import UBI java-1.8.0-openjdk-1.8.0.402.b06-2.el9

2024-01-17 20:44:37 +00:00 · 2024-01-17 20:44:37 +00:00 · 2d12046b98
parent 831e45ebab
commit 2d12046b98
6 changed files with 156 additions and 77 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u392-b08.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u402-b06.tar.xz
 SOURCES/tapsets-icedtea-3.15.0.tar.xz
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@ -1,2 +1,2 @@
-2ca27b0d535c9dcf71679cad14be5660d0554f82 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u392-b08.tar.xz
+0ca0a2433bfd7aa62a21fc37c8079f540e672a9c SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u402-b06.tar.xz
 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@ -3,6 +3,131 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY

+New in release OpenJDK 8u402 (2024-01-16):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u402
+
+* CVEs
+  - CVE-2024-20918
+  - CVE-2024-20919
+  - CVE-2024-20921
+  - CVE-2024-20926
+  - CVE-2024-20945
+  - CVE-2024-20952
+* Security fixes
+  - JDK-8308204: Enhanced certificate processing
+  - JDK-8314284: Enhance Nashorn performance
+  - JDK-8314295: Enhance verification of verifier
+  - JDK-8314307: Improve loop handling
+  - JDK-8314468: Improve Compiler loops
+  - JDK-8316976: Improve signature handling
+  - JDK-8317547: Enhance TLS connection support
+* Other changes
+  - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion
+  - JDK-8029995: accept yes/no for boolean krb5.conf settings
+  - JDK-8159156: [TESTBUG] ReserveMemory test is not useful on Aix.
+  - JDK-8176509: Use pandoc for converting build readme to html
+  - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value
+  - JDK-8207404: MulticastSocket tests failing on AIX
+  - JDK-8212677: X11 default visual support for IM status window on VNC
+  - JDK-8239365: ProcessBuilder test modifications for AIX execution
+  - JDK-8271838: AmazonCA.java interop test fails
+  - JDK-8285398: Cache the results of constraint checks
+  - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg'  is null
+  - JDK-8302017: Allocate BadPaddingException only if it will be thrown
+  - JDK-8305329: [8u] Unify test libraries into single test library - step 1
+  - JDK-8307837: [8u] Check step in GHA should also print errors
+  - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails
+  - JDK-8311813: C1: Uninitialized PhiResolver::_loop field
+  - JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
+  - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException
+  - JDK-8315280: Bump update version of OpenJDK: 8u402
+  - JDK-8315506: C99 compatibility issue in LinuxNativeDispatcher
+  - JDK-8317291: Missing null check for nmethod::is_native_method()
+  - JDK-8317373: Add Telia Root CA v2
+  - JDK-8317374: Add Let's Encrypt ISRG Root X2
+  - JDK-8318759: Add four DigiCert root certificates
+  - JDK-8319187: Add three eMudhra emSign roots
+  - JDK-8319405: [s390] [jdk8] Increase javac default stack size for s390x zero
+  - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly
+
+Notes on individual issues:
+===========================
+
+security-libs/org.ietf.jgss:krb5:
+
+JDK-8029995: accept yes/no for boolean krb5.conf settings
+=========================================================
+The krb5.conf configuration file now also accepts "yes" and "no", as
+alternatives to the existing "true" and "false" support, when using
+settings that take boolean values.
+
+security-libs/java.security:
+
+JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
+===============================================================================================================================
+A maximum signature file size property, jdk.jar.maxSignatureFileSize,
+was introduced in the 8u382 release of OpenJDK by JDK-8300596, with a
+default of 8MB. This default proved to be too small for some JAR
+files. This release, 8u402, increases it to 16MB.
+
+JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt
+=================================================================
+The following root certificate has been added to the cacerts
+truststore:
+
+Name: Let's Encrypt
+Alias Name: letsencryptisrgx2
+Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US
+
+JDK-8318759: Added Four Root Certificates from DigiCert, Inc.
+=============================================================
+The following root certificates have been added to the cacerts
+truststore:
+
+Name: DigiCert, Inc.
+Alias Name: digicertcseccrootg5
+Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+
+Name: DigiCert, Inc.
+Alias Name: digicertcsrsarootg5
+Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+
+Name: DigiCert, Inc.
+Alias Name: digicerttlseccrootg5
+Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+
+Name: DigiCert, Inc.
+Alias Name: digicerttlsrsarootg5
+Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+
+JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited
+============================================================================
+The following root certificates have been added to the cacerts
+truststore:
+
+Name: eMudhra Technologies Limited
+Alias Name: emsignrootcag1
+Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+
+Name: eMudhra Technologies Limited
+Alias Name: emsigneccrootcag3
+Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+
+Name: eMudhra Technologies Limited
+Alias Name: emsignrootcag2
+Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+
+JDK-8317373: Added Telia Root CA v2 Certificate
+===============================================
+The following root certificate has been added to the cacerts
+truststore:
+
+Name: Telia Root CA v2
+Alias Name: teliarootcav2
+Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ```
+
 New in release OpenJDK 8u392 (2023-10-17):
 ===========================================
 Live versions of these release notes can be found at:
@ -52,8 +177,8 @@ Notes on individual issues:

