From bb7474becdaca667371f0e0a3a0e0c10528c1d54 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Thu, 27 Jan 2022 08:48:23 -0500 Subject: [PATCH] import java-1.8.0-openjdk-1.8.0.322.b06-2.el8_5 --- .gitignore | 2 +- .java-1.8.0-openjdk.metadata | 2 +- SOURCES/NEWS | 126 ++++++++++++++++++ ...k8279077-missing_crash_protector_ppc.patch | 23 ++++ ...263-fips_ensure_security_initialised.patch | 28 ++++ ...h2021263-fips_missing_native_returns.patch | 24 ++++ SPECS/java-1.8.0-openjdk.spec | 79 ++++++++--- 7 files changed, 262 insertions(+), 22 deletions(-) create mode 100644 SOURCES/jdk8279077-missing_crash_protector_ppc.patch create mode 100644 SOURCES/rh2021263-fips_ensure_security_initialised.patch create mode 100644 SOURCES/rh2021263-fips_missing_native_returns.patch diff --git a/.gitignore b/.gitignore index 75a0702..5f70416 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b07-4curve.tar.xz +SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index a2cebb3..dd9d11c 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -097b9b3d7dc423db2c9a6ef554370fb77d614952 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b07-4curve.tar.xz +c54dd40b6deb5defa8d4d7132d650080d0e300f4 SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index ef9db68..e911b13 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,132 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u322 (2022-01-18): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk8u322 + * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u322.txt + +* Security fixes + - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization + - JDK-8268488: More valuable DerValues + - JDK-8268494: Better inlining of inlined interfaces + - JDK-8268512: More content for ContentInfo + - JDK-8268795: Enhance digests of Jar files + - JDK-8268801: Improve PKCS attribute handling + - JDK-8268813, CVE-2022-21283: Better String matching + - JDK-8269151: Better construction of EncryptedPrivateKeyInfo + - JDK-8269944: Better HTTP transport redux + - JDK-8270392, CVE-2022-21293: Improve String constructions + - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps + - JDK-8270492, CVE-2022-21282: Better resolution of URIs + - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management + - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities + - JDK-8271962: Better TrueType font loading + - JDK-8271968: Better canonical naming + - JDK-8271987: Manifest improved manifest entries + - JDK-8272014, CVE-2022-21305: Better array indexing + - JDK-8272026, CVE-2022-21340: Verify Jar Verification + - JDK-8272236, CVE-2022-21341: Improve serial forms for transport + - JDK-8272272: Enhance jcmd communication + - JDK-8272462: Enhance image handling + - JDK-8273290: Enhance sound handling + - JDK-8273748, CVE-2022-21349: Improve Solaris font rendering + - JDK-8273756, CVE-2022-21360: Enhance BMP image support + - JDK-8273838, CVE-2022-21365: Enhanced BMP processing +* Other changes + - JDK-6801613: Cross-platform pageDialog and printDialog top margin entry broken + - JDK-8011541: [TEST_BUG] closed/javax/swing/plaf/metal/MetalUtils/bug6190373.java fails NPE since 7u25b03 + - JDK-8025430: [TEST_BUG] javax/swing/JEditorPane/5076514/bug5076514.java failed since jdk8b108 + - JDK-8041928: MouseEvent.getModifiersEx gives wrong result + - JDK-8042199: The build of J2DBench via makefile is broken after the JDK-8005402 + - JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9) + - JDK-8048021: Remove @version tag in jaxp repo + - JDK-8049348: compiler/intrinsics/bmi/verifycode tests on lzcnt and tzcnt use incorrect assumption about REXB prefix usage + - JDK-8060027: Tests java/beans/XMLEncoder/Test4903007.java and java/beans/XMLEncoder/java_awt_GridBagLayout.java + - JDK-8066588: javax/management/remote/mandatory/connection/RMIConnector_NPETest.java fails to compile + - JDK-8066652: Default TimeZone is GMT not local if user.timezone is invalid on Mac OS + - JDK-8069034: gc/g1/TestEagerReclaimHumongousRegionsClearMarkBits.java nightly failure + - JDK-8077590: windows_i586_6.2-product-c2-runThese8_Xcomp_vm failing after win compiler upgrade + - JDK-8080287: The image of BufferedImage.TYPE_INT_ARGB and BufferedImage.TYPE_INT_ARGB_PRE is blank + - JDK-8140329: [TEST_BUG] test FullScreenAfterSplash.java failed because image was not