From 2d12046b988078c27f6c47d00d44c35d2c077726 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 17 Jan 2024 20:44:37 +0000
Subject: [PATCH] import UBI java-1.8.0-openjdk-1.8.0.402.b06-2.el9
---
 .gitignore | 2 +-
 .java-1.8.0-openjdk.metadata | 2 +-
 SOURCES/NEWS | 144 ++++++++++++++++--
 SOURCES/java-1.8.0-openjdk-portable.specfile | 19 ++-
 .../jdk8312489-max_sig_default_increase.patch | 48 ------
 SPECS/java-1.8.0-openjdk.spec | 18 ++-
 6 files changed, 156 insertions(+), 77 deletions(-)
 delete mode 100644 SOURCES/jdk8312489-max_sig_default_increase.patch
diff --git a/.gitignore b/.gitignore
index 00e22cb..c5c84f7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u392-b08.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u402-b06.tar.xz
 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index 53c78a9..7711961 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-2ca27b0d535c9dcf71679cad14be5660d0554f82 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u392-b08.tar.xz
+0ca0a2433bfd7aa62a21fc37c8079f540e672a9c SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u402-b06.tar.xz
 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index 84da7f8..d984469 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,6 +3,131 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u402 (2024-01-16): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk8u402 + +* CVEs + - CVE-2024-20918 + - CVE-2024-20919 + - CVE-2024-20921 + - CVE-2024-20926 + - CVE-2024-20945 + - CVE-2024-20952 +* Security fixes + - JDK-8308204: Enhanced certificate processing + - JDK-8314284: Enhance Nashorn performance + - JDK-8314295: Enhance verification of verifier + - JDK-8314307: Improve loop handling + - JDK-8314468: Improve Compiler loops + - JDK-8316976: Improve signature handling + - JDK-8317547: Enhance TLS connection support +* Other changes + - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion + - JDK-8029995: accept yes/no for boolean krb5.conf settings + - JDK-8159156: [TESTBUG] ReserveMemory test is not useful on Aix. + - JDK-8176509: Use pandoc for converting build readme to html + - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value + - JDK-8207404: MulticastSocket tests failing on AIX + - JDK-8212677: X11 default visual support for IM status window on VNC + - JDK-8239365: ProcessBuilder test modifications for AIX execution + - JDK-8271838: AmazonCA.java interop test fails + - JDK-8285398: Cache the results of constraint checks + - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null + - JDK-8302017: Allocate BadPaddingException only if it will be thrown + - JDK-8305329: [8u] Unify test libraries into single test library - step 1 + - JDK-8307837: [8u] Check step in GHA should also print errors + - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails + - JDK-8311813: C1: Uninitialized PhiResolver::_loop field + - JDK-8312489: 
Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar + - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException + - JDK-8315280: Bump update version of OpenJDK: 8u402 + - JDK-8315506: C99 compatibility issue in LinuxNativeDispatcher + - JDK-8317291: Missing null check for nmethod::is_native_method() + - JDK-8317373: Add Telia Root CA v2 + - JDK-8317374: Add Let's Encrypt ISRG Root X2 + - JDK-8318759: Add four DigiCert root certificates + - JDK-8319187: Add three eMudhra emSign roots + - JDK-8319405: [s390] [jdk8] Increase javac default stack size for s390x zero + - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly + +Notes on individual issues: +=========================== + +security-libs/org.ietf.jgss:krb5: + +JDK-8029995: accept yes/no for boolean krb5.conf settings +========================================================= +The krb5.conf configuration file now also accepts "yes" and "no", as +alternatives to the existing "true" and "false" support, when using +settings that take boolean values. + +security-libs/java.security: + +JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar +=============================================================================================================================== +A maximum signature file size property, jdk.jar.maxSignatureFileSize, +was introduced in the 8u382 release of OpenJDK by JDK-8300596, with a +default of 8MB. This default proved to be too small for some JAR +files. This release, 8u402, increases it to 16MB. 
+ +JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt +================================================================= +The following root certificate has been added to the cacerts +truststore: + +Name: Let's Encrypt +Alias Name: letsencryptisrgx2 +Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US + +JDK-8318759: Added Four Root Certificates from DigiCert, Inc. +============================================================= +The following root certificates have been added to the cacerts +truststore: + +Name: DigiCert, Inc. +Alias Name: digicertcseccrootg5 +Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicertcsrsarootg5 +Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicerttlseccrootg5 +Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicerttlsrsarootg5 +Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US + +JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited +============================================================================ +The following root certificates have been added to the cacerts +truststore: + +Name: eMudhra Technologies Limited +Alias Name: emsignrootcag1 +Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +Name: eMudhra Technologies Limited +Alias Name: emsigneccrootcag3 +Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +Name: eMudhra Technologies Limited +Alias Name: emsignrootcag2 +Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +JDK-8317373: Added Telia Root CA v2 Certificate +=============================================== +The following root certificate has been added to the cacerts 
+truststore: + +Name: Telia Root CA v2 +Alias Name: teliarootcav2 +Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ``` + New in release OpenJDK 8u392 (2023-10-17): =========================================== Live versions of these release notes can be found at: @@ -52,8 +177,8 @@ Notes on individual issues: other-libs/corba:idl: -8303384: Improved communication in CORBA -======================================== +JDK-8303384: Improved communication in CORBA +============================================ The JDK's CORBA implementation now provides the option to limit serialisation in stub objects to those with the "IOR:" prefix. For ORB constrained stub classes: @@ -762,19 +887,6 @@ the current count of established connections and, if the configured limit has been reached, then the newly accepted connection will be closed immediately. -core-libs/java.net: - -JDK-8286918: Better HttpServer service -====================================== -The HttpServer can be optionally configured with a maximum connection -limit by setting the jdk.httpserver.maxConnections system property. A -value of 0 or a negative integer is ignored and considered to -represent no connection limit. In the case of a positive integer -value, any newly accepted connections will be first checked against -the current count of established connections and, if the configured -limit has been reached, then the newly accepted connection will be -closed immediately. - security-libs/javax.net.ssl: JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles @@ -972,7 +1084,7 @@ device paths such as `NUL:` are *not* used. New in release OpenJDK 8u332 (2022-04-22): =========================================== Live versions of these release notes can be found at: - * https://bit.ly/openjdk8u332 + * https://bitly.com/openjdk8u332 * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u332.txt * Security fixes 
diff --git a/SOURCES/java-1.8.0-openjdk-portable.specfile b/SOURCES/java-1.8.0-openjdk-portable.specfile index eaa8267..1231da3 100644 --- a/SOURCES/java-1.8.0-openjdk-portable.specfile +++ b/SOURCES/java-1.8.0-openjdk-portable.specfile @@ -267,7 +267,7 @@ # Define version of OpenJDK 8 used %global project openjdk %global repo shenandoah-jdk8u -%global openjdk_revision jdk8u392-b08 +%global openjdk_revision jdk8u402-b06 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 3.15.0 @@ -597,8 +597,6 @@ Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch Patch581: jdk8257794-remove_broken_assert.patch # JDK-8186464, RH1433262: ZipFile cannot read some InfoZip ZIP64 zip files Patch12: jdk8186464-rh1433262-zip64_failure.patch -# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar -Patch2000: jdk8312489-max_sig_default_increase.patch ############################################# # @@ -869,8 +867,6 @@ pushd %{top_level_dir_name} %patch1000 -p1 # system cacerts support %patch539 -p1 -# JDK-8312489 backport, proposed for 8u402: https://github.com/openjdk/jdk8u-dev/pull/381 -%patch2000 -p1 popd # RPM-only fixes 
