Security vulnerability in jaz

[tknerr]

Hi everybody,

in our image scanning via mend.io we found a HIGH security vulnerability in one our FROM mcr.microsoft.com/openjdk/jdk:21-ubuntu images, which seems to be coming in via /usr/bin/jaz (which had been recently added via #132):

Unreachable: 2 Vulnerabilities were found unreachable, which are 100%% of the total vulnerabilities.
GO (/usr/bin/jaz)
+---------+------------------+----------+--------------+-------------------+---------------+-----------------------------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | REACHABILITY | INSTALLED VERSION | FIXED VERSION | DETAILS |
+---------+------------------+----------+--------------+-------------------+---------------+-----------------------------------------------------------+
| stdlib | CVE-2025-61729 | HIGH | Unreachable | 1.24.10 | 1.24.11 | https://www.mend.io/vulnerability-database/CVE-2025-61729 |
+---------+------------------+----------+--------------+-------------------+---------------+-----------------------------------------------------------+
| stdlib | CVE-2025-61727 | UNKNOWN | Unreachable | 1.24.10 | 1.24.11 | https://www.mend.io/vulnerability-database/CVE-2025-61727 |
+---------+------------------+----------+--------------+-------------------+---------------+-----------------------------------------------------------+

Links:

• https://www.mend.io/vulnerability-database/CVE-2025-61729
• https://www.mend.io/vulnerability-database/CVE-2025-61727

In the current mcr.microsoft.com/openjdk/jdk:21-ubuntu image from today (sha256:be600c23cdb2182ce3528b66a0bf59c781dc89e13bf3600b3deb4f5223900efd), there is jaz 0.0.0~preview+20251126.1 installed, but no newer versions available.

(maybe this is rather for the jaz repo, but I couldn't find it -- so as it surfaced via the mcr.microsoft.com/openjdk/jdk:21-ubuntu I'm reporting it here...)

[tknerr]

Latest version on jaz is installed:

# apt list --installed jaz -a
Listing... Done
jaz/jammy,now 0.0.0~preview+20251126.1 amd64 [installed]
jaz/jammy 0.0.0~preview+20251120.1 amd64
jaz/jammy 0.0.0~preview+20251118.1 amd64
jaz/jammy 0.0.0~preview+20251114.2 amd64
jaz/jammy 0.0.0~preview+20251114.1 amd64
jaz/jammy 0.0.0~preview+20251111.1 amd64
jaz/jammy 0.0.0~preview+20251108.1 amd64
jaz/jammy 0.0.0~preview+20251105.1 amd64
jaz/jammy 0.0.0~preview+20251103.3 amd64
jaz/jammy 0.0.0~preview+20251030.1 amd64
jaz/jammy 0.0.0~preview+20251027.1 amd64

Running go version /usr/bin/jaz indicates it has been built with go1.24.10 (which brings in the affected go stdlib 1.24.10):

# go version /usr/bin/jaz
/usr/bin/jaz: go1.24.10 X:systemcrypto

[brunoborges]

Thank you @tknerr for reporting. We have seen this and we are working on it already.

[karianna]

@tknerr A new image has been built and is available if you can try that out?

[brunoborges]

As @karianna said, we rebuilt the tool and published new images. These CVEs have now been addressed.

[tknerr]

Thanks @karianna @brunoborges ! 👍

Yes, I can confirm this is fixed now in latest https://mcr.microsoft.com/en-us/artifact/mar/openjdk/jdk/tag/21-ubuntu at sha256:188af8d3b089644fe00e650e4617462c0fe606ac338168115e11b5d6f127f350

jaz version 0.0.0~preview+20251205.1 is installed now:

# apt list --installed jaz -a
Listing... Done
jaz/jammy,now 0.0.0~preview+20251205.1 amd64 [installed]
jaz/jammy 0.0.0~preview+20251126.1 amd64
jaz/jammy 0.0.0~preview+20251120.1 amd64
jaz/jammy 0.0.0~preview+20251118.1 amd64
jaz/jammy 0.0.0~preview+20251114.2 amd64
jaz/jammy 0.0.0~preview+20251114.1 amd64
jaz/jammy 0.0.0~preview+20251111.1 amd64
jaz/jammy 0.0.0~preview+20251108.1 amd64
jaz/jammy 0.0.0~preview+20251105.1 amd64
jaz/jammy 0.0.0~preview+20251103.3 amd64
jaz/jammy 0.0.0~preview+20251030.1 amd64
jaz/jammy 0.0.0~preview+20251027.1 amd64

go stdlib has been updated to 1.24.11:

# go version /usr/bin/jaz
/usr/bin/jaz: go1.24.11 X:systemcrypto

Also, mend.io scan is no longer complaining after the update to go stdlib 1.24.11

Thanks again for the prompt feedback and fix! 👍