generated + - JDK-8140472: java/net/ipv6tests/TcpTest.java failed intermittently with java.net.BindException: Address already in use: NET_Bind + - JDK-8147051: StaxEntityResolverWrapper should create StaxXMLInputSource with a resolver indicator + - JDK-8148915: Intermittent failures of bug6400879.java + - JDK-8176837: SunPKCS11 provider needs to check more details on PKCS11 Mechanism + - JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black + - JDK-8177536: Avoid Apple Peer-to-Peer interfaces in networking tests + - JDK-8182036: Load from initializing arraycopy uses wrong memory state + - JDK-8183369: RFC unconformity of HttpURLConnection with proxy + - JDK-8183543: Aarch64: C2 compilation often fails with "failed spill-split-recycle sanity check" + - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll + - JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar + - JDK-8190482: InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride + - JDK-8190793: Httpserver does not detect truncated request body + - JDK-8196572: Tests ColConvCCMTest.java and MTColConvTest.java fail + - JDK-8202788: Explicitly reclaim cached thread-local direct buffers at thread exit + - JDK-8210058: Algorithmic Italic font leans opposite angle in Printing + - JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs + - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 + - JDK-8225083: Remove Google certificate that is expiring in December 2021 + - JDK-8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread + - JDK-8231254: (fs) Add test for macOS Catalina changes to protect system software + - JDK-8231438: [macOS] Dark mode for the desktop is not supported + - JDK-8232178: MacVolumesTest failed after upgrade to MacOS Catalina + - JDK-8232226: [macos 10.15] test/jdk/java/awt/color/EqualityTest/EqualityTest.java may fail + - JDK-8235153: [TESTBUG] [macos 10.15] java/awt/Graphics/DrawImageBG/SystemBgColorTest.java fails + - JDK-8236897: Fix the copyright header for pkcs11gcm2.h + - JDK-8237499: JFR: Include stack trace in the ThreadStart event + - JDK-8239886: Minimal VM build fails after JDK-8237499 + - JDK-8261397: Try Catch Method Failing to Work When Dividing An Integer By 0 + - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" + - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions + - JDK-8273308: PatternMatchTest.java fails on CI + - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817 + - JDK-8273826: Correct Manifest file name and NPE checks + - JDK-8273968: JCK javax_xml tests fail in CI + - JDK-8274407: (tz) Update Timezone Data to 2021c + - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b + - JDK-8274468: TimeZoneTest.java fails with tzdata2021b + - JDK-8274595: DisableRMIOverHTTPTest failed: connection refused + - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST + - JDK-8275766: (tz) Update Timezone Data to 2021e + - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e + - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766 + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8271434: Removed IdenTrust Root Certificate +=============================================== +The following root certificate from IdenTrust has been removed from +the `cacerts` keystore: + +Alias Name: identrustdstx3 [jdk] +Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. + +JDK-8272535: Removed Google's GlobalSign Root Certificate +========================================================= +The following root certificate from Google has been removed from the +`cacerts` keystore: + +Alias Name: globalsignr2ca [jdk] +Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 + +core-libs/java.time: + +JDK-8274857: Update Timezone Data to 2021c +=========================================== +IANA Time Zone Database, on which JDK's Date/Time libraries are based, +has been updated to version 2021c +(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note +that with this update, some of the time zone rules prior to the year +1970 have been modified according to the changes which were introduced +with 2021b. For more detail, refer to the announcement of 2021b +(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html) + New in release OpenJDK 8u312 (2021-10-19): =========================================== Live versions of these release notes can be found at: diff --git a/SOURCES/jdk8279077-missing_crash_protector_ppc.patch b/SOURCES/jdk8279077-missing_crash_protector_ppc.patch new file mode 100644 index 0000000..0ab462e --- /dev/null +++ b/SOURCES/jdk8279077-missing_crash_protector_ppc.patch @@ -0,0 +1,23 @@ +# HG changeset patch +# User zgu +# Date 1641313782 0 +# Tue Jan 04 16:29:42 2022 +0000 +# Node ID b694a28adaa2a602fedbc4aeba69b9c2350e7409 +# Parent 3177fc2314df6deb4d4771148f27934a597dd1d7 +8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler +Reviewed-by: phh + +diff --git openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp +--- openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp ++++ openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp +@@ -176,6 +176,10 @@ + + Thread* t = ThreadLocalStorage::get_thread_slow(); + ++ // Must do this before SignalHandlerMark, if crash protection installed we will longjmp away ++ // (no destructors can be run) ++ os::ThreadCrashProtection::check_crash_protection(sig, t); ++ + SignalHandlerMark shm(t); + + // Note: it's not uncommon that JNI code uses signal/sigset to install diff --git a/SOURCES/rh2021263-fips_ensure_security_initialised.patch b/SOURCES/rh2021263-fips_ensure_security_initialised.patch new file mode 100644 index 0000000..5aa9ec7 --- /dev/null +++ b/SOURCES/rh2021263-fips_ensure_security_initialised.patch @@ -0,0 +1,28 @@ +commit 06c2decab204fcce5aca2d285953fcac1820b1ae +Author: Andrew John Hughes +Date: Mon Jan 24 01:23:28 2022 +0000 + + RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance + +diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java +index 40ca609e02..0dafe6f59c 100644 +--- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java ++++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java +@@ -31,6 +31,7 @@ import java.io.Console; + import java.io.FileDescriptor; + import java.io.ObjectInputStream; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + import java.security.AccessController; +@@ -255,6 +256,9 @@ public class SharedSecrets { + } + + public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ unsafe.ensureClassInitialized(Security.class); ++ } + return javaSecuritySystemConfiguratorAccess; + } + } diff --git a/SOURCES/rh2021263-fips_missing_native_returns.patch b/SOURCES/rh2021263-fips_missing_native_returns.patch new file mode 100644 index 0000000..90cc44e --- /dev/null +++ b/SOURCES/rh2021263-fips_missing_native_returns.patch @@ -0,0 +1,24 @@ +commit 7f58a05104138ebdfd3b7b968ed67ea4c8573073 +Author: Fridrich Strba +Date: Mon Jan 24 01:10:57 2022 +0000 + + RH2021263: Return in C code after having generated Java exception + +diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c +index 6f4656bfcb..34d0ff0ce9 100644 +--- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c ++++ openjdk/jdk/src/solaris/native/java/security/systemconf.c +@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); + if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + fips_enabled = fgetc(fe); + fclose(fe); + if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " read character is '%c'", fips_enabled); diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index 1c14733..40fb8c9 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -70,8 +70,10 @@ %global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler %global jit_arches %{debug_arches} +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches %{arm} ppc s390 s390x # Set of architectures which run a full bootstrap cycle -%global bootstrap_arches %{jit_arches} +%global bootstrap_arches %{jit_arches} %{zero_arches} # Set of architectures which support SystemTap tapsets %global systemtap_arches %{jit_arches} # Set of architectures which support the serviceability agent @@ -124,9 +126,9 @@ %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %ifarch %{bootstrap_arches} -%global bootstrap_build 1 +%global bootstrap_build true %else -%global bootstrap_build 1 +%global bootstrap_build false %endif %global bootstrap_targets images @@ -263,9 +265,9 @@ %endif # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. -%global shenandoah_project aarch64-port -%global shenandoah_repo jdk8u-shenandoah -%global shenandoah_revision aarch64-shenandoah-jdk8u312-b07 +%global shenandoah_project openjdk +%global shenandoah_repo shenandoah-jdk8u +%global shenandoah_revision aarch64-shenandoah-jdk8u322-b06 # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} %global repo %{shenandoah_repo} @@ -968,8 +970,8 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ Requires: javapackages-filesystem # Require zoneinfo data provided by tzdata-java subpackage. -# 2021a required as of JDK-8260356 in April CPU -Requires: tzdata-java >= 2021a +# 2021e required as of JDK-8275766 in January 2022 CPU +Requires: tzdata-java >= 2021e # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} %if ! 