Security: Multiple issues in java-11-openjdk
Name: Multiple issues in java-11-openjdk
ID: FEDORA-2021-35145352b0
Distribution: Fedora
Platforms: Fedora 34
Date: Mon, 25 October 2021, 19:57
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35603
Applications: OpenJDK


Fedora Update Notification
2021-10-25 15:13:36.975490

Name : java-11-openjdk
Product : Fedora 34
Version :
Release : 1.fc34
URL : http://openjdk.java.net/
Summary : OpenJDK 11 Runtime Environment
Description :
The OpenJDK 11 runtime environment.

Update Information:

# New in release OpenJDK 11.0.13 (2021-10-19)

Live versions of these release notes can be found at:

* https://bitly.com/openjdk11013
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.13.txt

## Security fixes

- JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference
- JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close
- JDK-8263314: Enhance XML Dsig modes
- JDK-8265167, CVE-2021-35556: Richer Text Editors - Improve handling of sheets
- JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
- JDK-8265776: Improve Stream handling for SSL
- JDK-8266097, CVE-2021-35561: Better hashing support
- JDK-8266103: Better specified spec values
- JDK-8266109: More Resilient Classloading
- JDK-8266115: More Manifest Jar Loading
- JDK-8266137, CVE-2021-35564: Improve Keystore
- JDK-8266689, CVE-2021-35567: More Constrained Delegation
- JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic
- JDK-8267712: Better LDAP reference processing
- JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
- JDK-8267735, CVE-2021-35586: Better BMP support
- JDK-8268193: Improve requests of certificates
- JDK-8268199: Correct certificate requests
- JDK-8268205: Enhance DTLS client handshake
- JDK-8268506: More Manifest Digests
- JDK-8269618, CVE-2021-35603: Better session identification
- JDK-8269624: Enhance method selection support
- JDK-8270398: Enhance canonicalization
- JDK-8270404: Better canonicalization

## Major Changes

* [JDK-8271434](https://bugs.openjdk.java.net/browse/JDK-8271434): Removed IdenTrust Root Certificate
* [JDK-8261922](https://bugs.openjdk.java.net/browse/JDK-8261922): Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280
* [JDK-8210799](https://bugs.openjdk.java.net/browse/JDK-8210799): ChaCha20 and Poly1305 TLS Cipher Suites
* [JDK-8219551](https://bugs.openjdk.java.net/browse/JDK-8219551): Updated the Default Enabled Cipher Suites Preference

## FIPS Mode Changes

- The provider in FIPS mode will now eagerly login to the NSS software token on initialisation
- `keytool` in FIPS mode now supports importing plain private keys by the provider adding them to the NSS database. This can be disabled

* Wed Oct 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:
- Update to jdk-
- Update release notes to
- Update tarball generation script to use git following OpenJDK 11u's move
to github
- Remove "-clean" suffix as no 11.0.13 builds are unclean.
- Drop JDK-8269668 patch which is now applied upstream.
- Extend the default security policy to accommodate PKCS11 accessing
- Allow plain key import to be disabled with
- Restructure the build so a minimal initial build is then used for the final
build (with docs)
- This reduces pressure on the system JDK and ensures the JDK being built can
do a full build
* Tue Oct 5 2021 Martin Balao <mbalao@redhat.com> - 1:
- Add patch to login to the NSS software token when in FIPS mode.
- Add patch to allow plain key import.
* Thu Sep 2 2021 Jiri Vanek <jvanek@redhat.com> - 1:
- Added posttrans hook which persist sanity of dir->symlink change in case
of update from ancient versions
- Minor cosmetic improvements to make spec more comparable between variants
* Tue Aug 31 2021 Jiri Vanek <jvanek@redhat.com> - 1:
- alternatives creation moved to posttrans
- Thus fixing the old reinstall issue:
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
* Mon Aug 9 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:
- Remove non-Free test from source tarball.
* Wed Jul 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:
- Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668)
- Resolves: rhbz#1977671
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> -
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jul 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:
- Update to jdk-
- Update release notes to
- Switch to GA mode for final release.
* Thu Jul 8 2021 Andrew Hughes <gnu.andrew@redhat.com> -
- Update to jdk-
- Update release notes to
- Correct bug ID JDK-8264846 to intended ID of JDK-8264848
- Switch to EA mode for 11.0.12 pre-release builds.
- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed)
- Use the "reverse" build loop (debug first) as the main and only build
loop to get more diagnostics.
- Remove restriction on disabling product build, as debug packages no longer
have javadoc packages.
* Tue Jun 8 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:
- Minor code cleanups on FIPS detection patch and check for
SECMOD_GetSystemFIPSEnabled in configure.
- Remove unneeded Requires on NSS as it will now be dynamically linked and
detected by RPM.
* Tue Jun 8 2021 Martin Balao <mbalao@redhat.com> - 1:
- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK
* Wed Jun 2 2021 Andrew John Hughes <gnu.andrew@redhat.com> -
- Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-"
and the name in the config file.
- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with
- No need to substitute path to nss.fips.cfg as java.security file supports a
java.home variable.
- Disable FIPS mode support unless com.redhat.fips is set to "true".
- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false
to disable).
- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it
always occurs (RH1915071)
- Resolves: rhbz#1830090
* Wed Jun 2 2021 Martin Balao <mbalao@redhat.com> - 1:
- Support the FIPS mode crypto policy (RH1655466)
- Use appropriate keystore types when in FIPS mode (RH1818909)
- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in
use (RH1860986)
- Resolves: rhbz#1830090

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-35145352b0' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at