From 1490a51257aa1bd372c12e01afb4ed8b2f4f71bc Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 26 Jan 2026 19:19:14 +0000 Subject: [PATCH] Portable build --- .gitignore | 2 +- .java-1.8.0-openjdk.metadata | 2 +- SOURCES/NEWS | 86 ++++ SOURCES/fips-8u-6d1aade0648.patch | 219 --------- SOURCES/java-1.8.0-openjdk-portable.specfile | 53 ++- .../jdk8141590-bundle_libffi-followup.patch | 26 -- SOURCES/jdk8141590-bundle_libffi.patch | 430 ------------------ SOURCES/nss.fips.cfg.in | 2 +- 8 files changed, 130 insertions(+), 690 deletions(-) diff --git a/.gitignore b/.gitignore index 9ded250..ddba224 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/shenandoah8u472-b08.tar.xz +SOURCES/shenandoah8u482-b08.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index 848e9e1..67e6680 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -49b36394ecd6c900aff812c4bff4ad132b613f3c SOURCES/shenandoah8u472-b08.tar.xz +13abceddc732a35f2dbe547d15bb19b8aa1ab677 SOURCES/shenandoah8u482-b08.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 03a3b86..d43651e 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,92 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u482 (2026-01-20): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk8u482 + +* Changes + - JDK-8154043: Fields not reachable anymore by tab-key, because of new tabbing behaviour of radio button groups. + - JDK-8182577: Exception when Tab key moves focus to a JCheckbox with a custom ButtonModel + - JDK-8193017: Import freetype sources into OpenJDK source tree + - JDK-8211804: Constant AO_UNUSED_MBZ uses left shift of negative value + - JDK-8212155: Race condition when posting dynamic_code_generated event leads to JVM crash + - JDK-8212678: Windows IME related patch + - JDK-8219006: AArch64: Register corruption in slow subtype check + - JDK-8222362: Upgrade to Freetype 2.10.0 + - JDK-8227324: Upgrade to freetype 2.10.1 + - JDK-8247867: Upgrade to freetype 2.10.2 + - JDK-8258805: Japanese characters not entered by mouse click on Windows 10 + - JDK-8261170: Upgrade to FreeType 2.10.4 + - JDK-8265429: Improve GCM encryption + - JDK-8269668: [aarch64] java.library.path not including /usr/lib64 + - JDK-8285686: Update FreeType to 2.12.0 + - JDK-8290334: Update FreeType to 2.12.1 + - JDK-8293672: Update freetype md file + - JDK-8297088: Update LCMS to 2.14 + - JDK-8298974: Add ftcolor.c to imported freetype sources + - JDK-8305072: Win32ShellFolder2.compareTo is inconsistent + - JDK-8306881: Update FreeType to 2.13.0 + - JDK-8316028: Update FreeType to 2.13.2 + - JDK-8316030: Update Libpng to 1.6.40 + - JDK-8317970: Bump target macosx-x64 version to 11.00.00 + - JDK-8329004: Update Libpng to 1.6.43 + - JDK-8339280: jarsigner -verify performs cross-checking between CEN and LOC + - JDK-8341496: Improve JMX connections + - JDK-8345358: Some DLL Files are missing Windows Properties + - JDK-8348596: Update FreeType to 2.13.3 + - JDK-8348598: Update Libpng to 1.6.47 + - JDK-8353299: VerifyJarEntryName.java test fails + - JDK-8354941: Build failure with glibc 2.42 due to uabs() name collision + - JDK-8359501: Enhance Handling of URIs + - JDK-8362208: [8u] Buffer overflow in g1GCPhaseTimes.cpp::LineBuffer::_buffer + - JDK-8362308: Enhance Bitmap operations + - JDK-8362632: Improve HttpServer Request handling + - JDK-8364214: Enhance polygon data support + - JDK-8364597: Replace THL A29 Limited with Tencent + - JDK-8364660: ClassVerifier::ends_in_athrow() should be removed + - JDK-8365058: Enhance CopyOnWriteArraySet + - JDK-8365271: Improve Swing supports + - JDK-8366574: Bump update version of OpenJDK: 8u482 + - JDK-8367115: [8u] Problem list CAInterop.java#actalisauthenticationrootca test + - JDK-8367257: [8u] Problem list CAInterop.java#entrustrootcag4 test + - JDK-8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName + - JDK-8368032: Enhance Certificate Checking + - JDK-8371334: [8u] GHA: installation of VS2010 hangs + - JDK-8371352: [8u] Fix VS2010 build issue in check_code.c + - JDK-8371387: [8u] hotspot needs to recognise latest VS2022 + - JDK-8372534: Update Libpng to 1.6.51 + +Notes on individual issues: +=========================== + +core-svc/javax.management: + +JDK-8341496: Improve JMX connections +==================================== +With this release of OpenJDK, SSL connections created by +`javax.rmi.ssl.SslRMIClientSocketFactory` now enable HTTPS-based +endpoint identification by default. This can be disabled by setting +the new system property +`jdk.rmi.ssl.client.enableEndpointIdentification` to false. + +security-libs/java.security: + +JDK-8368032: Enhance Certificate Checking +========================================= +OpenJDK supports the authorityInfoAccess extension in X.509 +certificates when the `com.sun.security.enableAIAcaIssuers` system +property is set to `true`. With this release of OpenJDK, a security +and system property `com.sun.security.allowedAIALocations` is +introduced which acts as a filter on the URIs specified in the +extension. By default, the property is empty, which will cause all +URIs to be denied when the extension is enabled. A value of `any` may +be used to allow all URIs or a whitespace-separated list of filters +may be used for more fine-grained control. The syntax of the filters +is specified in the `java.security` file. A non-empty value for the +system property takes precedence over the security property. + New in release OpenJDK 8u472 (2025-10-21): =========================================== Live versions of these release notes can be found at: diff --git a/SOURCES/fips-8u-6d1aade0648.patch b/SOURCES/fips-8u-6d1aade0648.patch index a775969..26ec233 100644 --- a/SOURCES/fips-8u-6d1aade0648.patch +++ b/SOURCES/fips-8u-6d1aade0648.patch @@ -10,225 +10,6 @@ index 151e5a109f..a8761b500e 100644 LIB_SETUP_STATIC_LINK_LIBSTDCPP LIB_SETUP_ON_WINDOWS -diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh -index c6144b1968..9ac55d20d3 100644 ---- a/common/autoconf/generated-configure.sh -+++ b/common/autoconf/generated-configure.sh -@@ -655,6 +655,9 @@ ENABLE_LIBFFI_BUNDLING - LIBFFI_LIBS - LIBFFI_CFLAGS - STATIC_CXX_SETTING -+USE_SYSCONF_NSS -+NSS_LIBS -+NSS_CFLAGS - LIBDL - LIBM - LIBZIP_CAN_USE_MMAP -@@ -1119,6 +1122,7 @@ with_fontconfig - with_fontconfig_include - with_giflib - with_zlib -+enable_sysconf_nss - with_stdc__lib - with_libffi - with_libffi_include -@@ -1232,6 +1236,8 @@ FREETYPE_CFLAGS - FREETYPE_LIBS - ALSA_CFLAGS - ALSA_LIBS -+NSS_CFLAGS -+NSS_LIBS - LIBFFI_CFLAGS - LIBFFI_LIBS - CCACHE' -@@ -1874,6 +1880,8 @@ Optional Features: - disable bundling of the freetype library with the - build result [enabled on Windows or when using - --with-freetype, disabled otherwise] -+ --enable-sysconf-nss build the System Configurator (libsysconf) using the -+ system NSS library if available [disabled] - --enable-libffi-bundling - enable bundling of libffi.so to make the built JDK - runnable on more systems -@@ -2129,6 +2137,8 @@ Some influential environment variables: - linker flags for FREETYPE, overriding pkg-config - ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config - ALSA_LIBS linker flags for ALSA, overriding pkg-config -+ NSS_CFLAGS C compiler flags for NSS, overriding pkg-config -+ NSS_LIBS linker flags for NSS, overriding pkg-config - LIBFFI_CFLAGS - C compiler flags for LIBFFI, overriding pkg-config - LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config -@@ -4109,6 +4119,11 @@ fi - - - -+################################################################################ -+# Setup system configuration libraries -+################################################################################ -+ -+ - # - # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. - # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -@@ -50141,6 +50156,157 @@ fi - LIBS="$save_LIBS" - - -+ ############################################################################### -+ # -+ # Check for the NSS library -+ # -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5 -+$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; } -+ -+ # default is not available -+ DEFAULT_SYSCONF_NSS=no -+ -+ # Check whether --enable-sysconf-nss was given. -+if test "${enable_sysconf_nss+set}" = set; then : -+ enableval=$enable_sysconf_nss; -+ case "${enableval}" in -+ yes) -+ sysconf_nss=yes -+ ;; -+ *) -+ sysconf_nss=no -+ ;; -+ esac -+ -+else -+ -+ sysconf_nss=${DEFAULT_SYSCONF_NSS} -+ -+fi -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5 -+$as_echo "$sysconf_nss" >&6; } -+ -+ USE_SYSCONF_NSS=false -+ if test "x${sysconf_nss}" = "xyes"; then -+ -+pkg_failed=no -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5 -+$as_echo_n "checking for NSS... " >&6; } -+ -+if test -n "$NSS_CFLAGS"; then -+ pkg_cv_NSS_CFLAGS="$NSS_CFLAGS" -+ elif test -n "$PKG_CONFIG"; then -+ if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 -+ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; then -+ pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null` -+else -+ pkg_failed=yes -+fi -+ else -+ pkg_failed=untried -+fi -+if test -n "$NSS_LIBS"; then -+ pkg_cv_NSS_LIBS="$NSS_LIBS" -+ elif test -n "$PKG_CONFIG"; then -+ if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 -+ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; then -+ pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null` -+else -+ pkg_failed=yes -+fi -+ else -+ pkg_failed=untried -+fi -+ -+ -+ -+if test $pkg_failed = yes; then -+ -+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then -+ _pkg_short_errors_supported=yes -+else -+ _pkg_short_errors_supported=no -+fi -+ if test $_pkg_short_errors_supported = yes; then -+ NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1` -+ else -+ NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1` -+ fi -+ # Put the nasty error message in config.log where it belongs -+ echo "$NSS_PKG_ERRORS" >&5 -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ NSS_FOUND=no -+elif test $pkg_failed = untried; then -+ NSS_FOUND=no -+else -+ NSS_CFLAGS=$pkg_cv_NSS_CFLAGS -+ NSS_LIBS=$pkg_cv_NSS_LIBS -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+ NSS_FOUND=yes -+fi -+ if test "x${NSS_FOUND}" = "xyes"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5 -+$as_echo_n "checking for system FIPS support in NSS... " >&6; } -+ saved_libs="${LIBS}" -+ saved_cflags="${CFLAGS}" -+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" -+ LIBS="${LIBS} ${NSS_LIBS}" -+ ac_ext=c -+ac_cpp='$CPP $CPPFLAGS' -+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_c_compiler_gnu -+ -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+int -+main (void) -+{ -+SECMOD_GetSystemFIPSEnabled() -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then : -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5 -+fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+ ac_ext=cpp -+ac_cpp='$CXXCPP $CPPFLAGS' -+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu -+ -+ CFLAGS="${saved_cflags}" -+ LIBS="${saved_libs}" -+ USE_SYSCONF_NSS=true -+ else -+ as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5 -+ fi -+ fi -+ -+ -+ - ############################################################################### - # - # statically link libstdc++ before C++ ABI is stablized on Linux unless diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4 index 4ed8b4fdd6..caf293be72 100644 --- a/common/autoconf/libraries.m4 diff --git a/SOURCES/java-1.8.0-openjdk-portable.specfile b/SOURCES/java-1.8.0-openjdk-portable.specfile index d9c64bb..d318b5c 100644 --- a/SOURCES/java-1.8.0-openjdk-portable.specfile +++ b/SOURCES/java-1.8.0-openjdk-portable.specfile @@ -37,10 +37,12 @@ %global system_libs 1 %global link_type system %global jpeg_lib |libjavajpeg[.]so.* +%global freetype_lib %{nil} %else %global system_libs 0 %global link_type bundled %global jpeg_lib |libjpeg[.]so.* +%global freetype_lib |libfreetype[.]so.