diff --git a/.gitignore b/.gitignore index 873588f..529115c 100644 --- a/.gitignore +++ b/.gitignore @@ -258,3 +258,4 @@ /openjdk-shenandoah-jdk8u-shenandoah-jdk8u342-b06-4curve.tar.xz /openjdk-shenandoah-jdk8u-shenandoah-jdk8u342-b07-4curve.tar.xz /openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz +/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b07-4curve.tar.xz diff --git a/NEWS b/NEWS index a45c520..8376ed3 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,152 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u352 (2022-10-18): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk8u352 + * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u352.txt + +* Other changes + - JDK-7131823: bug in GIFImageReader + - JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate + - JDK-8028265: Add legacy tz tests to OpenJDK + - JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000] + - JDK-8049228: Improve multithreaded scalability of InetAddress cache + - JDK-8071507: (ref) Clear phantom reference as soft and weak references do + - JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation + - JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9 + - JDK-8136354: [TEST_BUG] Test java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script + - JDK-8139668: Generate README-build.html from markdown + - JDK-8143847: Remove REF_CLEANER reference category + - JDK-8150669: C1 intrinsic for Class.isPrimitive + - JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows + - JDK-8173339: AArch64: Fix minimum stack size computations + - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load + - JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing + - JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored + - JDK-8183107: PKCS11 regression regarding checkKeySize + - JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property + - JDK-8194873: right ALT key hotkeys no longer work in Swing components + - JDK-8201793: (ref) Reference object should not support cloning + - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount() + - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures. + - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit + - JDK-8235218: Minimal VM is broken after JDK-8173361 + - JDK-8235385: Crash on aarch64 JDK due to long offset + - JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles + - JDK-8254178: Remove .hgignore + - JDK-8254318: Remove .hgtags + - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version + - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*) + - JDK-8280963: Incorrect PrintFlags formatting on Windows + - JDK-8282538: PKCS11 tests fail on CentOS Stream 9 + - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee + - JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3 + - JDK-8285497: Add system property for Java SE specification maintenance version + - JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE + - JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11 + - JDK-8287521: Bump update version of OpenJDK: 8u352 + - JDK-8288763: Pack200 extraction failure with invalid size + - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses + - JDK-8290000: Bump macOS GitHub actions to macOS 11 + - JDK-8292579: (tz) Update Timezone Data to 2022c + - JDK-8292688: Support Security properties in security.testlibrary.Proc + +Notes on individual issues: +=========================== + +core-libs/java.lang: + +JDK-8201793: (ref) Reference object should not support cloning +============================================================== +`java.lang.ref.Reference::clone` method always throws +`CloneNotSupportedException`. `Reference` objects cannot be +meaningfully cloned. To create a new Reference object, call the +constructor to create a `Reference` object with the same referent and +reference queue instead. + +JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing +=============================================================================================== +`java.lang.ref.Reference.enqueue` method clears the reference object +before it is added to the registered queue. When the `enqueue` method +is called, the reference object is cleared and `get()` method will +return null in OpenJDK 8u352. + +Typically when a reference object is enqueued, it is expected that the +reference object is cleared explicitly via the `clear` method to avoid +memory leak because its referent is no longer referenced. In other +words the `get` method is expected not to be called in common cases +once the `enqueue`method is called. In the case when the `get` method +from an enqueued reference object and existing code attempts to access +members of the referent, `NullPointerException` may be thrown. Such +code will need to be updated. + +JDK-8071507: (ref) Clear phantom reference as soft and weak references do +========================================================================= +This enhancement changes phantom references to be automatically +cleared by the garbage collector as soft and weak references. + +An object becomes phantom reachable after it has been finalized. This +change may cause the phantom reachable objects to be GC'ed earlier - +previously the referent is kept alive until PhantomReference objects +are GC'ed or cleared by the application. This potential behavioral +change might only impact existing code that would depend on +PhantomReference being enqueued rather than when the referent be freed +from the heap. + +security-libs/javax.net.ssl: + +JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles +================================================================ +The TLSv1.3 implementation is now enabled by default for client roles +in 8u352. It has been enabled by default for server roles since 8u272. + +Note that TLS 1.3 is not directly compatible with previous +versions. Enabling it on the client may introduce compatibility issues +on either the server or the client side. Here are some more details on +potential compatibility issues that you should be aware of: + +* TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions + use a duplex-close policy. For applications that depend on the + duplex-close policy, there may be compatibility issues when + upgrading to TLS 1.3. + +* The signature_algorithms_cert extension requires that pre-defined + signature algorithms are used for certificate authentication. In + practice, however, an application may use non-supported