From 4a2d0e432ae646539bee19d37200bcc9d4a521ba Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Fri, 14 Jul 2023 08:45:58 +0100 Subject: [PATCH] Update to shenandoah-jdk8u372-b05 (GA) Update release notes for shenandoah-8u372-b05. Sync the copy of the portable specfile with the latest update Add note at top of spec file about rebuilding Use tapsets from the misc tarball on portable builds Make sure root installation directory is created first Use in-place substitution for all but the first of the tapset changes The 'prelease' variable should refer to 'portablerelease', not 'rpmrelease' Bump release number so we are newer than 9.0 ** This tarball is embargoed until 2023-07-18 @ 1pm PT. ** Resolves: rhbz#2221106 --- .gitignore | 1 + NEWS | 19 +++++ java-1.8.0-openjdk-portable.specfile | 52 ++++++-------- java-1.8.0-openjdk.spec | 102 +++++++++++++++++++-------- sources | 2 +- 5 files changed, 114 insertions(+), 62 deletions(-) diff --git a/.gitignore b/.gitignore index c5bbcae..19deb2a 100644 --- a/.gitignore +++ b/.gitignore @@ -285,3 +285,4 @@ /openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz /openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b01-4curve.tar.xz /openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b04-4curve.tar.xz +/openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b05-4curve.tar.xz diff --git a/NEWS b/NEWS index f8b9f73..305d2cf 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,14 @@ New in release OpenJDK 8u382 (2023-07-18): Live versions of these release notes can be found at: * https://bit.ly/openjdk8u382 +* CVEs + - CVE-2023-22045 + - CVE-2023-22049 +* Security fixes + - JDK-8298676: Enhanced Look and Feel + - JDK-8300596: Enhance Jar Signature validation + - JDK-8304468: Better array usages + - JDK-8305312: Enhanced path handling * Other changes - JDK-8072678: Wrong exception messages in java.awt.color.ICC_ColorSpace - JDK-8151460: Metaspace counters can have inconsistent values @@ -31,6 +39,7 @@ Live versions of these release notes can be found at: - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13 - JDK-8298108: Add a regression test for JDK-8297684 - JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows + - JDK-8301119: Support for GB18030-2022 - JDK-8301400: Allow additional characters for GB18030-2022 support - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message - JDK-8303028: Update system property for Java SE specification maintenance version @@ -42,6 +51,7 @@ Live versions of these release notes can be found at: - JDK-8307134: Add GTS root CAs - JDK-8307310: Backport the tests for JDK-8058969 and JDK-8039271 to the OpenJDK8 - JDK-8307531: [aarch64] JDK8 single-step debugging is extremely slow + - JDK-8310947: gb18030-2000 not selectable with LANG=zh_CN.GB18030 after JDK-8301119 Notes on individual issues: =========================== @@ -58,6 +68,15 @@ which is implemented in this release of OpenJDK via the addition of a new UnicodeBlock instance, Character.CJK_UNIFIED_IDEOGRAPHS_EXTENSION_E. +core-libs/java.util.jar: + +8300596: Enhance Jar Signature validation +========================================= +A System property "jdk.jar.maxSignatureFileSize" is introduced to +configure the maximum number of bytes allowed for the +signature-related files in a JAR file during verification. The default +value is 8000000 bytes (8 MB). + security-libs/java.security: JDK-8307134: Added 4 GTS Root CA Certificates diff --git a/java-1.8.0-openjdk-portable.specfile b/java-1.8.0-openjdk-portable.specfile index 0dd1862..caf4cd3 100644 --- a/java-1.8.0-openjdk-portable.specfile +++ b/java-1.8.0-openjdk-portable.specfile @@ -256,9 +256,8 @@ %global stapinstall %{nil} %endif -# Always off in portables %ifarch %{systemtap_arches} -%global with_systemtap 0 +%global with_systemtap 1 %else %global with_systemtap 0 %endif @@ -298,7 +297,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u382-b04 +%global openjdk_revision jdk8u382-b05 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -319,12 +318,12 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 1 +%global rpmrelease 2 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 0 +%global is_ga 1 %if %{is_ga} %global milestone fcs %global milestone_version %{nil} @@ -395,20 +394,6 @@ %global alternatives_requires %{_sbindir}/alternatives %endif -%if %{with_systemtap} -# Where to install systemtap tapset (links) -# We would like these to be in a package specific sub-dir, -# but currently systemtap doesn't support that, so we have to -# use the root tapset dir for now. To distinguish between 64 -# and 32 bit architectures we place the tapsets under the arch -# specific dir (note that systemtap will only pickup the tapset -# for the primary arch for now). Systemtap uses the machine name -# aka target_cpu as architecture specific directory name. -%global tapsetroot /usr/share/systemtap -%global tapsetdirttapset %{tapsetroot}/tapset/ -%global tapsetdir %{tapsetdirttapset}/%{stapinstall} -%endif - # Prevent brp-java-repack-jars from being run. %global __jar_repack 0 @@ -465,8 +450,7 @@ Source7: NEWS # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (3.x). # Systemtap tapsets. Zipped up to keep it small. -# Disabled in portables -#Source8: tapsets-icedtea-%%{icedteaver}.tar.xz +Source8: tapsets-icedtea-%%{icedteaver}.tar.xz # Desktop files. Adapted from IcedTea # Disabled in portables @@ -913,17 +897,7 @@ cp -r tapset tapset%{fastdebug_suffix} for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do - OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` - sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/jre/lib/%{archinstall}/server/libjvm.so:g" $file > $file.1 -# TODO find out which architectures other than i686 have a client vm -%ifarch %{ix86} - sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/jre/lib/%{archinstall}/client/libjvm.so:g" $file.1 > $OUTPUT_FILE -%else - sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.1 > $OUTPUT_FILE -%endif - sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE - sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE - sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $file done done # systemtap tapsets ends @@ -1134,6 +1108,7 @@ function packagejdk() { local bundledir=$(pwd)/${1}/bundles local packagesdir=$(pwd)/${2} local srcdir=$(pwd)/%{top_level_dir_name} + local tapsetdir=$(pwd)/tapset echo "Packaging build from ${imagesdir} to ${packagesdir}..." mkdir -p ${packagesdir} @@ -1195,6 +1170,9 @@ function packagejdk() { for s in 16 24 32 48 ; do cp -av ${srcdir}/jdk/src/solaris/classes/sun/awt/X11/java-icon${s}.png ${miscname} done +%if %{with_systemtap} + cp -a ${tapsetdir}* ${miscname} +%endif tar -cJf ${miscarchive} ${miscname} genchecksum ${miscarchive} fi @@ -1522,6 +1500,16 @@ done %{_jvmdir}/%{miscportablearchive}.sha256sum %changelog +* Fri Jul 14 2023 Andrew Hughes - 1:1.8.0.382.b05-2 +- Re-enable SystemTap support and perform only substitutions possible without final NVR available +- Include tapsets in the miscellaneous tarball +- Drop unused globals for tapset installation + +* Fri Jul 14 2023 Andrew Hughes - 1:1.8.0.382.b05-1 +- Update to shenandoah-jdk8u372-b05 (GA) +- Update release notes for shenandoah-8u372-b05. +- ** This tarball is embargoed until 2023-07-18 @ 1pm PT. ** + * Fri Jul 07 2023 Andrew Hughes - 1:1.8.0.382.b04-0.1.ea - Update to shenandoah-jdk8u382-b04 (EA) - Update release notes for shenandoah-8u382-b04. diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index 381e937..d111a6a 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -1,3 +1,8 @@ +# To rebuild this RPM, you must first rebuild the portable +# RPM using the java-1.8.0-openjdk-portable.specfile, install +# it and then adjust portablerelease and portablesuffix +# to match the new portable. + # RPM conditionals so as to be able to dynamically produce # slowdebug/release builds. See: # http://rpm.org/user_doc/conditional_builds.html @@ -338,7 +343,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u382-b04 +%global openjdk_revision jdk8u382-b05 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -354,9 +359,9 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 1 +%global rpmrelease 2 # Settings used by the portable build -%global portablerelease 1 +%global portablerelease 2 %global portablesuffix el8 %global portablebuilddir /builddir/build/BUILD @@ -364,7 +369,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 0 +%global is_ga 1 %if %{is_ga} %global milestone fcs %global milestone_version %{nil} @@ -1366,7 +1371,7 @@ Name: java-%{javaver}-%{origin} Version: %{javaver}.%{updatever}.%{buildver} Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} # Equivalent for the portable build -%global prelease %{?eaprefix}%{rpmrelease}%{?extraver} +%global prelease %{?eaprefix}%{portablerelease}%{?extraver} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -2001,6 +2006,8 @@ popd # Shenandoah patches +%ifnarch %{portable_build_arches} + # Extract systemtap tapsets %if %{with_systemtap} tar --strip-components=1 -x -I xz -f %{SOURCE8} @@ -2011,7 +2018,6 @@ cp -r tapset tapset%{debug_suffix} cp -r tapset tapset%{fastdebug_suffix} %endif - for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` @@ -2030,6 +2036,9 @@ done # systemtap tapsets ends %endif +# non-portable_build only section ends +%endif + # Prepare desktop files # The _X_ syntax indicates variables that are replaced by make upstream # The @X@ syntax indicates variables that are replaced by configure upstream @@ -2252,6 +2261,20 @@ function customisejdk() { fi } +%ifarch %{portable_build_arches} + +mkdir -p $(dirname %{installoutputdir}) + +docdir=%{installoutputdir -- "-docs"} +tar -xJf %{docszip} +mv %{name}*.docs.* ${docdir} + +miscdir=%{installoutputdir -- "-misc"} +tar -xJf %{misczip} +mv %{name}*.misc.* ${miscdir} + +%endif + for suffix in %{build_loop} ; do %ifarch %{portable_build_arches} @@ -2270,7 +2293,6 @@ for suffix in %{build_loop} ; do # TODO: should verify checksums when using packages from buildroot tar -xJf ${jdkzip} - mkdir -p $(dirname ${installdir}) mv %{name}* ${installdir} # Fix build paths in ELF files so it looks like we built them portablenvr="%{name}-portable-%{version}-%{prelease}.%{portablesuffix}.%{_arch}" @@ -2280,6 +2302,22 @@ for suffix in %{build_loop} ; do fi done + # Set tapset variables to match this build +%if %{with_systemtap} + for file in ${miscdir}/tapset${suffix}/*.in; do + OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` + sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > ${OUTPUT_FILE} +# TODO find out which architectures other than i686 have a client vm +%ifarch %{ix86} + sed -i -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" ${OUTPUT_FILE} +%else + sed -i -e "/@ABS_CLIENT_LIBJVM_SO@/d" ${OUTPUT_FILE} +%endif + sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE + sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + done +%endif + %else if [ "x$suffix" = "x" ] ; then @@ -2329,18 +2367,6 @@ for suffix in %{build_loop} ; do # build cycles done -%ifarch %{portable_build_arches} - -docdir=%{installoutputdir -- "-docs"} -tar -xJf %{docszip} -mv %{name}*.docs.* ${docdir} - -miscdir=%{installoutputdir -- "-misc"} -tar -xJf %{misczip} -mv %{name}*.misc.* ${miscdir} - -%endif - %check # We test debug first as it will give better diagnostics on a crash @@ -2478,7 +2504,7 @@ for suffix in %{build_loop} ; do %ifarch %{portable_build_arches} jdk_image=%{installoutputdir -- $suffix} docdir=$(pwd)/%{installoutputdir -- "-docs"} - miscdir=%{installoutputdir -- "-misc"} + miscdir=$(pwd)/%{installoutputdir -- "-misc"} %else jdk_image=%{installoutputdir -- $suffix}/images/%{jdkimage} docdir=%{installoutputdir -- $suffix} @@ -2496,23 +2522,20 @@ for suffix in %{build_loop} ; do cp -a %{SOURCE19} %{SOURCE20} ${commondocdir} # Install the jdk - pushd ${jdk_image} - # Install jsa directories so we can owe them + # Install jsa directories so we can own them mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/server/ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/client/ - # Install main files. - install -d -m 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} - cp -a bin include lib src.zip {ASSEMBLY_EXCEPTION,LICENSE,THIRD_PARTY_README} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} - install -d -m 755 $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix} - cp -a jre/bin jre/lib jre/{ASSEMBLY_EXCEPTION,LICENSE,THIRD_PARTY_README} $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix} - %if %{with_systemtap} # Install systemtap support files install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset +%ifarch %{portable_build_arches} + cp -a ${miscdir}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ +%else # note, that uniquesuffix is in BUILD dir in this case cp -a $RPM_BUILD_DIR/%{uniquesuffix ""}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ +%endif pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ tapsetFiles=`ls *.stp` popd @@ -2528,6 +2551,14 @@ for suffix in %{build_loop} ; do ln -sf %{jredir -- $suffix} %{jrelnk -- $suffix} popd + pushd ${jdk_image} + + # Install main files. + install -d -m 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} + cp -a bin include lib src.zip {ASSEMBLY_EXCEPTION,LICENSE,THIRD_PARTY_README} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} + install -d -m 755 $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix} + cp -a jre/bin jre/lib jre/{ASSEMBLY_EXCEPTION,LICENSE,THIRD_PARTY_README} $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix} + # Remove javaws man page rm -f man/man1/javaws* @@ -2551,7 +2582,7 @@ for suffix in %{build_loop} ; do fi cp -a sample $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} -popd + popd if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation @@ -2851,6 +2882,19 @@ cjc.mainProgram(args) %endif %changelog +* Wed Jul 19 2023 Andrew Hughes - 1:1.8.0.382.b05-2 +- Update to shenandoah-jdk8u372-b05 (GA) +- Update release notes for shenandoah-8u372-b05. +- Sync the copy of the portable specfile with the latest update +- Add note at top of spec file about rebuilding +- Use tapsets from the misc tarball on portable builds +- Make sure root installation directory is created first +- Use in-place substitution for all but the first of the tapset changes +- The 'prelease' variable should refer to 'portablerelease', not 'rpmrelease' +- Bump release number so we are newer than 9.0 +- ** This tarball is embargoed until 2023-07-18 @ 1pm PT. ** +- Resolves: rhbz#2221106 + * Fri Jul 07 2023 Andrew Hughes - 1:1.8.0.382.b04-0.1.ea - Update to shenandoah-jdk8u382-b04 (EA) - Update release notes for shenandoah-8u382-b04. diff --git a/sources b/sources index 9214eee..024a7f3 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671 -SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b04-4curve.tar.xz) = 225cc8290d33d72903bc0fc1d72c60f99a80315c28b6e4e0ab362ccf178c3cf32d9b56612167e5d4be5e0166a161eb00c9b0561550740f2940d19763aea28a76 +SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b05-4curve.tar.xz) = 630471974a292884f8ce59dc068379ff5e3012d93fa1d8edc3e3712e78f4daf277c2a2f47db354f381d0a2ec741fd0d08127a78120de35ae32c3b6597e972df3