Fedora 32: FEDORA-2020-e418151dc3 Critical: OpenJDK 8 Security Fixes

The OpenJDK runtime environment 8.

# July 2020 OpenJDK security update for OpenJDK 8. Full release notes:

https://mail.openjdk.org/pipermail/jdk8u-dev/2020-July/012143.html ## New features *

[JDK-8223147](https://bugs.openjdk.org/browse/JDK-8223147): JFR Backport

## Security fixes - JDK-8028431, CVE-2020-14579: NullPointerException in

DerValue.equals(DerValue) - JDK-8028591, CVE-2020-14578:

NegativeArraySizeException in

sun.security.util.DerInputStream.getUnalignedBitString() - JDK-8230613: Better

ASCII conversions - JDK-8231800: Better listing of arrays - JDK-8232014:

Expand DTD support - JDK-8233255: Better Swing Buttons - JDK-8234032:

Improve basic calendar services - JDK-8234042: Better factory production of

certificates - JDK-8234418: Better parsing with CertificateFactory -JDK-8234836: Improve serialization handling - JDK-8236191: Enhance OID

processing - JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior -JDK-8237592, CVE-2020-14577: Enhance certificate verification - JDK-8238002,

CVE-2020-14581: Better matrix operations - JDK-8238804: Enhance key handling

process - JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable -JDK-8238843: Enhanced font handing - JDK-8238920, CVE-2020-14583: Better

Buffer support - JDK-8238925: Enhance WAV file playback - JDK-8240119,

CVE-2020-14593: Less Affine Transformations - JDK-8240482: Improved WAV file

playback - JDK-8241379: Update JCEKS support - JDK-8241522: Manifest

improved jar headers redux - JDK-8242136, CVE-2020-14621: Better XML namespace

handling ## [JDK-8240687](https://bugs.openjdk.org/browse/JDK-8240687):

JDK Flight Recorder Integrated to OpenJDK 8u OpenJDK 8u now contains the

backport of JEP 328: Flight Recorder (https://openjdk.org/jeps/328) from

later versions of OpenJDK. JFR is a low-overhead framework to collect and

provide data helpful to troubleshoot the performance of the OpenJDK runtime and

of Java applications. It consists of a new API to define custom events under the

jdk.jfr namespace and a JMX interface to interact with the framework. The

recording can also be initiated with the application startup using the

-XX:+FlightRecorder flag or via jcmd. JFR replaces the +XX:EnableTracing feature

introduced in JEP 167, providing a more efficient way to retrieve the same

information. For compatibility reasons, +XX:EnableTracing is still accepted,

however no data will be printed. While JFR is not built by default upstream, it

is included in Fedora binaries for supported architectures (x86_64, AArch64 &

PowerPC 64) ## [JDK-8205622](https://bugs.openjdk.org/browse/JDK-8205622):

JFR Start Failure After AppCDS Archive Created with JFR StartFlightRecording

JFR will be disabled with a warning message if it is enabled during CDS dumping.

The user will see the following warning message: OpenJDK 64-Bit Server VM

warning: JFR will be disabled during CDS dumping if JFR is enabled during CDS

dumping such as in the following command line: $ java -Xshare:dump

-XX:StartFlightRecording=dumponexit=true ##

[JDK-8244167](https://bugs.openjdk.org/browse/JDK-8244167): Removal of

Comodo Root CA Certificate The following expired Comodo root CA certificate was

removed from the `cacerts` keystore: + alias name "addtrustclass1ca [jdk]"

Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network,

O=AddTrust AB, C=SE ##

[JDK-8244166](https://bugs.openjdk.org/browse/JDK-8244166): Removal of

DocuSign Root CA Certificate The following expired DocuSign root CA certificate

was removed from the `cacerts` keystore: + alias name "keynectisrootca [jdk]"

Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR ##

[JDK-8240191](https://bugs.openjdk.org/browse/JDK-8240191): Allow SunPKCS11

initialization with NSS when external FIPS modules are present in the Security

Modules Database The SunPKCS11 security provider can now be initialized with

NSS when FIPS-enabled external modules are configured in the Security Modules

Database (NSSDB). Prior to this change, the SunPKCS11 provider would throw a

RuntimeException with the message: "FIPS flag set for non-internal module" when

such a library was configured for NSS in non-FIPS mode. This change allows the

JDK to work properly with recent NSS releases on GNU/Linux operating systems

when the system-wide FIPS policy is turned on. Further information can be found

in [JDK-8238555](https://bugs.openjdk.org/browse/JDK-8238555).

* Mon Jul 13 2020 Jiri Vanek - 1:1.8.0.262.b10-1

- Set vendor property and vendor URLs

- Made URLs to be preconfigured by OS

* Sun Jul 12 2020 Andrew Hughes - 1:1.8.0.262.b10-0

- Update to aarch64-shenandoah-jdk8u262-b10.

- Update release notes for 8u262 release.

- Remove issues in NEWS file duplicated between 8u252 & 8u262 releases.

- Update generate_source_tarball.sh script to use the PR3756 patch and retain the secp256k1 curve.

- Add the -'4curve' suffix to the tarball name.

- Adjust JDK-8143245/PR3548 patch following context changes due to JDK-8203287 for JFR

- Adjust RH1648644 following context changes due to introduction of JFR packages

- Split JDK-8042159 patch into per-repo patches as upstream.

- Update JDK-8042159 JDK patch to apply after JDK-8238002 changes to Awt2dLibraries.gmk

- Remove JDK-8244461 & JDK-8233880 backports included upstream in 8u262-b03.

- Enable JFR in our builds, ahead of upstream default.

- Only enable JFR for JIT builds, as it is not supported with Zero.

- Turn off JFR on x86 for now due to assert(SerializePageShiftCount == count) crash.

- Explicitly list jfr.jar, default.jfc & profile.jfc in the spec file.

- Introduce jfr_arches for architectures which support JFR.

- Fix typo in jfr_arches which leads to ppc64 being wrongly excluded.

- Add jfr binary to devel package and alternatives set

- With JDK-8248399 fixed, a broken jfr binary is no longer installed on architectures without JFR.

- Require tzdata 2020a so system tzdata matches resource updates in b07

- Use sa_arches for libsaproc.so inclusion.

* Wed May 27 2020 Jiri Andrlik - 1:1.8.0.252.b09-2

- backports of provides fixes from master

su -c 'dnf upgrade --advisory FEDORA-2020-e418151dc3' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/