[USN-7672-1] CRaC JDK 17 vulnerabilities
[USN-7673-1] CRaC JDK 21 vulnerabilities
[USN-7675-1] poppler vulnerability
[USN-7676-1] SQLite vulnerability
[USN-7667-1] OpenJDK 8 vulnerabilities
[USN-7672-1] CRaC JDK 17 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7672-1
July 28, 2025
openjdk-17-crac vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
Summary:
Several security issues were fixed in CRaC JDK 17.
Software Description:
- openjdk-17-crac: Open Source Java implementation with Coordinated Restore at Checkpoints
Details:
It was discovered that the 2D component of CRaC JDK 17 did not properly
manage memory under certain circumstances. An attacker could possibly
use this issue to cause a denial of service or execute arbitrary code.
(CVE-2025-30749, CVE-2025-50106)
Mashroor Hasan Bhuiyan discovered that the JSSE component of CRaC JDK 17
did not properly manage TLS 1.3 handshakes under certain circumstances.
An attacker could possibly use this issue to obtain sensitive
information. (CVE-2025-30754)
Martin van Wingerden and Violeta Georgieva of Broadcom discovered
that the Networking component of CRaC JDK 17 did not properly
manage network connections under certain circumstances. An attacker
could possibly use this issue to obtain sensitive information.
(CVE-2025-50059)
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2025-07-15
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
openjdk-17-crac-jdk 17.0.16+8-0ubuntu2~25.04
openjdk-17-crac-jdk-headless 17.0.16+8-0ubuntu2~25.04
openjdk-17-crac-jre 17.0.16+8-0ubuntu2~25.04
openjdk-17-crac-jre-headless 17.0.16+8-0ubuntu2~25.04
openjdk-17-crac-jre-zero 17.0.16+8-0ubuntu2~25.04
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7672-1
CVE-2025-30749, CVE-2025-30754, CVE-2025-50059, CVE-2025-50106
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-17-crac/17.0.16+8-0ubuntu2~25.04
[USN-7673-1] CRaC JDK 21 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7673-1
July 28, 2025
openjdk-21-crac vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
Summary:
Several security issues were fixed in CRaC JDK 21.
Software Description:
- openjdk-21-crac: Open Source Java implementation with Coordinated Restore at Checkpoints
Details:
It was discovered that the 2D component of CRaC JDK 21 did not properly
manage memory under certain circumstances. An attacker could possibly
use this issue to cause a denial of service or execute arbitrary code.
(CVE-2025-30749, CVE-2025-50106)
Mashroor Hasan Bhuiyan discovered that the JSSE component of CRaC JDK 21
did not properly manage TLS 1.3 handshakes under certain circumstances.
An attacker could possibly use this issue to obtain sensitive
information. (CVE-2025-30754)
Martin van Wingerden and Violeta Georgieva of Broadcom discovered
that the Networking component of CRaC JDK 21 did not properly
manage network connections under certain circumstances. An attacker
could possibly use this issue to obtain sensitive information.
(CVE-2025-50059)
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2025-07-15
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
openjdk-21-crac-jdk 21.0.8+9-0ubuntu2~25.04
openjdk-21-crac-jdk-headless 21.0.8+9-0ubuntu2~25.04
openjdk-21-crac-jre 21.0.8+9-0ubuntu2~25.04
openjdk-21-crac-jre-headless 21.0.8+9-0ubuntu2~25.04
openjdk-21-crac-jre-zero 21.0.8+9-0ubuntu2~25.04
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7673-1
CVE-2025-30749, CVE-2025-30754, CVE-2025-50059, CVE-2025-50106
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-21-crac/21.0.8+9-0ubuntu2~25.04
[USN-7675-1] poppler vulnerability
==========================================================================
Ubuntu Security Notice USN-7675-1
July 28, 2025
poppler vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
poppler could be made to crash or run programs if it opened a specially
crafted file.
Software Description:
- poppler: PDF rendering library
Details:
Kevin Backhouse discovered that poppler incorrectly handled documents with
a large number of annotations. If a user or automated system were tricked
into opening a specially crafted document, a remote attacker could use
this issue to cause poppler to consume resources, leading to a denial of
service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
libpoppler147 25.03.0-3ubuntu1.1
poppler-utils 25.03.0-3ubuntu1.1
Ubuntu 24.04 LTS
libpoppler134 24.02.0-1ubuntu9.5
poppler-utils 24.02.0-1ubuntu9.5
Ubuntu 22.04 LTS
libpoppler118 22.02.0-2ubuntu0.9
poppler-utils 22.02.0-2ubuntu0.9
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7675-1
CVE-2025-52886
Package Information:
https://launchpad.net/ubuntu/+source/poppler/25.03.0-3ubuntu1.1
https://launchpad.net/ubuntu/+source/poppler/24.02.0-1ubuntu9.5
https://launchpad.net/ubuntu/+source/poppler/22.02.0-2ubuntu0.9
[USN-7676-1] SQLite vulnerability
==========================================================================
Ubuntu Security Notice USN-7676-1
July 28, 2025
sqlite3 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
SQLite could be made to crash or run programs if it received specially
crafted input.
