diff --git a/.gitignore b/.gitignore
index d001145..deb76bd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -283,3 +283,4 @@
 /java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.s390x.tar.xz
 /java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.x86_64.tar.xz
 /openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz
+/openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b01-4curve.tar.xz
diff --git a/NEWS b/NEWS
index 51e3859..643f359 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,33 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u382 (2023-07-18): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk8u382 + +* Other changes + - JDK-8151460: Metaspace counters can have inconsistent values + - JDK-8152432: Implement setting jtreg @requires properties vm.flavor, vm.bits, vm.compMode + - JDK-8185736: missing default exception handler in calls to rethrow_Stub + - JDK-8215105: java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color + - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert + - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec + - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key + - JDK-8276841: Add support for Visual Studio 2022 + - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode + - JDK-8278851: Correct signer logic for jars signed with multiple digest algorithms + - JDK-8282345: handle latest VS2022 in abstract_vm_version + - JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary + - JDK-8289301: P11Cipher should not throw out of bounds exception during padding + - JDK-8293232: Fix race condition in pkcs11 SessionManager + - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation + - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13 + - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message + - JDK-8303462: Bump update version of OpenJDK: 8u382 + - JDK-8305113: (tz) Update Timezone Data to 2023c + - JDK-8305165: [8u] ServiceThread::nmethods_do is not called to keep nmethods from being zombied while in 
the queue + New in release OpenJDK 8u372 (2023-04-18): =========================================== Live versions of these release notes can be found at: diff --git a/java-1.8.0-openjdk-portable.specfile b/java-1.8.0-openjdk-portable.specfile index 9197600..d4ec700 100644 --- a/java-1.8.0-openjdk-portable.specfile +++ b/java-1.8.0-openjdk-portable.specfile @@ -298,7 +298,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u372-b07 +%global openjdk_revision jdk8u382-b01 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -319,12 +319,12 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 2 +%global rpmrelease 1 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global milestone fcs %global milestone_version %{nil} @@ -628,8 +628,6 @@ Patch12: jdk8186464-rh1433262-zip64_failure.patch # able to be removed once that release is out # and used by this RPM. ############################################# -# JDK-8271199, RH2175317: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key -Patch2001: jdk8271199-rh2175317-custom_pkcs11_provider_support.patch ############################################# # 
@@ -718,6 +716,8 @@ BuildRequires: lcms2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel %else +# Version in jdk/src/share/native/java/util/zip/zlib/zlib.h +Provides: bundled(zlib) = 1.2.13 # Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h Provides: bundled(giflib) = 5.2.1 # Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h @@ -887,8 +887,6 @@ pushd %{top_level_dir_name} %patch1000 -p1 # system cacerts support %patch539 -p1 -# 8u382 fix -%patch2001 -p1 popd # RPM-only fixes @@ -1524,6 +1522,13 @@ done %{_jvmdir}/%{miscportablearchive}.sha256sum %changelog +* Wed Jun 28 2023 Andrew Hughes - 1:1.8.0.382.b01-0.1.ea +- Update to shenandoah-jdk8u382-b01 (EA) +- Update release notes for shenandoah-8u382-b01. +- Switch to EA mode. +- Remove JDK-8271199 patch which is now upstream. +- Add version of bundled zlib (bumped from 1.2.11 to 1.2.13 with this update) + * Thu Apr 27 2023 Andrew Hughes - 1:1.8.0.372.b07-2 - Sync with existing RHEL 8 build, in order to start building portables on RHEL 8 - Fix debug symbols flag to newboot and package naming diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index adc805d..77a895c 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -338,7 +338,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u372-b07 +%global openjdk_revision jdk8u382-b01 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} 
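Review bot: The new `Provides: bundled(zlib) = 1.2.13` in the `%else` branch of the `@@ -718,6 +716,8 @@` hunk is a hand-maintained copy of the version in `jdk/src/share/native/java/util/zip/zlib/zlib.h`, and nothing visible in the change checks one against the other. Tooling that maps bundled libraries to advisories relies on this string, so a later source update that moves zlib again without touching the spec would leave the package advertising the wrong version. A cheap guard, run from the source top-level directory in `%prep`, would be `grep -q 'define ZLIB_VERSION "1.2.13"' jdk/src/share/native/java/util/zip/zlib/zlib.h`, ideally driven by a `%global` shared with the Provides line. The same line is added in java-1.8.0-openjdk.spec (`@@ -1678,6 +1679,8 @@`); the conditional that opens this `%else` starts outside both hunks, so it is worth confirming that it also decides whether zlib is bundled.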
@@ -354,9 +354,9 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 2 +%global rpmrelease 1 # Settings used by the portable build -%global portablerelease 2 +%global portablerelease 1 %global portablesuffix el8 %global portablebuilddir /builddir/build/BUILD @@ -364,7 +364,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global milestone fcs %global milestone_version %{nil} @@ -1365,6 +1365,8 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} Name: java-%{javaver}-%{origin} Version: %{javaver}.%{updatever}.%{buildver} Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# Equivalent for the portable build +%global prelease %{?eaprefix}%{rpmrelease}%{?extraver} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a 
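Review bot: In the `@@ -1365,6 +1365,8 @@` hunk, `%global prelease %{?eaprefix}%{rpmrelease}%{?extraver}` is built from `rpmrelease` rather than `portablerelease`, although its comment calls it the equivalent for the portable build and the later hunks substitute it for `%{portablerelease}` (`releasezip` and its siblings, the `BuildRequires` on the portable subpackages, and `portablenvr`). Both macros are set to 1 in this commit, so it resolves correctly today, but the first rebuild that bumps `rpmrelease` without a matching portable build would require and unpack a portable NVR that does not exist. `portablerelease` also appears to have no remaining use in the visible hunks. If the intent is only to add the EA prefix, `%global prelease %{?eaprefix}%{portablerelease}%{?extraver}` keeps the two release numbers independent; uses outside the hunks shown may differ.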
@@ -1448,11 +1450,11 @@ Source19: README.md Source20: java-1.%{majorver}.0-openjdk-portable.specfile # Setup variables to reference correct sources -%global releasezip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.unstripped.jdk.%{_arch}.tar.xz -%global docszip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.docs.%{_arch}.tar.xz -%global misczip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.misc.%{_arch}.tar.xz -%global slowdebugzip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.slowdebug.jdk.%{_arch}.tar.xz -%global fastdebugzip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.fastdebug.jdk.%{_arch}.tar.xz +%global releasezip %{_jvmdir}/%{name}-portable-%{version}-%{prelease}.portable.unstripped.jdk.%{_arch}.tar.xz +%global docszip %{_jvmdir}/%{name}-portable-%{version}-%{prelease}.portable.docs.%{_arch}.tar.xz +%global misczip %{_jvmdir}/%{name}-portable-%{version}-%{prelease}.portable.misc.%{_arch}.tar.xz +%global slowdebugzip %{_jvmdir}/%{name}-portable-%{version}-%{prelease}.portable.slowdebug.jdk.%{_arch}.tar.xz +%global fastdebugzip %{_jvmdir}/%{name}-portable-%{version}-%{prelease}.portable.fastdebug.jdk.%{_arch}.tar.xz ############################################ # @@ -1575,8 +1577,7 @@ Patch581: jdk8257794-remove_broken_assert.patch # able to be removed once that release is out # and used by this RPM. ############################################# -# JDK-8271199, RH2175317: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key -Patch2001: jdk8271199-rh2175317-custom_pkcs11_provider_support.patch + ############################################# # 
@@ -1644,16 +1645,16 @@ BuildRequires: unzip BuildRequires: javapackages-filesystem %ifarch %{portable_build_arches} %if %{include_normal_build} -BuildRequires: java-1.%{majorver}.0-openjdk-portable-unstripped = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-unstripped = %{epoch}:%{version}-%{prelease}.%{portablesuffix} %endif %if %{include_fastdebug_build} -BuildRequires: java-1.%{majorver}.0-openjdk-portable-devel-fastdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-devel-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} %endif %if %{include_debug_build} -BuildRequires: java-1.%{majorver}.0-openjdk-portable-devel-slowdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-devel-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} %endif -BuildRequires: java-1.%{majorver}.0-openjdk-portable-docs = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} -BuildRequires: java-1.%{majorver}.0-openjdk-portable-misc = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-docs = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-misc = %{epoch}:%{version}-%{prelease}.%{portablesuffix} %else # Require a boot JDK which doesn't fail due to RH1482244 BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3 @@ -1678,6 +1679,8 @@ BuildRequires: lcms2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel %else +# Version in jdk/src/share/native/java/util/zip/zlib/zlib.h +Provides: bundled(zlib) = 1.2.13 # Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h Provides: bundled(giflib) = 5.2.1 # Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h 
@@ -1985,8 +1988,6 @@ pushd %{top_level_dir_name} %patch1000 -p1 # cacerts patch; must follow FIPS patch as it also alters java.security %patch539 -p1 -# 8u382 fix -%patch2001 -p1 popd # RPM-only fixes @@ -2272,7 +2273,7 @@ for suffix in %{build_loop} ; do mkdir -p $(dirname ${installdir}) mv %{name}* ${installdir} # Fix build paths in ELF files so it looks like we built them - portablenvr="%{name}-portable-%{version}-%{portablerelease}.%{portablesuffix}.%{_arch}" + portablenvr="%{name}-portable-%{version}-%{prelease}.%{portablesuffix}.%{_arch}" for file in $(find ${installdir} -type f) ; do if file ${file} | grep -q 'ELF'; then %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file} @@ -2850,6 +2851,19 @@ cjc.mainProgram(args) %endif %changelog +* Wed Jul 05 2023 Andrew Hughes - 1:1.8.0.382.b01-0.1.ea +- Introduce 'prelease' for the portable release versioning, to handle EA builds +- Sync the copy of the portable specfile with the latest update +- Related: rhbz#2217711 + +* Wed Jun 28 2023 Andrew Hughes - 1:1.8.0.382.b01-0.1.ea +- Update to shenandoah-jdk8u382-b01 (EA) +- Update release notes for shenandoah-8u382-b01. +- Switch to EA mode. +- Remove JDK-8271199 patch which is now upstream. +- Add version of bundled zlib (bumped from 1.2.11 to 1.2.13 with this update) +- Related: rhbz#2217711 + * Tue Apr 18 2023 Andrew Hughes - 1:1.8.0.372.b07-2 - Update to shenandoah-jdk8u372-b07 (GA) - Update release notes for shenandoah-8u372-b07. diff --git a/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch b/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch deleted file mode 100644 index 42ac516..0000000 --- a/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch +++ /dev/null 
@@ -1,167 +0,0 @@ -commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99 -Author: Alexey Bakhtin -Date: Tue Apr 4 10:29:11 2023 +0000 - - 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key - - Reviewed-by: andrew, mbalao - Backport-of: f6232982b91cb2314e96ddbde3984836a810a556 - -diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java -index a79e97d7c74..5378446b97b 100644 ---- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java -+++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java -@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi { - @Override - protected void engineInitVerify(PublicKey publicKey) - throws InvalidKeyException { -- if (!(publicKey instanceof RSAPublicKey)) { -+ if (publicKey instanceof RSAPublicKey) { -+ RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey; -+ isPublicKeyValid(rsaPubKey); -+ this.pubKey = rsaPubKey; -+ this.privKey = null; -+ resetDigest(); -+ } else { - throw new InvalidKeyException("key must be RSAPublicKey"); - } -- this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey); -- this.privKey = null; -- resetDigest(); - } - - // initialize for signing. See JCA doc -@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi { - @Override - protected void engineInitSign(PrivateKey privateKey, SecureRandom random) - throws InvalidKeyException { -- if (!(privateKey instanceof RSAPrivateKey)) { -+ if (privateKey instanceof RSAPrivateKey) { -+ RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey; -+ isPrivateKeyValid(rsaPrivateKey); -+ this.privKey = rsaPrivateKey; -+ this.pubKey = null; -+ this.random = -+ (random == null ? 
JCAUtil.getSecureRandom() : random); -+ resetDigest(); -+ } else { - throw new InvalidKeyException("key must be RSAPrivateKey"); - } -- this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey); -- this.pubKey = null; -- this.random = -- (random == null? JCAUtil.getSecureRandom() : random); -- resetDigest(); - } - - /** -@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi { - } - } - -+ /** -+ * Validate the specified RSAPrivateKey -+ */ -+ private void isPrivateKeyValid(RSAPrivateKey prKey) throws InvalidKeyException { -+ try { -+ if (prKey instanceof RSAPrivateCrtKey) { -+ RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey; -+ if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) { -+ RSAKeyFactory.checkRSAProviderKeyLengths( -+ crtKey.getModulus().bitLength(), -+ crtKey.getPublicExponent()); -+ } else { -+ throw new InvalidKeyException( -+ "Some of the CRT-specific components are not available"); -+ } -+ } else { -+ RSAKeyFactory.checkRSAProviderKeyLengths( -+ prKey.getModulus().bitLength(), -+ null); -+ } -+ } catch (InvalidKeyException ikEx) { -+ throw ikEx; -+ } catch (Exception e) { -+ throw new InvalidKeyException( -+ "Can not access private key components", e); -+ } -+ isValid(prKey); -+ } -+ -+ /** -+ * Validate the specified RSAPublicKey -+ */ -+ private void isPublicKeyValid(RSAPublicKey pKey) throws InvalidKeyException { -+ try { -+ RSAKeyFactory.checkRSAProviderKeyLengths( -+ pKey.getModulus().bitLength(), -+ pKey.getPublicExponent()); -+ } catch (InvalidKeyException ikEx) { -+ throw ikEx; -+ } catch (Exception e) { -+ throw new InvalidKeyException( -+ "Can not access public key components", e); -+ } -+ isValid(pKey); -+ } -+ - /** - * Validate the specified RSAKey and its associated parameters against - * internal signature parameters. 
- */ -- private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException { -+ private void isValid(RSAKey rsaKey) throws InvalidKeyException { - try { - AlgorithmParameterSpec keyParams = rsaKey.getParams(); - // validate key parameters -@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi { - } - checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength()); - } -- return rsaKey; - } catch (SignatureException e) { - throw new InvalidKeyException(e); - } -diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java -index 6b219937981..b3c1fae9672 100644 ---- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java -+++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java -@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl - RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded); - // check all CRT-specific components are available, if any one - // missing, return a non-CRT key instead -- if ((key.getPublicExponent().signum() == 0) || -- (key.getPrimeExponentP().signum() == 0) || -- (key.getPrimeExponentQ().signum() == 0) || -- (key.getPrimeP().signum() == 0) || -- (key.getPrimeQ().signum() == 0) || -- (key.getCrtCoefficient().signum() == 0)) { -+ if (checkComponents(key)) { -+ return key; -+ } else { - return new RSAPrivateKeyImpl( - key.algid, - key.getModulus(), -- key.getPrivateExponent() -- ); -- } else { -- return key; -+ key.getPrivateExponent()); - } - } - -+ /** -+ * Validate if all CRT-specific components are available. 
-+ */
-+ static boolean checkComponents(RSAPrivateCrtKey key) {
-+ return !((key.getPublicExponent().signum() == 0) ||
-+ (key.getPrimeExponentP().signum() == 0) ||
-+ (key.getPrimeExponentQ().signum() == 0) ||
-+ (key.getPrimeP().signum() == 0) ||
-+ (key.getPrimeQ().signum() == 0) ||
-+ (key.getCrtCoefficient().signum() == 0));
-+ }
-+
- /**
- * Generate a new key from the specified type and components.
- * Returns a CRT key if possible and a non-CRT key otherwise.
diff --git a/sources b/sources
index 808ed42..3b9cfac 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671
-SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz) = afc1324463883404f22cea3c37177d7b6164fc4cf285d958e7ec21aba976dc306045296eadaa296a31795be6b543ca0b742e0ba074689c3e5a50b9956383934b
+SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b01-4curve.tar.xz) = e6219684046922a4fcfc577fe3457d28a48e79f3bb57b575b0195273b559293a8a8990197d5a37ca63d6a9d9c50ebf41b7d7630b1b16841df6396eb58b72f404