Update to shenandoah-jdk8u392-b08 (GA)

Update release notes for shenandoah-8u392-b08.
Sync the copy of the portable specfile with the latest update
Update generate_tarball.sh to be closer to upstream vanilla script inc. no more ECC removal
Update bug URL for RHEL to point to the Red Hat customer portal
Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
Regenerate PR2462 patch following JDK-8315135
Bump version of bundled libpng to 1.6.39
Add backport of JDK-8312489 heading upstream for 8u402 (see OPENJDK-2095)
Add missing JFR, alt-java, jre-* and java-* alternative ghosts
Move jcmd to the headless package

** This tarball is embargoed until 2023-10-17 @ 1pm PT. **

- Resolves: RHEL-12210
- Resolves: RHEL-13579
- Resolves: RHEL-13580
- Resolves: RHEL-13581
- Resolves: RHEL-11315
- Resolves: RHEL-13585
- Resolves: RHEL-2381

.gitignore

@@ -287,3 +287,5 @@
 /openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b04-4curve.tar.xz
 /openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b05-4curve.tar.xz
 /openjdk-shenandoah-jdk8u-shenandoah-jdk8u392-b01.tar.xz
+/openjdk-shenandoah-jdk8u-shenandoah-jdk8u392-b07.tar.xz
+/openjdk-shenandoah-jdk8u-shenandoah-jdk8u392-b08.tar.xz

NEWS

@@ -8,18 +8,107 @@ New in release OpenJDK 8u392 (2023-10-17):
 Live versions of these release notes can be found at:
   * https://bit.ly/openjdk8u392
 
+* CVEs
+  - CVE-2023-22067
+  - CVE-2023-22081
+* Security fixes
+  - JDK-8286503, JDK-8312367: Enhance security classes
+  - JDK-8297856: Improve handling of Bidi characters
+  - JDK-8303384: Improved communication in CORBA
+  - JDK-8305815, JDK-8307278: Update Libpng to 1.6.39
+  - JDK-8309966: Enhanced TLS connections
 * Other changes
+  - JDK-6722928: Provide a default native GSS-API library on Windows
+  - JDK-8040887: [TESTBUG] Remove test/runtime/6925573/SortMethodsTest.java
+  - JDK-8042726: [TESTBUG] TEST.groups file was not updated after runtime/6925573/SortMethodsTest.java removal
   - JDK-8139348: Deprecate 3DES and RC4 in Kerberos
+  - JDK-8173072: zipfs fails to handle incorrect info-zip "extended timestamp extra field"
   - JDK-8200468: Port the native GSS-API bridge to Windows
+  - JDK-8202952: C2: Unexpected dead nodes after matching
   - JDK-8205399: Set node color on pinned HashMap.TreeNode deletion
+  - JDK-8209115: adjust libsplashscreen linux ppc64le builds for easier libpng update
+  - JDK-8214046: [macosx] Undecorated Frame does not Iconify when set to
+  - JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException
+  - JDK-8225687: Newly added sspi.cpp in JDK-6722928 still contains some small errors
+  - JDK-8232225: Rework the fix for JDK-8071483
+  - JDK-8242330: Arrays should be cloned in several JAAS Callback classes
   - JDK-8253269: The CheckCommonColors test should provide more info on failure
+  - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
+  - JDK-8284910: Buffer clean in PasswordCallback
+  - JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
+  - JDK-8287663: Add a regression test for JDK-8287073
+  - JDK-8295685: Update Libpng to 1.6.38
+  - JDK-8295894: Remove SECOM certificate that is expiring in September 2023
+  - JDK-8308788: [8u] Remove duplicate HaricaCA.java test
   - JDK-8309122: Bump update version of OpenJDK: 8u392
   - JDK-8309143: [8u] fix archiving inconsistencies in GHA
   - JDK-8310026: [8u] make java_lang_String::hash_code consistent across platforms
+  - JDK-8314960: Add Certigna Root CA - 2
+  - JDK-8315135: Memory leak in the native implementation of Pack200.Unpacker.unpack()
+  - JDK-8317040: Exclude cleaner test failing on older releases
 
