On 10/02/2025 5:32 am, Thorsten Glaser wrote:
> Hi,
> I’ve got this report against openjdk-8 in Debian about CVE-2025-21502
> and I cannot find whether this even affects openjdk-8 at all, nor if
> it’s fixed in 8u442.
> There are links to commits in 21/17/11 and a page saying Oracle’s
> 8u431-perf is affected with the fix in 8u441-perf, but without a
> link to a commit saying so ☹

8u-perf is an Oracle product. You won't find any links to commits for it.

> I also cannot read JDK-8330045 (wants a login, in contrast to the
> other JDK-####### bugs I peeked into).
> So, what’s the state of this?

The entry here lists all the affected versions:

https://www.oracle.com/security-alerts/cpujan2025.html

David
-----

> Thanks in advance,
> //mirabilos