Update to shenandoah-jdk8u352-b07 (EA)

Update release notes for shenandoah-8u352-b07. Switch to EA mode for 8u352 pre-release builds. Rebase FIPS patch against 8u352-b07 Resolves: rhbz#2130623
2022-10-13 01:41:47 +01:00 · 2022-10-13 01:41:47 +01:00 · 20b95ff808
parent 64ee130bde
commit 20b95ff808
5 changed files with 168 additions and 14 deletions
--- a/.gitignore
+++ b/.gitignore
@ -258,3 +258,4 @@
 /openjdk-shenandoah-jdk8u-shenandoah-jdk8u342-b06-4curve.tar.xz
 /openjdk-shenandoah-jdk8u-shenandoah-jdk8u342-b07-4curve.tar.xz
 /openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz
+/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b07-4curve.tar.xz
--- a/146
+++ b/146
@ -3,6 +3,152 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY

+New in release OpenJDK 8u352 (2022-10-18):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u352
+  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u352.txt
+
+* Other changes
+  - JDK-7131823: bug in GIFImageReader
+  - JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate
+  - JDK-8028265: Add legacy tz tests to OpenJDK
+  - JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000]
+  - JDK-8049228: Improve multithreaded scalability of InetAddress cache
+  - JDK-8071507: (ref) Clear phantom reference as soft and weak references do
+  - JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation
+  - JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9
+  - JDK-8136354: [TEST_BUG] Test  java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script
+  - JDK-8139668: Generate README-build.html from markdown
+  - JDK-8143847: Remove REF_CLEANER reference category
+  - JDK-8150669: C1 intrinsic for Class.isPrimitive
+  - JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows
+  - JDK-8173339: AArch64: Fix minimum stack size computations
+  - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load
+  - JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
+  - JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored
+  - JDK-8183107: PKCS11 regression regarding checkKeySize
+  - JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property
+  - JDK-8194873: right ALT key hotkeys no longer work in Swing components
+  - JDK-8201793: (ref) Reference object should not support cloning
+  - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount()
+  - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures.
+  - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit
+  - JDK-8235218: Minimal VM is broken after JDK-8173361
+  - JDK-8235385: Crash on aarch64 JDK due to long offset
+  - JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles
+  - JDK-8254178: Remove .hgignore
+  - JDK-8254318: Remove .hgtags
+  - JDK-8256722: handle VC++:1927 VS2019 in  abstract_vm_version
+  - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*)
+  - JDK-8280963: Incorrect PrintFlags formatting on Windows
+  - JDK-8282538: PKCS11 tests fail on CentOS Stream 9
+  - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
+  - JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3
+  - JDK-8285497: Add system property for Java SE specification maintenance version
+  - JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE
+  - JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11
+  - JDK-8287521: Bump update version of OpenJDK: 8u352
+  - JDK-8288763: Pack200 extraction failure with invalid size
+  - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses
+  - JDK-8290000: Bump macOS GitHub actions to macOS 11
+  - JDK-8292579: (tz) Update Timezone Data to 2022c
+  - JDK-8292688: Support Security properties in security.testlibrary.Proc
+
+Notes on individual issues:
+===========================
+
+core-libs/java.lang:
+
+JDK-8201793: (ref) Reference object should not support cloning
+==============================================================
+`java.lang.ref.Reference::clone` method always throws
+`CloneNotSupportedException`. `Reference` objects cannot be
+meaningfully cloned. To create a new Reference object, call the
+constructor to create a `Reference` object with the same referent and