 Notes on individual issues:
 ===========================
 
+other-libs/corba:idl:
+
+8303384: Improved communication in CORBA
+========================================
+The JDK's CORBA implementation now provides the option to limit
+serialisation in stub objects to those with the "IOR:" prefix.  For
+ORB constrained stub classes:
+
+* _DynArrayStub
+* _DynEnumStub
+* _DynFixedStub
+* _DynSequenceStub
+* _DynStructStub
+* _DynUnionStub
+* _DynValueStub
+* _DynAnyStub
+* _DynAnyFactoryStub
+
+this is enabled by default and may be disabled by setting the system
+property org.omg.DynamicAny.disableIORCheck to 'true'.
+
+For remote service stub classes:
+
+* _NamingContextStub
+* _BindingIteratorStub
+* _NamingContextExtStub
+* _ServantActivatorStub
+* _ServantLocatorStub
+* _ServerManagerStub
+* _ActivatorStub
+* _RepositoryStub
+* _InitialNameServiceStub
+* _LocatorStub
+* _ServerStub
+
+it is disabled by default and may be enabled by setting the system
+property org.omg.CORBA.IDL.Stubs.enableIORCheck to 'true'.
+
+security-libs/org.ietf.jgss:
+
+JDK-6722928: Added a Default Native GSS-API Library on Windows
+==============================================================
+
+A native GSS-API library named `sspi_bridge.dll` has been added to the
+JDK on the Windows platform.  As with native GSS-API library provision
+on other operating systems, it will only be loaded when the
+`sun.security.jgss.native` system property is set to "true". A user
+can still load a third-party native GSS-API library instead by setting
+the `sun.security.jgss.lib` system property to the appropriate path.
+
+The library is client-side only and uses the default credentials.
+Native GSS support automatically uses cached credentials from the
+underlying operating system, so the
+`javax.security.auth.useSubjectCredsOnly` system property should be
+set to false.
+
+The `com.sun.security.auth.module.Krb5LoginModule` does not call
+native JGSS and so its use in your JAAS config should be avoided.
+
 security-libs/org.ietf.jgss:krb5:
 
 JDK-8139348: Deprecate 3DES and RC4 in Kerberos
@@ -32,6 +121,34 @@ and `des-cbc-md5`) by setting `allow_weak_crypto = true` in the
 encryption types using the `default_tkt_enctypes`,
 `default_tgs_enctypes`, or `permitted_enctypes` settings.
 
+security-libs/java.security:
+
+JDK-8295894: Removed SECOM Trust System's RootCA1 Root Certificate
+==================================================================
+The following root certificate from SECOM Trust System has been
+removed from the `cacerts` keystore:
+
+Alias Name: secomscrootca1 [jdk]
+Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
+
+JDK-8314960: Added Certigna Root CA Certificate
+===============================================
+The following root certificate has been added to the cacerts
+truststore:
+
+Name: Certigna (Dhimyotis)
+Alias Name: certignarootca
+Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR
+
+security-libs/javax.security:
+
+JDK-8242330: Arrays should be cloned in several JAAS Callback classes
+=====================================================================
+In the JAAS classes, ChoiceCallback and ConfirmationCallback, arrays
+were not cloned when passed into a constructor or returned. This
+allowed an external program to get access to the internal fields of
+these classes. The classes have been updated to return cloned arrays.
+
 New in release OpenJDK 8u382 (2023-07-18):
 ===========================================
 Live versions of these release notes can be found at:

java-1.8.0-openjdk-portable.specfile

@@ -267,7 +267,7 @@
 # Define version of OpenJDK 8 used
 %global project openjdk
 %global repo shenandoah-jdk8u
-%global openjdk_revision jdk8u392-b01
+%global openjdk_revision jdk8u392-b08
 %global shenandoah_revision shenandoah-%{openjdk_revision}
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      3.15.0
@@ -597,6 +597,8 @@ Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch
 Patch581: jdk8257794-remove_broken_assert.patch
 # JDK-8186464, RH1433262: ZipFile cannot read some InfoZip ZIP64 zip files
 Patch12: jdk8186464-rh1433262-zip64_failure.patch
+# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
+Patch2000: jdk8312489-max_sig_default_increase.patch
 
