From 1f775fe62ef5fcd6010a9bacdae5eb88fbfc160d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Mar 2023 11:06:10 +0000 Subject: [PATCH] import java-1.8.0-openjdk-1.8.0.362.b08-3.el8 --- .gitignore | 2 +- .java-1.8.0-openjdk.metadata | 2 +- SOURCES/NEWS | 357 +++++++++++++++++- SOURCES/TestSecurityProperties.java | 17 + SOURCES/TestTranslations.java | 160 ++++++++ ...f0ff74.patch => fips-8u-6d1aade0648.patch} | 18 +- ...r3776-rh1760437-nss_sqlite_db_config.patch | 125 ------ ...888-rh2055274-support_system_cacerts.patch | 173 +++++---- ...frastructure_in_dhparametergenerator.patch | 66 ---- SPECS/java-1.8.0-openjdk.spec | 188 +++++++-- 10 files changed, 791 insertions(+), 317 deletions(-) create mode 100644 SOURCES/TestTranslations.java rename SOURCES/{fips-8u-8e8bbf0ff74.patch => fips-8u-6d1aade0648.patch} (99%) delete mode 100644 SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch delete mode 100644 SOURCES/rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch diff --git a/.gitignore b/.gitignore index ccfc525..013fe09 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz +SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index 493f497..8f03300 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -d02d3af23d61532c9695fb83f73126ab0b82f5d1 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz +71e5a111b66d7a8e4234d35117e0fd663d39f9ce SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index a45c520..b87597c 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,359 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u362 (2023-01-17): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk8u362 + * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u362.html + +* CVEs + - CVE-2023-21830 + - CVE-2023-21843 +* Security fixes + - JDK-8285021: Improve CORBA communication + - JDK-8286496: Improve Thread labels + - JDK-8288516: Enhance font creation + - JDK-8289350: Better media supports + - JDK-8293554: Enhanced DH Key Exchanges + - JDK-8293598: Enhance InetAddress address handling + - JDK-8293717: Objective view of ObjectView + - JDK-8293734: Improve BMP image handling + - JDK-8293742: Better Banking of Sounds + - JDK-8295687: Better BMP bounds +* Other changes + - JDK-6885993: Named Thread: introduce print() and print_on(outputStream* st) methods + - JDK-7124218: [TEST_BUG] [macosx] Space should select cell in the JTable + - JDK-8054066: com/sun/jdi/DoubleAgentTest.java fails with timeout + - JDK-8067941: [TESTBUG] Fix tests for OS with 64K page size. + - JDK-8071530: Update OS detection code to reflect Windows 10 version change + - JDK-8073464: GC workers do not have thread names + - JDK-8079255: [TEST_BUG] [macosx] Test closed/java/awt/Robot/RobotWheelTest/RobotWheelTest fails for Mac only + - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails + - JDK-8148005: One byte may be corrupted by get_datetime_string() + - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java + - JDK-8159720: Failure of C2 compilation with tiered prevents some C1 compilations + - JDK-8195607: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1 + - JDK-8197859: VS2017 Complains about UINTPTR_MAX definition in globalDefinitions_VisCPP.hpp + - JDK-8206456: [TESTBUG] docker jtreg tests fail on systems without cpuset.effective_cpus / cpuset.effective_mems + - JDK-8221529: [TESTBUG] Docker tests use old/deprecated image on AArch64 + - JDK-8224506: [TESTBUG] TestDockerMemoryMetrics.java fails with exitValue = 137 + - JDK-8233551: [TESTBUG] SelectEditTableCell.java fails on MacOS + - JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows + - JDK-8253702: BigSur version number reported as 10.16, should be 11.nn + - JDK-8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI() + - JDK-8265527: tools/javac/diags/CheckExamples.java fails after JDK-8078024 8u backport + - JDK-8269039: Disable SHA-1 Signed JARs + - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0 + - JDK-8270344: Session resumption errors + - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity + - JDK-8273176: handle latest VS2019 in abstract_vm_version + - JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening + - JDK-8274840: Update OS detection code to recognize Windows 11 + - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled + - JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR + - JDK-8283277: ISO 4217 Amendment 171 Update + - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode + - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer + - JDK-8284622: Update versions of some Github Actions used in JDK workflow + - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled + - JDK-8288928: Incorrect GPL header in pnglibconf.h (backport of JDK-8185041) + - JDK-8289549: ISO 4217 Amendment 172 Update + - JDK-8292762: Remove .jcheck directories from jdk8u subcomponents + - JDK-8293181: Bump update version of OpenJDK: 8u362 + - JDK-8293461: Add a test for JDK-8290832 + - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening + - JDK-8294307: ISO 4217 Amendment 173 Update + - JDK-8294357: (tz) Update Timezone Data to 2022d + - JDK-8294863: Enable partial tier1 testing in GHA for JDK8 + - JDK-8295164: JDK 8 jdi tests should not use tasklist command on Windows + - JDK-8295173: (tz) Update Timezone Data to 2022e + - JDK-8295288: Some vm_flags tests associate with a wrong BugID + - JDK-8295714: GHA ::set-output is deprecated and will be removed + - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error + - JDK-8295915: Problemlist compiler/rtm failures specific to 8u + - JDK-8295950: Enable langtools/tier1 in GHA for 8u + - JDK-8296108: (tz) Update Timezone Data to 2022f + - JDK-8296239: ISO 4217 Amendment 174 Update + - JDK-8296555: Enable hotspot/tier1 for 64-bit builds in GHA for 8u + - JDK-8296715: CLDR v42 update for tzdata 2022f + - JDK-8296959: Fix hotspot shell tests of 8u on multilib systems + - JDK-8297141: Fix hotspot/test/runtime/SharedArchiveFile/DefaultUseWithClient.java for 8u + - JDK-8297804: (tz) Update Timezone Data to 2022g + - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR + - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java + +Notes on individual issues: +=========================== + +client-libs/javax.imageio: + +JDK-8295687: Better BMP bounds +============================== +Loading a linked ICC profile within a BMP image is now disabled by +default. To re-enable it, set the new system property +`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property +replaces the old property, +`sun.imageio.plugins.bmp.disableLinkedProfiles`. + +client-libs/javax.sound: + +JDK-8293742: Better Banking of Sounds +===================================== +Previously, the SoundbankReader implementation, +`com.sun.media.sound.JARSoundbankReader`, would download a JAR +soundbank from a URL. This behaviour is now disabled by default. To +re-enable it, set the new system property `jdk.sound.jarsoundbank` to +`true`. + +hotspot/runtime: + +JDK-8274840: Release Now Recognises Windows 11 +============================================== +This