+reference queue instead.
+
+JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
+===============================================================================================
+`java.lang.ref.Reference.enqueue` method clears the reference object
+before it is added to the registered queue. When the `enqueue` method
+is called, the reference object is cleared and `get()` method will
+return null in OpenJDK 8u352.
+
+Typically when a reference object is enqueued, it is expected that the
+reference object is cleared explicitly via the `clear` method to avoid
+memory leak because its referent is no longer referenced. In other
+words the `get` method is expected not to be called in common cases
+once the `enqueue`method is called. In the case when the `get` method
+from an enqueued reference object and existing code attempts to access
+members of the referent, `NullPointerException` may be thrown. Such
+code will need to be updated.
+
+JDK-8071507: (ref) Clear phantom reference as soft and weak references do
+=========================================================================
+This enhancement changes phantom references to be automatically
+cleared by the garbage collector as soft and weak references.
+
+An object becomes phantom reachable after it has been finalized. This
+change may cause the phantom reachable objects to be GC'ed earlier -
+previously the referent is kept alive until PhantomReference objects
+are GC'ed or cleared by the application. This potential behavioral
+change might only impact existing code that would depend on
+PhantomReference being enqueued rather than when the referent be freed
+from the heap.
+
+security-libs/javax.net.ssl:
+
+JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
+================================================================
+The TLSv1.3 implementation is now enabled by default for client roles
+in 8u352. It has been enabled by default for server roles since 8u272.
+
+Note that TLS 1.3 is not directly compatible with previous
+versions. Enabling it on the client may introduce compatibility issues
+on either the server or the client side. Here are some more details on
+potential compatibility issues that you should be aware of:
+
+* TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions
+  use a duplex-close policy. For applications that depend on the
+  duplex-close policy, there may be compatibility issues when
+  upgrading to TLS 1.3.
+
+* The signature_algorithms_cert extension requires that pre-defined
+  signature algorithms are used for certificate authentication. In
+  practice, however, an application may use non-supported signature
+  algorithms.
+
+* The DSA signature algorithm is not supported in TLS 1.3. If a server
+  is configured to only use DSA certificates, it cannot upgrade to TLS
+  1.3.
+
+* The supported cipher suites for TLS 1.3 are not the same as TLS 1.2
+  and prior versions. If an application hard-codes cipher suites which
+  are no longer supported, it may not be able to use TLS 1.3 without
+  modifying the application code.
+
+* The TLS 1.3 session resumption and key update behaviors are
+  different from TLS 1.2 and prior versions. The compatibility should
+  be minimal, but it could be a risk if an application depends on the
+  handshake details of the TLS protocols.
+
+The TLS 1.3 protocol can be disabled by using the jdk.tls.client.protocols
+system property:
+
+java -Djdk.tls.client.protocols="TLSv1.2" ...
+
+Alternatively, an application can explicitly set the enabled protocols
+with the javax.net.ssl APIs e.g.
+
+sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"});
+
+or:
+
+SSLParameters params = sslSocket.getSSLParameters();
+params.setProtocols(new String[] {"TLSv1.2"});
+slsSocket.setSSLParameters(params);
+
 New in release OpenJDK 8u345 (2022-08-01):
 ===========================================
 Live versions of these release notes can be found at:
--- a/fips-8u-6d1aade0648.patch
+++ b/fips-8u-6d1aade0648.patch
@ -11,7 +11,7 @@ index 151e5a109f8..a8761b500e0 100644
 LIB_SETUP_ON_WINDOWS
 
 diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
-index e77ce854dc5..ec6e9b27ca5 100644
+index 71fabf4dbb3..17f4f50673d 100644
 --- a/common/autoconf/generated-configure.sh
 +++ b/common/autoconf/generated-configure.sh
@@ -651,6 +651,9 @@ LLVM_CONFIG
@ -124,7 +124,7 @@ index e77ce854dc5..ec6e9b27ca5 100644
 #
 # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-@@ -49290,6 +49351,157 @@ fi
+@@ -49304,6 +49365,157 @@ fi
   LIBS="$save_LIBS"
 
 
@ -1532,7 +1532,7 @@ index ffee2c1603b..98119479823 100644
                         "FIPS mode: KeyStore must be " +
                         "from provider " + SunJSSE.cryptoProvider.getName());
 diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-index cd0e9e98df9..fba760187c0 100644
+index 820e10164fc..6fe2c29389f 100644
 --- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
 +++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -31,6 +31,7 @@ import java.security.*;
@ -1627,8 +1627,8 @@ index cd0e9e98df9..fba760187c0 100644
 +                    };
 +                }
                 return new ProtocolVersion[]{
+                         ProtocolVersion.TLS13,
                         ProtocolVersion.TLS12,
-                         ProtocolVersion.TLS11,
 diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
 index 2845dc37938..52337a7b6cf 100644
 --- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
@ -1659,7 +1659,7 @@ index 2845dc37938..52337a7b6cf 100644
             "sun.security.ssl.SSLContextImpl$TLSContext");
         if (isfips == false) {
 diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
-index d3d64b3facd..bfe0c593adb 100644
+index 7a93d4e6b59..681a24b905d 100644
 --- a/jdk/src/share/lib/security/java.security-aix
 +++ b/jdk/src/share/lib/security/java.security-aix
@@ -287,6 +287,13 @@ package.definition=sun.,\
@ -1677,7 +1677,7 @@ index d3d64b3facd..bfe0c593adb 100644
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
 diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
-index db610d4bfbb..9d1c8fe8a8e 100644
+index 145a84f94cf..789c19a8cba 100644
 --- a/jdk/src/share/lib/security/java.security-linux
 +++ b/jdk/src/share/lib/security/java.security-linux
@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider
@ -1722,7 +1722,7 @@ index db610d4bfbb..9d1c8fe8a8e 100644
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
 diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
-index a919ba3d5cd..19047c61097 100644
+index 35fa140d7a5..d4da666af3b 100644
 --- a/jdk/src/share/lib/security/java.security-macosx
 +++ b/jdk/src/share/lib/security/java.security-macosx
@@ -290,6 +290,13 @@ package.definition=sun.,\
@ -1740,7 +1740,7 @@ index a919ba3d5cd..19047c61097 100644
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
 diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
-index 86265ba5fb6..7eda556ae13 100644
+index f79ba37ddb9..300132384a1 100644
 --- a/jdk/src/share/lib/security/java.security-solaris
 +++ b/jdk/src/share/lib/security/java.security-solaris
@@ -288,6 +288,13 @@ package.definition=sun.,\
@ -1758,7 +1758,7 @@ index 86265ba5fb6..7eda556ae13 100644
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
 diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
-index 9b4bda23cbe..dfa1a669aa9 100644
+index d70503ce95f..64db5a5cd1e 100644
 --- a/jdk/src/share/lib/security/java.security-windows
 +++ b/jdk/src/share/lib/security/java.security-windows
@@ -290,6 +290,13 @@ package.definition=sun.,\
--- a/java-1.8.0-openjdk.spec
+++ b/java-1.8.0-openjdk.spec
@ -297,7 +297,7 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      3.15.0
 # Define current Git revision for the FIPS support patches
-%global fipsver 8e8bbf0ff74
+%global fipsver 6d1aade0648

 # Standard JPackage naming and versioning defines
 %global origin          openjdk
@ -331,7 +331,7 @@
 # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
 %global shenandoah_project      openjdk
 %global shenandoah_repo         shenandoah-jdk8u
-%global openjdk_revision        jdk8u345-b01
+%global openjdk_revision        jdk8u352-b07
 %global shenandoah_revision     shenandoah-%{openjdk_revision}
 # Define old aarch64/jdk8u tree variables for compatibility
 %global project         %{shenandoah_project}
@ -347,12 +347,12 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      5
+%global rpmrelease      2
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
 # - N%%{?extraver}{?dist} for GA releases
-%global is_ga           1
+%global is_ga           0
 %if %{is_ga}
 %global milestone          fcs
 %global milestone_version  %{nil}
@ -2719,6 +2719,13 @@ cjc.mainProgram(args)
 %endif

 %changelog
+* Wed Oct 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.352.b07-0.1.ea
+- Update to shenandoah-jdk8u352-b07 (EA)
+- Update release notes for shenandoah-8u352-b07.
+- Switch to EA mode for 8u352 pre-release builds.
+- Rebase FIPS patch against 8u352-b07
+- Resolves: rhbz#2130623
+
 * Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-5
 - Allow the default keystore to be configured using security.systemCACerts
 - Use of the property can now be disabled using -Dsecurity.systemCACerts=
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671
-SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz) = 6fa848faa201a01516c8bc616e0cb980fc012c6f54493138fdd38962c8d706382567467b380eaa34a52ffae3657a13f3f136163c1185f38dc0b5dc0e2151f49d
+SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b07-4curve.tar.xz) = 9525cdd009037328e061965c751fae7fb61887d87efadfbc8b361aeee74a3cbb0bc2405f0bd33d3c943862a2eab5d30576e071063a87ec326b1781d29e7974ea