diff --git a/.gitignore b/.gitignore index 8e6cb15..f92ec58 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b09-4curve.tar.xz +SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index 458b439..e29a21e 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -10817d699dd7c85b03cfbd8eb820e00b19ddcae7 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b09-4curve.tar.xz +3f015b60e085b0e1f0fd9ea13abf775a890c2b1b SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 6a65607..33e4199 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,210 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u372 (2023-04-18): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk8u372 + +* CVEs + - CVE-2023-21930 + - CVE-2023-21937 + - CVE-2023-21938 + - CVE-2023-21939 + - CVE-2023-21954 + - CVE-2023-21967 + - CVE-2023-21968 +* Security fixes + - JDK-8287404: Improve ping times + - JDK-8288436: Improve Xalan supports + - JDK-8294474: Better AES support + - JDK-8295304: Runtime support improvements + - JDK-8296496, JDK-8292652: Overzealous check in sizecalc.h prevents large memory allocation + - JDK-8296676, JDK-8296622: Improve String platform support + - JDK-8296684: Improve String platform support + - JDK-8296692: Improve String platform support + - JDK-8296700: Improve String platform support + - JDK-8296832: Improve Swing platform support + - JDK-8297371: Improve UTF8 representation redux + - JDK-8298191: Enhance object reclamation process + - JDK-8298310: Enhance TLS session negotiation + - JDK-8298667: Improved path handling + - JDK-8299129: Enhance NameService lookups +* New features + - JDK-8230305: Cgroups v2: Container awareness +* Other changes + - JDK-6734341: REGTEST fails: SelectionAutoscrollTest.html + - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows + - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails + - JDK-7124238: [macosx] Font in BasicHTML document is bigger than it should be + - JDK-7124381: DragSourceListener.dragDropEnd() never been called on completion of dnd operation + - JDK-8039888: [TEST_BUG] keyboard garbage after javax/swing/plaf/windows/WindowsRootPaneUI/WrongAltProcessing/WrongAltProcessing.java + - JDK-8042098: [TESTBUG] Test sun/java2d/AcceleratedXORModeTest.java fails on Windows + - JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled + - JDK-8072770: [TESTBUG] Some Introspector tests fail with a Java heap bigger than 4GB + - JDK-8075964: Test java/awt/Mouse/TitleBarDoubleClick/TitleBarDoubleClick.html fails intermittently with timeout error + - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing + - JDK-8142540: [TEST_BUG] Test sun/awt/dnd/8024061/bug8024061.java fails on ubuntu + - JDK-8156579: Two JavaBeans tests failed + - JDK-8156581: Cleanup of ProblemList.txt + - JDK-8159135: [PIT] javax/swing/JMenuItem/8152981/MenuItemIconTest.java always fail + - JDK-8177560: @headful key can be removed from the tests for JavaSound + - JDK-8196196: Headful tests should not be run in headless mode + - JDK-8196467: javax/swing/JInternalFrame/Test6325652.java fails + - JDK-8197408: Bad pointer comparison and small cleanup in os_linux.cpp + - JDK-8203485: [freetype] text rotated on 180 degrees is too narrow + - JDK-8205959: Do not restart close if errno is EINTR + - JDK-8216366: Add rationale to PER_CPU_SHARES define + - JDK-8226236: win32: gc/metaspace/TestCapacityUntilGCWrapAround.java fails + - JDK-8228585: jdk/internal/platform/cgroup/TestCgroupMetrics.java - NumberFormatException because of large long values (memory limit_in_bytes) + - JDK-8229182: [TESTBUG] runtime/containers/docker/TestMemoryAwareness.java test fails on SLES12 + - JDK-8229202: Docker reporting causes secondary crashes in error handling + - JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy + - JDK-8232207: Linux os::available_memory re-reads cgroup configuration on every invocation + - JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos + - JDK-8234484: Add ability to configure third port for remote JMX + - JDK-8237479: 8230305 causes slowdebug build failure + - JDK-8239559: Cgroups: Incorrect detection logic on some systems + - JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot + - JDK-8239827: The test OpenByUNCPathNameTest.java should be changed to be manual + - JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111 + - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873 + - JDK-8242468: VS2019 build missing vcruntime140_1.dll + - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails + - JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java + - JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible) + - JDK-8245654: Add Certigna Root CA + - JDK-8247676: vcruntime140_1.dll is not needed on 32-bit Windows + - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked + - JDK-8252359: HotSpot Not Identifying it is Running in a Container + - JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota + - JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist + - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high + - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly + - JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems + - JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code + - JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection + - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards + - JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes + - JDK-8257620: Do not use