@@ -1500,6 +1496,19 @@ done %{_jvmdir}/%{miscportablearchive}.sha256sum %changelog +* Thu Jan 11 2024 Andrew Hughes - 1:1.8.0.402.b06-0.1.ea +- Update to shenandoah-jdk8u402-b06 (GA) +- Update release notes for shenandoah-8u402-b06. +- Drop local copy of JDK-8312489 which is now included upstream +- Switch to GA mode. +- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. ** + +* Tue Dec 05 2023 Andrew Hughes - 1:1.8.0.402.b01-0.1.ea +- Update to shenandoah-jdk8u402-b01 (EA) +- Update release notes for shenandoah-8u402-b01. +- Switch to EA mode. +- Sync NEWS with vanilla branch version. + * Wed Oct 11 2023 Andrew Hughes - 1:1.8.0.392.b08-1 - Update to shenandoah-jdk8u392-b08 (GA) - Update release notes for shenandoah-8u392-b08. diff --git a/SOURCES/jdk8312489-max_sig_default_increase.patch b/SOURCES/jdk8312489-max_sig_default_increase.patch deleted file mode 100644 index adf9e09..0000000 --- a/SOURCES/jdk8312489-max_sig_default_increase.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -commit c38a36f124a7eb28920cc367cb01b67d973a55c0 -Author: Andrew John Hughes -Date: Wed Oct 11 01:42:03 2023 +0100 - - Backport e47a84f23dd2608c6f5748093eefe301fb5bf750 - -diff --git a/jdk/src/share/classes/java/util/jar/JarFile.java b/jdk/src/share/classes/java/util/jar/JarFile.java -index a26dcc4a1c7..ac2e1c9d6a8 100644 ---- a/jdk/src/share/classes/java/util/jar/JarFile.java -+++ b/jdk/src/share/classes/java/util/jar/JarFile.java -@@ -436,7 +436,9 @@ class JarFile extends ZipFile { - throw new IOException("Unsupported size: " + uncompressedSize + - " for JarEntry " + ze.getName() + - ". Allowed max size: " + -- SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes"); -+ SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes. " + -+ "You can use the jdk.jar.maxSignatureFileSize " + -+ "system property to increase the default value."); - } - int len = (int)uncompressedSize; - byte[] b = IOUtils.readAllBytes(is); -diff --git a/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java b/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java -index c335e964f63..afdfa406b92 100644 ---- a/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java -+++ b/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java -@@ -855,16 +855,16 @@ public class SignatureFileVerifier { - * the maximum allowed number of bytes for the signature-related files - * in a JAR file. 
- */ -- Integer tmp = AccessController.doPrivileged(new GetIntegerAction( -- "jdk.jar.maxSignatureFileSize", 8000000)); -+ int tmp = AccessController.doPrivileged(new GetIntegerAction( -+ "jdk.jar.maxSignatureFileSize", 16000000)); - if (tmp < 0 || tmp > MAX_ARRAY_SIZE) { - if (debug != null) { -- debug.println("Default signature file size 8000000 bytes " + -- "is used as the specified size for the " + -- "jdk.jar.maxSignatureFileSize system property " + -+ debug.println("The default signature file size of 16000000 bytes " + -+ "will be used for the jdk.jar.maxSignatureFileSize " + -+ "system property since the specified value " + - "is out of range: " + tmp); - } -- tmp = 8000000; -+ tmp = 16000000; - } - return tmp; - } diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index 161229c..8d3ffd2 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -305,7 +305,7 @@ # Define version of OpenJDK 8 used %global project openjdk %global repo shenandoah-jdk8u -%global openjdk_revision jdk8u392-b08 +%global openjdk_revision jdk8u402-b06 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define IcedTea version used for SystemTap tapsets and desktop files %global icedteaver 3.15.0 @@ -351,7 +351,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 3 +%global rpmrelease 2 # Settings used by the portable build %global portablerelease 1 %global portablesuffix el8 
@@ -1562,8 +1562,6 @@ Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch # JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32 Patch581: jdk8257794-remove_broken_assert.patch -# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar -Patch2000: jdk8312489-max_sig_default_increase.patch ############################################# # @@ -1986,8 +1984,6 @@ pushd %{top_level_dir_name} %patch1000 -p1 # cacerts patch; must follow FIPS patch as it also alters java.security %patch539 -p1 -# JDK-8312489 backport, proposed for 8u402: https://github.com/openjdk/jdk8u-dev/pull/381 -%patch2000 -p1 popd # RPM-only fixes @@ -2877,6 +2873,16 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jan 11 2024 Andrew Hughes - 1:1.8.0.402.b06-0.2.ea +- Update to shenandoah-jdk8u402-b06 (GA) +- Update release notes for shenandoah-8u402-b06. +- Sync NEWS with vanilla branch version. +- Sync the copy of the portable specfile with the latest update +- Drop local copy of JDK-8312489 which is now included upstream +- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. ** +- Resolves: RHEL-17918 +- Resolves: RHEL-20987 + * Mon Oct 16 2023 Andrew Hughes - 1:1.8.0.392.b08-3 - Revert jcmd move as jcmd will not operate without tools.jar - Related: RHEL-13605