From 237e790af47a6dd21f712b9ec531719cba62451b Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Mon, 30 Mar 2026 10:35:25 -0400 Subject: [PATCH] import CS java-17-openjdk-17.0.18.0.8-2.el9 --- .gitignore | 2 +- .java-17-openjdk.metadata | 2 +- SOURCES/NEWS | 4888 ++++++++++++++++- SOURCES/README.md | 41 + ...3226f.patch => fips-17u-e1780dd5d39.patch} | 1748 +++++- SOURCES/java-17-openjdk-portable.specfile | 2731 +++++++++ ...va_access_bridge_privileged_security.patch | 20 - ...eg_turbo_1_4_compat_for_jdk10_and_up.patch | 19 - SPECS/java-17-openjdk.spec | 1166 ++-- 9 files changed, 9953 insertions(+), 664 deletions(-) create mode 100644 SOURCES/README.md rename SOURCES/{fips-17u-72d08e3226f.patch => fips-17u-e1780dd5d39.patch} (79%) create mode 100644 SOURCES/java-17-openjdk-portable.specfile delete mode 100644 SOURCES/rh1648644-java_access_bridge_privileged_security.patch delete mode 100644 SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch diff --git a/.gitignore b/.gitignore index cee4799..ebe3a81 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz +SOURCES/openjdk-17.0.18+8.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/.java-17-openjdk.metadata b/.java-17-openjdk.metadata index f03aebb..03fdec4 100644 --- a/.java-17-openjdk.metadata +++ b/.java-17-openjdk.metadata @@ -1,2 +1,2 @@ -95213324016613e314e5c97dc87f31a0576df00c SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz +42959b06cbb8f537c9c4a6fca941685937df4d45 SOURCES/openjdk-17.0.18+8.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 3104608..52c9a4f 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,12 +3,4841 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 17.0.18 (2026-01-20): +============================================ +Live versions of these release notes can be found at: + * https://bit.ly/openjdk17018 + +* CVEs + - CVE-2026-21925 + - CVE-2026-21932 + - CVE-2026-21933 + - CVE-2026-21945 +* Changes + - JDK-7124287: [macosx] JTableHeader doesn't get focus after pressing F8 key + - JDK-7191877: TEST_BUG: java/rmi/transport/checkLeaseInfoLeak/CheckLeaseLeak.java failing intermittently + - JDK-8139228: JFileChooser renders file names as HTML document + - JDK-8139392: JInternalFrame has incorrect padding + - JDK-8140527: JInternalFrame has incorrect title button width + - JDK-8201183: sjavac build failures: "Connection attempt failed: Connection refused" + - JDK-8201778: Speed up test javax/net/ssl/DTLS/PacketLossRetransmission.java + - JDK-8204868: java/util/zip/ZipFile/TestCleaner.java still fails with "cleaner failed to clean zipfile." + - JDK-8210807: Printing a JTable with a JScrollPane prints table without rows populated + - JDK-8219408: Tests should handle ${} in the view of jtreg "smart action" + - JDK-8230016: re-visit test sun/security/pkcs11/Serialize/SerializeProvider.java + - JDK-8236907: JTable added to nested panels does not paint last visible row + - JDK-8245545: Disable TLS_RSA cipher suites + - JDK-8252329: runtime/LoadClass/TestResize.java timed out + - JDK-8257810: Only First page are printed in JTable.scrollRectToVisible + - JDK-8265429: Improve GCM encryption + - JDK-8270083: -Wnonnull errors happen with GCC 11.1.1 + - JDK-8277424: javax/net/ssl/TLSCommon/TLSTest.java fails with connection refused + - JDK-8281440: AWT: Conversion from string literal loses const qualifier + - JDK-8281523: Accessibility: Conversion from string literal loses const qualifier + - JDK-8281525: Enable Zc:strictStrings flag in Visual Studio build + - JDK-8281682: Redundant .ico files in Windows app-image cause unnecessary bloat + - JDK-8282047: Enhance StringDecode/Encode microbenchmarks + - JDK-8283544: HttpClient GET method adds Content-Length: 0 header + - JDK-8285915: failure_handler: gather the contents of /etc/hosts file + - JDK-8286159: Memory leak in getAllConfigs of awt_GraphicsEnv.c:585 + - JDK-8286447: [Linux] AWT should start in Headless mode if headful AWT library not installed + - JDK-8287401: jpackage tests failing on Windows due to powershell issue + - JDK-8288109: HttpExchangeImpl.setAttribute does not allow null value after JDK-8266897 + - JDK-8288180: C2: VectorPhase must ensure that SafePointNode memory input is a MergeMemNode + - JDK-8290557: tools/jpackage/share/AddLauncherTest.java#id1 failed with "ERROR: Failed: Check icon file" + - JDK-8292043: Incorrect decoding near EOF for stateful decoders like UTF-16 + - JDK-8292214: Memory leak in getAllConfigs of awt_GraphicsEnv.c:386 + - JDK-8294314: Minimize disabled warnings in hotspot + - JDK-8294591: Fix cast-function-type warning in TemplateTable + - JDK-8294594: Fix cast-function-type warnings in signal handling code + - JDK-8294680: Refactor scaled border rendering + - JDK-8295301: Problem list TrayIcon tests that fail on Ubuntu 22.04 + - JDK-8295991: java/net/httpclient/CancelRequestTest.java fails intermittently + - JDK-8296489: tools/jpackage/windows/WinL10nTest.java fails with timeout + - JDK-8297302: gtest/AsyncLogGtest.java fails AsyncLogTest.stdoutOutput_vm + - JDK-8297531: sun/security/krb5/MicroTime.java fails with "Exception: What? only 100 musec precision?" + - JDK-8297936: Use reachabilityFence to manage liveness in ClassUnload tests + - JDK-8299278: tools/jpackage/share/AddLauncherTest.java#id1 failed AddLauncherTest.bug8230933 + - JDK-8299325: java/net/httpclient/CancelRequestTest.java fails "test CancelRequestTest.testGetSendAsync("https://localhost:46509/https1/x/same/interrupt", true, true)" + - JDK-8299553: Make ScaledEtchedBorderTest.java comprehensive + - JDK-8302838: jabswitch main() should avoid calling exit explicitly + - JDK-8303089: [jittester] Add time limit to IRTree generation + - JDK-8303959: tools/jpackage/share/RuntimePackageTest.java fails with java.lang.AssertionError missing files + - JDK-8304163: Move jdk.internal.module.ModuleInfoWriter to the test library + - JDK-8304811: vmTestbase/vm/mlvm/indy/func/jvmti/stepBreakPopReturn/INDIFY_Test.java fails with JVMTI_ERROR_TYPE_MISMATCH + - JDK-8305186: Reference.waitForReferenceProcessing should be more accessible to tests + - JDK-8305567: serviceability/tmtools/jstat/GcTest01.java failed utils.JstatGcResults.assertConsistency + - JDK-8305778: javax/swing/JTableHeader/6884066/bug6884066.java: Unexpected header's value; index = 4 value = E + - JDK-8308633: Increase precision of timestamps in g1 log + - JDK-8308780: Fix the Java Integer types on Windows + - JDK-8310049: Refactor Charset tests to use JUnit + - JDK-8310915: Typo in aarch64.ad: "envcodings" + - JDK-8311588: C2: RepeatCompilation compiler directive does not choose stress seed randomly + - JDK-8313355: javax/management/remote/mandatory/notif/ListenerScaleTest.java failed with "Exception: Failed: ratio=792.2791601423487" + - JDK-8313770: jdk/internal/platform/docker/TestSystemMetrics.java fails on Ubuntu + - JDK-8314136: Test java/net/httpclient/CancelRequestTest.java failed: WARNING: tracker for HttpClientImpl(42) has outstanding operations + - JDK-8314319: LogCompilation doesn't reset lateInlining when it encounters a failure. + - JDK-8317264: Pattern.Bound has `static` fields that should be `static final`. + - JDK-8317970: Bump target macosx-x64 version to 11.00.00 + - JDK-8318467: [jmh] tests concurrent.Queues and concurrent.ProducerConsumer hang with 101+ threads + - JDK-8318613: ChoiceFormat patterns are not well tested + - JDK-8318730: MonitorVmStartTerminate.java still times out after JDK-8209595 + - JDK-8320836: jtreg gtest runs should limit heap size + - JDK-8322135: Printing JTable in Windows L&F throws InternalError: HTHEME is null + - JDK-8322140: javax/swing/JTable/JTableScrollPrintTest.java does not print the rows and columns of the table in Nimbus and Aqua LookAndFeel + - JDK-8324065: Daylight saving information for `Africa/Casablanca` are incorrect + - JDK-8324491: Keyboard layout didn't keep its state if it was changed when dialog was active + - JDK-8324861: Exceptions::wrap_dynamic_exception() doesn't have ResourceMark + - JDK-8325647: [IR framework] Only prints stdout if exitCode is 134 + - JDK-8325766: Extend CertificateBuilder to create trust and end entity certificates programmatically + - JDK-8327071: [Testbug] g-tests for cgroup leave files in /tmp on linux + - JDK-8327180: Failed: java/io/ObjectStreamClass/ObjectStreamClassCaching.java#G1 + - JDK-8327434: Test java/util/PluggableLocale/TimeZoneNameProviderTest.java timed out + - JDK-8327748: Convert javax/swing/JFileChooser/6798062/bug6798062.java applet test to main + - JDK-8327757: Convert javax/swing/JSlider/6524424/bug6524424.java applet to main + - JDK-8327856: Convert applet test SpanishDiacriticsTest.java to a main program + - JDK-8327980: Convert javax/swing/JToggleButton/4128979/bug4128979.java applet test to main + - JDK-8328124: Convert java/awt/Frame/ShownOnPack/ShownOnPack.html applet test to main + - JDK-8328247: Remove redundant dir for tests converted from applet to main + - JDK-8328299: Convert DnDFileGroupDescriptor.html applet test to main + - JDK-8328377: Convert java/awt/Cursor/MultiResolutionCursorTest test to main + - JDK-8328562: Convert java/awt/InputMethods/DiacriticsTest/DiacriticsTest.java applet test to main + - JDK-8331231: containers/docker/TestContainerInfo.java fails + - JDK-8331977: Crash: SIGSEGV in dlerror() + - JDK-8332271: Reading data from the clipboard from multiple threads crashes the JVM + - JDK-8333526: Restructure java/nio/channels/DatagramChannel/StressNativeSignal.java to a fail fast exception handling policy + - JDK-8333569: jpackage tests must run app launchers with retries on Linux only + - JDK-8333783: java/nio/channels/FileChannel/directio/DirectIOTest.java is unstable with AV software + - JDK-8334771: [TESTBUG] Run TestDockerMemoryMetrics.java with -Xcomp fails exitValue = 137 + - JDK-8335986: Test javax/swing/JCheckBox/4449413/bug4449413.java fails on Windows 11 x64 because RBMenuItem's and CBMenuItem's checkmark on the left side are not visible + - JDK-8337723: Remove redundant tests from com/sun/security/sasl/gsskerb + - JDK-8338428: Add logging of final VM flags while setting properties + - JDK-8338740: java/net/httpclient/HttpsTunnelAuthTest.java fails with java.io.IOException: HTTP/1.1 header parser received no bytes + - JDK-8339280: jarsigner -verify performs cross-checking between CEN and LOC + - JDK-8339366: [jittester] Make it possible to generate tests without execution + - JDK-8339386: Assertion on AIX - original PC must be in the main code section of the compiled method + - JDK-8339962: Open source AWT TextField tests - Set1 + - JDK-8340015: Open source several AWT focus tests - series 7 + - JDK-8340321: Disable SHA-1 in TLS/DTLS 1.2 handshake signatures + - JDK-8340354: Open source AWT desktop properties and print related tests + - JDK-8341097: GHA: Demote Mac x86 jobs to build only + - JDK-8341131: Some jdk/jfr/event/compiler tests shouldn't be executed with Xcomp + - JDK-8341138: Rename jtreg property docker.support as container.support + - JDK-8341496: Improve JMX connections + - JDK-8341861: GHA: Use only retention mechanism to remove bundles + - JDK-8342782: AWTEventMulticaster throws StackOverflowError using AquaButtonUI + - JDK-8343314: Move common properties from jpackage jtreg test declarations to TEST.properties file + - JDK-8343340: Swapping checking do not work for MetricsMemoryTester failcount + - JDK-8343875: Minor improvements of jpackage test library + - JDK-8344275: tools/jpackage/windows/Win8301247Test.java fails on localized Windows platform + - JDK-8344326: Move jpackage tests from "jdk.jpackage.tests" package to the default package + - JDK-8345213: JVM Prefers /etc/timezone Over /etc/localtime on Debian 12 + - JDK-8346234: javax/swing/text/DefaultEditorKit/4278839/bug4278839.java still fails in CI + - JDK-8346753: Test javax/swing/JMenuItem/RightLeftOrientation/RightLeftOrientation.java fails on Windows Server 2025 x64 because the icons of RBMenuItem and CBMenuItem are not visible in Nimbus LookAndFeel + - JDK-8346839: [TESTBUG] "java/awt/textfield/setechochartest4/setechochartest4.java" failed because the test frame disappears on clicking "Click Several Times" button + - JDK-8346875: Test jdk/jdk/jfr/event/os/TestCPULoad.java fails on macOS + - JDK-8346929: runtime/ClassUnload/DictionaryDependsTest.java fails with "Test failed: should be unloaded" + - JDK-8347129: cpuset cgroups controller is required for no good reason + - JDK-8347277: java/awt/Focus/ComponentLostFocusTest.java fails intermittently + - JDK-8347300: Don't exclude the "PATH" var from the environment when running app launchers in jpackage tests + - JDK-8347377: Add validation checks for ICC_Profile header fields + - JDK-8347826: Introspector shows wrong method list after 8071693 + - JDK-8347841: Test fixes that use deprecated time zone IDs + - JDK-8349188: LineBorder does not scale correctly + - JDK-8349534: Refactor jdk/sun/security/krb5/runNameEquals.sh to java test + - JDK-8350102: Decouple jpackage test-lib Executor.Result and Executor classes + - JDK-8350106: [PPC] Avoid ticks_unknown_not_Java AsyncGetCallTrace() if JavaFrameAnchor::_last_Java_pc not set + - JDK-8350813: Rendering of bulky sound bank from MIDI sequence can cause OutOfMemoryError + - JDK-8351567: Jar Manifest test ValueUtf8Coding produces misleading diagnostic output + - JDK-8352678: Opensource few JMenuItem tests + - JDK-8352682: Opensource JComponent tests + - JDK-8352686: Opensource JInternalFrame tests - series3 + - JDK-8352687: Opensource few JInternalFrame and JTextField tests + - JDK-8352793: Open source several AWT TextComponent tests - Batch 1 + - JDK-8352800: [PPC] OpenJDK fails to build on PPC after JDK-8350106 + - JDK-8352865: Open source several AWT TextComponent tests - Batch 2 + - JDK-8352905: Open some JComboBox bugs 1 + - JDK-8352966: Opensource Several Font related tests - Batch 2 + - JDK-8352997: Open source several Swing JTabbedPane tests + - JDK-8353007: Open some JComboBox bugs 2 + - JDK-8353011: Open source Swing JButton tests - Set 1 + - JDK-8353201: Open source Swing Tooltip tests - Set 2 + - JDK-8353299: VerifyJarEntryName.java test fails + - JDK-8353309: Open source several Swing text tests + - JDK-8353319: Open source Swing tests - Set 3 + - JDK-8353445: Open source several AWT Menu tests - Batch 1 + - JDK-8353470: Clean up and open source couple AWT Graphics related tests (Part 2) + - JDK-8353483: Open source some JProgressBar tests + - JDK-8353486: Open source Swing Tests - Set 4 + - JDK-8353585: Provide ChoiceFormat#parse(String, ParsePosition) tests + - JDK-8353586: Open source several toolkit tests + - JDK-8353589: Open source a few Swing menu-related tests + - JDK-8353592: Open source several scrollbar tests + - JDK-8353661: Open source several swing tests batch5 + - JDK-8353832: Opensource FontClass, Selection and Icon tests + - JDK-8353950: Clipboard interaction on Windows is unstable + - JDK-8353957: Open source several AWT ScrollPane tests - Batch 1 + - JDK-8353958: Open source several AWT ScrollPane tests - Batch 2 + - JDK-8354095: Open some JTable bugs 5 + - JDK-8354106: Clean up and open source KeyEvent related tests (Part 2) + - JDK-8354214: Open source Swing tests Batch 2 + - JDK-8354233: Open some JTable bugs 6 + - JDK-8354235: Test javax/net/ssl/SSLSocket/Tls13PacketSize.java failed with java.net.SocketException: An established connection was aborted by the software in your host machine + - JDK-8354248: Open source several AWT GridBagLayout and List tests + - JDK-8354340: Open source Swing Tests - Set 6 + - JDK-8354341: Open some JTable bugs 7 + - JDK-8354365: Opensource few Modal and Full Screen related tests + - JDK-8354418: Open source Swing tests Batch 4 + - JDK-8354451: Open source some more Swing popup menu tests + - JDK-8354465: Open some JTable bugs 8 + - JDK-8354466: Open some misc Swing bugs 9 + - JDK-8354472: Clean up and open source KeyEvent related tests (Part 3) + - JDK-8354493: Opensource Several MultiScreen and Insets related tests + - JDK-8354495: Open source several AWT DataTransfer tests + - JDK-8354532: Open source JFileChooser Tests - Set 7 + - JDK-8354552: Open source a few Swing tests + - JDK-8354553: Open source several clipboard tests batch0 + - JDK-8354561: Open source several swing tests batch0 + - JDK-8354646: java.awt.TextField allows to identify the spaces in a password when double clicked at the starting and end of the text + - JDK-8354653: Clean up and open source KeyEvent related tests (Part 4) + - JDK-8354701: Open source few JToolTip tests + - JDK-8354873: javax/swing/plaf/metal/MetalIconFactory/bug4952462.java failing on CI + - JDK-8354928: Clean up and open source some miscellaneous AWT tests + - JDK-8355077: Compiler error at splashscreen_gif.c due to unterminated string initialization + - JDK-8355333: Some Problem list entries point to non-existent / wrong files + - JDK-8355387: [jittester] Disable downcasts by default + - JDK-8355444: [java.io] Use @requires tag instead of exiting based on "os.name" property value + - JDK-8355478: DoubleActionESC.java fails intermittently + - JDK-8355558: SJIS.java test is always ignored + - JDK-8355561: [macos] Build failure with Xcode 16.3 + - JDK-8356040: java/util/PluggableLocale/LocaleNameProviderTest.java timed out + - JDK-8356145: ListEnterExitTest.java fails on macos + - JDK-8356187: TestJcmd.java may incorrectly parse podman version + - JDK-8356752: Log mouse enter and exit events for debugging + - JDK-8356897: Update NSS library to 3.111 + - JDK-8357305: Compilation failure in javax/swing/JMenuItem/bug6197830.java + - JDK-8357561: BootstrapLoggerTest does not work on Ubuntu 24 with LANG de_DE.UTF-8 + - JDK-8357675: Amend headless message + - JDK-8357799: Improve instructions for JFileChooser/HTMLFileName.java + - JDK-8357822: C2: Multiple string optimization tests are no longer testing string concatenation optimizations + - JDK-8358048: java/net/httpclient/HttpsTunnelAuthTest.java incorrectly calls Thread::stop + - JDK-8358334: C2/Shenandoah: incorrect execution with Unsafe + - JDK-8358532: JFileChooser in GTK L&F still displays HTML filename + - JDK-8358701: Remove misleading javax.management.remote API doc wording about JMX spec, and historic link to JMXMP + - JDK-8358748: Large page size initialization fails with assert "page_size must be a power of 2" + - JDK-8358764: (sc) SocketChannel.close when thread blocked in read causes connection to be reset (win) + - JDK-8358813: JPasswordField identifies spaces in password via delete shortcuts + - JDK-8359061: Update and ProblemList manual test java/awt/Cursor/CursorDragTest/ListDragCursor.java + - JDK-8359167: Remove unused test/hotspot/jtreg/vmTestbase/nsk/share/jpda/BindServer.java + - JDK-8359182: Use @requires instead of SkippedException for MaxPath.java + - JDK-8359207: Remove runtime/signal/TestSigusr2.java since it is always skipped + - JDK-8359402: Test CloseDescriptors.java should throw SkippedException when there is no lsof/sctp + - JDK-8359418: Test "javax/swing/text/GlyphView/bug4188841.java" failed because the phrase of text pane does not match the instructions + - JDK-8359428: Test 'javax/swing/JTabbedPane/bug4499556.java' failed because after selecting one of L&F items, the test case automatically failed when clicking on L&F Menu button again + - JDK-8359449: [TEST] open/test/jdk/java/io/File/SymLinks.java Refactor extract method for Windows specific test + - JDK-8359477: com/sun/net/httpserver/Test12.java appears to have a temp file race + - JDK-8359501: Enhance Handling of URIs + - JDK-8359687: Use PassFailJFrame for java/awt/print/Dialog/DialogType.java + - JDK-8360022: ClassRefDupInConstantPoolTest.java fails when running in repeat + - JDK-8360178: TestArguments.atojulong gtest has incorrect format string + - JDK-8360288: Shenandoah crash at size_given_klass in op_degenerated + - JDK-8360408: [TEST] Use @requires tag instead of exiting based on "os.name" property value for sun/net/www/protocol/file/FileURLTest.java + - JDK-8360411: [TEST] open/test/jdk/java/io/File/MaxPathLength.java Refactor extract method to encapsulate Windows specific test logic + - JDK-8361253: CommandLineOptionTest library should report observed values on failure + - JDK-8361298: SwingUtilities/bug4967768.java fails where character P is not underline + - JDK-8361314: Test serviceability/jvmti/VMEvent/MyPackage/VMEventRecursionTest.java FATAL ERROR in native method: Failed during the GetClassSignature call + - JDK-8361423: Add IPSupport::printPlatformSupport to java/net/NetworkInterface/IPv4Only.java + - JDK-8361447: [REDO] Checked version of JNI ReleaseArrayElements needs to filter out known wrapped arrays + - JDK-8361751: Test sun/tools/jcmd/TestJcmdSanity.java timed out on Windows + - JDK-8361754: New test runtime/jni/checked/TestCharArrayReleasing.java can cause disk full errors + - JDK-8361871: [GCC static analyzer] complains about use of uninitialized value ckpObject in p11_util.c + - JDK-8362204: test/jdk/sun/awt/font/TestDevTransform.java fails on Ubuntu 24.04 + - JDK-8362207: Add more test cases for possible double-rounding in fma + - JDK-8362308: Enhance Bitmap operations + - JDK-8362532: Test gc/g1/plab/* duplicate command-line options + - JDK-8362533: Tests sun/management/jmxremote/bootstrap/* duplicate VM flags + - JDK-8362602: Add test.timeout.factor to CompileFactory to avoid test timeouts + - JDK-8362632: Improve HttpServer Request handling + - JDK-8362855: Test java/net/ipv6tests/TcpTest.java should report SkippedException when there no ia4addr or ia6addr + - JDK-8363676: [GCC static analyzer] missing return value check of malloc in OGLContext_SetTransform + - JDK-8363720: Follow up to JDK-8360411 with post review comments + - JDK-8363966: GHA: Switch cross-compiling sysroots to Debian trixie + - JDK-8364214: Enhance polygon data support + - JDK-8364235: Fix for JDK-8361447 breaks the alignment requirements for GuardedMemory + - JDK-8364263: HttpClient: Improve encapsulation of ProxyServer + - JDK-8364484: misc tests fail with Received fatal alert: handshake_failure + - JDK-8364556: JFR: Disable SymbolTableStatistics and StringTableStatistics in default.jfc + - JDK-8364597: Replace THL A29 Limited with Tencent + - JDK-8364660: ClassVerifier::ends_in_athrow() should be removed + - JDK-8364993: JFR: Disable jdk.ModuleExport in default.jfc + - JDK-8364996: java/awt/font/FontNames/LocaleFamilyNames.java times out on Windows + - JDK-8365058: Enhance CopyOnWriteArraySet + - JDK-8365086: CookieStore.getURIs() and get(URI) should return an immutable List + - JDK-8365098: make/RunTests.gmk generates a wrong path to test artifacts on Alpine + - JDK-8365168: Use 64-bit aligned addresses for CK_ULONG access in PKCS11 native key code + - JDK-8365271: Improve Swing supports + - JDK-8365280: Enhance JOptionPane + - JDK-8365425: [macos26] javax/swing/JInternalFrame/8160248/JInternalFrameDraggingTest.java fails on macOS 26 + - JDK-8365615: Improve JMenuBar/RightLeftOrientation.java + - JDK-8365660: test/jdk/sun/security/pkcs11/KeyAgreement/ tests skipped without SkipExceprion + - JDK-8365790: Shutdown hook for application image does not work on Windows + - JDK-8365834: Mark java/net/httpclient/ManyRequests.java as intermittent + - JDK-8365913: Support latest MSC_VER in abstract_vm_version.cpp + - JDK-8365919: Replace currentTimeMillis with nanoTime in Stresser.java + - JDK-8366092: [GCC static analyzer] UnixOperatingSystem.c warning: use of uninitialized value 'systemTicks' + - JDK-8366159: SkippedException is treated as a pass for pkcs11/KeyStore, pkcs11/SecretKeyFactory and pkcs11/SecureRandom + - JDK-8366229: runtime/Thread/TooSmallStackSize.java runs with all collectors + - JDK-8366233: Bump update version for OpenJDK: jdk-17.0.18 + - JDK-8366342: Key generator and key pair generator tests skipping, but showing as passed + - JDK-8366359: Test should throw SkippedException when there is no lpstat + - JDK-8366764: Deproblemlist java/awt/ScrollPane/ScrollPositionTest.java + - JDK-8366844: Update and automate MouseDraggedOriginatedByScrollBarTest.java + - JDK-8367017: Remove legacy checks from WrappedToolkitTest and convert from bash + - JDK-8367133: DTLS: fragmentation of Finished message results in handshake failure + - JDK-8367237: Thread-Safety Usage Warning for java.text.Collator Classes + - JDK-8367348: Enhance PassFailJFrame to support links in HTML + - JDK-8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName + - JDK-8367869: Test java/io/FileDescriptor/Sync.java timed out + - JDK-8368032: Enhance Certificate Checking + - JDK-8368192: Test java/lang/ProcessBuilder/Basic.java#id0 fails with Exception: Stack trace + - JDK-8368668: Several vmTestbase/vm/gc/compact tests timed out on large memory machine + - JDK-8368982: Test sun/security/tools/jarsigner/EC.java completed and timed out + - JDK-8369032: Add test to ensure serialized ICC_Profile stores only necessary optional data + - JDK-8369078: Fix faulty test conversion in IllegalCharsetName.java + - JDK-8369184: SimpleTimeZone equals() Returns True for Unequal Instances with Different hashCode Values + - JDK-8369226: GHA: Switch to MacOS 15 + - JDK-8369450: [Ubuntu 25.10] openjdk fails to build due to rust-coreutils date + - JDK-8369506: Bytecode rewriting causes Java heap corruption on AArch64 + - JDK-8369946: Bytecode rewriting causes Java heap corruption on PPC + - JDK-8369992: JFR: Disable Placeholder-, LoaderConstraints- and ProtectionDomainCacheTableStatistics in default.jfc + - JDK-8370465: Right to Left Orientation Issues with MenuItem Component + - JDK-8372439: [17u] build-test-lib is broken + - JDK-8372534: Update Libpng to 1.6.51 + - JDK-8375448: Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.18 + +Notes on individual issues: +=========================== + +core-libs/java.util:i18n: + +JDK-8345213: Changes to the Default Time Zone Detection on Debian-based Linux +============================================================================= +On Debian-based distributions OpenJDK now uses `/etc/localtime` to +determine the default time zone instead of the deprecated +`/etc/timezone`. + +security-libs/javax.net.ssl: + +JDK-8245545: Disabled TLS_RSA Cipher Suites +=========================================== +This release disables the TLS_RSA cipher suites by default because +they do not preserve forward-secrecy. Users can re-enable them (at +their own risk) by removing "TLS_RSA_*" from the +`jdk.tls.disabledAlgorithms` security property in `java.security`. +The newly-disabled cipher suites are TLS_RSA_WITH_AES_256_GCM_SHA384, +TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, +TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, and +TLS_RSA_WITH_AES_128_CBC_SHA. + +JDK-8340321: Disabled SHA-1 in TLS 1.2 and DTLS 1.2 Handshake Signatures +======================================================================== +This release disables deprecated SHA-1-based TLS 1.2 and DTLS 1.2 +handshake signatures by default. Users can re-enable them (at their +own risk) by removing `"rsa_pkcs1_sha1 usage HandshakeSignature, +ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage +HandshakeSignature"` from the `jdk.tls.disabledAlgorithms` security +property in `java.security`. + +New in release OpenJDK 17.0.17 (2025-10-21): +============================================ +Live versions of these release notes can be found at: + * https://bit.ly/openjdk17017 + +* CVEs + - CVE-2025-53057 + - CVE-2025-53066 +* Changes + - JDK-8042381: Test javax/swing/JRootPane/4670486/bug4670486.java fails with Action has not been received + - JDK-8079786: [macosx] Test java/awt/Frame/DisposeParentGC/DisposeParentGC.java fails for Mac only + - JDK-8132785: java/lang/management/ThreadMXBean/ThreadLists.java fails intermittently + - JDK-8136895: Writer not closed with disk full error, file resource leaked + - JDK-8167252: Some of Charset.availableCharsets() does not contain itself + - JDK-8185429: [macos] After a modal dialog is closed, no window becomes active + - JDK-8196017: java/awt/Mouse/GetMousePositionTest/GetMousePositionWithPopup.java fails + - JDK-8202667: java/awt/Debug/DumpOnKey/DumpOnKey.java times out on Windows + - JDK-8203867: Delete test java/awt/TrayIcon/DblClickActionEventTest/DblClickActionEventTest.html + - JDK-8217914: java/net/httpclient/ConnectTimeoutHandshakeSync.java failed on connection refused while doing POST + - JDK-8225777: java/awt/Mixing/MixingOnDialog.java fails on Ubuntu + - JDK-8226919: attach in linux hangs due to permission denied accessing /proc/pid/root + - JDK-8249825: Tests sun/security/ssl/SSLSocketImpl/SetClientMode.java and NonAutoClose.java marked with @ignore + - JDK-8264207: CodeStrings does not honour fixed address assumption. + - JDK-8266246: Swing test PressedIconTest.java sometimes fails on macOS 11 ARM + - JDK-8266247: Swing test bug7154030.java sometimes fails on macOS 11 ARM + - JDK-8273539: [PPC64] gtest build error after JDK-8264207 + - JDK-8274039: codestrings gtest fails when hsdis is present + - JDK-8274453: (sctp) com/sun/nio/sctp/SctpChannel/CloseDescriptors.java test should be resilient to lsof warnings + - JDK-8275079: Remove unnecessary conversion to String in java.net.http + - JDK-8276046: codestrings.validate_vm gtest fails on ppc64, s390 + - JDK-8276175: codestrings.validate_vm gtest still broken on ppc64 after JDK-8276046 + - JDK-8276401: Use blessed modifier order in java.net.http + - JDK-8276681: Additional malformed Javadoc inline tags in JDK source + - JDK-8277969: HttpClient SelectorManager shuts down when custom Executor rejects a task + - JDK-8279005: sun/tools/jstat tests do not check for test case exit codes after JDK-8245129 + - JDK-8280818: Expand bug8033699.java to iterate over all LaFs + - JDK-8282144: RandomSupport.convertSeedBytesToLongs sign extension overwrites previous bytes + - JDK-8282147: [TESTBUG] waitForIdle after creating frame in JSpinnerMouseAndKeyPressTest.java + - JDK-8283467: runtime/Thread/StopAtExit.java needs updating + - JDK-8285032: vmTestbase/nsk/jdi/EventSet/suspendPolicy/suspendpolicy008/ fails with "eventSet.suspendPolicy() != policyExpected" + - JDK-8285773: Replace Algorithms.eatMemory(...) with WB.fullGC() in vmTestbase/gc/gctests/ReferencesGC/ReferencesGC.java + - JDK-8285951: Replace Algorithms.eatMemory(...) with WB.fullGC() in vmTestbase_vm_gc_ref tests + - JDK-8286171: HttpClient/2 : Expect:100-Continue blocks indefinitely when response is not 100 + - JDK-8286194: ExecutorShutdown test fails intermittently + - JDK-8286660: codestrings gtest fails on AArch64: "udf" in padding + - JDK-8288209: SSL debug message wrong about unsupported authentication scheme + - JDK-8288746: HttpClient resources could be reclaimed more eagerly + - JDK-8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation + - JDK-8292876: Do not include the deprecated userinfo component of the URI in HTTP/2 headers + - JDK-8293713: java/net/httpclient/BufferingSubscriberTest.java fails in timeout, blocked in submission publisher + - JDK-8293786: HttpClient will not send more than 64 kb of data from the 2nd request in http2 + - JDK-8294509: The sign extension bug applies to 'public static int[] convertSeedBytesToInts(byte[] seed, int n, int z)' in RandomSupport + - JDK-8294839: Disable StressLongCountedLoop in compiler/loopopts/TestRemoveEmptyLoop.java + - JDK-8294916: Cancelling a request must eventually cause its response body subscriber to be unregistered + - JDK-8294985: SSLEngine throws IAE during parsing of X500Principal + - JDK-8295005: compiler/loopopts/TestRemoveEmptyLoop.java fails with release VMs after JDK-8294839 + - JDK-8295210: IR framework should not whitelist -XX:-UseTLAB + - JDK-8297075: java/net/httpclient/CancelStreamedBodyTest.java fails with "java.lang.AssertionError: WARNING: tracker for HttpClientImpl(1) has outstanding operations" + - JDK-8297106: Remove the -Xcheck:jni local reference capacity checking + - JDK-8297149: REDO JDK-8296889: Race condition when cancelling a request + - JDK-8297200: java/net/httpclient/SpecialHeadersTest.java failed once in AssertionError due to selector thread remaining alive + - JDK-8297424: java/net/httpclient/AsyncExecutorShutdown.java fails in AssertionError due to misplaced assert + - JDK-8297499: Parallel: Missing iteration over klass when marking objArrays/objArrayOops during Full GC + - JDK-8297740: runtime/ClassUnload/UnloadTest.java failed with "Test failed: should still be live" + - JDK-8298340: java/net/httpclient/CancelRequestTest.java fails with AssertionError: Found some subscribers for testPostInterrupt + - JDK-8298514: vmTestbase/nsk/jdi/EventRequestManager/threadDeathRequests/thrdeathreq002/TestDescription.java fails with usage tracker + - JDK-8298907: nsk JDI tests pass if the debuggee failed to launch + - JDK-8298931: java/net/httpclient/CancelStreamedBodyTest.java fails with AssertionError due to Pending TCP connections: 1 + - JDK-8299338: AssertionError in ResponseSubscribers$HttpResponseInputStream::onSubscribe + - JDK-8300207: Add a pre-check for the number of canonical equivalent permutations in j.u.r.Pattern + - JDK-8301004: httpclient: Add more debug to HttpResponseInputStream + - JDK-8301169: java/net/httpclient/ThrowingSubscribersAsInputStream.java,ThrowingSubscribersAsInputStreamAsync.java, and other httpclient tests failing on windows: Unable to establish loopback connection + - JDK-8301255: Http2Connection may send too many GOAWAY frames + - JDK-8302635: Race condition in HttpBodySubscriberWrapper when cancelling request + - JDK-8303525: Refactor/cleanup open/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java + - JDK-8307648: java/net/httpclient/ExpectContinueTest.java timed out + - JDK-8308185: Update Http2TestServerConnection to use SSLSocket.startHandshake() + - JDK-8312191: ColorConvertOp.filter for the default destination is too slow + - JDK-8312475: org.jline.util.PumpReader signed byte problem + - JDK-8313083: Print 'rss' and 'cache' as part of the container information + - JDK-8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation + - JDK-8314611: Provide more explicative error message parsing Currencies + - JDK-8314978: Multiple server call from connection failing with expect100 in getOutputStream + - JDK-8315505: CompileTask timestamp printed can overflow + - JDK-8316580: HttpClient with StructuredTaskScope does not close when a task fails + - JDK-8317522: Test logic for BODY_CF in AbstractThrowingSubscribers.java is wrong + - JDK-8317804: com/sun/jdi/JdwpAllowTest.java fails on Alpine 3.17 / 3.18 + - JDK-8317808: HTTP/2 stream cancelImpl may leave subscriber registered + - JDK-8319174: Enhance robustness of some j.m.BigInteger constructors + - JDK-8319932: [JVMCI] class unloading related tests can fail on libgraal + - JDK-8320858: Move jpackage tests to tier3 + - JDK-8325910: Rename jnihelper.h + - JDK-8326606: Test javax/swing/text/BoxView/6494356/bug6494356.java performs a synchronization on a value based class + - JDK-8327750: Convert javax/swing/JFileChooser/FileFilterDescription/FileFilterDescription.java applet test to main + - JDK-8327751: Convert javax/swing/JInternalFrame/6726866/bug6726866.java applet test to main + - JDK-8327752: Convert javax/swing/JOptionPane/4174551/bug4174551.java applet to main + - JDK-8327753: Convert javax/swing/JOptionPane/8024926/bug8024926.java applet to main + - JDK-8327754: Convert javax/swing/JPopupMenu/7160604/bug7160604.java applet to main + - JDK-8327755: Convert javax/swing/JScrollBar/8039464/Test8039464.java applet to main + - JDK-8327756: Convert javax/swing/JSlider/4987336/bug4987336.java applet to main + - JDK-8327826: Convert javax/swing/border/Test4243289.java applet test to main + - JDK-8327835: Convert java/awt/FileDialog/RegexpFilterTest/RegexpFilterTest applet test to main + - JDK-8327838: Convert java/awt/FileDialog/MultipleMode/MultipleMode.html applet test to main + - JDK-8327872: Convert javax/swing/JToolTip/4644444/bug4644444.java applet test to main + - JDK-8327873: Convert javax/swing/border/Test4247606.java applet test to main + - JDK-8327874: Convert javax/swing/JTree/4314199/bug4314199.java applet test to main + - JDK-8327876: Convert javax/swing/border/Test4252164.java applet test to main + - JDK-8327879: Convert javax/swing/border/Test4760089.java applet test to main + - JDK-8327969: Convert javax/swing/border/Test6910490.java applet test to main + - JDK-8327972: Convert java/awt/FileDialog/SaveFileNameOverrideTest/SaveFileNameOverrideTest.html applet test to main + - JDK-8328000: Convert /java/awt/im/8154816/bug8154816.java applet test to main + - JDK-8328012: Convert InputMethod (/java/awt/im) applet tests to main + - JDK-8328030: Convert javax/swing/text/GlyphView/4984669/bug4984669.java applet test to main + - JDK-8328035: Convert javax/swing/text/html/TableView/7030332/bug7030332.java applet test to main + - JDK-8328087: Automate javax/swing/JTable/TAB/TAB.java applet test + - JDK-8328089: Automate javax/swing/JTable/4222153/bug4222153.java applet test + - JDK-8328154: Convert sun/java2d/loops/CopyAreaSpeed.java applet test to main + - JDK-8328190: Convert AWTPanelSmoothWheel.html applet test to main + - JDK-8328225: Convert ImageDecoratedDnD.html applet test to main + - JDK-8328244: Convert javax/swing/JSlider/6742358/bug6742358.java applet test to main + - JDK-8328248: Convert javax/swing/JSlider/6587742/bug6587742.java applet test to main + - JDK-8328262: Convert javax/swing/JSplitPane/8132123/bug8132123.java applet test to main + - JDK-8328279: Convert java/awt/Cursor/CursorOverlappedPanelsTest test to main + - JDK-8328328: Convert javax/swing/JTabbedPane/4666224/bug4666224.java applet test to main + - JDK-8328367: Convert java/awt/Component/UpdatingBootTime test to main + - JDK-8328378: Convert java/awt/FileDialog/FileDialogForDirectories test to main + - JDK-8328382: Convert java/awt/FileDialog/FileDialogForPackages test to main + - JDK-8328384: Convert java/awt/FileDialog/FileDialogOpenDirTest test to main + - JDK-8328385: Convert java/awt/FileDialog/FileDialogReturnTest test to main + - JDK-8328386: Convert java/awt/FileDialog/FileNameOverrideTest test to main + - JDK-8328398: Convert java/awt/im/4490692/bug4490692.html applet test to main + - JDK-8328401: Convert java/awt/Frame/InitialMaximizedTest/InitialMaximizedTest.html applet test to automated + - JDK-8328570: Convert closed JViewport manual applet tests to main + - JDK-8328631: Convert java/awt/InputMethods/InputMethodsTest/InputMethodsTest.java applet test to manual + - JDK-8330022: Failure test/hotspot/jtreg/vmTestbase/nsk/sysdict/share/BTreeTest.java: Could not initialize class java.util.concurrent.ThreadLocalRandom + - JDK-8330106: C2: VectorInsertNode::make() shouldn't call ConINode::make() directly + - JDK-8330535: Update nsk/jdb tests to use driver instead of othervm + - JDK-8332252: Clean up vmTestbase/vm/share + - JDK-8332494: java/util/zip/EntryCount64k.java failing with java.lang.RuntimeException: '\\A\\Z' missing from stderr + - JDK-8332551: Test vmTestbase/nsk/monitoring/MemoryNotificationInfo/from/from001/TestDescription.java timed out + - JDK-8334016: Make PrintNullString.java automatic + - JDK-8334320: Replace vmTestbase/metaspace/share/TriggerUnloadingWithWhiteBox.java with ClassUnloadCommon from testlibrary + - JDK-8334394: Race condition in Class::protectionDomain + - JDK-8334457: Test javax/swing/JTabbedPane/bug4666224.java fail on macOS with because pressing the ā€˜Cā€™ key does not switch the layout to WRAP_TAB_LAYOUT + - JDK-8335131: Test "javax/swing/JColorChooser/Test6977726.java" failed on ubuntu x64 because "Preview" title is missing for GTK L&F + - JDK-8335181: Incorrect handling of HTTP/2 GOAWAY frames in HttpClient + - JDK-8335252: Reduce size of j.u.Formatter.Conversion#isValid + - JDK-8335468: [XWayland] JavaFX hangs when calling java.awt.Robot.getPixelColor + - JDK-8336499: Failure when creating non-CRT RSA private keys in SunPKCS11 + - JDK-8337506: Disable "best-fit" mapping on Windows command line + - JDK-8339561: The test/jdk/java/awt/Paint/ListRepaint.java may fail after JDK-8327401 + - JDK-8339725: Concurrent GC crashed due to GetMethodDeclaringClass + - JDK-8339834: Replace usages of -mx and -ms in some tests + - JDK-8340146: ZGC: TestAllocateHeapAt.java should not run with UseLargePages + - JDK-8340185: Use make -k on GHA to catch more build errors + - JDK-8340389: vmTestbase/gc/gctests/PhantomReference/phantom001/TestDescription.java Test exit code: 97 with -Xcomp UseAVX=3 + - JDK-8340554: Improve MessageFormat readObject checks + - JDK-8341311: [Accessibility,macOS,VoiceOver] VoiceOver announces incorrect number of items in submenu of JPopupMenu + - JDK-8341370: Test java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java fails intermittently on macOS-aarch64 + - JDK-8341964: Add mechanism to disable different parts of TLS cipher suite + - JDK-8342075: HttpClient: improve HTTP/2 flow control checks + - JDK-8342330: C2: "node pinned on loop exit test?" assert failure + - JDK-8343074: test/jdk/com/sun/net/httpserver/docs/test1/largefile.txt could be generated + - JDK-8343618: Stack smashing in awt_InputMethod.c on Linux s390x + - JDK-8343804: Show the default time zone with -XshowSettings option + - JDK-8343855: HTTP/2 ConnectionWindowUpdateSender may miss some unprocessed DataFrames from closed streams + - JDK-8343977: Convert java/awt/TextArea/TextAreaCursorTest/HoveringAndDraggingTest to main + - JDK-8344137: Update XML Security for Java to 3.0.5 + - JDK-8344338: javax/swing/JTextArea/bug4265784.java fails on Ubuntu 24.04.1 + - JDK-8344671: Few JFR streaming tests fail with application not alive error on MacOS 15 + - JDK-8345173: BlockLocationPrinter::print_location misses a ResourceMark + - JDK-8345471: Clean up compiler/intrinsics/sha/cli tests + - JDK-8345566: Deproblemlist test/jdk/javax/swing/JComboBox/6559152/bug6559152.java + - JDK-8345767: javax/swing/JSplitPane/4164779/JSplitPaneKeyboardNavigationTest.java fails in ubuntu22.04 + - JDK-8346285: Update jarsigner compatibility test for change in default digest algorithm + - JDK-8346751: Internal java compiler error with type annotations in constants expression in constant fields + - JDK-8346871: Improve robustness of java/util/zip/EntryCount64k.java test + - JDK-8346998: Test nsk/jvmti/ResourceExhausted/resexhausted003 fails with java.lang.OutOfMemoryError when CDS is off + - JDK-8347004: vmTestbase/metaspace/shrink_grow/ShrinkGrowTest/ShrinkGrowTest.java fails with CDS disabled + - JDK-8347302: Mark test tools/jimage/JImageToolTest.java as flagless + - JDK-8347373: HTTP/2 flow control checks may count unprocessed data twice + - JDK-8347381: Upgrade jQuery UI to version 1.14.1 + - JDK-8348328: Update IANA Language Subtag Registry to Version 2025-05-15 + - JDK-8348365: Bad format string in CLDRDisplayNamesTest + - JDK-8348760: RadioButton is not shown if JRadioButtonMenuItem is rendered with ImageIcon in WindowsLookAndFeel + - JDK-8349151: Refactor test/java/security/cert/CertificateFactory/slowstream.sh to java test + - JDK-8349214: Improve size optimization flags for MSVC builds + - JDK-8349583: Add mechanism to disable signature schemes based on their TLS scope + - JDK-8349849: PKCS11 SunTlsKeyMaterial crashes when used with TLS1.2 TlsKeyMaterialParameterSpec + - JDK-8350483: AArch64: turn on signum intrinsics by default on Ampere CPUs + - JDK-8350582: Correct the parsing of the ssl value in javax.net.debug + - JDK-8350767: Fix -Wzero-as-null-pointer-constant warnings in nsk jni stress tests + - JDK-8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled + - JDK-8350830: Values converted incorrectly when reading TLS session tickets + - JDK-8350964: Add an ArtifactResolver.fetch(clazz) method + - JDK-8351277: Remove pipewire from AIX build + - JDK-8351601: [JMH] test UnixSocketChannelReadWrite failed for 2 threads config + - JDK-8351884: Refactor bug8033699.java test code + - JDK-8351907: [XWayland] [OL10] Robot.mousePress() is delivered to wrong place + - JDK-8351933: Inaccurate masking of TC subfield decrement in ForkJoinPool + - JDK-8351997: AArch64: Interpreter volatile reference stores with G1 are not sequentially consistent + - JDK-8352509: Update jdk.test.lib.SecurityTools jar method to accept List parameter + - JDK-8352624: Add missing {@code} to PassFailJFrame.Builder.splitUI + - JDK-8352637: Enhance bytecode verification + - JDK-8352677: Opensource JMenu tests - series2 + - JDK-8352719: Add an equals sign to the modules statement + - JDK-8352860: Open source events tests batch0 + - JDK-8352879: TestPeriod.java and TestGetContentType.java run wrong test class + - JDK-8352895: UserCookie.java runs wrong test class + - JDK-8352896: LambdaExpr02.java runs wrong test class + - JDK-8352946: SEGV_BND signal code of SIGSEGV missing from our signal-code table + - JDK-8353000: Open source several swing tests batch2 + - JDK-8353126: Open source events tests batch1 + - JDK-8353213: Open source several swing tests batch3 + - JDK-8353235: Test jdk/jfr/api/metadata/annotations/TestPeriod.java fails with IllegalArgumentException + - JDK-8353293: Open source several swing tests batch4 + - JDK-8353304: Open source two JTabbedPane tests + - JDK-8353489: Increase timeout and improve Windows compatibility in test/jdk/java/lang/ProcessBuilder/Basic.java + - JDK-8353549: Open source events tests batch2 + - JDK-8353568: SEGV_BNDERR signal code adjust definition + - JDK-8353655: Clean up and open source KeyEvent related tests (Part 1) + - JDK-8353662: Add test for non-local file URL fallback to FTP + - JDK-8353713: Improve Currency.getInstance exception handling + - JDK-8353748: Open source several swing tests batch6 + - JDK-8354285: Open source Swing tests Batch 3 + - JDK-8354327: Rewrite runtime/LoadClass/LoadClassNegative.java + - JDK-8354415: [Ubuntu25.04] api/java_awt/GraphicsDevice/indexTGF.html#SetDisplayMode - setDisplayMode_REFRESH_RATE_UNKNOWN fails: Height is different on vnc + - JDK-8354941: Build failure with glibc 2.42 due to uabs() name collision + - JDK-8355051: Problemlist java/awt/Graphics2D/CopyAreaOOB.java on macosx-aarch64 + - JDK-8355249: Remove the use of WMIC from the entire source code + - JDK-8355262: Test sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java failed: accept timed out + - JDK-8355366: Fix the wrong usage of PassFailJFrame.forcePass() in some manual tests + - JDK-8355370: Include server name in HTTP test server thread names to improve diagnostics + - JDK-8355429: Open source ProgressMonitor test + - JDK-8355441: Remove antipattern from PassFailJFrame.forcePass javadoc + - JDK-8355453: nsk.share.jdi.Debugee.waitingEvent() does not timeout properly + - JDK-8355475: UNCTest should use an existing UNC path + - JDK-8355515: Clarify the purpose of forcePass() and forceFail() methods + - JDK-8355528: Update HarfBuzz to 11.2.0 + - JDK-8355578: [java.net] Use @requires tag instead of exiting based on "os.name" property value + - JDK-8355779: When no "signature_algorithms_cert" extension is present we do not apply certificate scope constraints to algorithms in "signature_algorithms" extension + - JDK-8356294: Enhance Path Factories + - JDK-8357173: Split jtreg test group jdk tier3 + - JDK-8357253: Test test/jdk/sun/security/ssl/SSLSessionImpl/ResumeClientTLS12withSNI.java writes in src dir + - JDK-8357285: JSR166 Test case testShutdownNow_delayedTasks failed + - JDK-8357672: Extreme font sizes can cause font substitution + - JDK-8357793: [PPC64] VM crashes with -XX:-UseSIGTRAP -XX:-ImplicitNullChecks + - JDK-8357968: RISC-V: Interpreter volatile reference stores with G1 are not sequentially consistent + - JDK-8358004: Delete applications/scimark/Scimark.java test + - JDK-8358452: JNI exception pending in Java_sun_awt_screencast_ScreencastHelper_remoteDesktopKeyImpl of screencast_pipewire.c:1214 (ID: 51119) + - JDK-8358538: Update GHA Windows runner to 2025 + - JDK-8358617: java/net/HttpURLConnection/HttpURLConnectionExpectContinueTest.java fails with 403 due to system proxies + - JDK-8358660: Bump update version for OpenJDK: jdk-17.0.17 + - JDK-8358697: TextLayout/MyanmarTextTest.java passes if no Myanmar font is found + - JDK-8359272: Several vmTestbase/compact tests timed out on large memory machine + - JDK-8360042: GHA: Bump MSVC to 14.44 + - JDK-8360647: [XWayland] [OL10] NumPad keys are not triggered + - JDK-8360937: Enhance certificate handling + - JDK-8361212: Remove AffirmTrust root CAs + - JDK-8361478: GHA: Use MSYS2 from GHA runners + - JDK-8362390: AIX make fails in awt_GraphicsEnv.c + - JDK-8362582: GHA: Increase bundle retention time to deal with infra overload better + - JDK-8362839: [21u] Problem list more tests that fail in 21 and would be fixed by 8309622 + - JDK-8363965: GHA: Switch cross-compiling sysroots to Debian bookworm + - JDK-8365375: Method SU3.setAcceleratorSelectionForeground assigns to acceleratorForeground + - JDK-8365389: Remove static color fields from SwingUtilities3 and WindowsMenuItemUI + - JDK-8365811: test/jdk/java/net/CookieHandler/B6644726.java failure - "Should have 5 cookies. Got only 4, expires probably didn't parse correctly" + - JDK-8367388: Tests start to fail on JDK-21 after JDK-8351907 + - JDK-8368308: ISO 4217 Amendment 180 Update + - JDK-8369641: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.17 + +Notes on individual issues: +=========================== + +core-libs/java.net: + +JDK-8342075: HttpClient: improve HTTP/2 flow control checks +=========================================================== +This release of OpenJDK 21 enhances the HTTP/2 client implementation +in `java.net.http.HttpClient` to report flow control errors back to +the server. While this should be transparent in most cases, it may +lead to streams being reset or connections being closed if connecting +to a HTTP/2 server that does not correctly handle these errors. + +Flow control limits can be adjusted using the following existing +properties: + +* `jdk.httpclient.connectionWindowSize` + - Specifies the HTTP/2 client connection window size in bytes. + - Default value: `2^26` (64 MiB) + - Range: `2^16-1` to `2^31-1`. + +* `jdk.httpclient.windowSize` + - Specifies the HTTP/2 client stream window size in bytes. + - Default value: `16777216` (16 MiB) + - Range: `2^14` to `2^31-1` + +Specifying an invalid value leads to the default value being used. +The implementation guarantees that the actual value used for the +connection window size will be no smaller than the stream window size. + +security-libs/javax.xml.crypto: + +JDK-8344137: Update XML Security for Java to 3.0.5 +================================================== +The XML Signature implementation has been updated to Apache Santuario +3.0.5 from 3.0.3. This adds support for four new SHA-3 based ECDSA +`SignatureMethod` algorithms. + +The `SignatureMethod` constants for these new algorithms are only +available in Java 25. Users will instead need to use the string +literals listed below to obtain instances of these new algorithms: + +* ECDSA_SHA3_224: http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-224 +* ECDSA_SHA3_256: http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-256 +* ECDSA_SHA3_384: http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-384 +* ECDSA_SHA3_512: http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-512 + +core-libs/javax.naming: + +JDK-8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation +=================================================================================================== +In the April 2021 security updates, `jdk.jndi.object.factoriesFilter` +was introduced as both a System and Security property to control +whether a specific object factory was permitted to instantiate objects +from the remote object references obtained using the protocols used in +JNDI. By default, it was set to `*` to allow all object factory +classes. + +With this update, two additional properties are introduced for more +granular control of each JNDI protocol: + +* `jdk.jndi.ldap.object.factoriesFilter` which filters object factory +classes used with object references obtained from a JNDI/LDAP context. +Its default value is `java.naming/com.sun.jndi.ldap.**;!*` to allow +only object factories defined in the `java.naming` module. + +* `jdk.jndi.rmi.object.factoriesFilter` which filters object factory +classes used with object references obtained from a JNDI/RMI context. +Its default value is `jdk.naming.rmi/com.sun.jndi.rmi.**;!*` to allow +only object factories defined in the `jdk.naming.rmi` module. + +All three properties are available as both System and Security +properties, with the System property taking precedence over the +Security property where the default is defined. + +Each filter can return a result of ALLOWED, REJECTED and UNDECIDED +using the Status enumeration from `java.io.ObjectInputFilter`. For an +object factory class to be accepted, either the global filter, +`jdk.jndi.object.factoriesFilter`, or the filter for the specific +protocol must return ALLOWED and neither must return REJECTED. + +If an application depends on custom object factories to instantiate +objects from remote RMI or LDAP object references, the appropriate +filter property will need to be adjusted to allow these factories to +function. Failure to do so will lead to the factory being blocked by +the filter and a plain `javax.naming.Reference` instance returned +instead. + +security-libs/javax.net.ssl: + +JDK-8341964: Add mechanism to disable different parts of TLS cipher suite +========================================================================= +The mechanisms in previous releases of OpenJDK for disabling TLS +algorithms were either too broad or too specific. Specifying an +algorithm (e.g. "RSA") would disable all suites using that +algorithm. The only alternative was to specify every suite. With this +release, the `jdk.tls.disabledAlgorithms` security property supports +wildcards for patterns that begin with "TLS_", so "TLS_RSA_*" can be +used to disable all suites that start with "TLS_RSA_". + +JDK-8349583: Add mechanism to disable signature schemes based on their TLS scope +================================================================================ +In this release, the `jdk.tls.disabledAlgorithms` property now +supports specifying the usage of a particular algorithm. An algorithm +can be limited to use only in a TLS handshake exchange or only in a +TLS certificate. + +The usage is specified by adding a suffix to the algorithm, consisting +of the word "usage" and either `HandshakeSignature` for TLS handshake +exchanges or `CertificateSignature` for TLS certificates. For +example, `rsa_pkcs1_sha1 usage HandshakeSignature` restricts the +`rsa_pkcs1_sha1` algorithm to use in TLS handshake exchanges only and +it can not be used to sign TLS certificates. + +tools/launcher: + +JDK-8337506: Disable "best-fit" mapping on Windows command line +=============================================================== +On Windows, the Java launcher in previous releases of OpenJDK used the +ANSI version of the GetCommandLine() Win32 API call to obtain +command-line arguments. If the arguments contained Unicode characters +that did not exist in the ANSI code page, they would be converted to +other characters using the Windows "best fit" mapping [0]. This +mapping could introduce unexpected characters and differed between +code pages. With this release, the JDK reads the command line +arguments as Unicode and then converts them to the ANSI codepage +itself, using the default replacement character for any that can not +be mapped. For cases where such Unicode characters need to be retained +as is, select UTF-8 in the Windows regional settings. + +[0] https://www.unicode.org/Public/MAPPINGS/VENDORS/MICSFT/WindowsBestFit/readme.txt + +hotspot/runtime: + +JDK-8313083: Print 'rss' and 'cache' as part of the container information +========================================================================= +In this release, the information provided for containers is improved +by inclusion of the memory usage information for the Resident Set Size +(RSS) and the cache, in bytes. This is visible in the output of `jcmd + VM.info`, where `` is the running JVM, and in the `hs_err` +file generated on abrupt JVM termination. + +security-libs/java.security: + +JDK-8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation +============================================================================= +The SunMSCAPI provider in previous releases of OpenJDK required +administrator privileges to access the local computer key store. The +store is now accessed with the `CERT_STORE_MAXIMUM_ALLOWED_FLAG` set +so that non-elevated processes will be able to access the key store in +read only mode. + +JDK-8361212: Remove AffirmTrust root CAs +======================================== +The following root certificates from AffirmTrust, which were +deactivated in the 11.0.25 release of October 2024, have been removed +from the `cacerts` keystore: + +Alias name: affirmtrustcommercialca [jdk] +CN=AffirmTrust Commercial +O=AffirmTrust +C=US +SHA256: 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7 + +Alias name: affirmtrustnetworkingca [jdk] +CN=AffirmTrust Networking +O=AffirmTrust +C=US +SHA256: 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B + +Alias name: affirmtrustpremiumca [jdk] +CN=AffirmTrust Premium +O=AffirmTrust +C=US +SHA256: 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A + +Alias name: affirmtrustpremiumeccca [jdk] +CN=AffirmTrust Premium ECC +O=AffirmTrust +C=US +SHA256: BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23 + +New in release OpenJDK 17.0.16 (2025-07-15): +============================================ +Live versions of these release notes can be found at: + * https://bit.ly/openjdk17016 + +* CVEs + - CVE-2025-30749 + - CVE-2025-30754 + - CVE-2025-50059 + - CVE-2025-50106 +* Changes + - JDK-4850101: Setting mnemonic to VK_F4 underlines the letter S in a button. + - JDK-5074006: Swing JOptionPane shows tag as a string after newline + - JDK-6956385: URLConnection.getLastModified() leaks file handles for jar:file and file: URLs + - JDK-8024624: [TEST_BUG] [macosx] CTRL+RIGHT(LEFT) doesn't move selection on next cell in JTable on Aqua L&F + - JDK-8042134: JOptionPane bungles HTML messages + - JDK-8051591: Test javax/swing/JTabbedPane/8007563/Test8007563.java fails + - JDK-8077371: Binary files in JAXP test should be removed + - JDK-8183348: Better cleanup for jdk/test/sun/security/pkcs12/P12SecretKey.java + - JDK-8196465: javax/swing/JComboBox/8182031/ComboPopupTest.java fails on Linux + - JDK-8202100: Merge vm/share/InMemoryJavaCompiler w/ jdk/test/lib/compiler/InMemoryJavaCompiler + - JDK-8211400: nsk.share.gc.Memory::getArrayLength returns wrong value + - JDK-8218474: JComboBox display issue with GTKLookAndFeel + - JDK-8224267: JOptionPane message string with 5000+ newlines produces StackOverflowError + - JDK-8249831: Test sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java is marked with @ignore + - JDK-8251505: Use of types in compiler shared code should be consistent. + - JDK-8253440: serviceability/sa/TestJhsdbJstackLineNumbers.java failed with "Didn't find enough line numbers" + - JDK-8254786: java/net/httpclient/CancelRequestTest.java failing intermittently + - JDK-8256211: assert fired in java/net/httpclient/DependentPromiseActionsTest (infrequent) + - JDK-8258483: [TESTBUG] gtest CollectorPolicy.young_scaled_initial_ergo_vm fails if heap is too small + - JDK-8269516: AArch64: Assembler cleanups + - JDK-8271419: Refactor test code for modifying CDS archive contents + - JDK-8276995: Bug in jdk.jfr.event.gc.collection.TestSystemGC + - JDK-8277983: Remove unused fields from sun.net.www.protocol.jar.JarURLConnection + - JDK-8279884: Use better file for cygwin source permission check + - JDK-8279894: javax/swing/JInternalFrame/8020708/bug8020708.java timeouts on Windows 11 + - JDK-8280468: Crashes in getConfigColormap, getConfigVisualId, XVisualIDFromVisual on Linux + - JDK-8280820: Clean up bug8033699 and bug8075609.java tests: regtesthelpers aren't used + - JDK-8280991: [XWayland] No displayChanged event after setDisplayMode call + - JDK-8281511: java/net/ipv6tests/UdpTest.java fails with checkTime failed + - JDK-8282863: java/awt/FullScreen/FullscreenWindowProps/FullscreenWindowProps.java fails on Windows 10 with HiDPI screen + - JDK-8286204: [Accessibility,macOS,VoiceOver] VoiceOver reads the spinner value 10 as 1 when user iterates to 10 for the first time on macOS + - JDK-8286789: Test forceEarlyReturn002.java timed out + - JDK-8286875: ProgrammableUpcallHandler::on_entry/on_exit access thread fields from native + - JDK-8286925: Move JSON parser used in JFR tests to test library + - JDK-8287352: DockerTestUtils::execute shows incorrect elapsed time + - JDK-8287801: Fix test-bugs related to stress flags + - JDK-8288707: javax/swing/JToolBar/4529206/bug4529206.java: setFloating does not work correctly + - JDK-8290162: Reset recursion counter missed in fix of JDK-8224267 + - JDK-8292064: Convert java/lang/management/MemoryMXBean shell tests to java version + - JDK-8293503: gc/metaspace/TestMetaspacePerfCounters.java#Epsilon-64 failed assertGreaterThanOrEqual: expected MMM >= NNN + - JDK-8294038: Remove "Classpath" exception from javax/swing tests + - JDK-8294155: Exception thrown before awaitAndCheck hangs PassFailJFrame + - JDK-8295470: Update openjdk.java.net => openjdk.org URLs in test code + - JDK-8295670: Remove duplication in java/util/Formatter/Basic*.java + - JDK-8295804: javax/swing/JFileChooser/JFileChooserSetLocationTest.java failed with "setLocation() is not working properly" + - JDK-8296072: CertAttrSet::encode and DerEncoder::derEncode should write into DerOutputStream + - JDK-8296167: test/langtools/tools/jdeps/jdkinternals/ShowReplacement.java failing after JDK-8296072 + - JDK-8296920: Regression Test DialogOrient.java fails on MacOS + - JDK-8297173: usageTicks and totalTicks should be volatile to ensure that different threads get the latest ticks + - JDK-8297242: Use-after-free during library unloading on Linux + - JDK-8298061: vmTestbase/nsk/sysdict/vm/stress/btree/btree012/btree012.java failed with "fatal error: refcount has gone to zero" + - JDK-8298147: Clang warns about pointless comparisons + - JDK-8298248: Limit sscanf output width in cgroup file parsers + - JDK-8298709: Fix typos in src/java.desktop/ and various test classes of client component + - JDK-8298730: Refactor subsystem_file_line_contents and add docs and tests + - JDK-8300645: Handle julong values in logging of GET_CONTAINER_INFO macros + - JDK-8300658: memory_and_swap_limit() reporting wrong values on systems with swapaccount=0 + - JDK-8302226: failure_handler native.core should wait for coredump to finish + - JDK-8303549: [AIX] TestNativeStack.java is failing with exit value 1 + - JDK-8303770: Remove Baltimore root certificate expiring in May 2025 + - JDK-8305010: Test vmTestbase/nsk/jvmti/scenarios/sampling/SP05/sp05t003/TestDescription.java timed out: thread not suspended + - JDK-8305578: X11GraphicsDevice.pGetBounds() is slow in remote X11 sessions + - JDK-8306997: C2: "malformed control flow" assert due to missing safepoint on backedge with a switch + - JDK-8307318: Test serviceability/sa/ClhsdbCDSJstackPrintAll.java failed: ArrayIndexOutOfBoundsException + - JDK-8308875: java/awt/Toolkit/GetScreenInsetsCustomGC/GetScreenInsetsCustomGC.java failed with 'Cannot invoke "sun.awt.X11GraphicsDevice.getInsets()" because "device" is null' + - JDK-8309841: Jarsigner should print a warning if an entry is removed + - JDK-8310525: DynamicLauncher for JDP test needs to try harder to find a free port + - JDK-8312246: NPE when HSDB visits bad oop + - JDK-8314120: Add tests for FileDescriptor.sync + - JDK-8314236: Overflow in Collections.rotate + - JDK-8314246: javax/swing/JToolBar/4529206/bug4529206.java fails intermittently on Linux + - JDK-8314320: Mark runtime/CommandLine/ tests as flagless + - JDK-8314828: Mark 3 jcmd command-line options test as vm.flagless + - JDK-8315484: java/awt/dnd/RejectDragDropActionTest.java timed out + - JDK-8315669: Open source several Swing PopupMenu related tests + - JDK-8315721: CloseRace.java#id0 fails transiently on libgraal + - JDK-8315742: Open source several Swing Scroll related tests + - JDK-8315871: Opensource five more Swing regression tests + - JDK-8315876: Open source several Swing CSS related tests + - JDK-8315951: Open source several Swing HTMLEditorKit related tests + - JDK-8315981: Opensource five more random Swing tests + - JDK-8316061: Open source several Swing RootPane and Slider related tests + - JDK-8316156: ByteArrayInputStream.transferTo causes MaxDirectMemorySize overflow + - JDK-8316228: jcmd tests are broken by 8314828 + - JDK-8316324: Opensource five miscellaneous Swing tests + - JDK-8316388: Opensource five Swing component related regression tests + - JDK-8316451: 6 java/lang/instrument/PremainClass tests ignore VM flags + - JDK-8316452: java/lang/instrument/modules/AppendToClassPathModuleTest.java ignores VM flags + - JDK-8316460: 4 javax/management tests ignore VM flags + - JDK-8316497: ColorConvertOp - typo for non-ICC conversions needs one-line fix + - JDK-8316629: j.text.DateFormatSymbols setZoneStrings() exception is unhelpful + - JDK-8318700: MacOS Zero cannot run gtests due to wrong JVM path + - JDK-8318915: Enhance checks in BigDecimal.toPlainString() + - JDK-8318962: Update ProcessTools javadoc with suggestions in 8315097 + - JDK-8319572: Test jdk/incubator/vector/LoadJsvmlTest.java ignores VM flags + - JDK-8319578: Few java/lang/instrument ignore test.java.opts and accept test.vm.opts only + - JDK-8319690: [AArch64] C2 compilation hits offset_ok_for_immed: assert "c2 compiler bug" + - JDK-8320682: [AArch64] C1 compilation fails with "Field too big for insn" + - JDK-8320687: sun.jvmstat.monitor.MonitoredHost.getMonitoredHost() throws unexpected exceptions when invoked concurrently + - JDK-8321204: C2: assert(false) failed: node should be in igvn hash table + - JDK-8321479: java -D-D crashes + - JDK-8321509: False positive in get_trampoline fast path causes crash + - JDK-8321713: Harmonize executeTestJvm with create[Limited]TestJavaProcessBuilder + - JDK-8321718: ProcessTools.executeProcess calls waitFor before logging + - JDK-8321931: memory_swap_current_in_bytes reports 0 as "unlimited" + - JDK-8325435: [macos] Menu or JPopupMenu not closed when main window is resized + - JDK-8325680: Uninitialised memory in deleteGSSCB of GSSLibStub.c:179 + - JDK-8325682: Rename nsk_strace.h + - JDK-8326389: [test] improve assertEquals failure output + - JDK-8328301: Convert Applet test ManualHTMLDataFlavorTest.java to main program + - JDK-8328482: Convert and Open source few manual applet test to main based + - JDK-8328484: Convert and Opensource few JFileChooser applet test to main + - JDK-8328648: Remove applet usage from JFileChooser tests bug4150029 + - JDK-8328670: Automate and open source few closed manual applet test + - JDK-8328673: Convert closed text/html/CSS manual applet test to main + - JDK-8329261: G1: interpreter post-barrier x86 code asserts index size of wrong buffer + - JDK-8330534: Update nsk/jdwp tests to use driver instead of othervm + - JDK-8330598: java/net/httpclient/Http1ChunkedTest.java fails with java.util.MissingFormatArgumentException: Format specifier '%s' + - JDK-8331735: UpcallLinker::on_exit races with GC when copying frame anchor + - JDK-8333117: Remove support of remote and manual debuggee launchers + - JDK-8333680: com/sun/tools/attach/BasicTests.java fails with "SocketException: Permission denied: connect" + - JDK-8334560: [PPC64]: postalloc_expand_java_dynamic_call_sched does not copy all fields + - JDK-8334644: Automate javax/print/attribute/PageRangesException.java + - JDK-8334780: Crash: assert(h_array_list.not_null()) failed: invariant + - JDK-8334895: OpenJDK fails to configure on linux aarch64 when CDS is disabled after JDK-8331942 + - JDK-8335662: [AArch64] C1: guarantee(val < (1ULL << nbits)) failed: Field too big for insn + - JDK-8335684: Test ThreadCpuTime.java should pause like ThreadCpuTimeArray.java + - JDK-8335836: serviceability/jvmti/StartPhase/AllowedFunctions/AllowedFunctions.java fails with unexpected exit code: 112 + - JDK-8336587: failure_handler lldb command times out on macosx-aarch64 core file + - JDK-8337221: CompileFramework: test library to conveniently compile java and jasm sources for fuzzing + - JDK-8337299: vmTestbase/nsk/jdb/stop_at/stop_at002/stop_at002.java failure goes undetected + - JDK-8338154: Fix -Wzero-as-null-pointer-constant warnings in gtest framework + - JDK-8339148: Make os::Linux::active_processor_count() public + - JDK-8339300: CollectorPolicy.young_scaled_initial_ergo_vm gtest fails on ppc64 based platforms + - JDK-8339639: Opensource few AWT PopupMenu tests + - JDK-8339678: Update runtime/condy tests to be executed with VM flags + - JDK-8339727: Open source several AWT focus tests - series 1 + - JDK-8339794: Open source closed choice tests #1 + - JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract + - JDK-8339836: Open source several AWT Mouse tests - Batch 1 + - JDK-8339842: Open source several AWT focus tests - series 2 + - JDK-8339895: Open source several AWT focus tests - series 3 + - JDK-8339906: Open source several AWT focus tests - series 4 + - JDK-8339935: Open source several AWT focus tests - series 5 + - JDK-8339982: Open source several AWT Mouse tests - Batch 2 + - JDK-8339984: Open source AWT MenuItem related tests + - JDK-8339995: Open source several AWT focus tests - series 