25.0.0.9

IsmathBadsha · github-actions · commit 2afb018bf80a · 2025-08-29T06:10:54.000Z
diff --git a/posts/2025-09-09-25.0.0.9.adoc b/posts/2025-09-09-25.0.0.9.adoc
@@ -0,0 +1,306 @@
+---
+layout: post
+title: "TITLE"
+# Do NOT change the categories section
+categories: blog
+author_picture: https://avatars3.githubusercontent.com/IsmathBadsha
+author_github: https://github.com/IsmathBadsha
+seo-title: TITLE - makes sure it ends with - OpenLiberty.io
+seo-description: DESCRIPTION
+blog_description: DESCRIPTION
+open-graph-image: https://openliberty.io/img/twitter_card.jpg
+open-graph-image-alt: Open Liberty Logo
+---
+= TITLE
+Ismath Badsha <https://github.com/IsmathBadsha>
+:imagesdir: /
+:url-prefix:
+:url-about: /
+//Blank line here is necessary before starting the body of the post.
+
+// // // // // // // //
+// In the preceding section:
+// Do not insert any blank lines between any of the lines.
+// Do not remove or edit the variables on the lines beneath the author name.
+//
+// "open-graph-image" is set to OL logo. Whenever possible update this to a more appropriate/specific image (For example if present a image that is being used in the post). However, it
+// can be left empty which will set it to the default
+//
+// "open-graph-image-alt" is a description of what is in the image (not a caption). When changing "open-graph-image" to
+// a custom picture, you must provide a custom string for "open-graph-image-alt".
+//
+// Replace TITLE with the blog post title eg: MicroProfile 3.3 is now available on Open Liberty 20.0.0.4
+// Replace IsmathBadsha with your GitHub username eg: lauracowen
+// Replace DESCRIPTION with a short summary (~60 words) of the release (a more succinct version of the first paragraph of the post).
+// Replace Ismath Badsha with your name as you'd like it to be displayed, eg: Laura Cowen
+//
+// Example post: 2020-04-09-microprofile-3-3-open-liberty-20004.adoc
+//
+// If adding image into the post add :
+// -------------------------
+// [.img_border_light]
+// image::img/blog/FILE_NAME[IMAGE CAPTION ,width=70%,align="center"]
+// -------------------------
+// "[.img_border_light]" = This adds a faint grey border around the image to make its edges sharper. Use it around screenshots but not           
+// around diagrams. Then double check how it looks.
+// There is also a "[.img_border_dark]" class which tends to work best with screenshots that are taken on dark
+// backgrounds.
+// Change "FILE_NAME" to the name of the image file. Also make sure to put the image into the right folder which is: img/blog
+// change the "IMAGE CAPTION" to a couple words of what the image is
+// // // // // // // //
+
+RELEASE_SUMMARY
+
+// // // // // // // //
+// In the preceding section:
+// Leave any instances of `tag::xxxx[]` or `end:xxxx[]` as they are.
+//
+// Replace RELEASE_SUMMARY with a short paragraph that summarises the release. Start with the lead feature but also summarise what else is new in the release. You will agree which will be the lead feature with the reviewers so you can just leave a placeholder here until after the initial review.
+// // // // // // // //
+
+// // // // // // // //
+// Replace the following throughout the document:
+//   Replace 25.0.0.9 with the version number of Open Liberty, eg: 22.0.0.2
+//   Replace 25009 with the version number of Open Liberty wihtout the periods, eg: 22002
+// // // // // // // //
+
+In link:{url-about}[Open Liberty] 25.0.0.9:
+
+* <<SUB_TAG_0, Add ECDH-ES support to JwtBuilder>>
+* <<CVEs, Security Vulnerability (CVE) Fixes>>
+* <<bugs, Notable bug fixes>>
+
+
+// // // // // // // //
+// If there were updates to guides since last release, keep the following, otherwise remove section.
+// // // // // // // //
+Along with the new features and functions added to the runtime, we’ve also made <<guides, updates to our guides>>.
+
+// // // // // // // //
+// In the preceding section:
+// Replace the TAG_X with a short label for the feature in lower-case, eg: mp3
+// Replace the FEATURE_1_HEADING with heading the feature section, eg: MicroProfile 3.3
+// Where the updates are grouped as sub-headings under a single heading 
+//   (eg all the features in a MicroProfile release), provide sub-entries in the list; 
+//   eg replace SUB_TAG_1 with mpr, and SUB_FEATURE_1_HEADING with 
+//   Easily determine HTTP headers on outgoing requests (MicroProfile Rest Client 1.4)
+// // // // // // // //
+
+View the list of fixed bugs in link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A25009+label%3A%22release+bug%22[25.0.0.9].
+
+Check out link:{url-prefix}/blog/?search=release&search!=beta[previous Open Liberty GA release blog posts].