objc_msgSend_stret to get macOS version + - JDK-8262379: Add regression test for JDK-8257746 + - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec + - JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics + - JDK-8270317: Large Allocation in CipherSuite + - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked + - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11 + - JDK-8275713: TestDockerMemoryMetrics test fails on recent runc + - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10 + - JDK-8280048: Missing comma in copyright header + - JDK-8282398: EndingDotHostname.java test fails because SSL cert expired + - JDK-8282511: Use fixed certificate validation date in SSLExampleCert template + - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions + - JDK-8283277: ISO 4217 Amendment 171 Update + - JDK-8283606: Tests may fail with zh locale on MacOS + - JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124 + - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox + - JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem + - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist + - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3 + - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller + - JDK-8287109: Distrust.java failed with CertificateExpiredException + - JDK-8287463: JFR: Disable TestDevNull.java on Windows + - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete + - JDK-8289549: ISO 4217 Amendment 172 Update + - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun + - JDK-8291570: [TESTBUG] Part of JDK-8250984 absent from 11u + - JDK-8292083: Detected container memory limit may exceed physical machine memory + - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory + - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present + - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts + - JDK-8293767: AWT test TestSinhalaChar.java has old SCCS markings + - JDK-8294307: ISO 4217 Amendment 173 Update + - JDK-8294767: 8u contains two copies of test/../FileUtils.java, one uses JDK9+ features + - JDK-8295322: Tests for JDK-8271459 were not backported to 11u + - JDK-8295952: Problemlist existing compiler/rtm tests also on x86 + - JDK-8295982: Failure in sun/security/tools/keytool/WeakAlg.java - ks: The process cannot access the file because it is being used by another process + - JDK-8296239: ISO 4217 Amendment 174 Update + - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing + - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException + - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent + - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2 + - JDK-8297329: [8u] hotspot needs to recognise VS2019 + - JDK-8297739: Bump update version of OpenJDK: 8u372 + - JDK-8297996: [8u] generated images are broken due to renaming of MSVC runtime DLL's + - JDK-8298027: Remove SCCS id's from awt jtreg tests + - JDK-8298307: Enable hotspot/tier1 for 32-bit builds in GHA for 8u + - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR + - JDK-8299445: EndingDotHostname.java fails because of compilation errors + - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java + - JDK-8299548: Fix hotspot/test/runtime/Metaspace/MaxMetaspaceSizeTest.java in 8u + - JDK-8299804: Fix non-portable code in hotspot shell tests in 8u + - JDK-8300014: Some backports placed the tests in the wrong location + - JDK-8300119: CgroupMetrics.getTotalMemorySize0() can report invalid results on 32 bit systems + - JDK-8301122: [8u] Fix unreliable vs2010 download link + - JDK-8301143: [TESTBUG] jfr/event/sampling/TestNative was backported to JDK8u without proper native wrapper + - JDK-8301246: NPE in FcFontManager.getDefaultPlatformFont() on Linux without installed fontconfig + - JDK-8301332: [8u] Fix writing of test files after the cgroups v2 backport + - JDK-8301550: [8u] Enable additional linux build testing in GitHub + - JDK-8301620: [8u] some shell tests are passed but have unexpected operator errors + - JDK-8301760: Fix possible leak in SpNegoContext dispose + - JDK-8303408: [AIX] Broken jdk8u build after JDK-8266391 + - JDK-8303828: [Solaris] Broken jdk8u build after JDK-8266391 + - JDK-8304053: Revert os specific stubs for SystemMetrics + - JDK-8305113: (tz) Update Timezone Data to 2023c + +Notes on individual issues: +=========================== + +hotspot: +core-libs: + +JDK-8305562: Cgroups v2: Container awareness +============================================ +The HotSpot runtime code as well as the core libraries code in the JDK +has been updated in order to detect a cgroup v2 host system when +running OpenJDK within a Linux container. + +Since the 8u202 release of OpenJDK, the container detection code +recognized cgroup v1 (legacy) host Linux systems. With 8u372 and later +releases, both versions of the underlying cgroups pseudo filesystem +will be detected and corresponding container limits applied to the +OpenJDK runtime. + +Without this enhancement, OpenJDK would not apply container resource +limits when running on a cgroup v2 Linux host system, but would use +the underlying hosts' resource limits instead. + +client-libs/javax.swing: + +JDK-8296832: Improve Swing platform support +=========================================== +Earlier OpenJDK releases would always render HTML object tags embedded in +Swing HTML components. With this release, rendering only occurs when the +new system property "swing.html.object" is