Update to shenandoah-jdk8u432-b06 (GA)

- Update release notes for shenandoah-8u432-b06. - Switch to GA mode. ** This tarball is embargoed until 2024-10-15 @ 1pm PT. ** Resolves: RHEL-61281
2024-10-11 01:36:15 +01:00 · 2024-10-11 01:36:15 +01:00 · f96a25e277
commit f96a25e277
parent e72e4df309
4 changed files with 84 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@ -306,3 +306,4 @@
 /shenandoah8u422-b01.tar.xz
 /shenandoah8u422-b05.tar.xz
 /shenandoah8u432-b05.tar.xz
+/shenandoah8u432-b06.tar.xz
--- a/78
+++ b/78
@ -8,6 +8,20 @@ New in release OpenJDK 8u432 (2024-10-15):
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u432

+* CVEs
+  - CVE-2024-21208
+  - CVE-2024-21210
+  - CVE-2024-21217
+  - CVE-2024-21235
+* Security fixes
+  - JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
+  - JDK-8313626, JDK-8307769: C2 crash due to unexpected exception control flow
+  - JDK-8328286: Enhance HTTP client
+  - JDK-8328544: Improve handling of vectorization
+  - JDK-8328726: Better Kerberos support
+  - JDK-8331446: Improve deserialization support
+  - JDK-8332644: Improve graph optimizations
+  - JDK-8335713: Enhance vectorization analysis
 * Other changes
  - JDK-4660158: TTY: NumberFormatException while trying to set values by 'set' command
  - JDK-6544871: java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows.
@ -21,8 +35,11 @@ Live versions of these release notes can be found at:
  - JDK-8145919: sun/management/jmxremote/bootstrap/RmiSslBootstrapTest failed with Connection failed for no credentials
  - JDK-8152207: Perform array bound checks while getting a length of bytecode instructions
  - JDK-8193682: Infinite loop in ZipOutputStream.close()
+  - JDK-8196770: Add JNDI test com/sun/jndi/ldap/blits/AddTests/AddNewEntry.java
  - JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04
+  - JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp
  - JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
+  - JDK-8251188: Update LDAP tests not to use wildcard addresses
  - JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java
  - JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
  - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
@ -63,6 +80,8 @@ Live versions of these release notes can be found at:
  - JDK-8337312: [8u] Windows x86 VS2010 build broken by JDK-8320097
  - JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
  - JDK-8338144: [8u] Remove duplicate license files
+  - JDK-8341057: Add 2 SSL.com TLS roots
+  - JDK-8341059: Change Entrust TLS distrust date to November 12, 2024

 Notes on individual issues:
 ===========================
@ -88,21 +107,22 @@ This change has no effect on TLS_ECDHE cipher suites, which remain
 enabled by default.

 JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
+JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
 ====================================================================================================
 In accordance with similar plans recently announced by Google and
 Mozilla, the JDK will not trust Transport Layer Security (TLS)
-certificates issued after the 31st of October 2024 which are anchored
+certificates issued after the 11th of November 2024 which are anchored
 by Entrust root certificates.  This includes certificates branded as
 AffirmTrust, which are managed by Entrust.

-Certificates issued on or before October 31st, 2024 will continue to
+Certificates issued on or before November 11th, 2024 will continue to
 be trusted until they expire.

 If a server's certificate chain is anchored by an affected
 certificate, attempts to negotiate a TLS session will fail with an
 Exception that indicates the trust anchor is not trusted. For example,

-"TLS server certificate issued after 2024-10-31 and anchored by a
+"TLS server certificate issued after 2024-11-11 and anchored by a
 distrusted legacy Entrust root CA: CN=Entrust.net Certification
 Authority (2048), OU=(c) 1999 Entrust.net Limited,
 OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
@ -189,6 +209,21 @@ the `java.security` configuration file (or override it by using the
 longer listed in the `jdk.security.caDistrustPolicies` security
 property.

+security-libs/java.security:
+
+JDK-8341057: Add 2 SSL.com TLS roots
+====================================
+The following root certificates have been added to the cacerts
+truststore:
+
+Name: SSL.com
+Alias Name: ssltlsrootecc2022
+Distinguished Name: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
+
+Name: SSL.com
+Alias Name: ssltlsrootrsa2022
+Distinguished Name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
+
 client-libs:

 JDK-8307779: Relax the java.awt.Robot specification
@ -200,6 +235,43 @@ methods in the `java.awt.Robot` class - `mouseMove(int,int)`,
 allow these methods to fail when the desktop environment does not
 permit moving the mouse pointer or capturing screen content.

