--------------------------------------------------------------------------------Fedora Update Notification
FEDORA-2020-5d0b4a2b5b
2020-07-24 01:13:00.082761
--------------------------------------------------------------------------------Name        : java-11-openjdk
Product     : Fedora 32
Version     : 11.0.8.10
Release     : 2.fc32
URL         : https://openjdk.org/
Summary     : OpenJDK Runtime Environment 11
Description :
The OpenJDK runtime environment.

--------------------------------------------------------------------------------Update Information:

# July 2020 OpenJDK security update for OpenJDK 11 Full release notes:
https://bitly.com/openjdk1108  ## Security fixes      - JDK-8230613: Better
ASCII conversions   - JDK-8231800: Better listing of arrays   - JDK-8232014:
Expand DTD support   - JDK-8233234: Better Zip Naming   - JDK-8233239,
CVE-2020-14562: Enhance TIFF support   - JDK-8233255: Better Swing Buttons   -JDK-8234032: Improve basic calendar services   - JDK-8234042: Better factory
production of certificates   - JDK-8234418: Better parsing with
CertificateFactory   - JDK-8234836: Improve serialization handling   -JDK-8236191: Enhance OID processing   - JDK-8236867, CVE-2020-14573: Enhance
Graal interface handling   - JDK-8237117, CVE-2020-14556: Better ForkJoinPool
behavior   - JDK-8237592, CVE-2020-14577: Enhance certificate verification   -JDK-8238002, CVE-2020-14581: Better matrix operations   - JDK-8238013: Enhance
String writing   - JDK-8238804: Enhance key handling process   - JDK-8238842:
AIOOBE in GIFImageReader.initializeStringTable   - JDK-8238843: Enhanced font
handing   - JDK-8238920, CVE-2020-14583: Better Buffer support   - JDK-8238925:
Enhance WAV file playback   - JDK-8240119, CVE-2020-14593: Less Affine
Transformations   - JDK-8240482: Improved WAV file playback   - JDK-8241379:
Update JCEKS support   - JDK-8241522: Manifest improved jar headers redux   -JDK-8242136, CVE-2020-14621: Better XML namespace handling  ##
[JDK-8244167](https://bugs.openjdk.org/browse/JDK-8244167): Removal of
Comodo Root CA Certificate  The following expired Comodo root CA certificate was
removed from the `cacerts` keystore: + alias name "addtrustclass1ca [jdk]"
Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network,
O=AddTrust AB, C=SE  ##
[JDK-8244166](https://bugs.openjdk.org/browse/JDK-8244166): Removal of
DocuSign Root CA Certificate  The following expired DocuSign root CA certificate
was removed from the `cacerts` keystore: + alias name "keynectisrootca [jdk]"
Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR  ##
[JDK-8240191](https://bugs.openjdk.org/browse/JDK-8240191): Allow SunPKCS11
initialization with NSS when external FIPS modules are present in the Security
Modules Database  The SunPKCS11 security provider can now be initialized with
NSS when FIPS-enabled external modules are configured in the Security Modules
Database (NSSDB). Prior to this change, the SunPKCS11 provider would throw a
RuntimeException with the message: "FIPS flag set for non-internal module" when
such a library was configured for NSS in non-FIPS mode.  This change allows the
JDK to work properly with recent NSS releases in GNU/Linux operating systems
when the system-wide FIPS policy is turned on.  Further information can be found
in [JDK-8238555](https://bugs.openjdk.org/browse/JDK-8238555).  ##
[JDK-8245077](https://bugs.openjdk.org/browse/JDK-8245077): Default
SSLEngine Should Create in Server Role  In JDK 11 and later,
`javax.net.ssl.SSLEngine` by default used client mode when handshaking.  As a
result, the set of default enabled protocols may differ to what is expected.
`SSLEngine` would usually be used in server mode. From this JDK release onwards,
`SSLEngine` will default to server mode. The
`javax.net.ssl.SSLEngine.setUseClientMode(boolean mode)` method may be used to
configure the mode.  ##
[JDK-8242147](https://bugs.openjdk.org/browse/JDK-8242147): New System
Properties to Configure the TLS Signature Schemes  Two new System Properties are
added to customize the TLS signature schemes in JDK.
`jdk.tls.client.SignatureSchemes` is added for TLS client side, and
`jdk.tls.server.SignatureSchemes` is added for server side.  Each System
Property contains a comma-separated list of supported signature scheme names
specifying the signature schemes that could be used for the TLS connections.
The names are described in the "Signature Schemes" section of the *Java Security
Standard Algorithm Names Specification*.
--------------------------------------------------------------------------------ChangeLog:

