Red Hat Product Errata RHBA-2025:10338 - Bug Fix Advisory
Issued:
2025-07-07
Updated:
2025-07-07

RHBA-2025:10338 - Bug Fix Advisory

Synopsis

updated Red Hat OpenJDK 11 els for RHEL 9 container images

Type/Severity

Bug Fix Advisory

Topic

Updated Red Hat OpenJDK 11 els for RHEL 9 container images are now available

Description

The Red Hat OpenJDK 11 els for RHEL 9 container images have been updated to address the following security advisory: RHSA-2025:10136 (see References)

Users of Red Hat OpenJDK 11 els for RHEL 9 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.

You can find images updated by this advisory in Red Hat Container Catalog (see References).

Solution

The Red Hat OpenJDK 11 els for RHEL 9 container images provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).

Dockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.

Affected Products

  • OpenJDK Java Extended Life Cycle Support 11 for RHEL 9 x86_64
  • OpenJDK Java Extended Life Cycle Support 11 for RHEL 9 s390x
  • OpenJDK Java Extended Life Cycle Support 11 for RHEL 9 ppc64le
  • OpenJDK Java Extended Life Cycle Support 11 for RHEL 9 aarch64

Fixes

  • BZ - 2370010 - CVE-2025-4435 cpython: Tarfile extracts filtered members when errorlevel=0
  • BZ - 2370013 - CVE-2024-12718 cpython: python: Bypass extraction filter to modify file metadata outside extraction directory
  • BZ - 2370014 - CVE-2025-4330 cpython: python: Extraction filter bypass for linking outside extraction directory
  • BZ - 2370016 - CVE-2025-4517 python: cpython: Arbitrary writes via tarfile realpath overflow
  • BZ - 2372426 - CVE-2025-4138 cpython: python: Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory

aarch64

openjdk-els/openjdk-11-rhel9@sha256:a934f687953475f0d4d9dd5fdb214d3e22a73d5c0655b8d4d56862af2a2342b5
openjdk-els/openjdk-11-runtime-rhel9@sha256:947bc1a37e68630bafb2e53573812bc741a8c5c8629cd46557d006d5a2da2ae0

ppc64le

openjdk-els/openjdk-11-rhel9@sha256:a59db3ebd7ca540bd0af1444fc56a5c3c48c1ede3a89e3cc6375afb4dca8a86e
openjdk-els/openjdk-11-runtime-rhel9@sha256:7b98e6f90c271a1ecabdb16daf950615c14da0f347bf523808056c17b9dde850

s390x

openjdk-els/openjdk-11-rhel9@sha256:16653db555adb8679c48bfba2f56c21155e5457d47a28979df11564fc2f59635
openjdk-els/openjdk-11-runtime-rhel9@sha256:2b0379e7066eb10f971a4bda108544c62674ca0e3f349ed9413c424783b420c1

x86_64

openjdk-els/openjdk-11-rhel9@sha256:041ca3a2668c9fe42ad1cb64d6b333c29e351cba16018caa22be2734e3c626b8
openjdk-els/openjdk-11-runtime-rhel9@sha256:b402e0e03fe8c804e2fd08a3460c2092c9ba7b239c399ddd907e6d61b7b8b8de

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.