import java-11-openjdk-11.0.12.0.7-4.el8
This commit is contained in:
parent
df3686af15
commit
75536b7803
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/jdk-updates-jdk11u-jdk-11.0.12+2-4curve.tar.xz
|
||||
SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
|
||||
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||
|
@ -1,2 +1,2 @@
|
||||
73e3ecc340440bd249c7c0bd815544d63918aebb SOURCES/jdk-updates-jdk11u-jdk-11.0.12+2-4curve.tar.xz
|
||||
7459fbf6c597831b6039c3a608048131cb637528 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
|
||||
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||
|
69
SOURCES/NEWS
69
SOURCES/NEWS
@ -9,6 +9,21 @@ Live versions of these release notes can be found at:
|
||||
* https://bitly.com/openjdk11012
|
||||
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.12.txt
|
||||
|
||||
* Security fixes
|
||||
- JDK-8256157: Improve bytecode assembly
|
||||
- JDK-8256491: Better HTTP transport
|
||||
- JDK-8258432, CVE-2021-2341: Improve file transfers
|
||||
- JDK-8260453: Improve Font Bounding
|
||||
- JDK-8260960: Signs of jarsigner signing
|
||||
- JDK-8260967, CVE-2021-2369: Better jar file validation
|
||||
- JDK-8262380: Enhance XML processing passes
|
||||
- JDK-8262403: Enhanced data transfer
|
||||
- JDK-8262410: Enhanced rules for zones
|
||||
- JDK-8262477: Enhance String Conclusions
|
||||
- JDK-8262967: Improve Zip file support
|
||||
- JDK-8264066, CVE-2021-2388: Enhance compiler validation
|
||||
- JDK-8264079: Improve abstractions
|
||||
- JDK-8264460: Improve NTLM support
|
||||
* Other changes
|
||||
- JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit
|
||||
- JDK-7106851: Test should not use System.exit
|
||||
@ -17,11 +32,14 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8153005: Upgrade the default PKCS12 encryption/MAC algorithms
|
||||
- JDK-8171303: sun/java2d/pipe/InterpolationQualityTest.java fails on Windows & Linux
|
||||
- JDK-8177068: incomplete classpath causes NPE in Flow
|
||||
- JDK-8185734: [Windows] Structured Exception Catcher missing around gtest execution
|
||||
- JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll
|
||||
- JDK-8190763: Class cast exception on (CompoundEdit) UndoableEditEvent.getEdit()
|
||||
- JDK-8195841: PNGImageReader.readNullTerminatedString() doesnt check for non-null terminated strings with length equal to maxLen
|
||||
- JDK-8196100: javax/swing/text/JTextComponent/5074573/bug5074573.java fails
|
||||
- JDK-8199646: JShell tests: jdk/jshell/FailOverDirectExecutionControlTest.java failed with java.lang.UnsupportedOperationException
|
||||
- JDK-8206925: Support the certificate_authorities extension
|
||||
- JDK-8207160: ClassReader::adjustMethodParams can potentially return null if the args list is empty
|
||||
- JDK-8207247: AARCH64: Enable Minimal and Client VM builds
|
||||
- JDK-8207404: MulticastSocket tests failing on AIX
|
||||
- JDK-8207779: Method::is_valid_method() compares 'this' with NULL
|
||||
@ -38,6 +56,7 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8214854: JDWP: Unforseen output truncation in logging
|
||||
- JDK-8214922: Add vectorization support for fmin/fmax
|
||||
- JDK-8215009: GCC 8 compilation error in libjli
|
||||
- JDK-8216184: CDS/appCDS tests failed on Windows due to long path to a classlist file
|
||||
- JDK-8216259: AArch64: Vectorize Adler32 intrinsics
|
||||
- JDK-8216314: SIGILL in CodeHeapState::print_names()
|
||||
- JDK-8217348: assert(thread->is_Java_thread()) failed: just checking
|
||||
@ -47,6 +66,7 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8218458: [TESTBUG] runtime/NMT/CheckForProperDetailStackTrace.java fails with Expected stack trace missing from output
|
||||
- JDK-8219142: Remove unused JIMAGE_ResourcePath
|
||||
- JDK-8219586: CodeHeap State Analytics processes dead nmethods
|
||||
- JDK-8220074: Clean up GCC 8.3 errors in LittleCMS
|
||||
- JDK-8220407: compiler/intrinsics/math/TestFpMinMaxIntrinsics.java timedout
|
||||
- JDK-8222302: [TESTBUG]test/hotspot/jtreg/compiler/intrinsics/sha/cli/TestUseSHAOptionOnUnsupportedCPU.java fails on any other CPU
|
||||
- JDK-8222412: AARCH64: multiple instructions encoding issues
|
||||
@ -61,11 +81,14 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8226374: Restrict TLS signature schemes and named groups
|
||||
- JDK-8226627: assert(t->singleton()) failed: must be a constant
|
||||
- JDK-8226721: Missing intrinsics for Math.ceil, floor, rint
|
||||
- JDK-8227080: (fs) Files.newInputStream(...).skip(n) is slow
|
||||
- JDK-8227222: vmTestbase/jit/FloatingPoint/gen_math/Loops04/Loops04.java failed XMM register should be 0-15
|
||||
- JDK-8227609: (fs) Files.newInputStream(...).skip(n) should allow skipping beyond file size
|
||||
- JDK-8230428: Cleanup dead CastIP node code in formssel.cpp
|
||||
- JDK-8231460: Performance issue (CodeHeap) with large free blocks
|
||||
- JDK-8231713: x86_32 build failures after JDK-8226721 (Missing intrinsics for Math.ceil, floor, rint)
|
||||
- JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns
|
||||
- JDK-8232084: HotSpot build failed with GCC 9.2.1
|
||||
- JDK-8232591: AArch64: Add missing match rules for smaddl, smsubl and smnegl
|
||||
- JDK-8233185: HttpServer.stop() blocks indefinitely when called on dispatch thread
|
||||
- JDK-8233787: Break cycle in vm_version* includes
|
||||
@ -75,6 +98,7 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8236859: WebSocket over authenticating proxy fails with NPE
|
||||
- JDK-8236992: AArch64: remove redundant load_klass in itable stub
|
||||
- JDK-8237743: test/langtools/jdk/jshell/FailOverExecutionControlTest.java fails No ExecutionControlProvider with name 'nonExistent' and parameter keys: []
|
||||
- JDK-8237804: sun/security/mscapi tests fail with "Key pair not generated, alias <nnnnnn> already exists"
|
||||
- JDK-8238175: CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class
|
||||
- JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers
|
||||
- JDK-8238812: assert(false) failed: bad AD file
|
||||
@ -84,7 +108,9 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8240487: Cleanup whitespace in .cc, .hh, .m, and .mm files
|
||||
- JDK-8240848: ArrayIndexOutOfBoundsException buf for TextCallbackHandler
|
||||
- JDK-8241082: Upgrade IANA Language Subtag Registry data to 03-16-2020 version
|
||||
- JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873
|
||||
- JDK-8241101: [s390] jtreg test failure after JDK-8238696: not conformant features string
|
||||
- JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)
|
||||
- JDK-8241372: Several test failures due to javax.net.ssl.SSLException: Connection reset
|
||||
- JDK-8241475: AArch64: Add missing support for PopCountVI node
|
||||
- JDK-8241829: Cleanup the code for PrinterJob on windows
|
||||
@ -92,8 +118,10 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8242010: Upgrade IANA Language Subtag Registry to Version 2020-04-01
|
||||
- JDK-8242429: Better implementation for sign extract
|
||||
- JDK-8242557: Add length limit for strings in PNGImageWriter
|
||||
- JDK-8242919: Paste locks up jshell
|
||||
- JDK-8243155: AArch64: Add support for SqrtVF
|
||||
- JDK-8243240: AArch64: Add support for MulVB
|
||||
- JDK-8243452: JFR: Could not create chunk in repository with over 200 recordings
|
||||
- JDK-8243559: Remove root certificates with 1024-bit keys
|
||||
- JDK-8243597: AArch64: Add support for integer vector abs
|
||||
- JDK-8244031: HttpClient should have more tests for HEAD requests
|
||||
@ -111,11 +139,15 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8248568: compiler/c2/TestBit.java failed: test missing from stdout/stderr
|
||||
- JDK-8248870: AARCH64: I2L/L2I conversions can be skipped for masked positive values
|
||||
- JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable
|
||||
- JDK-8249189: AARCH64: more L2I conversions can be skipped
|
||||
- JDK-8249719: MethodHandle performance suffers from bad ResolvedMethodTable hash function
|
||||
- JDK-8249875: GCC 10 warnings -Wtype-limits with JFR code
|
||||
- JDK-8250635: MethodArityHistogram should use Compile_lock in favour of fancy checks
|
||||
- JDK-8250876: Fix issues with cross-compile on macos
|
||||
- JDK-8251031: Some vmTestbase/nsk/monitoring/RuntimeMXBean tests fail with hostnames starting from digits
|
||||
- JDK-8251525: AARCH64: Faster Math.signum(fp)
|
||||
- JDK-8252259: AArch64: Adjust default value of FLOATPRESSURE
|
||||
- JDK-8252311: AArch64: save two words in itable lookup stub
|
||||
- JDK-8252779: compiler/graalunit/HotspotTest.java failed after 8251525
|
||||
- JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows
|
||||
- JDK-8253167: ARM32 builds fail after JDK-8247910
|
||||
@ -123,9 +155,11 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8253923: C2 doesn't always run loop opts for compilations that include loops
|
||||
- JDK-8253948: Memory leak in ImageFileReader
|
||||
- JDK-8254631: Better support ALPN byte wire values in SunJSSE
|
||||
- JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards
|
||||
- JDK-8255086: Update the root locale display names
|
||||
- JDK-8255625: AArch64: Implement Base64.encodeBlock accelerator/intrinsic
|
||||
- JDK-8255763: C2: OSR miscompilation caused by invalid memory instruction placement
|
||||
- JDK-8255992: JFR EventWriter does not use first string from StringPool with id 0
|
||||
- JDK-8256037: [TESTBUG] com/sun/jndi/dns/ConfigTests/PortUnreachable.java fails due to the hard coded threshold is small
|
||||
- JDK-8256244: java/lang/ProcessHandle/PermissionTest.java fails with TestNG 7.1
|
||||
- JDK-8256287: [windows] add loop fuse to map_or_reserve_memory_aligned
|
||||
@ -138,19 +172,31 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8257621: JFR StringPool misses cached items across consecutive recordings
|
||||
- JDK-8257796: [TESTBUG] TestUseSHA512IntrinsicsOptionOnSupportedCPU.java fails on x86_32
|
||||
- JDK-8257822: C2 crashes with SIGFPE due to a division that floats above its zero check
|
||||
- JDK-8257828: SafeFetch may crash if invoked in non-JavaThreads
|
||||
- JDK-8257853: Remove dependencies on JNF's JNI utility functions in AWT and 2D code
|
||||
- JDK-8257858: [macOS]: Remove JNF dependency from libosxsecurity/KeystoreImpl.m
|
||||
- JDK-8257860: [macOS]: Remove JNF dependency from libosxkrb5/SCDynamicStoreConfig.m
|
||||
- JDK-8257988: Remove JNF dependency from libsaproc/MacosxDebuggerLocal.m
|
||||
- JDK-8258414: OldObjectSample events too expensive
|
||||
- JDK-8258505: [TESTBUG] TestDivZeroWithSplitIf.java fails due to missing UnlockDiagnosticVMOptions
|
||||
- JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues
|
||||
- JDK-8259061: C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it
|
||||
- JDK-8259227: C2 crashes with SIGFPE due to a division that floats above its zero check
|
||||
- JDK-8259232: Bad JNI lookup during printing
|
||||
- JDK-8259276: C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization
|
||||
- JDK-8259343: [macOS] Update JNI error handling in Cocoa code.
|
||||
- JDK-8259585: Accessible actions do not work on mac os x
|
||||
- JDK-8259651: [macOS] Replace JNF_COCOA_ENTER/EXIT macros
|
||||
- JDK-8259662: Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl
|
||||
- JDK-8259710: Inlining trace leaks memory
|
||||
- JDK-8259729: Missed JNFInstanceOf -> IsInstanceOf conversion
|
||||
- JDK-8259777: Incorrect predication condition generated by ADLC
|
||||
- JDK-8259786: initialize last parameter of getpwuid_r
|
||||
- JDK-8259843: initialize dli_fname array before calling dll_address_to_library_name
|
||||
- JDK-8259869: [macOS] Remove desktop module dependencies on JNF Reference APIs
|
||||
- JDK-8259886: Improve SSL session cache performance and scalability
|
||||
- JDK-8259983: do not use uninitialized expand_ms value in G1CollectedHeap::expand_heap_after_young_collection
|
||||
- JDK-8260030: Improve stringStream buffer handling
|
||||
- JDK-8260236: better init AnnotationCollector _contended_group
|
||||
- JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized
|
||||
- JDK-8260284: C2: assert(_base == Int) failed: Not an Int
|
||||
@ -158,6 +204,8 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8260420: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint
|
||||
- JDK-8260426: awt debug_mem.c DMem_AllocateBlock might leak memory
|
||||
- JDK-8260432: allocateSpaceForGP in freetypeScaler.c might leak memory
|
||||
- JDK-8260616: Removing remaining JNF dependencies in the java.desktop module
|
||||
- JDK-8260653: Unreachable nodes keep speculative types alive
|
||||
- JDK-8260707: java/lang/instrument/PremainClass/InheritAgent0100.java times out
|
||||
- JDK-8260925: HttpsURLConnection does not work with other JSSE provider.
|
||||
- JDK-8260926: Trace resource exhausted events unconditionally
|
||||
@ -165,11 +213,14 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8261027: AArch64: Support for LSE atomics C++ HotSpot code
|
||||
- JDK-8261167: print_process_memory_info add a close call after fopen
|
||||
- JDK-8261170: Upgrade to freetype 2.10.4
|
||||
- JDK-8261198: [macOS] Incorrect JNI parameters in number conversion in A11Y code
|
||||
- JDK-8261235: C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check
|
||||
- JDK-8261261: The version extra fields needs to be overridable in jib-profiles.js
|
||||
- JDK-8261262: Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION
|
||||
- JDK-8261354: SIGSEGV at MethodIteratorHost
|
||||
- JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding
|
||||
- JDK-8261397: try catch Method failing to work when dividing an integer by 0
|
||||
- JDK-8261422: Adjust problematic String.format calls in jdk/internal/util/Preconditions.java outOfBoundsMessage
|
||||
- JDK-8261447: MethodInvocationCounters frequently run into overflow
|
||||
- JDK-8261481: Cannot read Kerberos settings in dynamic store on macOS Big Sur
|
||||
- JDK-8261505: Test test/hotspot/jtreg/gc/parallel/TestDynShrinkHeap.java killed by Linux OOM Killer
|
||||
@ -197,6 +248,7 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8263260: [s390] Support latest hardware (z14 and z15)
|
||||
- JDK-8263311: Watch registry changes for remote printers update instead of polling
|
||||
- JDK-8263361: Incorrect arraycopy stub selected by C2 for SATB collectors
|
||||
- JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
|
||||
- JDK-8263425: AArch64: two potential bugs in C1 LIRGenerator::generate_address()
|
||||
- JDK-8263448: CTW: fatal error: meet not symmetric
|
||||
- JDK-8263504: Some OutputMachOpcodes fields are uninitialized
|
||||
@ -204,6 +256,7 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8263558: Possible NULL dereference in fast path arena free if ZapResourceArea is true
|
||||
- JDK-8263676: AArch64: one potential bug in C1 LIRGenerator::generate_address()
|
||||
- JDK-8263729: [test] divert spurious output away from stream under test in ProcessBuilder Basic test
|
||||
- JDK-8263846: Bad JNI lookup getFocusOwner in accessibility code on Mac OS X
|
||||
- JDK-8264047: Duplicate global variable 'jvm' in libjavajpeg and libawt
|
||||
- JDK-8264096: slowdebug jvm crashes when StrInflatedCopy match rule is not supported
|
||||
- JDK-8264151: ciMethod::ensure_method_data() should return false is loading resulted in empty state
|
||||
@ -216,7 +269,7 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8264640: CMS ParScanClosure misses a barrier
|
||||
- JDK-8264786: [macos] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched
|
||||
- JDK-8264821: DirectIOTest fails on a system with large block size
|
||||
- JDK-8264846: [macos] libjvm.dylib linker warning due to macOS version mismatch
|
||||
- JDK-8264848: [macos] libjvm.dylib linker warning due to macOS version mismatch
|
||||
- JDK-8264923: PNGImageWriter.write_zTXt throws Exception with a typo
|
||||
- JDK-8264958: C2 compilation fails with assert "n is later than its clone"
|
||||
- JDK-8265099: Revert backport to 11u of 8236859: WebSocket over authenticating proxy fails with NPE
|
||||
@ -224,13 +277,27 @@ Live versions of these release notes can be found at:
|
||||
- JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1
|
||||
- JDK-8265417: Backport of JDK-8249672 breaks Solaris x86 build
|
||||
- JDK-8265421: java/lang/String/StringRepeat.java test is missing a memory requirement
|
||||
- JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod
|
||||
- JDK-8265537: x86 version string truncated after JDK-8249672 11u backport
|
||||
- JDK-8265666: Enable AIX build platform to make external debug symbols
|
||||
- JDK-8265677: CMS: CardTableBarrierSet::write_ref_array_work() lacks storestore barrier
|
||||
- JDK-8265690: Use the latest Ubuntu base image version in Docker testing
|
||||
- JDK-8265718: Build failure after JDK-8258414 11u backport
|
||||
- JDK-8265750: Fatal error in safepoint.cpp after backport of 8258414
|
||||
- JDK-8265784: [C2] Hoisting of DecodeN leaves MachTemp inputs behind
|
||||
- JDK-8265938: C2's conditional move optimization does not handle top Phi
|
||||
- JDK-8266220: keytool still prompt for store password on a password-less pkcs12 file if -storetype pkcs12 is specified
|
||||
- JDK-8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"
|
||||
- JDK-8266713: [AIX] Build failure after 11u backport of JDK-8247753
|
||||
- JDK-8266802: Shenandoah: Round up region size to page size unconditionally
|
||||
- JDK-8266892: avoid maybe-uninitialized gcc warnings on linux s390x
|
||||
- JDK-8266929: Unable to use algorithms from 3p providers
|
||||
- JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash
|
||||
- JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC
|
||||
- JDK-8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u
|
||||
- JDK-8267641: [11u] 8227609 backport typo
|
||||
- JDK-8267721: Enable sun/security/pkcs11 tests for Amazon Linux 2 AArch64
|
||||
- JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired
|
||||
|
||||
Notes on individual issues:
|
||||
===========================
|
||||
|
32
SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch
Normal file
32
SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001
|
||||
From: Severin Gehwolf <sgehwolf@redhat.com>
|
||||
Date: Wed, 14 Jul 2021 12:06:39 +0200
|
||||
Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c
|
||||
|
||||
---
|
||||
src/hotspot/os/linux/os_linux.cpp | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp
|
||||
index e8baf704e3a..12b75b733b5 100644
|
||||
--- a/src/hotspot/os/linux/os_linux.cpp
|
||||
+++ b/src/hotspot/os/linux/os_linux.cpp
|
||||
@@ -413,8 +413,15 @@ void os::init_system_properties_values() {
|
||||
// 7: The default directories, normally /lib and /usr/lib.
|
||||
#if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390)
|
||||
#define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib"
|
||||
+#else
|
||||
+#if defined(AARCH64)
|
||||
+ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems
|
||||
+ // might not adhere to the FHS and it would be a change in behaviour if we used
|
||||
+ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths.
|
||||
+ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64"
|
||||
#else
|
||||
#define DEFAULT_LIBPATH "/lib:/usr/lib"
|
||||
+#endif // AARCH64
|
||||
#endif
|
||||
|
||||
// Base path of extensions installed on the system.
|
||||
--
|
||||
2.31.1
|
||||
|
18
SOURCES/rh1996182-extend_security_policy.patch
Normal file
18
SOURCES/rh1996182-extend_security_policy.patch
Normal file
@ -0,0 +1,18 @@
|
||||
commit 598fe421216b0a437fa36ee91a29966599867aa3
|
||||
Author: Andrew Hughes <gnu.andrew@redhat.com>
|
||||
Date: Mon Aug 30 16:12:52 2021 +0100
|
||||
|
||||
RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
|
||||
|
||||
diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
|
||||
index ab59a334cd..5db744ff17 100644
|
||||
--- openjdk.orig/src/java.base/share/lib/security/default.policy
|
||||
+++ openjdk/src/java.base/share/lib/security/default.policy
|
||||
@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
|
||||
grant codeBase "jrt:/jdk.crypto.cryptoki" {
|
||||
permission java.lang.RuntimePermission
|
||||
"accessClassInPackage.com.sun.crypto.provider";
|
||||
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
|
||||
permission java.lang.RuntimePermission
|
||||
"accessClassInPackage.sun.security.*";
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
|
66
SOURCES/rh1996182-login_to_nss_software_token.patch
Normal file
66
SOURCES/rh1996182-login_to_nss_software_token.patch
Normal file
@ -0,0 +1,66 @@
|
||||
commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
|
||||
Author: Martin Balao <mbalao@redhat.com>
|
||||
Date: Fri Aug 27 19:42:07 2021 +0100
|
||||
|
||||
RH1996182: Login to the NSS Software Token in FIPS Mode
|
||||
|
||||
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
|
||||
index 0cf61732d7..2cd851587c 100644
|
||||
--- openjdk.orig/src/java.base/share/classes/module-info.java
|
||||
+++ openjdk/src/java.base/share/classes/module-info.java
|
||||
@@ -182,6 +182,7 @@ module java.base {
|
||||
java.security.jgss,
|
||||
java.sql,
|
||||
java.xml,
|
||||
+ jdk.crypto.cryptoki,
|
||||
jdk.jartool,
|
||||
jdk.attach,
|
||||
jdk.charsets,
|
||||
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
index b00b738b85..1eca1f8f0a 100644
|
||||
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
|
||||
import javax.security.auth.callback.PasswordCallback;
|
||||
import javax.security.auth.callback.TextOutputCallback;
|
||||
|
||||
+import jdk.internal.misc.SharedSecrets;
|
||||
+
|
||||
import sun.security.util.Debug;
|
||||
import sun.security.util.ResourcesMgr;
|
||||
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
||||
@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
||||
*/
|
||||
public final class SunPKCS11 extends AuthProvider {
|
||||
|
||||
+ private static final boolean systemFipsEnabled = SharedSecrets
|
||||
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
|
||||
+
|
||||
private static final long serialVersionUID = -1354835039035306505L;
|
||||
|
||||
static final Debug debug = Debug.getInstance("sunpkcs11");
|
||||
@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
if (nssModule != null) {
|
||||
nssModule.setProvider(this);
|
||||
}
|
||||
+ if (systemFipsEnabled) {
|
||||
+ // The NSS Software Token in FIPS 140-2 mode requires a user
|
||||
+ // login for most operations. See sftk_fipsCheck. The NSS DB
|
||||
+ // (/etc/pki/nssdb) PIN is empty.
|
||||
+ Session session = null;
|
||||
+ try {
|
||||
+ session = token.getOpSession();
|
||||
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
|
||||
+ } catch (PKCS11Exception p11e) {
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Error during token login: " +
|
||||
+ p11e.getMessage());
|
||||
+ }
|
||||
+ throw p11e;
|
||||
+ } finally {
|
||||
+ token.releaseSession(session);
|
||||
+ }
|
||||
+ }
|
||||
} catch (Exception e) {
|
||||
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
|
||||
throw new UnsupportedOperationException
|
@ -173,10 +173,8 @@
|
||||
%endif
|
||||
|
||||
# If you disable both builds, then the build fails
|
||||
# Note that the debug build requires the normal build for docs
|
||||
%global build_loop %{normal_build} %{fastdebug_build} %{slowdebug_build}
|
||||
# Test slowdebug first as it provides the best diagnostics
|
||||
%global rev_build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
|
||||
# Build and test slowdebug first as it provides the best diagnostics
|
||||
%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
|
||||
|
||||
%if %{include_staticlibs}
|
||||
%global staticlibs_loop %{staticlibs_suffix}
|
||||
@ -338,8 +336,8 @@
|
||||
%global origin_nice OpenJDK
|
||||
%global top_level_dir_name %{origin}
|
||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||
%global buildver 2
|
||||
%global rpmrelease 0
|
||||
%global buildver 7
|
||||
%global rpmrelease 4
|
||||
#%%global tagsuffix %%{nil}
|
||||
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
||||
%if %is_system_jdk
|
||||
@ -368,7 +366,7 @@
|
||||
# Release will be (where N is usually a number starting at 1):
|
||||
# - 0.N%%{?extraver}%%{?dist} for EA releases,
|
||||
# - N%%{?extraver}{?dist} for GA releases
|
||||
%global is_ga 0
|
||||
%global is_ga 1
|
||||
%if %{is_ga}
|
||||
%global ea_designator ""
|
||||
%global ea_designator_zip ""
|
||||
@ -1235,6 +1233,9 @@ Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
|
||||
Patch1007: rh1915071-always_initialise_configurator_access.patch
|
||||
# RH1929465: Improve system FIPS detection
|
||||
Patch1008: rh1929465-improve_system_FIPS_detection.patch
|
||||
# RH1996182: Login to the NSS software token in FIPS mode
|
||||
Patch1009: rh1996182-login_to_nss_software_token.patch
|
||||
Patch1010: rh1996182-extend_security_policy.patch
|
||||
|
||||
#############################################
|
||||
#
|
||||
@ -1261,13 +1262,15 @@ Patch7: pr3695-toggle_system_crypto_policy.patch
|
||||
|
||||
#############################################
|
||||
#
|
||||
# Patches appearing in 11.0.10
|
||||
# Patches appearing in 11.0.13
|
||||
#
|
||||
# This section includes patches which are present
|
||||
# in the listed OpenJDK 11u release and should be
|
||||
# able to be removed once that release is out
|
||||
# and used by this RPM.
|
||||
#############################################
|
||||
# JDK-8269668, RH1977671: [aarch64] java.library.path not including /usr/lib64
|
||||
Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch
|
||||
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
@ -1612,10 +1615,6 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ
|
||||
echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
|
||||
exit 14
|
||||
fi
|
||||
if [ %{include_normal_build} -eq 0 ] ; then
|
||||
echo "You have disabled the normal build, but this is required to provide docs for the debug build."
|
||||
exit 15
|
||||
fi
|
||||
%setup -q -c -n %{uniquesuffix ""} -T -a 0
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
|
||||
prioritylength=`expr length %{priority}`
|
||||
@ -1635,6 +1634,7 @@ pushd %{top_level_dir_name}
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
popd # openjdk
|
||||
|
||||
%patch1000
|
||||
@ -1645,6 +1645,8 @@ popd # openjdk
|
||||
%patch1004
|
||||
%patch1007
|
||||
%patch1008
|
||||
%patch1009
|
||||
%patch1010
|
||||
|
||||
# Extract systemtap tapsets
|
||||
%if %{with_systemtap}
|
||||
@ -1854,7 +1856,7 @@ done # end of release / debug cycle loop
|
||||
%check
|
||||
|
||||
# We test debug first as it will give better diagnostics on a crash
|
||||
for suffix in %{rev_build_loop} ; do
|
||||
for suffix in %{build_loop} ; do
|
||||
|
||||
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
|
||||
%if %{include_staticlibs}
|
||||
@ -2361,6 +2363,46 @@ end
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-4
|
||||
- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
|
||||
- Resolves: rhbz#1997357
|
||||
|
||||
* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-3
|
||||
- Add patch to login to the NSS software token when in FIPS mode.
|
||||
- Resolves: rhbz#1997357
|
||||
|
||||
* Wed Jul 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.12.0.7-2
|
||||
- Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668)
|
||||
- Resolves: rhbz#1994104
|
||||
|
||||
* Tue Jul 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-1
|
||||
- Update to jdk-11.0.12.0+7
|
||||
- Update release notes to 11.0.12.0+7
|
||||
- Switch to GA mode for final release.
|
||||
- Resolves: rhbz#1972395
|
||||
|
||||
* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.6-0.0.ea
|
||||
- Update to jdk-11.0.12.0+6
|
||||
- Update release notes to 11.0.12.0+6
|
||||
- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change
|
||||
- Resolves: rhbz#1967374
|
||||
|
||||
* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.4-0.0.ea
|
||||
- Update to jdk-11.0.12.0+4
|
||||
- Update release notes to 11.0.12.0+4
|
||||
- Correct bug ID JDK-8264846 to intended ID of JDK-8264848
|
||||
- Resolves: rhbz#1967374
|
||||
|
||||
* Mon Jul 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.3-0.0.ea
|
||||
- Update to jdk-11.0.12.0+3
|
||||
- Update release notes to 11.0.12.0+3
|
||||
- Resolves: rhbz#1967374
|
||||
|
||||
* Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.2-0.1.ea
|
||||
- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
|
||||
- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
|
||||
- Resolves: rhbz#1966234
|
||||
|
||||
* Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.2-0.0.ea
|
||||
- Update to jdk-11.0.12.0+2
|
||||
- Update release notes to 11.0.12.0+2
|
||||
|
Loading…
Reference in New Issue
Block a user