CVE: 
CVE-2025-64720
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
CVE-2025-65018
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
CVE-2026-21925
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
CVE-2026-21933
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
CVE-2026-21945
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. java-17-openjdk-17.0.18.0.8-1.el9.ML.1.src.rpm
    MD5: a143ad820944972d6cdce1fe43986dc3
    SHA-256: 9c73ebb507143ce0c45aa26bc33afc32f75bc3a0b2561f867f6b464dc5819b0e
    Size: 64.06 MB

Asianux Server 9 for x86_64
  1. java-17-openjdk-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: 0783dfd173db862f4552ae6f5a4ba5cf
    SHA-256: fd784727b684611a0ba01cb2a6ba0055db03889a346a19a74d2d58f355c573ee
    Size: 427.76 kB
  2. java-17-openjdk-demo-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: 1af001feabaf92b8d170e3a016e2d04e
    SHA-256: 6b69273626c76ef545d054505e55249d27592f715d2d26d4200f820182c4c598
    Size: 3.41 MB
  3. java-17-openjdk-demo-fastdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: d6125501aaa1c54ba9adba6509db4b80
    SHA-256: 96f90f9dae46576fc202916a0dbcf58f832bd52f159019df90ee7fa31fee2817
    Size: 3.41 MB
  4. java-17-openjdk-demo-slowdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: c59d9150de55400823fd0b34a5e5763d
    SHA-256: 82d3189bc26977bb7de7addd776bd8dfdfad24d8957f47ad1a69c48efb3349c3
    Size: 3.41 MB
  5. java-17-openjdk-devel-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: 3667d622be37b70bc1e84a728811b809
    SHA-256: b704cba86437c737cf87934b04f4338608ae6cd05929f5c9e3b9cb21df700a62
    Size: 4.72 MB
  6. java-17-openjdk-devel-fastdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: dcee5dfd650698cfc932197b2ab5e75c
    SHA-256: e59a1df773de1c67357510ce49c3ec7e1a0239533ef6194c7b4f1639305a5867
    Size: 4.72 MB
  7. java-17-openjdk-devel-slowdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: 955b4886a0dfba21cb7a07e6eb1e4ff4
    SHA-256: f593425c367648923a7bffe90100afa8ff64a7fe178860024b9b40e25e85558b
    Size: 4.72 MB
  8. java-17-openjdk-fastdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: 5f94b4ce1f100f665e7969b6cf1bf0cc
    SHA-256: a0321ba8ced4f3b7d9a1699c207b6d5bfc0c3884ce75b6e73e1210f77bc2d550
    Size: 435.40 kB
  9. java-17-openjdk-headless-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: 1ca616b1f313a9e58ed712221a887bf5
    SHA-256: fe712abe79ebef535eb4e5c014d7d689513bb1814aa17023a8ac1b75a87f0f99
    Size: 44.13 MB
  10. java-17-openjdk-headless-fastdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: a3d68c6eaaf59514752434d85ea9bab2
    SHA-256: c6e44b95a314c2b8941edcebcac799ced1180a3733723c929838458930333408
    Size: 49.05 MB
  11. java-17-openjdk-headless-slowdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: 750c591369e9eb2b688c041f820dfd42
    SHA-256: 309aa6296116d8e3e7ac3616c1b3832682b26b3bf57d9341606339bbbe6d223e
    Size: 45.88 MB
  12. java-17-openjdk-javadoc-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: 54db7024c54560c7452aff85faa23100
    SHA-256: 906fa7c9eed0c0b32e0aa71b1d24b20c351efba5616ed2cb41a8485d9498c118
    Size: 14.67 MB
  13. java-17-openjdk-javadoc-zip-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: 1a8e35f7cfd5ac5fac705828ef871599
    SHA-256: fd0dac707324eaf30f196a23e673f1c2aab9439aad820e18afb341d6a772fea8
    Size: 39.45 MB
  14. java-17-openjdk-jmods-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: df8c89f9b920ac205cebc4995937eb82
    SHA-256: d90a2430c78346fbdd181e6fe9d70f5b01945a59d05d79aa90fa283ca4074328
    Size: 245.18 MB
  15. java-17-openjdk-jmods-fastdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: 5b4b83e9f3c605013bc1473bc26fb0b8
    SHA-256: 19313c4e59bfb8737c4eb3b49e789b9be197bbd40be1bb80353ea763645857ca
    Size: 243.64 MB
  16. java-17-openjdk-jmods-slowdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: d91a0af677c078859772b65fdd284a57
    SHA-256: 4d2091e78bdb267da2da203d86dac83d0351f401c4f6cf2785cf8cd070d6d5be
    Size: 173.70 MB
  17. java-17-openjdk-slowdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: fb44fcf1f682a8efbecbceab161fae9a
    SHA-256: 369e63e3ce1d23b7ecbcab13bb5061d12e0c5fd35608ff4488f9c90f546b9188
    Size: 406.99 kB
  18. java-17-openjdk-src-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: aca5156f195db5aa3a6b070b0f16e58a
    SHA-256: f7fa5a1b46cc79a19b82dd4c1298d7ac03a1f30188db8797a345067b1b8dbe2b
    Size: 44.88 MB
  19. java-17-openjdk-src-fastdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: f5d9776dc38e530aeaa3e048a0fc4336
    SHA-256: 897550ac385502e03e6fec1c6901b17cc03de9a9b44e84c8078faaa6d3706c7b
    Size: 44.88 MB
  20. java-17-openjdk-src-slowdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: 3a53f5f88fee203f4aec84fa992f3bd9
    SHA-256: 71b0e49576e4991b12491d693eed174fcb485162eb191534cbba8edf0289b3aa
    Size: 44.88 MB
  21. java-17-openjdk-static-libs-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: 92a089d1974b1520fe05169d99be331e
    SHA-256: 478f1ef5b2ece40c92131a0686bf1dd0ab8113214feafe8f0fc42240e9067dc0
    Size: 27.87 MB
  22. java-17-openjdk-static-libs-fastdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: d3994f8981ced5a1d8efbf7fed771c44
    SHA-256: a1bc05de2bd7638149d161d831e86bce1a8651663481eb1c2c7ef069c96d4cd6
    Size: 27.97 MB
  23. java-17-openjdk-static-libs-slowdebug-17.0.18.0.8-1.el9.ML.1.x86_64.rpm
    MD5: a5ee47971c7ddf589c69acd9afd045dd
    SHA-256: d7af684471e6f83b6fb5a0451b363f29ac9fb17397d569d1a1198728414977dd
    Size: 21.59 MB