#1010597 openjdk-11-jdk: CVE-2022-21476 unfixed for weeks

Package: openjdk-11-jdk
Source: openjdk-11
Description: OpenJDK Development Kit (JDK)
Submitter: Michael Kesper
Date: 2022-05-05 14:51:08 UTC
Severity: critical
#1010597#5
Date: 2022-05-05 08:45:26 UTC
Dear Maintainer,

for weeks there has been a known, undisputed CVE for all openjdk versions in Debian,
https://security-tracker.debian.org/tracker/CVE-2022-21476
described as easily exploitable by unauthenticated attackers, resulting in access to data.

However, there seems to be no security-issue handling of this CVE; instead, a fix
is only made available to unstable.

Please include a fix for Debian stable at least.

Best regards
Michael

#1010597#10
Date: 2022-05-05 10:04:07 UTC
Dear Maintainer,

I saw that the CVE is already fixed for sid. I'm unsure whether we have to
try to create a bullseye backport of 11.0.15+10-1 ourselves or whether
we have to wait a bit longer until it's fixed for bullseye too. We are
using the Debian container images with this openjdk-jre for our
services and we are looking forward to an update.

Cheers
Sascha

#1010597#23
Date: 2022-05-05 14:49:45 UTC
close 1010597 11.0.15+10-1
# pending in upcoming DSA
close 1010597 11.0.15+10-1~deb11u1
close 1010597 11.0.15+10-1~deb10u1
thanks