diff --git a/.gitignore b/.gitignore index fc7b991..d3039f1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u242-b08-4curve.tar.xz +SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u252-b09-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index 44b8e22..5a5d0be 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -c274c0cdb494aa6954f3e525121ab46c2293b7e6 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u242-b08-4curve.tar.xz -c1e848fdb04f351350fe2aeda17fc22a3ed41d3e SOURCES/tapsets-icedtea-3.15.0.tar.xz +9417f1f9fa52d6882a0ffe26c00a478d8bb6465d SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u252-b09-4curve.tar.xz +7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS new file mode 100644 index 0000000..59f5724 --- /dev/null +++ b/SOURCES/NEWS @@ -0,0 +1,113 @@ +Key: + +JDK-X - https://bugs.openjdk.java.net/browse/JDK-X +CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY + +New in release OpenJDK 8u252 (2020-04-14): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/oj8u252 + * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u252.txt + +* Security fixes + - JDK-8223898, CVE-2020-2754: Forward references to Nashorn + - JDK-8223904, CVE-2020-2755: Improve Nashorn matching + - JDK-8224541, CVE-2020-2756: Better mapping of serial ENUMs + - JDK-8224549, CVE-2020-2757: Less Blocking Array Queues + - JDK-8225603: Enhancement for big integers + - JDK-8227542: Manifest improved jar headers + - JDK-8231415, CVE-2020-2773: Better signatures in XML + - JDK-8233250: Better X11 rendering + - JDK-8233410: Better Build Scripting + - JDK-8234027: Better JCEKS key support + - JDK-8234408, CVE-2020-2781: Improve TLS session handling + - JDK-8234825, CVE-2020-2800: Better Headings for HTTP Servers + - JDK-8234841, CVE-2020-2803: Enhance buffering of byte buffers + - JDK-8235274, CVE-2020-2805: Enhance typing of methods + - JDK-8236201, CVE-2020-2830: Better Scanner conversions + - JDK-8238960: linux-i586 builds are inconsistent as the newly build jdk is not able to reserve enough space for object heap +* Other changes + - JDK-8005819: Support cross-realm MSSFU + - JDK-8022263: use same Clang warnings on BSD as on Linux + - JDK-8038631: Create wrapper for awt.Robot with additional functionality + - JDK-8047212: runtime/ParallelClassLoading/bootstrap/random/inner-complex assert(ObjectSynchronizer::verify_objmon_isinpool(inf)) failed: monitor is invalid + - JDK-8055283: Expand ResourceHashtable with C_HEAP allocation, removal and some unit tests + - JDK-8068184: Fix for JDK-8032832 caused a deadlock + - JDK-8079693: Add support for ECDSA P-384 and P-521 curves to XML Signature + - JDK-8132130: some docs cleanup + - JDK-8135318: CMS wrong max_eden_size for check_gc_overhead_limit + - JDK-8144445: Maximum size checking in Marlin ArrayCache utility methods is not optimal + - JDK-8144446: Automate the Marlin crash test + - JDK-8144526: Remove Marlin logging use of deleted internal API + - JDK-8144630: Use PrivilegedAction to create Thread in Marlin RendererStats + - JDK-8144654: Improve Marlin logging + - JDK-8144718: Pisces / Marlin Strokers may generate invalid curves with huge coordinates and round joins + - JDK-8166976: TestCipherPBECons has wrong @run line + - JDK-8167409: Invalid value passed to critical JNI function + - JDK-8181872: C1: possible overflow when strength reducing integer multiply by constant + - JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT + - JDK-8191227: issues with unsafe handle resolution + - JDK-8197441: Signature#initSign/initVerify for an invalid private/public key fails with ClassCastException for SunPKCS11 provider + - JDK-8204152: SignedObject throws NullPointerException for null keys with an initialized Signature object + - JDK-8215756: Memory leaks in the AWT on macOS + - JDK-8216472: (se) Stack overflow during selection operation leads to crash (win) + - JDK-8219244: NMT: Change ThreadSafepointState's allocation type from mtInternal to mtThread + - JDK-8219597: (bf) Heap buffer state changes could provoke unexpected exceptions + - JDK-8225128: Add exception for expiring DocuSign root to VerifyCACerts test + - JDK-8225130: Add exception for expiring Comodo roots to VerifyCACerts test + - JDK-8229022: BufferedReader performance can be improved by using StringBuilder + - JDK-8229345: Memory leak due to vtable stubs not being shared on SPARC + - JDK-8229872: (fs) Increase buffer size used with getmntent + - JDK-8230235: Rendering HTML with empty img attribute and documentBaseKey