 other-libs/corba:idl:

-8303384: Improved communication in CORBA
-========================================
+JDK-8303384: Improved communication in CORBA
+============================================
 The JDK's CORBA implementation now provides the option to limit
 serialisation in stub objects to those with the "IOR:" prefix.  For
 ORB constrained stub classes:
@ -762,19 +887,6 @@ the current count of established connections and, if the configured
 limit has been reached, then the newly accepted connection will be
 closed immediately.

-core-libs/java.net:
-
-JDK-8286918: Better HttpServer service
-======================================
-The HttpServer can be optionally configured with a maximum connection
-limit by setting the jdk.httpserver.maxConnections system property. A
-value of 0 or a negative integer is ignored and considered to
-represent no connection limit. In the case of a positive integer
-value, any newly accepted connections will be first checked against
-the current count of established connections and, if the configured
-limit has been reached, then the newly accepted connection will be
-closed immediately.
-
 security-libs/javax.net.ssl:

 JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
@ -972,7 +1084,7 @@ device paths such as `NUL:` are *not* used.
 New in release OpenJDK 8u332 (2022-04-22):
 ===========================================
 Live versions of these release notes can be found at:
-  * https://bit.ly/openjdk8u332
+  * https://bitly.com/openjdk8u332
  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u332.txt

 * Security fixes
--- a/SOURCES/java-1.8.0-openjdk-portable.specfile
+++ b/SOURCES/java-1.8.0-openjdk-portable.specfile
@ -267,7 +267,7 @@
 # Define version of OpenJDK 8 used
 %global project openjdk
 %global repo shenandoah-jdk8u
-%global openjdk_revision jdk8u392-b08
+%global openjdk_revision jdk8u402-b06
 %global shenandoah_revision shenandoah-%{openjdk_revision}
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      3.15.0
@ -597,8 +597,6 @@ Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch
 Patch581: jdk8257794-remove_broken_assert.patch
 # JDK-8186464, RH1433262: ZipFile cannot read some InfoZip ZIP64 zip files
 Patch12: jdk8186464-rh1433262-zip64_failure.patch
-# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
-Patch2000: jdk8312489-max_sig_default_increase.patch

 #############################################
 #
@ -869,8 +867,6 @@ pushd %{top_level_dir_name}
 %patch1000 -p1
 # system cacerts support
 %patch539 -p1
-# JDK-8312489 backport, proposed for 8u402: https://github.com/openjdk/jdk8u-dev/pull/381
-%patch2000 -p1
 popd