6 + - JDK-8340077: Open source few Checkbox tests - Set2 + - JDK-8340084: Open source AWT Frame related tests + - JDK-8340143: Open source several Java2D rendering loop tests. + - JDK-8340164: Open source few Component tests - Set1 + - JDK-8340173: Open source some Component/Panel/EventQueue tests - Set2 + - JDK-8340176: Replace usage of -noclassgc with -Xnoclassgc in test/jdk/java/lang/management/MemoryMXBean/LowMemoryTest2.java + - JDK-8340193: Open source several AWT Dialog tests - Batch 1 + - JDK-8340228: Open source couple more miscellaneous AWT tests + - JDK-8340271: Open source several AWT Robot tests + - JDK-8340279: Open source several AWT Dialog tests - Batch 2 + - JDK-8340332: Open source mixed AWT tests - Set3 + - JDK-8340366: Open source several AWT Dialog tests - Batch 3 + - JDK-8340367: Opensource few AWT image tests + - JDK-8340393: Open source closed choice tests #2 + - JDK-8340407: Open source a few more Component related tests + - JDK-8340417: Open source some MenuBar tests - Set1 + - JDK-8340432: Open source some MenuBar tests - Set2 + - JDK-8340433: Open source closed choice tests #3 + - JDK-8340437: Open source few more AWT Frame related tests + - JDK-8340458: Open source additional Component tests (part 2) + - JDK-8340555: Open source DnD tests - Set4 + - JDK-8340560: Open Source several AWT/2D font and rendering tests + - JDK-8340605: Open source several AWT PopupMenu tests + - JDK-8340621: Open source several AWT List tests + - JDK-8340625: Open source additional Component tests (part 3) + - JDK-8340639: Open source few more AWT List tests + - JDK-8340713: Open source DnD tests - Set5 + - JDK-8340784: Remove PassFailJFrame constructor with screenshots + - JDK-8340790: Open source several AWT Dialog tests - Batch 4 + - JDK-8340809: Open source few more AWT PopupMenu tests + - JDK-8340874: Open source some of the AWT Geometry/Button tests + - JDK-8340907: Open source closed frame tests # 2 + - JDK-8340966: Open source few Checkbox and Cursor tests - Set1 + - JDK-8340967: Open source few Cursor tests - Set2 + - JDK-8340978: Open source few DnD tests - Set6 + - JDK-8340985: Open source some Desktop related tests + - JDK-8341000: Open source some of the AWT Window tests + - JDK-8341004: Open source AWT FileDialog related tests + - JDK-8341072: Open source several AWT Canvas and Rectangle related tests + - JDK-8341128: open source some 2d graphics tests + - JDK-8341148: Open source several Choice related tests + - JDK-8341162: Open source some of the AWT window test + - JDK-8341170: Open source several Choice related tests (part 2) + - JDK-8341177: Opensource few List and a Window test + - JDK-8341191: Open source few more AWT FileDialog tests + - JDK-8341239: Open source closed frame tests # 3 + - JDK-8341257: Open source few DND tests - Set1 + - JDK-8341258: Open source few various AWT tests - Set1 + - JDK-8341278: Open source few TrayIcon tests - Set7 + - JDK-8341298: Open source more AWT window tests + - JDK-8341373: Open source closed frame tests # 4 + - JDK-8341378: Open source few TrayIcon tests - Set8 + - JDK-8341447: Open source closed frame tests # 5 + - JDK-8341535: sun/awt/font/TestDevTransform.java fails with RuntimeException: Different rendering + - JDK-8341637: java/net/Socket/UdpSocket.java fails with "java.net.BindException: Address already in use" (macos-aarch64) + - JDK-8341972: java/awt/dnd/DnDRemoveFocusOwnerCrashTest.java timed out after JDK-8341257 + - JDK-8342376: More reliable OOM handling in ExceptionDuringDumpAtObjectsInitPhase test + - JDK-8342524: Use latch in AbstractButton/bug6298940.java instead of delay + - JDK-8342633: javax/management/security/HashedPasswordFileTest.java creates tmp file in src dir + - JDK-8343037: Missing @since tag on JColorChooser.showDialog overload + - JDK-8343103: Enable debug logging for vmTestbase/nsk/jvmti/scenarios/sampling/SP05/sp05t003/TestDescription.java + - JDK-8343124: Tests fails with java.lang.IllegalAccessException: class com.sun.javatest.regtest.agent.MainWrapper$MainTask cannot access + - JDK-8343170: java/awt/Cursor/JPanelCursorTest/JPanelCursorTest.java does not show the default cursor + - JDK-8343205: CompileBroker::possibly_add_compiler_threads excessively polls available memory + - JDK-8343529: serviceability/sa/ClhsdbWhere.java fails AssertionFailure: Corrupted constant pool + - JDK-8343891: Test javax/swing/JTabbedPane/TestJTabbedPaneBackgroundColor.java failed + - JDK-8343936: Adjust timeout in test javax/management/monitor/DerivedGaugeMonitorTest.java + - JDK-8344316: security/auth/callback/TextCallbackHandler/Password.java make runnable with JTReg and add the UI + - JDK-8344361: Restore null return for invalid services from legacy providers + - JDK-8345133: Test sun/security/tools/jarsigner/TsacertOptionTest.java failed: Warning found in stdout + - JDK-8345134: Test sun/security/tools/jarsigner/ConciseJarsigner.java failed: unable to find valid certification path to requested target + - JDK-8345357: test/jdk/javax/swing/JRadioButton/8033699/bug8033699.java fails in ubuntu22.04 + - JDK-8345447: test/jdk/javax/swing/JToolBar/4529206/bug4529206.java fails in ubuntu22.04 + - JDK-8345547: test/jdk/javax/swing/text/DefaultEditorKit/4278839/bug4278839.java fails in ubuntu22.04 + - JDK-8345598: Upgrade NSS binaries for interop tests + - JDK-8345625: Better HTTP connections + - JDK-8345728: [Accessibility,macOS,Screen Magnifier]: JCheckbox unchecked state does not magnify but works for checked state + - JDK-8345838: Remove the appcds/javaldr/AnonVmClassesDuringDump.java test + - JDK-8346049: jdk/test/lib/security/timestamp/TsaServer.java warnings + - JDK-8346581: JRadioButton/ButtonGroupFocusTest.java fails in CI on Linux + - JDK-8347000: Bug in com/sun/net/httpserver/bugs/B6361557.java test + - JDK-8347019: Test javax/swing/JRadioButton/8033699/bug8033699.java still fails: Focus is not on Radio Button Single as Expected + - JDK-8347083: Incomplete logging in nsk/jvmti/ResourceExhausted/resexhausted00* tests + - JDK-8347126: gc/stress/TestStressG1Uncommit.java gets OOM-killed + - JDK-8347267: [macOS]: UnixOperatingSystem.c:67:40: runtime error: division by zero + - JDK-8347286: (fs) Remove some extensions from java/nio/file/Files/probeContentType/Basic.java + - JDK-8347576: Error output in libjsound has non matching format strings + - JDK-8347629: Test FailOverDirectExecutionControlTest.java fails with -Xcomp + - JDK-8347911: Limit the length of inflated text chunks + - JDK-8347995: Race condition in jdk/java/net/httpclient/offline/FixedResponseHttpClient.java + - JDK-8348107: test/jdk/java/net/httpclient/HttpsTunnelAuthTest.java fails intermittently + - JDK-8348110: Update LCMS to 2.17 + - JDK-8348299: Update List/ItemEventTest/ItemEventTest.java + - JDK-8348596: Update FreeType to 2.13.3 + - JDK-8348597: Update HarfBuzz to 10.4.0 + - JDK-8348598: Update Libpng to 1.6.47 + - JDK-8348600: Update PipeWire to 1.3.81 + - JDK-8348865: JButton/bug4796987.java never runs because Windows XP is unavailable + - JDK-8348936: [Accessibility,macOS,VoiceOver] VoiceOver doesn't announce untick on toggling the checkbox with "space" key on macOS + - JDK-8348989: Better Glyph drawing + - JDK-8349039: Adjust exception No type named in database + - JDK-8349111: Enhance Swing supports + - JDK-8349200: [JMH] time.format.ZonedDateTimeFormatterBenchmark fails + - JDK-8349348: Refactor ClassLoaderDeadlock.sh and Deadlock.sh to run fully in java + - JDK-8349492: Update sun/security/pkcs12/KeytoolOpensslInteropTest.java to use a recent Openssl version + - JDK-8349501: Relocate supporting classes in security/testlibrary to test/lib/jdk tree + - JDK-8349594: Enhance TLS protocol support + - JDK-8349751: AIX build failure after upgrade pipewire to 1.3.81 + - JDK-8349974: [JMH,17u] MaskQueryOperationsBenchmark fails java.lang.NoClassDefFoundError + - JDK-8350211: CTW: Attempt to preload all classes in constant pool + - JDK-8350224: Test javax/swing/JComboBox/TestComboBoxComponentRendering.java fails in ubuntu 23.x and later + - JDK-8350260: Improve HTML instruction formatting in PassFailJFrame + - JDK-8350383: Test: add more test case for string compare (UL case) + - JDK-8350386: Test TestCodeCacheFull.java fails with option -XX:-UseCodeCacheFlushing + - JDK-8350412: [21u] AArch64: Ambiguous frame layout leads to incorrect traces in JFR + - JDK-8350498: Remove two Camerfirma root CA certificates + - JDK-8350540: [17u,11u] B8312065.java fails Network is unreachable + - JDK-8350546: Several java/net/InetAddress tests fails UnknownHostException + - JDK-8350616: Skip ValidateHazardPtrsClosure in non-debug builds + - JDK-8350651: Bump update version for OpenJDK: jdk-17.0.16 + - JDK-8350924: javax/swing/JMenu/4213634/bug4213634.java fails + - JDK-8350991: Improve HTTP client header handling + - JDK-8351086: (fc) Make java/nio/channels/FileChannel/BlockDeviceSize.java test manual + - JDK-8352076: [21u] Problem list tests that fail in 21 and would be fixed by 8309622 + - JDK-8352109: java/awt/Desktop/MailTest.java fails in platforms where Action.MAIL is not supported + - JDK-8352302: Test sun/security/tools/jarsigner/TimestampCheck.java is failing + - JDK-8352649: [17u] guarantee(is_result_safe || is_in_asgct()) failed inside AsyncGetCallTrace + - JDK-8352676: Opensource JMenu tests - series1 + - JDK-8352680: Opensource few misc swing tests + - JDK-8352684: Opensource JInternalFrame tests - series1 + - JDK-8352706: httpclient HeadTest does not run on HTTP2 + - JDK-8352716: (tz) Update Timezone Data to 2025b + - JDK-8352908: Open source several swing tests batch1 + - JDK-8352942: jdk/jfr/startupargs/TestMemoryOptions.java fails with 32-bit build + - JDK-8353070: Clean up and open source couple AWT Graphics related tests (Part 1) + - JDK-8353138: Screen capture for test TaskbarPositionTest.java, failure case + - JDK-8353320: Open source more Swing text tests + - JDK-8353446: Open source several AWT Menu tests - Batch 2 + - JDK-8353475: Open source two Swing DefaultCaret tests + - JDK-8353685: Open some JComboBox bugs 4 + - JDK-8353709: Debug symbols bundle should contain full debug files when building --with-external-symbols-in-bundles=public + - JDK-8353714: [17u] Backport of 8347740 incomplete + - JDK-8353942: Open source Swing Tests - Set 5 + - JDK-8354554: Open source several clipboard tests batch1 + - JDK-8356053: Test java/awt/Toolkit/Headless/HeadlessToolkit.java fails by timeout + - JDK-8356096: ISO 4217 Amendment 179 Update + - JDK-8356571: Re-enable -Wtype-limits for GCC in LCMS + - JDK-8357105: C2: compilation fails with "assert(false) failed: empty program detected during loop optimization" + - JDK-8357193: [VS 2022 17.14] Warning C5287 in debugInit.c: enum type mismatch during build + - JDK-8359170: Add 2 TLS and 2 CS Sectigo roots + - JDK-8360147: Better Glyph drawing redux + - JDK-8361674: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.16 + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8303770: Remove Baltimore root certificate expiring in May 2025 +=================================================================== +The following root certificate from Baltimore has been removed from +the `cacerts` keystore: + +Alias Name: baltimorecybertrustca [jdk] +Distinguished Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE + +JDK-8350498: Remove two Camerfirma root CA certificates +======================================================= +The following expired root certificates from Camerfirma have been +removed from the `cacerts` keystore: + +Alias name: camerfirmachamberscommerceca [jdk] +CN=Chambers of Commerce Root +OU=http://www.chambersign.org +O=AC Camerfirma SA CIF A82743287 +C=EU +SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3 + +Alias name: camerfirmachambersignca [jdk] +CN=Global Chambersign Root - 2008 +O=AC Camerfirma S.A. +SERIALNUMBER=A82743287 +L=Madrid (see current address at www.camerfirma.com/address) +C=EU +SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA + +JDK-8359170: Add 2 TLS and 2 CS Sectigo roots +============================================= +The following root certificates have been added to the cacerts +truststore: + +Name: Sectigo Limited +Alias Name: sectigocodesignroote46 +Distinguished Name: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB + +Name: Sectigo Limited +Alias Name: sectigocodesignrootr46 +Distinguished Name: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB + +Name: Sectigo Limited +Alias Name: sectigotlsroote46 +Distinguished Name: Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB + +Name: Sectigo Limited +Alias Name: sectigotlsrootr46 +Distinguished Name: Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB + +New in release OpenJDK 17.0.15 (2025-04-15): +============================================ +Live versions of these release notes can be found at: + * https://bit.ly/openjdk17015 + +* CVEs + - CVE-2025-21587 + - CVE-2025-30691 + - CVE-2025-30698 +* Changes + - JDK-6355567: AdobeMarkerSegment causes failure to read valid JPEG + - JDK-8065099: [macos] javax/swing/PopupFactory/6276087/NonOpaquePopupMenuTest.java fails: no background shine through + - JDK-8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts + - JDK-8198237: [macos] Test java/awt/Frame/ExceptionOnSetExtendedStateTest/ExceptionOnSetExtendedStateTest.java fails + - JDK-8198666: Many java/awt/Modal/OnTop/ test fails on mac + - JDK-8208565: [TEST_BUG] javax\swing\PopupFactory\6276087\NonOpaquePopupMenuTest.java throws NPE + - JDK-8226933: [TEST_BUG]GTK L&F: There is no swatches or RGB tab in JColorChooser + - JDK-8226938: [TEST_BUG]GTK L&F: There is no Details button in FileChooser Dialog + - JDK-8266435: WBMPImageReader.read() should not truncate the input stream + - JDK-8267893: Improve jtreg test failure handler do get native/mixed stack traces for cores and live processes + - JDK-8270961: [TESTBUG] Move GotWrongOOMEException into vm.share.gc package + - JDK-8274893: Update java.desktop classes to use try-with-resources + - JDK-8276202: LogFileOutput.invalid_file_vm asserts when being executed from a read only working directory + - JDK-8277240: java/awt/Graphics2D/ScaledTransform/ScaledTransform.java dialog does not get disposed + - JDK-8281234: The -protected option is not always checked in keytool and jarsigner + - JDK-8282314: nsk/jvmti/SuspendThread/suspendthrd003 may leak memory + - JDK-8283387: [macos] a11y : Screen magnifier does not show selected Tab + - JDK-8283404: [macos] a11y : Screen magnifier does not show JMenu name + - JDK-8283664: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintTextTest.java + - JDK-8286779: javax.crypto.CryptoPolicyParser#isConsistent always returns 'true' + - JDK-8286875: ProgrammableUpcallHandler::on_entry/on_exit access thread fields from native + - JDK-8290400: Must run exe installers in jpackage jtreg tests without UI + - JDK-8292588: [macos] Multiscreen/MultiScreenLocationTest/MultiScreenLocationTest.java: Robot.mouseMove test failed on Screen #0 + - JDK-8292704: sun/security/tools/jarsigner/compatibility/Compatibility.java use wrong key size for EC + - JDK-8292848: AWT_Mixing and TrayIcon tests fail on el8 with hard-coded isOel7 + - JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic + - JDK-8293412: Remove unnecessary java.security.egd overrides + - JDK-8294067: [macOS] javax/swing/JComboBox/6559152/bug6559152.java Cannot select an item from popup with the ENTER key. + - JDK-8294316: SA core file support is broken on macosx-x64 starting with macOS 12.x + - JDK-8295087: Manual Test to Automated Test Conversion + - JDK-8295176: some langtools test pollutes source tree + - JDK-8296591: Signature benchmark + - JDK-8296818: Enhance JMH tests java/security/Signatures.java + - JDK-8299077: [REDO] JDK-4512626 Non-editable JTextArea provides no visual indication of keyboard focus + - JDK-8299127: [REDO] JDK-8194048 Regression automated test '/open/test/jdk/javax/swing/text/DefaultCaret/HidingSelection/HidingSelectionTest.java' fails + - JDK-8299128: [REDO] JDK-8213562 Test javax/swing/text/DefaultCaret/HidingSelection/MultiSelectionTest.java fails + - JDK-8299739: HashedPasswordFileTest.java and ExceptionTest.java can fail with java.lang.NullPointerException + - JDK-8299994: java/security/Policy/Root/Root.java fails when home directory is read-only + - JDK-8301989: new javax.swing.text.DefaultCaret().setBlinkRate(N) results in NPE + - JDK-8302111: Serialization considerations + - JDK-8305853: java/text/Format/DateFormat/DateFormatRegression.java fails with "Uncaught exception thrown in test method Test4089106" + - JDK-8306711: Improve diagnosis of `IntlTest` framework + - JDK-8308341: JNI_GetCreatedJavaVMs returns a partially initialized JVM + - JDK-8309171: Test vmTestbase/nsk/jvmti/scenarios/jni_interception/JI05/ji05t001/TestDescription.java fails after JDK-8308341 + - JDK-8309231: ProblemList vmTestbase/nsk/jvmti/scenarios/jni_interception/JI05/ji05t001/TestDescription.java + - JDK-8309740: Expand timeout windows for tests in JDK-8179502 + - JDK-8309841: Jarsigner should print a warning if an entry is removed + - JDK-8310234: Refactor Locale tests to use JUnit + - JDK-8310629: java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java fails with RuntimeException Server not ready + - JDK-8311306: Test com/sun/management/ThreadMXBean/ThreadCpuTimeArray.java failed: out of expected range + - JDK-8311546: Certificate name constraints improperly validated with leading period + - JDK-8311663: Additional refactoring of Locale tests to JUnit + - JDK-8312416: Tests in Locale should have more descriptive names + - JDK-8312518: [macos13] setFullScreenWindow() shows black screen on macOS 13 & above + - JDK-8313633: [macOS] java/awt/dnd/NextDropActionTest/NextDropActionTest.java fails with java.lang.RuntimeException: wrong next drop action! + - JDK-8313710: jcmd: typo in the documentation of JFR.start and JFR.dump + - JDK-8314225: SIGSEGV in JavaThread::is_lock_owned + - JDK-8314610: hotspot can't compile with the latest of gtest because of + - JDK-8314752: Use google test string comparison macros + - JDK-8314909: tools/jpackage/windows/Win8282351Test.java fails with java.lang.AssertionError: Expected [0]. Actual [1618]: + - JDK-8314975: JavadocTester should set source path if not specified + - JDK-8315486: vmTestbase/nsk/jdwp/ThreadReference/ForceEarlyReturn/forceEarlyReturn002/forceEarlyReturn002.java timed out + - JDK-8315825: Open some swing tests + - JDK-8315882: Open some swing tests 2 + - JDK-8315883: Open source several Swing JToolbar tests + - JDK-8315952: Open source several Swing JToolbar JTooltip JTree tests + - JDK-8316056: Open source several Swing JTree tests + - JDK-8316146: Open some swing tests 4 + - JDK-8316149: Open source several Swing JTree JViewport KeyboardManager tests + - JDK-8316218: Open some swing tests 5 + - JDK-8316371: Open some swing tests 6 + - JDK-8316559: Refactor some util/Calendar tests to JUnit + - JDK-8316627: JViewport Test headless failure + - JDK-8316696: Remove the testing base classes: IntlTest and CollatorTest + - JDK-8317631: Refactor ChoiceFormat tests to use JUnit + - JDK-8317636: Improve heap walking API tests to verify correctness of field indexes + - JDK-8318442: java/net/httpclient/ManyRequests2.java fails intermittently on Linux + - JDK-8319567: Update java/lang/invoke tests to support vm flags + - JDK-8319568: Update java/lang/reflect/exeCallerAccessTest/CallerAccessTest.java to accept vm flags + - JDK-8319569: Several java/util tests should be updated to accept VM flags + - JDK-8319647: Few java/lang/System/LoggerFinder/modules tests ignore vm flags + - JDK-8319648: java/lang/SecurityManager tests ignore vm flags + - JDK-8319672: Several classloader tests ignore VM flags + - JDK-8319673: Few security tests ignore VM flags + - JDK-8319676: A couple of jdk/modules/incubator/ tests ignore VM flags + - JDK-8319677: Test jdk/internal/misc/VM/RuntimeArguments.java should be marked as flagless + - JDK-8319818: Address GCC 13.2.0 warnings (stringop-overflow and dangling-pointer) + - JDK-8320372: test/jdk/sun/security/x509/DNSName/LeadingPeriod.java validity check failed + - JDK-8320676: Manual printer tests have no Pass/Fail buttons, instructions close set 1 + - JDK-8320691: Timeout handler on Windows takes 2 hours to complete + - JDK-8320714: java/util/Locale/LocaleProvidersRun.java and java/util/ResourceBundle/modules/visibility/VisibilityTest.java timeout after passing + - JDK-8320916: jdk/jfr/event/gc/stacktrace/TestParallelMarkSweepAllocationPendingStackTrace.java failed with "OutOfMemoryError: GC overhead limit exceeded" + - JDK-8321818: vmTestbase/nsk/stress/strace/strace015.java failed with 'Cannot read the array length because "" is null' + - JDK-8323196: jdk/jfr/api/consumer/filestream/TestOrdered.java failed with "Events are not ordered! Reuse = false" + - JDK-8324672: Update jdk/java/time/tck/java/time/TCKInstant.java now() to be more robust + - JDK-8324807: Manual printer tests have no Pass/Fail buttons, instructions close set 2 + - JDK-8325024: java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java incorrect comment information + - JDK-8325042: Remove unused JVMDITools test files + - JDK-8325529: Remove unused imports from `ModuleGenerator` test file + - JDK-8325659: Normalize Random usage by incubator vector tests + - JDK-8325906: Problemlist vmTestbase/vm/mlvm/meth/stress/compiler/deoptimize/Test.java#id1 until JDK-8320865 is fixed + - JDK-8325908: Finish removal of IntlTest and CollatorTest + - JDK-8325937: runtime/handshake/HandshakeDirectTest.java causes "monitor end should be strictly below the frame pointer" assertion failure on AArch64 + - JDK-8326421: Add jtreg test for large arrayCopy disjoint case. + - JDK-8326525: com/sun/tools/attach/BasicTests.java does not verify AgentLoadException case + - JDK-8327098: GTest needs larger combination limit + - JDK-8327476: Upgrade JLine to 3.26.1 + - JDK-8327505: Test com/sun/jmx/remote/NotificationMarshalVersions/TestSerializationMismatch.java fails + - JDK-8327857: Remove applet usage from JColorChooser tests Test4222508 + - JDK-8327859: Remove applet usage from JColorChooser tests Test4319113 + - JDK-8327986: ASAN reports use-after-free in DirectivesParserTest.empty_object_vm + - JDK-8328005: Convert java/awt/im/JTextFieldTest.java applet test to main + - JDK-8328085: C2: Use after free in PhaseChaitin::Register_Allocate() + - JDK-8328121: Remove applet usage from JColorChooser tests Test4759306 + - JDK-8328130: Remove applet usage from JColorChooser tests Test4759934 + - JDK-8328185: Convert java/awt/image/MemoryLeakTest/MemoryLeakTest.java applet test to main + - JDK-8328227: Remove applet usage from JColorChooser tests Test4887836 + - JDK-8328368: Convert java/awt/image/multiresolution/MultiDisplayTest/MultiDisplayTest.java applet test to main + - JDK-8328370: Convert java/awt/print/Dialog/PrintApplet.java applet test to main + - JDK-8328380: Remove applet usage from JColorChooser tests Test6348456 + - JDK-8328387: Convert java/awt/Frame/FrameStateTest/FrameStateTest.html applet test to main + - JDK-8328403: Remove applet usage from JColorChooser tests Test6977726 + - JDK-8328553: Get rid of JApplet in test/jdk/sanity/client/lib/SwingSet2/src/DemoModule.java + - JDK-8328558: Convert javax/swing/JCheckBox/8032667/bug8032667.java applet test to main + - JDK-8328717: Convert javax/swing/JColorChooser/8065098/bug8065098.java applet test to main + - JDK-8328719: Convert java/awt/print/PageFormat/SetOrient.html applet test to main + - JDK-8328730: Convert java/awt/print/bug8023392/bug8023392.html applet test to main + - JDK-8328753: Open source few Undecorated Frame tests + - JDK-8328819: Remove applet usage from JFileChooser tests bug6698013 + - JDK-8328827: Convert java/awt/print/PrinterJob/PrinterDialogsModalityTest/PrinterDialogsModalityTest.html applet test to main + - JDK-8329210: Delete Redundant Printer Dialog Modality Test + - JDK-8329320: Simplify awt/print/PageFormat/NullPaper.java test + - JDK-8329322: Convert PageFormat/Orient.java to use PassFailJFrame + - JDK-8329692: Add more details to FrameStateTest.java test instructions + - JDK-8330702: Update failure handler to don't generate Error message if cores actions are empty + - JDK-8331153: JFR: Improve logging of jdk/jfr/api/consumer/filestream/TestOrdered.java + - JDK-8331735: UpcallLinker::on_exit races with GC when copying frame anchor + - JDK-8331959: Update PKCS#11 Cryptographic Token Interface to v3.1 + - JDK-8332158: [XWayland] test/jdk/java/awt/Mouse/EnterExitEvents/ResizingFrameTest.java + - JDK-8332917: failure_handler should execute gdb "info threads" command on linux + - JDK-8333360: PrintNullString.java doesn't use float arguments + - JDK-8333391: Test com/sun/jdi/InterruptHangTest.java failed: Thread was never interrupted during sleep + - JDK-8333403: Write a test to check various components events are triggered properly + - JDK-8333427: langtools/tools/javac/newlines/NewLineTest.java is failing on Japanese Windows + - JDK-8334305: Remove all code for nsk.share.Log verbose mode + - JDK-8334490: Normalize string with locale invariant `toLowerCase()` + - JDK-8334777: Test javax/management/remote/mandatory/notif/NotifReconnectDeadlockTest.java failed with NullPointerException + - JDK-8335150: Test LogGeneratedClassesTest.java fails on rpmbuild mock enviroment + - JDK-8335172: Add manual steps to run security/auth/callback/TextCallbackHandler/Password.java test + - JDK-8335789: [TESTBUG] XparColor.java test fails with Error. Parse Exception: Invalid or unrecognized bugid: @ + - JDK-8336012: Fix usages of jtreg-reserved properties + - JDK-8336498: [macos] [build]: install-file macro may run into permission denied error + - JDK-8336692: Redo fix for JDK-8284620 + - JDK-8336942: Improve test coverage for class loading elements with annotations of different retentions + - JDK-8337222: gc/TestDisableExplicitGC.java fails due to unexpected CodeCache GC + - JDK-8337494: Clarify JarInputStream behavior + - JDK-8337692: Better TLS connection support + - JDK-8337826: Improve logging in OCSPTimeout and SimpleOCSPResponder to help diagnose JDK-8309754 + - JDK-8337886: java/awt/Frame/MaximizeUndecoratedTest.java fails in OEL due to a slight color difference + - JDK-8337951: Test sun/security/validator/samedn.sh CertificateNotYetValidException: NotBefore validation + - JDK-8338100: C2: assert(!n_loop->is_member(get_loop(lca))) failed: control must not be back in the loop + - JDK-8338426: Test java/nio/channels/Selector/WakeupNow.java failed + - JDK-8338430: Improve compiler transformations + - JDK-8338571: [TestBug] DefaultCloseOperation.java test not working as expected wrt instruction after JDK-8325851 fix + - JDK-8338595: Add more linesize for MIME decoder in macro bench test Base64Decode + - JDK-8338668: Test javax/swing/JFileChooser/8080628/bug8080628.java doesn't test for GTK L&F + - JDK-8339154: Cleanups and JUnit conversion of test/jdk/java/util/zip/Available.java + - JDK-8339261: Logs truncated in test javax/net/ssl/DTLS/DTLSRehandshakeTest.java + - JDK-8339356: Test javax/net/ssl/SSLSocket/Tls13PacketSize.java failed with java.net.SocketException: An established connection was aborted by the software in your host machine + - JDK-8339524: Clean up a few ExtendedRobot tests + - JDK-8339687: Rearrange reachabilityFence()s in jdk.test.lib.util.ForceGC + - JDK-8339728: [Accessibility,Windows,JAWS] Bug in the getKeyChar method of the AccessBridge class + - JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract + - JDK-8339883: Open source several AWT/2D related tests + - JDK-8339902: Open source couple TextField related tests + - JDK-8339943: Frame not disposed in java/awt/dnd/DropActionChangeTest.java + - JDK-8340078: Open source several 2D tests + - JDK-8340116: test/jdk/sun/security/tools/jarsigner/PreserveRawManifestEntryAndDigest.java can fail due to regex + - JDK-8340411: open source several 2D imaging tests + - JDK-8340480: Bad copyright notices in changes from JDK-8339902 + - JDK-8340687: Open source closed frame tests #1 + - JDK-8340719: Open source AWT List tests + - JDK-8340969: jdk/jfr/startupargs/TestStartDuration.java should be marked as flagless + - JDK-8341037: Use standard layouts in DefaultFrameIconTest.java and MenuCrash.java + - JDK-8341111: open source several AWT tests including menu shortcut tests + - JDK-8341316: [macos] javax/swing/ProgressMonitor/ProgressMonitorEscapeKeyPress.java fails sometimes in macos + - JDK-8341412: Various test failures after JDK-8334305 + - JDK-8341424: GHA: Collect hs_errs from build time failures + - JDK-8341453: java/awt/a11y/AccessibleJTableTest.java fails in some cases where the test tables are not visible + - JDK-8341722: Fix some warnings as errors when building on Linux with toolchain clang + - JDK-8341881: [REDO] java/nio/file/attribute/BasicFileAttributeView/CreationTime.java#tmp fails on alinux3 + - JDK-8341978: Improve JButton/bug4490179.java + - JDK-8341982: Simplify JButton/bug4323121.java + - JDK-8342098: Write a test to compare the images + - JDK-8342145: File libCreationTimeHelper.c compile fails on Alpine + - JDK-8342270: Test sun/security/pkcs11/Provider/RequiredMechCheck.java needs write access to src tree + - JDK-8342498: Add test for Allocation elimination after use as alignment reference by SuperWord + - JDK-8342508: Use latch in BasicMenuUI/bug4983388.java instead of delay + - JDK-8342541: Exclude List/KeyEventsTest/KeyEventsTest.java from running on macOS + - JDK-8342562: Enhance Deflater operations + - JDK-8342602: Remove JButton/PressedButtonRightClickTest test + - JDK-8342607: Enhance register printing on x86_64 platforms + - JDK-8342609: jpackage test helper function incorrectly removes a directory instead of its contents only + - JDK-8342634: javax/imageio/plugins/wbmp/WBMPStreamTruncateTest.java creates temp file in src dir + - JDK-8342635: javax/swing/JFileChooser/FileSystemView/WindowsDefaultIconSizeTest.java creates tmp file in src dir + - JDK-8342704: GHA: Report truncation is broken after JDK-8341424 + - JDK-8342811: java/net/httpclient/PlainProxyConnectionTest.java failed: Unexpected connection count: 5 + - JDK-8342858: Make target mac-jdk-bundle fails on chmod command + - JDK-8342988: GHA: Build JTReg in single step + - JDK-8343007: Enhance Buffered Image handling + - JDK-8343100: Consolidate EmptyFolderTest and EmptyFolderPackageTest jpackage tests into single java file + - JDK-8343101: Rework BasicTest.testTemp test cases + - JDK-8343118: [TESTBUG] java/awt/PrintJob/PrintCheckboxTest/PrintCheckboxManualTest.java fails with rror. Can't find HTML file PrintCheckboxManualTest.html + - JDK-8343128: PassFailJFrame.java test result: Error. Bad action for script: build} + - JDK-8343129: Disable unstable check of ThreadsListHandle.sanity_vm ThreadList values + - JDK-8343178: Test BasicTest.java javac compile fails cannot find symbol + - JDK-8343378: Exceptions in javax/management DeadLockTest.java do not cause test failure + - JDK-8343491: javax/management/remote/mandatory/connection/DeadLockTest.java failing with NoSuchObjectException: no such object in table + - JDK-8343599: Kmem limit and max values swapped when printing container information + - JDK-8343724: [PPC64] Disallow OptoScheduling + - JDK-8343882: BasicAnnoTests doesn't handle multiple annotations at the same position + - JDK-8344581: [TESTBUG] java/awt/Robot/ScreenCaptureRobotTest.java failing on macOS + - JDK-8344589: Update IANA Language Subtag Registry to Version 2024-11-19 + - JDK-8344646: The libjsig deprecation warning should go to stderr not stdout + - JDK-8345296: AArch64: VM crashes with SIGILL when prctl is disallowed + - JDK-8345368: java/io/File/createTempFile/SpecialTempFile.java fails on Windows Server 2025 + - JDK-8345371: Bump update version for OpenJDK: jdk-17.0.15 + - JDK-8345375: Improve debuggability of test/jdk/java/net/Socket/CloseAvailable.java + - JDK-8345414: Google CAInterop test failures + - JDK-8345468: test/jdk/javax/swing/JScrollBar/4865918/bug4865918.java fails in ubuntu22.04 + - JDK-8346055: javax/swing/text/StyledEditorKit/4506788/bug4506788.java fails in ubuntu22.04 + - JDK-8346324: javax/swing/JScrollBar/4865918/bug4865918.java fails in CI + - JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs + - JDK-8346671: java/nio/file/Files/probeContentType/Basic.java fails on Windows 2025 + - JDK-8346828: javax/swing/JScrollBar/4865918/bug4865918.java still fails in CI + - JDK-8346887: DrawFocusRect() may cause an assertion failure + - JDK-8346908: Update JDK 17 javadoc man page + - JDK-8346972: Test java/nio/channels/FileChannel/LoopingTruncate.java fails sometimes with IOException: There is not enough space on the disk + - JDK-8347424: Fix and rewrite sun/security/x509/DNSName/LeadingPeriod.java test + - JDK-8347427: JTabbedPane/8134116/Bug8134116.java has no license header + - JDK-8347740: java/io/File/createTempFile/SpecialTempFile.java failing + - JDK-8347847: Enhance jar file support + - JDK-8347965: (tz) Update Timezone Data to 2025a + - JDK-8348625: [21u, 17u] Revert JDK-8185862 to restore old java.awt.headless behavior on Windows + - JDK-8348675: TrayIcon tests fail in Ubuntu 24.10 Wayland + - JDK-8349603: [21u, 17u, 11u] Update GHA JDKs after Jan/25 updates + - JDK-8352097: (tz) zone.tab update missed in 2025a backport + - JDK-8353905: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.15 + +Notes on individual issues: +=========================== + +security-libs/javax.net.ssl: + +JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs +============================================================================= +In accordance with similar plans recently announced by Google, +Mozilla, Apple and Microsoft, the JDK will not trust Transport Layer +Security (TLS) certificates issued after the 15th of April 2025 which +are anchored by Camerfirma root certificates. + +Certificates issued on or before April 15th, 2025 will continue to +be trusted until they expire. + +If a server's certificate chain is anchored by an affected +certificate, attempts to negotiate a TLS session will fail with an +Exception that indicates the trust anchor is not trusted. For example, + +"TLS server certificate issued after 2025-04-15 and anchored by a +distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - +2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see +current address at www.camerfirma.com/address), C=EU" + +To check whether a certificate in a JDK keystore is affected by this +change, you can the `keytool` utility: + +keytool -v -list -alias -keystore + +If any of the certificates in the chain are affected by this change, +then you will need to update the certificate or contact the +organisation responsible for managing the certificate. + +These restrictions apply to the following Camerfirma root certificates +included in the JDK: + +Alias name: camerfirmachamberscommerceca [jdk] +CN=Chambers of Commerce Root +OU=http://www.chambersign.org +O=AC Camerfirma SA CIF A82743287 +C=EU +SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3 + +Alias name: camerfirmachambersca [jdk] +CN=Chambers of Commerce Root - 2008 +O=AC Camerfirma S.A. +SERIALNUMBER=A82743287 +L=Madrid (see current address at www.camerfirma.com/address) +C=EU +SHA256: 06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0 + +Alias name: camerfirmachambersignca [jdk] +CN=Global Chambersign Root - 2008 +O=AC Camerfirma S.A. +SERIALNUMBER=A82743287 +L=Madrid (see current address at www.camerfirma.com/address) +C=EU +SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA + +Users can, *at their own risk*, remove this restriction by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) so "CAMERFIRMA_TLS" is no +longer listed in the `jdk.security.caDistrustPolicies` security +property. + +security-libs/javax.crypto:pkcs11: + +JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic +========================================================================== +In OpenJDK 14, the notion of legacy mechanisms was introduced into the +SunPKCS11 provider. If a mechanism was found to be using a weak +algorithm, it was determined to be legacy and disabled. + +However, this approach has proved inflexible. There was no way for the +user to override the legacy determination and enable the mechanism +anyway. Also, a mechanism being used for signing would be declared +legacy and disabled if it had a weak encryption algorithm, even though +encryption was not being used. Similarly, a weak signing algorithm +would prevent the mechanism's use as a cipher for encryption or +decryption. + +This OpenJDK release resolves these issues. It introduces the PKCS11 +provider configuration attribute "allowLegacy" which can be set to +`true` if the user wishes to override the legacy determination. By +default, it is set to `false`. The legacy determination now also +considers the service type and will only check encryption algorithms +for Ciphers and only signature algorithms for Signatures. + +hotspot/runtime: + +JDK-8308341: JNI_GetCreatedJavaVMs returns a partially initialized JVM +====================================================================== +In previous OpenJDK releases, the JNI method `jint +JNI_GetCreatedJavaVMs(JavaVM **vm_buf, jsize bufLen, jsize *numVMs)` +could return a VM in the `vm_buf` array which was still in the process +of being initialised. With this release, the method now only returns +fully initialised VMs. + +Before making use of the `vm_buf` array, please ensure that the number +of VMs returned in `numVMs` is greater than zero. + +security-libs/java.security: + +JDK-8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts +============================================================= +This OpenJDK release introduces three new properties which allow +greater control over the timeouts for OCSP connections and certificate +retrieval: + +* `com.sun.security.ocsp.readtimeout` is paired with the existing +`com.sun.security.ocsp.timeout` to allow the timeout for reading data +to be set separately from the timeout for the transport layer. If +`com.sun.security.ocsp.readtimeout` is not set, it will default to the +value of `com.sun.security.ocsp.timeout` as before, which itself has a +default of 15 seconds. + +* `com.sun.security.cert.timeout` is used to set the connection timeout +for the download of certificates for certificate authorities. It defaults +to 15 seconds. + +* `com.sun.security.crl.readtimeout` is used to set the data read timeout +for the download of certificates for certificate authorities. It defaults +to 15 seconds. + +Note that certificate downloads only take place if the +``com.sun.security.enableAIAcaIssuers` property is set to `true`. + +The syntax of all four property values has also been improved. The +value is still expected to be a positive decimal integer value, but an +optional suffix can be appended to cause the value to be interpreted +as either seconds ("s") or milliseconds ("ms"). If no suffix is given, +the value is assumed to be in seconds as before. Anything other than a +decimal digit prior to the suffix will be rejected and the default +used instead. For example, "-5", "0xA" and "6.2" are all invalid +values. + +JDK-8309841: Jarsigner should print a warning if an entry is removed +==================================================================== +In previous OpenJDK releases, the jarsigner tool did not detect the +case where a file was removed from a signed JAR file but its signature +was still present. With this release, `jarsigner -verify` checks that +every signature has a matching file entry and prints a warning if this +is not the case. The `-verbose` option can also be added to the +command to see the names of the mismatched entries. + +New in release OpenJDK 17.0.14 (2025-01-21): +============================================ +Live versions of these release notes can be found at: + * https://bit.ly/openjdk17014 + +* CVEs + - CVE-2025-21502 +* Changes + - JDK-7093691: Nimbus LAF: disabled JComboBox using renderer has bad font color + - JDK-8028127: Regtest java/security/Security/SynchronizedAccess.java is incorrect + - JDK-8071693: Introspector ignores default interface methods + - JDK-8195675: Call to insertText with single character from custom Input Method ignored + - JDK-8202926: Test java/awt/Focus/WindowUpdateFocusabilityTest/WindowUpdateFocusabilityTest.html fails + - JDK-8207908: JMXStatusTest.java fails assertion intermittently + - JDK-8225220: When the Tab Policy is checked,the scroll button direction displayed incorrectly. + - JDK-8240343: JDI stopListening/stoplis001 "FAILED: listening is successfully stopped without starting listening" + - JDK-8254759: [TEST_BUG] [macosx] javax/swing/JInternalFrame/4202966/IntFrameCoord.html fails + - JDK-8258734: jdk/jfr/event/oldobject/TestClassLoaderLeak.java failed with "RuntimeException: Could not find class leak" + - JDK-8268364: jmethod clearing should be done during unloading + - JDK-8269770: nsk tests should start IOPipe channel before launch debuggee - Debugee.prepareDebugee + - JDK-8271003: hs_err improvement: handle CLASSPATH env setting longer than O_BUFLEN + - JDK-8271456: Avoid looking up standard charsets in "java.desktop" module + - JDK-8271821: mark hotspot runtime/MinimalVM tests which ignore external VM flags + - JDK-8271825: mark hotspot runtime/LoadClass tests which ignore external VM flags + - JDK-8271836: runtime/ErrorHandling/ClassPathEnvVar.java fails with release VMs + - JDK-8272746: ZipFile can't open big file (NegativeArraySizeException) + - JDK-8273914: Indy string concat changes order of operations + - JDK-8274170: Add hooks for custom makefiles to augment jtreg test execution + - JDK-8274505: Too weak variable type leads to unnecessary cast in java.desktop + - JDK-8276763: java/nio/channels/SocketChannel/AdaptorStreams.java fails with "SocketTimeoutException: Read timed out" + - JDK-8278527: java/util/concurrent/tck/JSR166TestCase.java fails nanoTime test + - JDK-8280131: jcmd reports "Module jdk.jfr not found." when "jdk.management.jfr" is missing + - JDK-8281379: Assign package declarations to all jtreg test cases under gc + - JDK-8282578: AIOOBE in javax.sound.sampled.Clip + - JDK-8283214: [macos] Screen magnifier does not show the magnified text for JComboBox + - JDK-8283222: improve diagnosability of runtime/8176717/TestInheritFD.java timeouts + - JDK-8284291: sun/security/krb5/auto/Renew.java fails intermittently on Windows 11 + - JDK-8284874: Add comment to ProcessHandle/OnExitTest to describe zombie problem + - JDK-8286160: (fs) Files.exists returns unexpected results with C:\pagefile.sys because it's not readable + - JDK-8287003: InputStreamReader::read() can return zero despite writing a char in the buffer + - JDK-8288976: classfile parser 'wrong name' error message has the names the wrong way around + - JDK-8289184: runtime/ClassUnload/DictionaryDependsTest.java failed with "Test failed: should be unloaded" + - JDK-8290023: Remove use of IgnoreUnrecognizedVMOptions in gc tests + - JDK-8290269: gc/shenandoah/TestVerifyJCStress.java fails due to invalid tag: required after JDK-8290023 + - JDK-8292309: Fix java/awt/PrintJob/ConstrainedPrintingTest/ConstrainedPrintingTest.java test + - JDK-8293061: Combine CDSOptions and AppCDSOptions test utility classes + - JDK-8293877: Rewrite MineField test + - JDK-8294193: Files.createDirectories throws FileAlreadyExistsException for a symbolic link whose target is an existing directory + - JDK-8294726: Update URLs in minefield tests + - JDK-8295239: Refactor java/util/Formatter/Basic script into a Java native test launcher + - JDK-8295344: Harden runtime/StackGuardPages/TestStackGuardPages.java + - JDK-8295859: Update Manual Test Groups + - JDK-8296709: WARNING: JNI call made without checking exceptions + - JDK-8296718: Refactor bootstrap Test Common Functionalities to test/lib/Utils + - JDK-8296787: Unify debug printing format of X.509 cert serial numbers + - JDK-8296972: [macos13] java/awt/Frame/MaximizedToIconified/MaximizedToIconified.java: getExtendedState() != 6 as expected. + - JDK-8298513: vmTestbase/nsk/jdi/EventSet/suspendPolicy/suspendpolicy009/TestDescription.java fails with usage tracker + - JDK-8300416: java.security.MessageDigestSpi clone can result in thread-unsafe clones + - JDK-8301379: Verify TLS_ECDH_* cipher suites cannot be negotiated + - JDK-8302225: SunJCE Provider doesn't validate key sizes when using 'constrained' transforms for AES/KW and AES/KWP + - JDK-8303697: ProcessTools doesn't print last line of process output + - JDK-8303705: Field sleeper.started should be volatile JdbLockTestTarg.java + - JDK-8303742: CompletableFuture.orTimeout leaks if the future completes exceptionally + - JDK-8304020: Speed up test/jdk/java/util/zip/ZipFile/TestTooManyEntries.java and clarify its purpose + - JDK-8304557: java/util/concurrent/CompletableFuture/CompletableFutureOrTimeoutExceptionallyTest.java times out + - JDK-8306015: Update sun.security.ssl TLS tests to use SSLContextTemplate or SSLEngineTemplate + - JDK-8307297: Move some DnD tests to open + - JDK-8307408: Some jdk/sun/tools/jhsdb tests don't pass test JVM args to the debuggee JVM + - JDK-8309109: AArch64: [TESTBUG] compiler/intrinsics/sha/cli/TestUseSHA3IntrinsicsOptionOnSupportedCPU.java fails on Neoverse N2 and V1 + - JDK-8309303: jdk/internal/misc/VM/RuntimeArguments test ignores jdk/internal/vm/options + - JDK-8309532: java/lang/Class/getDeclaredField/FieldSetAccessibleTest should filter modules that depend on JVMCI + - JDK-8310072: JComboBox/DisabledComboBoxFontTestAuto: Enabled and disabled ComboBox does not match in these LAFs: GTK+ + - JDK-8310731: Configure a javax.net.ssl.SNIMatcher for the HTTP/1.1 test servers in java/net/httpclient tests + - JDK-8312111: open/test/jdk/java/awt/Robot/ModifierRobotKey/ModifierRobotKeyTest.java fails on ubuntu 23.04 + - JDK-8313374: --enable-ccache's CCACHE_BASEDIR breaks builds + - JDK-8313638: Add test for dump of resolved references + - JDK-8313854: Some tests in serviceability area fail on localized Windows platform + - JDK-8313878: Exclude two compiler/rtm/locking tests on ppc64le + - JDK-8314333: Update com/sun/jdi/ProcessAttachTest.java to use ProcessTools.createTestJvm(..) + - JDK-8314824: Fix serviceability/jvmti/8036666/GetObjectLockCount.java to use vm flags + - JDK-8314829: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java ignores vm flags + - JDK-8314831: NMT tests ignore vm flags + - JDK-8315097: Rename createJavaProcessBuilder + - JDK-8315406: [REDO] serviceability/jdwp/AllModulesCommandTest.java ignores VM flags + - JDK-8315988: Parallel: Make TestAggressiveHeap use createTestJvm + - JDK-8316410: GC: Make TestCompressedClassFlags use createTestJvm + - JDK-8316446: 4 sun/management/jdp tests ignore VM flags + - JDK-8316447: 8 sun/management/jmxremote tests ignore VM flags + - JDK-8316464: 3 sun/tools tests ignore VM flags + - JDK-8316562: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java times out after JDK-8314829 + - JDK-8316581: Improve performance of Symbol::print_value_on() + - JDK-8317042: G1: Make TestG1ConcMarkStepDurationMillis use createTestJvm + - JDK-8317116: Provide layouts for multiple test UI in PassFailJFrame + - JDK-8317188: G1: Make TestG1ConcRefinementThreads use createTestJvm + - JDK-8317218: G1: Make TestG1HeapRegionSize use createTestJvm + - JDK-8317347: Parallel: Make TestInitialTenuringThreshold use createTestJvm + - JDK-8317738: CodeCacheFullCountTest failed with "VirtualMachineError: Out of space in CodeCache for method handle intrinsic" + - JDK-8318964: Fix build failures caused by 8315097 + - JDK-8319574: Exec/process tests should be marked as flagless + - JDK-8319640: ClassicFormat::parseObject (from DateTimeFormatter) does not conform to the javadoc and may leak DateTimeException + - JDK-8319651: Several network tests ignore vm flags when start java process + - JDK-8319817: Charset constructor should make defensive copy of aliases + - JDK-8320586: update manual test/jdk/TEST.groups + - JDK-8320665: update jdk_core at open/test/jdk/TEST.groups + - JDK-8320673: PageFormat/CustomPaper.java has no Pass/Fail buttons; multiple instructions + - JDK-8320675: PrinterJob/SecurityDialogTest.java hangs + - JDK-8321163: [test] OutputAnalyzer.getExitValue() unnecessarily logs even when process has already completed + - JDK-8321299: runtime/logging/ClassLoadUnloadTest.java doesn't reliably trigger class unloading + - JDK-8321470: ThreadLocal.nextHashCode can be static final + - JDK-8321543: Update NSS to version 3.96 + - JDK-8321616: Retire binary test vectors in test/jdk/java/util/zip/ZipFile + - JDK-8322754: click JComboBox when dialog about to close causes IllegalComponentStateException + - JDK-8322766: Micro bench SSLHandshake should use default algorithms + - JDK-8322809: SystemModulesMap::classNames and moduleNames arrays do not match the order + - JDK-8322830: Add test case for ZipFile opening a ZIP with no entries + - JDK-8323562: SaslInputStream.read() may return wrong value + - JDK-8323688: C2: Fix UB of jlong overflow in PhaseIdealLoop::is_counted_loop() + - JDK-8324808: Manual printer tests have no Pass/Fail buttons, instructions close set 3 + - JDK-8324841: PKCS11 tests still skip execution + - JDK-8325038: runtime/cds/appcds/ProhibitedPackage.java can fail with UseLargePages + - JDK-8325525: Create jtreg test case for JDK-8325203 + - JDK-8325587: Shenandoah: ShenandoahLock should allow blocking in VM + - JDK-8325610: CTW: Add StressIncrementalInlining to stress options + - JDK-8325616: JFR ZGC Allocation Stall events should record stack traces + - JDK-8325762: Use PassFailJFrame.Builder.splitUI() in PrintLatinCJKTest.java + - JDK-8325851: Hide PassFailJFrame.Builder constructor + - JDK-8326100: DeflaterDictionaryTests should use Deflater.getBytesWritten instead of Deflater.getTotalOut + - JDK-8326121: vmTestbase/gc/g1/unloading/tests/unloading_keepRef_rootClass_inMemoryCompilation_keep_cl failed with Full gc happened. Test was useless. + - JDK-8326611: Clean up vmTestbase/nsk/stress/stack tests + - JDK-8326898: NSK tests should listen on loopback addresses only + - JDK-8326948: Force English locale for timeout formatting + - JDK-8327401: Some jtreg tests fail on Wayland without any tracking bug + - JDK-8327474: Review use of java.io.tmpdir in jdk tests + - JDK-8327924: Simplify TrayIconScalingTest.java + - JDK-8328021: Convert applet test java/awt/List/SetFontTest/SetFontTest.html to main program + - JDK-8328242: Add a log area to the PassFailJFrame + - JDK-8328303: 3 JDI tests timed out with UT enabled + - JDK-8328379: Convert URLDragTest.html applet test to main + - JDK-8328402: Implement pausing functionality for the PassFailJFrame + - JDK-8328619: sun/management/jmxremote/bootstrap/SSLConfigFilePermissionTest.java failed with BindException: Address already in use + - JDK-8328697: SubMenuShowTest and SwallowKeyEvents tests stabilization + - JDK-8328723: IP Address error when client enables HTTPS endpoint check on server socket + - JDK-8328957: Update PKCS11Test.java to not use hardcoded path + - JDK-8330045: Enhance array handling + - JDK-8330278: Have SSLSocketTemplate.doClientSide use loopback address + - JDK-8330464: hserr generic events - add entry for the before_exit calls + - JDK-8330621: Make 5 compiler tests use ProcessTools.executeProcess + - JDK-8330814: Cleanups for KeepAliveCache tests + - JDK-8331142: Add test for number of loader threads in BasicDirectoryModel + - JDK-8331391: Enhance the keytool code by invoking the buildTrustedCerts method for essential options + - JDK-8331405: Shenandoah: Optimize ShenandoahLock with TTAS + - JDK-8331411: Shenandoah: Reconsider spinning duration in ShenandoahLock + - JDK-8331495: Limit BasicDirectoryModel/LoaderThreadCount.java to Windows only + - JDK-8331626: unsafe.cpp:162:38: runtime error in index_oop_from_field_offset_long - applying non-zero offset 4563897424 to null pointer + - JDK-8331789: ubsan: deoptimization.cpp:403:29: runtime error: load of value 208, which is not a valid value for type 'bool' + - JDK-8331863: DUIterator_Fast used before it is constructed + - JDK-8331864: Update Public Suffix List to 1cbd6e7 + - JDK-8331999: BasicDirectoryModel/LoaderThreadCount.java frequently fails on Windows in CI + - JDK-8332340: Add JavacBench as a test case for CDS + - JDK-8332473: ubsan: growableArray.hpp:290:10: runtime error: null pointer passed as argument 1, which is declared to never be null + - JDK-8332589: ubsan: unix/native/libjava/ProcessImpl_md.c:562:5: runtime error: null pointer passed as argument 2, which is declared to never be null + - JDK-8332720: ubsan: instanceKlass.cpp:3550:76: runtime error: member call on null pointer of type 'struct Array' + - JDK-8332724: x86 MacroAssembler may over-align code + - JDK-8332777: Update JCStress test suite + - JDK-8332825: ubsan: guardedMemory.cpp:35:11: runtime error: null pointer passed as argument 2, which is declared to never be null + - JDK-8332866: Crash in ImageIO JPEG decoding when MEM_STATS in enabled + - JDK-8332901: Select{Current,New}ItemTest.java for Choice don't open popup on macOS + - JDK-8332903: ubsan: opto/output.cpp:1002:18: runtime error: load of value 171, which is not a valid value for type 'bool' + - JDK-8332904: ubsan ppc64le: c1_LIRGenerator_ppc.cpp:581:21: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long int' + - JDK-8332935: Crash: assert(*lastPtr != 0) failed: Mismatched JNINativeInterface tables, check for new entries + - JDK-8333317: Test sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java failed with: Invalid ECDH ServerKeyExchange signature + - JDK-8333824: Unused ClassValue in VarHandles + - JDK-8334057: JLinkReproducibleTest.java support receive test.tool.vm.opts + - JDK-8334405: java/nio/channels/Selector/SelectWithConsumer.java#id0 failed in testWakeupDuringSelect + - JDK-8334562: Automate com/sun/security/auth/callback/TextCallbackHandler/Default.java test + - JDK-8334567: [test] runtime/os/TestTracePageSizes move ppc handling + - JDK-8335142: compiler/c1/TestTraceLinearScanLevel.java occasionally times out with -Xcomp + - JDK-8335267: [XWayland] move screencast tokens from .awt to .java folder + - JDK-8335344: test/jdk/sun/security/tools/keytool/NssTest.java fails to compile + - JDK-8335428: Enhanced Building of Processes + - JDK-8335449: runtime/cds/DeterministicDump.java fails with File content different at byte ... + - JDK-8335493: check_gc_overhead_limit should reset SoftRefPolicy::_should_clear_all_soft_refs + - JDK-8335530: Java file extension missing in AuthenticatorTest + - JDK-8335709: C2: assert(!loop->is_member(get_loop(useblock))) failed: must be outside loop + - JDK-8335904: Fix invalid comment in ShenandoahLock + - JDK-8335912, JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files + - JDK-8336240: Test com/sun/crypto/provider/Cipher/DES/PerformanceTest.java fails with java.lang.ArithmeticException + - JDK-8336257: Additional tests in jmxremote/startstop to match on PID not app name + - JDK-8336315: tools/jpackage/windows/WinChildProcessTest.java Failed: Check is calculator process is alive + - JDK-8336342: Fix known X11 library locations in sysroot + - JDK-8336343: Add more known sysroot library locations for ALSA + - JDK-8336413: gtk headers : Fix typedef redeclaration of GMainContext and GdkPixbuf + - JDK-8336564: Enhance mask blit functionality redux + - JDK-8336854: CAInterop.java#actalisauthenticationrootca conflicted with /manual and /timeout + - JDK-8337066: Repeated call of StringBuffer.reverse with double byte string returns wrong result + - JDK-8337320: Update ProblemList.txt with tests known to fail on XWayland + - JDK-8337410: The makefiles should set problemlist and adjust timeout basing on the given VM flags + - JDK-8337780: RISC-V: C2: Change C calling convention for sp to NS + - JDK-8337810: ProblemList BasicDirectoryModel/LoaderThreadCount.java on Windows + - JDK-8337851: Some tests have name which confuse jtreg + - JDK-8337966: (fs) Files.readAttributes fails with Operation not permitted on older docker releases + - JDK-8338058: map_or_reserve_memory_aligned Windows enhance remap assertion + - JDK-8338101: remove old remap assertion in map_or_reserve_memory_aligned after JDK-8338058 + - JDK-8338109: java/awt/Mouse/EnterExitEvents/ResizingFrameTest.java duplicate in ProblemList + - JDK-8338286: GHA: Demote x86_32 to hotspot build only + - JDK-8338380: Update TLSCommon/interop/AbstractServer to specify an interface to listen for connections + - JDK-8338402: GHA: some of bundles may not get removed + - JDK-8338748: [17u,21u] Test Disconnect.java compile error: cannot find symbol after JDK-8299813 + - JDK-8338751: ConfigureNotify behavior has changed in KWin 6.2 + - JDK-8338759: Add extra diagnostic to java/net/InetAddress/ptr/Lookup.java + - JDK-8339081: Bump update version for OpenJDK: jdk-17.0.14 + - JDK-8339180: Enhanced Building of Processes: Follow-on Issue + - JDK-8339248: RISC-V: Remove li64 macro assembler routine and related code + - JDK-8339384: Unintentional IOException in jdk.jdi module when JDWP end of stream occurs + - JDK-8339470: [17u] More defensive fix for 8163921 + - JDK-8339487: ProcessHandleImpl os_getChildren sysctl call - retry in case of ENOMEM and enhance exception message + - JDK-8339548: GHA: RISC-V: Use Debian snapshot archive for bootstrap + - JDK-8339560: Unaddressed comments during code review of JDK-8337664 + - JDK-8339591: Mark jdk/jshell/ExceptionMessageTest.java intermittent + - JDK-8339637: (tz) Update Timezone Data to 2024b + - JDK-8339644: Improve parsing of Day/Month in tzdata rules + - JDK-8339731: java.desktop/share/classes/javax/swing/text/html/default.css typo in margin settings + - JDK-8339741: RISC-V: C ABI breakage for integer on stack + - JDK-8339787: Add some additional diagnostic output to java/net/ipv6tests/UdpTest.java + - JDK-8339803: Acknowledge case insensitive unambiguous keywords in tzdata files + - JDK-8339892: Several security shell tests don't set TESTJAVAOPTS + - JDK-8339931: Update problem list for WindowUpdateFocusabilityTest.java + - JDK-8340007: Refactor KeyEvent/FunctionKeyTest.java + - JDK-8340008: KeyEvent/KeyTyped/Numpad1KeyTyped.java has 15 seconds timeout + - JDK-8340210: Add positionTestUI() to PassFailJFrame.Builder + - JDK-8340230: Tests crash: assert(is_in_encoding_range || k->is_interface() || k->is_abstract()) failed: sanity + - JDK-8340306: Add border around instructions in PassFailJFrame + - JDK-8340308: PassFailJFrame: Make rows default to number of lines in instructions + - JDK-8340365: Position the first window of a window list + - JDK-8340387: Update OS detection code to recognize Windows Server 2025 + - JDK-8340418: GHA: MacOS AArch64 bundles can be removed prematurely + - JDK-8340461: Amend description for logArea + - JDK-8340466: Add description for PassFailJFrame constructors + - JDK-8340552: Harden TzdbZoneRulesCompiler against missing zone names + - JDK-8340632: ProblemList java/nio/channels/DatagramChannel/ for Macos + - JDK-8340657: [PPC64] SA determines wrong unextendedSP + - JDK-8340684: Reading from an input stream backed by a closed ZipFile has no test coverage + - JDK-8340785: Update description of PassFailJFrame and samples + - JDK-8340799: Add border inside instruction frame in PassFailJFrame + - JDK-8340812: LambdaForm customization via MethodHandle::updateForm is not thread safe + - JDK-8340815: Add SECURITY.md file + - JDK-8340899: Remove wildcard bound in PositionWindows.positionTestWindows + - JDK-8341146: RISC-V: Unnecessary fences used for load-acquire in template interpreter + - JDK-8341235: Improve default instruction frame title in PassFailJFrame + - JDK-8341562: RISC-V: Generate comments in -XX:+PrintInterpreter to link to source code + - JDK-8341635: [17u] runtime/ErrorHandling/ClassPathEnvVar test ignores external VM flags + - JDK-8341688: Aarch64: Generate comments in -XX:+PrintInterpreter to link to source code + - JDK-8341806: Gcc version detection failure on Alinux3 + - JDK-8341927: Replace hardcoded security providers with new test.provider.name system property + - JDK-8341997: Tests create files in src tree instead of scratch dir + - JDK-8342181: Update tests to use stronger Key and Salt size + - JDK-8342183: Update tests to use stronger algorithms and keys + - JDK-8342188: Update tests to use stronger key parameters and certificates + - JDK-8342496: C2/Shenandoah: SEGV in compiled code when running jcstress + - JDK-8342578: GHA: RISC-V: Bootstrap using Debian snapshot is still failing + - JDK-8342669: [21u] Fix TestArrayAllocatorMallocLimit after backport of JDK-8315097 + - JDK-8342681: TestLoadBypassesNullCheck.java fails improperly specified VM option + - JDK-8342701: [PPC64] TestOSRLotsOfLocals.java crashes + - JDK-8342962: [s390x] TestOSRLotsOfLocals.java crashes + - JDK-8343285: java.lang.Process is unresponsive and CPU usage spikes to 100% + - JDK-8343474: [updates] Customize README.md to specifics of update project + - JDK-8343687: [17u] TestAntiDependencyForPinnedLoads requires UTF-8 + - JDK-8343848: Fix typo of property name in TestOAEPPadding after 8341927 + - JDK-8343877: Test AsyncClose.java intermittent fails - Socket.getInputStream().read() wasn't preempted + - JDK-8343923: GHA: Switch to Xcode 15 on MacOS AArch64 runners + - JDK-8347011: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.14 + +Notes on individual issues: +=========================== + +tools/javac: + +JDK-8273914: Indy string concat changes order of operations +=========================================================== +The implementation of JEP-280, "Indify String Concatenation", in +OpenJDK 9's javac compiler introduced a regression in the order in +which string concatenation expressions are evaluated. Section 15.7.1 +in the Java Language Specification (JLS) requires the operands to be +fully evaluated in left-to-right order. The conversion to using +invokedynamic calls for this evaluation caused all operands to be +evaluated and then separately converted to strings. This release +resolves the regression by eagerly converting each argument to a +string after evaluation. + +As an example, consider the following code: + +StringBuilder builder = new StringBuilder("foo"); +return "" + builder + builder.append("bar"); + +The third argument of the concatenation has the side-effect of +altering the value of builder to be "foobar". If the arguments are +evaluated eagerly, the concatenation becomes "" + "foo" + "foobar", +resulting in "foofoobar" as the output. This is the result when +compiled with a version of javac prior to OpenJDK 9 or when running +javac with the -XDstringConcat=inline command line option to use the +previous concatenation approach. + +If the JEP-280 string concatenation option (the default) is used to +compile the code with versions of OpenJDK which suffer from the +regression (which was first resolved in OpenJDK 19), the second +argument is not converted to a string until after the builder.append +method has altered the StringBuilder object. The concatenation +wrongly becomes "" + "foobar" + "foobar", resulting in "foobarfoobar" +as the output. + +core-libs/java.util.jar: + +JDK-8335912/JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files +=================================================================================================================== +In previous OpenJDK releases, when the jar tool extracted files from +an archive, it would overwrite any existing files with the same name +in the target directory. With this release, a new option ('-k' or +'--keep-old-files') may be specified so that existing files are not +overwritten. + +The option may be specified in short or long option form, as in the +following examples: + +* jar xkf foo.jar +* jar --extract --keep-old-files --file foo.jar + +By default, the old behaviour remains in place and files will be +overwritten. + +core-libs/java.time: + +JDK-8339637: (tz) Update Timezone Data to 2024b +=============================================== +This OpenJDK release upgrades the in-tree copy of the IANA timezone +database to 2024b. This timezone update is primarily concerned with +improving historical data for Mexico, Monogolia and Portugal. It also +makes Asia/Choibalsan an alias for Asia/Ulaanbaatar and makes the MET +timezone the same as CET. + +The 2024b update also makes a number of legacy timezone IDs equal to +geographical names rather than fixed offsets, as follows: + +* EST => America/Panama instead of -5:00 +* MST => America/Phoenix instead of -7:00 +* HST => Pacific/Honolulu instead of -10:00 + +For long term support releases of OpenJDK, this change is overridden +locally to retain the existing fixed offset mapping. + +New in release OpenJDK 17.0.13 (2024-10-15): +============================================ +Live versions of these release notes can be found at: + * https://bit.ly/openjdk17013 + +* CVEs + - CVE-2024-21208 + - CVE-2024-21210 + - CVE-2024-21217 + - CVE-2024-21235 +* Security fixes + - JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property + - JDK-8307383: Enhance DTLS connections + - JDK-8328286: Enhance HTTP client + - JDK-8328544: Improve handling of vectorization + - JDK-8328726: Better Kerberos support + - JDK-8331446: Improve deserialization support + - JDK-8332644: Improve graph optimizations + - JDK-8335713: Enhance vectorization analysis +* Other changes + - JDK-7022325: TEST_BUG: test/java/util/zip/ZipFile/ReadLongZipFileName.java leaks files if it fails + - JDK-7026262: HttpServer: improve handling of finished HTTP exchanges + - JDK-7124313: [macosx] Swing Popups should overlap taskbar + - JDK-8005885: enhance PrintCodeCache to print more data + - JDK-8051959: Add thread and timestamp options to java.security.debug system property + - JDK-8170817: G1: Returning MinTLABSize from unsafe_max_tlab_alloc causes TLAB flapping + - JDK-8183227: read/write APIs in class os shall return ssize_t + - JDK-8193547: Regression automated test '/open/test/jdk/java/awt/Toolkit/DesktopProperties/rfe4758438.java' fails + - JDK-8222884: ConcurrentClassDescLookup.java times out intermittently + - JDK-8233725: ProcessTools.startProcess() has output issues when using an OutputAnalyzer at the same time + - JDK-8238169: BasicDirectoryModel getDirectories and DoChangeContents.run can deadlock + - JDK-8241550: [macOS] SSLSocketImpl/ReuseAddr.java failed due to "BindException: Address already in use" + - JDK-8255898: Test java/awt/FileDialog/FilenameFilterTest/FilenameFilterTest.java fails on Mac OS + - JDK-8256291: RunThese30M fails "assert(_class_unload ? true : ((((JfrTraceIdBits::load(class_loader_klass)) & ((1 << 4) << 8)) != 0))) failed: invariant" + - JDK-8257540: javax/swing/JFileChooser/8041694/bug8041694.java failed with "RuntimeException: The selected directory name is not the expected 'd ' but 'D '." + - JDK-8259866: two java.util tests failed with "IOException: There is not enough space on the disk" + - JDK-8260633: [macos] java/awt/dnd/MouseEventAfterStartDragTest/MouseEventAfterStartDragTest.html test failed + - JDK-8261433: Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit + - JDK-8263031: HttpClient throws Exception if it receives a Push Promise that is too large + - JDK-8265919: RunThese30M fails "assert((!