Your message dated Fri, 08 May 2026 15:05:14 +0000
with message-id <[email protected]>
and subject line Bug#1134894: fixed in openjdk-8 8u492-ga-1
has caused the Debian Bug report #1134894,
regarding openjdk-8: CVE-2026-34268 CVE-2026-22003 CVE-2026-22007 
CVE-2026-22013 CVE-2026-22016 CVE-2026-22018 CVE-2026-22021
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1134894: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134894
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openjdk-8
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openjdk-8.

CVE-2026-34268[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Security).  Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Difficult to exploit vulnerability
| allows unauthenticated attacker with logon to the infrastructure
| where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition executes to compromise Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful
| attacks of this vulnerability can result in unauthorized read
| access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition accessible data. Note: This vulnerability
| can be exploited by using APIs in the specified Component, e.g.,
| through a web service which supplies data to the APIs. This
| vulnerability also applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. CVSS
| 3.1 Base Score 2.9 (Confidentiality impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).


CVE-2026-22003[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise
| Edition product of Oracle Java SE (component: Hotspot).  Supported
| versions that are affected are Oracle Java SE: 8u481 and 8u481-b50;
| Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle Java SE, Oracle GraalVM Enterprise
| Edition executes to compromise Oracle Java SE, Oracle GraalVM
| Enterprise Edition.  Successful attacks require human interaction
| from a person other than the attacker. Successful attacks of this
| vulnerability can result in unauthorized creation, deletion or
| modification access to critical data or all Oracle Java SE, Oracle
| GraalVM Enterprise Edition accessible data and unauthorized ability
| to cause a hang or frequently repeatable crash (complete DOS) of
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This
| vulnerability applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability does not apply to Java deployments, typically in
| servers, that load and run only trusted code (e.g., code installed
| by an administrator). CVSS 3.1 Base Score 6.0 (Integrity and
| Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).


CVE-2026-22007[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Security).  Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Difficult to exploit vulnerability
| allows unauthenticated attacker with logon to the infrastructure
| where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition executes to compromise Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful
| attacks of this vulnerability can result in unauthorized read
| access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition accessible data. Note: This vulnerability
| can be exploited by using APIs in the specified Component, e.g.,
| through a web service which supplies data to the APIs. This
| vulnerability also applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. CVSS
| 3.1 Base Score 2.9 (Confidentiality impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).


CVE-2026-22013[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JGSS).  Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition.  Successful attacks require human
| interaction from a person other than the attacker. Successful
| attacks of this vulnerability can result in unauthorized access to
| critical data or complete access to all Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability applies to Java deployments, typically in
| clients running sandboxed Java Web Start applications or sandboxed
| Java applets, that load and run untrusted code (e.g., code that
| comes from the internet) and rely on the Java sandbox for security.
| This vulnerability does not apply to Java deployments, typically in
| servers, that load and run only trusted code (e.g., code installed
| by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).


CVE-2026-22016[4]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JAXP).  Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition.  Successful attacks of this vulnerability can
| result in unauthorized access to critical data or complete access
| to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5
| (Confidentiality impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).


CVE-2026-22018[5]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Libraries).  Supported versions that are affected are Oracle Java
| SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2,
| 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition.  Successful attacks of this
| vulnerability can result in unauthorized ability to cause a partial
| denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM
| for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability
| can be exploited by using APIs in the specified Component, e.g.,
| through a web service which supplies data to the APIs. This
| vulnerability also applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. CVSS
| 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).


CVE-2026-22021[6]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JSSE).  Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows
| unauthenticated attacker with network access via HTTPS to compromise
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition.  Successful attacks of this vulnerability can result in
| unauthorized ability to cause a partial denial of service (partial
| DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Note: This vulnerability can be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. This vulnerability also applies to
| Java deployments, typically in clients running sandboxed Java Web
| Start applications or sandboxed Java applets, that load and run
| untrusted code (e.g., code that comes from the internet) and rely on
| the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34268
    https://www.cve.org/CVERecord?id=CVE-2026-34268
[1] https://security-tracker.debian.org/tracker/CVE-2026-22003
    https://www.cve.org/CVERecord?id=CVE-2026-22003
[2] https://security-tracker.debian.org/tracker/CVE-2026-22007
    https://www.cve.org/CVERecord?id=CVE-2026-22007
[3] https://security-tracker.debian.org/tracker/CVE-2026-22013
    https://www.cve.org/CVERecord?id=CVE-2026-22013
[4] https://security-tracker.debian.org/tracker/CVE-2026-22016
    https://www.cve.org/CVERecord?id=CVE-2026-22016
[5] https://security-tracker.debian.org/tracker/CVE-2026-22018
    https://www.cve.org/CVERecord?id=CVE-2026-22018
[6] https://security-tracker.debian.org/tracker/CVE-2026-22021
    https://www.cve.org/CVERecord?id=CVE-2026-22021

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: openjdk-8
Source-Version: 8u492-ga-1
Done: Emilio Pozuelo Monfort <[email protected]>

We believe that the bug you reported is fixed in the latest version of
openjdk-8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <[email protected]> (supplier of updated openjdk-8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 May 2026 16:28:05 +0200
Source: openjdk-8
Architecture: source
Version: 8u492-ga-1
Distribution: unstable
Urgency: medium
Maintainer: Java Maintenance <[email protected]>
Changed-By: Emilio Pozuelo Monfort <[email protected]>
Closes: 1134894
Changes:
 openjdk-8 (8u492-ga-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018
     - CVE-2026-22021, CVE-2026-34268. Closes: #1134894.
   * debian/patches/pass-extra-flags.diff: refreshed.
   * debian/patches/jdk-target-arch-define.diff: refreshed.
   * debian/patches/gcc14.diff: drop one hunk, fixed upstream.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
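
Added example (not part of either message, and not Debian or Oracle tooling): a triage check that recomputes each CVSS 3.1 base score from the vector quoted in the report and lists which reported CVE ids the closing changelog entry does not name. The ids, scores, vectors and changelog lines are copied from this page; the function names are made up for the example, and only Scope: Unchanged vectors are handled because every vector here is S:U.

```python
import math
import re

# Metric weights from the CVSS v3.1 specification (PR values for Scope: Unchanged).
W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
     "AC": {"L": 0.77, "H": 0.44},
     "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
     "UI": {"N": 0.85, "R": 0.62},
     "C": {"H": 0.56, "L": 0.22, "N": 0.0}}
W["I"] = W["A"] = W["C"]

# Copied from the bug report on this page: CVE id -> (stated score, vector).
REPORTED = {
    "CVE-2026-34268": (2.9, "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"),
    "CVE-2026-22003": (6.0, "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H"),
    "CVE-2026-22007": (2.9, "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"),
    "CVE-2026-22013": (5.3, "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"),
    "CVE-2026-22016": (7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    "CVE-2026-22018": (3.7, "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"),
    "CVE-2026-22021": (5.3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"),
}

# Copied from the 8u492-ga-1 changelog entry on this page.
CHANGELOG = """- CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018
- CVE-2026-22021, CVE-2026-34268. Closes: #1134894."""

def roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, safe against float noise."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(vector):
    """Base score of a CVSS:3.1 vector string with Scope: Unchanged."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    if m["S"] != "U":
        raise ValueError("only Scope: Unchanged vectors are handled here")
    iss = 1 - (1 - W["C"][m["C"]]) * (1 - W["I"][m["I"]]) * (1 - W["A"][m["A"]])
    impact = 6.42 * iss
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * W["PR"][m["PR"]] * W["UI"][m["UI"]]
    return 0.0 if impact <= 0 else roundup(min(impact + expl, 10))

def score_mismatches():
    """CVE id -> (stated, computed) wherever the stated score disagrees with its vector."""
    return {c: (s, base_score(v)) for c, (s, v) in REPORTED.items() if base_score(v) != s}

def not_in_changelog():
    """Reported CVE ids that the changelog text does not mention."""
    return sorted(set(REPORTED) - set(re.findall(r"CVE-\d{4}-\d+", CHANGELOG)))
```

An id returned by `not_in_changelog()` is a prompt to check that CVE's security-tracker page for the fixed version, not evidence by itself that the fix is absent from the upload.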
