From ed2bf7b0bc90c781a248583d0bef1ce3f978d229 Mon Sep 17 00:00:00 2001
From: Andrew Hughes
Date: Fri, 11 Oct 2024 01:36:15 +0100
Subject: [PATCH] Update to shenandoah-jdk8u432-b06 (GA)
- Update release notes for shenandoah-8u432-b06.
- Switch to GA mode.
** This tarball is embargoed until 2024-10-15 @ 1pm PT. **
Resolves: RHEL-58786
---
 .gitignore | 1 +
 NEWS | 78 +++++++++++++++++++++++++++++++++++++++--
 java-1.8.0-openjdk.spec | 12 +++----
 sources | 2 +-
 4 files changed, 83 insertions(+), 10 deletions(-)
diff --git a/.gitignore b/.gitignore
index a7490a9..8db5a24 100644
--- a/.gitignore
+++ b/.gitignore
@@ -299,3 +299,4 @@
 /shenandoah8u422-b01.tar.xz
 /shenandoah8u422-b05.tar.xz
 /shenandoah8u432-b05.tar.xz
+/shenandoah8u432-b06.tar.xz
diff --git a/NEWS b/NEWS
index caa3a98..65a62a5 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,20 @@ New in release OpenJDK 8u432 (2024-10-15):
 Live versions of these release notes can be found at:
 * https://bit.ly/openjdk8u432
+* CVEs
+ - CVE-2024-21208
+ - CVE-2024-21210
+ - CVE-2024-21217
+ - CVE-2024-21235
+* Security fixes
+ - JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
+ - JDK-8313626, JDK-8307769: C2 crash due to unexpected exception control flow
+ - JDK-8328286: Enhance HTTP client
+ - JDK-8328544: Improve handling of vectorization
+ - JDK-8328726: Better Kerberos support
+ - JDK-8331446: Improve deserialization support
+ - JDK-8332644: Improve graph optimizations
+ - JDK-8335713: Enhance vectorization analysis
 * Other changes
 - JDK-4660158: TTY: NumberFormatException while trying to set values by 'set' command
 - JDK-6544871: java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows.
@@ -21,8 +35,11 @@ Live versions of these release notes can be found at:
 - JDK-8145919: sun/management/jmxremote/bootstrap/RmiSslBootstrapTest failed with Connection failed for no credentials
 - JDK-8152207: Perform array bound checks while getting a length of bytecode instructions
 - JDK-8193682: Infinite loop in ZipOutputStream.close()
+ - JDK-8196770: Add JNDI test com/sun/jndi/ldap/blits/AddTests/AddNewEntry.java
 - JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04
+ - JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp
 - JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
+ - JDK-8251188: Update LDAP tests not to use wildcard addresses
 - JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java
 - JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
 - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
@@ -63,6 +80,8 @@ Live versions of these release notes can be found at:
 - JDK-8337312: [8u] Windows x86 VS2010 build broken by JDK-8320097
 - JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
 - JDK-8338144: [8u] Remove duplicate license files
+ - JDK-8341057: Add 2 SSL.com TLS roots
+ - JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
 Notes on individual issues:
 ===========================
@@ -88,21 +107,22 @@ This change has no effect on TLS_ECDHE cipher suites, which remain enabled by default. JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs +JDK-8341059: Change Entrust TLS distrust date to November 12, 2024 ==================================================================================================== In accordance with similar plans recently announced by Google and Mozilla, the JDK will not trust Transport Layer Security (TLS) -certificates issued after the 31st of October 2024 which are anchored +certificates issued after the 11th of November 2024 which are anchored by Entrust root certificates. This includes certificates branded as AffirmTrust, which are managed by Entrust. -Certificates issued on or before October 31st, 2024 will continue to +Certificates issued on or before November 11th, 2024 will continue to be trusted until they expire. If a server's certificate chain is anchored by an affected certificate, attempts to negotiate a TLS session will fail with an Exception that indicates the trust anchor is not trusted. For example, -"TLS server certificate issued after 2024-10-31 and anchored by a +"TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), 
@@ -189,6 +209,21 @@ the `java.security` configuration file (or override it by using the longer listed in the `jdk.security.caDistrustPolicies` security property. +security-libs/java.security: + +JDK-8341057: Add 2 SSL.com TLS roots +==================================== +The following root certificates have been added to the cacerts +truststore: + +Name: SSL.com +Alias Name: ssltlsrootecc2022 +Distinguished Name: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US + +Name: SSL.com +Alias Name: ssltlsrootrsa2022 +Distinguished Name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US + client-libs: JDK-8307779: Relax the java.awt.Robot specification 