+core-libs/javax.naming:
+
+JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
+===============================================================================================================================
+With this OpenJDK release, the JDK implementation of the LDAP provider
+no longer supports the deserialisation of Java objects by
+default. This is achieved by the system property
+`com.sun.jndi.ldap.object.trustSerialData` being set to `false` by
+default.
+
+Note that this release also increases the scope of the
+`com.sun.jndi.ldap.object.trustSerialData` to cover the reconstruction
+of RMI remote objects from the `javaRemoteLocation` LDAP attribute.
+
+The result of this change is that transparent deserialisation of Java
+objects will require an explicit opt-in. Applications that wish to
+reconstruct Java objects and RMI stubs from LDAP attributes will need
+to set the `com.sun.jndi.ldap.object.trustSerialData` to `true`.
+
+core-libs/java.net:
+
+JDK-8328286: Enhance HTTP client
+================================
+This OpenJDK release limits the maximum header field size accepted by
+the HTTP client within the JDK for all supported versions of the HTTP
+protocol. The header field size is computed as the sum of the size of
+the uncompressed header name, the size of the uncompressed header
+value and a overhead of 32 bytes for each field section line. If a
+peer sends a field section that exceeds this limit, a
+`java.net.ProtocolException` will be raised.
+
+This release also introduces a new system property,
+`jdk.http.maxHeaderSize`. This property can be used to alter the
+maximum header field size (in bytes) or disable it by setting the
+value to zero or a negative value. The default value is 393,216 bytes
+or 384kB.
+
 core-libs/java.util.jar:

 JDK-8193682: Infinite loop in ZipOutputStream.close()
--- a/java-1.8.0-openjdk.spec
+++ b/java-1.8.0-openjdk.spec
@ -299,7 +299,7 @@
 # Define version of OpenJDK 8 used
 %global project openjdk
 %global repo shenandoah-jdk8u
-%global openjdk_revision 8u432-b05
+%global openjdk_revision 8u432-b06
 %global shenandoah_revision shenandoah%{openjdk_revision}
 # Define IcedTea version used for SystemTap tapsets and desktop files
 %global icedteaver      3.15.0
@ -356,7 +356,7 @@
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
 # - N%%{?extraver}{?dist} for GA releases
-%global is_ga           0
+%global is_ga           1
 %if %{is_ga}
 %global milestone          fcs
 %global milestone_version  %{nil}
@ -2684,10 +2684,9 @@ cjc.mainProgram(args)
 %endif

 %changelog
-* Thu Oct 10 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.432.b05-0.2.ea
- Update to shenandoah-jdk8u432-b05 (EA)
- Update release notes for shenandoah-8u432-b05.
- Switch to EA mode.
+* Fri Oct 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.432.b06-2
+- Update to shenandoah-jdk8u432-b06 (GA)
+- Update release notes for shenandoah-8u432-b06.
 - Drop JDK-828109{6,7,8}/PR3836 patch following integration of upstream version
 - Regenerate JDK-8199936/PR3533 patch following JDK-828109{6,7,8} integration
 - Bump version of bundled zlib to 1.3.1 following JDK-8324632
@ -2696,6 +2695,8 @@ cjc.mainProgram(args)
 - Add build scripts to repository to ease remembering all CentOS & RHEL targets and options
 - Resolves: RHEL-58792
 - Resolves: RHEL-17183
+- Resolves: RHEL-61281
+- ** This tarball is embargoed until 2024-10-15 @ 1pm PT. **

 * Wed Jul 10 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.422.b05-3
 - Bump rpmrelease for CentOS build
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671
-SHA512 (shenandoah8u432-b05.tar.xz) = c6d7389d1beeabe423b29fbf9505d72a15859cccda7732d5648573a85ba02506b3dcda05bae8cf8924a641af9459e6fbcc4c0328cd5d15c65eff8cef5699d5b8
+SHA512 (shenandoah8u432-b06.tar.xz) = ad40b6bd076508cb5702955e25a4f797dde4c2050b0833992b8713d0e1f80a8604367e887562e24ef8a7615603ebc833847eb1c06634aca658610914b92d78f6