diff --git a/.gitignore b/.gitignore
index ccfc525..013fe09 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index 493f497..8f03300 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-d02d3af23d61532c9695fb83f73126ab0b82f5d1 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz
+71e5a111b66d7a8e4234d35117e0fd663d39f9ce SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index a45c520..b87597c 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,6 +3,359 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 8u362 (2023-01-17):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bit.ly/openjdk8u362
+ * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u362.html
+
+* CVEs
+ - CVE-2023-21830
+ - CVE-2023-21843
+* Security fixes
+ - JDK-8285021: Improve CORBA communication
+ - JDK-8286496: Improve Thread labels
+ - JDK-8288516: Enhance font creation
+ - JDK-8289350: Better media supports
+ - JDK-8293554: Enhanced DH Key Exchanges
+ - JDK-8293598: Enhance InetAddress address handling
+ - JDK-8293717: Objective view of ObjectView
+ - JDK-8293734: Improve BMP image handling
+ - JDK-8293742: Better Banking of Sounds
+ - JDK-8295687: Better BMP bounds
+* Other changes
+ - JDK-6885993: Named Thread: introduce print() and print_on(outputStream* st) methods
+ - JDK-7124218: [TEST_BUG] [macosx] Space should select cell in the JTable
+ - JDK-8054066: com/sun/jdi/DoubleAgentTest.java fails with timeout
+ - JDK-8067941: [TESTBUG] Fix tests for OS with 64K page size.
+ - JDK-8071530: Update OS detection code to reflect Windows 10 version change
+ - JDK-8073464: GC workers do not have thread names
+ - JDK-8079255: [TEST_BUG] [macosx] Test closed/java/awt/Robot/RobotWheelTest/RobotWheelTest fails for Mac only
+ - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails
+ - JDK-8148005: One byte may be corrupted by get_datetime_string()
+ - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java
+ - JDK-8159720: Failure of C2 compilation with tiered prevents some C1 compilations
+ - JDK-8195607: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1
+ - JDK-8197859: VS2017 Complains about UINTPTR_MAX definition in globalDefinitions_VisCPP.hpp
+ - JDK-8206456: [TESTBUG] docker jtreg tests fail on systems without cpuset.effective_cpus / cpuset.effective_mems
+ - JDK-8221529: [TESTBUG] Docker tests use old/deprecated image on AArch64
+ - JDK-8224506: [TESTBUG] TestDockerMemoryMetrics.java fails with exitValue = 137
+ - JDK-8233551: [TESTBUG] SelectEditTableCell.java fails on MacOS
+ - JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows
+ - JDK-8253702: BigSur version number reported as 10.16, should be 11.nn
+ - JDK-8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()
+ - JDK-8265527: tools/javac/diags/CheckExamples.java fails after JDK-8078024 8u backport
+ - JDK-8269039: Disable SHA-1 Signed JARs
+ - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
+ - JDK-8270344: Session resumption errors
+ - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
+ - JDK-8273176: handle latest VS2019 in abstract_vm_version
+ - JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening
+ - JDK-8274840: Update OS detection code to recognize Windows 11
+ - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
+ - JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR
+ - JDK-8283277: ISO 4217 Amendment 171 Update
+ - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode
+ - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled
+ - JDK-8288928: Incorrect GPL header in pnglibconf.h (backport of JDK-8185041)
+ - JDK-8289549: ISO 4217 Amendment 172 Update
+ - JDK-8292762: Remove .jcheck directories from jdk8u subcomponents
+ - JDK-8293181: Bump update version of OpenJDK: 8u362
+ - JDK-8293461: Add a test for JDK-8290832
+ - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening
+ - JDK-8294307: ISO 4217 Amendment 173 Update
+ - JDK-8294357: (tz) Update Timezone Data to 2022d
+ - JDK-8294863: Enable partial tier1 testing in GHA for JDK8
+ - JDK-8295164: JDK 8 jdi tests should not use tasklist command on Windows
+ - JDK-8295173: (tz) Update Timezone Data to 2022e
+ - JDK-8295288: Some vm_flags tests associate with a wrong BugID
+ - JDK-8295714: GHA ::set-output is deprecated and will be removed
+ - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error
+ - JDK-8295915: Problemlist compiler/rtm failures specific to 8u
+ - JDK-8295950: Enable langtools/tier1 in GHA for 8u
+ - JDK-8296108: (tz) Update Timezone Data to 2022f
+ - JDK-8296239: ISO 4217 Amendment 174 Update
+ - JDK-8296555: Enable hotspot/tier1 for 64-bit builds in GHA for 8u
+ - JDK-8296715: CLDR v42 update for tzdata 2022f
+ - JDK-8296959: Fix hotspot shell tests of 8u on multilib systems
+ - JDK-8297141: Fix hotspot/test/runtime/SharedArchiveFile/DefaultUseWithClient.java for 8u
+ - JDK-8297804: (tz) Update Timezone Data to 2022g
+ - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
+ - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java
+
+Notes on individual issues:
+===========================
+
+client-libs/javax.imageio:
+
+JDK-8295687: Better BMP bounds
+==============================
+Loading a linked ICC profile within a BMP image is now disabled by
+default. To re-enable it, set the new system property
+`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property
+replaces the old property,
+`sun.imageio.plugins.bmp.disableLinkedProfiles`.
+
+client-libs/javax.sound:
+
+JDK-8293742: Better Banking of Sounds
+=====================================
+Previously, the SoundbankReader implementation,
+`com.sun.media.sound.JARSoundbankReader`, would download a JAR
+soundbank from a URL. This behaviour is now disabled by default. To
+re-enable it, set the new system property `jdk.sound.jarsoundbank` to
+`true`.
+
+hotspot/runtime:
+
+JDK-8274840: Release Now Recognises Windows 11
+==============================================
+This release now correctly sets the `os.name` property to `Windows
+11`, as would be expected.
+
+other-libs/corba:idl:
+
+JDK-8285021: Improve CORBA communication
+========================================
+The JDK's CORBA implementation now refuses by default to deserialize
+objects, unless they have the "IOR:" prefix. The previous behaviour
+can be re-enabled by setting the new property
+`com.sun.CORBA.ORBAllowDeserializeObject` to `true`.
+
+security-libs/java.security:
+
+JDK-8269039: Disabled SHA-1 Signed JARs
+=======================================
+JARs signed with SHA-1 algorithms are now restricted by default and
+treated as if they were unsigned. This applies to the algorithms used
+to digest, sign, and optionally timestamp the JAR. It also applies to
+the signature and digest algorithms of the certificates in the
+certificate chain of the code signer and the Timestamp Authority, and
+any CRLs or OCSP responses that are used to verify if those
+certificates have been revoked. These restrictions also apply to
+signed JCE providers.
+
+To reduce the compatibility risk for JARs that have been previously
+timestamped, there is one exception to this policy:
+
+- Any JAR signed with SHA-1 algorithms and timestamped prior to
+ January 01, 2019 will not be restricted.
+
+This exception may be removed in a future JDK release. To determine if
+your signed JARs are affected by this change, run:
+
+$ jarsigner -verify -verbose -certs`
+
+on the signed JAR, and look for instances of "SHA1" or "SHA-1" and
+"disabled" and a warning that the JAR will be treated as unsigned in
+the output.
+
+For example:
+
+ Signed by "CN="Signer""
+ Digest algorithm: SHA-1 (disabled)
+ Signature algorithm: SHA1withRSA (disabled), 2048-bit key
+
+ WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
+
+ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
+
+JARs affected by these new restrictions should be replaced or
+re-signed with stronger algorithms.
+
+Users can, *at their own risk*, remove these restrictions by modifying
+the `java.security` configuration file (or override it by using the
+`java.security.properties` system property) and removing "SHA1 usage
+SignedJAR & denyAfter 2019-01-01" from the
+`jdk.certpath.disabledAlgorithms` security property and "SHA1
+denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security
+property.
+
+New in release OpenJDK 8u352 (2022-10-18):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bit.ly/openjdk8u352
+ * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u352.txt
+
+* Security fixes
+ - JDK-8282252: Improve BigInteger/Decimal validation
+ - JDK-8285662: Better permission resolution
+ - JDK-8286511: Improve macro allocation
+ - JDK-8286519: Better memory handling
+ - JDK-8286526, CVE-2022-21619: Improve NTLM support
+ - JDK-8286533, CVE-2022-21626: Key X509 usages
+ - JDK-8286910, CVE-2022-21624: Improve JNDI lookups
+ - JDK-8286918, CVE-2022-21628: Better HttpServer service
+ - JDK-8288508: Enhance ECDSA usage
+* Other changes
+ - JDK-7131823: bug in GIFImageReader
+ - JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate
+ - JDK-8028265: Add legacy tz tests to OpenJDK
+ - JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000]
+ - JDK-8049228: Improve multithreaded scalability of InetAddress cache
+ - JDK-8071507: (ref) Clear phantom reference as soft and weak references do
+ - JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation
+ - JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9
+ - JDK-8136354: [TEST_BUG] Test java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script
+ - JDK-8139668: Generate README-build.html from markdown
+ - JDK-8143847: Remove REF_CLEANER reference category
+ - JDK-8147862: Null check too late in sun.net.httpserver.ServerImpl
+ - JDK-8150669: C1 intrinsic for Class.isPrimitive
+ - JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows
+ - JDK-8173339: AArch64: Fix minimum stack size computations
+ - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load
+ - JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
+ - JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored
+ - JDK-8183107: PKCS11 regression regarding checkKeySize
+ - JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property
+ - JDK-8194873: right ALT key hotkeys no longer work in Swing components
+ - JDK-8201793: (ref) Reference object should not support cloning
+ - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount()
+ - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures.
+ - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit
+ - JDK-8235218: Minimal VM is broken after JDK-8173361
+ - JDK-8235385: Crash on aarch64 JDK due to long offset
+ - JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles
+ - JDK-8254178: Remove .hgignore
+ - JDK-8254318: Remove .hgtags
+ - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version
+ - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*)
+ - JDK-8280963: Incorrect PrintFlags formatting on Windows
+ - JDK-8282538: PKCS11 tests fail on CentOS Stream 9
+ - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
+ - JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3
+ - JDK-8285497: Add system property for Java SE specification maintenance version
+ - JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE
+ - JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11
+ - JDK-8287521: Bump update version of OpenJDK: 8u352
+ - JDK-8288763: Pack200 extraction failure with invalid size
+ - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses
+ - JDK-8290000: Bump macOS GitHub actions to macOS 11
+ - JDK-8292579: (tz) Update Timezone Data to 2022c
+ - JDK-8292688: Support Security properties in security.testlibrary.Proc
+
+Notes on individual issues:
+===========================
+
+core-libs/java.lang:
+
+JDK-8201793: (ref) Reference object should not support cloning
+==============================================================
+`java.lang.ref.Reference::clone` method always throws
+`CloneNotSupportedException`. `Reference` objects cannot be
+meaningfully cloned. To create a new Reference object, call the
+constructor to create a `Reference` object with the same referent and
+reference queue instead.
+
+JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
+===============================================================================================
+`java.lang.ref.Reference.enqueue` method clears the reference object
+before it is added to the registered queue. When the `enqueue` method
+is called, the reference object is cleared and `get()` method will
+return null in OpenJDK 8u352.
+
+Typically when a reference object is enqueued, it is expected that the
+reference object is cleared explicitly via the `clear` method to avoid
+memory leak because its referent is no longer referenced. In other
+words the `get` method is expected not to be called in common cases
+once the `enqueue`method is called. In the case when the `get` method
+from an enqueued reference object and existing code attempts to access
+members of the referent, `NullPointerException` may be thrown. Such
+code will need to be updated.
+
+JDK-8071507: (ref) Clear phantom reference as soft and weak references do
+=========================================================================
+This enhancement changes phantom references to be automatically
+cleared by the garbage collector as soft and weak references.
+
+An object becomes phantom reachable after it has been finalized. This
+change may cause the phantom reachable objects to be GC'ed earlier -
+previously the referent is kept alive until PhantomReference objects
+are GC'ed or cleared by the application. This potential behavioral
+change might only impact existing code that would depend on
+PhantomReference being enqueued rather than when the referent be freed
+from the heap.
+
+core-libs/java.net:
+
+JDK-8286918: Better HttpServer service
+======================================
+The HttpServer can be optionally configured with a maximum connection
+limit by setting the jdk.httpserver.maxConnections system property. A
+value of 0 or a negative integer is ignored and considered to
+represent no connection limit. In the case of a positive integer
+value, any newly accepted connections will be first checked against
+the current count of established connections and, if the configured
+limit has been reached, then the newly accepted connection will be
+closed immediately.
+
+core-libs/java.net:
+
+JDK-8286918: Better HttpServer service
+======================================
+The HttpServer can be optionally configured with a maximum connection
+limit by setting the jdk.httpserver.maxConnections system property. A
+value of 0 or a negative integer is ignored and considered to
+represent no connection limit. In the case of a positive integer
+value, any newly accepted connections will be first checked against
+the current count of established connections and, if the configured
+limit has been reached, then the newly accepted connection will be
+closed immediately.