* %endif # Turn off the debug package as we just produce a bunch of tarballs @@ -269,7 +271,7 @@ # Define version of OpenJDK 8 used %global project openjdk %global repo shenandoah-jdk8u -%global openjdk_revision 8u472-b08 +%global openjdk_revision 8u482-b08 %global shenandoah_revision shenandoah%{openjdk_revision} # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 3.15.0 @@ -367,7 +369,7 @@ # as to why some libraries *cannot* be excluded. In particular, # these are: # libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so -%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*%{jpeg_lib}|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.* +%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*%{freetype_lib}|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*%{jpeg_lib}|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.* %global __provides_exclude ^(%{_privatelibs})$ %global __requires_exclude ^(%{_privatelibs})$ @@ -654,7 +656,6 @@ BuildRequires: desktop-file-utils BuildRequires: elfutils-devel BuildRequires: file BuildRequires: fontconfig-devel -BuildRequires: freetype-devel # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 BuildRequires: gcc-c++ @@ -688,20 +689,23 @@ BuildRequires: systemtap-sdt-devel %endif %if %{system_libs} +BuildRequires: freetype-devel BuildRequires: giflib-devel BuildRequires: lcms2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel BuildRequires: zlib-devel %else +# Version in jdk/src/share/native/sun/awt/libfreetype/include/freetype/freetype.h +Provides: bundled(freetype) = 2.13.3 # Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h Provides: bundled(giflib) = 5.2.2 # Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h -Provides: bundled(lcms2) = 2.11.0 +Provides: bundled(lcms2) = 2.14.0 # Version in jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h Provides: bundled(libjpeg) = 6b # Version in jdk/src/share/native/sun/awt/libpng/png.h -Provides: bundled(libpng) = 1.6.39 +Provides: bundled(libpng) = 1.6.51 # Version in jdk/src/share/native/java/util/zip/zlib/zlib.h Provides: bundled(zlib) = 1.3.1 # We link statically against libstdc++ to increase portability @@ -935,9 +939,13 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg # Setup security policy -#Commented because NA to portable +# Commented because N/A to portable #sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file} +(cd %{top_level_dir_name}/common/autoconf + bash ./autogen.sh +) + %build # How many CPU's do we have? @@ -970,10 +978,6 @@ EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" export EXTRA_CFLAGS EXTRA_ASFLAGS -(cd %{top_level_dir_name}/common/autoconf - bash ./autogen.sh -) - function buildjdk() { local outputdir=${1} local buildjdk=${2} @@ -1016,7 +1020,6 @@ function buildjdk() { --enable-libffi-bundling \ %endif --with-cacerts-file=`readlink -f %{_sysconfdir}/pki/java/cacerts` \ - --with-native-debug-symbols=${debug_symbols} \ --with-milestone=%{milestone} \ --with-update-version=%{updatever} \ --with-build-number=%{buildver} \ @@ -1026,10 +1029,12 @@ function buildjdk() { --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ + --with-native-debug-symbols=${debug_symbols} \ --disable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=${link_opt} \ --with-giflib=${link_opt} \ + --with-freetype=${link_opt} \ %if %{with system_libs} --with-libjpeg=${link_opt} \ --with-libpng=${link_opt} \ @@ -1331,6 +1336,13 @@ export JAVA_HOME=$(pwd)/%{installoutputdir -- $suffix}/images/%{jdkimage} $JAVA_HOME/bin/javac -d . %{SOURCE18} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE + # Check blacklisted.certs is valid (OPENJDK-4362) + jtreg_test=$(pwd)/%{top_level_dir_name}/jdk/test/lib/security/CheckBlacklistedCerts.java + jtreg_class=$(basename ${jtreg_test} | sed "s|\.java||") + jtreg_dir=$(dirname ${jtreg_test}) + $JAVA_HOME/bin/javac -d . ${jtreg_test} + $JAVA_HOME/bin/java -Dtest.src=${jtreg_dir} ${jtreg_class} + # Check src.zip has all sources. See RHBZ#1130490 unzip -l $JAVA_HOME/src.zip | grep 'sun.misc.Unsafe' @@ -1551,9 +1563,26 @@ done %endif %changelog -* Tue Oct 28 2025 eabdullin - 1:1.8.0.472.b08-1 +* Mon Jan 26 2026 eabdullin - 1:1.8.0.482.b08-1 - Portable build +* Mon Jan 19 2026 Andrew Hughes - 1:1.8.0.482.b08-1 +- Update to 8u482-b08 (GA). +- Update release notes for 8u482-b08. +- Remove generated-configure.sh