From 6cf82c686c98b935797424863d880c5289244316 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 17 2024 15:20:28 +0000
Subject: import java-1.8.0-openjdk-1.8.0.402.b06-1.el7_9
---
diff --git a/.gitignore b/.gitignore
index 00e22cb..c5c84f7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u392-b08.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u402-b06.tar.xz
 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index 53c78a9..7711961 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-2ca27b0d535c9dcf71679cad14be5660d0554f82 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u392-b08.tar.xz
+0ca0a2433bfd7aa62a21fc37c8079f540e672a9c SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u402-b06.tar.xz
 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index 0916d11..9ea10d0 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,6 +3,131 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u402 (2024-01-16): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk8u402 + +* CVEs + - CVE-2024-20918 + - CVE-2024-20919 + - CVE-2024-20921 + - CVE-2024-20926 + - CVE-2024-20945 + - CVE-2024-20952 +* Security fixes + - JDK-8308204: Enhanced certificate processing + - JDK-8314284: Enhance Nashorn performance + - JDK-8314295: Enhance verification of verifier + - JDK-8314307: Improve loop handling + - JDK-8314468: Improve Compiler loops + - JDK-8316976: Improve signature handling + - JDK-8317547: Enhance TLS connection support +* Other changes + - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion + - JDK-8029995: accept yes/no for boolean krb5.conf settings + - JDK-8159156: [TESTBUG] ReserveMemory test is not useful on Aix. + - JDK-8176509: Use pandoc for converting build readme to html + - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value + - JDK-8207404: MulticastSocket tests failing on AIX + - JDK-8212677: X11 default visual support for IM status window on VNC + - JDK-8239365: ProcessBuilder test modifications for AIX execution + - JDK-8271838: AmazonCA.java interop test fails + - JDK-8285398: Cache the results of constraint checks + - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null + - JDK-8302017: Allocate BadPaddingException only if it will be thrown + - JDK-8305329: [8u] Unify test libraries into single test library - step 1 + - JDK-8307837: [8u] Check step in GHA should also print errors + - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails + - JDK-8311813: C1: Uninitialized PhiResolver::_loop field + - JDK-8312489: 
Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar + - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException + - JDK-8315280: Bump update version of OpenJDK: 8u402 + - JDK-8315506: C99 compatibility issue in LinuxNativeDispatcher + - JDK-8317291: Missing null check for nmethod::is_native_method() + - JDK-8317373: Add Telia Root CA v2 + - JDK-8317374: Add Let's Encrypt ISRG Root X2 + - JDK-8318759: Add four DigiCert root certificates + - JDK-8319187: Add three eMudhra emSign roots + - JDK-8319405: [s390] [jdk8] Increase javac default stack size for s390x zero + - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly + +Notes on individual issues: +=========================== + +security-libs/org.ietf.jgss:krb5: + +JDK-8029995: accept yes/no for boolean krb5.conf settings +========================================================= +The krb5.conf configuration file now also accepts "yes" and "no", as +alternatives to the existing "true" and "false" support, when using +settings that take boolean values. + +security-libs/java.security: + +JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar +=============================================================================================================================== +A maximum signature file size property, jdk.jar.maxSignatureFileSize, +was introduced in the 8u382 release of OpenJDK by JDK-8300596, with a +default of 8MB. This default proved to be too small for some JAR +files. This release, 8u402, increases it to 16MB. 
+ +JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt +================================================================= +The following root certificate has been added to the cacerts +truststore: + +Name: Let's Encrypt +Alias Name: letsencryptisrgx2 +Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US + +JDK-8318759: Added Four Root Certificates from DigiCert, Inc. +============================================================= +The following root certificates have been added to the cacerts +truststore: + +Name: DigiCert, Inc. +Alias Name: digicertcseccrootg5 +Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicertcsrsarootg5 +Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicerttlseccrootg5 +Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicerttlsrsarootg5 +Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US + +JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited +============================================================================ +The following root certificates have been added to the cacerts +truststore: + +Name: eMudhra Technologies Limited +Alias Name: emsignrootcag1 +Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +Name: eMudhra Technologies Limited +Alias Name: emsigneccrootcag3 +Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +Name: eMudhra Technologies Limited +Alias Name: emsignrootcag2 +Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +JDK-8317373: Added Telia Root CA v2 Certificate +=============================================== +The following root certificate has been added to the cacerts 
+truststore: + +Name: Telia Root CA v2 +Alias Name: teliarootcav2 +Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ``` + New in release OpenJDK 8u392 (2023-10-17): =========================================== Live versions of these release notes can be found at: @@ -52,8 +177,8 @@ Notes on individual issues: other-libs/corba:idl: -8303384: Improved communication in CORBA -======================================== +JDK-8303384: Improved communication in CORBA +============================================ The JDK's CORBA implementation now provides the option to limit serialisation in stub objects to those with the "IOR:" prefix. For ORB constrained stub classes: diff --git a/SOURCES/jdk8312489-max_sig_default_increase.patch b/SOURCES/jdk8312489-max_sig_default_increase.patch deleted file mode 100644 index adf9e09..0000000 --- a/SOURCES/jdk8312489-max_sig_default_increase.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -commit c38a36f124a7eb28920cc367cb01b67d973a55c0 -Author: Andrew John Hughes -Date: Wed Oct 11 01:42:03 2023 +0100 - - Backport e47a84f23dd2608c6f5748093eefe301fb5bf750 - -diff --git a/jdk/src/share/classes/java/util/jar/JarFile.java b/jdk/src/share/classes/java/util/jar/JarFile.java -index a26dcc4a1c7..ac2e1c9d6a8 100644 ---- a/jdk/src/share/classes/java/util/jar/JarFile.java -+++ b/jdk/src/share/classes/java/util/jar/JarFile.java -@@ -436,7 +436,9 @@ class JarFile extends ZipFile { - throw new IOException("Unsupported size: " + uncompressedSize + - " for JarEntry " + ze.getName() + - ". Allowed max size: " + -- SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes"); -+ SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes. " + -+ "You can use the jdk.jar.maxSignatureFileSize " + -+ "system property to increase the default value."); - } - int len = (int)uncompressedSize; - byte[] b = IOUtils.readAllBytes(is); -diff --git a/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java b/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java -index c335e964f63..afdfa406b92 100644 ---- a/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java -+++ b/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java -@@ -855,16 +855,16 @@ public class SignatureFileVerifier { - * the maximum allowed number of bytes for the signature-related files - * in a JAR file. 
- */ -- Integer tmp = AccessController.doPrivileged(new GetIntegerAction( -- "jdk.jar.maxSignatureFileSize", 8000000)); -+ int tmp = AccessController.doPrivileged(new GetIntegerAction( -+ "jdk.jar.maxSignatureFileSize", 16000000)); - if (tmp < 0 || tmp > MAX_ARRAY_SIZE) { - if (debug != null) { -- debug.println("Default signature file size 8000000 bytes " + -- "is used as the specified size for the " + -- "jdk.jar.maxSignatureFileSize system property " + -+ debug.println("The default signature file size of 16000000 bytes " + -+ "will be used for the jdk.jar.maxSignatureFileSize " + -+ "system property since the specified value " + - "is out of range: " + tmp); - } -- tmp = 8000000; -+ tmp = 16000000; - } - return tmp; - } diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index 62bc6d0..205fa71 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -189,7 +189,7 @@ # Define version of OpenJDK 8 used %global project openjdk %global repo shenandoah-jdk8u -%global openjdk_revision jdk8u392-b08 +%global openjdk_revision jdk8u402-b06 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define IcedTea version used for SystemTap tapsets and desktop files %global icedteaver 3.15.0 @@ -233,7 +233,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 2 +%global rpmrelease 1 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, 
@@ -737,8 +737,8 @@ Provides: java-%{javaver}%1 = %{epoch}:%{version}-%{release} %if %is_system_jdk Provides: java-%{origin}%1 = %{epoch}:%{version}-%{release} Provides: jre-%{origin}%1 = %{epoch}:%{version}-%{release} -Provides: java%1 = %{epoch}:%{version}-%{release} -Provides: jre%1 = %{epoch}:%{version}-%{release} +Provides: java%1 = %{epoch}:%{javaver} +Provides: jre%1 = %{epoch}:%{javaver} %endif # Standard JPackage extensions provides. Provides: java-fonts%1 = %{epoch}:%{version} @@ -782,8 +782,8 @@ Provides: java-%{javaver}-headless%1 = %{epoch}:%{version}-%{release} %if %is_system_jdk Provides: java-%{origin}-headless%1 = %{epoch}:%{version}-%{release} Provides: jre-%{origin}-headless%1 = %{epoch}:%{version}-%{release} -Provides: jre-headless%1 = %{epoch}:%{version}-%{release} -Provides: java-headless%1 = %{epoch}:%{version}-%{release} +Provides: jre-headless%1 = %{epoch}:%{javaver} +Provides: java-headless%1 = %{epoch}:%{javaver} %endif # Standard JPackage extensions provides. Provides: jndi%1 = %{epoch}:%{version} @@ -824,8 +824,8 @@ Provides: java-%{javaver}-%{origin}-devel%1 = %{epoch}:%{version}-%{release} %if %is_system_jdk Provides: java-devel-%{origin}%1 = %{epoch}:%{version}-%{release} Provides: java-sdk-%{origin}%1 = %{epoch}:%{version}-%{release} -Provides: java-devel%1 = %{epoch}:%{version}-%{release} -Provides: java-sdk%1 = %{epoch}:%{version}-%{release} +Provides: java-devel%1 = %{epoch}:%{javaver} +Provides: java-sdk%1 = %{epoch}:%{javaver} %endif #Obsoletes: java-1.7.0-openjdk-devel%1 
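Review bot: The generic `java`, `jre`, `jre-headless`, `java-headless`, `java-devel` and `java-sdk` provides inside the `%if %is_system_jdk` blocks are now versioned `%{epoch}:%{javaver}` with no comment saying why; this applies to the hunk at -737 and equally to the ones at -782 and -824. With the update level and release dropped from these names, a dependent package can no longer use them to require a minimum security-patched build, and presumably has to depend on a provide that still carries `%{version}-%{release}`, such as `java-%{javaver}`. I would record that next to each pair, e.g. `# Generic provides carry only %%{javaver} by design (RHEL-19630); use java-%%{javaver} to require a specific update level`, with the doubled `%%` so rpm does not expand the macros inside the comment. The macro definitions that enclose these lines start and end outside the hunks.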
@@ -1059,8 +1059,6 @@ Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch # JDK-8186464, RH1433262: ZipFile cannot read some InfoZip ZIP64 zip files Patch12: jdk8186464-rh1433262-zip64_failure.patch -# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar -Patch2000: jdk8312489-max_sig_default_increase.patch ############################################# # @@ -1136,14 +1134,6 @@ BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: unzip -%ifarch %{arm} -BuildRequires: devtoolset-7-build -BuildRequires: devtoolset-7-binutils -BuildRequires: devtoolset-7-gcc -BuildRequires: devtoolset-7-gcc-c++ -BuildRequires: devtoolset-7-gdb -%endif - # Use OpenJDK 7 where available (on RHEL) to avoid # having to use the rhel-7.x-java-unsafe-candidate hack %if ! 0%{?fedora} && 0%{?rhel} <= 7 @@ -1446,8 +1436,6 @@ sh %{SOURCE12} # Upstreamed fixes pushd %{top_level_dir_name} -# JDK-8312489 backport, proposed for 8u402: https://github.com/openjdk/jdk8u-dev/pull/381 -%patch2000 -p1 popd # RPM-only fixes @@ -1511,10 +1499,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg %build -%ifarch %{arm} -%{?enable_devtoolset7:%{enable_devtoolset7}} -%endif - # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} @@ -1538,9 +1522,6 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif -%ifarch %{arm} -EXTRA_CFLAGS="$EXTRA_CFLAGS -Wno-nonnull" -%endif EXTRA_ASFLAGS="${EXTRA_CFLAGS}" export EXTRA_CFLAGS EXTRA_ASFLAGS 
@@ -2288,6 +2269,26 @@ require "copy_jdk_configs.lua" %endif %changelog +* Thu Jan 11 2024 Andrew Hughes - 1:1.8.0.402.b06-0.1.ea +- Update to shenandoah-jdk8u402-b06 (GA) +- Update release notes for shenandoah-8u402-b06. +- Drop local copy of JDK-8312489 which is now included upstream +- Switch to GA mode. +- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. ** +- Resolves: RHEL-17914 +- Resolves: RHEL-20965 + +* Wed Jan 03 2024 Andrew Hughes - 1:1.8.0.402.b01-0.1.ea +- Update to shenandoah-jdk8u402-b01 (EA) +- Update release notes for shenandoah-8u402-b01. +- Switch to EA mode. +- Sync NEWS with vanilla branch version. +- Related: RHEL-17914 + +* Sat Dec 16 2023 Andrew Hughes - 1:1.8.0.392.b08-3 +- Restore %%{epoch}:%%{javaver} versioning to jre, java, jre-headless, java-headless, java-devel & java-sdk +- Resolves: RHEL-19630 + * Mon Oct 16 2023 Andrew Hughes - 1:1.8.0.392.b08-2 - Revert jcmd move as jcmd will not operate without tools.jar - Related: RHEL-13577