This section lists and comments on the highlights of the changes in the selected update release.
- Crash in MinINode::Ideal(PhaseGVN*, bool) that resulted in the November 2020 respin.
This section lists all the changes in the selected update release.
Issue | Priority | Title | Component | Voting |
---|---|---|---|---|
JDK-8250861 | 2 | Crash in MinINode::Ideal(PhaseGVN*, bool) that resulted in the November 2020 respin. | hotspot / compiler | |
JDK-8236862 / CVE-2020-14779 | 2 | Enhance support of Proxy class | Serialization | |
JDK-8237995 / CVE-2020-14782 | 2 | Enhance certificate processing | Libraries | |
JDK-8237990 / CVE-2020-14781 | 2 | Enhanced LDAP contexts | JNDI | |
JDK-8241114 / CVE-2020-14792 | 2 | Better range handling | Hotspot | |
JDK-8242695 / CVE-2020-14798 | 2 | Enhanced Buffer Support | Libraries | |
JDK-8242685 / CVE-2020-14797 | 2 | Better Path Validation | Libraries | |
JDK-8242680 / CVE-2020-14796 | 2 | Improved URI support | Libraries | |
JDK-8244136 | 2 | Improved Buffer supports |
This section organizes the changes in the selected update release by the main component under which each issue is filed.
Hotspot (1)
Issue | Priority | Title | Component | Voting |
---|---|---|---|---|
JDK-8250861 | 2 | Crash in MinINode::Ideal(PhaseGVN*, bool) that resulted in the November 2020 respin. | hotspot / compiler |
Other (8)
Issue | Priority | Title | Component | Voting |
---|---|---|---|---|
JDK-8236862 | 2 | Enhance support of Proxy class | ||
JDK-8237995 | 2 | Enhance certificate processing | ||
JDK-8237990 | 2 | Enhanced LDAP contexts | ||
JDK-8241114 | 2 | Better range handling | ||
JDK-8242695 | 2 | Enhanced Buffer Support | ||
JDK-8242685 | 2 | Better Path Validation | ||
JDK-8242680 | 2 | Improved URI support | ||
JDK-8244136 | 2 | Improved Buffer supports |
This section summarizes JDK Common Vulnerabilities and Exposure (CVE) fixes in the selected update release.
CVE Fixes (7)
Columns Base Score through Availability give the CVSS Version 3.0 Risk (see Risk Matrix Definitions).

CVE | Component | Protocol | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2020-14792 / JDK-8241114 | Hotspot | Multiple | 4.2 | Network | High | None | Required | Unchanged | Low | Low | None | Note 2 * |
CVE-2020-14797 / JDK-8242685 | Libraries | Multiple | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Note 2 * |
CVE-2020-14782 / JDK-8237995 | Libraries | Multiple | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Note 2 * |
CVE-2020-14781 / JDK-8237990 | JNDI | Multiple | 3.7 | Network | High | None | None | Unchanged | Low | None | None | Note 2 * |
CVE-2020-14779 / JDK-8236862 | Serialization | Multiple | 3.7 | Network | High | None | None | Unchanged | None | None | Low | Note 2 * |
CVE-2020-14798 / JDK-8242695 | Libraries | Multiple | 3.1 | Network | High | None | Required | Unchanged | None | Low | None | Note 1 * |
CVE-2020-14796 / JDK-8242680 | Libraries | Multiple | 3.1 | Network | High | None | Required | Unchanged | Low | None | None | Note 1 * |
Notes:
ID | Notes |
---|---|
1 | This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 | This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through untrusted code executed under Java sandbox restrictions. It can also be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service. |