changes from JDK-8141590 & FIPS patch as we already autogenerate this +- Turn on system FreeType as on later JDK versions and add to _privatelibs +- Set bundled FreeType version to 2.13.2 following JDK-8316028 +- Bump LCMS 2 version to 2.14.0 following JDK-8297088 +- Bump libpng version to 1.6.51 following JDK-8372534 +- Add test to ensure blocked.certs is valid (OPENJDK-4362) +- Handle 'upgrade' as an alternative to 'update' in openjdk_news.sh +- ** This tarball is embargoed until 2026-01-20 @ 1pm PT. ** +- Resolves: OPENJDK-4348 +- Resolves: OPENJDK-4265 +- Resolves: OPENJDK-4272 +- Resolves: OPENJDK-4385 +- Resolves: OPENJDK-4394 + * Thu Oct 16 2025 Andrew Hughes - 1:1.8.0.472.b08-1 - Update to 8u472-b08 (GA). - Update release notes for 8u472-b08. diff --git a/SOURCES/jdk8141590-bundle_libffi-followup.patch b/SOURCES/jdk8141590-bundle_libffi-followup.patch index 73b09ab..1cffa3a 100644 --- a/SOURCES/jdk8141590-bundle_libffi-followup.patch +++ b/SOURCES/jdk8141590-bundle_libffi-followup.patch @@ -6,32 +6,6 @@ CommitDate: Thu Jan 16 22:50:24 2025 +0000 Search /usr/lib64 on architectures other than x86_64 -diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh -index 587b4c2657..5aeebe49a3 100644 ---- a/common/autoconf/generated-configure.sh -+++ b/common/autoconf/generated-configure.sh -@@ -4493,7 +4493,7 @@ VS_TOOLSET_SUPPORTED_2022=true - #CUSTOM_AUTOCONF_INCLUDE - - # Do not change or remove the following line, it is needed for consistency checks: --DATE_WHEN_GENERATED=1737049912 -+DATE_WHEN_GENERATED=1737067804 - - ############################################################################### - # -@@ -50590,9 +50590,11 @@ $as_echo_n "checking for libffi lib file location... " >&6; } - as_fn_error $? "Could not locate libffi.so.? for bundling" "$LINENO" 5 - fi - else -- # Fallback on the default /usr/lib dir -+ # Fallback on the default /usr/lib and /usr/lib64 dirs - if test -e ${SYSROOT}/usr/lib/libffi.so.? ; then - LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/libffi.so.?" -+ elif test -e ${SYSROOT}/usr/lib64/libffi.so.? ; then -+ LIBFFI_LIB_FILE="${SYSROOT}/usr/lib64/libffi.so.?" - else - as_fn_error $? "Could not locate libffi.so.? for bundling" "$LINENO" 5 - fi diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4 index 4ed8b4fdd6..6ab6dbc075 100644 --- a/common/autoconf/libraries.m4 diff --git a/SOURCES/jdk8141590-bundle_libffi.patch b/SOURCES/jdk8141590-bundle_libffi.patch index a200be7..eec0d19 100644 --- a/SOURCES/jdk8141590-bundle_libffi.patch +++ b/SOURCES/jdk8141590-bundle_libffi.patch @@ -1,433 +1,3 @@ -diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh -index ad3f7f232e..587b4c2657 100644 ---- a/common/autoconf/generated-configure.sh -+++ b/common/autoconf/generated-configure.sh -@@ -649,6 +649,9 @@ LLVM_LIBS - LLVM_LDFLAGS - LLVM_CFLAGS - LLVM_CONFIG -+LIBFFI_LIB_FILE -+LIBFFI_LIB_DIR -+ENABLE_LIBFFI_BUNDLING - LIBFFI_LIBS - LIBFFI_CFLAGS - STATIC_CXX_SETTING -@@ -1117,6 +1120,10 @@ with_fontconfig_include - with_giflib - with_zlib - with_stdc__lib -+with_libffi -+with_libffi_include -+with_libffi_lib -+enable_libffi_bundling - with_msvcr_dll - with_msvcp_dll - with_vcruntime_1_dll -@@ -1867,6 +1874,9 @@ Optional Features: - disable bundling of the freetype library with the - build result [enabled on Windows or when using - --with-freetype, disabled otherwise] -+ --enable-libffi-bundling -+ enable bundling of libffi.so to make the built JDK -+ runnable on more systems - --enable-sjavac use sjavac to do fast incremental compiles - [disabled] - --disable-precompiled-headers -@@ -1996,6 +2006,11 @@ Optional Packages: - force linking of the C++ runtime on Linux to either - static or dynamic, default is static with dynamic as - fallback -+ --with-libffi specify prefix directory for the libffi package -+ (expecting the libraries under PATH/lib and the -+ headers under PATH/include) -+ --with-libffi-include specify directory for the libffi include files -+ --with-libffi-lib specify directory for the libffi library - --with-msvcr-dll path to microsoft C runtime dll (msvcr*.dll) - (Windows only) [probed] - --with-msvcp-dll path to microsoft C++ runtime dll (msvcp*.dll) -@@ -2878,6 +2893,52 @@ $as_echo "$ac_res" >&6; } - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - - } # ac_fn_c_check_header_compile -+ -+# ac_fn_c_try_link LINENO -+# ----------------------- -+# Try to link conftest.