The following Fedora EPEL 8 Security updates need testing: Age URL 3 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-f89c59b568 botan2-2.12.1-4.el8 0 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-742db3f554 rpki-client-7.5-1.el8 The following builds have been pushed to Fedora EPEL 8 updates-testing beakerlib-1.28-1.el8 fedpkg-1.41-2.el8 java-latest-openjdk-17.0.1.0.12-3.rolling.el8 perl-DBD-Firebird-1.33-1.el8 singularity-3.8.4-1.el8 waiverdb-1.4.0-1.el8 Details about builds: ================================================================================ beakerlib-1.28-1.el8 (FEDORA-EPEL-2021-5572ddf950) A shell-level integration testing library -------------------------------------------------------------------------------- Update Information: - cleanup rlRun_LOG files at rlJournalEnd - close journal in rlDie - generate journal.xml at that moment - implemented functions rlIsOS, rlIsOSLike, rlIsOSVersion, and rlIsRHELLike - rlAssertRequired can now handle versioned dependencies - new functions rlCheckRerquired, rlCheckRecommended, and rlCheckDependencies -------------------------------------------------------------------------------- ChangeLog: * Tue Nov 9 2021 Dalibor Pospisil <dapospis@xxxxxxxxxx> - 1.28-1 - cleanup rlRun_LOG files at rlJournalEnd - close journal in rlDie - generate journal.xml at that moment - implemented functions rlIsOS, rlIsOSLike, rlIsOSVersion, and rlIsRHELLike - rlAssertRequired can now handle versioned dependencies - new functions rlCheckRerquired, rlCheckRecommended, and rlCheckDependencies -------------------------------------------------------------------------------- ================================================================================ fedpkg-1.41-2.el8 (FEDORA-EPEL-2021-05b2056bdb) Fedora utility for working with dist-git -------------------------------------------------------------------------------- Update Information: Allow branch requests for epel9-next. -------------------------------------------------------------------------------- ChangeLog: * Mon Nov 8 2021 Carl George <carl@george.computer> - 1.41-2 - Allow branch requests for epel9-next -------------------------------------------------------------------------------- ================================================================================ java-latest-openjdk-17.0.1.0.12-3.rolling.el8 (FEDORA-EPEL-2021-a21f8fb6c8) OpenJDK 17 Runtime Environment -------------------------------------------------------------------------------- Update Information: New in release OpenJDK 17.0.1 (2021-10-19): =========================================== Live versions of these release notes can be found at: * https://builds.shipilev.net/backports- monitor/release-notes-17.0.1.txt Security fixes - JDK-8263314: Enhance XML Dsig modes - JDK-8265167, CVE-2021-35556: Richer Text Editors - JDK-8265574: Improve handling of sheets - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit - JDK-8265776: Improve Stream handling for SSL - JDK-8266097, CVE-2021-35561: Better hashing support - JDK-8266103: Better specified spec values - JDK-8266109: More Resilient Classloading - JDK-8266115: More Manifest Jar Loading - JDK-8266137, CVE-2021-35564: Improve Keystore integrity - JDK-8266689, CVE-2021-35567: More Constrained Delegation - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic - JDK-8267712: Better LDAP reference processing - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking - JDK-8267735, CVE-2021-35586: Better BMP support - JDK-8268193: Improve requests of certificates - JDK-8268199: Correct certificate requests - JDK-8268205: Enhance DTLS client handshake - JDK-8268500: Better specified ParameterSpecs - JDK-8268506: More Manifest Digests - JDK-8269618, CVE-2021-35603: Better session identification - JDK-8269624: Enhance method selection support - JDK-8270398: Enhance canonicalization - JDK-8270404: Better canonicalization Other changes - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certi fication/QuoVadisCA.java fails, Certificate has been revoked - JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" - JDK-8263531: Remove unused buffer int - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance - JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms - JDK-8269297: Bump version numbers for JDK 17.0.1 - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events - JDK-8269763: The JEditorPane is blank after JDK-8265167 - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers - JDK-8269882: stack-use-after-scope in NewObjectA - JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags - JDK-8270094: Shenandoah: Provide human-readable labels for test configurations - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode - JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross- Realm Setup - JDK-8270280: security/infra/java/security/cert/CertPathValidator /certification/LetsEncryptCA.java OCSP response error - JDK-8270344: Session resumption errors - JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added - JDK-8271276: C2: Wrong JVM state used for receiver null check - JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4 - JDK-8271589: fatal error with variable shift count integer rotate operation. - JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java - JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests - JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj - JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertP athValidator/certification/BuypassCA.java no longer needs ocspEnabled - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed - JDK-8273358: macOS Monterey does not have the font Times needed by Serif Notes on individual issues: =========================== security- libs/java.security: JDK-8271434: Removed IdenTrust Root Certificate ---------------------------------------------------------------------- The following root certificate from IdenTrust has been removed from the `cacerts` keystore: Alias Name: identrustdstx3 [jdk] Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. -------------------------------------------------------------------------------- ChangeLog: * Fri Nov 5 2021 Andrew Hughes <gnu.andrew@xxxxxxxxxx> - 1:17.0.0.0.35-3.rolling - Patch syslookup.c so it actually has some code to be compiled into libsyslookup - Related: rhbz#2013846 * Wed Nov 3 2021 Severin Gehwolf <sgehwolf@xxxxxxxxxx> - 1:17.0.1.0.12-2.rolling - Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy secmod.db file as part of nss * Wed Oct 20 2021 Petra Alice Mikova <pmikova@xxxxxxxxxx> - 1:17.0.1.0.12-1.rolling - October CPU update to jdk 17.0.1+12 - dropped commented-out source line * Mon Oct 11 2021 Andrew Hughes <gnu.andrew@xxxxxxxxxx> - 1:17.0.0.0.35-3.rolling - Update release notes to document the major changes between OpenJDK 11 & 17. * Sun Oct 10 2021 Andrew Hughes <gnu.andrew@xxxxxxxxxx> - 1:17.0.0.0.35-2.rolling - Fix unused function compiler warning found in systemconf.c - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false * Sun Oct 10 2021 Martin Balao <mbalao@xxxxxxxxxx> - 1:17.0.0.0.35-2.rolling - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. - Add patch to login to the NSS software token when in FIPS mode. - Add patch to allow plain key import. * Tue Sep 14 2021 Andrew Hughes <gnu.andrew@xxxxxxxxxx> - 1:17.0.0.0.35-1.rolling - Update to jdk-17+35, also known as jdk-17-ga. - Switch to GA mode. * Wed Sep 8 2021 Andrew Hughes <gnu.andrew@xxxxxxxxxx> - 1:17.0.0.0.33-0.3.ea.rolling - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. * Wed Sep 8 2021 Martin Balao <mbalao@xxxxxxxxxx> - 1:17.0.0.0.33-0.3.ea.rolling - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. * Mon Sep 6 2021 Andrew Hughes <gnu.andrew@xxxxxxxxxx> - 1:17.0.0.0.33-0.2.ea.rolling - Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. - Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. - No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. - Disable FIPS mode support unless com.redhat.fips is set to "true". - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) * Mon Sep 6 2021 Martin Balao <mbalao@xxxxxxxxxx> - 1:17.0.0.0.33-0.2.ea.rolling - Support the FIPS mode crypto policy (RH1655466) - Use appropriate keystore types when in FIPS mode (RH1818909) - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) * Mon Aug 30 2021 Jiri Vanek <jvanek@xxxxxxxxxx> - 1:17.0.0.0.33-0.1.ea.rolling - alternatives creation moved to posttrans - Thus fixing the old reisntall issue: - https://bugzilla.redhat.com/show_bug.cgi?id=1200302 - https://bugzilla.redhat.com/show_bug.cgi?id=1976053 * Fri Jul 30 2021 Andrew Hughes <gnu.andrew@xxxxxxxxxx> - 1:17.0.0.0.33-0.0.ea.rolling - Update to jdk-17+33, including JDWP fix and July 2021 CPU - Resolves: rhbz#1972529 * Sat Jul 24 2021 Andrew Hughes <gnu.andrew@xxxxxxxxxx> - 1:17.0.0.0.26-0.4.ea.rolling - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages. * Sat Jul 24 2021 Severin Gehwolf <sgehwolf@xxxxxxxxxx> - 1:17.0.0.0.26-0.2.ea.rolling - Re-enable TestSecurityProperties after inclusion of PR3695 * Sat Jul 24 2021 Andrew Hughes <gnu.andrew@xxxxxxxxxx> - 1:17.0.0.0.26-0.2.ea.rolling - Add PR3695 to allow the system crypto policy to be turned off * Sat