@@ -200,6 +235,43 @@ methods in the `java.awt.Robot` class - `mouseMove(int,int)`, allow these methods to fail when the desktop environment does not permit moving the mouse pointer or capturing screen content. +core-libs/javax.naming: + +JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property +=============================================================================================================================== +With this OpenJDK release, the JDK implementation of the LDAP provider +no longer supports the deserialisation of Java objects by +default. This is achieved by the system property +`com.sun.jndi.ldap.object.trustSerialData` being set to `false` by +default. + +Note that this release also increases the scope of the +`com.sun.jndi.ldap.object.trustSerialData` to cover the reconstruction +of RMI remote objects from the `javaRemoteLocation` LDAP attribute. + +The result of this change is that transparent deserialisation of Java +objects will require an explicit opt-in. Applications that wish to +reconstruct Java objects and RMI stubs from LDAP attributes will need +to set the `com.sun.jndi.ldap.object.trustSerialData` to `true`. + +core-libs/java.net: + +JDK-8328286: Enhance HTTP client +================================ +This OpenJDK release limits the maximum header field size accepted by +the HTTP client within the JDK for all supported versions of the HTTP +protocol. The header field size is computed as the sum of the size of +the uncompressed header name, the size of the uncompressed header +value and a overhead of 32 bytes for each field section line. If a +peer sends a field section that exceeds this limit, a +`java.net.ProtocolException` will be raised. + +This release also introduces a new system property, +`jdk.http.maxHeaderSize`. This property can be used to alter the +maximum header field size (in bytes) or disable it by setting the +value to zero or a negative value. 
The default value is 393,216 bytes
+or 384kB.
+
 core-libs/java.util.jar:
 JDK-8193682: Infinite loop in ZipOutputStream.close()
diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec
index 40bb681..34f0197 100644
--- a/java-1.8.0-openjdk.spec
+++ b/java-1.8.0-openjdk.spec
@@ -316,7 +316,7 @@
 # Define version of OpenJDK 8 used
 %global project openjdk
 %global repo shenandoah-jdk8u
-%global openjdk_revision 8u432-b05
+%global openjdk_revision 8u432-b06
 %global shenandoah_revision shenandoah%{openjdk_revision}
 # Define IcedTea version used for SystemTap tapsets and desktop files
 %global icedteaver 3.15.0
@@ -378,7 +378,7 @@
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
 # - N%%{?extraver}{?dist} for GA releases
-%global is_ga 0
+%global is_ga 1
 %if %{is_ga}
 %global milestone fcs
 %global milestone_version %{nil}
@@ -2939,10 +2939,9 @@ cjc.mainProgram(args)
 %endif
 %changelog
-* Thu Oct 10 2024 Andrew Hughes - 1:1.8.0.432.b05-0.2.ea
-- Update to shenandoah-jdk8u432-b05 (EA)
-- Update release notes for shenandoah-8u432-b05.
-- Switch to EA mode.
+* Fri Oct 11 2024 Andrew Hughes - 1:1.8.0.432.b06-2
+- Update to shenandoah-jdk8u432-b06 (GA)
+- Update release notes for shenandoah-8u432-b06.
 - Drop JDK-828109{6,7,8}/PR3836 patch following integration of upstream version
 - Regenerate JDK-8199936/PR3533 patch following JDK-828109{6,7,8} integration
 - Bump version of bundled zlib to 1.3.1 following JDK-8324632
@@ -2951,6 +2950,7 @@ cjc.mainProgram(args)
 - Add build scripts to repository to ease remembering all CentOS & RHEL targets and options
 - Resolves: RHEL-58786
 - Resolves: RHEL-17187
+- ** This tarball is embargoed until 2024-10-15 @ 1pm PT. **
 * Wed Jul 10 2024 Andrew Hughes - 1:1.8.0.422.b05-3
 - Bump rpmrelease for CentOS build and update RHEL version hack following July 2025 update
diff --git a/sources b/sources
index 92cfded..e9d774d 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671
-SHA512 (shenandoah8u432-b05.tar.xz) = c6d7389d1beeabe423b29fbf9505d72a15859cccda7732d5648573a85ba02506b3dcda05bae8cf8924a641af9459e6fbcc4c0328cd5d15c65eff8cef5699d5b8
+SHA512 (shenandoah8u432-b06.tar.xz) = ad40b6bd076508cb5702955e25a4f797dde4c2050b0833992b8713d0e1f80a8604367e887562e24ef8a7615603ebc833847eb1c06634aca658610914b92d78f6