release now correctly sets the `os.name` property to `Windows +11`, as would be expected. + +other-libs/corba:idl: + +JDK-8285021: Improve CORBA communication +======================================== +The JDK's CORBA implementation now refuses by default to deserialize +objects, unless they have the "IOR:" prefix. The previous behaviour +can be re-enabled by setting the new property +`com.sun.CORBA.ORBAllowDeserializeObject` to `true`. + +security-libs/java.security: + +JDK-8269039: Disabled SHA-1 Signed JARs +======================================= +JARs signed with SHA-1 algorithms are now restricted by default and +treated as if they were unsigned. This applies to the algorithms used +to digest, sign, and optionally timestamp the JAR. It also applies to +the signature and digest algorithms of the certificates in the +certificate chain of the code signer and the Timestamp Authority, and +any CRLs or OCSP responses that are used to verify if those +certificates have been revoked. These restrictions also apply to +signed JCE providers. + +To reduce the compatibility risk for JARs that have been previously +timestamped, there is one exception to this policy: + +- Any JAR signed with SHA-1 algorithms and timestamped prior to + January 01, 2019 will not be restricted. + +This exception may be removed in a future JDK release. To determine if +your signed JARs are affected by this change, run: + +$ jarsigner -verify -verbose -certs` + +on the signed JAR, and look for instances of "SHA1" or "SHA-1" and +"disabled" and a warning that the JAR will be treated as unsigned in +the output. + +For example: + + Signed by "CN="Signer"" + Digest algorithm: SHA-1 (disabled) + Signature algorithm: SHA1withRSA (disabled), 2048-bit key + + WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property: + + jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01 + +JARs affected by these new restrictions should be replaced or +re-signed with stronger algorithms. + +Users can, *at their own risk*, remove these restrictions by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) and removing "SHA1 usage +SignedJAR & denyAfter 2019-01-01" from the +`jdk.certpath.disabledAlgorithms` security property and "SHA1 +denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security +property. + +New in release OpenJDK 8u352 (2022-10-18): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk8u352 + * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u352.txt + +* Security fixes + - JDK-8282252: Improve BigInteger/Decimal validation + - JDK-8285662: Better permission resolution + - JDK-8286511: Improve macro allocation + - JDK-8286519: Better memory handling + - JDK-8286526, CVE-2022-21619: Improve NTLM support + - JDK-8286533, CVE-2022-21626: Key X509 usages + - JDK-8286910, CVE-2022-21624: Improve JNDI lookups + - JDK-8286918, CVE-2022-21628: Better HttpServer service + - JDK-8288508: Enhance ECDSA usage +* Other changes + - JDK-7131823: bug in GIFImageReader + - JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate + - JDK-8028265: Add legacy tz tests to OpenJDK + - JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000] + - JDK-8049228: Improve multithreaded scalability of InetAddress cache + - JDK-8071507: (ref) Clear phantom reference as soft and weak references do + - JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation + - JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9 + - JDK-8136354: [TEST_BUG] Test java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script + - JDK-8139668: Generate README-build.html from markdown + - JDK-8143847: Remove REF_CLEANER reference category + - JDK-8147862: Null check too late in sun.net.httpserver.ServerImpl + - JDK-8150669: C1 intrinsic for Class.isPrimitive + - JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows + - JDK-8173339: AArch64: Fix minimum stack size computations + - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load + - JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing + - JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored + - JDK-8183107: PKCS11 regression regarding checkKeySize + - JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property + - JDK-8194873: right ALT key hotkeys no longer work in Swing components + - JDK-8201793: (ref) Reference object should not support cloning + - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount() + - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures. + - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit + - JDK-8235218: Minimal VM is broken after JDK-8173361 + - JDK-8235385: Crash on aarch64 JDK due to long offset + - JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles + - JDK-8254178: Remove .hgignore + - JDK-8254318: Remove .hgtags + - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version + - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*) + - JDK-8280963: Incorrect PrintFlags formatting on Windows + - JDK-8282538: PKCS11 tests fail on CentOS Stream 9 + - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee + - JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3 + - JDK-8285497: Add system property for Java SE specification maintenance version + - JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE + - JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11 + - JDK-8287521: Bump update version of OpenJDK: 8u352 + - JDK-8288763: Pack200 extraction failure with invalid size + - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses + - JDK-8290000: Bump macOS GitHub actions to macOS 11 + - JDK-8292579: (tz) Update Timezone Data to 2022c + - JDK-8292688: Support Security properties in security.testlibrary.Proc + +Notes on individual issues: +=========================== + +core-libs/java.lang: + +JDK-8201793: (ref) Reference object should not support cloning +============================================================== +`java.lang.ref.Reference::clone` method always throws +`CloneNotSupportedException`. `Reference` objects cannot be +meaningfully cloned. To create a new Reference object, call the +constructor to create a `Reference` object with the same referent and +reference queue instead. + +JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing +=============================================================================================== +`java.lang.ref.Reference.enqueue` method clears the reference object +before it is added to the registered queue. When the `enqueue` method +is called, the reference object is cleared and `get()` method will +return null in OpenJDK 8u352. + +Typically when a reference object is enqueued, it is expected that the +reference object is cleared explicitly via the `clear` method to avoid +memory leak because its referent is no longer referenced. In other +words the `get` method is expected not to be called in common cases +once the `enqueue`method is called. In the case when the `get` method +from an enqueued reference object and existing code attempts to access +members of the referent, `NullPointerException` may be