Open JDK build number for JDK 8 is displayed incorrectly in java -version output.
25.05.0.0
25.05.0.0
Release date: June 4, 2025
This PSU release is based on the Azul Zing Build of OpenJDK (Zing) 25.04.0.0 and corresponds to the following OpenJDK versions:
| Major Version | OpenJDK Version |
|---|---|
8 |
1.8.0_452-b9 |
11 |
11.0.27+6-LTS |
17 |
17.0.15+6-LTS |
21 |
21.0.7+6-LTS |
What’s New
-
Zing 25.05.0.0 implements an additional parameter to the
Xlogcommand line option when you are using unified logging,savecount. You can use this parameter to preserve the starting logs during log rotation, for example:-Xlog:gc:gc.log::filecount=5,filesize=20M,savecount=1Note that this parameter only works with unified logging. If you have unified logging disabled, you can still achieve the same result using the command line option
-XX:StartupGCLogSaveCount=<number of save counts>. -
Zing 25.05.0.0 introduces two new command line options which modify the behavior of code cache flushing:
-
-XX:+EnableC1FlushingUnderEmergency- Enables C1 code cache flushing after the emergency threshold has been reached. This option is true by default. -
-XX:+EnableTier2FlushingUnderEmergency- Enables Tier 2 code cache flushing after the emergency threshold has been reached. This option is true by default.
These new options apply to both
-XX:+UseEmergencyCodeCacheFlushing, which is default, and-XX:+UseIncrementalCodeCacheFlushing, which is non-default. When-XX:+UseIncrementalCodeCacheFlushingis enabled, the older flagsEnableC1FlushingandEnableTier2Flushingcontrol which code blobs are flushed as long as code cache is below the "high" threshold. The new flags control code caching behaviour after the "high" threshold is crossed. -
-
The size of Zing installer and the installation on disc were reduced by removing files from the directory
product/etc/connected-compiler/bin (lib). -
April 2025 PSU release security fixes.
CVE fixes
| CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
JSSE |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
21, 17, 11, 8 |
Note 2 |
|
2D |
Multiple |
Yes |
5.6 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
Low |
21, 17, 11, 8 |
Note 1 |
|
CVE-2025-23083 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Node (Node.js) |
None |
No |
7.7 |
Local |
Low |
None |
None |
Unchanged |
High |
High |
None |
None |
|
CVE-2024-47606 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX (gstreamer) |
Multiple |
Yes |
7.5 |
Network |
High |
None |
Required |
Unchanged |
High |
High |
High |
None |
Note 1 |
CVE-2024-54534 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX (WebKitGTK) |
Multiple |
Yes |
7.5 |
Network |
High |
None |
Required |
Unchanged |
High |
High |
High |
None |
Note 1 |
CVE-2025-30691 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Compiler |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
None |
Note 1 |
Notes:
| ID | Notes |
|---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
Additional CVEs addressed are:
-
The patch for CVE-2024-54534 also addresses CVE-2024-27856, CVE-2024-40866, CVE-2024-44185, CVE-2024-44187, CVE-2024-44244, CVE-2024-44296, CVE-2024-44308, CVE-2024-44309, CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54508, CVE-2024-54543, CVE-2025-24143, CVE-2025-24150, CVE-2025-24158, and CVE-2025-24162.
-
The patch for CVE-2024-47606 also addresses CVE-2024-47544, CVE-2024-47545, CVE-2024-47546, CVE-2024-47596, CVE-2024-47597, CVE-2024-47775, CVE-2024-47776, CVE-2024-47777, and CVE-2024-47778.
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for April 2025