* Sat Jul 18 2020 Severin Gehwolf  - 1:11.0.8.10-2
- Build static-libs-image and add resulting files via -static-libs
  sub-package.
- Disable stripping of debug symbols for static libraries part of
  the -static-libs sub-package.
* Mon Jul 13 2020 Andrew Hughes  - 1:11.0.8.10-1
- Sync JDK-8247874 patch with upstream status in 11.0.9.
* Mon Jul 13 2020 Jayashree Huttanagoudar  -1:11.0.8.10-1
- Moved vendor_version_string to better place
- Added a patch jdk8247874-fix_ampersand_in_vm_bug_url.patch
* Mon Jul 13 2020 Jiri Vanek  - 1:11.0.8.10-1
- Set vendor property and vendor URLs
- Made urls to be preconfigured by OS
* Sat Jul 11 2020 Andrew Hughes  - 1:11.0.8.10-0
- Update to shenandoah-jdk-11.0.8+10 (GA)
- Add release notes for 11.0.7 & 11.0.8 releases.
- Amend release notes, removing issue actually fixed in 11.0.6.
- Update release notes with last minute fix (JDK-8248505).
- Drop JDK-8237396, JDK-8228407 & JDK-8243541 backports now applied upstream.
- Make use of --with-extra-asflags introduced in jdk-11.0.6+1.
--------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-5d0b4a2b5b' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Fedora 32: java-11-openjdk 2020-5d0b4a2b5b

July 23, 2020
# July 2020 OpenJDK security update for OpenJDK 11 Full release notes: https://bitly.com/openjdk1108 ## Security fixes - JDK-8230613: Better ASCII conversions - JDK-8231800: Bet...

Summary

The OpenJDK runtime environment.

# July 2020 OpenJDK security update for OpenJDK 11 Full release notes:

https://bitly.com/openjdk1108 ## Security fixes - JDK-8230613: Better

ASCII conversions - JDK-8231800: Better listing of arrays - JDK-8232014:

Expand DTD support - JDK-8233234: Better Zip Naming - JDK-8233239,

CVE-2020-14562: Enhance TIFF support - JDK-8233255: Better Swing Buttons -JDK-8234032: Improve basic calendar services - JDK-8234042: Better factory

production of certificates - JDK-8234418: Better parsing with

CertificateFactory - JDK-8234836: Improve serialization handling -JDK-8236191: Enhance OID processing - JDK-8236867, CVE-2020-14573: Enhance

Graal interface handling - JDK-8237117, CVE-2020-14556: Better ForkJoinPool

behavior - JDK-8237592, CVE-2020-14577: Enhance certificate verification -JDK-8238002, CVE-2020-14581: Better matrix operations - JDK-8238013: Enhance

String writing - JDK-8238804: Enhance key handling process - JDK-8238842:

AIOOBE in GIFImageReader.initializeStringTable - JDK-8238843: Enhanced font

handing - JDK-8238920, CVE-2020-14583: Better Buffer support - JDK-8238925:

Enhance WAV file playback - JDK-8240119, CVE-2020-14593: Less Affine

Transformations - JDK-8240482: Improved WAV file playback - JDK-8241379:

Update JCEKS support - JDK-8241522: Manifest improved jar headers redux -JDK-8242136, CVE-2020-14621: Better XML namespace handling ##

[JDK-8244167](https://bugs.openjdk.org/browse/JDK-8244167): Removal of

Comodo Root CA Certificate The following expired Comodo root CA certificate was

removed from the `cacerts` keystore: + alias name "addtrustclass1ca [jdk]"

Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network,

O=AddTrust AB, C=SE ##

[JDK-8244166](https://bugs.openjdk.org/browse/JDK-8244166): Removal of

DocuSign Root CA Certificate The following expired DocuSign root CA certificate

was removed from the `cacerts` keystore: + alias name "keynectisrootca [jdk]"

Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR ##

[JDK-8240191](https://bugs.openjdk.org/browse/JDK-8240191): Allow SunPKCS11

initialization with NSS when external FIPS modules are present in the Security

Modules Database The SunPKCS11 security provider can now be initialized with

NSS when FIPS-enabled external modules are configured in the Security Modules

Database (NSSDB). Prior to this change, the SunPKCS11 provider would throw a

RuntimeException with the message: "FIPS flag set for non-internal module" when

such a library was configured for NSS in non-FIPS mode. This change allows the

JDK to work properly with recent NSS releases in GNU/Linux operating systems

when the system-wide FIPS policy is turned on. Further information can be found

in [JDK-8238555](https://bugs.openjdk.org/browse/JDK-8238555). ##

[JDK-8245077](https://bugs.openjdk.org/browse/JDK-8245077): Default

SSLEngine Should Create in Server Role In JDK 11 and later,

`javax.net.ssl.SSLEngine` by default used client mode when handshaking. As a

result, the set of default enabled protocols may differ to what is expected.

`SSLEngine` would usually be used in server mode. From this JDK release onwards,

`SSLEngine` will default to server mode. The

`javax.net.ssl.SSLEngine.setUseClientMode(boolean mode)` method may be used to

configure the mode. ##

[JDK-8242147](https://bugs.openjdk.org/browse/JDK-8242147): New System

Properties to Configure the TLS Signature Schemes Two new System Properties are

added to customize the TLS signature schemes in JDK.

`jdk.tls.client.SignatureSchemes` is added for TLS client side, and

`jdk.tls.server.SignatureSchemes` is added for server side. Each System

Property contains a comma-separated list of supported signature scheme names

specifying the signature schemes that could be used for the TLS connections.

The names are described in the "Signature Schemes" section of the *Java Security

Standard Algorithm Names Specification*.

* Sat Jul 18 2020 Severin Gehwolf - 1:11.0.8.10-2

- Build static-libs-image and add resulting files via -static-libs

sub-package.

- Disable stripping of debug symbols for static libraries part of

the -static-libs sub-package.

* Mon Jul 13 2020 Andrew Hughes - 1:11.0.8.10-1

- Sync JDK-8247874 patch with upstream status in 11.0.9.

* Mon Jul 13 2020 Jayashree Huttanagoudar -1:11.0.8.10-1

- Moved vendor_version_string to better place

- Added a patch jdk8247874-fix_ampersand_in_vm_bug_url.patch

* Mon Jul 13 2020 Jiri Vanek - 1:11.0.8.10-1

- Set vendor property and vendor URLs

- Made urls to be preconfigured by OS

* Sat Jul 11 2020 Andrew Hughes - 1:11.0.8.10-0

- Update to shenandoah-jdk-11.0.8+10 (GA)

- Add release notes for 11.0.7 & 11.0.8 releases.

- Amend release notes, removing issue actually fixed in 11.0.6.

- Update release notes with last minute fix (JDK-8248505).

- Drop JDK-8237396, JDK-8228407 & JDK-8243541 backports now applied upstream.

- Make use of --with-extra-asflags introduced in jdk-11.0.6+1.

su -c 'dnf upgrade --advisory FEDORA-2020-5d0b4a2b5b' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