thrown. Such +code will need to be updated. + +JDK-8071507: (ref) Clear phantom reference as soft and weak references do +========================================================================= +This enhancement changes phantom references to be automatically +cleared by the garbage collector as soft and weak references. + +An object becomes phantom reachable after it has been finalized. This +change may cause the phantom reachable objects to be GC'ed earlier - +previously the referent is kept alive until PhantomReference objects +are GC'ed or cleared by the application. This potential behavioral +change might only impact existing code that would depend on +PhantomReference being enqueued rather than when the referent be freed +from the heap. + +core-libs/java.net: + +JDK-8286918: Better HttpServer service +====================================== +The HttpServer can be optionally configured with a maximum connection +limit by setting the jdk.httpserver.maxConnections system property. A +value of 0 or a negative integer is ignored and considered to +represent no connection limit. In the case of a positive integer +value, any newly accepted connections will be first checked against +the current count of established connections and, if the configured +limit has been reached, then the newly accepted connection will be +closed immediately. + +core-libs/java.net: + +JDK-8286918: Better HttpServer service +====================================== +The HttpServer can be optionally configured with a maximum connection +limit by setting the jdk.httpserver.maxConnections system property. A +value of 0 or a negative integer is ignored and considered to +represent no connection limit. In the case of a positive integer +value, any newly accepted connections will be first checked against +the current count of established connections and, if the configured +limit has been reached, then the newly accepted connection will be +closed immediately. + +security-libs/javax.net.ssl: + +JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles +================================================================ +The TLSv1.3 implementation is now enabled by default for client roles +in 8u352. It has been enabled by default for server roles since 8u272. + +Note that TLS 1.3 is not directly compatible with previous +versions. Enabling it on the client may introduce compatibility issues +on either the server or the client side. Here are some more details on +potential compatibility issues that you should be aware of: + +* TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions + use a duplex-close policy. For applications that depend on the + duplex-close policy, there may be compatibility issues when + upgrading to TLS 1.3. + +* The signature_algorithms_cert extension requires that pre-defined + signature algorithms are used for certificate authentication. In + practice, however, an application may use non-supported signature + algorithms. + +* The DSA signature algorithm is not supported in TLS 1.3. If a server + is configured to only use DSA certificates, it cannot upgrade to TLS + 1.3. + +* The supported cipher suites for TLS 1.3 are not the same as TLS 1.2 + and prior versions. If an application hard-codes cipher suites which + are no longer supported, it may not be able to use TLS 1.3 without + modifying the application code. + +* The TLS 1.3 session resumption and key update behaviors are + different from TLS 1.2 and prior versions. The compatibility should + be minimal, but it could be a risk if an application depends on the + handshake details of the TLS protocols. + +The TLS 1.3 protocol can be disabled by using the jdk.tls.client.protocols +system property: + +java -Djdk.tls.client.protocols="TLSv1.2" ... + +Alternatively, an application can explicitly set the enabled protocols +with the javax.net.ssl APIs e.g. + +sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"}); + +or: + +SSLParameters params = sslSocket.getSSLParameters(); +params.setProtocols(new String[] {"TLSv1.2"}); +sslSocket.setSSLParameters(params); + New in release OpenJDK 8u345 (2022-08-01): =========================================== Live versions of these release notes can be found at: @@ -32,7 +385,7 @@ versions of OpenJDK 8. As a result, we have reverted this change in New in release OpenJDK 8u342 (2022-07-19): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk8u342 + * https://bit.ly/openjdk8u342 * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u342.txt * Security fixes @@ -212,7 +565,7 @@ Live versions of these release notes can be found at: New in release OpenJDK 8u322 (2022-01-18): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk8u322 + * https://bit.ly/openjdk8u322 * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u322.txt * Security fixes diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java index 552bd0f..2967a32 100644 --- a/SOURCES/TestSecurityProperties.java +++ b/SOURCES/TestSecurityProperties.java @@ -1,3 +1,20 @@ +/* TestSecurityProperties -- Ensure system security properties can be used to + enable the crypto policies. + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ import java.io.File; import java.io.FileInputStream; import java.security.Security; diff --git a/SOURCES/TestTranslations.java b/SOURCES/TestTranslations.java new file mode 100644 index 0000000..199d765 --- /dev/null +++ b/SOURCES/TestTranslations.java @@ -0,0 +1,160 @@ +/* TestTranslations -- Ensure translations are available for new timezones + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.text.DateFormatSymbols; + +import java.time.ZoneId; +import java.time.format.TextStyle; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import java.util.Locale; +import java.util.Objects; +import java.util.TimeZone; + +public class TestTranslations { + + private static Map KYIV, CIUDAD_JUAREZ; + + static { + Map map = new HashMap(); + map.put(Locale.US, new String[] { "Eastern European Time", "GMT+02:00", "EET", + "Eastern European Summer Time", "GMT+03:00", "EEST", + "Eastern European Time", "GMT+02:00", "EET"}); + map.put(Locale.FRANCE, new String[] { "Heure d'Europe de l'Est", "UTC+02:00", "EET", + "Heure d'\u00e9t\u00e9 d'Europe de l'Est", "UTC+03:00", "EEST", + "Heure d'Europe de l'Est", "UTC+02:00", "EET"}); + map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Zeit", "OEZ", "OEZ", + "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ", + "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"}); + KYIV = Collections.unmodifiableMap(map); + + map = new HashMap(); + map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST", + "Mountain Daylight Time", "MDT", "MDT", + "Mountain Time", "MT", "MT"}); + map.put(Locale.FRANCE, new String[] { "Heure normale des Rocheuses", "UTC\u221207:00", "MST", + "Heure avanc\u00e9e des Rocheuses", "UTC\u221206:00", "MDT", + "Rocheuses", "UTC\u221207:00", "MT"}); + map.put(Locale.GERMANY, new String[] { "Rocky Mountains Normalzeit", "GMT-07:00", "MST", + "Rocky Mountains Sommerzeit", "GMT-06:00", "MDT", + "Zeitzone Mountain", "GMT-07:00", "MT"}); + CIUDAD_JUAREZ = Collections.unmodifiableMap(map); + } + + + public static void main(String[] args) { + if (args.length < 1) { + System.err.println("Test must be started with the name of the locale provider."); + System.exit(1); + } + + System.out.println("Checking sanity of full zone string set..."); + boolean invalid = Arrays.stream(Locale.getAvailableLocales()) + .peek(l -> System.out.println("Locale: " + l)) + .