diff --git a/.gitignore b/.gitignore index c5bbcae..19deb2a 100644 --- a/.gitignore +++ b/.gitignore @@ -285,3 +285,4 @@ /openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz /openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b01-4curve.tar.xz /openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b04-4curve.tar.xz +/openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b05-4curve.tar.xz diff --git a/NEWS b/NEWS index f8b9f73..305d2cf 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,14 @@ New in release OpenJDK 8u382 (2023-07-18): Live versions of these release notes can be found at: * https://bit.ly/openjdk8u382 +* CVEs + - CVE-2023-22045 + - CVE-2023-22049 +* Security fixes + - JDK-8298676: Enhanced Look and Feel + - JDK-8300596: Enhance Jar Signature validation + - JDK-8304468: Better array usages + - JDK-8305312: Enhanced path handling * Other changes - JDK-8072678: Wrong exception messages in java.awt.color.ICC_ColorSpace - JDK-8151460: Metaspace counters can have inconsistent values @@ -31,6 +39,7 @@ Live versions of these release notes can be found at: - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13 - JDK-8298108: Add a regression test for JDK-8297684 - JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows + - JDK-8301119: Support for GB18030-2022 - JDK-8301400: Allow additional characters for GB18030-2022 support - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message - JDK-8303028: Update system property for Java SE specification maintenance version @@ -42,6 +51,7 @@ Live versions of these release notes can be found at: - JDK-8307134: Add GTS root CAs - JDK-8307310: Backport the tests for JDK-8058969 and JDK-8039271 to the OpenJDK8 - JDK-8307531: [aarch64] JDK8 single-step debugging is extremely slow + - JDK-8310947: gb18030-2000 not selectable with LANG=zh_CN.GB18030 after JDK-8301119 Notes on individual issues: =========================== 
@@ -58,6 +68,15 @@ which is implemented in this release of OpenJDK via the addition of a new UnicodeBlock instance, Character.CJK_UNIFIED_IDEOGRAPHS_EXTENSION_E. +core-libs/java.util.jar: + +8300596: Enhance Jar Signature validation +========================================= +A System property "jdk.jar.maxSignatureFileSize" is introduced to +configure the maximum number of bytes allowed for the +signature-related files in a JAR file during verification. The default +value is 8000000 bytes (8 MB). + security-libs/java.security: JDK-8307134: Added 4 GTS Root CA Certificates diff --git a/java-1.8.0-openjdk-portable.specfile b/java-1.8.0-openjdk-portable.specfile index 0dd1862..caf4cd3 100644 --- a/java-1.8.0-openjdk-portable.specfile +++ b/java-1.8.0-openjdk-portable.specfile @@ -256,9 +256,8 @@ %global stapinstall %{nil} %endif -# Always off in portables %ifarch %{systemtap_arches} -%global with_systemtap 0 +%global with_systemtap 1 %else %global with_systemtap 0 %endif @@ -298,7 +297,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u382-b04 +%global openjdk_revision jdk8u382-b05 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -319,12 +318,12 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 1 +%global rpmrelease 2 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 0 +%global is_ga 1 %if %{is_ga} %global milestone fcs %global milestone_version %{nil} 
@@ -395,20 +394,6 @@ %global alternatives_requires %{_sbindir}/alternatives %endif -%if %{with_systemtap} -# Where to install systemtap tapset (links) -# We would like these to be in a package specific sub-dir, -# but currently systemtap doesn't support that, so we have to -# use the root tapset dir for now. To distinguish between 64 -# and 32 bit architectures we place the tapsets under the arch -# specific dir (note that systemtap will only pickup the tapset -# for the primary arch for now). Systemtap uses the machine name -# aka target_cpu as architecture specific directory name. -%global tapsetroot /usr/share/systemtap -%global tapsetdirttapset %{tapsetroot}/tapset/ -%global tapsetdir %{tapsetdirttapset}/%{stapinstall} -%endif - # Prevent brp-java-repack-jars from being run. %global __jar_repack 0 @@ -465,8 +450,7 @@ Source7: NEWS # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (3.x). # Systemtap tapsets. Zipped up to keep it small. -# Disabled in portables -#Source8: tapsets-icedtea-%%{icedteaver}.tar.xz +Source8: tapsets-icedtea-%%{icedteaver}.tar.xz # Desktop files. Adapted from IcedTea # Disabled in portables 
@@ -913,17 +897,7 @@ cp -r tapset tapset%{fastdebug_suffix} for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do - OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` - sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/jre/lib/%{archinstall}/server/libjvm.so:g" $file > $file.1 -# TODO find out which architectures other than i686 have a client vm -%ifarch %{ix86} - sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/jre/lib/%{archinstall}/client/libjvm.so:g" $file.1 > $OUTPUT_FILE -%else - sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.1 > $OUTPUT_FILE -%endif - sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE - sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE - sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $file done done # systemtap tapsets ends @@ -1134,6 +1108,7 @@ function packagejdk() { local bundledir=$(pwd)/${1}/bundles local packagesdir=$(pwd)/${2} local srcdir=$(pwd)/%{top_level_dir_name} + local tapsetdir=$(pwd)/tapset echo "Packaging build from ${imagesdir} to ${packagesdir}..." mkdir -p ${packagesdir} @@ -1195,6 +1170,9 @@ function packagejdk() { for s in 16 24 32 48 ; do cp -av ${srcdir}/jdk/src/solaris/classes/sun/awt/X11/java-icon${s}.png ${miscname} done +%if %{with_systemtap} + cp -a ${tapsetdir}* ${miscname} +%endif tar -cJf ${miscarchive} ${miscname} genchecksum ${miscarchive} fi 
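Review bot: In the third hunk on this line (@@ -1195,6 +1170,9), `cp -a ${tapsetdir}* ${miscname}` relies on an unquoted prefix glob, so anything in the build directory whose name starts with `tapset` goes into the misc tarball, not only the per-suffix copies made in %prep. The downstream spec turns the tapset templates from that tarball into the `.stp` files it installs, so the copied set is better spelled out, for example `for suffix in %{build_loop} ; do cp -a "${tapsetdir}${suffix}" "${miscname}" ; done`. packagejdk starts and ends outside the hunk, so whether it already runs once per suffix is not visible here.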
@@ -1522,6 +1500,16 @@ done %{_jvmdir}/%{miscportablearchive}.sha256sum %changelog +* Fri Jul 14 2023 Andrew Hughes - 1:1.8.0.382.b05-2 +- Re-enable SystemTap support and perform only substitutions possible without final NVR available +- Include tapsets in the miscellaneous tarball +- Drop unused globals for tapset installation + +* Fri Jul 14 2023 Andrew Hughes - 1:1.8.0.382.b05-1 +- Update to shenandoah-jdk8u372-b05 (GA) +- Update release notes for shenandoah-8u372-b05. +- ** This tarball is embargoed until 2023-07-18 @ 1pm PT. ** + * Fri Jul 07 2023 Andrew Hughes - 1:1.8.0.382.b04-0.1.ea - Update to shenandoah-jdk8u382-b04 (EA) - Update release notes for shenandoah-8u382-b04. diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index 381e937..d111a6a 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -1,3 +1,8 @@ +# To rebuild this RPM, you must first rebuild the portable +# RPM using the java-1.8.0-openjdk-portable.specfile, install +# it and then adjust portablerelease and portablesuffix +# to match the new portable. + # RPM conditionals so as to be able to dynamically produce # slowdebug/release builds. See: # http://rpm.org/user_doc/conditional_builds.html @@ -338,7 +343,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u382-b04 +%global openjdk_revision jdk8u382-b05 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} 
@@ -354,9 +359,9 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 1 +%global rpmrelease 2 # Settings used by the portable build -%global portablerelease 1 +%global portablerelease 2 %global portablesuffix el8 %global portablebuilddir /builddir/build/BUILD @@ -364,7 +369,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 0 +%global is_ga 1 %if %{is_ga} %global milestone fcs %global milestone_version %{nil} @@ -1366,7 +1371,7 @@ Name: java-%{javaver}-%{origin} Version: %{javaver}.%{updatever}.%{buildver} Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} # Equivalent for the portable build -%global prelease %{?eaprefix}%{rpmrelease}%{?extraver} +%global prelease %{?eaprefix}%{portablerelease}%{?extraver} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -2001,6 +2006,8 @@ popd # Shenandoah patches +%ifnarch %{portable_build_arches} + # Extract systemtap tapsets %if %{with_systemtap} tar --strip-components=1 -x -I xz -f %{SOURCE8} @@ -2011,7 +2018,6 @@ cp -r tapset tapset%{debug_suffix} cp -r tapset tapset%{fastdebug_suffix} %endif - for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` @@ -2030,6 +2036,9 @@ done # systemtap tapsets ends %endif +# non-portable_build only section ends +%endif + # Prepare desktop files # The _X_ syntax indicates variables that are replaced by make upstream # The @X@ syntax indicates variables that are replaced by configure upstream 
@@ -2252,6 +2261,20 @@ function customisejdk() { fi } +%ifarch %{portable_build_arches} + +mkdir -p $(dirname %{installoutputdir}) + +docdir=%{installoutputdir -- "-docs"} +tar -xJf %{docszip} +mv %{name}*.docs.* ${docdir} + +miscdir=%{installoutputdir -- "-misc"} +tar -xJf %{misczip} +mv %{name}*.misc.* ${miscdir} + +%endif + for suffix in %{build_loop} ; do %ifarch %{portable_build_arches} @@ -2270,7 +2293,6 @@ for suffix in %{build_loop} ; do # TODO: should verify checksums when using packages from buildroot tar -xJf ${jdkzip} - mkdir -p $(dirname ${installdir}) mv %{name}* ${installdir} # Fix build paths in ELF files so it looks like we built them portablenvr="%{name}-portable-%{version}-%{prelease}.%{portablesuffix}.%{_arch}" @@ -2280,6 +2302,22 @@ for suffix in %{build_loop} ; do fi done + # Set tapset variables to match this build +%if %{with_systemtap} + for file in ${miscdir}/tapset${suffix}/*.in; do + OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` + sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > ${OUTPUT_FILE} +# TODO find out which architectures other than i686 have a client vm +%ifarch %{ix86} + sed -i -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" ${OUTPUT_FILE} +%else + sed -i -e "/@ABS_CLIENT_LIBJVM_SO@/d" ${OUTPUT_FILE} +%endif + sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE + sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + done +%endif + %else if [ "x$suffix" = "x" ] ; then @@ -2329,18 +2367,6 @@ for suffix in %{build_loop} ; do # build cycles done -%ifarch %{portable_build_arches} - -docdir=%{installoutputdir -- "-docs"} -tar -xJf %{docszip} -mv %{name}*.docs.* ${docdir} - -miscdir=%{installoutputdir -- "-misc"} -tar -xJf %{misczip} -mv %{name}*.misc.* ${miscdir} - -%endif - %check # We test debug first as it will give better diagnostics on a crash 
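Review bot: The docs and misc archives are unpacked in the first hunk with `tar -xJf %{docszip}` and `tar -xJf %{misczip}` without any integrity check, and the existing `# TODO: should verify checksums when using packages from buildroot` in the next hunk still stands for `${jdkzip}`. This matters more after this change, because the tapset templates from the misc archive become the `.stp` files that the install hunk (@@ -2496,23 +2522,20) copies into the package. The portable specfile lists a `.sha256sum` beside the misc archive, so, assuming it is installed next to the archive, a check before extraction would close the TODO, e.g. `(cd $(dirname %{misczip}) && sha256sum --check $(basename %{misczip}).sha256sum)`. That catches a truncated or mismatched archive; it does not add trust beyond the portable RPM that carries both files.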
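Review bot: The libjvm.so paths substituted in the third hunk (@@ -2280,6 +2302,22), `%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so` and its `client` twin, do not match the JDK 8 layout used elsewhere on this page. The lines removed from the portable specfile pointed at `jre/lib/%{archinstall}/server/libjvm.so`, and the install section creates `%{jredir -- $suffix}/lib/%{archinstall}/server/`. If the shorter path was carried over from a newer JDK's spec, the generated tapsets would name a library that is not installed, and the probes would presumably not attach. The server line would then read `sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/jre/lib/%{archinstall}/server/libjvm.so:g" $file > ${OUTPUT_FILE}`, with the same change on the client line. The enclosing `for suffix` loop starts and ends outside the hunk.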
@@ -2478,7 +2504,7 @@ for suffix in %{build_loop} ; do %ifarch %{portable_build_arches} jdk_image=%{installoutputdir -- $suffix} docdir=$(pwd)/%{installoutputdir -- "-docs"} - miscdir=%{installoutputdir -- "-misc"} + miscdir=$(pwd)/%{installoutputdir -- "-misc"} %else jdk_image=%{installoutputdir -- $suffix}/images/%{jdkimage} docdir=%{installoutputdir -- $suffix} @@ -2496,23 +2522,20 @@ for suffix in %{build_loop} ; do cp -a %{SOURCE19} %{SOURCE20} ${commondocdir} # Install the jdk - pushd ${jdk_image} - # Install jsa directories so we can owe them + # Install jsa directories so we can own them mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/server/ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/client/ - # Install main files. - install -d -m 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} - cp -a bin include lib src.zip {ASSEMBLY_EXCEPTION,LICENSE,THIRD_PARTY_README} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} - install -d -m 755 $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix} - cp -a jre/bin jre/lib jre/{ASSEMBLY_EXCEPTION,LICENSE,THIRD_PARTY_README} $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix} - %if %{with_systemtap} # Install systemtap support files install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset +%ifarch %{portable_build_arches} + cp -a ${miscdir}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ +%else # note, that uniquesuffix is in BUILD dir in this case cp -a $RPM_BUILD_DIR/%{uniquesuffix ""}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ +%endif pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ tapsetFiles=`ls *.stp` popd 
@@ -2528,6 +2551,14 @@ for suffix in %{build_loop} ; do ln -sf %{jredir -- $suffix} %{jrelnk -- $suffix} popd + pushd ${jdk_image} + + # Install main files. + install -d -m 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} + cp -a bin include lib src.zip {ASSEMBLY_EXCEPTION,LICENSE,THIRD_PARTY_README} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} + install -d -m 755 $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix} + cp -a jre/bin jre/lib jre/{ASSEMBLY_EXCEPTION,LICENSE,THIRD_PARTY_README} $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix} + # Remove javaws man page rm -f man/man1/javaws* @@ -2551,7 +2582,7 @@ for suffix in %{build_loop} ; do fi cp -a sample $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} -popd + popd if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation @@ -2851,6 +2882,19 @@ cjc.mainProgram(args) %endif %changelog +* Wed Jul 19 2023 Andrew Hughes - 1:1.8.0.382.b05-2 +- Update to shenandoah-jdk8u372-b05 (GA) +- Update release notes for shenandoah-8u372-b05. +- Sync the copy of the portable specfile with the latest update +- Add note at top of spec file about rebuilding +- Use tapsets from the misc tarball on portable builds +- Make sure root installation directory is created first +- Use in-place substitution for all but the first of the tapset changes +- The 'prelease' variable should refer to 'portablerelease', not 'rpmrelease' +- Bump release number so we are newer than 9.0 +- ** This tarball is embargoed until 2023-07-18 @ 1pm PT. ** +- Resolves: rhbz#2221106 + * Fri Jul 07 2023 Andrew Hughes - 1:1.8.0.382.b04-0.1.ea - Update to shenandoah-jdk8u382-b04 (EA) - Update release notes for shenandoah-8u382-b04. diff --git a/sources b/sources index 9214eee..024a7f3 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671
-SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b04-4curve.tar.xz) = 225cc8290d33d72903bc0fc1d72c60f99a80315c28b6e4e0ab362ccf178c3cf32d9b56612167e5d4be5e0166a161eb00c9b0561550740f2940d19763aea28a76
+SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b05-4curve.tar.xz) = 630471974a292884f8ce59dc068379ff5e3012d93fa1d8edc3e3712e78f4daf277c2a2f47db354f381d0a2ec741fd0d08127a78120de35ae32c3b6597e972df3