Fedora 35: java-17-openjdk 2022-64431bccec
Summary
The OpenJDK 17 runtime environment.
# New in release OpenJDK 17.0.4 (2022-07-19)

* The release announcement can be found at https://mail.openjdk.org/pipermail/jdk-updates-dev/2022-July/016016.html
* Full release details can be found at https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt

## Security fixes

- JDK-8272243: Improve DER parsing
- JDK-8272249: Better properties of loaded Properties
- JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions
- JDK-8277608: Address IP Addressing
- JDK-8281859, CVE-2022-21540: Improve class compilation
- JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
- JDK-8283190: Improve MIDI processing
- JDK-8284370: Improve zlib usage
- JDK-8285407, CVE-2022-34169: Improve Xalan supports

## JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos

Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through `javax.net.HttpsURLConnection`. Channel binding tokens are increasingly required as an enhanced form of security which can mitigate certain kinds of socially engineered, man in the middle (MITM) attacks. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shutdown the session/connection.

The feature is controlled through a new system property `jdk.https.negotiate.cbt` which is described fully at the following page: https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt

## JDK-8278386: Default JDK compressor will be closed when IOException is encountered

`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods have been modified to close out the associated default JDK compressor before propagating a `Throwable` up the stack. `ZIPOutputStream.closeEntry()` method has been modified to close out the associated default JDK compressor before propagating an `IOException`, not of type `ZipException`, up the stack.
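The detection described under JDK-8285240, shown as an added example (not code from OpenJDK or the Fedora package). It assumes the RFC 5929 `tls-server-end-point` binding type and uses constructed byte strings in place of real DER certificates; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Locale;
import org.ietf.jgss.ChannelBinding;

public class EndPointBindingDemo {
    /** Hash to use for a certificate signature algorithm name such as "SHA384withECDSA". */
    static String bindingHash(String sigAlgName) {
        String name = sigAlgName.toUpperCase(Locale.ROOT);
        int with = name.indexOf("WITH");
        if (with <= 0) // no single hash in the name (e.g. Ed25519): undefined in RFC 5929
            throw new IllegalArgumentException("no hash in " + sigAlgName);
        switch (name.substring(0, with)) {
            case "MD5": case "SHA1": case "SHA256": return "SHA-256"; // MD5/SHA-1 are upgraded
            case "SHA224": return "SHA-224";
            case "SHA384": return "SHA-384";
            case "SHA512": return "SHA-512";
            default: throw new IllegalArgumentException("unhandled hash in " + sigAlgName);
        }
    }

    /** "tls-server-end-point:" followed by the hash of the DER-encoded certificate. */
    static byte[] endPointBinding(byte[] certDer, String sigAlgName) throws NoSuchAlgorithmException {
        byte[] prefix = "tls-server-end-point:".getBytes(StandardCharsets.US_ASCII);
        byte[] hash = MessageDigest.getInstance(bindingHash(sigAlgName)).digest(certDer);
        byte[] out = Arrays.copyOf(prefix, prefix.length + hash.length);
        System.arraycopy(hash, 0, out, prefix.length, hash.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for two DER-encoded certificates. On a live connection the
        // bytes come from X509Certificate.getEncoded() and the name from getSigAlgName().
        byte[] serverCert = "constructed: the real server certificate".getBytes(StandardCharsets.US_ASCII);
        byte[] relayCert = "constructed: certificate shown by a relay".getBytes(StandardCharsets.US_ASCII);

        // What the server derives from its own certificate.
        byte[] expected = endPointBinding(serverCert, "SHA256withRSA");
        // What a client derives from the certificate it actually saw on its TLS connection.
        ChannelBinding direct = new ChannelBinding(endPointBinding(serverCert, "SHA256withRSA"));
        ChannelBinding relayed = new ChannelBinding(endPointBinding(relayCert, "SHA256withRSA"));

        System.out.println("direct matches:  " + Arrays.equals(expected, direct.getApplicationData()));
        System.out.println("relayed matches: " + Arrays.equals(expected, relayed.getApplicationData()));
    }
}
```

The linked net-properties page documents the values of `jdk.https.negotiate.cbt` as `never` (the default), `always`, and `domain:<comma separated domain list>`, so the token is only sent when the JVM is started with one of the latter two.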
* Fri Jul 22 2022 Andrew Hughes - 1:17.0.4.0.8-1
- Update to jdk-17.0.3.0+8
- Update release notes to 17.0.3.0+8
- Switch to GA mode for release
- Exclude x86 where java_arches is undefined, in order to unbreak build
* Fri Jul 22 2022 Jiri Vanek - 1:17.0.4.0.7-0.3.ea
- moved to build only on %{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
- reverted :
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
-- Replaced binaries and .so files with bash-stubs on i686
- added ExclusiveArch: %{java_arches}
-- this now excludes i686
-- this is safely backport-able to older fedoras, as the macro was backported properly (with i686 included)
- https://bugzilla.redhat.com/show_bug.cgi?id=2104128
* Thu Jul 21 2022 Fedora Release Engineering - 1:17.0.4.0.7-0.2.ea.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Jul 19 2022 Andrew Hughes - 1:17.0.4.0.7-0.2.ea
- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
* Sat Jul 16 2022 Andrew Hughes - 1:17.0.4.0.7-0.1.ea
- Update to jdk-17.0.3.0+7
- Update release notes to 17.0.3.0+7
- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
* Thu Jul 14 2022 Andrew Hughes - 1:17.0.4.0.1-0.5.ea
- Explicitly require crypto-policies during build and runtime for system security properties
* Thu Jul 14 2022 Jiri Vanek - 1:17.0.4.0.1-0.4.ea
- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
* Thu Jul 14 2022 FeRD (Frank Dana) - 1:17.0.4.0.1-0.3.ea
- Add javaver- and origin-specific javadoc and javadoczip alternatives.
* Thu Jul 14 2022 Andrew Hughes - 1:17.0.4.0.1-0.2.ea
- Make use of the vendor version string to store our version & release rather than an upstream release date
- Include a test in the RPM to check the build has the correct vendor information.
* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
- Add proper quoting so '&' is not treated as a special character by the shell.
* Mon Jul 11 2022 Andrew Hughes - 1:17.0.4.0.1-0.1.ea
- Update to jdk-17.0.4.0+1
- Update release notes to 17.0.4.0+1
- Switch to EA mode for 17.0.4 pre-release builds.
- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
- Print release file during build, which should now include a correct SOURCE value from .src-rev
- Update tarball script with IcedTea GitHub URL and .src-rev generation
- Include script to generate bug list for release notes
- Update tzdata requirement to 2022a to match JDK-8283350
- Move EA designator check to prep so failures can be caught earlier
- Make EA designator check non-fatal while upstream is not maintaining it
* Thu Jul 7 2022 Andrew Hughes - 1:17.0.3.0.7-7
- Fix whitespace in spec file
* Thu Jul 7 2022 Andrew Hughes - 1:17.0.3.0.7-7
- Sequence spec file sections as they are run by rpmbuild (build, install then test)
* Tue Jul 5 2022 Andrew Hughes - 1:17.0.3.0.7-7
- Turn on system security properties as part of the build's install section
- Move cacerts replacement to install section and retain original of this and tzdb.dat
- Run tests on the installed image, rather than the build image
- Introduce variables to refer to the static library installation directories
- Use relative symlinks so they work within the image
- Run debug symbols check during build stage, before the install strips them
* Fri Jul 1 2022 Stephan Bergmann - 1:17.0.3.0.7-6
- Fix flatpak builds by exempting them from bootstrap
* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-5
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
* Mon Jun 27 2022 Stephan Bergmann - 1:17.0.3.0.7-4
- Fix flatpak builds (catering for their uncompressed manual pages)
* Wed Jun 22 2022 Andrew Hughes - 1:17.0.3.0.7-3
- Update FIPS support to bring in latest changes
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on
su -c 'dnf upgrade --advisory FEDORA-2022-64431bccec' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
FEDORA-2022-64431bccec 2022-08-03 01:48:48.037701
Product : Fedora 35
Version : 17.0.4.0.8
Release : 1.fc35
URL : https://openjdk.org/
Summary : OpenJDK 17 Runtime Environment