SECURITY: Fedora 35 Update: java-11-openjdk-11.0.16.0.8-1.fc35
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-d26586b419
2022-08-03 01:48:48.037712
--------------------------------------------------------------------------------
Name : java-11-openjdk
Product : Fedora 35
Version : 11.0.16.0.8
Release : 1.fc35
URL : http://openjdk.java.net/
Summary : OpenJDK 11 Runtime Environment
Description :
The OpenJDK 11 runtime environment.
--------------------------------------------------------------------------------
Update Information:
# New in release OpenJDK 11.0.16 (2022-07-19)

* The release announcement can be found at https://bit.ly/openjdk11016
* Full release details can be found at https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.txt

## Security fixes

- JDK-8277608: Address IP Addressing
- JDK-8272243: Improve DER parsing
- JDK-8272249: Better properties of loaded Properties
- JDK-8281859, CVE-2022-21540: Improve class compilation
- JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
- JDK-8283190: Improve MIDI processing
- JDK-8284370: Improve zlib usage
- JDK-8285407, CVE-2022-34169: Improve Xalan supports

## FIPS Changes

* [RH2007331](https://bugzilla.redhat.com/show_bug.cgi?id=2007331): SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
* [RH2036462](https://bugzilla.redhat.com/show_bug.cgi?id=2036462): sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
* [RH2090378](https://bugzilla.redhat.com/show_bug.cgi?id=2090378): Revert to disabling system security properties and FIPS mode support together
* Depend on `crypto-policies` package at build-time and run-time

## Other Changes

* Add javaver- and origin-specific javadoc and javadoczip alternatives (thanks to FeRD (Frank Dana))

## JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos

Support has been added for TLS channel binding tokens for Negotiate/Kerberos
authentication over HTTPS through `javax.net.ssl.HttpsURLConnection`. Channel
binding tokens are increasingly required as an enhanced form of security which
can mitigate certain kinds of socially engineered, man in the middle (MITM)
attacks. They work by communicating from a client to a server the client's
understanding of the binding between connection security (as represented by a
TLS server cert) and higher level authentication credentials (such as a
username and password). The server can then detect if the client has been
fooled by a MITM and shut down the session/connection. The feature is
controlled through a new system property `jdk.https.negotiate.cbt` which is
described fully at the following page:
https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt

## JDK-8278386: Default JDK compressor will be closed when IOException is encountered

`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods have been
modified to close out the associated default JDK compressor before propagating a
`Throwable` up the stack. `ZipOutputStream.closeEntry()` method has been
modified to close out the associated default JDK compressor before propagating
an `IOException`, not of type `ZipException`, up the stack.

## JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element

`java.util.Vector` is updated to correctly report `ClassNotFoundException` that
occurs during deserialization using
`java.io.ObjectInputStream.GetField.get(name, object)` when the class of an
element of the Vector is not found. Without this fix, a
`StreamCorruptedException` is thrown that does not provide information about the
missing class.
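
The JDK-8277157 change above can be observed with the following added example, which is not code from this advisory or from the OpenJDK project. The names `VectorMissingClassDemo`, `Element` and `MissingElementStream` are hypothetical, and the missing element class is simulated with a `resolveClass` override instead of a genuinely absent class file. Per the note above, a build with the fix reports `ClassNotFoundException` and a build without it reports `StreamCorruptedException`.

```java
import java.io.*;
import java.util.Vector;

// Added illustration; all class and method names here are hypothetical.
public class VectorMissingClassDemo {
    // Element type whose class will be "missing" on the reading side.
    static class Element implements Serializable {
        private static final long serialVersionUID = 1L;
        String label = "constructed sample";
    }

    // Simulates a reader whose classpath lacks Element.
    static class MissingElementStream extends ObjectInputStream {
        MissingElementStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (desc.getName().equals(Element.class.getName())) {
                throw new ClassNotFoundException(desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Returns the exception type (and message) raised while reading the Vector back.
    static String failureType(byte[] data) throws IOException {
        try (ObjectInputStream in =
                 new MissingElementStream(new ByteArrayInputStream(data))) {
            in.readObject();
            return "none";
        } catch (ClassNotFoundException | StreamCorruptedException e) {
            return e.getClass().getName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        Vector<Object> v = new Vector<>();
        v.add(new Element());
        System.out.println(System.getProperty("java.version")
                + " -> " + failureType(serialize(v)));
    }
}
```

Running it under the JDK a service actually uses shows which failure the deserialization error handling and log monitoring will see for a missing element class.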
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jul 22 2022 Andrew Hughes - 1:11.0.16.0.8-1
- Update to jdk-11.0.16+8
- Update release notes to 11.0.16+8
- Switch to GA mode for release
- Exclude x86 where java_arches is undefined, in order to unbreak build
* Fri Jul 22 2022 Jiri Vanek - 1:11.0.16.0.7-0.4.ea
- moved to build only on %{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
- reverted :
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
-- Replaced binaries and .so files with bash-stubs on i686
- added ExclusiveArch: %{java_arches}
-- this now excludes i686
-- this is safely backport-able to older fedoras, as the macro was backported properly (with i686 included)
- https://bugzilla.redhat.com/show_bug.cgi?id=2104126
* Thu Jul 21 2022 Fedora Release Engineering - 1:11.0.16.0.7-0.3.ea.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Jul 18 2022 Andrew Hughes - 1:11.0.16.0.7-0.3.ea
- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
* Sun Jul 17 2022 Andrew Hughes - 1:11.0.16.0.7-0.2.ea
- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
* Thu Jul 14 2022 Andrew Hughes - 1:11.0.16.0.7-0.1.ea
- Update to jdk-11.0.16+7
- Update release notes to 11.0.16+7
- Switch to EA mode for 11.0.16 pre-release builds.
- Use same tarball naming style as java-17-openjdk and java-latest-openjdk
- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
- Drop JDK-8257794 patch now upstreamed
- Print release file during build, which should now include a correct SOURCE value from .src-rev
- Update tarball script with IcedTea GitHub URL and .src-rev generation
- Use "git apply" with patches in the tarball script to allow binary diffs
- Include script to generate bug list for release notes
- Update tzdata requirement to 2022a to match JDK-8283350
* Thu Jul 14 2022 Jiri Vanek - 1:11.0.16.0.7-0.1.ea
- Add additional patch during tarball generation to align tests with ECC changes
* Thu Jul 14 2022 Andrew Hughes - 1:11.0.15.0.10-7
- Explicitly require crypto-policies during build and runtime for system security properties
* Thu Jul 14 2022 Jiri Vanek - 1:11.0.15.0.10-6
- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
* Thu Jul 14 2022 FeRD (Frank Dana) - 1:11.0.15.0.10-5
- Add javaver- and origin-specific javadoc and javadoczip alternatives.
* Thu Jul 14 2022 Andrew Hughes - 1:11.0.15.0.10-4
- Make use of the vendor version string to store our version & release rather than an upstream release date
* Thu Jul 7 2022 Andrew Hughes - 1:11.0.15.0.10-3
- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on
* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:11.0.15.0.10-2
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-d26586b419' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
A java-11-openjdk security update has been released for Fedora 35.