
A java-17-openjdk security update has been released for Fedora 36.

SECURITY: Fedora 36 Update: java-17-openjdk-17.0.4.0.8-1.fc36


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-34584d4257
2022-07-28 01:26:41.098924
--------------------------------------------------------------------------------

Name : java-17-openjdk
Product : Fedora 36
Version : 17.0.4.0.8
Release : 1.fc36
URL :   http://openjdk.java.net/
Summary : OpenJDK 17 Runtime Environment
Description :
The OpenJDK 17 runtime environment.

--------------------------------------------------------------------------------
Update Information:

# New in release OpenJDK 17.0.4 (2022-07-19)

* The release announcement can be found at https://bit.ly/openjdk1704
* Full release details can be found at https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt

## Security fixes

- JDK-8272243: Improve DER parsing
- JDK-8272249: Better properties of loaded Properties
- JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions
- JDK-8277608: Address IP Addressing
- JDK-8281859, CVE-2022-21540: Improve class compilation
- JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
- JDK-8283190: Improve MIDI processing
- JDK-8284370: Improve zlib usage
- JDK-8285407, CVE-2022-34169: Improve Xalan supports

## JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos

Support has been added for TLS channel binding tokens for Negotiate/Kerberos
authentication over HTTPS through `javax.net.ssl.HttpsURLConnection`. Channel
binding tokens are increasingly required as an enhanced form of security which
can mitigate certain kinds of socially engineered man-in-the-middle (MITM)
attacks. They work by communicating from the client to the server the client's
understanding of the binding between connection security (as represented by the
TLS server certificate) and the higher-level authentication credentials (such as
a username and password). The server can then detect that the client has been
fooled by a MITM and shut down the session/connection. The feature is controlled
through a new system property `jdk.https.negotiate.cbt`, which is described
fully at the following page:
  https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt

## JDK-8278386: Default JDK compressor will be closed when IOException is encountered

The `DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods have
been modified to close out the associated default JDK compressor before
propagating a `Throwable` up the stack. The `ZipOutputStream.closeEntry()`
method has been modified to close out the associated default JDK compressor
before propagating an `IOException`, not of type `ZipException`, up the stack.
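The channel-binding check described under JDK-8285240, as an added example that is not part of the Fedora notice or of the OpenJDK sources: a simplified model of the RFC 5929 "tls-server-end-point" binding, which is the binding type the `jdk.https.negotiate.cbt` property controls. The client derives a token from the TLS server certificate it actually observed, sends it inside the authentication exchange, and the server recomputes the token from its own certificate. The certificate byte strings are constructed placeholders standing in for DER-encoded X.509 certificates, and the class and method names are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HexFormat;

/*
 * Added example, not code from the Fedora package or from OpenJDK.
 * Models RFC 5929 "tls-server-end-point" channel binding: the token is the
 * ASCII prefix "tls-server-end-point:" followed by a hash of the server's
 * end-entity certificate (DER). RFC 5929 uses the certificate's signature
 * hash algorithm, upgrading MD5 and SHA-1 to SHA-256; this model assumes
 * SHA-256 throughout for simplicity.
 */
public class ChannelBindingDemo {

    static byte[] serverEndPointBinding(byte[] derCert) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] prefix = "tls-server-end-point:".getBytes(StandardCharsets.US_ASCII);
            byte[] hash = md.digest(derCert);
            byte[] cbt = Arrays.copyOf(prefix, prefix.length + hash.length);
            System.arraycopy(hash, 0, cbt, prefix.length, hash.length);
            return cbt;
        } catch (NoSuchAlgorithmException e) {
            // Every JDK is required to ship SHA-256, so this cannot happen in practice.
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Client side: the binding is derived from the certificate the client's TLS session ended at. */
    static byte[] clientToken(byte[] certSeenByClient) {
        return serverEndPointBinding(certSeenByClient);
    }

    /**
     * Server side: recompute the binding from the server's own certificate and
     * compare in constant time. A mismatch means the client's TLS session
     * terminates somewhere other than this server, even though the Kerberos
     * credentials it presented may be perfectly valid.
     */
    static boolean serverAccepts(byte[] serverOwnCert, byte[] tokenFromClient) {
        return MessageDigest.isEqual(serverEndPointBinding(serverOwnCert), tokenFromClient);
    }

    public static void main(String[] args) {
        // Constructed stand-ins for DER certificates; not real X.509 data.
        byte[] realServerCert = "CONSTRUCTED-DER-real-server-cert".getBytes(StandardCharsets.US_ASCII);
        byte[] mitmCert       = "CONSTRUCTED-DER-attacker-cert".getBytes(StandardCharsets.US_ASCII);

        // Direct connection: the client saw the genuine certificate.
        boolean direct = serverAccepts(realServerCert, clientToken(realServerCert));

        // Socially engineered MITM: the user clicked through a certificate
        // warning, so the client's TLS session ends at the attacker, who relays
        // the Negotiate/Kerberos exchange to the real server. The credentials
        // are genuine, but the binding the client computed is the attacker's.
        boolean relayed = serverAccepts(realServerCert, clientToken(mitmCert));

        if (!direct || relayed) {
            throw new AssertionError("channel binding check did not behave as expected");
        }
        System.out.println("direct connection accepted, relayed connection rejected");
        System.out.println("client CBT (hex): "
                + HexFormat.of().formatHex(clientToken(realServerCert)));
    }
}
```

Run it with `java ChannelBindingDemo.java` on JDK 17 (it uses `java.util.HexFormat`, which arrived in 17). In the real JDK the binding is not sent as a bare byte string; it is carried in the GSS-API channel bindings that the Kerberos mechanism covers with the AP-REQ authenticator checksum, so the server-side comparison happens inside the GSS layer. To turn the feature on for `HttpsURLConnection`, set the property documented on the page linked above before the connection is opened, for example `-Djdk.https.negotiate.cbt=always` (or a `domain:` list); the default is `never`. Note the limit of the technique: it catches the case where the client was talked into trusting a certificate that is not the server's, not a MITM who holds the server's own private key and can present the genuine certificate.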
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 22 2022 Andrew Hughes - 1:17.0.4.0.8-1
- Update to jdk-17.0.3.0+8
- Update release notes to 17.0.3.0+8
- Switch to GA mode for release
- Exclude x86 where java_arches is undefined, in order to unbreak build
* Fri Jul 22 2022 Jiri Vanek - 1:17.0.4.0.7-0.3.ea
- moved to build only on %{java_arches}
--   https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
- reverted :
-- Rebuilt for   https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
-- Replaced binaries and .so files with bash-stubs on i686
- added ExclusiveArch: %{java_arches}
-- this now excludes i686
-- this is safely backport-able to older fedoras, as the macro was backported properly (with i686 included)
-   https://bugzilla.redhat.com/show_bug.cgi?id=2104128
* Thu Jul 21 2022 Fedora Release Engineering - 1:17.0.4.0.7-0.2.ea.1
- Rebuilt for   https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Jul 19 2022 Andrew Hughes - 1:17.0.4.0.7-0.2.ea
- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
* Sat Jul 16 2022 Andrew Hughes - 1:17.0.4.0.7-0.1.ea
- Update to jdk-17.0.3.0+7
- Update release notes to 17.0.3.0+7
- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
* Thu Jul 14 2022 Andrew Hughes - 1:17.0.4.0.1-0.5.ea
- Explicitly require crypto-policies during build and runtime for system security properties
* Thu Jul 14 2022 Jiri Vanek - 1:17.0.4.0.1-0.4.ea
- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
-   https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
* Thu Jul 14 2022 FeRD (Frank Dana) - 1:17.0.4.0.1-0.3.ea
- Add javaver- and origin-specific javadoc and javadoczip alternatives.
* Thu Jul 14 2022 Andrew Hughes - 1:17.0.4.0.1-0.2.ea
- Make use of the vendor version string to store our version & release rather than an upstream release date
- Include a test in the RPM to check the build has the correct vendor information.
* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
- Add proper quoting so '&' is not treated as a special character by the shell.
* Mon Jul 11 2022 Andrew Hughes - 1:17.0.4.0.1-0.1.ea
- Update to jdk-17.0.4.0+1
- Update release notes to 17.0.4.0+1
- Switch to EA mode for 17.0.4 pre-release builds.
- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
- Print release file during build, which should now include a correct SOURCE value from .src-rev
- Update tarball script with IcedTea GitHub URL and .src-rev generation
- Include script to generate bug list for release notes
- Update tzdata requirement to 2022a to match JDK-8283350
- Move EA designator check to prep so failures can be caught earlier
- Make EA designator check non-fatal while upstream is not maintaining it
* Thu Jul 7 2022 Andrew Hughes - 1:17.0.3.0.7-7
- Fix whitespace in spec file
* Thu Jul 7 2022 Andrew Hughes - 1:17.0.3.0.7-7
- Sequence spec file sections as they are run by rpmbuild (build, install then test)
* Tue Jul 5 2022 Andrew Hughes - 1:17.0.3.0.7-7
- Turn on system security properties as part of the build's install section
- Move cacerts replacement to install section and retain original of this and tzdb.dat
- Run tests on the installed image, rather than the build image
- Introduce variables to refer to the static library installation directories
- Use relative symlinks so they work within the image
- Run debug symbols check during build stage, before the install strips them
* Fri Jul 1 2022 Stephan Bergmann - 1:17.0.3.0.7-6
- Fix flatpak builds by exempting them from bootstrap
* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-5
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
* Mon Jun 27 2022 Stephan Bergmann - 1:17.0.3.0.7-4
- Fix flatpak builds (catering for their uncompressed manual pages)
* Wed Jun 22 2022 Andrew Hughes - 1:17.0.3.0.7-3
- Update FIPS support to bring in latest changes
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-34584d4257' at the command
line. For more information, refer to the dnf documentation available at
  http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
  https://fedoraproject.org/keys
--------------------------------------------------------------------------------