diff --git a/.gitignore b/.gitignore index f92ec58..1ed05dc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz +SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b05-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index e29a21e..ccea57f 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -3f015b60e085b0e1f0fd9ea13abf775a890c2b1b SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz +5da51f425a78dbdcb00909544cac3385db461e54 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b05-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index b817d9e..de59faf 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,125 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u382 (2023-07-18): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk8u382 + +* CVEs + - CVE-2023-22045 + - CVE-2023-22049 +* Security fixes + - JDK-8298676: Enhanced Look and Feel + - JDK-8300596: Enhance Jar Signature validation + - JDK-8304468: Better array usages + - JDK-8305312: Enhanced path handling +* Other changes + - JDK-8072678: Wrong exception messages in java.awt.color.ICC_ColorSpace + - JDK-8151460: Metaspace counters can have inconsistent values + - JDK-8152432: Implement setting jtreg @requires properties vm.flavor, vm.bits, vm.compMode + - JDK-8185736: missing default exception handler in calls to rethrow_Stub + - JDK-8186801: Add regression test to test mapping based charsets (generated at build time) + - JDK-8215105: java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color + - JDK-8241311: Move some charset mapping tests from closed to open + - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert + - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped + - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key + - JDK-8276841: Add support for Visual Studio 2022 + - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode + - JDK-8278851: Correct signer logic for jars signed with multiple digest algorithms + - JDK-8282345: handle latest VS2022 in abstract_vm_version + - JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary + - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4 + - JDK-8289301: P11Cipher should not throw out of bounds exception during padding + - JDK-8293232: Fix race condition in pkcs11 SessionManager + - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation + - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13 + - JDK-8298108: Add a regression test for JDK-8297684 + - JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows + - JDK-8301119: Support for GB18030-2022 + - JDK-8301400: Allow additional characters for GB18030-2022 support + - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message + - JDK-8303028: Update system property for Java SE specification maintenance version + - JDK-8303462: Bump update version of OpenJDK: 8u382 + - JDK-8304760: Add 2 Microsoft TLS roots + - JDK-8305165: [8u] ServiceThread::nmethods_do is not called to keep nmethods from being zombied while in the queue + - JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support + - JDK-8305975: Add TWCA Global Root CA + - JDK-8307134: Add GTS root CAs + - JDK-8307310: Backport the tests for JDK-8058969 and JDK-8039271 to the OpenJDK8 + - JDK-8307531: [aarch64] JDK8 single-step debugging is extremely slow + - JDK-8310947: gb18030-2000 not selectable with LANG=zh_CN.GB18030 after JDK-8301119 + +Notes on individual issues: +=========================== + +core-libs/java.lang: + +JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support +=========================================================================== +In order to support "Implementation Level 2" of the GB18030-2022 +standard, the JDK must be able to use characters from the CJK Unified +Ideographs Extension E block of Unicode 8.0. The addition of these +characters forms Maintenance Release 5 of the Java SE 8 specification, +which is implemented in this release of OpenJDK via the addition of a +new UnicodeBlock instance, +Character.CJK_UNIFIED_IDEOGRAPHS_EXTENSION_E. + +core-libs/java.util.jar: + +8300596: Enhance Jar Signature validation +========================================= +A System property "jdk.jar.maxSignatureFileSize" is introduced to +configure the maximum number of bytes allowed for the +signature-related files in a JAR file during verification. The default +value is 8000000 bytes (8 MB). + +security-libs/java.security: + +JDK-8307134: Added 4 GTS Root CA Certificates +============================================= +The following root certificates have been added to the cacerts +truststore: + +Name: Google Trust Services LLC +Alias Name: gtsrootcar1 +Distinguished Name: CN=GTS Root R1, O=Google Trust Services LLC, C=US + +Name: Google Trust Services