(((((JfrTraceIdBits::load(value)) & ((1 << 4) << 8)) != 0))))) failed: invariant" + - JDK-8269428: java/util/concurrent/ConcurrentHashMap/ToArray.java timed out + - JDK-8269657: Test java/nio/channels/DatagramChannel/Loopback.java failed: Unexpected message + - JDK-8272232: javax/swing/JTable/4275046/bug4275046.java failed with "Expected value in the cell: 'rededited' but found 'redEDITED'." + - JDK-8272558: IR Test Framework README misses some flags + - JDK-8272777: Clean up remaining AccessController warnings in test library + - JDK-8273216: JCMD does not work across container boundaries with Podman + - JDK-8273430: Suspicious duplicate condition in java.util.regex.Grapheme#isExcludedSpacingMark + - JDK-8273541: Cleaner Thread creates with normal priority instead of MAX_PRIORITY - 2 + - JDK-8275851: Deproblemlist open/test/jdk/javax/swing/JComponent/6683775/bug6683775.java + - JDK-8276660: Scalability bottleneck in java.security.Provider.getService() + - JDK-8277042: add test for 8276036 to compiler/codecache + - JDK-8279068: IGV: Update to work with JDK 16 and 17 + - JDK-8279164: Disable TLS_ECDH_* cipher suites + - JDK-8279222: Incorrect legacyMap.get in java.security.Provider after JDK-8276660 + - JDK-8279337: The MToolkit is still referenced in a few places + - JDK-8279641: Create manual JTReg tests for Swing accessibility + - JDK-8279878: java/awt/font/JNICheck/JNICheck.sh test fails on Ubuntu 21.10 + - JDK-8280034: ProblemList jdk/jfr/api/consumer/recordingstream/TestOnEvent.java on linux-x64 + - JDK-8280392: java/awt/Focus/NonFocusableWindowTest/NonfocusableOwnerTest.java failed with "RuntimeException: Test failed." + - JDK-8280970: Cleanup dead code in java.security.Provider + - JDK-8280982: [Wayland] [XWayland] java.awt.Robot taking screenshots + - JDK-8280988: [XWayland] Click on title to request focus test failures + - JDK-8280990: [XWayland] XTest emulated mouse click does not bring window to front + - JDK-8280993: [XWayland] Popup is not closed on click outside of area controlled by XWayland + - JDK-8280994: [XWayland] Drag and Drop does not work in java -> wayland app direction + - JDK-8281944: JavaDoc throws java.lang.IllegalStateException: ERRONEOUS + - JDK-8282354: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/ tests + - JDK-8282526: Default icon is not painted properly + - JDK-8283728: jdk.hotspot.agent: Wrong location for RISCV64ThreadContext.java + - JDK-8284316: Support accessibility ManualTestFrame.java for non SwingSet tests + - JDK-8284585: PushPromiseContinuation test fails intermittently in timeout + - JDK-8285497: Add system property for Java SE specification maintenance version + - JDK-8288568: Reduce runtime of java.security microbenchmarks + - JDK-8289182: NMT: MemTracker::baseline should return void + - JDK-8290966: G1: Record number of PLAB filled and number of direct allocations + - JDK-8291760: PipelineLeaksFD.java still fails: More or fewer pipes than expected + - JDK-8292044: HttpClient doesn't handle 102 or 103 properly + - JDK-8292739: Invalid legacy entries may be returned by Provider.getServices() call + - JDK-8292948: JEditorPane ignores font-size styles in external linked css-file + - JDK-8293862: javax/swing/JFileChooser/8046391/bug8046391.java failed with 'Cannot invoke "java.awt.Image.getWidth(java.awt.image.ImageObserver)" because "retVal" is null' + - JDK-8293872: Make runtime/Thread/ThreadCountLimit.java more robust + - JDK-8294148: Support JSplitPane for instructions and test UI + - JDK-8294691: dynamicArchive/RelativePath.java is running other test case + - JDK-8294994: Update Jarsigner and Keytool i18n tests to validate i18n compliance + - JDK-8295111: dpkg appears to have problems resolving symbolically linked native libraries + - JDK-8296410: HttpClient throws java.io.IOException: no statuscode in response for HTTP2 + - JDK-8296812: sprintf is deprecated in Xcode 14 + - JDK-8297878: KEM: Implementation + - JDK-8298381: Improve handling of session tickets for multiple SSLContexts + - JDK-8298596: vmTestbase/nsk/sysdict/vm/stress/chain/chain008/chain008.java fails with "NoClassDefFoundError: Could not initialize class java.util.concurrent.ThreadLocalRandom" + - JDK-8298809: Clean up vm/compiler/InterfaceCalls JMH + - JDK-8299058: AssertionError in sun.net.httpserver.ServerImpl when connection is idle + - JDK-8299254: Support dealing with standard assert macro + - JDK-8299378: sprintf is deprecated in Xcode 14 + - JDK-8299395: Remove metaprogramming/removeCV.hpp + - JDK-8299396: Remove metaprogramming/removeExtent.hpp + - JDK-8299397: Remove metaprogramming/isFloatingPoint.hpp + - JDK-8299398: Remove metaprogramming/isConst.hpp + - JDK-8299399: Remove metaprogramming/isArray.hpp + - JDK-8299402: Remove metaprogramming/isVolatile.hpp + - JDK-8299479: Remove metaprogramming/decay.hpp + - JDK-8299481: Remove metaprogramming/removePointer.hpp + - JDK-8299482: Remove metaprogramming/isIntegral.hpp + - JDK-8299487: Test java/net/httpclient/whitebox/SSLTubeTestDriver.java timed out + - JDK-8299635: Hotspot update for deprecated sprintf in Xcode 14 + - JDK-8299779: Test tools/jpackage/share/jdk/jpackage/tests/MainClassTest.java timed out + - JDK-8299813: java/nio/channels/DatagramChannel/Disconnect.java fails with jtreg test timeout due to lost datagram + - JDK-8299971: Remove metaprogramming/conditional.hpp + - JDK-8299972: Remove metaprogramming/removeReference.hpp + - JDK-8300169: Build failure with clang-15 + - JDK-8300260: Remove metaprogramming/isSame.hpp + - JDK-8300264: Remove metaprogramming/isPointer.hpp + - JDK-8300265: Remove metaprogramming/isSigned.hpp + - JDK-8300806: Update googletest to v1.13.0 + - JDK-8300910: Remove metaprogramming/integralConstant.hpp + - JDK-8301132: Test update for deprecated sprintf in Xcode 14 + - JDK-8301200: Don't scale timeout stress with timeout factor + - JDK-8301274: update for deprecated sprintf for security components + - JDK-8301279: update for deprecated sprintf for management components + - JDK-8301686: TLS 1.3 handshake fails if server_name doesn't match resuming session + - JDK-8301704: Shorten the number of GCs in UnloadingTest.java to verify a class loader not being unloaded + - JDK-8302495: update for deprecated sprintf for java.desktop + - JDK-8302800: Augment NaN handling tests of FDLIBM methods + - JDK-8303216: Prefer ArrayList to LinkedList in sun.net.httpserver.ServerImpl + - JDK-8303466: C2: failed: malformed control flow. Limit type made precise with MaxL/MinL + - JDK-8303527: update for deprecated sprintf for jdk.hotspot.agent + - JDK-8303617: update for deprecated sprintf for jdk.jdwp.agent + - JDK-8303830: update for deprecated sprintf for jdk.accessibility + - JDK-8303891: Speed up Zip64SizeTest using a small ZIP64 file + - JDK-8303920: Avoid calling out to python in DataDescriptorSignatureMissing test + - JDK-8303942: os::write should write completely + - JDK-8303965: java.net.http.HttpClient should reset the stream if response headers contain malformed header fields + - JDK-8304375: jdk/jfr/api/consumer/filestream/TestOrdered.java failed with "Expected at least some events to be out of order! Reuse = false" + - JDK-8304962: sun/net/www/http/KeepAliveCache/B5045306.java: java.lang.RuntimeException: Failed: Initial Keep Alive Connection is not being reused + - JDK-8304963: HttpServer closes connection after processing HEAD after JDK-7026262 + - JDK-8305072: Win32ShellFolder2.compareTo is inconsistent + - JDK-8305079: Remove finalize() from compiler/c2/Test719030 + - JDK-8305081: Remove finalize() from test/hotspot/jtreg/compiler/runtime/Test8168712 + - JDK-8305825: getBounds API returns wrong value resulting in multiple Regression Test Failures on Ubuntu 23.04 + - JDK-8305959: x86: Improve itable_stub + - JDK-8306583: Add JVM crash check in CDSTestUtils.executeAndLog + - JDK-8306929: Avoid CleanClassLoaderDataMetaspaces safepoints when previous versions are shared + - JDK-8306946: jdk/test/lib/process/ProcessToolsStartProcessTest.java fails with "wrong number of lines in OutputAnalyzer output" + - JDK-8307091: A few client tests intermittently throw ConcurrentModificationException + - JDK-8307193: Several Swing jtreg tests use class.forName on L&F classes + - JDK-8307352: AARCH64: Improve itable_stub + - JDK-8307448: Test RedefineSharedClassJFR fail due to wrong assumption + - JDK-8307779: Relax the java.awt.Robot specification + - JDK-8307848: update for deprecated sprintf for jdk.attach + - JDK-8307850: update for deprecated sprintf for jdk.jdi + - JDK-8308022: update for deprecated sprintf for java.base + - JDK-8308144: Uncontrolled memory consumption in SSLFlowDelegate.Reader + - JDK-8308184: Launching java with large number of jars in classpath with java.protocol.handler.pkgs system property set can lead to StackOverflowError + - JDK-8308801: update for deprecated sprintf for libnet in java.base + - JDK-8308891: TestCDSVMCrash.java needs @requires vm.cds + - JDK-8309241: ClassForNameLeak fails intermittently as the class loader hasn't been unloaded + - JDK-8309621: [XWayland][Screencast] screen capture failure with sun.java2d.uiScale other than 1 + - JDK-8309703: AIX build fails after JDK-8280982 + - JDK-8309756: Occasional crashes with pipewire screen capture on Wayland + - JDK-8309934: Update GitHub Actions to use JDK 17 for building jtreg + - JDK-8310070: Test: javax/net/ssl/DTLS/DTLSWontNegotiateV10.java timed out + - JDK-8310108: Skip ReplaceCriticalClassesForSubgraphs when EnableJVMCI is specified + - JDK-8310201: Reduce verbose locale output in -XshowSettings launcher option + - JDK-8310334: [XWayland][Screencast] screen capture error message in debug + - JDK-8310628: GcInfoBuilder.c missing JNI Exception checks + - JDK-8310683: Refactor StandardCharset/standard.java to use JUnit + - JDK-8311208: Improve CDS Support + - JDK-8311666: Disabled tests in test/jdk/sun/java2d/marlin + - JDK-8312049: runtime/logging/ClassLoadUnloadTest can be improved + - JDK-8312140: jdk/jshell tests failed with JDI socket timeouts + - JDK-8312229: Crash involving yield, switch and anonymous classes + - JDK-8313256: Exclude failing multicast tests on AIX + - JDK-8313394: Array Elements in OldObjectSample event has the incorrect description + - JDK-8313674: (fc) java/nio/channels/FileChannel/BlockDeviceSize.java should test for more block devices + - JDK-8313697: [XWayland][Screencast] consequent getPixelColor calls are slow + - JDK-8313873: java/nio/channels/DatagramChannel/SendReceiveMaxSize.java fails on AIX due to small default RCVBUF size and different IPv6 Header interpretation + - JDK-8313901: [TESTBUG] test/hotspot/jtreg/compiler/codecache/CodeCacheFullCountTest.java fails with java.lang.VirtualMachineError + - JDK-8314476: TestJstatdPortAndServer.java failed with "java.rmi.NoSuchObjectException: no such object in table" + - JDK-8314614: jdk/jshell/ImportTest.java failed with "InternalError: Failed remote listen" + - JDK-8314837: 5 compiled/codecache tests ignore VM flags + - JDK-8315024: Vector API FP reduction tests should not test for exact equality + - JDK-8315362: NMT: summary diff reports threads count incorrectly + - JDK-8315422: getSoTimeout() would be in try block in SSLSocketImpl + - JDK-8315437: Enable parallelism in vmTestbase/nsk/monitoring/stress/classload tests + - JDK-8315442: Enable parallelism in vmTestbase/nsk/monitoring/stress/thread tests + - JDK-8315559: Delay TempSymbol cleanup to avoid symbol table churn + - JDK-8315576: compiler/codecache/CodeCacheFullCountTest.java fails after JDK-8314837 + - JDK-8315651: Stop hiding AIX specific multicast socket errors via NetworkConfiguration (aix) + - JDK-8315684: Parallelize sun/security/util/math/TestIntegerModuloP.java + - JDK-8315774: Enable parallelism in vmTestbase/gc/g1/unloading tests + - JDK-8315804: Open source several Swing JTabbedPane JTextArea JTextField tests + - JDK-8315936: Parallelize gc/stress/TestStressG1Humongous.java test + - JDK-8315965: Open source various AWT applet tests + - JDK-8316104: Open source several Swing SplitPane and RadioButton related tests + - JDK-8316193: jdk/jfr/event/oldobject/TestListenerLeak.java java.lang.Exception: Could not find leak + - JDK-8316211: Open source several manual applet tests + - JDK-8316240: Open source several add/remove MenuBar manual tests + - JDK-8316285: Opensource JButton manual tests + - JDK-8316306: Open source and convert manual Swing test + - JDK-8316328: Test jdk/jfr/event/oldobject/TestSanityDefault.java times out for some heap sizes + - JDK-8316387: Exclude more failing multicast tests on AIX after JDK-8315651 + - JDK-8316389: Open source few AWT applet tests + - JDK-8316468: os::write incorrectly handles partial write + - JDK-8316973: GC: Make TestDisableDefaultGC use createTestJvm + - JDK-8317112: Add screenshot for Frame/DefaultSizeTest.java + - JDK-8317228: GC: Make TestXXXHeapSizeFlags use createTestJvm + - JDK-8317288: [macos] java/awt/Window/Grab/GrabTest.java: Press on the outside area didn't cause ungrab + - JDK-8317316: G1: Make TestG1PercentageOptions use createTestJvm + - JDK-8317343: GC: Make TestHeapFreeRatio use createTestJvm + - JDK-8317358: G1: Make TestMaxNewSize use createTestJvm + - JDK-8317360: Missing null checks in JfrCheckpointManager and JfrStringPool initialization routines + - JDK-8317372: Refactor some NumberFormat tests to use JUnit + - JDK-8317635: Improve GetClassFields test to verify correctness of field order + - JDK-8317831: compiler/codecache/CheckLargePages.java fails on OL 8.8 with unexpected memory string + - JDK-8318039: GHA: Bump macOS and Xcode versions + - JDK-8318089: Class space not marked as such with NMT when CDS is off + - JDK-8318474: Fix memory reporter for thread_count + - JDK-8318479: [jmh] the test security.CacheBench failed for multiple threads run + - JDK-8318605: Enable parallelism in vmTestbase/nsk/stress/stack tests + - JDK-8318696: Do not use LFS64 symbols on Linux + - JDK-8318986: Improve GenericWaitBarrier performance + - JDK-8319103: Popups that request focus are not shown on Linux with Wayland + - JDK-8319197: Exclude hb-subset and hb-style from compilation + - JDK-8319406: x86: Shorter movptr(reg, imm) for 32-bit immediates + - JDK-8319713: Parallel: Remove PSAdaptiveSizePolicy::should_full_GC + - JDK-8320079: The ArabicBox.java test has no control buttons + - JDK-8320379: C2: Sort spilling/unspilling sequence for better ld/st merging into ldp/stp on AArch64 + - JDK-8320602: Lock contention in SchemaDVFactory.getInstance() + - JDK-8320608: Many jtreg printing tests are missing the @printer keyword + - JDK-8320655: awt screencast robot spin and sync issues with native libpipewire api + - JDK-8320692: Null icon returned for .exe without custom icon + - JDK-8320945: problemlist tests failing on latest Windows 11 update + - JDK-8321025: Enable Neoverse N1 optimizations for Neoverse V2 + - JDK-8321176: [Screencast] make a second attempt on screencast failure + - JDK-8321220: JFR: RecordedClass reports incorrect modifiers + - JDK-8322008: Exclude some CDS tests from running with -Xshare:off + - JDK-8322330: JavadocHelperTest.java OOMEs with Parallel GC and ZGC + - JDK-8322726: C2: Unloaded signature class kills argument value + - JDK-8322971: KEM.getInstance() should check if a 3rd-party security provider is signed + - JDK-8323122: AArch64: Increase itable stub size estimate + - JDK-8323584: AArch64: Unnecessary ResourceMark in NativeCall::set_destination_mt_safe + - JDK-8323670: A few client tests intermittently throw ConcurrentModificationException + - JDK-8323801: tag doesn't strikethrough the text + - JDK-8324577: [REDO] - [IMPROVE] OPEN_MAX is no longer the max limit on macOS >= 10.6 for RLIMIT_NOFILE + - JDK-8324646: Avoid Class.forName in SecureRandom constructor + - JDK-8324648: Avoid NoSuchMethodError when instantiating NativePRNG + - JDK-8324668: JDWP process management needs more efficient file descriptor handling + - JDK-8324753: [AIX] adjust os_posix after JDK-8318696 + - JDK-8324755: Enable parallelism in vmTestbase/gc/gctests/LargeObjects tests + - JDK-8324933: ConcurrentHashTable::statistics_calculate synchronization is expensive + - JDK-8325022: Incorrect error message on client authentication + - JDK-8325179: Race in BasicDirectoryModel.validateFileCache + - JDK-8325194: GHA: Add macOS M1 testing + - JDK-8325384: sun/security/ssl/SSLSessionImpl/ResumptionUpdateBoundValues.java failing intermittently when main thread is a virtual thread + - JDK-8325444: GHA: JDK-8325194 causes a regression + - JDK-8325567: jspawnhelper without args fails with segfault + - JDK-8325620: HTMLReader uses ConvertAction instead of specified CharacterAction for , , + - JDK-8325621: Improve jspawnhelper version checks + - JDK-8325754: Dead AbstractQueuedSynchronizer$ConditionNodes survive minor garbage collections + - JDK-8326106: Write and clear stack trace table outside of safepoint + - JDK-8326332: Unclosed inline tags cause misalignment in summary tables + - JDK-8326446: The User and System of jdk.CPULoad on Apple M1 are inaccurate + - JDK-8326734: text-decoration applied to lost when mixed with or + - JDK-8327007: javax/swing/JSpinner/8008657/bug8008657.java fails + - JDK-8327137: Add test for ConcurrentModificationException in BasicDirectoryModel + - JDK-8327312: [17u] Problem list ReflectionCallerCacheTest.java due to 8324978 + - JDK-8327424: ProblemList serviceability/sa/TestJmapCore.java on all platforms with ZGC + - JDK-8327650: Test java/nio/channels/DatagramChannel/StressNativeSignal.java timed out + - JDK-8327787: Convert javax/swing/border/Test4129681.java applet test to main + - JDK-8327840: Automate javax/swing/border/Test4129681.java + - JDK-8328011: Convert java/awt/Frame/GetBoundsResizeTest/GetBoundsResizeTest.java applet test to main + - JDK-8328075: Shenandoah: Avoid forwarding when objects don't move in full-GC + - JDK-8328110: Allow simultaneous use of PassFailJFrame with split UI and additional windows + - JDK-8328115: Convert java/awt/font/TextLayout/TestJustification.html applet test to main + - JDK-8328158: Convert java/awt/Choice/NonFocusablePopupMenuTest to automatic main test + - JDK-8328218: Delete test java/awt/Window/FindOwner/FindOwner.html + - JDK-8328234: Remove unused nativeUtils files + - JDK-8328238: Convert few closed manual applet tests to main + - JDK-8328269: NonFocusablePopupMenuTest.java should be marked as headful + - JDK-8328273: sun/management/jmxremote/bootstrap/RmiRegistrySslTest.java failed with java.rmi.server.ExportException: Port already in use + - JDK-8328560: java/awt/event/MouseEvent/ClickDuringKeypress/ClickDuringKeypress.java imports Applet + - JDK-8328561: test java/awt/Robot/ManualInstructions/ManualInstructions.java isn't used + - JDK-8328642: Convert applet test MouseDraggedOutCauseScrollingTest.html to main + - JDK-8328647: TestGarbageCollectorMXBean.java fails with C1-only and -Xcomp + - JDK-8328896: Fontmetrics for large Fonts has zero width + - JDK-8328953: JEditorPane.read throws ChangedCharSetException + - JDK-8328999: Update GIFlib to 5.2.2 + - JDK-8329004: Update Libpng to 1.6.43 + - JDK-8329103: assert(!thread->in_asgct()) failed during multi-mode profiling + - JDK-8329109: Threads::print_on() tries to print CPU time for terminated GC threads + - JDK-8329126: No native wrappers generated anymore with -XX:-TieredCompilation after JDK-8251462 + - JDK-8329134: Reconsider TLAB zapping + - JDK-8329510: Update ProblemList for JFileChooser/8194044/FileSystemRootTest.java + - JDK-8329559: Test javax/swing/JFrame/bug4419914.java failed because The End and Start buttons are not placed correctly and Tab focus does not move as expected + - JDK-8329605: hs errfile generic events - move memory protections and nmethod flushes to separate sections + - JDK-8329663: hs_err file event log entry for thread adding/removing should print current thread + - JDK-8329667: [macos] Issue with JTree related fix for JDK-8317771 + - JDK-8329995: Restricted access to `/proc` can cause JFR initialization to crash + - JDK-8330063: Upgrade jQuery to 3.7.1 + - JDK-8330524: Linux ppc64le compile warning with clang in os_linux_ppc.cpp + - JDK-8330611: AES-CTR vector intrinsic may read out of bounds (x86_64, AVX-512) + - JDK-8330615: avoid signed integer overflows in zip_util.c readCen / hashN + - JDK-8331011: [XWayland] TokenStorage fails under Security Manager + - JDK-8331063: Some HttpClient tests don't report leaks + - JDK-8331077: nroff man page update for jar tool + - JDK-8331164: createJMHBundle.sh download jars fail when url needed to be redirected + - JDK-8331265: Bump update version for OpenJDK: jdk-17.0.13 + - JDK-8331331: :tier1 target explanation in doc/testing.md is incorrect + - JDK-8331466: Problemlist serviceability/dcmd/gc/RunFinalizationTest.java on generic-all + - JDK-8331605: jdk/test/lib/TestMutuallyExclusivePlatformPredicates.java test failure + - JDK-8331746: Create a test to verify that the cmm id is not ignored + - JDK-8331798: Remove unused arg of checkErgonomics() in TestMaxHeapSizeTools.java + - JDK-8331885: C2: meet between unloaded and speculative types is not symmetric + - JDK-8332008: Enable issuestitle check + - JDK-8332113: Update nsk.share.Log to be always verbose + - JDK-8332174: Remove 2 (unpaired) RLO Unicode characters in ff_Adlm.xml + - JDK-8332248: (fc) java/nio/channels/FileChannel/BlockDeviceSize.java failed with RuntimeException + - JDK-8332424: Update IANA Language Subtag Registry to Version 2024-05-16 + - JDK-8332524: Instead of printing "TLSv1.3," it is showing "TLS13" + - JDK-8332898: failure_handler: log directory of commands + - JDK-8332936: Test vmTestbase/metaspace/gc/watermark_70_80/TestDescription.java fails with no GC's recorded + - JDK-8333270: HandlersOnComplexResetUpdate and HandlersOnComplexUpdate tests fail with "Unexpected reference" if timeoutFactor is less than 1/3 + - JDK-8333353: Delete extra empty line in CodeBlob.java + - JDK-8333398: Uncomment the commented test in test/jdk/java/util/jar/JarFile/mrjar/MultiReleaseJarAPI.java + - JDK-8333477: Delete extra empty spaces in Makefiles + - JDK-8333698: [17u] TestJstatdRmiPort fails after JDK-8333667 + - JDK-8333716: Shenandoah: Check for disarmed method before taking the nmethod lock + - JDK-8333724: Problem list security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1 + - JDK-8333804: java/net/httpclient/ForbiddenHeadTest.java threw an exception with 0 failures + - JDK-8334166: Enable binary check + - JDK-8334297: (so) java/nio/channels/SocketChannel/OpenLeak.java should not depend on SecurityManager + - JDK-8334332: TestIOException.java fails if run by root + - JDK-8334333: MissingResourceCauseTestRun.java fails if run by root + - JDK-8334335: [TESTBUG] Backport of 8279164 to 11u & 17u includes elements of JDK-8163327 + - JDK-8334339: Test java/nio/file/attribute/BasicFileAttributeView/CreationTime.java fails on alinux3 + - JDK-8334418: Update IANA Language Subtag Registry to Version 2024-06-14 + - JDK-8334482: Shenandoah: Deadlock when safepoint is pending during nmethods iteration + - JDK-8334600: TEST java/net/MulticastSocket/IPMulticastIF.java fails on linux-aarch64 + - JDK-8334653: ISO 4217 Amendment 177 Update + - JDK-8334769: Shenandoah: Move CodeCache_lock close to its use in ShenandoahConcurrentNMethodIterator + - JDK-8335536: Fix assertion failure in IdealGraphPrinter when append is true + - JDK-8335775: Remove extraneous 's' in comment of rawmonitor.cpp test file + - JDK-8335808: update for deprecated sprintf for jfrTypeSetUtils + - JDK-8335918: update for deprecated sprintf for jvmti + - JDK-8335967: "text-decoration: none" does not work with "A" HTML tags + - JDK-8336301: test/jdk/java/nio/channels/AsyncCloseAndInterrupt.java leaves around a FIFO file upon test completion + - JDK-8336928: GHA: Bundle artifacts removal broken + - JDK-8337038: Test java/nio/file/attribute/BasicFileAttributeView/CreationTime.java shoud set as /native + - JDK-8337283: configure.log is truncated when build dir is on different filesystem + - JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs + - JDK-8337669: [17u] Backport of JDK-8284047 missed to delete a file + - JDK-8338139: {ClassLoading,Memory}MXBean::isVerbose methods are inconsistent with their setVerbose methods + - JDK-8338696: (fs) BasicFileAttributes.creationTime() falls back to epoch if birth time is unavailable (Linux) + - JDK-8339869: [21u] Test CreationTime.java fails with UnsatisfiedLinkError after 8334339 + - JDK-8341057: Add 2 SSL.com TLS roots + - JDK-8341059: Change Entrust TLS distrust date to November 12, 2024 + - JDK-8341673: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.13 + +Notes on individual issues: +=========================== + +tools/jpackage: + +JDK-8295111: dpkg appears to have problems resolving symbolically linked native libraries +========================================================================================= +The jpackage tool uses `dpkg -S` to lookup which package provides a +particular file on Debian and Ubuntu systems. However, on newer Debian +and Ubuntu systems, `dpkg -S` does not resolve symlinks. In this +OpenJDK release, jpackage now resolves symlinks before passing the +real path of the file to dpkg. + +security-libs/javax.net.ssl: + +JDK-8279164: Disable TLS_ECDH_* cipher suites +============================================= +The TLS_ECDH cipher suites do not preserve forward secrecy and are +rarely used in practice. With this release, they are disabled by +adding "ECDH" to the `jdk.tls.disabledAlgorithms` security property in +the `java.security` configuration file. Attempts to use these suites +with this release will result in a `SSLHandshakeException` being +thrown. Note that ECDH cipher suites which use RC4 were already +disabled prior to this change. + +Users can, *at their own risk*, remove this restriction by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) so "ECDH" is no longer +listed in the `jdk.tls.disabledAlgorithms` security property. + +This change has no effect on TLS_ECDHE cipher suites, which remain +enabled by default. + +JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs +JDK-8341059: Change Entrust TLS distrust date to November 12, 2024 +==================================================================================================== +In accordance with similar plans recently announced by Google and +Mozilla, the JDK will not trust Transport Layer Security (TLS) +certificates issued after the 11th of November 2024 which are anchored +by Entrust root certificates. This includes certificates branded as +AffirmTrust, which are managed by Entrust. + +Certificates issued on or before November 11th, 2024 will continue to +be trusted until they expire. + +If a server's certificate chain is anchored by an affected +certificate, attempts to negotiate a TLS session will fail with an +Exception that indicates the trust anchor is not trusted. For example, + +"TLS server certificate issued after 2024-11-11 and anchored by a +distrusted legacy Entrust root CA: CN=Entrust.net Certification +Authority (2048), OU=(c) 1999 Entrust.net Limited, +OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), +O=Entrust.net" + +To check whether a certificate in a JDK keystore is affected by this +change, you can the `keytool` utility: + +keytool -v -list -alias -keystore + +If any of the certificates in the chain are affected by this change, +then you will need to update the certificate or contact the +organisation responsible for managing the certificate. + +These restrictions apply to the following Entrust root certificates +included in the JDK: + +Alias name: entrustevca [jdk] +CN=Entrust Root Certification Authority +OU=(c) 2006 Entrust, Inc. +OU=www.entrust.net/CPS is incorporated by reference +O=Entrust, Inc. +C=US +SHA256: 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C + +Alias name: entrustrootcaec1 [jdk] +CN=Entrust Root Certification Authority - EC1 +OU=(c) 2012 Entrust, Inc. - for authorized use only +OU=See www.entrust.net/legal-terms +O=Entrust, Inc. +C=US +SHA256: 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5 + +Alias name: entrustrootcag2 [jdk] +CN=Entrust Root Certification Authority - G2 +OU=(c) 2009 Entrust, Inc. - for authorized use only +OU=See www.entrust.net/legal-terms +O=Entrust, Inc. +C=US +SHA256: 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39 + +Alias name: entrustrootcag4 [jdk] +CN=Entrust Root Certification Authority - G4 +OU=(c) 2015 Entrust, Inc. - for authorized use only +OU=See www.entrust.net/legal-terms +O=Entrust, Inc. +C=US +SHA256: DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88 + +Alias name: entrust2048ca [jdk] +CN=Entrust.net Certification Authority (2048) +OU=(c) 1999 Entrust.net Limited +OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.) +O=Entrust.net +SHA256: 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77 + +Alias name: affirmtrustcommercialca [jdk] +CN=AffirmTrust Commercial +O=AffirmTrust +C=US +SHA256: 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7 + +Alias name: affirmtrustnetworkingca [jdk] +CN=AffirmTrust Networking +O=AffirmTrust +C=US +SHA256: 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B + +Alias name: affirmtrustpremiumca [jdk] +CN=AffirmTrust Premium +O=AffirmTrust +C=US +SHA256: 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A + +Alias name: affirmtrustpremiumeccca [jdk] +CN=AffirmTrust Premium ECC +O=AffirmTrust +C=US +SHA256: BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23 + +Users can, *at their own risk*, remove this restriction by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) so "ENTRUST_TLS" is no +longer listed in the `jdk.security.caDistrustPolicies` security +property. + +tools/launcher: + +JDK-8310201: Reduce verbose locale output in -XshowSettings launcher option +=========================================================================== +In previous releases of OpenJDK, the `-XshowSettings` launcher option printed a +long list of available locales which obscured other settings. In this release, +the `-XshowSettings` launcher option no longer prints the list of available +locales by default. To view all settings related to available locales, users +can now use the -XshowSettings:locale option. + +security-libs/java.security: + +JDK-8051959: Add thread and timestamp options to java.security.debug system property +==================================================================================== +This release adds the following additional options to the +`java.security.debug` property which can be applied to any specified +component: + +* `+timestamp`: Print a timestamp with each debug statement. +* `+thread`: Print thread and caller information for each debug statement. + +For example, `-Djava.security.debug=all+timestamp+thread` turns on +debug information for all components with both timestamps and thread +information. + +In contrast, `-Djava.security.debug=properties+timestamp` turns on +debug information only for security properties and includes a +timestamp. + +You can use `-Djava.security.debug=help` to display a complete list of +supported components and options. + +JDK-8341057: Add 2 SSL.com TLS roots +==================================== +The following root certificates have been added to the cacerts +truststore: + +Name: SSL.com +Alias Name: ssltlsrootecc2022 +Distinguished Name: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US + +Name: SSL.com +Alias Name: ssltlsrootrsa2022 +Distinguished Name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US + +client-libs: + +JDK-8307779: Relax the java.awt.Robot specification +=================================================== +This release of OpenJDK 17 updates to the latest maintenance release +of the Java 17 specification. This relaxes the specification of three +methods in the `java.awt.Robot` class - `mouseMove(int,int)`, +`getPixelColor(int,int)` and `createScreenCapture(Rectangle)` - to +allow these methods to fail when the desktop environment does not +permit moving the mouse pointer or capturing screen content. + +core-libs/javax.naming: + +JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property +=============================================================================================================================== +With this OpenJDK release, the JDK implementation of the LDAP provider +no longer supports the deserialisation of Java objects by +default. This is achieved by the system property +`com.sun.jndi.ldap.object.trustSerialData` being set to `false` by +default. + +Note that this release also increases the scope of the +`com.sun.jndi.ldap.object.trustSerialData` to cover the reconstruction +of RMI remote objects from the `javaRemoteLocation` LDAP attribute. + +The result of this change is that transparent deserialisation of Java +objects will require an explicit opt-in. Applications that wish to +reconstruct Java objects and RMI stubs from LDAP attributes will need +to set the `com.sun.jndi.ldap.object.trustSerialData` to `true`. + +core-libs/java.net: + +JDK-8328286: Enhance HTTP client +================================ +This OpenJDK release limits the maximum header field size accepted by +the HTTP client within the JDK for all supported versions of the HTTP +protocol. The header field size is computed as the sum of the size of +the uncompressed header name, the size of the uncompressed header +value and a overhead of 32 bytes for each field section line. If a +peer sends a field section that exceeds this limit, a +`java.net.ProtocolException` will be raised. + +This release also introduces a new system property, +`jdk.http.maxHeaderSize`. This property can be used to alter the +maximum header field size (in bytes) or disable it by setting the +value to zero or a negative value. The default value is 393,216 bytes +or 384kB. + +core-svc/java.lang.management: + +JDK-8338139: {ClassLoading,Memory}MXBean::isVerbose methods are inconsistent with their setVerbose methods +========================================================================================================== +In previous OpenJDK releases, the behaviour of the `isVerbose` and +`setVerbose` methods in `ClassLoadingMXBean` and `MemoryMXBean` was +inconsistent. The `setVerbose` method would only alter the level of +logging to `stdout`, setting it to `info` when passed the argument +`true`, and `off` when passed `false`. However, the `isVerbose` method +would check if logging was enabled on any output, causing it to return +`true` due to the presence of file logging, even when +`setVerbose(false)` had been called to turn off `stdout` logging. +With this release, the `isVerbose` methods only return `true` if +`stdout` logging is enabled. + +security-libs/javax.crypto: + +JDK-8297878: New Key Encapsulation Mechanism API +================================================ +We introduce a new javax.crypto API for key encapsulation mechanisms +(KEMs), an encryption technique for securing symmetric keys using +public key cryptography. + +New in release OpenJDK 17.0.12 (2024-07-16): +============================================ +Live versions of these release notes can be found at: + * https://bit.ly/openjdk17012 + +* CVEs + - CVE-2024-21147 + - CVE-2024-21145 + - CVE-2024-21140 + - CVE-2024-21131 + - CVE-2024-21138 +* Security fixes + - JDK-8303466: C2: failed: malformed control flow. Limit type made precise with MaxL/MinL + - JDK-8314794: Improve UTF8 String supports + - JDK-8319859: Better symbol storage + - JDK-8320097: Improve Image transformations + - JDK-8320548: Improved loop handling + - JDK-8323231: Improve array management + - JDK-8323390: Enhance mask blit functionality + - JDK-8324559: Improve 2D image handling + - JDK-8325600: Better symbol storage + - JDK-8327413: Enhance compilation efficiency +* Other changes + - JDK-8015739: Background of JInternalFrame is located out of JInternalFrame + - JDK-8042380: Test javax/swing/JFileChooser/4524490/bug4524490.java fails with InvocationTargetException + - JDK-8159927: Add a test to verify JMOD files created in the images do not have debug symbols + - JDK-8163229: several regression tests have a main method that is never executed + - JDK-8163921: HttpURLConnection default Accept header is malformed according to HTTP/1.1 RFC + - JDK-8177107: Reduce memory footprint of java.lang.reflect.Constructor/Method + - JDK-8185862: AWT Assertion Failure in ::GetDIBits(hBMDC, hBM, 0, 1, 0, gpBitmapInfo, 0) 'awt_Win32GraphicsDevice.cpp', at line 185 + - JDK-8187759: Background not refreshed when painting over a transparent JFrame + - JDK-8213714: AttachingConnector/attach/attach001 failed due to "bind failed: Address already in use" + - JDK-8223696: java/net/httpclient/MaxStreams.java failed with didn't finish within the time-out + - JDK-8256660: Disable DTLS 1.0 + - JDK-8260540: serviceability/jdwp/AllModulesCommandTest.java failed with "Debuggee error: 'ERROR: transport error 202: bind failed: Address already in use'" + - JDK-8263940: NPE when creating default file system when default file system provider is packaged as JAR file on class path + - JDK-8264322: Generate CDS archive when creating custom JDK image + - JDK-8266242: java/awt/GraphicsDevice/CheckDisplayModes.java failing on macOS 11 ARM + - JDK-8267796: vmTestbase/nsk/jvmti/scenarios/hotswap/HS201/hs201t002/TestDescription.java fails with NoClassDefFoundError + - JDK-8268974: GetJREPath() JLI function fails to locate libjava.so if not standard Java launcher is used + - JDK-8269914: Factor out heap printing for G1 young and full gc + - JDK-8270018: Add scoped object for g1 young gc JFR notification + - JDK-8272315: Improve assert_different_registers + - JDK-8272651: G1 heap region info print order changed by JDK-8269914 + - JDK-8272903: Missing license header in ArenaAllocator.java + - JDK-8272916: Copyright year was modified unintentionally in jlink.properties and ImagePluginStack.java + - JDK-8273153: Consolidate file_exists into os:file_exists + - JDK-8273774: CDSPluginTest should only expect classes_nocoops.jsa exists on supported 64-bit platforms + - JDK-8275334: Move class loading Events to a separate section in hs_err files + - JDK-8275868: ciReplay: Inlining fails with "unloaded signature classes" due to wrong protection domains + - JDK-8276227: ciReplay: SIGSEGV if classfile for replay compilation is not present after JDK-8275868 + - JDK-8278893: Parallel: Remove GCWorkerDelayMillis + - JDK-8280030: [REDO] Parallel: More precise boundary in ObjectStartArray::object_starts_in_range + - JDK-8280056: gtest/LargePageGtests.java#use-large-pages failed "os.release_one_mapping_multi_commits_vm" + - JDK-8280113: (dc) DatagramSocket.receive does not always throw when the channel is closed + - JDK-8280377: MethodHandleProxies does not correctly invoke default methods with varags + - JDK-8280546: Remove hard-coded 127.0.0.1 loopback address + - JDK-8280835: jdk/javadoc/tool/CheckManPageOptions.java depends on source hierarchy + - JDK-8281658: Add a security category to the java -XshowSettings option + - JDK-8282094: [REDO] Parallel: Refactor PSCardTable::scavenge_contents_parallel + - JDK-8283349: Robustness improvements to java/util/prefs/AddNodeChangeListener.jar + - JDK-8285452: Add a new test library API to replace a file content using FileUtils.java + - JDK-8286045: Use ForceGC for cleaner test cases + - JDK-8286311: remove boilerplate from use of runTests + - JDK-8286490: JvmtiEventControllerPrivate::set_event_callbacks CLEARING_MASK computation is incorrect + - JDK-8286740: JFR: Active Setting event emitted incorrectly + - JDK-8286781: Replace the deprecated/obsolete gethostbyname and inet_addr calls + - JDK-8289401: Add dump output to TestRawRSACipher.java + - JDK-8289643: File descriptor leak with ProcessBuilder.startPipeline + - JDK-8290126: Add a check in JavadocTester for "javadoc should not crash" + - JDK-8290885: java/lang/ProcessBuilder/PipelineLeaksFD.java fail: More or fewer pipes than expected + - JDK-8290901: Reduce use of -source in langtools tests + - JDK-8291753: Add JFR event for GC CPU Time + - JDK-8294137: Review running times of java.math tests + - JDK-8294156: Allow PassFailJFrame.Builder to create test UI + - JDK-8294699: Launcher causes lingering busy cursor + - JDK-8295026: Remove unused fields in StyleSheet + - JDK-8295343: sun/security/pkcs11 tests fail on Linux RHEL 8.6 and newer + - JDK-8295944: Move the Http2TestServer and related classes into a package of its own + - JDK-8296137: diags-examples.xml is broken + - JDK-8296190: TestMD5Intrinsics and TestMD5MultiBlockIntrinsics don't test the intrinsics + - JDK-8296610: java/net/HttpURLConnection/SetAuthenticator/HTTPSetAuthenticatorTest.java failed with "BindException: Address already in use: connect" + - JDK-8297082: Remove sun/tools/jhsdb/BasicLauncherTest.java from problem list + - JDK-8297292: java/nio/channels/FileChannel/FileExtensionAndMap.java is too slow + - JDK-8297445: PPC64: Represent Registers as values + - JDK-8297449: Update JInternalFrame Metal Border code + - JDK-8297645: Drop the test/jdk/java/net/httpclient/reactivestreams-tck-tests/TckDriver.java test + - JDK-8297695: Fix typos in test/langtools files + - JDK-8298413: [s390] CPUInfoTest fails due to uppercase feature string + - JDK-8298939: Refactor open/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.sh to jtreg java test + - JDK-8299023: TestPLABResize.java and TestPLABPromotion.java are failing intermittently + - JDK-8299858: [Metrics] Swap memory limit reported incorrectly when too large + - JDK-8301183: (zipfs) jdk/jdk/nio/zipfs/TestLocOffsetFromZip64EF.java failing with ZipException:R0 on OL9 + - JDK-8301381: Verify DTLS 1.0 cannot be negotiated + - JDK-8301753: AppendFile/WriteFile has differences between make 3.81 and 4+ + - JDK-8302069: javax/management/remote/mandatory/notif/NotifReconnectDeadlockTest.java update + - JDK-8302512: Update IANA Language Subtag Registry to Version 2023-02-14 + - JDK-8302907: [PPC64] Use more constexpr in class Register + - JDK-8303457: Introduce convenience test library APIs for creating test servers for tests in test/jdk/java/net/httpclient + - JDK-8303972: (zipfs) Make test/jdk/jdk/nio/zipfs/TestLocOffsetFromZip64EF.java independent of the zip command line + - JDK-8304761: Update IANA Language Subtag Registry to Version 2023-03-22 + - JDK-8304927: Update java/net/httpclient/BasicAuthTest.java to check basic auth over HTTP/2 + - JDK-8305169: java/security/cert/CertPathValidator/OCSP/GetAndPostTests.java -- test server didn't start in timely manner + - JDK-8305645: System Tray icons get corrupted when Windows primary monitor changes + - JDK-8305819: LogConfigurationTest intermittently fails on AArch64 + - JDK-8305874: Open source AWT Key, Text Event related tests + - JDK-8305931: jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java failed with "Expected chains but found none" + - JDK-8305942: Open source several AWT Focus related tests + - JDK-8305943: Open source few AWT Focus related tests + - JDK-8306031: Update IANA Language Subtag Registry to Version 2023-04-13 + - JDK-8306040: HttpResponseInputStream.available() returns 1 on empty stream + - JDK-8306067: Open source AWT Graphics,GridBagLayout related tests + - JDK-8306634: Open source AWT Event related tests + - JDK-8306714: Open source few Swing event and AbstractAction tests + - JDK-8306838: GetGraphicsTest needs to be headful + - JDK-8307411: Test java/foreign/channels/TestAsyncSocketChannels.java failed: IllegalStateException: Already closed + - JDK-8307423: [s390x] Represent Registers as values + - JDK-8308021: Update IANA Language Subtag Registry to Version 2023-05-11 + - JDK-8309409: Update HttpInputStreamTest and BodyProcessorInputStreamTest to use hg.openjdk.org + - JDK-8309527: Improve test proxy performance + - JDK-8309630: Clean up tests that reference deploy modules + - JDK-8309763: Move tests in test/jdk/sun/misc/URLClassPath directory to test/jdk/jdk/internal/loader + - JDK-8309890: TestStringDeduplicationInterned.java waits for the wrong condition + - JDK-8310031: Parallel: Implement better work distribution for large object arrays in old gen + - JDK-8310818: Refactor more Locale tests to use JUnit + - JDK-8311893: Interactive component with ARIA role 'tabpanel' does not have a programmatically associated name + - JDK-8311964: Some jtreg tests failing on x86 with error 'unrecognized VM options' (C2 flags) + - JDK-8312194: test/hotspot/jtreg/applications/ctw/modules/jdk_crypto_ec.java cannot handle empty modules + - JDK-8312320: Remove javax/rmi/ssl/SSLSocketParametersTest.sh from ProblemList + - JDK-8312383: Log X509ExtendedKeyManager implementation class name in TLS/SSL connection + - JDK-8312916: Remove remaining usages of -Xdebug from test/hotspot/jtreg + - JDK-8313307: java/util/Formatter/Padding.java fails on some Locales + - JDK-8313702: Update IANA Language Subtag Registry to Version 2023-08-02 + - JDK-8314283: Support for NSS tests on aarch64 platforms + - JDK-8314832: Few runtime/os tests ignore vm flags + - JDK-8314835: gtest wrappers should be marked as flagless + - JDK-8315071: Modify TrayIconScalingTest.java, PrintLatinCJKTest.java to use new PassFailJFrame's builder pattern usage + - JDK-8315117: Update Zlib Data Compression Library to Version 1.3 + - JDK-8315609: Open source few more swing text/html tests + - JDK-8315652: RISC-V: Features string uses wrong separator for jtreg + - JDK-8315663: Open source misc awt tests + - JDK-8315677: Open source few swing JFileChooser and other tests + - JDK-8315726: Open source several AWT applet tests + - JDK-8315741: Open source few swing JFormattedTextField and JPopupMenu tests + - JDK-8315824: Open source several Swing Text/HTML related tests + - JDK-8315834: Open source several Swing JSpinner related tests + - JDK-8315889: Open source several Swing HTMLDocument related tests + - JDK-8315898: Open source swing JMenu tests + - JDK-8316017: Refactor timeout handler in PassFailJFrame + - JDK-8316053: Open some swing tests 3 + - JDK-8316138: Add GlobalSign 2 TLS root certificates + - JDK-8316142: Enable parallelism in vmTestbase/nsk/monitoring/stress/lowmem tests + - JDK-8316154: Opensource JTextArea manual tests + - JDK-8316164: Opensource JMenuBar manual test + - JDK-8316186: RISC-V: Remove PlatformCmpxchg<4> + - JDK-8316242: Opensource SwingGraphics manual test + - JDK-8316462: sun/jvmstat/monitor/MonitoredVm/MonitorVmStartTerminate.java ignores VM flags + - JDK-8316563: test tools/jpackage/linux/LinuxResourceTest.java fails on CentOS Linux release 8.5.2111 and Fedora 27 + - JDK-8316608: Enable parallelism in vmTestbase/gc/vector tests + - JDK-8317287: [macos14] InterJVMGetDropSuccessTest.java: Child VM: abnormal termination + - JDK-8318322: Update IANA Language Subtag Registry to Version 2023-10-16 + - JDK-8318580: "javax/swing/MultiMonitor/MultimonVImage.java failing with Error. Can't find library: /open/test/jdk/java/awt/regtesthelpers" after JDK-8316053 + - JDK-8318599: HttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809 + - JDK-8318727: Enable parallelism in vmTestbase/vm/gc/concurrent tests + - JDK-8318809: java/util/concurrent/ConcurrentLinkedQueue/WhiteBox.java shows intermittent failures on linux ppc64le and aarch64 + - JDK-8318854: [macos14] Running any AWT app prints Secure coding warning + - JDK-8319048: Monitor deflation unlink phase prolongs time to safepoint + - JDK-8319128: sun/security/pkcs11 tests fail on OL 7.9 aarch64 + - JDK-8319136: Skip pkcs11 tests on linux-aarch64 + - JDK-8319268: Build failure with GCC8.3.1 after 8313643 + - JDK-8319338: tools/jpackage/share/RuntimeImageTest.java fails with -XX:+UseZGC + - JDK-8319372: C2 compilation fails with "Bad immediate dominator info" + - JDK-8320005: Allow loading of shared objects with .a extension on AIX + - JDK-8320113: [macos14] : ShapeNotSetSometimes.java fails intermittently on macOS 14 + - JDK-8320129: "top" command during jtreg failure handler does not display CPU usage on OSX + - JDK-8320303: Allow PassFailJFrame to accept single window creator + - JDK-8320342: Use PassFailJFrame for TruncatedPopupMenuTest.java + - JDK-8320570: NegativeArraySizeException decoding >1G UTF8 bytes with non-ascii characters + - JDK-8320681: [macos] Test tools/jpackage/macosx/MacAppStoreJlinkOptionsTest.java timed out on macOS + - JDK-8320712: Rewrite BadFactoryTest in pure Java + - JDK-8320943: Files/probeContentType/Basic.java fails on latest Windows 11 - content type mismatch + - JDK-8321107: Add more test cases for JDK-8319372 + - JDK-8321489: Update LCMS to 2.16 + - JDK-8321925: sun/security/mscapi/KeytoolChangeAlias.java fails with "Alias <246810> does not exist" + - JDK-8322239: [macos] a11y : java.lang.NullPointerException is thrown when focus is moved on the JTabbedPane + - JDK-8322503: Shenandoah: Clarify gc state usage + - JDK-8322858: compiler/c2/aarch64/TestFarJump.java fails on AArch64 due to unexpected PrintAssembly output + - JDK-8322920: Some ProcessTools.execute* functions are declared to throw Throwable + - JDK-8323210: Update the usage of cmsFLAGS_COPY_ALPHA + - JDK-8323519: Add applications/ctw/modules to Hotspot tiered testing + - JDK-8323717: Introduce test keyword for tests that need external dependencies + - JDK-8323994: gtest runner repeats test name for every single gtest assertion + - JDK-8324050: Issue store-store barrier after re-materializing objects during deoptimization + - JDK-8324238: [macOS] java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java fails with the shape has not been applied msg + - JDK-8324243: Compilation failures in java.desktop module with gcc 14 + - JDK-8324598: use mem_unit when working with sysinfo memory and swap related information + - JDK-8324632: Update Zlib Data Compression Library to Version 1.3.1 + - JDK-8324723: GHA: Upgrade some actions to avoid deprecated Node 16 + - JDK-8324733: [macos14] Problem list tests which fail due to macOS bug described in JDK-8322653 + - JDK-8324824: AArch64: Detect Ampere-1B core and update default options for Ampere CPUs + - JDK-8325137: com/sun/management/ThreadMXBean/ThreadCpuTimeArray.java can fail in Xcomp with out of expected range + - JDK-8325203: System.exit(0) kills the launched 3rd party application + - JDK-8325213: Flags introduced by configure script are not passed to ADLC build + - JDK-8325254: CKA_TOKEN private and secret keys are not necessarily sensitive + - JDK-8325326: [PPC64] Don't relocate in case of allocation failure + - JDK-8325372: Shenandoah: SIGSEGV crash in unnecessary_acquire due to LoadStore split through phi + - JDK-8325432: enhance assert message "relocation addr must be in this section" + - JDK-8325496: Make TrimNativeHeapInterval a product switch + - JDK-8325579: Inconsistent behavior in com.sun.jndi.ldap.Connection::createSocket + - JDK-8325862: set -XX:+ErrorFileToStderr when executing java in containers for some container related jtreg tests + - JDK-8325876: crashes in docker container tests on Linuxppc64le Power8 machines + - JDK-8325972: Add -x to bash for building with LOG=debug + - JDK-8326006: Allow TEST_VM_FLAGLESS to set flagless mode + - JDK-8326101: [PPC64] Need to bailout cleanly if creation of stubs fails when code cache is out of space + - JDK-8326140: src/jdk.accessibility/windows/native/libjavaaccessbridge/AccessBridgeJavaEntryPoints.cpp ReleaseStringChars might be missing in early returns + - JDK-8326201: [S390] Need to bailout cleanly if creation of stubs fails when code cache is out of space + - JDK-8326351: Update the Zlib version in open/src/java.base/share/legal/zlib.md to 1.3.1 + - JDK-8326521: JFR: CompilerPhase event test fails on windows 32 bit + - JDK-8326529: JFR: Test for CompilerCompile events fails due to time out + - JDK-8326591: New test JmodExcludedFiles.java fails on Windows when --with-external-symbols-in-bundles=public is used + - JDK-8326638: Crash in PhaseIdealLoop::remix_address_expressions due to unexpected Region instead of Loop + - JDK-8326643: JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message + - JDK-8326661: sun/java2d/cmm/ColorConvertOp/ColConvTest.java assumes profiles were generated by LCMS + - JDK-8326794: Bump update version for OpenJDK: jdk-17.0.12 + - JDK-8326891: Prefer RPATH over RUNPATH for $ORIGIN rpaths in internal JDK binaries + - JDK-8326936: RISC-V: Shenandoah GC crashes due to incorrect atomic memory operations + - JDK-8326960: GHA: RISC-V sysroot cannot be debootstrapped due to ongoing Debian t64 transition + - JDK-8327036: [macosx-aarch64] SIGBUS in MarkActivationClosure::do_code_blob reached from Unsafe_CopySwapMemory0 + - JDK-8327059: os::Linux::print_proc_sys_info add swappiness information + - JDK-8327136: javax/management/remote/mandatory/notif/NotifReconnectDeadlockTest.java fails on libgraal + - JDK-8327631: Update IANA Language Subtag Registry to Version 2024-03-07 + - JDK-8327989: java/net/httpclient/ManyRequest.java should not use "localhost" in URIs + - JDK-8327998: Enable java/lang/ProcessBuilder/JspawnhelperProtocol.java on Mac + - JDK-8328066: WhiteBoxResizeTest failure on linux-x86: Could not reserve enough space for 2097152KB object heap + - JDK-8328165: improve assert(idx < _maxlrg) failed: oob + - JDK-8328166: Epsilon: 'EpsilonHeap::allocate_work' misuses the parameter 'size' as size in bytes + - JDK-8328168: Epsilon: Premature OOM when allocating object larger than uncommitted heap size + - JDK-8328194: Add a test to check default rendering engine + - JDK-8328524: [x86] StringRepeat.java failure on linux-x86: Could not reserve enough space for 2097152KB object heap + - JDK-8328540: test javax/swing/JSplitPane/4885629/bug4885629.java fails on windows hidpi + - JDK-8328638: Fallback option for POST-only OCSP requests + - JDK-8328705: GHA: Cross-compilation jobs do not require build JDK + - JDK-8328812: Update and move siphash license + - JDK-8328825: Google CAInterop test failures + - JDK-8328948: GHA: Restoring sysroot from cache skips the build after JDK-8326960 + - JDK-8328988: [macos14] Problem list LightweightEventTest.java which fails due to macOS bug described in JDK-8322653 + - JDK-8328997: Remove unnecessary template parameter lists in GrowableArray + - JDK-8329013: StackOverflowError when starting Apache Tomcat with signed jar + - JDK-8329213: Better validation for com.sun.security.ocsp.useget option + - JDK-8329223: Parallel: Parallel GC resizes heap even if -Xms = -Xmx + - JDK-8329570: G1: Excessive is_obj_dead_cond calls in verification + - JDK-8329823: RISC-V: Need to sync CPU features with related JVM flags + - JDK-8330094: RISC-V: Save and restore FRM in the call stub + - JDK-8330156: RISC-V: Range check auipc + signed 12 imm instruction + - JDK-8330242: RISC-V: Simplify and remove CORRECT_COMPILER_ATOMIC_SUPPORT in atomic_linux_riscv.hpp + - JDK-8330523: Reduce runtime and improve efficiency of KeepAliveTest + - JDK-8330815: Use pattern matching for instanceof in KeepAliveCache + - JDK-8331113: createJMHBundle.sh support configurable maven repo mirror + - JDK-8331352: error: template-id not allowed for constructor/destructor in C++20 + - JDK-8331641: [17u]: Bump GHA bootstrap JDK to 17.0.11 + - JDK-8331942: On Linux aarch64, CDS archives should be using 64K alignment by default + - JDK-8334441: Mark tests in jdk_security_infra group as manual + - JDK-8335963: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.12 + +Notes on individual issues: +=========================== + +security-libs/javax.security: + +JDK-8328638: Fallback Option For POST-only OCSP Requests +======================================================== +JDK-8179503, introduced in OpenJDK 17, added support for using the +HTTP GET method for OCSP requests. This was turned on unconditionally +for small requests. + +RFC 5019 and RFC 6960 explicitly allow and recommend the use of HTTP +GET requests. However, some OCSP responders have been observed to not +work well with such requests. + +With this release, the JDK system property +`com.sun.security.ocsp.useget` is introduced. The default setting is +'true' which retains the current behaviour of using GET requests for +small requests. If the property is instead set to 'false', only HTTP +POST requests will be used, regardless of size. + +This option is non-standard and may be removed again if problematic +OCSP responders are no longer an issue. + +security-libs/javax.net.ssl: + +JDK-8256660: Disabled DTLS 1.0 +============================== +Support for both Datagram Transport Layer Security (DTLS) 1.0 and 1.2 +was introduced in OpenJDK 9 (JEP-219). The use of DTLS 1.0 (based on +TLS 1.1) is now no longer recommended, as it is considered weak and +insecure by modern standards. With this release, the JVM will throw a +`SSLHandshakeException` if use of DTLS 1.0 is attempted. + +Users can, *at their own risk*, remove this restriction by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) so `DTLSv1.0` is no longer +listed in the `jdk.tls.disabledAlgorithms` security property. + +infrastructure/build: + +JDK-8326891: Prefer RPATH over RUNPATH for $ORIGIN rpaths in internal JDK binaries +================================================================================== +Native executables and libraries in the JDK use embedded runtime +search paths to locate required internal JDK native libraries. On +Linux systems, there are two ways of specifying these search paths; +DT_RPATH and DT_RUNPATH. + +The main difference between the two options is that paths specified by +DT_RPATH are searched before those in the LD_LIBRARY_PATH environment +variable, whereas DT_RUNPATH paths are considered afterwards. This +means the use of DT_RUNPATH can allow JDK internal libraries to be +overridden by libraries of the same name found on the LD_LIBRARY_PATH. + +Builds of earlier OpenJDK releases left the choice of which type of +runtime search path to use down to the default of the linker. With +this release, the option `--disable-new-dtags` is explicitly passed to +the linker to avoid setting DT_RUNPATH. + +hotspot/runtime: + +JDK-8325496: Make TrimNativeHeapInterval a product switch +========================================================= +The option '-XX:TrimNativeHeapInterval=ms', where 'ms' is the interval +in milliseconds, is now an official product switch. It allows the +virtual machine to trim the native heap at the specified interval on +supported platforms (currently only Linux with glibc). A value of +zero (the default) disables trimming. + +security-libs/java.security: + +JDK-8281658: Add a security category to the java -XshowSettings option +====================================================================== +The `-XshowSettings` launcher option now has a 'security' category, allowing +the following arguments to be passed: + +* -XshowSettings:security or -XshowSettings:security:all: show all security settings and continue +* -XshowSettings:security:properties - show security properties and continue +* -XshowSettings:security:providers - show static security provider settings and continue +* -XshowSettings:security:tls - show TLS related security settings and continue + +The output will include third-party security providers if they are +included in the application class path or module path, and configured +in the java.security file. + +JDK-8316138: Added GlobalSign R46 and E46 Root CA Certificates +============================================================== +The following root certificates have been added to the cacerts truststore: + +Name: GlobalSign +Alias Name: globalsignr46 +Distinguished Name: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE + +Name: GlobalSign +Alias Name: globalsigne46 +Distinguished Name: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE + +hotspot/gc: + +JDK-8315503: G1: Code root scan causes long GC pauses due to imbalanced iteration +================================================================================= +The Code Root Scan phase of garbage collection finds references to +Java objects within compiled code. To speed up this process, a cache +is maintained within each region of the compiled code that contains +references into the Java heap. + +On the assumption that the set of references was small, previous +releases used a single thread per region to iterate through these +references. This introduced a scalability bottleneck, where +performance could be reduced if a particular region contained a large +number of references. + +In this release, multiple threads are used, removing this bottleneck. + +New in release OpenJDK 17.0.11 (2024-04-16): +============================================ +Live versions of these release notes can be found at: + * https://bit.ly/openjdk17011 + +* CVEs + - CVE-2024-21012 + - CVE-2024-21011 + - CVE-2024-21068 + - CVE-2024-21094 +* Security fixes + - JDK-8315708: Enhance HTTP/2 client usage + - JDK-8317507, JDK-8325348: C2 compilation fails with "Exceeded _node_regs array" + - JDK-8318340: Improve RSA key implementations + - JDK-8319851: Improve exception logging + - JDK-8322122: Enhance generation of addresses +* Other changes + - JDK-6928542: Chinese characters in RTF are not decoded + - JDK-7132796: [macosx] closed/javax/swing/JComboBox/4517214/bug4517214.java fails on MacOS + - JDK-7148092: [macosx] When Alt+down arrow key is pressed, the combobox popup does not appear. + - JDK-7167356: (javac) investigate failing tests in JavacParserTest + - JDK-8054022: HttpURLConnection timeouts with Expect: 100-Continue and no chunking + - JDK-8054572: [macosx] JComboBox paints the border incorrectly + - JDK-8169475: WheelModifier.java fails by timeout + - JDK-8205076: [17u] Inet6AddressImpl.c: `lookupIfLocalHost` accesses `int InetAddress.preferIPv6Address` as a boolean + - JDK-8209595: MonitorVmStartTerminate.java timed out + - JDK-8210410: Refactor java.util.Currency:i18n shell tests to plain java tests + - JDK-8261404: Class.getReflectionFactory() is not thread-safe + - JDK-8261837: SIGSEGV in ciVirtualCallTypeData::translate_from + - JDK-8263256: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails due to dynamic reconfigurations of network interface during test + - JDK-8269258: java/net/httpclient/ManyRequestsLegacy.java failed with connection timeout + - JDK-8271118: C2: StressGCM should have higher priority than frequency-based policy + - JDK-8271616: oddPart in MutableBigInteger::mutableModInverse contains info on final result + - JDK-8272811: Document the effects of building with _GNU_SOURCE in os_posix.hpp + - JDK-8272853: improve `JavadocTester.runTests` + - JDK-8273454: C2: Transform (-a)*(-b) into a*b + - JDK-8274060: C2: Incorrect computation after JDK-8273454 + - JDK-8274122: java/io/File/createTempFile/SpecialTempFile.java fails in Windows 11 + - JDK-8274621: NullPointerException because listenAddress[0] is null + - JDK-8274632: Possible pointer overflow in PretouchTask chunk claiming + - JDK-8274634: Use String.equals instead of String.compareTo in java.desktop + - JDK-8276125: RunThese24H.java SIGSEGV in JfrThreadGroup::thread_group_id + - JDK-8278028: [test-library] Warnings cleanup of the test library + - JDK-8278312: Update SimpleSSLContext keystore to use SANs for localhost IP addresses + - JDK-8278363: Create extented container test groups + - JDK-8280241: (aio) AsynchronousSocketChannel init fails in IPv6 only Windows env + - JDK-8281377: Remove vmTestbase/nsk/monitoring/ThreadMXBean/ThreadInfo/Deadlock/JavaDeadlock001/TestDescription.java from problemlist. + - JDK-8281543: Remove unused code/headerfile dtraceAttacher.hpp + - JDK-8281585: Remove unused imports under test/lib and jtreg/gc + - JDK-8283400: [macos] a11y : Screen magnifier does not reflect JRadioButton value change + - JDK-8283626: AArch64: Set relocInfo::offset_unit to 4 + - JDK-8283994: Make Xerces DatatypeException stackless + - JDK-8286312: Stop mixing signed and unsigned types in bit operations + - JDK-8286846: test/jdk/javax/swing/plaf/aqua/CustomComboBoxFocusTest.java fails on mac aarch64 + - JDK-8287832: jdk/jfr/event/runtime/TestActiveSettingEvent.java failed with "Expected two batches of Active Setting events" + - JDK-8288663: JFR: Disabling the JfrThreadSampler commits only a partially disabled state + - JDK-8288846: misc tests fail "assert(ms < 1000) failed: Un-interruptable sleep, short time use only" + - JDK-8289764: gc/lock tests failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects" + - JDK-8290041: ModuleDescriptor.hashCode is inconsistent + - JDK-8290203: ProblemList vmTestbase/nsk/jvmti/scenarios/capability/CM03/cm03t001/TestDescription.java on linux-all + - JDK-8290399: [macos] Aqua LAF does not fire an action event if combo box menu is displayed + - JDK-8292458: Atomic operations on scoped enums don't build with clang + - JDK-8292946: GC lock/jni/jnilock001 test failed "assert(gch->gc_cause() == GCCause::_scavenge_alot || !gch->incremental_collection_failed()) failed: Twice in a row" + - JDK-8293117: Add atomic bitset functions + - JDK-8293547: Add relaxed add_and_fetch for macos aarch64 atomics + - JDK-8294158: HTML formatting for PassFailJFrame instructions + - JDK-8294254: [macOS] javax/swing/plaf/aqua/CustomComboBoxFocusTest.java failure + - JDK-8294535: Add screen capture functionality to PassFailJFrame + - JDK-8295068: SSLEngine throws NPE parsing CertificateRequests + - JDK-8295124: Atomic::add to pointer type may return wrong value + - JDK-8295274: HelidonAppTest.java fails "assert(event->should_commit()) failed: invariant" from compiled frame" + - JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts + - JDK-8297968: Crash in PrintOptoAssembly + - JDK-8298087: XML Schema Validation reports an required attribute twice via ErrorHandler + - JDK-8299494: Test vmTestbase/nsk/stress/except/except011.java failed: ExceptionInInitializerError: target class not found + - JDK-8300269: The selected item in an editable JComboBox with titled border is not visible in Aqua LAF + - JDK-8301306: java/net/httpclient/* fail with -Xcomp + - JDK-8301310: The SendRawSysexMessage test may cause a JVM crash + - JDK-8301787: java/net/httpclient/SpecialHeadersTest failing after JDK-8301306 + - JDK-8301846: Invalid TargetDataLine after screen lock when using JFileChooser or COM library + - JDK-8302017: Allocate BadPaddingException only if it will be thrown + - JDK-8302149: Speed up compiler/jsr292/methodHandleExceptions/TestAMEnotNPE.java + - JDK-8303605: Memory leaks in Metaspace gtests + - JDK-8304074: [JMX] Add an approximation of total bytes allocated on the Java heap by the JVM + - JDK-8304696: Duplicate class names in dynamicArchive tests can lead to test failure + - JDK-8305356: Fix ignored bad CompileCommands in tests + - JDK-8305900: Use loopback IP addresses in security policy files of httpclient tests + - JDK-8305906: HttpClient may use incorrect key when finding pooled HTTP/2 connection for IPv6 address + - JDK-8305962: update jcstress to 0.16 + - JDK-8305972: Update XML Security for Java to 3.0.2 + - JDK-8306014: Update javax.net.ssl TLS tests to use SSLContextTemplate or SSLEngineTemplate + - JDK-8306408: Fix the format of several tables in building.md + - JDK-8307185: pkcs11 native libraries make JNI calls into java code while holding GC lock + - JDK-8307926: Support byte-sized atomic bitset operations + - JDK-8307955: Prefer to PTRACE_GETREGSET instead of PTRACE_GETREGS in method 'ps_proc.c::process_get_lwp_regs' + - JDK-8307990: jspawnhelper must close its writing side of a pipe before reading from it + - JDK-8308043: Deadlock in TestCSLocker.java due to blocking GC while allocating + - JDK-8308245: Add -proc:full to describe current default annotation processing policy + - JDK-8308336: Test java/net/HttpURLConnection/HttpURLConnectionExpectContinueTest.java failed: java.net.BindException: Address already in use + - JDK-8309302: java/net/Socket/Timeouts.java fails with AssertionError on test temporal post condition + - JDK-8309305: sun/security/ssl/SSLSocketImpl/BlockedAsyncClose.java fails with jtreg test timeout + - JDK-8309462: [AIX] vmTestbase/nsk/jvmti/RunAgentThread/agentthr001/TestDescription.java crashing due to empty while loop + - JDK-8309733: [macOS, Accessibility] VoiceOver: Incorrect announcements of JRadioButton + - JDK-8309870: Using -proc:full should be considered requesting explicit annotation processing + - JDK-8310106: sun.security.ssl.SSLHandshake.getHandshakeProducer() incorrectly checks handshakeConsumers + - JDK-8310238: [test bug] javax/swing/JTableHeader/6889007/bug6889007.java fails + - JDK-8310380: Handle problems in core-related tests on macOS when codesign tool does not work + - JDK-8310631: test/jdk/sun/nio/cs/TestCharsetMapping.java is spuriously passing + - JDK-8310807: java/nio/channels/DatagramChannel/Connect.java timed out + - JDK-8310838: Correct range notations in MethodTypeDesc specification + - JDK-8310844: [AArch64] C1 compilation fails because monitor offset in OSR buffer is too large for immediate + - JDK-8310923: Refactor Currency tests to use JUnit + - JDK-8311081: KeytoolReaderP12Test.java fail on localized Windows platform + - JDK-8311160: [macOS, Accessibility] VoiceOver: No announcements on JRadioButtonMenuItem and JCheckBoxMenuItem + - JDK-8311581: Remove obsolete code and comments in TestLVT.java + - JDK-8311645: Memory leak in jspawnhelper spawnChild after JDK-8307990 + - JDK-8311986: Disable runtime/os/TestTracePageSizes.java for ShenandoahGC + - JDK-8312428: PKCS11 tests fail with NSS 3.91 + - JDK-8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom" + - JDK-8313081: MonitoringSupport_lock should be unconditionally initialized after 8304074 + - JDK-8313082: Enable CreateCoredumpOnCrash for testing in makefiles + - JDK-8313206: PKCS11 tests silently skip execution + - JDK-8313575: Refactor PKCS11Test tests + - JDK-8313621: test/jdk/jdk/internal/math/FloatingDecimal/TestFloatingDecimal should use RandomFactory + - JDK-8313643: Update HarfBuzz to 8.2.2 + - JDK-8313816: Accessing jmethodID might lead to spurious crashes + - JDK-8314164: java/net/HttpURLConnection/HttpURLConnectionExpectContinueTest.java fails intermittently in timeout + - JDK-8314220: Configurable InlineCacheBuffer size + - JDK-8314830: runtime/ErrorHandling/ tests ignore external VM flags + - JDK-8315034: File.mkdirs() occasionally fails to create folders on Windows shared folder + - JDK-8315042: NPE in PKCS7.parseOldSignedData + - JDK-8315594: Open source few headless Swing misc tests + - JDK-8315600: Open source few more headless Swing misc tests + - JDK-8315602: Open source swing security manager test + - JDK-8315611: Open source swing text/html and tree test + - JDK-8315680: java/lang/ref/ReachabilityFenceTest.java should run with -Xbatch + - JDK-8315731: Open source several Swing Text related tests + - JDK-8315761: Open source few swing JList and JMenuBar tests + - JDK-8315920: C2: "control input must dominate current control" assert failure + - JDK-8315986: [macos14] javax/swing/JMenuItem/4654927/bug4654927.java: component must be showing on the screen to determine its location + - JDK-8316001: GC: Make TestArrayAllocatorMallocLimit use createTestJvm + - JDK-8316028: Update FreeType to 2.13.2 + - JDK-8316030: Update Libpng to 1.6.40 + - JDK-8316106: Open source few swing JInternalFrame and JMenuBar tests + - JDK-8316304: (fs) Add support for BasicFileAttributes.creationTime() for Linux + - JDK-8316392: compiler/interpreter/TestVerifyStackAfterDeopt.java failed with SIGBUS in PcDescContainer::find_pc_desc_internal + - JDK-8316414: C2: large byte array clone triggers "failed: malformed control flow" assertion failure on linux-x86 + - JDK-8316415: Parallelize sun/security/rsa/SignedObjectChain.java subtests + - JDK-8316418: containers/docker/TestMemoryWithCgroupV1.java get OOM killed with Parallel GC + - JDK-8316445: Mark com/sun/management/HotSpotDiagnosticMXBean/CheckOrigin.java as vm.flagless + - JDK-8316679: C2 SuperWord: wrong result, load