diff --git a/SOURCES/jdk8222527-rh1869530-host_header_for_proxies.patch b/SOURCES/jdk8222527-rh1869530-host_header_for_proxies.patch
new file mode 100644
index 0000000..24da3a6
--- /dev/null
+++ b/SOURCES/jdk8222527-rh1869530-host_header_for_proxies.patch
@@ -0,0 +1,183 @@
+diff --git a/src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java b/src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java
+--- a/src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java
++++ b/src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java
+@@ -157,6 +157,7 @@
+ return true;
+ };
+
++ private static final Predicate<String> IS_HOST = "host"::equalsIgnoreCase;
+ private static final Predicate<String> IS_PROXY_HEADER = (k) ->
+ k != null && k.length() > 6 && "proxy-".equalsIgnoreCase(k.substring(0,6));
+ private static final Predicate<String> NO_PROXY_HEADER =
+@@ -228,7 +229,8 @@
+
+ public static final BiPredicate<String, String> PROXY_TUNNEL_FILTER =
+ (s,v) -> isAllowedForProxy(s, v, PROXY_AUTH_TUNNEL_DISABLED_SCHEMES,
+- IS_PROXY_HEADER);
++ // Allows Proxy-* and Host headers when establishing the tunnel.
++ IS_PROXY_HEADER.or(IS_HOST));
+ public static final BiPredicate<String, String> PROXY_FILTER =
+ (s,v) -> isAllowedForProxy(s, v, PROXY_AUTH_DISABLED_SCHEMES,
+ ALL_HEADERS);
+diff --git a/test/jdk/java/net/httpclient/DigestEchoServer.java b/test/jdk/java/net/httpclient/DigestEchoServer.java
+--- a/test/jdk/java/net/httpclient/DigestEchoServer.java
++++ b/test/jdk/java/net/httpclient/DigestEchoServer.java
+@@ -82,6 +82,8 @@
+ Boolean.parseBoolean(System.getProperty("test.debug", "false"));
+ public static final boolean NO_LINGER =
+ Boolean.parseBoolean(System.getProperty("test.nolinger", "false"));
++ public static final boolean TUNNEL_REQUIRES_HOST =
++ Boolean.parseBoolean(System.getProperty("test.requiresHost", "false"));
+ public enum HttpAuthType {
+ SERVER, PROXY, SERVER307, PROXY305
+ /* add PROXY_AND_SERVER and SERVER_PROXY_NONE */
+@@ -1524,6 +1526,36 @@
+ }
+ }
+
++ boolean badRequest(StringBuilder response, String hostport, List<String> hosts) {
++ String message = null;
++ if (hosts.isEmpty()) {
++ message = "No host header provided\r\n";
++ } else if (hosts.size() > 1) {
++ message = "Multiple host headers provided\r\n";
++ for (String h : hosts) {
++ message = message + "host: " + h + "\r\n";
++ }
++ } else {
++ String h = hosts.get(0);
++ if (!hostport.equalsIgnoreCase(h)
++ && !hostport.equalsIgnoreCase(h + ":80")
++ && !hostport.equalsIgnoreCase(h + ":443")) {
++ message = "Bad host provided: [" + h
++ + "] doesnot match [" + hostport + "]\r\n";
++ }
++ }
++ if (message != null) {
++ int length = message.getBytes(StandardCharsets.UTF_8).length;
++ response.append("HTTP/1.1 400 BadRequest\r\n")
++ .append("Content-Length: " + length)
++ .append("\r\n\r\n")
++ .append(message);
++ return true;
++ }
++
++ return false;
++ }
++
+ boolean authorize(StringBuilder response, String requestLine, String headers) {
+ if (authorization != null) {
+ return authorization.authorize(response, requestLine, headers);
+@@ -1637,6 +1669,7 @@
+ assert connect.equalsIgnoreCase("connect");
+ String hostport = tokenizer.nextToken();
+ InetSocketAddress targetAddress;
++ List<String> hosts = new ArrayList<>();
+ try {
+ URI uri = new URI("https", hostport, "/", null, null);
+ int port = uri.getPort();
+@@ -1661,9 +1694,30 @@
+ System.out.println(now() + "Tunnel: Reading header: "
+ + (line = readLine(ccis)));
+ headers.append(line).append("\r\n");
++ int index = line.indexOf(':');
++ if (index >= 0) {
++ String key = line.substring(0, index).trim();
++ if (key.equalsIgnoreCase("host")) {
++ hosts.add(line.substring(index+1).trim());
++ }
++ }
++ }
++ StringBuilder response = new StringBuilder();
