java-1.8.0-openjdk-1.8.0.482.b08-1.el9.ML.1
エラータID: AXSA:2026-130:04
リリース日:
2026/02/03 Tuesday - 17:10
題名:
java-1.8.0-openjdk-1.8.0.482.b08-1.el9.ML.1
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment
and the OpenJDK 8 Java Software Development Kit.
Security Fix(es):
JDK: Improve JMX connections (CVE-2026-21925)
JDK: Improve HttpServer Request handling (CVE-2026-21933)
JDK: Enhance Certificate Checking (CVE-2026-21945)
libpng: LIBPNG buffer overflow (CVE-2025-64720)
libpng: LIBPNG heap buffer overflow (CVE-2025-65018)
Bug Fix(es):
When using a P11SecretKey for both signing and encryption in FIPS mode, the
FIPS PKCS11 provider would fail with a CKR_ATTRIBUTE_VALUE_INVALID error. This
was due to the default configuration not applying the CKA_ENCRYPT=true attribute
to the key. The configuration in this release is updated to include this
attribute. (RHEL-142865, RHEL-142866, RHEL-142867, RHEL-142868, RHEL-142869,
RHEL-142870, RHEL-142871, RHEL-142872, RHEL-142873, RHEL-142874)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
CVE(s):
CVE-2025-64720
CVE-2025-65018
CVE-2026-21925
CVE-2026-21933
CVE-2026-21945
SRPMS(s):
java-1.8.0-openjdk-1.8.0.482.b08-1.el9.alma.1.src.rpm
Additional info:
https://access.redhat.com/errata/RHSA-2026:0932
https://www.cve.org/CVERecord?id=CVE-2025-64720
https://www.cve.org/CVERecord?id=CVE-2025-65018
https://www.cve.org/CVERecord?id=CVE-2026-21925
https://www.cve.org/CVERecord?id=CVE-2026-21933
https://www.cve.org/CVERecord?id=CVE-2026-21945
解決策:
Update packages.
CVE:
CVE-2025-64720
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
CVE-2025-65018
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
CVE-2026-21925
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
CVE-2026-21933
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
CVE-2026-21945
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
追加情報:
N/A
ダウンロード:
SRPMS
- java-1.8.0-openjdk-1.8.0.482.b08-1.el9.ML.1.src.rpm
MD5: 0a3e762f4c9af4f0e094457bd9313d16
SHA-256: e9a413e44121fdb027731da428cf61c3f37b13e73eedf0d0451d6cb8234ee9f8
Size: 58.52 MB
Asianux Server 9 for x86_64
- java-1.8.0-openjdk-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: ac0d2151c04c5d494417cb00a61bc783
SHA-256: eda396a5954b60bf0a44b1eefde149b06313c5834e1244e2ce9edfe31581226e
Size: 421.92 kB - java-1.8.0-openjdk-demo-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: 123d6b84666649279d4b9e5c6e611a3f
SHA-256: 0117e907b1c038c224970359acbf23ea0a7ba1c6bf3ecd1620d75da34b5c6e26
Size: 2.04 MB - java-1.8.0-openjdk-demo-fastdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: e2aab509fd39e8073d80d2cc0618c892
SHA-256: 917aa0733a8cc841907a9edd4b039058523f390c9b11947c04e8bbf32af49993
Size: 2.06 MB - java-1.8.0-openjdk-demo-slowdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: e10ecbaf926b7af5ecf41d36873d252d
SHA-256: 7f2b41a97f7d34c257eb8aa711561b272b1a700867354c10173da7beb983c6e1
Size: 2.06 MB - java-1.8.0-openjdk-devel-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: 7f71a649938bd25e52fbce7e5256edcc
SHA-256: a83bddf410a08ba022bad111b0233dff1da21626f2c4d1a4777f9517315d8d19
Size: 9.35 MB - java-1.8.0-openjdk-devel-fastdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: b8cf87591e0935a10c7f8860cd3a288f
SHA-256: 909318fb2ee20e2f2d536992e78b92f27e8132c6bdfcd444f90ced656d3cb56b
Size: 9.36 MB - java-1.8.0-openjdk-devel-slowdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: fad521dd4c6ca612a865b48645d4f0db
SHA-256: e8b5d78a1a510da51dbe56620e6664a6123f0201394d41fd64ffc28a48a619d8
Size: 9.36 MB - java-1.8.0-openjdk-fastdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: 3cf8f5ee3c5e1f5c78828d0589417573
SHA-256: 7a01ec95452a85c58aa23353cfe4b1cbe635a6de61a5d6acb40b1aefbaa75026
Size: 433.54 kB - java-1.8.0-openjdk-headless-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: f06c2285efbbeae60285c2b283f030bb
SHA-256: 8ed149ad3535171e04d30018a6d077bbb5a8f38e53600a93afaa873fb90a3b40
Size: 33.19 MB - java-1.8.0-openjdk-headless-fastdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: a7bc210531ff4a6155434c979499cd3d
SHA-256: 2bea9effc483dfc0928e620cef5c84af3d71583ed36a8abf451438f2ae91b93a
Size: 36.94 MB - java-1.8.0-openjdk-headless-slowdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: 66873edeacbf42b322d8b70f98c4ea55
SHA-256: d1b428fd7055aefab2974ac6289c7a907d1af438301c4fe227c1cba4c49f7694
Size: 34.42 MB - java-1.8.0-openjdk-javadoc-1.8.0.482.b08-1.el9.ML.1.noarch.rpm
MD5: c0582dff8786b3cda795202335873a6f
SHA-256: 9be40dd20f9c7b0cc9460f04fc439486dbf86e46634559013536e342f12ffcd0
Size: 14.45 MB - java-1.8.0-openjdk-javadoc-zip-1.8.0.482.b08-1.el9.ML.1.noarch.rpm
MD5: 8094fd947a92f329247f958fc28f6d25
SHA-256: 754c000cc72b6d64f78b062e69946273f4f24087d23821f57278d0d7e2258716
Size: 40.72 MB - java-1.8.0-openjdk-slowdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: 6f9077b9a737612dc4f49d23dcf9536b
SHA-256: c2538b4486b5e73a1c813e0206f1a2d8dac80f4531fdafc642d49811743e6859
Size: 406.73 kB - java-1.8.0-openjdk-src-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: 36bb5939bbe7d9c2f5ba1b732740c26d
SHA-256: d116ea079796ec9add6db2270d3f845a5e652d306dfe98c622a5a80592ec8244
Size: 44.66 MB - java-1.8.0-openjdk-src-fastdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: 2cf0ba828bd02321c2661c3b9c80bdd5
SHA-256: 28c3adf3fec1a6c3c3f0571f112dab0099ae064d7a7d4a7e284270e206b373b8
Size: 44.66 MB - java-1.8.0-openjdk-src-slowdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
MD5: 70fcb8a3d52293ee2789a7e72e346966
SHA-256: 9ffc928338a9028c83f40a4c337e0d27df947bedf1e16e35c17d64f82c04e7db
Size: 44.66 MB