Read Time:2 Minute, 17 Second
FEDORA-2023-585aca2233
Packages in this update:
java-17-openjdk-17.0.6.0.10-1.fc37
Update description:
CVEs Fixed
CVE-2023-21835
CVE-2023-21843
Security Fixes
JDK-8286070: Improve UTF8 representation
JDK-8286496: Improve Thread labels
JDK-8287411: Enhance DTLS performance
JDK-8288516: Enhance font creation
JDK-8289350: Better media supports
JDK-8293554: Enhanced DH Key Exchanges
JDK-8293598: Enhance InetAddress address handling
JDK-8293717: Objective view of ObjectView
JDK-8293734: Improve BMP image handling
JDK-8293742: Better Banking of Sounds
JDK-8295687: Better BMP bounds
Major Changes
JDK-8295687: Better BMP bounds
Loading a linked ICC profile within a BMP image is now disabled by default. To re-enable it, set the new system property
sun.imageio.bmp.enabledLinkedProfiles to true. This new property replaces the old property, sun.imageio.plugins.bmp.disableLinkedProfiles.
JDK-8293742: Better Banking of Sounds
Previously, the SoundbankReader implementation, com.sun.media.sound.JARSoundbankReader, would download a JAR soundbank from a URL. This behaviour is now disabled by default. To re-enable it, set the new system property jdk.sound.jarsoundbank to true.
JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set
Back in OpenJDK 9, JDK-8015081 changed the Set implementation used to hold principals and credentials so that it rejected null values. Attempts to call add(null), contains(null) or remove(null) were changed to throw a NullPointerException.
However, the logout() methods in the LoginModule implementations within the JDK were not updated to check for null values, which may occur in the event of a failed login. As a result, a logout() call may throw a NullPointerException.
The LoginModule implementations have now been updated with such checks and an implementation note added to the specification to suggest that the same change is made in third party modules. Developers of third party modules are advised to verify that their logout() method does not throw a NullPointerException.
JDK-8287411: Enhance DTLS performance
The JDK now exchanges DTLS cookies for all handshakes, new and resumed. The previous behaviour can be re-enabled by setting the new system property jdk.tls.enableDtlsResumeCookie to false.
FIPS Changes
Previous releases hardcoded the NSS database password used in FIPS mode to be the empty string, preventing the use of databases which had another PIN set. This release now allows both the database location and its PIN to be configured using the properties fips.nssdb.path and fips.nssdb.pin respectively. The properties can be set either permanently in the java.security file or at runtime using the -Dfips.nssdb.path or -Dfips.nssdb.pin arguments to the JVM. The default values of both remain as before.
