import java-11-openjdk-11.0.12.0.7-0.el8_4

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/jdk-updates-jdk11u-jdk-11.0.11+9-4curve.tar.xz
+SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

.java-11-openjdk.metadata

@@ -1,2 +1,2 @@
-a339f6e108c16a23c47504565b602a6fc395bf2e SOURCES/jdk-updates-jdk11u-jdk-11.0.11+9-4curve.tar.xz
+7459fbf6c597831b6039c3a608048131cb637528 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

SOURCES/NEWS

@@ -3,6 +3,414 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 
+New in release OpenJDK 11.0.12 (2021-07-20):
+=============================================
+Live versions of these release notes can be found at:
+  * https://bitly.com/openjdk11012
+  * https://builds.shipilev.net/backports-monitor/release-notes-11.0.12.txt
+
+* Security fixes
+  - JDK-8256157: Improve bytecode assembly
+  - JDK-8256491: Better HTTP transport
+  - JDK-8258432, CVE-2021-2341: Improve file transfers
+  - JDK-8260453: Improve Font Bounding
+  - JDK-8260960: Signs of jarsigner signing
+  - JDK-8260967, CVE-2021-2369: Better jar file validation
+  - JDK-8262380: Enhance XML processing passes
+  - JDK-8262403: Enhanced data transfer
+  - JDK-8262410: Enhanced rules for zones
+  - JDK-8262477: Enhance String Conclusions
+  - JDK-8262967: Improve Zip file support
+  - JDK-8264066, CVE-2021-2388: Enhance compiler validation
+  - JDK-8264079: Improve abstractions
+  - JDK-8264460: Improve NTLM support
+* Other changes
+  - JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit
+  - JDK-7106851: Test should not use System.exit
+  - JDK-8073446: TimeZone getOffset API does not  return a dst offset between years 2038-2137
+  - JDK-8076190: Customizing the generation of a PKCS12 keystore
+  - JDK-8153005: Upgrade the default PKCS12 encryption/MAC algorithms
+  - JDK-8171303: sun/java2d/pipe/InterpolationQualityTest.java fails on Windows & Linux
+  - JDK-8177068: incomplete classpath causes NPE in Flow
+  - JDK-8185734: [Windows] Structured Exception Catcher missing around gtest execution
+  - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll
+  - JDK-8190763: Class cast exception on (CompoundEdit) UndoableEditEvent.getEdit()
+  - JDK-8195841: PNGImageReader.readNullTerminatedString() doesnt check for non-null terminated strings with length equal to maxLen
+  - JDK-8196100: javax/swing/text/JTextComponent/5074573/bug5074573.java fails
+  - JDK-8199646: JShell tests: jdk/jshell/FailOverDirectExecutionControlTest.java failed with java.lang.UnsupportedOperationException
+  - JDK-8206925: Support the certificate_authorities extension
+  - JDK-8207160: ClassReader::adjustMethodParams can potentially return null if the args list is empty
+  - JDK-8207247: AARCH64: Enable Minimal and Client VM builds
+  - JDK-8207404: MulticastSocket tests failing on AIX
+  - JDK-8207779: Method::is_valid_method() compares 'this' with NULL
+  - JDK-8208061: runtime/LoadClass/TestResize.java fails with "Load factor too high" when running in CDS mode.
+  - JDK-8209459: TestSHA512MultiBlockIntrinsics failed on AArch64
+  - JDK-8210443: Migrate Locale matching tests to JDK Repo.
+  - JDK-8213231: ThreadSnapshot::_threadObj can become stale
+  - JDK-8213483: ARM32: runtime/ErrorHandling/ShowRegistersOnAssertTest.java jtreg test fail
+  - JDK-8213725: JShell NullPointerException due to class file with unexpected package
+  - JDK-8213794: ARM32: disable TypeProfiling, CriticalJNINatives, Serviceablity tests for ARM32
+  - JDK-8213845: ARM32: Interpreter doesn't call result handler after native calls
+  - JDK-8214128: ARM32: wrong stack alignment on Deoptimization::unpack_frames
+  - JDK-8214512: ARM32: Jtreg test compiler/c2/Test8062950.java fails on ARM
+  - JDK-8214854: JDWP: Unforseen output truncation in logging
+  - JDK-8214922: Add vectorization support for fmin/fmax
+  - JDK-8215009: GCC 8 compilation error in libjli
+  - JDK-8216184: CDS/appCDS tests failed on Windows due to long path to a classlist file
+  - JDK-8216259: AArch64: Vectorize Adler32 intrinsics
+  - JDK-8216314: SIGILL in CodeHeapState::print_names()
+  - JDK-8217348: assert(thread->is_Java_thread()) failed: just checking
+  - JDK-8217465: [REDO] - Optimize CodeHeap Analytics
+  - JDK-8217561: X86: Add floating-point Math.min/max intrinsics
+  - JDK-8217918: C2: -XX:+AggressiveUnboxing is broken
+  - JDK-8218458: [TESTBUG] runtime/NMT/CheckForProperDetailStackTrace.java fails with Expected stack trace missing from output
+  - JDK-8219142: Remove unused JIMAGE_ResourcePath
