import java-11-openjdk-11.0.12.0.1-0.1.ea.el8

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/jdk-updates-jdk11u-jdk-11.0.11+9-4curve.tar.xz
+SOURCES/jdk-updates-jdk11u-jdk-11.0.12+1-4curve.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

.java-11-openjdk.metadata

@@ -1,2 +1,2 @@
-a339f6e108c16a23c47504565b602a6fc395bf2e SOURCES/jdk-updates-jdk11u-jdk-11.0.11+9-4curve.tar.xz
+127a825852d1f05099a01f088fad3f4ba4b9995c SOURCES/jdk-updates-jdk11u-jdk-11.0.12+1-4curve.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

SOURCES/NEWS

@@ -3,6 +3,311 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 
+New in release OpenJDK 11.0.12 (2021-07-20):
+=============================================
+Live versions of these release notes can be found at:
+  * https://bitly.com/openjdk11012
+  * https://builds.shipilev.net/backports-monitor/release-notes-11.0.12.txt
+
+* Other changes
+  - JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit
+  - JDK-7106851: Test should not use System.exit
+  - JDK-8073446: TimeZone getOffset API does not  return a dst offset between years 2038-2137
+  - JDK-8076190: Customizing the generation of a PKCS12 keystore
+  - JDK-8171303: sun/java2d/pipe/InterpolationQualityTest.java fails on Windows & Linux
+  - JDK-8177068: incomplete classpath causes NPE in Flow
+  - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll
+  - JDK-8190763: Class cast exception on (CompoundEdit) UndoableEditEvent.getEdit()
+  - JDK-8195841: PNGImageReader.readNullTerminatedString() doesnt check for non-null terminated strings with length equal to maxLen
+  - JDK-8199646: JShell tests: jdk/jshell/FailOverDirectExecutionControlTest.java failed with java.lang.UnsupportedOperationException
+  - JDK-8206925: Support the certificate_authorities extension
+  - JDK-8207247: AARCH64: Enable Minimal and Client VM builds
+  - JDK-8207404: MulticastSocket tests failing on AIX
+  - JDK-8207779: Method::is_valid_method() compares 'this' with NULL
+  - JDK-8208061: runtime/LoadClass/TestResize.java fails with "Load factor too high" when running in CDS mode.
+  - JDK-8209459: TestSHA512MultiBlockIntrinsics failed on AArch64
+  - JDK-8210443: Migrate Locale matching tests to JDK Repo.
+  - JDK-8213231: ThreadSnapshot::_threadObj can become stale
+  - JDK-8213483: ARM32: runtime/ErrorHandling/ShowRegistersOnAssertTest.java jtreg test fail
+  - JDK-8213725: JShell NullPointerException due to class file with unexpected package
+  - JDK-8213794: ARM32: disable TypeProfiling, CriticalJNINatives, Serviceablity tests for ARM32
+  - JDK-8213845: ARM32: Interpreter doesn't call result handler after native calls
+  - JDK-8214128: ARM32: wrong stack alignment on Deoptimization::unpack_frames
+  - JDK-8214512: ARM32: Jtreg test compiler/c2/Test8062950.java fails on ARM
+  - JDK-8214922: Add vectorization support for fmin/fmax
+  - JDK-8216259: AArch64: Vectorize Adler32 intrinsics
+  - JDK-8216314: SIGILL in CodeHeapState::print_names()
+  - JDK-8217348: assert(thread->is_Java_thread()) failed: just checking
+  - JDK-8217465: [REDO] - Optimize CodeHeap Analytics
+  - JDK-8217561: X86: Add floating-point Math.min/max intrinsics
+  - JDK-8217918: C2: -XX:+AggressiveUnboxing is broken
+  - JDK-8219586: CodeHeap State Analytics processes dead nmethods
+  - JDK-8220407: compiler/intrinsics/math/TestFpMinMaxIntrinsics.java timedout
+  - JDK-8222302: [TESTBUG]test/hotspot/jtreg/compiler/intrinsics/sha/cli/TestUseSHAOptionOnUnsupportedCPU.java fails on any other CPU
+  - JDK-8222412: AARCH64: multiple instructions encoding issues
+  - JDK-8223020: aarch64: expand minI_rReg and maxI_rReg patterns into separate instructions
+  - JDK-8223444: Improve CodeHeap Free Space Management
+  - JDK-8223504: Improve performance of forall loops by better inlining of "iterator()" methods
+  - JDK-8225081: Remove Telia Company CA certificate expiring in April 2021
+  - JDK-8225116: Test OwnedWindowsLeak.java intermittently fails
+  - JDK-8225438: javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java failed with Read timed out
+  - JDK-8225756: [testbug] compiler/loopstripmining/CheckLoopStripMining.java sets too short a SafepointTimeoutDelay
+  - JDK-8226374: Restrict TLS signature schemes and named groups
+  - JDK-8226627: assert(t->singleton()) failed: must be a constant
+  - JDK-8227222: vmTestbase/jit/FloatingPoint/gen_math/Loops04/Loops04.java failed XMM register should be 0-15
+  - JDK-8230428: Cleanup dead CastIP node code in formssel.cpp
+  - JDK-8231460: Performance issue (CodeHeap) with large free blocks
+  - JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns
+  - JDK-8232591: AArch64: Add missing match rules for smaddl, smsubl and smnegl
+  - JDK-8233185: HttpServer.stop() blocks indefinitely when called on dispatch thread
+  - JDK-8233787: Break cycle in vm_version* includes
+  - JDK-8233948: AArch64: Incorrect mapping between OptoReg and VMReg for high 64 bits of Vector Register
+  - JDK-8234355: Buffer overflow in jcmd GC.class_stats due to too many classes
+  - JDK-8235368: Update BCEL to Version 6.4.1
+  - JDK-8236859: WebSocket over authenticating proxy fails with NPE
+  - JDK-8236992: AArch64: remove redundant load_klass in itable stub
+  - JDK-8237743: test/langtools/jdk/jshell/FailOverExecutionControlTest.java fails No ExecutionControlProvider with name 'nonExistent' and parameter keys: []
+  - JDK-8238175: CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class
+  - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers
+  - JDK-8238812: assert(false) failed: bad AD file
+  - JDK-8239312: [macos] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java
+  - JDK-8239386: handle ContendedPaddingWidth in vm_version_aarch64
+  - JDK-8239536: Can't use `java.util.List` object after importing `java.awt.List`
+  - JDK-8240487: Cleanup whitespace in .cc, .hh, .m, and .mm files
+  - JDK-8240848: ArrayIndexOutOfBoundsException buf for TextCallbackHandler
+  - JDK-8241082: Upgrade IANA Language Subtag Registry data to 03-16-2020 version
+  - JDK-8241101: [s390] jtreg test failure after JDK-8238696: not conformant features string
+  - JDK-8241372: Several test failures due to javax.net.ssl.SSLException: Connection reset
+  - JDK-8241475: AArch64: Add missing support for PopCountVI node
+  - JDK-8241829: Cleanup the code for PrinterJob on windows
+  - JDK-8241960: The SHA3 message digests impl of SUN provider are not thread safe after cloned
+  - JDK-8242010: Upgrade IANA Language Subtag Registry to Version 2020-04-01
+  - JDK-8242429: Better implementation for sign extract
+  - JDK-8242557: Add length limit for strings in PNGImageWriter
+  - JDK-8243240: AArch64: Add support for MulVB
+  - JDK-8243559: Remove root certificates with 1024-bit keys
+  - JDK-8243597: AArch64: Add support for integer vector abs
+  - JDK-8244031: HttpClient should have more tests for HEAD requests
+  - JDK-8244205: HTTP/2 tunnel connections through proxy may be reused regardless of which proxy is selected
+  - JDK-8244847: Linux/PPC: runtime/CompressedOops/CompressedClassPointers: smallHeapTest fails
+  - JDK-8245511: G1 adaptive IHOP does not account for reclamation of humongous objects by young GC
+  - JDK-8246274: G1 old gen allocation tracking is not in a separate class
+  - JDK-8247354: [aarch64] PopFrame causes assert(oopDesc::is_oop(obj)) failed: not an oop
+  - JDK-8247432: Update IANA Language Subtag Registry to Version 2020-09-29
+  - JDK-8247438: JShell: When FailOverExecutionControlProvider fails the proximal cause is not shown
+  - JDK-8248411: [aarch64] Insufficient error handling when CodeBuffer is exhausted
+  - JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable
+  - JDK-8249719: MethodHandle performance suffers from bad ResolvedMethodTable hash function
+  - JDK-8250635: MethodArityHistogram should use Compile_lock in favour of fancy checks
+  - JDK-8251525: AARCH64: Faster Math.signum(fp)
+  - JDK-8252259: AArch64: Adjust default value of FLOATPRESSURE
+  - JDK-8252779: compiler/graalunit/HotspotTest.java failed after 8251525
+  - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows
+  - JDK-8253167: ARM32 builds fail after JDK-8247910