++ if (TUNNEL_REQUIRES_HOST) {
++ if (badRequest(response, hostport, hosts)) {
++ System.out.println(now() + "Tunnel: Sending " + response);
++ // send the 400 response
++ pw.print(response.toString());
++ pw.flush();
++ toClose.close();
++ continue;
++ } else {
++ assert hosts.size() == 1;
++ System.out.println(now()
++ + "Tunnel: Host header verified " + hosts);
++ }
+ }
+
+- StringBuilder response = new StringBuilder();
+ final boolean authorize = authorize(response, requestLine, headers.toString());
+ if (!authorize) {
+ System.out.println(now() + "Tunnel: Sending "
+diff --git a/test/jdk/java/net/httpclient/HttpsTunnelTest.java b/test/jdk/java/net/httpclient/HttpsTunnelTest.java
+--- a/test/jdk/java/net/httpclient/HttpsTunnelTest.java
++++ b/test/jdk/java/net/httpclient/HttpsTunnelTest.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -47,8 +47,9 @@
+ * proxy P is downgraded to HTTP/1.1, then a new h2 request
+ * going to a different host through the same proxy will not
+ * be preemptively downgraded. That, is the stack should attempt
+- * a new h2 connection to the new host.
+- * @bug 8196967
++ * a new h2 connection to the new host. It also verifies that
++ * the stack sends the appropriate "host" header to the proxy.
++ * @bug 8196967 8222527
+ * @library /lib/testlibrary http2/server
+ * @build jdk.testlibrary.SimpleSSLContext HttpServerAdapters DigestEchoServer HttpsTunnelTest
+ * @modules java.net.http/jdk.internal.net.http.common
+@@ -58,7 +59,10 @@
+ * java.base/sun.net.www.http
+ * java.base/sun.net.www
+ * java.base/sun.net
+- * @run main/othervm -Djdk.internal.httpclient.debug=true HttpsTunnelTest
++ * @run main/othervm -Dtest.requiresHost=true
++ * -Djdk.httpclient.HttpClient.log=headers
++ * -Djdk.internal.httpclient.debug=true HttpsTunnelTest
++ *
+ */
+
+ public class HttpsTunnelTest implements HttpServerAdapters {
+@@ -145,6 +149,7 @@
+ if (!lines.equals(respLines)) {
+ throw new RuntimeException("Unexpected response 1: " + respLines);
+ }
++
+ HttpRequest.BodyPublisher reqBody2 = HttpRequest.BodyPublishers.ofString(body);
+ HttpRequest req2 = HttpRequest
+ .newBuilder(uri2)
+diff --git a/test/jdk/java/net/httpclient/ProxyAuthDisabledSchemesSSL.java b/test/jdk/java/net/httpclient/ProxyAuthDisabledSchemesSSL.java
+--- a/test/jdk/java/net/httpclient/ProxyAuthDisabledSchemesSSL.java
++++ b/test/jdk/java/net/httpclient/ProxyAuthDisabledSchemesSSL.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -23,7 +23,7 @@
+
+ /**
+ * @test
+- * @bug 8087112
++ * @bug 8087112 8222527
+ * @summary this test verifies that a client may provides authorization
+ * headers directly when connecting with a server over SSL, and
+ * it verifies that the client honor the jdk.http.auth.*.disabledSchemes
+@@ -43,9 +43,11 @@
+ * ProxyAuthDisabledSchemesSSL SSL
+ * @run main/othervm -Djdk.http.auth.proxying.disabledSchemes=Basic
+ * -Djdk.http.auth.tunneling.disabledSchemes=Basic
++ * -Dtest.requiresHost=true
+ * ProxyAuthDisabledSchemesSSL SSL PROXY
+ * @run main/othervm -Djdk.http.auth.proxying.disabledSchemes=Digest
+ * -Djdk.http.auth.tunneling.disabledSchemes=Digest
++ * -Dtest.requiresHost=true
+ * ProxyAuthDisabledSchemesSSL SSL PROXY
+ */
+
diff --git a/SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch b/SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch
new file mode 100644
index 0000000..b00022f
--- /dev/null
+++ b/SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch
@@ -0,0 +1,32 @@
+
+# HG changeset patch
+# User thartmann
+# Date 1604482955 -3600
+# Node ID 27723943c0dd65a191cbefe031cec001521e4b13
+# Parent e9d90c9daf895b469b461b727b6887e7780b4ac2
+8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)
+Summary: Added missing NULL checks.
