From cfb881c0402bebb3ab0787574cd341d911890bbe Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Thu, 24 Mar 2022 06:33:08 +0000 Subject: [PATCH] import java-11-openjdk-11.0.14.1.1-6.el8 --- .gitignore | 2 +- .java-11-openjdk.metadata | 2 +- SOURCES/NEWS | 514 +++++++++++++++++ SOURCES/jdk8257794-remove_broken_assert.patch | 12 + SOURCES/jdk8275535-rh2053256-ldap_auth.patch | 26 + SOURCES/nss.fips.cfg.in | 2 +- .../rh1996182-extend_security_policy.patch | 18 - ...h1996182-login_to_nss_software_token.patch | 12 +- ...263-fips_ensure_security_initialised.patch | 28 + ...h2021263-fips_missing_native_returns.patch | 24 + ...3-fips_separate_policy_and_fips_init.patch | 99 ++++ ...rh2052829-fips_runtime_nss_detection.patch | 220 ++++++++ SPECS/java-11-openjdk.spec | 520 +++++++++++++----- 13 files changed, 1323 insertions(+), 156 deletions(-) create mode 100644 SOURCES/jdk8257794-remove_broken_assert.patch create mode 100644 SOURCES/jdk8275535-rh2053256-ldap_auth.patch delete mode 100644 SOURCES/rh1996182-extend_security_policy.patch create mode 100644 SOURCES/rh2021263-fips_ensure_security_initialised.patch create mode 100644 SOURCES/rh2021263-fips_missing_native_returns.patch create mode 100644 SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch create mode 100644 SOURCES/rh2052829-fips_runtime_nss_detection.patch diff --git a/.gitignore b/.gitignore index 8a39ad5..00df8f2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/jdk-updates-jdk11u-jdk-11.0.13+8-4curve.tar.xz +SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata index 78958a2..4c5a915 100644 --- a/.java-11-openjdk.metadata +++ b/.java-11-openjdk.metadata @@ -1,2 +1,2 @@ -e36bde565834fe738fd222d419cfedc23ab80cee SOURCES/jdk-updates-jdk11u-jdk-11.0.13+8-4curve.tar.xz +dc2a5d071dcf324a925de54709e153c6df94dd43 SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index df6dc0c..8069f37 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,520 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 11.0.14.1 (2022-02-08): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk110141 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.1.txt + +* Other changes + - JDK-8218546: Unable to connect to https://google.com using java.net.HttpClient + - JDK-8280786: Build failure on Solaris after 8262392 + - JDK-8281324: Bump update version for OpenJDK: jdk-11.0.14.1 + +New in release OpenJDK 11.0.14 (2022-01-18): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11014 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.txt + +* New features + - JDK-8248238: Implementation: JEP 388: Windows AArch64 Support +* Security fixes + - JDK-8217375: jarsigner breaks old signature with long lines in manifest + - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside + - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization + - JDK-8268488: More valuable DerValues + - JDK-8268494: Better inlining of inlined interfaces + - JDK-8268512: More content for ContentInfo + - JDK-8268795: Enhance digests of Jar files + - JDK-8268801: Improve PKCS attribute handling + - JDK-8268813, CVE-2022-21283: Better String matching + - JDK-8269151: Better construction of EncryptedPrivateKeyInfo + - JDK-8269944: Better HTTP transport redux + - JDK-8270386, CVE-2022-21291: Better verification of scan methods + - JDK-8270392, CVE-2022-21293: Improve String constructions + - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps + - JDK-8270492, CVE-2022-21282: Better resolution of URIs + - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management + - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities + - JDK-8270952, CVE-2022-21277: Improve TIFF file handling + - JDK-8271962: Better TrueType font loading + - JDK-8271968: Better canonical naming + - JDK-8271987: Manifest improved manifest entries + - JDK-8272014, CVE-2022-21305: Better array indexing + - JDK-8272026, CVE-2022-21340: Verify Jar Verification + - JDK-8272236, CVE-2022-21341: Improve serial forms for transport + - JDK-8272272: Enhance jcmd communication + - JDK-8272462: Enhance image handling + - JDK-8273290: Enhance sound handling + - JDK-8273756, CVE-2022-21360: Enhance BMP image support + - JDK-8273838, CVE-2022-21365: Enhanced BMP processing + - JDK-8274096, CVE-2022-21366: Improve decoding of image files + - JDK-8279541: Improve HarfBuzz +* Other changes + - JDK-6849922: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.html fails + - JDK-7105119: [TEST_BUG] [macosx] In test UIDefaults.toString() must be called with the invokeLater() + - JDK-7151826: [TEST_BUG] [macosx] The test javax/swing/JPopupMenu/4966112/bug4966112.java not for mac + - JDK-7179006: [macosx] Print-to-file doesn't work: printing to the default printer instead + - JDK-8015602: [macosx] Test javax/swing/SpringLayout/4726194/bug4726194.java fails on MacOSX + - JDK-8034084: nsk.nsk/jvmti/ThreadStart/threadstart003 Wrong number of thread end events + - JDK-8039261: [TEST_BUG]: There is not a minimal security level in Java Preferences and the TestApplet.html is blocked. + - JDK-8047218: [TEST_BUG] java/awt/FullScreen/AltTabCrashTest/AltTabCrashTest.java fails with exception + - JDK-8075909: [TEST_BUG] The regression-swing case failed as it does not have the 'Open' button when select 'subdir' folder with NimbusLAF + - JDK-8078219: Verify lack of @test tag in files in java/net test directory + - JDK-8080569: java/lang/ProcessBuilder/DestroyTest.java fails with "RuntimeException: Process terminated prematurely" + - JDK-8081652: [TESTBUG] java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java timed out intermittently + - JDK-8129310: java/net/Socket/asyncClose/AsyncClose.java fails intermittently + - JDK-8131745: java/lang/management/ThreadMXBean/AllThreadIds.java still fails intermittently + - JDK-8136517: [macosx]Test java/awt/Focus/8073453/AWTFocusTransitionTest.java fails on MacOSX + - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing + - JDK-8143021: [TEST_BUG] Test javax/swing/JColorChooser/Test6541987.java fails + - JDK-8159597: [TEST_BUG] closed/javax/swing/JPopupMenu/4760494/bug4760494.java leaves key pressed + - JDK-8159904: [TEST_BUG] Failure on solaris of java/awt/Window/MultiWindowApp/MultiWindowAppTest.java + - JDK-8163086: java/awt/Window/TranslucentJAppletTest/TranslucentJAppletTest.java fails + - JDK-8165828: [TEST_BUG] The reg case:javax/swing/plaf/metal/MetalIcons/MetalHiDPIIconsTest.java failed as No Metal Look and Feel + - JDK-8169953: JComboBox/8057893: ComboBoxEdited event is not fired! on Windows + - JDK-8169954: JFileChooser/8021253: java.lang.RuntimeException: Default button is not pressed + - JDK-8169959: javax/swing/JTable/6263446/bug6263446.java: Table should be editing + - JDK-8171381: [TEST_BUG] [macos] javax/swing/JPopupMenu/7156657/bug7156657.java fails on OS X + - JDK-8171998: javax/swing/JMenu/4692443/bug4692443.java fails on Windows + - JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently + - JDK-8179880: Refactor javax/security shell tests to plain java tests + - JDK-8180568: Refactor javax/crypto shell tests to plain java tests + - JDK-8180569: Refactor sun/security/krb5/ shell tests to plain java tests + - JDK-8180571: Refactor sun/security/pkcs11 shell tests to plain java tests and fix failures + - JDK-8180573: Refactor sun/security/tools shell tests to plain java tests + - JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar + - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream + - JDK-8195703: BasicJDWPConnectionTest.java: 'App exited unexpectedly with 2' + - JDK-8196096: javax/swing/JPopupMenu/6580930/bug6580930.java fails + - JDK-8197560: test javax/swing/JTree/8003400/Test8003400.java fails + - JDK-8197800: Test java/awt/Focus/NonFocusableWindowTest/NoEventsTest.java fails on Windows + - JDK-8197811: Test java/awt/Choice/PopupPosTest/PopupPosTest.java fails on Windows + - JDK-8198616: java/awt/Focus/6378278/InputVerifierTest.java fails on mac + - JDK-8198617: java/awt/Focus/6382144/EndlessLoopTest.java fails on mac + - JDK-8198619: java/awt/Focus/FocusTraversalPolicy/ButtonGroupLayoutTraversal/ButtonGroupLayoutTraversalTest.java fails on mac + - JDK-8198623: java/awt/KeyboardFocusmanager/TypeAhead/EnqueueWithDialogButtonTest/EnqueueWithDialogButtonTest.java fails on mac + - JDK-8198624: java/awt/KeyboardFocusmanager/TypeAhead/SubMenuShowTest/SubMenuShowTest.html fails on mac + - JDK-8199138: Add RISC-V support to Zero + - JDK-8199529: javax/swing/text/Utilities/8142966/SwingFontMetricsTest.java fails on windows + - JDK-8201224: Make string buffer size dynamic in mlvmJvmtiUtils.c + - JDK-8202342: [Graal] fromTonga/nsk/jvmti/unit/FollowReferences/followref003/TestDescription.java fails with "Location mismatch" errors + - JDK-8204161: [TESTBUG] auto failed with the "Applet thread threw exception: java.lang.UnsupportedOperationException" exception + - JDK-8206085: Refactor langtools/tools/javac/versions/Versions.java + - JDK-8207936: TestZipFile failed with java.lang.AssertionError exception + - JDK-8208242: Add @requires to vmTestbase/gc/g1 tests + - JDK-8209611: use C++ compiler for hotspot tests + - JDK-8210182: Remove macros for C compilation from vmTestBase but non jvmti + - JDK-8210198: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[A-F] tests + - JDK-8210205: build fails on AIX in hotspot cpp tests (for example getstacktr001.cpp) + - JDK-8210242: [TESTBUG] vmTestbase/nsk/stress/jni/jnistress001.java crashes with EXCEPTION_ACCESS_VIOLATION on windows-x86 + - JDK-8210353: Move java/util/Arrays/TimSortStackSize2.java back to tier1 + - JDK-8210385: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[A-N] tests + - JDK-8210392: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit + - JDK-8210395: Add doc to SecurityTools.java + - JDK-8210429: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[G-Z] tests + - JDK-8210481: Remove #ifdef cplusplus from vmTestbase + - JDK-8210593: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[N-R] tests + - JDK-8210665: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[R-U] tests + - JDK-8210689: Remove the multi-line old C style for string literals + - JDK-8210700: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti/unit tests + - JDK-8210726: Fix up a few minor nits forgotten by JDK-8210665 + - JDK-8210920: Native C++ tests are not using CXXFLAGS + - JDK-8210984: [TESTBUG] hs203t003 fails with "# ERROR: hs203t003.cpp, 218: NSK_CPP_STUB2 ( ResumeThread, jvmti, thread)" + - JDK-8211036: Remove the NSK_STUB macros from vmTestbase for non jvmti + - JDK-8211131: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[G-I]* + - JDK-8211148: var in implicit lambdas shouldn't be accepted for source < 11 + - JDK-8211171: move JarUtils to top-level testlibrary + - JDK-8211227: Inconsistent TLS protocol version in debug output + - JDK-8211261: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[A-G]* + - JDK-8211432: [REDO] Handle JNIGlobalRefLocker.cpp + - JDK-8211782: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[I-S]* + - JDK-8211801: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[A-E] + - JDK-8211899: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[E-M] + - JDK-8211905: Remove multiple casts for EM06 file + - JDK-8211999: Window positioning bugs due to overlapping GraphicsDevice bounds (Windows/HiDPI) + - JDK-8212082: Remove the NSK_CPP_STUB macros for remaining vmTestbase/jvmti/[sS]* + - JDK-8212083: Handle remaining gc/lock native code and fix two strings + - JDK-8212148: Remove remaining NSK_CPP_STUBs + - JDK-8213110: Remove the use of applets in automatic tests + - JDK-8213189: Make restricted headers in HTTP Client configurable and remove Date by default + - JDK-8213263: fix legal headers in test/langtools + - JDK-8213296: Fix legal headers in test/jdk/java/net + - JDK-8213301: Fix legal headers in jdk logging tests + - JDK-8213305: Fix legal headers in test/java/math + - JDK-8213306: Fix legal headers in test/java/nio + - JDK-8213328: Update test copyrights in test/java/util/zip and test/jdk/tools + - JDK-8213330: Fix legal headers in i18n tests + - JDK-8213707: [TEST] vmTestbase/nsk/stress/except/except011.java failed due to wrong class name + - JDK-8214469: [macos] PIT: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.java fails + - JDK-8215410: Regression test for JDK-8214994 + - JDK-8215568: Refactor SA clhsdb tests to use ClhsdbLauncher + - JDK-8215624: Add parallel heap iteration for jmap –histo + - JDK-8215889: assert(!_unloading) failed: This oop is not available to unloading class loader data with ZGC + - JDK-8216318: The usage of Disposer in the java.awt.Robot can be deleted + - JDK-8216417: cleanup of IPv6 scope-id handling + - JDK-8217377: javax/swing/JPopupMenu/6583251/bug6583251.java failed with UnsupportedOperation exception + - JDK-8217438: Adapt tools//launcher/Test7029048.java for AIX + - JDK-8217633: Configurable extensions with system properties + - JDK-8217882: java/net/httpclient/MaxStreams.java failed once + - JDK-8217903: java/net/httpclient/Response204.java fails with 404 + - JDK-8218483: Crash in "assert(_daemon_threads_count->get_value() > daemon_count) failed: thread count mismatch 5 : 5" + - JDK-8219986: Change to Xcode 10.1 for building on Macosx at Oracle + - JDK-8220575: Correctly format test URI's that contain a retrieved IPv6 address + - JDK-8221259: New tests for java.net.Socket to exercise long standing behavior + - JDK-8221305: java/awt/FontMetrics/MaxAdvanceIsMax.java fails on MacOS + Solaris + - JDK-8221902: PIT: javax/swing/JRadioButton/FocusTraversal/FocusTraversal.java fails on ubuntu + - JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04 + - JDK-8222446: assert(C->env()->system_dictionary_modification_counter_changed()) failed: Must invalidate if TypeFuncs differ + - JDK-8223137: Rename predicate 'do_unroll_only()' to 'is_unroll_only()'. + - JDK-8223138: Small clean-up in loop-tree support. + - JDK-8223139: Rename mandatory policy-do routines. + - JDK-8223140: Clean-up in 'ok_to_convert()' + - JDK-8223141: Change (count) suffix _ct into _cnt. + - JDK-8223400: Replace some enums with static const members in hotspot/runtime + - JDK-8223658: Performance regression of XML.validation in 13-b19 + - JDK-8223923: C2: Missing interference with mismatched unsafe accesses + - JDK-8224829: AsyncSSLSocketClose.java has timing issue + - JDK-8225083: Remove Google certificate that is expiring in December 2021 + - JDK-8226514: Replace wildcard address with loopback or local host in tests - part 17 + - JDK-8226943: compile error in libfollowref003.cpp with XCode 10.2 on macosx + - JDK-8228442: DHKeyExchange/LegacyDHEKeyExchange.java failed due to "SSLException: An established connection was aborted by the software in your host machine" + - JDK-8228508: [TESTBUG] java/net/httpclient/SmokeTest.java fails on Windows7 + - JDK-8229935: [TEST_BUG]: bug8132119.java inconsistently positions text + - JDK-8230019: [REDO] compiler/types/correctness/* tests fail with "assert(recv == __null || recv->is_klass()) failed: wrong type" + - JDK-8230067: Add optional automatic retry when running jtreg tests + - JDK-8230228: [TESTBUG] Several runtime/ErrorHandling tests may fail on some platforms + - JDK-8231501: VM crash in MethodData::clean_extra_data(CleanExtraDataClosure*): fatal error: unexpected tag 99 + - JDK-8233403: Improve verbosity of some httpclient tests + - JDK-8233550: [TESTBUG] JTree tests fail regularly on MacOS + - JDK-8233552: [TESTBUG] JTable Test bug7068740.java fails on MacOS + - JDK-8233553: [TESTBUG] JSpinner test bug4973721.java fails on MacOS + - JDK-8233555: [TESTBUG] JRadioButton tests failing on MacoS + - JDK-8233556: [TESTBUG] JPopupMenu tests fail on MacOS + - JDK-8233559: [TESTBUG] TestNimbusOverride.java is failing on macos + - JDK-8233560: [TESTBUG] ToolTipManager/Test6256140.java is failing on macos + - JDK-8233561: [TESTBUG] Swing text test bug8014863.java fails on macos + - JDK-8233562: [TESTBUG] Swing StyledEditorKit test bug4506788.java fails on MacOS + - JDK-8233564: [TESTBUG] MouseComboBoxTest.java is failing + - JDK-8233566: [TESTBUG] KeyboardFocusManager tests failing on MacoS + - JDK-8233567: [TESTBUG] FocusSubRequestTest.java fails on macos + - JDK-8233569: [TESTBUG] JTextComponent test bug6361367.java fails on macos + - JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos + - JDK-8233634: [TESTBUG] Swing text test bug4278839.java fails on macos + - JDK-8233635: [TESTBUG] ProgressMonitorEscapeKeyPress.java fails on macos + - JDK-8233637: [TESTBUG] Swing ActionListenerCalledTwiceTest.java fails on macos + - JDK-8233638: [TESTBUG] Swing test ScreenMenuBarInputTwice.java fails on macos + - JDK-8233641: [TESTBUG] JMenuItem test bug4171437.java fails on macos + - JDK-8233642: [TESTBUG] JMenuBar test bug 4750590.java fails on macos + - JDK-8233643: [TESTBUG] JMenu test bug4515762.java fails on macos + - JDK-8233644: [TESTBUG] JInternalFrame test bug8020708.java is failing on macos + - JDK-8233647: [TESTBUG] JColorChooser/Test8051548.java is failing on macos + - JDK-8234802: [TESTBUG] Test Right Mouse Button Drag Gesture Recognition in all the platforms + - JDK-8234823: java/net/Socket/Timeouts.java testcase testTimedConnect2() fails on Windows 10 + - JDK-8235784: java/lang/invoke/VarHandles/VarHandleTestByteArrayAsInt.java fails due to timeout with fastdebug bits + - JDK-8236042: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -Xcomp -XX:TieredStopAtLevel=1 + - JDK-8236177: assert(status == 0) failed: error ETIMEDOUT(60), cond_wait + - JDK-8236596: HttpClient leaves HTTP/2 sockets in CLOSE_WAIT, when using proxy tunnel + - JDK-8237354: Add option to jcmd to write a gzipped heap dump + - JDK-8237589: Fix copyright header formatting + - JDK-8238677: java/net/httpclient/ssltest/CertificateTest.java should not specify TLS version + - JDK-8239334: Tab Size does not work correctly in JTextArea with setLineWrap on + - JDK-8239422: [TESTBUG] compiler/c1/TestPrintIRDuringConstruction.java failed when C1 is disabled + - JDK-8239827: The test OpenByUNCPathNameTest.java should be changed to be manual + - JDK-8240256: Better resource cleaning for SunPKCS11 Provider + - JDK-8242044: Add basic HTTP/1.1 support to the HTTP/2 Test Server + - JDK-8242526: PIT: javax/swing/JInternalFrame/8020708/bug8020708.java fails in mach5 ubuntu system + - JDK-8242793: Incorrect copyright header in ContinuousCallSiteTargetChange.java + - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails + - JDK-8244292: Headful clients failing with --illegal-access=deny + - JDK-8245147: Refactor and improve utility of test/langtools/tools/javac/versions/Versions.java + - JDK-8245165: Update bug id for javax/swing/text/StyledEditorKit/4506788/bug4506788.java in ProblemList + - JDK-8245665: Test WeakAlg.java should only make sure no warning for weak signature algorithms by keytool on root CA + - JDK-8246114: java/net/MulticastSocket/Promiscuous.java fails after 8241072 (multi-homed systems) + - JDK-8246807: Incorrect copyright header in TimeZoneDatePermissionCheck.sh + - JDK-8247403: JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder + - JDK-8247510: typo in IllegalHandshakeMessage + - JDK-8248187: [TESTBUG] javax/swing/plaf/basic/BasicGraphicsUtils/8132119/bug8132119.java fails with String is not properly drawn + - JDK-8248341: ProblemList java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java + - JDK-8248500: AArch64: Remove the r18 dependency on Windows AArch64 + - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked + - JDK-8249195: Change to Xcode 11.3.1 for building on Macos at Oracle + - JDK-8250521: Configure initial RTO to use minimal retry for loopback connections on Windows + - JDK-8250810: Push missing parts of JDK-8248817 + - JDK-8250839: Improve test template SSLEngineTemplate with SSLContextTemplate + - JDK-8250863: Build error with GCC 10 in NetworkInterface.c and k_standard.c + - JDK-8250888: nsk/jvmti/scenarios/general_functions/GF08/gf08t001/TestDriver.java fails + - JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits + - JDK-8251377: [macos11] JTabbedPane selected tab text is barely legible + - JDK-8251570: JDK-8215624 causes assert(worker_id < _n_workers) failed: Invalid worker_id + - JDK-8251930: AArch64: Native types mismatch in hotspot + - JDK-8252049: Native memory leak in ciMethodData ctor + - JDK-8252051: Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly + - JDK-8252114: Windows-AArch64: Enable and test ZGC and ShenandoahGC + - JDK-8253015: Aarch64: Move linux code out from generic CPU feature detection + - JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java fail on big screens + - JDK-8253497: Core Libs Terminology Refresh + - JDK-8253682: The AppletInitialFocusTest1.java is unstable + - JDK-8253763: ParallelObjectIterator should have virtual destructor + - JDK-8253866: Security Libs Terminology Refresh + - JDK-8254802: ThrowingPushPromisesAsStringCustom.java fails in "try throwing in GET_BODY" + - JDK-8255227: java/net/httpclient/FlowAdapterPublisherTest.java intermittently failing with TestServer: start exception: java.io.IOException: Invalid preface + - JDK-8255264: Support for identifying the full range of IPv4 localhost addresses on Windows + - JDK-8255716: AArch64: Regression: JVM crashes if manually offline a core + - JDK-8255722: Create a new test for rotated blit + - JDK-8256009: Remove src/hotspot/share/adlc/Test/i486.ad + - JDK-8256066: Tests use deprecated TestNG API that is no longer available in new versions + - JDK-8256152: tests fail because of ambiguous method resolution + - JDK-8256182: Update qemu-debootstrap cross-compilation recipe + - JDK-8256201: java/awt/FullScreen/FullscreenWindowProps/FullscreenWindowProps.java failed + - JDK-8256202: Some tweaks for jarsigner tests PosixPermissionsTest and SymLinkTest + - JDK-8256372: [macos] Unexpected symbol was displayed on JTextField with Monospaced font + - JDK-8256956: RegisterImpl::max_slots_per_register is incorrect on AMD64 + - JDK-8258457: testlibrary_tests/ctw/JarDirTest.java fails with InvalidPathException on windows + - JDK-8258855: Two tests sun/security/krb5/auto/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java failed on OL8.3 + - JDK-8259237: Demo selection changes with left/right arrow key. No need to press space for selection. + - JDK-8260571: Add PrintMetaspaceStatistics to print metaspace statistics upon VM exit + - JDK-8260690: JConsole User Guide Link from the Help menu is not accessible by keyboard + - JDK-8261036: Reduce classes loaded by CleanerFactory initialization + - JDK-8261071: AArch64: Refactor interpreter native wrappers + - JDK-8261075: Create stubRoutines.inline.hpp with SafeFetch implementation + - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled + - JDK-8261297: NMT: Final report should use scale 1 + - JDK-8261661: gc/stress/TestReclaimStringsLeaksMemory.java fails because Reserved memory size is too big + - JDK-8261916: gtest/GTestWrapper.java vmErrorTest.unimplemented1_vm_assert failed + - JDK-8262438: sun/security/ssl/SSLLogger/LoggingFormatConsistency.java failed with "SocketException: Socket is closed" + - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" + - JDK-8262844: (fs) FileStore.supportsFileAttributeView might return false negative in case of ext3 + - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert + - JDK-8263068: Rename safefetch.hpp to safefetch.inline.hpp + - JDK-8263303: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint + - JDK-8263362: Avoid division by 0 in java/awt/font/TextJustifier.java justify + - JDK-8263773: Reenable German localization for builds at Oracle + - JDK-8263897: compiler/c2/aarch64/TestVolatilesSerial.java failed with "java.lang.RuntimeException: Wrong method" + - JDK-8264526: javax/swing/text/html/parser/Parser/8078268/bug8078268.java timeout + - JDK-8264824: java/net/Inet6Address/B6206527.java doesn't close ServerSocket properly + - JDK-8265019: Update tests for additional TestNG test permissions + - JDK-8265173: [test] divert spurious log output away from stream under test in ProcessBuilder Basic test + - JDK-8265524: Upgrading JSZip from v3.2.2 to v3.6.0 + - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java + - JDK-8266579: Update test/jdk/java/lang/ProcessHandle/PermissionTest.java & test/jdk/java/sql/testng/util/TestPolicy.java + - JDK-8266949: Check possibility to disable OperationTimedOut on Unix + - JDK-8267246: -XX:MaxRAMPercentage=0 is unreasonable for jtreg tests on many-core machines + - JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl + - JDK-8267304: Bump global JTReg memory limit to 768m + - JDK-8267652: c2 loop unrolling by 8 results in reading memory past array + - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8268093: Manual Testcase: "sun/security/krb5/config/native/TestDynamicStore.java" Fails with NPE + - JDK-8268555: Update HttpClient tests that use ITestContext to jtreg 6+1 + - JDK-8268672: C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only + - JDK-8269034: AccessControlException for SunPKCS11 daemon threads + - JDK-8269426: Rename test/jdk/java/lang/invoke/t8150782 to accessClassAndFindClass + - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events + - JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles + - JDK-8269768: JFR Terminology Refresh + - JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked + - JDK-8269984: [macos] JTabbedPane title looks like disabled + - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags + - JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS + - JDK-8270216: [macOS] Update named used for Java run loop mode + - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error + - JDK-8270290: NTLM authentication fails if HEAD request is used + - JDK-8270317: Large Allocation in CipherSuite + - JDK-8270344: Session resumption errors + - JDK-8270517: Add Zero support for LoongArch + - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS + - JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling + - JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected" + - JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop + - JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java + - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity + - JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling + - JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine" + - JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions + - JDK-8272180: Upgrade JSZip from v3.6.0 to v3.7.1 + - JDK-8272181: Windows-AArch64:Backport fix of `Backtracing broken on PAC enabled systems` + - JDK-8272316: Wrong Boot JDK help message in 11 + - JDK-8272318: Improve performance of HeapDumpAllTest + - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions + - JDK-8272570: C2: crash in PhaseCFG::global_code_motion + - JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late + - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 + - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled + - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit + - JDK-8272783: Epsilon: Refactor tests to improve performance + - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed + - JDK-8272828: Add correct licenses to jszip.md + - JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests + - JDK-8272850: Drop zapping values in the Zap* option descriptions + - JDK-8272902: Bump update version for OpenJDK: jdk-11.0.14 + - JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups + - JDK-8272966: test/jdk/java/awt/Robot/FlushCurrentEvent.java fails by timeout + - JDK-8273026: Slow LoginContext.login() on multi threading application + - JDK-8273229: Update OS detection code to recognize Windows Server 2022 + - JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit + - JDK-8273308: PatternMatchTest.java fails on CI + - JDK-8273314: Add tier4 test groups + - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817 + - JDK-8273358: macOS Monterey does not have the font Times needed by Serif + - JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero + - JDK-8273498: compiler/c2/Test7179138_1.java timed out + - JDK-8273541: Cleaner Thread creates with normal priority instead of MAX_PRIORITY - 2 + - JDK-8273547: [11u] [JVMCI] Partial module-info.java backport of JDK-8223332 + - JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch + - JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher + - JDK-8273671: Backport of 8260616 misses one JNF header inclusion removal + - JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem + - JDK-8273795: Zero SPARC64 debug builds fail due to missing interpreter fields + - JDK-8273826: Correct Manifest file name and NPE checks + - JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral + - JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() + - JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character + - JDK-8273968: JCK javax_xml tests fail in CI + - JDK-8274056: JavaAccessibilityUtilities leaks JNI objects + - JDK-8274083: Update testing docs to mention tiered testing + - JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated + - JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m + - JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern + - JDK-8274381: missing CAccessibility definitions in JNI code + - JDK-8274407: (tz) Update Timezone Data to 2021c + - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b + - JDK-8274468: TimeZoneTest.java fails with tzdata2021b + - JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah + - JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287 + - JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform + - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST + - JDK-8274840: Update OS detection code to recognize Windows 11 + - JDK-8274860: gcc 10.2.1 produces an uninitialized warning in sharedRuntimeTrig.cpp + - JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag + - JDK-8275131: Exceptions after a touchpad gesture on macOS + - JDK-8275713: TestDockerMemoryMetrics test fails on recent runc + - JDK-8275766: (tz) Update Timezone Data to 2021e + - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e + - JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance + - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test + - JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32 + - JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point + - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766 + - JDK-8276550: Use SHA256 hash in build.tools.depend.Depend + - JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie + - JDK-8276854: Windows GHA builds fail due to broken Cygwin + - JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes + - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE + - JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint + - JDK-8277815: Fix mistakes in legal header backports + +Notes on individual issues: +=========================== + +core-svc/tools: + +JDK-8250554: New Option Added to jcmd for Writing a gzipped Heap Dump +===================================================================== +A new integer option `gz` has been added to the `GC.heap_dump` +diagnostic command. If it is specified, it will enable the gzip +compression of the written heap dump. The supplied value is the +compression level. It can range from 1 (fastest) to 9 (slowest, but +best compression). The recommended level is 1. + +security-libs/javax.net.ssl: + +JDK-8260310: Configurable Extensions With System Properties +=========================================================== +Two new system properties have been added. The system property, +`jdk.tls.client.disableExtensions`, is used to disable TLS extensions +used in the client. The system property, +`jdk.tls.server.disableExtensions`, is used to disable TLS extensions +used in the server. If an extension is disabled, it will be neither +produced nor processed in the handshake messages. + +The property string is a list of comma separated standard TLS +extension names, as registered in the IANA documentation (for example, +server_name, status_request, and signature_algorithms_cert). Note that +the extension names are case sensitive. Unknown, unsupported, +misspelled and duplicated TLS extension name tokens will be ignored. + +Please note that the impact of blocking TLS extensions is +complicated. For example, a TLS connection may not be able to be +established if a mandatory extension is disabled. Please do not +disable mandatory extensions, and do not use this feature unless you +clearly understand the impact. + +security-libs/javax.crypto:pkcs11: + +JDK-8272907: New SunPKCS11 Configuration Properties +=================================================== +The SunPKCS11 provider gains new provider configuration attributes to +better control native resources usage. The SunPKCS11 provider consumes +native resources in order to work with native PKCS11 libraries. To +manage and better control the native resources, additional +configuration attributes are added to control the frequency of +clearing native references as well as whether to destroy the +underlying PKCS11 Token after logout. + +The 3 new attributes for the SunPKCS11 provider configuration file +are: + +1) `destroyTokenAfterLogout` (boolean, defaults to false) + +If set to true, when `java.security.AuthProvider.logout()` is called +upon the SunPKCS11 provider instance, the underlying Token object will +be destroyed and resources will be freed. This essentially renders the +SunPKCS11 provider instance unusable after `logout()` calls. Note that +a PKCS11 provider with this attribute set to `true` should not be +added to the system provider list since the provider object is not +usable after a `logout()` method call. + +2) `cleaner.shortInterval` (integer, defaults to 2000, in milliseconds) + +This defines the frequency for clearing native references during busy +periods (such as, how often should the cleaner thread processes the +no-longer-needed native references in the queue to free up native +memory). Note that the cleaner thread will switch to the +'longInterval' frequency after 200 failed tries (such as, when no +references are found in the queue). + +3) `cleaner.longInterval` (integer, defaults to 60000, in milliseconds) + +This defines the frequency for checking native reference during +non-busy period (such as, how often should the cleaner thread check +the queue for native references). Note that the cleaner thread will +switch back to the 'shortInterval' value if native PKCS11 references +for cleaning are detected. + +core-libs/java.nio: + +JDK-8271517: Zip File System Provider Throws ZipException when entry name element contains "." or "." +===================================================================================================== +The ZIP file system provider has been changed to reject existing ZIP +files that contain entries with "." or ".." in name elements. ZIP +files with these entries can not be used as a file system. Invoking +the `java.nio.file.FileSystems.newFileSystem(...)` methods will throw +`ZipException` if the ZIP file contains these entries. + +security-libs/java.security: + +JDK-8272535: Removed Google's GlobalSign Root Certificate +========================================================= +The following root certificate from Google has been removed from the +`cacerts` keystore: + +Alias Name: globalsignr2ca [jdk] +Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 + +core-libs/java.time: + +JDK-8274857: Update Timezone Data to 2021c +=========================================== +IANA Time Zone Database, on which JDK's Date/Time libraries are based, +has been updated to version 2021c +(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note +that with this update, some of the time zone rules prior to the year +1970 have been modified according to the changes which were introduced +with 2021b. For more detail, refer to the announcement of 2021b +(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html) + New in release OpenJDK 11.0.13 (2021-10-19): ============================================= Live versions of these release notes can be found at: diff --git a/SOURCES/jdk8257794-remove_broken_assert.patch b/SOURCES/jdk8257794-remove_broken_assert.patch new file mode 100644 index 0000000..1bfc571 --- /dev/null +++ b/SOURCES/jdk8257794-remove_broken_assert.patch @@ -0,0 +1,12 @@ +diff --git openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp +index d18d70b5f9..30ab380e40 100644 +--- openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp ++++ openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp +@@ -481,7 +481,6 @@ BytecodeInterpreter::run(interpreterState istate) { + #ifdef ASSERT + if (istate->_msg != initialize) { + assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + 1), "bad stack limit"); +- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong")); + } + // Verify linkages. + interpreterState l = istate; diff --git a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch new file mode 100644 index 0000000..7a25e4b --- /dev/null +++ b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch @@ -0,0 +1,26 @@ +diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java +index 300f3682655..6f3eb6c450b 100644 +--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java ++++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java +@@ -226,6 +226,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor + ctx = getLdapCtxFromUrl( + r.getDomainName(), url, new LdapURL(u), env); + return ctx; ++ } catch (AuthenticationException e) { ++ // do not retry on a different endpoint to avoid blocking ++ // the user if authentication credentials are wrong. ++ throw e; + } catch (NamingException e) { + // try the next element + lastException = e; +@@ -278,6 +282,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor + for (String u : urls) { + try { + return getUsingURL(u, env); ++ } catch (AuthenticationException e) { ++ // do not retry on a different URL to avoid blocking ++ // the user if authentication credentials are wrong. ++ throw e; + } catch (NamingException e) { + ex = e; + } diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in index ead27be..1aff153 100644 --- a/SOURCES/nss.fips.cfg.in +++ b/SOURCES/nss.fips.cfg.in @@ -1,6 +1,6 @@ name = NSS-FIPS nssLibraryDirectory = @NSS_LIBDIR@ -nssSecmodDirectory = @NSS_SECMOD@ +nssSecmodDirectory = sql:/etc/pki/nssdb nssDbMode = readOnly nssModule = fips diff --git a/SOURCES/rh1996182-extend_security_policy.patch b/SOURCES/rh1996182-extend_security_policy.patch deleted file mode 100644 index 78552c3..0000000 --- a/SOURCES/rh1996182-extend_security_policy.patch +++ /dev/null @@ -1,18 +0,0 @@ -commit 598fe421216b0a437fa36ee91a29966599867aa3 -Author: Andrew Hughes -Date: Mon Aug 30 16:12:52 2021 +0100 - - RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc - -diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy -index ab59a334cd..5db744ff17 100644 ---- openjdk.orig/src/java.base/share/lib/security/default.policy -+++ openjdk/src/java.base/share/lib/security/default.policy -@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { - grant codeBase "jrt:/jdk.crypto.cryptoki" { - permission java.lang.RuntimePermission - "accessClassInPackage.com.sun.crypto.provider"; -+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; - permission java.lang.RuntimePermission - "accessClassInPackage.sun.security.*"; - permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch index d3a1dde..10c5666 100644 --- a/SOURCES/rh1996182-login_to_nss_software_token.patch +++ b/SOURCES/rh1996182-login_to_nss_software_token.patch @@ -5,7 +5,7 @@ Date: Fri Aug 27 19:42:07 2021 +0100 RH1996182: Login to the NSS Software Token in FIPS Mode diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java -index 0cf61732d7..2cd851587c 100644 +index 5460efcf8c..f08dc2fafc 100644 --- openjdk.orig/src/java.base/share/classes/module-info.java +++ openjdk/src/java.base/share/classes/module-info.java @@ -182,6 +182,7 @@ module java.base { @@ -17,19 +17,19 @@ index 0cf61732d7..2cd851587c 100644 jdk.attach, jdk.charsets, diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index b00b738b85..1eca1f8f0a 100644 +index 5e227f4531..164de8ff08 100644 --- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback; +@@ -41,6 +41,8 @@ import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.PasswordCallback; - import javax.security.auth.callback.TextOutputCallback; + import jdk.internal.misc.InnocuousThread; +import jdk.internal.misc.SharedSecrets; + import sun.security.util.Debug; import sun.security.util.ResourcesMgr; import static sun.security.util.SecurityConstants.PROVIDER_VER; -@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; +@@ -58,6 +60,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; */ public final class SunPKCS11 extends AuthProvider { @@ -39,7 +39,7 @@ index b00b738b85..1eca1f8f0a 100644 private static final long serialVersionUID = -1354835039035306505L; static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider { +@@ -374,6 +379,24 @@ public final class SunPKCS11 extends AuthProvider { if (nssModule != null) { nssModule.setProvider(this); } diff --git a/SOURCES/rh2021263-fips_ensure_security_initialised.patch b/SOURCES/rh2021263-fips_ensure_security_initialised.patch new file mode 100644 index 0000000..9490624 --- /dev/null +++ b/SOURCES/rh2021263-fips_ensure_security_initialised.patch @@ -0,0 +1,28 @@ +commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d +Author: Andrew Hughes +Date: Tue Jan 18 02:00:55 2022 +0000 + + RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance + +diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +index 2ec51d57806..8489b940c43 100644 +--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +@@ -36,6 +36,7 @@ import java.io.FilePermission; + import java.io.ObjectInputStream; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -368,6 +369,9 @@ public class SharedSecrets { + } + + public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ unsafe.ensureClassInitialized(Security.class); ++ } + return javaSecuritySystemConfiguratorAccess; + } + } diff --git a/SOURCES/rh2021263-fips_missing_native_returns.patch b/SOURCES/rh2021263-fips_missing_native_returns.patch new file mode 100644 index 0000000..b8c8ba5 --- /dev/null +++ b/SOURCES/rh2021263-fips_missing_native_returns.patch @@ -0,0 +1,24 @@ +commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2 +Author: Fridrich Strba +Date: Mon Jan 17 19:44:03 2022 +0000 + + RH2021263: Return in C code after having generated Java exception + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index 6f4656bfcb6..34d0ff0ce91 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); + if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + fips_enabled = fgetc(fe); + fclose(fe); + if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " read character is '%c'", fips_enabled); diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch new file mode 100644 index 0000000..b5351a8 --- /dev/null +++ b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch @@ -0,0 +1,99 @@ +commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07 +Author: Andrew Hughes +Date: Tue Jan 18 02:09:27 2022 +0000 + + RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support + +diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index 28ab1846173..f9726741afd 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -61,10 +61,6 @@ public final class Security { + private static final Debug sdebug = + Debug.getInstance("properties"); + +- /* System property file*/ +- private static final String SYSTEM_PROPERTIES = +- "/etc/crypto-policies/back-ends/java.config"; +- + /* The java.security properties */ + private static Properties props; + +@@ -206,22 +202,36 @@ public final class Security { + } + } + ++ if (!loadedProps) { ++ initializeStatic(); ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties " + ++ "-- using defaults"); ++ } ++ } ++ + String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); + if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && + "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { +- if (SystemConfigurator.configure(props)) { +- loadedProps = true; ++ if (!SystemConfigurator.configureSysProps(props)) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System properties could not be loaded."); ++ } + } + } + +- if (!loadedProps) { +- initializeStatic(); ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); + if (sdebug != null) { +- sdebug.println("unable to load security properties " + +- "-- using defaults"); ++ if (fipsEnabled) { ++ sdebug.println("FIPS support enabled."); ++ } else { ++ sdebug.println("FIPS support disabled."); ++ } + } + } +- + } + + /* +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 874c6221ebe..b7ed41acf0f 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -76,7 +76,7 @@ final class SystemConfigurator { + * java.security.disableSystemPropertiesFile property is not set and + * security.useSystemPropertiesFile is true. + */ +- static boolean configure(Properties props) { ++ static boolean configureSysProps(Properties props) { + boolean loadedProps = false; + + try (BufferedInputStream bis = +@@ -96,11 +96,19 @@ final class SystemConfigurator { + e.printStackTrace(); + } + } ++ return loadedProps; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; + + try { + if (enableFips()) { + if (sdebug != null) { sdebug.println("FIPS mode detected"); } +- loadedProps = false; + // Remove all security providers + Iterator> i = props.entrySet().iterator(); + while (i.hasNext()) { diff --git a/SOURCES/rh2052829-fips_runtime_nss_detection.patch b/SOURCES/rh2052829-fips_runtime_nss_detection.patch new file mode 100644 index 0000000..dd30384 --- /dev/null +++ b/SOURCES/rh2052829-fips_runtime_nss_detection.patch @@ -0,0 +1,220 @@ +commit e2be09f982af1cc05f5e6556d51900bca4757416 +Author: Andrew Hughes +Date: Mon Feb 28 05:30:32 2022 +0000 + + RH2051605: Detect NSS at Runtime for FIPS detection + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index 34d0ff0ce91..8dcb7d9073f 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -23,25 +23,99 @@ + * questions. + */ + +-#include + #include + #include ++#include "jvm_md.h" + #include + + #ifdef SYSCONF_NSS + #include ++#else ++#include + #endif //SYSCONF_NSS + + #include "java_security_SystemConfigurator.h" + ++#define MSG_MAX_SIZE 256 + #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" +-#define MSG_MAX_SIZE 96 + ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; + static jmethodID debugPrintlnMethodID = NULL; + static jobject debugObj = NULL; + +-static void throwIOException(JNIEnv *env, const char *msg); +-static void dbgPrint(JNIEnv *env, const char* msg); ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif + + /* + * Class: java_security_SystemConfigurator +@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) + debugObj = (*env)->NewGlobalRef(env, debugObj); + } + ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ + return (*env)->GetVersion(env); + } + +@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return; /* Should not happen */ + } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif + (*env)->DeleteGlobalRef(env, debugObj); + } + } +@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + char msg[MSG_MAX_SIZE]; + int msg_bytes; + +-#ifdef SYSCONF_NSS +- +- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); +- fips_enabled = SECMOD_GetSystemFIPSEnabled(); +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); + } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " SECMOD_GetSystemFIPSEnabled return value"); +- } +- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); +- +-#else // SYSCONF_NSS ++ FILE *fe; + +- FILE *fe; +- +- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); +- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); + return JNI_FALSE; +- } +- fips_enabled = fgetc(fe); +- fclose(fe); +- if (fips_enabled == EOF) { ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); + return JNI_FALSE; +- } +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " read character is '%c'", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); +- } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " read character"); +- } +- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); +- +-#endif // SYSCONF_NSS +-} +- +-static void throwIOException(JNIEnv *env, const char *msg) +-{ +- jclass cls = (*env)->FindClass(env, "java/io/IOException"); +- if (cls != 0) +- (*env)->ThrowNew(env, cls, msg); +-} +- +-static void dbgPrint(JNIEnv *env, const char* msg) +-{ +- jstring jMsg; +- if (debugObj != NULL) { +- jMsg = (*env)->NewStringUTF(env, msg); +- CHECK_NULL(jMsg); +- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); + } + } diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index 52c9766..0f3a4d3 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -23,6 +23,8 @@ %bcond_without staticlibs # Remove build artifacts by default %bcond_with artifacts +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -32,6 +34,13 @@ %global include_staticlibs 0 %endif +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +%if %{with fresh_libjvm} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 @@ -76,7 +85,7 @@ # in alternatives those are slaves and master, very often triplicated by man pages # in files all masters and slaves are ghosted # the ghosts are here to allow installation via query like `dnf install /usr/bin/java` -# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives # TODO - fix those hardcoded lists via single list # Those files must *NOT* be ghosted for *slowdebug* packages # FIXME - if you are moving jshell or jlink or similar, always modify all three sections @@ -102,7 +111,9 @@ # Set of architectures for which we build fastdebug builds %global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler -%global jit_arches %{debug_arches} %{arm} +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 # Set of architectures which run a full bootstrap cycle %global bootstrap_arches %{jit_arches} # Set of architectures which support SystemTap tapsets @@ -121,6 +132,8 @@ %global zgc_arches x86_64 # Set of architectures for which alt-java has SSB mitigation %global ssbd_arches x86_64 +# Set of architectures where we verify backtraces with gdb +%global gdb_arches %{jit_arches} %{zero_arches} # By default, we build a slowdebug build during main build on JIT architectures %if %{with slowdebug} @@ -174,7 +187,7 @@ %global fastdebug_build %{nil} %endif -# If you disable both builds, then the build fails +# If you disable all builds, then the build fails # Build and test slowdebug first as it provides the best diagnostics %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} @@ -185,9 +198,9 @@ %endif %ifarch %{bootstrap_arches} -%global bootstrap_build 1 +%global bootstrap_build true %else -%global bootstrap_build 1 +%global bootstrap_build false %endif %if %{include_staticlibs} @@ -208,6 +221,11 @@ %global release_targets images docs-zip # No docs nor bootcycle for debug builds %global debug_targets images +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk # Disable LTO as this causes build failures at the moment. # See RHBZ#1861401 @@ -297,8 +315,8 @@ # New Version-String scheme-style defines %global featurever 11 %global interimver 0 -%global updatever 13 -%global patchver 0 +%global updatever 14 +%global patchver 1 # If you bump featurever, you must bump also vendor_version_string # Used via new version scheme. JDK 11 was # GA'ed in September 2018 => 18.9 @@ -344,8 +362,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 8 -%global rpmrelease 3 +%global buildver 1 +%global rpmrelease 6 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -394,8 +412,8 @@ %global jdkimage jdk %global static_libs_image static-libs # output dir stub -%define buildoutputdir() %{expand:build/jdk11.build%{?1}} -%define installoutputdir() %{expand:install/jdk11.install%{?1}} +%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk @@ -410,7 +428,7 @@ %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ %global __requires_exclude ^(%{_privatelibs})$ -# Never generate lib-style provides/requires for slowdebug packages +# Never generate lib-style provides/requires for any debug packages %global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ %global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ %global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ @@ -443,6 +461,9 @@ %global alternatives_requires %{_sbindir}/alternatives %endif +%global family %{name}.%{_arch} +%global family_noarch %{name} + %if %{with_systemtap} # Where to install systemtap tapset (links) # We would like these to be in a package specific sub-dir, @@ -460,6 +481,50 @@ # not-duplicated scriptlets for normal/debug packages %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : +%define save_alternatives() %{expand: + # warning! alternatives are localised! + # LANG=cs_CZ.UTF-8 alternatives --display java | head + # LANG=en_US.UTF-8 alternatives --display java | head + function nonLocalisedAlternativesDisplayOfMaster() { + LANG=en_US.UTF-8 alternatives --display "$MASTER" + } + function headOfAbove() { + nonLocalisedAlternativesDisplayOfMaster | head -n $1 + } + MASTER="%{?1}" + LOCAL_LINK="%{?2}" + FAMILY="%{?3}" + rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null + if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then + if headOfAbove 1 | grep -q manual ; then + if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then + headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY" + fi + fi + fi +} + +%define save_and_remove_alternatives() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + upgrade1_uninstal0=%{?3} + if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall + %{save_alternatives %{?1} %{?2} %{?4}} + fi + alternatives --remove "%{?1}" "%{?2}" +} + +%define set_if_needed_alternatives() %{expand: + MASTER="%{?1}" + FAMILY="%{?2}" + ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY" + if [ -e "$ALTERNATIVES_FILE" ] ; then + rm "$ALTERNATIVES_FILE" + alternatives --set $MASTER $FAMILY + fi +} + %define post_script() %{expand: update-desktop-database %{_datadir}/applications &> /dev/null || : @@ -467,20 +532,19 @@ update-desktop-database %{_datadir}/applications &> /dev/null || : exit 0 } - -%define post_headless() %{expand: -%ifarch %{share_arches} -%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null -%endif - +%define alternatives_java_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi ext=.gz +key=java alternatives \\ - --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ + --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\ @@ -506,12 +570,23 @@ alternatives \\ --slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\ %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext +%{set_if_needed_alternatives $key %{family}} + for X in %{origin} %{javaver} ; do - alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + key=jre_"$X" + alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} done -update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} +key=jre_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} +%define post_headless() %{expand: +%ifarch %{share_arches} +%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null +%endif update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : @@ -538,26 +613,34 @@ exit 0 %define postun_headless() %{expand: - alternatives --remove java %{jrebindir -- %{?1}}/java - alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}} + %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}} } %define posttrans_script() %{expand: %{update_desktop_icons} } -%define post_devel() %{expand: +%define alternatives_javac_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi ext=.gz +key=javac alternatives \\ - --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ + --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ %ifarch %{aot_arches} --slave %{_bindir}/jaotc jaotc %{sdkbindir -- %{?1}}/jaotc \\ @@ -565,7 +648,9 @@ alternatives \\ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ %ifarch %{sa_arches} +%ifnarch %{zero_arches} --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ +%endif %endif --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ @@ -623,15 +708,22 @@ alternatives \\ --slave %{_mandir}/man1/rmic.1$ext rmic.1$ext \\ %{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ - %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext \\ + %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext + +%{set_if_needed_alternatives $key %{family}} for X in %{origin} %{javaver} ; do - alternatives \\ - --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + key=java_sdk_"$X" + alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} done -update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +key=java_sdk_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} +%define post_devel() %{expand: update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : @@ -639,10 +731,14 @@ exit 0 } %define postun_devel() %{expand: - alternatives --remove javac %{sdkbindir -- %{?1}}/javac - alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} update-desktop-database %{_datadir}/applications &> /dev/null || : @@ -654,42 +750,54 @@ exit 0 } %define posttrans_devel() %{expand: +%{alternatives_javac_install -- %{?1}} %{update_desktop_icons} } -%define post_javadoc() %{expand: - +%define alternatives_javadoc_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi -alternatives \\ - --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\ - $PRIORITY --family %{name} +key=javadocdir +alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} exit 0 } %define postun_javadoc() %{expand: - alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api +if [ "x$debug" == "xtrue" ] ; then + set -x +fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} exit 0 } -%define post_javadoc_zip() %{expand: - +%define alternatives_javadoczip_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi - -alternatives \\ - --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\ - $PRIORITY --family %{name} +key=javadoczip +alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} exit 0 } %define postun_javadoc_zip() %{expand: - alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} exit 0 } @@ -760,8 +868,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so @@ -795,7 +905,7 @@ exit 0 %dir %{etcjavadir -- %{?1}}/conf/security/policy/limited %dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy -%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blacklisted.certs +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy @@ -855,8 +965,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap @@ -1015,8 +1127,8 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -# 2021a required as of JDK-8260356 in April 2021 CPU -Requires: tzdata-java >= 2021a +# 2021e required as of JDK-8275766 in January 2022 CPU +Requires: tzdata-java >= 2021e # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} @@ -1029,6 +1141,8 @@ OrderWithRequires: copy-jdk-configs %endif # for printing support Requires: cups-libs +# for FIPS PKCS11 provider +Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives @@ -1111,10 +1225,10 @@ Requires(post): %{alternatives_requires} Requires(postun): %{alternatives_requires} # Standard JPackage javadoc provides -Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %if %is_system_jdk -Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %endif } @@ -1236,9 +1350,15 @@ Patch1007: rh1915071-always_initialise_configurator_access.patch Patch1008: rh1929465-improve_system_FIPS_detection.patch # RH1996182: Login to the NSS software token in FIPS mode Patch1009: rh1996182-login_to_nss_software_token.patch -Patch1010: rh1996182-extend_security_policy.patch # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false Patch1011: rh1991003-enable_fips_keys_import.patch +# RH2021263: Resolve outstanding FIPS issues +Patch1014: rh2021263-fips_ensure_security_initialised.patch +Patch1015: rh2021263-fips_missing_native_returns.patch +# RH2052819: Fix FIPS reliance on crypto policies +Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch +# RH2052829: Detect NSS at Runtime for FIPS detection +Patch1017: rh2052829-fips_runtime_nss_detection.patch ############################################# # @@ -1262,6 +1382,20 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch # PR3695: Allow use of system crypto policy to be disabled by the user Patch7: pr3695-toggle_system_crypto_policy.patch +# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked +Patch8: jdk8275535-rh2053256-ldap_auth.patch + +############################################# +# +# Backportable patches +# +# This section includes patches which are +# present in the current development tree, but +# need to be reviewed & pushed to the appropriate +# updates tree of OpenJDK. +############################################# +# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32 +Patch101: jdk8257794-remove_broken_assert.patch ############################################# # @@ -1298,8 +1432,8 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirements for setting up the nss.cfg and FIPS support -BuildRequires: nss-devel >= 3.53 +# Requirement for setting up nss.cfg and nss.fips.cfg +BuildRequires: nss-devel BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip @@ -1307,11 +1441,11 @@ BuildRequires: unzip BuildRequires: javapackages-filesystem BuildRequires: java-%{buildjdkver}-openjdk-devel # Zero-assembler build requirement -%ifnarch %{jit_arches} +%ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2021a required as of JDK-8260356 in April 2021 CPU -BuildRequires: tzdata-java >= 2021a +# 2021e required as of JDK-8275766 in January 2022 CPU +BuildRequires: tzdata-java >= 2021e # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1593,7 +1727,7 @@ Group: Documentation Requires: javapackages-filesystem Obsoletes: javadoc-debug -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc The %{origin_nice} %{featurever} API documentation. @@ -1606,7 +1740,8 @@ Group: Documentation Requires: javapackages-filesystem Obsoletes: javadoc-zip-debug -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} -zip} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc-zip The %{origin_nice} %{featurever} API documentation compressed in a single archive. @@ -1664,6 +1799,8 @@ pushd %{top_level_dir_name} %patch7 -p1 popd # openjdk +%patch101 + %patch1000 %patch600 %patch1001 @@ -1673,8 +1810,13 @@ popd # openjdk %patch1007 %patch1008 %patch1009 -%patch1010 %patch1011 +%patch1014 +%patch1015 +%patch1016 +%patch1017 + +%patch8 # Extract systemtap tapsets %if %{with_systemtap} @@ -1727,7 +1869,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg # Setup nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build # How many CPU's do we have? @@ -1754,17 +1895,21 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif +%ifarch %{ix86} +# Align stack boundary on x86_32 +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +%endif # Fixes annocheck warnings in assembler files due to missing build notes EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" -export EXTRA_CFLAGS EXTRA_ASFLAGS +export EXTRA_CFLAGS EXTRA_CPP_FLAGS EXTRA_ASFLAGS function buildjdk() { local outputdir=${1} - local installdir=${2} - local buildjdk=${3} - local maketargets="${4}" - local debuglevel=${5} - local link_opt=${6} + local buildjdk=${2} + local maketargets="${3}" + local debuglevel=${4} + local link_opt=${5} local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} local top_dir_abs_build_path=$(pwd)/${outputdir} @@ -1777,11 +1922,11 @@ function buildjdk() { echo "Using link_opt: ${link_opt}" echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" - mkdir -p ${outputdir} ${installdir} + mkdir -p ${outputdir} pushd ${outputdir} bash ${top_dir_abs_src_path}/configure \ -%ifnarch %{jit_arches} +%ifarch %{zero_arches} --with-jvm-variants=zero \ %endif %ifarch %{ppc64le} @@ -1798,7 +1943,7 @@ function buildjdk() { --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ --with-native-debug-symbols="%{debug_symbols}" \ - --enable-sysconf-nss \ + --disable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ --with-libjpeg=${link_opt} \ @@ -1826,8 +1971,15 @@ function buildjdk() { $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) popd +} + +function installjdk() { + local outputdir=${1} + local installdir=${2} + local imagepath=${installdir}/images/%{jdkimage} echo "Installing build from ${outputdir} to ${installdir}..." + mkdir -p ${installdir} echo "Installing images..." mv ${outputdir}/images ${installdir} if [ -d ${outputdir}/bundles ] ; then @@ -1843,38 +1995,46 @@ function buildjdk() { echo "Removing output directory..."; rm -rf ${outputdir} %endif + + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; + + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ + + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ + + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd + fi } -function installjdk() { - local imagepath=${1} - - # the build (erroneously) removes read permissions from some jars - # this is a regression in OpenJDK 7 (our compiler): - # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 - find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; - - # Build screws up permissions on binaries - # https://bugs.openjdk.java.net/browse/JDK-8173610 - find ${imagepath} -iname '*.so' -exec chmod +x {} \; - find ${imagepath}/bin/ -exec chmod +x {} \; - - # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ - - # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) - install -m 644 nss.fips.cfg ${imagepath}/conf/security/ - - # Use system-wide tzdata - rm ${imagepath}/lib/tzdb.dat - ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat - - # Create fake alt-java as a placeholder for future alt-java - pushd ${imagepath} - # add alt-java man page - echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd -} +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" + mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server +%else + systemjdk=%{bootjdk} +%endif for suffix in %{build_loop} ; do @@ -1885,7 +2045,6 @@ for suffix in %{build_loop} ; do debugbuild=`echo $suffix | sed "s/-//g"` fi - systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk for loop in %{main_suffix} %{staticlibs_loop} ; do @@ -1902,18 +2061,25 @@ for suffix in %{build_loop} ; do # Use system libraries link_opt="system" # Debug builds don't need same targets as release for - # build speed-up - maketargets="%{release_targets}" + # build speed-up. We also avoid bootstrapping these + # slower builds. if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" + maketargets="%{debug_targets}" + run_bootstrap=false + else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} + fi + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} + installjdk ${bootbuilddir} ${bootinstalldir} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} + %{!?with_artifacts:rm -rf ${bootinstalldir}} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} fi -%if %{bootstrap_build} - buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} - buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} - %{!?with_artifacts:rm -rf ${bootinstalldir}} -%else - buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} -%endif # Restore original source tree we modified by removing full in-tree sources rm -rf %{top_level_dir_name} mv %{top_level_dir_name_backup} %{top_level_dir_name} @@ -1923,15 +2089,12 @@ for suffix in %{build_loop} ; do # Static library cycle only builds the static libraries maketargets="%{static_libs_target}" # Always just do the one build for the static libraries - buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} fi done # end of main / staticlibs loop - # Final setup on the main image - top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} - installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} - # build cycles done # end of release / debug cycle loop @@ -2040,20 +2203,16 @@ gdb -q "$JAVA_HOME/bin/java" < 0 -# This fails on s390x for some reason. Disable for now. See: -# https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227 -%ifnarch s390x +%ifarch %{gdb_arches} grep 'JavaCallWrapper::JavaCallWrapper' gdb.out %endif -%endif # Check src.zip has all sources. See RHBZ#1130490 $JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' @@ -2280,6 +2439,9 @@ end %posttrans %{posttrans_script %{nil}} +%posttrans headless +%{alternatives_java_install %{nil}} + %post devel %{post_devel %{nil}} @@ -2289,14 +2451,14 @@ end %posttrans devel %{posttrans_devel %{nil}} -%post javadoc -%{post_javadoc %{nil}} +%posttrans javadoc +%{alternatives_javadoc_install %{nil}} %postun javadoc %{postun_javadoc %{nil}} -%post javadoc-zip -%{post_javadoc_zip %{nil}} +%posttrans javadoc-zip +%{alternatives_javadoczip_install %{nil}} %postun javadoc-zip %{postun_javadoc_zip %{nil}} @@ -2309,6 +2471,9 @@ end %post headless-slowdebug %{post_headless -- %{debug_suffix_unquoted}} +%posttrans headless-slowdebug +%{alternatives_java_install -- %{debug_suffix_unquoted}} + %postun slowdebug %{postun_script -- %{debug_suffix_unquoted}} @@ -2344,6 +2509,9 @@ end %posttrans fastdebug %{posttrans_script -- %{fastdebug_suffix_unquoted}} +%posttrans headless-fastdebug +%{alternatives_java_install -- %{fastdebug_suffix_unquoted}} + %post devel-fastdebug %{post_devel -- %{fastdebug_suffix_unquoted}} @@ -2450,6 +2618,100 @@ end %endif %changelog +* Mon Feb 28 2022 Andrew Hughes - 1:11.0.14.1.1-6 +- Detect NSS at runtime for FIPS detection +- Turn off build-time NSS linking and go back to an explicit Requires on NSS +- Resolves: rhbz#2052827 + +* Fri Feb 25 2022 Andrew Hughes - 1:11.0.14.1.1-5 +- Add JDK-8275535 patch to fix LDAP authentication issue. +- Resolves: rhbz#2053284 + +* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-4 +- Storing and restoring alterntives during update manually +- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE +-- The move of alternatives creation to posttrans to fix: +-- Bug 1200302 - dnf reinstall breaks alternatives +-- Had caused the alternatives to be removed, and then created again, +-- instead of being added, and then removing the old, and thus persisting +-- the selection in family +-- Thus this fix, is storing the family of manually selected master, and if +-- stored, then it is restoring the family of the master +- Resolves: rhbz#2008192 + +* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-3 +- Family extracted to globals +- Resolves: rhbz#2008192 + +* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-2 +- alternatives creation moved to posttrans +- Thus fixing the old reisntall issue: +- https://bugzilla.redhat.com/show_bug.cgi?id=1200302 +- https://bugzilla.redhat.com/show_bug.cgi?id=1976053 +- Resolves: rhbz#2008192 + +* Fri Feb 18 2022 Andrew Hughes - 1:11.0.14.1.1-1 +- Update to jdk-11.0.14.1+1 +- Update release notes to 11.0.14.1+1 +- Require tzdata 2021e as of JDK-8275766. +- Resolves: rhbz#2052809 +- Resolves: rhbz#1966234 + +* Thu Feb 17 2022 Andrew Hughes - 1:11.0.14.0.9-6 +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent +- Resolves: rhbz#2052816 + +* Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.0.9-5 +- Refactor build functions so we can build just HotSpot without any attempt at installation. +- Sync gdb test with java-1.8.0-openjdk. +- Improve architecture restrictions for the gdb test. +- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds +- Related: rhbz#2052809 + +* Fri Feb 11 2022 Jiri Vanek - 1:11.0.14.0.9-5 +- Give javadoc-zip its own Provides, next to the plain javadoc ones +- Related: rhbz#2052809 + +* Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.0.9-4 +- Fix FIPS issues in native code and with initialisation of java.security.Security +- Resolves: rhbz#2021559 + +* Thu Feb 10 2022 Severin Gehwolf - 1:11.0.14.0.9-3 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of nss +- Resolves: rhbz#2023534 + +* Mon Jan 17 2022 Andrew Hughes - 1:11.0.14.0.9-2 +- Update to jdk-11.0.14.0+9 +- Update release notes to 11.0.14.0+9 +- Switch to GA mode for final release. +- Resolves: rhbz#2039366 + +* Fri Jan 14 2022 Andrew Hughes - 1:11.0.14.0.8-0.1.ea +- Update to jdk-11.0.14.0+8 +- Update release notes to 11.0.14.0+8 +- Resolves: rhbz#2022821 + +* Thu Jan 13 2022 Andrew Hughes - 1:11.0.14.0.1-0.1.ea +- Update to jdk-11.0.14.0+1 +- Update release notes to 11.0.14.0+1 +- Switch to EA mode for 11.0.14 pre-release builds. +- Rename blacklisted.certs to blocked.certs following JDK-8253866 +- Rebase RH1996182 login patch and drop redundant security policy extension after JDK-8269034 +- Related: rhbz#2022821 + +* Thu Jan 13 2022 Andrew Hughes - 1:11.0.13.0.8-5 +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Related: rhbz#2022821 + +* Wed Dec 01 2021 Jiri Vanek - 1:11.0.13.0.8-4 +- Replaced hardcoded 11 by featurever where appropriate +- Fixed comment of `for slowdebug` to correct `any debug` +- Related: rhbz#2022821 + * Wed Oct 13 2021 Andrew Hughes - 1:11.0.13.0.8-3 - Update to jdk-11.0.13.0+8 - Update release notes to 11.0.13.0+8