April 2022 security update to jdk 17.0.3+7

Update to jdk-17.0.3.0+7 tarball Update release notes to 17.0.3.0+7 Add missing README.md and generate_source_tarball.sh Switch to GA mode for release JDK-8283911 patch no longer needed now we're GA... Resolves: rhbz#2073579
2022-04-20 20:27:04 +01:00 · 2022-04-20 20:27:04 +01:00 · 30b21c5259
commit 30b21c5259
parent cbd2e1ee1d
7 changed files with 211 additions and 27 deletions
--- a/.gitignore
+++ b/.gitignore
@ -11,3 +11,5 @@
 /tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
 /openjdk-jdk17u-jdk-17.0.3+1.tar.xz
 /openjdk-jdk17u-jdk-17.0.3+5.tar.xz
+/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
+/openjdk-jdk17u-jdk-17.0.3+7.tar.xz
--- a/24
+++ b/24
@ -9,6 +9,25 @@ Live versions of these release notes can be found at:
  * https://bitly.com/openjdk1703
  * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt

+* Security fixes
+  - JDK-8269938: Enhance XML processing passes redux
+  - JDK-8270504, CVE-2022-21426: Better XPath expression handling
+  - JDK-8272255: Completely handle MIDI files
+  - JDK-8272261: Improve JFR recording file processing
+  - JDK-8272588: Enhanced recording parsing
+  - JDK-8272594: Better record of recordings
+  - JDK-8274221: More definite BER encodings
+  - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0
+  - JDK-8275151, CVE-2022-21443: Improved Object Identification
+  - JDK-8277227: Better identification of OIDs
+  - JDK-8277233, CVE-2022-21449: Improve ECDSA signature support
+  - JDK-8277672, CVE-2022-21434: Better invocation handler handling
+  - JDK-8278356: Improve file creation
+  - JDK-8278449: Improve keychain support
+  - JDK-8278798: Improve supported intrinsic
+  - JDK-8278805: Enhance BMP image loading
+  - JDK-8278972, CVE-2022-21496: Improve URL supports
+  - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
 * Other changes
  - JDK-8177814: jdk/editpad is not in jdk TEST.groups
  - JDK-8186670: Implement _onSpinWait() intrinsic for AArch64
@ -79,7 +98,6 @@ Live versions of these release notes can be found at:
  - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler
  - JDK-8274935: dumptime_table has stale entry
  - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info
-  - JDK-8275082: Update XML Security for Java to 2.3.0
  - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
  - JDK-8275330: C2:  assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
  - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime
@ -175,7 +193,11 @@ Live versions of these release notes can be found at:
  - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames
  - JDK-8281460: Let ObjectMonitor have its own NMT category
  - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
+  - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
+  - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
  - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods
+  - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
+  - JDK-8284920: Incorrect Token type causes XPath expression to return empty result

