diff --git a/.gitignore b/.gitignore index 3dfe010..58b2310 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-jdk17u-jdk-17.0.8+7.tar.xz +SOURCES/openjdk-17.0.9+9.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/.java-17-openjdk.metadata b/.java-17-openjdk.metadata index d03c67b..2a092d0 100644 --- a/.java-17-openjdk.metadata +++ b/.java-17-openjdk.metadata @@ -1,2 +1,2 @@ -e7d88f78da7625ba448daacff2d9995367eef250 SOURCES/openjdk-jdk17u-jdk-17.0.8+7.tar.xz +a58b92201b1d3e26d8375f67708fe2e740cd39eb SOURCES/openjdk-17.0.9+9.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/fips-17u-bf363eecce3.patch b/SOURCES/fips-17u-51e1d00be4e.patch similarity index 99% rename from SOURCES/fips-17u-bf363eecce3.patch rename to SOURCES/fips-17u-51e1d00be4e.patch index cd8565c..da1df4d 100644 --- a/SOURCES/fips-17u-bf363eecce3.patch +++ b/SOURCES/fips-17u-51e1d00be4e.patch @@ -116,7 +116,7 @@ index 00000000000..f48fc7f7e80 + AC_SUBST(NSS_LIBDIR) +]) diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 -index a65d91ee974..a8f054c1397 100644 +index 366682cf044..1f8d782f419 100644 --- a/make/autoconf/libraries.m4 +++ b/make/autoconf/libraries.m4 @@ -33,6 +33,7 @@ m4_include([lib-std.m4]) @@ -2508,7 +2508,7 @@ index 00000000000..dc8bc72fccb + } +} diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index fab52688c04..29337576f37 100644 +index 9be02033877..4dd055a9ccf 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -82,6 +82,17 @@ security.provider.tbd=Apple @@ -3496,7 +3496,7 @@ index 00000000000..f8d505ca815 +} \ No newline at end of file diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index 9b69072280e..5696b904979 100644 +index 0736ce997e4..0a937fef377 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java @@ -37,6 +37,8 @@ import javax.crypto.*; @@ -3518,18 +3518,18 @@ index 9b69072280e..5696b904979 100644 private static final long serialVersionUID = -2575874101938349339L; private static final String PUBLIC = "public"; -@@ -136,9 +141,7 @@ abstract class P11Key implements Key, Length { +@@ -139,9 +144,7 @@ abstract class P11Key implements Key, Length { this.tokenObject = tokenObject; this.sensitive = sensitive; this.extractable = extractable; - char[] tokenLabel = this.token.tokenInfo.label; -- boolean isNSS = (tokenLabel[0] == 'N' && tokenLabel[1] == 'S' +- isNSS = (tokenLabel[0] == 'N' && tokenLabel[1] == 'S' - && tokenLabel[2] == 'S'); -+ boolean isNSS = P11Util.isNSS(this.token); ++ isNSS = P11Util.isNSS(this.token); boolean extractKeyInfo = (!DISABLE_NATIVE_KEYS_EXTRACTION && isNSS && extractable && !tokenObject); this.keyIDHolder = new NativeKeyHolder(this, keyID, session, -@@ -379,7 +382,9 @@ abstract class P11Key implements Key, Length { +@@ -383,7 +386,9 @@ abstract class P11Key implements Key, Length { new CK_ATTRIBUTE(CKA_SENSITIVE), new CK_ATTRIBUTE(CKA_EXTRACTABLE), }); @@ -3540,13 +3540,13 @@ index 9b69072280e..5696b904979 100644 return new P11PrivateKey (session, keyID, algorithm, keyLength, attributes); } else { -@@ -461,7 +466,8 @@ abstract class P11Key implements Key, Length { +@@ -465,7 +470,8 @@ abstract class P11Key implements Key, Length { } public String getFormat() { token.ensureValid(); -- if (sensitive || (extractable == false)) { +- if (sensitive || !extractable || (isNSS && tokenObject)) { + if (!plainKeySupportEnabled && -+ (sensitive || (extractable == false))) { ++ (sensitive || !extractable || (isNSS && tokenObject))) { return null; } else { return "RAW"; diff --git a/SOURCES/java-17-openjdk-portable.specfile b/SOURCES/java-17-openjdk-portable.specfile index 827767a..3c0ce08 100644 --- a/SOURCES/java-17-openjdk-portable.specfile +++ b/SOURCES/java-17-openjdk-portable.specfile @@ -27,7 +27,7 @@ # Enable static library builds by default. %bcond_without staticlibs # Build a fresh libjvm.so for use in a copy of the bootstrap JDK -%bcond_without fresh_libjvm +%bcond_with fresh_libjvm # Build with system libraries %bcond_with system_libs @@ -326,7 +326,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 8 +%global updatever 9 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, @@ -355,7 +355,7 @@ %global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} %else %if 0%{?rhel} -%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} +%global oj_vendor_bug_url https://access.redhat.com/support/cases/ %else %global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi %endif @@ -366,14 +366,22 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver bf363eecce3 +%global fipsver 51e1d00be4e +%global javaver %{featurever} +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} + +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) + +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK -%global top_level_dir_name %{origin} +%global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 7 +%global buildver 9 %global rpmrelease 1 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit @@ -388,14 +396,6 @@ # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} -%global javaver %{featurever} - -# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames -%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) - -# The tag used to create the OpenJDK tarball -%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} # Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): @@ -405,7 +405,7 @@ %if %{is_ga} %global build_type GA %global ea_designator "" -%global ea_designator_zip "" +%global ea_designator_zip %{nil} %global extraver %{nil} %global eaprefix %{nil} %else @@ -560,7 +560,7 @@ URL: http://openjdk.java.net/ # The source tarball, generated using generate_source_tarball.sh -Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). @@ -659,9 +659,11 @@ Patch1001: fips-17u-%{fipsver}.patch ############################################# # -# OpenJDK patches appearing in 17.0.8 +# OpenJDK patches appearing in 17.0.10 # ############################################# +# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar +Patch2000: jdk8312489-max_sig_default_increase.patch ############################################# # @@ -737,17 +739,17 @@ BuildRequires: libjpeg-devel BuildRequires: libpng-devel %else # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h -Provides: bundled(freetype) = 2.12.1 +Provides: bundled(freetype) = 2.13.0 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h Provides: bundled(giflib) = 5.2.1 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h -Provides: bundled(harfbuzz) = 7.0.1 +Provides: bundled(harfbuzz) = 7.2.0 # Version in src/java.desktop/share/native/liblcms/lcms2.h Provides: bundled(lcms2) = 2.15.0 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h Provides: bundled(libjpeg) = 6b # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h -Provides: bundled(libpng) = 1.6.37 +Provides: bundled(libpng) = 1.6.39 # We link statically against libstdc++ to increase portability BuildRequires: libstdc++-static %endif @@ -947,9 +949,12 @@ pushd %{top_level_dir_name} %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security %patch1000 -p1 +# JDK-8312489 backport, coming in 17.0.10 +%patch2000 -p1 +# alt-java support +%patch600 -p1 popd # openjdk -%patch600 # The OpenJDK version file includes the current # upstream version information. For some reason, @@ -1692,6 +1697,29 @@ done %{_jvmdir}/%{miscportablearchive}.sha256sum %changelog +* Thu Oct 12 2023 Andrew Hughes - 1:17.0.9.0.9-1 +- Update to jdk-17.0.9+9 (GA) +- Update release notes to 17.0.9+9 +- Re-generate FIPS patch against 17.0.9+1 following backport of JDK-8209398 +- Bump libpng version to 1.6.39 following JDK-8305815 +- Bump HarfBuzz version to 7.2.0 following JDK-8307301 +- Bump freetype version to 2.13.0 following JDK-8306881 +- Update generate_tarball.sh to be closer to upstream vanilla script inc. no more ECC removal +- Sync generate_tarball.sh with 11u version +- Update bug URL for RHEL to point to the Red Hat customer portal +- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball +- Use upstream release URL for OpenJDK source +- Apply all patches using -p1 +- Temporarily turn off 'fresh_libjvm' due to removal of JVM_IsThreadAlive (JDK-8305425) +- ** This tarball is embargoed until 2023-10-17 @ 1pm PT. ** + +* Sat Sep 02 2023 Andrew Hughes - 1:17.0.8.1.1-1 +- Update to jdk-17.0.8.1+1 (GA) +- Update release notes to 17.0.8.1+1 +- Add backport of JDK-8312489 already upstream in 17.0.10 (see OPENJDK-2095) +- Update openjdk_news script to specify subdirectory last +- Add missing discover_trees script required by openjdk_news + * Fri Jul 14 2023 Andrew Hughes - 1:17.0.8.0.7-1 - Update to jdk-17.0.8+7 (GA) - Update release notes to 17.0.8+7 diff --git a/SOURCES/jdk8312489-max_sig_default_increase.patch b/SOURCES/jdk8312489-max_sig_default_increase.patch new file mode 100644 index 0000000..8aeb261 --- /dev/null +++ b/SOURCES/jdk8312489-max_sig_default_increase.patch @@ -0,0 +1,50 @@ +commit 5b613e3ebed6c141146e743e64c894fe4f39421e +Author: Andrew John Hughes +Date: Fri Sep 1 15:53:41 2023 +0000 + + 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar + + Backport-of: e47a84f23dd2608c6f5748093eefe301fb5bf750 + +diff --git a/src/java.base/share/classes/java/util/jar/JarFile.java b/src/java.base/share/classes/java/util/jar/JarFile.java +index bd538649a4f..70cf99504e4 100644 +--- a/src/java.base/share/classes/java/util/jar/JarFile.java ++++ b/src/java.base/share/classes/java/util/jar/JarFile.java +@@ -803,7 +803,9 @@ private byte[] getBytes(ZipEntry ze) throws IOException { + throw new IOException("Unsupported size: " + uncompressedSize + + " for JarEntry " + ze.getName() + + ". Allowed max size: " + +- SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes"); ++ SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes. " + ++ "You can use the jdk.jar.maxSignatureFileSize " + ++ "system property to increase the default value."); + } + int len = (int)uncompressedSize; + int bytesRead; +diff --git a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java +index 4ea9255ba0a..05acdcb9474 100644 +--- a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java ++++ b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java +@@ -856,16 +856,16 @@ private static int initializeMaxSigFileSize() { + * the maximum allowed number of bytes for the signature-related files + * in a JAR file. + */ +- Integer tmp = GetIntegerAction.privilegedGetProperty( +- "jdk.jar.maxSignatureFileSize", 8000000); ++ int tmp = GetIntegerAction.privilegedGetProperty( ++ "jdk.jar.maxSignatureFileSize", 16000000); + if (tmp < 0 || tmp > MAX_ARRAY_SIZE) { + if (debug != null) { +- debug.println("Default signature file size 8000000 bytes " + +- "is used as the specified size for the " + +- "jdk.jar.maxSignatureFileSize system property " + ++ debug.println("The default signature file size of 16000000 bytes " + ++ "will be used for the jdk.jar.maxSignatureFileSize " + ++ "system property since the specified value " + + "is out of range: " + tmp); + } +- tmp = 8000000; ++ tmp = 16000000; + } + return tmp; + }