+
+security-libs/javax.net.ssl:
+
+JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
+================================================================
+The TLSv1.3 implementation is now enabled by default for client roles
+in 8u352. It has been enabled by default for server roles since 8u272.
+
+Note that TLS 1.3 is not directly compatible with previous
+versions. Enabling it on the client may introduce compatibility issues
+on either the server or the client side. Here are some more details on
+potential compatibility issues that you should be aware of:
+
+* TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions
+ use a duplex-close policy. For applications that depend on the
+ duplex-close policy, there may be compatibility issues when
+ upgrading to TLS 1.3.
+
+* The signature_algorithms_cert extension requires that pre-defined
+ signature algorithms are used for certificate authentication. In
+ practice, however, an application may use non-supported signature
+ algorithms.
+
+* The DSA signature algorithm is not supported in TLS 1.3. If a server
+ is configured to only use DSA certificates, it cannot upgrade to TLS
+ 1.3.
+
+* The supported cipher suites for TLS 1.3 are not the same as TLS 1.2
+ and prior versions. If an application hard-codes cipher suites which
+ are no longer supported, it may not be able to use TLS 1.3 without
+ modifying the application code.
+
+* The TLS 1.3 session resumption and key update behaviors are
+ different from TLS 1.2 and prior versions. The compatibility should
+ be minimal, but it could be a risk if an application depends on the
+ handshake details of the TLS protocols.
+
+The TLS 1.3 protocol can be disabled by using the jdk.tls.client.protocols
+system property:
+
+java -Djdk.tls.client.protocols="TLSv1.2" ...
+
+Alternatively, an application can explicitly set the enabled protocols
+with the javax.net.ssl APIs e.g.
+
+sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"});
+
+or:
+
+SSLParameters params = sslSocket.getSSLParameters();
+params.setProtocols(new String[] {"TLSv1.2"});
+sslSocket.setSSLParameters(params);
+
New in release OpenJDK 8u345 (2022-08-01):
===========================================
Live versions of these release notes can be found at:
@@ -32,7 +385,7 @@ versions of OpenJDK 8. As a result, we have reverted this change in
New in release OpenJDK 8u342 (2022-07-19):
===========================================
Live versions of these release notes can be found at:
- * https://bitly.com/openjdk8u342
+ * https://bit.ly/openjdk8u342
* https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u342.txt
* Security fixes
@@ -212,7 +565,7 @@ Live versions of these release notes can be found at:
New in release OpenJDK 8u322 (2022-01-18):
===========================================
Live versions of these release notes can be found at:
- * https://bitly.com/openjdk8u322
+ * https://bit.ly/openjdk8u322
* https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u322.txt
* Security fixes
diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java
index 552bd0f..2967a32 100644
--- a/SOURCES/TestSecurityProperties.java
+++ b/SOURCES/TestSecurityProperties.java
@@ -1,3 +1,20 @@
+/* TestSecurityProperties -- Ensure system security properties can be used to
+ enable the crypto policies.
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
diff --git a/SOURCES/TestTranslations.java b/SOURCES/TestTranslations.java
new file mode 100644
index 0000000..199d765
--- /dev/null
+++ b/SOURCES/TestTranslations.java
@@ -0,0 +1,160 @@
+/* TestTranslations -- Ensure translations are available for new timezones
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+import java.text.DateFormatSymbols;
+
+import java.time.ZoneId;
+import java.time.format.TextStyle;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Locale;
+import java.util.Objects;
+import java.util.TimeZone;
+
+public class TestTranslations {
+
+ private static Map KYIV, CIUDAD_JUAREZ;
+
+ static {
+ Map map = new HashMap();
+ map.put(Locale.US, new String[] { "Eastern European Time", "GMT+02:00", "EET",
+ "Eastern European Summer Time", "GMT+03:00", "EEST",
+ "Eastern European Time", "GMT+02:00", "EET"});
+ map.put(Locale.FRANCE, new String[] { "Heure d'Europe de l'Est", "UTC+02:00", "EET",
+ "Heure d'\u00e9t\u00e9 d'Europe de l'Est", "UTC+03:00", "EEST",
+ "Heure d'Europe de l'Est", "UTC+02:00", "EET"});
+ map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Zeit", "OEZ", "OEZ",
+ "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
+ "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
+ KYIV = Collections.unmodifiableMap(map);
+
+ map = new HashMap();
+ map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST",
+ "Mountain Daylight Time", "MDT", "MDT",
+ "Mountain Time", "MT", "MT"});
+ map.put(Locale.FRANCE, new String[] { "Heure normale des Rocheuses", "UTC\u221207:00", "MST",
+ "Heure avanc\u00e9e des Rocheuses", "UTC\u221206:00", "MDT",
+ "Rocheuses", "UTC\u221207:00", "MT"});
+ map.put(Locale.GERMANY, new String[] { "Rocky Mountains Normalzeit", "GMT-07:00", "MST",
+ "Rocky Mountains Sommerzeit", "GMT-06:00", "MDT",
+ "Zeitzone Mountain", "GMT-07:00", "MT"});
+ CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
+ }
+
+
+ public static void main(String[] args) {
+ if (args.length < 1) {
+ System.err.println("Test must be started with the name of the locale provider.");
+ System.exit(1);
+ }
+
+ System.out.println("Checking sanity of full zone string set...");
+ boolean invalid = Arrays.stream(Locale.getAvailableLocales())
+ .peek(l -> System.out.println("Locale: " + l))
+ .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
+ .flatMap(zs -> Arrays.stream(zs))
+ .flatMap(names -> Arrays.stream(names))
+ .filter(name -> Objects.isNull(name) || name.isEmpty())
+ .findAny()
+ .isPresent();
+ if (invalid) {
+ System.err.println("Zone string for a locale returned null or empty string");
+ System.exit(2);
+ }
+
+ String localeProvider = args[0];
+ testZone(localeProvider, KYIV,
+ new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" });
+ testZone(localeProvider, CIUDAD_JUAREZ,
+ new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" });
+ }
+
+ private static void testZone(String localeProvider, Map exp, String[] ids) {
+ for (Locale l : exp.keySet()) {
+ String[] expected = exp.get(l);
+ System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected));
+ for (String id : ids) {
+ String expectedShortStd = null;
+ String expectedShortDST = null;
+ String expectedShortGen = null;
+
+ System.out.printf("Checking locale %s for %s...\n", l, id);
+
+ if ("JRE".equals(localeProvider)) {
+ expectedShortStd = expected[2];
+ expectedShortDST = expected[5];
+ expectedShortGen = expected[8];
