diff --git a/.gitignore b/.gitignore index e9d062c..be6fed1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-jdk17-jdk-17+35.tar.xz +SOURCES/openjdk-jdk17u-jdk-17.0.1+12.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-17-openjdk.metadata b/.java-17-openjdk.metadata index 5e77c19..9f9c152 100644 --- a/.java-17-openjdk.metadata +++ b/.java-17-openjdk.metadata @@ -1,2 +1,2 @@ -a2bffc90da173240cdf0e3ea6971d4ba432b3cfe SOURCES/openjdk-jdk17-jdk-17+35.tar.xz +67b0461c80bd3e2faea3e97464fbcffdda4badfe SOURCES/openjdk-jdk17u-jdk-17.0.1+12.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index cf7bae0..9d37ff9 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,97 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 17.0.1 (2021-10-19): +=========================================== +Live versions of these release notes can be found at: + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt + +* Security fixes + - JDK-8263314: Enhance XML Dsig modes + - JDK-8265167, CVE-2021-35556: Richer Text Editors + - JDK-8265574: Improve handling of sheets + - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit + - JDK-8265776: Improve Stream handling for SSL + - JDK-8266097, CVE-2021-35561: Better hashing support + - JDK-8266103: Better specified spec values + - JDK-8266109: More Resilient Classloading + - JDK-8266115: More Manifest Jar Loading + - JDK-8266137, CVE-2021-35564: Improve Keystore integrity + - JDK-8266689, CVE-2021-35567: More Constrained Delegation + - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic + - JDK-8267712: Better LDAP reference processing + - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking + - JDK-8267735, CVE-2021-35586: Better BMP support + - JDK-8268193: Improve requests of certificates + - JDK-8268199: Correct certificate requests + - JDK-8268205: Enhance DTLS client handshake + - JDK-8268500: Better specified ParameterSpecs + - JDK-8268506: More Manifest Digests + - JDK-8269618, CVE-2021-35603: Better session identification + - JDK-8269624: Enhance method selection support + - JDK-8270398: Enhance canonicalization + - JDK-8270404: Better canonicalization +* Other changes + - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 + - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails + - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked + - JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations + - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" + - JDK-8263531: Remove unused buffer int + - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java + - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type + - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file + - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. + - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance + - JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms + - JDK-8269297: Bump version numbers for JDK 17.0.1 + - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient + - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events + - JDK-8269763: The JEditorPane is blank after JDK-8265167 + - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers + - JDK-8269882: stack-use-after-scope in NewObjectA + - JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible + - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status + - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags + - JDK-8270094: Shenandoah: Provide human-readable labels for test configurations + - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode + - JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert + - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup + - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error + - JDK-8270344: Session resumption errors + - JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added + - JDK-8271276: C2: Wrong JVM state used for receiver null check + - JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4 + - JDK-8271589: fatal error with variable shift count integer rotate operation. + - JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java + - JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests + - JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier + - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon + - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj + - JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails + - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 + - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 + - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 + - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used + - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 + - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled + - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed + - JDK-8273358: macOS Monterey does not have the font Times needed by Serif + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8271434: Removed IdenTrust Root Certificate +=============================================== +The following root certificate from IdenTrust has been removed from +the `cacerts` keystore: + +Alias Name: identrustdstx3 [jdk] +Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. + New in release OpenJDK 17.0.0 (2021-09-14): =========================================== The full list of changes in the interim releases from 11u to 17u can be found at: diff --git a/SOURCES/jdk8272332-rh2004078-broken_harfbuzz_linking.patch b/SOURCES/jdk8272332-rh2004078-broken_harfbuzz_linking.patch deleted file mode 100644 index 9acd70d..0000000 --- a/SOURCES/jdk8272332-rh2004078-broken_harfbuzz_linking.patch +++ /dev/null @@ -1,21 +0,0 @@ -commit e506cb23cfce35d1bc997d1e280f4dc40c9b3397 -Author: Severin Gehwolf -Date: Mon Aug 16 09:57:28 2021 +0000 - - 8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 - - Backport-of: d38b31438dd4730ee2149c02277d60c35b9d7d81 - -diff --git openjdk.orig/make/modules/java.desktop/lib/Awt2dLibraries.gmk openjdk/make/modules/java.desktop/lib/Awt2dLibraries.gmk -index 4d0c0c00dbf..ef7eadae206 100644 ---- openjdk.orig/make/modules/java.desktop/lib/Awt2dLibraries.gmk -+++ openjdk/make/modules/java.desktop/lib/Awt2dLibraries.gmk -@@ -435,7 +435,7 @@ endif - - ifeq ($(USE_EXTERNAL_HARFBUZZ), true) - LIBFONTMANAGER_EXTRA_SRC = -- BUILD_LIBFONTMANAGER_FONTLIB += $(LIBHARFBUZZ_LIBS) -+ BUILD_LIBFONTMANAGER_FONTLIB += $(HARFBUZZ_LIBS) - else - LIBFONTMANAGER_EXTRA_SRC = libharfbuzz - diff --git a/SPECS/java-17-openjdk.spec b/SPECS/java-17-openjdk.spec index de95030..b8964d1 100644 --- a/SPECS/java-17-openjdk.spec +++ b/SPECS/java-17-openjdk.spec @@ -274,7 +274,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 0 +%global updatever 1 %global patchver 0 # If you bump featurever, you must also bump vendor_version_string # Used via new version scheme. JDK 17 was @@ -284,10 +284,15 @@ # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place %global buildjdkver 17 -# We don't add any LTS designator for STS packages (this package). -# Neither for Fedora nor EPEL which would have %%{rhel} macro defined. +# We don't add any LTS designator for STS packages (Fedora and EPEL). +# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. +%if 0%{?rhel} && !0%{?epel} + %global lts_designator "LTS" + %global lts_designator_zip -%{lts_designator} +%else %global lts_designator "" %global lts_designator_zip "" +%endif # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 3.15.0 @@ -297,8 +302,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 35 -%global rpmrelease 4 +%global buildver 12 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1108,8 +1113,7 @@ URL: http://openjdk.java.net/ # to regenerate source0 (jdk) run update_package.sh # update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives -Source0: openjdk-jdk%{featurever}-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz -#Source0: openjdk-jdk%{featurever}-jdk-%{filever}+%{buildver}.tar.xz +Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (3.x). @@ -1193,8 +1197,6 @@ Patch1012: rh1996182-extend_security_policy.patch # OpenJDK patches appearing in 17.0.1 # ############################################# -# JDK-8272332, RH2004078: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 -Patch100: jdk8272332-rh2004078-broken_harfbuzz_linking.patch BuildRequires: autoconf BuildRequires: automake @@ -1541,7 +1543,6 @@ pushd %{top_level_dir_name} %patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch100 -p1 popd # openjdk %patch1000 @@ -2271,6 +2272,23 @@ require "copy_jdk_configs.lua" %endif %changelog +* Thu Oct 28 2021 Andrew Hughes - 1:17.0.1.0.12-2 +- Extend LTS check to exclude EPEL. +- Related: rhbz#2013841 + +* Thu Oct 28 2021 Severin Gehwolf - 1:17.0.1.0.12-2 +- Set LTS designator. +- Related: rhbz#2013841 + +* Tue Oct 26 2021 Andrew Hughes - 1:17.0.1.0.12-1 +- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1 +- Resolves: rhbz#2013841 + +* Wed Oct 20 2021 Petra Alice Mikova - 1:17.0.1.0.12-1 +- October CPU update to jdk 17.0.1+12 +- Dropped commented-out source line +- Resolves: rhbz#2013841 + * Mon Sep 27 2021 Andrew Hughes - 1:17.0.0.0.35-4 - Bump release to avoid conflict with RHEL 8.6. - Resolves: rhbz#1994084