0%{?flatpak} @@ -1204,6 +1206,9 @@ Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch Patch1008: rh1996182-login_to_nss_software_token.patch # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false Patch1011: rh1991003-enable_fips_keys_import.patch +# RH2021263: Resolve outstanding FIPS issues +Patch1014: rh2021263-fips_ensure_security_initialised.patch +Patch1015: rh2021263-fips_missing_native_returns.patch ############################################# # @@ -1279,13 +1284,14 @@ Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch ############################################# # -# Patches appearing in 8u282 +# Patches appearing in 8u332 # # This section includes patches which are present # in the listed OpenJDK 8u release and should be # able to be removed once that release is out # and used by this RPM. ############################################# +Patch700: jdk8279077-missing_crash_protector_ppc.patch ############################################# # @@ -1362,8 +1368,8 @@ BuildRequires: java-1.8.0-openjdk-devel %ifnarch %{jit_arches} BuildRequires: libffi-devel %endif -# 2021a required as of JDK-8260356 in April CPU -BuildRequires: tzdata-java >= 2021a +# 2021e required as of JDK-8275766 in January 2022 CPU +BuildRequires: tzdata-java >= 2021e # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1696,6 +1702,9 @@ sh %{SOURCE12} %patch580 %patch539 +# Upstreamed fixes +%patch700 + # RPM-only fixes %patch600 %patch1000 @@ -1708,6 +1717,8 @@ sh %{SOURCE12} %patch1007 %patch1008 %patch1011 +%patch1014 +%patch1015 # RHEL-only patches %if ! 0%{?fedora} && 0%{?rhel} <= 7 @@ -1916,19 +1927,23 @@ installdir=%{installoutputdir -- $suffix} bootinstalldir=boot${installdir} # Debug builds don't need same targets as release for -# build speed-up -maketargets="%{release_targets}" +# build speed-up. We also avoid bootstrapping these +# slower builds. if echo $debugbuild | grep -q "debug" ; then maketargets="%{debug_targets}" + run_bootstrap=false +else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} fi -%if %{bootstrap_build} -buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} -buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} -%{!?with_artifacts:rm -rf ${bootinstalldir}} -%else -buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} -%endif +if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} + buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} + %{!?with_artifacts:rm -rf ${bootinstalldir}} +else + buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} +fi # Install nss.cfg right away as we will be using the JRE above export JAVA_HOME=$(pwd)/%{installoutputdir -- $suffix}/images/%{jdkimage} @@ -2450,6 +2465,30 @@ cjc.mainProgram(args) %endif %changelog +* Mon Jan 24 2022 Andrew Hughes - 1:1.8.0.322.b06-2 +- Fix FIPS issues in native code and with initialisation of java.security.Security +- Related: rhbz#2039366 + +* Fri Jan 21 2022 Andrew Hughes - 1:1.8.0.322.b06-1 +- Update to aarch64-shenandoah-jdk8u322-b06 (EA) +- Update release notes for 8u322-b06. +- Switch to GA mode for final release. +- Require tzdata 2021e as of JDK-8275766. +- Update tarball generation script to use git following shenandoah-jdk8u's move to github +- Resolves: rhbz#2039366 + +* Tue Jan 18 2022 Andrew Hughes - 1:1.8.0.322.b04-0.2.ea +- Add backport of JDK-8279077 to fix crash on ppc64 +- Resolves: rhbz#2030399 + +* Mon Jan 10 2022 Andrew Hughes - 1:1.8.0.322.b04-0.1.ea +- Update to aarch64-shenandoah-jdk8u322-b04 (EA) +- Update release notes for 8u322-b04. +- Require tzdata 2021c as of JDK-8274407. +- Switch to EA mode. +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Related: rhbz#2039366 + * Fri Oct 15 2021 Andrew Hughes - 1:1.8.0.312.b07-2 - Update to aarch64-shenandoah-jdk8u312-b07 (EA) - Update release notes for 8u312-b07.