 #############################################
 #
@@ -704,7 +706,7 @@ Provides: bundled(lcms2) = 2.10.0
 # Version in jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h
 Provides: bundled(libjpeg) = 6b
 # Version in jdk/src/share/native/sun/awt/libpng/png.h
-Provides: bundled(libpng) = 1.6.37
+Provides: bundled(libpng) = 1.6.39
 # We link statically against libstdc++ to increase portability
 BuildRequires: libstdc++-static
 %endif
@@ -867,6 +869,8 @@ pushd %{top_level_dir_name}
 %patch1000 -p1
 # system cacerts support
 %patch539 -p1
+# JDK-8312489 backport, proposed for 8u402: https://github.com/openjdk/jdk8u-dev/pull/381
+%patch2000 -p1
 popd
 
 # RPM-only fixes
@@ -1496,6 +1500,14 @@ done
 %{_jvmdir}/%{miscportablearchive}.sha256sum
 
 %changelog
+* Wed Oct 11 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.392.b08-1
+- Update to shenandoah-jdk8u392-b08 (GA)
+- Update release notes for shenandoah-8u392-b08.
+- Regenerate PR2462 patch following JDK-8315135
+- Bump version of bundled libpng to 1.6.39
+- Add backport of JDK-8312489 heading upstream for 8u402 (see OPENJDK-2095)
+- ** This tarball is embargoed until 2023-10-17 @ 1pm PT. **
+
 * Fri Sep 29 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.392.b01-1
 - Update to shenandoah-jdk8u392-b01 (GA)
 - Update release notes for shenandoah-8u392-b01.

java-1.8.0-openjdk.spec

@@ -102,8 +102,7 @@
 # similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
 %define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi )
 
-# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
-# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
+# Indicates whether this is the default JDK on this version of RHEL
 %global is_system_jdk 0
 
 %global aarch64         aarch64 arm64 armv8
@@ -306,9 +305,9 @@
 # Define version of OpenJDK 8 used
 %global project openjdk
 %global repo shenandoah-jdk8u
-%global openjdk_revision jdk8u392-b01
+%global openjdk_revision jdk8u392-b08
 %global shenandoah_revision shenandoah-%{openjdk_revision}
-# Define IcedTea version used for SystemTap tapsets and desktop file
+# Define IcedTea version used for SystemTap tapsets and desktop files
 %global icedteaver      3.15.0
 # Define current Git revision for the FIPS support patches
 %global fipsver 6d1aade0648
@@ -352,7 +351,7 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      1
+%global rpmrelease      2
 # Settings used by the portable build
 %global portablerelease 1
 %global portablesuffix el8
@@ -525,6 +524,7 @@ alternatives \\
   --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY  --family %{family} \\
   --slave %{_jvmdir}/jre jre %{_jvmdir}/%{jredir -- %{?1}} \\
   --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
+  --slave %{_bindir}/jcmd jcmd %{jrebindir -- %{?1}}/jcmd \\
   --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\
   --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\
   --slave %{_bindir}/orbd orbd %{jrebindir -- %{?1}}/orbd \\
@@ -539,6 +539,8 @@ alternatives \\
   %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\
   --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\
   %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\
+  --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\
+  %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\
   --slave %{_mandir}/man1/jjs.1$ext jjs.1$ext \\
   %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1$ext \\
   --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\
@@ -642,7 +644,6 @@ alternatives \\
   --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\
   --slave %{_bindir}/javah javah %{sdkbindir -- %{?1}}/javah \\
   --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\
-  --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\
   --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\
   --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\
   --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\
@@ -683,8 +684,6 @@ alternatives \\
   %{_mandir}/man1/javah-%{uniquesuffix -- %{?1}}.1$ext \\
   --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\
   %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\
-  --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\
-  %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\
   --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\
   %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\
   --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\
@@ -851,6 +850,7 @@ exit 0
 %dir %{_jvmdir}/%{jredir -- %{?1}}/lib
 %{_jvmdir}/%{jredir -- %{?1}}/bin/java
 %{_jvmdir}/%{jredir -- %{?1}}/bin/%{alt_java_name}
+%{_jvmdir}/%{jredir -- %{?1}}/bin/jcmd
 %{_jvmdir}/%{jredir -- %{?1}}/bin/jjs
 %{_jvmdir}/%{jredir -- %{?1}}/bin/keytool
 %{_jvmdir}/%{jredir -- %{?1}}/bin/orbd
@@ -883,6 +883,7 @@ exit 0
 %{_jvmdir}/%{jredir -- %{?1}}/lib/calendars.properties
 %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/orbd-%{uniquesuffix -- %{?1}}.1*
@@ -1002,11 +1003,13 @@ exit 0
 %ifarch %{jfr_arches}
 %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/jfr
 %endif
+# RHEL-11313; alternatives not owned by packages
 %if %is_system_jdk
 %if %{is_release_build -- %{?1}}
 %ghost %{_bindir}/java
 %ghost %{_jvmdir}/jre
-# https://bugzilla.redhat.com/show_bug.cgi?id=1312019
+%ghost %{_bindir}/%{alt_java_name}
+%ghost %{_bindir}/jcmd
 %ghost %{_bindir}/jjs
 %ghost %{_bindir}/keytool
 %ghost %{_bindir}/orbd
@@ -1016,6 +1019,9 @@ exit 0
 %ghost %{_bindir}/servertool
 %ghost %{_bindir}/tnameserv
 %ghost %{_bindir}/unpack200
+%ghost %{_jvmdir}/jre-%{origin}
+%ghost %{_jvmdir}/jre-%{javaver}
+%ghost %{_jvmdir}/jre-%{javaver}-%{origin}
 %endif
 %endif
 }
@@ -1042,7 +1048,6 @@ exit 0
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/javah
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/java-rmi.cgi
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps
@@ -1103,7 +1108,6 @@ exit 0
 %{_mandir}/man1/javah-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1*
 %{_mandir}/man1/jhat-%{uniquesuffix -- %{?1}}.1*
@@ -1128,8 +1132,10 @@ exit 0
 %dir %{tapsetdir}
 %{tapsetdir}/*%{_arch}%{?1}.stp
 %endif
+# RHEL-11313; alternatives not owned by packages
 %if %is_system_jdk
 %if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/javac
 %ghost %{_jvmdir}/java
 %ghost %{_bindir}/appletviewer
 %ghost %{_bindir}/clhsdb
@@ -1138,16 +1144,13 @@ exit 0
 %ghost %{_bindir}/idlj
 %ghost %{_bindir}/jar
 %ghost %{_bindir}/jarsigner
-%ghost %{_bindir}/java
-%ghost %{_bindir}/java-rmi.cgi
-%ghost %{_bindir}/javac
 %ghost %{_bindir}/javadoc
 %ghost %{_bindir}/javah
 %ghost %{_bindir}/javap
-%ghost %{_bindir}/jcmd
 %ghost %{_bindir}/jconsole
 %ghost %{_bindir}/jdb
 %ghost %{_bindir}/jdeps
+%ghost %{_bindir}/jfr
 %ghost %{_bindir}/jhat
 %ghost %{_bindir}/jinfo
 %ghost %{_bindir}/jjs
@@ -1158,22 +1161,16 @@ exit 0
 %ghost %{_bindir}/jstack
 %ghost %{_bindir}/jstat
 %ghost %{_bindir}/jstatd
-%ghost %{_bindir}/keytool
 %ghost %{_bindir}/native2ascii
-%ghost %{_bindir}/orbd
-%ghost %{_bindir}/pack200
-%ghost %{_bindir}/policytool
 %ghost %{_bindir}/rmic
-%ghost %{_bindir}/rmid
-%ghost %{_bindir}/rmiregistry
 %ghost %{_bindir}/schemagen
 %ghost %{_bindir}/serialver
-%ghost %{_bindir}/servertool
-%ghost %{_bindir}/tnameserv
-%ghost %{_bindir}/unpack200
 %ghost %{_bindir}/wsgen
 %ghost %{_bindir}/wsimport
 %ghost %{_bindir}/xjc
+%ghost %{_jvmdir}/java-%{origin}
+%ghost %{_jvmdir}/java-%{javaver}
+%ghost %{_jvmdir}/java-%{javaver}-%{origin}
 %endif
 %endif
 }
@@ -1565,6 +1562,8 @@ Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch
 Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch
 # JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
 Patch581: jdk8257794-remove_broken_assert.patch
+# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
+Patch2000: jdk8312489-max_sig_default_increase.patch
 