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings()) + .flatMap(zs -> Arrays.stream(zs)) + .flatMap(names -> Arrays.stream(names)) + .filter(name -> Objects.isNull(name) || name.isEmpty()) + .findAny() + .isPresent(); + if (invalid) { + System.err.println("Zone string for a locale returned null or empty string"); + System.exit(2); + } + + String localeProvider = args[0]; + testZone(localeProvider, KYIV, + new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }); + testZone(localeProvider, CIUDAD_JUAREZ, + new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" }); + } + + private static void testZone(String localeProvider, Map exp, String[] ids) { + for (Locale l : exp.keySet()) { + String[] expected = exp.get(l); + System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected)); + for (String id : ids) { + String expectedShortStd = null; + String expectedShortDST = null; + String expectedShortGen = null; + + System.out.printf("Checking locale %s for %s...\n", l, id); + + if ("JRE".equals(localeProvider)) { + expectedShortStd = expected[2]; + expectedShortDST = expected[5]; + expectedShortGen = expected[8]; + } else if ("CLDR".equals(localeProvider)) { + expectedShortStd = expected[1]; + expectedShortDST = expected[4]; + expectedShortGen = expected[7]; + } else { + System.err.printf("Invalid locale provider %s\n", localeProvider); + System.exit(3); + } + System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n", + localeProvider, expectedShortStd, expectedShortDST, expectedShortGen); + + String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l); + String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l); + String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l); + String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l); + String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l); + String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l); + + if (!expected[0].equals(longStd)) { + System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", + id, l, longStd, expected[0]); + System.exit(4); + } + + if (!expectedShortStd.equals(shortStd)) { + System.err.printf("Short standard display name for %s in %s was %s, expected %s\n", + id, l, shortStd, expectedShortStd); + System.exit(5); + } + + if (!expected[3].equals(longDST)) { + System.err.printf("Long DST display name for %s in %s was %s, expected %s\n", + id, l, longDST, expected[3]); + System.exit(6); + } + + if (!expectedShortDST.equals(shortDST)) { + System.err.printf("Short DST display name for %s in %s was %s, expected %s\n", + id, l, shortDST, expectedShortDST); + System.exit(7); + } + + if (!expected[6].equals(longGen)) { + System.err.printf("Long generic display name for %s in %s was %s, expected %s\n", + id, l, longGen, expected[6]); + System.exit(8); + } + + if (!expectedShortGen.equals(shortGen)) { + System.err.printf("Short generic display name for %s in %s was %s, expected %s\n", + id, l, shortGen, expectedShortGen); + System.exit(9); + } + } + } + } +} diff --git a/SOURCES/fips-8u-8e8bbf0ff74.patch b/SOURCES/fips-8u-6d1aade0648.patch similarity index 99% rename from SOURCES/fips-8u-8e8bbf0ff74.patch rename to SOURCES/fips-8u-6d1aade0648.patch index 2379d45..58ab6e5 100644 --- a/SOURCES/fips-8u-8e8bbf0ff74.patch +++ b/SOURCES/fips-8u-6d1aade0648.patch @@ -11,7 +11,7 @@ index 151e5a109f8..a8761b500e0 100644 LIB_SETUP_ON_WINDOWS diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh -index e77ce854dc5..ec6e9b27ca5 100644 +index 71fabf4dbb3..17f4f50673d 100644 --- a/common/autoconf/generated-configure.sh +++ b/common/autoconf/generated-configure.sh @@ -651,6 +651,9 @@ LLVM_CONFIG @@ -124,7 +124,7 @@ index e77ce854dc5..ec6e9b27ca5 100644 # # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -@@ -49290,6 +49351,157 @@ fi +@@ -49304,6 +49365,157 @@ fi LIBS="$save_LIBS" @@ -1532,7 +1532,7 @@ index ffee2c1603b..98119479823 100644 "FIPS mode: KeyStore must be " + "from provider " + SunJSSE.cryptoProvider.getName()); diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java -index cd0e9e98df9..fba760187c0 100644 +index 820e10164fc..6fe2c29389f 100644 --- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java +++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java @@ -31,6 +31,7 @@ import java.security.*; @@ -1627,8 +1627,8 @@ index cd0e9e98df9..fba760187c0 100644 + }; + } return new ProtocolVersion[]{ + ProtocolVersion.TLS13, ProtocolVersion.TLS12, - ProtocolVersion.TLS11, diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java index 2845dc37938..52337a7b6cf 100644 --- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java @@ -1659,7 +1659,7 @@ index 2845dc37938..52337a7b6cf 100644 "sun.security.ssl.SSLContextImpl$TLSContext"); if (isfips == false) { diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix -index d3d64b3facd..bfe0c593adb 100644 +index 7a93d4e6b59..681a24b905d 100644 --- a/jdk/src/share/lib/security/java.security-aix +++ b/jdk/src/share/lib/security/java.security-aix @@ -287,6 +287,13 @@ package.definition=sun.,\ @@ -1677,7 +1677,7 @@ index d3d64b3facd..bfe0c593adb 100644 # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux -index db610d4bfbb..9d1c8fe8a8e 100644 +index 145a84f94cf..789c19a8cba 100644 --- a/jdk/src/share/lib/security/java.security-linux +++ b/jdk/src/share/lib/security/java.security-linux @@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider @@ -1722,7 +1722,7 @@ index db610d4bfbb..9d1c8fe8a8e 100644 # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx -index a919ba3d5cd..19047c61097 100644 +index 35fa140d7a5..d4da666af3b 100644 --- a/jdk/src/share/lib/security/java.security-macosx +++ b/jdk/src/share/lib/security/java.security-macosx @@ -290,6 +290,13 @@ package.definition=sun.,\ @@ -1740,7 +1740,7 @@ index a919ba3d5cd..19047c61097 100644 # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris -index 86265ba5fb6..7eda556ae13 100644 +index f79ba37ddb9..300132384a1 100644 --- a/jdk/src/share/lib/security/java.security-solaris +++ b/jdk/src/share/lib/security/java.security-solaris @@ -288,6 +288,13 @@ package.definition=sun.,\ @@ -1758,7 +1758,7 @@ index 86265ba5fb6..7eda556ae13 100644 # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows -index 9b4bda23cbe..dfa1a669aa9 100644 +index d70503ce95f..64db5a5cd1e 100644 --- a/jdk/src/share/lib/security/java.security-windows +++ b/jdk/src/share/lib/security/java.security-windows @@ -290,6 +290,13 @@ package.definition=sun.,\ diff --git a/SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch b/SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch deleted file mode 100644 index ddab642..0000000 --- a/SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch +++ /dev/null @@ -1,125 +0,0 @@ -# HG changeset patch -# User mbalao -# Date 1529971845 -28800 -# Tue Jun 26 08:10:45 2018 +0800 -# Node ID e9c20b7250cd98d16a67f2a30b34284c2caa01dc -# Parent 9f1aa2e38d90dd60522237d7414af6bdcf03c4ff -8195607, PR3776: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1 -Reviewed-by: valeriep, weijun - -diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java -@@ -197,7 +197,7 @@ - - if (configDir != null) { - String configDirPath = null; -- String sqlPrefix = "sql:/"; -+ String sqlPrefix = "sql:"; - if (!configDir.startsWith(sqlPrefix)) { - configDirPath = configDir; - } else { -diff --git openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c -@@ -69,9 +69,14 @@ - int res = 0; - FPTR_Initialize initialize = - (FPTR_Initialize)findFunction(env, jHandle, "NSS_Initialize"); -+ #ifdef SECMOD_DEBUG -+ FPTR_GetError getError = -+ (FPTR_GetError)findFunction(env, jHandle, "PORT_GetError"); -+ #endif // SECMOD_DEBUG - unsigned int flags = 0x00; - const char *configDir = NULL; - const char *functionName = NULL; -+ const char *configFile = NULL; - - /* If we cannot initialize, exit now */ - if (initialize == NULL) { -@@ -97,13 +102,18 @@ - flags = 0x20; // NSS_INIT_OPTIMIZESPACE flag - } - -+ configFile = "secmod.db"; -+ if (configDir != NULL && strncmp("sql:", configDir, 4U) == 0) { -+ configFile = "pkcs11.txt"; -+ } -+ - /* - * If the NSS_Init function is requested then call NSS_Initialize to - * open the Cert, Key and Security Module databases, read only. - */ - if (strcmp("NSS_Init", functionName) == 0) { - flags = flags | 0x01; // NSS_INIT_READONLY flag -- res = initialize(configDir, "", "", "secmod.db", flags); -+ res = initialize(configDir, "", "", configFile, flags); - - /* - * If the NSS_InitReadWrite function is requested then call -@@ -111,7 +121,7 @@ - * read/write. - */ - } else if (strcmp("NSS_InitReadWrite", functionName) == 0) { -- res = initialize(configDir, "", "", "secmod.db", flags); -+ res = initialize(configDir, "", "", configFile, flags); - - /* - * If the NSS_NoDB_Init function is requested then call -@@ -137,6 +147,13 @@ - (*env)->ReleaseStringUTFChars(env, jConfigDir, configDir); - } - dprintf1("-res: %d\n", res); -+ #ifdef SECMOD_DEBUG -+ if (res == -1) { -+ if (getError != NULL) { -+ dprintf1("-NSS error: %d\n", getError()); -+ } -+ } -+ #endif // SECMOD_DEBUG - - return (res == 0) ? JNI_TRUE : JNI_FALSE; - } -diff --git openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h ---- openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h -+++ openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h -@@ -34,6 +34,10 @@ - const char *certPrefix, const char *keyPrefix, - const char *secmodName, unsigned int flags); - -+#ifdef SECMOD_DEBUG -+typedef int (*FPTR_GetError)(void); -+#endif //SECMOD_DEBUG -+ - // in secmod.h - //extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent, - // PRBool recurse); -diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt -new file mode 100644 ---- /dev/null -+++ openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt -@@ -0,0 +1,4 @@ -+library= -+name=NSS Internal PKCS #11 Module -+parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' -+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) -diff --git openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java -+++ openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java -@@ -55,7 +55,7 @@ - - DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb"; - if (useSqlite) { -- System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR); -+ System.setProperty("pkcs11test.nss.db", "sql:" + DBDIR); - } else { - System.setProperty("pkcs11test.nss.db", DBDIR); - } -@@ -67,6 +67,7 @@ - if (useSqlite) { - copyFile("key4.db", BASE, DBDIR); - copyFile("cert9.db", BASE, DBDIR); -+ copyFile("pkcs11.txt", BASE, DBDIR); - } else { - copyFile("secmod.db", BASE, DBDIR); - copyFile("key3.db", BASE, DBDIR); diff --git a/SOURCES/pr2888-rh2055274-support_system_cacerts.patch b/SOURCES/pr2888-rh2055274-support_system_cacerts.patch index 413ca99..1b88f2a 100644 --- a/SOURCES/pr2888-rh2055274-support_system_cacerts.patch +++ b/SOURCES/pr2888-rh2055274-support_system_cacerts.patch @@ -1,18 +1,16 @@ -commit c28417b0f421b80cd7efa339a3cce5609aafc880 -Author: Andrew John Hughes -Date: Mon Apr 18 20:04:49 2022 +0100 - - Support security.systemCACerts security property which can be disabled with -Djava.security.disableSystemCACerts=true - - PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts) - PR3575: System cacerts database handling should not affect jssecacerts - RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds - diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java -index e7b4763db53..4b38d1f9465 100644 +index e7b4763db53..e8ec8467e6a 100644 --- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java +++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java -@@ -68,7 +68,7 @@ final class TrustStoreManager { +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.cert.*; + import java.util.*; + import sun.security.action.*; ++import sun.security.tools.KeyStoreUtil; + import sun.security.validator.TrustStoreUtil; + + /** +@@ -68,7 +69,7 @@ final class TrustStoreManager { * The preference of the default trusted KeyStore is: * javax.net.ssl.trustStore * jssecacerts @@ -21,35 +19,29 @@ index e7b4763db53..4b38d1f9465 100644 */ private static final class TrustStoreDescriptor { private static final String fileSep = File.separator; -@@ -79,6 +79,11 @@ final class TrustStoreManager { - defaultStorePath + fileSep + "cacerts"; +@@ -76,7 +77,7 @@ final class TrustStoreManager { + GetPropertyAction.privilegedGetProperty("java.home") + + fileSep + "lib" + fileSep + "security"; + private static final String defaultStore = +- defaultStorePath + fileSep + "cacerts"; ++ KeyStoreUtil.getCacertsKeyStoreFile().getPath(); private static final String jsseDefaultStore = defaultStorePath + fileSep + "jssecacerts"; -+ /* Check system cacerts DB */ -+ private static final boolean systemStoreOff = -+ privilegedGetBooleanProperty("java.security.disableSystemCACerts"); -+ private static final String systemStore = (systemStoreOff ? defaultStore : -+ privilegedGetSecurityProperty("security.systemCACerts")); - // the trust store name - private final String storeName; -@@ -139,28 +144,35 @@ final class TrustStoreManager { +@@ -139,6 +140,10 @@ final class TrustStoreManager { String storePropPassword = System.getProperty( "javax.net.ssl.trustStorePassword", ""); + if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) { -+ SSLLogger.fine("System store disabled: " + systemStoreOff); -+ SSLLogger.fine("System store: " + systemStore); ++ SSLLogger.fine("Default store: " + defaultStore); + } + String temporaryName = ""; File temporaryFile = null; long temporaryTime = 0L; - if (!"NONE".equals(storePropName)) { +@@ -146,21 +151,22 @@ final class TrustStoreManager { String[] fileNames = -- new String[] {storePropName, defaultStore}; -+ new