Fedora Update Notification
2021-10-29 22:48:33.394572

Name        : java-11-openjdk
Product     : Fedora 35
Version     :
Release     : 1.fc35
URL         : https://openjdk.java.net/
Summary     : OpenJDK 11 Runtime Environment
Description :
The OpenJDK 11 runtime environment.

Update Information:

# New in release OpenJDK 11.0.13 (2021-10-19):  Live versions of these release
notes can be found at:  * https://bitly.com/openjdk11013 *
https://builds.shipilev.net/backports-monitor/release-notes-11.0.13.txt  ##
Security fixes   - JDK-8163326, CVE-2021-35550: Update the default enabled
cipher suites preference   - JDK-8254967, CVE-2021-35565:
com.sun.net.HttpsServer spins on TLS session close   - JDK-8263314: Enhance XML
Dsig modes   - JDK-8265167, CVE-2021-35556: Richer Text Editors   - JDK-8265574:
Improve handling of sheets   - JDK-8265580, CVE-2021-35559: Enhanced style for
RTF kit   - JDK-8265776: Improve Stream handling for SSL   - JDK-8266097,
CVE-2021-35561: Better hashing support   - JDK-8266103: Better specified spec
values   - JDK-8266109: More Resilient Classloading   - JDK-8266115: More
Manifest Jar Loading   - JDK-8266137, CVE-2021-35564: Improve Keystore integrity
- JDK-8266689, CVE-2021-35567: More Constrained Delegation   - JDK-8267086:
ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic   -
JDK-8267712: Better LDAP reference processing   - JDK-8267729, CVE-2021-35578:
Improve TLS client handshaking   - JDK-8267735, CVE-2021-35586: Better BMP
support   - JDK-8268193: Improve requests of certificates   - JDK-8268199:
Correct certificate requests   - JDK-8268205: Enhance DTLS client handshake   -
JDK-8268506: More Manifest Digests   - JDK-8269618, CVE-2021-35603: Better
session identification   - JDK-8269624: Enhance method selection support   -
JDK-8270398: Enhance canonicalization   - JDK-8270404: Better canonicalization
## Major Changes *
[JDK-8271434](https://bugs.openjdk.java.net/browse/JDK-8271434): Removed
IdenTrust Root Certificate *
[JDK-8261922](https://bugs.openjdk.java.net/browse/JDK-8261922): Updated keytool
to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280 *
[JDK-8210799](https://bugs.openjdk.java.net/browse/JDK-8210799): ChaCha20 and
Poly1305 TLS Cipher Suites *
[JDK-8219551](https://bugs.openjdk.java.net/browse/JDK-8219551): Updated the
Default Enabled Cipher Suites Preference  ## FIPS Mode Changes - The `SunPKCS11`
provider in FIPS mode will now eagerly login to the NSS software token on
initialisation - `keytool` in FIPS mode now supports importing plain private
keys by the provider adding them to the NSS database. This can be disabled using

* Wed Oct 13 2021 Andrew Hughes  - 1:
- Update to jdk-
- Update release notes to
- Update tarball generation script to use git following OpenJDK 11u's move to github
- Remove "-clean" suffix as no 11.0.13 builds are unclean.
- Drop JDK-8269668 patch which is now applied upstream.
- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
- Restructure the build so a minimal initial build is then used for the final build (with docs)
- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
* Tue Oct  5 2021 Martin Balao  - 1:
- Add patch to login to the NSS software token when in FIPS mode.
- Add patch to allow plain key import.
* Thu Sep  2 2021 Jiri Vanek  - 1:
- Added posttrans hook which persist sanity of dir->symlink change in case of update from ancient versions
- Minor cosmetic improvements to make spec more comparable between variants
* Tue Aug 31 2021 Jiri Vanek  - 1:
- alternatives creation moved to posttrans
- Thus fixing the old reisntall issue:
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
* Mon Aug  9 2021 Andrew Hughes  - 1:
- Remove non-Free test from source tarball.
* Wed Jul 28 2021 Severin Gehwolf  - 1:
- Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668)
- Resolves: rhbz#1977671
* Thu Jul 22 2021 Fedora Release Engineering  - 1:
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jul 13 2021 Andrew Hughes  - 1:
- Update to jdk-
- Update release notes to
- Switch to GA mode for final release.
* Thu Jul  8 2021 Andrew Hughes  - 1:
- Update to jdk-
- Update release notes to
- Skip as only adds a test change
* Thu Jul  8 2021 Andrew Hughes  - 1:
- Update to jdk-
- Update release notes to
- Correct bug ID JDK-8264846 to intended ID of JDK-8264848
* Mon Jul  5 2021 Andrew Hughes  - 1:
- Update to jdk-
- Update release notes to
* Fri Jul  2 2021 Andrew Hughes  - 1:
- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
* Fri Jul  2 2021 Andrew Hughes  - 1:
- Update to jdk-
- Update release notes to
* Mon Jun 28 2021 Andrew Hughes  - 1:
- Update to jdk-
- Update release notes to
- Switch to EA mode for 11.0.12 pre-release builds.
- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed)
* Tue Jun  8 2021 Andrew Hughes  - 1:
- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
* Tue Jun  8 2021 Martin Balao  - 1:
- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
* Wed Jun  2 2021 Andrew John Hughes  - 1:
- Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
- Disable FIPS mode support unless com.redhat.fips is set to "true".
- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
- Resolves: rhbz#1830090
* Wed Jun  2 2021 Martin Balao  - 1:
- Support the FIPS mode crypto policy (RH1655466)
- Use appropriate keystore types when in FIPS mode (RH1818909)
- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
- Resolves: rhbz#1830090

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-eb3e3e87d3' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
package-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure