rpms/java-1.8.0-openjdk
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9
rpms:a8-portable
rpms:c10s
rpms:c9s
rpms:c9-bootstrap
rpms:a9
rpms:c9-beta
rpms:c8-beta
rpms:c8s
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.432.b06-3.el9
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.432.b06-2.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.432.b06-2.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.422.b05-2.el8
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.422.b05-2.el9
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.412.b08-2.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.412.b08-2.el8
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.402.b06-2.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.402.b06-2.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.392.b08-4.el8
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.392.b08-3.el9
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.382.b05-2.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.382.b05-2.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.372.b07-4.el8
rpms:changed/a9/java-1.8.0-openjdk-1.8.0.372.b07-2.el9.alma
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.372.b07-2.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.372.b07-1.el8_7
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.372.b07-1.el9_1
rpms:imports/c9-beta/java-1.8.0-openjdk-1.8.0.362.b08-3.el9
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.362.b08-3.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.362.b09-4.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.362.b09-3.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.362.b08-3.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.362.b09-2.el9_1
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.362.b01-0.3.ea.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.352.b08-2.el8_7
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.352.b08-2.el9_1
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.345.b01-5.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.352.b08-2.el8_7
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.345.b01-5.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.352.b08-2.el8_6
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.352.b08-2.el9_0
rpms:imports/c9-beta/java-1.8.0-openjdk-1.8.0.345.b01-2.el9
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.345.b01-2.el8
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.345.b01-1.el9_0
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.345.b01-1.el8_6
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.342.b07-1.el9_0
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.342.b07-2.el8_6
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.332.b09-1.el9_0
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.322.b06-9.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.332.b09-2.el8_6
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.322.b06-11.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5
rpms:imports/c9-beta/java-1.8.0-openjdk-1.8.0.322.b06-9.el9
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.322.b06-11.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.322.b06-11.el8
rpms:imports/c9-beta/java-1.8.0-openjdk-1.8.0.322.b06-2.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.322.b06-2.el8_5
rpms:imports/c9-beta/java-1.8.0-openjdk-1.8.0.312.b01-0.1.ea.el9
rpms:imports/c9-beta/java-1.8.0-openjdk-1.8.0.302.b08-3.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.302.b08-3.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.302.b08-3.el8
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.282.b08-1.el8
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.262.b03-0.2.ea.el8
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.232.b09-3.el8
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.212.b04-3.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.312.b02-0.1.ea.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.302.b05-0.0.ea.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.302.b04-0.0.ea.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.302.b03-0.3.ea.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.302.b03-0.0.ea.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.302.b02-0.0.ea.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.282.b08-4.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.282.b08-2.el8_3
...
pull from: rpms:c9-bootstrap
Branches Tags
rpms:c9
rpms:a8-portable
rpms:c8
rpms:c10s
rpms:c9s
rpms:c9-bootstrap
rpms:a9
rpms:c9-beta
rpms:c8-beta
rpms:c8s
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.432.b06-3.el9
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.432.b06-2.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.432.b06-2.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.422.b05-2.el8
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.422.b05-2.el9
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.412.b08-2.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.412.b08-2.el8
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.402.b06-2.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.402.b06-2.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.392.b08-4.el8
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.392.b08-3.el9
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.382.b05-2.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.382.b05-2.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.372.b07-4.el8
rpms:changed/a9/java-1.8.0-openjdk-1.8.0.372.b07-2.el9.alma
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.372.b07-2.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.372.b07-1.el8_7
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.372.b07-1.el9_1
rpms:imports/c9-beta/java-1.8.0-openjdk-1.8.0.362.b08-3.el9
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.362.b08-3.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.362.b09-4.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.362.b09-3.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.362.b08-3.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.362.b09-2.el9_1
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.362.b01-0.3.ea.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.352.b08-2.el8_7
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.352.b08-2.el9_1
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.345.b01-5.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.352.b08-2.el8_7
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.345.b01-5.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.352.b08-2.el8_6
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.352.b08-2.el9_0
rpms:imports/c9-beta/java-1.8.0-openjdk-1.8.0.345.b01-2.el9
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.345.b01-2.el8
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.345.b01-1.el9_0
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.345.b01-1.el8_6
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.342.b07-1.el9_0
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.342.b07-2.el8_6
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.332.b09-1.el9_0
rpms:imports/c9/java-1.8.0-openjdk-1.8.0.322.b06-9.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.332.b09-2.el8_6
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.322.b06-11.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5
rpms:imports/c9-beta/java-1.8.0-openjdk-1.8.0.322.b06-9.el9
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.322.b06-11.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.322.b06-11.el8
rpms:imports/c9-beta/java-1.8.0-openjdk-1.8.0.322.b06-2.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.322.b06-2.el8_5
rpms:imports/c9-beta/java-1.8.0-openjdk-1.8.0.312.b01-0.1.ea.el9
rpms:imports/c9-beta/java-1.8.0-openjdk-1.8.0.302.b08-3.el9
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.302.b08-3.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.302.b08-3.el8
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.282.b08-1.el8
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.262.b03-0.2.ea.el8
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.232.b09-3.el8
rpms:imports/c8-beta/java-1.8.0-openjdk-1.8.0.212.b04-3.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.312.b02-0.1.ea.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.302.b05-0.0.ea.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.302.b04-0.0.ea.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.302.b03-0.3.ea.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.302.b03-0.0.ea.el8
rpms:imports/c8s/java-1.8.0-openjdk-1.8.0.302.b02-0.0.ea.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.282.b08-4.el8
rpms:imports/c8/java-1.8.0-openjdk-1.8.0.282.b08-2.el8_3

No commits in common. "c8" and "c9-bootstrap" have entirely different histories.
c8 ... c9-bootstr

14 changed files with 1500 additions and 10248 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/shenandoah8u432-b06.tar.xz
SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz

2
.java-1.8.0-openjdk.metadata
View File

@ -1,2 +1,2 @@
af2d3b85c48ecc8c22188ac687e6160658ef6aca SOURCES/shenandoah8u432-b06.tar.xz
3f015b60e085b0e1f0fd9ea13abf775a890c2b1b SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz

898
SOURCES/NEWS
View File

@ -3,889 +3,6 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 8u432 (2024-10-15):
===========================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk8u432
* CVEs
- CVE-2024-21208
- CVE-2024-21210
- CVE-2024-21217
- CVE-2024-21235
* Security fixes
- JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
- JDK-8313626, JDK-8307769: C2 crash due to unexpected exception control flow
- JDK-8328286: Enhance HTTP client
- JDK-8328544: Improve handling of vectorization
- JDK-8328726: Better Kerberos support
- JDK-8331446: Improve deserialization support
- JDK-8332644: Improve graph optimizations
- JDK-8335713: Enhance vectorization analysis
* Other changes
- JDK-4660158: TTY: NumberFormatException while trying to set values by 'set' command
- JDK-6544871: java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows.
- JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails
- JDK-8021775: compiler/8009761/Test8009761.java "Failed: init recursive calls: 51. After deopt 50"
- JDK-8030204: com/sun/jdi/JdbExprTest.sh: Required output "Can\\'t convert 2147483648 to int" not found
- JDK-8030795: java/nio/file/Files/probeContentType/ForceLoad.java failing with ServiceConfigurationError without jtreg -agentvm option
- JDK-8035395: sun/management/jmxremote/startstop/JMXStartStopTest.java fails intermittently: Port already in use
- JDK-8075511: Enable -Woverloaded-virtual C++ warning for HotSpot build
- JDK-8137329: [windows] Build broken on VS2010 after "8046148: JEP 158: Unified JVM Logging"
- JDK-8145919: sun/management/jmxremote/bootstrap/RmiSslBootstrapTest failed with Connection failed for no credentials
- JDK-8152207: Perform array bound checks while getting a length of bytecode instructions
- JDK-8193682: Infinite loop in ZipOutputStream.close()
- JDK-8196770: Add JNDI test com/sun/jndi/ldap/blits/AddTests/AddNewEntry.java
- JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04
- JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp
- JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
- JDK-8251188: Update LDAP tests not to use wildcard addresses
- JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java
- JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
- JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
- JDK-8279164: Disable TLS_ECDH_* cipher suites
- JDK-8281096: Flags introduced by configure script are not passed to ADLC build
- JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown"
- JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors
- JDK-8299677: Formatter.format might take a long time to format an integer or floating-point
- JDK-8305400: ISO 4217 Amendment 175 Update
- JDK-8305931: jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java failed with "Expected chains but found none"
- JDK-8307779: Relax the java.awt.Robot specification
- JDK-8309138: Fix container tests for jdks with symlinked conf dir
- JDK-8311666: Disabled tests in test/jdk/sun/java2d/marlin
- JDK-8315117: Update Zlib Data Compression Library to Version 1.3
- JDK-8315863: [GHA] Update checkout action to use v4
- JDK-8316328: Test jdk/jfr/event/oldobject/TestSanityDefault.java times out for some heap sizes
- JDK-8318039: GHA: Bump macOS and Xcode versions
- JDK-8318951: Additional negative value check in JPEG decoding
- JDK-8320964: sun/tools/native2ascii/Native2AsciiTests.sh fails on Japanese
- JDK-8321480: ISO 4217 Amendment 176 Update
- JDK-8324632: Update Zlib Data Compression Library to Version 1.3.1
- JDK-8324723: GHA: Upgrade some actions to avoid deprecated Node 16
- JDK-8326351: Update the Zlib version in open/src/java.base/share/legal/zlib.md to 1.3.1
- JDK-8326521: JFR: CompilerPhase event test fails on windows 32 bit
- JDK-8326529: JFR: Test for CompilerCompile events fails due to time out
- JDK-8327007: javax/swing/JSpinner/8008657/bug8008657.java fails
- JDK-8330415: Update system property for Java SE specification maintenance version
- JDK-8331730: [8u] GHA: update sysroot for cross builds to Debian bullseye
- JDK-8333126: Bump update version of OpenJDK: 8u432
- JDK-8333669: [8u] GHA: Dead VS2010 download link
- JDK-8333724: Problem list security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1
- JDK-8334653: ISO 4217 Amendment 177 Update
- JDK-8334905: [8u] The test java/awt/Mixing/AWT_Mixing/JButtonOverlapping.java started to fail after 8159690
- JDK-8335851: [8u] Test JMXStartStopTest.java fails after JDK-8334415
- JDK-8335894: [8u] Fix SupplementalJapaneseEraTest.java for jdks with symlinked conf dir
- JDK-8336928: GHA: Bundle artifacts removal broken
- JDK-8337110: [8u] TestNoEagerReclaimOfHumongousRegions.java should be in gc/g1 directory
- JDK-8337312: [8u] Windows x86 VS2010 build broken by JDK-8320097
- JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
- JDK-8338144: [8u] Remove duplicate license files
- JDK-8341057: Add 2 SSL.com TLS roots
- JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
Notes on individual issues:
===========================
security-libs/javax.net.ssl:
JDK-8279164: Disable TLS_ECDH_* cipher suites
=============================================
The TLS_ECDH cipher suites do not preserve forward secrecy and are
rarely used in practice. With this release, they are disabled by
adding "ECDH" to the `jdk.tls.disabledAlgorithms` security property in
the `java.security` configuration file. Attempts to use these suites
with this release will result in a `SSLHandshakeException` being
thrown. Note that ECDH cipher suites which use RC4 were already
disabled prior to this change.
Users can, *at their own risk*, remove this restriction by modifying
the `java.security` configuration file (or override it by using the
`java.security.properties` system property) so "ECDH" is no longer
listed in the `jdk.tls.disabledAlgorithms` security property.
This change has no effect on TLS_ECDHE cipher suites, which remain
enabled by default.
JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
====================================================================================================
In accordance with similar plans recently announced by Google and
Mozilla, the JDK will not trust Transport Layer Security (TLS)
certificates issued after the 11th of November 2024 which are anchored
by Entrust root certificates. This includes certificates branded as
AffirmTrust, which are managed by Entrust.
Certificates issued on or before November 11th, 2024 will continue to
be trusted until they expire.
If a server's certificate chain is anchored by an affected
certificate, attempts to negotiate a TLS session will fail with an
Exception that indicates the trust anchor is not trusted. For example,
"TLS server certificate issued after 2024-11-11 and anchored by a
distrusted legacy Entrust root CA: CN=Entrust.net Certification
Authority (2048), OU=(c) 1999 Entrust.net Limited,
OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
O=Entrust.net"
To check whether a certificate in a JDK keystore is affected by this
change, you can the `keytool` utility:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are affected by this change,
then you will need to update the certificate or contact the
organisation responsible for managing the certificate.
These restrictions apply to the following Entrust root certificates
included in the JDK:
Alias name: entrustevca [jdk]
CN=Entrust Root Certification Authority
OU=(c) 2006 Entrust, Inc.
OU=www.entrust.net/CPS is incorporated by reference
O=Entrust, Inc.
C=US
SHA256: 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C
Alias name: entrustrootcaec1 [jdk]
CN=Entrust Root Certification Authority - EC1
OU=(c) 2012 Entrust, Inc. - for authorized use only
OU=See www.entrust.net/legal-terms
O=Entrust, Inc.
C=US
SHA256: 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
Alias name: entrustrootcag2 [jdk]
CN=Entrust Root Certification Authority - G2
OU=(c) 2009 Entrust, Inc. - for authorized use only
OU=See www.entrust.net/legal-terms
O=Entrust, Inc.
C=US
SHA256: 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
Alias name: entrustrootcag4 [jdk]
CN=Entrust Root Certification Authority - G4
OU=(c) 2015 Entrust, Inc. - for authorized use only
OU=See www.entrust.net/legal-terms
O=Entrust, Inc.
C=US
SHA256: DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88
Alias name: entrust2048ca [jdk]
CN=Entrust.net Certification Authority (2048)
OU=(c) 1999 Entrust.net Limited
OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)
O=Entrust.net
SHA256: 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77
Alias name: affirmtrustcommercialca [jdk]
CN=AffirmTrust Commercial
O=AffirmTrust
C=US
SHA256: 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7
Alias name: affirmtrustnetworkingca [jdk]
CN=AffirmTrust Networking
O=AffirmTrust
C=US
SHA256: 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B
Alias name: affirmtrustpremiumca [jdk]
CN=AffirmTrust Premium
O=AffirmTrust
C=US
SHA256: 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A
Alias name: affirmtrustpremiumeccca [jdk]
CN=AffirmTrust Premium ECC
O=AffirmTrust
C=US
SHA256: BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23
Users can, *at their own risk*, remove this restriction by modifying
the `java.security` configuration file (or override it by using the
`java.security.properties` system property) so "ENTRUST_TLS" is no
longer listed in the `jdk.security.caDistrustPolicies` security
property.
security-libs/java.security:
JDK-8341057: Add 2 SSL.com TLS roots
====================================
The following root certificates have been added to the cacerts
truststore:
Name: SSL.com
Alias Name: ssltlsrootecc2022
Distinguished Name: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
Name: SSL.com
Alias Name: ssltlsrootrsa2022
Distinguished Name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
client-libs:
JDK-8307779: Relax the java.awt.Robot specification
===================================================
This release of OpenJDK 8 updates to the latest maintenance release of
the Java 8 specification. This relaxes the specification of three
methods in the `java.awt.Robot` class - `mouseMove(int,int)`,
`getPixelColor(int,int)` and `createScreenCapture(Rectangle)` - to
allow these methods to fail when the desktop environment does not
permit moving the mouse pointer or capturing screen content.
core-libs/javax.naming:
JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
===============================================================================================================================
With this OpenJDK release, the JDK implementation of the LDAP provider
no longer supports the deserialisation of Java objects by
default. This is achieved by the system property
`com.sun.jndi.ldap.object.trustSerialData` being set to `false` by
default.
Note that this release also increases the scope of the
`com.sun.jndi.ldap.object.trustSerialData` to cover the reconstruction
of RMI remote objects from the `javaRemoteLocation` LDAP attribute.
The result of this change is that transparent deserialisation of Java
objects will require an explicit opt-in. Applications that wish to
reconstruct Java objects and RMI stubs from LDAP attributes will need
to set the `com.sun.jndi.ldap.object.trustSerialData` to `true`.
core-libs/java.net:
JDK-8328286: Enhance HTTP client
================================
This OpenJDK release limits the maximum header field size accepted by
the HTTP client within the JDK for all supported versions of the HTTP
protocol. The header field size is computed as the sum of the size of
the uncompressed header name, the size of the uncompressed header
value and a overhead of 32 bytes for each field section line. If a
peer sends a field section that exceeds this limit, a
`java.net.ProtocolException` will be raised.
This release also introduces a new system property,
`jdk.http.maxHeaderSize`. This property can be used to alter the
maximum header field size (in bytes) or disable it by setting the
value to zero or a negative value. The default value is 393,216 bytes
or 384kB.
core-libs/java.util.jar:
JDK-8193682: Infinite loop in ZipOutputStream.close()
=====================================================
In previous releases, the `DeflaterOutputStream.close()`,
`GZIPOutputStream.finish()` and `ZipOutputStream.closeEntry()` methods
did not close the associated default JDK compressor when an exception
was thrown during closure. With this release, the default compressor
is closed before propogating the Throwable up the stack. In the case
of `ZipOutputStream`, this only happens when the exception is not a
`ZipException`.
New in release OpenJDK 8u422 (2024-07-16):
===========================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk8u422
* CVEs
- CVE-2024-21131
- CVE-2024-21138
- CVE-2024-21140
- CVE-2024-21144
- CVE-2024-21145
- CVE-2024-21147
* Security fixes
- JDK-8314794: Improve UTF8 String supports
- JDK-8319859: Better symbol storage
- JDK-8320097: Improve Image transformations
- JDK-8320548: Improved loop handling
- JDK-8322106: Enhance Pack 200 loading
- JDK-8323231: Improve array management
- JDK-8323390: Enhance mask blit functionality
- JDK-8324559: Improve 2D image handling
- JDK-8325600: Better symbol storage
* Other changes
- JDK-8025439: [TEST BUG] [macosx] PrintServiceLookup.lookupPrintServices doesn't work properly since jdk8b105
- JDK-8069389: CompilerOracle prefix wildcarding is broken for long strings
- JDK-8159454: [TEST_BUG] javax/swing/ToolTipManager/7123767/bug7123767.java: number of checked graphics configurations should be limited
- JDK-8159690: [TESTBUG] Mark headful tests with @key headful.
- JDK-8198321: javax/swing/JEditorPane/5076514/bug5076514.java fails
- JDK-8203691: [TESTBUG] Test /runtime/containers/cgroup/PlainRead.java fails
- JDK-8205407: [windows, vs<2017] C4800 after 8203197
- JDK-8235834: IBM-943 charset encoder needs updating
- JDK-8239965: XMLEncoder/Test4625418.java fails due to "Error: Cp943 - can't read properly"
- JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
- JDK-8256152: tests fail because of ambiguous method resolution
- JDK-8258855: Two tests sun/security/krb5/auto/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java failed on OL8.3
- JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info.
- JDK-8268916: Tests for AffirmTrust roots
- JDK-8278067: Make HttpURLConnection default keep alive timeout configurable
- JDK-8291226: Create Test Cases to cover scenarios for JDK-8278067
- JDK-8291637: HttpClient default keep alive timeout not followed if server sends invalid value
- JDK-8291638: Keep-Alive timeout of 0 should close connection immediately
- JDK-8293562: KeepAliveCache Blocks Threads while Closing Connections
- JDK-8303466: C2: failed: malformed control flow. Limit type made precise with MaxL/MinL
- JDK-8304074: [JMX] Add an approximation of total bytes allocated on the Java heap by the JVM
- JDK-8313081: MonitoringSupport_lock should be unconditionally initialized after 8304074
- JDK-8315020: The macro definition for LoongArch64 zero build is not accurate.
- JDK-8316138: Add GlobalSign 2 TLS root certificates
- JDK-8318410: jdk/java/lang/instrument/BootClassPath/BootClassPathTest.sh fails on Japanese Windows
- JDK-8320005: Allow loading of shared objects with .a extension on AIX
- JDK-8324185: [8u] Accept Xcode 12+ builds on macOS
- JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/AKISerialNumber.java is failing
- JDK-8325927: [8u] Backport of JDK-8170552 missed part of the test
- JDK-8326686: Bump update version of OpenJDK: 8u422
- JDK-8327440: Fix "bad source file" error during beaninfo generation
- JDK-8328809: [8u] Problem list some CA tests
- JDK-8328825: Google CAInterop test failures
- JDK-8329544: [8u] sun/security/krb5/auto/ReplayCacheTestProc.java cannot find the testlibrary
- JDK-8331791: [8u] AIX build break from JDK-8320005 backport
- JDK-8331980: [8u] Problem list CAInterop.java#certignarootca test
- JDK-8335552: [8u] JDK-8303466 backport to 8u requires 3 ::Identity signature fixes
Notes on individual issues:
===========================
core-libs/java.net:
JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable
===========================================================================
Two system properties have been added which control the keep alive
behavior of HttpURLConnection in the case where the server does not
specify a keep alive time. These are:
* `http.keepAlive.time.server`
* `http.keepAlive.time.proxy`
which control the number of seconds before an idle connection to a
server or proxy will be closed, respectively. If the server or proxy
specifies a keep alive time in a "Keep-Alive" response header, this
will take precedence over the values of these properties.
security-libs/java.security:
JDK-8316138: Add GlobalSign 2 TLS root certificates
===================================================
The following root certificates have been added to the cacerts
truststore:
Name: GlobalSign
Alias Name: globalsignr46
Distinguished Name: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE
Name: GlobalSign
Alias Name: globalsigne46
Distinguished Name: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE
New in release OpenJDK 8u412 (2024-04-16):
===========================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk8u412
* CVEs
- CVE-2024-21011
- CVE-2024-21085
- CVE-2024-21068
- CVE-2024-21094
* Security fixes
- JDK-8317507, JDK-8325348: C2 compilation fails with "Exceeded _node_regs array"
- JDK-8318340: Improve RSA key implementations
- JDK-8319851: Improve exception logging
- JDK-8322114: Improve Pack 200 handling
- JDK-8322122: Enhance generation of addresses
* Other changes
- JDK-8011180: Delete obsolete scripts
- JDK-8016451: Scary messages emitted by build.tools.generatenimbus.PainterGenerator during build
- JDK-8021961: setAlwaysOnTop doesn't behave correctly in Linux/Solaris under certain scenarios
- JDK-8023735: [TESTBUG][macosx] runtime/XCheckJniJsig/XCheckJSig.java fails on MacOS X
- JDK-8074860: Structured Exception Catcher missing around CreateJavaVM on Windows
- JDK-8079441: Intermittent failures on Windows with "Unexpected exit from test [exit code: 1080890248]" (0x406d1388)
- JDK-8155590: Dubious collection management in sun.net.www.http.KeepAliveCache
- JDK-8168518: rcache interop with krb5-1.15
- JDK-8183503: Update hotspot tests to allow for unique test classes directory
- JDK-8186095: upgrade to jtreg 4.2 b08
- JDK-8186199: [windows] JNI_DestroyJavaVM not covered by SEH
- JDK-8192931: Regression test java/awt/font/TextLayout/CombiningPerf.java fails
- JDK-8208655: use JTreg skipped status in hotspot tests
- JDK-8208701: Fix for JDK-8208655 causes test failures in CI tier1
- JDK-8208706: compiler/tiered/ConstantGettersTransitionsTest.java fails to compile
- JDK-8213410: UseCompressedOops requirement check fails fails on 32-bit system
- JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"
- JDK-8224768: Test ActalisCA.java fails
- JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits
- JDK-8251551: Use .md filename extension for README
- JDK-8268678: LetsEncryptCA.java test fails as Lets Encrypt Authority X3 is retired
- JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error
- JDK-8270517: Add Zero support for LoongArch
- JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
- JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
- JDK-8288132: Update test artifacts in QuoVadis CA interop tests
- JDK-8297955: LDAP CertStore should use LdapName and not String for DNs
- JDK-8301310: The SendRawSysexMessage test may cause a JVM crash
- JDK-8308592: Framework for CA interoperability testing
- JDK-8312126: NullPointerException in CertStore.getCRLs after 8297955
- JDK-8315042: NPE in PKCS7.parseOldSignedData
- JDK-8315757: [8u] Add cacerts JTREG tests to GHA tier1 test set
- JDK-8320713: Bump update version of OpenJDK: 8u412
- JDK-8321060: [8u] hotspot needs to recognise VS2022
- JDK-8321408: Add Certainly roots R1 and E1
- JDK-8322725: (tz) Update Timezone Data to 2023d
- JDK-8322750: Test "api/java_awt/interactive/SystemTrayTests.html" failed because A blue ball icon is added outside of the system tray
- JDK-8323202: [8u] Remove get_source.sh and hgforest.sh
- JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed
- JDK-8324184: Windows VS2010 build failed with "error C2275: 'int64_t'"
- JDK-8324530: Build error with gcc 10
- JDK-8325150: (tz) Update Timezone Data to 2024a
Notes on individual issues:
===========================
security-libs/org.ietf.jgss:krb5:
JDK-8168518: rcache interop with krb5-1.15
==========================================
The hash algorithm used in the Kerberos 5 replay cache file (rcache)
has been changed from MD5 to SHA256. This is the same algorithm used
by MIT krb5-1.15 and is interoperable with earlier releases of MIT
krb5.
The MD5 algorithm can still be used by setting the new
jdk.krb5.rcache.useMD5 property to 'true':
java -Djdk.krb5.rcache.useMD5=true ...
This is useful where either the system has a coarse clock and has to
depend on hash values in replay attack detection, or interoperability
with the rcache files in older versions of OpenJDK is required.
client-libs/java.awt:
JDK-8322750: AWT SystemTray API Is Not Supported on Most Linux Desktops
=======================================================================
The java.awt.SystemTray API is used to interact with the system's
desktop taskbar to provide notifications and may include an icon
representing an application. The GNOME desktop's support for taskbar
icons has not worked properly for several years, due to a platform
bug. This bug, in turn, affects the JDK's SystemTray support on GNOME
desktops.
Therefore, in accordance with the SystemTray API specification,
java.awt.SystemTray.isSupported() will now return false on systems
that exhibit this bug, which is assumed to be those running a version
of GNOME Shell below 45.
The impact of this change is likely to be minimal, as users of the
SystemTray API should already be able to handle isSupported()
returning false and the system tray on such platforms has already been
unsupported for a number of years for all applications.
security-libs/java.security:
JDK-8321408: Added Certainly R1 and E1 Root Certificates
========================================================
The following root certificate has been added to the cacerts
truststore:
Name: Certainly
Alias Name: certainlyrootr1
Distinguished Name: CN=Certainly Root R1, O=Certainly, C=US
Name: Certainly
Alias Name: certainlyroote1
Distinguished Name: CN=Certainly Root E1, O=Certainly, C=US
New in release OpenJDK 8u402 (2024-01-16):
===========================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk8u402
* CVEs
- CVE-2024-20918
- CVE-2024-20919
- CVE-2024-20921
- CVE-2024-20926
- CVE-2024-20945
- CVE-2024-20952
* Security fixes
- JDK-8308204: Enhanced certificate processing
- JDK-8314284: Enhance Nashorn performance
- JDK-8314295: Enhance verification of verifier
- JDK-8314307: Improve loop handling
- JDK-8314468: Improve Compiler loops
- JDK-8316976: Improve signature handling
- JDK-8317547: Enhance TLS connection support
* Other changes
- JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion
- JDK-8029995: accept yes/no for boolean krb5.conf settings
- JDK-8159156: [TESTBUG] ReserveMemory test is not useful on Aix.
- JDK-8176509: Use pandoc for converting build readme to html
- JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value
- JDK-8207404: MulticastSocket tests failing on AIX
- JDK-8212677: X11 default visual support for IM status window on VNC
- JDK-8239365: ProcessBuilder test modifications for AIX execution
- JDK-8271838: AmazonCA.java interop test fails
- JDK-8285398: Cache the results of constraint checks
- JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null
- JDK-8302017: Allocate BadPaddingException only if it will be thrown
- JDK-8305329: [8u] Unify test libraries into single test library - step 1
- JDK-8307837: [8u] Check step in GHA should also print errors
- JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails
- JDK-8311813: C1: Uninitialized PhiResolver::_loop field
- JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
- JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException
- JDK-8315280: Bump update version of OpenJDK: 8u402
- JDK-8315506: C99 compatibility issue in LinuxNativeDispatcher
- JDK-8317291: Missing null check for nmethod::is_native_method()
- JDK-8317373: Add Telia Root CA v2
- JDK-8317374: Add Let's Encrypt ISRG Root X2
- JDK-8318759: Add four DigiCert root certificates
- JDK-8319187: Add three eMudhra emSign roots
- JDK-8319405: [s390] [jdk8] Increase javac default stack size for s390x zero
- JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly
Notes on individual issues:
===========================
security-libs/org.ietf.jgss:krb5:
JDK-8029995: accept yes/no for boolean krb5.conf settings
=========================================================
The krb5.conf configuration file now also accepts "yes" and "no", as
alternatives to the existing "true" and "false" support, when using
settings that take boolean values.
security-libs/java.security:
JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
===============================================================================================================================
A maximum signature file size property, jdk.jar.maxSignatureFileSize,
was introduced in the 8u382 release of OpenJDK by JDK-8300596, with a
default of 8MB. This default proved to be too small for some JAR
files. This release, 8u402, increases it to 16MB.
JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt
=================================================================
The following root certificate has been added to the cacerts
truststore:
Name: Let's Encrypt
Alias Name: letsencryptisrgx2
Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US
JDK-8318759: Added Four Root Certificates from DigiCert, Inc.
=============================================================
The following root certificates have been added to the cacerts
truststore:
Name: DigiCert, Inc.
Alias Name: digicertcseccrootg5
Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US
Name: DigiCert, Inc.
Alias Name: digicertcsrsarootg5
Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
Name: DigiCert, Inc.
Alias Name: digicerttlseccrootg5
Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
Name: DigiCert, Inc.
Alias Name: digicerttlsrsarootg5
Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited
============================================================================
The following root certificates have been added to the cacerts
truststore:
Name: eMudhra Technologies Limited
Alias Name: emsignrootcag1
Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
Name: eMudhra Technologies Limited
Alias Name: emsigneccrootcag3
Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
Name: eMudhra Technologies Limited
Alias Name: emsignrootcag2
Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
JDK-8317373: Added Telia Root CA v2 Certificate
===============================================
The following root certificate has been added to the cacerts
truststore:
Name: Telia Root CA v2
Alias Name: teliarootcav2
Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ```
New in release OpenJDK 8u392 (2023-10-17):
===========================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk8u392
* CVEs
- CVE-2023-22067
- CVE-2023-22081
* Security fixes
- JDK-8286503, JDK-8312367: Enhance security classes
- JDK-8297856: Improve handling of Bidi characters
- JDK-8303384: Improved communication in CORBA
- JDK-8305815, JDK-8307278: Update Libpng to 1.6.39
- JDK-8309966: Enhanced TLS connections
* Other changes
- JDK-6722928: Provide a default native GSS-API library on Windows
- JDK-8040887: [TESTBUG] Remove test/runtime/6925573/SortMethodsTest.java
- JDK-8042726: [TESTBUG] TEST.groups file was not updated after runtime/6925573/SortMethodsTest.java removal
- JDK-8139348: Deprecate 3DES and RC4 in Kerberos
- JDK-8173072: zipfs fails to handle incorrect info-zip "extended timestamp extra field"
- JDK-8200468: Port the native GSS-API bridge to Windows
- JDK-8202952: C2: Unexpected dead nodes after matching
- JDK-8205399: Set node color on pinned HashMap.TreeNode deletion
- JDK-8209115: adjust libsplashscreen linux ppc64le builds for easier libpng update
- JDK-8214046: [macosx] Undecorated Frame does not Iconify when set to
- JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException
- JDK-8225687: Newly added sspi.cpp in JDK-6722928 still contains some small errors
- JDK-8232225: Rework the fix for JDK-8071483
- JDK-8242330: Arrays should be cloned in several JAAS Callback classes
- JDK-8253269: The CheckCommonColors test should provide more info on failure
- JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
- JDK-8284910: Buffer clean in PasswordCallback
- JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
- JDK-8287663: Add a regression test for JDK-8287073
- JDK-8295685: Update Libpng to 1.6.38
- JDK-8295894: Remove SECOM certificate that is expiring in September 2023
- JDK-8308788: [8u] Remove duplicate HaricaCA.java test
- JDK-8309122: Bump update version of OpenJDK: 8u392
- JDK-8309143: [8u] fix archiving inconsistencies in GHA
- JDK-8310026: [8u] make java_lang_String::hash_code consistent across platforms
- JDK-8314960: Add Certigna Root CA - 2
- JDK-8315135: Memory leak in the native implementation of Pack200.Unpacker.unpack()
- JDK-8317040: Exclude cleaner test failing on older releases
Notes on individual issues:
===========================
other-libs/corba:idl:
JDK-8303384: Improved communication in CORBA
============================================
The JDK's CORBA implementation now provides the option to limit
serialisation in stub objects to those with the "IOR:" prefix. For
ORB constrained stub classes:
* _DynArrayStub
* _DynEnumStub
* _DynFixedStub
* _DynSequenceStub
* _DynStructStub
* _DynUnionStub
* _DynValueStub
* _DynAnyStub
* _DynAnyFactoryStub
this is enabled by default and may be disabled by setting the system
property org.omg.DynamicAny.disableIORCheck to 'true'.
For remote service stub classes:
* _NamingContextStub
* _BindingIteratorStub
* _NamingContextExtStub
* _ServantActivatorStub
* _ServantLocatorStub
* _ServerManagerStub
* _ActivatorStub
* _RepositoryStub
* _InitialNameServiceStub
* _LocatorStub
* _ServerStub
it is disabled by default and may be enabled by setting the system
property org.omg.CORBA.IDL.Stubs.enableIORCheck to 'true'.
security-libs/org.ietf.jgss:
JDK-6722928: Added a Default Native GSS-API Library on Windows
==============================================================
A native GSS-API library named `sspi_bridge.dll` has been added to the
JDK on the Windows platform. As with native GSS-API library provision
on other operating systems, it will only be loaded when the
`sun.security.jgss.native` system property is set to "true". A user
can still load a third-party native GSS-API library instead by setting
the `sun.security.jgss.lib` system property to the appropriate path.
The library is client-side only and uses the default credentials.
Native GSS support automatically uses cached credentials from the
underlying operating system, so the
`javax.security.auth.useSubjectCredsOnly` system property should be
set to false.
The `com.sun.security.auth.module.Krb5LoginModule` does not call
native JGSS and so its use in your JAAS config should be avoided.
security-libs/org.ietf.jgss:krb5:
JDK-8139348: Deprecate 3DES and RC4 in Kerberos
===============================================
The `des3-hmac-sha1` and `rc4-hmac` Kerberos encryption types (etypes)
are now deprecated and disabled by default. To re-enable them, you
can either enable all weak crypto (which also includes `des-cbc-crc`
and `des-cbc-md5`) by setting `allow_weak_crypto = true` in the
`krb5.conf` configuration file or explicitly list all the preferred
encryption types using the `default_tkt_enctypes`,
`default_tgs_enctypes`, or `permitted_enctypes` settings.
security-libs/java.security:
JDK-8295894: Removed SECOM Trust System's RootCA1 Root Certificate
==================================================================
The following root certificate from SECOM Trust System has been
removed from the `cacerts` keystore:
Alias Name: secomscrootca1 [jdk]
Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
JDK-8314960: Added Certigna Root CA Certificate
===============================================
The following root certificate has been added to the cacerts
truststore:
Name: Certigna (Dhimyotis)
Alias Name: certignarootca
Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR
security-libs/javax.security:
JDK-8242330: Arrays should be cloned in several JAAS Callback classes
=====================================================================
In the JAAS classes, ChoiceCallback and ConfirmationCallback, arrays
were not cloned when passed into a constructor or returned. This
allowed an external program to get access to the internal fields of
these classes. The classes have been updated to return cloned arrays.
New in release OpenJDK 8u382 (2023-07-18):
===========================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk8u382
* CVEs
- CVE-2023-22045
- CVE-2023-22049
* Security fixes
- JDK-8298676: Enhanced Look and Feel
- JDK-8300596: Enhance Jar Signature validation
- JDK-8304468: Better array usages
- JDK-8305312: Enhanced path handling
* Other changes
- JDK-8072678: Wrong exception messages in java.awt.color.ICC_ColorSpace
- JDK-8151460: Metaspace counters can have inconsistent values
- JDK-8152432: Implement setting jtreg @requires properties vm.flavor, vm.bits, vm.compMode
- JDK-8185736: missing default exception handler in calls to rethrow_Stub
- JDK-8186801: Add regression test to test mapping based charsets (generated at build time)
- JDK-8215105: java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color
- JDK-8241311: Move some charset mapping tests from closed to open
- JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
- JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
- JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
- JDK-8276841: Add support for Visual Studio 2022
- JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode
- JDK-8278851: Correct signer logic for jars signed with multiple digest algorithms
- JDK-8282345: handle latest VS2022 in abstract_vm_version
- JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
- JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
- JDK-8289301: P11Cipher should not throw out of bounds exception during padding
- JDK-8293232: Fix race condition in pkcs11 SessionManager
- JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
- JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13
- JDK-8298108: Add a regression test for JDK-8297684
- JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows
- JDK-8301119: Support for GB18030-2022
- JDK-8301400: Allow additional characters for GB18030-2022 support
- JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message
- JDK-8303028: Update system property for Java SE specification maintenance version
- JDK-8303462: Bump update version of OpenJDK: 8u382
- JDK-8304760: Add 2 Microsoft TLS roots
- JDK-8305165: [8u] ServiceThread::nmethods_do is not called to keep nmethods from being zombied while in the queue
- JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support
- JDK-8305975: Add TWCA Global Root CA
- JDK-8307134: Add GTS root CAs
- JDK-8307310: Backport the tests for JDK-8058969 and JDK-8039271 to the OpenJDK8
- JDK-8307531: [aarch64] JDK8 single-step debugging is extremely slow
- JDK-8310947: gb18030-2000 not selectable with LANG=zh_CN.GB18030 after JDK-8301119
Notes on individual issues:
===========================
core-libs/java.lang:
JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support
===========================================================================
In order to support "Implementation Level 2" of the GB18030-2022
standard, the JDK must be able to use characters from the CJK Unified
Ideographs Extension E block of Unicode 8.0. The addition of these
characters forms Maintenance Release 5 of the Java SE 8 specification,
which is implemented in this release of OpenJDK via the addition of a
new UnicodeBlock instance,
Character.CJK_UNIFIED_IDEOGRAPHS_EXTENSION_E.
core-libs/java.util.jar:
8300596: Enhance Jar Signature validation
=========================================
A System property "jdk.jar.maxSignatureFileSize" is introduced to
configure the maximum number of bytes allowed for the
signature-related files in a JAR file during verification. The default
value is 8000000 bytes (8 MB).
security-libs/java.security:
JDK-8307134: Added 4 GTS Root CA Certificates
=============================================
The following root certificates have been added to the cacerts
truststore:
Name: Google Trust Services LLC
Alias Name: gtsrootcar1
Distinguished Name: CN=GTS Root R1, O=Google Trust Services LLC, C=US
Name: Google Trust Services LLC
Alias Name: gtsrootcar2
Distinguished Name: CN=GTS Root R2, O=Google Trust Services LLC, C=US
Name: Google Trust Services LLC
Alias Name: gtsrootcar3
Distinguished Name: CN=GTS Root R3, O=Google Trust Services LLC, C=US
Name: Google Trust Services LLC
Alias Name: gtsrootcar4
Distinguished Name: CN=GTS Root R4, O=Google Trust Services LLC, C=US
JDK-8304760: Added Microsoft Corporation's 2 TLS Root CA Certificates
=====================================================================
The following root certificates has been added to the cacerts
truststore:
Name: Microsoft Corporation
Alias Name: microsoftecc2017
Distinguished Name: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US
Name: Microsoft Corporation
Alias Name: microsoftrsa2017
Distinguished Name: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US
JDK-8305975: Added TWCA Root CA Certificate
===========================================
The following root certificate has been added to the cacerts
truststore:
Name: TWCA
Alias Name: twcaglobalrootca
Distinguished Name: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
New in release OpenJDK 8u372 (2023-04-18):
===========================================
Live versions of these release notes can be found at:
@ -1380,6 +497,19 @@ the current count of established connections and, if the configured
limit has been reached, then the newly accepted connection will be
closed immediately.
core-libs/java.net:
JDK-8286918: Better HttpServer service
======================================
The HttpServer can be optionally configured with a maximum connection
limit by setting the jdk.httpserver.maxConnections system property. A
value of 0 or a negative integer is ignored and considered to
represent no connection limit. In the case of a positive integer
value, any newly accepted connections will be first checked against
the current count of established connections and, if the configured
limit has been reached, then the newly accepted connection will be
closed immediately.
security-libs/javax.net.ssl:
JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
@ -1577,7 +707,7 @@ device paths such as `NUL:` are *not* used.
New in release OpenJDK 8u332 (2022-04-22):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk8u332
* https://bit.ly/openjdk8u332
* https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u332.txt
* Security fixes

2582
SOURCES/java-1.8.0-openjdk-portable.specfile
View File

File diff suppressed because it is too large Load Diff

131
SOURCES/java-1.8.0-openjdk-remove-intree-libraries.sh Normal file
View File

@ -0,0 +1,131 @@
#!/bin/sh
ZIP_SRC=openjdk/jdk/src/share/native/java/util/zip/zlib
JPEG_SRC=openjdk/jdk/src/share/native/sun/awt/image/jpeg
GIF_SRC=openjdk/jdk/src/share/native/sun/awt/giflib
PNG_SRC=openjdk/jdk/src/share/native/sun/awt/libpng
LCMS_SRC=openjdk/jdk/src/share/native/sun/java2d/cmm/lcms
echo "Removing built-in libs (they will be linked)"
echo "Removing zlib"
if [ ! -d ${ZIP_SRC} ]; then
echo "${ZIP_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${ZIP_SRC}
echo "Removing libjpeg"
if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that sound definitely exist
echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
exit 1
fi
rm -vf ${JPEG_SRC}/jcomapi.c
rm -vf ${JPEG_SRC}/jdapimin.c
rm -vf ${JPEG_SRC}/jdapistd.c
rm -vf ${JPEG_SRC}/jdcoefct.c
rm -vf ${JPEG_SRC}/jdcolor.c
rm -vf ${JPEG_SRC}/jdct.h
rm -vf ${JPEG_SRC}/jddctmgr.c
rm -vf ${JPEG_SRC}/jdhuff.c
rm -vf ${JPEG_SRC}/jdhuff.h
rm -vf ${JPEG_SRC}/jdinput.c
rm -vf ${JPEG_SRC}/jdmainct.c
rm -vf ${JPEG_SRC}/jdmarker.c
rm -vf ${JPEG_SRC}/jdmaster.c
rm -vf ${JPEG_SRC}/jdmerge.c
rm -vf ${JPEG_SRC}/jdphuff.c
rm -vf ${JPEG_SRC}/jdpostct.c
rm -vf ${JPEG_SRC}/jdsample.c
rm -vf ${JPEG_SRC}/jerror.c
rm -vf ${JPEG_SRC}/jerror.h
rm -vf ${JPEG_SRC}/jidctflt.c
rm -vf ${JPEG_SRC}/jidctfst.c
rm -vf ${JPEG_SRC}/jidctint.c
rm -vf ${JPEG_SRC}/jidctred.c
rm -vf ${JPEG_SRC}/jinclude.h
rm -vf ${JPEG_SRC}/jmemmgr.c
rm -vf ${JPEG_SRC}/jmemsys.h
rm -vf ${JPEG_SRC}/jmemnobs.c
rm -vf ${JPEG_SRC}/jmorecfg.h
rm -vf ${JPEG_SRC}/jpegint.h
rm -vf ${JPEG_SRC}/jpeglib.h
rm -vf ${JPEG_SRC}/jquant1.c
rm -vf ${JPEG_SRC}/jquant2.c
rm -vf ${JPEG_SRC}/jutils.c
rm -vf ${JPEG_SRC}/jcapimin.c
rm -vf ${JPEG_SRC}/jcapistd.c
rm -vf ${JPEG_SRC}/jccoefct.c
rm -vf ${JPEG_SRC}/jccolor.c
rm -vf ${JPEG_SRC}/jcdctmgr.c
rm -vf ${JPEG_SRC}/jchuff.c
rm -vf ${JPEG_SRC}/jchuff.h
rm -vf ${JPEG_SRC}/jcinit.c
rm -vf ${JPEG_SRC}/jconfig.h
rm -vf ${JPEG_SRC}/jcmainct.c
rm -vf ${JPEG_SRC}/jcmarker.c
rm -vf ${JPEG_SRC}/jcmaster.c
rm -vf ${JPEG_SRC}/jcparam.c
rm -vf ${JPEG_SRC}/jcphuff.c
rm -vf ${JPEG_SRC}/jcprepct.c
rm -vf ${JPEG_SRC}/jcsample.c
rm -vf ${JPEG_SRC}/jctrans.c
rm -vf ${JPEG_SRC}/jdtrans.c
rm -vf ${JPEG_SRC}/jfdctflt.c
rm -vf ${JPEG_SRC}/jfdctfst.c
rm -vf ${JPEG_SRC}/jfdctint.c
rm -vf ${JPEG_SRC}/jversion.h
rm -vf ${JPEG_SRC}/README
echo "Removing giflib"
if [ ! -d ${GIF_SRC} ]; then
echo "${GIF_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${GIF_SRC}
echo "Removing libpng"
if [ ! -d ${PNG_SRC} ]; then
echo "${PNG_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${PNG_SRC}
echo "Removing lcms"
if [ ! -d ${LCMS_SRC} ]; then
echo "${LCMS_SRC} does not exist. Refusing to proceed."
exit 1
fi
# temporary change to move bundled LCMS
if [ ! true ]; then
rm -vf ${LCMS_SRC}/cmsalpha.c
rm -vf ${LCMS_SRC}/cmscam02.c
rm -vf ${LCMS_SRC}/cmscgats.c
rm -vf ${LCMS_SRC}/cmscnvrt.c
rm -vf ${LCMS_SRC}/cmserr.c
rm -vf ${LCMS_SRC}/cmsgamma.c
rm -vf ${LCMS_SRC}/cmsgmt.c
rm -vf ${LCMS_SRC}/cmshalf.c
rm -vf ${LCMS_SRC}/cmsintrp.c
rm -vf ${LCMS_SRC}/cmsio0.c
rm -vf ${LCMS_SRC}/cmsio1.c
rm -vf ${LCMS_SRC}/cmslut.c
rm -vf ${LCMS_SRC}/cmsmd5.c
rm -vf ${LCMS_SRC}/cmsmtrx.c
rm -vf ${LCMS_SRC}/cmsnamed.c
rm -vf ${LCMS_SRC}/cmsopt.c
rm -vf ${LCMS_SRC}/cmspack.c
rm -vf ${LCMS_SRC}/cmspcs.c
rm -vf ${LCMS_SRC}/cmsplugin.c
rm -vf ${LCMS_SRC}/cmsps2.c
rm -vf ${LCMS_SRC}/cmssamp.c
rm -vf ${LCMS_SRC}/cmssm.c
rm -vf ${LCMS_SRC}/cmstypes.c
rm -vf ${LCMS_SRC}/cmsvirt.c
rm -vf ${LCMS_SRC}/cmswtpnt.c
rm -vf ${LCMS_SRC}/cmsxform.c
rm -vf ${LCMS_SRC}/lcms2.h
rm -vf ${LCMS_SRC}/lcms2_internal.h
rm -vf ${LCMS_SRC}/lcms2_plugin.h
fi

54
SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch
View File

@ -7,11 +7,10 @@
PR3533: HotSpot generates code with unaligned stack, crashes on SSE operations
Summary: Enable -mstackrealign on x86 Linux as well as x86 Mac OS X
diff --git a/common/autoconf/flags.m4 b/common/autoconf/flags.m4
index 113bf367e2..bed030e8d1 100644
--- a/common/autoconf/flags.m4
+++ b/common/autoconf/flags.m4
@@ -451,6 +451,21 @@ AC_DEFUN_ONCE([FLAGS_SETUP_COMPILER_FLAGS_FOR_JDK],
diff --git openjdk.orig///common/autoconf/flags.m4 openjdk///common/autoconf/flags.m4
--- openjdk.orig///common/autoconf/flags.m4
+++ openjdk///common/autoconf/flags.m4
@@ -402,6 +402,21 @@
AC_SUBST($2CXXSTD_CXXFLAG)
fi
@ -23,7 +22,7 @@ index 113bf367e2..bed030e8d1 100644
+ # On 32-bit MacOSX the OS requires C-entry points to be 16 byte aligned.
+ # While waiting for a better solution, the current workaround is to use -mstackrealign
+ # This is also required on Linux systems which use libraries compiled with SSE instructions
+ REALIGN_CFLAG="-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4"
+ REALIGN_CFLAG="-mstackrealign"
+ FLAGS_COMPILER_CHECK_ARGUMENTS([$REALIGN_CFLAG -Werror], [],
+ AC_MSG_ERROR([The selected compiler $CXX does not support -mstackrealign! Try to put another compiler in the path.])
+ )
@ -33,32 +32,23 @@ index 113bf367e2..bed030e8d1 100644
if test "x$CFLAGS" != "x${ADDED_CFLAGS}"; then
AC_MSG_WARN([Ignoring CFLAGS($CFLAGS) found in environment. Use --with-extra-cflags])
fi
diff --git a/common/autoconf/hotspot-spec.gmk.in b/common/autoconf/hotspot-spec.gmk.in
index 3f86751d2b..f8a271383f 100644
--- a/common/autoconf/hotspot-spec.gmk.in
+++ b/common/autoconf/hotspot-spec.gmk.in
@@ -114,13 +114,14 @@ RC:=@HOTSPOT_RC@
# Retain EXTRA_{CFLAGS,CXXFLAGS,LDFLAGS,ASFLAGS} for the target flags to
# maintain compatibility with the existing Makefiles
EXTRA_CFLAGS=@LEGACY_TARGET_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
- $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
+ $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG) \
+ $(REALIGN_CFLAG)
EXTRA_CXXFLAGS=@LEGACY_TARGET_CXXFLAGS@
EXTRA_LDFLAGS=@LEGACY_TARGET_LDFLAGS@
EXTRA_ASFLAGS=@LEGACY_TARGET_ASFLAGS@
# Define an equivalent set for the host flags (i.e. without sysroot options)
HOST_CFLAGS=@LEGACY_HOST_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
- $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
+ $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
HOST_CXXFLAGS=@LEGACY_HOST_CXXFLAGS@
HOST_LDFLAGS=@LEGACY_HOST_LDFLAGS@
HOST_ASFLAGS=@LEGACY_HOST_ASFLAGS@
diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
index 9573bb2cbd..fe7efc130c 100644
--- a/common/autoconf/spec.gmk.in
+++ b/common/autoconf/spec.gmk.in
@@ -366,6 +366,7 @@ CXXFLAGS_JDKEXE:=@CXXFLAGS_JDKEXE@
diff --git openjdk.orig///common/autoconf/hotspot-spec.gmk.in openjdk///common/autoconf/hotspot-spec.gmk.in
--- openjdk.orig///common/autoconf/hotspot-spec.gmk.in
+++ openjdk///common/autoconf/hotspot-spec.gmk.in
@@ -112,7 +112,8 @@
RC:=@HOTSPOT_RC@
EXTRA_CFLAGS=@LEGACY_EXTRA_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
- $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
+ $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG) \
+ $(REALIGN_CFLAG)
EXTRA_CXXFLAGS=@LEGACY_EXTRA_CXXFLAGS@
EXTRA_LDFLAGS=@LEGACY_EXTRA_LDFLAGS@
EXTRA_ASFLAGS=@LEGACY_EXTRA_ASFLAGS@
diff --git openjdk.orig///common/autoconf/spec.gmk.in openjdk///common/autoconf/spec.gmk.in
--- openjdk.orig///common/autoconf/spec.gmk.in
+++ openjdk///common/autoconf/spec.gmk.in
@@ -366,6 +366,7 @@
NO_DELETE_NULL_POINTER_CHECKS_CFLAG=@NO_DELETE_NULL_POINTER_CHECKS_CFLAG@
NO_LIFETIME_DSE_CFLAG=@NO_LIFETIME_DSE_CFLAG@

12
SOURCES/jdk8218811-perfMemory_linux.patch Normal file
View File

@ -0,0 +1,12 @@
diff --git openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
--- openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp
+++ openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
@@ -878,7 +878,7 @@
// open the file
int result;
- RESTARTABLE(::open(filename, oflags), result);
+ RESTARTABLE(::open(filename, oflags, 0), result);
if (result == OS_ERR) {
if (errno == ENOENT) {
THROW_MSG_(vmSymbols::java_lang_IllegalArgumentException(),

167
SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch Normal file
View File

@ -0,0 +1,167 @@
commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99
Author: Alexey Bakhtin <abakhtin@openjdk.org>
Date: Tue Apr 4 10:29:11 2023 +0000
8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
Reviewed-by: andrew, mbalao
Backport-of: f6232982b91cb2314e96ddbde3984836a810a556
diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
index a79e97d7c74..5378446b97b 100644
--- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi {
@Override
protected void engineInitVerify(PublicKey publicKey)
throws InvalidKeyException {
- if (!(publicKey instanceof RSAPublicKey)) {
+ if (publicKey instanceof RSAPublicKey) {
+ RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey;
+ isPublicKeyValid(rsaPubKey);
+ this.pubKey = rsaPubKey;
+ this.privKey = null;
+ resetDigest();
+ } else {
throw new InvalidKeyException("key must be RSAPublicKey");
}
- this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey);
- this.privKey = null;
- resetDigest();
}
// initialize for signing. See JCA doc
@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi {
@Override
protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
throws InvalidKeyException {
- if (!(privateKey instanceof RSAPrivateKey)) {
+ if (privateKey instanceof RSAPrivateKey) {
+ RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey;
+ isPrivateKeyValid(rsaPrivateKey);
+ this.privKey = rsaPrivateKey;
+ this.pubKey = null;
+ this.random =
+ (random == null ? JCAUtil.getSecureRandom() : random);
+ resetDigest();
+ } else {
throw new InvalidKeyException("key must be RSAPrivateKey");
}
- this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey);
- this.pubKey = null;
- this.random =
- (random == null? JCAUtil.getSecureRandom() : random);
- resetDigest();
}
/**
@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi {
}
}
+ /**
+ * Validate the specified RSAPrivateKey
+ */
+ private void isPrivateKeyValid(RSAPrivateKey prKey) throws InvalidKeyException {
+ try {
+ if (prKey instanceof RSAPrivateCrtKey) {
+ RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey;
+ if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) {
+ RSAKeyFactory.checkRSAProviderKeyLengths(
+ crtKey.getModulus().bitLength(),
+ crtKey.getPublicExponent());
+ } else {
+ throw new InvalidKeyException(
+ "Some of the CRT-specific components are not available");
+ }
+ } else {
+ RSAKeyFactory.checkRSAProviderKeyLengths(
+ prKey.getModulus().bitLength(),
+ null);
+ }
+ } catch (InvalidKeyException ikEx) {
+ throw ikEx;
+ } catch (Exception e) {
+ throw new InvalidKeyException(
+ "Can not access private key components", e);
+ }
+ isValid(prKey);
+ }
+
+ /**
+ * Validate the specified RSAPublicKey
+ */
+ private void isPublicKeyValid(RSAPublicKey pKey) throws InvalidKeyException {
+ try {
+ RSAKeyFactory.checkRSAProviderKeyLengths(
+ pKey.getModulus().bitLength(),
+ pKey.getPublicExponent());
+ } catch (InvalidKeyException ikEx) {
+ throw ikEx;
+ } catch (Exception e) {
+ throw new InvalidKeyException(
+ "Can not access public key components", e);
+ }
+ isValid(pKey);
+ }
+
/**
* Validate the specified RSAKey and its associated parameters against
* internal signature parameters.
*/
- private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException {
+ private void isValid(RSAKey rsaKey) throws InvalidKeyException {
try {
AlgorithmParameterSpec keyParams = rsaKey.getParams();
// validate key parameters
@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi {
}
checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength());
}
- return rsaKey;
} catch (SignatureException e) {
throw new InvalidKeyException(e);
}
diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
index 6b219937981..b3c1fae9672 100644
--- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl
RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded);
// check all CRT-specific components are available, if any one
// missing, return a non-CRT key instead
- if ((key.getPublicExponent().signum() == 0) ||
- (key.getPrimeExponentP().signum() == 0) ||
- (key.getPrimeExponentQ().signum() == 0) ||
- (key.getPrimeP().signum() == 0) ||
- (key.getPrimeQ().signum() == 0) ||
- (key.getCrtCoefficient().signum() == 0)) {
+ if (checkComponents(key)) {
+ return key;
+ } else {
return new RSAPrivateKeyImpl(
key.algid,
key.getModulus(),
- key.getPrivateExponent()
- );
- } else {
- return key;
+ key.getPrivateExponent());
}
}
+ /**
+ * Validate if all CRT-specific components are available.
+ */
+ static boolean checkComponents(RSAPrivateCrtKey key) {
+ return !((key.getPublicExponent().signum() == 0) ||
+ (key.getPrimeExponentP().signum() == 0) ||
+ (key.getPrimeExponentQ().signum() == 0) ||
+ (key.getPrimeP().signum() == 0) ||
+ (key.getPrimeQ().signum() == 0) ||
+ (key.getCrtCoefficient().signum() == 0));
+ }
+
/**
* Generate a new key from the specified type and components.
* Returns a CRT key if possible and a non-CRT key otherwise.

67
SOURCES/jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch Normal file
View File

@ -0,0 +1,67 @@
# HG changeset patch
# User Andrew John Hughes <gnu_andrew@member.fsf.org>
# Date 1620365804 -3600
# Fri May 07 06:36:44 2021 +0100
# Node ID 39b62f35eca823b4c9a98bc1dc0cb9acb87360f8
# Parent 723b59ed1afe878c5cd35f080399c8ceec4f776b
PR3836: Extra compiler flags not passed to adlc build
diff --git openjdk.orig/hotspot/make/aix/makefiles/adlc.make openjdk/hotspot/make/aix/makefiles/adlc.make
--- openjdk.orig/hotspot/make/aix/makefiles/adlc.make
+++ openjdk/hotspot/make/aix/makefiles/adlc.make
@@ -69,6 +69,11 @@
CFLAGS_WARN = -w
CFLAGS += $(CFLAGS_WARN)
+# Extra flags from gnumake's invocation or environment
+CFLAGS += $(EXTRA_CFLAGS)
+LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
+ASFLAGS += $(EXTRA_ASFLAGS)
+
OBJECTNAMES = \
adlparse.o \
archDesc.o \
diff --git openjdk.orig/hotspot/make/bsd/makefiles/adlc.make openjdk/hotspot/make/bsd/makefiles/adlc.make
--- openjdk.orig/hotspot/make/bsd/makefiles/adlc.make
+++ openjdk/hotspot/make/bsd/makefiles/adlc.make
@@ -71,6 +71,11 @@
endif
CFLAGS += $(CFLAGS_WARN)
+# Extra flags from gnumake's invocation or environment
+CFLAGS += $(EXTRA_CFLAGS)
+LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
+ASFLAGS += $(EXTRA_ASFLAGS)
+
OBJECTNAMES = \
adlparse.o \
archDesc.o \
diff --git openjdk.orig/hotspot/make/linux/makefiles/adlc.make openjdk/hotspot/make/linux/makefiles/adlc.make
--- openjdk.orig/hotspot/make/linux/makefiles/adlc.make
+++ openjdk/hotspot/make/linux/makefiles/adlc.make
@@ -69,6 +69,11 @@
CFLAGS_WARN = $(WARNINGS_ARE_ERRORS)
CFLAGS += $(CFLAGS_WARN)
+# Extra flags from gnumake's invocation or environment
+CFLAGS += $(EXTRA_CFLAGS)
+LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
+ASFLAGS += $(EXTRA_ASFLAGS)
+
OBJECTNAMES = \
adlparse.o \
archDesc.o \
diff --git openjdk.orig/hotspot/make/solaris/makefiles/adlc.make openjdk/hotspot/make/solaris/makefiles/adlc.make
--- openjdk.orig/hotspot/make/solaris/makefiles/adlc.make
+++ openjdk/hotspot/make/solaris/makefiles/adlc.make
@@ -85,6 +85,10 @@
endif
CFLAGS += $(CFLAGS_WARN)
+# Extra flags from gnumake's invocation or environment
+CFLAGS += $(EXTRA_CFLAGS)
+ASFLAGS += $(EXTRA_ASFLAGS)
+
ifeq ("${Platform_compiler}", "sparcWorks")
# Enable the following CFLAGS addition if you need to compare the
# built ELF objects.

2596
SOURCES/jdk8328999-update_giflib_5.2.2.patch
View File

File diff suppressed because it is too large Load Diff

107
SOURCES/pr2462-resolve_disabled_warnings_for_libunpack_and_the_unpack200_binary.patch
View File

@ -7,11 +7,10 @@
8074839: Resolve disabled warnings for libunpack and the unpack200 binary
Reviewed-by: dholmes, ksrini
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
index bdaf95a2f6a..60c5b4f2a69 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
@@ -63,7 +63,7 @@ struct bytes {
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
@@ -63,7 +63,7 @@
bytes res;
res.ptr = ptr + beg;
res.len = end - beg;
@ -20,11 +19,10 @@ index bdaf95a2f6a..60c5b4f2a69 100644
return res;
}
// building C strings inside byte buffers:
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
index 5fbc7261fb3..4c002e779d8 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
@@ -292,7 +292,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_getUnusedInput(JNIEnv *env, jobject
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
@@ -292,7 +292,7 @@
if (uPtr->aborting()) {
THROW_IOE(uPtr->get_abort_message());
@ -33,16 +31,16 @@ index 5fbc7261fb3..4c002e779d8 100644
}
// We have fetched all the files.
@@ -312,7 +312,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
// There's no need to create a new unpacker here if we don't already have one
// just to immediatly free it afterwards.
unpacker* uPtr = get_unpacker(env, pObj, /* noCreate= */ true);
@@ -310,7 +310,7 @@
JNIEXPORT jlong JNICALL
Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
unpacker* uPtr = get_unpacker(env, pObj, false);
- CHECK_EXCEPTION_RETURN_VALUE(uPtr, NULL);
+ CHECK_EXCEPTION_RETURN_VALUE(uPtr, 0);
size_t consumed = uPtr->input_consumed();
// free_unpacker() will set the unpacker field on 'pObj' to null
free_unpacker(env, pObj, uPtr);
@@ -323,6 +323,7 @@ JNIEXPORT jboolean JNICALL
return consumed;
@@ -320,6 +320,7 @@
Java_com_sun_java_util_jar_pack_NativeUnpack_setOption(JNIEnv *env, jobject pObj,
jstring pProp, jstring pValue) {
unpacker* uPtr = get_unpacker(env, pObj);
@ -50,11 +48,10 @@ index 5fbc7261fb3..4c002e779d8 100644
const char* prop = env->GetStringUTFChars(pProp, JNI_FALSE);
CHECK_EXCEPTION_RETURN_VALUE(prop, false);
const char* value = env->GetStringUTFChars(pValue, JNI_FALSE);
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
index 6fbc43a18ae..722c8baaff0 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
@@ -142,31 +142,28 @@ static const char* nbasename(const char* progname) {
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
@@ -142,31 +142,28 @@
return progname;
}
@ -104,11 +101,10 @@ index 6fbc43a18ae..722c8baaff0 100644
}
}
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
index a585535c513..8df3fade499 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
@@ -225,9 +225,9 @@ struct entry {
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
@@ -222,9 +222,9 @@
}
#ifdef PRODUCT
@ -120,7 +116,7 @@ index a585535c513..8df3fade499 100644
#endif
};
@@ -719,13 +719,13 @@ void unpacker::read_file_header() {
@@ -715,13 +715,13 @@
// Now we can size the whole archive.
// Read everything else into a mega-buffer.
rp = hdr.rp;
@ -138,7 +134,7 @@ index a585535c513..8df3fade499 100644
abort("EOF reading fixed input buffer");
return;
}
@@ -739,7 +739,7 @@ void unpacker::read_file_header() {
@@ -735,7 +735,7 @@
return;
}
input.set(U_NEW(byte, add_size(header_size_0, archive_size, C_SLOP)),
@ -147,7 +143,7 @@ index a585535c513..8df3fade499 100644
CHECK;
assert(input.limit()[0] == 0);
// Move all the bytes we read initially into the real buffer.
@@ -962,13 +962,13 @@ void cpool::init(unpacker* u_, int counts[CONSTANT_Limit]) {
@@ -958,13 +958,13 @@
nentries = next_entry;
// place a limit on future CP growth:
@ -163,7 +159,18 @@ index a585535c513..8df3fade499 100644
// Note that this CP does not include "empty" entries
// for longs and doubles. Those are introduced when
@@ -3694,21 +3694,22 @@ void cpool::computeOutputIndexes() {
@@ -982,8 +982,9 @@
}
// Initialize *all* our entries once
- for (int i = 0 ; i < maxentries ; i++)
+ for (uint i = 0 ; i < maxentries ; i++) {
entries[i].outputIndex = REQUESTED_NONE;
+ }
initGroupIndexes();
// Initialize hashTab to a generous power-of-two size.
@@ -3677,21 +3678,22 @@
unpacker* debug_u;
@ -190,7 +197,7 @@ index a585535c513..8df3fade499 100644
case CONSTANT_Signature:
if (value.b.ptr == null)
return ref(0)->string();
@@ -3728,26 +3729,28 @@ char* entry::string() {
@@ -3711,26 +3713,28 @@
break;
default:
if (nrefs == 0) {
@ -228,11 +235,10 @@ index a585535c513..8df3fade499 100644
}
void print_cp_entries(int beg, int end) {
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
index 4ec595333c4..aad0c971ef2 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
@@ -209,7 +209,7 @@ struct unpacker {
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
@@ -209,7 +209,7 @@
byte* rp; // read pointer (< rplimit <= input.limit())
byte* rplimit; // how much of the input block has been read?
julong bytes_read;
@ -241,11 +247,10 @@ index 4ec595333c4..aad0c971ef2 100644
// callback to read at least one byte, up to available input
typedef jlong (*read_input_fn_t)(unpacker* self, void* buf, jlong minlen, jlong maxlen);
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
index da39a589545..1281d8b25c8 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
@@ -81,7 +81,7 @@ void breakpoint() { } // hook for debugger
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
@@ -81,7 +81,7 @@
int assert_failed(const char* p) {
char message[1<<12];
sprintf(message, "@assert failed: %s\n", p);
@ -254,11 +259,10 @@ index da39a589545..1281d8b25c8 100644
breakpoint();
unpack_abort(message);
return 0;
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
index f58c94956c0..343da3e183b 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
@@ -84,7 +84,7 @@ void jar::init(unpacker* u_) {
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
@@ -84,7 +84,7 @@
}
// Write data to the ZIP output stream.
@ -267,7 +271,7 @@ index f58c94956c0..343da3e183b 100644
while (len > 0) {
int rc = (int)fwrite(buff, 1, len, jarfp);
if (rc <= 0) {
@@ -323,12 +323,12 @@ void jar::write_central_directory() {
@@ -323,12 +323,12 @@
// Total number of disks (int)
header64[36] = (ushort)SWAP_BYTES(1);
header64[37] = 0;
@ -282,11 +286,10 @@ index f58c94956c0..343da3e183b 100644
PRINTCR((2, "writing zip comment\n"));
// Write the comment.
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
index 14ffc9d65bd..9877f6f68ca 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
@@ -68,8 +68,8 @@ struct jar {
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
@@ -68,8 +68,8 @@
}
// Private Methods

0
SOURCES/repack_reproducible_policies.sh → SOURCES/repackReproduciblePolycies.sh
View File

2
SOURCES/s390-8214206_fix.patch
View File

@ -16,7 +16,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenan
Atomic::add(val, &_sum);
- int mag = log2_intptr(val) + 1;
+ int mag = log2_long(val) + 1;
+ int mag = log2_intptr((uintptr_t)val) + 1;
// Defensively saturate for product bits:
if (mag < 0) {

5128
SPECS/java-1.8.0-openjdk.spec
View File

File diff suppressed because it is too large Load Diff