+Reviewed-by: kvn, chagedorn
+
+diff -r e9d90c9daf89 -r 27723943c0dd src/hotspot/share/opto/addnode.cpp
+--- a/src/hotspot/share/opto/addnode.cpp Mon Nov 02 20:20:05 2020 +0100
++++ b/src/hotspot/share/opto/addnode.cpp Wed Nov 04 10:42:35 2020 +0100
+@@ -917,7 +917,7 @@
+
+ // Transform MIN2(x + c0, MIN2(x + c1, z)) into MIN2(x + MIN2(c0, c1), z)
+ // if x == y and the additions can't overflow.
+- if (phase->eqv(x,y) &&
++ if (phase->eqv(x,y) && tx != NULL &&
+ !can_overflow(tx, x_off) &&
+ !can_overflow(tx, y_off)) {
+ return new MinINode(phase->transform(new AddINode(x, phase->intcon(MIN2(x_off, y_off)))), r->in(2));
+@@ -925,7 +925,7 @@
+ } else {
+ // Transform MIN2(x + c0, y + c1) into x + MIN2(c0, c1)
+ // if x == y and the additions can't overflow.
+- if (phase->eqv(x,y) &&
++ if (phase->eqv(x,y) && tx != NULL &&
+ !can_overflow(tx, x_off) &&
+ !can_overflow(tx, y_off)) {
+ return new AddINode(x,phase->intcon(MIN2(x_off,y_off)));
+
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
index 5c3926b..5fccb6b 100644
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
@@ -285,7 +285,7 @@
%global top_level_dir_name %{origin}
%global minorver 0
%global buildver 11
-%global rpmrelease 0
+%global rpmrelease 2
#%%global tagsuffix %%{nil}
# priority must be 7 digits in total
# setting to 1, so debug ones can have 0
@@ -787,17 +787,20 @@ exit 0
}
%define files_static_libs() %{expand:
+%dir %{_jvmdir}/%{sdkdir %%1}/lib/static
+%dir %{_jvmdir}/%{sdkdir %%1}/lib/static/linux-%{archinstall}
+%dir %{_jvmdir}/%{sdkdir %%1}/lib/static/linux-%{archinstall}/glibc
%{_jvmdir}/%{sdkdir %%1}/lib/static/linux-%{archinstall}/glibc/lib*.a
}
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir %%1}
-%license %{buildoutputdir %%1}/images/%{jdkimage}/legal
+%license %{_jvmdir}/%{sdkdir %%1}/legal
}
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir %%1}.zip
-%license %{buildoutputdir %%1}/images/%{jdkimage}/legal
+%license %{_jvmdir}/%{sdkdir %%1}/legal
}
# not-duplicated requires/provides/obsolate for normal/debug packages
@@ -1054,6 +1057,8 @@ Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch
Patch7: jdk8009550-rh910107-search_for_versioned_libpcsclite.patch
# S390 ambiguous log2_intptr call
Patch8: s390-8214206_fix.patch
+# JDK-8222527, RH1869530: HttpClient doesn't send HOST header when tunelling HTTP/1.1 through http proxy
+Patch13: jdk8222527-rh1869530-host_header_for_proxies.patch
#############################################
#
@@ -1072,6 +1077,8 @@ Patch8: s390-8214206_fix.patch
#############################################
# JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b
Patch9: jdk8254177-tzdata2020b.patch
+# JDK-8250861, RH1895274: Crash in MinINode::Ideal(PhaseGVN*, bool)
+Patch12: jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -1086,13 +1093,6 @@ BuildRequires: freetype-devel
BuildRequires: giflib-devel
BuildRequires: gcc-c++
BuildRequires: gdb
-%ifarch %{arm}
