July 2020 OpenJDK security update for OpenJDK 8.

Full release notes: https://bitly.com/oj8u262

New features

Security fixes

  • JDK-8028431, CVE-2020-14579: NullPointerException in DerValue.equals(DerValue)
  • JDK-8028591, CVE-2020-14578: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()
  • JDK-8230613: Better ASCII conversions
  • JDK-8231800: Better listing of arrays
  • JDK-8232014: Expand DTD support
  • JDK-8233255: Better Swing Buttons
  • JDK-8234032: Improve basic calendar services
  • JDK-8234042: Better factory production of certificates
  • JDK-8234418: Better parsing with CertificateFactory
  • JDK-8234836: Improve serialization handling
  • JDK-8236191: Enhance OID processing
  • JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
  • JDK-8237592, CVE-2020-14577: Enhance certificate verification
  • JDK-8238002, CVE-2020-14581: Better matrix operations
  • JDK-8238804: Enhance key handling process
  • JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
  • JDK-8238843: Enhanced font handing
  • JDK-8238920, CVE-2020-14583: Better Buffer support
  • JDK-8238925: Enhance WAV file playback
  • JDK-8240119, CVE-2020-14593: Less Affine Transformations
  • JDK-8240482: Improved WAV file playback
  • JDK-8241379: Update JCEKS support
  • JDK-8241522: Manifest improved jar headers redux
  • JDK-8242136, CVE-2020-14621: Better XML namespace handling

JDK-8240687: JDK Flight Recorder Integrated to OpenJDK 8u

OpenJDK 8u now contains the backport of JEP 328: Flight Recorder (https://openjdk.java.net/jeps/328) from later versions of OpenJDK.

JFR is a low-overhead framework for collecting and exposing data that helps troubleshoot the performance of the OpenJDK runtime and of Java applications. It consists of a new API for defining custom events under the jdk.jfr namespace and a JMX interface for interacting with the framework. A recording can also be started together with the application using the -XX:+FlightRecorder flag or via jcmd. JFR replaces the -XX:+EnableTracing feature introduced in JEP 167, providing a more efficient way to retrieve the same information. For compatibility reasons, -XX:+EnableTracing is still accepted, but no data will be printed.

While JFR is not built by default upstream, it is included in the Fedora binaries for the supported architectures (x86_64, AArch64 and PowerPC 64).
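As an added illustration of the jdk.jfr API described above (example code, not part of the release notes or of OpenJDK itself), the following defines a custom audit event, records one instance programmatically, and reads it back from the dumped file. The event name "example.AuthFailure" and the field values are hypothetical.

```java
import jdk.jfr.Event;
import jdk.jfr.Label;
import jdk.jfr.Name;
import jdk.jfr.Recording;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;
import java.nio.file.Files;
import java.nio.file.Path;

public class JfrAuditDemo {
    // Custom event type under the jdk.jfr API; the name is hypothetical.
    @Name("example.AuthFailure")
    @Label("Authentication Failure")
    static class AuthFailureEvent extends Event {
        @Label("Principal") String principal;
        @Label("Source")    String source;
    }

    public static void main(String[] args) throws Exception {
        Path out = Files.createTempFile("audit", ".jfr");

        // Start a recording from code rather than via -XX:StartFlightRecording.
        try (Recording rec = new Recording()) {
            rec.enable(AuthFailureEvent.class).withStackTrace();
            rec.start();

            // Emit one constructed event; commit() only writes it if enabled.
            AuthFailureEvent e = new AuthFailureEvent();
            e.principal = "svc-backup";   // constructed sample value
            e.source = "10.0.0.5";        // constructed sample value
            e.commit();

            rec.stop();
            rec.dump(out);
        }

        // Read the recording back and print only our custom events.
        try (RecordingFile rf = new RecordingFile(out)) {
            while (rf.hasMoreEvents()) {
                RecordedEvent ev = rf.readEvent();
                if ("example.AuthFailure".equals(ev.getEventType().getName())) {
                    System.out.println(ev.getStartTime() + " " + ev.getString("principal")
                            + " from " + ev.getString("source"));
                }
            }
        }
    }
}
```

On OpenJDK 8u262 the jdk.jfr classes live in rt.jar, so this compiles and runs with a plain javac/java invocation on a build that includes JFR.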

JDK-8205622: JFR Start Failure After AppCDS Archive Created with JFR StartFlightRecording

JFR will be disabled with a warning message if it is enabled during CDS dumping. The user will see the following warning message:

OpenJDK 64-Bit Server VM warning: JFR will be disabled during CDS dumping

if JFR is enabled during CDS dumping such as in the following command line:

$ java -Xshare:dump -XX:StartFlightRecording=dumponexit=true

JDK-8244167: Removal of Comodo Root CA Certificate

The following expired Comodo root CA certificate was removed from the cacerts keystore:

alias name "addtrustclass1ca [jdk]"

Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE

JDK-8244166: Removal of DocuSign Root CA Certificate

The following expired DocuSign root CA certificate was removed from the cacerts keystore:

alias name "keynectisrootca [jdk]"

Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR

JDK-8240191: Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database

The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Prior to this change, the SunPKCS11 provider would throw a RuntimeException with the message: "FIPS flag set for non-internal module" when such a library was configured for NSS in non-FIPS mode.

This change allows the JDK to work properly with recent NSS releases on GNU/Linux operating systems when the system-wide FIPS policy is turned on.

Further information can be found in JDK-8238555.

How to install

sudo dnf upgrade --advisory=FEDORA-2020-508df53719

This update has been submitted for testing by ahughes.

2 months ago

This update's test gating status has been changed to 'ignored'.

2 months ago

This update's test gating status has been changed to 'waiting'.

2 months ago

This update's test gating status has been changed to 'ignored'.

2 months ago

This update has been pushed to testing.

2 months ago

This update can be pushed to stable now if the maintainer wishes

2 months ago

This update has been submitted for stable by bodhi.

2 months ago

This update has been pushed to stable.

2 months ago


Metadata
Type
security
Severity
high
Karma
0
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
7 days
Dates
submitted
2 months ago
in testing
2 months ago
in stable
2 months ago