+
+
+[#run]
+
+// // // // // // // //
+// LINKS
+//
+// OpenLiberty.io site links:
+// link:{url-prefix}/guides/maven-intro.html[Maven]
+// 
+// Off-site links:
+//link:https://openapi-generator.tech/docs/installation#jar[Download Instructions]
+//
+// IMAGES
+//
+// Place images in ./img/blog/
+// Use the syntax:
+// image::/img/blog/log4j-rhocp-diagrams/current-problem.png[Logging problem diagram,width=70%,align="center"]
+// // // // // // // //
+
+== Develop and run your apps using 25.0.0.9
+
+If you're using link:{url-prefix}/guides/maven-intro.html[Maven], include the following in your `pom.xml` file:
+
+[source,xml]
+----
+<plugin>
+    <groupId>io.openliberty.tools</groupId>
+    <artifactId>liberty-maven-plugin</artifactId>
+    <version>3.8.2</version>
+</plugin>
+----
+
+Or for link:{url-prefix}/guides/gradle-intro.html[Gradle], include the following in your `build.gradle` file:
+
+[source,gradle]
+----
+buildscript {
+    repositories {
+        mavenCentral()
+    }
+    dependencies {
+        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.6.2'
+    }
+}
+apply plugin: 'liberty'
+----
+// // // // // // // //
+// In the preceding section:
+// Replace the Maven `3.8.2` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-maven-plugin
+// Replace the Gradle `3.6.2` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-gradle-plugin
+// TODO: Update GHA to automatically do the above.  If the maven.org is problematic, then could fallback to using the GH Releases for the plugins
+// // // // // // // //
+
+Or if you're using link:{url-prefix}/docs/latest/container-images.html[container images]:
+
+[source]
+----
+FROM icr.io/appcafe/open-liberty
+----
+
+Or take a look at our link:{url-prefix}/start/[Downloads page].
+
+If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging and application management all from within your IDE. 
+
+[link=https://stackoverflow.com/tags/open-liberty]
+image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="center"]
+
+// // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // // 
+// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/32660
+// Contact/Reviewer: tloodu
+// // // // // // // // 
+[#SUB_TAG_0]
+== Add ECDH-ES support to JwtBuilder
+
+Please provide a summary of the update, including the following points:
+   
+   - A sentence or two that introduces the update to someone new to the general technology/concept.
+     - JwtBuilder now supports use of ECDH-ES (Elliptic Curve Diffie-Hellman Ephemeral Static) as a key management algorithm. This enables usage of Elliptic Curve algorithms for wrapping the Content Encryption Key (CEK) of a JWE.
+   - The Human-readable name and short feature name for your feature- eg WebSockets feature (websockets-1.0).
+     - This is enabled in the `keyManagementKeyAlgorithm` attribute in the `jwtBuilder` element of the `JSON Web Token 1.0` (`jwt-1.0`) feature.
+   - Who is the target persona? Who do you expect to use the update? eg application developer, operations. 
+     - Application developers.
+   - What was the problem before and how does your update make their life better? (Why should they care?)
+     - Developers were limited to using RSA-OAEP as the key management algorithm when encrypting or deriving the Content Encryption Key of a JWE. The ECDH-ES option allows for an alternative with better security.
+   - Briefly explain how to make your update work. Include screenshots, diagrams, and/or code snippets, and provide a `server.xml` snippet. 
+     - To use ECDH-ES, an Elliptic Curve public key must be defined in the `keyManagementKeyAlias` attribute. An EC public and private key pair can be created using securityUtility or keytool:
+       - `./securityUtility createSSLCertificate --sigAlg=SHA256withECDSA --keySize=256 --server=myServer --validity=3650 --password=password`
+       - `keytool -genkeypair -alias eccert -keyalg EC -groupname secp256r1 -validity 3650 -storetype pkcs12 -keystore myKeystore.p12 -storepass password`
+     - ECDH-ES can be configured under the `keyManagementKeyAlgorithm` attribute in a JwtBuilder configuration.
+     - The EC public key for encryption must be specified with its alias under `keyManagementKeyAlias`. Additionally, its keystore must be specified under `trustStoreRef`.
+     - Server.xml:
+
+```xml
+<jwtBuilder
+    keyManagementKeyAlgorithm="ECDH-ES"
+    keyManagementKeyAlias="myECPublicKey"
+    trustStoreRef="myTrustStore" ... />
+```
+   - Where can they find out more about this specific update (eg Open Liberty docs, Javadoc) and/or the wider technology? 
+     - https://openliberty.io/docs/latest/reference/config/jwtBuilder.html
+    
+    
+
+
+   
+// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC> 
+
+
+For more details, check the LINK[LINK_DESCRIPTION].