signature + algorithms. + +* The DSA signature algorithm is not supported in TLS 1.3. If a server + is configured to only use DSA certificates, it cannot upgrade to TLS + 1.3. + +* The supported cipher suites for TLS 1.3 are not the same as TLS 1.2 + and prior versions. If an application hard-codes cipher suites which + are no longer supported, it may not be able to use TLS 1.3 without + modifying the application code. + +* The TLS 1.3 session resumption and key update behaviors are + different from TLS 1.2 and prior versions. The compatibility should + be minimal, but it could be a risk if an application depends on the + handshake details of the TLS protocols. + +The TLS 1.3 protocol can be disabled by using the jdk.tls.client.protocols +system property: + +java -Djdk.tls.client.protocols="TLSv1.2" ... + +Alternatively, an application can explicitly set the enabled protocols +with the javax.net.ssl APIs e.g. + +sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"}); + +or: + +SSLParameters params = sslSocket.getSSLParameters(); +params.setProtocols(new String[] {"TLSv1.2"}); +slsSocket.setSSLParameters(params); + New in release OpenJDK 8u345 (2022-08-01): =========================================== Live versions of these release notes can be found at: diff --git a/fips-8u-8e8bbf0ff74.patch b/fips-8u-6d1aade0648.patch similarity index 99% rename from fips-8u-8e8bbf0ff74.patch rename to fips-8u-6d1aade0648.patch index 2379d45..58ab6e5 100644 --- a/fips-8u-8e8bbf0ff74.patch +++ b/fips-8u-6d1aade0648.patch @@ -11,7 +11,7 @@ index 151e5a109f8..a8761b500e0 100644 LIB_SETUP_ON_WINDOWS diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh -index e77ce854dc5..ec6e9b27ca5 100644 +index 71fabf4dbb3..17f4f50673d 100644 --- a/common/autoconf/generated-configure.sh +++ b/common/autoconf/generated-configure.sh @@ -651,6 +651,9 @@ LLVM_CONFIG @@ -124,7 +124,7 @@ index e77ce854dc5..ec6e9b27ca5 100644 # # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -@@ -49290,6 +49351,157 @@ fi +@@ -49304,6 +49365,157 @@ fi LIBS="$save_LIBS" @@ -1532,7 +1532,7 @@ index ffee2c1603b..98119479823 100644 "FIPS mode: KeyStore must be " + "from provider " + SunJSSE.cryptoProvider.getName()); diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java -index cd0e9e98df9..fba760187c0 100644 +index 820e10164fc..6fe2c29389f 100644 --- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java +++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java @@ -31,6 +31,7 @@ import java.security.*; @@ -1627,8 +1627,8 @@ index cd0e9e98df9..fba760187c0 100644 + }; + } return new ProtocolVersion[]{ + ProtocolVersion.TLS13, ProtocolVersion.TLS12, - ProtocolVersion.TLS11, diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java index 2845dc37938..52337a7b6cf 100644 --- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java @@ -1659,7 +1659,7 @@ index 2845dc37938..52337a7b6cf 100644 "sun.security.ssl.SSLContextImpl$TLSContext"); if (isfips == false) { diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix -index d3d64b3facd..bfe0c593adb 100644 +index 7a93d4e6b59..681a24b905d 100644 --- a/jdk/src/share/lib/security/java.security-aix +++ b/jdk/src/share/lib/security/java.security-aix @@ -287,6 +287,13 @@ package.definition=sun.,\ @@ -1677,7 +1677,7 @@ index d3d64b3facd..bfe0c593adb 100644 # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux -index db610d4bfbb..9d1c8fe8a8e 100644 +index 145a84f94cf..789c19a8cba 100644 --- a/jdk/src/share/lib/security/java.security-linux +++ b/jdk/src/share/lib/security/java.security-linux @@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider @@ -1722,7 +1722,7 @@ index db610d4bfbb..9d1c8fe8a8e 100644 # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx -index a919ba3d5cd..19047c61097 100644 +index 35fa140d7a5..d4da666af3b 100644 --- a/jdk/src/share/lib/security/java.security-macosx +++ b/jdk/src/share/lib/security/java.security-macosx @@ -290,6 +290,13 @@ package.definition=sun.,\ @@ -1740,7 +1740,7 @@ index a919ba3d5cd..19047c61097 100644 # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris -index 86265ba5fb6..7eda556ae13 100644 +index f79ba37ddb9..300132384a1 100644 --- a/jdk/src/share/lib/security/java.security-solaris +++ b/jdk/src/share/lib/security/java.security-solaris @@ -288,6 +288,13 @@ package.definition=sun.,\ @@ -1758,7 +1758,7 @@ index 86265ba5fb6..7eda556ae13 100644 # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows -index 9b4bda23cbe..dfa1a669aa9 100644 +index d70503ce95f..64db5a5cd1e 100644 --- a/jdk/src/share/lib/security/java.security-windows +++ b/jdk/src/share/lib/security/java.security-windows @@ -290,6 +290,13 @@ package.definition=sun.,\ diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index febb3c4..35ed62c 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -297,7 +297,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 3.15.0 # Define current Git revision for the FIPS support patches -%global fipsver 8e8bbf0ff74 +%global fipsver 6d1aade0648 # Standard JPackage naming and versioning defines %global origin openjdk @@ -331,7 +331,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u345-b01 +%global openjdk_revision jdk8u352-b07 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -347,12 +347,12 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 5 +%global rpmrelease 2 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global milestone fcs %global milestone_version %{nil} @@ -2719,6 +2719,13 @@ cjc.mainProgram(args) %endif %changelog +* Wed Oct 12 2022 Andrew Hughes - 1:1.8.0.352.b07-0.1.ea +- Update to shenandoah-jdk8u352-b07 (EA) +- Update release notes for shenandoah-8u352-b07. +- Switch to EA mode for 8u352 pre-release builds. +- Rebase FIPS patch against 8u352-b07 +- Resolves: rhbz#2130623 + * Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-5 - Allow the default keystore to be configured using security.systemCACerts - Use of the property can now be disabled using -Dsecurity.systemCACerts= diff --git a/sources b/sources index 13743ce..44fb427 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671 -SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz) = 6fa848faa201a01516c8bc616e0cb980fc012c6f54493138fdd38962c8d706382567467b380eaa34a52ffae3657a13f3f136163c1185f38dc0b5dc0e2151f49d +SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b07-4curve.tar.xz) = 9525cdd009037328e061965c751fae7fb61887d87efadfbc8b361aeee74a3cbb0bc2405f0bd33d3c943862a2eab5d30576e071063a87ec326b1781d29e7974ea