+ } else if ("CLDR".equals(localeProvider)) {
+ expectedShortStd = expected[1];
+ expectedShortDST = expected[4];
+ expectedShortGen = expected[7];
+ } else {
+ System.err.printf("Invalid locale provider %s\n", localeProvider);
+ System.exit(3);
+ }
+ System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
+ localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
+
+ String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
+ String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
+ String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
+ String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
+ String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
+ String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
+
+ if (!expected[0].equals(longStd)) {
+ System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
+ id, l, longStd, expected[0]);
+ System.exit(4);
+ }
+
+ if (!expectedShortStd.equals(shortStd)) {
+ System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
+ id, l, shortStd, expectedShortStd);
+ System.exit(5);
+ }
+
+ if (!expected[3].equals(longDST)) {
+ System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
+ id, l, longDST, expected[3]);
+ System.exit(6);
+ }
+
+ if (!expectedShortDST.equals(shortDST)) {
+ System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
+ id, l, shortDST, expectedShortDST);
+ System.exit(7);
+ }
+
+ if (!expected[6].equals(longGen)) {
+ System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
+ id, l, longGen, expected[6]);
+ System.exit(8);
+ }
+
+ if (!expectedShortGen.equals(shortGen)) {
+ System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
+ id, l, shortGen, expectedShortGen);
+ System.exit(9);
+ }
+ }
+ }
+ }
+}
diff --git a/SOURCES/fips-8u-8e8bbf0ff74.patch b/SOURCES/fips-8u-6d1aade0648.patch
similarity index 99%
rename from SOURCES/fips-8u-8e8bbf0ff74.patch
rename to SOURCES/fips-8u-6d1aade0648.patch
index 2379d45..58ab6e5 100644
--- a/SOURCES/fips-8u-8e8bbf0ff74.patch
+++ b/SOURCES/fips-8u-6d1aade0648.patch
@@ -11,7 +11,7 @@ index 151e5a109f8..a8761b500e0 100644
LIB_SETUP_ON_WINDOWS
diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
-index e77ce854dc5..ec6e9b27ca5 100644
+index 71fabf4dbb3..17f4f50673d 100644
--- a/common/autoconf/generated-configure.sh
+++ b/common/autoconf/generated-configure.sh
@@ -651,6 +651,9 @@ LLVM_CONFIG
@@ -124,7 +124,7 @@ index e77ce854dc5..ec6e9b27ca5 100644
#
# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-@@ -49290,6 +49351,157 @@ fi
+@@ -49304,6 +49365,157 @@ fi
LIBS="$save_LIBS"
@@ -1532,7 +1532,7 @@ index ffee2c1603b..98119479823 100644
"FIPS mode: KeyStore must be " +
"from provider " + SunJSSE.cryptoProvider.getName());
diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-index cd0e9e98df9..fba760187c0 100644
+index 820e10164fc..6fe2c29389f 100644
--- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -31,6 +31,7 @@ import java.security.*;
@@ -1627,8 +1627,8 @@ index cd0e9e98df9..fba760187c0 100644
+ };
+ }
return new ProtocolVersion[]{
+ ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
index 2845dc37938..52337a7b6cf 100644
--- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
@@ -1659,7 +1659,7 @@ index 2845dc37938..52337a7b6cf 100644
"sun.security.ssl.SSLContextImpl$TLSContext");
if (isfips == false) {
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
-index d3d64b3facd..bfe0c593adb 100644
+index 7a93d4e6b59..681a24b905d 100644
--- a/jdk/src/share/lib/security/java.security-aix
+++ b/jdk/src/share/lib/security/java.security-aix
@@ -287,6 +287,13 @@ package.definition=sun.,\
@@ -1677,7 +1677,7 @@ index d3d64b3facd..bfe0c593adb 100644
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
-index db610d4bfbb..9d1c8fe8a8e 100644
+index 145a84f94cf..789c19a8cba 100644
--- a/jdk/src/share/lib/security/java.security-linux
+++ b/jdk/src/share/lib/security/java.security-linux
@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider
@@ -1722,7 +1722,7 @@ index db610d4bfbb..9d1c8fe8a8e 100644
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
-index a919ba3d5cd..19047c61097 100644
+index 35fa140d7a5..d4da666af3b 100644
--- a/jdk/src/share/lib/security/java.security-macosx
+++ b/jdk/src/share/lib/security/java.security-macosx
@@ -290,6 +290,13 @@ package.definition=sun.,\
@@ -1740,7 +1740,7 @@ index a919ba3d5cd..19047c61097 100644
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
-index 86265ba5fb6..7eda556ae13 100644
+index f79ba37ddb9..300132384a1 100644
--- a/jdk/src/share/lib/security/java.security-solaris
+++ b/jdk/src/share/lib/security/java.security-solaris
@@ -288,6 +288,13 @@ package.definition=sun.,\
@@ -1758,7 +1758,7 @@ index 86265ba5fb6..7eda556ae13 100644
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
-index 9b4bda23cbe..dfa1a669aa9 100644
+index d70503ce95f..64db5a5cd1e 100644
--- a/jdk/src/share/lib/security/java.security-windows
+++ b/jdk/src/share/lib/security/java.security-windows
@@ -290,6 +290,13 @@ package.definition=sun.,\
diff --git a/SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch b/SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch
deleted file mode 100644
index ddab642..0000000
--- a/SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-# HG changeset patch
-# User mbalao
-# Date 1529971845 -28800
-# Tue Jun 26 08:10:45 2018 +0800
-# Node ID e9c20b7250cd98d16a67f2a30b34284c2caa01dc
-# Parent 9f1aa2e38d90dd60522237d7414af6bdcf03c4ff
-8195607, PR3776: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1
-Reviewed-by: valeriep, weijun
-
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
-@@ -197,7 +197,7 @@
-
- if (configDir != null) {
- String configDirPath = null;
-- String sqlPrefix = "sql:/";
-+ String sqlPrefix = "sql:";
- if (!configDir.startsWith(sqlPrefix)) {
- configDirPath = configDir;
- } else {
-diff --git openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
-@@ -69,9 +69,14 @@
- int res = 0;
- FPTR_Initialize initialize =
- (FPTR_Initialize)findFunction(env, jHandle, "NSS_Initialize");
-+ #ifdef SECMOD_DEBUG
-+ FPTR_GetError getError =
-+ (FPTR_GetError)findFunction(env, jHandle, "PORT_GetError");
-+ #endif // SECMOD_DEBUG
- unsigned int flags = 0x00;
- const char *configDir = NULL;
- const char *functionName = NULL;
-+ const char *configFile = NULL;
-
- /* If we cannot initialize, exit now */
- if (initialize == NULL) {
-@@ -97,13 +102,18 @@
- flags = 0x20; // NSS_INIT_OPTIMIZESPACE flag
- }
-
-+ configFile = "secmod.db";
-+ if (configDir != NULL && strncmp("sql:", configDir, 4U) == 0) {
-+ configFile = "pkcs11.txt";
-+ }
-+
- /*
- * If the NSS_Init function is requested then call NSS_Initialize to
- * open the Cert, Key and Security Module databases, read only.