LLC +Alias Name: gtsrootcar2 +Distinguished Name: CN=GTS Root R2, O=Google Trust Services LLC, C=US + +Name: Google Trust Services LLC +Alias Name: gtsrootcar3 +Distinguished Name: CN=GTS Root R3, O=Google Trust Services LLC, C=US + +Name: Google Trust Services LLC +Alias Name: gtsrootcar4 +Distinguished Name: CN=GTS Root R4, O=Google Trust Services LLC, C=US + +JDK-8304760: Added Microsoft Corporation's 2 TLS Root CA Certificates +===================================================================== +The following root certificates has been added to the cacerts +truststore: + +Name: Microsoft Corporation +Alias Name: microsoftecc2017 +Distinguished Name: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US + +Name: Microsoft Corporation +Alias Name: microsoftrsa2017 +Distinguished Name: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US + +JDK-8305975: Added TWCA Root CA Certificate +=========================================== +The following root certificate has been added to the cacerts +truststore: + +Name: TWCA +Alias Name: twcaglobalrootca +Distinguished Name: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW + New in release OpenJDK 8u372 (2023-04-18): =========================================== Live versions of these release notes can be found at: diff --git a/SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch b/SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch deleted file mode 100644 index 42ac516..0000000 --- a/SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch +++ /dev/null @@ -1,167 +0,0 @@ -commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99 -Author: Alexey Bakhtin -Date: Tue Apr 4 10:29:11 2023 +0000 - - 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key - - Reviewed-by: andrew, mbalao - Backport-of: f6232982b91cb2314e96ddbde3984836a810a556 - -diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java -index a79e97d7c74..5378446b97b 100644 ---- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java -+++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java -@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi { - @Override - protected void engineInitVerify(PublicKey publicKey) - throws InvalidKeyException { -- if (!(publicKey instanceof RSAPublicKey)) { -+ if (publicKey instanceof RSAPublicKey) { -+ RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey; -+ isPublicKeyValid(rsaPubKey); -+ this.pubKey = rsaPubKey; -+ this.privKey = null; -+ resetDigest(); -+ } else { - throw new InvalidKeyException("key must be RSAPublicKey"); - } -- this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey); -- this.privKey = null; -- resetDigest(); - } - - // initialize for signing. See JCA doc -@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi { - @Override - protected void engineInitSign(PrivateKey privateKey, SecureRandom random) - throws InvalidKeyException { -- if (!(privateKey instanceof RSAPrivateKey)) { -+ if (privateKey instanceof RSAPrivateKey) { -+ RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey; -+ isPrivateKeyValid(rsaPrivateKey); -+ this.privKey = rsaPrivateKey; -+ this.pubKey = null; -+ this.random = -+ (random == null ? JCAUtil.getSecureRandom() : random); -+ resetDigest(); -+ } else { - throw new InvalidKeyException("key must be RSAPrivateKey"); - } -- this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey); -- this.pubKey = null; -- this.random = -- (random == null? JCAUtil.getSecureRandom() : random); -- resetDigest(); - } - - /** -@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi { - } - } - -+ /** -+ * Validate the specified RSAPrivateKey -+ */ -+ private void isPrivateKeyValid(RSAPrivateKey prKey) throws InvalidKeyException { -+ try { -+ if (prKey instanceof RSAPrivateCrtKey) { -+ RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey; -+ if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) { -+ RSAKeyFactory.checkRSAProviderKeyLengths( -+ crtKey.getModulus().bitLength(), -+ crtKey.getPublicExponent()); -+ } else { -+ throw new InvalidKeyException( -+ "Some of the CRT-specific components are not available"); -+ } -+ } else { -+ RSAKeyFactory.checkRSAProviderKeyLengths( -+ prKey.getModulus().bitLength(), -+ null); -+ } -+ } catch (InvalidKeyException ikEx) { -+ throw ikEx; -+ } catch (Exception e) { -+ throw new InvalidKeyException( -+ "Can not access private key components", e); -+ } -+ isValid(prKey); -+ } -+ -+ /** -+ * Validate the specified RSAPublicKey -+ */ -+ private void isPublicKeyValid(RSAPublicKey pKey) throws InvalidKeyException { -+ try { -+ RSAKeyFactory.checkRSAProviderKeyLengths( -+ pKey.getModulus().bitLength(), -+ pKey.getPublicExponent()); -+ } catch (InvalidKeyException ikEx) { -+ throw ikEx; -+ } catch (Exception e) { -+ throw new InvalidKeyException( -+ "Can not access public key components", e); -+ } -+ isValid(pKey); -+ } -+ - /** - * Validate the specified RSAKey and its associated parameters against - * internal signature parameters. - */ -- private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException { -+ private void isValid(RSAKey rsaKey) throws InvalidKeyException { - try { - AlgorithmParameterSpec keyParams = rsaKey.getParams(); - // validate key parameters -@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi { - } - checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength()); - } -- return rsaKey; - } catch (SignatureException e) { - throw new InvalidKeyException(e); - } -diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java -index 6b219937981..b3c1fae9672 100644 ---- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java -+++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java -@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl - RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded); - // check all CRT-specific components are available, if any one - // missing, return a non-CRT key instead -- if ((key.getPublicExponent().signum() == 0) || -- (key.getPrimeExponentP().signum() == 0) || -- (key.getPrimeExponentQ().signum() == 0) || -- (key.getPrimeP().signum() == 0) || -- (key.getPrimeQ().signum() == 0) || -- (key.getCrtCoefficient().signum() == 0)) { -+ if (checkComponents(key)) { -+ return key; -+ } else { - return new RSAPrivateKeyImpl( - key.algid, - key.getModulus(), -- key.getPrivateExponent() -- ); -- } else { -- return key; -+ key.getPrivateExponent()); - } - } - -+ /** -+ * Validate if all CRT-specific components are available. -+ */ -+ static boolean checkComponents(RSAPrivateCrtKey key) { -+ return !((key.getPublicExponent().signum() == 0) || -+ (key.getPrimeExponentP().signum() == 0) || -+ (key.getPrimeExponentQ().signum() == 0) || -+ (key.getPrimeP().signum() == 0) || -+ (key.getPrimeQ().signum() == 0) || -+ (key.getCrtCoefficient().signum() == 0)); -+ } -+ - /** - * Generate a new key from the specified type and components. - * Returns a CRT key if possible and a non-CRT key otherwise. diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index c7897c2..7c9fd2b 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -218,7 +218,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u372-b07 +%global openjdk_revision jdk8u382-b05 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -1056,8 +1056,6 @@ Patch12: jdk8186464-rh1433262-zip64_failure.patch # able to be removed once that release is out # and used by this RPM. ############################################# -# JDK-8271199, RH2175317: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key -Patch2001: jdk8271199-rh2175317-custom_pkcs11_provider_support.patch ############################################# # @@ -1123,14 +1121,6 @@ BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: unzip -%ifarch %{arm} -BuildRequires: devtoolset-7-build -BuildRequires: devtoolset-7-binutils -BuildRequires: devtoolset-7-gcc -BuildRequires: devtoolset-7-gcc-c++ -BuildRequires: devtoolset-7-gdb -%endif - # Use OpenJDK 7 where available (on RHEL) to avoid # having to use the rhel-7.x-java-unsafe-candidate hack %if ! 0%{?fedora} && 0%{?rhel} <= 7 @@ -1432,8 +1422,6 @@ sh %{SOURCE12} # Upstreamed fixes pushd %{top_level_dir_name} -# 8u382 fix -%patch2001 -p1 popd # RPM-only fixes @@ -1496,10 +1484,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg %build -%ifarch %{arm} -%{?enable_devtoolset7:%{enable_devtoolset7}} -%endif - # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} @@ -1523,9 +1507,6 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif -%ifarch %{arm} -EXTRA_CFLAGS="$EXTRA_CFLAGS -Wno-nonnull" -%endif EXTRA_ASFLAGS="${EXTRA_CFLAGS}" export EXTRA_CFLAGS EXTRA_ASFLAGS @@ -2200,6 +2181,24 @@ require "copy_jdk_configs.lua" %endif %changelog +* Fri Jul 14 2023 Andrew Hughes - 1:1.8.0.382.b05-1 +- Update to shenandoah-jdk8u372-b05 (GA) +- Update release notes for shenandoah-8u372-b05. +- ** This tarball is embargoed until 2023-07-18 @ 1pm PT. ** +- Resolves: rhbz#2221106 + +* Fri Jul 07 2023 Andrew Hughes - 1:1.8.0.382.b04-0.1.ea +- Update to shenandoah-jdk8u382-b04 (EA) +- Update release notes for shenandoah-8u382-b04. +- Related: rhbz#2221106 + +* Wed Jun 28 2023 Andrew Hughes - 1:1.8.0.382.b01-0.1.ea +- Update to shenandoah-jdk8u382-b01 (EA) +- Update release notes for shenandoah-8u382-b01. +- Switch to EA mode. +- Remove JDK-8271199 patch which is now upstream. +- Related: rhbz#2221106 + * Tue Apr 18 2023 Andrew Hughes - 1:1.8.0.372.b07-1 - Update to shenandoah-jdk8u372-b07 (GA) - Update release notes for shenandoah-8u372-b07.