 #############################################
 #
@@ -1686,7 +1685,7 @@ Provides: bundled(lcms2) = 2.10.0
 # Version in jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h
 Provides: bundled(libjpeg) = 6b
 # Version in jdk/src/share/native/sun/awt/libpng/png.h
-Provides: bundled(libpng) = 1.6.37
+Provides: bundled(libpng) = 1.6.39
 %ifnarch %{portable_build_arches}
 # We link statically against libstdc++ to increase portability
 BuildRequires: libstdc++-static
@@ -1987,6 +1986,8 @@ pushd %{top_level_dir_name}
 %patch1000 -p1
 # cacerts patch; must follow FIPS patch as it also alters java.security
 %patch539 -p1
+# JDK-8312489 backport, proposed for 8u402: https://github.com/openjdk/jdk8u-dev/pull/381
+%patch2000 -p1
 popd
 
 # RPM-only fixes
@@ -2218,6 +2219,9 @@ function installjdk() {
         cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
         popd
 
+        # Move jcmd into the jre image (RHEL-12344)
+        mv ${imagepath}/bin/jcmd ${imagepath}/jre/bin
+
         # Print release information
         cat ${imagepath}/release
 
@@ -2876,6 +2880,27 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Tue Oct 10 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.392.b08-2
+- Update to shenandoah-jdk8u392-b08 (GA)
+- Update release notes for shenandoah-8u392-b08.
+- Sync the copy of the portable specfile with the latest update
+- Update generate_tarball.sh to be closer to upstream vanilla script inc. no more ECC removal
+- Update bug URL for RHEL to point to the Red Hat customer portal
+- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
+- Regenerate PR2462 patch following JDK-8315135
+- Bump version of bundled libpng to 1.6.39
+- Add backport of JDK-8312489 heading upstream for 8u402 (see OPENJDK-2095)
+- Add missing JFR, alt-java, jre-* and java-* alternative ghosts
+- Move jcmd to the headless package
+- ** This tarball is embargoed until 2023-10-17 @ 1pm PT. **
+- Resolves: RHEL-12210
+- Resolves: RHEL-13579
+- Resolves: RHEL-13580
+- Resolves: RHEL-13581
+- Resolves: RHEL-11315
+- Resolves: RHEL-13585
+- Resolves: RHEL-2381
+
 * Fri Sep 29 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.392.b01-1
 - Update to shenandoah-jdk8u392-b01 (GA)
 - Update release notes for shenandoah-8u392-b01.

jdk8312489-max_sig_default_increase.patch

@@ -0,0 +1,48 @@
+commit c38a36f124a7eb28920cc367cb01b67d973a55c0
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date:   Wed Oct 11 01:42:03 2023 +0100
+
+    Backport e47a84f23dd2608c6f5748093eefe301fb5bf750
+
+diff --git a/jdk/src/share/classes/java/util/jar/JarFile.java b/jdk/src/share/classes/java/util/jar/JarFile.java
+index a26dcc4a1c7..ac2e1c9d6a8 100644
+--- a/jdk/src/share/classes/java/util/jar/JarFile.java
++++ b/jdk/src/share/classes/java/util/jar/JarFile.java
+@@ -436,7 +436,9 @@ class JarFile extends ZipFile {
+                 throw new IOException("Unsupported size: " + uncompressedSize +
+                         " for JarEntry " + ze.getName() +
+                         ". Allowed max size: " +
+-                        SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes");
++                        SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes. " +
++                        "You can use the jdk.jar.maxSignatureFileSize " +
++                        "system property to increase the default value.");
+             }
+             int len = (int)uncompressedSize;
+             byte[] b = IOUtils.readAllBytes(is);
+diff --git a/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java b/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java
+index c335e964f63..afdfa406b92 100644
+--- a/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java
++++ b/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java
+@@ -855,16 +855,16 @@ public class SignatureFileVerifier {
+          * the maximum allowed number of bytes for the signature-related files
+          * in a JAR file.
+          */
+-        Integer tmp = AccessController.doPrivileged(new GetIntegerAction(
+-                "jdk.jar.maxSignatureFileSize", 8000000));
++        int tmp = AccessController.doPrivileged(new GetIntegerAction(
++                "jdk.jar.maxSignatureFileSize", 16000000));
+         if (tmp < 0 || tmp > MAX_ARRAY_SIZE) {
+             if (debug != null) {
+-                debug.println("Default signature file size 8000000 bytes " +
+-                        "is used as the specified size for the " +
+-                        "jdk.jar.maxSignatureFileSize system property " +
++                debug.println("The default signature file size of 16000000 bytes " +
++                        "will be used for the jdk.jar.maxSignatureFileSize " +
++                        "system property since the specified value " +
+                         "is out of range: " + tmp);
+             }
+-            tmp = 8000000;
++            tmp = 16000000;
+         }
+         return tmp;
+     }