set to true. By default, it +is set to false. + +core-svc/javax.management: + +JDK-8234484: Added Ability to Configure Third Port for Remote JMX +================================================================= +A local access port can now be configured for JMX connections by +setting the property `com.sun.management.jmxremote.local.port`. This +local port was previously selected at random, which could lead to port +collisions. The property works in the same way as the existing +properties for configuring the remote access port +(`com.sun.management.jmxremote.port`) and the RMI port +(`com.sun.management.jmxremote.rmi.port`) + +security-libs/java.security: + +JDK-8245654: Added Certigna(Dhimyotis) Root CA Certificate +========================================================== +The following root certificate has been added to the cacerts truststore: + +Name: Certigna (Dhimyotis) +Alias Name: certignarootca +Distinguished Name: CN=Certigna, O=Dhimyotis, C=FR + New in release OpenJDK 8u362 (2023-01-17): =========================================== Live versions of these release notes can be found at: diff --git a/SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch b/SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch new file mode 100644 index 0000000..42ac516 --- /dev/null +++ b/SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch @@ -0,0 +1,167 @@ +commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99 +Author: Alexey Bakhtin +Date: Tue Apr 4 10:29:11 2023 +0000 + + 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key + + Reviewed-by: andrew, mbalao + Backport-of: f6232982b91cb2314e96ddbde3984836a810a556 + +diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java +index a79e97d7c74..5378446b97b 100644 +--- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java ++++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java +@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi { + @Override + protected void engineInitVerify(PublicKey publicKey) + throws InvalidKeyException { +- if (!(publicKey instanceof RSAPublicKey)) { ++ if (publicKey instanceof RSAPublicKey) { ++ RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey; ++ isPublicKeyValid(rsaPubKey); ++ this.pubKey = rsaPubKey; ++ this.privKey = null; ++ resetDigest(); ++ } else { + throw new InvalidKeyException("key must be RSAPublicKey"); + } +- this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey); +- this.privKey = null; +- resetDigest(); + } + + // initialize for signing. See JCA doc +@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi { + @Override + protected void engineInitSign(PrivateKey privateKey, SecureRandom random) + throws InvalidKeyException { +- if (!(privateKey instanceof RSAPrivateKey)) { ++ if (privateKey instanceof RSAPrivateKey) { ++ RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey; ++ isPrivateKeyValid(rsaPrivateKey); ++ this.privKey = rsaPrivateKey; ++ this.pubKey = null; ++ this.random = ++ (random == null ? JCAUtil.getSecureRandom() : random); ++ resetDigest(); ++ } else { + throw new InvalidKeyException("key must be RSAPrivateKey"); + } +- this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey); +- this.pubKey = null; +- this.random = +- (random == null? JCAUtil.getSecureRandom() : random); +- resetDigest(); + } + + /** +@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi { + } + } + ++ /** ++ * Validate the specified RSAPrivateKey ++ */ ++ private void isPrivateKeyValid(RSAPrivateKey prKey) throws InvalidKeyException { ++ try { ++ if (prKey instanceof RSAPrivateCrtKey) { ++ RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey; ++ if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) { ++ RSAKeyFactory.checkRSAProviderKeyLengths( ++ crtKey.getModulus().bitLength(), ++ crtKey.getPublicExponent()); ++ } else { ++ throw new InvalidKeyException( ++ "Some of the CRT-specific components are not available"); ++ } ++ } else { ++ RSAKeyFactory.checkRSAProviderKeyLengths( ++ prKey.getModulus().bitLength(), ++ null); ++ } ++ } catch (InvalidKeyException ikEx) { ++ throw ikEx; ++ } catch (Exception e) { ++ throw new InvalidKeyException( ++ "Can not access private key components", e); ++ } ++ isValid(prKey); ++ } ++ ++ /** ++ * Validate the specified RSAPublicKey ++ */ ++ private void isPublicKeyValid(RSAPublicKey pKey) throws InvalidKeyException { ++ try { ++ RSAKeyFactory.checkRSAProviderKeyLengths( ++ pKey.getModulus().bitLength(), ++ pKey.getPublicExponent()); ++ } catch (InvalidKeyException ikEx) { ++ throw ikEx; ++ } catch (Exception e) { ++ throw new InvalidKeyException( ++ "Can not access public key components", e); ++ } ++ isValid(pKey); ++ } ++ + /** + * Validate the specified RSAKey and its associated parameters against + * internal signature parameters. + */ +- private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException { ++ private void isValid(RSAKey rsaKey) throws InvalidKeyException { + try { + AlgorithmParameterSpec keyParams = rsaKey.getParams(); + // validate key parameters +@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi { + } + checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength()); + } +- return rsaKey; + } catch (SignatureException e) { + throw new InvalidKeyException(e); + } +diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java +index 6b219937981..b3c1fae9672 100644 +--- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java ++++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java +@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl + RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded); + // check all CRT-specific components are available, if any one + // missing, return a non-CRT key instead +- if ((key.getPublicExponent().signum() == 0) || +- (key.getPrimeExponentP().signum() == 0) || +- (key.getPrimeExponentQ().signum() == 0) || +- (key.getPrimeP().signum() == 0) || +- (key.getPrimeQ().signum() == 0) || +- (key.getCrtCoefficient().signum() == 0)) { ++ if (checkComponents(key)) { ++ return key; ++ } else { + return new RSAPrivateKeyImpl( + key.algid, + key.getModulus(), +- key.getPrivateExponent() +- ); +- } else { +- return key; ++ key.getPrivateExponent()); + } + } + ++ /** ++ * Validate if all CRT-specific components are available. ++ */ ++ static boolean checkComponents(RSAPrivateCrtKey key) { ++ return !((key.getPublicExponent().signum() == 0) || ++ (key.getPrimeExponentP().signum() == 0) || ++ (key.getPrimeExponentQ().signum() == 0) || ++ (key.getPrimeP().signum() == 0) || ++ (key.getPrimeQ().signum() == 0) || ++ (key.getCrtCoefficient().signum() == 0)); ++ } ++ + /** + * Generate a new key from the specified type and components. + * Returns a CRT key if possible and a non-CRT key otherwise. diff --git a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch deleted file mode 100644 index ca3e985..0000000 --- a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff --git openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java -index cf4becb7db..4ab2ac0a31 100644 ---- openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java -+++ openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java -@@ -189,6 +189,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor - ctx = getLdapCtxFromUrl( - r.getDomainName(), url, new LdapURL(u), env); - return ctx; -+ } catch (AuthenticationException e) { -+ // do not retry on a different endpoint to avoid blocking -+ // the user if authentication credentials are wrong. -+ throw e; - } catch (NamingException e) { - // try the next element - lastException = e; -@@ -241,6 +245,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor - for (String u : urls) { - try { - return getUsingURL(u, env); -+ } catch (AuthenticationException e) { -+ // do not retry on a different URL to avoid blocking -+ // the user if authentication credentials are wrong. -+ throw e; - } catch (NamingException e) { - ex = e; - } diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index 1b0c998..72a406d 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -326,7 +326,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u362-b09 +%global openjdk_revision jdk8u372-b07 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -347,7 +347,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 2 +%global rpmrelease 1 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -1493,8 +1493,6 @@ Patch600: rh1750419-redhat_alt_java.patch Patch111: jdk8218811-perfMemory_linux.patch # JDK-8281098, PR3836: Extra compiler flags not passed to adlc build Patch112: jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch -# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked -Patch113: jdk8275535-rh2053256-ldap_auth.patch ############################################# # @@ -1542,13 +1540,15 @@ Patch581: jdk8257794-remove_broken_assert.patch ############################################# # -# Patches appearing in 8u362 +# Patches appearing in 8u382 # # This section includes patches which are present # in the listed OpenJDK 8u release and should be # able to be removed once that release is out # and used by this RPM. ############################################# +# JDK-8271199, RH2175317: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key +Patch2001: jdk8271199-rh2175317-custom_pkcs11_provider_support.patch ############################################# # @@ -1618,8 +1618,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3 %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2022g required as of JDK-8297804 -BuildRequires: tzdata-java >= 2022g +# 2023c required as of JDK-8305113 +BuildRequires: tzdata-java >= 2023c # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1932,7 +1932,6 @@ sh %{SOURCE12} %patch111 %patch112 %patch581 -%patch113 pushd %{top_level_dir_name} # Add crypto policy and FIPS support @@ -1941,6 +1940,8 @@ pushd %{top_level_dir_name} %patch1000 -p1 # cacerts patch; must follow FIPS patch as it also alters java.security %patch539 -p1 +# 8u382 fix +%patch2001 -p1 popd # RPM-only fixes @@ -2720,6 +2721,19 @@ cjc.mainProgram(args) %endif %changelog +* Tue Apr 18 2023 Andrew Hughes - 1:1.8.0.372.b07-1 +- Update to shenandoah-jdk8u372-b07 (GA) +- Update release notes for shenandoah-8u372-b07. +- Require tzdata 2023c due to inclusion of JDK-8305113 in 8u372-b07 +- Reintroduce jconsole-plugin.patch from RHEL 9 +- Update generate_tarball.sh to add support for passing a boot JDK to the configure run +- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace +- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs +- Drop JDK-8275535/RH2053256 patch which is now upstream +- Include JDK-8271199 backport early ahead of 8u382 (RH2175317) +- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. ** +- Resolves: rhbz#2185182 + * Tue Jan 24 2023 Andrew Hughes - 1:1.8.0.362.b09-2 - Update cacerts patch to fix OPENJDK-1433 SecurityManager issue - Update to shenandoah-jdk8u352-b09 (GA)