should not be moved before store if not comparable + - JDK-8316693: Simplify at-requires checkDockerSupport() + - JDK-8316929: Shenandoah: Shenandoah degenerated GC and full GC need to cleanup old OopMapCache entries + - JDK-8316947: Write a test to check textArea triggers MouseEntered/MouseExited events properly + - JDK-8317039: Enable specifying the JDK used to run jtreg + - JDK-8317144: Exclude sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java on Linux ppc64le + - JDK-8317307: test/jdk/com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails with ConnectException: Connection timed out: no further information + - JDK-8317603: Improve exception messages thrown by sun.nio.ch.Net native methods (win) + - JDK-8317771: [macos14] Expand/collapse a JTree using keyboard freezes the application in macOS 14 Sonoma + - JDK-8317807: JAVA_FLAGS removed from jtreg running in JDK-8317039 + - JDK-8317960: [17u] Excessive CPU usage on AbstractQueuedSynchronized.isEnqueued + - JDK-8318154: Improve stability of WheelModifier.java test + - JDK-8318183: C2: VM may crash after hitting node limit + - JDK-8318410: jdk/java/lang/instrument/BootClassPath/BootClassPathTest.sh fails on Japanese Windows + - JDK-8318468: compiler/tiered/LevelTransitionTest.java fails with -XX:CompileThreshold=100 -XX:TieredStopAtLevel=1 + - JDK-8318490: Increase timeout for JDK tests that are close to the limit when run with libgraal + - JDK-8318603: Parallelize sun/java2d/marlin/ClipShapeTest.java + - JDK-8318607: Enable parallelism in vmTestbase/nsk/stress/jni tests + - JDK-8318608: Enable parallelism in vmTestbase/nsk/stress/threads tests + - JDK-8318689: jtreg is confused when folder name is the same as the test name + - JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with "transport error 202: bind failed: Address already in use" + - JDK-8318951: Additional negative value check in JPEG decoding + - JDK-8318955: Add ReleaseIntArrayElements in Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to early return + - JDK-8318957: Enhance agentlib:jdwp help output by info about allow option + - JDK-8318961: increase javacserver connection timeout values and max retry attempts + - JDK-8318971: Better Error Handling for Jar Tool When Processing Non-existent Files + - JDK-8318983: Fix comment typo in PKCS12Passwd.java + - JDK-8319124: Update XML Security for Java to 3.0.3 + - JDK-8319213: Compatibility.java reads both stdout and stderr of JdkUtils + - JDK-8319436: Proxy.newProxyInstance throws NPE if loader is null and interface not visible from class loader + - JDK-8319456: jdk/jfr/event/gc/collection/TestGCCauseWith[Serial|Parallel].java : GC cause 'GCLocker Initiated GC' not in the valid causes + - JDK-8319668: Fixup of jar filename typo in BadFactoryTest.sh + - JDK-8319922: libCreationTimeHelper.so fails to link in JDK 21 + - JDK-8319961: JvmtiEnvBase doesn't zero _ext_event_callbacks + - JDK-8320001: javac crashes while adding type annotations to the return type of a constructor + - JDK-8320168: handle setsocktopt return values + - JDK-8320208: Update Public Suffix List to b5bf572 + - JDK-8320300: Adjust hs_err output in malloc/mmap error cases + - JDK-8320363: ppc64 TypeEntries::type_unknown logic looks wrong, missed optimization opportunity + - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly + - JDK-8320798: Console read line with zero out should zero out underlying buffer + - JDK-8320885: Bump update version for OpenJDK: jdk-17.0.11 + - JDK-8320921: GHA: Parallelize hotspot_compiler test jobs + - JDK-8320937: support latest VS2022 MSC_VER in abstract_vm_version.cpp + - JDK-8321151: JDK-8294427 breaks Windows L&F on all older Windows versions + - JDK-8321215: Incorrect x86 instruction encoding for VSIB addressing mode + - JDK-8321408: Add Certainly roots R1 and E1 + - JDK-8321480: ISO 4217 Amendment 176 Update + - JDK-8321599: Data loss in AVX3 Base64 decoding + - JDK-8321815: Shenandoah: gc state should be synchronized to java threads only once per safepoint + - JDK-8321972: test runtime/Unsafe/InternalErrorTest.java timeout on linux-riscv64 platform + - JDK-8322098: os::Linux::print_system_memory_info enhance the THP output with /sys/kernel/mm/transparent_hugepage/hpage_pmd_size + - JDK-8322321: Add man page doc for -XX:+VerifySharedSpaces + - JDK-8322417: Console read line with zero out should zero out when throwing exception + - JDK-8322583: RISC-V: Enable fast class initialization checks + - JDK-8322725: (tz) Update Timezone Data to 2023d + - JDK-8322750: Test "api/java_awt/interactive/SystemTrayTests.html" failed because A blue ball icon is added outside of the system tray + - JDK-8322772: Clean up code after JDK-8322417 + - JDK-8322783: prioritize /etc/os-release over /etc/SuSE-release in hs_err/info output + - JDK-8322968: [17u] Amend Atomics gtest with 1-byte tests + - JDK-8323008: filter out harmful -std* flags added by autoconf from CXX + - JDK-8323021: Shenandoah: Encountered reference count always attributed to first worker thread + - JDK-8323086: Shenandoah: Heap could be corrupted by oom during evacuation + - JDK-8323243: JNI invocation of an abstract instance method corrupts the stack + - JDK-8323331: fix typo hpage_pdm_size + - JDK-8323428: Shenandoah: Unused memory in regions compacted during a full GC should be mangled + - JDK-8323515: Create test alias "all" for all test roots + - JDK-8323637: Capture hotspot replay files in GHA + - JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed + - JDK-8323806: [17u] VS2017 build fails with warning after 8293117. + - JDK-8324184: Windows VS2010 build failed with "error C2275: 'int64_t'" + - JDK-8324280: RISC-V: Incorrect implementation in VM_Version::parse_satp_mode + - JDK-8324347: Enable "maybe-uninitialized" warning for FreeType 2.13.1 + - JDK-8324514: ClassLoaderData::print_on should print address of class loader + - JDK-8324647: Invalid test group of lib-test after JDK-8323515 + - JDK-8324659: GHA: Generic jtreg errors are not reported + - JDK-8324937: GHA: Avoid multiple test suites per job + - JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/AKISerialNumber.java is failing + - JDK-8325150: (tz) Update Timezone Data to 2024a + - JDK-8325585: Remove no longer necessary calls to set/unset-in-asgct flag in JDK 17 + - JDK-8326000: Remove obsolete comments for class sun.security.ssl.SunJSSE + - JDK-8327036: [macosx-aarch64] SIGBUS in MarkActivationClosure::do_code_blob reached from Unsafe_CopySwapMemory0 + - JDK-8327391: Add SipHash attribution file + - JDK-8329836: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.11 + +Notes on individual issues: +=========================== + +security-libs/javax.xml.crypto: + +JDK-8319124: Update XML Security for Java to 3.0.3 +================================================== +The XML signature implementation in OpenJDK 21 has been updated to +Apache Santuario 3.0.3. This update introduces four new SHA-3 based +RSA-MGF1 SignatureMethod algorithms. + +However, the API of javax.xml.crypto.dsig.SignatureMethod can not be +changed in update releases to provide constants for these new +algorithms. The equivalent string literals should be used as below: + +* SHA3_224_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-224-rsa-MGF1" +* SHA3_256_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-256-rsa-MGF1" +* SHA3_384_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-384-rsa-MGF1" +* SHA3_512_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-512-rsa-MGF1" + +This enhancement also introduces support for the ED25519 and ED448 +elliptic curve algorithms, which are both Edwards-curve Digital +Signature Algorithm (EdDSA) signature schemes. + +In contrast to the upstream version of Apache Santuario 3.0.3, the JDK +still supports the `here()` function. However, future support for the +`here()` function is not guaranteed. You should avoid using `here()` +in new XML signatures. You should also update any XML signatures that +currently use `here()` to stop using this function. + +The `here()` function is enabled by default. To disable the `here()` +function, set the `jdk.xml.dsig.hereFunctionSupported` system property +is to "false". + +core-libs/java.lang: + +JDK-8307990: Fixed Indefinite `jspawnhelper` Hangs +================================================== +With this fix, `jspawnhelper` will reliably receive an EOF signal from +the communication pipe and terminate when the parent process dies +prematurely. + +client-libs/java.awt + +JDK-8322750: AWT SystemTray API Is Not Supported on Most Linux Desktops +======================================================================= +The java.awt.SystemTray API is used to interact with the system's +desktop taskbar to provide notifications and may include an icon +representing an application. The GNOME desktop's support for taskbar +icons has not worked properly for several years, due to a platform +bug. This bug, in turn, affects the JDK's SystemTray support on GNOME +desktops. + +Therefore, in accordance with the SystemTray API specification, +java.awt.SystemTray.isSupported() will now return false on systems +that exhibit this bug, which is assumed to be those running a version +of GNOME Shell below 45. + +The impact of this change is likely to be minimal, as users of the +SystemTray API should already be able to handle isSupported() +returning false and the system tray on such platforms has already been +unsupported for a number of years for all applications. + +security-libs/java.security: + +JDK-8321408: Added Certainly R1 and E1 Root Certificates +======================================================== +The following root certificate has been added to the cacerts +truststore: + +Name: Certainly +Alias Name: certainlyrootr1 +Distinguished Name: CN=Certainly Root R1, O=Certainly, C=US + +Name: Certainly +Alias Name: certainlyroote1 +Distinguished Name: CN=Certainly Root E1, O=Certainly, C=US + +New in release OpenJDK 17.0.10 (2024-01-16): +============================================ +Live versions of these release notes can be found at: + * https://bit.ly/openjdk1710 + +* CVEs + - CVE-2024-20918 + - CVE-2024-20919 + - CVE-2024-20921 + - CVE-2024-20932 + - CVE-2024-20945 + - CVE-2024-20952 +* Security fixes + - JDK-8276123, JDK-8316613: ZipFile::getEntry will not return a file entry when there is a directory entry of the same name within a Zip File + - JDK-8308204: Enhanced certificate processing + - JDK-8314295: Enhance verification of verifier + - JDK-8314307: Improve loop handling + - JDK-8314468: Improve Compiler loops + - JDK-8316976: Improve signature handling + - JDK-8317547: Enhance TLS connection support +* Other changes + - JDK-6445283: ProgressMonitorInputStream not large file aware (>2GB) + - JDK-8041447: Test javax/swing/dnd/7171812/bug7171812.java fails with java.lang.RuntimeException: Test failed, scroll on drag doesn't work + - JDK-8061729: Update java/net tests to eliminate dependency on sun.net.www.MessageHeader and some other internal APIs + - JDK-8161536: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with ProviderException + - JDK-8168469: Memory leak in JceSecurity + - JDK-8176567: nsk/jdi/ReferenceType/instances/instances002: TestFailure: Unexpected size of referenceType.instances(nsk.share.jdi.TestInterfaceImplementer1): 11, expected: 10 + - JDK-8193543: Regression automated test '/open/test/jdk/java/awt/TrayIcon/SystemTrayInstance/SystemTrayInstanceTest.java' fails + - JDK-8198668: MemoryPoolMBean/isUsageThresholdExceeded/isexceeded001/TestDescription.java still failing + - JDK-8202790: DnD test DisposeFrameOnDragTest.java does not clean up + - JDK-8202931: [macos] java/awt/Choice/ChoicePopupLocation/ChoicePopupLocation.java fails + - JDK-8207166: jdk/jshell/JdiHangingLaunchExecutionControlTest.java - launch timeout + - JDK-8225313: serviceability/jvmti/HeapMonitor/MyPackage/HeapMonitorStatObjectCorrectnessTest.java failed with Unexpected high difference percentage + - JDK-8228990: JFR: TestNetworkUtilizationEvent.java expects 2+ Network interfaces on Linux but finding 1 + - JDK-8232839: JDI AfterThreadDeathTest.java failed due to "FAILED: Did not get expected IllegalThreadStateException on a StepRequest.enable()" + - JDK-8232933: Javac inferred type does not conform to equality constraint + - JDK-8239801: [macos] java/awt/Focus/UnaccessibleChoice/AccessibleChoiceTest.java fails + - JDK-8244289: fatal error: Possible safepoint reached by thread that does not allow it + - JDK-8247351: [aarch64] NullPointerException during stack walking (clhsdb "where -a") + - JDK-8249826: 5 javax/net/ssl/SSLEngine tests use @ignore w/o bug-id + - JDK-8258951: java/net/httpclient/HandshakeFailureTest.java failed with "RuntimeException: Not found expected SSLHandshakeException in java.io.IOException" + - JDK-8262186: Call X509KeyManager.chooseClientAlias once for all key types + - JDK-8262901: [macos_aarch64] NativeCallTest expected:<-3.8194101E18> but was:<3.02668882E10> + - JDK-8265586: [windows] last button is not shown in AWT Frame with BorderLayout and MenuBar set. + - JDK-8266593: vmTestbase/nsk/jvmti/PopFrame/popframe011 fails with "assert(java_thread == _state->get_thread()) failed: Must be" + - JDK-8268433: serviceability/dcmd/framework/VMVersionTest.java fails with Unable to send object throw not established PipeIO Listener Thread connection + - JDK-8268916: Tests for AffirmTrust roots + - JDK-8269425: 2 jdk/jfr/api/consumer/streaming tests failed to attach + - JDK-8270199: Most SA tests are skipped on macosx-aarch64 because all executables are signed + - JDK-8270447: [IR Framework] Add missing compilation level restriction when using FlipC1C2 stress option + - JDK-8271073: Improve testing with VM option VerifyArchivedFields + - JDK-8271566: DSA signature length value is not accurate in P11Signature + - JDK-8271824: mark hotspot runtime/CompressedOops tests which ignore external VM flags + - JDK-8271826: mark hotspot runtime/condy tests which ignore external VM flags + - JDK-8271828: mark hotspot runtime/classFileParserBug tests which ignore external VM flags + - JDK-8271829: mark hotspot runtime/Throwable tests which ignore external VM flags + - JDK-8271886: mark hotspot runtime/InvocationTests tests which ignore external VM flags + - JDK-8271887: mark hotspot runtime/CDSCompressedKPtrs tests which ignore external VM flags + - JDK-8271890: mark hotspot runtime/Dictionary tests which ignore external VM flags + - JDK-8271891: mark hotspot runtime/Safepoint tests which ignore external VM flags + - JDK-8271892: mark hotspot runtime/PrintStringTableStats/PrintStringTableStatsTest.java test as ignoring external VM flags + - JDK-8271893: mark hotspot runtime/PerfMemDestroy/PerfMemDestroy.java test as ignoring external VM flags + - JDK-8271904: mark hotspot runtime/ClassFile tests which ignore external VM flags + - JDK-8271905: mark hotspot runtime/Metaspace tests which ignore external VM flags + - JDK-8272099: mark hotspot runtime/Monitor tests which ignore external VM flags + - JDK-8272291: mark hotspot runtime/logging tests which ignore external VM flags + - JDK-8272551: mark hotspot runtime/modules tests which ignore external VM flags + - JDK-8272552: mark hotspot runtime/cds tests which ignore external VM flags + - JDK-8272998: ImageIO.read() throws incorrect exception type + - JDK-8273456: Do not hold ttyLock around stack walking + - JDK-8273522: Rename test property vm.cds.archived.java.heap to vm.cds.write.archived.java.heap + - JDK-8273629: compiler/uncommontrap/TestDeoptOOM.java fails with release VMs + - JDK-8273831: PrintServiceLookup spawns 2 threads in the current classloader, getting orphaned + - JDK-8273921: Refactor NSK/JDI tests to create thread using factory + - JDK-8274211: Test man page that options are documented + - JDK-8274345: make build-test-lib is broken + - JDK-8275329: ZGC: vmTestbase/gc/gctests/SoftReference/soft004/soft004.java fails with assert(_phases->length() <= 1000) failed: Too many recored phases? + - JDK-8275333: Print count in "Too many recored phases?" assert + - JDK-8275440: Remove VirtualSpaceList::is_full() + - JDK-8275509: ModuleDescriptor.hashCode isn't reproducible across builds + - JDK-8276036: The value of full_count in the message of insufficient codecache is wrong + - JDK-8276054: JMH benchmarks for Fences + - JDK-8276711: compiler/codecache/cli tests failing when SegmentedCodeCache used with -Xint + - JDK-8276819: javax/print/PrintServiceLookup/FlushCustomClassLoader.java fails to free + - JDK-8277307: Pre shared key sent under both session_ticket and pre_shared_key extensions + - JDK-8279856: Parallel: Use PreservedMarks to record promotion-failed objects + - JDK-8281015: Further simplify NMT backend + - JDK-8281149: (fs) java/nio/file/FileStore/Basic.java fails with java.lang.RuntimeException: values differ by more than 1GB + - JDK-8281874: Can't unpack msi installers from test/jdk/tools/jpackage/windows/test/jdk/tools/jpackage/windows/WinShortcutPromptTest.java test + - JDK-8282011: test/jdk/tools/jpackage/windows/WinL10nTest.java test fails if light.exe is not in %PATH% + - JDK-8282017: sun/net/www/protocol/https/HttpsURLConnection/B6216082.java fails with "SocketException: Unexpected end of file from server" + - JDK-8283670: gtest os.release_multi_mappings_vm is still racy + - JDK-8284047: Harmonize/Standardize the SSLSocket/SSLEngine/SSLSocketSSLEngine test templates + - JDK-8285516: clearPassword should be called in a finally try block + - JDK-8285785: CheckCleanerBound test fails with PasswordCallback object is not released + - JDK-8285867: Convert applet manual tests SelectionVisible.java to Frame and automate + - JDK-8286430: make test TEST="gtest:" exits with error when it shouldn't + - JDK-8286473: Drop --enable-preview from Record related tests + - JDK-8286474: Drop --enable-preview from Sealed Classes related tests + - JDK-8286475: Drop --enable-preview from instanceof pattern matching related tests + - JDK-8286969: Add a new test library API to execute kinit in SecurityTools.java + - JDK-8287596: Reorg jdk.test.lib.util.ForceGC + - JDK-8287671: Adjust ForceGC to invoke System::gc fewer times for negative case + - JDK-8287867: Bad merge of jdk/test/lib/util/ForceGC.java causing test compilation error + - JDK-8288325: [windows] Actual and Preferred Size of AWT Non-resizable frame are different + - JDK-8288961: jpackage: test MSI installation fix + - JDK-8288993: Make AwtFramePackTest generic by removing @requires tag + - JDK-8289584: (fs) Print size values in java/nio/file/FileStore/Basic.java when they differ by > 1GiB + - JDK-8289745: JfrStructCopyFailed uses heap words instead of bytes for object sizes + - JDK-8290909: MemoryPoolMBean/isUsageThresholdExceeded tests failed with "isUsageThresholdExceeded() returned false, and is still false, while threshold = MMMMMMM and used peak = NNNNNNN" + - JDK-8291154: Create a non static nested class without enclosing class throws VerifyError + - JDK-8291550: RISC-V: jdk uses misaligned memory access when AvoidUnalignedAccess enabled + - JDK-8291911: java/io/File/GetXSpace.java fails with "53687091200 != 161051996160" + - JDK-8292067: Convert test/sun/management/jmxremote/bootstrap shell tests to java version + - JDK-8292072: NMT: repurpose Tracking overhead counter as global malloc counter + - JDK-8292261: adjust timeouts in JLI GetObjectSizeIntrinsicsTest.java + - JDK-8292381: java/net/httpclient/SpecialHeadersTest.java fails with "ERROR: Shutting down connection: HTTP/2 client stopped" + - JDK-8292636: (dc) Problem listing of java/nio/channels/DatagramChannel/Unref.java has incorrect issue ID + - JDK-8292717: Clean up checking of testing requirements in configure + - JDK-8293156: Dcmd VM.classloaders fails to print the full hierarchy + - JDK-8293335: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1failed with "Agent communication error: java.io.EOFException" + - JDK-8293343: sun/management/jmxremote/bootstrap/RmiSslNoKeyStoreTest.java failed with "Agent communication error: java.io.EOFException" + - JDK-8293563: [macos-aarch64] SA core file tests failing with sun.jvm.hotspot.oops.UnknownOopException + - JDK-8293579: tools/jpackage/share/jdk/jpackage/tests/UnicodeArgsTest.java fails on Japanese Windows platform + - JDK-8294402: Add diagnostic logging to VMProps.checkDockerSupport + - JDK-8294427: Check boxes and radio buttons have rendering issues on Windows in High DPI env + - JDK-8294881: test/hotspot/jtreg/vmTestbase/nsk/jdi/VirtualMachine/dispose/dispose003/TestDescription.java fails + - JDK-8295229: Try to verify gtest version + - JDK-8295424: adjust timeout for another JLI GetObjectSizeIntrinsicsTest.java subtest + - JDK-8296275: Write a test to verify setAccelerator method of JMenuItem + - JDK-8296437: NMT incurs costs if disabled + - JDK-8296821: compiler/jvmci/jdk.vm.ci.code.test/src/jdk/vm/ci/code/test/NativeCallTest.java fails after JDK-8262901 + - JDK-8297142: jdk/jfr/event/runtime/TestShutdown.java fails on Linux ppc64le and Linux aarch64 + - JDK-8297296: java/awt/Mouse/EnterExitEvents/DragWindowTest.java fails with "No MouseReleased event on label!" + - JDK-8297367: disable TestRedirectLinks.java in slowdebug mode + - JDK-8297640: Increase buffer size for buf (insert_features_names) in Abstract_VM_Version::insert_features_names + - JDK-8297798: Timeout with DTLSOverDatagram test template + - JDK-8297958: NMT: Display peak values + - JDK-8298298: NMT: count deltas are printed with 32-bit signed size + - JDK-8298619: java/io/File/GetXSpace.java is failing + - JDK-8298735: Some tools/jpackage/windows/* tests fails with jtreg test timeout + - JDK-8298867: Basics.java fails with SSL handshake exception + - JDK-8298868: Update EngineCloseOnAlert.java for changes to TLS implementation + - JDK-8298869: Update ConnectionTest.java for changes to TLS implementation + - JDK-8298872: Update CheckStatus.java for changes to TLS implementation + - JDK-8298873: Update IllegalRecordVersion.java for changes to TLS implementation + - JDK-8298874: Update TestAllSuites.java for TLS v1.2 and 1.3 + - JDK-8298905: Test "java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java" fails because the frames of instruction does not display + - JDK-8299075: TestStringDeduplicationInterned.java fails because extra deduplication + - JDK-8299207: [Testbug] Add back test/jdk/java/awt/Graphics2D/DrawPrimitivesTest.java + - JDK-8299241: jdk/jfr/api/consumer/streaming/TestJVMCrash.java generates unnecessary core file + - JDK-8299255: Unexpected round errors in FreetypeFontScaler + - JDK-8299677: Formatter.format might take a long time to format an integer or floating-point + - JDK-8299748: java/util/zip/Deinflate.java failing on s390x + - JDK-8300259: Add test coverage for processing of pending block files in signed JARs + - JDK-8300272: Improve readability of the test JarWithOneNonDisabledDigestAlg + - JDK-8300727: java/awt/List/ListGarbageCollectionTest/AwtListGarbageCollectionTest.java failed with "List wasn't garbage collected" + - JDK-8300997: Add curl support to createJMHBundle.sh + - JDK-8301065: Handle control characters in java_lang_String::print + - JDK-8301189: validate-source fails after JDK-8298873 + - JDK-8301247: JPackage app-image exe launches multiple exe's in JDK 17+ + - JDK-8301377: adjust timeout for JLI GetObjectSizeIntrinsicsTest.java subtest again + - JDK-8301455: comments in TestTypeAnnotations still refer to resolved JDK-8068737 + - JDK-8301457: Code in SendPortZero.java is uncommented even after JDK-8236852 was fixed + - JDK-8301489: C1: ShortLoopOptimizer might lift instructions before their inputs + - JDK-8301570: Test runtime/jni/nativeStack/ needs to detach the native thread + - JDK-8301701: java/net/DatagramSocket/DatagramSocketMulticasting.java should be hardened + - JDK-8302017: Allocate BadPaddingException only if it will be thrown + - JDK-8302109: Trivial fixes to btree tests + - JDK-8302525: Write a test to check various components send Events while mouse and key are used simultaneously + - JDK-8302607: increase timeout for ContinuousCallSiteTargetChange.java + - JDK-8303607: SunMSCAPI provider leaks memory and keys + - JDK-8303922: build-test-lib target is broken + - JDK-8304174: Remove delays from httpserver tests + - JDK-8304954: SegmentedCodeCache fails when using large pages + - JDK-8305502: adjust timeouts in three more M&M tests + - JDK-8305505: NPE in javazic compiler + - JDK-8305646: compile error on Alpine with gcc12 after 8298619 in libGetXSpace.c + - JDK-8306280: Open source several choice AWT tests + - JDK-8307123: Fix deprecation warnings in DPrinter + - JDK-8307311: Timeouts on one macOS 12.6.1 host of two Swing JTableHeader tests + - JDK-8307403: java/util/zip/DeInflate.java timed out + - JDK-8307732: build-test-lib is broken + - JDK-8308047: java/util/concurrent/ScheduledThreadPoolExecutor/BasicCancelTest.java timed out and also had jcmd pipe errors + - JDK-8308103: Massive (up to ~30x) increase in C2 compilation time since JDK 17 + - JDK-8308116: jdk.test.lib.compiler.InMemoryJavaCompiler.compile does not close files + - JDK-8308223: failure handler missed jcmd.vm.info command + - JDK-8308592: Framework for CA interoperability testing + - JDK-8308593: Add KEEPALIVE Extended Socket Options Support for Windows + - JDK-8308910: Allow executeAndLog to accept running process + - JDK-8309032: jpackage does not work for module projects unless --module-path is specified + - JDK-8309104: [JVMCI] compiler/unsafe/UnsafeGetStableArrayElement test asserts wrong values with Graal + - JDK-8309216: Cast from jchar* to char* in test java/io/GetXSpace.java + - JDK-8309258: RISC-V: Add riscv_hwprobe syscall + - JDK-8309502: RISC-V: String.indexOf intrinsic may produce misaligned memory loads + - JDK-8309778: java/nio/file/Files/CopyAndMove.java fails when using second test directory + - JDK-8309974: some JVMCI tests fail when VM options include -XX:+EnableJVMCI + - JDK-8310233: Fix THP detection on Linux + - JDK-8310265: (process) jspawnhelper should not use argv[0] + - JDK-8310268: RISC-V: misaligned memory access in String.Compare intrinsic + - JDK-8310321: make JDKOPT_CHECK_CODESIGN_PARAMS more verbose + - JDK-8310656: RISC-V: __builtin___clear_cache can fail silently. + - JDK-8310687: JDK-8303215 is incomplete + - JDK-8311511: Improve description of NativeLibrary JFR event + - JDK-8311514: Incorrect regex in TestMetaSpaceLog.java + - JDK-8311585: Add JRadioButtonMenuItem to bug8031573.java + - JDK-8311592: ECKeySizeParameterSpec causes too many exceptions on third party providers + - JDK-8311631: When multiple users run tools/jpackage/share/LicenseTest.java, Permission denied for writing /var/tmp/*.files + - JDK-8311813: C1: Uninitialized PhiResolver::_loop field + - JDK-8312065: Socket.connect does not timeout when profiling + - JDK-8312078: [PPC] JcmdScale.java Failing on AIX + - JDK-8312126: NullPointerException in CertStore.getCRLs after 8297955 + - JDK-8312182: THPs cause huge RSS due to thread start timing issue + - JDK-8312394: [linux] SIGSEGV if kernel was built without hugepage support + - JDK-8312395: Improve assertions in growableArray + - JDK-8312440: assert(cast != nullptr) failed: must have added a cast to pin the node + - JDK-8312467: relax the builddir check in make/autoconf/basic.m4 + - JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar + - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException + - JDK-8312573: Failure during CompileOnly parsing leads to ShouldNotReachHere + - JDK-8312585: Rename DisableTHPStackMitigation flag to THPStackMitigation + - JDK-8312592: New parentheses warnings after HarfBuzz 7.2.0 update + - JDK-8312612: handle WideCharToMultiByte return values + - JDK-8312620: WSL Linux build crashes after JDK-8310233 + - JDK-8312625: Test serviceability/dcmd/vm/TrimLibcHeapTest.java failed: RSS use increased + - JDK-8312909: C1 should not inline through interface calls with non-subtype receiver + - JDK-8312974: Bump update version for OpenJDK: jdk-17.0.10 + - JDK-8313164: src/java.desktop/windows/native/libawt/windows/awt_Robot.cpp GetRGBPixels adjust releasing of resources + - JDK-8313252: Java_sun_awt_windows_ThemeReader_paintBackground release resources in early returns + - JDK-8313322: RISC-V: implement MD5 intrinsic + - JDK-8313626: C2 crash due to unexpected exception control flow + - JDK-8313657: com.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors + - JDK-8313691: use close after failing os::fdopen in vmError and ciEnv + - JDK-8313779: RISC-V: use andn / orn in the MD5 instrinsic + - JDK-8313781: Add regression tests for large page logging and user-facing error messages + - JDK-8313782: Add user-facing warning if THPs are enabled but cannot be used + - JDK-8313792: Verify 4th party information in src/jdk.internal.le/share/legal/jline.md + - JDK-8314024: SIGSEGV in PhaseIdealLoop::build_loop_late_post_work due to bad immediate dominator info + - JDK-8314045: ArithmeticException in GaloisCounterMode + - JDK-8314063: The socket is not closed in Connection::createSocket when the handshake failed for LDAP connection + - JDK-8314094: java/lang/ProcessHandle/InfoTest.java fails on Windows when run as user with Administrator privileges + - JDK-8314121: test tools/jpackage/share/RuntimePackageTest.java#id0 fails on RHEL8 + - JDK-8314139: TEST_BUG: runtime/os/THPsInThreadStackPreventionTest.java could fail on machine with large number of cores + - JDK-8314144: gc/g1/ihop/TestIHOPStatic.java fails due to extra concurrent mark with -Xcomp + - JDK-8314242: Update applications/scimark/Scimark.java to accept VM flags + - JDK-8314263: Signed jars triggering Logger finder recursion and StackOverflowError + - JDK-8314495: Update to use jtreg 7.3.1 + - JDK-8314679: SA fails to properly attach to JVM after having just detached from a different JVM + - JDK-8314883: Java_java_util_prefs_FileSystemPreferences_lockFile0 write result errno in missing case + - JDK-8315020: The macro definition for LoongArch64 zero build is not accurate. + - JDK-8315062: [GHA] get-bootjdk action should return the abolute path + - JDK-8315195: RISC-V: Update hwprobe query for new extensions + - JDK-8315206: RISC-V: hwprobe query is_set return wrong value + - JDK-8315214: Do not run sun/tools/jhsdb tests concurrently + - JDK-8315377: C2: assert(u->find_out_with(Op_AddP) == nullptr) failed: more than 2 chained AddP nodes? + - JDK-8315415: OutputAnalyzer.shouldMatchByLine() fails in some cases + - JDK-8315499: build using devkit on Linux ppc64le RHEL puts path to devkit into libsplashscreen + - JDK-8315549: CITime misreports code/total nmethod sizes + - JDK-8315606: Open source few swing text/html tests + - JDK-8315644: increase timeout of sun/security/tools/jarsigner/Warning.java + - JDK-8315683: Parallelize java/util/concurrent/tck/JSR166TestCase.java + - JDK-8315692: Parallelize gc/stress/TestStressRSetCoarsening.java test + - JDK-8315696: SignedLoggerFinderTest.java test failed + - JDK-8315751: RandomTestBsi1999 fails often with timeouts on Linux ppc64le + - JDK-8315766: Parallelize gc/stress/TestStressIHOPMultiThread.java test + - JDK-8315770: serviceability/sa/TestJmapCoreMetaspace.java should run with -XX:-VerifyDependencies + - JDK-8315863: [GHA] Update checkout action to use v4 + - JDK-8315937: Enable parallelism in vmTestbase/nsk/stress/numeric tests + - JDK-8316087: Test SignedLoggerFinderTest.java is still failing + - JDK-8316178: Better diagnostic header for CodeBlobs + - JDK-8316206: Test StretchedFontTest.java fails for Baekmuk font + - JDK-8316461: Fix: make test outputs TEST SUCCESS after unsuccessful exit + - JDK-8316514: Better diagnostic header for VtableStub + - JDK-8316566: RISC-V: Zero extended narrow oop passed to Atomic::cmpxchg + - JDK-8316645: RISC-V: Remove dependency on libatomic by adding cmpxchg 1b + - JDK-8316710: Exclude java/awt/font/Rotate/RotatedTextTest.java + - JDK-8316743: RISC-V: Change UseVectorizedMismatchIntrinsic option result to warning + - JDK-8316746: Top of lock-stack does not match the unlocked object + - JDK-8316778: test hprof lib: invalid array element type from JavaValueArray.elementSize + - JDK-8316859: RISC-V: Disable detection of V through HWCAP + - JDK-8316906: Clarify TLABWasteTargetPercent flag + - JDK-8317121: vector_masked_load instruction is moved too early after JDK-8286941 + - JDK-8317327: Remove JT_JAVA dead code in jib-profiles.js + - JDK-8317373: Add Telia Root CA v2 + - JDK-8317374: Add Let's Encrypt ISRG Root X2 + - JDK-8317705: ProblemList sun/tools/jstat/jstatLineCountsX.sh on linux-ppc64le and aix due to JDK-8248691 + - JDK-8317706: Exclude java/awt/Graphics2D/DrawString/RotTransText.java on linux + - JDK-8317772: NMT: Make peak values available in release builds + - JDK-8317834: java/lang/Thread/IsAlive.java timed out + - JDK-8317920: JDWP-agent sends broken exception event with onthrow option + - JDK-8317967: Enhance test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java to handle default cases + - JDK-8318669: Target OS detection in 'test-prebuilt' makefile target is incorrect when running on MSYS2 + - JDK-8318705: [macos] ProblemList java/rmi/registry/multipleRegistries/MultipleRegistries.java + - JDK-8318759: Add four DigiCert root certificates + - JDK-8318855: Extra file added by mistake during the backport of JDK-8283326 + - JDK-8318889: C2: add bailout after assert Bad graph detected in build_loop_late + - JDK-8318953: RISC-V: Small refactoring for MacroAssembler::test_bit + - JDK-8319184: RISC-V: improve MD5 intrinsic + - JDK-8319187: Add three eMudhra emSign roots + - JDK-8319525: RISC-V: Rename *_riscv64.ad files to *_riscv.ad under riscv/gc + - JDK-8319958: test/jdk/java/io/File/libGetXSpace.c does not compile on Windows 32-bit + - JDK-8320053: GHA: Cross-compile gtest code + - JDK-8320209: VectorMaskGen clobbers rflags on x86_64 + - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly + - JDK-8320601: ProblemList java/lang/invoke/lambda/LambdaFileEncodingSerialization.java on linux-all + - JDK-8323422: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.10 + +Notes on individual issues: +=========================== + +core-libs/java.net: + +JDK-8308593: Add KEEPALIVE Extended Socket Options Support for Windows +====================================================================== +On Windows 10 version 1709 and above, TCP_KEEPIDLE and +TCP_KEEPINTERVAL are now supported in the +java.net.ExtendedSocketOptions class. Similarly, on Windows 10 +version 1703 and above, TCP_KEEPCOUNT is now supported. + +security-libs/javax.net.ssl: + +JDK-8262186: Call `X509KeyManager.chooseClientAlias` Once for All Key Types +=========================================================================== +The (D)TLS implementation in OpenJDK now makes only one call to the +X509Keymanager.chooseClientAlias method during handshaking for client +authentication, regardless of how many algorithms are requested. + +hotspot/runtime: + +JDK-8317772: NMT: Make peak values available in release builds +============================================================== +The peak value is the highest value for committed memory in a given +Native Memory Tracking (NMT) category over the lifetime of the JVM +process. NMT reports will now show the peak value for all categories. + +If the committed memory for a category is at its peak, NMT will +print "at peak". Otherwise, it prints the peak value. + +For example, "Compiler (arena=196KB #4) (peak=6126KB #16)" shows that +compiler arena memory peaked above 6 MB, but now hovers around 200KB. + +JDK-8313782: Add user-facing warning if THPs are enabled but cannot be used +=========================================================================== +On Linux, the JVM will now print the following message to standard +output if Transparent Huge Pages (THPs) are requested, but are not +supported on the operating system: + +"UseTransparentHugePages disabled; transparent huge pages are not +supported by the operating system." + +security-libs/java.security: + +JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar +=============================================================================================================================== +A maximum signature file size property, jdk.jar.maxSignatureFileSize, +was introduced in the 17.0.8 release of OpenJDK by JDK-8300596, with +a default of 8MB. This default proved to be too small for some JAR +files. This release, 17.0.10, increases it to 16MB. + +JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt +================================================================= +The following root certificate has been added to the cacerts +truststore: + +Name: Let's Encrypt +Alias Name: letsencryptisrgx2 +Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US + +JDK-8318759: Added Four Root Certificates from DigiCert, Inc. +============================================================= +The following root certificates have been added to the cacerts +truststore: + +Name: DigiCert, Inc. +Alias Name: digicertcseccrootg5 +Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicertcsrsarootg5 +Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicerttlseccrootg5 +Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicerttlsrsarootg5 +Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US + +JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited +============================================================================ +The following root certificates have been added to the cacerts +truststore: + +Name: eMudhra Technologies Limited +Alias Name: emsignrootcag1 +Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +Name: eMudhra Technologies Limited +Alias Name: emsigneccrootcag3 +Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +Name: eMudhra Technologies Limited +Alias Name: emsignrootcag2 +Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +JDK-8317373: Added Telia Root CA v2 Certificate +=============================================== +The following root certificate has been added to the cacerts +truststore: + +Name: Telia Root CA v2 +Alias Name: teliarootcav2 +Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ``` + +New in release OpenJDK 17.0.9 (2023-10-17): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk1709 + +* CVEs + - CVE-2023-22081 + - CVE-2023-22025 +* Security fixes + - JDK-8286503, JDK-8312367: Enhance security classes + - JDK-8296581: Better system proxy support + - JDK-8297856: Improve handling of Bidi characters + - JDK-8305815, JDK-8307278: Update Libpng to 1.6.39 + - JDK-8306881, JDK-8307286: Update FreeType to 2.13.0 + - JDK-8309966: Enhanced TLS connections + - JDK-8312248: Enhanced archival support redux + - JDK-8314649: Enhanced archival support redux + - JDK-8317121: vector_masked_load instruction is moved too early after JDK-8286941 +* New features + - JDK-8276799: Implementation of JEP 422: Linux/RISC-V Port +* Other changes + - JDK-6176679: Application freezes when copying an animated gif image to the system clipboard + - JDK-6381945: (cal) Japanese calendar unit test system should avoid multiple static imports + - JDK-8040793: vmTestbase/nsk/monitoring/stress/lowmem fails on calling isCollectionUsageThresholdExceeded() + - JDK-8153837: AArch64: Handle special cases for MaxINode & MinINode + - JDK-8156889: ListKeychainStore.sh fails in some virtualized environments + - JDK-8171221: Remove -XX:+CheckMemoryInitialization + - JDK-8180266: Convert sun/security/provider/KeyStore/DKSTest.sh to Java Jtreg Test + - JDK-8195589: T6587786.java failed after JDK-8189997 + - JDK-8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE" + - JDK-8225012: sanity/client/SwingSet/src/ToolTipDemoTest.java fails on Windows + - JDK-8229147: Linux os::create_thread() overcounts guardpage size with newer glibc (>=2.27) + - JDK-8252713: jtreg time out of CtrlASCII.java seems to hang the Xserver. + - JDK-8255548: Missing coverage for javax.xml.crypto.dom.DOMCryptoContext + - JDK-8263044: jdk/jfr/jvm/TestDumpOnCrash.java timed out + - JDK-8267188: gc/stringdedup/TestStringDeduplicationInterned.java fails with Shenandoah + - JDK-8267341: macos attempt_reserve_memory_at(arg1, arg2, true) failure + - JDK-8267517: async logging for stdout and stderr + - JDK-8267860: Off-by-one bug when searching arrays in AlpnGreaseTest + - JDK-8268852: AsyncLogWriter should not overide is_Named_thread() + - JDK-8269091: javax/sound/sampled/Clip/SetPositionHang.java failed with ArrayIndexOutOfBoundsException: Array index out of range: -4 + - JDK-8269466: Factor out the common code for initializing and starting internal VM JavaThreads + - JDK-8270331: [TESTBUG] Error: Not a test or directory containing tests: java/awt/print/PrinterJob/InitToBlack.java + - JDK-8270794: Avoid loading Klass* twice in TypeArrayKlass::oop_size() + - JDK-8270894: Use acquire semantics in ObjectSynchronizer::read_stable_mark() + - JDK-8271707: migrate tests to use jdk.test.whitebox.WhiteBox + - JDK-8271898: disable os.release_multi_mappings_vm on macOS-X64 + - JDK-8272586: emit abstract machine code in hs-err logs + - JDK-8272654: Mark word accesses should not use Access API + - JDK-8273092: Sort classlist in JDK image + - JDK-8273803: Zero: Handle "zero" variant in CommandLineOptionTest.java + - JDK-8274986: max code printed in hs-err logs should be configurable + - JDK-8275031: runtime/ErrorHandling/MachCodeFramesInErrorFile.java fails when hsdis is present + - JDK-8275303: sun/java2d/pipe/InterpolationQualityTest.java fails with D3D basic render driver + - JDK-8275415: Prepare Leak Profiler for Lilliput + - JDK-8275662: remove test/lib/sun/hotspot + - JDK-8276333: jdk/jfr/event/oldobject/TestLargeRootSet.java failed "assert(!contains(edge->reference())) failed: invariant" + - JDK-8276651: java/lang/ProcessHandle tests fail with "RuntimeException: Input/output error" in java.lang.ProcessHandleImpl$Info.info0 + - JDK-8276696: ParallelObjectIterator freed at the wrong time in VM_HeapDumper + - JDK-8277102: Dubious PrintCompilation output + - JDK-8277353: java/security/MessageDigest/ThreadSafetyTest.java test times out + - JDK-8277417: C1 LIR instruction for load-klass + - JDK-8277427: Update jib-profiles.js to use JMH 1.33 devkit + - JDK-8277654: Shenandoah: Don't produce new memory state in C2 LRB runtime call + - JDK-8277860: PPC: Remove duplicate info != NULL check + - JDK-8278141: LIR_OpLoadKlass::_info shadows the field of the same name from LIR_Op + - JDK-8278456: Define jtreg jdk_desktop test group time-based sub-tasks for use by headful testing. + - JDK-8279545: Buffer overrun in reverse_words of sharedRuntime_x86_64.cpp:3517 + - JDK-8280032: Update jib-profiles.js to use JMH 1.34 devkit + - JDK-8280396: G1: Full gc mark stack draining should prefer to make work available to other threads + - JDK-8280885: Shenandoah: Some tests failed with "EA: missing allocation reference path" + - JDK-8281507: Two javac tests have bad jtreg `@clean` tags + - JDK-8281717: Cover logout method for several LoginModule + - JDK-8282404: DrawStringWithInfiniteXform.java failed with "RuntimeException: drawString with InfiniteXform transform takes long time" + - JDK-8282651: ZGC: vmTestbase/gc/ArrayJuggle/ tests fails intermittently with exit code 97 + - JDK-8282665: [REDO] ByteBufferTest.java: replace endless recursion with RuntimeException in void ck(double x, double y) + - JDK-8283056: show abstract machine code in hs-err for all VM crashes + - JDK-8283276: java/io/ObjectStreamClass/ObjectStreamClassCaching.java fails with various GCs + - JDK-8283326: Implement SafeFetch statically + - JDK-8283724: Incorrect description for jtreg-failure-handler option + - JDK-8283756: (zipfs) ZipFSOutputStreamTest.testOutputStream should only check inflated bytes + - JDK-8283865: riscv: Break down -XX:+UseRVB into seperate options for each bitmanip extension + - JDK-8283929: GHA: Add RISC-V build config + - JDK-8284068: riscv: should call Atomic::release_store in JavaThread::set_thread_state + - JDK-8284090: com/sun/security/auth/module/AllPlatforms.java fails to compile + - JDK-8284273: Early crashes in os::print_context on AArch64 + - JDK-8284760: Correct type/array element offset in LibraryCallKit::get_state_from_digest_object() + - JDK-8284772: GHA: Use GCC Major Version Dependencies Only + - JDK-8284910: Buffer clean in PasswordCallback + - JDK-8284937: riscv: should not allocate special register for temp + - JDK-8284997: arm32 build crashes since JDK-8283326 + - JDK-8285303: riscv: Incorrect register mask in call_native_base + - JDK-8285437: riscv: Fix MachNode size mismatch for MacroAssembler::verify_oops* + - JDK-8285630: Fix a configure error in RISC-V cross build + - JDK-8285675: Temporary fix for arm32 SafeFetch + - JDK-8285699: riscv: Provide information when hitting a HaltNode + - JDK-8285711: riscv: RVC: Support disassembler show-bytes option + - JDK-8285756: clean up use of bad arguments for `@clean` in langtools tests + - JDK-8285980: Several tests in compiler/c2/irTests miss @requires vm.compiler2.enabled + - JDK-8286481: Exception printed to stdout on Windows when storing transparent image in clipboard + - JDK-8286620: Create regression test for verifying setMargin() of JRadioButton + - JDK-8286623: Bundle zlib by default with JDK on macos aarch64 + - JDK-8287227: Shenandoah: A couple of virtual thread tests failed with iu mode even without Loom enabled. + - JDK-8287418: riscv: Fix correctness issue of MacroAssembler::movptr + - JDK-8287552: riscv: Fix comment typo in li64 + - JDK-8287970: riscv: jdk/incubator/vector/*VectorTests failing + - JDK-8288719: [arm32] SafeFetch32 thumb interleaving causes random crashes + - JDK-8289077: Add manual tests to open + - JDK-8289238: Refactoring changes to PassFailJFrame Test Framework + - JDK-8289510: Improve test coverage for XPath Axes: namespace + - JDK-8289512: Fix GCC 12 warnings for adlc output_c.cpp + - JDK-8289547: Update javax/swing/Popup/TaskbarPositionTest.java + - JDK-8289646: configure script failed on WSL + - JDK-8289688: jfr command hangs when it processes invalid file + - JDK-8289748: C2 compiled code crashes with SIGFPE with -XX:+StressLCM and -XX:+StressGCM + - JDK-8289797: tools/launcher/I18NArgTest.java fails on Japanese Windows environment + - JDK-8289917: Metadata for regionsRefilled of G1EvacuationStatistics event is wrong + - JDK-8290137: riscv: small refactoring for add_memory_int32/64 + - JDK-8290164: compiler/runtime/TestConstantsInError.java fails on riscv + - JDK-8290464: Optimize ResourceArea zapping on ResourceMark release + - JDK-8290469: Add new positioning options to PassFailJFrame test framework + - JDK-8290496: riscv: Fix build warnings-as-errors with GCC 11 + - JDK-8291444: GHA builds/tests won't run manually if disabled from automatic running + - JDK-8291830: jvmti/RedefineClasses/StressRedefine failed: assert(!is_null(v)) failed: narrow klass value can never be zero + - JDK-8291893: riscv: remove fence.i used in user space + - JDK-8291947: riscv: fail to build after JDK-8290840 + - JDK-8291952: riscv: Remove PRAGMA_NONNULL_IGNORED + - JDK-8292182: [TESTLIB] Enhance JAXPPolicyManager to setup required permissions for jtreg version 7 jar + - JDK-8292315: Tests should not rely on specific JAR file names (hotspot) + - JDK-8292316: Tests should not rely on specific JAR file names (jpackage) + - JDK-8292683: Remove BadKeyUsageTest.java from Problem List + - JDK-8292698: Improve performance of DataInputStream + - JDK-8292716: Configure should check that jtreg is of the required version + - JDK-8292763: JDK-8292716 breaks configure without jtreg + - JDK-8292867: RISC-V: Simplify weak CAS return value handling + - JDK-8293012: ConstantPool::print_on can crash if _cache is NULL + - JDK-8293050: RISC-V: Remove redundant non-null assertions about macro-assembler + - JDK-8293098: GHA: Harmonize GCC version handling for host and cross builds + - JDK-8293100: RISC-V: Need to save and restore callee-saved FloatRegisters in StubGenerator::generate_call_stub + - JDK-8293107: GHA: Bump to Ubuntu 22.04 + - JDK-8293114: JVM should trim the native heap + - JDK-8293166: jdk/jfr/jvm/TestDumpOnCrash.java fails on Linux ppc64le and Linux aarch64 + - JDK-8293177: Verify version numbers in legal files + - JDK-8293180: JQuery UI license file not updated + - JDK-8293252: Shenandoah: ThreadMXBean synchronizer tests crash with aggressive heuristics + - JDK-8293361: GHA: dump config.log in case of configure failure + - JDK-8293474: RISC-V: Unify the way of moving function pointer + - JDK-8293524: RISC-V: Use macro-assembler functions as appropriate + - JDK-8293566: RISC-V: Clean up push and pop registers + - JDK-8293811: Provide a reason for PassFailJFrame.forceFail + - JDK-8293851: hs_err should print more stack in hex dump + - JDK-8294012: RISC-V: get/put_native_u8 missing the case when address&7 is 6 + - JDK-8294083: RISC-V: Minimal build failed with --disable-precompiled-headers + - JDK-8294086: RISC-V: Cleanup InstructionMark usages in the backend + - JDK-8294087: RISC-V: RVC: Fix a potential alignment issue and add more alignment assertions for the patchable calls/nops + - JDK-8294149: JMH 1.34 and later requires jopt-simple 5.0.4 + - JDK-8294187: RISC-V: Unify all relocations for the backend into AbstractAssembler::relocate() + - JDK-8294366: RISC-V: Partially mark out incompressible regions + - JDK-8294430: RISC-V: Small refactoring for movptr_with_offset + - JDK-8294492: RISC-V: Use li instead of patchable movptr at non-patchable callsites + - JDK-8294679: RISC-V: Misc crash dump improvements + - JDK-8294941: GHA: Cut down cross-compilation sysroots + - JDK-8294956: GHA: qemu-debootstrap is deprecated, use the regular one + - JDK-8295110: RISC-V: Mark out relocations as incompressible + - JDK-8295213: Run GHA manually with user-specified make and configure arguments + - JDK-8295270: RISC-V: Clean up and refactoring for assembler functions + - JDK-8295396: RISC-V: Cleanup useless CompressibleRegions + - JDK-8295657: SA: Allow larger object alignments + - JDK-8295737: macOS: Print content cut off when width > height with portrait orientation + - JDK-8295811: serviceability/sa/TestObjectAlignment.java fails on x86_32 + - JDK-8295812: Skip the "half float" support in LittleCMS during the build + - JDK-8295894: Remove SECOM certificate that is expiring in September 2023 + - JDK-8295926: RISC-V: C1: Fix LIRGenerator::do_LibmIntrinsic + - JDK-8295968: RISC-V: Rename some assembler intrinsic functions for RVV 1.0 + - JDK-8296384: [TESTBUG] sun/security/provider/SecureRandom/AbstractDrbg/SpecTest.java intermittently timeout + - JDK-8296435: RISC-V: Small refactoring for increment/decrement + - JDK-8296447: RISC-V: Make the operands order of vrsub_vx/vrsub_vi consistent with RVV 1.0 spec + - JDK-8296448: RISC-V: Fix temp usages of heapbase register killed by MacroAssembler::en/decode_klass_not_null + - JDK-8296602: RISC-V: improve performance of copy_memory stub + - JDK-8296771: RISC-V: C2: assert(false) failed: bad AD file + - JDK-8296796: Provide clean, platform-agnostic interface to C-heap trimming + - JDK-8296916: RISC-V: Move some small macro-assembler functions to header file + - JDK-8297350: Update JMH devkit to 1.36 + - JDK-8297359: RISC-V: improve performance of floating Max Min intrinsics + - JDK-8297476: Increase InlineSmallCode default from 1000 to 2500 for RISC-V + - JDK-8297644: RISC-V: Compilation error when shenandoah is disabled + - JDK-8297681: Unnecessary color conversion during 4BYTE_ABGR_PRE to INT_ARGB_PRE blit + - JDK-8297697: RISC-V: Add support for SATP mode detection + - JDK-8297715: RISC-V: C2: Use single-bit instructions from the Zbs extension + - JDK-8297887: Update Siphash + - JDK-8297923: java.awt.ScrollPane broken after multiple scroll up/down + - JDK-8298138: Shenandoah: HdrSeq asserts "sub-bucket index (512) overflow for value ( 1.00)" + - JDK-8298921: Create a regression test for JDK-8139581 + - JDK-8298974: Add ftcolor.c to imported freetype sources + - JDK-8299158: Improve MD5 intrinsic on AArch64 + - JDK-8299168: RISC-V: Fix MachNode size mismatch for MacroAssembler::_verify_oops* + - JDK-8299330: Minor improvements in MSYS2 Workflow handling + - JDK-8299617: CurrencySymbols.properties is missing the copyright notice + - JDK-8299658: C1 compilation crashes in LinearScan::resolve_exception_edge + - JDK-8299713: Test javax/swing/JTableHeader/6889007/bug6889007.java failed: Wrong type of cursor + - JDK-8299827: Add resolved IP address in connection exception for sockets + - JDK-8299847: RISC-V: Improve PrintOptoAssembly output of CMoveI/L nodes + - JDK-8299962: Speed up compiler/intrinsics/unsafe/DirectByteBufferTest.java and HeapByteBufferTest.java + - JDK-8300053: Shenandoah: Handle more GCCauses in ShenandoahControlThread::request_gc + - JDK-8300098: java/util/concurrent/ConcurrentHashMap/ConcurrentAssociateTest.java fails with internal timeout when executed with TieredCompilation1/3 + - JDK-8300109: RISC-V: Improve code generation for MinI/MaxI nodes + - JDK-8300405: Screen capture for test JFileChooserSetLocationTest.java, failure case + - JDK-8300584: Accelerate AVX-512 CRC32C for small buffers + - JDK-8300659: Refactor TestMemoryAwareness to use WhiteBox api for host values + - JDK-8300693: Lower the compile threshold and reduce the iterations of warmup loop in VarHandles tests + - JDK-8301033: RISC-V: Handle special cases for MinI/MaxI nodes for Zbb + - JDK-8301036: RISC-V: Factor out functions baseOffset & baseOffset32 from MacroAssembler + - JDK-8301067: RISC-V: better error message when reporting unsupported satp modes + - JDK-8301074: Replace NULL with nullptr in share/opto/ + - JDK-8301097: Update GHA XCode to 12.5.1 + - JDK-8301153: RISC-V: pipeline class for several instructions is not set correctly + - JDK-8301167: Update VerifySignedJar to actually exercise and test verification + - JDK-8301187: Memory leaks in OopMapCache + - JDK-8301269: Update Commons BCEL to Version 6.7.0 + - JDK-8301313: RISC-V: C2: assert(false) failed: bad AD file due to missing match rule + - JDK-8301367: Add exception handler method to the BaseLdapServer + - JDK-8301628: RISC-V: c2 fix pipeline class for several instructions + - JDK-8301700: Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit + - JDK-8301818: RISC-V: Factor out function mvw from MacroAssembler + - JDK-8301852: RISC-V: Optimize class atomic when order is memory_order_relaxed + - JDK-8301959: Compile command in compiler.loopopts.TestRemoveEmptyCountedLoop does not work + - JDK-8302114: RISC-V: Several foreign jtreg tests fail with debug build after JDK-8301818 + - JDK-8302150: Speed up compiler/codegen/Test7100757.java + - JDK-8302161: Upgrade jQuery UI to version 1.13.2 + - JDK-8302182: Update Public Suffix List to 88467c9 + - JDK-8302289: RISC-V: Use bgez instruction in arraycopy_simple_check when possible + - JDK-8302736: Major performance regression in Math.log on aarch64 + - JDK-8302776: RISC-V: Fix typo CSR_INSTERT to CSR_INSTRET + - JDK-8303047: avoid NULL after 8301661 + - JDK-8303154: Investigate and improve instruction cache flushing during compilation + - JDK-8303215: Make thread stacks not use huge pages + - JDK-8303279: C2: crash in SubTypeCheckNode::sub() at IGVN split if + - JDK-8304293: RISC-V: JDK-8276799 missed atomic intrinsic support for C1 + - JDK-8304314: StackWalkTest.java fails after CODETOOLS-7903373 + - JDK-8304353: Add lib-test tier1 testing in GHA + - JDK-8304725: AsyncGetCallTrace can cause SIGBUS on M1 + - JDK-8304845: Update PCSC-Lite for Suse Linux to 1.9.9 and fix incomplete license wording + - JDK-8304976: Optimize DateTimeFormatterBuilder.ZoneTextPrinterParser.getTree() + - JDK-8305006: Use correct register in riscv_enc_fast_unlock() + - JDK-8305008: RISC-V: Factor out immediate checking functions from assembler_riscv.inline.hpp + - JDK-8305112: RISC-V: Typo fix for RVC description + - JDK-8305236: Some LoadLoad barriers in the interpreter are unnecessary after JDK-8220051 + - JDK-8305421: Work around JDK-8305420 in CDSJDITest.java + - JDK-8305425: Thread.isAlive0 doesn't need to call into the VM + - JDK-8305512: RISC-V: Enable RVC extension by default on supported hardware + - JDK-8305670: Performance regression in LockSupport.unpark with lots of idle threads + - JDK-8305728: RISC-V: Use bexti instruction to do single-bit testing + - JDK-8305763: Parsing a URI with an underscore goes through a silent exception, negatively impacting performance + - JDK-8305766: ProblemList runtime/CompressedOops/CompressedClassPointers.java + - JDK-8305858: Resolve multiple definition of 'handleSocketError' when statically linking with JDK native libraries + - JDK-8305950: Have -XshowSettings option display tzdata version + - JDK-8305995: Footprint regression from JDK-8224957 + - JDK-8306060: Open source few AWT Insets related tests + - JDK-8306076: Open source AWT misc tests + - JDK-8306134: Open source some AWT tests relating to Button and a few other classes + - JDK-8306135: Clean up and open source some AWT tests + - JDK-8306137: Open source several AWT ScrollPane related tests + - JDK-8306281: function isWsl() returns false on WSL2 + - JDK-8306372: Open source AWT CardLayout and Checkbox tests + - JDK-8306428: RunThese30M.java crashed with assert(early->flag() == current->flag() || early->flag() == mtNone) + - JDK-8306430: Open source some AWT tests related to TextComponent and Toolkit + - JDK-8306435: Juggle04/TestDescription.java should be a booleanArr test and not a byteArr one + - JDK-8306484: Open source several AWT Choice jtreg tests + - JDK-8306566: Open source several clipboard AWT tests + - JDK-8306575: Clean up and open source four Dialog related tests + - JDK-8306636: Disable compiler/c2/Test6905845.java with -XX:TieredStopAtLevel=3 + - JDK-8306638: Open source some AWT tests related to datatransfer and Toolkit + - JDK-8306667: RISC-V: Fix storeImmN0 matching rule by using zr register + - JDK-8306682: Open source a few more AWT Choice tests + - JDK-8306718: Optimize and opensource some old AWT tests + - JDK-8306738: Select num workers for safepoint ParallelCleanupTask + - JDK-8306765: Some client related jtreg problem list entries are malformed + - JDK-8306812: Open source several AWT Miscellaneous tests + - JDK-8307067: remove broken EnableThreadSMRExtraValidityChecks option + - JDK-8307068: store a JavaThread* in the java.lang.Thread object after the JavaThread* is added to the main ThreadsList + - JDK-8307078: Opensource and clean up five more AWT Focus related tests + - JDK-8307079: Update test java/awt/Choice/DragOffNoSelect.java + - JDK-8307083: Open source some drag and drop tests 3 + - JDK-8307147: [x86] Dangling pointer warning for Assembler::_attributes + - JDK-8307150: RISC-V: Remove remaining StoreLoad barrier with UseCondCardMark for Serial/Parallel GC + - JDK-8307156: native_thread not protected by TLH + - JDK-8307165: java/awt/dnd/NoFormatsDropTest/NoFormatsDropTest.java timed out + - JDK-8307299: Move more DnD tests to open + - JDK-8307301: Update HarfBuzz to 7.2.0 + - JDK-8307348: Parallelize heap walk for ObjectCount(AfterGC) JFR event collection + - JDK-8307395: Add missing STS to Shenandoah + - JDK-8307446: RISC-V: Improve performance of floating point to integer conversion + - JDK-8307526: [JFR] Better handling of tampered JFR repository + - JDK-8307555: Reduce memory reads in x86 MD5 intrinsic + - JDK-8307569: Build with gcc8 is broken after JDK-8307301 + - JDK-8307572: AArch64: Vector registers are clobbered by some macroassemblers + - JDK-8307603: [AIX] Broken build after JDK-8307301 + - JDK-8307604: gcc12 based Alpine build broken build after JDK-8307301 + - JDK-8307651: RISC-V: stringL_indexof_char instruction has wrong format string + - JDK-8307653: Adjust delay time and gc log argument in TestAbortOnVMOperationTimeout + - JDK-8307683: Loop Predication should not hoist range checks with trap on success projection by negating their condition + - JDK-8307766: Linux: Provide the option to override the timer slack + - JDK-8308089: [riscv-port-jdk17u] Intrinsify Unsafe.storeStoreFence + - JDK-8308090: Add container tests for on-the-fly resource quota updates + - JDK-8308152: PropertyDescriptor should work with overridden generic getter method + - JDK-8308156: VerifyCACerts.java misses blank in error output + - JDK-8308192: Error in parsing replay file when staticfield is an array of single dimension + - JDK-8308232: nsk/jdb tests don't pass -verbose flag to the debuggee + - JDK-8308277: RISC-V: Improve vectorization of Match.sqrt() on floats + - JDK-8308283: Build failure with GCC12 & GCC13 + - JDK-8308300: enhance exceptions in MappedMemoryUtils.c + - JDK-8308643: Incorrect value of 'used' jvmstat counter + - JDK-8308766: TLAB initialization may cause div by zero + - JDK-8308803: Improve java/util/UUID/UUIDTest.java + - JDK-8308872: enhance logging and some exception in krb5/Config.java + - JDK-8308997: RISC-V: Sign extend when comparing 32-bit value with zero instead of testing the sign bit + - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails + - JDK-8309095: Remove UTF-8 character from TaskbarPositionTest.java + - JDK-8309107: Bump update version for OpenJDK: jdk-17.0.9 + - JDK-8309119: [17u/11u] Redo JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication + - JDK-8309138: Fix container tests for jdks with symlinked conf dir + - JDK-8309228: Clarify EXPERIMENTAL flags comment in hotspot/share/runtime/globals.hpp + - JDK-8309254: Implement fast-path for ASCII-compatible CharsetEncoders on RISC-V + - JDK-8309266: C2: assert(final_con == (jlong)final_int) failed: final value should be integer + - JDK-8309297: Adjust ShenandoahHeap print_heap_regions_on + - JDK-8309340: Provide sctpHandleSocketErrorWithMessage + - JDK-8309427: [riscv-port-jdk17u] Remove unused RoundDoubleModeV C2 node + - JDK-8309550: jdk.jfr.internal.Utils::formatDataAmount method should gracefully handle amounts equal to Long.MIN_VALUE + - JDK-8309591: Socket.setOption(TCP_QUICKACK) uses wrong level + - JDK-8309613: [Windows] hs_err files sometimes miss information about the code containing the error + - JDK-8309746: Reconfigure check should include make/conf/version-numbers.conf + - JDK-8309862: Unsafe list operations in JfrStringPool + - JDK-8309956: Shenandoah: Strengthen the mark word check in string dedup + - JDK-8309959: JFR: Display N/A for missing data amount + - JDK-8310054: ScrollPane insets are incorrect + - JDK-8310126: C1: Missing receiver null check in Reference::get intrinsic + - JDK-8310259: Pin msys2/setup-msys2 github action to a specific commit + - JDK-8310549: avoid potential leaks in KeystoreImpl.m related to JNU_CHECK_EXCEPTION early returns + - JDK-8310551: vmTestbase/nsk/jdb/interrupt/interrupt001/interrupt001.java timed out due to missing prompt + - JDK-8310873: Re-enable locked_create_entry symbol check in runtime/NMT/CheckForProperDetailStackTrace.java for RISC-V + - JDK-8311033: [macos] PrinterJob does not take into account Sides attribute + - JDK-8311249: Remove unused MemAllocator::obj_memory_range + - JDK-8311285: report some fontconfig related environment variables in hs_err file + - JDK-8311689: Wrong visible amount in Adjustable of ScrollPane + - JDK-8311862: RISC-V: small improvements to shift immediate instructions + - JDK-8311923: TestIRMatching.java fails on RISC-V + - JDK-8312029: Add CriticalNative tests to ProblemList for 8312028 + - JDK-8312511: GHA: Bump cross-compile runner to Ubuntu 22.04 + - JDK-8312525: New test runtime/os/TestTrimNative.java#trimNative is failing: did not see the expected RSS reduction + - JDK-8312555: Ideographic characters aren't stretched by AffineTransform.scale(2, 1) + - JDK-8313262: C2: Sinking node may cause required cast to be dropped + - JDK-8313402: C1: Incorrect LoadIndexed value numbering + - JDK-8313428: GHA: Bump GCC versions for July 2023 updates + - JDK-8313576: GCC 7 reports compiler warning in bundled freetype 2.13.0 + - JDK-8313676: Amend TestLoadIndexedMismatch test to target intrinsic directly + - JDK-8313678: SymbolTable can leak Symbols during cleanup + - JDK-8313701: GHA: RISC-V should use the official repository for bootstrap + - JDK-8313707: GHA: Bootstrap sysroots with --variant=minbase + - JDK-8313796: AsyncGetCallTrace crash on unreadable interpreter method pointer + - JDK-8313815: The exception messages printed by jcmd ManagementAgent.start are corrupted on Japanese Windows + - JDK-8313874: JNI NewWeakGlobalRef throws exception for null arg + - JDK-8314020: Print instruction blocks in byte units + - JDK-8314117: RISC-V: Incorrect VMReg encoding in RISCV64Frame.java + - JDK-8314118: Update JMH devkit to 1.37 + - JDK-8314262: GHA: Cut down cross-compilation sysroots deeper + - JDK-8314426: runtime/os/TestTrimNative.java is failing on slow machines + - JDK-8314501: Shenandoah: sun/tools/jhsdb/heapconfig/JMapHeapConfigTest.java fails + - JDK-8314517: some tests fail in case ipv6 is disabled on the machine + - JDK-8314552: Fix javadoc tests to work with jtreg 7 + - JDK-8314658: [17u] GHA: Sync up debian-version for cross-builds + - JDK-8314730: GHA: Drop libfreetype6-dev transitional package in favor of libfreetype-dev + - JDK-8314960: Add Certigna Root CA - 2 + - JDK-8317040: Exclude cleaner test failing on older releases + - JDK-8317643: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.9 + +Notes on individual issues: +=========================== + +hotspot/compiler: + +JDK-8276799: Implementation of JEP 422: Linux/RISC-V Port +========================================================= +https://openjdk.org/jeps/422 + +RISC-V is a free and open-source RISC instruction set architecture +(ISA) designed originally at the University of California, Berkeley, +and now developed collaboratively under the sponsorship of RISC-V +International. It is already supported by a wide range of language +toolchains. With the increasing availability of RISC-V hardware, the +JDK port has been backported to 17u, following introduction in 19. + +security-libs/javax.net.ssl: + +JDK-8301700: The Default TLS Diffie-Hellman Group Size Has Been Increased from 1024-bit to 2048-bit +=================================================================================================== +The JDK implementation of TLS 1.2 now uses a default Diffie Hellman +keysize of 2048 bits when a TLS_DHE cipher suite is negotiated and +either the client or server does not support FFDHE. + +The JDK TLS implementation supports FFDHE, which can negotiate a +stronger keysize, and this is enabled by default. + +As a workaround, users can revert to the previous key size by setting +the `jdk.tls.ephemeralDHKeySize` system property to 1024 (at their own +risk). + +This change does not affect TLS 1.3 as the minimum DH group size is +already 2048 bits. + +tools/launcher: + +JDK-8305950: `-XshowSettings:locale` Output Now Includes Tzdata Version +======================================================================= +The `-XshowSettings` launcher option has been enhanced to print the +tzdata version used by the JDK. The tzdata version is displayed as +part of the `locale` showSettings option. + +Example output using `-X:showSettings:locale`: + +Locale settings: + default locale = English + default display locale = English + default format locale = English + tzdata version = 2023c + +security-libs/java.security: + +JDK-8295894: Removed SECOM Trust System's RootCA1 Root Certificate +================================================================== +The following root certificate from SECOM Trust System has been +removed from the `cacerts` keystore: + +Alias Name: secomscrootca1 [jdk] +Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP + +JDK-8314960: Added Certigna Root CA Certificate +=============================================== +The following root certificate has been added to the cacerts +truststore: + +Name: Certigna (Dhimyotis) +Alias Name: certignarootca +Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR + +New in release OpenJDK 17.0.8.1 (2023-08-24): +============================================= +Live versions of these release notes can be found at: + * https://bit.ly/openjdk17081 + +* Other changes + - JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) + - JDK-8314677: Bump update version for OpenJDK: jdk-17.0.8.1 + +Notes on individual issues: +=========================== + +core-libs/java.util.jar: + +JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) +===================================================================== +Additional validity checks in the handling of Zip64 files, +JDK-8302483, were introduced in the 11.0.20 release of OpenJDK, +causing the use of some valid zip files to now fail with an +error. This release, 11.0.20.1, allows for zero length headers and +additional padding produced by some Zip64 creation tools. With both +releases, the checks can be disabled by setting the new system +property, `jdk.util.zip.disableZip64ExtraFieldValidation` to `true`. + +Notes on individual issues: +=========================== + +core-libs/java.util.jar: + +JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) +===================================================================== +Additional validity checks in the handling of Zip64 files, +JDK-8302483, introduced in 17.0.8, caused the use of some valid zip +files to now fail with the error, `Invalid CEN header (invalid zip64 +extra data field size)` + +This release, 17.0.8.1, allows for zero length headers and additional +padding produced by some Zip64 creation tools. + +The following third party tools have also released patches to better +adhere to the ZIP File Format Specification: + +* Apache Commons Compress fix for Empty CEN Zip64 Extra Headers fixed in Commons Compress release 1.11 +* Apache Ant fix for Empty CEN Zip64 Extra Headers fixed in Ant 1.10.14 +* BND issue with writing invalid Extra Headers fixed in BND 5.3 + +The maven-bundle-plugin 5.1.5 includes the BND 5.3 patch. + +If these improved validation checks cause issues for deployed zip or +jar files, check how the file was created and whether patches are +available from the generating software to resolve the issue. With +both JDK releases, the checks can be disabled by setting the new +system property, `jdk.util.zip.disableZip64ExtraFieldValidation` to +`true`. + +New in release OpenJDK 17.0.8 (2023-07-18): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk1708 + +* CVEs + - CVE-2023-22006 + - CVE-2023-22036 + - CVE-2023-22041 + - CVE-2023-22044 + - CVE-2023-22045 + - CVE-2023-22049 + - CVE-2023-25193 +* Security fixes + - JDK-8294323: Improve Shared Class Data + - JDK-8296565: Enhanced archival support + - JDK-8298676, JDK-8300891: Enhanced Look and Feel + - JDK-8300285: Enhance TLS data handling + - JDK-8300596: Enhance Jar Signature validation + - JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1 + - JDK-8302475: Enhance HTTP client file downloading + - JDK-8302483: Enhance ZIP performance + - JDK-8303376: Better launching of JDI + - JDK-8304460: Improve array usages + - JDK-8304468: Better array usages + - JDK-8305312: Enhanced path handling + - JDK-8308682: Enhance AES performance +* Other changes + - JDK-8178806: Better exception logging in crypto code + - JDK-8201516: DebugNonSafepoints generates incorrect information + - JDK-8224768: Test ActalisCA.java fails + - JDK-8227060: Optimize safepoint cleanup subtask order + - JDK-8227257: javax/swing/JFileChooser/4847375/bug4847375.java fails with AssertionError + - JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel + - JDK-8244976: vmTestbase/nsk/jdi/Event/request/request001.java doesn' initialize eName + - JDK-8245877: assert(_value != __null) failed: resolving NULL _value in JvmtiExport::post_compiled_method_load + - JDK-8248001: javadoc generates invalid HTML pages whose ftp:// links are broken + - JDK-8252990: Intrinsify Unsafe.storeStoreFence + - JDK-8254711: Add java.security.Provider.getService JFR Event + - JDK-8257856: Make ClassFileVersionsTest.java robust to JDK version updates + - JDK-8261495: Shenandoah: reconsider update references memory ordering + - JDK-8268288: jdk/jfr/api/consumer/streaming/TestOutOfProcessMigration.java fails with "Error: ShouldNotReachHere()" + - JDK-8268298: jdk/jfr/api/consumer/log/TestVerbosity.java fails: unexpected log message + - JDK-8268582: javadoc throws NPE with --ignore-source-errors option + - JDK-8269821: Remove is-queue-active check in inner loop of write_ref_array_pre_work + - JDK-8270434: JDI+UT: Unexpected event in JDI tests + - JDK-8270859: Post JEP 411 refactoring: client libs with maximum covering > 10K + - JDK-8270869: G1ServiceThread may not terminate + - JDK-8271519: java/awt/event/SequencedEvent/MultipleContextsFunctionalTest.java failed with "Total [200] - Expected [400]" + - JDK-8273909: vmTestbase/nsk/jdi/Event/request/request001 can still fail with "ERROR: new event is not ThreadStartEvent" + - JDK-8274243: Implement fast-path for ASCII-compatible CharsetEncoders on aarch64 + - JDK-8274615: Support relaxed atomic add for linux-aarch64 + - JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile + - JDK-8275233: Incorrect line number reported in exception stack trace thrown from a lambda expression + - JDK-8275287: Relax memory ordering constraints on updating instance class and array class counters + - JDK-8275721: Name of UTC timezone in a locale changes depending on previous code + - JDK-8275735: [linux] Remove deprecated Metrics api (kernel memory limit) + - JDK-8276058: Some swing test fails on specific CI macos system + - JDK-8277407: javax/swing/plaf/synth/SynthButtonUI/6276188/bug6276188.java fails to compile after JDK-8276058 + - JDK-8277775: Fixup bugids in RemoveDropTargetCrashTest.java - add 4357905 + - JDK-8278146: G1: Rework VM_G1Concurrent VMOp to clearly identify it as pause + - JDK-8278434: timeouts in test java/time/test/java/time/format/TestZoneTextPrinterParser.java + - JDK-8278834: Error "Cannot read field "sym" because "this.lvar[od]" is null" when compiling + - JDK-8282077: PKCS11 provider C_sign() impl should handle CKR_BUFFER_TOO_SMALL error + - JDK-8282201: Consider removal of expiry check in VerifyCACerts.java test + - JDK-8282227: Locale information for nb is not working properly + - JDK-8282704: runtime/Thread/StopAtExit.java may leak memory + - JDK-8283057: Update GCC to version 11.2.0 for Oracle builds on Linux + - JDK-8283062: Uninitialized warnings in libgtest with GCC 11.2 + - JDK-8283520: JFR: Memory leak in dcmd_arena + - JDK-8283566: G1: Improve G1BarrierSet::enqueue performance + - JDK-8284331: Add sanity check for signal handler modification warning. + - JDK-8285635: javax/swing/JRootPane/DefaultButtonTest.java failed with Default Button not pressed for L&F: com.sun.java.swing.plaf.motif.MotifLookAndFeel + - JDK-8285987: executing shell scripts without #! fails on Alpine linux + - JDK-8286191: misc tests fail due to JDK-8285987 + - JDK-8286287: Reading file as UTF-16 causes Error which "shouldn't happen" + - JDK-8286331: jni_GetStringUTFChars() uses wrong heap allocator + - JDK-8286346: 3-parameter version of AllocateHeap should not ignore AllocFailType + - JDK-8286398: Address possibly lossy conversions in jdk.internal.le + - JDK-8287007: [cgroups] Consistently use stringStream throughout parsing code + - JDK-8287246: DSAKeyValue should check for missing params instead of relying on KeyFactory provider + - JDK-8287541: Files.writeString fails to throw IOException for charset "windows-1252" + - JDK-8287854: Dangling reference in ClassVerifier::verify_class + - JDK-8287876: The recently de-problemlisted TestTitledBorderLeak test is unstable + - JDK-8287897: Augment src/jdk.internal.le/share/legal/jline.md with information on 4th party dependencies + - JDK-8288589: Files.readString ignores encoding errors for UTF-16 + - JDK-8289509: Improve test coverage for XPath Axes: descendant, descendant-or-self, following, following-sibling + - JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space + - JDK-8289949: Improve test coverage for XPath: operators + - JDK-8290822: C2: assert in PhaseIdealLoop::do_unroll() is subject to undefined behavior + - JDK-8291226: Create Test Cases to cover scenarios for JDK-8278067 + - JDK-8291637: HttpClient default keep alive timeout not followed if server sends invalid value + - JDK-8291638: Keep-Alive timeout of 0 should close connection immediately + - JDK-8292206: TestCgroupMetrics.java fails as getMemoryUsage() is lower than expected + - JDK-8292301: [REDO v2] C2 crash when allocating array of size too large + - JDK-8292407: Improve Weak CAS VarHandle/Unsafe tests resilience under spurious failures + - JDK-8292713: Unsafe.allocateInstance should be intrinsified without UseUnalignedAccesses + - JDK-8292755: Non-default method in interface leads to a stack overflow in JShell + - JDK-8292990: Improve test coverage for XPath Axes: parent + - JDK-8293295: Add type check asserts to java_lang_ref_Reference accessors + - JDK-8293492: ShenandoahControlThread missing from hs-err log and thread dump + - JDK-8293858: Change PKCS7 code to use default SecureRandom impl instead of SHA1PRNG + - JDK-8293887: AArch64 build failure with GCC 12 due to maybe-uninitialized warning in libfdlibm k_rem_pio2.c + - JDK-8294183: AArch64: Wrong macro check in SharedRuntime::generate_deopt_blob + - JDK-8294281: Allow warnings to be disabled on a per-file basis + - JDK-8294673: JFR: Add SecurityProviderService#threshold to TestActiveSettingEvent.java + - JDK-8294717: (bf) DirectByteBuffer constructor will leak if allocating Deallocator or Cleaner fails with OOME + - JDK-8294906: Memory leak in PKCS11 NSS TLS server + - JDK-8295564: Norwegian Nynorsk Locale is missing formatting + - JDK-8295974: jni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames + - JDK-8296084: javax/swing/JSpinner/4788637/bug4788637.java fails intermittently on a VM + - JDK-8296318: use-def assert: special case undetected loops nested in infinite loops + - JDK-8296343: CPVE thrown on missing content-length in OCSP response + - JDK-8296412: Special case infinite loops with unmerged backedges in IdealLoopTree::check_safepts + - JDK-8296545: C2 Blackholes should allow load optimizations + - JDK-8296934: Write a test to verify whether Undecorated Frame can be iconified or not + - JDK-8297000: [jib] Add more friendly warning for proxy issues + - JDK-8297154: Improve safepoint cleanup logging + - JDK-8297450: ScaledTextFieldBorderTest.java fails when run with -show parameter + - JDK-8297587: Upgrade JLine to 3.22.0 + - JDK-8297730: C2: Arraycopy intrinsic throws incorrect exception + - JDK-8297955: LDAP CertStore should use LdapName and not String for DNs + - JDK-8298488: [macos13] tools/jpackage tests failing with "Exit code: 137" on macOS + - JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors + - JDK-8299179: ArrayFill with store on backedge needs to reduce length by 1 + - JDK-8299259: C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE + - JDK-8299544: Improve performance of CRC32C intrinsics (non-AVX-512) for small inputs + - JDK-8299570: [JVMCI] Insufficient error handling when CodeBuffer is exhausted + - JDK-8299959: C2: CmpU::Value must filter overflow computation against local sub computation + - JDK-8300042: Improve CPU related JFR events descriptions + - JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument + - JDK-8300823: UB: Compile::_phase_optimize_finished is initialized too late + - JDK-8300939: sun/security/provider/certpath/OCSP/OCSPNoContentLength.java fails due to network errors + - JDK-8301050: Detect Xen Virtualization on Linux aarch64 + - JDK-8301119: Support for GB18030-2022 + - JDK-8301123: Enable Symbol refcounting underflow checks in PRODUCT + - JDK-8301190: [vectorapi] The typeChar of LaneType is incorrect when default locale is tr + - JDK-8301216: ForkJoinPool invokeAll() ignores timeout + - JDK-8301338: Identical branch conditions in CompileBroker::print_heapinfo + - JDK-8301491: C2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument + - JDK-8301637: ThreadLocalRandom.current().doubles().parallel() contention + - JDK-8301661: Enhance os::pd_print_cpu_info on macOS and Windows + - JDK-8302151: BMPImageReader throws an exception reading BMP images + - JDK-8302172: [JVMCI] HotSpotResolvedJavaMethodImpl.canBeInlined must respect ForceInline + - JDK-8302320: AsyncGetCallTrace obtains too few frames in sanity test + - JDK-8302491: NoClassDefFoundError omits the original cause of an error + - JDK-8302508: Add timestamp to the output TraceCompilerThreads + - JDK-8302594: use-after-free in Node::destruct + - JDK-8302595: use-after-free related to GraphKit::clone_map + - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message + - JDK-8302849: SurfaceManager might expose partially constructed object + - JDK-8303069: Memory leak in CompilerOracle::parse_from_line + - JDK-8303102: jcmd: ManagementAgent.status truncates the text longer than O_BUFLEN + - JDK-8303130: Document required Accessibility permissions on macOS + - JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return + - JDK-8303433: Bump update version for OpenJDK: jdk-17.0.8 + - JDK-8303440: The "ZonedDateTime.parse" may not accept the "UTC+XX" zone id + - JDK-8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates + - JDK-8303476: Add the runtime version in the release file of a JDK image + - JDK-8303482: Update LCMS to 2.15 + - JDK-8303508: Vector.lane() gets wrong value on x86 + - JDK-8303511: C2: assert(get_ctrl(n) == cle_out) during unrolling + - JDK-8303564: C2: "Bad graph detected in build_loop_late" after a CMove is wrongly split thru phi + - JDK-8303575: adjust Xen handling on Linux aarch64 + - JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return + - JDK-8303588: [JVMCI] make JVMCI source directories conform with standard layout + - JDK-8303809: Dispose context in SPNEGO NegotiatorImpl + - JDK-8303822: gtestMain should give more helpful output + - JDK-8303861: Error handling step timeouts should never be blocked by OnError and others + - JDK-8303937: Corrupted heap dumps due to missing retries for os::write() + - JDK-8303949: gcc10 warning Linux ppc64le - note: the layout of aggregates containing vectors with 8-byte alignment has changed in GCC 5 + - JDK-8304054: Linux: NullPointerException from FontConfiguration.getVersion in case no fonts are installed + - JDK-8304063: tools/jpackage/share/AppLauncherEnvTest.java fails when checking LD_LIBRARY_PATH + - JDK-8304134: jib bootstrapper fails to quote filename when checking download filetype + - JDK-8304291: [AIX] Broken build after JDK-8301998 + - JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998 + - JDK-8304350: Font.getStringBounds calculates wrong width for TextAttribute.TRACKING other than 0.0 + - JDK-8304671: javac regression: Compilation with --release 8 fails on underscore in enum identifiers + - JDK-8304683: Memory leak in WB_IsMethodCompatible + - JDK-8304760: Add 2 Microsoft TLS roots + - JDK-8304867: Explicitly disable dtrace for ppc builds + - JDK-8304880: [PPC64] VerifyOops code in C1 doesn't work with ZGC + - JDK-8305088: SIGSEGV in Method::is_method_handle_intrinsic + - JDK-8305113: (tz) Update Timezone Data to 2023c + - JDK-8305400: ISO 4217 Amendment 175 Update + - JDK-8305403: Shenandoah evacuation workers may deadlock + - JDK-8305481: gtest is_first_C_frame failing on ARM + - JDK-8305690: [X86] Do not emit two REX prefixes in Assembler::prefix + - JDK-8305711: Arm: C2 always enters slowpath for monitorexit + - JDK-8305721: add `make compile-commands` artifacts to .gitignore + - JDK-8305975: Add TWCA Global Root CA + - JDK-8305993: Add handleSocketErrorWithMessage to extend nio Net.c exception message + - JDK-8305994: Guarantee eventual async monitor deflation + - JDK-8306072: Open source several AWT MouseInfo related tests + - JDK-8306133: Open source few AWT Drag & Drop related tests + - JDK-8306409: Open source AWT KeyBoardFocusManger, LightWeightComponent related tests + - JDK-8306432: Open source several AWT Text Component related tests + - JDK-8306466: Open source more AWT Drag & Drop related tests + - JDK-8306489: Open source AWT List related tests + - JDK-8306543: GHA: MSVC installation is failing + - JDK-8306640: Open source several AWT TextArea related tests + - JDK-8306652: Open source AWT MenuItem related tests + - JDK-8306658: GHA: MSVC installation could be optional since it might already be pre-installed + - JDK-8306664: GHA: Update MSVC version to latest stepping + - JDK-8306681: Open source more AWT DnD related tests + - JDK-8306683: Open source several clipboard and color AWT tests + - JDK-8306752: Open source several container and component AWT tests + - JDK-8306753: Open source several container AWT tests + - JDK-8306755: Open source few Swing JComponent and AbstractButton tests + - JDK-8306768: CodeCache Analytics reports wrong threshold + - JDK-8306774: Make runtime/Monitor/GuaranteedAsyncDeflationIntervalTest.java more reliable + - JDK-8306825: Monitor deflation might be accidentally disabled by zero intervals + - JDK-8306850: Open source AWT Modal related tests + - JDK-8306871: Open source more AWT Drag & Drop tests + - JDK-8306883: Thread stacksize is reported with wrong units in os::create_thread logging + - JDK-8306941: Open source several datatransfer and dnd AWT tests + - JDK-8306943: Open source several dnd AWT tests + - JDK-8306954: Open source five Focus related tests + - JDK-8306955: Open source several JComboBox jtreg tests + - JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep + - JDK-8306996: Open source Swing MenuItem related tests + - JDK-8307080: Open source some more JComboBox jtreg tests + - JDK-8307128: Open source some drag and drop tests 4 + - JDK-8307130: Open source few Swing JMenu tests + - JDK-8307133: Open source some JTable jtreg tests + - JDK-8307134: Add GTS root CAs + - JDK-8307135: java/awt/dnd/NotReallySerializableTest/NotReallySerializableTest.java failed + - JDK-8307331: Correctly update line maps when class redefine rewrites bytecodes + - JDK-8307346: Add missing gc+phases logging for ObjectCount(AfterGC) JFR event collection code + - JDK-8307347: serviceability/sa/ClhsdbDumpclass.java could leave files owned by root on macOS + - JDK-8307378: Allow collectors to provide specific values for GC notifications' actions + - JDK-8307381: Open Source JFrame, JIF related Swing Tests + - JDK-8307425: Socket input stream read burns CPU cycles with back-to-back poll(0) calls + - JDK-8307799: Newly added java/awt/dnd/MozillaDnDTest.java has invalid jtreg `@requires` clause + - JDK-8308554: [17u] Fix commit of 8286191. vm.musl was not removed from ExternalEditorTest + - JDK-8308880: [17u] micro bench ZoneStrings missed in backport of 8278434 + - JDK-8308884: [17u/11u] Backout JDK-8297951 + - JDK-8311467: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.8 + +Notes on individual issues: +=========================== + +hotspot/compiler: + +JDK-8308884: GregorianCalender.computeTime() JVM Crash +====================================================== +A virtual machine crash was observed in JDK 11.0.19 when executing the +`GregorianCalender.computeTime()` method (JDK-8307683). It was found +that although the root cause of the crash is an old issue, a recent +fix for a rare issue in the C2 compiler (JDK-8297951) made the crash +much more likely. To mitigate this, the fix has been reverted in JDK +11.0.20 and will be reapplied once JDK-8307683 is resolved. + +core-libs/java.nio.charsets: + +JDK-8301119: Support for GB18030-2022 +===================================== +The China National Standard body (CESI) recently published +GB18030-2022 as an update to the GB18030 standard, synchronising the +character set with Unicode 11.0. This updated version of GB18030 is +now the default GB18030 character set used in this release of +OpenJDK. However, this updated character set contains incompatible +changes compared with GB18030-2000, which was used in previous +releases of OpenJDK 11. To use the previous version of the character +set, the new system property `jdk.charset.GB18030` should be set to +`2000`. + +core-libs/java.util.jar: + +JDK-8300596: Enhance Jar Signature validation +============================================= +A System property "jdk.jar.maxSignatureFileSize" is introduced to +configure the maximum number of bytes allowed for the +signature-related files in a JAR file during verification. The default +value is 8000000 bytes (8 MB). + +JDK-8302483: Enhance ZIP performance +==================================== +This release of OpenJDK includes stronger checks on the Zip64 fields +of zip files. In the event that these checks cause failures on trusted +zip files, the checks can be disabled by setting the new system +property, `jdk.util.zip.disableZip64ExtraFieldValidation` to `true`. + +security-libs/java.security: + +JDK-8307134: Added 4 GTS Root CA Certificates +============================================= +The following root certificates have been added to the cacerts +truststore: + +Name: Google Trust Services LLC +Alias Name: gtsrootcar1 +Distinguished Name: CN=GTS Root R1, O=Google Trust Services LLC, C=US + +Name: Google Trust Services LLC +Alias Name: gtsrootcar2 +Distinguished Name: CN=GTS Root R2, O=Google Trust Services LLC, C=US + +Name: Google Trust Services LLC +Alias Name: gtsrootcar3 +Distinguished Name: CN=GTS Root R3, O=Google Trust Services LLC, C=US + +Name: Google Trust Services LLC +Alias Name: gtsrootcar4 +Distinguished Name: CN=GTS Root R4, O=Google Trust Services LLC, C=US + +JDK-8304760: Added Microsoft Corporation's 2 TLS Root CA Certificates +===================================================================== +The following root certificates has been added to the cacerts +truststore: + +Name: Microsoft Corporation +Alias Name: microsoftecc2017 +Distinguished Name: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US + +Name: Microsoft Corporation +Alias Name: microsoftrsa2017 +Distinguished Name: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US + +JDK-8305975: Added TWCA Root CA Certificate +=========================================== +The following root certificate has been added to the cacerts +truststore: + +Name: TWCA +Alias Name: twcaglobalrootca +Distinguished Name: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW + +JDK-8303465: Enhance Contents (Trusted Certificate Entries) of macOS KeychainStore +================================================================================== +Recent changes to the MacOS KeychainStore implementation were +incomplete and only considered certificates within the user domain. +With this release, the implementation exposes certificates from both +the user and admin domain, and will exclude those certificates that +include a "deny" entry in their trust settings. + +JDK-8254711: New JFR Event: jdk.SecurityProviderService +======================================================= +Calls to the `java.security.Provider.getService(String type, String +algorithm)` method now trigger a Java Flight Recorder (JFR) event. + +The event contains three fields: + +* type - the type of service +* algorithm - the algorithm name +* provider - the security provider + +This event is disabled by default. It may be enabled via the usual JFR +configuration files and options. + +New in release OpenJDK 17.0.7 (2023-04-18): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk1707 + +* CVEs + - CVE-2023-21930 + - CVE-2023-21937 + - CVE-2023-21938 + - CVE-2023-21939 + - CVE-2023-21954 + - CVE-2023-21967 + - CVE-2023-21968 +* Security fixes + - JDK-8287404: Improve ping times + - JDK-8288436: Improve Xalan supports + - JDK-8294474: Better AES support + - JDK-8295304: Runtime support improvements + - JDK-8296676, JDK-8296622: Improve String platform support + - JDK-8296684: Improve String platform support + - JDK-8296692: Improve String platform support + - JDK-8296832: Improve Swing platform support + - JDK-8297371: Improve UTF8 representation redux + - JDK-8298191: Enhance object reclamation process + - JDK-8298310: Enhance TLS session negotiation + - JDK-8298667: Improved path handling + - JDK-8299129: Enhance NameService lookups +* Other changes + - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion + - JDK-6779701: Wrong defect ID in the code of test LocalRMIServerSocketFactoryTest.java + - JDK-8008243: Zero: Implement fast bytecodes + - JDK-8048190: NoClassDefFoundError omits original ExceptionInInitializerError + - JDK-8065097: [macosx] javax/swing/Popup/TaskbarPositionTest.java fails because Popup is one pixel off + - JDK-8144030: [macosx] test java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java fails (again) + - JDK-8155246: Throw error if default java.security file is missing + - JDK-8186765: Speed up test sun/net/www/protocol/https/HttpsClient/ProxyAuthTest.java + - JDK-8192931: Regression test java/awt/font/TextLayout/CombiningPerf.java fails + - JDK-8195809: [TESTBUG] jps and jcmd -l support for containers is not tested + - JDK-8208077: File.listRoots performance degradation + - JDK-8209935: Test to cover CodeSource.getCodeSigners() + - JDK-8210927: JDB tests do not update source path after doing a redefine class + - JDK-8212961: [TESTBUG] vmTestbase/nsk/stress/jni/ native code cleanup + - JDK-8213531: Test javax/swing/border/TestTitledBorderLeak.java fails + - JDK-8223783: sun/net/www/http/HttpClient/MultiThreadTest.java sometimes detect threads+1 connections + - JDK-8230374: maxOutputSize, instead of javatest.maxOutputSize, should be used in TEST.properties + - JDK-8231491: JDI tc02x004 failed again due to wrong # of breakpoints + - JDK-8235297: sun/security/ssl/SSLSessionImpl/ResumptionUpdateBoundValues.java fails intermittent + - JDK-8241293: CompressedClassSpaceSizeInJmapHeap.java time out after 8 minutes + - JDK-8242115: C2 SATB barriers are not safepoint-safe + - JDK-8244669: convert clhsdb "mem" command from javascript to java + - JDK-8245654: Add Certigna Root CA + - JDK-8251177: [macosx] The text "big" is truncated in JTabbedPane + - JDK-8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" + - JDK-8258512: serviceability/sa/TestJmapCore.java timed out on macOS 10.13.6 + - JDK-8262386: resourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java timed out + - JDK-8266974: duplicate property key in java.sql.rowset resource bundle + - JDK-8267038: Update IANA Language Subtag Registry to Version 2022-03-02 + - JDK-8270156: Add "randomness" and "stress" keys to JTreg tests which use StressGCM, StressLCM and/or StressIGVN + - JDK-8270476: Make floating-point test infrastructure more lambda and method reference friendly + - JDK-8271471: [IR Framework] Rare occurrence of "" in PrintIdeal/PrintOptoAssembly can let tests fail + - JDK-8271838: AmazonCA.java interop test fails + - JDK-8272702: Resolving URI relative path with no / may lead to incorrect toString + - JDK-8272985: Reference discovery is confused about atomicity and degree of parallelism + - JDK-8273154: Provide a JavadocTester method for non-overlapping, unordered output matching + - JDK-8273410: IR verification framework fails with "Should find method name in validIrRulesMap" + - JDK-8274911: testlibrary_tests/ir_framework/tests/TestIRMatching.java fails with "java.lang.RuntimeException: Should have thrown exception" + - JDK-8275173: testlibrary_tests/ir_framework/tests/TestCheckedTests.java fails after JDK-8274911 + - JDK-8275301: Unify C-heap buffer overrun checks into NMT + - JDK-8275320: NMT should perform buffer overrun checks + - JDK-8275582: Don't purge metaspace mapping lists + - JDK-8275704: Metaspace::contains() should be threadsafe + - JDK-8275843: Random crashes while the UI code is executed + - JDK-8276064: CheckCastPP with raw oop input floats below a safepoint + - JDK-8276086: Increase size of metaspace mappings + - JDK-8277485: Zero: Fix _fast_{i,f}access_0 bytecodes handling + - JDK-8277822: Remove debug-only heap overrun checks in os::malloc and friends + - JDK-8277946: NMT: Remove VM.native_memory shutdown jcmd command option + - JDK-8277990: NMT: Remove NMT shutdown capability + - JDK-8278961: Enable debug logging in java/net/DatagramSocket/SendDatagramToBadAddress.java + - JDK-8279024: Remove javascript references from clhsdb.html + - JDK-8279119: src/jdk.hotspot.agent/doc/index.html file contains references to scripts that no longer exist + - JDK-8279351: [TESTBUG] SADebugDTest.java does not handle "Address already in use" error + - JDK-8279614: The left line of the TitledBorder is not painted on 150 scale factor + - JDK-8280007: Enable Neoverse N1 optimizations for Arm Neoverse V1 & N2 + - JDK-8280048: Missing comma in copyright header + - JDK-8280132: Incorrect comparator com.sun.beans.introspect.MethodInfo.MethodOrder + - JDK-8280166: Extend java/lang/instrument/GetObjectSizeIntrinsicsTest.java test cases + - JDK-8280553: resourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java can fail if GC occurs + - JDK-8280703: CipherCore.doFinal(...) causes potentially massive byte[] allocations during decryption + - JDK-8280784: VM_Cleanup unnecessarily processes all thread oops + - JDK-8280868: LineBodyHandlerTest.java creates and discards too many clients + - JDK-8280889: java/lang/instrument/GetObjectSizeIntrinsicsTest.java fails with -XX:-UseCompressedOops + - JDK-8280896: java/nio/file/Files/probeContentType/Basic.java fails on Windows 11 + - JDK-8281122: [IR Framework] Cleanup IR matching code in preparation for JDK-8280378 + - JDK-8281170: Test jdk/tools/jpackage/windows/WinInstallerIconTest always fails on Windows 11 + - JDK-8282036: Change java/util/zip/ZipFile/DeleteTempJar.java to stop HttpServer cleanly in case of exceptions + - JDK-8282143: Objects.requireNonNull should be ForceInline + - JDK-8282577: ICC_Profile.setData(int, byte[]) invalidates the profile + - JDK-8282771: Create test case for JDK-8262981 + - JDK-8282958: Rendering Issues with Borders on Windows High-DPI systems + - JDK-8283606: Tests may fail with zh locale on MacOS + - JDK-8283717: vmTestbase/nsk/jdi/ThreadStartEvent/thread/thread001 failed due to SocketTimeoutException + - JDK-8283719: java/util/logging/CheckZombieLockTest.java failing intermittently + - JDK-8283870: jdeprscan --help causes an exception when the locale is ja, zh_CN or de + - JDK-8284115: [IR Framework] Compilation is not found due to rare safepoint while dumping PrintIdeal/PrintOptoAssembly + - JDK-8284165: Add pid to process reaper thread name + - JDK-8284524: Create an automated test for JDK-4422362 + - JDK-8284726: Print active locale settings in hs_err reports and in VM.info + - JDK-8284767: Create an automated test for JDK-4422535 + - JDK-8285399: JNI exception pending in awt_GraphicsEnv.c:1432 + - JDK-8285690: CloneableReference subtest should not throw CloneNotSupportedException + - JDK-8285755: JDK-8285093 changed the default for --with-output-sync + - JDK-8285835: SIGSEGV in PhaseIdealLoop::build_loop_late_post_work + - JDK-8285919: Remove debug printout from JDK-8285093 + - JDK-8285965: TestScenarios.java does not check for "" correctly + - JDK-8286030: Avoid JVM crash when containers share the same /tmp dir + - JDK-8286154: Fix 3rd party notices in test files + - JDK-8286562: GCC 12 reports some compiler warnings + - JDK-8286694: Incorrect argument processing in java launcher + - JDK-8286705: GCC 12 reports use-after-free potential bugs + - JDK-8286707: JFR: Don't commit JFR internal jdk.JavaMonitorWait events + - JDK-8286800: Assert in PhaseIdealLoop::dump_real_LCA is too strong + - JDK-8286844: com/sun/jdi/RedefineCrossEvent.java failed with 1 threads completed while VM suspended + - JDK-8286873: Improve websocket test execution time + - JDK-8286962: java/net/httpclient/ServerCloseTest.java failed once with ConnectException + - JDK-8287180: Update IANA Language Subtag Registry to Version 2022-08-08 + - JDK-8287217: C2: PhaseCCP: remove not visited nodes, prevent type inconsistency + - JDK-8287491: compiler/jvmci/errors/TestInvalidDebugInfo.java fails new assert: assert((uint)t < T_CONFLICT + 1) failed: invalid type # + - JDK-8287593: ShortResponseBody could be made more resilient to rogue connections + - JDK-8287754: Update jib GNU make dependency on Windows to latest cygwin build + - JDK-8288005: HotSpot build with disabled PCH fails for Windows AArch64 + - JDK-8288130: compiler error with AP and explicit record accessor + - JDK-8288332: Tier1 validate-source fails after 8279614 + - JDK-8288415: java/awt/PopupMenu/PopupMenuLocation.java is unstable in MacOS machines + - JDK-8288854: getLocalGraphicsEnvironment() on for multi-screen setups throws exception NPE + - JDK-8289400: Improve com/sun/jdi/TestScaffold error reporting + - JDK-8289440: Remove vmTestbase/nsk/monitoring/MemoryPoolMBean/isCollectionUsageThresholdExceeded/isexceeded003 from ProblemList.txt + - JDK-8289508: Improve test coverage for XPath Axes: ancestor, ancestor-or-self, preceding, and preceding-sibling + - JDK-8289511: Improve test coverage for XPath Axes: child + - JDK-8289647: AssertionError during annotation processing of record related tests + - JDK-8289948: Improve test coverage for XPath functions: Node Set Functions + - JDK-8290067: Show stack dimensions in UL logging when attaching threads + - JDK-8290083: ResponseBodyBeforeError: AssertionError or SSLException: Unsupported or unrecognized SSL message + - JDK-8290197: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails on some systems for the ".rar" extension + - JDK-8290322: Optimize Vector.rearrange over byte vectors for AVX512BW targets. + - JDK-8290836: Improve test coverage for XPath functions: String Functions + - JDK-8290837: Improve test coverage for XPath functions: Boolean Functions + - JDK-8290838: Improve test coverage for XPath functions: Number Functions + - JDK-8290850: C2: create_new_if_for_predicate() does not clone pinned phi input nodes resulting in a broken graph + - JDK-8290899: java/lang/String/StringRepeat.java test requests too much heap on windows x86 + - JDK-8290964: C2 compilation fails with assert "non-reduction loop contains reduction nodes" + - JDK-8291825: java/time/nontestng/java/time/zone/CustomZoneNameTest.java fails if defaultLocale and defaultFormatLocale are different + - JDK-8292033: Move jdk.X509Certificate event logic to JCA layer + - JDK-8292066: Convert TestInputArgument.sh and TestSystemLoadAvg.sh to java version + - JDK-8292159: TYPE_USE annotations on generic type arguments of record components discarded + - JDK-8292177: InitialSecurityProperty JFR event + - JDK-8292285: C2: remove unreachable block after NeverBranch-to-Goto conversion + - JDK-8292297: Fix up loading of override java.security properties file + - JDK-8292328: AccessibleActionsTest.java test instruction for show popup on JLabel did not specify shift key + - JDK-8292443: Weak CAS VarHandle/Unsafe tests should test always-failing cases + - JDK-8292602: ZGC: C2 late barrier analysis uses invalid dominator information + - JDK-8292660: C2: blocks made unreachable by NeverBranch-to-Goto conversion are removed incorrectly + - JDK-8292780: misc tests failed "assert(false) failed: graph should be schedulable" + - JDK-8292877: java/util/concurrent/atomic/Serial.java uses {Double,Long}Accumulator incorrectly + - JDK-8293000: Review running times of jshell regression tests + - JDK-8293326: jdk/sun/security/tools/jarsigner/compatibility/SignTwice.java slow on Windows + - JDK-8293466: libjsig should ignore non-modifying sigaction calls + - JDK-8293493: Signal Handlers printout should show signal block state + - JDK-8293531: C2: some vectorapi tests fail assert "Not monotonic" with flag -XX:TypeProfileLevel=222 + - JDK-8293562: KeepAliveCache Blocks Threads while Closing Connections + - JDK-8293691: converting a defined BasicType value to a string should not crash the VM + - JDK-8293767: AWT test TestSinhalaChar.java has old SCCS markings + - JDK-8293819: sun/util/logging/PlatformLoggerTest.java failed with "RuntimeException: Retrieved backing PlatformLogger level null is not the expected CONFIG" + - JDK-8293965: Code signing warnings after JDK-8293550 + - JDK-8293996: C2: fix and simplify IdealLoopTree::do_remove_empty_loop + - JDK-8294160: misc crash dump improvements + - JDK-8294217: Assertion failure: parsing found no loops but there are some + - JDK-8294310: compare.sh fails on macos after JDK-8293550 + - JDK-8294378: URLPermission constructor exception when using tr locale + - JDK-8294538: missing is_unloading() check in SharedRuntime::fixup_callers_callsite() + - JDK-8294548: Problem list SA core file tests on macosx-x64 due to JDK-8294316 + - JDK-8294580: frame::interpreter_frame_print_on() crashes if free BasicObjectLock exists in frame + - JDK-8294677: chunklevel::MAX_CHUNK_WORD_SIZE too small for some applications + - JDK-8294705: Disable an assertion in test/jdk/java/util/DoubleStreamSums/CompensatedSums.java + - JDK-8294902: Undefined Behavior in C2 regalloc with null references + - JDK-8294947: Use 64bit atomics in patch_verified_entry on x86_64 + - JDK-8294958: java/net/httpclient/ConnectTimeout tests are slow + - JDK-8295000: java/util/Formatter/Basic test cleanup + - JDK-8295066: Folding of loads is broken in C2 after JDK-8242115 + - JDK-8295116: C2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead + - JDK-8295211: Fix autoconf 2.71 warning "AC_CHECK_HEADERS: you should use literals" + - JDK-8295413: com/sun/jdi/EATests.java fails with compiler flag -XX:+StressReflectiveCode + - JDK-8295414: [Aarch64] C2: assert(false) failed: bad AD file + - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13 + - JDK-8295685: Update Libpng to 1.6.38 + - JDK-8295724: VirtualMachineError: Out of space in CodeCache for method handle intrinsic + - JDK-8295774: Write a test to verify List sends ItemEvent/ActionEvent + - JDK-8295777: java/net/httpclient/ConnectExceptionTest.java should not rely on system resolver + - JDK-8295788: C2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node" + - JDK-8296136: Use correct register in aarch64_enc_fast_unlock() + - JDK-8296239: ISO 4217 Amendment 174 Update + - JDK-8296329: jar validator doesn't account for minor class file version + - JDK-8296389: C2: PhaseCFG::convert_NeverBranch_to_Goto must handle both orders of successors + - JDK-8296548: Improve MD5 intrinsic for x86_64 + - JDK-8296611: Problemlist several sun/security tests until JDK-8295343 is resolved + - JDK-8296619: Upgrade jQuery to 3.6.1 + - JDK-8296675: Exclude linux-aarch64 in NSS tests + - JDK-8296878: Document Filter attached to JPasswordField and setText("") is not cleared instead inserted characters replaced with unicode null characters + - JDK-8296904: Improve handling of macos xcode toolchain + - JDK-8296912: C2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1 + - JDK-8296924: C2: assert(is_valid_AArch64_address(dest.target())) failed: bad address + - JDK-8297088: Update LCMS to 2.14 + - JDK-8297211: Expensive fillInStackTrace operation in HttpURLConnection.getOutputStream0 when no content-length in response + - JDK-8297259: Bump update version for OpenJDK: jdk-17.0.7 + - JDK-8297264: C2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top + - JDK-8297431: [JVMCI] HotSpotJVMCIRuntime.encodeThrowable should not throw an exception + - JDK-8297437: javadoc cannot link to old docs (with old style anchors) + - JDK-8297480: GetPrimitiveArrayCritical in imageioJPEG misses result - NULL check + - JDK-8297489: Modify TextAreaTextEventTest.java as to verify the content change of TextComponent sends TextEvent + - JDK-8297523: Various GetPrimitiveArrayCritical miss result - NULL check + - JDK-8297569: URLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378 + - JDK-8297642: PhaseIdealLoop::only_has_infinite_loops must detect all loops that never lead to termination + - JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication + - JDK-8297959: Provide better descriptions for some Operating System JFR events + - JDK-8297963: Partially fix string expansion issues in UTIL_DEFUN_NAMED and related macros + - JDK-8298027: Remove SCCS id's from awt jtreg tests + - JDK-8298035: Provide better descriptions for JIT compiler JFR events + - JDK-8298073: gc/metaspace/CompressedClassSpaceSizeInJmapHeap.java causes test task timeout on macosx + - JDK-8298093: improve cleanup and error handling of awt_parseColorModel in awt_parseImage.c + - JDK-8298108: Add a regression test for JDK-8297684 + - JDK-8298129: Let checkpoint event sizes grow beyond u4 limit + - JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows + - JDK-8298459: Fix msys2 linking and handling out of tree build directory for source zip creation + - JDK-8298472: AArch64: Detect Ampere-1 and Ampere-1A CPUs and set default options + - JDK-8298527: Cygwin's uname -m returns different string than before + - JDK-8298568: Fastdebug build fails after JDK-8296389 + - JDK-8298588: WebSockets: HandshakeUrlEncodingTest unnecessarily depends on a response body + - JDK-8298649: JFR: RemoteRecordingStream support for checkpoint event sizes beyond u4 + - JDK-8298726: (fs) Change PollingWatchService to record last modified time as FileTime rather than milliseconds + - JDK-8298947: compiler/codecache/MHIntrinsicAllocFailureTest.java fails intermittently + - JDK-8299015: Ensure that HttpResponse.BodySubscribers.ofFile writes all bytes + - JDK-8299018: java/net/httpclient/HttpsTunnelAuthTest.java fails with java.io.IOException: HTTP/1.1 header parser received no bytes + - JDK-8299194: CustomTzIDCheckDST.java may fail at future date + - JDK-8299296: Write a test to verify the components selection sends ItemEvent + - JDK-8299388: java/util/regex/NegativeArraySize.java fails on Alpine and sometimes Windows + - JDK-8299424: containers/docker/TestMemoryWithCgroupV1.java fails on SLES12 ppc64le when testing Memory and Swap Limit + - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR + - JDK-8299470: sun/jvm/hotspot/SALauncher.java handling of negative rmiport args + - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java + - JDK-8299497: Usage of constructors of primitive wrapper classes should be avoided in java.desktop API docs + - JDK-8299520: TestPrintXML.java output error messages in case compare fails + - JDK-8299597: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.7 + - JDK-8299657: sun/tools/jhsdb/SAGetoptTest.java fails after 8299470 + - JDK-8299671: Speed up compiler/intrinsics/string/TestStringLatin1IndexOfChar.java + - JDK-8299789: Compilation of gtest causes build to fail if runtime libraries are in different dirs + - JDK-8299957: Enhance error logging in instrument coding with additional jplis_assert_msg + - JDK-8299970: Speed up compiler/arraycopy/TestArrayCopyConjoint.java + - JDK-8300119: CgroupMetrics.getTotalMemorySize0() can report invalid results on 32 bit systems + - JDK-8300205: Swing test bug8078268 make latch timeout configurable + - JDK-8300266: Detect Virtualization on Linux aarch64 + - JDK-8300490: Spaces in name of MacOS Code Signing Identity are not correctly handled after JDK-8293550 + - JDK-8300590: [JVMCI] BytecodeFrame.equals is broken + - JDK-8300642: [17u,11u] Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev + - JDK-8300692: GCC 12 reports some compiler warnings in bundled freetype + - JDK-8300751: [17u] Remove duplicate entry in javac.properties + - JDK-8300773: Address the inconsistency between the constant array and pool size + - JDK-8301170: perfMemory_windows.cpp add free_security_attr to early returns + - JDK-8301342: Prefer ArrayList to LinkedList in LayoutComparator + - JDK-8301397: [11u, 17u] Bump jtreg to fix issue with build JDK 11.0.18 + - JDK-8301760: Fix possible leak in SpNegoContext dispose + - JDK-8301842: JFR: increase checkpoint event size for stacktrace and string pool + - JDK-8302152: Speed up tests with infinite loops, sleep less + - JDK-8302692: [17u] Update GHA Boot JDK to 17.0.6 + - JDK-8302879: doc/building.md update link to jtreg builds + - JDK-8304871: Use default visibility for static library builds + +Notes on individual issues: +=========================== + +client-libs/javax.swing: + +JDK-8296832: Improve Swing platform support +=========================================== +Earlier OpenJDK releases would always render HTML object tags embedded in +Swing HTML components. With this release, rendering only occurs when the +new system property "swing.html.object" is set to true. By default, it +is set to false. + +security-libs/java.security: + +JDK-8245654: Added Certigna(Dhimyotis) Root CA Certificate +========================================================== +The following root certificate has been added to the cacerts truststore: + +Name: Certigna (Dhimyotis) +Alias Name: certignarootca +Distinguished Name: CN=Certigna, O=Dhimyotis, C=FR + +JDK-8292177: New JFR Event: jdk.InitialSecurityProperty +======================================================= +The initial security properties loaded by the java.security.Security class +are now accessible in the new JFR event, `jdk.InitialSecurityProperty`. + +The event contains two fields: + +* key - the security property key +* value - the corresponding security property value + +The combination of this new event and the existing +`jdk.SecurityPropertyModification` event means that security +properties can now be monitored throughout their lifecycle. + +The initial security properties are now also printed to the standard +error output stream when `-Djava.security.debug=properties` is passed +to the Java virtual machine. + +JDK-8155246: Throw Error If Default java.security File Fails to Load +==================================================================== +A hardcoded set of security properties was used in previous releases +when the `java.security` file could not be loaded. This set of +properties were poorly maintained and it was not obvious to the user +that they were being utilised. This release instead throws an +`InternalError` if the `java.security` file can not be loaded. + +core-libs/java.io: + +JDK-8208077: File::listRoots Changed To Return All Available Drives On Windows +============================================================================== +The `java.io.File.listRoots()` method on Windows systems filtered out disk +drives that could not be accessed or did not have media loaded. The +use of this filtering led to observable performance issues. This release +now returns all available disk drives, unfiltered. + New in release OpenJDK 17.0.6 (2023-01-17): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1706 + * https://bit.ly/openjdk1706 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html +* CVEs + - CVE-2023-21835 + - CVE-2023-21843 +* Security fixes + - JDK-8286070: Improve UTF8 representation + - JDK-8286496: Improve Thread labels + - JDK-8287411: Enhance DTLS performance + - JDK-8288516: Enhance font creation + - JDK-8289350: Better media supports + - JDK-8293554: Enhanced DH Key Exchanges + - JDK-8293598: Enhance InetAddress address handling + - JDK-8293717: Objective view of ObjectView + - JDK-8293734: Improve BMP image handling + - JDK-8293742: Better Banking of Sounds + - JDK-8295687: Better BMP bounds * Other changes - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails @@ -252,13 +5081,15 @@ Live versions of these release notes can be found at: - JDK-8295554: Move the "sizecalc.h" to the correct location - JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev - JDK-8295714: GHA ::set-output is deprecated and will be removed + - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error - JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor - JDK-8295952: Problemlist existing compiler/rtm tests also on x86 - JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM - JDK-8296108: (tz) Update Timezone Data to 2022f + - JDK-8296239: ISO 4217 Amendment 174 Update - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException - - JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation + - JDK-8296496, JDK-8292652: Overzealous check in sizecalc.h prevents large memory allocation - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent - JDK-8296715: CLDR v42 update for tzdata 2022f - JDK-8296733: JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect @@ -278,10 +5109,33 @@ Live versions of these release notes can be found at: - JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run - JDK-8297656: AArch64: Enable AES/GCM Intrinsics - JDK-8297804: (tz) Update Timezone Data to 2022g + - JDK-8299392: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.6 + - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR + - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java Notes on individual issues: =========================== +client-libs/javax.imageio: + +JDK-8295687: Better BMP bounds +============================== +Loading a linked ICC profile within a BMP image is now disabled by +default. To re-enable it, set the new system property +`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property +replaces the old property, +`sun.imageio.plugins.bmp.disableLinkedProfiles`. + +client-libs/javax.sound: + +JDK-8293742: Better Banking of Sounds +===================================== +Previously, the SoundbankReader implementation, +`com.sun.media.sound.JARSoundbankReader`, would download a JAR +soundbank from a URL. This behaviour is now disabled by default. To +re-enable it, set the new system property `jdk.sound.jarsoundbank` to +`true`. + security-libs/java.security: JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set @@ -302,10 +5156,18 @@ the same change is made in third party modules. Developers of third party modules are advised to verify that their logout() method does not throw a NullPointerException. +security-libs/javax.net.ssl: + +JDK-8287411: Enhance DTLS performance +===================================== +The JDK now exchanges DTLS cookies for all handshakes, new and +resumed. The previous behaviour can be re-enabled by setting the new +system property `jdk.tls.enableDtlsResumeCookie` to `false`. + New in release OpenJDK 17.0.5 (2022-10-18): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1705 + * https://bit.ly/openjdk1705 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.html * Security fixes @@ -673,7 +5535,7 @@ Runtime to crash unpredictably. New in release OpenJDK 17.0.4 (2022-07-19): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1704 + * https://bit.ly/openjdk1704 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt * Security fixes @@ -990,7 +5852,7 @@ the use of special devices such as `NUL:` New in release OpenJDK 17.0.3 (2022-04-19): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1703 + * https://bit.ly/openjdk1703 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt * Security fixes @@ -1186,6 +6048,20 @@ Live versions of these release notes can be found at: Notes on individual issues: =========================== +core-libs/java.io: + +JDK-8278356: Improve file creation +================================== +This release changes the Windows implementation of `java.io.File` so +that stricter validity checks are performed by default on file +paths. This includes disallowing colons (ā€˜:ā€™) in the path other than +immediately after a single drive letter. It also disallows paths which +represent NTFS Alternate Data Streams (ADS) such as +ā€œfilename:streamnameā€. To disable strict path checking in +`java.io.File`, the system property `jdk.io.File.enableADS` should be +set to `true` (case ignored). This might be preferable if, for +example, Windows special device paths such as `NUL:` are used. + security-libs/java.security: JDK-8274791: Support for RSASSA-PSS in OCSP Response @@ -1195,7 +6071,7 @@ An OCSP response signed with the RSASSA-PSS algorithm is now supported. New in release OpenJDK 17.0.2 (2022-01-18): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1702 + * https://bit.ly/openjdk1702 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt * Security fixes diff --git a/SOURCES/README.md b/SOURCES/README.md new file mode 100644 index 0000000..8a2724b --- /dev/null +++ b/SOURCES/README.md @@ -0,0 +1,41 @@ +OpenJDK 17 is the latest Long-Term Support (LTS) release of the Java platform. + +For a list of major changes from OpenJDK 11 (java-11-openjdk), see the upstream +release page for OpenJDK 17 and the preceding interim releases: + +* 12: https://openjdk.java.net/projects/jdk/12/ +* 13: https://openjdk.java.net/projects/jdk/13/ +* 14: https://openjdk.java.net/projects/jdk/14/ +* 15: https://openjdk.java.net/projects/jdk/15/ +* 16: https://openjdk.java.net/projects/jdk/16/ +* 17: https://openjdk.java.net/projects/jdk/17/ + +# Rebuilding the OpenJDK package + +The OpenJDK packages are now created from a single build which is then +packaged for different major versions of Red Hat Enterprise Linux +(RHEL). This allows the OpenJDK team to focus their efforts on the +development and testing of this single build, rather than having +multiple builds which only differ by the platform they were built on. + +This does make rebuilding the package slightly more complicated than a +normal package. Modifications should be made to the +`java-17-openjdk-portable.specfile` file, which can be found with this +README file in the source RPM or installed in the documentation tree +by the `java-17-openjdk-headless` RPM. + +Once the modified `java-17-openjdk-portable` RPMs are built, they +should be installed and will produce a number of tarballs in the +`/usr/lib/jvm` directory. The `java-17-openjdk` RPMs can then be +built, which will use these tarballs to create the usual RPMs found in +RHEL. The `java-17-openjdk-portable` RPMs can be uninstalled once the +desired final RPMs are produced. + +Note that the `java-17-openjdk.spec` file has a hard requirement on +the exact version of java-17-openjdk-portable to use, so this will +need to be modified if the version or rpmrelease values are changed in +`java-17-openjdk-portable.specfile`. + +To reduce the number of RPMs involved, the `fastdebug` and `slowdebug` +builds may be disabled using `--without fastdebug` and `--without +slowdebug`. diff --git a/SOURCES/fips-17u-72d08e3226f.patch b/SOURCES/fips-17u-e1780dd5d39.patch similarity index 79% rename from SOURCES/fips-17u-72d08e3226f.patch rename to SOURCES/fips-17u-e1780dd5d39.patch index a3daa18..ebb9723 100644 --- a/SOURCES/fips-17u-72d08e3226f.patch +++ b/SOURCES/fips-17u-e1780dd5d39.patch @@ -116,7 +116,7 @@ index 00000000000..f48fc7f7e80 + AC_SUBST(NSS_LIBDIR) +]) diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 -index a65d91ee974..a8f054c1397 100644 +index 865feea36d9..5c3a137e65c 100644 --- a/make/autoconf/libraries.m4 +++ b/make/autoconf/libraries.m4 @@ -33,6 +33,7 @@ m4_include([lib-std.m4]) @@ -136,10 +136,10 @@ index a65d91ee974..a8f054c1397 100644 BASIC_JDKLIB_LIBS="" if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index d557549adb3..1cb44bd2595 100644 +index 807ba27589b..47cb6b7753b 100644 --- a/make/autoconf/spec.gmk.in +++ b/make/autoconf/spec.gmk.in -@@ -840,6 +840,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ +@@ -844,6 +844,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ # Libraries # @@ -1362,27 +1362,18 @@ index a020e1c15d8..3c064965e82 100644 // Return the instance of this class or create one if needed. diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java -index ff2bc942c03..96a3ba4040c 100644 +index 2477027969c..06b1b6c671c 100644 --- a/src/java.base/share/classes/java/security/Security.java +++ b/src/java.base/share/classes/java/security/Security.java -@@ -32,6 +32,7 @@ import java.net.URL; - +@@ -33,6 +33,7 @@ import java.net.URL; + import jdk.internal.access.JavaSecurityPropertiesAccess; import jdk.internal.event.EventHelper; import jdk.internal.event.SecurityPropertyModificationEvent; +import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; import jdk.internal.access.SharedSecrets; import jdk.internal.util.StaticProperty; import sun.security.util.Debug; -@@ -47,12 +48,20 @@ import sun.security.jca.*; - * implementation-specific location, which is typically the properties file - * {@code conf/security/java.security} in the Java installation directory. - * -+ *

Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ * - * @author Benjamin Renaud - * @since 1.1 - */ +@@ -57,6 +58,11 @@ import sun.security.jca.*; public final class Security { @@ -1394,7 +1385,7 @@ index ff2bc942c03..96a3ba4040c 100644 /* Are we debugging? -- for developers */ private static final Debug sdebug = Debug.getInstance("properties"); -@@ -67,6 +76,19 @@ public final class Security { +@@ -74,6 +80,19 @@ public final class Security { } static { @@ -1414,26 +1405,19 @@ index ff2bc942c03..96a3ba4040c 100644 // doPrivileged here because there are multiple // things in initialize that might require privs. // (the FileInputStream call and the File.exists call, -@@ -84,6 +106,7 @@ public final class Security { +@@ -97,6 +116,7 @@ public final class Security { + private static void initialize() { props = new Properties(); - boolean loadedProps = false; boolean overrideAll = false; + boolean systemSecPropsEnabled = false; // first load the system properties file // to determine the value of security.overridePropertiesFile -@@ -99,6 +122,7 @@ public final class Security { - if (sdebug != null) { - sdebug.println("reading security properties file: " + - propFile); -+ sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { -@@ -193,6 +217,61 @@ public final class Security { +@@ -117,6 +137,60 @@ public final class Security { } + loadProps(null, extraPropFile, overrideAll); } - ++ + boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); + boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); + if (sdebug != null) { @@ -1453,9 +1437,7 @@ index ff2bc942c03..96a3ba4040c 100644 + } + } + -+ // FIPS support depends on the contents of java.security so -+ // ensure it has loaded first -+ if (loadedProps && systemSecPropsEnabled) { ++ if (systemSecPropsEnabled) { + boolean shouldEnable; + String sysProp = System.getProperty("com.redhat.fips"); + if (sysProp == null) { @@ -1489,15 +1471,27 @@ index ff2bc942c03..96a3ba4040c 100644 + "system security properties being enabled."); + } + } + initialSecurityProperties = (Properties) props.clone(); + if (sdebug != null) { + for (String key : props.stringPropertyNames()) { +@@ -124,10 +198,9 @@ public final class Security { + props.getProperty(key)); + } + } +- } - /* +- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { ++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { + InputStream is = null; + try { + if (masterFile != null && masterFile.exists()) { diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java new file mode 100644 -index 00000000000..98ffced455b +index 00000000000..9d26a54f5d4 --- /dev/null +++ b/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,249 @@ +@@ -0,0 +1,232 @@ +/* + * Copyright (c) 2019, 2021, Red Hat, Inc. + * @@ -1578,26 +1572,9 @@ index 00000000000..98ffced455b + * security.useSystemPropertiesFile is true. + */ + static boolean configureSysProps(Properties props) { -+ boolean systemSecPropsLoaded = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ systemSecPropsLoaded = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ return systemSecPropsLoaded; ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false); + } + + /* @@ -1652,7 +1629,7 @@ index 00000000000..98ffced455b + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + -+ System.getProperty("javax.net.ssl.keyStore", "")); ++ System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } @@ -1785,10 +1762,10 @@ index 00000000000..3f3caac64dc + boolean isPlainKeySupportEnabled(); +} diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -index f6d3638c3dd..a1ee182d913 100644 +index ea28bb8747e..77161eb3844 100644 --- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -@@ -39,6 +39,7 @@ import java.io.FilePermission; +@@ -40,6 +40,7 @@ import java.io.FilePermission; import java.io.ObjectInputStream; import java.io.RandomAccessFile; import java.security.ProtectionDomain; @@ -1796,7 +1773,7 @@ index f6d3638c3dd..a1ee182d913 100644 import java.security.Signature; /** A repository of "shared secrets", which are a mechanism for -@@ -81,6 +82,7 @@ public class SharedSecrets { +@@ -83,6 +84,7 @@ public class SharedSecrets { private static JavaSecuritySpecAccess javaSecuritySpecAccess; private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; @@ -1804,7 +1781,7 @@ index f6d3638c3dd..a1ee182d913 100644 public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { javaUtilCollectionAccess = juca; -@@ -442,4 +444,15 @@ public class SharedSecrets { +@@ -457,4 +459,15 @@ public class SharedSecrets { MethodHandles.lookup().ensureInitialized(c); } catch (IllegalAccessException e) {} } @@ -1821,7 +1798,7 @@ index f6d3638c3dd..a1ee182d913 100644 + } } diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java -index 9faee9cae36..27f43550aa4 100644 +index 8f1ecae3ed1..044056c7bc8 100644 --- a/src/java.base/share/classes/module-info.java +++ b/src/java.base/share/classes/module-info.java @@ -152,6 +152,8 @@ module java.base { @@ -1832,9 +1809,9 @@ index 9faee9cae36..27f43550aa4 100644 + jdk.crypto.ec, jdk.jartool, jdk.jlink, - jdk.net, + jdk.jfr, diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java -index 912cad59714..709d32912ca 100644 +index 912cad59714..7803e97f7ef 100644 --- a/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java @@ -30,6 +30,7 @@ import java.net.*; @@ -1856,7 +1833,7 @@ index 912cad59714..709d32912ca 100644 // the default algo used by SecureRandom class for new SecureRandom() calls public static final String DEF_SECURE_RANDOM_ALGO; -@@ -94,99 +99,101 @@ public final class SunEntries { +@@ -94,89 +99,92 @@ public final class SunEntries { // common attribute map HashMap attrs = new HashMap<>(3); @@ -1920,8 +1897,6 @@ index 912cad59714..709d32912ca 100644 - "sun.security.provider.DSA$SHA3_384withDSA", attrs); - addWithAlias(p, "Signature", "SHA3-512withDSA", - "sun.security.provider.DSA$SHA3_512withDSA", attrs); -- -- attrs.remove("KeySize"); + if (!systemFipsEnabled) { + /* + * SecureRandom engines @@ -1944,32 +1919,7 @@ index 912cad59714..709d32912ca 100644 + add(p, "SecureRandom", "SHA1PRNG", + "sun.security.provider.SecureRandom", attrs); -- add(p, "Signature", "SHA1withDSAinP1363Format", -- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); -- add(p, "Signature", "NONEwithDSAinP1363Format", -- "sun.security.provider.DSA$RawDSAinP1363Format"); -- add(p, "Signature", "SHA224withDSAinP1363Format", -- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); -- add(p, "Signature", "SHA256withDSAinP1363Format", -- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); -- add(p, "Signature", "SHA384withDSAinP1363Format", -- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); -- add(p, "Signature", "SHA512withDSAinP1363Format", -- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); -- add(p, "Signature", "SHA3-224withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); -- add(p, "Signature", "SHA3-256withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); -- add(p, "Signature", "SHA3-384withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); -- add(p, "Signature", "SHA3-512withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -- /* -- * Key Pair Generator engines -- */ -- attrs.clear(); -- attrs.put("ImplementedIn", "Software"); -- attrs.put("KeySize", "2048"); // for DSA KPG and APG only +- attrs.remove("KeySize"); + /* + * Signature engines + */ @@ -2032,16 +1982,39 @@ index 912cad59714..709d32912ca 100644 + "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); + add(p, "Signature", "SHA3-512withDSAinP1363Format", + "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -+ /* -+ * Key Pair Generator engines -+ */ -+ attrs.clear(); -+ attrs.put("ImplementedIn", "Software"); -+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only ++ } + +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); + /* + * Key Pair Generator engines + */ +@@ -184,9 +192,11 @@ public final class SunEntries { + attrs.put("ImplementedIn", "Software"); + attrs.put("KeySize", "2048"); // for DSA KPG and APG only - String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; - dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); - addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ if (!systemFipsEnabled) { + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; + dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); + addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); @@ -2049,7 +2022,7 @@ index 912cad59714..709d32912ca 100644 /* * Algorithm Parameter Generator engines -@@ -201,40 +208,42 @@ public final class SunEntries { +@@ -201,40 +211,42 @@ public final class SunEntries { addWithAlias(p, "AlgorithmParameters", "DSA", "sun.security.provider.DSAParameters", attrs); @@ -2126,7 +2099,7 @@ index 912cad59714..709d32912ca 100644 /* * Certificates diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java -index ca79f25cc44..225517ac69b 100644 +index ca79f25cc44..a12fcbbd6e7 100644 --- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java @@ -27,6 +27,7 @@ package sun.security.rsa; @@ -2148,19 +2121,7 @@ index ca79f25cc44..225517ac69b 100644 private void add(Provider p, String type, String algo, String cn, List aliases, HashMap attrs) { services.add(new Provider.Service(p, type, algo, cn, -@@ -56,49 +61,58 @@ public final class SunRsaSignEntries { - // start populating content using the specified provider - // common attribute map - HashMap attrs = new HashMap<>(3); -- attrs.put("SupportedKeyClasses", -- "java.security.interfaces.RSAPublicKey" + -- "|java.security.interfaces.RSAPrivateKey"); -+ if (!systemFipsEnabled) { -+ attrs.put("SupportedKeyClasses", -+ "java.security.interfaces.RSAPublicKey" + -+ "|java.security.interfaces.RSAPrivateKey"); -+ } - +@@ -63,42 +68,49 @@ public final class SunRsaSignEntries { add(p, "KeyFactory", "RSA", "sun.security.rsa.RSAKeyFactory$Legacy", getAliases("PKCS1"), null); @@ -2547,10 +2508,10 @@ index 00000000000..dc8bc72fccb + } +} diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index 63be286686d..b0a589c3fb4 100644 +index 50944836820..9391ad0d798 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security -@@ -79,6 +79,16 @@ security.provider.tbd=Apple +@@ -82,6 +82,17 @@ security.provider.tbd=Apple #endif security.provider.tbd=SunPKCS11 @@ -2563,11 +2524,12 @@ index 63be286686d..b0a589c3fb4 100644 +fips.provider.4=SunJSSE +fips.provider.5=SunJCE +fips.provider.6=SunRsaSign ++fips.provider.7=XMLDSig + # # A list of preferred providers for specific algorithms. These providers will # be searched for matching algorithms before the list of registered providers. -@@ -289,6 +299,47 @@ policy.ignoreIdentityScope=false +@@ -292,6 +303,47 @@ policy.ignoreIdentityScope=false # keystore.type=pkcs12 @@ -2615,7 +2577,7 @@ index 63be286686d..b0a589c3fb4 100644 # # Controls compatibility mode for JKS and PKCS12 keystore types. # -@@ -326,6 +377,13 @@ package.definition=sun.misc.,\ +@@ -329,6 +381,13 @@ package.definition=sun.misc.,\ # security.overridePropertiesFile=true @@ -2631,7 +2593,7 @@ index 63be286686d..b0a589c3fb4 100644 # the javax.net.ssl package. diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in new file mode 100644 -index 00000000000..55bbba98b7a +index 00000000000..6de716e6b42 --- /dev/null +++ b/src/java.base/share/conf/security/nss.fips.cfg.in @@ -0,0 +1,8 @@ @@ -2644,10 +2606,10 @@ index 00000000000..55bbba98b7a +attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } + diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy -index b22f26947af..3ee2ce6ea88 100644 +index 9bd5dd53bd3..d1eba14c252 100644 --- a/src/java.base/share/lib/security/default.policy +++ b/src/java.base/share/lib/security/default.policy -@@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" { +@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.charsets" { grant codeBase "jrt:/jdk.crypto.ec" { permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; @@ -2655,7 +2617,7 @@ index b22f26947af..3ee2ce6ea88 100644 permission java.lang.RuntimePermission "loadLibrary.sunec"; permission java.security.SecurityPermission "putProviderProperty.SunEC"; permission java.security.SecurityPermission "clearProviderProperties.SunEC"; -@@ -130,6 +131,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { +@@ -133,6 +134,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { grant codeBase "jrt:/jdk.crypto.cryptoki" { permission java.lang.RuntimePermission "accessClassInPackage.com.sun.crypto.provider"; @@ -2663,6 +2625,15 @@ index b22f26947af..3ee2ce6ea88 100644 permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; +@@ -143,6 +145,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read"; ++ permission java.util.PropertyPermission "fips.nssdb.path", "read,write"; ++ permission java.util.PropertyPermission "fips.nssdb.pin", "read"; + permission java.security.SecurityPermission "putProviderProperty.*"; + permission java.security.SecurityPermission "clearProviderProperties.*"; + permission java.security.SecurityPermission "removeProviderProperty.*"; diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c new file mode 100644 index 00000000000..ddf9befe5bc @@ -3525,7 +3496,7 @@ index 00000000000..f8d505ca815 +} \ No newline at end of file diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index 9b69072280e..5696b904979 100644 +index 006aa67f621..fd86a52e65c 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java @@ -37,6 +37,8 @@ import javax.crypto.*; @@ -3547,35 +3518,27 @@ index 9b69072280e..5696b904979 100644 private static final long serialVersionUID = -2575874101938349339L; private static final String PUBLIC = "public"; -@@ -136,9 +141,7 @@ abstract class P11Key implements Key, Length { - this.tokenObject = tokenObject; - this.sensitive = sensitive; - this.extractable = extractable; -- char[] tokenLabel = this.token.tokenInfo.label; -- boolean isNSS = (tokenLabel[0] == 'N' && tokenLabel[1] == 'S' -- && tokenLabel[2] == 'S'); -+ boolean isNSS = P11Util.isNSS(this.token); - boolean extractKeyInfo = (!DISABLE_NATIVE_KEYS_EXTRACTION && isNSS && - extractable && !tokenObject); - this.keyIDHolder = new NativeKeyHolder(this, keyID, session, -@@ -379,7 +382,9 @@ abstract class P11Key implements Key, Length { - new CK_ATTRIBUTE(CKA_SENSITIVE), - new CK_ATTRIBUTE(CKA_EXTRACTABLE), +@@ -406,9 +411,10 @@ abstract class P11Key implements Key, Length { + new CK_ATTRIBUTE(CKA_EXTRACTABLE), }); -- if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) { + +- boolean keySensitive = +- (attrs[0].getBoolean() && P11Util.isNSS(session.token)) || +- attrs[1].getBoolean() || !attrs[2].getBoolean(); + boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); -+ if (!exportable && (attributes[1].getBoolean() || -+ (attributes[2].getBoolean() == false))) { - return new P11PrivateKey - (session, keyID, algorithm, keyLength, attributes); - } else { -@@ -461,7 +466,8 @@ abstract class P11Key implements Key, Length { - } ++ boolean keySensitive = (!exportable && ++ ((attrs[0].getBoolean() && P11Util.isNSS(session.token)) || ++ attrs[1].getBoolean() || !attrs[2].getBoolean())); + + switch (algorithm) { + case "RSA": +@@ -463,7 +469,8 @@ abstract class P11Key implements Key, Length { + public String getFormat() { token.ensureValid(); -- if (sensitive || (extractable == false)) { +- if (sensitive || !extractable || (isNSS && tokenObject)) { + if (!plainKeySupportEnabled && -+ (sensitive || (extractable == false))) { ++ (sensitive || !extractable || (isNSS && tokenObject))) { return null; } else { return "RAW"; @@ -3837,7 +3800,7 @@ index 00000000000..ae4262703e6 + +} diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java -index 8d1b8ccb0ae..950ed20cf62 100644 +index 8d1b8ccb0ae..7ea9b4c5e7f 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java @@ -31,6 +31,7 @@ import java.security.