$ac_ext, and return whether this succeeded. -+ac_fn_c_try_link () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ rm -f conftest.$ac_objext conftest$ac_exeext -+ if { { ac_try="$ac_link" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_link") 2>conftest.err -+ ac_status=$? -+ if test -s conftest.err; then -+ grep -v '^ *+' conftest.err >conftest.er1 -+ cat conftest.er1 >&5 -+ mv -f conftest.er1 conftest.err -+ fi -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } && { -+ test -z "$ac_c_werror_flag" || -+ test ! -s conftest.err -+ } && test -s conftest$ac_exeext && { -+ test "$cross_compiling" = yes || -+ test -x conftest$ac_exeext -+ }; then : -+ ac_retval=0 -+else -+ $as_echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+ ac_retval=1 -+fi -+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information -+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would -+ # interfere with the next link command; also delete a directory that is -+ # left behind by Apple's compiler. We do this before executing the actions. -+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo -+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno -+ as_fn_set_status $ac_retval -+ -+} # ac_fn_c_try_link - cat >config.log <<_ACEOF - This file contains any messages produced by compilers while - running configure, to aid debugging if configure makes a mistake. -@@ -4432,7 +4493,7 @@ VS_TOOLSET_SUPPORTED_2022=true - #CUSTOM_AUTOCONF_INCLUDE - - # Do not change or remove the following line, it is needed for consistency checks: --DATE_WHEN_GENERATED=1716396030 -+DATE_WHEN_GENERATED=1737049912 - - ############################################################################### - # -@@ -50215,8 +50276,70 @@ $as_echo "static" >&6; } - fi - - -+ -+# Check whether --with-libffi was given. -+if test "${with_libffi+set}" = set; then : -+ withval=$with_libffi; -+fi -+ -+ -+# Check whether --with-libffi-include was given. -+if test "${with_libffi_include+set}" = set; then : -+ withval=$with_libffi_include; -+fi -+ -+ -+# Check whether --with-libffi-lib was given. -+if test "${with_libffi_lib+set}" = set; then : -+ withval=$with_libffi_lib; -+fi -+ -+ # Check whether --enable-libffi-bundling was given. -+if test "${enable_libffi_bundling+set}" = set; then : -+ enableval=$enable_libffi_bundling; -+fi -+ -+ -+ # Check if ffi is needed - if test "x$JVM_VARIANT_ZERO" = xtrue || test "x$JVM_VARIANT_ZEROSHARK" = xtrue; then -- # Figure out LIBFFI_CFLAGS and LIBFFI_LIBS -+ NEEDS_LIB_FFI=true -+ else -+ NEEDS_LIB_FFI=false -+ fi -+ -+ if test "x$NEEDS_LIB_FFI" = xfalse; then -+ if test "x${with_libffi}" != x || test "x${with_libffi_include}" != x || test "x${with_libffi_lib}" != x; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: libffi not used, so --with-libffi is ignored" >&5 -+$as_echo "$as_me: WARNING: libffi not used, so --with-libffi is ignored" >&2;} -+ fi -+ LIBFFI_CFLAGS= -+ LIBFFI_LIBS= -+ else -+ LIBFFI_FOUND=no -+ -+ if test "x${with_libffi}" = xno || test "x${with_libffi_include}" = xno || test "x${with_libffi_lib}" = xno; then -+ as_fn_error $? "It is not possible to disable the use of libffi. Remove the --without-libffi option." "$LINENO" 5 -+ fi -+ -+ if test "x${with_libffi}" != x; then -+ LIBFFI_LIB_PATH="${with_libffi}/lib" -+ LIBFFI_LIBS="-L${with_libffi}/lib -lffi" -+ LIBFFI_CFLAGS="-I${with_libffi}/include" -+ LIBFFI_FOUND=yes -+ fi -+ if test "x${with_libffi_include}" != x; then -+ LIBFFI_CFLAGS="-I${with_libffi_include}" -+ LIBFFI_FOUND=yes -+ fi -+ if test "x${with_libffi_lib}" != x; then -+ LIBFFI_LIB_PATH="${with_libffi_lib}" -+ LIBFFI_LIBS="-L${with_libffi_lib} -lffi" -+ LIBFFI_FOUND=yes -+ fi -+ # Do not try pkg-config if we have a sysroot