Stay Secure with the Latest Linux Advisories

security advisorysecurity updateFedora

Fedora 32 Update: OpenJDK Security Enhancements in FEDORA-2020-5d0b4a2b5b

# July 2020 OpenJDK security update for OpenJDK 11 Full release notes: https://mail.openjdk.org/pipermail/jdk-updates-dev/2020-July/003498.html ## Security fixes - JDK-8230613: Better ASCII conversions - JDK-8231800: Better listing of arrays - JDK-8232014: Expand DTD support - JDK-8233234: Better Zip Naming - JDK-8233239, CVE-2020-14562: Enhance TIFF support - JDK-8233255: Better Swing Buttons -. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-5d0b4a2b5b 2020-07-24 01:13:00.082761 --------------------------------------------------------------------------------Name : java-11-openjdk Product : Fedora 32 Version : 11.0.8.10 Release : 2.fc32 URL : https://openjdk.org/ Summary : OpenJDK Runtime Environment 11 Description : The OpenJDK runtime environment. --------------------------------------------------------------------------------Update Information: # July 2020 OpenJDK security update for OpenJDK 11 Full release notes: https://mail.openjdk.org/pipermail/jdk-updates-dev/2020-July/003498.html ## Security fixes - JDK-8230613: Better ASCII conversions - JDK-8231800: Better listing of arrays - JDK-8232014: Expand DTD support - JDK-8233234: Better Zip Naming - JDK-8233239, CVE-2020-14562: Enhance TIFF support - JDK-8233255: Better Swing Buttons -JDK-8234032: Improve basic calendar services - JDK-8234042: Better factory production of certificates - JDK-8234418: Better parsing with CertificateFactory - JDK-8234836: Improve serialization handling -JDK-8236191: Enhance OID processing - JDK-8236867, CVE-2020-14573: Enhance Graal interface handling - JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior - JDK-8237592, CVE-2020-14577: Enhance certificate verification -JDK-8238002, CVE-2020-14581: Better matrix operations - JDK-8238013: Enhance String writing - JDK-8238804: Enhance key handling process - JDK-8238842: AIOOBE inGIFImageReader.initializeStringTable - JDK-8238843: Enhanced font handing - JDK-8238920, CVE-2020-14583: Better Buffer support - JDK-8238925: Enhance WAV file playback - JDK-8240119, CVE-2020-14593: Less Affine Transformations - JDK-8240482: Improved WAV file playback - JDK-8241379: Update JCEKS support - JDK-8241522: Manifest improved jar headers redux -JDK-8242136, CVE-2020-14621: Better XML namespace handling ## [JDK-8244167](https://bugs.openjdk.org/browse/JDK-8244167): Removal of Comodo Root CA Certificate The following expired Comodo root CA certificate was removed from the `cacerts` keystore: + alias name "addtrustclass1ca [jdk]" Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE ## [JDK-8244166](https://bugs.openjdk.org/browse/JDK-8244166): Removal of DocuSign Root CA Certificate The following expired DocuSign root CA certificate was removed from the `cacerts` keystore: + alias name "keynectisrootca [jdk]" Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR ## [JDK-8240191](https://bugs.openjdk.org/browse/JDK-8240191): Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Prior to this change, the SunPKCS11 provider would throw a RuntimeException with the message: "FIPS flag set for non-internal module" when such a library was configured for NSS in non-FIPS mode. This change allows the JDK to work properly with recent NSS releases in GNU/Linux operating systems when the system-wide FIPS policy is turned on. Further information can be found in [JDK-8238555](https://bugs.openjdk.org/browse/JDK-8238555). ## [JDK-8245077](https://bugs.openjdk.org/browse/JDK-8245077): Default SSLEngine Should Create in Server Role In JDK 11 and later, `javax.net.ssl.SSLEngine` by default used client modewhen handshaking. As a result, the set of default enabled protocols may differ to what is expected. `SSLEngine` would usually be used in server mode. From this JDK release onwards, `SSLEngine` will default to server mode. The `javax.net.ssl.SSLEngine.setUseClientMode(boolean mode)` method may be used to configure the mode. ## [JDK-8242147](https://bugs.openjdk.org/browse/JDK-8242147): New System Properties to Configure the TLS Signature Schemes Two new System Properties are added to customize the TLS signature schemes in JDK. `jdk.tls.client.SignatureSchemes` is added for TLS client side, and `jdk.tls.server.SignatureSchemes` is added for server side. Each System Property contains a comma-separated list of supported signature scheme names specifying the signature schemes that could be used for the TLS connections. The names are described in the "Signature Schemes" section of the *Java Security Standard Algorithm Names Specification*. --------------------------------------------------------------------------------ChangeLog: * Sat Jul 18 2020 Severin Gehwolf - 1:11.0.8.10-2 - Build static-libs-image and add resulting files via -static-libs sub-package. - Disable stripping of debug symbols for static libraries part of the -static-libs sub-package. * Mon Jul 13 2020 Andrew Hughes - 1:11.0.8.10-1 - Sync JDK-8247874 patch with upstream status in 11.0.9. * Mon Jul 13 2020 Jayashree Huttanagoudar -1:11.0.8.10-1 - Moved vendor_version_string to better place - Added a patch jdk8247874-fix_ampersand_in_vm_bug_url.patch * Mon Jul 13 2020 Jiri Vanek - 1:11.0.8.10-1 - Set vendor property and vendor URLs - Made urls to be preconfigured by OS * Sat Jul 11 2020 Andrew Hughes - 1:11.0.8.10-0 - Update to shenandoah-jdk-11.0.8+10 (GA) - Add release notes for 11.0.7 & 11.0.8 releases. - Amend release notes, removing issue actually fixed in 11.0.6. - Update release notes with last minute fix (JDK-8248505). - Drop JDK-8237396, JDK-8228407 & JDK-8243541 backports now appliedupstream. - Make use of --with-extra-asflags introduced in jdk-11.0.6+1. --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-5d0b4a2b5b' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./ . Debian Security Announcement DEBIAN-2021-6c7e8a9a4b introduces crucial updates to OpenSSL addressing vulnerabilities and enhancing performance.. Fedora Update, OpenJDK Security, Java Runtime Environment, Fedora Security, OpenJDK Enhancements. . Severity: Critical. LinuxSecurity.com Team

Jul 23, 2020 •Critical Fedora