import java-11-openjdk-11.0.14.1.1-6.el8

CentOS Sources 2022-03-24 06:33:08 +00:00 committed by Stepan Oksanichenko
parent e2de325c39
commit cfb881c040
13 changed files with 1323 additions and 156 deletions

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/jdk-updates-jdk11u-jdk-11.0.13+8-4curve.tar.xz SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz


@ -1,2 +1,2 @@
e36bde565834fe738fd222d419cfedc23ab80cee SOURCES/jdk-updates-jdk11u-jdk-11.0.13+8-4curve.tar.xz dc2a5d071dcf324a925de54709e153c6df94dd43 SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
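Review bot: the digest on the new jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz line is 40 hex digits, the length of a SHA-1 value, and it is the only thing in this commit that binds the package to a tarball that .gitignore keeps out of the repository. Since this import carries the security fixes listed in the NEWS hunk, the commit message should say how the archive was produced and checked against the upstream jdk-11.0.14.1+1 source, and a SHA-256 should be recorded for it if the metadata format allows one. The tapsets line is identical on both sides, so it needs no re-verification.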


@ -3,6 +3,520 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 11.0.14.1 (2022-02-08):
=============================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk110141
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.1.txt
* Other changes
- JDK-8218546: Unable to connect to https://google.com using java.net.HttpClient
- JDK-8280786: Build failure on Solaris after 8262392
- JDK-8281324: Bump update version for OpenJDK: jdk-11.0.14.1
New in release OpenJDK 11.0.14 (2022-01-18):
=============================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk11014
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.txt
* New features
- JDK-8248238: Implementation: JEP 388: Windows AArch64 Support
* Security fixes
- JDK-8217375: jarsigner breaks old signature with long lines in manifest
- JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside
- JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
- JDK-8268488: More valuable DerValues
- JDK-8268494: Better inlining of inlined interfaces
- JDK-8268512: More content for ContentInfo
- JDK-8268795: Enhance digests of Jar files
- JDK-8268801: Improve PKCS attribute handling
- JDK-8268813, CVE-2022-21283: Better String matching
- JDK-8269151: Better construction of EncryptedPrivateKeyInfo
- JDK-8269944: Better HTTP transport redux
- JDK-8270386, CVE-2022-21291: Better verification of scan methods
- JDK-8270392, CVE-2022-21293: Improve String constructions
- JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
- JDK-8270492, CVE-2022-21282: Better resolution of URIs
- JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
- JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
- JDK-8270952, CVE-2022-21277: Improve TIFF file handling
- JDK-8271962: Better TrueType font loading
- JDK-8271968: Better canonical naming
- JDK-8271987: Manifest improved manifest entries
- JDK-8272014, CVE-2022-21305: Better array indexing
- JDK-8272026, CVE-2022-21340: Verify Jar Verification
- JDK-8272236, CVE-2022-21341: Improve serial forms for transport
- JDK-8272272: Enhance jcmd communication
- JDK-8272462: Enhance image handling
- JDK-8273290: Enhance sound handling
- JDK-8273756, CVE-2022-21360: Enhance BMP image support
- JDK-8273838, CVE-2022-21365: Enhanced BMP processing
- JDK-8274096, CVE-2022-21366: Improve decoding of image files
- JDK-8279541: Improve HarfBuzz
* Other changes
- JDK-6849922: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.html fails
- JDK-7105119: [TEST_BUG] [macosx] In test UIDefaults.toString() must be called with the invokeLater()
- JDK-7151826: [TEST_BUG] [macosx] The test javax/swing/JPopupMenu/4966112/bug4966112.java not for mac
- JDK-7179006: [macosx] Print-to-file doesn't work: printing to the default printer instead
- JDK-8015602: [macosx] Test javax/swing/SpringLayout/4726194/bug4726194.java fails on MacOSX
- JDK-8034084: nsk.nsk/jvmti/ThreadStart/threadstart003 Wrong number of thread end events
- JDK-8039261: [TEST_BUG]: There is not a minimal security level in Java Preferences and the TestApplet.html is blocked.
- JDK-8047218: [TEST_BUG] java/awt/FullScreen/AltTabCrashTest/AltTabCrashTest.java fails with exception
- JDK-8075909: [TEST_BUG] The regression-swing case failed as it does not have the 'Open' button when select 'subdir' folder with NimbusLAF
- JDK-8078219: Verify lack of @test tag in files in java/net test directory
- JDK-8080569: java/lang/ProcessBuilder/DestroyTest.java fails with "RuntimeException: Process terminated prematurely"
- JDK-8081652: [TESTBUG] java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java timed out intermittently
- JDK-8129310: java/net/Socket/asyncClose/AsyncClose.java fails intermittently
- JDK-8131745: java/lang/management/ThreadMXBean/AllThreadIds.java still fails intermittently
- JDK-8136517: [macosx]Test java/awt/Focus/8073453/AWTFocusTransitionTest.java fails on MacOSX
- JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing
- JDK-8143021: [TEST_BUG] Test javax/swing/JColorChooser/Test6541987.java fails
- JDK-8159597: [TEST_BUG] closed/javax/swing/JPopupMenu/4760494/bug4760494.java leaves key pressed
- JDK-8159904: [TEST_BUG] Failure on solaris of java/awt/Window/MultiWindowApp/MultiWindowAppTest.java
- JDK-8163086: java/awt/Window/TranslucentJAppletTest/TranslucentJAppletTest.java fails
- JDK-8165828: [TEST_BUG] The reg case:javax/swing/plaf/metal/MetalIcons/MetalHiDPIIconsTest.java failed as No Metal Look and Feel
- JDK-8169953: JComboBox/8057893: ComboBoxEdited event is not fired! on Windows
- JDK-8169954: JFileChooser/8021253: java.lang.RuntimeException: Default button is not pressed
- JDK-8169959: javax/swing/JTable/6263446/bug6263446.java: Table should be editing
- JDK-8171381: [TEST_BUG] [macos] javax/swing/JPopupMenu/7156657/bug7156657.java fails on OS X
- JDK-8171998: javax/swing/JMenu/4692443/bug4692443.java fails on Windows
- JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently
- JDK-8179880: Refactor javax/security shell tests to plain java tests
- JDK-8180568: Refactor javax/crypto shell tests to plain java tests
- JDK-8180569: Refactor sun/security/krb5/ shell tests to plain java tests
- JDK-8180571: Refactor sun/security/pkcs11 shell tests to plain java tests and fix failures
- JDK-8180573: Refactor sun/security/tools shell tests to plain java tests
- JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar
- JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
- JDK-8195703: BasicJDWPConnectionTest.java: 'App exited unexpectedly with 2'
- JDK-8196096: javax/swing/JPopupMenu/6580930/bug6580930.java fails
- JDK-8197560: test javax/swing/JTree/8003400/Test8003400.java fails
- JDK-8197800: Test java/awt/Focus/NonFocusableWindowTest/NoEventsTest.java fails on Windows
- JDK-8197811: Test java/awt/Choice/PopupPosTest/PopupPosTest.java fails on Windows
- JDK-8198616: java/awt/Focus/6378278/InputVerifierTest.java fails on mac
- JDK-8198617: java/awt/Focus/6382144/EndlessLoopTest.java fails on mac
- JDK-8198619: java/awt/Focus/FocusTraversalPolicy/ButtonGroupLayoutTraversal/ButtonGroupLayoutTraversalTest.java fails on mac
- JDK-8198623: java/awt/KeyboardFocusmanager/TypeAhead/EnqueueWithDialogButtonTest/EnqueueWithDialogButtonTest.java fails on mac
- JDK-8198624: java/awt/KeyboardFocusmanager/TypeAhead/SubMenuShowTest/SubMenuShowTest.html fails on mac
- JDK-8199138: Add RISC-V support to Zero
- JDK-8199529: javax/swing/text/Utilities/8142966/SwingFontMetricsTest.java fails on windows
- JDK-8201224: Make string buffer size dynamic in mlvmJvmtiUtils.c
- JDK-8202342: [Graal] fromTonga/nsk/jvmti/unit/FollowReferences/followref003/TestDescription.java fails with "Location mismatch" errors
- JDK-8204161: [TESTBUG] auto failed with the "Applet thread threw exception: java.lang.UnsupportedOperationException" exception
- JDK-8206085: Refactor langtools/tools/javac/versions/Versions.java
- JDK-8207936: TestZipFile failed with java.lang.AssertionError exception
- JDK-8208242: Add @requires to vmTestbase/gc/g1 tests
- JDK-8209611: use C++ compiler for hotspot tests
- JDK-8210182: Remove macros for C compilation from vmTestBase but non jvmti
- JDK-8210198: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[A-F] tests
- JDK-8210205: build fails on AIX in hotspot cpp tests (for example getstacktr001.cpp)
- JDK-8210242: [TESTBUG] vmTestbase/nsk/stress/jni/jnistress001.java crashes with EXCEPTION_ACCESS_VIOLATION on windows-x86
- JDK-8210353: Move java/util/Arrays/TimSortStackSize2.java back to tier1
- JDK-8210385: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[A-N] tests
- JDK-8210392: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit
- JDK-8210395: Add doc to SecurityTools.java
- JDK-8210429: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[G-Z] tests
- JDK-8210481: Remove #ifdef cplusplus from vmTestbase
- JDK-8210593: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[N-R] tests
- JDK-8210665: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[R-U] tests
- JDK-8210689: Remove the multi-line old C style for string literals
- JDK-8210700: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti/unit tests
- JDK-8210726: Fix up a few minor nits forgotten by JDK-8210665
- JDK-8210920: Native C++ tests are not using CXXFLAGS
- JDK-8210984: [TESTBUG] hs203t003 fails with "# ERROR: hs203t003.cpp, 218: NSK_CPP_STUB2 ( ResumeThread, jvmti, thread)"
- JDK-8211036: Remove the NSK_STUB macros from vmTestbase for non jvmti
- JDK-8211131: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[G-I]*
- JDK-8211148: var in implicit lambdas shouldn't be accepted for source < 11
- JDK-8211171: move JarUtils to top-level testlibrary
- JDK-8211227: Inconsistent TLS protocol version in debug output
- JDK-8211261: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[A-G]*
- JDK-8211432: [REDO] Handle JNIGlobalRefLocker.cpp
- JDK-8211782: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[I-S]*
- JDK-8211801: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[A-E]
- JDK-8211899: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[E-M]
- JDK-8211905: Remove multiple casts for EM06 file
- JDK-8211999: Window positioning bugs due to overlapping GraphicsDevice bounds (Windows/HiDPI)
- JDK-8212082: Remove the NSK_CPP_STUB macros for remaining vmTestbase/jvmti/[sS]*
- JDK-8212083: Handle remaining gc/lock native code and fix two strings
- JDK-8212148: Remove remaining NSK_CPP_STUBs
- JDK-8213110: Remove the use of applets in automatic tests
- JDK-8213189: Make restricted headers in HTTP Client configurable and remove Date by default
- JDK-8213263: fix legal headers in test/langtools
- JDK-8213296: Fix legal headers in test/jdk/java/net
- JDK-8213301: Fix legal headers in jdk logging tests
- JDK-8213305: Fix legal headers in test/java/math
- JDK-8213306: Fix legal headers in test/java/nio
- JDK-8213328: Update test copyrights in test/java/util/zip and test/jdk/tools
- JDK-8213330: Fix legal headers in i18n tests
- JDK-8213707: [TEST] vmTestbase/nsk/stress/except/except011.java failed due to wrong class name
- JDK-8214469: [macos] PIT: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.java fails
- JDK-8215410: Regression test for JDK-8214994
- JDK-8215568: Refactor SA clhsdb tests to use ClhsdbLauncher
- JDK-8215624: Add parallel heap iteration for jmap histo
- JDK-8215889: assert(!_unloading) failed: This oop is not available to unloading class loader data with ZGC
- JDK-8216318: The usage of Disposer in the java.awt.Robot can be deleted
- JDK-8216417: cleanup of IPv6 scope-id handling
- JDK-8217377: javax/swing/JPopupMenu/6583251/bug6583251.java failed with UnsupportedOperation exception
- JDK-8217438: Adapt tools//launcher/Test7029048.java for AIX
- JDK-8217633: Configurable extensions with system properties
- JDK-8217882: java/net/httpclient/MaxStreams.java failed once
- JDK-8217903: java/net/httpclient/Response204.java fails with 404
- JDK-8218483: Crash in "assert(_daemon_threads_count->get_value() > daemon_count) failed: thread count mismatch 5 : 5"
- JDK-8219986: Change to Xcode 10.1 for building on Macosx at Oracle
- JDK-8220575: Correctly format test URI's that contain a retrieved IPv6 address
- JDK-8221259: New tests for java.net.Socket to exercise long standing behavior
- JDK-8221305: java/awt/FontMetrics/MaxAdvanceIsMax.java fails on MacOS + Solaris
- JDK-8221902: PIT: javax/swing/JRadioButton/FocusTraversal/FocusTraversal.java fails on ubuntu
- JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04
- JDK-8222446: assert(C->env()->system_dictionary_modification_counter_changed()) failed: Must invalidate if TypeFuncs differ
- JDK-8223137: Rename predicate 'do_unroll_only()' to 'is_unroll_only()'.
- JDK-8223138: Small clean-up in loop-tree support.
- JDK-8223139: Rename mandatory policy-do routines.
- JDK-8223140: Clean-up in 'ok_to_convert()'
- JDK-8223141: Change (count) suffix _ct into _cnt.
- JDK-8223400: Replace some enums with static const members in hotspot/runtime
- JDK-8223658: Performance regression of XML.validation in 13-b19
- JDK-8223923: C2: Missing interference with mismatched unsafe accesses
- JDK-8224829: AsyncSSLSocketClose.java has timing issue
- JDK-8225083: Remove Google certificate that is expiring in December 2021
- JDK-8226514: Replace wildcard address with loopback or local host in tests - part 17
- JDK-8226943: compile error in libfollowref003.cpp with XCode 10.2 on macosx
- JDK-8228442: DHKeyExchange/LegacyDHEKeyExchange.java failed due to "SSLException: An established connection was aborted by the software in your host machine"
- JDK-8228508: [TESTBUG] java/net/httpclient/SmokeTest.java fails on Windows7
- JDK-8229935: [TEST_BUG]: bug8132119.java inconsistently positions text
- JDK-8230019: [REDO] compiler/types/correctness/* tests fail with "assert(recv == __null || recv->is_klass()) failed: wrong type"
- JDK-8230067: Add optional automatic retry when running jtreg tests
- JDK-8230228: [TESTBUG] Several runtime/ErrorHandling tests may fail on some platforms
- JDK-8231501: VM crash in MethodData::clean_extra_data(CleanExtraDataClosure*): fatal error: unexpected tag 99
- JDK-8233403: Improve verbosity of some httpclient tests
- JDK-8233550: [TESTBUG] JTree tests fail regularly on MacOS
- JDK-8233552: [TESTBUG] JTable Test bug7068740.java fails on MacOS
- JDK-8233553: [TESTBUG] JSpinner test bug4973721.java fails on MacOS
- JDK-8233555: [TESTBUG] JRadioButton tests failing on MacoS
- JDK-8233556: [TESTBUG] JPopupMenu tests fail on MacOS
- JDK-8233559: [TESTBUG] TestNimbusOverride.java is failing on macos
- JDK-8233560: [TESTBUG] ToolTipManager/Test6256140.java is failing on macos
- JDK-8233561: [TESTBUG] Swing text test bug8014863.java fails on macos
- JDK-8233562: [TESTBUG] Swing StyledEditorKit test bug4506788.java fails on MacOS
- JDK-8233564: [TESTBUG] MouseComboBoxTest.java is failing
- JDK-8233566: [TESTBUG] KeyboardFocusManager tests failing on MacoS
- JDK-8233567: [TESTBUG] FocusSubRequestTest.java fails on macos
- JDK-8233569: [TESTBUG] JTextComponent test bug6361367.java fails on macos
- JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos
- JDK-8233634: [TESTBUG] Swing text test bug4278839.java fails on macos
- JDK-8233635: [TESTBUG] ProgressMonitorEscapeKeyPress.java fails on macos
- JDK-8233637: [TESTBUG] Swing ActionListenerCalledTwiceTest.java fails on macos
- JDK-8233638: [TESTBUG] Swing test ScreenMenuBarInputTwice.java fails on macos
- JDK-8233641: [TESTBUG] JMenuItem test bug4171437.java fails on macos
- JDK-8233642: [TESTBUG] JMenuBar test bug 4750590.java fails on macos
- JDK-8233643: [TESTBUG] JMenu test bug4515762.java fails on macos
- JDK-8233644: [TESTBUG] JInternalFrame test bug8020708.java is failing on macos
- JDK-8233647: [TESTBUG] JColorChooser/Test8051548.java is failing on macos
- JDK-8234802: [TESTBUG] Test Right Mouse Button Drag Gesture Recognition in all the platforms
- JDK-8234823: java/net/Socket/Timeouts.java testcase testTimedConnect2() fails on Windows 10
- JDK-8235784: java/lang/invoke/VarHandles/VarHandleTestByteArrayAsInt.java fails due to timeout with fastdebug bits
- JDK-8236042: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -Xcomp -XX:TieredStopAtLevel=1
- JDK-8236177: assert(status == 0) failed: error ETIMEDOUT(60), cond_wait
- JDK-8236596: HttpClient leaves HTTP/2 sockets in CLOSE_WAIT, when using proxy tunnel
- JDK-8237354: Add option to jcmd to write a gzipped heap dump
- JDK-8237589: Fix copyright header formatting
- JDK-8238677: java/net/httpclient/ssltest/CertificateTest.java should not specify TLS version
- JDK-8239334: Tab Size does not work correctly in JTextArea with setLineWrap on
- JDK-8239422: [TESTBUG] compiler/c1/TestPrintIRDuringConstruction.java failed when C1 is disabled
- JDK-8239827: The test OpenByUNCPathNameTest.java should be changed to be manual
- JDK-8240256: Better resource cleaning for SunPKCS11 Provider
- JDK-8242044: Add basic HTTP/1.1 support to the HTTP/2 Test Server
- JDK-8242526: PIT: javax/swing/JInternalFrame/8020708/bug8020708.java fails in mach5 ubuntu system
- JDK-8242793: Incorrect copyright header in ContinuousCallSiteTargetChange.java
- JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
- JDK-8244292: Headful clients failing with --illegal-access=deny
- JDK-8245147: Refactor and improve utility of test/langtools/tools/javac/versions/Versions.java
- JDK-8245165: Update bug id for javax/swing/text/StyledEditorKit/4506788/bug4506788.java in ProblemList
- JDK-8245665: Test WeakAlg.java should only make sure no warning for weak signature algorithms by keytool on root CA
- JDK-8246114: java/net/MulticastSocket/Promiscuous.java fails after 8241072 (multi-homed systems)
- JDK-8246807: Incorrect copyright header in TimeZoneDatePermissionCheck.sh
- JDK-8247403: JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder
- JDK-8247510: typo in IllegalHandshakeMessage
- JDK-8248187: [TESTBUG] javax/swing/plaf/basic/BasicGraphicsUtils/8132119/bug8132119.java fails with String is not properly drawn
- JDK-8248341: ProblemList java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java
- JDK-8248500: AArch64: Remove the r18 dependency on Windows AArch64
- JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
- JDK-8249195: Change to Xcode 11.3.1 for building on Macos at Oracle
- JDK-8250521: Configure initial RTO to use minimal retry for loopback connections on Windows
- JDK-8250810: Push missing parts of JDK-8248817
- JDK-8250839: Improve test template SSLEngineTemplate with SSLContextTemplate
- JDK-8250863: Build error with GCC 10 in NetworkInterface.c and k_standard.c
- JDK-8250888: nsk/jvmti/scenarios/general_functions/GF08/gf08t001/TestDriver.java fails
- JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits
- JDK-8251377: [macos11] JTabbedPane selected tab text is barely legible
- JDK-8251570: JDK-8215624 causes assert(worker_id < _n_workers) failed: Invalid worker_id
- JDK-8251930: AArch64: Native types mismatch in hotspot
- JDK-8252049: Native memory leak in ciMethodData ctor
- JDK-8252051: Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly
- JDK-8252114: Windows-AArch64: Enable and test ZGC and ShenandoahGC
- JDK-8253015: Aarch64: Move linux code out from generic CPU feature detection
- JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java fail on big screens
- JDK-8253497: Core Libs Terminology Refresh
- JDK-8253682: The AppletInitialFocusTest1.java is unstable
- JDK-8253763: ParallelObjectIterator should have virtual destructor
- JDK-8253866: Security Libs Terminology Refresh
- JDK-8254802: ThrowingPushPromisesAsStringCustom.java fails in "try throwing in GET_BODY"
- JDK-8255227: java/net/httpclient/FlowAdapterPublisherTest.java intermittently failing with TestServer: start exception: java.io.IOException: Invalid preface
- JDK-8255264: Support for identifying the full range of IPv4 localhost addresses on Windows
- JDK-8255716: AArch64: Regression: JVM crashes if manually offline a core
- JDK-8255722: Create a new test for rotated blit
- JDK-8256009: Remove src/hotspot/share/adlc/Test/i486.ad
- JDK-8256066: Tests use deprecated TestNG API that is no longer available in new versions
- JDK-8256152: tests fail because of ambiguous method resolution
- JDK-8256182: Update qemu-debootstrap cross-compilation recipe
- JDK-8256201: java/awt/FullScreen/FullscreenWindowProps/FullscreenWindowProps.java failed
- JDK-8256202: Some tweaks for jarsigner tests PosixPermissionsTest and SymLinkTest
- JDK-8256372: [macos] Unexpected symbol was displayed on JTextField with Monospaced font
- JDK-8256956: RegisterImpl::max_slots_per_register is incorrect on AMD64
- JDK-8258457: testlibrary_tests/ctw/JarDirTest.java fails with InvalidPathException on windows
- JDK-8258855: Two tests sun/security/krb5/auto/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java failed on OL8.3
- JDK-8259237: Demo selection changes with left/right arrow key. No need to press space for selection.
- JDK-8260571: Add PrintMetaspaceStatistics to print metaspace statistics upon VM exit
- JDK-8260690: JConsole User Guide Link from the Help menu is not accessible by keyboard
- JDK-8261036: Reduce classes loaded by CleanerFactory initialization
- JDK-8261071: AArch64: Refactor interpreter native wrappers
- JDK-8261075: Create stubRoutines.inline.hpp with SafeFetch implementation
- JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled
- JDK-8261297: NMT: Final report should use scale 1
- JDK-8261661: gc/stress/TestReclaimStringsLeaksMemory.java fails because Reserved memory size is too big
- JDK-8261916: gtest/GTestWrapper.java vmErrorTest.unimplemented1_vm_assert failed
- JDK-8262438: sun/security/ssl/SSLLogger/LoggingFormatConsistency.java failed with "SocketException: Socket is closed"
- JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
- JDK-8262844: (fs) FileStore.supportsFileAttributeView might return false negative in case of ext3
- JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
- JDK-8263068: Rename safefetch.hpp to safefetch.inline.hpp
- JDK-8263303: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint
- JDK-8263362: Avoid division by 0 in java/awt/font/TextJustifier.java justify
- JDK-8263773: Reenable German localization for builds at Oracle
- JDK-8263897: compiler/c2/aarch64/TestVolatilesSerial.java failed with "java.lang.RuntimeException: Wrong method"
- JDK-8264526: javax/swing/text/html/parser/Parser/8078268/bug8078268.java timeout
- JDK-8264824: java/net/Inet6Address/B6206527.java doesn't close ServerSocket properly
- JDK-8265019: Update tests for additional TestNG test permissions
- JDK-8265173: [test] divert spurious log output away from stream under test in ProcessBuilder Basic test
- JDK-8265524: Upgrading JSZip from v3.2.2 to v3.6.0
- JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java
- JDK-8266579: Update test/jdk/java/lang/ProcessHandle/PermissionTest.java & test/jdk/java/sql/testng/util/TestPolicy.java
- JDK-8266949: Check possibility to disable OperationTimedOut on Unix
- JDK-8267246: -XX:MaxRAMPercentage=0 is unreasonable for jtreg tests on many-core machines
- JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl
- JDK-8267304: Bump global JTReg memory limit to 768m
- JDK-8267652: c2 loop unrolling by 8 results in reading memory past array
- JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected
- JDK-8268093: Manual Testcase: "sun/security/krb5/config/native/TestDynamicStore.java" Fails with NPE
- JDK-8268555: Update HttpClient tests that use ITestContext to jtreg 6+1
- JDK-8268672: C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only
- JDK-8269034: AccessControlException for SunPKCS11 daemon threads
- JDK-8269426: Rename test/jdk/java/lang/invoke/t8150782 to accessClassAndFindClass
- JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events
- JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles
- JDK-8269768: JFR Terminology Refresh
- JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
- JDK-8269984: [macos] JTabbedPane title looks like disabled
- JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags
- JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS
- JDK-8270216: [macOS] Update named used for Java run loop mode
- JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error
- JDK-8270290: NTLM authentication fails if HEAD request is used
- JDK-8270317: Large Allocation in CipherSuite
- JDK-8270344: Session resumption errors
- JDK-8270517: Add Zero support for LoongArch
- JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
- JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling
- JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected"
- JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop
- JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
- JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
- JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling
- JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine"
- JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions
- JDK-8272180: Upgrade JSZip from v3.6.0 to v3.7.1
- JDK-8272181: Windows-AArch64:Backport fix of `Backtracing broken on PAC enabled systems`
- JDK-8272316: Wrong Boot JDK help message in 11
- JDK-8272318: Improve performance of HeapDumpAllTest
- JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions
- JDK-8272570: C2: crash in PhaseCFG::global_code_motion
- JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late
- JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182
- JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
- JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit
- JDK-8272783: Epsilon: Refactor tests to improve performance
- JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed
- JDK-8272828: Add correct licenses to jszip.md
- JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests
- JDK-8272850: Drop zapping values in the Zap* option descriptions
- JDK-8272902: Bump update version for OpenJDK: jdk-11.0.14
- JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups
- JDK-8272966: test/jdk/java/awt/Robot/FlushCurrentEvent.java fails by timeout
- JDK-8273026: Slow LoginContext.login() on multi threading application
- JDK-8273229: Update OS detection code to recognize Windows Server 2022
- JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit
- JDK-8273308: PatternMatchTest.java fails on CI
- JDK-8273314: Add tier4 test groups
- JDK-8273342: Null pointer dereference in classFileParser.cpp:2817
- JDK-8273358: macOS Monterey does not have the font Times needed by Serif
- JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero
- JDK-8273498: compiler/c2/Test7179138_1.java timed out
- JDK-8273541: Cleaner Thread creates with normal priority instead of MAX_PRIORITY - 2
- JDK-8273547: [11u] [JVMCI] Partial module-info.java backport of JDK-8223332
- JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch
- JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher
- JDK-8273671: Backport of 8260616 misses one JNF header inclusion removal
- JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem
- JDK-8273795: Zero SPARC64 debug builds fail due to missing interpreter fields
- JDK-8273826: Correct Manifest file name and NPE checks
- JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral
- JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
- JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character
- JDK-8273968: JCK javax_xml tests fail in CI
- JDK-8274056: JavaAccessibilityUtilities leaks JNI objects
- JDK-8274083: Update testing docs to mention tiered testing
- JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated
- JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
- JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern
- JDK-8274381: missing CAccessibility definitions in JNI code
- JDK-8274407: (tz) Update Timezone Data to 2021c
- JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
- JDK-8274468: TimeZoneTest.java fails with tzdata2021b
- JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah
- JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287
- JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform
- JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
- JDK-8274840: Update OS detection code to recognize Windows 11
- JDK-8274860: gcc 10.2.1 produces an uninitialized warning in sharedRuntimeTrig.cpp
- JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag
- JDK-8275131: Exceptions after a touchpad gesture on macOS
- JDK-8275713: TestDockerMemoryMetrics test fails on recent runc
- JDK-8275766: (tz) Update Timezone Data to 2021e
- JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
- JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance
- JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
- JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32
- JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point
- JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766
- JDK-8276550: Use SHA256 hash in build.tools.depend.Depend
- JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie
- JDK-8276854: Windows GHA builds fail due to broken Cygwin
- JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes
- JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE
- JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint
- JDK-8277815: Fix mistakes in legal header backports
Notes on individual issues:
===========================
core-svc/tools:
JDK-8250554: New Option Added to jcmd for Writing a gzipped Heap Dump
=====================================================================
A new integer option `gz` has been added to the `GC.heap_dump`
diagnostic command. If it is specified, it will enable the gzip
compression of the written heap dump. The supplied value is the
compression level. It can range from 1 (fastest) to 9 (slowest, but
best compression). The recommended level is 1.
security-libs/javax.net.ssl:
JDK-8260310: Configurable Extensions With System Properties
===========================================================
Two new system properties have been added. The system property,
`jdk.tls.client.disableExtensions`, is used to disable TLS extensions
used in the client. The system property,
`jdk.tls.server.disableExtensions`, is used to disable TLS extensions
used in the server. If an extension is disabled, it will be neither
produced nor processed in the handshake messages.
The property string is a list of comma separated standard TLS
extension names, as registered in the IANA documentation (for example,
server_name, status_request, and signature_algorithms_cert). Note that
the extension names are case sensitive. Unknown, unsupported,
misspelled and duplicated TLS extension name tokens will be ignored.
Please note that the impact of blocking TLS extensions is
complicated. For example, a TLS connection may not be able to be
established if a mandatory extension is disabled. Please do not
disable mandatory extensions, and do not use this feature unless you
clearly understand the impact.
security-libs/javax.crypto:pkcs11:
JDK-8272907: New SunPKCS11 Configuration Properties
===================================================
The SunPKCS11 provider gains new provider configuration attributes to
better control native resources usage. The SunPKCS11 provider consumes
native resources in order to work with native PKCS11 libraries. To
manage and better control the native resources, additional
configuration attributes are added to control the frequency of
clearing native references as well as whether to destroy the
underlying PKCS11 Token after logout.
The 3 new attributes for the SunPKCS11 provider configuration file
are:
1) `destroyTokenAfterLogout` (boolean, defaults to false)
If set to true, when `java.security.AuthProvider.logout()` is called
upon the SunPKCS11 provider instance, the underlying Token object will
be destroyed and resources will be freed. This essentially renders the
SunPKCS11 provider instance unusable after `logout()` calls. Note that
a PKCS11 provider with this attribute set to `true` should not be
added to the system provider list since the provider object is not
usable after a `logout()` method call.
2) `cleaner.shortInterval` (integer, defaults to 2000, in milliseconds)
This defines the frequency for clearing native references during busy
periods (such as, how often should the cleaner thread processes the
no-longer-needed native references in the queue to free up native
memory). Note that the cleaner thread will switch to the
'longInterval' frequency after 200 failed tries (such as, when no
references are found in the queue).
3) `cleaner.longInterval` (integer, defaults to 60000, in milliseconds)
This defines the frequency for checking native reference during
non-busy period (such as, how often should the cleaner thread check
the queue for native references). Note that the cleaner thread will
switch back to the 'shortInterval' value if native PKCS11 references
for cleaning are detected.
core-libs/java.nio:
JDK-8271517: Zip File System Provider Throws ZipException when entry name element contains "." or "."
=====================================================================================================
The ZIP file system provider has been changed to reject existing ZIP
files that contain entries with "." or ".." in name elements. ZIP
files with these entries can not be used as a file system. Invoking
the `java.nio.file.FileSystems.newFileSystem(...)` methods will throw
`ZipException` if the ZIP file contains these entries.
security-libs/java.security:
JDK-8272535: Removed Google's GlobalSign Root Certificate
=========================================================
The following root certificate from Google has been removed from the
`cacerts` keystore:
Alias Name: globalsignr2ca [jdk]
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
core-libs/java.time:
JDK-8274857: Update Timezone Data to 2021c
===========================================
IANA Time Zone Database, on which JDK's Date/Time libraries are based,
has been updated to version 2021c
(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note
that with this update, some of the time zone rules prior to the year
1970 have been modified according to the changes which were introduced
with 2021b. For more detail, refer to the announcement of 2021b
(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html)
New in release OpenJDK 11.0.13 (2021-10-19): New in release OpenJDK 11.0.13 (2021-10-19):
============================================= =============================================
Live versions of these release notes can be found at: Live versions of these release notes can be found at:
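Review bot: The heading for JDK-8271517 reads `entry name element contains "." or "."`, but the body under it says the provider rejects entries with "." or ".." in name elements. The second token in the heading should be "..", otherwise the title appears to cover only the single-dot case. The last sentence of the JDK-8274857 note also stops at the URL without a closing period.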


@ -0,0 +1,12 @@
diff --git openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
index d18d70b5f9..30ab380e40 100644
--- openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
+++ openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
@@ -481,7 +481,6 @@ BytecodeInterpreter::run(interpreterState istate) {
#ifdef ASSERT
if (istate->_msg != initialize) {
assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + 1), "bad stack limit");
- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
}
// Verify linkages.
interpreterState l = istate;
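Review bot: The `IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));` line is dropped with no stated reason; the patch file starts straight at `diff --git` and carries no description or bug reference. Because this removes a sanity check on the interpreter stack limit from `#ifdef ASSERT` builds on IA32, please add a header naming the failure it addresses and saying whether the assertion itself was wrong or is hiding a real mismatch, so the patch can be revisited or dropped later.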


@ -0,0 +1,26 @@
diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
index 300f3682655..6f3eb6c450b 100644
--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
@@ -226,6 +226,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
ctx = getLdapCtxFromUrl(
r.getDomainName(), url, new LdapURL(u), env);
return ctx;
+ } catch (AuthenticationException e) {
+ // do not retry on a different endpoint to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
// try the next element
lastException = e;
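Review bot: Only `AuthenticationException` is treated as fatal in this loop; its siblings under `NamingSecurityException` (for example `AuthenticationNotSupportedException` and `NoPermissionException`) still fall into `catch (NamingException e)` and are retried against the next endpoint. If that split is deliberate, say so in the comment. The wording "blocking the user" would also be clearer if it named the actual risk, presumably one bad password being replayed against every endpoint in the list until the account is locked.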
@@ -278,6 +282,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
for (String u : urls) {
try {
return getUsingURL(u, env);
+ } catch (AuthenticationException e) {
+ // do not retry on a different URL to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
ex = e;
}
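Review bot: This is a second copy of the same four-line handler, and the patch has neither a description, a bug reference, nor a test for either path. A short header naming the issue, plus a test that passes several URLs with bad credentials and checks that only the first one is contacted, would keep the two copies from drifting apart.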


@ -1,6 +1,6 @@
name = NSS-FIPS name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@ nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = @NSS_SECMOD@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly nssDbMode = readOnly
nssModule = fips nssModule = fips
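Review bot: `nssSecmodDirectory` goes from the build-time placeholder `@NSS_SECMOD@` to the literal `sql:/etc/pki/nssdb`, while `nssLibraryDirectory` on the line above still uses `@NSS_LIBDIR@`. If the hard-coded path is intended, record the reason in the changelog and check that the spec no longer tries to substitute `@NSS_SECMOD@` in this file. With `nssDbMode = readOnly` it is also worth confirming that the database at that path is guaranteed to exist on the target system.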


@ -1,18 +0,0 @@
commit 598fe421216b0a437fa36ee91a29966599867aa3
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Aug 30 16:12:52 2021 +0100
RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
index ab59a334cd..5db744ff17 100644
--- openjdk.orig/src/java.base/share/lib/security/default.policy
+++ openjdk/src/java.base/share/lib/security/default.policy
@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
grant codeBase "jrt:/jdk.crypto.cryptoki" {
permission java.lang.RuntimePermission
"accessClassInPackage.com.sun.crypto.provider";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*";
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
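Review bot: Deleting this patch removes the downstream grant of `accessClassInPackage.jdk.internal.misc` to `jrt:/jdk.crypto.cryptoki`, yet the refreshed RH1996182 SunPKCS11 patch in this same commit still adds `import jdk.internal.misc.SharedSecrets;`. The refreshed context there shows `import jdk.internal.misc.InnocuousThread;` as an existing line of SunPKCS11.java, which suggests the new sources carry the permission themselves. Please confirm that against the new default.policy and say so in the changelog, since without the grant SunPKCS11 would lose access to that package when a security manager is active.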


@ -5,7 +5,7 @@ Date: Fri Aug 27 19:42:07 2021 +0100
RH1996182: Login to the NSS Software Token in FIPS Mode RH1996182: Login to the NSS Software Token in FIPS Mode
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 0cf61732d7..2cd851587c 100644 index 5460efcf8c..f08dc2fafc 100644
--- openjdk.orig/src/java.base/share/classes/module-info.java --- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java +++ openjdk/src/java.base/share/classes/module-info.java
@@ -182,6 +182,7 @@ module java.base { @@ -182,6 +182,7 @@ module java.base {
@ -17,19 +17,19 @@ index 0cf61732d7..2cd851587c 100644
jdk.attach, jdk.attach,
jdk.charsets, jdk.charsets,
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index b00b738b85..1eca1f8f0a 100644 index 5e227f4531..164de8ff08 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java --- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback; @@ -41,6 +41,8 @@ import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import jdk.internal.misc.InnocuousThread;
+import jdk.internal.misc.SharedSecrets; +import jdk.internal.misc.SharedSecrets;
+ +
import sun.security.util.Debug; import sun.security.util.Debug;
import sun.security.util.ResourcesMgr; import sun.security.util.ResourcesMgr;
import static sun.security.util.SecurityConstants.PROVIDER_VER; import static sun.security.util.SecurityConstants.PROVIDER_VER;
@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; @@ -58,6 +60,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
*/ */
public final class SunPKCS11 extends AuthProvider { public final class SunPKCS11 extends AuthProvider {
@ -39,7 +39,7 @@ index b00b738b85..1eca1f8f0a 100644
private static final long serialVersionUID = -1354835039035306505L; private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11"); static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider { @@ -374,6 +379,24 @@ public final class SunPKCS11 extends AuthProvider {
if (nssModule != null) { if (nssModule != null) {
nssModule.setProvider(this); nssModule.setProvider(this);
} }


@ -0,0 +1,28 @@
commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:00:55 2022 +0000
RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
index 2ec51d57806..8489b940c43 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
@@ -36,6 +36,7 @@ import java.io.FilePermission;
import java.io.ObjectInputStream;
import java.io.RandomAccessFile;
import java.security.ProtectionDomain;
+import java.security.Security;
import java.security.Signature;
/** A repository of "shared secrets", which are a mechanism for
@@ -368,6 +369,9 @@ public class SharedSecrets {
}
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ if (javaSecuritySystemConfiguratorAccess == null) {
+ unsafe.ensureClassInitialized(Security.class);
+ }
return javaSecuritySystemConfiguratorAccess;
}
}
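Review bot: In `getJavaSecuritySystemConfiguratorAccess()` the field is returned directly after `unsafe.ensureClassInitialized(Security.class)` with no second null check, so the getter can still return null if initialising `Security` does not register the accessor. Either state in a comment that callers must handle null, or fail here with a clear error, so that a missing accessor does not surface later as an unexplained NullPointerException on the FIPS code path.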


@ -0,0 +1,24 @@
commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2
Author: Fridrich Strba <fstrba@suse.com>
Date: Mon Jan 17 19:44:03 2022 +0000
RH2021263: Return in C code after having generated Java exception
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 6f4656bfcb6..34d0ff0ce91 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
fips_enabled = fgetc(fe);
fclose(fe);
if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
" read character is '%c'", fips_enabled);

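Review bot: The `JNI_FALSE` returned on the two new error paths is also the value that means "FIPS not enabled", so the result is only safe if the Java caller lets the pending IOException propagate and never reads the boolean. Please add a one-line comment at each `return JNI_FALSE;` saying the value is a placeholder while the exception is pending. The returns themselves are needed: without the first one the code went on to call `fgetc(fe)` with a NULL stream.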

@ -0,0 +1,99 @@
commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:09:27 2022 +0000
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index 28ab1846173..f9726741afd 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -61,10 +61,6 @@ public final class Security {
private static final Debug sdebug =
Debug.getInstance("properties");
- /* System property file*/
- private static final String SYSTEM_PROPERTIES =
- "/etc/crypto-policies/back-ends/java.config";
-
/* The java.security properties */
private static Properties props;
@@ -206,22 +202,36 @@ public final class Security {
}
}
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties " +
+ "-- using defaults");
+ }
+ }
+
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
"true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
+ if (!SystemConfigurator.configureSysProps(props)) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ }
}
}
- if (!loadedProps) {
- initializeStatic();
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
if (sdebug != null) {
- sdebug.println("unable to load security properties " +
- "-- using defaults");
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ }
}
}
-
}
/*
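Review bot: `SystemConfigurator.configureFIPS(props)` is now reached only inside `if (loadedProps)`, so when java.security could not be loaded the FIPS setup is skipped and nothing is logged about that, even on a host that is in FIPS mode. At minimum add an `sdebug` line on the skipped path, and consider whether continuing with the defaults from `initializeStatic()` is acceptable there. Also, "FIPS support disabled." is printed for every `false` result, so if `configureFIPS` returns false after an internal error the debug output will not distinguish that from a system that is simply not in FIPS mode.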
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 874c6221ebe..b7ed41acf0f 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
* java.security.disableSystemPropertiesFile property is not set and
* security.useSystemPropertiesFile is true.
*/
- static boolean configure(Properties props) {
+ static boolean configureSysProps(Properties props) {
boolean loadedProps = false;
try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
e.printStackTrace();
}
}
+ return loadedProps;
+ }
+
+ /*
+ * Invoked at the end of java.security.Security initialisation
+ * if java.security properties have been loaded
+ */
+ static boolean configureFIPS(Properties props) {
+ boolean loadedProps = false;
try {
if (enableFips()) {
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
- loadedProps = false;
// Remove all security providers
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
while (i.hasNext()) {
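Review bot: The local in the new `configureFIPS` is still named `loadedProps`, although the caller in Security.java stores the result in `fipsEnabled` and the method no longer loads any properties file. Rename it to match, and extend the method comment to say what the return value means, since "Invoked at the end of java.security.Security initialisation" does not tell the reader that `true` stands for FIPS having been enabled.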


@ -0,0 +1,220 @@
commit e2be09f982af1cc05f5e6556d51900bca4757416
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Feb 28 05:30:32 2022 +0000
RH2051605: Detect NSS at Runtime for FIPS detection
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 34d0ff0ce91..8dcb7d9073f 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -23,25 +23,99 @@
* questions.
*/
-#include <dlfcn.h>
#include <jni.h>
#include <jni_util.h>
+#include "jvm_md.h"
#include <stdio.h>
#ifdef SYSCONF_NSS
#include <nss3/pk11pub.h>
+#else
+#include <dlfcn.h>
#endif //SYSCONF_NSS
#include "java_security_SystemConfigurator.h"
+#define MSG_MAX_SIZE 256
#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-#define MSG_MAX_SIZE 96
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
static jmethodID debugPrintlnMethodID = NULL;
static jobject debugObj = NULL;
-static void throwIOException(JNIEnv *env, const char *msg);
-static void dbgPrint(JNIEnv *env, const char* msg);
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
+{
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "systemconf: cannot render message");
+ }
+}
+
+// Only used when NSS is not linked at build time
+#ifndef SYSCONF_NSS
+
+static void *nss_handle;
+
+static jboolean loadNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
+ if (nss_handle == NULL) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ dlerror(); /* Clear errors */
+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
+ if ((errmsg = dlerror()) != NULL) {
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ return JNI_TRUE;
+}
+
+static void closeNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ if (dlclose(nss_handle) != 0) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ }
+}
+
+#endif
/*
* Class: java_security_SystemConfigurator
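Review bot: `dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY)` in `loadNSS` opens the library by bare name, so the FIPS answer comes from whichever copy the dynamic loader's search path resolves first. For a check that decides the security provider configuration, please document that assumption or load from a known location. Minor: the `snprintf` formats in `loadNSS` and `closeNSS` end in `\n` although the text is passed to `debugPrintlnMethodID`, which by its name already adds a line break.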
@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
debugObj = (*env)->NewGlobalRef(env, debugObj);
}
+#ifdef SYSCONF_NSS
+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
+#else
+ if (loadNSS(env) == JNI_FALSE) {
+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
+ }
+#endif
+
return (*env)->GetVersion(env);
}
@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
return; /* Should not happen */
}
+#ifndef SYSCONF_NSS
+ closeNSS(env);
+#endif
(*env)->DeleteGlobalRef(env, debugObj);
}
}
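Review bot: `closeNSS(env)` is called unconditionally here, but `loadNSS` leaves `nss_handle` as NULL when `dlopen` fails and `JNI_OnLoad` only logs that failure. On unload that becomes `dlclose(NULL)`, which is not a valid handle. Guard the call with `if (nss_handle != NULL)`, or do the check inside `closeNSS`, and set `nss_handle` and `getSystemFIPSEnabled` back to NULL after closing.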
@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
char msg[MSG_MAX_SIZE];
int msg_bytes;
-#ifdef SYSCONF_NSS
-
- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
- fips_enabled = SECMOD_GetSystemFIPSEnabled();
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
+ if (getSystemFIPSEnabled != NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = (*getSystemFIPSEnabled)();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
} else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " SECMOD_GetSystemFIPSEnabled return value");
- }
- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-
-#else // SYSCONF_NSS
+ FILE *fe;
- FILE *fe;
-
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
- } else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " read character");
- }
- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-
-#endif // SYSCONF_NSS
-}
-
-static void throwIOException(JNIEnv *env, const char *msg)
-{
- jclass cls = (*env)->FindClass(env, "java/io/IOException");
- if (cls != 0)
- (*env)->ThrowNew(env, cls, msg);
-}
-
-static void dbgPrint(JNIEnv *env, const char* msg)
-{
- jstring jMsg;
- if (debugObj != NULL) {
- jMsg = (*env)->NewStringUTF(env, msg);
- CHECK_NULL(jMsg);
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
}
}
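Review bot: Which source answers the FIPS question is now decided at run time by `getSystemFIPSEnabled != NULL`, and the only trace of a failed NSS load is a `dbgPrint` line, which prints nothing unless `debugObj` is set. Since `SECMOD_GetSystemFIPSEnabled` and FIPS_ENABLED_PATH are different sources, a host where NSS fails to load will silently use the other one. Please make the fallback visible outside debug mode, or state in the changelog that the two are expected to agree. A comment noting that one branch compares against the integer `1` and the other against the character `'1'` would also help the next reader.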


@ -23,6 +23,8 @@
%bcond_without staticlibs %bcond_without staticlibs
# Remove build artifacts by default # Remove build artifacts by default
%bcond_with artifacts %bcond_with artifacts
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm
# Workaround for stripping of debug symbols from static libraries # Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs} %if %{with staticlibs}
@ -32,6 +34,13 @@
%global include_staticlibs 0 %global include_staticlibs 0
%endif %endif
# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
%if %{with fresh_libjvm}
%global build_hotspot_first 1
%else
%global build_hotspot_first 0
%endif
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info. # This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@ -76,7 +85,7 @@
# in alternatives those are slaves and master, very often triplicated by man pages # in alternatives those are slaves and master, very often triplicated by man pages
# in files all masters and slaves are ghosted # in files all masters and slaves are ghosted
# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` # the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ # you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
# TODO - fix those hardcoded lists via single list # TODO - fix those hardcoded lists via single list
# Those files must *NOT* be ghosted for *slowdebug* packages # Those files must *NOT* be ghosted for *slowdebug* packages
# FIXME - if you are moving jshell or jlink or similar, always modify all three sections # FIXME - if you are moving jshell or jlink or similar, always modify all three sections
@ -102,7 +111,9 @@
# Set of architectures for which we build fastdebug builds # Set of architectures for which we build fastdebug builds
%global fastdebug_arches x86_64 ppc64le aarch64 %global fastdebug_arches x86_64 ppc64le aarch64
# Set of architectures with a Just-In-Time (JIT) compiler # Set of architectures with a Just-In-Time (JIT) compiler
%global jit_arches %{debug_arches} %{arm} %global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
# Set of architectures which use the Zero assembler port (!jit_arches)
%global zero_arches ppc s390
# Set of architectures which run a full bootstrap cycle # Set of architectures which run a full bootstrap cycle
%global bootstrap_arches %{jit_arches} %global bootstrap_arches %{jit_arches}
# Set of architectures which support SystemTap tapsets # Set of architectures which support SystemTap tapsets
@ -121,6 +132,8 @@
%global zgc_arches x86_64 %global zgc_arches x86_64
# Set of architectures for which alt-java has SSB mitigation # Set of architectures for which alt-java has SSB mitigation
%global ssbd_arches x86_64 %global ssbd_arches x86_64
# Set of architectures where we verify backtraces with gdb
%global gdb_arches %{jit_arches} %{zero_arches}
# By default, we build a slowdebug build during main build on JIT architectures # By default, we build a slowdebug build during main build on JIT architectures
%if %{with slowdebug} %if %{with slowdebug}
@ -174,7 +187,7 @@
%global fastdebug_build %{nil} %global fastdebug_build %{nil}
%endif %endif
# If you disable both builds, then the build fails # If you disable all builds, then the build fails
# Build and test slowdebug first as it provides the best diagnostics # Build and test slowdebug first as it provides the best diagnostics
%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
@ -185,9 +198,9 @@
%endif %endif
%ifarch %{bootstrap_arches} %ifarch %{bootstrap_arches}
%global bootstrap_build 1 %global bootstrap_build true
%else %else
%global bootstrap_build 1 %global bootstrap_build false
%endif %endif
%if %{include_staticlibs} %if %{include_staticlibs}
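Review bot: `bootstrap_build` changes both value and type here: the old spec set it to `1` in both the `%ifarch` and the `%else` branch, the new one sets `true` and `false`. The fix to the `%else` branch looks right, but every consumer of the macro has to be checked, because a numeric `%if %{bootstrap_build}` test will not behave the same with the strings `true` and `false`. Please mention in the changelog that non-bootstrap architectures now really get a different value.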
@ -208,6 +221,11 @@
%global release_targets images docs-zip %global release_targets images docs-zip
# No docs nor bootcycle for debug builds # No docs nor bootcycle for debug builds
%global debug_targets images %global debug_targets images
# Target to use to just build HotSpot
%global hotspot_target hotspot
# JDK to use for bootstrapping
%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
# Disable LTO as this causes build failures at the moment. # Disable LTO as this causes build failures at the moment.
# See RHBZ#1861401 # See RHBZ#1861401
@ -297,8 +315,8 @@
# New Version-String scheme-style defines # New Version-String scheme-style defines
%global featurever 11 %global featurever 11
%global interimver 0 %global interimver 0
%global updatever 13 %global updatever 14
%global patchver 0 %global patchver 1
# If you bump featurever, you must bump also vendor_version_string # If you bump featurever, you must bump also vendor_version_string
# Used via new version scheme. JDK 11 was # Used via new version scheme. JDK 11 was
# GA'ed in September 2018 => 18.9 # GA'ed in September 2018 => 18.9
@ -344,8 +362,8 @@
%global origin_nice OpenJDK %global origin_nice OpenJDK
%global top_level_dir_name %{origin} %global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup %global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8 %global buildver 1
%global rpmrelease 3 %global rpmrelease 6
#%%global tagsuffix %%{nil} #%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk %if %is_system_jdk
@ -394,8 +412,8 @@
%global jdkimage jdk %global jdkimage jdk
%global static_libs_image static-libs %global static_libs_image static-libs
# output dir stub # output dir stub
%define buildoutputdir() %{expand:build/jdk11.build%{?1}} %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
%define installoutputdir() %{expand:install/jdk11.install%{?1}} %define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch # we can copy the javadoc to not arched dir, or make it not noarch
%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
# main id and dir of this jdk # main id and dir of this jdk
@ -410,7 +428,7 @@
%if %is_system_jdk %if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$ %global __provides_exclude ^(%{_privatelibs})$
%global __requires_exclude ^(%{_privatelibs})$ %global __requires_exclude ^(%{_privatelibs})$
# Never generate lib-style provides/requires for slowdebug packages # Never generate lib-style provides/requires for any debug packages
%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ %global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ %global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ %global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
@ -443,6 +461,9 @@
%global alternatives_requires %{_sbindir}/alternatives %global alternatives_requires %{_sbindir}/alternatives
%endif %endif
%global family %{name}.%{_arch}
%global family_noarch %{name}
%if %{with_systemtap} %if %{with_systemtap}
# Where to install systemtap tapset (links) # Where to install systemtap tapset (links)
# We would like these to be in a package specific sub-dir, # We would like these to be in a package specific sub-dir,
@ -460,6 +481,50 @@
# not-duplicated scriptlets for normal/debug packages # not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%define save_alternatives() %{expand:
# warning! alternatives are localised!
# LANG=cs_CZ.UTF-8 alternatives --display java | head
# LANG=en_US.UTF-8 alternatives --display java | head
function nonLocalisedAlternativesDisplayOfMaster() {
LANG=en_US.UTF-8 alternatives --display "$MASTER"
}
function headOfAbove() {
nonLocalisedAlternativesDisplayOfMaster | head -n $1
}
MASTER="%{?1}"
LOCAL_LINK="%{?2}"
FAMILY="%{?3}"
rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null
if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then
if headOfAbove 1 | grep -q manual ; then
if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then
headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY"
fi
fi
fi
}
%define save_and_remove_alternatives() %{expand:
if [ "x$debug" == "xtrue" ] ; then
set -x
fi
upgrade1_uninstal0=%{?3}
if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall
%{save_alternatives %{?1} %{?2} %{?4}}
fi
alternatives --remove "%{?1}" "%{?2}"
}
%define set_if_needed_alternatives() %{expand:
MASTER="%{?1}"
FAMILY="%{?2}"
ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY"
if [ -e "$ALTERNATIVES_FILE" ] ; then
rm "$ALTERNATIVES_FILE"
alternatives --set $MASTER $FAMILY
fi
}
%define post_script() %{expand: %define post_script() %{expand:
update-desktop-database %{_datadir}/applications &> /dev/null || : update-desktop-database %{_datadir}/applications &> /dev/null || :
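Review bot: in `nonLocalisedAlternativesDisplayOfMaster`, setting `LANG=en_US.UTF-8` does not guarantee English output, because `LC_ALL` or `LC_MESSAGES` in the environment of the rpm transaction take precedence over `LANG`; the `grep -q manual` test would then miss a manual selection and no state would be saved. Use `LC_ALL=C alternatives --display "$MASTER"` instead. Separately, `set_if_needed_alternatives` only tests that the state file exists, so the two lines written by `headOfAbove 2` are never read, and `$FAMILY` is quoted when the file is written but not in the `rm -f` just above it or in `alternatives --set $MASTER $FAMILY`.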
@ -467,20 +532,19 @@ update-desktop-database %{_datadir}/applications &> /dev/null || :
exit 0 exit 0
} }
%define alternatives_java_install() %{expand:
%define post_headless() %{expand: if [ "x$debug" == "xtrue" ] ; then
%ifarch %{share_arches} set -x
%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null fi
%endif
PRIORITY=%{priority} PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1 let PRIORITY=PRIORITY-1
fi fi
ext=.gz ext=.gz
key=java
alternatives \\ alternatives \\
--install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\
--slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
--slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
--slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\ --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\
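Review bot: the `if [ "x$debug" == "xtrue" ]` switch at the top of `alternatives_java_install` is undocumented and reads a very generic variable name from whatever environment the package manager was started in, so an unrelated `debug=true` exported by an administrator turns on `set -x` tracing in a root scriptlet. Please add a comment describing the switch and consider a package-specific variable name.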
@ -506,12 +570,23 @@ alternatives \\
--slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\ --slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\
%{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext
%{set_if_needed_alternatives $key %{family}}
for X in %{origin} %{javaver} ; do for X in %{origin} %{javaver} ; do
alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} key=jre_"$X"
alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
%{set_if_needed_alternatives $key %{family}}
done done
update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} key=jre_%{javaver}_%{origin}
alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family}
%{set_if_needed_alternatives $key %{family}}
}
%define post_headless() %{expand:
%ifarch %{share_arches}
%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
%endif
update-desktop-database %{_datadir}/applications &> /dev/null || : update-desktop-database %{_datadir}/applications &> /dev/null || :
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@ -538,26 +613,34 @@ exit 0
%define postun_headless() %{expand: %define postun_headless() %{expand:
alternatives --remove java %{jrebindir -- %{?1}}/java if [ "x$debug" == "xtrue" ] ; then
alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} set -x
alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} fi
alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
%{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}}
%{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
%{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
%{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}}
} }
%define posttrans_script() %{expand: %define posttrans_script() %{expand:
%{update_desktop_icons} %{update_desktop_icons}
} }
%define post_devel() %{expand:
%define alternatives_javac_install() %{expand:
if [ "x$debug" == "xtrue" ] ; then
set -x
fi
PRIORITY=%{priority} PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1 let PRIORITY=PRIORITY-1
fi fi
ext=.gz ext=.gz
key=javac
alternatives \\ alternatives \\
--install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\
--slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
%ifarch %{aot_arches} %ifarch %{aot_arches}
--slave %{_bindir}/jaotc jaotc %{sdkbindir -- %{?1}}/jaotc \\ --slave %{_bindir}/jaotc jaotc %{sdkbindir -- %{?1}}/jaotc \\
@ -565,7 +648,9 @@ alternatives \\
--slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\
--slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\
%ifarch %{sa_arches} %ifarch %{sa_arches}
%ifnarch %{zero_arches}
--slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\
%endif
%endif %endif
--slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\
--slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
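Review bot: the `%ifnarch %{zero_arches}` guard nested inside `%ifarch %{sa_arches}` around the `jhsdb` slave has to stay in step with the identical nesting added around `libsaproc.so` and `bin/jhsdb` in the file lists further down. If one of the three is missed in a later edit, the alternatives entry and the packaged files disagree; excluding the zero architectures once, where `sa_arches` is defined, would remove that risk.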
@ -623,15 +708,22 @@ alternatives \\
--slave %{_mandir}/man1/rmic.1$ext rmic.1$ext \\ --slave %{_mandir}/man1/rmic.1$ext rmic.1$ext \\
%{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1$ext \\ %{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1$ext \\
--slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext \\ %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext
%{set_if_needed_alternatives $key %{family}}
for X in %{origin} %{javaver} ; do for X in %{origin} %{javaver} ; do
alternatives \\ key=java_sdk_"$X"
--install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
%{set_if_needed_alternatives $key %{family}}
done done
update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} key=java_sdk_%{javaver}_%{origin}
alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
%{set_if_needed_alternatives $key %{family}}
}
%define post_devel() %{expand:
update-desktop-database %{_datadir}/applications &> /dev/null || : update-desktop-database %{_datadir}/applications &> /dev/null || :
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@ -639,10 +731,14 @@ exit 0
} }
%define postun_devel() %{expand: %define postun_devel() %{expand:
alternatives --remove javac %{sdkbindir -- %{?1}}/javac if [ "x$debug" == "xtrue" ] ; then
alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} set -x
alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} fi
alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
%{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}}
%{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
%{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
%{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
update-desktop-database %{_datadir}/applications &> /dev/null || : update-desktop-database %{_datadir}/applications &> /dev/null || :
@ -654,42 +750,54 @@ exit 0
} }
%define posttrans_devel() %{expand: %define posttrans_devel() %{expand:
%{alternatives_javac_install -- %{?1}}
%{update_desktop_icons} %{update_desktop_icons}
} }
%define post_javadoc() %{expand: %define alternatives_javadoc_install() %{expand:
if [ "x$debug" == "xtrue" ] ; then
set -x
fi
PRIORITY=%{priority} PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1 let PRIORITY=PRIORITY-1
fi fi
alternatives \\ key=javadocdir
--install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\ alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
$PRIORITY --family %{name} %{set_if_needed_alternatives $key %{family_noarch}}
exit 0 exit 0
} }
%define postun_javadoc() %{expand: %define postun_javadoc() %{expand:
alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api if [ "x$debug" == "xtrue" ] ; then
set -x
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
%{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
exit 0 exit 0
} }
%define post_javadoc_zip() %{expand: %define alternatives_javadoczip_install() %{expand:
if [ "x$debug" == "xtrue" ] ; then
set -x
fi
PRIORITY=%{priority} PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1 let PRIORITY=PRIORITY-1
fi fi
key=javadoczip
alternatives \\ alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
--install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\ %{set_if_needed_alternatives $key %{family_noarch}}
$PRIORITY --family %{name}
exit 0 exit 0
} }
%define postun_javadoc_zip() %{expand: %define postun_javadoc_zip() %{expand:
alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip if [ "x$debug" == "xtrue" ] ; then
set -x
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
%{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
exit 0 exit 0
} }
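Review bot: `alternatives_javadoc_install` and `alternatives_javadoczip_install` keep the `exit 0` they inherited from the old `post_javadoc` macros, while `alternatives_java_install` and `alternatives_javac_install` do not end with one. A helper that terminates the scriptlet cannot be followed by anything else, as `posttrans_devel` does with `%{update_desktop_icons}` after `alternatives_javac_install`, and the unconditional `exit 0` also hides a failing `alternatives --install`. Move the `exit 0` out of the helpers and into the scriptlets that call them, if it is wanted at all.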
@ -760,8 +868,10 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
# Some architectures don't have the serviceability agent # Some architectures don't have the serviceability agent
%ifarch %{sa_arches} %ifarch %{sa_arches}
%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
%endif %endif
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
@ -795,7 +905,7 @@ exit 0
%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited %dir %{etcjavadir -- %{?1}}/conf/security/policy/limited
%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited %dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited
%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy
%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blacklisted.certs %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs
%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy
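Review bot: the rename of `blacklisted.certs` to `blocked.certs` applies to a `%config(noreplace)` file, so a locally edited copy under the old name is not what the runtime reads after the update unless something migrates it to the new name. Since this file lists certificates that must not be trusted, please confirm how local additions are carried over on upgrade and mention the rename in the changelog.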
@ -855,8 +965,10 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
# Some architectures don't have the serviceability agent # Some architectures don't have the serviceability agent
%ifarch %{sa_arches} %ifarch %{sa_arches}
%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
%endif %endif
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
@ -1015,8 +1127,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package # Require zone-info data provided by tzdata-java sub-package
# 2021a required as of JDK-8260356 in April 2021 CPU # 2021e required as of JDK-8275766 in January 2022 CPU
Requires: tzdata-java >= 2021a Requires: tzdata-java >= 2021e
# for support of kernel stream control # for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand # libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa} Requires: lksctp-tools%{?_isa}
@ -1029,6 +1141,8 @@ OrderWithRequires: copy-jdk-configs
%endif %endif
# for printing support # for printing support
Requires: cups-libs Requires: cups-libs
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives # Post requires alternatives to install tool alternatives
Requires(post): %{alternatives_requires} Requires(post): %{alternatives_requires}
# Postun requires alternatives to uninstall tool alternatives # Postun requires alternatives to uninstall tool alternatives
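Review bot: the new `Requires: nss` is unversioned and has no `%{?_isa}`, unlike the `lksctp-tools%{?_isa}` requirement just above it, which is also for a library loaded on demand. With NSS now located at run time, the dependency should be architecture-specific so that a multilib install pulls in the matching library, and the `>= 3.53` minimum that this commit drops from `BuildRequires: nss-devel` should move here if the FIPS code still needs it.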
@ -1111,10 +1225,10 @@ Requires(post): %{alternatives_requires}
Requires(postun): %{alternatives_requires} Requires(postun): %{alternatives_requires}
# Standard JPackage javadoc provides # Standard JPackage javadoc provides
Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
%if %is_system_jdk %if %is_system_jdk
Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release} Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
%endif %endif
} }
@ -1236,9 +1350,15 @@ Patch1007: rh1915071-always_initialise_configurator_access.patch
Patch1008: rh1929465-improve_system_FIPS_detection.patch Patch1008: rh1929465-improve_system_FIPS_detection.patch
# RH1996182: Login to the NSS software token in FIPS mode # RH1996182: Login to the NSS software token in FIPS mode
Patch1009: rh1996182-login_to_nss_software_token.patch Patch1009: rh1996182-login_to_nss_software_token.patch
Patch1010: rh1996182-extend_security_policy.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
Patch1011: rh1991003-enable_fips_keys_import.patch Patch1011: rh1991003-enable_fips_keys_import.patch
# RH2021263: Resolve outstanding FIPS issues
Patch1014: rh2021263-fips_ensure_security_initialised.patch
Patch1015: rh2021263-fips_missing_native_returns.patch
# RH2052819: Fix FIPS reliance on crypto policies
Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
# RH2052829: Detect NSS at Runtime for FIPS detection
Patch1017: rh2052829-fips_runtime_nss_detection.patch
############################################# #############################################
# #
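Review bot: the comment above `Patch1016` cites RH2052819 while the file is named `rh2021263-fips_separate_policy_and_fips_init.patch`, so the bug reference and the file name disagree. The comment for `Patch1017` cites RH2052829, while the changelog entry for the same change says rhbz#2052827. Please make the identifiers consistent or note that they are clones of one another, and add a line saying why `Patch1010` was dropped.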
@ -1262,6 +1382,20 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1
Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
# PR3695: Allow use of system crypto policy to be disabled by the user # PR3695: Allow use of system crypto policy to be disabled by the user
Patch7: pr3695-toggle_system_crypto_policy.patch Patch7: pr3695-toggle_system_crypto_policy.patch
# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
Patch8: jdk8275535-rh2053256-ldap_auth.patch
#############################################
#
# Backportable patches
#
# This section includes patches which are
# present in the current development tree, but
# need to be reviewed & pushed to the appropriate
# updates tree of OpenJDK.
#############################################
# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
Patch101: jdk8257794-remove_broken_assert.patch
############################################# #############################################
# #
@ -1298,8 +1432,8 @@ BuildRequires: libXrandr-devel
BuildRequires: libXrender-devel BuildRequires: libXrender-devel
BuildRequires: libXt-devel BuildRequires: libXt-devel
BuildRequires: libXtst-devel BuildRequires: libXtst-devel
# Requirements for setting up the nss.cfg and FIPS support # Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel >= 3.53 BuildRequires: nss-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel BuildRequires: xorg-x11-proto-devel
BuildRequires: zip BuildRequires: zip
@ -1307,11 +1441,11 @@ BuildRequires: unzip
BuildRequires: javapackages-filesystem BuildRequires: javapackages-filesystem
BuildRequires: java-%{buildjdkver}-openjdk-devel BuildRequires: java-%{buildjdkver}-openjdk-devel
# Zero-assembler build requirement # Zero-assembler build requirement
%ifnarch %{jit_arches} %ifarch %{zero_arches}
BuildRequires: libffi-devel BuildRequires: libffi-devel
%endif %endif
# 2021a required as of JDK-8260356 in April 2021 CPU # 2021e required as of JDK-8275766 in January 2022 CPU
BuildRequires: tzdata-java >= 2021a BuildRequires: tzdata-java >= 2021e
# Earlier versions have a bug in tree vectorization on PPC # Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8 BuildRequires: gcc >= 4.8.3-8
@ -1593,7 +1727,7 @@ Group: Documentation
Requires: javapackages-filesystem Requires: javapackages-filesystem
Obsoletes: javadoc-debug Obsoletes: javadoc-debug
%{java_javadoc_rpo %{nil}} %{java_javadoc_rpo -- %{nil} %{nil}}
%description javadoc %description javadoc
The %{origin_nice} %{featurever} API documentation. The %{origin_nice} %{featurever} API documentation.
@ -1606,7 +1740,8 @@ Group: Documentation
Requires: javapackages-filesystem Requires: javapackages-filesystem
Obsoletes: javadoc-zip-debug Obsoletes: javadoc-zip-debug
%{java_javadoc_rpo %{nil}} %{java_javadoc_rpo -- %{nil} -zip}
%{java_javadoc_rpo -- %{nil} %{nil}}
%description javadoc-zip %description javadoc-zip
The %{origin_nice} %{featurever} API documentation compressed in a single archive. The %{origin_nice} %{featurever} API documentation compressed in a single archive.
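Review bot: the `javadoc-zip` subpackage now expands `java_javadoc_rpo` twice, once with `-zip` and once with `%{nil} %{nil}`, so it carries the same unsuffixed `java-javadoc` Provides as the `javadoc` subpackage. If that is there for backwards compatibility with the old Provides, a comment saying so is needed; otherwise the second expansion should go, because two subpackages will satisfy a dependency on the same name.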
@ -1664,6 +1799,8 @@ pushd %{top_level_dir_name}
%patch7 -p1 %patch7 -p1
popd # openjdk popd # openjdk
%patch101
%patch1000 %patch1000
%patch600 %patch600
%patch1001 %patch1001
@ -1673,8 +1810,13 @@ popd # openjdk
%patch1007 %patch1007
%patch1008 %patch1008
%patch1009 %patch1009
%patch1010
%patch1011 %patch1011
%patch1014
%patch1015
%patch1016
%patch1017
%patch8
# Extract systemtap tapsets # Extract systemtap tapsets
%if %{with_systemtap} %if %{with_systemtap}
@ -1727,7 +1869,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
# Setup nss.fips.cfg # Setup nss.fips.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
%build %build
# How many CPU's do we have? # How many CPU's do we have?
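Review bot: removing the `@NSS_SECMOD@` substitution is only safe if `%{SOURCE17}` no longer contains that token, which cannot be checked from this hunk. A leftover placeholder would be installed verbatim into `nss.fips.cfg`, so a guard after the remaining `sed` that fails the build when an `@...@` token is still present in the generated file would catch it.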
@ -1754,17 +1895,21 @@ EXTRA_CPP_FLAGS="%ourcppflags"
# fix rpmlint warnings # fix rpmlint warnings
EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
%endif %endif
%ifarch %{ix86}
# Align stack boundary on x86_32
EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
%endif
# Fixes annocheck warnings in assembler files due to missing build notes # Fixes annocheck warnings in assembler files due to missing build notes
EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes"
export EXTRA_CFLAGS EXTRA_ASFLAGS export EXTRA_CFLAGS EXTRA_CPP_FLAGS EXTRA_ASFLAGS
function buildjdk() { function buildjdk() {
local outputdir=${1} local outputdir=${1}
local installdir=${2} local buildjdk=${2}
local buildjdk=${3} local maketargets="${3}"
local maketargets="${4}" local debuglevel=${4}
local debuglevel=${5} local link_opt=${5}
local link_opt=${6}
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir} local top_dir_abs_build_path=$(pwd)/${outputdir}
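Review bot: the x86_32 stack alignment is applied by replacing `-mstackrealign` with `sed`, so when that flag is not present in `EXTRA_CFLAGS` or `EXTRA_CPP_FLAGS` the substitution does nothing and the build continues without `-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4`. Either append the two flags after stripping `-mstackrealign`, or fail when the replacement did not take place.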
@ -1777,11 +1922,11 @@ function buildjdk() {
echo "Using link_opt: ${link_opt}" echo "Using link_opt: ${link_opt}"
echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
mkdir -p ${outputdir} ${installdir} mkdir -p ${outputdir}
pushd ${outputdir} pushd ${outputdir}
bash ${top_dir_abs_src_path}/configure \ bash ${top_dir_abs_src_path}/configure \
%ifnarch %{jit_arches} %ifarch %{zero_arches}
--with-jvm-variants=zero \ --with-jvm-variants=zero \
%endif %endif
%ifarch %{ppc64le} %ifarch %{ppc64le}
@ -1798,7 +1943,7 @@ function buildjdk() {
--with-boot-jdk=${buildjdk} \ --with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \ --with-debug-level=${debuglevel} \
--with-native-debug-symbols="%{debug_symbols}" \ --with-native-debug-symbols="%{debug_symbols}" \
--enable-sysconf-nss \ --disable-sysconf-nss \
--enable-unlimited-crypto \ --enable-unlimited-crypto \
--with-zlib=system \ --with-zlib=system \
--with-libjpeg=${link_opt} \ --with-libjpeg=${link_opt} \
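Review bot: the switch from `--enable-sysconf-nss` to `--disable-sysconf-nss` has no comment in the configure call, and the only explanation is the changelog entry about detecting NSS at run time. Please add a comment next to the flag that points to `Patch1017`, and state what FIPS detection does when the NSS library cannot be loaded, so it is clear whether that case fails closed or is treated as non-FIPS.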
@ -1826,8 +1971,15 @@ function buildjdk() {
$maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
popd popd
}
function installjdk() {
local outputdir=${1}
local installdir=${2}
local imagepath=${installdir}/images/%{jdkimage}
echo "Installing build from ${outputdir} to ${installdir}..." echo "Installing build from ${outputdir} to ${installdir}..."
mkdir -p ${installdir}
echo "Installing images..." echo "Installing images..."
mv ${outputdir}/images ${installdir} mv ${outputdir}/images ${installdir}
if [ -d ${outputdir}/bundles ] ; then if [ -d ${outputdir}/bundles ] ; then
@ -1843,38 +1995,46 @@ function buildjdk() {
echo "Removing output directory..."; echo "Removing output directory...";
rm -rf ${outputdir} rm -rf ${outputdir}
%endif %endif
if [ -d ${imagepath} ] ; then
# the build (erroneously) removes read permissions from some jars
# this is a regression in OpenJDK 7 (our compiler):
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
# Build screws up permissions on binaries
# https://bugs.openjdk.java.net/browse/JDK-8173610
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
find ${imagepath}/bin/ -exec chmod +x {} \;
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg ${imagepath}/conf/security/
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
# Create fake alt-java as a placeholder for future alt-java
pushd ${imagepath}
# add alt-java man page
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
fi
} }
function installjdk() { %if %{build_hotspot_first}
local imagepath=${1} # Build a fresh libjvm.so first and use it to bootstrap
cp -LR --preserve=mode,timestamps %{bootjdk} newboot
# the build (erroneously) removes read permissions from some jars systemjdk=$(pwd)/newboot
# this is a regression in OpenJDK 7 (our compiler): buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled"
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; %else
systemjdk=%{bootjdk}
# Build screws up permissions on binaries %endif
# https://bugs.openjdk.java.net/browse/JDK-8173610
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
find ${imagepath}/bin/ -exec chmod +x {} \;
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg ${imagepath}/conf/security/
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
# Create fake alt-java as a placeholder for future alt-java
pushd ${imagepath}
# add alt-java man page
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
}
for suffix in %{build_loop} ; do for suffix in %{build_loop} ; do
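Review bot: everything in `installjdk` after the cleanup is now wrapped in `if [ -d ${imagepath} ]`, with no `else`, so a main build whose image directory is missing skips the permission fixes, the `nss.cfg` and `nss.fips.cfg` install and the `tzdb.dat` link without any message. The guard is presumably there for the static-libs cycle; an explicit log line or a failure for the main image in the `else` branch would stop an incomplete JDK from being packaged quietly. The unquoted `${imagepath}` and `${outputdir}` in `find`, `rm` and `rm -rf` should be quoted too.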
@ -1885,7 +2045,6 @@ for suffix in %{build_loop} ; do
debugbuild=`echo $suffix | sed "s/-//g"` debugbuild=`echo $suffix | sed "s/-//g"`
fi fi
systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk
for loop in %{main_suffix} %{staticlibs_loop} ; do for loop in %{main_suffix} %{staticlibs_loop} ; do
@ -1902,18 +2061,25 @@ for suffix in %{build_loop} ; do
# Use system libraries # Use system libraries
link_opt="system" link_opt="system"
# Debug builds don't need same targets as release for # Debug builds don't need same targets as release for
# build speed-up # build speed-up. We also avoid bootstrapping these
maketargets="%{release_targets}" # slower builds.
if echo $debugbuild | grep -q "debug" ; then if echo $debugbuild | grep -q "debug" ; then
maketargets="%{debug_targets}" maketargets="%{debug_targets}"
run_bootstrap=false
else
maketargets="%{release_targets}"
run_bootstrap=%{bootstrap_build}
fi
if ${run_bootstrap} ; then
buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
installjdk ${bootbuilddir} ${bootinstalldir}
buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
%{!?with_artifacts:rm -rf ${bootinstalldir}}
else
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
fi fi
%if %{bootstrap_build}
buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
%{!?with_artifacts:rm -rf ${bootinstalldir}}
%else
buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
%endif
# Restore original source tree we modified by removing full in-tree sources # Restore original source tree we modified by removing full in-tree sources
rm -rf %{top_level_dir_name} rm -rf %{top_level_dir_name}
mv %{top_level_dir_name_backup} %{top_level_dir_name} mv %{top_level_dir_name_backup} %{top_level_dir_name}
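Review bot: `if ${run_bootstrap} ; then` executes the expansion of `%{bootstrap_build}` as a shell command, which only behaves as intended when the macro expands to the literal `true` or `false`. A numeric value would be "command not found" and fall through to the non-bootstrap branch without failing the build, and an empty value is a syntax error. Compare explicitly instead, for example `if [ "${run_bootstrap}" = "true" ] ; then`, and document the values the macro may take.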
@ -1923,15 +2089,12 @@ for suffix in %{build_loop} ; do
# Static library cycle only builds the static libraries # Static library cycle only builds the static libraries
maketargets="%{static_libs_target}" maketargets="%{static_libs_target}"
# Always just do the one build for the static libraries # Always just do the one build for the static libraries
buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
fi fi
done # end of main / staticlibs loop done # end of main / staticlibs loop
# Final setup on the main image
top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
# build cycles # build cycles
done # end of release / debug cycle loop done # end of release / debug cycle loop
@ -2040,20 +2203,16 @@ gdb -q "$JAVA_HOME/bin/java" <<EOF | tee gdb.out
handle SIGSEGV pass nostop noprint handle SIGSEGV pass nostop noprint
handle SIGILL pass nostop noprint handle SIGILL pass nostop noprint
set breakpoint pending on set breakpoint pending on
break javaCalls.cpp:1 break javaCalls.cpp:58
commands 1 commands 1
backtrace backtrace
quit quit
end end
run -version run -version
EOF EOF
%if 0%{?fedora} > 0 %ifarch %{gdb_arches}
# This fails on s390x for some reason. Disable for now. See:
# https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227
%ifnarch s390x
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
%endif %endif
%endif
# Check src.zip has all sources. See RHBZ#1130490 # Check src.zip has all sources. See RHBZ#1130490
$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' $JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
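Review bot: `break javaCalls.cpp:58` pins the debuginfo check to a source line number that will move whenever upstream touches that file, the same problem the old `javaCalls.cpp:1` worked around. Since the `grep` below already looks for `JavaCallWrapper::JavaCallWrapper`, setting the breakpoint on that symbol would keep the test stable across updates. The `%ifarch %{gdb_arches}` guard also replaces a comment that explained the s390x exclusion, so a note on how `gdb_arches` was chosen should accompany its definition.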
@ -2280,6 +2439,9 @@ end
%posttrans %posttrans
%{posttrans_script %{nil}} %{posttrans_script %{nil}}
%posttrans headless
%{alternatives_java_install %{nil}}
%post devel %post devel
%{post_devel %{nil}} %{post_devel %{nil}}
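Review bot: the new `%posttrans headless` scriptlet has no comment saying why alternatives registration runs at end of transaction instead of in `%post`. The changelog entries for 11.0.14.1.1-2 and -4 explain it (rhbz#1200302, and the follow-up that this ordering removed and recreated the alternatives, losing a manual selection), but that reasoning belongs next to the scriptlet or the `alternatives_java_install` macro as well. Please also confirm the macro covers both the fresh-install and the upgrade case, since on upgrade it runs after the old package's `%postun`.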
@ -2289,14 +2451,14 @@ end
%posttrans devel %posttrans devel
%{posttrans_devel %{nil}} %{posttrans_devel %{nil}}
%post javadoc %posttrans javadoc
%{post_javadoc %{nil}} %{alternatives_javadoc_install %{nil}}
%postun javadoc %postun javadoc
%{postun_javadoc %{nil}} %{postun_javadoc %{nil}}
%post javadoc-zip %posttrans javadoc-zip
%{post_javadoc_zip %{nil}} %{alternatives_javadoczip_install %{nil}}
%postun javadoc-zip %postun javadoc-zip
%{postun_javadoc_zip %{nil}} %{postun_javadoc_zip %{nil}}
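Review bot: the install side is renamed to `alternatives_javadoc_install` and `alternatives_javadoczip_install`, while the removal side keeps `postun_javadoc` and `postun_javadoc_zip`, so the pairing is no longer obvious from the names and the zip variant is spelled two ways (`javadoczip` vs `javadoc_zip`). Pick one spelling and name the macros symmetrically. Because `%post javadoc` becomes `%posttrans javadoc` and `%postun javadoc` is unchanged, check that the unchanged `%postun` macros do not remove the alternatives entry during an upgrade, where they run before the new `%posttrans`.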
@ -2309,6 +2471,9 @@ end
%post headless-slowdebug %post headless-slowdebug
%{post_headless -- %{debug_suffix_unquoted}} %{post_headless -- %{debug_suffix_unquoted}}
%posttrans headless-slowdebug
%{alternatives_java_install -- %{debug_suffix_unquoted}}
%postun slowdebug %postun slowdebug
%{postun_script -- %{debug_suffix_unquoted}} %{postun_script -- %{debug_suffix_unquoted}}
@ -2344,6 +2509,9 @@ end
%posttrans fastdebug %posttrans fastdebug
%{posttrans_script -- %{fastdebug_suffix_unquoted}} %{posttrans_script -- %{fastdebug_suffix_unquoted}}
%posttrans headless-fastdebug
%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
%post devel-fastdebug %post devel-fastdebug
%{post_devel -- %{fastdebug_suffix_unquoted}} %{post_devel -- %{fastdebug_suffix_unquoted}}
@ -2450,6 +2618,100 @@ end
%endif %endif
%changelog %changelog
* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-6
- Detect NSS at runtime for FIPS detection
- Turn off build-time NSS linking and go back to an explicit Requires on NSS
- Resolves: rhbz#2052827
* Fri Feb 25 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-5
- Add JDK-8275535 patch to fix LDAP authentication issue.
- Resolves: rhbz#2053284
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.1.1-4
- Storing and restoring alterntives during update manually
- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
-- The move of alternatives creation to posttrans to fix:
-- Bug 1200302 - dnf reinstall breaks alternatives
-- Had caused the alternatives to be removed, and then created again,
-- instead of being added, and then removing the old, and thus persisting
-- the selection in family
-- Thus this fix, is storing the family of manually selected master, and if
-- stored, then it is restoring the family of the master
- Resolves: rhbz#2008192
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.1.1-3
- Family extracted to globals
- Resolves: rhbz#2008192
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.1.1-2
- alternatives creation moved to posttrans
- Thus fixing the old reisntall issue:
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
- Resolves: rhbz#2008192
* Fri Feb 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-1
- Update to jdk-11.0.14.1+1
- Update release notes to 11.0.14.1+1
- Require tzdata 2021e as of JDK-8275766.
- Resolves: rhbz#2052809
- Resolves: rhbz#1966234
* Thu Feb 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-6
- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
- Resolves: rhbz#2052816
* Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-5
- Refactor build functions so we can build just HotSpot without any attempt at installation.
- Sync gdb test with java-1.8.0-openjdk.
- Improve architecture restrictions for the gdb test.
- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
- Explicitly list JIT architectures rather than relying on those with slowdebug builds
- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
- Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds
- Related: rhbz#2052809
* Fri Feb 11 2022 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.0.9-5
- Give javadoc-zip its own Provides, next to the plain javadoc ones
- Related: rhbz#2052809
* Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-4
- Fix FIPS issues in native code and with initialisation of java.security.Security
- Resolves: rhbz#2021559
* Thu Feb 10 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.14.0.9-3
- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
secmod.db file as part of nss
- Resolves: rhbz#2023534
* Mon Jan 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-2
- Update to jdk-11.0.14.0+9
- Update release notes to 11.0.14.0+9
- Switch to GA mode for final release.
- Resolves: rhbz#2039366
* Fri Jan 14 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.8-0.1.ea
- Update to jdk-11.0.14.0+8
- Update release notes to 11.0.14.0+8
- Resolves: rhbz#2022821
* Thu Jan 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.1-0.1.ea
- Update to jdk-11.0.14.0+1
- Update release notes to 11.0.14.0+1
- Switch to EA mode for 11.0.14 pre-release builds.
- Rename blacklisted.certs to blocked.certs following JDK-8253866
- Rebase RH1996182 login patch and drop redundant security policy extension after JDK-8269034
- Related: rhbz#2022821
* Thu Jan 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-5
- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
- Related: rhbz#2022821
* Wed Dec 01 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.13.0.8-4
- Replaced hardcoded 11 by featurever where appropriate
- Fixed comment of `for slowdebug` to correct `any debug`
- Related: rhbz#2022821
* Wed Oct 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-3 * Wed Oct 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-3
- Update to jdk-11.0.13.0+8 - Update to jdk-11.0.13.0+8
- Update release notes to 11.0.13.0+8 - Update release notes to 11.0.13.0+8
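Review bot: the new changelog entries contain typos: "alterntives" and "alterantives" in the 11.0.14.1.1-4 entry and "reisntall" in the 11.0.14.1.1-2 entry. The -4 entry also uses `--` continuation bullets and cites "Bug 2001567" and "Bug 1200302" in free text, while every other entry uses single `-` bullets and the `rhbz#` form; normalising these keeps the changelog searchable by bug id. The 11.0.14.1.1-6 entry turns off build-time NSS linking in favour of an explicit Requires on NSS with runtime detection for FIPS; it would help to state in the entry what happens when NSS is absent at runtime.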