set. -+ if test "x$SYSROOT" = x; then -+ if test "x$LIBFFI_FOUND" = xno; then -+ # Figure out LIBFFI_CFLAGS and LIBFFI_LIBS - - pkg_failed=no - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBFFI" >&5 -@@ -50272,40 +50395,224 @@ fi - # Put the nasty error message in config.log where it belongs - echo "$LIBFFI_PKG_ERRORS" >&5 - -- as_fn_error $? "Package requirements (libffi) were not met: -- --$LIBFFI_PKG_ERRORS -- --Consider adjusting the PKG_CONFIG_PATH environment variable if you --installed software in a non-standard prefix. -- --Alternatively, you may set the environment variables LIBFFI_CFLAGS --and LIBFFI_LIBS to avoid the need to call pkg-config. --See the pkg-config man page for more details. --" "$LINENO" 5 -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ LIBFFI_FOUND=no - elif test $pkg_failed = untried; then -- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 --$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} --as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it --is in your PATH or set the PKG_CONFIG environment variable to the full --path to pkg-config. -- --Alternatively, you may set the environment variables LIBFFI_CFLAGS --and LIBFFI_LIBS to avoid the need to call pkg-config. --See the pkg-config man page for more details. -- --To get pkg-config, see . --See \`config.log' for more details" "$LINENO" 5; } -+ LIBFFI_FOUND=no - else - LIBFFI_CFLAGS=$pkg_cv_LIBFFI_CFLAGS - LIBFFI_LIBS=$pkg_cv_LIBFFI_LIBS - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 - $as_echo "yes" >&6; } -- : -+ LIBFFI_FOUND=yes -+fi -+ fi -+ fi -+ if test "x$LIBFFI_FOUND" = xno; then -+ for ac_header in ffi.h -+do : -+ ac_fn_cxx_check_header_mongrel "$LINENO" "ffi.h" "ac_cv_header_ffi_h" "$ac_includes_default" -+if test "x$ac_cv_header_ffi_h" = xyes; then : -+ cat >>confdefs.h <<_ACEOF -+#define HAVE_FFI_H 1 -+_ACEOF -+ -+ LIBFFI_FOUND=yes -+ LIBFFI_CFLAGS= -+ LIBFFI_LIBS=-lffi -+ -+else -+ LIBFFI_FOUND=no -+ -+fi -+ -+done -+ -+ fi -+ if test "x$LIBFFI_FOUND" = xno; then -+ -+ # Print a helpful message on how to acquire the necessary build dependency. -+ # ffi is the help tag: freetype, cups, pulse, alsa etc -+ MISSING_DEPENDENCY=ffi -+ -+ if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then -+ cygwin_help $MISSING_DEPENDENCY -+ elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then -+ msys_help $MISSING_DEPENDENCY -+ else -+ PKGHANDLER_COMMAND= -+ -+ case $PKGHANDLER in -+ apt-get) -+ apt_help $MISSING_DEPENDENCY ;; -+ yum) -+ yum_help $MISSING_DEPENDENCY ;; -+ port) -+ port_help $MISSING_DEPENDENCY ;; -+ pkgutil) -+ pkgutil_help $MISSING_DEPENDENCY ;; -+ pkgadd) -+ pkgadd_help $MISSING_DEPENDENCY ;; -+ esac -+ -+ if test "x$PKGHANDLER_COMMAND" != x; then -+ HELP_MSG="You might be able to fix this by running '$PKGHANDLER_COMMAND'." -+ fi -+ fi -+ -+ as_fn_error $? "Could not find libffi! $HELP_MSG" "$LINENO" 5 -+ fi -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if libffi works" >&5 -+$as_echo_n "checking if libffi works... " >&6; } -+ ac_ext=c -+ac_cpp='$CPP $CPPFLAGS' -+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_c_compiler_gnu -+ -+ OLD_CFLAGS="$CFLAGS" -+ CFLAGS="$CFLAGS $LIBFFI_CFLAGS" -+ OLD_LIBS="$LIBS" -+ LIBS="$LIBS $LIBFFI_LIBS" -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+int -+main (void) -+{ -+ -+ ffi_call(NULL, NULL, NULL, NULL); -+ return 0; -+ -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then : -+ LIBFFI_WORKS=yes -+else -+ LIBFFI_WORKS=no -+ - fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+ CFLAGS="$OLD_CFLAGS" -+ LIBS="$OLD_LIBS" -+ ac_ext=cpp -+ac_cpp='$CXXCPP $CPPFLAGS' -+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIBFFI_WORKS" >&5 -+$as_echo "$LIBFFI_WORKS" >&6; } - -+ if test "x$LIBFFI_WORKS" = xno; then -+ -+ # Print a helpful message on how to acquire the necessary build dependency. -+ # ffi is the help tag: freetype, cups, pulse, alsa etc -+ MISSING_DEPENDENCY=ffi -+ -+ if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then -+ cygwin_help $MISSING_DEPENDENCY -+ elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then -+ msys_help $MISSING_DEPENDENCY -+ else -+ PKGHANDLER_COMMAND= -+ -+ case $PKGHANDLER in -+ apt-get) -+ apt_help $MISSING_DEPENDENCY ;; -+ yum) -+ yum_help $MISSING_DEPENDENCY ;; -+ port) -+ port_help $MISSING_DEPENDENCY ;; -+ pkgutil) -+ pkgutil_help $MISSING_DEPENDENCY ;; -+ pkgadd) -+ pkgadd_help $MISSING_DEPENDENCY ;; -+ esac -+ -+ if test "x$PKGHANDLER_COMMAND" != x; then -+ HELP_MSG="You might be able to fix this by running '$PKGHANDLER_COMMAND'." -+ fi - fi - -+ as_fn_error $? "Found libffi but could not link and compile with it. $HELP_MSG" "$LINENO" 5 -+ fi -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if libffi should be bundled" >&5 -+$as_echo_n "checking if libffi should be bundled... " >&6; } -+ if test "x$enable_libffi_bundling" = "x"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ ENABLE_LIBFFI_BUNDLING=false -+ elif test "x$enable_libffi_bundling" = "xno"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no, forced" >&5 -+$as_echo "no, forced" >&6; } -+ ENABLE_LIBFFI_BUNDLING=false -+ elif test "x$enable_libffi_bundling" = "xyes"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, forced" >&5 -+$as_echo "yes, forced" >&6; } -+ ENABLE_LIBFFI_BUNDLING=true -+ else -+ as_fn_error $? "Invalid value for --enable-libffi-bundling" "$LINENO" 5 -+ fi -+ -+ # Find the libffi.so.X to bundle -+ if test "x${ENABLE_LIBFFI_BUNDLING}" = "xtrue"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libffi lib file location" >&5 -+$as_echo_n "checking for libffi lib file location... " >&6; } -+ if test "x${LIBFFI_LIB_PATH}" != x; then -+ if test -e ${LIBFFI_LIB_PATH}/libffi.so.?; then -+ LIBFFI_LIB_FILE="${LIBFFI_LIB_PATH}/libffi.so.?" -+ else -+ as_fn_error $? "Could not locate libffi.so.? for bundling in ${LIBFFI_LIB_PATH}" "$LINENO" 5 -+ fi -+ else -+ # If we don't have an explicit path, look in a few obvious places -+ if test "x${OPENJDK_TARGET_CPU}" = "xx86"; then -+ if test -e ${SYSROOT}/usr/lib/libffi.so.? ; then -+ LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/libffi.so.?" -+ elif test -e ${SYSROOT}/usr/lib/i386-linux-gnu/libffi.so.? ; then -+ LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/i386-linux-gnu/libffi.so.?" -+ else -+ as_fn_error $? "Could not locate libffi.so.? for bundling" "$LINENO" 5 -+ fi -+ elif test "x${OPENJDK_TARGET_CPU}" = "xx86_64"; then -+ if test -e ${SYSROOT}/usr/lib64/libffi.so.? ; then -+ LIBFFI_LIB_FILE="${SYSROOT}/usr/lib64/libffi.so.?" -+ elif test -e ${SYSROOT}/usr/lib/x86_64-linux-gnu/libffi.so.? ; then -+ LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/x86_64-linux-gnu/libffi.so.?" -+ else -+ as_fn_error $? "Could not locate libffi.so.? for bundling" "$LINENO" 5 -+ fi -+ else -+ # Fallback on the default /usr/lib dir -+ if test -e ${SYSROOT}/usr/lib/libffi.so.? ; then -+ LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/libffi.so.?" -+ else -+ as_fn_error $? "Could not locate libffi.so.? for bundling" "$LINENO" 5 -+ fi -+ fi -+ fi -+ # Make sure the wildcard is evaluated -+ LIBFFI_LIB_FILE="$(ls ${LIBFFI_LIB_FILE})" -+ LIBFFI_LIB_DIR="$(dirname ${LIBFFI_LIB_FILE})" -+ LIBFFI_LIB_FILE="$(basename ${LIBFFI_LIB_FILE})" -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${LIBFFI_LIB_FILE} in ${LIBFFI_LIB_DIR}" >&5 -+$as_echo "${LIBFFI_LIB_FILE} in ${LIBFFI_LIB_DIR}" >&6; } -+ fi -+ fi -+ -+ -+ -+ -+ -+ -+ - if test "x$JVM_VARIANT_ZEROSHARK" = xtrue; then - # Extract the first word of "llvm-config", so it can be a program name with args. - set dummy llvm-config; ac_word=$2 diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4 index 6efae578ea..4ed8b4fdd6 100644 --- a/common/autoconf/libraries.m4 diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in index 2d9ec35..cdde3e7 100644 --- a/SOURCES/nss.fips.cfg.in +++ b/SOURCES/nss.fips.cfg.in @@ -4,5 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb nssDbMode = readOnly nssModule = fips -attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } +attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }