Update to shenandoah-jdk8u352-b08 (GA)

Update release notes for shenandoah-8u352-b08.
Fix broken links and missing release notes in older releases.
Drop RH1163501 patch which is not upstream or in 11, 17 & 19 packages and seems obsolete
 - Patch was broken by inclusion of "JDK-8293554: Enhanced DH Key Exchanges"
 - Patch was added for a specific corner case of a 4096-bit DH key on a Fedora host that no longer exists
 - Fedora now appears to be using RSA and the JDK now supports ECC in preference to large DH keys

Resolves: rhbz#2160111

.gitignore

@@ -262,3 +262,4 @@
 /openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b08-4curve.tar.xz
 /openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b01-4curve.tar.xz
 /openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b07-4curve.tar.xz
+/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz

NEWS

@@ -9,6 +9,20 @@ Live versions of these release notes can be found at:
   * https://bit.ly/openjdk8u362
   * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u362.html
 
+* CVEs
+  - CVE-2023-21830
+  - CVE-2023-21843
+* Security fixes
+  - JDK-8285021: Improve CORBA communication
+  - JDK-8286496: Improve Thread labels
+  - JDK-8288516: Enhance font creation
+  - JDK-8289350: Better media supports
+  - JDK-8293554: Enhanced DH Key Exchanges
+  - JDK-8293598: Enhance InetAddress address handling
+  - JDK-8293717: Objective view of ObjectView
+  - JDK-8293734: Improve BMP image handling
+  - JDK-8293742: Better Banking of Sounds
+  - JDK-8295687: Better BMP bounds
 * Other changes
   - JDK-6885993: Named Thread: introduce print() and print_on(outputStream* st) methods
   - JDK-7124218: [TEST_BUG] [macosx] Space should select cell in the JTable
@@ -40,33 +54,60 @@ Live versions of these release notes can be found at:
   - JDK-8274840: Update OS detection code to recognize Windows 11
   - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
   - JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR
+  - JDK-8283277: ISO 4217 Amendment 171 Update
   - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode
   - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
   - JDK-8284622: Update versions of some Github Actions used in JDK workflow
   - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled
   - JDK-8288928: Incorrect GPL header in pnglibconf.h (backport of JDK-8185041)
+  - JDK-8289549: ISO 4217 Amendment 172 Update
   - JDK-8292762: Remove .jcheck directories from jdk8u subcomponents
   - JDK-8293181: Bump update version of OpenJDK: 8u362
   - JDK-8293461: Add a test for JDK-8290832
   - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening
+  - JDK-8294307: ISO 4217 Amendment 173 Update
   - JDK-8294357: (tz) Update Timezone Data to 2022d
   - JDK-8294863: Enable partial tier1 testing in GHA for JDK8
   - JDK-8295164: JDK 8 jdi tests should not use tasklist command on Windows
   - JDK-8295173: (tz) Update Timezone Data to 2022e
   - JDK-8295288: Some vm_flags tests associate with a wrong BugID
   - JDK-8295714: GHA ::set-output is deprecated and will be removed
+  - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error
   - JDK-8295915: Problemlist compiler/rtm failures specific to 8u
   - JDK-8295950: Enable langtools/tier1 in GHA for 8u
   - JDK-8296108: (tz) Update Timezone Data to 2022f
+  - JDK-8296239: ISO 4217 Amendment 174 Update
   - JDK-8296555: Enable hotspot/tier1 for 64-bit builds in GHA for 8u
   - JDK-8296715: CLDR v42 update for tzdata 2022f
   - JDK-8296959: Fix hotspot shell tests of 8u on multilib systems
   - JDK-8297141: Fix hotspot/test/runtime/SharedArchiveFile/DefaultUseWithClient.java for 8u
   - JDK-8297804: (tz) Update Timezone Data to 2022g
+  - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
+  - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java
 
 Notes on individual issues:
 ===========================
 
+client-libs/javax.imageio:
+
+JDK-8295687: Better BMP bounds
+==============================
+Loading a linked ICC profile within a BMP image is now disabled by
+default. To re-enable it, set the new system property
+`sun.imageio.bmp.enabledLinkedProfiles` to `true`.  This new property
+replaces the old property,
+`sun.imageio.plugins.bmp.disableLinkedProfiles`.
+
+client-libs/javax.sound:
+
+JDK-8293742: Better Banking of Sounds
+=====================================
+Previously, the SoundbankReader implementation,
+`com.sun.media.sound.JARSoundbankReader`, would download a JAR
+soundbank from a URL.  This behaviour is now disabled by default. To
+re-enable it, set the new system property `jdk.sound.jarsoundbank` to
+`true`.
+
 hotspot/runtime:
 
 JDK-8274840: Release Now Recognises Windows 11
@@ -74,6 +115,15 @@ JDK-8274840: Release Now Recognises Windows 11
 This release now correctly sets the `os.name` property to `Windows
 11`, as would be expected.
 
+other-libs/corba:idl:
+
+JDK-8285021: Improve CORBA communication
+========================================
+The JDK's CORBA implementation now refuses by default to deserialize
+objects, unless they have the "IOR:" prefix.  The previous behaviour
+can be re-enabled by setting the new property
+`com.sun.CORBA.ORBAllowDeserializeObject` to `true`.
+
 security-libs/java.security:
 
 JDK-8269039: Disabled SHA-1 Signed JARs
@@ -241,6 +291,19 @@ the current count of established connections and, if the configured
 limit has been reached, then the newly accepted connection will be
 closed immediately.
 
+core-libs/java.net:
+
+JDK-8286918: Better HttpServer service
+======================================
+The HttpServer can be optionally configured with a maximum connection
+limit by setting the jdk.httpserver.maxConnections system property. A
+value of 0 or a negative integer is ignored and considered to
+represent no connection limit. In the case of a positive integer
+value, any newly accepted connections will be first checked against
+the current count of established connections and, if the configured
+limit has been reached, then the newly accepted connection will be
+closed immediately.
+
 security-libs/javax.net.ssl:
 
 JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
@@ -322,7 +385,7 @@ versions of OpenJDK 8.  As a result, we have reverted this change in
 New in release OpenJDK 8u342 (2022-07-19):
 ===========================================
 Live versions of these release notes can be found at:
-  * https://bitly.com/openjdk8u342
+  * https://bit.ly/openjdk8u342
   * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u342.txt
 
 * Security fixes
@@ -502,7 +565,7 @@ Live versions of these release notes can be found at:
 New in release OpenJDK 8u322 (2022-01-18):
 ===========================================
 Live versions of these release notes can be found at:
-  * https://bitly.com/openjdk8u322
+  * https://bit.ly/openjdk8u322
   * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u322.txt
 
 * Security fixes

java-1.8.0-openjdk.spec

@@ -331,7 +331,7 @@
 # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
 %global shenandoah_project      openjdk
 %global shenandoah_repo         shenandoah-jdk8u
-%global openjdk_revision        jdk8u362-b07
+%global openjdk_revision        jdk8u362-b08
 %global shenandoah_revision     shenandoah-%{openjdk_revision}
 # Define old aarch64/jdk8u tree variables for compatibility
 %global project         %{shenandoah_project}
@@ -352,7 +352,7 @@
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
 # - N%%{?extraver}{?dist} for GA releases
-%global is_ga           0
+%global is_ga           1
 %if %{is_ga}
 %global milestone          fcs
 %global milestone_version  %{nil}
@@ -1472,8 +1472,6 @@ Patch1001: fips-8u-%{fipsver}.patch
 #############################################
 # PR2737: Allow multiple initialization of PKCS11 libraries
 Patch5: pr2737-allow_multiple_pkcs11_library_initialisation_to_be_a_non_critical_error.patch
-# PR2095, RH1163501: 2048-bit DH upper bound too small for Fedora infrastructure (sync with IcedTea 2.x)
-Patch504: rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch
 # Turn off strict overflow on IndicRearrangementProcessor{,2}.cpp following 8140543: Arrange font actions
 Patch512: rh1649664-awt2dlibraries_compiled_with_no_strict_overflow.patch
 # RH1337583, PR2974: PKCS#10 certificate requests now use CRLF line endings rather than system line endings
@@ -1923,7 +1921,6 @@ sh %{SOURCE12}
 