+  - JDK-8219586: CodeHeap State Analytics processes dead nmethods
+  - JDK-8220074: Clean up GCC 8.3 errors in LittleCMS
+  - JDK-8220407: compiler/intrinsics/math/TestFpMinMaxIntrinsics.java timedout
+  - JDK-8222302: [TESTBUG]test/hotspot/jtreg/compiler/intrinsics/sha/cli/TestUseSHAOptionOnUnsupportedCPU.java fails on any other CPU
+  - JDK-8222412: AARCH64: multiple instructions encoding issues
+  - JDK-8223020: aarch64: expand minI_rReg and maxI_rReg patterns into separate instructions
+  - JDK-8223444: Improve CodeHeap Free Space Management
+  - JDK-8223504: Improve performance of forall loops by better inlining of "iterator()" methods
+  - JDK-8223667: ASAN build broken
+  - JDK-8225081: Remove Telia Company CA certificate expiring in April 2021
+  - JDK-8225116: Test OwnedWindowsLeak.java intermittently fails
+  - JDK-8225438: javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java failed with Read timed out
+  - JDK-8225756: [testbug] compiler/loopstripmining/CheckLoopStripMining.java sets too short a SafepointTimeoutDelay
+  - JDK-8226374: Restrict TLS signature schemes and named groups
+  - JDK-8226627: assert(t->singleton()) failed: must be a constant
+  - JDK-8226721: Missing intrinsics for Math.ceil, floor, rint
+  - JDK-8227080: (fs) Files.newInputStream(...).skip(n) is slow
+  - JDK-8227222: vmTestbase/jit/FloatingPoint/gen_math/Loops04/Loops04.java failed XMM register should be 0-15
+  - JDK-8227609: (fs) Files.newInputStream(...).skip(n) should allow skipping beyond file size
+  - JDK-8230428: Cleanup dead CastIP node code in formssel.cpp
+  - JDK-8231460: Performance issue (CodeHeap) with large free blocks
+  - JDK-8231713: x86_32 build failures after JDK-8226721 (Missing intrinsics for Math.ceil, floor, rint)
+  - JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns
+  - JDK-8232084: HotSpot build failed with GCC 9.2.1
+  - JDK-8232591: AArch64: Add missing match rules for smaddl, smsubl and smnegl
+  - JDK-8233185: HttpServer.stop() blocks indefinitely when called on dispatch thread
+  - JDK-8233787: Break cycle in vm_version* includes
+  - JDK-8233948: AArch64: Incorrect mapping between OptoReg and VMReg for high 64 bits of Vector Register
+  - JDK-8234355: Buffer overflow in jcmd GC.class_stats due to too many classes
+  - JDK-8235368: Update BCEL to Version 6.4.1
+  - JDK-8236859: WebSocket over authenticating proxy fails with NPE
+  - JDK-8236992: AArch64: remove redundant load_klass in itable stub
+  - JDK-8237743: test/langtools/jdk/jshell/FailOverExecutionControlTest.java fails No ExecutionControlProvider with name 'nonExistent' and parameter keys: []
+  - JDK-8237804: sun/security/mscapi tests fail with "Key pair not generated, alias <nnnnnn> already exists"
+  - JDK-8238175: CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class
+  - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers
+  - JDK-8238812: assert(false) failed: bad AD file
+  - JDK-8239312: [macos] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java
+  - JDK-8239386: handle ContendedPaddingWidth in vm_version_aarch64
+  - JDK-8239536: Can't use `java.util.List` object after importing `java.awt.List`
+  - JDK-8240487: Cleanup whitespace in .cc, .hh, .m, and .mm files
+  - JDK-8240848: ArrayIndexOutOfBoundsException buf for TextCallbackHandler
+  - JDK-8241082: Upgrade IANA Language Subtag Registry data to 03-16-2020 version
+  - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873
+  - JDK-8241101: [s390] jtreg test failure after JDK-8238696: not conformant features string
+  - JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)
+  - JDK-8241372: Several test failures due to javax.net.ssl.SSLException: Connection reset
+  - JDK-8241475: AArch64: Add missing support for PopCountVI node
+  - JDK-8241829: Cleanup the code for PrinterJob on windows
+  - JDK-8241960: The SHA3 message digests impl of SUN provider are not thread safe after cloned
+  - JDK-8242010: Upgrade IANA Language Subtag Registry to Version 2020-04-01
+  - JDK-8242429: Better implementation for sign extract
+  - JDK-8242557: Add length limit for strings in PNGImageWriter
+  - JDK-8242919: Paste locks up jshell
+  - JDK-8243155: AArch64: Add support for SqrtVF
+  - JDK-8243240: AArch64: Add support for MulVB
+  - JDK-8243452: JFR: Could not create chunk in repository with over 200 recordings
+  - JDK-8243559: Remove root certificates with 1024-bit keys
+  - JDK-8243597: AArch64: Add support for integer vector abs
+  - JDK-8244031: HttpClient should have more tests for HEAD requests
+  - JDK-8244205: HTTP/2 tunnel connections through proxy may be reused regardless of which proxy is selected
+  - JDK-8244847: Linux/PPC: runtime/CompressedOops/CompressedClassPointers: smallHeapTest fails
+  - JDK-8245511: G1 adaptive IHOP does not account for reclamation of humongous objects by young GC
+  - JDK-8246274: G1 old gen allocation tracking is not in a separate class
+  - JDK-8247354: [aarch64] PopFrame causes assert(oopDesc::is_oop(obj)) failed: not an oop
+  - JDK-8247408: IdealGraph bit check expression canonicalization
+  - JDK-8247432: Update IANA Language Subtag Registry to Version 2020-09-29
+  - JDK-8247438: JShell: When FailOverExecutionControlProvider fails the proximal cause is not shown
+  - JDK-8247753: UIManager.getSytemLookAndFeelClassName() returns wrong value on Fedora 32
+  - JDK-8248043: Need to eliminate excessive i2l conversions
+  - JDK-8248411: [aarch64] Insufficient error handling when CodeBuffer is exhausted
+  - JDK-8248568: compiler/c2/TestBit.java failed: test missing from stdout/stderr
+  - JDK-8248870: AARCH64: I2L/L2I conversions can be skipped for masked positive values
+  - JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable
+  - JDK-8249189: AARCH64: more L2I conversions can be skipped
+  - JDK-8249719: MethodHandle performance suffers from bad ResolvedMethodTable hash function
+  - JDK-8249875: GCC 10 warnings -Wtype-limits with JFR code
+  - JDK-8250635: MethodArityHistogram should use Compile_lock in favour of fancy checks
+  - JDK-8250876: Fix issues with cross-compile on macos
+  - JDK-8251031: Some vmTestbase/nsk/monitoring/RuntimeMXBean tests fail with hostnames starting from digits
+  - JDK-8251525: AARCH64: Faster Math.signum(fp)
+  - JDK-8252259: AArch64: Adjust default value of FLOATPRESSURE
+  - JDK-8252311: AArch64: save two words in itable lookup stub
+  - JDK-8252779: compiler/graalunit/HotspotTest.java failed after 8251525
+  - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows
+  - JDK-8253167: ARM32 builds fail after JDK-8247910
+  - JDK-8253572: [windows] CDS archive may fail to open with long file names
+  - JDK-8253923: C2 doesn't always run loop opts for compilations that include loops
+  - JDK-8253948: Memory leak in ImageFileReader
+  - JDK-8254631: Better support ALPN byte wire values in SunJSSE
+  - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards
+  - JDK-8255086: Update the root locale display names
+  - JDK-8255625: AArch64: Implement Base64.encodeBlock accelerator/intrinsic
+  - JDK-8255763: C2: OSR miscompilation caused by invalid memory instruction placement
+  - JDK-8255992: JFR EventWriter does not use first string from StringPool with id 0
+  - JDK-8256037: [TESTBUG] com/sun/jndi/dns/ConfigTests/PortUnreachable.java fails due to the hard coded threshold is small
+  - JDK-8256244: java/lang/ProcessHandle/PermissionTest.java fails with TestNG 7.1
+  - JDK-8256287: [windows] add loop fuse to map_or_reserve_memory_aligned
+  - JDK-8256523: Streamline Java SHA2 implementation
+  - JDK-8257414: Drag n Drop target area is wrong on high DPI systems
+  - JDK-8257569: Failure observed with JfrVirtualMemory::initialize
+  - JDK-8257574: C2: "failed: parsing found no loops but there are some" assert failure
+  - JDK-8257580: Bump update version for OpenJDK: jdk-11.0.12
+  - JDK-8257604: JNI_ArgumentPusherVaArg leaks valist
+  - JDK-8257621: JFR StringPool misses cached items across consecutive recordings
+  - JDK-8257796: [TESTBUG] TestUseSHA512IntrinsicsOptionOnSupportedCPU.java fails on x86_32
+  - JDK-8257822: C2 crashes with SIGFPE due to a division that floats above its zero check
+  - JDK-8257828: SafeFetch may crash if invoked in non-JavaThreads
+  - JDK-8257853: Remove dependencies on JNF's JNI utility functions in AWT and 2D code
+  - JDK-8257858: [macOS]: Remove JNF dependency from libosxsecurity/KeystoreImpl.m
+  - JDK-8257860: [macOS]: Remove JNF dependency from libosxkrb5/SCDynamicStoreConfig.m
+  - JDK-8257988: Remove JNF dependency from libsaproc/MacosxDebuggerLocal.m
+  - JDK-8258414: OldObjectSample events too expensive
+  - JDK-8258505: [TESTBUG] TestDivZeroWithSplitIf.java fails due to missing UnlockDiagnosticVMOptions
+  - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues
+  - JDK-8259061: C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it
+  - JDK-8259227: C2 crashes with SIGFPE due to a division that floats above its zero check
+  - JDK-8259232: Bad JNI lookup during printing
+  - JDK-8259276: C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization
+  - JDK-8259343: [macOS] Update JNI error handling in Cocoa code.
+  - JDK-8259585: Accessible actions do not work on mac os x
+  - JDK-8259651: [macOS] Replace JNF_COCOA_ENTER/EXIT macros
+  - JDK-8259662: Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl
+  - JDK-8259710: Inlining trace leaks memory
+  - JDK-8259729: Missed JNFInstanceOf -> IsInstanceOf conversion
+  - JDK-8259777: Incorrect predication condition generated by ADLC
+  - JDK-8259786: initialize last parameter of getpwuid_r
+  - JDK-8259843: initialize dli_fname array before calling dll_address_to_library_name
+  - JDK-8259869: [macOS] Remove desktop module dependencies on JNF Reference APIs
+  - JDK-8259886: Improve SSL session cache performance and scalability
+  - JDK-8259983: do not use uninitialized expand_ms value in G1CollectedHeap::expand_heap_after_young_collection
+  - JDK-8260030: Improve stringStream buffer handling
+  - JDK-8260236: better init AnnotationCollector _contended_group
+  - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized
+  - JDK-8260284: C2: assert(_base == Int) failed: Not an Int
+  - JDK-8260380: Upgrade to LittleCMS 2.12
+  - JDK-8260420: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint
+  - JDK-8260426: awt debug_mem.c DMem_AllocateBlock might leak memory
+  - JDK-8260432: allocateSpaceForGP in freetypeScaler.c might leak memory
+  - JDK-8260616: Removing remaining JNF dependencies in the java.desktop module
+  - JDK-8260653: Unreachable nodes keep speculative types alive
+  - JDK-8260707: java/lang/instrument/PremainClass/InheritAgent0100.java times out
+  - JDK-8260925: HttpsURLConnection does not work  with other JSSE provider.
+  - JDK-8260926: Trace resource exhausted events unconditionally
+  - JDK-8261020: Wrong format parameter in create_emergency_chunk_path
+  - JDK-8261027: AArch64: Support for LSE atomics C++ HotSpot code
+  - JDK-8261167: print_process_memory_info add a close call after fopen
+  - JDK-8261170: Upgrade to freetype 2.10.4
+  - JDK-8261198: [macOS] Incorrect JNI parameters in number conversion in A11Y code
+  - JDK-8261235: C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check
+  - JDK-8261261: The version extra fields needs to be overridable in jib-profiles.js
+  - JDK-8261262: Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION
+  - JDK-8261354: SIGSEGV at MethodIteratorHost
+  - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding
+  - JDK-8261397: try catch Method failing to work when dividing an integer by 0
+  - JDK-8261422: Adjust problematic String.format calls in jdk/internal/util/Preconditions.java outOfBoundsMessage
+  - JDK-8261447: MethodInvocationCounters frequently run into overflow
+  - JDK-8261481: Cannot read Kerberos settings in dynamic store on macOS Big Sur
+  - JDK-8261505: Test test/hotspot/jtreg/gc/parallel/TestDynShrinkHeap.java killed by Linux OOM Killer
+  - JDK-8261601: free memory in early return in Java_sun_nio_ch_sctp_SctpChannelImpl_receive0
+  - JDK-8261649: AArch64: Optimize LSE atomics in C++ code
+  - JDK-8261730: C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge
+  - JDK-8261752: Multiple GC test are missing memory requirements
+  - JDK-8261791: (sctp) handleSendFailed in SctpChannelImpl.c potential leaks
+  - JDK-8261812: C2 compilation fails with assert(!had_error) failed: bad dominance
+  - JDK-8261914: IfNode::fold_compares_helper faces non-canonicalized bool when running JRuby JSON workload
+  - JDK-8262093: java/util/concurrent/tck/JSR166TestCase.java failed "assert(false) failed: unexpected node"
+  - JDK-8262110: DST starts from incorrect time in 2038
+  - JDK-8262121: [11u] Redo 8244287: JFR: Methods samples have line number 0
+  - JDK-8262163: Extend settings printout in jcmd VM.metaspace
+  - JDK-8262295: C2: Out-of-Bounds Array Load from Clone Source
+  - JDK-8262298: G1BarrierSetC2::step_over_gc_barrier fails with assert "bad barrier shape"
+  - JDK-8262446: DragAndDrop hangs on Windows
+  - JDK-8262461: handle wcstombsdmp return value correctly in unix awt_InputMethod.c
+  - JDK-8262465: Very long compilation times and high memory consumption in C2 debug builds
+  - JDK-8262726: AArch64: C1 StubAssembler::call_RT can corrupt stack
+  - JDK-8262739: String inflation C2 intrinsic prevents insertion of anti-dependencies
+  - JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames()
+  - JDK-8262837: handle split_USE correctly
+  - JDK-8262900: ToolBasicTest fails to access HTTP server it starts
+  - JDK-8263260: [s390] Support latest hardware (z14 and z15)
+  - JDK-8263311: Watch registry changes for remote printers update instead of polling
+  - JDK-8263361: Incorrect arraycopy stub selected by C2 for SATB collectors
+  - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
+  - JDK-8263425: AArch64: two potential bugs in C1 LIRGenerator::generate_address()
+  - JDK-8263448: CTW: fatal error: meet not symmetric
+  - JDK-8263504: Some OutputMachOpcodes fields are uninitialized
+  - JDK-8263557: Possible NULL dereference in Arena::destruct_contents()
+  - JDK-8263558: Possible NULL dereference in fast path arena free if ZapResourceArea is true
+  - JDK-8263676: AArch64: one potential bug in C1 LIRGenerator::generate_address()
+  - JDK-8263729: [test] divert spurious output away from stream under test in ProcessBuilder Basic test
+  - JDK-8263846: Bad JNI lookup getFocusOwner in accessibility code on Mac OS X
+  - JDK-8264047: Duplicate global variable 'jvm' in libjavajpeg and libawt
+  - JDK-8264096: slowdebug jvm crashes when StrInflatedCopy match rule is not supported
+  - JDK-8264151: ciMethod::ensure_method_data() should return false is loading resulted in empty state
+  - JDK-8264173: [s390] Improve Hardware Feature Detection And Reporting
+  - JDK-8264190: Harden TLS interop tests
+  - JDK-8264223: CodeHeap::verify fails extra_hops assertion in fastdebug test
+  - JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java
+  - JDK-8264360: Loop strip mining verification fails with "should be on the backedge"
+  - JDK-8264626: C1 should be able to inline excluded methods
+  - JDK-8264640: CMS ParScanClosure misses a barrier
+  - JDK-8264786: [macos] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched
+  - JDK-8264821: DirectIOTest fails on a system with large block size
+  - JDK-8264848: [macos] libjvm.dylib linker warning due to macOS version mismatch
+  - JDK-8264923: PNGImageWriter.write_zTXt throws Exception with a typo
+  - JDK-8264958: C2 compilation fails with assert "n is later than its clone"
+  - JDK-8265099: Revert backport to 11u of 8236859: WebSocket over authenticating proxy fails with NPE
+  - JDK-8265154: vinserti128 operand mix up for KNL platforms
+  - JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1
+  - JDK-8265417: Backport of JDK-8249672 breaks Solaris x86 build
+  - JDK-8265421: java/lang/String/StringRepeat.java test is missing a memory requirement
+  - JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod
+  - JDK-8265537: x86 version string truncated after JDK-8249672 11u backport
+  - JDK-8265666: Enable AIX build platform to make external debug symbols
+  - JDK-8265677: CMS: CardTableBarrierSet::write_ref_array_work() lacks storestore barrier
+  - JDK-8265690: Use the latest Ubuntu base image version in Docker testing
+  - JDK-8265718: Build failure after JDK-8258414 11u backport
+  - JDK-8265750: Fatal error in safepoint.cpp after backport of 8258414
+  - JDK-8265784: [C2] Hoisting of DecodeN leaves MachTemp inputs behind
+  - JDK-8265938: C2's conditional move optimization does not handle top Phi
+  - JDK-8266220: keytool still prompt for store password on a password-less pkcs12 file if -storetype pkcs12 is specified
+  - JDK-8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"
+  - JDK-8266713: [AIX] Build failure after 11u backport of JDK-8247753
+  - JDK-8266802: Shenandoah: Round up region size to page size unconditionally
+  - JDK-8266892: avoid maybe-uninitialized gcc warnings on linux s390x
+  - JDK-8266929: Unable to use algorithms from 3p providers
+  - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash
+  - JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC
+  - JDK-8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u
+  - JDK-8267641: [11u] 8227609 backport typo
+  - JDK-8267721: Enable sun/security/pkcs11 tests for Amazon Linux 2 AArch64
+  - JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8215293: Customizing PKCS12 keystore Generation
+===================================================
+New system and security properties have been added to enable users to
+customize the generation of PKCS #12 keystores. This includes
+algorithms and parameters for key protection, certificate protection,
+and MacData. The detailed explanation and possible values for these
+properties can be found in the "PKCS12 KeyStore properties" section of