pr2462-resolve_disabled_warnings_for_libunpack_and_the_unpack200_binary.patch

@@ -7,10 +7,11 @@
 8074839: Resolve disabled warnings for libunpack and the unpack200 binary
 Reviewed-by: dholmes, ksrini
 
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+diff --git openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+index bdaf95a2f6a..60c5b4f2a69 100644
+--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
 +++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
-@@ -63,7 +63,7 @@
+@@ -63,7 +63,7 @@ struct bytes {
      bytes res;
      res.ptr = ptr + beg;
      res.len = end - beg;
@@ -19,10 +20,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h openj
      return res;
    }
    // building C strings inside byte buffers:
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+diff --git openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+index 5fbc7261fb3..4c002e779d8 100644
+--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
 +++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
-@@ -292,7 +292,7 @@
+@@ -292,7 +292,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_getUnusedInput(JNIEnv *env, jobject
  
    if (uPtr->aborting()) {
      THROW_IOE(uPtr->get_abort_message());
@@ -31,16 +33,16 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp openj
    }
  
    // We have fetched all the files.
-@@ -310,7 +310,7 @@
- JNIEXPORT jlong JNICALL
- Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
-   unpacker* uPtr = get_unpacker(env, pObj, false);
+@@ -312,7 +312,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
+   // There's no need to create a new unpacker here if we don't already have one
+   // just to immediatly free it afterwards.
+   unpacker* uPtr = get_unpacker(env, pObj, /* noCreate= */ true);
 -  CHECK_EXCEPTION_RETURN_VALUE(uPtr, NULL);
 +  CHECK_EXCEPTION_RETURN_VALUE(uPtr, 0);
    size_t consumed = uPtr->input_consumed();
+   // free_unpacker() will set the unpacker field on 'pObj' to null
    free_unpacker(env, pObj, uPtr);
-   return consumed;
-@@ -320,6 +320,7 @@
+@@ -323,6 +323,7 @@ JNIEXPORT jboolean JNICALL
  Java_com_sun_java_util_jar_pack_NativeUnpack_setOption(JNIEnv *env, jobject pObj,
                                         jstring pProp, jstring pValue) {
    unpacker*   uPtr  = get_unpacker(env, pObj);
@@ -48,10 +50,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp openj
    const char* prop  = env->GetStringUTFChars(pProp, JNI_FALSE);
    CHECK_EXCEPTION_RETURN_VALUE(prop, false);
    const char* value = env->GetStringUTFChars(pValue, JNI_FALSE);
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+diff --git openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+index 6fbc43a18ae..722c8baaff0 100644
+--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
 +++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
-@@ -142,31 +142,28 @@
+@@ -142,31 +142,28 @@ static const char* nbasename(const char* progname) {
    return progname;
  }
  
@@ -101,10 +104,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp open
    }
  }
  
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+diff --git openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+index 56f391b1e87..f0a25f8cd20 100644
+--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
 +++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
-@@ -222,9 +222,9 @@
+@@ -225,9 +225,9 @@ struct entry {
    }
  
  #ifdef PRODUCT
@@ -116,7 +120,7 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp op
  #endif
  };
  