- */
- if (strcmp("NSS_Init", functionName) == 0) {
- flags = flags | 0x01; // NSS_INIT_READONLY flag
-- res = initialize(configDir, "", "", "secmod.db", flags);
-+ res = initialize(configDir, "", "", configFile, flags);
-
- /*
- * If the NSS_InitReadWrite function is requested then call
-@@ -111,7 +121,7 @@
- * read/write.
- */
- } else if (strcmp("NSS_InitReadWrite", functionName) == 0) {
-- res = initialize(configDir, "", "", "secmod.db", flags);
-+ res = initialize(configDir, "", "", configFile, flags);
-
- /*
- * If the NSS_NoDB_Init function is requested then call
-@@ -137,6 +147,13 @@
- (*env)->ReleaseStringUTFChars(env, jConfigDir, configDir);
- }
- dprintf1("-res: %d\n", res);
-+ #ifdef SECMOD_DEBUG
-+ if (res == -1) {
-+ if (getError != NULL) {
-+ dprintf1("-NSS error: %d\n", getError());
-+ }
-+ }
-+ #endif // SECMOD_DEBUG
-
- return (res == 0) ? JNI_TRUE : JNI_FALSE;
- }
-diff --git openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
---- openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
-+++ openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
-@@ -34,6 +34,10 @@
- const char *certPrefix, const char *keyPrefix,
- const char *secmodName, unsigned int flags);
-
-+#ifdef SECMOD_DEBUG
-+typedef int (*FPTR_GetError)(void);
-+#endif //SECMOD_DEBUG
-+
- // in secmod.h
- //extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent,
- // PRBool recurse);
-diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt
-@@ -0,0 +1,4 @@
-+library=
-+name=NSS Internal PKCS #11 Module
-+parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
-+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
-diff --git openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java
---- openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java
-+++ openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java
-@@ -55,7 +55,7 @@
-
- DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb";
- if (useSqlite) {
-- System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR);
-+ System.setProperty("pkcs11test.nss.db", "sql:" + DBDIR);
- } else {
- System.setProperty("pkcs11test.nss.db", DBDIR);
- }
-@@ -67,6 +67,7 @@
- if (useSqlite) {
- copyFile("key4.db", BASE, DBDIR);
- copyFile("cert9.db", BASE, DBDIR);
-+ copyFile("pkcs11.txt", BASE, DBDIR);
- } else {
- copyFile("secmod.db", BASE, DBDIR);
- copyFile("key3.db", BASE, DBDIR);
diff --git a/SOURCES/pr2888-rh2055274-support_system_cacerts.patch b/SOURCES/pr2888-rh2055274-support_system_cacerts.patch
index 413ca99..1b88f2a 100644
--- a/SOURCES/pr2888-rh2055274-support_system_cacerts.patch
+++ b/SOURCES/pr2888-rh2055274-support_system_cacerts.patch
@@ -1,18 +1,16 @@
-commit c28417b0f421b80cd7efa339a3cce5609aafc880
-Author: Andrew John Hughes
-Date: Mon Apr 18 20:04:49 2022 +0100
-
- Support security.systemCACerts security property which can be disabled with -Djava.security.disableSystemCACerts=true
-
- PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
- PR3575: System cacerts database handling should not affect jssecacerts
- RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds
-
diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
-index e7b4763db53..4b38d1f9465 100644
+index e7b4763db53..e8ec8467e6a 100644
--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
-@@ -68,7 +68,7 @@ final class TrustStoreManager {
+@@ -31,6 +31,7 @@ import java.security.*;
+ import java.security.cert.*;
+ import java.util.*;
+ import sun.security.action.*;
++import sun.security.tools.KeyStoreUtil;
+ import sun.security.validator.TrustStoreUtil;
+
+ /**
+@@ -68,7 +69,7 @@ final class TrustStoreManager {
* The preference of the default trusted KeyStore is:
* javax.net.ssl.trustStore
* jssecacerts
@@ -21,35 +19,29 @@ index e7b4763db53..4b38d1f9465 100644
*/
private static final class TrustStoreDescriptor {
private static final String fileSep = File.separator;
-@@ -79,6 +79,11 @@ final class TrustStoreManager {
- defaultStorePath + fileSep + "cacerts";
+@@ -76,7 +77,7 @@ final class TrustStoreManager {
+ GetPropertyAction.privilegedGetProperty("java.home") +
+ fileSep + "lib" + fileSep + "security";
+ private static final String defaultStore =
+- defaultStorePath + fileSep + "cacerts";
++ KeyStoreUtil.getCacertsKeyStoreFile().getPath();
private static final String jsseDefaultStore =
defaultStorePath + fileSep + "jssecacerts";
-+ /* Check system cacerts DB */
-+ private static final boolean systemStoreOff =
-+ privilegedGetBooleanProperty("java.security.disableSystemCACerts");
-+ private static final String systemStore = (systemStoreOff ? defaultStore :
-+ privilegedGetSecurityProperty("security.systemCACerts"));
- // the trust store name
- private final String storeName;
-@@ -139,28 +144,35 @@ final class TrustStoreManager {
+@@ -139,6 +140,10 @@ final class TrustStoreManager {
String storePropPassword = System.getProperty(
"javax.net.ssl.trustStorePassword", "");
+ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
-+ SSLLogger.fine("System store disabled: " + systemStoreOff);
-+ SSLLogger.fine("System store: " + systemStore);
++ SSLLogger.fine("Default store: " + defaultStore);
+ }
+
String temporaryName = "";
File temporaryFile = null;
long temporaryTime = 0L;
- if (!"NONE".equals(storePropName)) {
+@@ -146,21 +151,22 @@ final class TrustStoreManager {
String[] fileNames =
-- new String[] {storePropName, defaultStore};
-+ new String[] {storePropName,
-+ systemStore, defaultStore};
+ new String[] {storePropName, defaultStore};
for (String fileName : fileNames) {
- File f = new File(fileName);
- if (f.isFile() && f.canRead()) {
@@ -84,62 +76,69 @@ index e7b4763db53..4b38d1f9465 100644
}
}
} else {
-@@ -390,4 +402,31 @@ final class TrustStoreManager {
- return TrustStoreUtil.getTrustedCerts(ks);
- }
- }
-+
-+ private static String privilegedGetSecurityProperty(final String prop) {
-+ if (System.getSecurityManager() == null) {
-+ return Security.getProperty(prop);
-+ } else {
-+ return AccessController.doPrivileged(new PrivilegedAction() {
-+ @Override
-+ public String run() {
-+ return Security.getProperty(prop);
-+ }
-+ });
-+ }
-+ }
-+
-+ /**
-+ * Returns {@code true} if the {@code System} property is present and set to @{code "true"}.