 Notes on individual issues:
 ===========================
--- a/README.md
+++ b/README.md
@ -0,0 +1,11 @@
+OpenJDK 17 is the latest Long-Term Support (LTS) release of the Java platform.
+
+For a list of major changes from OpenJDK 11 (java-11-openjdk), see the upstream
+release page for OpenJDK 17 and the preceding interim releases:
+
+* 12: https://openjdk.java.net/projects/jdk/12/
+* 13: https://openjdk.java.net/projects/jdk/13/
+* 14: https://openjdk.java.net/projects/jdk/14/
+* 15: https://openjdk.java.net/projects/jdk/15/
+* 16: https://openjdk.java.net/projects/jdk/16/
+* 17: https://openjdk.java.net/projects/jdk/17/
--- a/generate_source_tarball.sh
+++ b/generate_source_tarball.sh
@ -0,0 +1,156 @@
+#!/bin/bash
+# Generates the 'source tarball' for JDK projects.
+#
+# Example:
+# When used from local repo set REPO_ROOT pointing to file:// with your repo
+# If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL
+# If you want to use a local copy of patch PR3788, set the path to it in the PR3788 variable
+#
+# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg:
+# PROJECT_NAME=openjdk
+# REPO_NAME=jdk17u
+# VERSION=jdk-17.0.3+5
+# or to eg prepare systemtap:
+# icedtea7's jstack and other tapsets
+# VERSION=6327cf1cea9e
+# REPO_NAME=icedtea7-2.6
+# PROJECT_NAME=release
+# OPENJDK_URL=http://icedtea.classpath.org/hg/
+# TO_COMPRESS="*/tapset"
+# 
+# They are used to create correct name and are used in construction of sources url (unless REPO_ROOT is set)
+
+# This script creates a single source tarball out of the repository
+# based on the given tag and removes code not allowed in fedora/rhel. For
+# consistency, the source tarball will always contain 'openjdk' as the top
+# level folder, name is created, based on parameter
+#
+
+if [ ! "x$PR3823" = "x" ] ; then
+  if [ ! -f "$PR3823" ] ; then
+    echo "You have specified PR3823 as $PR3823 but it does not exist. Exiting"
+    exit 1
+  fi
+fi
+
+set -e
+
+OPENJDK_URL_DEFAULT=https://github.com
+COMPRESSION_DEFAULT=xz
+
+if [ "x$1" = "xhelp" ] ; then
+    echo -e "Behaviour may be specified by setting the following variables:\n"
+    echo "VERSION - the version of the specified OpenJDK project"
+    echo "PROJECT_NAME -- the name of the OpenJDK project being archived (optional; only needed by defaults)"
+    echo "REPO_NAME - the name of the OpenJDK repository (optional; only needed by defaults)"
+    echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})"
+    echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})"
+    echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)"
+    echo "TO_COMPRESS - what part of clone to pack (default is openjdk)"
+    echo "PR3823 - the path to the PR3823 patch to apply (optional; downloaded if unavailable)"
+    exit 1;
+fi
+
+
+if [ "x$VERSION" = "x" ] ; then
+    echo "No VERSION specified"
+    exit -2
+fi
+echo "Version: ${VERSION}"
+    
+# REPO_NAME is only needed when we default on REPO_ROOT and FILE_NAME_ROOT
+if [ "x$FILE_NAME_ROOT" = "x" -o "x$REPO_ROOT" = "x" ] ; then
+  if [ "x$PROJECT_NAME" = "x" ] ; then
+    echo "No PROJECT_NAME specified"
+    exit -1
+  fi
+  echo "Project name: ${PROJECT_NAME}"
+  if [ "x$REPO_NAME" = "x" ] ; then
+    echo "No REPO_NAME specified"
+    exit -3
+  fi
+  echo "Repository name: ${REPO_NAME}"
+fi
+
+if [ "x$OPENJDK_URL" = "x" ] ; then
+    OPENJDK_URL=${OPENJDK_URL_DEFAULT}
+    echo "No OpenJDK URL specified; defaulting to ${OPENJDK_URL}"
+else
+    echo "OpenJDK URL: ${OPENJDK_URL}"
+fi
+
+if [ "x$COMPRESSION" = "x" ] ; then
+    # rhel 5 needs tar.gz
+    COMPRESSION=${COMPRESSION_DEFAULT}
+fi
+echo "Creating a tar.${COMPRESSION} archive"
+
+if [ "x$FILE_NAME_ROOT" = "x" ] ; then
+    FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION}
+    echo "No file name root specified; default to ${FILE_NAME_ROOT}"
+fi
+if [ "x$REPO_ROOT" = "x" ] ; then
+    REPO_ROOT="${OPENJDK_URL}/${PROJECT_NAME}/${REPO_NAME}.git"
+    echo "No repository root specified; default to ${REPO_ROOT}"
+fi;
+
+if [ "x$TO_COMPRESS" = "x" ] ; then
+    TO_COMPRESS="openjdk"
+    echo "No to be compressed targets specified, ; default to ${TO_COMPRESS}"
+fi;
+
+if [ -d ${FILE_NAME_ROOT} ] ; then
+  echo "exists exists exists exists exists exists exists "
+  echo "reusing reusing reusing reusing reusing reusing "
+  echo ${FILE_NAME_ROOT}
+else
+  mkdir "${FILE_NAME_ROOT}"
+  pushd "${FILE_NAME_ROOT}"
+    echo "Cloning ${VERSION} root repository from ${REPO_ROOT}"
+    git clone -b ${VERSION} ${REPO_ROOT} openjdk
+  popd
+fi
+pushd "${FILE_NAME_ROOT}"
+    if [ -d openjdk/src ]; then 
+        pushd openjdk
+            echo "Removing EC source code we don't build"
+            CRYPTO_PATH=src/jdk.crypto.ec/share/native/libsunec/impl
+	    rm -vf ${CRYPTO_PATH}/ec2.h
+	    rm -vf ${CRYPTO_PATH}/ec2_163.c
+	    rm -vf ${CRYPTO_PATH}/ec2_193.c
+	    rm -vf ${CRYPTO_PATH}/ec2_233.c
+	    rm -vf ${CRYPTO_PATH}/ec2_aff.c
+	    rm -vf ${CRYPTO_PATH}/ec2_mont.c
+	    rm -vf ${CRYPTO_PATH}/ecp_192.c
+	    rm -vf ${CRYPTO_PATH}/ecp_224.c
+
+            echo "Syncing EC list with NSS"
+            if [ "x$PR3823" = "x" ] ; then
+                # originally for 8:
+                # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag
+                # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823)
+		echo "PR3823 not found. Downloading..."
+		wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch
+	        echo "Applying ${PWD}/pr3823.patch"
+		patch -Np1 < pr3823.patch
+		rm pr3823.patch
+	    else
+		echo "Applying ${PR3823}"
+		patch -Np1 < $PR3823
+            fi;
+            find . -name '*.orig' -exec rm -vf '{}' ';'
+        popd
+    fi
+
+    echo "Compressing remaining forest"
+    if [ "X$COMPRESSION" = "Xxz" ] ; then
+        SWITCH=cJf
+    else
+        SWITCH=czf
+    fi
+    tar --exclude-vcs -$SWITCH ${FILE_NAME_ROOT}.tar.${COMPRESSION} $TO_COMPRESS
+    mv ${FILE_NAME_ROOT}.tar.${COMPRESSION}  ..
+popd
+echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT."
+
+
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@ -333,7 +333,7 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        5
+%global buildver        7
 %global rpmrelease      1
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@ -353,11 +353,14 @@
 # Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
 %global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})

+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
+
 # Define milestone (EA for pre-releases, GA for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
 # - N%%{?extraver}{?dist} for GA releases
-%global is_ga           0
+%global is_ga           1
 %if %{is_ga}
 %global build_type GA
 %global expected_ea_designator ""
@ -1252,9 +1255,8 @@ License:  ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv
 URL:      http://openjdk.java.net/


-# to regenerate source0 (jdk) run update_package.sh
-# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz
+# The source tarball, generated using generate_source_tarball.sh
+Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz

 # Use 'icedtea_sync.sh' to update the following
 # They are based on code contained in the IcedTea project (6.x).
@ -1345,12 +1347,10 @@ Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch
 #############################################
 # JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
 Patch2000: jdk8275535-rh2053256-ldap_auth.patch
-# JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
-Patch2001: jdk8283911-default_promoted_version_pre.patch

 #############################################
 #
-# OpenJDK patches appearing in 17.0.1
+# OpenJDK patches appearing in 17.0.3
 #
 #############################################

@ -1778,7 +1778,6 @@ popd # openjdk
 %patch1018

 %patch2000
-%patch2001

 # Extract systemtap tapsets
 %if %{with_systemtap}
@ -2551,6 +2550,16 @@ cjc.mainProgram(args)
 %endif

 %changelog
+* Wed Apr 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-1
+- April 2022 security update to jdk 17.0.3+6
+- Update to jdk-17.0.3.0+6 pre-release tarball (17usec.17.0.3+5-220408)
+- Add JDK-8284548 regression fix missing from pre-release tarball but in jdk-17.0.3+6/jdk-17.0.3-ga
+- Update release notes to 17.0.3.0+6
+- Add missing README.md and generate_source_tarball.sh
+- Switch to GA mode for release
+- JDK-8283911 patch no longer needed now we're GA...
+- Resolves: rhbz#2073579
+
 * Wed Apr 06 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.5-0.1.ea
 - Update to jdk-17.0.3.0+5
 - Update release notes to 17.0.3.0+5
--- a/jdk8283911-default_promoted_version_pre.patch
+++ b/jdk8283911-default_promoted_version_pre.patch
@ -1,16 +0,0 @@
-commit 37807a694f89611f60880260d2bb7162908bc0c8
-Author: Andrew Hughes <gnu.andrew@redhat.com>
-Date:   Wed Mar 30 04:19:43 2022 +0100
-
-    8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
-
-diff --git openjdk.orig/make/conf/version-numbers.conf openjdk/make/conf/version-numbers.conf
-index 71b19762f2e..7378ec67a48 100644
--- openjdk.orig/make/conf/version-numbers.conf
-+++ openjdk/make/conf/version-numbers.conf
-@@ -39,4 +39,4 @@ DEFAULT_VERSION_CLASSFILE_MINOR=0
- DEFAULT_VERSION_DOCS_API_SINCE=11
- DEFAULT_ACCEPTABLE_BOOT_VERSIONS="16 17"
- DEFAULT_JDK_SOURCE_TARGET_VERSION=17
-DEFAULT_PROMOTED_VERSION_PRE=
-+DEFAULT_PROMOTED_VERSION_PRE=ea
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.3+5.tar.xz) = a08bc4a014493ad75594f1370ffc03852fa0601c3c9552c23b117a6f1f7f3b6b9689b3a2f5b52707875171ca60ebe3f3b0b453b9c31d9a946a322de85e4f1160
+SHA512 (openjdk-jdk17u-jdk-17.0.3+7.tar.xz) = 9f6aa266ff26bee08a6c6e9060f616d0acd0613567526463386ee7a8b7ad367a1347b9d6db6e05d73f20bf08d02e8650e33ccd83c8e62587710d885191d1b567