 # Upstreamable fixes
 %patch502
-%patch504
 %patch512
 %patch523
 %patch528
@@ -2720,6 +2717,16 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Fri Jan 13 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.362.b08-3
+- Update to shenandoah-jdk8u352-b08 (GA)
+- Update release notes for shenandoah-8u352-b08.
+- Fix broken links and missing release notes in older releases.
+- Drop RH1163501 patch which is not upstream or in 11, 17 & 19 packages and seems obsolete
+  - Patch was broken by inclusion of "JDK-8293554: Enhanced DH Key Exchanges"
+  - Patch was added for a specific corner case of a 4096-bit DH key on a Fedora host that no longer exists
+  - Fedora now appears to be using RSA and the JDK now supports ECC in preference to large DH keys
+- Resolves: rhbz#2160111
+
 * Wed Jan 11 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.362.b07-0.3.ea
 - Update to shenandoah-jdk8u362-b07 (EA)
 - Update release notes for shenandoah-8u362-b07.

rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch

@@ -1,66 +0,0 @@
-diff --git a/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java b/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
---- openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
-+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
-@@ -1,5 +1,6 @@
- /*
-  * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2014 Red Hat Inc.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -61,13 +62,13 @@
- 
-     private static void checkKeySize(int keysize)
-             throws InvalidParameterException {
--        boolean supported = ((keysize == 2048) || (keysize == 3072) ||
-+        boolean supported = ((keysize == 2048) || (keysize == 3072) || (keysize == 4096) ||
-             ((keysize >= 512) && (keysize <= 1024) && ((keysize & 0x3F) == 0)));
- 
-         if (!supported) {
-             throw new InvalidParameterException(
-                     "DH key size must be multiple of 64 and range " +
--                    "from 512 to 1024 (inclusive), or 2048, 3072. " +
-+                    "from 512 to 1024 (inclusive), or 2048, 3072, 4096. " +
-                     "The specific key size " + keysize + " is not supported");
-         }
-     }
-diff --git a/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java b/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
---- openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
-+++ openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
-@@ -1,5 +1,6 @@
- /*
-  * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2014 Red Hat Inc.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -58,7 +59,7 @@
-      */
-     private enum Sizes {
-         two56(256), three84(384), five12(512), seven68(768), ten24(1024),
--        twenty48(2048);
-+        twenty48(2048), forty96(4096);
- 
-         private final int intSize;
-         private final BigInteger bigIntValue;
-@@ -130,6 +131,19 @@
-         kp = kpg.generateKeyPair();
-         checkKeyPair(kp, Sizes.twenty48, Sizes.five12);
- 
-+        kpg.initialize(Sizes.forty96.getIntSize());
-+        kp = kpg.generateKeyPair();
-+        checkKeyPair(kp, Sizes.forty96, Sizes.twenty48);
-+
-+        publicKey = (DHPublicKey)kp.getPublic();
-+        p = publicKey.getParams().getP();
-+        g = publicKey.getParams().getG();
-+
-+        // test w/ all values specified
-+        kpg.initialize(new DHParameterSpec(p, g, Sizes.ten24.getIntSize()));
-+        kp = kpg.generateKeyPair();
-+        checkKeyPair(kp, Sizes.forty96, Sizes.ten24);
-+
-         System.out.println("OK");
-     }
- 
-

sources

@@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671
-SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b07-4curve.tar.xz) = bfe0f85c713cf9f6eaf0dff09332dc0273f1192918c81fd99c327d4d510f1ac0a51ac290150eaf2bd362e5afcb1f25c275ddd3e35996067b3eb59fe769ae384e
+SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz) = e112367213834e0653218a099c8a75558b794702591407170e742a3df6bd5b0780cbf87b85e2a125a50d613ae00501d7ee5bd1708d03a75bca615ef83fc8239b