-+ *
-+ * @param prop the name of the property to check.
-+ * @return true if the property is present and set to {@code "true"}.
-+ */
-+ private static boolean privilegedGetBooleanProperty(final String prop) {
-+ if (System.getSecurityManager() == null) {
-+ return Boolean.getBoolean(prop);
-+ } else {
-+ return AccessController.doPrivileged(new GetBooleanAction(prop));
-+ }
-+ }
- }
diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
-index fcc77786da1..639fc220b6b 100644
+index fcc77786da1..f554f83a8b4 100644
--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
-@@ -34,6 +34,7 @@ import java.io.InputStreamReader;
+@@ -33,7 +33,10 @@ import java.io.InputStreamReader;
+
import java.net.URL;
++import java.security.AccessController;
import java.security.KeyStore;
++import java.security.PrivilegedAction;
+import java.security.Security;
import java.security.cert.X509Certificate;
import java.text.Collator;
-@@ -103,9 +104,18 @@ public class KeyStoreUtil {
- throws Exception
- {
- String sep = File.separator;
-- File file = new File(System.getProperty("java.home") + sep
-- + "lib" + sep + "security" + sep
-- + "cacerts");
+@@ -54,6 +57,33 @@ public class KeyStoreUtil {
+
+ private static final String JKS = "jks";
+
++ private static final String PROP_NAME = "security.systemCACerts";
++
++ /**
++ * Returns the value of the security property propName, which can be overridden
++ * by a system property of the same name
++ *
++ * @param propName the name of the system or security property
++ * @return the value of the system or security property
++ */
++ @SuppressWarnings("removal")
++ public static String privilegedGetOverridable(String propName) {
++ if (System.getSecurityManager() == null) {
++ return getOverridableProperty(propName);
++ } else {
++ return AccessController.doPrivileged((PrivilegedAction) () -> getOverridableProperty(propName));
++ }
++ }
++
++ private static String getOverridableProperty(String propName) {
++ String val = System.getProperty(propName);
++ if (val == null) {
++ return Security.getProperty(propName);
++ } else {
++ return val;
++ }
++ }
++
+ /**
+ * Returns true if the certificate is self-signed, false otherwise.
+ */
+@@ -96,20 +126,38 @@ public class KeyStoreUtil {
+ }
+ }
+
++ /**
++ * Returns the path to the cacerts DB
++ */
++ public static File getCacertsKeyStoreFile()
++ {
++ String sep = File.separator;
+ File file = null;
-+ /* Check system cacerts DB first */
-+ String systemDB = Security.getProperty("security.systemCACerts");
-+ boolean systemStoreOff = Boolean.getBoolean("java.security.disableSystemCACerts");
-+ if (!systemStoreOff && systemDB != null && !"".equals(systemDB)) {
++ /* Check system cacerts DB first, preferring system property over security property */
++ String systemDB = privilegedGetOverridable(PROP_NAME);
++ if (systemDB != null && !"".equals(systemDB)) {
+ file = new File(systemDB);
+ }
+ if (file == null || !file.exists()) {
@@ -147,9 +146,31 @@ index fcc77786da1..639fc220b6b 100644
+ + "lib" + sep + "security" + sep
+ + "cacerts");
+ }
- if (!file.exists()) {
- return null;
- }
++ if (file.exists()) {
++ return file;
++ }
++ return null;
++ }
++
+ /**
+ * Returns the keystore with the configured CA certificates.
+ */
+ public static KeyStore getCacertsKeyStore()
+ throws Exception
+ {
+- String sep = File.separator;
+- File file = new File(System.getProperty("java.home") + sep
+- + "lib" + sep + "security" + sep
+- + "cacerts");
+- if (!file.exists()) {
+- return null;
+- }
+ KeyStore caks = null;
++ File file = getCacertsKeyStoreFile();
++ if (file == null) { return null; }
+ try (FileInputStream fis = new FileInputStream(file)) {
+ caks = KeyStore.getInstance(JKS);
+ caks.load(fis, null);
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
index bfe0c593adb..093bc09bf95 100644
--- a/jdk/src/share/lib/security/java.security-aix
diff --git a/SOURCES/rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch b/SOURCES/rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch
deleted file mode 100644
index d9cbac4..0000000
--- a/SOURCES/rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-diff --git a/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java b/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
---- openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
-+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
-@@ -1,5 +1,6 @@
- /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2014 Red Hat Inc.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
-@@ -61,13 +62,13 @@
-
- private static void checkKeySize(int keysize)
- throws InvalidParameterException {
-- boolean supported = ((keysize == 2048) || (keysize == 3072) ||
-+ boolean supported = ((keysize == 2048) || (keysize == 3072) || (keysize == 4096) ||
- ((keysize >= 512) && (keysize <= 1024) && ((keysize & 0x3F) == 0)));
-
- if (!supported) {
- throw new InvalidParameterException(
- "DH key size must be multiple of 64 and range " +
-- "from 512 to 1024 (inclusive), or 2048, 3072. " +
-+ "from 512 to 1024 (inclusive), or 2048, 3072, 4096. " +
- "The specific key size " + keysize + " is not supported");
- }
- }
-diff --git a/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java b/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
---- openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
-+++ openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
-@@ -1,5 +1,6 @@
- /*
- * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2014 Red Hat Inc.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
-@@ -58,7 +59,7 @@
- */
- private enum Sizes {
- two56(256), three84(384), five12(512), seven68(768), ten24(1024),
-- twenty48(2048);
-+ twenty48(2048), forty96(4096);
-
- private final int intSize;
- private final BigInteger bigIntValue;
-@@ -130,6 +131,19 @@
- kp = kpg.generateKeyPair();
- checkKeyPair(kp, Sizes.twenty48, Sizes.five12);
-
-+ kpg.initialize(Sizes.forty96.getIntSize());
-+ kp = kpg.generateKeyPair();
-+ checkKeyPair(kp, Sizes.forty96, Sizes.twenty48);
-+
-+ publicKey = (DHPublicKey)kp.getPublic();
-+ p = publicKey.getParams().getP();
-+ g = publicKey.getParams().getG();
-+
-+ // test w/ all values specified
-+ kpg.initialize(new DHParameterSpec(p, g, Sizes.ten24.getIntSize()));
-+ kp = kpg.generateKeyPair();
-+ checkKeyPair(kp, Sizes.forty96, Sizes.ten24);
-+
- System.out.println("OK");
- }
-
-
diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec
index 9429248..36389b4 100644
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@@ -23,6 +23,8 @@
%bcond_with artifacts
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
%if %{with fresh_libjvm}
@@ -31,6 +33,16 @@
%global build_hotspot_first 0
%endif
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global jpeg_lib |libjavajpeg[.]so.*
+%else
+%global system_libs 0
+%global link_type bundled
+%global jpeg_lib |libjpeg[.]so.*
+%endif
+
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@@ -150,11 +162,15 @@
# Build and test slowdebug first as it provides the best diagnostics
%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
+%endif
%global bootstrap_targets images
%global release_targets images docs-zip
@@ -265,7 +281,7 @@
# New Version-String scheme-style defines
%global majorver 8
-# Standard JPackage naming and versioning defines.
+# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
@@ -297,7 +313,7 @@
# note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
%global shenandoah_project openjdk
%global shenandoah_repo shenandoah-jdk8u
-%global openjdk_revision jdk8u345-b01
+%global openjdk_revision jdk8u362-b08
%global shenandoah_revision shenandoah-%{openjdk_revision}
# Define old aarch64/jdk8u tree variables for compatibility
%global project %{shenandoah_project}
@@ -306,7 +322,7 @@
# Define IcedTea version used for SystemTap tapsets and desktop files
%global icedteaver 3.15.0
# Define current Git revision for the FIPS support patches
-%global fipsver 8e8bbf0ff74
+%global fipsver 6d1aade0648
# e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04
%global version_tag %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*})
@@ -316,7 +332,7 @@
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
# eg jdk8u60-b27 -> b27
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease 2
+%global rpmrelease 3
# Define milestone (EA for pre-releases, GA ("fcs") for releases)
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -356,8 +372,7 @@
# as to why some libraries *cannot* be excluded. In particular,
# these are:
# libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so
-%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
-
+%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*%{jpeg_lib}|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
%global __provides_exclude ^(%{_privatelibs})$
%global __requires_exclude ^(%{_privatelibs})$
@@ -781,6 +796,7 @@ exit 0
%{_jvmdir}/%{jrelnk -- %{?1}}
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security
%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts
+%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts.upstream
%dir %{_jvmdir}/%{jredir -- %{?1}}
%dir %{_jvmdir}/%{jredir -- %{?1}}/bin
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib
@@ -863,7 +879,11 @@ exit 0
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjaas_unix.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava_crw_demo.so
+%if %{system_libs}
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjavajpeg.so
+%else
+%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjpeg.so
+%endif
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjdwp.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsdt.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsig.so
@@ -904,6 +924,7 @@ exit 0
%{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar
%{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties
%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat
+%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat.upstream
%{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar
%{_jvmdir}/%{jredir -- %{?1}}/lib/management/*
%{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/*
@@ -1104,9 +1125,8 @@ Provides: java%{?1} = %{epoch}:%{javaver}
Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/
Requires: javapackages-filesystem
-# Require zoneinfo data provided by tzdata-java subpackage.
-# 2022a required as of JDK-8283350 in 8u342
-Requires: tzdata-java >= 2022a
+# 2022g required as of JDK-8297804
+Requires: tzdata-java >= 2022g
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1303,6 +1323,9 @@ Source16: CheckVendor.java
# nss fips configuration file
Source17: nss.fips.cfg.in
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
+
Source20: repackReproduciblePolycies.sh
# New versions of config files with aarch64 support. This is not upstream yet.
@@ -1361,8 +1384,6 @@ Patch1001: fips-8u-%{fipsver}.patch
#############################################
# PR2737: Allow multiple initialization of PKCS11 libraries
Patch5: pr2737-allow_multiple_pkcs11_library_initialisation_to_be_a_non_critical_error.patch
-# PR2095, RH1163501: 2048-bit DH upper bound too small for Fedora infrastructure (sync with IcedTea 2.x)
-Patch504: rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch
# Turn off strict overflow on IndicRearrangementProcessor{,2}.cpp following 8140543: Arrange font actions
Patch512: rh1649664-awt2dlibraries_compiled_with_no_strict_overflow.patch
# RH1337583, PR2974: PKCS#10 certificate requests now use CRLF line endings rather than system line endings
@@ -1422,14 +1443,12 @@ Patch202: jdk8035341-allow_using_system_installed_libpng.patch
# 8042159: Allow using a system-installed lcms2
Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch
Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch
-# JDK-8195607, PR3776, RH1760437: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1
-Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch
# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
Patch581: jdk8257794-remove_broken_assert.patch
#############################################
#
-# Patches appearing in 8u332
+# Patches appearing in 8u362
#
# This section includes patches which are present
# in the listed OpenJDK 8u release and should be
@@ -1480,12 +1499,8 @@ BuildRequires: desktop-file-utils
BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel
BuildRequires: freetype-devel
-BuildRequires: giflib-devel
BuildRequires: gcc-c++
BuildRequires: gdb
-BuildRequires: lcms2-devel
-BuildRequires: libjpeg-devel
-BuildRequires: libpng-devel
BuildRequires: libxslt
BuildRequires: libX11-devel
BuildRequires: libXext-devel
@@ -1508,8 +1523,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-# 2022a required as of JDK-8283350 in 8u342
-BuildRequires: tzdata-java >= 2022a
+# 2022g required as of JDK-8297804
+BuildRequires: tzdata-java >= 2022g
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1517,6 +1532,24 @@ BuildRequires: gcc >= 4.8.3-8
BuildRequires: systemtap-sdt-devel
%endif
+%if %{system_libs}
+BuildRequires: giflib-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h
+Provides: bundled(lcms2) = 2.10.0
+# Version in jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in jdk/src/share/native/sun/awt/libpng/png.h
+Provides: bundled(libpng) = 1.6.37
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
# this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder
%{java_rpo %{nil}}
@@ -1805,14 +1838,18 @@ cp %{SOURCE101} %{top_level_dir_name}/common/autoconf/build-aux/
# OpenJDK patches
+%if %{system_libs}
# Remove libraries that are linked
sh %{SOURCE12}
+%endif
# System library fixes
+%if %{system_libs}
%patch201
%patch202
%patch203
%patch204
+%endif
%patch1
%patch3