cause Exception + - JDK-8231430: C2: Memory stomp in max_array_length() for T_ILLEGAL type + - JDK-8235744: PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64 + - JDK-8235904: Infinite loop when rendering huge lines + - JDK-8236179: C1 register allocation error with T_ADDRESS + - JDK-8237368: Problem with NullPointerException in RMI TCPEndpoint.read + - JDK-8240521: Revert backport of 8231584: Deadlock with ClassLoader.findLibrary and System.loadLibrary call + - JDK-8241296: Segfault in JNIHandleBlock::oops_do() + - JDK-8241307: Marlin renderer should not be the default in 8u252 + +Notes on individual issues: +=========================== + +hotspot/svc: + +JDK-8174881: Binary format for HPROF updated +============================================ + +When dumping the heap in binary format, HPROF format 1.0.2 is always +used now. Previously, format 1.0.1 was used for heaps smaller than +2GB. HPROF format 1.0.2 is also used by jhsdb jmap for the +serviceability agent. + +security-libs/java.security: + +JDK-8229518: Added Support for PKCS#1 v2.2 Algorithms Including RSASSA-PSS Signature +==================================================================================== + +The SunRsaSign and SunJCE providers have been enhanced with support +for more algorithms defined in PKCS#1 v2.2, such as RSASSA-PSS +signature and OAEP using FIPS 180-4 digest algorithms. New +constructors and methods have been added to relevant JCA/JCE classes +under the `java.security.spec` and `javax.crypto.spec` packages for +supporting additional RSASSA-PSS parameters. + +security-libs/javax.crypto: + +JDK-8205471: RSASSA-PSS Signature Support Added to SunMSCAPI +============================================================ + +The RSASSA-PSS signature algorithm support has been added to the SunMSCAPI provider. + +security-libs/javax.security: + +JDK-8227564: Allow SASL Mechanisms to Be Restricted +=================================================== + +A security property named `jdk.sasl.disabledMechanisms` has been added +that can be used to disable SASL mechanisms. Any disabled mechanism +will be ignored if it is specified in the `mechanisms` argument of +`Sasl.createSaslClient` or the `mechanism` argument of +`Sasl.createSaslServer`. The default value for this security property +is empty, which means that no mechanisms are disabled out-of-the-box. diff --git a/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch b/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch index 533ea2d..ae48068 100644 --- a/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch +++ b/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch @@ -10,7 +10,7 @@ Summary: Enable -mstackrealign on x86 Linux as well as x86 Mac OS X diff --git openjdk.orig///common/autoconf/flags.m4 openjdk///common/autoconf/flags.m4 --- openjdk.orig///common/autoconf/flags.m4 +++ openjdk///common/autoconf/flags.m4 -@@ -389,6 +389,21 @@ +@@ -402,6 +402,21 @@ AC_SUBST($2CXXSTD_CXXFLAG) fi @@ -44,11 +44,11 @@ diff --git openjdk.orig///common/autoconf/hotspot-spec.gmk.in openjdk///common/a + $(REALIGN_CFLAG) EXTRA_CXXFLAGS=@LEGACY_EXTRA_CXXFLAGS@ EXTRA_LDFLAGS=@LEGACY_EXTRA_LDFLAGS@ - + EXTRA_ASFLAGS=@LEGACY_EXTRA_ASFLAGS@ diff --git openjdk.orig///common/autoconf/spec.gmk.in openjdk///common/autoconf/spec.gmk.in --- openjdk.orig///common/autoconf/spec.gmk.in +++ openjdk///common/autoconf/spec.gmk.in -@@ -334,6 +334,7 @@ +@@ -366,6 +366,7 @@ NO_DELETE_NULL_POINTER_CHECKS_CFLAG=@NO_DELETE_NULL_POINTER_CHECKS_CFLAG@ NO_LIFETIME_DSE_CFLAG=@NO_LIFETIME_DSE_CFLAG@ diff --git a/SOURCES/pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_separator_instead_of_crlf_in_pkcs10.patch b/SOURCES/pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_separator_instead_of_crlf_in_pkcs10.patch index 4859ca6..06973aa 100644 --- a/SOURCES/pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_separator_instead_of_crlf_in_pkcs10.patch +++ b/SOURCES/pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_separator_instead_of_crlf_in_pkcs10.patch @@ -7,18 +7,10 @@ PR2974: PKCS#10 certificate requests now use CRLF line endings rather than system line endings Summary: Add -systemlineendings option to keytool to allow system line endings to be used again. -diff --git a/src/share/classes/sun/security/pkcs10/PKCS10.java b/src/share/classes/sun/security/pkcs10/PKCS10.java ---- openjdk/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java +diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java openjdk/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java +--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java +++ openjdk/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java -@@ -30,6 +30,7 @@ - import java.io.IOException; - import java.math.BigInteger; - -+import java.security.AccessController; - import java.security.cert.CertificateException; - import java.security.NoSuchAlgorithmException; - import java.security.InvalidKeyException; -@@ -39,6 +40,7 @@ +@@ -35,6 +35,7 @@ import java.util.Base64; @@ -26,7 +18,7 @@ diff --git a/src/share/classes/sun/security/pkcs10/PKCS10.java b/src/share/class import sun.security.util.