This section lists all the changes in the selected update release.
|
Issue
|
Priority
|
Title
|
Component
|
Voting
|
|---|---|---|---|---|
| JDK-7065233 | 4 | To interpret case-insensitive string locale independently | security-libs / javax.crypto | |
| JDK-8219597 | 4 | (bf) Heap buffer state changes could provoke unexpected exceptions | core-libs / java.nio | |
| JDK-8224549 / CVE-2020-2757 |
2 | Less Blocking Array Queues | Serialization | |
| JDK-8224541 / CVE-2020-2756 |
2 | Better mapping of serial ENUMs | Serialization | |
| JDK-8225603 | 2 | Enhancement for big integers | core-libs / java.math | |
| JDK-8227542 | 2 | Manifest improved jar headers | core-svc / java.lang.instrument | |
| JDK-8231415 / CVE-2020-2773 |
2 | Better signatures in XML | Security | |
| JDK-8233250 | 2 | Better X11 rendering | client-libs / 2d | |
| JDK-8233410 | 2 | Better Build Scripting | infrastructure / build | |
| JDK-8234027 | 2 | Better JCEKS key support | security-libs / java.security | |
| JDK-8234408 / CVE-2020-2781 |
2 | Improve TLS session handling | JSSE | |
| JDK-8234825 / CVE-2020-2800 |
2 | Better Headings for HTTP Servers | Lightweight HTTP Server | |
| JDK-8234841 / CVE-2020-2803 |
2 | Enhance buffering of byte buffers | Libraries | |
| JDK-8235274 / CVE-2020-2805 |
2 | Enhance typing of methods | Libraries | |
| JDK-8236201 / CVE-2020-2830 |
2 | Better Scanner conversions | Concurrency | |
| JDK-8238960 | 2 | linux-i586 builds are inconsistent as the newly build jdk is not able to reserve enough space for object heap | infrastructure / build | |
| JDK-8240621 | 3 | Build failure on Windows after JDK-8044500 | security-libs / javax.security |
This section organizes the changes in the selected update release by the main component under which each issue is filed.
Core Libs (8)
|
Issue
|
Priority
|
Title
|
Component
|
Voting
|
|---|---|---|---|---|
| JDK-8219597 | 4 | (bf) Heap buffer state changes could provoke unexpected exceptions | core-libs / java.nio | |
| JDK-8224549 | 2 | Less Blocking Array Queues | core-libs / java.io:serialization | |
| JDK-8224541 | 2 | Better mapping of serial ENUMs | core-libs / java.io:serialization | |
| JDK-8225603 | 2 | Enhancement for big integers | core-libs / java.math | |
| JDK-8234825 | 2 | Better Headings for HTTP Servers | core-libs / java.net | |
| JDK-8234841 | 2 | Enhance buffering of byte buffers | core-libs / java.nio | |
| JDK-8235274 | 2 | Enhance typing of methods | core-libs / java.lang.invoke | |
| JDK-8236201 | 2 | Better Scanner conversions | core-libs / java.util.regex |
Security Libs (5)
|
Issue
|
Priority
|
Title
|
Component
|
Voting
|
|---|---|---|---|---|
| JDK-7065233 | 4 | To interpret case-insensitive string locale independently | security-libs / javax.crypto | |
| JDK-8231415 | 2 | Better signatures in XML | security-libs / javax.xml.crypto | |
| JDK-8234027 | 2 | Better JCEKS key support | security-libs / java.security | |
| JDK-8234408 | 2 | Improve TLS session handling | security-libs / javax.net.ssl | |
| JDK-8240621 | 3 | Build failure on Windows after JDK-8044500 | security-libs / javax.security |
Client Libs (1)
|
Issue
|
Priority
|
Title
|
Component
|
Voting
|
|---|---|---|---|---|
| JDK-8233250 | 2 | Better X11 rendering | client-libs / 2d |
Other (3)
|
Issue
|
Priority
|
Title
|
Component
|
Voting
|
|---|---|---|---|---|
| JDK-8227542 | 2 | Manifest improved jar headers | core-svc / java.lang.instrument | |
| JDK-8233410 | 2 | Better Build Scripting | infrastructure / build | |
| JDK-8238960 | 2 | linux-i586 builds are inconsistent as the newly build jdk is not able to reserve enough space for object heap | infrastructure / build |
This section summarizes JDK Common Vulnerabilities and Exposure (CVE) fixes in the selected update release.
CVE Fixes (8)
|
CVE
|
Component
|
Protocol
|
CVSS Version 3.0 Risk (see Risk Matrix Definitions)
Base
Score
|
Attack
Vector
|
Attack
Complex
|
Privs
Req'd
|
User
Interact
|
Scope
|
Confidentiality
|
Integrity
|
Availability
|
Notes
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-2805 / JDK-8235274 |
Libraries | Multiple | 8.3 | Network | High | None | Required | Changed | High | High | High | Note 1 * |
| CVE-2020-2803 / JDK-8234841 |
Libraries | Multiple | 8.3 | Network | High | None | Required | Changed | High | High | High | Note 1 * |
| CVE-2020-2781 / JDK-8234408 |
JSSE | HTTPS | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Note 3 * |
| CVE-2020-2830 / JDK-8236201 |
Concurrency | Multiple | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Note 3 * |
| CVE-2020-2800 / JDK-8234825 |
Lightweight HTTP Server | Multiple | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | Note 2 * |
| CVE-2020-2773 / JDK-8231415 |
Security | Multiple | 3.7 | Network | High | None | None | Unchanged | None | None | Low | Note 3 * |
| CVE-2020-2757 / JDK-8224549 |
Serialization | Multiple | 3.7 | Network | High | None | None | Unchanged | None | None | Low | Note 3 * |
| CVE-2020-2756 / JDK-8224541 |
Serialization | Multiple | 3.7 | Network | High | None | None | Unchanged | None | None | Low | Note 3 * |
Notes:
| ID | Notes |
|---|---|
| 1 | This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
| 2 | This vulnerability can only be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service. |
| 3 | This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through untrusted code executed under Java sandbox restrictions. It can also be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service. |
-
ID: 1
Notes: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
-
ID: 2
Notes: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service.
-
ID: 3
Notes: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through untrusted code executed under Java sandbox restrictions. It can also be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service.
Security-Related Non-CVE (6)
|
Issue
|
Priority
|
Title
|
Component
|
|---|---|---|---|
| JDK-8225603 | 2 | Enhancement for big integers | core-libs / java.math |
| JDK-8227542 | 2 | Manifest improved jar headers | core-svc / java.lang.instrument |
| JDK-8233250 | 2 | Better X11 rendering | client-libs / 2d |
| JDK-8233410 | 2 | Better Build Scripting | infrastructure / build |
| JDK-8234027 | 2 | Better JCEKS key support | security-libs / java.security |
| JDK-8238960 | 2 | linux-i586 builds are inconsistent as the newly build jdk is not able to reserve enough space for object heap | infrastructure / build |