+  - JDK-8253572: [windows] CDS archive may fail to open with long file names
+  - JDK-8253923: C2 doesn't always run loop opts for compilations that include loops
+  - JDK-8253948: Memory leak in ImageFileReader
+  - JDK-8254631: Better support ALPN byte wire values in SunJSSE
+  - JDK-8255086: Update the root locale display names
+  - JDK-8255625: AArch64: Implement Base64.encodeBlock accelerator/intrinsic
+  - JDK-8255763: C2: OSR miscompilation caused by invalid memory instruction placement
+  - JDK-8256037: [TESTBUG] com/sun/jndi/dns/ConfigTests/PortUnreachable.java fails due to the hard coded threshold is small
+  - JDK-8256244: java/lang/ProcessHandle/PermissionTest.java fails with TestNG 7.1
+  - JDK-8256287: [windows] add loop fuse to map_or_reserve_memory_aligned
+  - JDK-8256523: Streamline Java SHA2 implementation
+  - JDK-8257414: Drag n Drop target area is wrong on high DPI systems
+  - JDK-8257569: Failure observed with JfrVirtualMemory::initialize
+  - JDK-8257574: C2: "failed: parsing found no loops but there are some" assert failure
+  - JDK-8257580: Bump update version for OpenJDK: jdk-11.0.12
+  - JDK-8257604: JNI_ArgumentPusherVaArg leaks valist
+  - JDK-8257621: JFR StringPool misses cached items across consecutive recordings
+  - JDK-8257796: [TESTBUG] TestUseSHA512IntrinsicsOptionOnSupportedCPU.java fails on x86_32
+  - JDK-8257822: C2 crashes with SIGFPE due to a division that floats above its zero check
+  - JDK-8258414: OldObjectSample events too expensive
+  - JDK-8258505: [TESTBUG] TestDivZeroWithSplitIf.java fails due to missing UnlockDiagnosticVMOptions
+  - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues
+  - JDK-8259061: C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it
+  - JDK-8259227: C2 crashes with SIGFPE due to a division that floats above its zero check
+  - JDK-8259276: C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization
+  - JDK-8259662: Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl
+  - JDK-8259710: Inlining trace leaks memory
+  - JDK-8259777: Incorrect predication condition generated by ADLC
+  - JDK-8259786: initialize last parameter of getpwuid_r
+  - JDK-8259843: initialize dli_fname array before calling dll_address_to_library_name
+  - JDK-8259886: Improve SSL session cache performance and scalability
+  - JDK-8259983: do not use uninitialized expand_ms value in G1CollectedHeap::expand_heap_after_young_collection
+  - JDK-8260236: better init AnnotationCollector _contended_group
+  - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized
+  - JDK-8260284: C2: assert(_base == Int) failed: Not an Int
+  - JDK-8260380: Upgrade to LittleCMS 2.12
+  - JDK-8260420: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint
+  - JDK-8260426: awt debug_mem.c DMem_AllocateBlock might leak memory
+  - JDK-8260432: allocateSpaceForGP in freetypeScaler.c might leak memory
+  - JDK-8260925: HttpsURLConnection does not work  with other JSSE provider.
+  - JDK-8261020: Wrong format parameter in create_emergency_chunk_path
+  - JDK-8261027: AArch64: Support for LSE atomics C++ HotSpot code
+  - JDK-8261167: print_process_memory_info add a close call after fopen
+  - JDK-8261170: Upgrade to freetype 2.10.4
+  - JDK-8261235: C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check
+  - JDK-8261261: The version extra fields needs to be overridable in jib-profiles.js
+  - JDK-8261262: Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION
+  - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding
+  - JDK-8261397: try catch Method failing to work when dividing an integer by 0
+  - JDK-8261447: MethodInvocationCounters frequently run into overflow
+  - JDK-8261481: Cannot read Kerberos settings in dynamic store on macOS Big Sur
+  - JDK-8261505: Test test/hotspot/jtreg/gc/parallel/TestDynShrinkHeap.java killed by Linux OOM Killer
+  - JDK-8261601: free memory in early return in Java_sun_nio_ch_sctp_SctpChannelImpl_receive0
+  - JDK-8261649: AArch64: Optimize LSE atomics in C++ code
+  - JDK-8261730: C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge
+  - JDK-8261752: Multiple GC test are missing memory requirements
+  - JDK-8261791: (sctp) handleSendFailed in SctpChannelImpl.c potential leaks
+  - JDK-8261812: C2 compilation fails with assert(!had_error) failed: bad dominance
+  - JDK-8261914: IfNode::fold_compares_helper faces non-canonicalized bool when running JRuby JSON workload
+  - JDK-8262093: java/util/concurrent/tck/JSR166TestCase.java failed "assert(false) failed: unexpected node"
+  - JDK-8262110: DST starts from incorrect time in 2038
+  - JDK-8262121: [11u] Redo 8244287: JFR: Methods samples have line number 0
+  - JDK-8262295: C2: Out-of-Bounds Array Load from Clone Source
+  - JDK-8262298: G1BarrierSetC2::step_over_gc_barrier fails with assert "bad barrier shape"
+  - JDK-8262446: DragAndDrop hangs on Windows
+  - JDK-8262461: handle wcstombsdmp return value correctly in unix awt_InputMethod.c
+  - JDK-8262465: Very long compilation times and high memory consumption in C2 debug builds
+  - JDK-8262726: AArch64: C1 StubAssembler::call_RT can corrupt stack
+  - JDK-8262739: String inflation C2 intrinsic prevents insertion of anti-dependencies
+  - JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames()
+  - JDK-8262837: handle split_USE correctly
+  - JDK-8262900: ToolBasicTest fails to access HTTP server it starts
+  - JDK-8263260: [s390] Support latest hardware (z14 and z15)
+  - JDK-8263311: Watch registry changes for remote printers update instead of polling
+  - JDK-8263361: Incorrect arraycopy stub selected by C2 for SATB collectors
+  - JDK-8263425: AArch64: two potential bugs in C1 LIRGenerator::generate_address()
+  - JDK-8263448: CTW: fatal error: meet not symmetric
+  - JDK-8263504: Some OutputMachOpcodes fields are uninitialized
+  - JDK-8263557: Possible NULL dereference in Arena::destruct_contents()
+  - JDK-8263558: Possible NULL dereference in fast path arena free if ZapResourceArea is true
+  - JDK-8263676: AArch64: one potential bug in C1 LIRGenerator::generate_address()
+  - JDK-8263729: [test] divert spurious output away from stream under test in ProcessBuilder Basic test
+  - JDK-8264047: Duplicate global variable 'jvm' in libjavajpeg and libawt
+  - JDK-8264096: slowdebug jvm crashes when StrInflatedCopy match rule is not supported
+  - JDK-8264151: ciMethod::ensure_method_data() should return false is loading resulted in empty state
+  - JDK-8264173: [s390] Improve Hardware Feature Detection And Reporting
+  - JDK-8264190: Harden TLS interop tests
+  - JDK-8264223: CodeHeap::verify fails extra_hops assertion in fastdebug test
+  - JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java
+  - JDK-8264360: Loop strip mining verification fails with "should be on the backedge"
+  - JDK-8264626: C1 should be able to inline excluded methods
+  - JDK-8264640: CMS ParScanClosure misses a barrier
+  - JDK-8264821: DirectIOTest fails on a system with large block size
+  - JDK-8264846: [macos] libjvm.dylib linker warning due to macOS version mismatch
+  - JDK-8264923: PNGImageWriter.write_zTXt throws Exception with a typo
+  - JDK-8264958: C2 compilation fails with assert "n is later than its clone"
+  - JDK-8265099: Revert backport to 11u of 8236859: WebSocket over authenticating proxy fails with NPE
+  - JDK-8265154: vinserti128 operand mix up for KNL platforms
+  - JDK-8265417: Backport of JDK-8249672 breaks Solaris x86 build
+  - JDK-8265421: java/lang/String/StringRepeat.java test is missing a memory requirement
+  - JDK-8265537: x86 version string truncated after JDK-8249672 11u backport
+  - JDK-8265677: CMS: CardTableBarrierSet::write_ref_array_work() lacks storestore barrier
+  - JDK-8265690: Use the latest Ubuntu base image version in Docker testing
+  - JDK-8265718: Build failure after JDK-8258414 11u backport
+  - JDK-8265750: Fatal error in safepoint.cpp after backport of 8258414
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8215293: Customizing PKCS12 keystore Generation
+===================================================
+New system and security properties have been added to enable users to
+customize the generation of PKCS #12 keystores. This includes
+algorithms and parameters for key protection, certificate protection,
+and MacData. The detailed explanation and possible values for these
+properties can be found in the "PKCS12 KeyStore properties" section of
+the `java.security` file.
+
+Also, support for the following SHA-2 based HmacPBE algorithms has
+been added to the SunJCE provider:
+
+* HmacPBESHA224
+* HmacPBESHA256
+* HmacPBESHA384
+* HmacPBESHA512
+* HmacPBESHA512/224
+* HmacPBESHA512/256
+
+JDK-8256902: Removed Root Certificates with 1024-bit Keys
+=========================================================
+The following root certificates with weak 1024-bit RSA public keys
+have been removed from the `cacerts` keystore:
+
+Alias Name: thawtepremiumserverca [jdk]
+Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
+
+Alias Name: verisignclass2g2ca [jdk]
+Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+
+Alias Name: verisignclass3ca [jdk]
+Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
+
+Alias Name: verisignclass3g2ca [jdk]
+Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+
+Alias Name: verisigntsaca [jdk]
+Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
+
+JDK-8261361: Removed Telia Company's Sonera Class2 CA certificate
+=================================================================
+
+The following root certificate have been removed from the cacerts truststore:
+
+Alias Name: soneraclass2ca
+Distinguished Name: CN=Sonera Class2 CA, O=Sonera, C=FI
+
+security-libs/javax.net.ssl:
+
+JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values
+=========================================================================================
+Certain TLS ALPN values couldn't be properly read or written by the
+SunJSSE provider. This is due to the choice of Strings as the API
+interface and the undocumented internal use of the UTF-8 Character Set
+which converts characters larger than U+00007F (7-bit ASCII) into
+multi-byte arrays that may not be expected by a peer.
+
+ALPN values are now represented using the network byte representation
+expected by the peer, which should require no modification for
+standard 7-bit ASCII-based character Strings. However, SunJSSE now
+encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1
+characters.  This means applications that used characters above
+U+000007F that were previously encoded using UTF-8 may need to either
+be modified to perform the UTF-8 conversion, or set the Java security
+property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior.
+
+See the updated guide at
+https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html
+for more information.
+
+JDK-8244460: Support for certificate_authorities Extension
+==========================================================
+The "certificate_authorities" extension is an optional extension
+introduced in TLS 1.3. It is used to indicate the certificate
+authorities (CAs) that an endpoint supports and should be used by the
+receiving endpoint to guide certificate selection.
+
+With this JDK release, the "certificate_authorities" extension is
+supported for TLS 1.3 in both the client and the server sides.  This
+extension is always present for client certificate selection, while it
+is optional for server certificate selection.
+
+Applications can enable this extension for server certificate
+selection by setting the `jdk.tls.client.enableCAExtension` system
+property to `true`.  The default value of the property is `false`.
+
+Note that if the client trusts more CAs than the size limit of the
+extension (less than 2^16 bytes), the extension is not enabled.  Also,
+some server implementations do not allow handshake messages to exceed
+2^14 bytes.  Consequently, there may be interoperability issues when
+`jdk.tls.client.enableCAExtension` is set to `true` and the client
+trusts more CAs than the server implementation limit.
+
 New in release OpenJDK 11.0.11 (2021-04-20):
 =============================================
 Live versions of these release notes can be found at:

SOURCES/TestSecurityProperties.java

@@ -0,0 +1,43 @@
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.Security;
+import java.util.Properties;
+
+public class TestSecurityProperties {
+    // JDK 11
+    private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
+    // JDK 8
+    private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+
+    public static void main(String[] args) {
+        Properties jdkProps = new Properties();
+        loadProperties(jdkProps);
+        for (Object key: jdkProps.keySet()) {
+            String sKey = (String)key;
+            String securityVal = Security.getProperty(sKey);
+            String jdkSecVal = jdkProps.getProperty(sKey);
+            if (!securityVal.equals(jdkSecVal)) {
+                String msg = "Expected value '" + jdkSecVal + "' for key '" + 
+                             sKey + "'" + " but got value '" + securityVal + "'";
+                throw new RuntimeException("Test failed! " + msg);
+            } else {
+                System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+            }
+        }
+        System.out.println("TestSecurityProperties PASSED!");
+    }
+    
+    private static void loadProperties(Properties props) {
+        String javaVersion = System.getProperty("java.version");
+        System.out.println("Debug: Java version is " + javaVersion);
+        String propsFile = JDK_PROPS_FILE_JDK_11;
+        if (javaVersion.startsWith("1.8.0")) {
+            propsFile = JDK_PROPS_FILE_JDK_8;
+        }
+        try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+            props.load(fin);
+        } catch (Exception e) {
+            throw new RuntimeException("Test failed!", e);
+        }
+    }
+}

SPECS/java-11-openjdk.spec

@@ -291,7 +291,7 @@
 # New Version-String scheme-style defines
 %global featurever 11
 %global interimver 0
-%global updatever 11
+%global updatever 12
 %global patchver 0
 # If you bump featurever, you must bump also vendor_version_string
 # Used via new version scheme. JDK 11 was
@@ -338,8 +338,8 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        9
+%global buildver        1
-%global rpmrelease      5
+%global rpmrelease      1
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@@ -368,7 +368,7 @@
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
 # - N%%{?extraver}{?dist} for GA releases
-%global is_ga           1
+%global is_ga           0
 %if %{is_ga}
 %global ea_designator ""
 %global ea_designator_zip ""
@@ -1198,12 +1198,15 @@ Source13: TestCryptoLevel.java
 # Ensure ECDSA is working
 Source14: TestECDSA.java
 
-# nss fips configuration file
+# Verify system crypto (policy) can be disabled via a property
-Source15: nss.fips.cfg.in
+Source15: TestSecurityProperties.java
 
 # Ensure vendor settings are correct
 Source16: CheckVendor.java
 
+# nss fips configuration file
+Source17: nss.fips.cfg.in
+
 ############################################
 #
 # RPM/distribution specific patches
@@ -1694,7 +1697,7 @@ done
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
 
 # Setup nss.fips.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE15} > nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
 sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
 
 %build
@@ -1874,6 +1877,10 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
 $JAVA_HOME/bin/javac -d . %{SOURCE14}
 $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
 
+# Check system crypto (policy) can be disabled
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+
 # Check correct vendor values have been set
 $JAVA_HOME/bin/javac -d . %{SOURCE16}
 $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}"
@@ -2355,6 +2362,21 @@ end
 %endif
 
 %changelog
+* Mon Jun 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.1.ea
+- Re-order source files to sync with Fedora.
+- Resolves: rhbz#1966234
+
+* Mon Jun 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.12.0.1-0.1.ea
+- Add a test verifying system crypto policies can be disabled
+- Resolves: rhbz#1966234
+
+* Mon Jun 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.0.ea
+- Update to jdk-11.0.12.0+1
+- Update release notes to 11.0.12.0+1
+- Switch to EA mode for 11.0.12 pre-release builds.
+- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed)
+- Resolves: rhbz#1967374
+
 * Wed Jun 16 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.11.0.9-5
 - adapted to newst cjc to fix issue with rpm 4.17
 - Disable copy-jdk-configs for Flatpak builds