From 1d0aac65a3579b8cd88aae99dec06babd389f504 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 02 2021 06:10:58 +0000
Subject: import java-11-openjdk-11.0.10.0.9-4.el8
---
diff --git a/SOURCES/rh1915071-always_initialise_configurator_access.patch b/SOURCES/rh1915071-always_initialise_configurator_access.patch
new file mode 100644
index 0000000..21ced06
--- /dev/null
+++ b/SOURCES/rh1915071-always_initialise_configurator_access.patch
@@ -0,0 +1,68 @@
+diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
+--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -32,6 +32,7 @@
+ 
+ import jdk.internal.event.EventHelper;
+ import jdk.internal.event.SecurityPropertyModificationEvent;
++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import jdk.internal.misc.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.util.Debug;
+@@ -74,6 +75,15 @@
+ }
+ 
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -193,9 +203,8 @@
+ }
+ 
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+- if (disableSystemProps == null &&
+- "true".equalsIgnoreCase(props.getProperty
+- ("security.useSystemPropertiesFile"))) {
++ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
++ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
+ if (SystemConfigurator.configure(props)) {
+ loadedProps = true;
+ }
+diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -38,8 +38,6 @@
+ import java.util.Properties;
+ import java.util.regex.Pattern;
+ 
+-import jdk.internal.misc.SharedSecrets;
+-import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import sun.security.util.Debug;
+ 
+ /**
+@@ -65,16 +63,6 @@
+ 
+ private static boolean systemFipsEnabled = false;
+ 
+- static {
+- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+- new JavaSecuritySystemConfiguratorAccess() {
+- @Override
+- public boolean isSystemFipsEnabled() {
+- return SystemConfigurator.isSystemFipsEnabled();
+- }
+- });
+- }
+-
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
index c75414d..531df1b 100644
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
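Review bot: The rewritten `disableSystemProps` test in the `@@ -193,9 +203,8 @@` section of the Security.java patch still treats every value other than `false` as "disable", so an empty string or a misspelling skips `SystemConfigurator.configure(props)` without leaving any trace. Since `systemFipsEnabled` starts out `false` and the accessor now registered in the static block only relays it, a JVM started that way would presumably report FIPS as off even on a FIPS-enabled host, which is worth stating next to the check. I would add `// Any value other than "false" disables the system properties file, and with it system FIPS detection` above the `if`, and emit a debug message when the file is skipped because of the property. The enclosing method and the static initialiser both continue outside the visible sections.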
@@ -41,11 +41,11 @@ %global normal_suffix "" %global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. -%global debug_on with full debugging on -%global fastdebug_on with minimal debugging on %global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. -%global for_fastdebug_on for packages with minimal debugging on -%global for_debug for packages with debugging on +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation %if %{with release} %global include_normal_build 1 @@ -72,7 +72,7 @@ # == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin # != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin # similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} -%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) # while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 # as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) @@ -311,7 +311,7 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global buildver 9 -%global rpmrelease 2 +%global rpmrelease 4 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk 
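Review bot: The new `is_release_build` test in the `@@ -72,7 +72,7 @@` hunk joins two comparisons with `-o` inside a single `[ ]` and keeps `==`; `-o` is marked obsolescent in POSIX `test` and `==` is a bash/ksh extension, so the result depends on which shell backs `%( )`. Writing it as `[ "%{?1}" = "%{debug_suffix_unquoted}" ] || [ "%{?1}" = "%{fastdebug_suffix_unquoted}" ]` gives the same answer without relying on that. A one-line comment above the macro saying that both debug flavours must evaluate to `0` would also help, since a debug build misread as a release build is the mistake this change corrects.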
@@ -378,6 +378,8 @@ # Never generate lib-style provides/requires for slowdebug packages %global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ %global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ %else # Don't generate provides/requires for JDK provided shared libraries at all. %global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ 
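Review bot: The two added `%global` lines redefine `__provides_exclude_from` and `__requires_exclude_from` instead of extending them, and with RPM macros the later definition is the one in effect, so the slowdebug pattern two lines above appears to be overridden and only the fastdebug tree is filtered. If so, libraries from the slowdebug packages (described in this spec as "install only as needed and remove ASAP") would again generate lib-style provides and could satisfy dependencies of other packages. Put both suffixes in one pattern per macro, e.g. `%global __provides_exclude_from ^.*/(%{uniquesuffix -- %{debug_suffix_unquoted}}|%{uniquesuffix -- %{fastdebug_suffix_unquoted}})/.*$`, and do the same for `__requires_exclude_from`. The surrounding `%if` starts outside the hunk, so the branch condition should be checked there.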
@@ -1179,18 +1181,22 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch # enable build of speculative store bypass hardened alt-java Patch600: rh1750419-redhat_alt_java.patch +# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY +Patch1003: rh1842572-rsa_default_for_keytool.patch + +# FIPS support patches # RH1655466: Support RHEL FIPS mode using SunPKCS11 provider Patch1001: rh1655466-global_crypto_and_fips.patch # RH1818909: No ciphersuites availale for SSLSocket in FIPS mode Patch1002: rh1818909-fips_default_keystore_type.patch -# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY -Patch1003: rh1842572-rsa_default_for_keytool.patch # RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch # RH1868740: FIPS: IllegalAccessException by pkcs11 provider Patch1005: rh1868740-cryptoki_access_to_sunjce.patch # RH1883849: FIPS: IllegalAccessException by pkcs11 provider with security manager on Patch1006: rh1883849-cryptoki_access_to_sunjce_with_security_manager.patch +# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +Patch1007: rh1915071-always_initialise_configurator_access.patch ############################################# # @@ -1598,6 +1604,7 @@ popd # openjdk %patch1004 %patch1005 %patch1006 +%patch1007 # Extract systemtap tapsets %if %{with_systemtap} 
@@ -2258,6 +2265,20 @@ end %endif %changelog +* Mon Jan 18 2021 Andrew Hughes - 1:11.0.10.0.9-4 +- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs. +- Resolves: rhbz#1915071 + +* Sun Jan 17 2021 Andrew Hughes - 1:11.0.10.0.9-3 +- Fix debug and fastdebug descriptions to emphasise the difference is optimisation or no optimisation. +- Resolves: rhbz#1908972 + +* Sun Jan 17 2021 Jiri Vanek - 1:11.0.10.0.9-3 +- Removed lib-style provides for fastdebug_suffix_unquoted +- Fixed missing condition for fastdebug packages being counted as debug ones +- Fix typo in variable +- Resolves: rhbz#1908972 + * Sun Jan 17 2021 Andrew Hughes - 1:11.0.10.0.9-2 - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Resolves: rhbz#1894083