+the `java.security` file.
+
+Also, support for the following SHA-2 based HmacPBE algorithms has
+been added to the SunJCE provider:
+
+* HmacPBESHA224
+* HmacPBESHA256
+* HmacPBESHA384
+* HmacPBESHA512
+* HmacPBESHA512/224
+* HmacPBESHA512/256
+
+JDK-8256902: Removed Root Certificates with 1024-bit Keys
+=========================================================
+The following root certificates with weak 1024-bit RSA public keys
+have been removed from the `cacerts` keystore:
+
+Alias Name: thawtepremiumserverca [jdk]
+Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
+
+Alias Name: verisignclass2g2ca [jdk]
+Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+
+Alias Name: verisignclass3ca [jdk]
+Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
+
+Alias Name: verisignclass3g2ca [jdk]
+Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+
+Alias Name: verisigntsaca [jdk]
+Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
+
+JDK-8261361: Removed Telia Company's Sonera Class2 CA certificate
+=================================================================
+
+The following root certificate have been removed from the cacerts truststore:
+
+Alias Name: soneraclass2ca
+Distinguished Name: CN=Sonera Class2 CA, O=Sonera, C=FI
+
+JDK-8242069: Upgraded the Default PKCS12 Encryption and MAC Algorithms
+======================================================================
+The default encryption and MAC algorithms used in a PKCS #12 keystore
+have been updated. The new algorithms are based on AES-256 and SHA-256
+and are stronger than the old algorithms that were based on RC2,
+DESede, and SHA-1. See the security properties starting with
+`keystore.pkcs12` in the `java.security` file for detailed
+information.
+
+For compatibility, a new system property named
+`keystore.pkcs12.legacy` is defined that will revert the algorithms to
+use the older, weaker algorithms. There is no value defined for this
+property.
+
+security-libs/javax.net.ssl:
+
+JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values
+=========================================================================================
+Certain TLS ALPN values couldn't be properly read or written by the
+SunJSSE provider. This is due to the choice of Strings as the API
+interface and the undocumented internal use of the UTF-8 Character Set
+which converts characters larger than U+00007F (7-bit ASCII) into
+multi-byte arrays that may not be expected by a peer.
+
+ALPN values are now represented using the network byte representation
+expected by the peer, which should require no modification for
+standard 7-bit ASCII-based character Strings. However, SunJSSE now
+encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1
+characters.  This means applications that used characters above
+U+000007F that were previously encoded using UTF-8 may need to either
+be modified to perform the UTF-8 conversion, or set the Java security
+property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior.
+
+See the updated guide at
+https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html
+for more information.
+
+JDK-8244460: Support for certificate_authorities Extension
+==========================================================
+The "certificate_authorities" extension is an optional extension
+introduced in TLS 1.3. It is used to indicate the certificate
+authorities (CAs) that an endpoint supports and should be used by the
+receiving endpoint to guide certificate selection.
+
+With this JDK release, the "certificate_authorities" extension is
+supported for TLS 1.3 in both the client and the server sides.  This
+extension is always present for client certificate selection, while it
+is optional for server certificate selection.
+
+Applications can enable this extension for server certificate
+selection by setting the `jdk.tls.client.enableCAExtension` system
+property to `true`.  The default value of the property is `false`.
+
+Note that if the client trusts more CAs than the size limit of the
+extension (less than 2^16 bytes), the extension is not enabled.  Also,
+some server implementations do not allow handshake messages to exceed
+2^14 bytes.  Consequently, there may be interoperability issues when
+`jdk.tls.client.enableCAExtension` is set to `true` and the client
+trusts more CAs than the server implementation limit.
+
 New in release OpenJDK 11.0.11 (2021-04-20):
 =============================================
 Live versions of these release notes can be found at:

SOURCES/TestSecurityProperties.java

@@ -0,0 +1,43 @@
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.Security;
+import java.util.Properties;
+
+public class TestSecurityProperties {
+    // JDK 11
+    private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
+    // JDK 8
+    private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+
+    public static void main(String[] args) {
+        Properties jdkProps = new Properties();
+        loadProperties(jdkProps);
+        for (Object key: jdkProps.keySet()) {
+            String sKey = (String)key;
+            String securityVal = Security.getProperty(sKey);
+            String jdkSecVal = jdkProps.getProperty(sKey);
+            if (!securityVal.equals(jdkSecVal)) {
+                String msg = "Expected value '" + jdkSecVal + "' for key '" + 
+                             sKey + "'" + " but got value '" + securityVal + "'";
+                throw new RuntimeException("Test failed! " + msg);
+            } else {
+                System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+            }
+        }
+        System.out.println("TestSecurityProperties PASSED!");
+    }
+    
+    private static void loadProperties(Properties props) {
+        String javaVersion = System.getProperty("java.version");
+        System.out.println("Debug: Java version is " + javaVersion);
+        String propsFile = JDK_PROPS_FILE_JDK_11;
+        if (javaVersion.startsWith("1.8.0")) {
+            propsFile = JDK_PROPS_FILE_JDK_8;
+        }
+        try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+            props.load(fin);
+        } catch (Exception e) {
+            throw new RuntimeException("Test failed!", e);
+        }
+    }
+}

SPECS/java-11-openjdk.spec

@@ -173,10 +173,8 @@
 %endif
 
 # If you disable both builds, then the build fails
-# Note that the debug build requires the normal build for docs
+# Build and test slowdebug first as it provides the best diagnostics
-%global build_loop %{normal_build} %{fastdebug_build} %{slowdebug_build}
+%global build_loop  %{slowdebug_build} %{fastdebug_build} %{normal_build}
-# Test slowdebug first as it provides the best diagnostics
-%global rev_build_loop  %{slowdebug_build} %{fastdebug_build} %{normal_build}
 