*; @@ -3848,7 +3811,7 @@ index 8d1b8ccb0ae..950ed20cf62 100644 import javax.crypto.spec.*; import static sun.security.pkcs11.TemplateManager.*; -@@ -194,6 +195,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { +@@ -194,6 +195,130 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { return p11Key; } @@ -3877,9 +3840,11 @@ index 8d1b8ccb0ae..950ed20cf62 100644 + } + + if (kdfData.kdfMech == CKM_PKCS5_PBKD2) { -+ CK_VERSION p11Ver = token.p11.getInfo().cryptokiVersion; -+ if (P11Util.isNSS(token) || p11Ver.major < 2 || -+ p11Ver.major == 2 && p11Ver.minor < 40) { ++ CK_INFO p11Info = token.p11.getInfo(); ++ CK_VERSION p11Ver = (p11Info != null ? p11Info.cryptokiVersion ++ : null); ++ if (P11Util.isNSS(token) || p11Ver != null && (p11Ver.major < ++ 2 || p11Ver.major == 2 && p11Ver.minor < 40)) { + // NSS keeps using the old structure beyond PKCS #11 v2.40 + ckMech = new CK_MECHANISM(kdfData.kdfMech, + new CK_PKCS5_PBKD2_PARAMS(password, salt, @@ -3977,7 +3942,7 @@ index 8d1b8ccb0ae..950ed20cf62 100644 static void fixDESParity(byte[] key, int offset) { for (int i = 0; i < 8; i++) { int b = key[offset] & 0xfe; -@@ -320,6 +443,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { +@@ -320,6 +445,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { keySpec = new SecretKeySpec(keyBytes, "DESede"); return engineGenerateSecret(keySpec); } @@ -3987,7 +3952,7 @@ index 8d1b8ccb0ae..950ed20cf62 100644 } throw new InvalidKeySpecException ("Unsupported spec: " + keySpec.getClass().getName()); -@@ -373,6 +499,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { +@@ -373,6 +501,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { // see JCE spec protected SecretKey engineTranslateKey(SecretKey key) throws InvalidKeyException { @@ -3998,7 +3963,7 @@ index 8d1b8ccb0ae..950ed20cf62 100644 } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java -index 262cfc062ad..72b64f72c0a 100644 +index cabee449346..72b64f72c0a 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java @@ -27,6 +27,10 @@ package sun.security.pkcs11; @@ -4012,7 +3977,7 @@ index 262cfc062ad..72b64f72c0a 100644 /** * Collection of static utility methods. -@@ -40,10 +44,106 @@ public final class P11Util { +@@ -40,6 +44,93 @@ public final class P11Util { private static volatile Provider sun, sunRsaSign, sunJce; @@ -4106,21 +4071,8 @@ index 262cfc062ad..72b64f72c0a 100644 private P11Util() { // empty } - -+ static boolean isNSS(Token token) { -+ char[] tokenLabel = token.tokenInfo.label; -+ if (tokenLabel != null && tokenLabel.length >= 3) { -+ return (tokenLabel[0] == 'N' && tokenLabel[1] == 'S' -+ && tokenLabel[2] == 'S'); -+ } -+ return false; -+ } -+ - static Provider getSunProvider() { - Provider p = sun; - if (p == null) { diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index aa35e8fa668..f4d7c9cc201 100644 +index 00fbbcfe07c..b5a30c6da4e 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -26,6 +26,9 @@ @@ -4186,7 +4138,7 @@ index aa35e8fa668..f4d7c9cc201 100644 private static final long serialVersionUID = -1354835039035306505L; static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -115,6 +153,18 @@ public final class SunPKCS11 extends AuthProvider { +@@ -115,6 +153,29 @@ public final class SunPKCS11 extends AuthProvider { return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { @Override public SunPKCS11 run() throws Exception { @@ -4197,15 +4149,26 @@ index aa35e8fa668..f4d7c9cc201 100644 + * fips.nssdb.path System property after expansion. + * Security properties expansion is unsupported. + */ -+ System.setProperty( -+ FIPS_NSSDB_PATH_PROP, ++ String nssdbPath = + SecurityProperties.privilegedGetOverridable( -+ FIPS_NSSDB_PATH_PROP)); ++ FIPS_NSSDB_PATH_PROP); ++ if (System.getSecurityManager() != null) { ++ AccessController.doPrivileged( ++ (PrivilegedAction) () -> { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, ++ nssdbPath); ++ return null; ++ }); ++ } else { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, nssdbPath); ++ } + } return new SunPKCS11(new Config(newConfigName)); } }); -@@ -320,10 +370,19 @@ public final class SunPKCS11 extends AuthProvider { +@@ -320,10 +381,19 @@ public final class SunPKCS11 extends AuthProvider { // request multithreaded access first initArgs.flags = CKF_OS_LOCKING_OK; PKCS11 tmpPKCS11; @@ -4226,7 +4189,7 @@ index aa35e8fa668..f4d7c9cc201 100644 } catch (PKCS11Exception e) { if (debug != null) { debug.println("Multi-threaded initialization failed: " + e); -@@ -339,11 +398,12 @@ public final class SunPKCS11 extends AuthProvider { +@@ -339,11 +409,12 @@ public final class SunPKCS11 extends AuthProvider { initArgs.flags = 0; } tmpPKCS11 = PKCS11.getInstance(library, @@ -4241,7 +4204,7 @@ index aa35e8fa668..f4d7c9cc201 100644 if (p11Info.cryptokiVersion.major < 2) { throw new ProviderException("Only PKCS#11 v2.0 and later " + "supported, library version is v" + p11Info.cryptokiVersion); -@@ -417,14 +477,19 @@ public final class SunPKCS11 extends AuthProvider { +@@ -417,14 +488,19 @@ public final class SunPKCS11 extends AuthProvider { final String className; final List aliases; final int[] mechanisms; @@ -4262,7 +4225,7 @@ index aa35e8fa668..f4d7c9cc201 100644 } private P11Service service(Token token, int mechanism) { return new P11Service -@@ -458,18 +523,29 @@ public final class SunPKCS11 extends AuthProvider { +@@ -458,18 +534,29 @@ public final class SunPKCS11 extends AuthProvider { private static void d(String type, String algorithm, String className, int[] m) { @@ -4295,7 +4258,7 @@ index aa35e8fa668..f4d7c9cc201 100644 } private static void register(Descriptor d) { -@@ -525,6 +601,7 @@ public final class SunPKCS11 extends AuthProvider { +@@ -525,6 +612,7 @@ public final class SunPKCS11 extends AuthProvider { String P11Cipher = "sun.security.pkcs11.P11Cipher"; String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher"; @@ -4303,7 +4266,7 @@ index aa35e8fa668..f4d7c9cc201 100644 String P11Signature = "sun.security.pkcs11.P11Signature"; String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature"; -@@ -587,6 +664,30 @@ public final class SunPKCS11 extends AuthProvider { +@@ -587,6 +675,30 @@ public final class SunPKCS11 extends AuthProvider { d(MAC, "SslMacSHA1", P11Mac, m(CKM_SSL3_SHA1_MAC)); @@ -4334,7 +4297,7 @@ index aa35e8fa668..f4d7c9cc201 100644 d(KPG, "RSA", P11KeyPairGenerator, getAliases("PKCS1"), m(CKM_RSA_PKCS_KEY_PAIR_GEN)); -@@ -685,6 +786,66 @@ public final class SunPKCS11 extends AuthProvider { +@@ -685,6 +797,66 @@ public final class SunPKCS11 extends AuthProvider { d(SKF, "ChaCha20", P11SecretKeyFactory, m(CKM_CHACHA20_POLY1305)); @@ -4401,7 +4364,7 @@ index aa35e8fa668..f4d7c9cc201 100644 // XXX attributes for Ciphers (supported modes, padding) dA(CIP, "ARCFOUR", P11Cipher, m(CKM_RC4)); -@@ -754,6 +915,46 @@ public final class SunPKCS11 extends AuthProvider { +@@ -754,6 +926,46 @@ public final class SunPKCS11 extends AuthProvider { d(CIP, "RSA/ECB/NoPadding", P11RSACipher, m(CKM_RSA_X_509)); @@ -4448,10 +4411,10 @@ index aa35e8fa668..f4d7c9cc201 100644 d(SIG, "RawDSA", P11Signature, List.of("NONEwithDSA"), m(CKM_DSA)); -@@ -1144,9 +1345,21 @@ public final class SunPKCS11 extends AuthProvider { - if (ds == null) { +@@ -1120,9 +1332,21 @@ public final class SunPKCS11 extends AuthProvider { continue; } + boolean allowLegacy = config.getAllowLegacy(); + descLoop: for (Descriptor d : ds) { Integer oldMech = supportedAlgs.get(d); @@ -4467,10 +4430,16 @@ index aa35e8fa668..f4d7c9cc201 100644 + } + } + } - supportedAlgs.put(d, integerMech); - continue; - } -@@ -1225,6 +1438,27 @@ public final class SunPKCS11 extends AuthProvider { + + // assume full support if no mech info available + if (!allowLegacy && mechInfo != null) { +@@ -1211,11 +1435,52 @@ public final class SunPKCS11 extends AuthProvider { + } + + @Override ++ @SuppressWarnings("removal") + public Object newInstance(Object param) + throws NoSuchAlgorithmException { if (token.isValid() == false) { throw new NoSuchAlgorithmException("Token has been removed"); } @@ -4488,7 +4457,26 @@ index aa35e8fa668..f4d7c9cc201 100644 + * property. + */ + try { -+ token.ensureLoggedIn(null); ++ if (System.getSecurityManager() != null) { ++ try { ++ AccessController.doPrivileged( ++ (PrivilegedExceptionAction) () -> { ++ token.ensureLoggedIn(null); ++ return null; ++ }); ++ } catch (PrivilegedActionException pae) { ++ Exception e = pae.getException(); ++ if (e instanceof LoginException le) { ++ throw le; ++ } else if (e instanceof PKCS11Exception p11e) { ++ throw p11e; ++ } else { ++ throw new RuntimeException(e); ++ } ++ } ++ } else { ++ token.ensureLoggedIn(null); ++ } + } catch (PKCS11Exception | LoginException e) { + throw new ProviderException("FIPS: error during the Token" + + " login required for the " + getType() + @@ -4498,7 +4486,7 @@ index aa35e8fa668..f4d7c9cc201 100644 try { return newInstance0(param); } catch (PKCS11Exception e) { -@@ -1244,6 +1478,8 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1235,6 +1500,8 @@ public final class SunPKCS11 extends AuthProvider { } else if (algorithm.endsWith("GCM/NoPadding") || algorithm.startsWith("ChaCha20-Poly1305")) { return new P11AEADCipher(token, algorithm, mechanism); @@ -4507,7 +4495,7 @@ index aa35e8fa668..f4d7c9cc201 100644 } else { return new P11Cipher(token, algorithm, mechanism); } -@@ -1579,6 +1815,9 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1570,6 +1837,9 @@ public final class SunPKCS11 extends AuthProvider { try { session = token.getOpSession(); p11.C_Logout(session.id()); @@ -4518,7 +4506,7 @@ index aa35e8fa668..f4d7c9cc201 100644 debug.println("logout succeeded"); } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java -index 9858a5faedf..e63585486d9 100644 +index 1f94fe3e18a..99eec2114e4 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java @@ -33,6 +33,7 @@ import java.lang.ref.*; @@ -4604,7 +4592,7 @@ index 0c9ebb289c1..b4b2448464d 100644 // CK_MECHANISM(long) constructor and setParameter(CK_RSA_PKCS_PSS_PARAMS) // methods instead of creating yet another constructor diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java -index e8b048869c4..a25fa1c39e5 100644 +index 7b874ced493..d6c291ebc57 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java @@ -50,15 +50,15 @@ package sun.security.pkcs11.wrapper; @@ -4907,7 +4895,7 @@ index 1f9c4d39f57..5e3c1b9d29f 100644 public String toString() { StringBuilder sb = new StringBuilder(); diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 5c0aacd1a67..5fbf8addcba 100644 +index 421c4212361..4e6520e70a1 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java @@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; @@ -4924,12 +4912,12 @@ index 5c0aacd1a67..5fbf8addcba 100644 private long pNativeData; -+ private CK_INFO pInfo; ++ private volatile CK_INFO pInfo; + /** * This method does the initialization of the native library. It is called * exactly once for this class. -@@ -145,23 +150,49 @@ public class PKCS11 { +@@ -145,23 +150,48 @@ public class PKCS11 { * @postconditions */ PKCS11(String pkcs11ModulePath, String functionListName) @@ -4937,9 +4925,8 @@ index 5c0aacd1a67..5fbf8addcba 100644 + throws IOException, PKCS11Exception { connect(pkcs11ModulePath, functionListName); this.pkcs11ModulePath = pkcs11ModulePath; -+ pInfo = C_GetInfo(); -+ } -+ + } + + /* + * Compatibility wrapper to allow this method to work as before + * when FIPS mode support is not active. @@ -4949,8 +4936,8 @@ index 5c0aacd1a67..5fbf8addcba 100644 + boolean omitInitialize) throws IOException, PKCS11Exception { + return getInstance(pkcs11ModulePath, functionList, + pInitArgs, omitInitialize, null, null); - } - ++ } ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, String functionList, CK_C_INITIALIZE_ARGS pInitArgs, - boolean omitInitialize) throws IOException, PKCS11Exception { @@ -4983,7 +4970,7 @@ index 5c0aacd1a67..5fbf8addcba 100644 } if (omitInitialize == false) { try { -@@ -179,6 +210,14 @@ public class PKCS11 { +@@ -179,6 +209,28 @@ public class PKCS11 { return pkcs11; } @@ -4992,13 +4979,27 @@ index 5c0aacd1a67..5fbf8addcba 100644 + * C_GetInfo. This structure represent Cryptoki library information. + */ + public CK_INFO getInfo() { -+ return pInfo; ++ CK_INFO lPInfo = pInfo; ++ if (lPInfo == null) { ++ synchronized (this) { ++ lPInfo = pInfo; ++ if (lPInfo == null) { ++ try { ++ lPInfo = C_GetInfo(); ++ pInfo = lPInfo; ++ } catch (PKCS11Exception e) { ++ // Some PKCS #11 tokens require initialization first. ++ } ++ } ++ } ++ } ++ return lPInfo; + } + /** * Connects this object to the specified PKCS#11 library. This method is for * internal use only. -@@ -1625,7 +1664,7 @@ public class PKCS11 { +@@ -1661,7 +1713,7 @@ public class PKCS11 { static class SynchronizedPKCS11 extends PKCS11 { SynchronizedPKCS11(String pkcs11ModulePath, String functionListName) @@ -5007,7 +5008,7 @@ index 5c0aacd1a67..5fbf8addcba 100644 super(pkcs11ModulePath, functionListName); } -@@ -1911,4 +1950,194 @@ static class SynchronizedPKCS11 extends PKCS11 { +@@ -1947,4 +1999,194 @@ static class SynchronizedPKCS11 extends PKCS11 { super.C_GenerateRandom(hSession, randomData); } } @@ -5265,10 +5266,10 @@ index 0d65ee26805..38fd4aff1f3 100644 + /* (CKM_NSS + 32) */ = 0xCE534370L; } diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c -index d941b574cc7..e2de13648be 100644 +index 376fd999261..d2b2b2e8013 100644 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c -@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam, +@@ -1517,6 +1517,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam, case CKM_PBE_SHA1_DES3_EDE_CBC: case CKM_PBE_SHA1_DES2_EDE_CBC: case CKM_PBA_SHA1_WITH_SHA1_HMAC: @@ -5279,7 +5280,7 @@ index d941b574cc7..e2de13648be 100644 ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength); break; case CKM_PKCS5_PBKD2: -@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) +@@ -1660,13 +1664,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) // retrieve java values jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); if (jPbeParamsClass == NULL) { return NULL; } @@ -5295,7 +5296,7 @@ index d941b574cc7..e2de13648be 100644 if (fieldID == NULL) { return NULL; } jSalt = (*env)->GetObjectField(env, jParam, fieldID); fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J"); -@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) +@@ -1682,15 +1686,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) // populate using java values ckParamPtr->ulIteration = jLongToCKULong(jIteration); @@ -5314,7 +5315,7 @@ index d941b574cc7..e2de13648be 100644 if ((*env)->ExceptionCheck(env)) { goto cleanup; } -@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job +@@ -1769,31 +1773,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job } } @@ -5383,7 +5384,7 @@ index d941b574cc7..e2de13648be 100644 fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J"); if (fieldID == NULL) { return NULL; } jSaltSource = (*env)->GetLongField(env, jParam, fieldID); -@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL +@@ -1809,36 +1841,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B"); if (fieldID == NULL) { return NULL; } jPrfData = (*env)->GetObjectField(env, jParam, fieldID); @@ -5457,7 +5458,7 @@ index d941b574cc7..e2de13648be 100644 return NULL; diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c -index 520bd52a2cd..aa76945283d 100644 +index 537bab224a0..3fd23558d3b 100644 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c @@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) { @@ -5489,7 +5490,7 @@ index 520bd52a2cd..aa76945283d 100644 // PBE mechs, WTLS mechs, CMS mechs, // CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP, // CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_* -@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO +@@ -528,12 +544,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO jboolean* jpTemp; CK_ULONG i; @@ -5504,7 +5505,7 @@ index 520bd52a2cd..aa76945283d 100644 jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean)); if (jpTemp == NULL) { throwOutOfMemoryError(env, 0); -@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR * +@@ -570,12 +585,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR * jbyte* jpTemp; CK_ULONG i; @@ -5519,7 +5520,7 @@ index 520bd52a2cd..aa76945283d 100644 jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte)); if (jpTemp == NULL) { throwOutOfMemoryError(env, 0); -@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR +@@ -617,12 +631,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR jlong* jTemp; CK_ULONG i; @@ -5534,7 +5535,7 @@ index 520bd52a2cd..aa76945283d 100644 jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong)); if (jTemp == NULL) { throwOutOfMemoryError(env, 0); -@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR * +@@ -659,12 +672,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR * jchar* jpTemp; CK_ULONG i; @@ -5549,7 +5550,7 @@ index 520bd52a2cd..aa76945283d 100644 jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar)); if (jpTemp == NULL) { throwOutOfMemoryError(env, 0); -@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH +@@ -701,12 +713,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH jchar* jTemp; CK_ULONG i; @@ -5909,3 +5910,1318 @@ index 8c9e4f9dbe6..883dc04758e 100644 } } +diff --git a/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java b/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java +new file mode 100644 +index 00000000000..a184a169732 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java +@@ -0,0 +1,233 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.math.BigInteger; ++import java.security.AlgorithmParameters; ++import java.security.NoSuchAlgorithmException; ++import java.security.Provider; ++import java.security.SecureRandom; ++import java.security.Security; ++import java.util.Map; ++ ++import javax.crypto.Cipher; ++import javax.crypto.SecretKey; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.interfaces.PBEKey; ++import javax.crypto.spec.IvParameterSpec; ++import javax.crypto.spec.PBEKeySpec; ++import javax.crypto.spec.PBEParameterSpec; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary test password based encryption on SunPKCS11's Cipher service ++ * @requires (jdk.version.major >= 8) ++ * @library /test/lib .. ++ * @run main/othervm/timeout=30 PBECipher ++ */ ++ ++public final class PBECipher { ++ public static void main(String[] args) throws Exception { ++ java.security.Security.getProviders(); ++ PBECipher2.main(args); ++ } ++} ++ ++final class PBECipher2 extends PKCS11Test { ++ private static final char[] password = "123456".toCharArray(); ++ private static final byte[] salt = "abcdefgh".getBytes(); ++ private static final byte[] iv = new byte[16]; ++ private static final int iterations = 1000; ++ private static final String plainText = "This is a know plain text!"; ++ private static final String sep = ++ "========================================================================="; ++ ++ private static enum Configuration { ++ // Provide salt and iterations through a PBEParameterSpec instance ++ PBEParameterSpec, ++ ++ // Provide salt and iterations through a AlgorithmParameters instance ++ AlgorithmParameters, ++ ++ // Provide salt and iterations through an anonymous class implementing ++ // the javax.crypto.interfaces.PBEKey interface ++ AnonymousPBEKey, ++ } ++ ++ private static Provider sunJCE = Security.getProvider("SunJCE"); ++ ++ // Generated with SunJCE ++ private static final Map assertionData = Map.of( ++ "PBEWithHmacSHA1AndAES_128", new BigInteger("8eebe98a580fb09d026" + ++ "dbfe60b3733b079e0de9ea7b0b1ccba011a1652d1e257", 16), ++ "PBEWithHmacSHA224AndAES_128", new BigInteger("1cbabdeb5d483af4a" + ++ "841942f4b1095b7d6f60e46fabfd2609c015adc38cc227", 16), ++ "PBEWithHmacSHA256AndAES_128", new BigInteger("4d82f6591df3508d2" + ++ "4531f06cdc4f90f4bdab7aeb07fbb57a3712e999d5b6f59", 16), ++ "PBEWithHmacSHA384AndAES_128", new BigInteger("3a0ed0959d51f40b9" + ++ "ba9f506a5277f430521f2fbe1ba94bae368835f221b6cb9", 16), ++ "PBEWithHmacSHA512AndAES_128", new BigInteger("1388287a446009309" + ++ "1418f4eca3ba1735b1fa025423d74ced36ce578d8ebf9da", 16), ++ "PBEWithHmacSHA1AndAES_256", new BigInteger("80f8208daab27ed02dd" + ++ "8a354ef6f23ff7813c84dd1c8a1b081d6f4dee27182a2", 16), ++ "PBEWithHmacSHA224AndAES_256", new BigInteger("7e3b9ce20aec2e52f" + ++ "f6c781602d4f79a55a88495b5217f1e22e1a068268e6247", 16), ++ "PBEWithHmacSHA256AndAES_256", new BigInteger("9d6a8b6a351dfd0dd" + ++ "9e9f45924b2860dca7719c4c07e207a64ebc1acd16cc157", 16), ++ "PBEWithHmacSHA384AndAES_256", new BigInteger("6f1b386cee3a8e2d9" + ++ "8c2e81828da0467dec8b989d22258efeab5932580d01d53", 16), ++ "PBEWithHmacSHA512AndAES_256", new BigInteger("30aaa346b2edd394f" + ++ "50916187876ac32f1287b19d55c5eea6f7ef9b84aaf291e", 16) ++ ); ++ ++ private static final class NoRandom extends SecureRandom { ++ @Override ++ public void nextBytes(byte[] bytes) { ++ return; ++ } ++ } ++ ++ public void main(Provider sunPKCS11) throws Exception { ++ System.out.println("SunPKCS11: " + sunPKCS11.getName()); ++ for (Configuration conf : Configuration.values()) { ++ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_256", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_256", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_256", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_256", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_256", conf); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private void testWith(Provider sunPKCS11, String algorithm, ++ Configuration conf) throws Exception { ++ System.out.println(sep + System.lineSeparator() + algorithm ++ + " (with " + conf.name() + ")"); ++ ++ Cipher pbeCipher = getCipher(sunPKCS11, algorithm, conf); ++ BigInteger cipherText = new BigInteger(1, pbeCipher.doFinal( ++ plainText.getBytes())); ++ printByteArray("Cipher Text", cipherText); ++ ++ BigInteger expectedCipherText = null; ++ if (sunJCE != null) { ++ Cipher c = getCipher(sunJCE, algorithm, conf); ++ if (c != null) { ++ expectedCipherText = new BigInteger(1, c.doFinal( ++ plainText.getBytes())); ++ } else { ++ // Move to assertionData as it's unlikely that any of ++ // the algorithms are available. ++ sunJCE = null; ++ } ++ } ++ if (expectedCipherText == null) { ++ // If SunJCE or the algorithm are not available, assertionData ++ // is used instead. ++ expectedCipherText = assertionData.get(algorithm); ++ } ++ ++ if (!cipherText.equals(expectedCipherText)) { ++ printByteArray("Expected Cipher Text", expectedCipherText); ++ throw new Exception("Expected Cipher Text did not match"); ++ } ++ } ++ ++ private Cipher getCipher(Provider p, String algorithm, ++ Configuration conf) throws Exception { ++ Cipher pbeCipher = null; ++ try { ++ pbeCipher = Cipher.getInstance(algorithm, p); ++ } catch (NoSuchAlgorithmException e) { ++ return null; ++ } ++ switch (conf) { ++ case PBEParameterSpec, AlgorithmParameters -> { ++ SecretKey key = getPasswordOnlyPBEKey(); ++ PBEParameterSpec paramSpec = new PBEParameterSpec( ++ salt, iterations, new IvParameterSpec(iv)); ++ switch (conf) { ++ case PBEParameterSpec -> { ++ pbeCipher.init(Cipher.ENCRYPT_MODE, key, paramSpec); ++ } ++ case AlgorithmParameters -> { ++ AlgorithmParameters algoParams = ++ AlgorithmParameters.getInstance("PBES2"); ++ algoParams.init(paramSpec); ++ pbeCipher.init(Cipher.ENCRYPT_MODE, key, algoParams); ++ } ++ } ++ } ++ case AnonymousPBEKey -> { ++ SecretKey key = getPasswordSaltIterationsPBEKey(); ++ pbeCipher.init(Cipher.ENCRYPT_MODE, key, new NoRandom()); ++ } ++ } ++ return pbeCipher; ++ } ++ ++ private static SecretKey getPasswordOnlyPBEKey() throws Exception { ++ PBEKeySpec keySpec = new PBEKeySpec(password); ++ SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE"); ++ SecretKey skey = skFac.generateSecret(keySpec); ++ keySpec.clearPassword(); ++ return skey; ++ } ++ ++ private static SecretKey getPasswordSaltIterationsPBEKey() { ++ return new PBEKey() { ++ public byte[] getSalt() { return salt.clone(); } ++ public int getIterationCount() { return iterations; } ++ public String getAlgorithm() { return "PBE"; } ++ public String getFormat() { return "RAW"; } ++ public char[] getPassword() { return null; } // unused in PBE Cipher ++ public byte[] getEncoded() { ++ byte[] passwdBytes = new byte[password.length]; ++ for (int i = 0; i < password.length; i++) ++ passwdBytes[i] = (byte) (password[i] & 0x7f); ++ return passwdBytes; ++ } ++ }; ++ } ++ ++ private static void printByteArray(String title, BigInteger b) { ++ String repr = (b == null) ? "buffer is null" : b.toString(16); ++ System.out.println(title + ": " + repr + System.lineSeparator()); ++ } ++ ++ public static void main(String[] args) throws Exception { ++ PBECipher2 test = new PBECipher2(); ++ Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); ++ if (p != null) { ++ test.main(p); ++ } else { ++ main(test); ++ } ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java b/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java +new file mode 100644 +index 00000000000..360e11c339d +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java +@@ -0,0 +1,137 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.io.ByteArrayInputStream; ++import java.io.ByteArrayOutputStream; ++import java.security.Key; ++import java.security.KeyStore; ++import java.security.KeyStoreException; ++import java.security.MessageDigest; ++import java.security.Provider; ++import java.security.Security; ++ ++import javax.crypto.spec.SecretKeySpec; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary test SunPKCS11's password based privacy and integrity ++ * applied to PKCS#12 keystores ++ * @requires (jdk.version.major >= 8) ++ * @library /test/lib .. ++ * @modules java.base/sun.security.util ++ * @run main/othervm/timeout=30 -Dcom.redhat.fips=false -DNO_DEFAULT=true ImportKeyToP12 ++ */ ++ ++public final class ImportKeyToP12 { ++ public static void main(String[] args) throws Exception { ++ java.security.Security.getProviders(); ++ ImportKeyToP122.main(args); ++ } ++} ++ ++final class ImportKeyToP122 extends PKCS11Test { ++ private static final String alias = "alias"; ++ private static final char[] password = "123456".toCharArray(); ++ private static final Key key = new SecretKeySpec(new byte[] { ++ 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, ++ 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf }, "AES"); ++ private static final String[] pbeCipherAlgs = new String[] { ++ "PBEWithHmacSHA1AndAES_128", "PBEWithHmacSHA224AndAES_128", ++ "PBEWithHmacSHA256AndAES_128", "PBEWithHmacSHA384AndAES_128", ++ "PBEWithHmacSHA512AndAES_128", "PBEWithHmacSHA1AndAES_256", ++ "PBEWithHmacSHA224AndAES_256", "PBEWithHmacSHA256AndAES_256", ++ "PBEWithHmacSHA384AndAES_256", "PBEWithHmacSHA512AndAES_256" ++ }; ++ private static final String[] pbeMacAlgs = new String[] { ++ "HmacPBESHA1", "HmacPBESHA224", "HmacPBESHA256", ++ "HmacPBESHA384", "HmacPBESHA512" ++ }; ++ private static final KeyStore p12; ++ private static final String sep = ++ "========================================================================="; ++ ++ static { ++ KeyStore tP12 = null; ++ try { ++ tP12 = KeyStore.getInstance("PKCS12"); ++ } catch (KeyStoreException e) {} ++ p12 = tP12; ++ } ++ ++ public void main(Provider sunPKCS11) throws Exception { ++ System.out.println("SunPKCS11: " + sunPKCS11.getName()); ++ // Test all privacy PBE algorithms with an integrity algorithm fixed ++ for (String pbeCipherAlg : pbeCipherAlgs) { ++ testWith(sunPKCS11, pbeCipherAlg, pbeMacAlgs[0]); ++ } ++ // Test all integrity PBE algorithms with a privacy algorithm fixed ++ for (String pbeMacAlg : pbeMacAlgs) { ++ testWith(sunPKCS11, pbeCipherAlgs[0], pbeMacAlg); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ /* ++ * Consistency test: 1) store a secret key in a PKCS#12 keystore using ++ * PBE algorithms from SunPKCS11 and, 2) read the secret key from the ++ * PKCS#12 keystore using PBE algorithms from other security providers ++ * such as SunJCE. ++ */ ++ private void testWith(Provider sunPKCS11, String pbeCipherAlg, ++ String pbeMacAlg) throws Exception { ++ System.out.println(sep + System.lineSeparator() + ++ "Cipher PBE: " + pbeCipherAlg + System.lineSeparator() + ++ "Mac PBE: " + pbeMacAlg); ++ ++ System.setProperty("keystore.pkcs12.macAlgorithm", pbeMacAlg); ++ System.setProperty("keystore.pkcs12.keyProtectionAlgorithm", ++ pbeCipherAlg); ++ ++ // Create an empty PKCS#12 keystore ++ ByteArrayOutputStream baos = new ByteArrayOutputStream(); ++ p12.load(null, password); ++ ++ // Use PBE privacy and integrity algorithms from SunPKCS11 to store ++ // the secret key ++ Security.insertProviderAt(sunPKCS11, 1); ++ p12.setKeyEntry(alias, key, password, null); ++ p12.store(baos, password); ++ ++ // Use PBE privacy and integrity algorithms from other security ++ // providers, such as SunJCE, to read the secret key ++ Security.removeProvider(sunPKCS11.getName()); ++ p12.load(new ByteArrayInputStream(baos.toByteArray()), password); ++ Key k = p12.getKey(alias, password); ++ ++ if (!MessageDigest.isEqual(key.getEncoded(), k.getEncoded())) { ++ throw new Exception("Keys differ. Consistency check failed."); ++ } ++ System.out.println("Secret key import successful" + System.lineSeparator() + sep); ++ } ++ ++ public static void main(String[] args) throws Exception { ++ main(new ImportKeyToP122()); ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/Mac/PBAMac.java b/test/jdk/sun/security/pkcs11/Mac/PBAMac.java +new file mode 100644 +index 00000000000..6b5662f6b4c +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/Mac/PBAMac.java +@@ -0,0 +1,187 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.math.BigInteger; ++import java.security.NoSuchAlgorithmException; ++import java.security.Provider; ++import java.security.Security; ++import java.util.Map; ++ ++import javax.crypto.Mac; ++import javax.crypto.SecretKey; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.interfaces.PBEKey; ++import javax.crypto.spec.PBEKeySpec; ++import javax.crypto.spec.PBEParameterSpec; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary test password based authentication on SunPKCS11's Mac service ++ * @requires (jdk.version.major >= 8) ++ * @library /test/lib .. ++ * @run main/othervm/timeout=30 PBAMac ++ */ ++ ++public final class PBAMac { ++ public static void main(String[] args) throws Exception { ++ java.security.Security.getProviders(); ++ PBAMac2.main(args); ++ } ++} ++ ++final class PBAMac2 extends PKCS11Test { ++ private static final char[] password = "123456".toCharArray(); ++ private static final byte[] salt = "abcdefgh".getBytes(); ++ private static final int iterations = 1000; ++ private static final String plainText = "This is a know plain text!"; ++ private static final String sep = ++ "========================================================================="; ++ ++ private static enum Configuration { ++ // Provide salt & iterations through a PBEParameterSpec instance ++ PBEParameterSpec, ++ ++ // Provide salt & iterations through an anonymous class implementing ++ // the javax.crypto.interfaces.PBEKey interface ++ AnonymousPBEKey, ++ } ++ ++ // Generated with SunJCE ++ private static final Map assertionData = Map.of( ++ "HmacPBESHA1", new BigInteger("febd26da5d63ce819770a2af1fc2857e" + ++ "e2c9c41c", 16), ++ "HmacPBESHA224", new BigInteger("aa6a3a1c35a4b266fea62d1a871508" + ++ "bd45f8ec326bcf16e09699063", 16), ++ "HmacPBESHA256", new BigInteger("af4d71121fd4e9d52eb42944d99b77" + ++ "8ff64376fcf6af8d1dca3ec688dfada5c8", 16), ++ "HmacPBESHA384", new BigInteger("5d6d37764205985ffca7e4a6222752" + ++ "a8bbd0520858da08ecafdc57e6246894675e375b9ba084f9ce7142" + ++ "35f202cc3452", 16), ++ "HmacPBESHA512", new BigInteger("f586c2006cc2de73fd5743e5cca701" + ++ "c942d3741a7a54a2a649ea36898996cf3c483f2d734179b47751db" + ++ "e8373c980b4072136d2e2810f4e7276024a3e9081cc1", 16) ++ ); ++ ++ private static Provider sunJCE = Security.getProvider("SunJCE"); ++ ++ public void main(Provider sunPKCS11) throws Exception { ++ System.out.println("SunPKCS11: " + sunPKCS11.getName()); ++ for (Configuration conf : Configuration.values()) { ++ testWith(sunPKCS11, "HmacPBESHA1", conf); ++ testWith(sunPKCS11, "HmacPBESHA224", conf); ++ testWith(sunPKCS11, "HmacPBESHA256", conf); ++ testWith(sunPKCS11, "HmacPBESHA384", conf); ++ testWith(sunPKCS11, "HmacPBESHA512", conf); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private void testWith(Provider sunPKCS11, String algorithm, ++ Configuration conf) throws Exception { ++ System.out.println(sep + System.lineSeparator() + algorithm ++ + " (with " + conf.name() + ")"); ++ ++ BigInteger macResult = computeMac(sunPKCS11, algorithm, conf); ++ printByteArray("HMAC Result", macResult); ++ ++ BigInteger expectedMacResult = computeExpectedMac(algorithm, conf); ++ ++ if (!macResult.equals(expectedMacResult)) { ++ printByteArray("Expected HMAC Result", expectedMacResult); ++ throw new Exception("Expected HMAC Result did not match"); ++ } ++ } ++ ++ private BigInteger computeMac(Provider p, String algorithm, ++ Configuration conf) throws Exception { ++ Mac pbaMac; ++ try { ++ pbaMac = Mac.getInstance(algorithm, p); ++ } catch (NoSuchAlgorithmException e) { ++ return null; ++ } ++ switch (conf) { ++ case PBEParameterSpec -> { ++ SecretKey key = getPasswordOnlyPBEKey(); ++ pbaMac.init(key, new PBEParameterSpec(salt, iterations)); ++ } ++ case AnonymousPBEKey -> { ++ SecretKey key = getPasswordSaltIterationsPBEKey(); ++ pbaMac.init(key); ++ } ++ } ++ return new BigInteger(1, pbaMac.doFinal(plainText.getBytes())); ++ } ++ ++ private BigInteger computeExpectedMac(String algorithm, Configuration conf) ++ throws Exception { ++ if (sunJCE != null) { ++ BigInteger macResult = computeMac(sunJCE, algorithm, conf); ++ if (macResult != null) { ++ return macResult; ++ } ++ // Move to assertionData as it's unlikely that any of ++ // the algorithms are available. ++ sunJCE = null; ++ } ++ // If SunJCE or the algorithm are not available, assertionData ++ // is used instead. ++ return assertionData.get(algorithm); ++ } ++ ++ private static SecretKey getPasswordOnlyPBEKey() throws Exception { ++ PBEKeySpec keySpec = new PBEKeySpec(password); ++ SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE"); ++ SecretKey skey = skFac.generateSecret(keySpec); ++ keySpec.clearPassword(); ++ return skey; ++ } ++ ++ private static SecretKey getPasswordSaltIterationsPBEKey() { ++ return new PBEKey() { ++ public byte[] getSalt() { return salt.clone(); } ++ public int getIterationCount() { return iterations; } ++ public String getAlgorithm() { return "PBE"; } ++ public String getFormat() { return "RAW"; } ++ public char[] getPassword() { return password.clone(); } ++ public byte[] getEncoded() { return null; } // unused in PBA Mac ++ }; ++ } ++ ++ private static void printByteArray(String title, BigInteger b) { ++ String repr = (b == null) ? "buffer is null" : b.toString(16); ++ System.out.println(title + ": " + repr + System.lineSeparator()); ++ } ++ ++ public static void main(String[] args) throws Exception { ++ PBAMac2 test = new PBAMac2(); ++ Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); ++ if (p != null) { ++ test.main(p); ++ } else { ++ main(test); ++ } ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java b/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java +new file mode 100644 +index 00000000000..67c3cee5970 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java +@@ -0,0 +1,296 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.lang.reflect.Field; ++import java.lang.reflect.Method; ++import java.math.BigInteger; ++import java.security.NoSuchAlgorithmException; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++ ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.spec.PBEKeySpec; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary test key derivation on SunPKCS11's SecretKeyFactory service ++ * @requires (jdk.version.major >= 8) ++ * @library /test/lib .. ++ * @modules java.base/com.sun.crypto.provider:open ++ * @run main/othervm/timeout=30 TestPBKD ++ */ ++ ++public final class TestPBKD { ++ public static void main(String[] args) throws Exception { ++ java.security.Security.getProviders(); ++ TestPBKD2.main(args); ++ } ++} ++ ++final class TestPBKD2 extends PKCS11Test { ++ private static final char[] password = "123456".toCharArray(); ++ private static final byte[] salt = "abcdefgh".getBytes(); ++ private static final int iterations = 1000; ++ private static final String sep = ++ "========================================================================="; ++ ++ private static Provider sunJCE = Security.getProvider("SunJCE"); ++ ++ // Generated with SunJCE ++ private static final Map assertionData = ++ new HashMap<>() {{ ++ put("HmacPBESHA1", new BigInteger("5f7d1c360d1703cede76f47db" + ++ "2fa3facc62e7694", 16)); ++ put("HmacPBESHA224", new BigInteger("289563f799b708f522ab2a3" + ++ "8d283d0afa8fc1d3d227fcb9236c3a035", 16)); ++ put("HmacPBESHA256", new BigInteger("888defcf4ef37eb0647014a" + ++ "d172dd6fa3b3e9d024b962dba47608eea9b9c4b79", 16)); ++ put("HmacPBESHA384", new BigInteger("f5464b34253fadab8838d0d" + ++ "b11980c1787a99bf6f6304f2d8c942e30bada523494f9d5a0f3" + ++ "741e411de21add8b5718a8", 16)); ++ put("HmacPBESHA512", new BigInteger("18ae94337b132c68c611bc2" + ++ "e723ac24dcd44a46d900dae2dd6170380d4c34f90fef7bdeb5f" + ++ "6fddeb0d2230003e329b7a7eefcd35810d364ba95d31b68bb61" + ++ "e52", 16)); ++ put("PBEWithHmacSHA1AndAES_128", new BigInteger("fdb3dcc2e81" + ++ "244d4d56bf7ec8dd61dd7", 16)); ++ put("PBEWithHmacSHA224AndAES_128", new BigInteger("5ef9e5c6f" + ++ "df7c355f3b424233a9f24c2", 16)); ++ put("PBEWithHmacSHA256AndAES_128", new BigInteger("c5af597b0" + ++ "1b4f6baac8f62ff6f22bfb1", 16)); ++ put("PBEWithHmacSHA384AndAES_128", new BigInteger("c3208ebc5" + ++ "d6db88858988ec00153847d", 16)); ++ put("PBEWithHmacSHA512AndAES_128", new BigInteger("b27e8f7fb" + ++ "6a4bd5ebea892cd9a7f5043", 16)); ++ put("PBEWithHmacSHA1AndAES_256", new BigInteger("fdb3dcc2e81" + ++ "244d4d56bf7ec8dd61dd78a1b6fb3ad11d9ebd7f62027a2ccde" + ++ "98", 16)); ++ put("PBEWithHmacSHA224AndAES_256", new BigInteger("5ef9e5c6f" + ++ "df7c355f3b424233a9f24c2c9c41793cb0948b8ea3aac240b8d" + ++ "f64d", 16)); ++ put("PBEWithHmacSHA256AndAES_256", new BigInteger("c5af597b0" + ++ "1b4f6baac8f62ff6f22bfb1f319c3278c8b31cc616294716d4e" + ++ "ab08", 16)); ++ put("PBEWithHmacSHA384AndAES_256", new BigInteger("c3208ebc5" + ++ "d6db88858988ec00153847d5b1b7a8723640a022dc332bcaefe" + ++ "b356", 16)); ++ put("PBEWithHmacSHA512AndAES_256", new BigInteger("b27e8f7fb" + ++ "6a4bd5ebea892cd9a7f5043cefff9c38b07e599721e8d116189" + ++ "5482", 16)); ++ put("PBKDF2WithHmacSHA1", new BigInteger("fdb3dcc2e81244d4d5" + ++ "6bf7ec8dd61dd78a1b6fb3ad11d9ebd7f62027a2cc", 16)); ++ put("PBKDF2WithHmacSHA224", new BigInteger("5ef9e5c6fdf7c355" + ++ "f3b424233a9f24c2c9c41793cb0948b8ea3aac240b8df64d1a0" + ++ "736ec1c69eef1c7b2", 16)); ++ put("PBKDF2WithHmacSHA256", new BigInteger("c5af597b01b4f6ba" + ++ "ac8f62ff6f22bfb1f319c3278c8b31cc616294716d4eab080b9" + ++ "add9db34a42ceb2fea8d27adc00f4", 16)); ++ put("PBKDF2WithHmacSHA384", new BigInteger("c3208ebc5d6db888" + ++ "58988ec00153847d5b1b7a8723640a022dc332bcaefeb356995" + ++ "d076a949d35c42c7e1e1ca936c12f8dc918e497edf279a522b7" + ++ "c99580e2613846b3919af637da", 16)); ++ put("PBKDF2WithHmacSHA512", new BigInteger("b27e8f7fb6a4bd5e" + ++ "bea892cd9a7f5043cefff9c38b07e599721e8d1161895482da2" + ++ "55746844cc1030be37ba1969df10ff59554d1ac5468fa9b7297" + ++ "7bb7fd52103a0a7b488cdb8957616c3e23a16bca92120982180" + ++ "c6c11a4f14649b50d0ade3a", 16)); ++ }}; ++ ++ static interface AssertData { ++ BigInteger derive(String pbAlgo, PBEKeySpec keySpec) throws Exception; ++ } ++ ++ static final class P12PBKDAssertData implements AssertData { ++ private final int outLen; ++ private final String kdfAlgo; ++ private final int blockLen; ++ ++ P12PBKDAssertData(int outLen, String kdfAlgo, int blockLen) { ++ this.outLen = outLen; ++ this.kdfAlgo = kdfAlgo; ++ this.blockLen = blockLen; ++ } ++ ++ @Override ++ public BigInteger derive(String pbAlgo, PBEKeySpec keySpec) ++ throws Exception { ++ // Since we need to access an internal SunJCE API, we use reflection ++ Class PKCS12PBECipherCore = Class.forName( ++ "com.sun.crypto.provider.PKCS12PBECipherCore"); ++ ++ Field macKeyField = PKCS12PBECipherCore.getDeclaredField("MAC_KEY"); ++ macKeyField.setAccessible(true); ++ int MAC_KEY = (int) macKeyField.get(null); ++ ++ Method deriveMethod = PKCS12PBECipherCore.getDeclaredMethod( ++ "derive", char[].class, byte[].class, int.class, ++ int.class, int.class, String.class, int.class); ++ deriveMethod.setAccessible(true); ++ ++ return new BigInteger(1, (byte[]) deriveMethod.invoke(null, ++ keySpec.getPassword(), keySpec.getSalt(), ++ keySpec.getIterationCount(), this.outLen, ++ MAC_KEY, this.kdfAlgo, this.blockLen)); ++ } ++ } ++ ++ static final class PBKD2AssertData implements AssertData { ++ private final String kdfAlgo; ++ private final int keyLen; ++ ++ PBKD2AssertData(String kdfAlgo, int keyLen) { ++ // Key length is pinned by the algorithm name (not kdfAlgo, ++ // but the algorithm under test: PBEWithHmacSHA*AndAES_*) ++ this.kdfAlgo = kdfAlgo; ++ this.keyLen = keyLen; ++ } ++ ++ PBKD2AssertData(String kdfAlgo) { ++ // Key length is variable for the algorithm under test ++ // (kdfAlgo is the algorithm under test: PBKDF2WithHmacSHA*) ++ this(kdfAlgo, -1); ++ } ++ ++ @Override ++ public BigInteger derive(String pbAlgo, PBEKeySpec keySpec) ++ throws Exception { ++ if (this.keyLen != -1) { ++ keySpec = new PBEKeySpec( ++ keySpec.getPassword(), keySpec.getSalt(), ++ keySpec.getIterationCount(), this.keyLen); ++ } ++ if (sunJCE != null) { ++ try { ++ return new BigInteger(1, SecretKeyFactory.getInstance( ++ this.kdfAlgo, sunJCE).generateSecret(keySpec) ++ .getEncoded()); ++ } catch (NoSuchAlgorithmException e) { ++ // Move to assertionData as it's unlikely that any of ++ // the algorithms are available. ++ sunJCE = null; ++ } ++ } ++ // If SunJCE or the algorithm are not available, assertionData ++ // is used instead. ++ return assertionData.get(pbAlgo); ++ } ++ } ++ ++ public void main(Provider sunPKCS11) throws Exception { ++ System.out.println("SunPKCS11: " + sunPKCS11.getName()); ++ testWith(sunPKCS11, "HmacPBESHA1", ++ new P12PBKDAssertData(20, "SHA-1", 64)); ++ testWith(sunPKCS11, "HmacPBESHA224", ++ new P12PBKDAssertData(28, "SHA-224", 64)); ++ testWith(sunPKCS11, "HmacPBESHA256", ++ new P12PBKDAssertData(32, "SHA-256", 64)); ++ testWith(sunPKCS11, "HmacPBESHA384", ++ new P12PBKDAssertData(48, "SHA-384", 128)); ++ testWith(sunPKCS11, "HmacPBESHA512", ++ new P12PBKDAssertData(64, "SHA-512", 128)); ++ ++ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA1", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA224", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA256", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA384", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA512", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA1", 256)); ++ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA224", 256)); ++ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA256", 256)); ++ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA384", 256)); ++ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA512", 256)); ++ ++ // Use 1,5 * digest size as the testing derived key length (in bits) ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA1", 240, ++ new PBKD2AssertData("PBKDF2WithHmacSHA1")); ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA224", 336, ++ new PBKD2AssertData("PBKDF2WithHmacSHA224")); ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA256", 384, ++ new PBKD2AssertData("PBKDF2WithHmacSHA256")); ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA384", 576, ++ new PBKD2AssertData("PBKDF2WithHmacSHA384")); ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA512", 768, ++ new PBKD2AssertData("PBKDF2WithHmacSHA512")); ++ ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private static void testWith(Provider sunPKCS11, String algorithm, ++ AssertData assertData) throws Exception { ++ PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterations); ++ testWith(sunPKCS11, algorithm, keySpec, assertData); ++ } ++ ++ private static void testWith(Provider sunPKCS11, String algorithm, ++ int keyLen, AssertData assertData) throws Exception { ++ PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterations, keyLen); ++ testWith(sunPKCS11, algorithm, keySpec, assertData); ++ } ++ ++ private static void testWith(Provider sunPKCS11, String algorithm, ++ PBEKeySpec keySpec, AssertData assertData) throws Exception { ++ System.out.println(sep + System.lineSeparator() + algorithm); ++ ++ SecretKeyFactory skFac = SecretKeyFactory.getInstance( ++ algorithm, sunPKCS11); ++ BigInteger derivedKey = new BigInteger(1, ++ skFac.generateSecret(keySpec).getEncoded()); ++ printByteArray("Derived Key", derivedKey); ++ ++ BigInteger expectedDerivedKey = assertData.derive(algorithm, keySpec); ++ ++ if (!derivedKey.equals(expectedDerivedKey)) { ++ printByteArray("Expected Derived Key", expectedDerivedKey); ++ throw new Exception("Expected Derived Key did not match"); ++ } ++ } ++ ++ private static void printByteArray(String title, BigInteger b) { ++ String repr = (b == null) ? "buffer is null" : b.toString(16); ++ System.out.println(title + ": " + repr + System.lineSeparator()); ++ } ++ ++ public static void main(String[] args) throws Exception { ++ TestPBKD2 test = new TestPBKD2(); ++ Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); ++ if (p != null) { ++ test.main(p); ++ } else { ++ main(test); ++ } ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/fips/NssdbPin.java b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +new file mode 100644 +index 00000000000..ce01c655eb8 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +@@ -0,0 +1,349 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.lang.reflect.Method; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.security.KeyStore; ++import java.security.Provider; ++import java.security.Security; ++import java.util.Arrays; ++import java.util.function.Consumer; ++import java.util.List; ++import javax.crypto.Cipher; ++import javax.crypto.spec.SecretKeySpec; ++ ++import jdk.test.lib.process.Proc; ++import jdk.test.lib.util.FileUtils; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary ++ * Test that the fips.nssdb.path and fips.nssdb.pin properties can be used ++ * for a successful login into an NSS DB. Some additional unitary testing ++ * is then performed. This test depends on NSS modutil and must be run in ++ * FIPS mode (the SunPKCS11-NSS-FIPS security provider has to be available). ++ * @modules jdk.crypto.cryptoki/sun.security.pkcs11:+open ++ * @library /test/lib ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=600 NssdbPin ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class NssdbPin { ++ ++ // Public properties and names ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ private static final String FIPS_PROVIDER_NAME = "SunPKCS11-NSS-FIPS"; ++ private static final String NSSDB_TOKEN_NAME = ++ "NSS FIPS 140-2 Certificate DB"; ++ ++ // Data to be tested ++ private static final String[] PINS_TO_TEST = ++ new String[] { ++ "", ++ "1234567890abcdef1234567890ABCDEF\uA4F7" ++ }; ++ private static enum PropType { SYSTEM, SECURITY } ++ private static enum LoginType { IMPLICIT, EXPLICIT } ++ ++ // Internal test fields ++ private static final boolean DEBUG = true; ++ private static class TestContext { ++ String pin; ++ PropType propType; ++ Path workspace; ++ String nssdbPath; ++ Path nssdbPinFile; ++ LoginType loginType; ++ TestContext(String pin, Path workspace) { ++ this.pin = pin; ++ this.workspace = workspace; ++ this.nssdbPath = "sql:" + workspace; ++ this.loginType = LoginType.IMPLICIT; ++ } ++ } ++ ++ public static void main(String[] args) throws Throwable { ++ if (args.length == 3) { ++ // Executed by a child process. ++ mainChild(args[0], args[1], LoginType.valueOf(args[2])); ++ } else if (args.length == 0) { ++ // Executed by the parent process. ++ mainLauncher(); ++ // Test defaults ++ mainChild("sql:/etc/pki/nssdb", "", LoginType.IMPLICIT); ++ System.out.println("TEST PASS - OK"); ++ } else { ++ throw new Exception("Unexpected number of arguments."); ++ } ++ } ++ ++ private static void mainChild(String expectedPath, String expectedPin, ++ LoginType loginType) throws Throwable { ++ if (DEBUG) { ++ for (String prop : Arrays.asList(FIPS_NSSDB_PATH_PROP, ++ FIPS_NSSDB_PIN_PROP)) { ++ System.out.println(prop + " (System): " + ++ System.getProperty(prop)); ++ System.out.println(prop + " (Security): " + ++ Security.getProperty(prop)); ++ } ++ } ++ ++ /* ++ * Functional cross-test against an NSS DB generated by modutil ++ * with the same PIN. Check that we can perform a crypto operation ++ * that requires a login. The login might be explicit or implicit. ++ */ ++ Provider p = Security.getProvider(FIPS_PROVIDER_NAME); ++ if (DEBUG) { ++ System.out.println(FIPS_PROVIDER_NAME + ": " + p); ++ } ++ if (p == null) { ++ throw new Exception(FIPS_PROVIDER_NAME + " initialization failed."); ++ } ++ if (DEBUG) { ++ System.out.println("Login type: " + loginType); ++ } ++ if (loginType == LoginType.EXPLICIT) { ++ // Do the expansion to account for truncation, so C_Login in ++ // the NSS Software Token gets a UTF-8 encoded PIN. ++ byte[] pinUtf8 = expectedPin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ KeyStore.getInstance("PKCS11", p).load(null, pinChar); ++ if (DEBUG) { ++ System.out.println("Explicit login succeeded."); ++ } ++ } ++ if (DEBUG) { ++ System.out.println("Trying a crypto operation..."); ++ } ++ final int blockSize = 16; ++ Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", p); ++ cipher.init(Cipher.ENCRYPT_MODE, ++ new SecretKeySpec(new byte[blockSize], "AES")); ++ if (cipher.doFinal(new byte[blockSize]).length != blockSize) { ++ throw new Exception("Could not perform a crypto operation."); ++ } ++ if (DEBUG) { ++ if (loginType == LoginType.IMPLICIT) { ++ System.out.println("Implicit login succeeded."); ++ } ++ System.out.println("Crypto operation after login succeeded."); ++ } ++ ++ if (loginType == LoginType.IMPLICIT) { ++ /* ++ * Additional unitary testing. Expected to succeed at this point. ++ */ ++ if (DEBUG) { ++ System.out.println("Trying unitary test..."); ++ } ++ String sysPathProp = System.getProperty(FIPS_NSSDB_PATH_PROP); ++ if (DEBUG) { ++ System.out.println("Path value (as a System property): " + ++ sysPathProp); ++ } ++ if (!expectedPath.equals(sysPathProp)) { ++ throw new Exception("Path is different than expected: " + ++ sysPathProp + " (actual) vs " + expectedPath + ++ " (expected)."); ++ } ++ Class c = Class ++ .forName("sun.security.pkcs11.FIPSTokenLoginHandler"); ++ Method m = c.getDeclaredMethod("getFipsNssdbPin"); ++ m.setAccessible(true); ++ String pin = null; ++ char[] pinChar = (char[]) m.invoke(c); ++ if (pinChar != null) { ++ byte[] pinUtf8 = new byte[pinChar.length]; ++ for (int i = 0; i < pinUtf8.length; i++) { ++ pinUtf8[i] = (byte) pinChar[i]; ++ } ++ pin = new String(pinUtf8, StandardCharsets.UTF_8); ++ } ++ if (!expectedPin.isEmpty() && !expectedPin.equals(pin) || ++ expectedPin.isEmpty() && pin != null) { ++ throw new Exception("PIN is different than expected: '" + pin + ++ "' (actual) vs '" + expectedPin + "' (expected)."); ++ } ++ if (DEBUG) { ++ System.out.println("PIN value: " + pin); ++ System.out.println("Unitary test succeeded."); ++ } ++ } ++ } ++ ++ private static void mainLauncher() throws Throwable { ++ for (String pin : PINS_TO_TEST) { ++ Path workspace = Files.createTempDirectory(null); ++ try { ++ TestContext ctx = new TestContext(pin, workspace); ++ createNSSDB(ctx); ++ { ++ ctx.loginType = LoginType.IMPLICIT; ++ for (PropType propType : PropType.values()) { ++ ctx.propType = propType; ++ pinLauncher(ctx); ++ envLauncher(ctx); ++ fileLauncher(ctx); ++ } ++ } ++ explicitLoginLauncher(ctx); ++ } finally { ++ FileUtils.deleteFileTreeWithRetry(workspace); ++ } ++ } ++ } ++ ++ private static void pinLauncher(TestContext ctx) throws Throwable { ++ launchTest(p -> {}, "pin:" + ctx.pin, ctx); ++ } ++ ++ private static void envLauncher(TestContext ctx) throws Throwable { ++ final String NSSDB_PIN_ENV_VAR = "NSSDB_PIN_ENV_VAR"; ++ launchTest(p -> p.env(NSSDB_PIN_ENV_VAR, ctx.pin), ++ "env:" + NSSDB_PIN_ENV_VAR, ctx); ++ } ++ ++ private static void fileLauncher(TestContext ctx) throws Throwable { ++ // The file containing the PIN (ctx.nssdbPinFile) was created by the ++ // generatePinFile method, called from createNSSDB. ++ launchTest(p -> {}, "file:" + ctx.nssdbPinFile, ctx); ++ } ++ ++ private static void explicitLoginLauncher(TestContext ctx) ++ throws Throwable { ++ ctx.loginType = LoginType.EXPLICIT; ++ ctx.propType = PropType.SYSTEM; ++ launchTest(p -> {}, "Invalid PIN, must be ignored", ctx); ++ } ++ ++ private static void launchTest(Consumer procCb, String pinPropVal, ++ TestContext ctx) throws Throwable { ++ if (DEBUG) { ++ System.out.println("Launching JVM with " + FIPS_NSSDB_PATH_PROP + ++ "=" + ctx.nssdbPath + " and " + FIPS_NSSDB_PIN_PROP + ++ "=" + pinPropVal); ++ } ++ Proc p = Proc.create(NssdbPin.class.getName()) ++ .args(ctx.nssdbPath, ctx.pin, ctx.loginType.name()); ++ if (ctx.propType == PropType.SYSTEM) { ++ p.prop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ p.prop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ // Make sure that Security properties defaults are not used. ++ p.secprop(FIPS_NSSDB_PATH_PROP, ""); ++ p.secprop(FIPS_NSSDB_PIN_PROP, ""); ++ } else if (ctx.propType == PropType.SECURITY) { ++ p.secprop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ pinPropVal = escapeForPropsFile(pinPropVal); ++ p.secprop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ } else { ++ throw new Exception("Unsupported property type."); ++ } ++ if (DEBUG) { ++ p.inheritIO(); ++ p.prop("java.security.debug", "sunpkcs11"); ++ p.debug(NssdbPin.class.getName()); ++ ++ // Need the launched process to connect to a debugger? ++ //System.setProperty("test.vm.opts", "-Xdebug -Xrunjdwp:" + ++ // "transport=dt_socket,address=localhost:8000,suspend=y"); ++ } else { ++ p.nodump(); ++ } ++ procCb.accept(p); ++ p.start().waitFor(0); ++ } ++ ++ private static String escapeForPropsFile(String str) throws Throwable { ++ StringBuffer sb = new StringBuffer(); ++ for (int i = 0; i < str.length(); i++) { ++ int cp = str.codePointAt(i); ++ if (Character.UnicodeBlock.of(cp) ++ == Character.UnicodeBlock.BASIC_LATIN) { ++ sb.append(Character.toChars(cp)); ++ } else { ++ sb.append("\\u").append(String.format("%04X", cp)); ++ } ++ } ++ return sb.toString(); ++ } ++ ++ private static void createNSSDB(TestContext ctx) throws Throwable { ++ ProcessBuilder pb = getModutilPB(ctx, "-create"); ++ if (DEBUG) { ++ System.out.println("Creating an NSS DB in " + ctx.workspace + ++ "..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB creation failed."); ++ } ++ generatePinFile(ctx); ++ pb = getModutilPB(ctx, "-changepw", NSSDB_TOKEN_NAME, ++ "-newpwfile", ctx.nssdbPinFile.toString()); ++ if (DEBUG) { ++ System.out.println("NSS DB created."); ++ System.out.println("Changing NSS DB PIN..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB PIN change failed."); ++ } ++ if (DEBUG) { ++ System.out.println("NSS DB PIN changed."); ++ } ++ } ++ ++ private static ProcessBuilder getModutilPB(TestContext ctx, String... args) ++ throws Throwable { ++ ProcessBuilder pb = new ProcessBuilder("modutil", "-force"); ++ List pbCommand = pb.command(); ++ if (args != null) { ++ pbCommand.addAll(Arrays.asList(args)); ++ } ++ pbCommand.add("-dbdir"); ++ pbCommand.add(ctx.nssdbPath); ++ if (DEBUG) { ++ pb.inheritIO(); ++ } else { ++ pb.redirectError(ProcessBuilder.Redirect.INHERIT); ++ } ++ return pb; ++ } ++ ++ private static void generatePinFile(TestContext ctx) throws Throwable { ++ ctx.nssdbPinFile = Files.createTempFile(ctx.workspace, null, null); ++ Files.writeString(ctx.nssdbPinFile, ctx.pin + System.lineSeparator() + ++ "2nd line with garbage"); ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +new file mode 100644 +index 00000000000..87f1ad04505 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +@@ -0,0 +1,77 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.security.Provider; ++import java.security.Security; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=30 VerifyMissingAttributes ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class VerifyMissingAttributes { ++ ++ private static final String[] svcAlgImplementedIn = { ++ "AlgorithmParameterGenerator.DSA", ++ "AlgorithmParameters.DSA", ++ "CertificateFactory.X.509", ++ "KeyStore.JKS", ++ "KeyStore.CaseExactJKS", ++ "KeyStore.DKS", ++ "CertStore.Collection", ++ "CertStore.com.sun.security.IndexedCollection" ++ }; ++ ++ public static void main(String[] args) throws Throwable { ++ Provider sunProvider = Security.getProvider("SUN"); ++ for (String svcAlg : svcAlgImplementedIn) { ++ String filter = svcAlg + " ImplementedIn:Software"; ++ doQuery(sunProvider, filter); ++ } ++ if (Double.parseDouble( ++ System.getProperty("java.specification.version")) >= 17) { ++ String filter = "KeyFactory.RSASSA-PSS SupportedKeyClasses:" + ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"; ++ doQuery(Security.getProvider("SunRsaSign"), filter); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private static void doQuery(Provider expectedProvider, String filter) ++ throws Exception { ++ if (expectedProvider == null) { ++ throw new Exception("Provider not found."); ++ } ++ Provider[] providers = Security.getProviders(filter); ++ if (providers == null || providers.length != 1 || ++ providers[0] != expectedProvider) { ++ throw new Exception("Failure retrieving the provider with this" + ++ " query: " + filter); ++ } ++ } ++} diff --git a/SOURCES/java-17-openjdk-portable.specfile b/SOURCES/java-17-openjdk-portable.specfile new file mode 100644 index 0000000..0aa8141 --- /dev/null +++ b/SOURCES/java-17-openjdk-portable.specfile @@ -0,0 +1,2731 @@ +# debug_package %%{nil} is portable-jdks specific +%define debug_package %{nil} + +# RPM conditionals so as to be able to dynamically produce +# slowdebug/release builds. See: +# http://rpm.org/user_doc/conditional_builds.html +# +# Examples: +# +# Produce release, fastdebug *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-*-openjdk.spec +# +# Produce only release builds (no debug builds) on x86_64: +# $ rpmbuild -ba java-*-openjdk.spec --without slowdebug --without fastdebug +# +# Only produce a release build on x86_64: +# $ fedpkg mockbuild --without slowdebug --without fastdebug +# Enable fastdebug builds by default on relevant arches. +%bcond_without fastdebug +# Enable slowdebug builds by default on relevant arches. +%bcond_without slowdebug +# Enable release builds by default on relevant arches. +%bcond_without release +# Enable static library builds by default. +%bcond_without staticlibs +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm +# Build with system libraries +%bcond_with system_libs + +# Workaround for stripping of debug symbols from static libraries +%if %{with staticlibs} +%define __brp_strip_static_archive %{nil} +%global include_staticlibs 1 +%else +%global include_staticlibs 0 +%endif + +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global freetype_lib %{nil} +%else +%global system_libs 0 +%global link_type bundled +%global freetype_lib |libfreetype[.]so.* +%endif + +# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. +# This fixes detailed NMT and other tools which need minimal debug info. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 +%global _find_debuginfo_opts -g + +# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros +# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch +# see the difference between global and define: +# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" +# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) +%global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug +%global main_suffix_unquoted -main +%global staticlibs_suffix_unquoted -staticlibs +# quoted one for shell operations +%global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" +%global normal_suffix "" +%global main_suffix "%{main_suffix_unquoted}" +%global staticlibs_suffix "%{staticlibs_suffix_unquoted}" + +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation + +%if %{with release} +%global include_normal_build 1 +%else +%global include_normal_build 0 +%endif + +%if %{include_normal_build} +%global normal_build %{normal_suffix} +%else +%global normal_build %{nil} +%endif + +# We have hardcoded list of files, which is appearing in alternatives, and in files +# in alternatives those are slaves and master, very often triplicated by man pages +# in files all masters and slaves are ghosted +# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ +# TODO - fix those hardcoded lists via single list +# Those files must *NOT* be ghosted for *slowdebug* packages +# NOTE - if you are moving jshell or jlink or similar, always modify all three sections +# you can check via headless and devels: +# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) + +# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 +# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) +%global is_system_jdk 0 + +%global aarch64 aarch64 arm64 armv8 +# we need to distinguish between big and little endian PPC64 +%global ppc64le ppc64le +%global ppc64be ppc64 ppc64p7 +# Set of architectures which support multiple ABIs +%global multilib_arches %{power64} sparc64 x86_64 +# Set of architectures for which we build slowdebug builds +%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures for which we build fastdebug builds +%global fastdebug_arches x86_64 ppc64le aarch64 +# Set of architectures with a Just-In-Time (JIT) compiler +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 +# Set of architectures which run a full bootstrap cycle +%global bootstrap_arches %{jit_arches} +# Set of architectures which support SystemTap tapsets +%global systemtap_arches %{jit_arches} +# Set of architectures with a Ahead-Of-Time (AOT) compiler +%global aot_arches x86_64 %{aarch64} +# Set of architectures which support the serviceability agent +%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} +# Set of architectures which support class data sharing +# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific +# However, it does segfault on the Zero assembler port, so currently JIT only +%global share_arches %{jit_arches} +# Set of architectures for which we build the Shenandoah garbage collector +%global shenandoah_arches x86_64 %{aarch64} +# Set of architectures for which we build the Z garbage collector +%global zgc_arches x86_64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 +# Set of architectures for which java has short vector math library (libjsvml.so) +%global svml_arches x86_64 +# Set of architectures where we verify backtraces with gdb +# s390x fails on RHEL 7 so we exclude it there +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches} +%else +%global gdb_arches %{jit_arches} %{zero_arches} +%endif +# Architecture on which we run Java only tests +%global jdk_test_arch x86_64 + +# By default, we build a slowdebug build during main build on JIT architectures +%if %{with slowdebug} +%ifarch %{debug_arches} +%global include_debug_build 1 +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif + +# On certain architectures, we compile the Shenandoah GC +%ifarch %{shenandoah_arches} +%global use_shenandoah_hotspot 1 +%else +%global use_shenandoah_hotspot 0 +%endif + +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif +%else +%global include_fastdebug_build 0 +%endif + +%if %{include_debug_build} +%global slowdebug_build %{debug_suffix} +%else +%global slowdebug_build %{nil} +%endif + +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} +%else +%global fastdebug_build %{nil} +%endif + +# If you disable all builds, then the build fails +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} + +%if %{include_staticlibs} +%global staticlibs_loop %{staticlibs_suffix} +%else +%global staticlibs_loop %{nil} +%endif + +%ifarch %{bootstrap_arches} +%global bootstrap_build true +%else +%global bootstrap_build false +%endif + +%if %{include_staticlibs} +# Extra target for producing the static-libraries. Separate from +# other targets since this target is configured to use in-tree +# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib +# and possibly others +%global static_libs_target static-libs-image +%else +%global static_libs_target %{nil} +%endif + +# The static libraries are produced under the same configuration as the main +# build for portables, as we expect in-tree libraries to be used throughout. +# If system libraries are enabled, the static libraries will also use them +# which may cause issues. +%global bootstrap_targets images %{static_libs_target} legacy-jre-image +%global release_targets images docs-zip %{static_libs_target} legacy-jre-image +# No docs nor bootcycle for debug builds +%global debug_targets images %{static_libs_target} legacy-jre-image +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# Disable LTO as this causes build failures at the moment. +# See RHBZ#1861401 +%define _lto_cflags %{nil} + +# Filter out flags from the optflags macro that cause problems with the OpenJDK build +# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 +# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) +# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings +# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ +%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') +%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') +%global ourldflags %{__global_ldflags} + +# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path +# the initialization must be here. Later the pkg-config have buggy behavior +# looks like openjdk RPM specific bug +# Always set this so the nss.cfg file is not broken +%global NSS_LIBDIR %(pkg-config --variable=libdir nss) + +# In some cases, the arch used by the JDK does +# not match _arch. +# Also, in some cases, the machine name used by SystemTap +# does not match that given by _target_cpu +%ifarch x86_64 +%global archinstall amd64 +%global stapinstall x86_64 +%endif +%ifarch ppc +%global archinstall ppc +%global stapinstall powerpc +%endif +%ifarch %{ppc64be} +%global archinstall ppc64 +%global stapinstall powerpc +%endif +%ifarch %{ppc64le} +%global archinstall ppc64le +%global stapinstall powerpc +%endif +%ifarch %{ix86} +%global archinstall i686 +%global stapinstall i386 +%endif +%ifarch ia64 +%global archinstall ia64 +%global stapinstall ia64 +%endif +%ifarch s390 +%global archinstall s390 +%global stapinstall s390 +%endif +%ifarch s390x +%global archinstall s390x +%global stapinstall s390 +%endif +%ifarch %{arm} +%global archinstall arm +%global stapinstall arm +%endif +%ifarch %{aarch64} +%global archinstall aarch64 +%global stapinstall arm64 +%endif +# 32 bit sparc, optimized for v9 +%ifarch sparcv9 +%global archinstall sparc +%global stapinstall %{_target_cpu} +%endif +# 64 bit sparc +%ifarch sparc64 +%global archinstall sparcv9 +%global stapinstall %{_target_cpu} +%endif +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} +%endif + +%ifarch %{systemtap_arches} +%global with_systemtap 1 +%else +%global with_systemtap 0 +%endif + +# New Version-String scheme-style defines +%global featurever 17 +%global interimver 0 +%global updatever 18 +%global patchver 0 +# buildjdkver is usually same as %%{featurever}, +# but in time of bootstrap of next jdk, it is featurever-1, +# and this it is better to change it here, on single place +%global buildjdkver %{featurever} +# We don't add any LTS designator for STS packages (Fedora and EPEL). +# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. +%if 0%{?rhel} && !0%{?epel} + %global lts_designator "LTS" + %global lts_designator_zip -%{lts_designator} +%else + %global lts_designator "" + %global lts_designator_zip "" +%endif +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +# This will only work where the bootstrap JDK is the same major version +# as the JDK being built +%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif + +# Define vendor information used by OpenJDK +%global oj_vendor Red Hat, Inc. +%global oj_vendor_url https://www.redhat.com/ +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global oj_vendor_bug_url https://access.redhat.com/support/cases/ +%else +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif +%global oj_vendor_version (Red_Hat-%{version}-%{rpmrelease}) + +# Define IcedTea version used for SystemTap tapsets and desktop file +%global icedteaver 6.0.0pre00-c848b93a8598 +# Define current Git revision for the FIPS support patches +%global fipsver e1780dd5d39 +# Define JDK versions +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} + +# Standard JPackage naming and versioning defines +%global origin openjdk +%global origin_nice OpenJDK +%global top_level_dir_name %{vcstag} +%global top_level_dir_name_backup %{top_level_dir_name}-backup +%global buildver 8 +%global rpmrelease 2 +#%%global tagsuffix %%{nil} +# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit +%if %is_system_jdk +# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions +# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build. +# This means 11.0.9.0+11 would have had a priority of 11000911 as before +# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11 +%global combiver $( expr 20 '*' %{patchver} + %{buildver} ) +%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} ) +%else +# for techpreview, using 1, so slowdebugs can have 0 +%global priority %( printf '%08d' 1 ) +%endif + +# Define milestone (EA for pre-releases, GA for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 1 +%if %{is_ga} +%global build_type GA +%global ea_designator "" +%global ea_designator_zip %{nil} +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global build_type EA +%global ea_designator ea +%global ea_designator_zip -%{ea_designator} +%global extraver .%{ea_designator} +%global eaprefix 0. +%endif + +# parametrized macros are order-sensitive +%global compatiblename java-%{featurever}-%{origin} +%global fullversion %{compatiblename}-%{version}-%{release} +# images directories from upstream build +%global jdkimage jdk +%global static_libs_image static-libs +# output dir stub +%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} +%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}} +# we can copy the javadoc to not arched dir, or make it not noarch +%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} +# main id and dir of this jdk +%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} +# portable only declarations +%global jreimage jre +%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\+\\)*;portable%{1}.jre;g") +%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\+\\)*;portable%{1}.jdk;g") +%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\+\\)*;portable%{1}.static-libs;g") +%define jreportablearchive() %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz} +%define jdkportablearchive() %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz} +%define staticlibsportablearchive() %{expand:%{staticlibsportablenameimpl -- %%{1}}.tar.xz} +%define jreportablename() %{expand:%{jreportablenameimpl -- %%{1}}} +%define jdkportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} +# Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on +# top of the JDK archive +%define staticlibsportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} +%define docportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\+\\)*;portable.docs;g") +%define docportablearchive() %{docportablename}.tar.xz +%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\+\\)*;portable.misc;g") +%define miscportablearchive() %{miscportablename}.tar.xz + +################################################################# +# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 +# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 +# https://bugzilla.redhat.com/show_bug.cgi?id=1655938 +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} +%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* +%if %is_system_jdk +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ +# Never generate lib-style provides/requires for slowdebug packages +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%else +# Don't generate provides/requires for JDK provided shared libraries at all. +%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%endif + +# VM variant being built +# This is always 'server' on 17u which doesn't have JDK-8273494 +%global vm_variant server + +%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} +%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} +# Standard JPackage directories and symbolic links. +%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}} +%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}} + +%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} +%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} + +%global alt_java_name alt-java + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state/ + +# For flatpack builds hard-code /usr/sbin/alternatives, +# otherwise use %%{_sbindir} relative path. +%if 0%{?flatpak} +%global alternatives_requires /usr/sbin/alternatives +%else +%global alternatives_requires %{_sbindir}/alternatives +%endif + +# x86 is not supported by OpenJDK 17 +ExcludeArch: %{ix86} + +# Portables have no repo (requires/provides), but these are awesome for orientation in spec +# Also scriptlets are happily missing and files are handled old fashion +# not-duplicated requires/provides/obsoletes for normal/debug packages +%define java_rpo() %{expand: +} + +%define java_devel_rpo() %{expand: +} + +%define java_static_libs_rpo() %{expand: +} + +%define java_unstripped_rpo() %{expand: +} + +%define java_docs_rpo() %{expand: +} + +%define java_misc_rpo() %{expand: +} + +# Prevent brp-java-repack-jars from being run +%global __jar_repack 0 + +# portables have grown out of its component, moving back to java-x-vendor +# this expression, when declared as global, filled component with java-x-vendor portable +%define component %(echo %{name} | sed "s;-portable;;g") + +Name: java-%{javaver}-%{origin}-portable +Version: %{newjavaver}.%{buildver} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons +# and this change was brought into RHEL-4. java-1.5.0-ibm packages +# also included the epoch in their virtual provides. This created a +# situation where in-the-wild java-1.5.0-ibm packages provided "java = +# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is +# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be +# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in +# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual +# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0". + +Epoch: 1 +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition +# Groups are only used up to RHEL 8 and on Fedora versions prior to F30 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +# HotSpot code is licensed under GPLv2 +# JDK library code is licensed under GPLv2 with the Classpath exception +# The Apache license is used in code taken from Apache projects (primarily xalan & xerces) +# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License +# The JSR166 concurrency code is in the public domain +# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO) +# The OpenJDK source tree includes: +# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC), +# - freetype (FTL), jline (BSD) and LCMS (MIT) +# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA) +# - public_suffix_list.dat from publicsuffix.org (MPLv2.0) +# The test code includes copies of NSS under the Mozilla Public License v2.0 +# The PCSClite headers are under a BSD with advertising license +# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version +License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA +URL: http://openjdk.java.net/ + +# The source tarball, generated using generate_source_tarball.sh +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz + +# Use 'icedtea_sync.sh' to update the following +# They are based on code contained in the IcedTea project (6.x). +# Systemtap tapsets. Zipped up to keep it small. +Source8: tapsets-icedtea-%{icedteaver}.tar.xz + +# Desktop files. Adapted from IcedTea +# Disabled in portables +#Source9: jconsole.desktop.in + +# Release notes +Source10: NEWS + +# nss configuration file +Source11: nss.cfg.in + +# Removed libraries that we link instead +Source12: remove-intree-libraries.sh + +# Ensure we aren't using the limited crypto policy +Source13: TestCryptoLevel.java + +# Ensure ECDSA is working +Source14: TestECDSA.java + +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java + +# Ensure vendor settings are correct +Source16: CheckVendor.java + +# Ensure translations are available for new timezones +Source18: TestTranslations.java + +############################################ +# +# RPM/distribution specific patches +# +############################################ + +# This patch is probably not necessary anymore. I will revisit +# removing it if I find that QE performs AWT testing on a per-release +# basis. +# Ignore AWTError when assistive technologies are loaded +Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch +# This patch is almost certainly not needed, but I am keeping it +# forever because java.security has shipped to customers already, and +# is marked %%config(noreplace). I do not want to risk +# warnings/confusion/conflict by changing its default contents +# mid-lifecycle. +# NSS via SunPKCS11 Provider (commented out due to memory leak). +Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) +Patch600: rh1750419-redhat_alt_java.patch +# gnu_andrew is working on backporting a fix for this patch to 17u. +# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo +Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch + +# Crypto policy and FIPS support patches +# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u +# as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%%h HEAD).patch +# Diff is limited to src and make subdirectories to exclude .github changes +# The following list is generated by: +# git log %%{vcstag}.. --no-merges --format=%%s --reverse +# Fixes currently included: +# PR3183, RH1340845: Support Fedora & RHEL system crypto policy +# PR3695: Allow system crypto policy enforcement to be toggled on/off +# RH1655466: Support global RHEL crypto policy +# RH1818909: Set default keystore type for PKCS11 provider in FIPS mode +# RH1860986: Disable TLSv1.3 in FIPS mode +# RH1915071: Always initialise configurator access.patch +# RH1929465: Improve system FIPS detection +# RH1995150: Disable non-FIPS crypto in the SUN and SunEC providers +# RH1996182: Login to the NSS Software Token in FIPS Mode +# RH1929465: Don't define unused throwIOException function when using NSS detection +# RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access +# RH1991003: Enable the import of plain keys into the NSS software token. +# RH2021263: Return in C code after having generated Java exception +# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance +# RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support +# RH2051605: Detect NSS at Runtime for FIPS detection +# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +# RH2023467: Enable FIPS keys export (#1) +# Run workflows on pull request, as we are not using SKARA. +# RH2094027: SunEC runtime permission for FIPS (#5) +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage (#8) +# RH2090378: Revert to disabling system security properties and FIPS mode support together (#4) +# Use encoded space rather than quoting for JTReg JAVA_OPTIONS +# RH2104724: Avoid import/export of DH private keys (#14) +# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode (#16) +# Build the systemconf library on all platforms (#7) +# RH2048582: Support PKCS#12 keystores (#2) +# RH2020290: Support TLS 1.3 in FIPS mode (#13) +# Add nss.fips.cfg support to OpenJDK tree (#22) +# RH2117972 - Extend the support for NSS DBs (PKCS11) in FIPS mode (#17) +# Remove forgotten dead code from #13 and #14 (#21) +# Fix issue on FIPS with a SecurityManager in place (#25) +# RH2134669: Add missing attributes when registering services in FIPS mode. (#19) +# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27) +# RH1940064: Enable XML Signature provider in FIPS mode (#24) +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26) +# OPENJDK-4398: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY (#44) +Patch1001: fips-%{featurever}u-%{fipsver}.patch + +############################################# +# +# OpenJDK patches in need of upstreaming +# +############################################# + +# Currently empty + +############################################# +# +# OpenJDK patches which missed last update +# +############################################# + +# Currently empty + +############################################# +# +# Portable build specific patches +# +############################################# + +# Currently empty + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: alsa-lib-devel +BuildRequires: binutils +BuildRequires: cups-devel +BuildRequires: desktop-file-utils +# elfutils only are OK for build without AOT +BuildRequires: elfutils-devel +BuildRequires: file +BuildRequires: fontconfig-devel +BuildRequires: gcc-c++ +BuildRequires: gdb +BuildRequires: libxslt +BuildRequires: libX11-devel +BuildRequires: libXi-devel +BuildRequires: libXinerama-devel +BuildRequires: libXrandr-devel +BuildRequires: libXrender-devel +BuildRequires: libXt-devel +BuildRequires: libXtst-devel +# Requirement for setting up nss.cfg +BuildRequires: nss-devel +# Requirement for system security property test +# N/A for portable. RHEL7 doesn't provide them +#BuildRequires: crypto-policies +BuildRequires: pkgconfig +BuildRequires: xorg-x11-proto-devel +BuildRequires: zip +# to pack portable tarballs +BuildRequires: tar +BuildRequires: unzip +# Define _jvmdir macro +BuildRequires: javapackages-filesystem +BuildRequires: java-%{buildjdkver}-openjdk-devel +# Zero-assembler build requirement +%ifarch %{zero_arches} +BuildRequires: libffi-devel +%endif +# Full documentation build requirements +# pandoc is only available on RHEL/CentOS 8 +%if 0%{?rhel} == 8 +BuildRequires: graphviz +BuildRequires: pandoc +%endif +# cacerts build requirement in portable mode +BuildRequires: ca-certificates +# Earlier versions have a bug in tree vectorization on PPC +BuildRequires: gcc >= 4.8.3-8 + +%if %{with_systemtap} +BuildRequires: systemtap-sdt-devel +%endif +BuildRequires: make + +%if %{system_libs} +BuildRequires: freetype-devel +BuildRequires: giflib-devel +BuildRequires: harfbuzz-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +BuildRequires: zlib-devel +%else +# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h +Provides: bundled(freetype) = 2.13.3 +# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.2 +# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h +Provides: bundled(harfbuzz) = 11.2.0 +# Version in src/java.desktop/share/native/liblcms/lcms2.h +Provides: bundled(lcms2) = 2.17.0 +# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h +Provides: bundled(libpng) = 1.6.51 +# Version in src/java.base/share/native/libzip/zlib/zlib.h +Provides: bundled(zlib) = 1.3.1 +# We link statically against libstdc++ to increase portability +BuildRequires: libstdc++-static +%endif + +# this is always built, also during debug-only build +# when it is built in debug-only this package is just placeholder +%{java_rpo %{nil}} + +%description +The %{origin_nice} %{featurever} runtime environment - portable edition. + +%if %{include_debug_build} +%package slowdebug +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_rpo -- %{debug_suffix_unquoted}} +%description slowdebug +The %{origin_nice} %{featurever} runtime environment - portable edition. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_rpo -- %{fastdebug_suffix_unquoted}} +%description fastdebug +The %{origin_nice} %{featurever} runtime environment - portable edition. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package devel +Summary: %{origin_nice} %{featurever} Development Environment portable edition +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_devel_rpo %{nil}} + +%description devel +The %{origin_nice} %{featurever} development tools - portable edition. +%endif + +%if %{include_debug_build} +%package devel-slowdebug +Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_devel_rpo -- %{debug_suffix_unquoted}} + +%description devel-slowdebug +The %{origin_nice} %{featurever} development tools - portable edition. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package devel-fastdebug +Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Tools +%endif + +%{java_devel_rpo -- %{fastdebug_suffix_unquoted}} + +%description devel-fastdebug +The %{origin_nice} %{featurever} runtime environment and development tools - portable edition +%{fastdebug_warning} +%endif + +%if %{include_staticlibs} + +%if %{include_normal_build} +%package static-libs +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition + +%{java_static_libs_rpo %{nil}} + +%description static-libs +The %{origin_nice} %{featurever} libraries for static linking - portable edition. +%endif + +%if %{include_debug_build} +%package static-libs-slowdebug +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{debug_on} + +%{java_static_libs_rpo -- %{debug_suffix_unquoted}} + +%description static-libs-slowdebug +The %{origin_nice} %{featurever} libraries for static linking - portable edition +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package static-libs-fastdebug +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{fastdebug_on} + +%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}} + +%description static-libs-fastdebug +The %{origin_nice} %{featurever} libraries for static linking - portable edition +%{fastdebug_warning} +%endif + +# staticlibs +%endif + +%if %{include_normal_build} +%package unstripped +Summary: The %{origin_nice} %{featurever} runtime environment. + +%{java_unstripped_rpo %{nil}} + +%description unstripped +The %{origin_nice} %{featurever} runtime environment. + +%endif + +%package docs +Summary: %{origin_nice} %{featurever} API documentation + +%{java_docs_rpo %{nil}} + +%description docs +The %{origin_nice} %{featurever} API documentation. + +%package misc +Summary: %{origin_nice} %{featurever} miscellany + +%{java_misc_rpo %{nil}} + +%description misc +The %{origin_nice} %{featurever} miscellany. + +%prep + +echo "Preparing %{oj_vendor_version}" + +# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( +%if 0%{?stapinstall:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" +%else + %{error:Unrecognised architecture %{_target_cpu}} +%endif + +if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then + echo "include_normal_build is %{include_normal_build}" +else + echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no" + exit 11 +fi +if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then + echo "include_debug_build is %{include_debug_build}" +else + echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 12 +fi +if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then + echo "include_fastdebug_build is %{include_fastdebug_build}" +else + echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 13 +fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then + echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." + exit 14 +fi + +%if %{with fresh_libjvm} && ! %{build_hotspot_first} +echo "WARNING: The build of a fresh libjvm has been disabled due to a JDK version mismatch" +echo "Build JDK version is %{buildjdkver}, feature JDK version is %{featurever}" +%endif + +export XZ_OPT="-T0" +%setup -q -c -n %{uniquesuffix ""} -T -a 0 +# https://bugzilla.redhat.com/show_bug.cgi?id=1189084 +prioritylength=`expr length %{priority}` +if [ $prioritylength -ne 8 ] ; then + echo "priority must be 8 digits in total, violated" + exit 14 +fi + +# OpenJDK patches + +%if %{system_libs} +# Remove libraries that are linked by both static and dynamic builds +sh %{SOURCE12} %{top_level_dir_name} +%endif + +# Patch the JDK +pushd %{top_level_dir_name} +# This syntax is deprecated: +# %%patchN [...] +# and should be replaced with: +# %%patch -PN [...] +# For example: +# %%patch1001 -p1 +# becomes: +# %%patch -P1001 -p1 +# The replacement format suggested by recent (circa Fedora 38) RPM +# deprecation messages: +# %%patch N [...] +# is not backward-compatible with prior (circa RHEL-8) versions of +# rpmbuild. +%patch -P1 -p1 +%patch -P6 -p1 +# Add crypto policy and FIPS support +%patch -P1001 -p1 +# nss.cfg PKCS11 support; must come last as it also alters java.security +%patch -P1000 -p1 +# alt-java support +%patch -P600 -p1 +popd # openjdk + + +# The OpenJDK version file includes the current +# upstream version information. For some reason, +# configure does not automatically use the +# default pre-version supplied there (despite +# what the file claims), so we pass it manually +# to configure +VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf +if [ -f ${VERSION_FILE} ] ; then + UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) +else + echo "Could not find OpenJDK version file."; + exit 16 +fi +if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then + echo "ERROR: Designator mismatch"; + echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" + echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; + exit 17 +fi + +# Extract systemtap tapsets +%if %{with_systemtap} +tar --strip-components=1 -x -I xz -f %{SOURCE8} +%if %{include_debug_build} +cp -r tapset tapset%{debug_suffix} +%endif +%if %{include_fastdebug_build} +cp -r tapset tapset%{fastdebug_suffix} +%endif + +for suffix in %{build_loop} ; do + for file in "tapset"$suffix/*.in; do + sed -i -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file + sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $file + done +done +# systemtap tapsets ends +%endif + +# Prepare desktop files +# Portables do not have desktop integration + +# Setup nss.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg + +%build + +# How many CPU's do we have? +export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) +export NUM_PROC=${NUM_PROC:-1} +%if 0%{?_smp_ncpus_max} +# Honor %%_smp_ncpus_max +[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max} +%endif +export XZ_OPT="-T0" + +%ifarch s390x sparc64 alpha %{power64} %{aarch64} +export ARCH_DATA_MODEL=64 +%endif +%ifarch alpha +export CFLAGS="$CFLAGS -mieee" +%endif + +# We use ourcppflags because the OpenJDK build seems to +# pass EXTRA_CFLAGS to the HotSpot C++ compiler... +# Explicitly set the C++ standard as the default has changed on GCC >= 6 +EXTRA_CFLAGS="%ourcppflags" +EXTRA_CPP_FLAGS="%ourcppflags" + +%ifarch %{power64} ppc +# fix rpmlint warnings +EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" +%endif +%ifarch %{ix86} +# Align stack boundary on x86_32 +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +%endif +export EXTRA_CFLAGS EXTRA_CPP_FLAGS + +echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" + +# Set modification times (mtimes) of files within JAR files generated +# by the OpenJDK build to a timestamp that is constant across RPM +# rebuilds. OpenJDK provides the --with-source-date configure option +# for this purpose. Potential arguments in the RPM build context are: +# +# A) --with-source-date="${SOURCE_DATE_EPOCH}" +# B) --with-source-date=version +# C) --with-source-date="${OPENJDK_UPSTREAM_TAG_EPOCH}" +# +# Consider Option A. Fedora 38 (rpm-4.18.2) and RHEL-8 (rpm-4.14.3) +# have different support for SOURCE_DATE_EPOCH. To keep +# SOURCE_DATE_EPOCH constant across RPM rebuilds, one could set the +# source_date_epoch_from_changelog macro to 1 on both Fedora 38 and +# RHEL-8. However, on RHEL-8, this results in the RPM build times +# being set to the timestamp of the most recent changelog. This is +# bad for tracing when RPMs were actually built. Fedora 38 supports a +# better behaviour via the introduction of the +# use_source_date_epoch_as_buildtime macro, set to 0 by default. +# There is no way to make this work on RHEL-8 as well though, so +# option A is suboptimal. +# +# Option B uses the value of the DEFAULT_VERSION_DATE field from +# make/conf/version-numbers.conf. DEFAULT_VERSION_DATE represents the +# aspirational eventual JDK general availability (GA) release date. +# When the RPM build occurs prior to GA, generated JAR files will have +# payload mtimes in the future relative to the RPM build time. +# Whereas for tarballs some tools will issue warnings about future +# mtimes, per OPENJDK-2583 apparently this is no problem for Java and +# JAR files. +# +# Option C uses the modification timestamp of files in the source +# tarball. The reproducibility logic in generate_source_tarball.sh +# sets them all to the commit time of the release-tagged OpenJDK +# commit, as archived in the tarball. This timestamp is deterministic +# across RPM rebuilds and is reliably in the past. Any file's mtime +# will do, so use version-numbers.conf's. +# +# Use option B for JAR files, based on the discussion in OPENJDK-2583. +# +# For portable tarballs, use option C (OPENJDK_UPSTREAM_TAG_EPOCH) for +# the modification times of all files in the portable tarballs. Doing +# so eliminates one source of variability across RPM rebuilds. +VERSION_FILE="$(pwd)"/"%{top_level_dir_name}"/make/conf/version-numbers.conf +OPENJDK_UPSTREAM_TAG_EPOCH="$(stat --format=%Y "${VERSION_FILE}")" + +function buildjdk() { + local outputdir=${1} + local buildjdk=${2} + local maketargets="${3}" + local debuglevel=${4} + local link_opt=${5} + local debug_symbols=${6} + + local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} + local top_dir_abs_build_path=$(pwd)/${outputdir} + + # This must be set using the global, so that the + # static libraries still use a dynamic stdc++lib + if [ "x%{link_type}" = "xbundled" ] ; then + libc_link_opt="static"; + else + libc_link_opt="dynamic"; + fi + + echo "Using output directory: ${outputdir}"; + echo "Checking build JDK ${buildjdk} is operational..." + ${buildjdk}/bin/java -version + echo "Using make targets: ${maketargets}" + echo "Using debuglevel: ${debuglevel}" + echo "Using link_opt: ${link_opt}" + echo "Using debug_symbols: ${debug_symbols}" + echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" + + mkdir -p ${outputdir} + pushd ${outputdir} + + # Note: zlib and freetype use %%{link_type} + # rather than ${link_opt} as the system versions + # are always used in a system_libs build, even + # for the static library build + bash ${top_dir_abs_src_path}/configure \ +%ifarch %{zero_arches} + --with-jvm-variants=zero \ +%endif + --with-cacerts-file=$(readlink -f %{_sysconfdir}/pki/java/cacerts) \ + --with-version-build=%{buildver} \ + --with-version-pre="%{ea_designator}" \ + --with-version-opt="%{lts_designator}" \ + --with-vendor-version-string="%{oj_vendor_version}" \ + --with-vendor-name="%{oj_vendor}" \ + --with-vendor-url="%{oj_vendor_url}" \ + --with-vendor-bug-url="%{oj_vendor_bug_url}" \ + --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ + --with-boot-jdk=${buildjdk} \ + --with-debug-level=${debuglevel} \ + --with-native-debug-symbols="${debug_symbols}" \ + --disable-sysconf-nss \ + --enable-unlimited-crypto \ + --with-zlib=%{link_type} \ + --with-freetype=%{link_type} \ + --with-libjpeg=${link_opt} \ + --with-giflib=${link_opt} \ + --with-libpng=${link_opt} \ + --with-lcms=${link_opt} \ + --with-harfbuzz=${link_opt} \ + --with-stdc++lib=${libc_link_opt} \ + --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ + --with-extra-cflags="$EXTRA_CFLAGS" \ + --with-extra-ldflags="%{ourldflags}" \ + --with-num-cores="$NUM_PROC" \ + --with-source-date=version \ + --disable-javac-server \ +%ifarch %{zgc_arches} + --with-jvm-features=zgc \ +%endif + --disable-warnings-as-errors + + cat spec.gmk + make LOG=trace $maketargets || \ + ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) + + popd +} + +function stripjdk() { + local outputdir=${1} + local jdkimagepath=images/%{jdkimage} + local jreimagepath=images/%{jreimage} + local jmodimagepath=images/jmods + local modulefile=lib/modules + local supportdir=${outputdir}/support + local modulebuildpath=${outputdir}/jdk/modules + local jdkoutdir=${outputdir}/${jdkimagepath} + local jreoutdir=${outputdir}/${jreimagepath} + + if [ "x$suffix" = "x" ] ; then + # Keep the unstripped version for consumption by RHEL RPMs + cp -a ${jdkoutdir}{,.unstripped} + + # Strip the files + for file in $(find ${jdkoutdir} ${jreoutdir} ${supportdir} ${modulebuildpath} -type f) ; do + if file ${file} | cut -d ':' -f 2 | grep -q 'ELF'; then + noextfile=${file/.so/}; + objcopy --only-keep-debug ${file} ${noextfile}.debuginfo; + objcopy --add-gnu-debuglink=${noextfile}.debuginfo ${file}; + strip -g ${file}; + fi + done + + # Rebuild jmod files against the stripped binaries + if [ ! -d ${supportdir} ] ; then + echo "Support directory missing."; + exit 15 + fi + # Build the java.base jmod a third time to fix the hashes of dependent jmods + for cmd in $(find ${supportdir}/${jmodimagepath} -name '*.jmod_exec.cmdline') \ + ${supportdir}/${jmodimagepath}/*java.base*exec.cmdline ; do + pre=${cmd/_exec/_pre}; + post=${cmd/_exec/_post}; + jmod=$(echo ${cmd}|sed 's#.*_create_##'|sed 's#_exec.cmdline##') + echo "Rebuilding ${jmod} against stripped binaries..."; + if [ -e ${pre} ] ; then + echo -e "Executing ${pre}...\n$(cat ${pre})"; + cat ${pre} | sh -s ; + fi + echo "Executing ${cmd}...$(cat ${cmd})"; + cat ${cmd} | sh -s ; + if [ -e ${post} ] ; then + echo -e "Executing ${post}...\n$(cat ${post})"; + cat ${post} | sh -s ; + fi + done + + # Rebuild the image with the stripped modules + for image in ${jdkimagepath} ${jreimagepath} ; do + outdir=${outputdir}/${image}; + jlink=${supportdir}/${image}/_jlink*_exec.cmdline; + # Backup the existing image as it contains + # files not generated by jlink + mv ${outdir}{,.bak}; + # Regenerate the image using the command + # generated using the initial build + echo -e "Executing ${jlink}...\n$(cat ${jlink})"; + cat ${jlink} | sh -s; + # Move the new jmods and module file from the new + # image to the old one + if [ -e ${outdir}.bak/jmods ] ; then + rm -rf ${outdir}.bak/jmods; + mv ${outdir}/jmods ${outdir}.bak; + fi + rm -f ${outdir}.bak/${modulefile}; + mv ${outdir}/${modulefile} ${outdir}.bak/$(dirname ${modulefile}); + # Restore the original image + rm -rf ${outdir}; + mv ${outdir}{.bak,}; + # Update the CDS archives + for cmd in ${supportdir}/${image}/*_gen_cds*_exec.cmdline ; do + echo -e "Executing ${cmd}...\n$(cat ${cmd})"; + cat ${cmd} | sh -s; + done + done + fi +} + +function installjdk() { + local outputdir=${1} + local installdir=${2} + local jdkimagepath=${installdir}/images/%{jdkimage} + local jreimagepath=${installdir}/images/%{jreimage} + local unstripped=${jdkimagepath}.unstripped + + echo "Installing build from ${outputdir} to ${installdir}..." + mkdir -p ${installdir} + echo "Installing images..." + mv ${outputdir}/images ${installdir} + if [ -d ${outputdir}/bundles ] ; then + echo "Installing bundles..."; + mv ${outputdir}/bundles ${installdir} ; + fi + +%if !%{with artifacts} + echo "Removing output directory..."; + rm -rf ${outputdir} +%endif + + # legacy-jre-image target does not install any man pages for the JRE + # We copy the jdk man directory and then remove pages for binaries that + # don't exist in the JRE + cp -a ${jdkimagepath}/man ${jreimagepath} + for manpage in $(find ${jreimagepath}/man -name '*.1'); do + filename=$(basename ${manpage}); + binary=${filename/.1/}; + if [ ! -f ${jreimagepath}/bin/${binary} ] ; then + echo "Removing ${manpage} from JRE for which no binary ${binary} exists"; + rm -f ${manpage}; + fi; + done + + for imagepath in ${jdkimagepath} ${jreimagepath} ${unstripped}; do + + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; + + # Install local files which are distributed with the JDK + install -m 644 %{SOURCE10} ${imagepath} + install -m 644 nss.cfg ${imagepath}/conf/security/ + + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd + + # Print release information + cat ${imagepath}/release + fi + done +} + +function genchecksum() { + local checkedfile=${1} + + checkdir=$(dirname ${1}) + checkfile=$(basename ${1}) + + echo "Generating checksum for ${checkfile} in ${checkdir}..." + pushd ${checkdir} + sha256sum ${checkfile} > ${checkfile}.sha256sum + sha256sum --check ${checkfile}.sha256sum + popd +} + +function packagejdk() { + local imagesdir=$(pwd)/${1}/images + local docdir=$(pwd)/${1}/images/docs + local bundledir=$(pwd)/${1}/bundles + local packagesdir=$(pwd)/${2} + local srcdir=$(pwd)/%{top_level_dir_name} + local tapsetdir=$(pwd)/tapset + # See https://reproducible-builds.org/docs/archives/ + # RHEL-7 has tar 1.26 which does not support --sort=name, so use + # find-piped-through-sort instead. Omit --pax-option since it + # made the docs package not reproducible due to PaxHeaders + # timestamp differences. + local tar_opts="--mtime=@${OPENJDK_UPSTREAM_TAG_EPOCH} \ + --owner=0 \ + --group=0 \ + --numeric-owner \ + --no-recursion \ + --null \ + --files-from - \ + --create \ + --xz \ + --file" + + echo "Packaging build from ${imagesdir} to ${packagesdir}..." + mkdir -p ${packagesdir} + pushd ${imagesdir} + + if [ "x$suffix" = "x" ] ; then + nameSuffix="" + else + nameSuffix=`echo "$suffix"| sed s/-/./` + fi + + jdkname=%{jdkportablename -- "$nameSuffix"} + jdkarchive=${packagesdir}/%{jdkportablearchive -- "$nameSuffix"} + jrename=%{jreportablename -- "$nameSuffix"} + jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"} + staticname=%{staticlibsportablename -- "$nameSuffix"} + staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"} + + if [ "x$suffix" = "x" ] ; then + unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"} + + # Keep the unstripped version for consumption by RHEL RPMs + mv %{jdkimage}.unstripped ${jdkname} + find ${jdkname} -print0 | LC_ALL=C sort -z | tar ${tar_opts} ${unstrippedarchive} + genchecksum ${unstrippedarchive} + mv ${jdkname} %{jdkimage}.unstripped + fi + + # Rename directories for packaging + mv %{jdkimage} ${jdkname} + mv %{jreimage} ${jrename} + + # Release images have external debug symbols + if [ "x$suffix" = "x" ] ; then + debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"} + # We only use docs for the release build + docname=%{docportablename} + docarchive=${packagesdir}/%{docportablearchive} + built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip + # These are from the source tree so no debug variants + miscname=%{miscportablename} + miscarchive=${packagesdir}/%{miscportablearchive} + + find ${jdkname} -name \*.debuginfo -print0 | LC_ALL=C sort -z | tar ${tar_opts} ${debugarchive} + genchecksum ${debugarchive} + + mkdir ${docname} + mv ${docdir} ${docname} + mv ${bundledir}/${built_doc_archive} ${docname} + find ${docname} -print0 | LC_ALL=C sort -z | tar ${tar_opts} ${docarchive} + genchecksum ${docarchive} + + mkdir ${miscname} + for s in 16 24 32 48 ; do + cp -av ${srcdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ${miscname} + done + cp -a ${srcdir}/src/sample ${miscname} +%if %{with_systemtap} + cp -a ${tapsetdir}* ${miscname} +%endif + find ${miscname} -print0 | LC_ALL=C sort -z | tar ${tar_opts} ${miscarchive} + genchecksum ${miscarchive} + fi + + find ${jdkname} -print0 | LC_ALL=C sort -z | tar --exclude='**.debuginfo' ${tar_opts} ${jdkarchive} + genchecksum ${jdkarchive} + + find ${jrename} -print0 | LC_ALL=C sort -z | tar --exclude='**.debuginfo' ${tar_opts} ${jrearchive} + genchecksum ${jrearchive} + +%if %{include_staticlibs} + # Static libraries (needed for building graal vm with native image) + # Tar as overlay. Transform to the JDK name, since we just want to "add" + # static libraries to that folder + find "%{static_libs_image}/lib" -print0 | LC_ALL=C sort -z \ + | tar --transform "s|^%{static_libs_image}/lib/*|${staticname}/lib/static/linux-%{archinstall}/glibc/|" ${tar_opts} ${staticarchive} + genchecksum ${staticarchive} +%endif + + # Revert directory renaming so testing will run + # TODO: testing should run on the packaged JDK + mv ${jdkname} %{jdkimage} + mv ${jrename} %{jreimage} + + popd #images + +} + +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" "internal" + mv build/newboot/jdk/lib/%{vm_variant}/libjvm.so newboot/lib/%{vm_variant} +%else + systemjdk=%{bootjdk} +%endif + +for suffix in %{build_loop} ; do + + if [ "x$suffix" = "x" ] ; then + debugbuild=release + else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` + fi + # We build with internal debug symbols and do + # our own stripping for one version of the + # release build + debug_symbols=internal + + builddir=%{buildoutputdir -- ${suffix}} + bootbuilddir=boot${builddir} + installdir=%{installoutputdir -- ${suffix}} + bootinstalldir=boot${installdir} + packagesdir=%{packageoutputdir -- ${suffix}} + + link_opt="%{link_type}" +%if %{system_libs} + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full +%endif + # Debug builds don't need same targets as release for + # build speed-up. We also avoid bootstrapping these + # slower builds. + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + run_bootstrap=false + else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} + fi + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} ${debug_symbols} + installjdk ${bootbuilddir} ${bootinstalldir} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} + stripjdk ${builddir} + installjdk ${builddir} ${installdir} + %{!?with_artifacts:rm -rf ${bootinstalldir}} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} + stripjdk ${builddir} + installjdk ${builddir} ${installdir} + fi + packagejdk ${installdir} ${packagesdir} + +%if %{system_libs} + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} +%endif + +# build cycles +done # end of release / debug cycle loop + +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{build_loop} ; do + +# portable builds have static_libs embedded, thus top_dir_abs_main_build_path is same as top_dir_abs_staticlibs_build_path +top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}} +%if %{include_staticlibs} +top_dir_abs_staticlibs_build_path=${top_dir_abs_main_build_path} +%endif + +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + +# Pre-test setup + +# System security properties are disabled by default on portable. +# Turn on system security properties +#sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ +#${JAVA_HOME}/conf/security/java.security + +# Check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +%endif + +# Only test on one architecture (the fastest) for Java only tests +%ifarch %{jdk_test_arch} + +# Check unlimited policy has been used +$JAVA_HOME/bin/javac -d . %{SOURCE13} +$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + +# Check ECC is working +$JAVA_HOME/bin/javac -d . %{SOURCE14} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + +# Check system crypto (policy) is active and can be disabled +# Test takes a single argument - true or false - to state whether system +# security properties are enabled or not. +$JAVA_HOME/bin/javac -d . %{SOURCE15} +export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") +export SEC_DEBUG="-Djava.security.debug=properties" +# Specific to portable:System security properties to be off by default +$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false +$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + +# Check correct vendor values have been set +$JAVA_HOME/bin/javac -d . %{SOURCE16} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" + +%if ! 0%{?flatpak} +# Check translations are available for new timezones (during flatpak builds, the +# tzdb.dat used by this test is not where the test expects it, so this is +# disabled for flatpak builds) +# Disable test until we are on the latest JDK +$JAVA_HOME/bin/javac -d . %{SOURCE18} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE +$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +%endif + +# Check blocked.certs is valid (OPENJDK-4362) +jtreg_test=$(pwd)/%{top_level_dir_name}/test/jdk/sun/security/lib/CheckBlockedCerts.java +jtreg_dir=$(dirname ${jtreg_test}) +$JAVA_HOME/bin/java --add-exports java.base/sun.security.util=ALL-UNNAMED -Dtest.src=${jtreg_dir} ${jtreg_test} + +# Check src.zip has all sources. See RHBZ#1130490 +unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' + +# Check class files include useful debugging information +$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" +$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable +$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable + +# Check generated class files include useful debugging information +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable + +%else + +# Just run a basic java -version test on other architectures +$JAVA_HOME/bin/java -version + +%endif + +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + +%if %{include_staticlibs} +# Check debug symbols in static libraries (smoke test) +export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} +ls -l $STATIC_LIBS_HOME +ls -l $STATIC_LIBS_HOME/lib +readelf --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet4AddressImpl.c +readelf --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet6AddressImpl.c +%endif + +# Release builds strip the debug symbols into external .debuginfo files +if [ "x$suffix" = "x" ] ; then + so_suffix="debuginfo" +else + so_suffix="so" +fi +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp and .S files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# Using line number 1 might cause build problems. See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +gdb -q "$JAVA_HOME/bin/java" < - 1:17.0.18.0.8-2 +- Add test to ensure blocked.certs is valid (OPENJDK-4362) +- Handle 'upgrade' as an alternative to 'update' in openjdk_news.sh + +* Wed Feb 11 2026 Thomas Fitzsimmons - 1:17.0.18.0.8-2 +- Set rpmrelease to 2 +- Set fipsver to e1780dd5d39 + +* Fri Jan 16 2026 Thomas Fitzsimmons - 1:17.0.18.0.8-1 +- Update to jdk-17.0.18+8 (GA) +- Add to .gitignore openjdk-17.0.18+8.tar.xz +- Set buildver to 8 +- Set is_ga to 1 +- Update sources to openjdk-17.0.18+8.tar.xz +- ** This tarball is embargoed until 2026-01-20 @ 1pm PT. ** +- Update NEWS for jdk-17.0.18+8 (GA) + +* Tue Jan 13 2026 Thomas Fitzsimmons - 1:17.0.18.0.7-0.1.ea +- Update to jdk-17.0.18+7 (EA) +- Add to .gitignore openjdk-17.0.18+7-ea.tar.xz +- Set updatever to 18 +- Set buildver to 7 +- Set is_ga to 0 +- Update sources to openjdk-17.0.18+7-ea.tar.xz +- Set bundled libpng version to 1.6.51 +- Adjust attributes in nss.fips.cfg.in in fips-17u-df4c415ac9a.patch +- Related: OPENJDK-4013 +- Related: RHEL-122136 +- Update NEWS for jdk-17.0.18+7 (EA) + +* Thu Oct 16 2025 Andrew Hughes - 1:17.0.17.0.10-1 +- Update NEWS for jdk-17.0.17+10 (GA) +- Move prior JDK-8309841 release note to appropriate section + +* Tue Oct 14 2025 Thomas Fitzsimmons - 1:17.0.17.0.10-1 +- Update to jdk-17.0.17+10 (GA) +- Add to .gitignore openjdk-17.0.17+10.tar.xz +- Set buildver to 10 +- Set is_ga to 1 +- Update sources to openjdk-17.0.17+10.tar.xz +- ** This tarball is embargoed until 2025-10-21 @ 1pm PT. ** + +* Thu Sep 18 2025 Thomas Fitzsimmons - 1:17.0.17.0.7-0.1.ea +- Update to jdk-17.0.17+7 (EA) +- Add to .gitignore openjdk-17.0.17+7-ea.tar.xz +- Set updatever to 17 +- Set buildver to 7 +- Set is_ga to 0 +- Update sources to openjdk-17.0.17+7-ea.tar.xz +- Set bundled harfbuzz version to 11.2.0 +- Update NEWS for jdk-17.0.17+7 (EA) + +* Mon Jul 21 2025 Thomas Fitzsimmons - 1:17.0.16.0.8-1 +- Synchronize openjdk_news.sh from java-21-openjdk vanilla branch +- Resolves: OPENJDK-3950 + +* Wed Jul 09 2025 Andrew Hughes - 1:17.0.16.0.8-1 +- Update NEWS for jdk-17.0.16+8 (GA) + +* Wed Jul 09 2025 Thomas Fitzsimmons - 1:17.0.16.0.8-1 +- Report timezone data (tz) updates in openjdk_news.sh +- Related: OPENJDK-3950 + +* Wed Jul 09 2025 Andrew Hughes - 1:17.0.16.0.8-1 +- Update get_bundle_versions.sh to match other scripts +- * get_bundle_versions.sh: Add license +- * get_bundle_versions.sh: Set compile-command in Emacs +- * get_bundle_versions.sh: Use different error codes for different failures +- * get_bundle_versions.sh: Remove unneeded '.' in JPEG version +- * get_bundle_versions.sh: shellcheck: Double-quote variable references (SC2086) +- * get_bundle_versions.sh: shellcheck: Drop use of cat and pass file to awk directly (SC2002) +- Add OpenJDK 8u support to get_bundle_versions.sh +- Print bundle updates and backouts at end of openjdk_news.sh output +- Refer user to get_bundle_versions.sh when bundle updates are found by openjdk_news.sh +- Related: OPENJDK-3950 + +* Wed Jul 09 2025 Antonio Vieiro - 1:17.0.16.0.8-1 +- Add script to obtain bundled library versions from OpenJDK sources +- Related: OPENJDK-3950 + +* Wed Jul 09 2025 Thomas Fitzsimmons - 1:17.0.16.0.8-1 +- Update to jdk-17.0.16+8 +- Add to .gitignore openjdk-17.0.16+8.tar.xz +- Set buildver to 8 +- Set is_ga to 1 +- Update sources to openjdk-17.0.16+8.tar.xz +- ** This tarball is embargoed until 2025-07-15 @ 1pm PT. ** + +* Tue Jun 24 2025 Thomas Fitzsimmons - 1:17.0.16.0.7-0.1.ea +- Update to jdk-17.0.16+7 (EA) +- Add to .gitignore openjdk-17.0.16+7-ea.tar.xz +- Set updatever to 16 +- Set buildver to 7 +- Set is_ga to 0 +- Update sources to openjdk-17.0.16+7-ea.tar.xz +- Set bundled lcms2 version to 2.17.0 +- Set bundled freetype version to 2.13.3 +- Set bundled harfbuzz version to 10.4.0 +- Set bundled libpng version to 1.6.47 +- Update NEWS for jdk-17.0.16+7 (EA) + +* Thu Apr 10 2025 Andrew Hughes - 1:17.0.15.0.6-1 +- Update NEWS for jdk-17.0.15+6 (GA) + +* Thu Apr 10 2025 Thomas Fitzsimmons - 1:17.0.15.0.6-1 +- Update to jdk-17.0.15+6 (GA) +- Add to .gitignore openjdk-17.0.15+6.tar.xz +- Set buildver to 6 +- Set rpmrelease to 1 +- Set is_ga to 1 +- Update sources to openjdk-17.0.15+6.tar.xz +- ** This tarball is embargoed until 2025-04-15 @ 1pm PT. ** + +* Mon Apr 7 2025 Andrew Hughes - 1:17.0.15.0.5-0.2.ea +- Add missing jdk-17.0.15+5 (EA) NEWS entries +- Add release note for JDK-8346587 to NEWS +- Set rpmrelease to 2 + +* Sun Apr 6 2025 Thomas Fitzsimmons - 1:17.0.15.0.5-0.1.ea +- Update FIPS patch + +* Fri Apr 4 2025 Andrew Hughes - 1:17.0.15.0.5-0.1.ea +- Update NEWS for jdk-17.0.15+5 (EA) + +* Fri Apr 4 2025 Thomas Fitzsimmons - 1:17.0.15.0.5-0.1.ea +- Update to jdk-17.0.15+5 (EA) +- Add to .gitignore openjdk-17.0.15+5-ea.tar.xz +- Set updatever to 15 +- Set buildver to 5 +- Set is_ga to 0 +- Update sources to openjdk-17.0.15+5-ea.tar.xz + +* Mon Jan 13 2025 Thomas Fitzsimmons - 1:17.0.14.0.7-1 +- Update to jdk-17.0.14+7 (GA) +- Add to .gitignore openjdk-17.0.14+7.tar.xz +- Set buildver to 7 +- Set is_ga to 1 +- Update sources to openjdk-17.0.14+7.tar.xz +- Sync NEWS from private-gnu_andrew-rhel-8.5-vanilla +- ** This tarball is embargoed until 2025-01-21 @ 1pm PT. ** + +* Fri Nov 29 2024 Andrew Hughes - 1:17.0.14.0.1-0.1.ea +- Move unstripped, misc and doc tarball handling into normal build / no suffix blocks +- Resolves: OPENJDK-3218 +- Limit Java only tests to one architecture using jdk_test_arch +- Resolves: OPENJDK-3185 + +* Fri Nov 29 2024 Thomas Fitzsimmons - 1:17.0.14.0.1-0.1.ea +- Update to jdk-17.0.14+1 (EA) +- Add to .gitignore openjdk-17.0.14+1-ea.tar.xz +- Set updatever to 14 +- Set buildver to 1 +- Set is_ga to 0 +- Update sources to openjdk-17.0.14+1-ea.tar.xz +- Update NEWS for jdk-17.0.14+1 (EA) +- Double percent signs consistently throughout comments +- Set bundled giflib provide version to 5.2.2 +- Set bundled libpng provide version to 1.6.43 +- Warn about bundled provide version bumps and backouts in openjdk_news.sh +- Support two digit suffixes in portablename macro sed expressions +- Remove 0001-8332174-Remove-2-unpaired-RLO-Unicode-characters-in-.patch file +- Revert: Use component in EPEL and Fedora bug URLs + +* Tue Oct 8 2024 Thomas Fitzsimmons - 1:17.0.13.0.11-1 +- Update NEWS for jdk-17.0.13+11 (GA) + +* Mon Oct 7 2024 Thomas Fitzsimmons - 1:17.0.13.0.11-1 +- Update to jdk-17.0.13+11 (GA) +- Add to .gitignore openjdk-17.0.13+11.tar.xz +- Set buildver to 11 +- Set is_ga to 1 +- Update sources to openjdk-17.0.13+11.tar.xz +- ** This tarball is embargoed until 2024-10-15 @ 1pm PT. ** + +* Thu Oct 3 2024 Thomas Fitzsimmons - 1:17.0.13.0.10-0.1.ea +- Update to jdk-17.0.13+10 (EA) +- Add to .gitignore openjdk-17.0.13+10-ea.tar.xz +- Set buildver to 10 +- Update sources to openjdk-17.0.13+10-ea.tar.xz +- Update NEWS for jdk-17.0.13+10 + +* Wed Oct 2 2024 Thomas Fitzsimmons - 1:17.0.13.0.9-0.1.ea +- Update to jdk-17.0.13+9 (EA) +- Add to .gitignore openjdk-17.0.13+9-ea.tar.xz +- Set buildver to 9 +- Set rpmrelease to 1 +- Update sources to openjdk-17.0.13+9-ea.tar.xz +- Update NEWS for jdk-17.0.13+9 + +* Tue Sep 17 2024 Thomas Fitzsimmons - 1:17.0.13.0.1-0.2.ea +- Set rpmrelease to 2 + +* Fri Aug 2 2024 Thomas Fitzsimmons - 1:17.0.13.0.1-0.1.ea +- Update to jdk-17.0.13+1 (EA) +- Update .gitignore to ignore openjdk-17.0.13+1-ea.tar.xz +- Set updatever to 13 +- Set buildver to 1 +- Set is_ga to 0 +- Update sources to openjdk-17.0.13+1-ea.tar.xz +- Update NEWS for 17.0.13+1 (EA) +- Remove 0001-8332174-Remove-2-unpaired-RLO-Unicode-characters-in-.patch +- Related: OPENJDK-2904 + +* Fri Aug 02 2024 Andrew Hughes - 1:17.0.12.0.7-1 +- Default to without fresh_libjvm now that java-17-openjdk-17.0.11.0.9-2.el9 is in c9s-pending +- Related: CS-2390 + +* Wed Jul 10 2024 Thomas Fitzsimmons - 1:17.0.12.0.7-1 +- Update to jdk-17.0.12+7 (GA) +- Update .gitignore to ignore openjdk-17.0.12+7.tar.xz +- Update NEWS for 17.0.12+7 (GA) +- Set buildver to 7 +- Set rpmrelease to 1 +- Set is_ga to 1 +- Update sources to openjdk-17.0.12+7.tar.xz +- ** This tarball is embargoed until 2024-07-16 @ 1pm PT. ** + +* Mon Jul 08 2024 Andrew Hughes - 1:17.0.12.0.6-0.2.ea +- Adjusted DTLS NEWS entry style to match other entries + +* Mon Jul 8 2024 Andrew Hughes - 1:17.0.12.0.6-0.2.ea +- NEWS: Import 21 entries for JDK-8256660, JDK-8326891, JDK-8325496, + JDK-8281658, and JDK-8315503, use 21 formatting for JDK-8256660, + JDK-8316138 + +* Mon Jul 8 2024 Thomas Fitzsimmons - 1:17.0.12.0.6-0.2.ea +- Bump rpmrelease to 2 +- NEWS: Reword JDK-8256660 entry, add JDK-8316138 entry + +* Thu Jun 27 2024 Thomas Fitzsimmons - 1:17.0.12.0.6-0.1.ea +- Update to jdk-17.0.12+6 (EA) +- Update .gitignore to ignore openjdk-17.0.12+6-ea.tar.xz +- Update buildver to 6 +- Reset rpmrelease to 1 +- Update sources to openjdk-17.0.12+6-ea.tar.xz +- Update NEWS for 17.0.12+6 +- Remove --enable-compatible-cds-alignment configure option +- Resolves: OPENJDK-3134 + +* Wed Jun 26 2024 Thomas Fitzsimmons - 1:17.0.12.0.5-0.3.ea +- Add upstream patch that removes illegal RLO Unicode characters +- Related: OPENJDK-2904 + +* Mon Jun 24 2024 Thomas Fitzsimmons - 1:17.0.12.0.5-0.3.ea +- Add build requirement for zlib-devel +- Related: OPENJDK-3065 + +* Fri Jun 14 2024 Andrew Hughes - 1:17.0.12.0.5-0.3.ea +- Re-run jlink to regenerate the jmods directory and lib/modules with stripped libraries +- Resolves: OPENJDK-3055 + +* Fri Jun 14 2024 Thomas Fitzsimmons - 1:17.0.12.0.5-0.3.ea +- Bump rpmrelease to 3 + +* Fri Jun 14 2024 Thomas Fitzsimmons - 1:17.0.12.0.5-0.2.ea +- Delete fips-17u-d63771ea660.patch +- Use fips-17u-e893be00150.patch, rebased to jdk-17.0.12+2 +- fips-17u-e893be00150.patch was already committed with "Use 2.16.0...lcms2" +- Update fipsver to e893be00150 + +* Thu Jun 6 2024 Anton Bobrov - 1:17.0.12.0.5-0.2.ea +- generate_source_tarball.sh: Use tar exclude options for VCS files +- generate_source_tarball.sh: Improve VCS exclusion + +* Thu Jun 6 2024 Andrew Hughes - 1:17.0.12.0.5-0.2.ea +- generate_source_tarball.sh: Update examples in header for clarity +- generate_source_tarball.sh: Cleanup message issued when checkout already exists +- generate_source_tarball.sh: Create directory in TMPDIR when using WITH_TEMP +- generate_source_tarball.sh: Only add --depth=1 on non-local repositories +- icedtea_sync.sh: Reinstate from rhel-8.9.0 branch +- Move maintenance scripts to a scripts subdirectory +- discover_trees.sh: Set compile-command and indentation instructions for Emacs +- discover_trees.sh: shellcheck: Do not use -o (SC2166) +- discover_trees.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- discover_trees.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: Add authorship +- icedtea_sync.sh: Set compile-command and indentation instructions for Emacs +- icedtea_sync.sh: shellcheck: Double-quote variable references (SC2086) +- icedtea_sync.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: Set compile-command and indentation instructions for Emacs +- openjdk_news.sh: shellcheck: Double-quote variable references (SC2086) +- openjdk_news.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: shellcheck: Remove deprecated egrep usage (SC2196) +- generate_source_tarball.sh: Output values of new options WITH_TEMP and OPENJDK_LATEST +- generate_source_tarball.sh: Double-quote DEPTH reference (SC2086) +- generate_source_tarball.sh: Avoid empty DEPTH reference while still appeasing shellcheck + +* Mon Jun 3 2024 Thomas Fitzsimmons - 1:17.0.12.0.5-0.2.ea +- Bump rpmrelease to 2 +- Sync generate_source_tarball.sh from Fedora rawhide + +* Wed May 29 2024 Thomas Fitzsimmons - 1:17.0.12.0.5-0.1.ea +- Update to jdk-17.0.12+5 (EA) +- Update .gitignore to ignore openjdk-17.0.12+5-ea.tar.xz +- Update buildver to 5 +- Update sources to openjdk-17.0.12+5-ea.tar.xz +- Update NEWS for 17.0.12+5 + +* Wed May 29 2024 Thomas Fitzsimmons - 1:17.0.12.0.4-0.1.ea +- Change a fix-me comment to a note instead + +* Thu May 23 2024 Thomas Fitzsimmons - 1:17.0.12.0.4-0.1.ea +- Update to jdk-17.0.12+4 (EA) +- Update .gitignore to ignore openjdk-17.0.12+4-ea.tar.xz +- Update buildver to 4 +- Update sources to openjdk-17.0.12+4-ea.tar.xz +- Update NEWS for 17.0.12+4 + +* Wed May 22 2024 Thomas Fitzsimmons - 1:17.0.12.0.3-0.1.ea +- Update to jdk-17.0.12+3 (EA) +- Update .gitignore to ignore openjdk-17.0.12+3-ea.tar.xz +- Update buildver to 3 +- Update sources to openjdk-17.0.12+3-ea.tar.xz +- Update NEWS for 17.0.12+3 + +* Wed May 15 2024 Thomas Fitzsimmons - 1:17.0.12.0.2-0.1.ea +- Use component in EPEL and Fedora bug URLs +- Label as error a designator mismatch + +* Mon May 13 2024 Thomas Fitzsimmons - 1:17.0.12.0.2-0.1.ea +- Use lcms2.h for bundled provides version reference +- Use 2.16.0, not 2.16, for lcms2 version +- Use zlib.h for bundled provides version reference +- Use freetype.h for bundled provides version reference +- Remove remove-test-left-to-right-override-character.patch + +* Fri May 10 2024 Thomas Fitzsimmons - 1:17.0.12.0.2-0.1.ea +- Update to jdk-17.0.12+2 (EA) +- Update .gitignore to ignore openjdk-17.0.12+2-ea.tar.xz +- Update buildver to 2 +- Update sources to openjdk-17.0.12+2-ea.tar.xz +- Update NEWS for 17.0.12+2 +- Add --enable-compatible-cds-alignment configure option (OPENJDK-3007) +- Add remove-test-left-to-right-override-character.patch +- Add remove-test-left-to-right-override-character.patch file +- Remove tzdata build requires (OPENJDK-2843) + +* Fri May 10 2024 Thomas Fitzsimmons - 1:17.0.12.0.1-0.1.ea +- Update lcms2 version location comment +- Update lcms2 bundled provides to 2.16 +- Add zlib 1.3.1 bundled provides + +* Thu May 9 2024 Thomas Fitzsimmons - 1:17.0.12.0.1-0.1.ea +- Update to jdk-17.0.12+1 (EA) +- Update .gitignore to ignore openjdk-17.0.12+1-ea.tar.xz +- Bump updatever to 12 +- Reset buildver to 1 +- Reset rpmrelease to 1 +- Reset is_ga to 0 +- Update sources to openjdk-17.0.12+1-ea.tar.xz +- Update NEWS for 17.0.12+1 +- Fix fips-17u-d63771ea660.patch so that it applies to 17.0.12+1 + +* Thu Apr 18 2024 Andrew Hughes - 1:17.0.11.0.9-5 +- Bump rpmrelease to rebuild for CentOS 9 + +* Thu Apr 18 2024 Andrew Hughes - 1:17.0.11.0.9-4 +- Sync release notes with upstream version: https://bit.ly/openjdk17011 +- Turn off 'fresh_libjvm' until jdk-17.0.9 or later is in the CentOS buildroot + +* Wed Apr 10 2024 Thomas Fitzsimmons - 1:17.0.11.0.9-3 +- BuildRequires tzdata-java >= 2024a (JDK-8325150) + +* Wed Apr 10 2024 Thomas Fitzsimmons - 1:17.0.11.0.9-2 +- NEWS: Add CVEs +- NEWS: Remove backed out items from changes section +- NEWS: Remove release note for JDK-8225377, which was backed out + +* Tue Apr 9 2024 Thomas Fitzsimmons - 1:17.0.11.0.9-1 +- Update to jdk-17.0.11+9 (GA) +- Update NEWS for 17.0.11+9 +- Switch to GA mode for release +- ** This tarball is embargoed until 2024-04-16 @ 1pm PT. ** + +* Thu Apr 4 2024 Thomas Fitzsimmons - 1:17.0.11.0.7-0.1.ea +- Import like NEWS entries verbatim from 21.0.3 + +* Thu Mar 28 2024 Thomas Fitzsimmons - 1:17.0.11.0.7-0.1.ea +- Update to jdk-17.0.11+7 (EA) + +* Mon Mar 11 2024 Thomas Fitzsimmons - 1:17.0.11.0.6-0.1.ea +- Update to jdk-17.0.11+6 (EA) + +* Fri Mar 8 2024 Thomas Fitzsimmons - 1:17.0.11.0.5-0.1.ea +- Update to jdk-17.0.11+5 (EA) + +* Mon Feb 26 2024 Thomas Fitzsimmons - 1:17.0.11.0.4-0.1.ea +- Revert: Remove ExcludeArch to match java-21-openjdk + +* Wed Feb 21 2024 Thomas Fitzsimmons - 1:17.0.11.0.4-0.1.ea +- Update to jdk-17.0.11+4 (EA) + +* Wed Feb 14 2024 Thomas Fitzsimmons - 1:17.0.11.0.3-0.1.ea +- Update to jdk-17.0.11+3 (EA) + +* Fri Feb 9 2024 Thomas Fitzsimmons - 1:17.0.11.0.2-0.1.ea +- Remove RH1649512 patch for libjpeg-turbo FAR macro +- Add some patch commentary + +* Thu Feb 8 2024 Thomas Fitzsimmons - 1:17.0.11.0.2-0.1.ea +- Update to jdk-17.0.11+2 (EA) + +* Thu Feb 8 2024 Thomas Fitzsimmons - 1:17.0.11.0.1-0.2.ea +- generate_source_tarball.sh: Add license +- openjdk_news.sh: Use grep -E instead of egrep + +* Wed Feb 7 2024 Thomas Fitzsimmons - 1:17.0.11.0.1-0.2.ea +- Fix the quoting of hs_err_pid + +* Tue Feb 6 2024 Thomas Fitzsimmons - 1:17.0.11.0.1-0.2.ea +- Use RHEL-7 tar-1.26-compatible invocations for reproducible tarballs +- On RHEL-7 default to building without a fresh libjvm.so + +* Mon Feb 5 2024 Andrew Hughes - 1:17.0.11.0.1-0.2.ea +- Require tzdata 2023d due to local inclusion of JDK-8322725 + +* Mon Feb 5 2024 Thomas Fitzsimmons - 1:17.0.11.0.1-0.2.ea +- Bump rpmrelease to 2 +- Move _lto_cflags setting to match its java-21-openjdk location +- Remove ExcludeArch to match java-21-openjdk +- Update comment and whitespace to match java-21-openjdk +- Update NEWS +- Remove -T0 argument from systemtap tar invocation +- Indent a line in buildjdk +- Remove extra stripjdk from merge + +* Fri Feb 2 2024 Thomas Fitzsimmons - 1:17.0.11.0.1-0.1.ea +- Use --with-source-date=version (OPENJDK-2583, OPENJDK-2730) +- Update freetype bundled provides version from 2.13.0 to 2.13.2 +- Update harfbuzz bundled provides version from 7.2.0 to 8.2.2 +- Update libpng bundled provides version from 1.6.39 to 1.6.40 +- Related: OPENJDK-2730 + +* Thu Feb 1 2024 Jiri Vanek - 1:17.0.11.0.1-0.1.ea +- generate_source_tarball.sh: Update version in comment +- generate_source_tarball.sh: Remove trailing period in echo + +* Thu Feb 1 2024 Andrew Hughes - 1:17.0.11.0.1-0.1.ea +- BuildRequires javapackages-filesystem for _jvmdir macro +- Automatically turn off building a fresh HotSpot first, if the bootstrap JDK is not the same major version as that being built +- Update buildjdkver to match the featurever +- Use featurever macro to specify fips patch +- Check debug symbols in libnet.a static library as a smoke test +- Introduce vm_variant global for consistency with future JDK builds +- Related: rhbz#2203412 +- Introduce tar_opts to shorten tarball creation lines + +* Thu Feb 1 2024 Thomas Fitzsimmons - 1:17.0.11.0.1-0.1.ea +- NEWS: Add initial changes for 17.0.11 +- Sync whitespace and comments from java-21-openjdk.spec +- Sync macro definition ordering from java-21-openjdk.spec +- Correct rh1649512 patch name +- Fix comment to match RHEL 9.2.0 branch +- Fix icedteaver macro reference syntax +- Remove extra slash in use_shenandoah_hotspot JAVA_HOME expansion +- Explain patchN syntax situation in a comment +- generate_source_tarball.sh: Fix whitespace +- generate_source_tarball.sh: Skip -ga tags +- generate_source_tarball.sh: Get -ea suffix from version-numbers.conf +- generate_source_tarball.sh: Use git archive to generate tarball +- generate_source_tarball.sh: Add indentation instructions for Emacs +- Default to without fresh_libjvm now that 17.0.9.0.9-1 is staged +- double-build.bash: New file +- Parallelize xz across all available cores +- Remove ppc64le --with-jobs=1 workaround +- Make JAR file and portable tarball modification times reproducible + +* Wed Jan 31 2024 Thomas Fitzsimmons - 1:17.0.11.0.1-0.1.ea +- Update to jdk-17.0.11+1 (EA) + +* Thu Jan 11 2024 Andrew Hughes - 1:17.0.10.0.7-1 +- Update to jdk-17.0.10+7 (GA) +- Update release notes to 17.0.10+7 +- Move to -P usage for patch macro which works on all RPM versions +- Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release +- Switch to GA mode for release +- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. ** + +* Thu Jan 11 2024 Thomas Fitzsimmons - 1:17.0.10.0.6-0.1.ea +- generate_source_tarball.sh: Add note on network usage of OPENJDK_LATEST +- generate_source_tarball.sh: Remove unneeded fix-me + +* Thu Jan 11 2024 Andrew Hughes - 1:17.0.10.0.6-0.1.ea +- Update release notes to 17.0.10+6 +- Revert change to patch macro due to failure on RHEL 8 +- generate_source_tarball.sh: Add --sort=name to tar invocation for reproducibility + +* Tue Jan 9 2024 Thomas Fitzsimmons - 1:17.0.10.0.6-0.1.ea +- Update to jdk-17.0.10+6 (EA) +- fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch +- generate_source_tarball.sh: Add WITH_TEMP environment variable +- generate_source_tarball.sh: Multithread xz on all available cores +- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable +- generate_source_tarball.sh: Update comment about tarball naming +- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT +- generate_source_tarball.sh: Set compile-command in Emacs +- generate_source_tarball.sh: Reformat comment header +- generate_source_tarball.sh: Reformat and update help output +- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks +- generate_source_tarball.sh: Do a shallow clone, for speed +- generate_source_tarball.sh: Append -ea designator when required +- generate_source_tarball.sh: Eliminate some removal prompting +- generate_source_tarball.sh: Make tarball reproducible +- generate_source_tarball.sh: Prefix temporary directory with temp- +- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash +- generate_source_tarball.sh: shellcheck: Double-quote variable references +- generate_source_tarball.sh: shellcheck: Do not use -a +- generate_source_tarball.sh: shellcheck: Do not use $ in expression +- generate_source_tarball.sh: Remove temporary directory exit conditions + +* Sat Oct 28 2023 Andrew Hughes - 1:17.0.9.0.9-2 +- Add missing CVE and release note to sync local NEWS with upstream release announcements + +* Thu Oct 12 2023 Andrew Hughes - 1:17.0.9.0.9-1 +- Update to jdk-17.0.9+9 (GA) +- Update release notes to 17.0.9+9 +- Re-generate FIPS patch against 17.0.9+1 following backport of JDK-8209398 +- Bump libpng version to 1.6.39 following JDK-8305815 +- Bump HarfBuzz version to 7.2.0 following JDK-8307301 +- Bump freetype version to 2.13.0 following JDK-8306881 +- Update generate_tarball.sh to be closer to upstream vanilla script inc. no more ECC removal +- Sync generate_tarball.sh with 11u version +- Update bug URL for RHEL to point to the Red Hat customer portal +- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball +- Use upstream release URL for OpenJDK source +- Apply all patches using -p1 +- Temporarily turn off 'fresh_libjvm' due to removal of JVM_IsThreadAlive (JDK-8305425) +- ** This tarball is embargoed until 2023-10-17 @ 1pm PT. ** + +* Sat Sep 02 2023 Andrew Hughes - 1:17.0.8.1.1-2 +- Bump rpmrelease to rebuild for CentOS 9 +- pandoc is only available on RHEL/CentOS 8 + +* Sat Sep 02 2023 Andrew Hughes - 1:17.0.8.1.1-1 +- Update to jdk-17.0.8.1+1 (GA) +- Update release notes to 17.0.8.1+1 +- Add backport of JDK-8312489 already upstream in 17.0.10 (see OPENJDK-2095) +- Update openjdk_news script to specify subdirectory last +- Add missing discover_trees script required by openjdk_news + +* Fri Jul 14 2023 Andrew Hughes - 1:17.0.8.0.7-1 +- Update to jdk-17.0.8+7 (GA) +- Update release notes to 17.0.8+7 +- Switch to GA mode for final release. +- * This tarball is embargoed until 2023-07-18 @ 1pm PT. * + +* Thu Jul 13 2023 Andrew Hughes - 1:17.0.8.0.6-0.1.ea +- Update to jdk-17.0.8+6 (EA) +- Update release notes to 17.0.8+6 + +* Thu Jul 13 2023 Andrew Hughes - 1:17.0.8.0.1-0.3.ea +- Make sure the unstripped JDK is customised by the installjdk function + +* Wed Jul 12 2023 Andrew Hughes - 1:17.0.8.0.1-0.2.ea +- Rebuild jmods using the stripped binaries in release builds +- Resolves: OPENJDK-1974 + +* Tue Jul 04 2023 Andrew Hughes - 1:17.0.8.0.1-0.1.ea +- Use absolute path to tapset directory +- Drop unused globals for tapset installation + +* Tue Jul 04 2023 Andrew Hughes - 1:17.0.8.0.1-0.1.ea +- Re-enable SystemTap support and perform only substitutions possible without final NVR available +- Depend on graphviz & pandoc for full documentation support +- Fix typo which stops the EA designator being included in the build +- Include tapsets in the miscellaneous tarball + +* Mon Jul 03 2023 Andrew Hughes - 1:17.0.8.0.1-0.1.ea +- Update to jdk-17.0.8+1 (EA) +- Update release notes to 17.0.8+1 +- Switch to EA mode +- Drop local inclusion of JDK-8274864 & JDK-8305113 as they are included in 17.0.8+1 +- Bump bundled LCMS version to 2.15 as in jdk-17.0.8+1. +- Bump bundled HarfBuzz version to 7.0.1 as in jdk-17.0.8+1 + +* Tue Apr 25 2023 Andrew Hughes - 1:17.0.7.0.7-2 +- Update to jdk-17.0.7.0+7 +- Update release notes to 17.0.7.0+7 +- Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113 +- Reintroduce generate_source_tarball.sh from RHEL 9 +- Update generate_tarball.sh to add support for passing a boot JDK to the configure run +- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace +- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs +- Update FIPS support against 17.0.7+6 and bring in latest changes: +- * RH2134669: Add missing attributes when registering services in FIPS mode. +- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +- * RH1940064: Enable XML Signature provider in FIPS mode +- * RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized +- Fix trailing '.' in tarball name +- Use rpmrelease in vendor version to avoid inclusion of dist tag +- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. ** +- Resolves: rhbz#2185182 +- Resolves: rhbz#2134669 +- Resolves: rhbz#1940064 +- Resolves: rhbz#2173781 + +* Thu Apr 20 2023 Andrew Hughes - 1:17.0.6.0.10-7 +- Sync with existing RHEL 8 build, in order to start building portables on RHEL 8 +- Restore system bootstrap JDK (RHEL 8 has java-17-openjdk) +- Remove use of devtoolset (RHEL 8 native compilers should be sufficient) +- Explicitly exclude x86, as on RHEL RPMs + +* Tue Feb 21 2023 Andrew Hughes - 1:17.0.6.0.10-6 +- Add docs, icons and samples to the portable output +- Make sure generated checksums work and don't include full path +- The docs directory is a subdirectory of images, so remove confusing separate copying + +* Wed Feb 15 2023 Andrew Hughes - 1:17.0.6.0.10-5 +- Build with internal debuginfo as in RHEL and then create a stripped variant ourselves for the portable release build +- Restore compiler flags to those used in RHEL +- Drop unused static library patch +- Drop syslookup workaround which was fixed by JDK-8276572 over a year ago + +* Tue Feb 14 2023 Andrew Hughes - 1:17.0.6.0.10-4 +- Separate JDK packaging into a separate function +- Use variables to make it clearer what is going on +- Use a package output directory as we do for building and installing +- Workaround missing manpage directory in the JRE image + +* Sun Feb 12 2023 Andrew Hughes - 1:17.0.6.0.10-3 +- Adapt the portable build to use the same system library handling as RHEL builds + +* Sat Jan 14 2023 Andrew Hughes - 1:17.0.6.0.10-3 +- Add missing release note for JDK-8295687 +- Resolves: rhbz#2160111 + +* Fri Jan 13 2023 Andrew Hughes - 1:17.0.6.0.10-2 +- Update FIPS support to bring in latest changes +- * Add nss.fips.cfg support to OpenJDK tree +- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode +- * Remove forgotten dead code from RH2020290 and RH2104724 +- * OJ1357: Fix issue on FIPS with a SecurityManager in place +- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build +- Resolves: rhbz#2118493 + +* Fri Jan 13 2023 Stephan Bergmann - 1:17.0.6.0.10-2 +- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat +- Related: rhbz#2160111 + +* Wed Jan 11 2023 Andrew Hughes - 1:17.0.6.0.10-1 +- Update to jdk-17.0.6.0+10 +- Update release notes to 17.0.6.0+10 +- Re-enable EA upstream status check now it is being actively maintained. +- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream +- Drop JDK-8275535 local patch now this has been accepted and backported upstream +- Drop local copy of JDK-8293834 now this is upstream +- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804 +- Update TestTranslations.java to test the new America/Ciudad_Juarez zone +- ** This tarball is embargoed until 2023-01-17 @ 1pm PT. ** +- Resolves: rhbz#2160111 + +* Sat Oct 15 2022 Andrew Hughes - 1:17.0.5.0.8-2 +- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 +- Update CLDR data with Europe/Kyiv (JDK-8293834) +- Drop JDK-8292223 patch which we found to be unnecessary +- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream +- Related: rhbz#2160111 + +* Thu Oct 13 2022 Andrew Hughes - 1:17.0.5.0.8-1 +- Update to jdk-17.0.5+8 (GA) +- Update release notes to 17.0.5+8 (GA) +- Switch to GA mode for final release. +- * This tarball is embargoed until 2022-10-18 @ 1pm PT. * +- Resolves: rhbz#2133695 + +* Fri Sep 02 2022 Andrew Hughes - 1:17.0.4.1.1-2 +- Update FIPS support to bring in latest changes +- * RH2023467: Enable FIPS keys export +- * RH2104724: Avoid import/export of DH private keys +- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode +- * Build the systemconf library on all platforms +- * RH2048582: Support PKCS#12 keystores +- * RH2020290: Support TLS 