String[] {storePropName, -+ systemStore, defaultStore}; + new String[] {storePropName, defaultStore}; for (String fileName : fileNames) { - File f = new File(fileName); - if (f.isFile() && f.canRead()) { @@ -84,62 +76,69 @@ index e7b4763db53..4b38d1f9465 100644 } } } else { -@@ -390,4 +402,31 @@ final class TrustStoreManager { - return TrustStoreUtil.getTrustedCerts(ks); - } - } -+ -+ private static String privilegedGetSecurityProperty(final String prop) { -+ if (System.getSecurityManager() == null) { -+ return Security.getProperty(prop); -+ } else { -+ return AccessController.doPrivileged(new PrivilegedAction() { -+ @Override -+ public String run() { -+ return Security.getProperty(prop); -+ } -+ }); -+ } -+ } -+ -+ /** -+ * Returns {@code true} if the {@code System} property is present and set to @{code "true"}. -+ * -+ * @param prop the name of the property to check. -+ * @return true if the property is present and set to {@code "true"}. -+ */ -+ private static boolean privilegedGetBooleanProperty(final String prop) { -+ if (System.getSecurityManager() == null) { -+ return Boolean.getBoolean(prop); -+ } else { -+ return AccessController.doPrivileged(new GetBooleanAction(prop)); -+ } -+ } - } diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java -index fcc77786da1..639fc220b6b 100644 +index fcc77786da1..f554f83a8b4 100644 --- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java -@@ -34,6 +34,7 @@ import java.io.InputStreamReader; +@@ -33,7 +33,10 @@ import java.io.InputStreamReader; + import java.net.URL; ++import java.security.AccessController; import java.security.KeyStore; ++import java.security.PrivilegedAction; +import java.security.Security; import java.security.cert.X509Certificate; import java.text.Collator; -@@ -103,9 +104,18 @@ public class KeyStoreUtil { - throws Exception - { - String sep = File.separator; -- File file = new File(System.getProperty("java.home") + sep -- + "lib" + sep + "security" + sep -- + "cacerts"); +@@ -54,6 +57,33 @@ public class KeyStoreUtil { + + private static final String JKS = "jks"; + ++ private static final String PROP_NAME = "security.systemCACerts"; ++ ++ /** ++ * Returns the value of the security property propName, which can be overridden ++ * by a system property of the same name ++ * ++ * @param propName the name of the system or security property ++ * @return the value of the system or security property ++ */ ++ @SuppressWarnings("removal") ++ public static String privilegedGetOverridable(String propName) { ++ if (System.getSecurityManager() == null) { ++ return getOverridableProperty(propName); ++ } else { ++ return AccessController.doPrivileged((PrivilegedAction) () -> getOverridableProperty(propName)); ++ } ++ } ++ ++ private static String getOverridableProperty(String propName) { ++ String val = System.getProperty(propName); ++ if (val == null) { ++ return Security.getProperty(propName); ++ } else { ++ return val; ++ } ++ } ++ + /** + * Returns true if the certificate is self-signed, false otherwise. + */ +@@ -96,20 +126,38 @@ public class KeyStoreUtil { + } + } + ++ /** ++ * Returns the path to the cacerts DB ++ */ ++ public static File getCacertsKeyStoreFile() ++ { ++ String sep = File.separator; + File file = null; -+ /* Check system cacerts DB first */ -+ String systemDB = Security.getProperty("security.systemCACerts"); -+ boolean systemStoreOff = Boolean.getBoolean("java.security.disableSystemCACerts"); -+ if (!systemStoreOff && systemDB != null && !"".equals(systemDB)) { ++ /* Check system cacerts DB first, preferring system property over security property */ ++ String systemDB = privilegedGetOverridable(PROP_NAME); ++ if (systemDB != null && !"".equals(systemDB)) { + file = new File(systemDB); + } + if (file == null || !file.exists()) { @@ -147,9 +146,31 @@ index fcc77786da1..639fc220b6b 100644 + + "lib" + sep + "security" + sep + + "cacerts"); + } - if (!file.exists()) { - return null; - } ++ if (file.exists()) { ++ return file; ++ } ++ return null; ++ } ++ + /** + * Returns the keystore with the configured CA certificates. + */ + public static KeyStore getCacertsKeyStore() + throws Exception + { +- String sep = File.separator; +- File file = new File(System.getProperty("java.home") + sep +- + "lib" + sep + "security" + sep +- + "cacerts"); +- if (!file.exists()) { +- return null; +- } + KeyStore caks = null; ++ File file = getCacertsKeyStoreFile(); ++ if (file == null) { return null; } + try (FileInputStream fis = new FileInputStream(file)) { + caks = KeyStore.getInstance(JKS); + caks.load(fis, null); diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix index bfe0c593adb..093bc09bf95 100644 --- a/jdk/src/share/lib/security/java.security-aix diff --git a/SOURCES/rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch b/SOURCES/rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch deleted file mode 100644 index d9cbac4..0000000 --- a/SOURCES/rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch +++ /dev/null @@ -1,66 +0,0 @@ -diff --git a/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java b/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java ---- openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java -@@ -1,5 +1,6 @@ - /* - * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2014 Red Hat Inc. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -61,13 +62,13 @@ - - private static void checkKeySize(int keysize) - throws InvalidParameterException { -- boolean supported = ((keysize == 2048) || (keysize == 3072) || -+ boolean supported = ((keysize == 2048) || (keysize == 3072) || (keysize == 4096) || - ((keysize >= 512) && (keysize <= 1024) && ((keysize & 0x3F) == 0))); - - if (!supported) { - throw new InvalidParameterException( - "DH key size must be multiple of 64 and range " + -- "from 512 to 1024 (inclusive), or 2048, 3072. " + -+ "from 512 to 1024 (inclusive), or 2048, 3072, 4096. " + - "The specific key size " + keysize + " is not supported"); - } - } -diff --git a/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java b/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java ---- openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java -+++ openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java -@@ -1,5 +1,6 @@ - /* - * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2014 Red Hat Inc. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -58,7 +59,7 @@ - */ - private enum Sizes { - two56(256), three84(384), five12(512), seven68(768), ten24(1024), -- twenty48(2048); -+ twenty48(2048), forty96(4096); - - private final int intSize; - private final BigInteger bigIntValue; -@@ -130,6 +131,19 @@ - kp = kpg.generateKeyPair(); - checkKeyPair(kp, Sizes.twenty48, Sizes.five12); - -+ kpg.initialize(Sizes.forty96.getIntSize()); -+ kp = kpg.generateKeyPair(); -+ checkKeyPair(kp, Sizes.forty96, Sizes.twenty48); -+ -+ publicKey = (DHPublicKey)kp.getPublic(); -+ p = publicKey.getParams().getP(); -+ g = publicKey.getParams().getG(); -+ -+ // test w/ all values specified -+ kpg.initialize(new DHParameterSpec(p, g, Sizes.ten24.getIntSize())); -+ kp = kpg.generateKeyPair(); -+ checkKeyPair(kp, Sizes.forty96, Sizes.ten24); -+ - System.out.println("OK"); - } - - diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index 9429248..36389b4 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -23,6 +23,8 @@ %bcond_with artifacts # Build a fresh libjvm.so for use in a copy of the bootstrap JDK %bcond_without fresh_libjvm +# Build with system libraries +%bcond_with system_libs # Define whether to use the bootstrap JDK directly or with a fresh libjvm.so %if %{with fresh_libjvm} @@ -31,6 +33,16 @@ %global build_hotspot_first 0 %endif +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global jpeg_lib |libjavajpeg[.]so.