-@@ -715,13 +715,13 @@
+@@ -718,13 +718,13 @@ void unpacker::read_file_header() {
    // Now we can size the whole archive.
    // Read everything else into a mega-buffer.
    rp = hdr.rp;
@@ -134,7 +138,7 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp op
        abort("EOF reading fixed input buffer");
        return;
      }
-@@ -735,7 +735,7 @@
+@@ -738,7 +738,7 @@ void unpacker::read_file_header() {
        return;
      }
      input.set(U_NEW(byte, add_size(header_size_0, archive_size, C_SLOP)),
@@ -143,7 +147,7 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp op
      CHECK;
      assert(input.limit()[0] == 0);
      // Move all the bytes we read initially into the real buffer.
-@@ -958,13 +958,13 @@
+@@ -961,13 +961,13 @@ void cpool::init(unpacker* u_, int counts[CONSTANT_Limit]) {
    nentries = next_entry;
  
    // place a limit on future CP growth:
@@ -159,7 +163,7 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp op
  
    // Note that this CP does not include "empty" entries
    // for longs and doubles.  Those are introduced when
-@@ -982,8 +982,9 @@
+@@ -985,8 +985,9 @@ void cpool::init(unpacker* u_, int counts[CONSTANT_Limit]) {
    }
  
    // Initialize *all* our entries once
@@ -170,7 +174,7 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp op
  
    initGroupIndexes();
    // Initialize hashTab to a generous power-of-two size.
-@@ -3677,21 +3678,22 @@
+@@ -3681,21 +3682,22 @@ void cpool::computeOutputIndexes() {
  
  unpacker* debug_u;
  
@@ -197,7 +201,7 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp op
    case CONSTANT_Signature:
      if (value.b.ptr == null)
        return ref(0)->string();
-@@ -3711,26 +3713,28 @@
+@@ -3715,26 +3717,28 @@ char* entry::string() {
      break;
    default:
      if (nrefs == 0) {
@@ -235,10 +239,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp op
  }
  
  void print_cp_entries(int beg, int end) {
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+diff --git openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+index cec7a88b24e..ed5f3336a59 100644
+--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
 +++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
-@@ -209,7 +209,7 @@
+@@ -209,7 +209,7 @@ struct unpacker {
    byte*     rp;          // read pointer (< rplimit <= input.limit())
    byte*     rplimit;     // how much of the input block has been read?
    julong    bytes_read;
@@ -247,10 +252,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h open
  
    // callback to read at least one byte, up to available input
    typedef jlong (*read_input_fn_t)(unpacker* self, void* buf, jlong minlen, jlong maxlen);
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+diff --git openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+index e5197e1a3f1..40a10055ea5 100644
+--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
 +++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
-@@ -81,7 +81,7 @@
+@@ -81,7 +81,7 @@ void breakpoint() { }  // hook for debugger
  int assert_failed(const char* p) {
    char message[1<<12];
    sprintf(message, "@assert failed: %s\n", p);
@@ -259,10 +265,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp ope
    breakpoint();
    unpack_abort(message);
    return 0;
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+diff --git openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+index f58c94956c0..343da3e183b 100644
+--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
 +++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
-@@ -84,7 +84,7 @@
+@@ -84,7 +84,7 @@ void jar::init(unpacker* u_) {
  }
  
  // Write data to the ZIP output stream.
@@ -271,7 +278,7 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp openj
    while (len > 0) {
      int rc = (int)fwrite(buff, 1, len, jarfp);
      if (rc <= 0) {
-@@ -323,12 +323,12 @@
+@@ -323,12 +323,12 @@ void jar::write_central_directory() {
      // Total number of disks (int)
      header64[36] = (ushort)SWAP_BYTES(1);
      header64[37] = 0;
@@ -286,10 +293,11 @@ diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp openj
  
    PRINTCR((2, "writing zip comment\n"));
    // Write the comment.
-diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
---- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+diff --git openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+index 14ffc9d65bd..9877f6f68ca 100644
+--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
 +++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
-@@ -68,8 +68,8 @@
+@@ -68,8 +68,8 @@ struct jar {
    }
  
    // Private Methods

sources

@@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671
-SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u392-b01.tar.xz) = 447231b0b20d12db0509a8654742fef5cd85e6fc896e6d77edbc56f1b8bfacb9fad16fc06b12b8db397fb0c3f0ed92643ce9f785b3e59fa2a2dd23bebc4755b3
+SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u392-b08.tar.xz) = 0826958c414bcc7a23707fc9c1e832eed15e3e762ce35e0dfe4a4c6f44f057423b754092a1532a39dde6cd6f83f97208a857afd779ef7ba275f0bb46d84da102