[ALSA-2021:3893] Important: java-1.8.0-openjdk security and bug fix update
Type:
security
Severity:
important
Release date:
2021-11-12
Description:
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):
* OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565)
* OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-35567)
* OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210) (CVE-2021-35550)
* OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167) (CVE-2021-35556)
* OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580) (CVE-2021-35559)
* OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561)
* OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137) (CVE-2021-35564)
* OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729) (CVE-2021-35578)
* OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735) (CVE-2021-35586)
* OpenJDK: Incomplete validation of inner class references in ClassFileParser (Hotspot, 8268071) (CVE-2021-35588)
* OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618) (CVE-2021-35603)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):
* Previously, OpenJDK's FIPS mode would be enabled if it detected that the system crypto policy was set to FIPS. This meant that containers running on a FIPS mode kernel would not enable FIPS mode without the crypto policy being changed. With this update, OpenJDK queries the NSS library as to whether FIPS mode is active or not. (RHBZ#2014201)
* The use of the NSS FIPS mode by OpenJDK requires the JDK to log in to the NSS software token. Previously, this happened indirectly as part of some crypto operations, but not others. With this update, the JDK logs in to the token on initialisation. (RHBZ#2014204)
* While in FIPS mode, the NSS Software Token does not allow the import of private or secret plain keys. This caused the OpenJDK keytool application to fail when used with OpenJDK in FIPS mode. With this update, OpenJDK will now import such keys into the NSS database. This behaviour may be disabled using -Dcom.AlmaLinux.fips.plainKeySupport=false. (RHBZ#2014193)
Updated packages listed below:
Architecture Package Checksum
noarch java-1.8.0-openjdk-javadoc-zip-1.8.0.312.b07-1.el8_4.noarch.rpm 37bdf3b739c3f88d9abbffec13b7933fe8e5772a9c25e3d435a6f6f496e817c5
noarch java-1.8.0-openjdk-javadoc-1.8.0.312.b07-1.el8_4.noarch.rpm a2d282a0eb19c08591554b012e20a696b77d2f154308a41f47b908c6f9f518b3
x86_64 java-1.8.0-openjdk-slowdebug-1.8.0.312.b07-1.el8_4.x86_64.rpm 1499058f94c7d5461aeb7777a00a3551583b6070ffa37d680961c5efd12d6c11
x86_64 java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.rpm 1a12aecce70da14662e7d5300fab466cd904c7da6072bd7772aa053baacddff0
x86_64 java-1.8.0-openjdk-headless-slowdebug-1.8.0.312.b07-1.el8_4.x86_64.rpm 2e0c1a253e45e65c32a9e206b57eac84761e2b492839c8dcc6cc94ef1fdda736
x86_64 java-1.8.0-openjdk-headless-fastdebug-1.8.0.312.b07-1.el8_4.x86_64.rpm 3c9cc73490c96a8e37cc86c8231c5943ff38f5c90d86a56253dc7ed27a195e4b
x86_64 java-1.8.0-openjdk-demo-fastdebug-1.8.0.312.b07-1.el8_4.x86_64.rpm 463198c66f058d2e00dcf509f3b70d758bdce9674d7d58bbaea6cb28da9df826
x86_64 java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.312.b07-1.el8_4.x86_64.rpm 62242a0db0023586e4ee929356f4436ce618e6f3a7dc1ff52cb5928119966220
x86_64 java-1.8.0-openjdk-demo-slowdebug-1.8.0.312.b07-1.el8_4.x86_64.rpm 64a08e4f8826199ffc49916b9c064e7cffab5460190062563c404bc0ab3ec6f4
x86_64 java-1.8.0-openjdk-fastdebug-1.8.0.312.b07-1.el8_4.x86_64.rpm 8a9393053c0f068c83fb3396761d1adf5a41ce08d20f898c4c76bf933967f391
x86_64 java-1.8.0-openjdk-demo-1.8.0.312.b07-1.el8_4.x86_64.rpm 932cfeee0ec44f37188f63d04d2643699390f26e881b80904d2f44ff6996834a
x86_64 java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.312.b07-1.el8_4.x86_64.rpm 9906ccbed5e14ec48ae51bbe3c55442d569405ea8cec033bf678f76dbac0f397
x86_64 java-1.8.0-openjdk-headless-1.8.0.312.b07-1.el8_4.x86_64.rpm 9c92982fbb88fc13f8378bf71488fdc420225ea1f240e945e21ae0795aa8b02f
x86_64 java-1.8.0-openjdk-devel-1.8.0.312.b07-1.el8_4.x86_64.rpm b612ee5be7f53fe4861db752644cb4d231f86cdc710bb24cf9b37b6042f49338
x86_64 java-1.8.0-openjdk-accessibility-1.8.0.312.b07-1.el8_4.x86_64.rpm c00d2945a51eced4319cfcef21129fbec47644bf709272efb7dcf17ab454bec2
x86_64 java-1.8.0-openjdk-devel-slowdebug-1.8.0.312.b07-1.el8_4.x86_64.rpm c7b796c5705e75e8bd3d5dcdd244b501b2a7974fcc8cbd6895aa1492cbd4f315
x86_64 java-1.8.0-openjdk-src-slowdebug-1.8.0.312.b07-1.el8_4.x86_64.rpm c939aa78a376c911cb2f0d2e21ce13a2cf286cfad4becab7e9ff1430ff6a385c
x86_64 java-1.8.0-openjdk-src-1.8.0.312.b07-1.el8_4.x86_64.rpm d28433bd359f8159379e4810ecc733f4e59664003e02d6ad97f41162236a317e
x86_64 java-1.8.0-openjdk-src-fastdebug-1.8.0.312.b07-1.el8_4.x86_64.rpm dcd5af5ec5756779e3ea1196927b9366a747ee6da4f5502738999e3ad1605140
x86_64 java-1.8.0-openjdk-devel-fastdebug-1.8.0.312.b07-1.el8_4.x86_64.rpm e10f3a4c8ecd4be3161f843df458c722b6848cc5d8707303336c41ae0c46b79c
Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.