--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-ae563934f7
2022-08-03 01:26:39.353815
--------------------------------------------------------------------------------

Name        : java-11-openjdk
Product     : Fedora 36
Version     : 11.0.16.0.8
Release     : 1.fc36
URL         : http://openjdk.java.net/
Summary     : OpenJDK 11 Runtime Environment
Description :
The OpenJDK 11 runtime environment.

--------------------------------------------------------------------------------
Update Information:

# New in release OpenJDK 11.0.16 (2022-07-19)

* The release announcement can be found at https://bit.ly/openjdk11016
* Full release details can be found at https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.txt

## Security fixes

- JDK-8277608: Address IP Addressing
- JDK-8272243: Improve DER parsing
- JDK-8272249: Better properties of loaded Properties
- JDK-8281859, CVE-2022-21540: Improve class compilation
- JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
- JDK-8283190: Improve MIDI processing
- JDK-8284370: Improve zlib usage
- JDK-8285407, CVE-2022-34169: Improve Xalan supports

## FIPS Changes

* [RH2007331](https://bugzilla.redhat.com/show_bug.cgi?id=2007331): SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
* [RH2036462](https://bugzilla.redhat.com/show_bug.cgi?id=2036462): sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
* [RH2090378](https://bugzilla.redhat.com/show_bug.cgi?id=2090378): Revert to disabling system security properties and FIPS mode support together
* Depend on `crypto-policies` package at build-time and run-time

## Other Changes

* Add javaver- and origin-specific javadoc and javadoczip alternatives (thanks to FeRD (Frank Dana) ferdnyc@gmail.com)

## JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos

Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through `javax.net.HttpsURLConnection`.

Channel binding tokens are increasingly required as an enhanced form of security which can mitigate certain kinds of socially engineered, man-in-the-middle (MITM) attacks. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shut down the session/connection.

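How a token of this kind can be derived from the server certificate, and how a mismatch shows up, as an added example that is not part of the Fedora advisory or the OpenJDK sources. It assumes the `tls-server-end-point` binding type of RFC 5929 (the advisory names no binding type); the class name, method names and certificate byte strings are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Locale;

// Added illustration; class and method names are hypothetical, not JDK APIs.
public class ChannelBindingSketch {

    // RFC 5929 section 4.1: use the hash of the certificate's signature
    // algorithm, but replace MD5 and SHA-1 with SHA-256.
    static String bindingHash(String sigAlgName) {
        String upper = sigAlgName.toUpperCase(Locale.ROOT);
        int with = upper.indexOf("WITH");
        if (with <= 0) { // e.g. RSASSA-PSS, Ed25519: RFC 5929 leaves this undefined
            throw new IllegalArgumentException("no single hash in " + sigAlgName);
        }
        String hash = upper.substring(0, with);
        switch (hash) {
            case "MD5":
            case "SHA1":
            case "SHA256": return "SHA-256";
            case "SHA384": return "SHA-384";
            case "SHA512": return "SHA-512";
            default: throw new IllegalArgumentException("unsupported hash " + hash);
        }
    }

    // Channel binding data: the ASCII prefix followed by the certificate hash.
    static byte[] endPointBinding(byte[] certDer, String sigAlgName)
            throws NoSuchAlgorithmException {
        byte[] prefix = "tls-server-end-point:".getBytes(StandardCharsets.US_ASCII);
        byte[] digest = MessageDigest.getInstance(bindingHash(sigAlgName)).digest(certDer);
        byte[] out = Arrays.copyOf(prefix, prefix.length + digest.length);
        System.arraycopy(digest, 0, out, prefix.length, digest.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for DER-encoded certificates (not real certificates).
        byte[] serverCert = "constructed: real server cert".getBytes(StandardCharsets.US_ASCII);
        byte[] proxyCert = "constructed: intercepting proxy cert".getBytes(StandardCharsets.US_ASCII);

        byte[] expected = endPointBinding(serverCert, "SHA256withRSA"); // server's own view
        byte[] direct = endPointBinding(serverCert, "SHA256withRSA");   // client connected directly
        byte[] relayed = endPointBinding(proxyCert, "SHA256withRSA");   // client saw another cert

        System.out.println("direct client accepted:  " + MessageDigest.isEqual(expected, direct));
        System.out.println("relayed client accepted: " + MessageDigest.isEqual(expected, relayed));
    }
}
```

In a real deployment the binding travels inside the Kerberos/GSS exchange rather than being compared as raw bytes; the direct comparison here stands in for the server's check.
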
The feature is controlled through a new system property `jdk.https.negotiate.cbt` which is described fully at the following page:

https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt

## JDK-8278386: Default JDK compressor will be closed when IOException is encountered

`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods have been modified to close out the associated default JDK compressor before propagating a `Throwable` up the stack. `ZipOutputStream.closeEntry()` method has been modified to close out the associated default JDK compressor before propagating an `IOException`, not of type `ZipException`, up the stack.

## JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element

`java.util.Vector` is updated to correctly report `ClassNotFoundException` that occurs during deserialization using `java.io.ObjectInputStream.GetField.get(name, object)` when the class of an element of the Vector is not found. Without this fix, a `StreamCorruptedException` is thrown that does not provide information about the missing class.

--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 22 2022 Andrew Hughes gnu.andrew@redhat.com - 1:11.0.16.0.8-1
- Update to jdk-11.0.16+8
- Update release notes to 11.0.16+8
- Switch to GA mode for release
- Exclude x86 where java_arches is undefined, in order to unbreak build

* Fri Jul 22 2022 Jiri Vanek gnu.andrew@redhat.com - 1:11.0.16.0.7-0.4.ea
- moved to build only on %{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
- reverted :
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
-- Replaced binaries and .so files with bash-stubs on i686
- added ExclusiveArch: %{java_arches}
-- this now excludes i686
-- this is safely backport-able to older fedoras, as the macro was backported properly (with i686 included)
- https://bugzilla.redhat.com/show_bug.cgi?id=2104126

* Thu Jul 21 2022 Fedora Release Engineering releng@fedoraproject.org - 1:11.0.16.0.7-0.3.ea.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

* Mon Jul 18 2022 Andrew Hughes gnu.andrew@redhat.com - 1:11.0.16.0.7-0.3.ea
- Try to build on x86 again by creating a husk of a JDK which does not depend on itself

* Sun Jul 17 2022 Andrew Hughes gnu.andrew@redhat.com - 1:11.0.16.0.7-0.2.ea
- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable

* Thu Jul 14 2022 Andrew Hughes gnu.andrew@redhat.com - 1:11.0.16.0.7-0.1.ea
- Update to jdk-11.0.16+7
- Update release notes to 11.0.16+7
- Switch to EA mode for 11.0.16 pre-release builds.
- Use same tarball naming style as java-17-openjdk and java-latest-openjdk
- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
- Drop JDK-8257794 patch now upstreamed
- Print release file during build, which should now include a correct SOURCE value from .src-rev
- Update tarball script with IcedTea GitHub URL and .src-rev generation
- Use "git apply" with patches in the tarball script to allow binary diffs
- Include script to generate bug list for release notes
- Update tzdata requirement to 2022a to match JDK-8283350

* Thu Jul 14 2022 Jiri Vanek jvanek@redhat.com - 1:11.0.16.0.7-0.1.ea
- Add additional patch during tarball generation to align tests with ECC changes

* Thu Jul 14 2022 Andrew Hughes gnu.andrew@redhat.com - 1:11.0.15.0.10-7
- Explicitly require crypto-policies during build and runtime for system security properties

* Thu Jul 14 2022 Jiri Vanek jvanek@redhat.com - 1:11.0.15.0.10-6
- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs

* Thu Jul 14 2022 FeRD (Frank Dana) ferdnyc@gmail.com - 1:11.0.15.0.10-5
- Add javaver- and origin-specific javadoc and javadoczip alternatives.

* Thu Jul 14 2022 Andrew Hughes gnu.andrew@redhat.com - 1:11.0.15.0.10-4
- Make use of the vendor version string to store our version & release rather than an upstream release date

* Thu Jul 7 2022 Andrew Hughes gnu.andrew@redhat.com - 1:11.0.15.0.10-3
- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on

* Thu Jun 30 2022 Francisco Ferrari Bihurriet fferrari@redhat.com - 1:11.0.15.0.10-2
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode

--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-ae563934f7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------