+
+// // // // // // // //
+// In the preceding section:
+// Replace TAG_X/SUB_TAG_X with the given tag of your secton from the contents list
+// Replace SUB_FEATURE_TITLE/FEATURE_X_TITLE with the given title from the contents list 
+// Replace FEATURE with the feature name for the server.xml file e.g. mpHealth-1.4
+// Replace LINK with the link for extra information given for the feature
+// Replace LINK_DESCRIPTION with a readable description of the information
+// // // // // // // //
+
+[#CVEs]
+== Security vulnerability (CVE) fixes in this release
+[cols="5*"]
+|===
+|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes
+
+|Link[CVE-XXXX-XXXXX]
+|Score
+|vulnerability
+|Affected versions
+|Affected Features and other notes
+|===
+// // // // // // // //
+// In the preceding section:
+// If there were any CVEs addressed in this release, fill out the table.  For the information, reference https://github.com/OpenLiberty/docs/blob/draft/modules/ROOT/pages/security-vulnerabilities.adoc.  If it has not been updated for this release, reach out to Kristen Clarke or Michal Broz.
+// Note: When linking to features, use the 
+// `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` format and 
+// NOT what security-vulnerabilities.adoc does (feature:someFeature-1.0[])
+//
+// If there are no CVEs fixed in this release, replace the table with: 
+// "There are no security vulnerability fixes in Open Liberty [25.0.0.9]."
+// // // // // // // //
+For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list].
+
+
+[#bugs]
+== Notable bugs fixed in this release
+
+
+We’ve spent some time fixing bugs. The following sections describe just some of the issues resolved in this release. If you’re interested, here’s the  link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A25009+label%3A%22release+bug%22[full list of bugs fixed in 25.0.0.9].
+
+* link:https://github.com/OpenLiberty/open-liberty/issues/32507[IBM WebSphere Application Server Liberty is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)]
++
+
+* link:https://github.com/OpenLiberty/open-liberty/issues/32497[`CORBA MARSHAL` when sending a `Comparable` field containing a `String`]
++
+
+* link:https://github.com/OpenLiberty/open-liberty/issues/32487[IBM WebSphere Application Server Liberty is affected by a security bypass vulnerability (CVE-2025-36124 CVSS 5.9)]
++
+
+* link:https://github.com/OpenLiberty/open-liberty/issues/32478[Address CVE-2025-36000]
++
+
+* link:https://github.com/OpenLiberty/open-liberty/issues/32446[IBM WebSphere Application Server Liberty is affected by a denial of service (CVE-2025-36047 CVSS 5.3)]
++
+
+* link:https://github.com/OpenLiberty/open-liberty/issues/32197[MP OpenAPI does not preserve the order of maps when merging documents]
++
+
+* link:https://github.com/OpenLiberty/open-liberty/issues/32151[Using parentLast delegation causes inconsistent parent delegation when using common library references]
++
+
+* link:https://github.com/OpenLiberty/open-liberty/issues/32118[DuplicateHomeNameException occurs during EJB application restart after an error occurs during the application start]
++
+
+* link:https://github.com/OpenLiberty/open-liberty/issues/31962[openidConnectClient cannot handle low case "bearer" as token_type]
++
+
+* link:https://github.com/OpenLiberty/open-liberty/issues/31949[Cannot stop generating `trace.log` file]
++
+
+* link:https://github.com/OpenLiberty/open-liberty/issues/31374[For HTTP stats, the http route attribute is not merging/abstracting requests that contain Path params for springboot application]
++
+
+
+// // // // // // // //
+// In the preceding section:
+// For this section ask either Michal Broz or Tom Evans or the #openliberty-release-blog channel for Notable bug fixes in this release.
+// Present them as a list in the order as provided, linking to the issue and providing a short description of the bug and the resolution.
+// If the issue on Github is missing any information, leave a comment in the issue along the lines of:
+// "@[issue_owner(s)] please update the description of this `release bug` using the [bug report template](https://github.com/OpenLiberty/open-liberty/issues/new?assignees=&labels=release+bug&template=bug_report.md&title=)" 
+// Feel free to message the owner(s) directly as well, especially if no action has been taken by them.
+// For inspiration about how to write this section look at previous blogs e.g- 20.0.0.10 or 21.0.0.12 (https://openliberty.io/blog/2021/11/26/jakarta-ee-9.1.html#bugs)
+// // // // // // // //
+
+
+// // // // // // // //
+// If there were updates to guides since last release, keep the following, otherwise remove section.
+// Check with Gilbert Kwan, otherwise Michal Broz or YK Chang
+// // // // // // // //
+[#guides]
+== New and updated guides since the previous release
+As Open Liberty features and functionality continue to grow, we continue to add link:https://openliberty.io/guides/?search=new&key=tag[new guides to openliberty.io] on those topics to make their adoption as easy as possible.  Existing guides also receive updates to address any reported bugs/issues, keep their content current, and expand what their topic covers.
+
+// // // // // // // //
+// In the following section, list any new guides, or changes/updates to existing guides.  
+// The following is an example of how the list can be structured (similar to the bugs section):
+// * link:{url-prefix}/guides/[new/updated guide].html[Guide Title]
+//  ** Description of the guide or the changes made to the guide.
+// // // // // // // //
+
+
+== Get Open Liberty 25.0.0.9 now
+
+Available through <<run,Maven, Gradle, Docker, and as a downloadable archive>>.