FEDORA-2020-5d0b4a2b5b 2020-07-24 01:13:00.082761 Product : Fedora 32 Version : 11.0.8.10 Release : 2.fc32 URL : https://openjdk.org/ Summary : OpenJDK Runtime Environment 11 Description : The OpenJDK runtime environment. # July 2020 OpenJDK security update for OpenJDK 11 Full release notes: https://bitly.com/openjdk1108 ## Security fixes - JDK-8230613: Better ASCII conversions - JDK-8231800: Better listing of arrays - JDK-8232014: Expand DTD support - JDK-8233234: Better Zip Naming - JDK-8233239, CVE-2020-14562: Enhance TIFF support - JDK-8233255: Better Swing Buttons -JDK-8234032: Improve basic calendar services - JDK-8234042: Better factory production of certificates - JDK-8234418: Better parsing with CertificateFactory - JDK-8234836: Improve serialization handling -JDK-8236191: Enhance OID processing - JDK-8236867, CVE-2020-14573: Enhance Graal interface handling - JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior - JDK-8237592, CVE-2020-14577: Enhance certificate verification -JDK-8238002, CVE-2020-14581: Better matrix operations - JDK-8238013: Enhance String writing - JDK-8238804: Enhance key handling process - JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable - JDK-8238843: Enhanced font handing - JDK-8238920, CVE-2020-14583: Better Buffer support - JDK-8238925: Enhance WAV file playback - JDK-8240119, CVE-2020-14593: Less Affine Transformations - JDK-8240482: Improved WAV file playback - JDK-8241379: Update JCEKS support - JDK-8241522: Manifest improved jar headers redux -JDK-8242136, CVE-2020-14621: Better XML namespace handling ## [JDK-8244167](https://bugs.openjdk.org/browse/JDK-8244167): Removal of Comodo Root CA Certificate The following expired Comodo root CA certificate was removed from the `cacerts` keystore: + alias name "addtrustclass1ca [jdk]" Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE ## [JDK-8244166](https://bugs.openjdk.org/browse/JDK-8244166): Removal of DocuSign Root CA Certificate The following expired DocuSign root CA certificate was removed from the `cacerts` keystore: + alias name "keynectisrootca [jdk]" Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR ## [JDK-8240191](https://bugs.openjdk.org/browse/JDK-8240191): Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Prior to this change, the SunPKCS11 provider would throw a RuntimeException with the message: "FIPS flag set for non-internal module" when such a library was configured for NSS in non-FIPS mode. This change allows the JDK to work properly with recent NSS releases in GNU/Linux operating systems when the system-wide FIPS policy is turned on. Further information can be found in [JDK-8238555](https://bugs.openjdk.org/browse/JDK-8238555). ## [JDK-8245077](https://bugs.openjdk.org/browse/JDK-8245077): Default SSLEngine Should Create in Server Role In JDK 11 and later, `javax.net.ssl.SSLEngine` by default used client mode when handshaking. As a result, the set of default enabled protocols may differ to what is expected. `SSLEngine` would usually be used in server mode. From this JDK release onwards, `SSLEngine` will default to server mode. The `javax.net.ssl.SSLEngine.setUseClientMode(boolean mode)` method may be used to configure the mode. ## [JDK-8242147](https://bugs.openjdk.org/browse/JDK-8242147): New System Properties to Configure the TLS Signature Schemes Two new System Properties are added to customize the TLS signature schemes in JDK. `jdk.tls.client.SignatureSchemes` is added for TLS client side, and `jdk.tls.server.SignatureSchemes` is added for server side. Each System Property contains a comma-separated list of supported signature scheme names specifying the signature schemes that could be used for the TLS connections. The names are described in the "Signature Schemes" section of the *Java Security Standard Algorithm Names Specification*. * Sat Jul 18 2020 Severin Gehwolf - 1:11.0.8.10-2 - Build static-libs-image and add resulting files via -static-libs sub-package. - Disable stripping of debug symbols for static libraries part of the -static-libs sub-package. * Mon Jul 13 2020 Andrew Hughes - 1:11.0.8.10-1 - Sync JDK-8247874 patch with upstream status in 11.0.9. * Mon Jul 13 2020 Jayashree Huttanagoudar -1:11.0.8.10-1 - Moved vendor_version_string to better place - Added a patch jdk8247874-fix_ampersand_in_vm_bug_url.patch * Mon Jul 13 2020 Jiri Vanek - 1:11.0.8.10-1 - Set vendor property and vendor URLs - Made urls to be preconfigured by OS * Sat Jul 11 2020 Andrew Hughes - 1:11.0.8.10-0 - Update to shenandoah-jdk-11.0.8+10 (GA) - Add release notes for 11.0.7 & 11.0.8 releases. - Amend release notes, removing issue actually fixed in 11.0.6. - Update release notes with last minute fix (JDK-8248505). - Drop JDK-8237396, JDK-8228407 & JDK-8243541 backports now applied upstream. - Make use of --with-extra-asflags introduced in jdk-11.0.6+1. su -c 'dnf upgrade --advisory FEDORA-2020-5d0b4a2b5b' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Change Log

References

Update Instructions

Severity
Product : Fedora 32
Version : 11.0.8.10
Release : 2.fc32
URL : https://openjdk.org/
Summary : OpenJDK Runtime Environment 11

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved