Synopsis
The remote Fedora host is missing a security update.
Description
# July 2020 OpenJDK security update for OpenJDK 8.
Full release notes: https://bitly.com/oj8u262
## New features
- [JDK-8223147](https://bugs.openjdk.java.net/browse/JDK-8223147): JFR Backport
## Security fixes
- JDK-8028431, CVE-2020-14579: NullPointerException in DerValue.equals(DerValue)
- JDK-8028591, CVE-2020-14578: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()
- JDK-8230613: Better ASCII conversions
- JDK-8231800: Better listing of arrays
- JDK-8232014: Expand DTD support
- JDK-8233255: Better Swing Buttons
- JDK-8234032: Improve basic calendar services
- JDK-8234042: Better factory production of certificates
- JDK-8234418: Better parsing with CertificateFactory
- JDK-8234836: Improve serialization handling
- JDK-8236191: Enhance OID processing
- JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
- JDK-8237592, CVE-2020-14577: Enhance certificate verification
- JDK-8238002, CVE-2020-14581: Better matrix operations
- JDK-8238804: Enhance key handling process
- JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
- JDK-8238843: Enhanced font handing
- JDK-8238920, CVE-2020-14583: Better Buffer support
- JDK-8238925: Enhance WAV file playback
- JDK-8240119, CVE-2020-14593: Less Affine Transformations
- JDK-8240482: Improved WAV file playback
- JDK-8241379: Update JCEKS support
- JDK-8241522: Manifest improved jar headers redux
- JDK-8242136, CVE-2020-14621: Better XML namespace handling
## [JDK-8240687](https://bugs.openjdk.java.net/browse/JDK-8240687): JDK Flight Recorder Integrated to OpenJDK 8u
OpenJDK 8u now contains the backport of JEP 328: Flight Recorder (https://openjdk.java.net/jeps/328) from later versions of OpenJDK.
JFR is a low-overhead framework to collect and provide data helpful to troubleshoot the performance of the OpenJDK runtime and of Java applications. It consists of a new API to define custom events under the jdk.jfr namespace and a JMX interface to interact with the framework. A recording can also be started at application startup using the -XX:+FlightRecorder flag or at run time via jcmd. JFR replaces the -XX:+EnableTracing feature introduced in JEP 167, providing a more efficient way to retrieve the same information. For compatibility reasons, -XX:+EnableTracing is still accepted, but no data will be printed.
While JFR is not built by default upstream, it is included in Fedora binaries for supported architectures (x86_64, AArch64 and PowerPC 64).
## [JDK-8205622](https://bugs.openjdk.java.net/browse/JDK-8205622): JFR Start Failure After AppCDS Archive Created with JFR StartFlightRecording
JFR will be disabled with a warning message if it is enabled during CDS dumping, for example with the following command line:
$ java -Xshare:dump -XX:StartFlightRecording=dumponexit=true
In that case the user will see the following warning:
OpenJDK 64-Bit Server VM warning: JFR will be disabled during CDS dumping
## [JDK-8244167](https://bugs.openjdk.java.net/browse/JDK-8244167): Removal of Comodo Root CA Certificate
The following expired Comodo root CA certificate was removed from the `cacerts` keystore:
- alias name 'addtrustclass1ca [jdk]'
- Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
## [JDK-8244166](https://bugs.openjdk.java.net/browse/JDK-8244166): Removal of DocuSign Root CA Certificate
The following expired DocuSign root CA certificate was removed from the `cacerts` keystore:
- alias name 'keynectisrootca [jdk]'
- Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
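The two root-removal notes above are easy to verify on a host after the update: the aliases 'addtrustclass1ca [jdk]' and 'keynectisrootca [jdk]' should no longer appear in the JDK's `cacerts` keystore. The following POSIX shell script is an added example, not code from the Fedora update or from Tenable. It parses the output of `keytool -list` and reports any of the removed aliases that are still present; the `check_cacerts` helper and the sample listing are constructed for illustration, and the script assumes `keytool` is on PATH and that the keystore uses the default password `changeit`.

```shell
#!/bin/sh
# Added example: confirm the expired roots named in JDK-8244167 and
# JDK-8244166 are absent from a cacerts keystore.

# Aliases removed by this update (from the release notes above).
REMOVED_ALIASES="addtrustclass1ca keynectisrootca"

# list_aliases: read `keytool -list` output on stdin and print one alias
# per line. keytool prints entries as "<alias>, <date>, trustedCertEntry, ".
list_aliases() {
    sed -n 's/^\([^,][^,]*\), .*trustedCertEntry.*/\1/p'
}

# removed_roots_present: read an alias list (one per line) on stdin.
# Prints each removed alias that is still present and returns 0 if any
# was found, 1 if the keystore is clean.
removed_roots_present() {
    found=1
    aliases=$(cat)
    for a in $REMOVED_ALIASES; do
        if printf '%s\n' "$aliases" | grep -qx "$a \[jdk\]"; then
            echo "still present: $a [jdk]"
            found=0
        fi
    done
    return $found
}

# check_cacerts <path>: run the check against a real keystore, e.g.
#   check_cacerts /usr/lib/jvm/jre-1.8.0-openjdk/lib/security/cacerts
# (assumed path; locate it with `readlink -f "$(command -v java)"`).
check_cacerts() {
    keytool -list -keystore "$1" -storepass changeit 2>/dev/null \
        | list_aliases | removed_roots_present
}

# Constructed sample of `keytool -list` output from a pre-update keystore;
# fingerprints are placeholders, not real values.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

addtrustclass1ca [jdk], Jul 18, 2019, trustedCertEntry, 
Certificate fingerprint (SHA-256): 00:11:22:33
digicertglobalrootca [jdk], Jul 18, 2019, trustedCertEntry, 
Certificate fingerprint (SHA-256): 44:55:66:77'

# Demonstration on the constructed sample: reports the AddTrust root.
printf '%s\n' "$SAMPLE_LISTING" | list_aliases | removed_roots_present \
    || echo "no removed roots present"
```

The parser only looks at lines containing `trustedCertEntry`, so headers and fingerprint lines are ignored, and the alias match is anchored with `grep -x` so that a longer alias containing the same prefix does not produce a false positive.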
## [JDK-8240191](https://bugs.openjdk.java.net/browse/JDK-8240191): Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database
The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Prior to this change, the SunPKCS11 provider would throw a RuntimeException with the message 'FIPS flag set for non-internal module' when such a library was configured for NSS in non-FIPS mode.
This change allows the JDK to work properly with recent NSS releases on GNU/Linux operating systems when the system-wide FIPS policy is turned on.
Further information can be found in [JDK-8238555](https://bugs.openjdk.java.net/browse/JDK-8238555).
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Update the affected 1:java-1.8.0-openjdk package.
Plugin Details
File Name: fedora_2020-e418151dc3.nasl
Agent: unix
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:fedoraproject:fedora:1:java-1.8.0-openjdk, cpe:/o:fedoraproject:fedora:32
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 7/23/2020
Vulnerability Publication Date: 7/15/2020