*; import sun.security.x509.AlgorithmId; import sun.security.x509.X509Key; -@@ -76,6 +78,14 @@ +@@ -74,6 +75,14 @@ * @author Hemma Prafullchandra */ public class PKCS10 { @@ -41,7 +33,7 @@ diff --git a/src/share/classes/sun/security/pkcs10/PKCS10.java b/src/share/class /** * Constructs an unsigned PKCS #10 certificate request. Before this * request may be used, it must be encoded and signed. Then it -@@ -293,13 +303,39 @@ +@@ -303,13 +312,39 @@ */ public void print(PrintStream out) throws IOException, SignatureException { @@ -83,10 +75,10 @@ diff --git a/src/share/classes/sun/security/pkcs10/PKCS10.java b/src/share/class out.println("-----END NEW CERTIFICATE REQUEST-----"); } -diff --git a/src/share/classes/sun/security/tools/keytool/Main.java b/src/share/classes/sun/security/tools/keytool/Main.java ---- openjdk/jdk/src/share/classes/sun/security/tools/keytool/Main.java +diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Main.java openjdk/jdk/src/share/classes/sun/security/tools/keytool/Main.java +--- openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Main.java +++ openjdk/jdk/src/share/classes/sun/security/tools/keytool/Main.java -@@ -124,6 +124,7 @@ +@@ -126,6 +126,7 @@ private String infilename = null; private String outfilename = null; private String srcksfname = null; @@ -94,7 +86,7 @@ diff --git a/src/share/classes/sun/security/tools/keytool/Main.java b/src/share/ // User-specified providers are added before any command is called. // However, they are not removed before the end of the main() method. -@@ -186,7 +187,7 @@ +@@ -188,7 +189,7 @@ CERTREQ("Generates.a.certificate.request", ALIAS, SIGALG, FILEOUT, KEYPASS, KEYSTORE, DNAME, STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS, @@ -103,7 +95,7 @@ diff --git a/src/share/classes/sun/security/tools/keytool/Main.java b/src/share/ CHANGEALIAS("Changes.an.entry.s.alias", ALIAS, DESTALIAS, KEYPASS, KEYSTORE, STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG, -@@ -319,6 +320,7 @@ +@@ -321,6 +322,7 @@ STARTDATE("startdate", "", "certificate.validity.start.date.time"), STOREPASS("storepass", "", "keystore.password"), STORETYPE("storetype", "", "keystore.type"), @@ -111,7 +103,7 @@ diff --git a/src/share/classes/sun/security/tools/keytool/Main.java b/src/share/ TRUSTCACERTS("trustcacerts", null, "trust.certificates.from.cacerts"), V("v", null, "verbose.output"), VALIDITY("validity", "", "validity.number.of.days"); -@@ -559,6 +561,8 @@ +@@ -561,6 +563,8 @@ protectedPath = true; } else if (collator.compare(flags, "-srcprotected") == 0) { srcprotectedPath = true; @@ -120,7 +112,7 @@ diff --git a/src/share/classes/sun/security/tools/keytool/Main.java b/src/share/ } else { System.err.println(rb.getString("Illegal.option.") + flags); tinyHelp(); -@@ -1463,7 +1467,7 @@ +@@ -1464,7 +1468,7 @@ // Sign the request and base-64 encode it request.encodeAndSign(subject, signature); @@ -129,13 +121,13 @@ diff --git a/src/share/classes/sun/security/tools/keytool/Main.java b/src/share/ checkWeak(rb.getString("the.generated.certificate.request"), request); } -@@ -4540,4 +4544,3 @@ +@@ -4544,4 +4548,3 @@ return new Pair<>(a,b); } } - -diff --git a/src/share/classes/sun/security/tools/keytool/Resources.java b/src/share/classes/sun/security/tools/keytool/Resources.java ---- openjdk/jdk/src/share/classes/sun/security/tools/keytool/Resources.java +diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Resources.java openjdk/jdk/src/share/classes/sun/security/tools/keytool/Resources.java +--- openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Resources.java +++ openjdk/jdk/src/share/classes/sun/security/tools/keytool/Resources.java @@ -168,6 +168,8 @@ "keystore password"}, //-storepass diff --git a/SOURCES/pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch b/SOURCES/pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch index b52c087..00e3a2e 