stable

java-11-openjdk-11.0.8.10-2.fc32

FEDORA-2020-5d0b4a2b5b created by ahughes 4 years ago for Fedora 32

July 2020 OpenJDK security update for OpenJDK 11

Full release notes: https://bitly.com/openjdk1108

Security fixes

  • JDK-8230613: Better ASCII conversions
  • JDK-8231800: Better listing of arrays
  • JDK-8232014: Expand DTD support
  • JDK-8233234: Better Zip Naming
  • JDK-8233239, CVE-2020-14562: Enhance TIFF support
  • JDK-8233255: Better Swing Buttons
  • JDK-8234032: Improve basic calendar services
  • JDK-8234042: Better factory production of certificates
  • JDK-8234418: Better parsing with CertificateFactory
  • JDK-8234836: Improve serialization handling
  • JDK-8236191: Enhance OID processing
  • JDK-8236867, CVE-2020-14573: Enhance Graal interface handling
  • JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
  • JDK-8237592, CVE-2020-14577: Enhance certificate verification
  • JDK-8238002, CVE-2020-14581: Better matrix operations
  • JDK-8238013: Enhance String writing
  • JDK-8238804: Enhance key handling process
  • JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
  • JDK-8238843: Enhanced font handing
  • JDK-8238920, CVE-2020-14583: Better Buffer support
  • JDK-8238925: Enhance WAV file playback
  • JDK-8240119, CVE-2020-14593: Less Affine Transformations
  • JDK-8240482: Improved WAV file playback
  • JDK-8241379: Update JCEKS support
  • JDK-8241522: Manifest improved jar headers redux
  • JDK-8242136, CVE-2020-14621: Better XML namespace handling

JDK-8244167: Removal of Comodo Root CA Certificate

The following expired Comodo root CA certificate was removed from the cacerts keystore: + alias name "addtrustclass1ca [jdk]"

Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE

JDK-8244166: Removal of DocuSign Root CA Certificate

The following expired DocuSign root CA certificate was removed from the cacerts keystore: + alias name "keynectisrootca [jdk]"

Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR

JDK-8240191: Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database

The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Prior to this change, the SunPKCS11 provider would throw a RuntimeException with the message: "FIPS flag set for non-internal module" when such a library was configured for NSS in non-FIPS mode.

This change allows the JDK to work properly with recent NSS releases in GNU/Linux operating systems when the system-wide FIPS policy is turned on.

Further information can be found in JDK-8238555.

JDK-8245077: Default SSLEngine Should Create in Server Role

In JDK 11 and later, javax.net.ssl.SSLEngine by default used client mode when handshaking. As a result, the set of default enabled protocols may differ to what is expected. SSLEngine would usually be used in server mode. From this JDK release onwards, SSLEngine will default to server mode. The javax.net.ssl.SSLEngine.setUseClientMode(boolean mode) method may be used to configure the mode.

JDK-8242147: New System Properties to Configure the TLS Signature Schemes

Two new System Properties are added to customize the TLS signature schemes in JDK. jdk.tls.client.SignatureSchemes is added for TLS client side, and jdk.tls.server.SignatureSchemes is added for server side.

Each System Property contains a comma-separated list of supported signature scheme names specifying the signature schemes that could be used for the TLS connections.

The names are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2020-5d0b4a2b5b

This update has been submitted for testing by ahughes.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago

This update's test gating status has been changed to 'waiting'.

4 years ago

ahughes edited this update.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago

ahughes edited this update.

4 years ago

ahughes edited this update.

4 years ago

This update has been pushed to testing.

4 years ago
User Icon jerboaa commented & provided feedback 4 years ago
karma

Works for me.

User Icon browseria commented & provided feedback 4 years ago
karma

Works for me.

This update can be pushed to stable now if the maintainer wishes

4 years ago
User Icon frantisekz commented & provided feedback 4 years ago
karma

Seems to work fine

This update has been submitted for stable by bodhi.

4 years ago

This update has been pushed to stable.

4 years ago

Please login to add feedback.

Metadata
Type
security
Severity
high
Karma
3
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
7 days
Dates
submitted
4 years ago
in testing
4 years ago
in stable
4 years ago
modified
4 years ago

Automated Test Results