* +%else +%global system_libs 0 +%global link_type bundled +%global jpeg_lib |libjpeg[.]so.* +%endif + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 @@ -150,11 +162,15 @@ # Build and test slowdebug first as it provides the best diagnostics %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} +%if 0%{?flatpak} +%global bootstrap_build false +%else %ifarch %{bootstrap_arches} %global bootstrap_build true %else %global bootstrap_build false %endif +%endif %global bootstrap_targets images %global release_targets images docs-zip @@ -265,7 +281,7 @@ # New Version-String scheme-style defines %global majorver 8 -# Standard JPackage naming and versioning defines. +# Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK %global top_level_dir_name %{origin} @@ -297,7 +313,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u345-b01 +%global openjdk_revision jdk8u362-b08 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -306,7 +322,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop files %global icedteaver 3.15.0 # Define current Git revision for the FIPS support patches -%global fipsver 8e8bbf0ff74 +%global fipsver 6d1aade0648 # e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04 %global version_tag %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*}) @@ -316,7 +332,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 2 +%global rpmrelease 3 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -356,8 +372,7 @@ # as to why some libraries *cannot* be excluded. In particular, # these are: # libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so -%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.* - +%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*%{jpeg_lib}|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.* %global __provides_exclude ^(%{_privatelibs})$ %global __requires_exclude ^(%{_privatelibs})$ @@ -781,6 +796,7 @@ exit 0 %{_jvmdir}/%{jrelnk -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security %{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts +%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts.upstream %dir %{_jvmdir}/%{jredir -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}/bin %dir %{_jvmdir}/%{jredir -- %{?1}}/lib @@ -863,7 +879,11 @@ exit 0 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjaas_unix.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava_crw_demo.so +%if %{system_libs} %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjavajpeg.so +%else +%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjpeg.so +%endif %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjdwp.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsdt.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsig.so @@ -904,6 +924,7 @@ exit 0 %{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties %{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat +%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat.upstream %{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/management/* %{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/* @@ -1104,9 +1125,8 @@ Provides: java%{?1} = %{epoch}:%{javaver} Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ Requires: javapackages-filesystem -# Require zoneinfo data provided by tzdata-java subpackage. -# 2022a required as of JDK-8283350 in 8u342 -Requires: tzdata-java >= 2022a +# 2022g required as of JDK-8297804 +Requires: tzdata-java >= 2022g # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} @@ -1303,6 +1323,9 @@ Source16: CheckVendor.java # nss fips configuration file Source17: nss.fips.cfg.in +# Ensure translations are available for new timezones +Source18: TestTranslations.java + Source20: repackReproduciblePolycies.sh # New versions of config files with aarch64 support. This is not upstream yet. @@ -1361,8 +1384,6 @@ Patch1001: fips-8u-%{fipsver}.patch ############################################# # PR2737: Allow multiple initialization of PKCS11 libraries Patch5: pr2737-allow_multiple_pkcs11_library_initialisation_to_be_a_non_critical_error.patch -# PR2095, RH1163501: 2048-bit DH upper bound too small for Fedora infrastructure (sync with IcedTea 2.x) -Patch504: rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch # Turn off strict overflow on IndicRearrangementProcessor{,2}.cpp following 8140543: Arrange font actions Patch512: rh1649664-awt2dlibraries_compiled_with_no_strict_overflow.patch # RH1337583, PR2974: PKCS#10 certificate requests now use CRLF line endings rather than system line endings @@ -1422,14 +1443,12 @@ Patch202: jdk8035341-allow_using_system_installed_libpng.patch # 8042159: Allow using a system-installed lcms2 Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch -# JDK-8195607, PR3776, RH1760437: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1 -Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch # JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32 Patch581: jdk8257794-remove_broken_assert.patch ############################################# # -# Patches appearing in 8u332 +# Patches appearing in 8u362 # # This section includes patches which are present # in the listed OpenJDK 8u release and should be @@ -1480,12 +1499,8 @@ BuildRequires: desktop-file-utils BuildRequires: elfutils-devel BuildRequires: fontconfig-devel BuildRequires: freetype-devel -BuildRequires: giflib-devel BuildRequires: gcc-c++ BuildRequires: gdb -BuildRequires: lcms2-devel -BuildRequires: libjpeg-devel -BuildRequires: libpng-devel BuildRequires: libxslt BuildRequires: libX11-devel BuildRequires: libXext-devel @@ -1508,8 +1523,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3 %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2022a required as of JDK-8283350 in 8u342 -BuildRequires: tzdata-java >= 2022a +# 2022g required as of JDK-8297804 +BuildRequires: tzdata-java >= 2022g # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1517,6 +1532,24 @@ BuildRequires: gcc >= 4.8.3-8 BuildRequires: systemtap-sdt-devel %endif +%if %{system_libs} +BuildRequires: giflib-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +%else +# Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.1 +# Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h +Provides: bundled(lcms2) = 2.10.0 +# Version in jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in jdk/src/share/native/sun/awt/libpng/png.h +Provides: bundled(libpng) = 1.6.37 +# We link statically against libstdc++ to increase portability +BuildRequires: libstdc++-static +%endif + # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder %{java_rpo %{nil}} @@ -1805,14 +1838,18 @@ cp %{SOURCE101} %{top_level_dir_name}/common/autoconf/build-aux/ # OpenJDK patches +%if %{system_libs} # Remove libraries that are linked sh %{SOURCE12} +%endif # System library fixes +%if %{system_libs} %patch201 %patch202 %patch203 %patch204 +%endif %patch1 %patch3 @@ -1830,14 +1867,12 @@ sh %{SOURCE12} # Upstreamable fixes %patch502 -%patch504 %patch512 %patch523 %patch528 %patch571 %patch574 %patch112 -%patch580 %patch581 %patch113 @@ -1918,6 +1953,7 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file} %build + # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} @@ -1954,12 +1990,20 @@ function buildjdk() { local buildjdk=${2} local maketargets="${3}" local debuglevel=${4} + local link_opt=${5} local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name} # Variable used in hs_err hook on build failures local top_builddir_abs_path=$(pwd)/${outputdir} echo "Using output directory: ${outputdir}"; + + if [ "x${link_opt}" = "xbundled" ] ; then + libc_link_opt="static"; + else + libc_link_opt="dynamic"; + fi + echo "Checking build JDK ${buildjdk} is operational..." ${buildjdk}/bin/java -version echo "Using make targets: ${maketargets}" @@ -1990,12 +2034,14 @@ function buildjdk() { --with-debug-level=${debuglevel} \ --disable-sysconf-nss \ --enable-unlimited-crypto \ - --with-zlib=system \ - --with-libjpeg=system \ - --with-giflib=system \ - --with-libpng=system \ - --with-lcms=system \ - --with-stdc++lib=dynamic \ + --with-zlib=${link_opt} \ + --with-giflib=${link_opt} \ +%if %{with system_libs} + --with-libjpeg=${link_opt} \ + --with-libpng=${link_opt} \ + --with-lcms=${link_opt} \ +%endif + --with-stdc++lib=${libc_link_opt} \ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ --with-extra-cflags="$EXTRA_CFLAGS" \ --with-extra-asflags="$EXTRA_ASFLAGS" \ @@ -2064,8 +2110,13 @@ function installjdk() { ${imagepath}/jre/lib/security/java.security # Use system-wide tzdata - rm ${imagepath}/jre/lib/tzdb.dat - ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat + mv ${imagepath}/jre/lib/tzdb.dat{,.upstream} + ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat + + # Rename OpenJDK cacerts database + mv ${imagepath}/jre/lib/security/cacerts{,.upstream} + # Install cacerts symlink needed by some apps which hard-code the path + ln -sv %{cacerts_file} ${imagepath}/jre/lib/security # add alt-java man page pushd ${imagepath} @@ -2101,6 +2152,7 @@ builddir=%{buildoutputdir -- $suffix} bootbuilddir=boot${builddir} installdir=%{installoutputdir -- $suffix} bootinstalldir=boot${installdir} +link_opt="%{link_type}" # Debug builds don't need same targets as release for # build speed-up. We also avoid bootstrapping these @@ -2114,13 +2166,13 @@ else fi if ${run_bootstrap} ; then - buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} installjdk ${bootbuilddir} ${bootinstalldir} - buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} installjdk ${builddir} ${installdir} %{!?with_artifacts:rm -rf ${bootinstalldir}} else - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} installjdk ${builddir} ${installdir} fi @@ -2151,10 +2203,6 @@ export SEC_DEBUG="-Djava.security.debug=properties" $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false -# Check correct vendor values have been set -$JAVA_HOME/bin/javac -d . %{SOURCE16} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url} - # Check java launcher has no SSB mitigation if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi @@ -2165,6 +2213,13 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi %endif +# Check correct vendor values have been set +$JAVA_HOME/bin/javac -d . %{SOURCE16} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url} + +# Check translations are available for new timezones +$JAVA_HOME/bin/javac -d . %{SOURCE18} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE # Check debug symbols are present and can identify code find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib @@ -2635,6 +2690,65 @@ cjc.mainProgram(args) %endif %changelog +* Fri Jan 13 2023 Andrew Hughes - 1:1.8.0.362.b08-3 +- Update to shenandoah-jdk8u352-b08 (GA) +- Update release notes for shenandoah-8u352-b08. +- Fix broken links and missing release notes in older releases. +- Drop RH1163501 patch which is not upstream or in 11, 17 & 19 packages and seems obsolete + - Patch was broken by inclusion of "JDK-8293554: Enhanced DH Key Exchanges" + - Patch was added for a specific corner case of a 4096-bit DH key on a Fedora host that no longer exists + - Fedora now appears to be using RSA and the JDK now supports ECC in preference to large DH keys +- Resolves: rhbz#2160111 + +* Wed Jan 11 2023 Andrew Hughes - 1:1.8.0.362.b07-0.3.ea +- Update to shenandoah-jdk8u362-b07 (EA) +- Update release notes for shenandoah-8u362-b07. +- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804 +- Drop tzdata patches for 2022d & 2022e (JDK-8294357 & JDK-8295173) which are now upstream +- Update TestTranslations.java to test the new America/Ciudad_Juarez zone +- Drop JDK-8255559/RH2124390 patch which is now upstream +- Resolves: rhbz#2150193 + +* Tue Jan 10 2023 Andrew Hughes - 1:1.8.0.362.b01-0.3.ea +- Update to shenandoah-jdk8u362-b01 (EA) +- Update release notes for shenandoah-8u362-b01. +- Switch to EA mode for 8u362 pre-release builds. +- Drop JDK-8195607/PR3776/RH1760437 now this is upstream +- Related: rhbz#2150193 + +* Thu Nov 10 2022 Andrew Hughes - 1:1.8.0.352.b08-3 +- Add backport of JDK-8255559 to fix file descriptor leak in XML code +- Resolves: rhbz#2124390 + +* Wed Oct 19 2022 Andrew Hughes - 1:1.8.0.352.b08-2 +- Update to shenandoah-jdk8u352-b08 (GA) +- Update release notes for shenandoah-8u352-b08. +- Switch to GA mode for final release. +- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 +- Add test to ensure timezones can be translated +- Resolves: rhbz#2133695 + +* Wed Oct 12 2022 Andrew Hughes - 1:1.8.0.352.b07-0.2.ea +- Update to shenandoah-jdk8u352-b07 (EA) +- Update release notes for shenandoah-8u352-b07. +- Switch to EA mode for 8u352 pre-release builds. +- Rebase FIPS patch against 8u352-b07 +- Resolves: rhbz#2130612 + +* Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-5 +- Switch to static builds, reducing system dependencies and making build more portable +- Resolves: rhbz#2048542 + +* Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-4 +- Sync system cacerts support with RHEL 9, disabling using -Dsecurity.systemCACerts= +- Move cacerts replacement to install section and retain original of this and tzdb.dat +- Related: rhbz#2055274 + +* Mon Aug 29 2022 Stephan Bergmann - 1:1.8.0.345.b01-3 +- Disable copy-jdk-configs for Flatpak builds +- Fix flatpak builds by exempting them from bootstrap +- Resolves: rhbz#2102733 + * Wed Aug 03 2022 Andrew Hughes - 1:1.8.0.345.b01-2 - Update to shenandoah-jdk8u345-b01 (GA) - Update release notes for 8u345-b01.