100644 --- a/SOURCES/pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch +++ b/SOURCES/pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch @@ -35,7 +35,7 @@ diff --git openjdk.orig/jdk/src/share/classes/sun/security/util/ECUtil.java open +++ openjdk/jdk/src/share/classes/sun/security/util/ECUtil.java @@ -41,6 +41,9 @@ - public class ECUtil { + public final class ECUtil { + /* Are we debugging ? */ + private static final Debug debug = Debug.getInstance("ecc"); diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index 951a792..a7c874e 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -212,7 +212,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project aarch64-port %global shenandoah_repo jdk8u-shenandoah -%global shenandoah_revision aarch64-shenandoah-jdk8u242-b08 +%global shenandoah_revision aarch64-shenandoah-jdk8u252-b09 # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} %global repo %{shenandoah_repo} @@ -228,7 +228,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 4 +%global rpmrelease 3 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -578,6 +578,7 @@ exit 0 %license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/ASSEMBLY_EXCEPTION %license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE %license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/THIRD_PARTY_README +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS %dir %{_jvmdir}/%{sdkdir -- %{?1}} %{_jvmdir}/%{jrelnk -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security @@ -1046,6 +1047,9 @@ Source0: %{shenandoah_project}-%{shenandoah_repo}-%{shenandoah_revision}-4curve. # Custom README for -src subpackage Source2: README.md +# Release notes +Source7: NEWS + # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (3.x). # Systemtap tapsets. Zipped up to keep it small. @@ -1624,7 +1628,8 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif -export EXTRA_CFLAGS +EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" +export EXTRA_CFLAGS EXTRA_ASFLAGS (cd %{top_level_dir_name}/common/autoconf bash ./autogen.sh @@ -1663,6 +1668,7 @@ bash ../../configure \ --with-stdc++lib=dynamic \ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ --with-extra-cflags="$EXTRA_CFLAGS" \ + --with-extra-asflags="$EXTRA_ASFLAGS" \ --with-extra-ldflags="%{ourldflags}" \ --with-num-cores="$NUM_PROC" @@ -1886,6 +1892,11 @@ if ! echo $suffix | grep -q "debug" ; then cp -a %{buildoutputdir -- $suffix}/bundles/$built_doc_archive $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip fi +# Install release notes +commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} +install -d -m 755 ${commondocdir} +cp -a %{SOURCE7} ${commondocdir} + # Install icons and menu entries for s in 16 24 32 48 ; do install -D -p -m 644 \ @@ -2128,6 +2139,54 @@ require "copy_jdk_configs.lua" %endif %changelog +* Sun Apr 19 2020 Andrew Hughes - 1:1.8.0.252.b09-3 +- Add release notes. +- Resolves: rhbz#1810557 + +* Sun Apr 19 2020 Andrew Hughes - 1:1.8.0.252.b09-2 +- Make use of --with-extra-asflags introduced in jdk8u252-b01. +- Resolves: rhbz#1810557 + +* Mon Apr 06 2020 Andrew Hughes - 1:1.8.0.252.b09-1 +- Update to aarch64-shenandoah-jdk8u252-b09. +- Switch to GA mode for final release. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b08-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b08. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b07-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b07. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b06-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b06. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b05-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b05. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b04-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b04. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b03-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b03. +- Adjust PR2974/RH1337583 & PR3083/RH1346460 following context changes in JDK-8230978 +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b02-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b02. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b01-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b01. +- Switch to EA mode. +- Adjust JDK-8199936/PR3533 patch following JDK-8227397 configure change +- Resolves: rhbz#1810557 + * Fri Mar 27 2020 Andrew John Hughes - 1:1.8.0.242.b08-4 - Need to support noarch for creating source RPMs for non-scratch builds. - Resolves: rhbz#1737112