1.3 in FIPS mode +- Resolves: rhbz#2123579 +- Resolves: rhbz#2123580 +- Resolves: rhbz#2123581 +- Resolves: rhbz#2123583 +- Resolves: rhbz#2123584 + +* Sun Aug 21 2022 Jayashree Huttanagoudar - 1:17.0.4.1.1-1 +- Added a missing change to portable NEWS file from upstream. + +* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-1 +- Update to jdk-17.0.4.1+1 +- Update release notes to 17.0.4.1+1 +- Add patch to provide translations for Europe/Kyiv added in tzdata2022b +- Add test to ensure timezones can be translated +- Resolves: rhbz#2119532 + +* Mon Jul 18 2022 Jayashree Huttanagoudar - 1:17.0.4.0.8-1 +- Commented out: fipsver f8142a23d0a which was from rhel-9-main +- Picked 17.0.4+8 GA tag from rhel-9.0.0 +- For Jul 2022 CPU fipsver is 765f970aef1 on rhel-9.0.0 + +* Mon Jul 18 2022 Andrew Hughes - 1:17.0.4.0.8-1 +- Update to jdk-17.0.4.0+8 (GA) +- Update release notes to 17.0.4.0+8 +- Need to include the '.S' suffix in debuginfo checks after JDK-8284661 +- Switch to GA mode for release +- ** This tarball is embargoed until 2022-07-19 @ 1pm PT. ** + +* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea +- Fix issue where CheckVendor.java test erroneously passes when it should fail. +- Add proper quoting so '&' is not treated as a special character by the shell. +- Related: rhbz#2084779 + +* Tue Jul 12 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.1.ea +- Tweaked line to print release information for portable + +* Tue Jul 12 2022 Andrew Hughes - 1:17.0.4.0.1-0.1.ea +- Update to jdk-17.0.4.0+1 +- Update release notes to 17.0.4.0+1 +- Switch to EA mode for 17.0.4 pre-release builds. +- Print release file during build, which should now include a correct SOURCE value from .src-rev +- Update tarball script with IcedTea GitHub URL and .src-rev generation +- Include script to generate bug list for release notes +- Update tzdata requirement to 2022a to match JDK-8283350 +- Move EA designator check to prep so failures can be caught earlier +- Make EA designator check non-fatal while upstream is not maintaining it +- Related: rhbz#2084218 + +* Thu Jun 30 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-8 +- Comment line for portable: System security properties to be off by default + +* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-8 +- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode +- Resolves: rhbz#2102433 + +* Wed Jun 29 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-7 +- System security properties are disabled by default on portable. +- Commented out lines which are not applicable for portable. + +* Wed Jun 29 2022 Andrew Hughes - 1:17.0.3.0.7-7 +- Update FIPS support to bring in latest changes +- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +- * RH2090378: Revert to disabling system security properties and FIPS mode support together +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Enable system security properties in the RPM (now disabled by default in the FIPS repo) +- Improve security properties test to check both enabled and disabled behaviour +- Run security properties test with property debugging on +- Resolves: rhbz#2099844 +- Resolves: rhbz#2100677 + +* Tue Jun 28 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-6 +- Removed upstreamed patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch + +* Sun Jun 12 2022 Andrew Hughes - 1:17.0.3.0.7-6 +- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- RH2023467: Enable FIPS keys export +- RH2094027: SunEC runtime permission for FIPS +- Resolves: rhbz#2029657 +- Resolves: rhbz#2096117 + +* Wed May 25 2022 Andrew Hughes - 1:17.0.3.0.7-5 +- Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build + +* Tue May 24 2022 Jiri Vanek - 1:17.0.3.0.7-4 +- to pass aqa, fixing genuie failure in : +- java/lang/SecurityManager/CheckAccessClassInPackagePermissions.java#CheckAccessClassInPackagePermissions +- javax/xml/crypto/dsig/FileSocketPermissions.java#FileSocketPermissions +- added and applied patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch +- this, properly named, patch must go to all our jdk17 builds, and to the fips repo + +* Thu May 19 2022 Jiri Vanek - 1:17.0.3.0.7-3 +- to pass aqa: +- removed copy system tzdb in favour of in-tree +- removed Patch2: rh1648644-java_access_bridge_privileged_security.patch +- This is not intended to release untill we decide proper steps + +* Thu May 19 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-2 +- Include BOOT_JDK for s390x for portable +- BOOT_JDK downlaoded form hydra as + java-17-temurin-17.0.3.7-0.private.ojdk17~upstream.hotspot.release.sdk.el7.s390x.tarxz + and renamed +- Added cosmetic changes to bypass a failure for s390x + +* Wed Apr 20 2022 Andrew Hughes - 1:17.0.3.0.7-1 +- April 2022 security update to jdk 17.0.3+7 +- Remove JDK-8284548 and JDK-8284920 they are upstreamed now +- Resolves: rhbz#2073579 + +* Sat Apr 16 2022 Andrew Hughes - 1:17.0.3.0.6-3 +- Add JDK-8284920 fix for XPath regression +- Related: rhbz#2073575 + +* Fri Apr 15 2022 Andrew Hughes - 1:17.0.3.0.6-2 +- Remove the patch jdk8283911-default_promoted_version_pre.patch which missed in previous commit +- JDK-8275082 should be listed as also resolving JDK-8278008 & CVE-2022-21476 +- Related: rhbz#2073575 + +* Mon Apr 11 2022 Andrew Hughes - 1:17.0.3.0.6-1 +- April 2022 security update to jdk 17.0.3+6 +- Update to jdk-17.0.3.0+6 pre-release tarball (17usec.17.0.3+5-220408) +- Add JDK-8284548 regression fix missing from pre-release tarball but in jdk-17.0.3+6/jdk-17.0.3-ga +- Update release notes to 17.0.3.0+6 +- Add missing README.md and generate_source_tarball.sh +- Introduce tests/tests.yml, based on the one in java-11-openjdk +- JDK-8283911 patch no longer needed now we're GA... +- Switch to GA mode for release +- ** This tarball is embargoed until 2022-04-19 @ 1pm PT. ** +- Resolves: rhbz#2073575 + +* Wed Apr 06 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea +- Update to jdk-17.0.3.0+5 +- Update release notes to 17.0.3.0+5 +- Resolves: rhbz#2050460 + +* Tue Mar 29 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea +- Update to jdk-17.0.3.0+1 +- Update release notes to 17.0.3.0+1 +- Switch to EA mode for 17.0.3 pre-release builds. +- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value +- Related: rhbz#2050456 + +* Mon Feb 28 2022 Jayashree Huttanagoudar - 1:17.0.2.0.8-10 +- Update icedtea_sync.sh with suitable message for portable + +* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-10 +- Restructure the build so a minimal initial build is then used for the final build (with docs) +- This reduces pressure on the system JDK and ensures the JDK being built can do a full build +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Handle Fedora in distro conditionals that currently only pertain to RHEL. +- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace +- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions. +- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) +- Need to support noarch for creating source RPMs for non-scratch builds. +- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment +- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK. +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Resolves: rhbz#2022822 + +* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-9 +- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +- Correction to previous changelog entry +- Resolves: rhbz#2052070 + +* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-8 +- Detect NSS at runtime for FIPS detection +- Resolves: rhbz#2051605 + +* Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-7 +- Add JDK-8275535 patch to fix LDAP authentication issue. +- Resolves: rhbz#2053521 + +* Tue Feb 08 2022 Andrew Hughes - 1:17.0.2.0.8-6 +- Minor cosmetic improvements to make spec more comparable between variants +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-5 +- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@ +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-4 +- Extend LTS check to exclude EPEL. +- Related: rhbz#2022822 + +* Tue Jan 18 2022 Andrew Hughes - 1:17.0.2.0.8-3 +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent + +* Mon Jan 17 2022 Andrew Hughes - 1:17.0.2.0.8-2 +- Fix FIPS issues in native code and with initialisation of java.security.Security +- Related: rhbz#2039366 + +* Wed Jan 12 2022 Andrew Hughes - 1:17.0.2.0.8-1 +- January 2022 security update to jdk 17.0.2+8 +- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java +- Resolves: rhbz#2039366 +- Minor change to the OUTPUT_FILE value to separate the name from the version with '-' + +* Mon Nov 29 2021 Severin Gehwolf - 1:17.0.1.0.12-3 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of nss +- Resolves: rhbz#2023537 + +* Tue Oct 26 2021 Andrew Hughes - 1:17.0.1.0.12-2 +- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1 +- October CPU update to jdk 17.0.1+12 +- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false +- Add patch to allow plain key import. + +* Mon Oct 25 2021 Jiri Vanek - 1:17.0.0.0.35-5 +- cacerts symlink is resolved before passed to configure +- https://issues.redhat.com/browse/OPENJDK-487 +- Disable FIPS mode detection using NSS in favour of using /proc/sys/crypto/fips_enabled for now, so we don't link against NSS +-- effectively disabled Patch1008: rh1929465-improve_system_FIPS_detection.patch by settng --enable-sysconf-nss to --disable-sysconf-nss +-- the enable-sysconf-nss was bringing in hard depndence on nss. Without nss, even in non fips, jvm had not even started + +* Thu Sep 30 2021 Jiri Vanek - 1:17.0.0.0.35-4 +- initial import, based on jdk11 portbale, merged with jdk17 rpms and java-latest-openjdk for epel7 diff --git a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch deleted file mode 100644 index 53026ad..0000000 --- a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- openjdk/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -304,6 +304,8 @@ - # - package.access=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # List of comma-separated packages that start with or equal this string -@@ -316,6 +318,8 @@ - # - package.definition=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # Determines whether this properties file can be appended to diff --git a/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch deleted file mode 100644 index 1b706a1..0000000 --- a/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch +++ /dev/null @@ -1,19 +0,0 @@ -Remove uses of FAR in jpeg code - -Upstream libjpeg-trubo removed the (empty) FAR macro: -http://sourceforge.net/p/libjpeg-turbo/code/1312/ - -Adjust our code to not use the undefined FAR macro anymore. - -diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c ---- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c -+++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c -@@ -1385,7 +1385,7 @@ - /* and fill it in */ - dst_ptr = icc_data; - for (seq_no = first; seq_no < last; seq_no++) { -- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; -+ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; - unsigned int length = - icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN; - diff --git a/SPECS/java-17-openjdk.spec b/SPECS/java-17-openjdk.spec index 79000e6..6f9e752 100644 --- a/SPECS/java-17-openjdk.spec +++ b/SPECS/java-17-openjdk.spec @@ -1,3 +1,8 @@ +# To rebuild this RPM, you must first rebuild the portable +# RPM using the java-17-openjdk-portable.specfile, install +# it and then adjust portablerelease and portablesuffix +# to match the new portable. + # RPM conditionals so as to be able to dynamically produce # slowdebug/release builds. See: # http://rpm.org/user_doc/conditional_builds.html @@ -22,7 +27,7 @@ # Enable static library builds by default. %bcond_without staticlibs # Build a fresh libjvm.so for use in a copy of the bootstrap JDK -%bcond_without fresh_libjvm +%bcond_with fresh_libjvm # Build with system libraries %bcond_with system_libs @@ -54,6 +59,10 @@ # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 +# To silence rpminspect's .symtab warnings due to this option, our +# rpminspect.yaml needs: +# debuginfo: +# debuginfo_sections: .debug_info .gdb_index %global _find_debuginfo_opts -g # With LTO flags enabled, debuginfo checks fail for some reason. Disable @@ -67,14 +76,10 @@ # (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) %global debug_suffix_unquoted -slowdebug %global fastdebug_suffix_unquoted -fastdebug -%global main_suffix_unquoted -main -%global staticlibs_suffix_unquoted -staticlibs # quoted one for shell operations %global debug_suffix "%{debug_suffix_unquoted}" %global fastdebug_suffix "%{fastdebug_suffix_unquoted}" %global normal_suffix "" -%global main_suffix "%{main_suffix_unquoted}" -%global staticlibs_suffix "%{staticlibs_suffix_unquoted}" %global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. %global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. @@ -102,7 +107,7 @@ # you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives # TODO - fix those hardcoded lists via single list # Those files must *NOT* be ghosted for *slowdebug* packages -# FIXME - if you are moving jshell or jlink or similar, always modify all three sections +# NOTE - if you are moving jshell or jlink or similar, always modify all three sections # you can check via headless and devels: # rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin # == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin @@ -110,9 +115,9 @@ # similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} %define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) -# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 -# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) -%global is_system_jdk 0 +# Indicates whether this is the default JDK on this version of RHEL +# Only the default/system JDK provides unversioned Provides like 'java', 'jre' and 'java-devel' +%global is_system_jdk 1 %global aarch64 aarch64 arm64 armv8 # we need to distinguish between big and little endian PPC64 @@ -137,9 +142,9 @@ # Set of architectures which support the serviceability agent %global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} # Set of architectures which support class data sharing -# See https://bugzilla.redhat.com/show_bug.cgi?id=513605 -# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT -%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{arm} s390x +# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific +# However, it does segfault on the Zero assembler port, so currently JIT only +%global share_arches %{jit_arches} # Set of architectures for which we build the Shenandoah garbage collector %global shenandoah_arches x86_64 %{aarch64} # Set of architectures for which we build the Z garbage collector @@ -150,6 +155,8 @@ %global svml_arches x86_64 # Set of architectures where we verify backtraces with gdb %global gdb_arches %{jit_arches} %{zero_arches} +# Architecture on which we run Java only tests +%global jdk_test_arch x86_64 # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} @@ -196,12 +203,6 @@ # Build and test slowdebug first as it provides the best diagnostics %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} -%if %{include_staticlibs} -%global staticlibs_loop %{staticlibs_suffix} -%else -%global staticlibs_loop %{nil} -%endif - %if 0%{?flatpak} %global bootstrap_build false %else @@ -236,6 +237,12 @@ # JDK to use for bootstrapping %global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk +# VM variant being built +# This is always 'server' on 17u which doesn't have JDK-8273494 +%global vm_variant server + +# debugedit tool for rewriting ELF file paths +%global debugedit %{_rpmconfigdir}/debugedit # Filter out flags from the optflags macro that cause problems with the OpenJDK build # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 @@ -321,12 +328,12 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 6 +%global updatever 18 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place -%global buildjdkver 17 +%global buildjdkver %{featurever} # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. %if 0%{?rhel} && !0%{?epel} @@ -350,26 +357,44 @@ %global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} %else %if 0%{?rhel} -%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} +%global oj_vendor_bug_url https://access.redhat.com/support/cases/ %else %global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi %endif %endif %endif -%global oj_vendor_version (Red_Hat-%{version}-%{release}) +%global oj_vendor_version (Red_Hat-%{version}-%{portablerelease}) # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 72d08e3226f +%global fipsver e1780dd5d39 +%global javaver %{featurever} +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} + +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) + +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK -%global top_level_dir_name %{origin} +%global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 9 -%global rpmrelease 3 +%global buildver 8 +%global rpmrelease 2 +# Settings used by the portable build +%global portablerelease 2 +# Portable suffix differs between RHEL and CentOS +%if 0%{?centos} == 0 +%global portablesuffix el8 +%else +%global portablesuffix el9 +%endif +%global portablebuilddir /builddir/build/BUILD + # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -382,24 +407,16 @@ # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} -%global javaver %{featurever} - -# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames -%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) - -# The tag used to create the OpenJDK tarball -%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} # Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 0 +%global is_ga 1 %if %{is_ga} %global build_type GA %global ea_designator "" -%global ea_designator_zip "" +%global ea_designator_zip %{nil} %global extraver %{nil} %global eaprefix %{nil} %else @@ -417,7 +434,7 @@ %global jdkimage jdk %global static_libs_image static-libs # output dir stub -%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk @@ -551,12 +568,15 @@ alternatives \\ --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ + --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\ --slave %{_mandir}/man1/java.1$ext java.1$ext \\ %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\ %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\ + %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ @@ -576,10 +596,6 @@ alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jre } %define post_headless() %{expand: -%ifarch %{share_arches} -%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null -%endif - update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : @@ -645,7 +661,6 @@ alternatives \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\ --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\ - --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\ --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\ --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\ --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\ @@ -672,8 +687,6 @@ alternatives \\ %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\ %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\ - %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\ %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\ @@ -801,6 +814,8 @@ exit 0 %define files_jre_headless() %{expand: %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{featurever}-openjdk-portable.specfile %dir %{_sysconfdir}/.java/.systemPrefs %dir %{_sysconfdir}/.java %dir %{_jvmdir}/%{sdkdir -- %{?1}} @@ -809,6 +824,7 @@ exit 0 %dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin %{_jvmdir}/%{sdkdir -- %{?1}}/bin/java %{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd %{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool %{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib @@ -872,11 +888,15 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/ +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/ %ifarch %{share_arches} -%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa +%attr(444, root, root) %{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/classes.jsa +%ifnarch %{ix86} %{arm32} +%attr(444, root, root) %{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/classes_nocoops.jsa +%endif %endif %dir %{etcjavasubdir} %dir %{etcjavadir -- %{?1}} @@ -916,13 +936,11 @@ exit 0 %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_bindir}/java -%ghost %{_bindir}/%{alt_java_name} %ghost %{_jvmdir}/jre +%ghost %{_bindir}/%{alt_java_name} +%ghost %{_bindir}/jcmd %ghost %{_bindir}/keytool -%ghost %{_bindir}/pack200 -%ghost %{_bindir}/rmid %ghost %{_bindir}/rmiregistry -%ghost %{_bindir}/unpack200 %ghost %{_jvmdir}/jre-%{origin} %ghost %{_jvmdir}/jre-%{javaver} %ghost %{_jvmdir}/jre-%{javaver}-%{origin} @@ -942,7 +960,6 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc %{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan @@ -979,7 +996,6 @@ exit 0 %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1* @@ -1007,7 +1023,6 @@ exit 0 %if %{is_release_build -- %{?1}} %ghost %{_bindir}/javac %ghost %{_jvmdir}/java -%ghost %{_jvmdir}/%{alt_java_name} %ghost %{_bindir}/jlink %ghost %{_bindir}/jmod %ghost %{_bindir}/jhsdb @@ -1015,15 +1030,16 @@ exit 0 %ghost %{_bindir}/jarsigner %ghost %{_bindir}/javadoc %ghost %{_bindir}/javap -%ghost %{_bindir}/jcmd %ghost %{_bindir}/jconsole %ghost %{_bindir}/jdb %ghost %{_bindir}/jdeps %ghost %{_bindir}/jdeprscan +%ghost %{_bindir}/jfr %ghost %{_bindir}/jimage %ghost %{_bindir}/jinfo %ghost %{_bindir}/jmap %ghost %{_bindir}/jps +%ghost %{_bindir}/jpackage %ghost %{_bindir}/jrunscript %ghost %{_bindir}/jshell %ghost %{_bindir}/jstack @@ -1097,6 +1113,9 @@ OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release %if 0%{?rhel} >= 8 || 0%{?fedora} > 0 Recommends: gtk3%{?_isa} %endif +%if 0%{?rhel} >= 9 +Recommends: pipewire%{?_isa} +%endif Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} @@ -1118,8 +1137,8 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -# 2022g required as of JDK-8297804 -Requires: tzdata-java >= 2022g +# 2025b required as of JDK-8352716 +Requires: tzdata-java >= 2025b # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} @@ -1244,6 +1263,8 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} Name: java-%{javaver}-%{origin} Version: %{newjavaver}.%{buildver} Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# Equivalent for the portable build +%global prelease %{?eaprefix}%{portablerelease}%{?extraver} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -1280,7 +1301,7 @@ URL: http://openjdk.java.net/ # The source tarball, generated using generate_source_tarball.sh -Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). @@ -1290,9 +1311,6 @@ Source8: tapsets-icedtea-%{icedteaver}.tar.xz # Desktop files. Adapted from IcedTea Source9: jconsole.desktop.in -# Release notes -Source10: NEWS - # nss configuration file Source11: nss.cfg.in @@ -1314,6 +1332,21 @@ Source16: CheckVendor.java # Ensure translations are available for new timezones Source18: TestTranslations.java +# Include portable spec and instructions on how to rebuild +Source19: README.md +Source20: java-%{featurever}-openjdk-portable.specfile +Source21: NEWS + +# Setup variables to reference correct sources +%global releasezip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.unstripped.jdk.%{_arch}.tar.xz +%global staticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.static-libs.%{_arch}.tar.xz +%global docszip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.docs.%{_arch}.tar.xz +%global misczip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.misc.%{_arch}.tar.xz +%global slowdebugzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.slowdebug.jdk.%{_arch}.tar.xz +%global slowdebugstaticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.slowdebug.static-libs.%{_arch}.tar.xz +%global fastdebugzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.fastdebug.jdk.%{_arch}.tar.xz +%global fastdebugstaticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.fastdebug.static-libs.%{_arch}.tar.xz + ############################################ # # RPM/distribution specific patches @@ -1328,44 +1361,52 @@ Patch600: rh1750419-redhat_alt_java.patch # Ignore AWTError when assistive technologies are loaded Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch -# Restrict access to java-atk-wrapper classes -Patch2: rh1648644-java_access_bridge_privileged_security.patch -Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch -# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo -Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch # Crypto policy and FIPS support patches # Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u -# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch +# as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes +# The following list is generated by: +# git log %%{vcstag}.. --no-merges --format=%%s --reverse # Fixes currently included: -# PR3183, RH1340845: Follow system wide crypto policy -# PR3695: Allow use of system crypto policy to be disabled by the user -# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +# PR3183, RH1340845: Support Fedora & RHEL system crypto policy +# PR3695: Allow system crypto policy enforcement to be toggled on/off +# RH1655466: Support global RHEL crypto policy +# RH1818909: Set default keystore type for PKCS11 provider in FIPS mode +# RH1860986: Disable TLSv1.3 in FIPS mode +# RH1915071: Always initialise configurator access.patch # RH1929465: Improve system FIPS detection -# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers -# RH1996182: Login to the NSS software token in FIPS mode -# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false -# RH2021263: Resolve outstanding FIPS issues -# RH2052819: Fix FIPS reliance on crypto policies -# RH2052829: Detect NSS at Runtime for FIPS detection +# RH1995150: Disable non-FIPS crypto in the SUN and SunEC providers +# RH1996182: Login to the NSS Software Token in FIPS Mode +# RH1929465: Don't define unused throwIOException function when using NSS detection +# RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access +# RH1991003: Enable the import of plain keys into the NSS software token. +# RH2021263: Return in C code after having generated Java exception +# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance +# RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support +# RH2051605: Detect NSS at Runtime for FIPS detection # RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode -# RH2023467: Enable FIPS keys export -# RH2094027: SunEC runtime permission for FIPS -# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage -# RH2090378: Revert to disabling system security properties and FIPS mode support together -# RH2104724: Avoid import/export of DH private keys -# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode -# Build the systemconf library on all platforms -# RH2048582: Support PKCS#12 keystores -# RH2020290: Support TLS 1.3 in FIPS mode -# Add nss.fips.cfg support to OpenJDK tree -# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode -# Remove forgotten dead code from RH2020290 and RH2104724 -Patch1001: fips-17u-%{fipsver}.patch +# RH2023467: Enable FIPS keys export (#1) +# Run workflows on pull request, as we are not using SKARA. +# RH2094027: SunEC runtime permission for FIPS (#5) +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage (#8) +# RH2090378: Revert to disabling system security properties and FIPS mode support together (#4) +# Use encoded space rather than quoting for JTReg JAVA_OPTIONS +# RH2104724: Avoid import/export of DH private keys (#14) +# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode (#16) +# Build the systemconf library on all platforms (#7) +# RH2048582: Support PKCS#12 keystores (#2) +# RH2020290: Support TLS 1.3 in FIPS mode (#13) +# Add nss.fips.cfg support to OpenJDK tree (#22) +# RH2117972 - Extend the support for NSS DBs (PKCS11) in FIPS mode (#17) +# Remove forgotten dead code from #13 and #14 (#21) +# Fix issue on FIPS with a SecurityManager in place (#25) +# RH2134669: Add missing attributes when registering services in FIPS mode. (#19) +# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27) +# RH1940064: Enable XML Signature provider in FIPS mode (#24) +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26) +# OPENJDK-4398: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY (#44) +Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# # @@ -1373,18 +1414,17 @@ Patch1001: fips-17u-%{fipsver}.patch # ############################################# -############################################# -# -# OpenJDK patches appearing in 17.0.3 -# -############################################# +# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo +Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch ############################################# # -# OpenJDK patches targetted for 17.0.6 +# OpenJDK patches which missed last update # ############################################# +# Currently empty + BuildRequires: autoconf BuildRequires: automake BuildRequires: alsa-lib-devel @@ -1412,13 +1452,26 @@ BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: javapackages-filesystem -BuildRequires: java-17-openjdk-devel +%if %{include_normal_build} +BuildRequires: java-%{featurever}-openjdk-portable-unstripped = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: java-%{featurever}-openjdk-portable-static-libs = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +%endif +%if %{include_fastdebug_build} +BuildRequires: java-%{featurever}-openjdk-portable-devel-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: java-%{featurever}-openjdk-portable-static-libs-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +%endif +%if %{include_debug_build} +BuildRequires: java-%{featurever}-openjdk-portable-devel-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: java-%{featurever}-openjdk-portable-static-libs-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +%endif +BuildRequires: java-%{featurever}-openjdk-portable-docs = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: java-%{featurever}-openjdk-portable-misc = %{epoch}:%{version}-%{prelease}.%{portablesuffix} # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2022g required as of JDK-8297804 -BuildRequires: tzdata-java >= 2022g +# 2025b required as of JDK-8352716 +BuildRequires: tzdata-java >= 2025b # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1434,21 +1487,22 @@ BuildRequires: harfbuzz-devel BuildRequires: lcms2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel +BuildRequires: zlib-devel %else # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h -Provides: bundled(freetype) = 2.12.1 +Provides: bundled(freetype) = 2.13.3 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h -Provides: bundled(giflib) = 5.2.1 +Provides: bundled(giflib) = 5.2.2 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h -Provides: bundled(harfbuzz) = 4.4.1 +Provides: bundled(harfbuzz) = 11.2.0 # Version in src/java.desktop/share/native/liblcms/lcms2.h -Provides: bundled(lcms2) = 2.12.0 +Provides: bundled(lcms2) = 2.17.0 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h Provides: bundled(libjpeg) = 6b # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h -Provides: bundled(libpng) = 1.6.37 -# We link statically against libstdc++ to increase portability -BuildRequires: libstdc++-static +Provides: bundled(libpng) = 1.6.51 +# Version in src/java.base/share/native/libzip/zlib/zlib.h +Provides: bundled(zlib) = 1.3.1 %endif # this is always built, also during debug-only build @@ -1808,18 +1862,29 @@ sh %{SOURCE12} %{top_level_dir_name} # Patch the JDK pushd %{top_level_dir_name} -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch6 -p1 +# This syntax is deprecated: +# %%patchN [...] +# and should be replaced with: +# %%patch -PN [...] +# For example: +# %%patch1001 -p1 +# becomes: +# %%patch -P1001 -p1 +# The replacement format suggested by recent (circa Fedora 38) RPM +# deprecation messages: +# %%patch N [...] +# is not backward-compatible with prior (circa RHEL-8) versions of +# rpmbuild. +%patch -P1 -p1 +%patch -P6 -p1 # Add crypto policy and FIPS support -%patch1001 -p1 +%patch -P1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security -%patch1000 -p1 +%patch -P1000 -p1 +# alt-java support +%patch -P600 -p1 popd # openjdk -%patch600 - # The OpenJDK version file includes the current # upstream version information. For some reason, # configure does not automatically use the @@ -1834,41 +1899,12 @@ else exit 16 fi if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then - echo "WARNING: Designator mismatch"; + echo "ERROR: Designator mismatch"; echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; exit 17 fi -# Extract systemtap tapsets -%if %{with_systemtap} -tar --strip-components=1 -x -I xz -f %{SOURCE8} -%if %{include_debug_build} -cp -r tapset tapset%{debug_suffix} -%endif -%if %{include_fastdebug_build} -cp -r tapset tapset%{fastdebug_suffix} -%endif - -for suffix in %{build_loop} ; do - for file in "tapset"$suffix/*.in; do - OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` - sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1 - sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2 -# TODO find out which architectures other than i686 have a client vm -%ifarch %{ix86} - sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE -%else - sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE -%endif - sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE - sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE - sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE - done -done -# systemtap tapsets ends -%endif - # Prepare desktop files # The _X_ syntax indicates variables that are replaced by make upstream # The @X@ syntax indicates variables that are replaced by configure upstream @@ -1890,227 +1926,80 @@ done sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg %build -# How many CPU's do we have? -export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) -export NUM_PROC=${NUM_PROC:-1} -%if 0%{?_smp_ncpus_max} -# Honor %%_smp_ncpus_max -[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max} -%endif -%ifarch s390x sparc64 alpha %{power64} %{aarch64} -export ARCH_DATA_MODEL=64 -%endif -%ifarch alpha -export CFLAGS="$CFLAGS -mieee" -%endif - -# We use ourcppflags because the OpenJDK build seems to -# pass EXTRA_CFLAGS to the HotSpot C++ compiler... -# Explicitly set the C++ standard as the default has changed on GCC >= 6 -EXTRA_CFLAGS="%ourcppflags" -EXTRA_CPP_FLAGS="%ourcppflags" - -%ifarch %{power64} ppc -# fix rpmlint warnings -EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" -%endif -%ifarch %{ix86} -# Align stack boundary on x86_32 -EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" -EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" -%endif -export EXTRA_CFLAGS EXTRA_CPP_FLAGS - -function buildjdk() { - local outputdir=${1} - local buildjdk=${2} - local maketargets="${3}" - local debuglevel=${4} - local link_opt=${5} - - local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} - local top_dir_abs_build_path=$(pwd)/${outputdir} - - # This must be set using the global, so that the - # static libraries still use a dynamic stdc++lib - if [ "x%{link_type}" = "xbundled" ] ; then - libc_link_opt="static"; - else - libc_link_opt="dynamic"; - fi - - echo "Using output directory: ${outputdir}"; - echo "Checking build JDK ${buildjdk} is operational..." - ${buildjdk}/bin/java -version - echo "Using make targets: ${maketargets}" - echo "Using debuglevel: ${debuglevel}" - echo "Using link_opt: ${link_opt}" - echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" - - mkdir -p ${outputdir} - pushd ${outputdir} - - # Note: zlib and freetype use %{link_type} - # rather than ${link_opt} as the system versions - # are always used in a system_libs build, even - # for the static library build - bash ${top_dir_abs_src_path}/configure \ -%ifarch %{zero_arches} - --with-jvm-variants=zero \ -%endif -%ifarch %{ppc64le} - --with-jobs=1 \ -%endif - --with-version-build=%{buildver} \ - --with-version-pre="%{ea_designator}" \ - --with-version-opt=%{lts_designator} \ - --with-vendor-version-string="%{oj_vendor_version}" \ - --with-vendor-name="%{oj_vendor}" \ - --with-vendor-url="%{oj_vendor_url}" \ - --with-vendor-bug-url="%{oj_vendor_bug_url}" \ - --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ - --with-boot-jdk=${buildjdk} \ - --with-debug-level=${debuglevel} \ - --with-native-debug-symbols="%{debug_symbols}" \ - --disable-sysconf-nss \ - --enable-unlimited-crypto \ - --with-zlib=%{link_type} \ - --with-freetype=%{link_type} \ - --with-libjpeg=${link_opt} \ - --with-giflib=${link_opt} \ - --with-libpng=${link_opt} \ - --with-lcms=${link_opt} \ - --with-harfbuzz=${link_opt} \ - --with-stdc++lib=${libc_link_opt} \ - --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ - --with-extra-cflags="$EXTRA_CFLAGS" \ - --with-extra-ldflags="%{ourldflags}" \ - --with-num-cores="$NUM_PROC" \ - --with-source-date="${SOURCE_DATE_EPOCH}" \ - --disable-javac-server \ -%ifarch %{zgc_arches} - --with-jvm-features=zgc \ -%endif - --disable-warnings-as-errors - - cat spec.gmk - - make \ - LOG=trace \ - WARNINGS_ARE_ERRORS="-Wno-error" \ - CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) - - popd -} - -function installjdk() { +function customisejdk() { local imagepath=${1} if [ -d ${imagepath} ] ; then - # the build (erroneously) removes read permissions from some jars - # this is a regression in OpenJDK 7 (our compiler): - # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 - find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + # Turn on system security properties + sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ + ${imagepath}/conf/security/java.security - # Build screws up permissions on binaries - # https://bugs.openjdk.java.net/browse/JDK-8173610 - find ${imagepath} -iname '*.so' -exec chmod +x {} \; - find ${imagepath}/bin/ -exec chmod +x {} \; - - # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ - - # Turn on system security properties - sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ - ${imagepath}/conf/security/java.security - - # Use system-wide tzdata - rm ${imagepath}/lib/tzdb.dat - ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat - - # Create fake alt-java as a placeholder for future alt-java - pushd ${imagepath} - # add alt-java man page - echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat fi } -%if %{build_hotspot_first} - # Build a fresh libjvm.so first and use it to bootstrap - cp -LR --preserve=mode,timestamps %{bootjdk} newboot - systemjdk=$(pwd)/newboot - buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" - mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server -%else - systemjdk=%{bootjdk} -%endif +mkdir -p $(dirname %{installoutputdir}) + +docdir=%{installoutputdir -- "-docs"} +tar -xJf %{docszip} +mv java-%{featurever}-openjdk*.docs.* ${docdir} + +miscdir=%{installoutputdir -- "-misc"} +tar -xJf %{misczip} +mv java-%{featurever}-openjdk*.misc.* ${miscdir} for suffix in %{build_loop} ; do if [ "x$suffix" = "x" ] ; then - debugbuild=release - else - # change --something to something - debugbuild=`echo $suffix | sed "s/-//g"` + jdkzip=%{releasezip} + staticlibzip=%{staticlibzip} + elif [ "x$suffix" = "x%{fastdebug_suffix_unquoted}" ] ; then + jdkzip=%{fastdebugzip} + staticlibzip=%{fastdebugstaticlibzip} + else # slowdebug + jdkzip=%{slowdebugzip} + staticlibzip=%{slowdebugstaticlibzip} fi + installdir=%{installoutputdir -- ${suffix}} - for loop in %{main_suffix} %{staticlibs_loop} ; do + # TODO: should verify checksums when using packages from buildroot + tar -xJf ${jdkzip} + tar -xJf ${staticlibzip} + mv java-%{featurever}-openjdk* ${installdir} - builddir=%{buildoutputdir -- ${suffix}${loop}} - bootbuilddir=boot${builddir} - - if test "x${loop}" = "x%{main_suffix}" ; then - link_opt="%{link_type}" -%if %{system_libs} - # Copy the source tree so we can remove all in-tree libraries - cp -a %{top_level_dir_name} %{top_level_dir_name_backup} - # Remove all libraries that are linked - sh %{SOURCE12} %{top_level_dir_name} full -%endif - # Debug builds don't need same targets as release for - # build speed-up. We also avoid bootstrapping these - # slower builds. - if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" - run_bootstrap=false - else - maketargets="%{release_targets}" - run_bootstrap=%{bootstrap_build} + # Fix build paths in ELF files so it looks like we built them + portablenvr="%{name}-%{VERSION}-%{prelease}.%{portablesuffix}.%{_arch}" + for file in $(find ${installdir} -type f) ; do + if file ${file} | grep -q 'ELF'; then + %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file} fi - if ${run_bootstrap} ; then - buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} - buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} - rm -rf ${bootbuilddir} - else - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} - fi -%if %{system_libs} - # Restore original source tree we modified by removing full in-tree sources - rm -rf %{top_level_dir_name} - mv %{top_level_dir_name_backup} %{top_level_dir_name} -%endif - else - # Use bundled libraries for building statically - link_opt="bundled" - # Static library cycle only builds the static libraries - maketargets="%{static_libs_target}" - # Always just do the one build for the static libraries - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} - fi + done - done # end of main / staticlibs loop + # Set tapset variables to match this build +%if %{with_systemtap} + for file in ${miscdir}/tapset${suffix}/*.in; do + OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` + sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > ${OUTPUT_FILE} +# TODO find out which architectures other than i686 have a client vm +%ifarch %{ix86} + sed -i -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" ${OUTPUT_FILE} +%else + sed -i -e "/@ABS_CLIENT_LIBJVM_SO@/d" ${OUTPUT_FILE} +%endif + sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE + sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + done +%endif # Final setup on the main image - top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} - installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} + customisejdk ${installdir} # Print release information - cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release + cat ${installdir}/release # build cycles done # end of release / debug cycle loop @@ -2120,20 +2009,18 @@ done # end of release / debug cycle loop # We test debug first as it will give better diagnostics on a crash for suffix in %{build_loop} ; do -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} -%if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} -%endif - -export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} +export JAVA_HOME=$(pwd)/%{installoutputdir -- ${suffix}} # Pre-test setup -#check Shenandoah is enabled +# Check Shenandoah is enabled %if %{use_shenandoah_hotspot} -$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version %endif +# Only test on one architecture (the fastest) for Java only tests +%ifarch %{jdk_test_arch} + # Check unlimited policy has been used $JAVA_HOME/bin/javac -d . %{SOURCE13} $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel @@ -2151,6 +2038,26 @@ export SEC_DEBUG="-Djava.security.debug=properties" $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false +# Check src.zip has all sources. See RHBZ#1130490 +unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' + +# Check class files include useful debugging information +$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" +$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable +$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable + +# Check generated class files include useful debugging information +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable + +%else + +# Just run a basic java -version test on other architectures +$JAVA_HOME/bin/java -version + +%endif + # Check java launcher has no SSB mitigation if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi @@ -2161,16 +2068,20 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi %endif -# Check translations are available for new timezones +%if ! 0%{?flatpak} +# Check translations are available for new timezones (during flatpak builds, the +# tzdb.dat used by this test is not where the test expects it, so this is +# disabled for flatpak builds) $JAVA_HOME/bin/javac -d . %{SOURCE18} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +%endif %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) -export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} -readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c -readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c +export STATIC_LIBS_HOME=${JAVA_HOME}/lib/static/linux-%{archinstall}/glibc +readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c %endif so_suffix="so" @@ -2240,19 +2151,6 @@ EOF grep 'JavaCallWrapper::JavaCallWrapper' gdb.out %endif -# Check src.zip has all sources. See RHBZ#1130490 -unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' - -# Check class files include useful debugging information -$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" -$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable -$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable - -# Check generated class files include useful debugging information -$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" -$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable -$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable - # build cycles check done @@ -2261,23 +2159,25 @@ STRIP_KEEP_SYMTAB=libjvm* for suffix in %{build_loop} ; do -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} -%if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} -%endif -jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} +jdk_image=$(pwd)/%{installoutputdir -- ${suffix}} +# Should match same definitions in build section +docdir=$(pwd)/%{installoutputdir -- "-docs"} +miscdir=$(pwd)/%{installoutputdir -- "-misc"} + +# Install release notes and rebuild instructions +commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} +install -d -m 755 ${commondocdir} +mv ${jdk_image}/NEWS ${commondocdir} +cp -a %{SOURCE19} %{SOURCE20} ${commondocdir} # Install the jdk mkdir -p $RPM_BUILD_ROOT%{_jvmdir} cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} -pushd ${jdk_image} - %if %{with_systemtap} # Install systemtap support files install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset - # note, that uniquesuffix is in BUILD dir in this case - cp -a $RPM_BUILD_DIR/%{uniquesuffix ""}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ + cp -a ${miscdir}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ tapsetFiles=`ls *.stp` popd @@ -2302,6 +2202,7 @@ pushd ${jdk_image} # Install man pages install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man1 + pushd ${jdk_image} for manpage in man/man1/* do # Convert man pages to UTF8 encoding @@ -2312,37 +2213,27 @@ pushd ${jdk_image} done # Remove man pages from jdk image rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man - -popd -# Install static libs artefacts -%if %{include_staticlibs} -mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc -cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \ - $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc -%endif + popd if ! echo $suffix | grep -q "debug" ; then - # Install Javadoc documentation - install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} - cp -a ${top_dir_abs_main_build_path}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} - built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip - cp -a ${top_dir_abs_main_build_path}/bundles/${built_doc_archive} \ - $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/ + # Install Javadoc documentation + install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} + cp -a ${docdir}/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} + built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip + cp -a ${docdir}/${built_doc_archive} \ + $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/ + touch $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip fi -# Install release notes -commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} -install -d -m 755 ${commondocdir} -cp -a %{SOURCE10} ${commondocdir} - # Install icons and menu entries for s in 16 24 32 48 ; do install -D -p -m 644 \ - %{top_level_dir_name}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \ + ${miscdir}/java-icon${s}.png \ $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png done # Install desktop files +# TODO: provide desktop files via portable install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/{applications,pixmaps} for e in jconsole$suffix ; do desktop-file-install --vendor=%{uniquesuffix -- $suffix} --mode=644 \ @@ -2354,8 +2245,7 @@ done mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/.java/.systemPrefs # copy samples next to demos; samples are mostly js files -cp -r %{top_level_dir_name}/src/sample $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ - +cp -r ${miscdir}/sample $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ # moving config files to /etc mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix} @@ -2425,7 +2315,7 @@ else end arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua" cjc = require "copy_jdk_configs.lua" -args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} +args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} cjc.mainProgram(args) %post @@ -2622,6 +2512,480 @@ cjc.mainProgram(args) %endif %changelog +* Thu Feb 12 2026 Thomas Fitzsimmons - 1:17.0.18.0.8-2 +- Set portablerelease to 2 +- Remove test to ensure blocked.certs is valid, done in portable +- Related: RHEL-122136 +- Related: RHEL-131590 +- Related: RHEL-131601 +- Related: RHEL-139552 +- Related: RHEL-149327 + +* Wed Feb 11 2026 Andrew Hughes - 1:17.0.18.0.8-2 +- Add test to ensure blocked.certs is valid (OPENJDK-4362) +- Restore NEWS file so portable can be rebuilt +- Resolves: RHEL-149327 + +* Wed Feb 11 2026 Thomas Fitzsimmons - 1:17.0.18.0.8-2 +- Set rpmrelease to 2 +- Sync java-17-openjdk-portable.specfile from openjdk-portable-centos-9 +- Set fipsver to e1780dd5d39 +- Resolves: RHEL-122136 + +* Fri Jan 16 2026 Thomas Fitzsimmons - 1:17.0.18.0.8-1 +- Update to jdk-17.0.18+8 (GA) +- Add to .gitignore openjdk-17.0.18+8.tar.xz +- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8 +- Set buildver to 8 +- Set is_ga to 1 +- Update sources to openjdk-17.0.18+8.tar.xz +- Resolves: RHEL-139552 +- ** This tarball is embargoed until 2026-01-20 @ 1pm PT. ** + +* Thu Jan 15 2026 Thomas Fitzsimmons - 1:17.0.18.0.7-0.1.ea +- Update to jdk-17.0.18+7 (EA) +- Add to .gitignore openjdk-17.0.18+7-ea.tar.xz +- Set updatever to 18 +- Set buildver to 7 +- Set is_ga to 0 +- Update sources to openjdk-17.0.18+7-ea.tar.xz +- Set bundled libpng version to 1.6.51 +- Resolves: RHEL-131590 +- Resolves: RHEL-131601 +- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8 + +* Thu Oct 16 2025 Thomas Fitzsimmons - 1:17.0.17.0.10-1 +- Update to jdk-17.0.17+10 (GA) +- Add to .gitignore openjdk-17.0.17+10.tar.xz +- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8 +- Set updatever to 17 +- Set buildver to 10 +- Set rpmrelease to 1, remove 'must start at 2' comment +- Set bundled harfbuzz version to 11.2.0 +- Update sources to openjdk-17.0.17+10.tar.xz +- Resolves: RHEL-119458 +- ** This tarball is embargoed until 2025-10-21 @ 1pm PT. ** + +* Wed Jul 09 2025 Thomas Fitzsimmons - 1:17.0.16.0.8-2 +- Update to jdk-17.0.16+8 +- Add to .gitignore openjdk-17.0.16+8.tar.xz +- Set updatever to 16 +- Set buildver to 8 +- Set rpmrelease to 2 +- Update sources to openjdk-17.0.16+8.tar.xz +- Resolves: RHEL-101788 +- Resolves: RHEL-101795 +- Resolves: RHEL-101796 +- Resolves: RHEL-101797 +- Resolves: RHEL-102283 +- Resolves: RHEL-102286 +- Resolves: RHEL-102285 +- Resolves: RHEL-102284 +- Require tzdata-java 2025b at runtime and for build +- Set bundled freetype provide version to 2.13.3 +- Set bundled harfbuzz provide version to 10.4.0 +- Set bundled lcms2 provide version to 2.17.0 +- Set bundled libpng provide version to 1.6.47 +- Recommend pipewire +- Related: RHEL-102667 +- Resolves: RHEL-102669 +- Resolves: RHEL-102670 +- Resolves: RHEL-102672 +- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8 +- ** This tarball is embargoed until 2025-07-15 @ 1pm PT. ** + +* Sat Jun 14 2025 Andrew Hughes - 1:17.0.15.0.6-3 +- Bump release number to appease 9.6-z erratum +- Related: RHEL-86987 +- Related: RHEL-86630 + +* Thu Apr 10 2025 Thomas Fitzsimmons - 1:17.0.15.0.6-2 +- Update to jdk-17.0.15+6 (GA) +- Add to .gitignore openjdk-17.0.15+6.tar.xz +- Set updatever to 15 +- Set buildver to 6 +- Update sources to openjdk-17.0.15+6.tar.xz +- Set bundled freetype provide version to 2.13.2 +- Set bundled harfbuzz provide version to 8.2.2 +- Require tzdata-java 2025a at runtime and for build +- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8 +- Update FIPS patch +- Resolves: RHEL-86627 +- ** This tarball is embargoed until 2025-04-15 @ 1pm PT. ** + +* Tue Jan 14 2025 Thomas Fitzsimmons - 1:17.0.14.0.7-2 +- Do not pass nil to _jvmdir macro in cjc logic + +* Mon Jan 13 2025 Thomas Fitzsimmons - 1:17.0.14.0.7-2 +- Update to jdk-17.0.14+7 (GA) +- Add to .gitignore openjdk-17.0.14+7.tar.xz +- Set buildver to 7 +- Set is_ga to 1 +- Update sources to openjdk-17.0.14+7.tar.xz +- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8 +- Resolves: RHEL-73981 +- Resolves: RHEL-73559 +- ** This tarball is embargoed until 2025-01-21 @ 1pm PT. ** + +* Fri Nov 29 2024 Andrew Hughes - 1:17.0.14.0.1-0.2.ea +- Limit Java only tests to one architecture using jdk_test_arch +- OPENJDK-3185 + +* Fri Nov 29 2024 Thomas Fitzsimmons - 1:17.0.14.0.1-0.2.ea +- Update to jdk-17.0.14+1 (EA) +- Add to .gitignore openjdk-17.0.14+1-ea.tar.xz +- Set updatever to 14 +- Set buildver to 1 +- Set rpmrelease to 2 +- Set is_ga to 0 +- Update sources to openjdk-17.0.14+1-ea.tar.xz +- Double percent signs consistently throughout comments +- Set bundled giflib provide version to 5.2.2 +- Set bundled libpng provide version to 1.6.43 +- Warn about bundled provide version bumps and backouts in openjdk_news.sh +- Remove 0001-8332174-Remove-2-unpaired-RLO-Unicode-characters-in-.patch file +- Revert: Use component in EPEL and Fedora bug URLs + +* Fri Oct 18 2024 Andrew Hughes - 1:17.0.13.0.11-4 +- Set this to be the default/system JDK providing 'java', 'jre', 'java-devel', etc. +- Set rpmrelease to 4 +- Resolves: RHEL-63034 + +* Wed Oct 9 2024 Thomas Fitzsimmons - 1:17.0.13.0.11-3 +- Correct version suffix in "Update to jdk-17.0.13+11 (GA)" changelog entry +- Related: RHEL-58785 + +* Tue Oct 8 2024 Thomas Fitzsimmons - 1:17.0.13.0.11-2 +- Update to jdk-17.0.13+11 (GA) +- Update .gitignore to ignore openjdk-17.0.13+11.tar.xz +- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8 +- Set buildver to 11 +- Set is_ga to 1 +- Update sources to openjdk-17.0.13+11.tar.xz +- Resolves: RHEL-58785 +- ** This tarball is embargoed until 2024-10-15 @ 1pm PT. ** + +* Fri Oct 4 2024 Andrew Hughes - 1:17.0.13.0.10-0.2.ea +- Vary portablesuffix depending on whether we are on RHEL ('el8') or CentOS ('el9') +- Set rpmrelease to 2 +- Related: RHEL-58785 + +* Fri Oct 4 2024 Thomas Fitzsimmons - 1:17.0.13.0.10-0.1.ea +- Update to jdk-17.0.13+10 (EA) +- Update .gitignore to ignore openjdk-17.0.13+10-ea.tar.xz +- Sync java-17-openjdk-portable.specfile from openjdk-portable-centos-9 +- Set buildver to 10 +- Update sources to openjdk-17.0.13+10-ea.tar.xz +- Related: RHEL-58785 + +* Thu Oct 3 2024 Thomas Fitzsimmons - 1:17.0.13.0.9-0.1.ea +- Update to jdk-17.0.13+9 (EA) +- Update .gitignore to ignore openjdk-17.0.13+9-ea.tar.xz +- Sync java-17-openjdk-portable.specfile from openjdk-portable-centos-9 +- Set buildver to 9 +- Set rpmrelease to 1 +- Set portablerelease to 1 +- Update sources to openjdk-17.0.13+9-ea.tar.xz +- Related: RHEL-58785 + +* Thu Oct 3 2024 Thomas Fitzsimmons - 1:17.0.13.0.1-0.4.ea +- Set rpmrelease to 4 +- Set portablerelease to 2 +- Related: RHEL-58785 + +* Thu Oct 3 2024 Thomas Fitzsimmons - 1:17.0.13.0.1-0.3.ea +- Synchronize java-17-openjdk-portable.specfile +- Set rpmrelease to 3 +- Related: RHEL-58785 + +* Thu Oct 3 2024 Thomas Fitzsimmons - 1:17.0.13.0.1-0.2.ea +- Update to jdk-17.0.13+1 (EA) +- Update .gitignore to ignore openjdk-17.0.13+1-ea.tar.xz +- Synchronize java-17-openjdk-portable.specfile +- Set updatever to 13 +- Set buildver to 1 +- Set is_ga to 0 +- Update sources to openjdk-17.0.13+1-ea.tar.xz +- Related: RHEL-58785 +- Remove 0001-8332174-Remove-2-unpaired-RLO-Unicode-characters-in-.patch +- Remove unicode section from rpminspect.yml, fixed instead by + https://gitlab.cee.redhat.com/osci/rpminspect-data-redhat/-/merge_requests/180 + (OPENJDK-2904) +- Related: RHEL-58785 + +* Mon Sep 23 2024 Thomas Fitzsimmons - 1:17.0.12.0.7-3 +- Sync java-17-openjdk-portable.specfile from openjdk-portable-centos-9 +- Set rpmrelease to 3 +- Set portablesuffix to el9 + +* Wed Jul 10 2024 Thomas Fitzsimmons - 1:17.0.12.0.7-2 +- Update to jdk-17.0.12+7 (GA) +- Update .gitignore to ignore openjdk-17.0.12+7.tar.xz +- Sync java-17-openjdk-portable.specfile +- Set buildver to 7 +- Set portablerelease 1 +- Set is_ga to 1 +- Update sources to openjdk-17.0.12+7.tar.xz +- Resolves: RHEL-46635 +- Resolves: RHEL-47021 +- ** This tarball is embargoed until 2024-07-16 @ 1pm PT. ** + +* Tue Jul 9 2024 Thomas Fitzsimmons - 1:17.0.12.0.6-0.1.ea +- Add debuginfo section to rpminspect.yaml (OPENJDK-2904) +- Add unicode section to rpminspect.yaml (OPENJDK-2904) + +* Mon Jul 8 2024 Thomas Fitzsimmons - 1:17.0.12.0.6-0.1.ea +- Add upstream patch that removes illegal RLO Unicode characters (JDK-8332174) +- Sync the copy of the portable specfile with the latest update + +* Mon Jul 8 2024 Thomas Fitzsimmons - 1:17.0.12.0.6-0.1.ea +- Delete fips-17u-d63771ea660.patch +- Add fips-17u-e893be00150.patch +- Update fipsver to e893be00150 + +* Mon Jul 8 2024 Anton Bobrov - 1:17.0.12.0.6-0.1.ea +- generate_source_tarball.sh: Use tar exclude options for VCS files +- generate_source_tarball.sh: Improve VCS exclusion + +* Mon Jul 8 2024 Andrew Hughes - 1:17.0.12.0.6-0.1.ea +- generate_source_tarball.sh: Update examples in header for clarity +- generate_source_tarball.sh: Cleanup message issued when checkout already exists +- generate_source_tarball.sh: Create directory in TMPDIR when using WITH_TEMP +- generate_source_tarball.sh: Only add --depth=1 on non-local repositories +- icedtea_sync.sh: Reinstate from rhel-8.9.0 branch +- Move maintenance scripts to a scripts subdirectory +- discover_trees.sh: Set compile-command and indentation instructions for Emacs +- discover_trees.sh: shellcheck: Do not use -o (SC2166) +- discover_trees.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- discover_trees.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: Add authorship +- icedtea_sync.sh: Set compile-command and indentation instructions for Emacs +- icedtea_sync.sh: shellcheck: Double-quote variable references (SC2086) +- icedtea_sync.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: Set compile-command and indentation instructions for Emacs +- openjdk_news.sh: shellcheck: Double-quote variable references (SC2086) +- openjdk_news.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: shellcheck: Remove deprecated egrep usage (SC2196) +- generate_source_tarball.sh: Output values of new options WITH_TEMP and OPENJDK_LATEST +- generate_source_tarball.sh: Double-quote DEPTH reference (SC2086) +- generate_source_tarball.sh: Avoid empty DEPTH reference while still appeasing shellcheck + +* Mon Jul 8 2024 Thomas Fitzsimmons - 1:17.0.12.0.6-0.1.ea +- Update to jdk-17.0.12+6 (EA) +- Add openjdk-17.0.12+6-ea.tar.xz to .gitignore +- Set updatever to 12 +- Set buildver to 6 +- Set rpmrelease to 1 +- Set is_ga to 0 +- Update sources to openjdk-17.0.12+6-ea.tar.xz +- Require tzdata-java 2024a at runtime and for build (JDK-8325150) +- Update lcms2 bundled provides to 2.16.0 +- Add zlib 1.3.1 bundled provides and zlib-devel build requirement (OPENJDK-3065) +- Label as error a designator mismatch +- Change a fix-me comment to a note instead +- Sync generate_source_tarball.sh from Fedora rawhide + +* Thu Apr 11 2024 Thomas Fitzsimmons - 1:17.0.11.0.9-2 +- Update to jdk-17.0.11+9 (GA) +- Add openjdk-17.0.11+9.tar.xz to .gitignore +- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8 +- Update buildver from 7 to 9 +- Update portablerelease from 1 to 3 +- Change is_ga from 0 to 1 to enable GA mode for release +- Update tzdata Requires comment to mention that 2024a is not yet in the buildroot +- Update tzdata BuildRequires comment to mention that 2024a is not yet in the buildroot +- Update tzdata BuildRequires from 2023c to 2023d +- Update sources from openjdk-17.0.11+7-ea.tar.xz to openjdk-17.0.11+9.tar.xz +- Resolves: RHEL-30941 +- Resolves: RHEL-32421 +- ** This tarball is embargoed until 2024-04-16 @ 1pm PT. ** + +* Thu Mar 28 2024 Thomas Fitzsimmons - 1:17.0.11.0.7-0.2.ea +- Update to jdk-17.0.11+7 (EA) +- Update buildjdkver to match the featurever +- Use featurever macro to specify fips patch +- Explain patchN syntax situation in a comment +- Sync generate_source_tarball.sh +- Require tzdata 2023d (JDK-8322725) +- openjdk_news.sh: Use grep -E instead of egrep +- Remove RH1649512 patch for libjpeg-turbo FAR macro +- Move pcsc-lite-libs patch to in-need-of-upstreaming section +- Related: RHEL-30941 + +* Thu Jan 11 2024 Andrew Hughes - 1:17.0.10.0.7-1 +- Update to jdk-17.0.10+7 (GA) +- Sync the copy of the portable specfile with the latest update +- Move to -P usage for patch macro which works on all RPM versions +- Remove RH1648644 patch not in portable build (and so not applied to binary used) +- Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release +- generate_source_tarball.sh: Add --sort=name to tar invocation for reproducibility +- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. ** +- Resolves: RHEL-20997 + +* Thu Jan 11 2024 Thomas Fitzsimmons - 1:17.0.10.0.7-1 +- Update to jdk-17.0.10+6 (EA) +- fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch +- generate_source_tarball.sh: Add WITH_TEMP environment variable +- generate_source_tarball.sh: Multithread xz on all available cores +- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable +- generate_source_tarball.sh: Update comment about tarball naming +- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT +- generate_source_tarball.sh: Set compile-command in Emacs +- generate_source_tarball.sh: Reformat comment header +- generate_source_tarball.sh: Reformat and update help output +- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks +- generate_source_tarball.sh: Do a shallow clone, for speed +- generate_source_tarball.sh: Append -ea designator when required +- generate_source_tarball.sh: Eliminate some removal prompting +- generate_source_tarball.sh: Make tarball reproducible +- generate_source_tarball.sh: Prefix temporary directory with temp- +- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash +- generate_source_tarball.sh: shellcheck: Double-quote variable references +- generate_source_tarball.sh: shellcheck: Do not use -a +- generate_source_tarball.sh: shellcheck: Do not use $ in expression +- generate_source_tarball.sh: Remove temporary directory exit conditions +- generate_source_tarball.sh: Add note on network usage of OPENJDK_LATEST +- Related: RHEL-20997 + +* Thu Oct 12 2023 Andrew Hughes - 1:17.0.9.0.9-1 +- Update to jdk-17.0.9+9 (GA) +- Sync the copy of the portable specfile with the latest update +- Re-generate FIPS patch against 17.0.9+1 following backport of JDK-8209398 +- Bump libpng version to 1.6.39 following JDK-8305815 +- Bump HarfBuzz version to 7.2.0 following JDK-8307301 +- Bump freetype version to 2.13.0 following JDK-8306881 +- Update generate_tarball.sh to be closer to upstream vanilla script inc. no more ECC removal +- Sync generate_tarball.sh with 11u version +- Update bug URL for RHEL to point to the Red Hat customer portal +- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball +- Use upstream release URL for OpenJDK source +- Apply all patches using -p1 +- Temporarily turn off 'fresh_libjvm' due to removal of JVM_IsThreadAlive (JDK-8305425) +- Add missing JFR and jpackage alternative ghosts +- Move jcmd to the headless package +- ** This tarball is embargoed until 2023-10-17 @ 1pm PT. ** +- Resolves: RHEL-12228 +- Resolves: RHEL-13660 +- Resolves: RHEL-13665 +- Resolves: RHEL-3494 +- Resolves: RHEL-11317 +- Resolves: RHEL-3461 + +* Mon Sep 04 2023 Andrew Hughes - 1:17.0.8.1.1-2 +- Set portablerelease and portablerhel to use the CentOS 9 build +- Resolves: RHEL-36137 + +* Mon Sep 04 2023 Andrew Hughes - 1:17.0.8.1.1-2 +- Bump release number so we are newer than 9.0 +- Related: rhbz#2236592 + +* Sat Sep 02 2023 Andrew Hughes - 1:17.0.8.1.1-1 +- Update to jdk-17.0.8.1+1 (GA) +- Update release notes to 17.0.8.1+1 +- Add backport of JDK-8312489 already upstream in 17.0.10 (see OPENJDK-2095) +- Update openjdk_news script to specify subdirectory last +- Add missing discover_trees script required by openjdk_news +- Synchronise runtime and buildtime tzdata requirements +- Resolves: rhbz#2236592 + +* Wed Jul 19 2023 Andrew Hughes - 1:17.0.8.0.7-2 +- Bump release number so we are newer than 9.0 +- Related: rhbz#2221106 + +* Fri Jul 14 2023 Andrew Hughes - 1:17.0.8.0.7-1 +- Update to jdk-17.0.8+7 (GA) +- Update release notes to 17.0.8+7 +- Switch to GA mode for final release. +- Sync the copy of the portable specfile with the latest update +- Add note at top of spec file about rebuilding +- * This tarball is embargoed until 2023-07-18 @ 1pm PT. * +- Resolves: rhbz#2221106 + +* Thu Jul 13 2023 Andrew Hughes - 1:17.0.8.0.6-0.1.ea +- Update to jdk-17.0.8+6 (EA) +- Sync the copy of the portable specfile with the latest update +- Resolves: rhbz#2217716 + +* Wed Jul 12 2023 Andrew Hughes - 1:17.0.8.0.1-0.1.ea +- Update to jdk-17.0.8+1 (EA) +- Update release notes to 17.0.8+1 +- Switch to EA mode +- Drop local inclusion of JDK-8274864 & JDK-8305113 as they are included in 17.0.8+1 +- Bump bundled LCMS version to 2.15 as in jdk-17.0.8+1. +- Bump bundled HarfBuzz version to 7.0.1 as in jdk-17.0.8+1 +- Use tapsets from the misc tarball +- Introduce 'prelease' for the portable release versioning, to handle EA builds +- Make sure root installation directory is created first +- Use in-place substitution for all but the first of the tapset changes +- Related: rhbz#2217716 + +* Tue Jul 11 2023 Andrew Hughes - 1:17.0.7.0.7-4 +- Introduce vm_variant global for consistency with future JDK builds +- Related: rhbz#2203412 + +* Mon May 15 2023 Jiri Vanek - 1:17.0.7.0.7-4 +- Exclude classes_nocoops.jsa on i686 and arm32 +- Related: rhbz#2203412 + +* Mon May 15 2023 Andrew Hughes - 1:17.0.7.0.7-4 +- Following JDK-8005165, class data sharing can be enabled on all JIT architectures +- Related: rhbz#2203412 + +* Wed May 10 2023 Severin Gehwolf - 1:17.0.7.0.7-4 +- Fix packaging of CDS archives +- Resolves: rhbz#2203412 + +* Wed Apr 26 2023 Andrew Hughes - 1:17.0.7.0.7-3 +- Sync portable spec file with current version +- Related: rhbz#2189326 + +* Wed Apr 26 2023 Andrew Hughes - 1:17.0.7.0.7-2 +- Update to jdk-17.0.7.0+7 +- Update release notes to 17.0.7.0+7 +- Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113 +- Update generate_tarball.sh to add support for passing a boot JDK to the configure run +- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace +- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs +- Update FIPS support against 17.0.7+6 and bring in latest changes: +- * RH2134669: Add missing attributes when registering services in FIPS mode. +- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +- * RH1940064: Enable XML Signature provider in FIPS mode +- * RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized +- Fix trailing '.' in tarball name +- Use portablerelease in vendor version to avoid inclusion of dist tag +- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. ** +- Resolves: rhbz#2185182 +- Resolves: rhbz#2186803 +- Resolves: rhbz#2186810 +- Resolves: rhbz#2186806 + +* Wed Apr 26 2023 Andrew Hughes - 1:17.0.6.0.10-6 +- Include the java-17-openjdk-portable.spec file with instructions on how to rebuild. +- Related: rhbz#2189326 + +* Tue Apr 25 2023 Andrew Hughes - 1:17.0.6.0.10-5 +- Replace local copies of JDK portable binaries with build dependencies +- Resolves: rhbz#2189326 + +* Wed Feb 15 2023 Andrew Hughes - 1:17.0.6.0.10-4 +- Replace build section with extraction of existing builds from portables +- Resolves: rhbz#2150200 + +* Fri Jan 20 2023 Andrew Hughes - 1:17.0.6.0.10-3 +- Update to jdk-17.0.6.0+10 +- Update release notes to 17.0.6.0+10 +- Switch to GA mode for release +- Resolves: rhbz#2160111 + +* Fri Jan 13 2023 Andrew Hughes - 1:17.0.6.0.9-0.4.ea +- Update FIPS support to bring in latest changes +- * OJ1357: Fix issue on FIPS with a SecurityManager in place +- Related: rhbz#2150198 + +* Fri Jan 13 2023 Stephan Bergmann - 1:17.0.6.0.9-0.4.ea +- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat +- Related: rhbz#2150198 + * Wed Jan 04 2023 Andrew Hughes - 1:17.0.6.0.9-0.3.ea - Update to jdk-17.0.6+9 - Update release notes to 17.0.6+9