@@ -1830,14 +1867,12 @@ sh %{SOURCE12}
# Upstreamable fixes
%patch502
-%patch504
%patch512
%patch523
%patch528
%patch571
%patch574
%patch112
-%patch580
%patch581
%patch113
@@ -1918,6 +1953,7 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file}
%build
+
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -1954,12 +1990,20 @@ function buildjdk() {
local buildjdk=${2}
local maketargets="${3}"
local debuglevel=${4}
+ local link_opt=${5}
local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name}
# Variable used in hs_err hook on build failures
local top_builddir_abs_path=$(pwd)/${outputdir}
echo "Using output directory: ${outputdir}";
+
+ if [ "x${link_opt}" = "xbundled" ] ; then
+ libc_link_opt="static";
+ else
+ libc_link_opt="dynamic";
+ fi
+
echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version
echo "Using make targets: ${maketargets}"
@@ -1990,12 +2034,14 @@ function buildjdk() {
--with-debug-level=${debuglevel} \
--disable-sysconf-nss \
--enable-unlimited-crypto \
- --with-zlib=system \
- --with-libjpeg=system \
- --with-giflib=system \
- --with-libpng=system \
- --with-lcms=system \
- --with-stdc++lib=dynamic \
+ --with-zlib=${link_opt} \
+ --with-giflib=${link_opt} \
+%if %{with system_libs}
+ --with-libjpeg=${link_opt} \
+ --with-libpng=${link_opt} \
+ --with-lcms=${link_opt} \
+%endif
+ --with-stdc++lib=${libc_link_opt} \
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
--with-extra-cflags="$EXTRA_CFLAGS" \
--with-extra-asflags="$EXTRA_ASFLAGS" \
@@ -2064,8 +2110,13 @@ function installjdk() {
${imagepath}/jre/lib/security/java.security
# Use system-wide tzdata
- rm ${imagepath}/jre/lib/tzdb.dat
- ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat
+ mv ${imagepath}/jre/lib/tzdb.dat{,.upstream}
+ ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat
+
+ # Rename OpenJDK cacerts database
+ mv ${imagepath}/jre/lib/security/cacerts{,.upstream}
+ # Install cacerts symlink needed by some apps which hard-code the path
+ ln -sv %{cacerts_file} ${imagepath}/jre/lib/security
# add alt-java man page
pushd ${imagepath}
@@ -2101,6 +2152,7 @@ builddir=%{buildoutputdir -- $suffix}
bootbuilddir=boot${builddir}
installdir=%{installoutputdir -- $suffix}
bootinstalldir=boot${installdir}
+link_opt="%{link_type}"
# Debug builds don't need same targets as release for
# build speed-up. We also avoid bootstrapping these
@@ -2114,13 +2166,13 @@ else
fi
if ${run_bootstrap} ; then
- buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild}
+ buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
installjdk ${bootbuilddir} ${bootinstalldir}
- buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild}
+ buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
%{!?with_artifacts:rm -rf ${bootinstalldir}}
else
- buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild}
+ buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
fi
@@ -2151,10 +2203,6 @@ export SEC_DEBUG="-Djava.security.debug=properties"
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
-# Check correct vendor values have been set
-$JAVA_HOME/bin/javac -d . %{SOURCE16}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url}
-
# Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@@ -2165,6 +2213,13 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url}
+
+# Check translations are available for new timezones
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
# Check debug symbols are present and can identify code
find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib
@@ -2635,6 +2690,65 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Jan 13 2023 Andrew Hughes - 1:1.8.0.362.b08-3
+- Update to shenandoah-jdk8u352-b08 (GA)
+- Update release notes for shenandoah-8u352-b08.
+- Fix broken links and missing release notes in older releases.
+- Drop RH1163501 patch which is not upstream or in 11, 17 & 19 packages and seems obsolete
+ - Patch was broken by inclusion of "JDK-8293554: Enhanced DH Key Exchanges"
+ - Patch was added for a specific corner case of a 4096-bit DH key on a Fedora host that no longer exists
+ - Fedora now appears to be using RSA and the JDK now supports ECC in preference to large DH keys
+- Resolves: rhbz#2160111
+
+* Wed Jan 11 2023 Andrew Hughes - 1:1.8.0.362.b07-0.3.ea
+- Update to shenandoah-jdk8u362-b07 (EA)
+- Update release notes for shenandoah-8u362-b07.
+- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
+- Drop tzdata patches for 2022d & 2022e (JDK-8294357 & JDK-8295173) which are now upstream
+- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
+- Drop JDK-8255559/RH2124390 patch which is now upstream
+- Resolves: rhbz#2150193
+
+* Tue Jan 10 2023 Andrew Hughes - 1:1.8.0.362.b01-0.3.ea
+- Update to shenandoah-jdk8u362-b01 (EA)
+- Update release notes for shenandoah-8u362-b01.
+- Switch to EA mode for 8u362 pre-release builds.
+- Drop JDK-8195607/PR3776/RH1760437 now this is upstream
+- Related: rhbz#2150193
+
+* Thu Nov 10 2022 Andrew Hughes - 1:1.8.0.352.b08-3
+- Add backport of JDK-8255559 to fix file descriptor leak in XML code
+- Resolves: rhbz#2124390
+
+* Wed Oct 19 2022 Andrew Hughes - 1:1.8.0.352.b08-2
+- Update to shenandoah-jdk8u352-b08 (GA)
+- Update release notes for shenandoah-8u352-b08.
+- Switch to GA mode for final release.
+- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
+- Add test to ensure timezones can be translated
+- Resolves: rhbz#2133695
+
+* Wed Oct 12 2022 Andrew Hughes - 1:1.8.0.352.b07-0.2.ea
+- Update to shenandoah-jdk8u352-b07 (EA)
+- Update release notes for shenandoah-8u352-b07.
+- Switch to EA mode for 8u352 pre-release builds.
+- Rebase FIPS patch against 8u352-b07
+- Resolves: rhbz#2130612
+
+* Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-5
+- Switch to static builds, reducing system dependencies and making build more portable
+- Resolves: rhbz#2048542
+
+* Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-4
+- Sync system cacerts support with RHEL 9, disabling using -Dsecurity.systemCACerts=
+- Move cacerts replacement to install section and retain original of this and tzdb.dat
+- Related: rhbz#2055274
+
+* Mon Aug 29 2022 Stephan Bergmann - 1:1.8.0.345.b01-3
+- Disable copy-jdk-configs for Flatpak builds
+- Fix flatpak builds by exempting them from bootstrap
+- Resolves: rhbz#2102733
+
* Wed Aug 03 2022 Andrew Hughes - 1:1.8.0.345.b01-2
- Update to shenandoah-jdk8u345-b01 (GA)
- Update release notes for 8u345-b01.