Jul 24 2021 Petra Alice Mikova <pmikova@xxxxxxxxxx> - 1:17.0.0.0.26-0.0.ea.rolling - update sources to jdk 17.0.0+26 - set is_ga to 0, as this is early access build - change vendor_version_string - change path to the version-numbers.conf - removed rmid binary from files and from slaves - removed JAVAC_FLAGS=-g from make command, as it breaks the build since JDK-8258407 - add lib/libsyslookup.so to files - renamed lib/security/blacklisted.certs to lib/security/blocked.certs - add lib/libsvml.so for intel - skip debuginfo check for libsyslookup.so on s390x * Fri Jul 23 2021 Jiri Vanek <jvanek@xxxxxxxxxx> - 1:16.0.2.0.7-1.rolling - bumped to security update of 16.0.2-ga * Tue Jun 29 2021 Jiri Vanek <jvanek@xxxxxxxxxx> - 1:16.0.1.0.9-5.rolling - renamed source15 to source17 to match el8 - added fips support: - added pr3695-toggle_system_crypto_policy.patch ; missing prerequisity - removed rh1655466-global_crypto_and_fips.patch; jdk16 do not have default algorithm, it throws exception - adapted rh1655466-global_crypto_and_fips.patch - adapted rh1860986-disable_tlsv1.3_in_fips_mode.patch (?) - adapted rh1915071-always_initialise_configurator_access.patch -------------------------------------------------------------------------------- ================================================================================ perl-DBD-Firebird-1.33-1.el8 (FEDORA-EPEL-2021-57f7e7ee94) Firebird interface for perl -------------------------------------------------------------------------------- Update Information: - Upgrade to 1.33 (#2021689) -------------------------------------------------------------------------------- ChangeLog: * Wed Nov 10 2021 Robert Scheck <robert@xxxxxxxxxxxxxxxxx> 1.33-1 - Upgrade to 1.33 (#2021689) * Sat Aug 21 2021 Robert Scheck <robert@xxxxxxxxxxxxxxxxx> 1.32-8 - Re-enabled s390x build since firebird 4.x is fixed (#1969393) * Mon Jul 26 2021 Robert Scheck <robert@xxxxxxxxxxxxxxxxx> 1.32-7 - Disabled s390x build until firebird 4.x is fixed (#1969393) * Thu Jul 22 2021 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.32-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild * Fri May 21 2021 Jitka Plesnikova <jplesnik@xxxxxxxxxx> - 1.32-5 - Perl 5.34 rebuild * Wed Jan 27 2021 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.32-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild * Tue Jul 28 2020 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.32-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild * Tue Jun 23 2020 Jitka Plesnikova <jplesnik@xxxxxxxxxx> - 1.32-2 - Perl 5.32 rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2021689 - perl-DBD-Firebird-1.33 is available https://bugzilla.redhat.com/show_bug.cgi?id=2021689 -------------------------------------------------------------------------------- ================================================================================ singularity-3.8.4-1.el8 (FEDORA-EPEL-2021-602122542b) Application and environment virtualization -------------------------------------------------------------------------------- Update Information: Upgrade to upstream 3.8.4 -------------------------------------------------------------------------------- ChangeLog: * Tue Nov 9 2021 Dave Dykstra <dwd@xxxxxxxxxxxxxxxxx> - 3.8.4-1 - Upgrade to upstream 3.8.4 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2021707 - singularity-3.8.4 is available https://bugzilla.redhat.com/show_bug.cgi?id=2021707 -------------------------------------------------------------------------------- ================================================================================ waiverdb-1.4.0-1.el8 (FEDORA-EPEL-2021-f1883aea50) Service for waiving results in ResultsDB -------------------------------------------------------------------------------- Update Information: On an authentication error, waiverdb-cli will now print the actual error -------------------------------------------------------------------------------- ChangeLog: * Wed Nov 10 2021 Lukas Holecek <hluk@xxxxxxxx> - 1.4.0-1 - On an authentication error, waiverdb-cli will now print the actual error message instead of a JSONDecodeError exception. - Documentation has been updated and moved to: https://waiverdb.readthedocs.io * Fri Jul 23 2021 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.3.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild * Fri Jun 4 2021 Python Maint <python-maint@xxxxxxxxxx> - 1.3.0-2 - Rebuilt for Python 3.10 -------------------------------------------------------------------------------- _______________________________________________ epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