 # RPM-only fixes
@ -1500,6 +1496,19 @@ done
 %{_jvmdir}/%{miscportablearchive}.sha256sum

 %changelog
+* Thu Jan 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.402.b06-0.1.ea
+- Update to shenandoah-jdk8u402-b06 (GA)
+- Update release notes for shenandoah-8u402-b06.
+- Drop local copy of JDK-8312489 which is now included upstream
+- Switch to GA mode.
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+
+* Tue Dec 05 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.402.b01-0.1.ea
+- Update to shenandoah-jdk8u402-b01 (EA)
+- Update release notes for shenandoah-8u402-b01.
+- Switch to EA mode.
+- Sync NEWS with vanilla branch version.
+
 * Wed Oct 11 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.392.b08-1
 - Update to shenandoah-jdk8u392-b08 (GA)
 - Update release notes for shenandoah-8u392-b08.
--- a/SOURCES/jdk8312489-max_sig_default_increase.patch
+++ b/SOURCES/jdk8312489-max_sig_default_increase.patch
@ -1,48 +0,0 @@
-commit c38a36f124a7eb28920cc367cb01b67d973a55c0
-Author: Andrew John Hughes <andrew@openjdk.org>
-Date:   Wed Oct 11 01:42:03 2023 +0100
-
-    Backport e47a84f23dd2608c6f5748093eefe301fb5bf750
-
-diff --git a/jdk/src/share/classes/java/util/jar/JarFile.java b/jdk/src/share/classes/java/util/jar/JarFile.java
-index a26dcc4a1c7..ac2e1c9d6a8 100644
--- a/jdk/src/share/classes/java/util/jar/JarFile.java
-+++ b/jdk/src/share/classes/java/util/jar/JarFile.java
-@@ -436,7 +436,9 @@ class JarFile extends ZipFile {
-                 throw new IOException("Unsupported size: " + uncompressedSize +
-                         " for JarEntry " + ze.getName() +
-                         ". Allowed max size: " +
-                        SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes");
-+                        SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes. " +
-+                        "You can use the jdk.jar.maxSignatureFileSize " +
-+                        "system property to increase the default value.");
-             }
-             int len = (int)uncompressedSize;
-             byte[] b = IOUtils.readAllBytes(is);
-diff --git a/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java b/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java
-index c335e964f63..afdfa406b92 100644
--- a/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java
-+++ b/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java
-@@ -855,16 +855,16 @@ public class SignatureFileVerifier {
-          * the maximum allowed number of bytes for the signature-related files
-          * in a JAR file.
-          */
-        Integer tmp = AccessController.doPrivileged(new GetIntegerAction(
-                "jdk.jar.maxSignatureFileSize", 8000000));
-+        int tmp = AccessController.doPrivileged(new GetIntegerAction(
-+                "jdk.jar.maxSignatureFileSize", 16000000));
-         if (tmp < 0 || tmp > MAX_ARRAY_SIZE) {
-             if (debug != null) {
-                debug.println("Default signature file size 8000000 bytes " +
-                        "is used as the specified size for the " +
-                        "jdk.jar.maxSignatureFileSize system property " +
-+                debug.println("The default signature file size of 16000000 bytes " +
-+                        "will be used for the jdk.jar.maxSignatureFileSize " +
-+                        "system property since the specified value " +
-                         "is out of range: " + tmp);
-             }
-            tmp = 8000000;
-+            tmp = 16000000;
-         }
-         return tmp;
-     }
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@ -305,7 +305,7 @@
 # Define version of OpenJDK 8 used
 %global project openjdk
 %global repo shenandoah-jdk8u
-%global openjdk_revision jdk8u392-b08
+%global openjdk_revision jdk8u402-b06
 %global shenandoah_revision shenandoah-%{openjdk_revision}
 # Define IcedTea version used for SystemTap tapsets and desktop files
 %global icedteaver      3.15.0
@ -351,7 +351,7 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      3
+%global rpmrelease      2
 # Settings used by the portable build
 %global portablerelease 1
 %global portablesuffix el8
@ -1562,8 +1562,6 @@ Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch
 Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch
 # JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
 Patch581: jdk8257794-remove_broken_assert.patch
-# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
-Patch2000: jdk8312489-max_sig_default_increase.patch

 #############################################
 #
@ -1986,8 +1984,6 @@ pushd %{top_level_dir_name}
 %patch1000 -p1
 # cacerts patch; must follow FIPS patch as it also alters java.security
 %patch539 -p1
-# JDK-8312489 backport, proposed for 8u402: https://github.com/openjdk/jdk8u-dev/pull/381
-%patch2000 -p1
 popd

 # RPM-only fixes
@ -2877,6 +2873,16 @@ cjc.mainProgram(args)
 %endif

 %changelog
+* Thu Jan 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.402.b06-0.2.ea
+- Update to shenandoah-jdk8u402-b06 (GA)
+- Update release notes for shenandoah-8u402-b06.
+- Sync NEWS with vanilla branch version.
+- Sync the copy of the portable specfile with the latest update
+- Drop local copy of JDK-8312489 which is now included upstream
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+- Resolves: RHEL-17918
+- Resolves: RHEL-20987
+
 * Mon Oct 16 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.392.b08-3
 - Revert jcmd move as jcmd will not operate without tools.jar
 - Related: RHEL-13605