Software Description:
- sqlite3: C library that implements an SQL database engine
Details:
It was discovered that SQLite incorrectly handled certain numbers of
aggregate terms. An attacker could use this issue to cause SQLite to crash,
resulting in a denial of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
libsqlite3-0 3.46.1-3ubuntu0.2
Ubuntu 24.04 LTS
libsqlite3-0 3.45.1-1ubuntu2.4
Ubuntu 22.04 LTS
libsqlite3-0 3.37.2-2ubuntu0.5
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7676-1
CVE-2025-6965
Package Information:
https://launchpad.net/ubuntu/+source/sqlite3/3.46.1-3ubuntu0.2
https://launchpad.net/ubuntu/+source/sqlite3/3.45.1-1ubuntu2.4
https://launchpad.net/ubuntu/+source/sqlite3/3.37.2-2ubuntu0.5
[USN-7667-1] OpenJDK 8 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7667-1
July 24, 2025
openjdk-8 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in OpenJDK 8.
Software Description:
- openjdk-8: Open Source Java implementation
Details:
It was discovered that the 2D component of OpenJDK 8 did not properly
manage memory under certain circumstances. An attacker could possibly
use this issue to cause a denial of service or execute arbitrary code.
(CVE-2025-30749, CVE-2025-50106)
Mashroor Hasan Bhuiyan discovered that the JSSE component of OpenJDK 8
did not properly manage TLS 1.3 handshakes under certain circumstances.
An attacker could possibly use this issue to obtain sensitive
information. (CVE-2025-30754)
It was discovered that the Scripting component of OpenJDK 8 did not
properly manage properties under certain circumstances. An attacker
could possibly use this issue to cause a denial of service, execute
arbitrary code or bypass Java sandbox restrictions. (CVE-2025-30761)
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2025-07-15
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
openjdk-8-jdk 8u462-ga~us1-0ubuntu2~25.04.2
openjdk-8-jdk-headless 8u462-ga~us1-0ubuntu2~25.04.2
openjdk-8-jre 8u462-ga~us1-0ubuntu2~25.04.2
openjdk-8-jre-headless 8u462-ga~us1-0ubuntu2~25.04.2
openjdk-8-jre-zero 8u462-ga~us1-0ubuntu2~25.04.2
Ubuntu 24.04 LTS
openjdk-8-jdk 8u462-ga~us1-0ubuntu2~24.04.2
openjdk-8-jdk-headless 8u462-ga~us1-0ubuntu2~24.04.2
openjdk-8-jre 8u462-ga~us1-0ubuntu2~24.04.2
openjdk-8-jre-headless 8u462-ga~us1-0ubuntu2~24.04.2
openjdk-8-jre-zero 8u462-ga~us1-0ubuntu2~24.04.2
Ubuntu 22.04 LTS
openjdk-8-jdk 8u462-ga~us1-0ubuntu2~22.04.2
openjdk-8-jdk-headless 8u462-ga~us1-0ubuntu2~22.04.2
openjdk-8-jre 8u462-ga~us1-0ubuntu2~22.04.2
openjdk-8-jre-headless 8u462-ga~us1-0ubuntu2~22.04.2
openjdk-8-jre-zero 8u462-ga~us1-0ubuntu2~22.04.2
Ubuntu 20.04 LTS
openjdk-8-jdk 8u462-ga~us1-0ubuntu2~20.04.2
Available with Ubuntu Pro
openjdk-8-jdk-headless 8u462-ga~us1-0ubuntu2~20.04.2
Available with Ubuntu Pro
openjdk-8-jre 8u462-ga~us1-0ubuntu2~20.04.2
Available with Ubuntu Pro
openjdk-8-jre-headless 8u462-ga~us1-0ubuntu2~20.04.2
Available with Ubuntu Pro
openjdk-8-jre-zero 8u462-ga~us1-0ubuntu2~20.04.2
Available with Ubuntu Pro
Ubuntu 18.04 LTS
openjdk-8-jdk 8u462-ga~us1-0ubuntu2~18.04.2
Available with Ubuntu Pro
openjdk-8-jdk-headless 8u462-ga~us1-0ubuntu2~18.04.2
Available with Ubuntu Pro
openjdk-8-jre 8u462-ga~us1-0ubuntu2~18.04.2
Available with Ubuntu Pro
openjdk-8-jre-headless 8u462-ga~us1-0ubuntu2~18.04.2
Available with Ubuntu Pro
openjdk-8-jre-zero 8u462-ga~us1-0ubuntu2~18.04.2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
openjdk-8-jdk 8u462-ga~us1-0ubuntu2~16.04.2
Available with Ubuntu Pro
openjdk-8-jdk-headless 8u462-ga~us1-0ubuntu2~16.04.2
Available with Ubuntu Pro
openjdk-8-jre 8u462-ga~us1-0ubuntu2~16.04.2
Available with Ubuntu Pro
openjdk-8-jre-headless 8u462-ga~us1-0ubuntu2~16.04.2
Available with Ubuntu Pro
openjdk-8-jre-jamvm 8u462-ga~us1-0ubuntu2~16.04.2
Available with Ubuntu Pro
openjdk-8-jre-zero 8u462-ga~us1-0ubuntu2~16.04.2
Available with Ubuntu Pro
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7667-1
CVE-2025-30749, CVE-2025-30754, CVE-2025-30761, CVE-2025-50106
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-8/8u462-ga~us1-0ubuntu2~25.04.2
https://launchpad.net/ubuntu/+source/openjdk-8/8u462-ga~us1-0ubuntu2~24.04.2
https://launchpad.net/ubuntu/+source/openjdk-8/8u462-ga~us1-0ubuntu2~22.04.2