-BuildRequires: devtoolset-7-build
-BuildRequires: devtoolset-7-binutils
-BuildRequires: devtoolset-7-gcc
-BuildRequires: devtoolset-7-gcc-c++
-BuildRequires: devtoolset-7-gdb
-%endif
BuildRequires: gtk2-devel
# LCMS on rhel7 is older then LCMS in intree JDK
BuildRequires: lcms2-devel
@@ -1378,6 +1378,8 @@ pushd %{top_level_dir_name}
%patch7 -p1
%patch8 -p1
%patch9 -p1
+%patch12 -p1
+%patch13 -p1
popd # openjdk
%patch1000
@@ -1430,10 +1432,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
%build
-%ifarch %{arm}
-%{?enable_devtoolset7:%{enable_devtoolset7}}
-%endif
-
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -1487,9 +1485,11 @@ bash ../configure \
%ifarch %{ppc64le}
--with-jobs=1 \
%endif
- --with-version-build=%{buildver} \
+ --with-version-build=1 \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
+ --with-version-patch=1 \
+ --with-version-date="2020-11-04" \
--with-vendor-version-string="%{vendor_version_string}" \
--with-vendor-name="%{oj_vendor}" \
--with-vendor-url="%{oj_vendor_url}" \
@@ -1739,7 +1739,9 @@ cp -a %{buildoutputdir $suffix}/images/%{static_libs_image}/lib/*.a \
# Always take docs from normal build to avoid building them twice
install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}
cp -a %{buildoutputdir $normal_suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir $suffix}
-cp -a %{buildoutputdir $normal_suffix}/bundles/jdk-%{newjavaver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip
+#built_doc_archive=jdk-%{newjavaver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip
+built_doc_archive=jdk-11.0.9.1+1%{lts_designator_zip}-docs.zip
+cp -a %{buildoutputdir $normal_suffix}/bundles/${built_doc_archive} $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir $suffix}.zip
# Install release notes
commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir $suffix}
@@ -1967,6 +1969,25 @@ require "copy_jdk_configs.lua"
%endif
%changelog
+* Thu Nov 12 2020 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.9.11-2
+- Add backport of JDk-8222537 so the Host header is sent when using proxies.
+- Resolves: rhbz#1869530
+
+* Wed Nov 04 2020 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.9.11-1
+- Update to jdk-11.0.9.1+1
+- RPM version stays at 11.0.9.11 so as to not break upgrade path.
+- Adds a single patch for JDK-8250861.
+- Resolves: rhbz#1895275
+
+* Thu Oct 29 2020 Jiri Vanek <jvanek@redhat.com> - 1:11.0.9.11-1
+- Move all license files to NVR-specific JVM directory.
+- This bad placement was killing parallel installability and thus having a bad impact on leapp, if used.
+- Resolves: rhbz#1896609
+
+* Mon Oct 19 2020 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.9.11-1
+- Fix directory ownership of static-libs package
+- Resolves: rhbz#1896610
+
* Thu Oct 15 2020 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.9.11-0
- Delay tzdata 2020b dependency until tzdata update has shipped.
- Resolves: rhbz#1876665