diff --git a/SOURCES/rh1868759-pkcs11_cancel_on_failure.patch b/SOURCES/rh1868759-pkcs11_cancel_on_failure.patch
new file mode 100644
index 0000000..e578e00
--- /dev/null
+++ b/SOURCES/rh1868759-pkcs11_cancel_on_failure.patch
@@ -0,0 +1,20 @@
+--- openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 06:57:19 2020 +0100
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 15:56:48 2020 -0300
+@@ -627,7 +627,7 @@
+ throw (ShortBufferException)
+ (new ShortBufferException().initCause(e));
+ }
+- reset(false);
++ reset(true);
+ throw new ProviderException("update() failed", e);
+ }
+ }
+@@ -745,7 +745,7 @@
+ throw (ShortBufferException)
+ (new ShortBufferException().initCause(e));
+ }
+- reset(false);
++ reset(true);
+ throw new ProviderException("update() failed", e);
+ }
+ }
diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec
index 92e04fa..2ade38c 100644
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@@ -244,7 +244,7 @@
 %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease 3
+%global rpmrelease 4
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -1175,6 +1175,8 @@ Patch401: pr3655-toggle_system_crypto_policy.patch # RH1566890: CVE-2018-3639 Patch529: rh1566890-CVE_2018_3639-speculative_store_bypass.patch Patch531: rh1566890-CVE_2018_3639-speculative_store_bypass_toggle.patch +# RH1868759: FIPS: Ciphers remain in broken state (unusable), after being supplied with wrongly sized buffer +Patch540: rh1868759-pkcs11_cancel_on_failure.patch ############################################# #
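Review bot: In rh1868759-pkcs11_cancel_on_failure.patch, both changed sites (nested hunks at 627 and 745) call `reset(true)` immediately before `throw new ProviderException("update() failed", e)`, so if the cancel step inside `reset` can itself throw (its body is not visible here), that exception would replace the one carrying the original PKCS#11 error `e`. Guarding the call keeps the root cause for whoever diagnoses the token failure, e.g. `try { reset(true); } catch (RuntimeException ce) { e.addSuppressed(ce); }`. The visible context also shows the ShortBufferException branch still exits without any reset; if that is intentional because the operation stays active for a retry with a larger buffer, a one-line comment at each site saying so would help. The patch file has no header and the nested hunk headers carry no method context, so a short description naming RH1868759 and the affected methods would make later audits easier; the enclosing methods start and end outside the hunks.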
@@ -1664,9 +1666,10 @@ sh %{SOURCE12} %patch579 %patch580 %patch581 +%patch539 +%patch540 # RPM-only fixes -%patch539 %patch1000 %patch1001 %patch1002
@@ -2357,6 +2360,10 @@ require "copy_jdk_configs.lua" %endif %changelog +* Thu Sep 17 2020 Andrew Hughes - 1:1.8.0.265.b01-4 +- Add patch to cancel PKCS#11 operations on failure (RH1868759) +- Resolves: rhbz#1868759 + * Tue Aug 25 2020 Andrew Hughes - 1:1.8.0.265.b01-3 - Add backport of JDK-8251117 to allow key length to be retrieved from PKCS#11 FIPS keys - Resolves: rhbz#1860993
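Review bot: In the %prep hunk at 1664, `%patch539` is moved from under `# RPM-only fixes` into the preceding group next to the new `%patch540`, but the changelog entry added in this commit mentions only the new patch. Application order is unaffected (539 still runs after 581 and before 1000), so this is a relabelling of patch 539 rather than a functional change. If the reclassification is deliberate, record it with a changelog line such as `- Move Patch539 out of the RPM-only fixes section`; otherwise leaving it in place keeps this commit limited to RH1868759.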