 %if %{include_staticlibs}
 %global staticlibs_loop %{staticlibs_suffix}
@@ -291,7 +289,7 @@
 # New Version-String scheme-style defines
 %global featurever 11
 %global interimver 0
-%global updatever 11
+%global updatever 12
 %global patchver 0
 # If you bump featurever, you must bump also vendor_version_string
 # Used via new version scheme. JDK 11 was
@@ -338,8 +336,8 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        9
+%global buildver        7
-%global rpmrelease      2
+%global rpmrelease      0
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@@ -1197,12 +1195,15 @@ Source13: TestCryptoLevel.java
 # Ensure ECDSA is working
 Source14: TestECDSA.java
 
-# nss fips configuration file
+# Verify system crypto (policy) can be disabled via a property
-Source15: nss.fips.cfg.in
+Source15: TestSecurityProperties.java
 
 # Ensure vendor settings are correct
 Source16: CheckVendor.java
 
+# nss fips configuration file
+Source17: nss.fips.cfg.in
+
 ############################################
 #
 # RPM/distribution specific patches
@@ -1606,10 +1607,6 @@ if [ %{include_debug_build} -eq 0 -a  %{include_normal_build} -eq 0 -a  %{includ
   echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
   exit 14
 fi
-if [ %{include_normal_build} -eq 0 ] ; then
-  echo "You have disabled the normal build, but this is required to provide docs for the debug build."
-  exit 15
-fi
 %setup -q -c -n %{uniquesuffix ""} -T -a 0
 # https://bugzilla.redhat.com/show_bug.cgi?id=1189084
 prioritylength=`expr length %{priority}`
@@ -1690,7 +1687,7 @@ done
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
 
 # Setup nss.fips.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE15} > nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
 sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
 
 %build
@@ -1711,9 +1708,8 @@ export CFLAGS="$CFLAGS -mieee"
 
 # We use ourcppflags because the OpenJDK build seems to
 # pass EXTRA_CFLAGS to the HotSpot C++ compiler...
-# Explicitly set the C++ standard as the default has changed on GCC >= 6
+EXTRA_CFLAGS="%ourcppflags -Wno-error"
-EXTRA_CFLAGS="%ourcppflags -std=gnu++98 -Wno-error -fno-delete-null-pointer-checks -fno-lifetime-dse"
+EXTRA_CPP_FLAGS="%ourcppflags"
-EXTRA_CPP_FLAGS="%ourcppflags -std=gnu++98 -fno-delete-null-pointer-checks -fno-lifetime-dse"
 
 %ifarch %{power64} ppc
 # fix rpmlint warnings
@@ -1847,7 +1843,7 @@ done # end of release / debug cycle loop
 %check
 
 # We test debug first as it will give better diagnostics on a crash
-for suffix in %{rev_build_loop} ; do
+for suffix in %{build_loop} ; do
 
 top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
 %if %{include_staticlibs}
@@ -1869,6 +1865,10 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
 $JAVA_HOME/bin/javac -d . %{SOURCE14}
 $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
 
+# Check system crypto (policy) can be disabled
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+
 # Check correct vendor values have been set
 $JAVA_HOME/bin/javac -d . %{SOURCE16}
 $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}"
@@ -2343,6 +2343,31 @@ end
 %endif
 
 %changelog
+* Tue Jul 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-0
+- Update to jdk-11.0.12.0+7
+- Update release notes to 11.0.12.0+7
+- Switch to GA mode for final release.
+- This tarball is embargoed until 2021-07-20 @ 1pm PT.
+- Resolves: rhbz#1972395
+
+* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.6-0.0.ea
+- Update to jdk-11.0.12.0+6
+- Update release notes to 11.0.12.0+6
+- Switch to EA mode for 11.0.12 pre-release builds.
+- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed)
+- Re-order source files to sync with Fedora.
+- Remove explicit compiler flags which should be handled by the upstream build
+  (-std=gnu++98, -fno-delete-null-pointer-checks, -fno-lifetime-dse)
+- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
+- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
+- Correct bug ID JDK-8264846 to intended ID of JDK-8264848
+- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change
+- Resolves: rhbz#1972395
+
+* Mon Jun 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.12.0.6-0.0.ea
+- Add a test verifying system crypto policies can be disabled
+- Resolves: rhbz#1972395
+
 * Thu Apr 15 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-2
 - Require tzdata 2021a to match upstream change JDK-8260356
 - Resolves: rhbz#1942310