Compare commits

..

No commits in common. "c8-beta" and "imports/c9/java-17-openjdk-17.0.6.0.10-3.el9_1" have entirely different histories.

5 changed files with 316 additions and 203 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz SOURCES/openjdk-jdk17u-jdk-17.0.6+10.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

View File

@ -1,2 +1,2 @@
95213324016613e314e5c97dc87f31a0576df00c SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz fc29dd4013a289be075afdcb29c8df29d1349c0d SOURCES/openjdk-jdk17u-jdk-17.0.6+10.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

View File

@ -9,6 +9,21 @@ Live versions of these release notes can be found at:
* https://bitly.com/openjdk1706 * https://bitly.com/openjdk1706
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html * https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html
* CVEs
- CVE-2023-21835
- CVE-2023-21843
* Security fixes
- JDK-8286070: Improve UTF8 representation
- JDK-8286496: Improve Thread labels
- JDK-8287411: Enhance DTLS performance
- JDK-8288516: Enhance font creation
- JDK-8289350: Better media supports
- JDK-8293554: Enhanced DH Key Exchanges
- JDK-8293598: Enhance InetAddress address handling
- JDK-8293717: Objective view of ObjectView
- JDK-8293734: Improve BMP image handling
- JDK-8293742: Better Banking of Sounds
- JDK-8295687: Better BMP bounds
* Other changes * Other changes
- JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows
- JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails
@ -252,10 +267,12 @@ Live versions of these release notes can be found at:
- JDK-8295554: Move the "sizecalc.h" to the correct location - JDK-8295554: Move the "sizecalc.h" to the correct location
- JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev - JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev
- JDK-8295714: GHA ::set-output is deprecated and will be removed - JDK-8295714: GHA ::set-output is deprecated and will be removed
- JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error
- JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor - JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor
- JDK-8295952: Problemlist existing compiler/rtm tests also on x86 - JDK-8295952: Problemlist existing compiler/rtm tests also on x86
- JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM - JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM
- JDK-8296108: (tz) Update Timezone Data to 2022f - JDK-8296108: (tz) Update Timezone Data to 2022f
- JDK-8296239: ISO 4217 Amendment 174 Update
- JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing
- JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException
- JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation - JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation
@ -278,10 +295,33 @@ Live versions of these release notes can be found at:
- JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run - JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run
- JDK-8297656: AArch64: Enable AES/GCM Intrinsics - JDK-8297656: AArch64: Enable AES/GCM Intrinsics
- JDK-8297804: (tz) Update Timezone Data to 2022g - JDK-8297804: (tz) Update Timezone Data to 2022g
- JDK-8299392: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.6
- JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
- JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java
Notes on individual issues: Notes on individual issues:
=========================== ===========================
client-libs/javax.imageio:
JDK-8295687: Better BMP bounds
==============================
Loading a linked ICC profile within a BMP image is now disabled by
default. To re-enable it, set the new system property
`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property
replaces the old property,
`sun.imageio.plugins.bmp.disableLinkedProfiles`.
client-libs/javax.sound:
JDK-8293742: Better Banking of Sounds
=====================================
Previously, the SoundbankReader implementation,
`com.sun.media.sound.JARSoundbankReader`, would download a JAR
soundbank from a URL. This behaviour is now disabled by default. To
re-enable it, set the new system property `jdk.sound.jarsoundbank` to
`true`.
security-libs/java.security: security-libs/java.security:
JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set
@ -302,6 +342,14 @@ the same change is made in third party modules. Developers of third
party modules are advised to verify that their logout() method does not party modules are advised to verify that their logout() method does not
throw a NullPointerException. throw a NullPointerException.
security-libs/javax.net.ssl:
JDK-8287411: Enhance DTLS performance
=====================================
The JDK now exchanges DTLS cookies for all handshakes, new and
resumed. The previous behaviour can be re-enabled by setting the new
system property `jdk.tls.enableDtlsResumeCookie` to `false`.
New in release OpenJDK 17.0.5 (2022-10-18): New in release OpenJDK 17.0.5 (2022-10-18):
=========================================== ===========================================
Live versions of these release notes can be found at: Live versions of these release notes can be found at:

View File

@ -2644,7 +2644,7 @@ index 00000000000..55bbba98b7a
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } +attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+ +
diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
index b22f26947af..3ee2ce6ea88 100644 index b22f26947af..02bea84e210 100644
--- a/src/java.base/share/lib/security/default.policy --- a/src/java.base/share/lib/security/default.policy
+++ b/src/java.base/share/lib/security/default.policy +++ b/src/java.base/share/lib/security/default.policy
@@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" { @@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" {
@ -2663,6 +2663,15 @@ index b22f26947af..3ee2ce6ea88 100644
permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
permission java.lang.RuntimePermission permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*"; "accessClassInPackage.sun.security.*";
@@ -140,6 +142,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read";
+ permission java.util.PropertyPermission "fips.nssdb.path", "read,write";
+ permission java.util.PropertyPermission "fips.nssdb.pin", "read";
permission java.security.SecurityPermission "putProviderProperty.*";
permission java.security.SecurityPermission "clearProviderProperties.*";
permission java.security.SecurityPermission "removeProviderProperty.*";
diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c
new file mode 100644 new file mode 100644
index 00000000000..ddf9befe5bc index 00000000000..ddf9befe5bc
@ -4120,7 +4129,7 @@ index 262cfc062ad..72b64f72c0a 100644
Provider p = sun; Provider p = sun;
if (p == null) { if (p == null) {
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index aa35e8fa668..f4d7c9cc201 100644 index aa35e8fa668..1855e5631bd 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@ @@ -26,6 +26,9 @@
@ -4186,7 +4195,7 @@ index aa35e8fa668..f4d7c9cc201 100644
private static final long serialVersionUID = -1354835039035306505L; private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11"); static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -115,6 +153,18 @@ public final class SunPKCS11 extends AuthProvider { @@ -115,6 +153,29 @@ public final class SunPKCS11 extends AuthProvider {
return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
@Override @Override
public SunPKCS11 run() throws Exception { public SunPKCS11 run() throws Exception {
@ -4197,15 +4206,26 @@ index aa35e8fa668..f4d7c9cc201 100644
+ * fips.nssdb.path System property after expansion. + * fips.nssdb.path System property after expansion.
+ * Security properties expansion is unsupported. + * Security properties expansion is unsupported.
+ */ + */
+ String nssdbPath =
+ SecurityProperties.privilegedGetOverridable(
+ FIPS_NSSDB_PATH_PROP);
+ if (System.getSecurityManager() != null) {
+ AccessController.doPrivileged(
+ (PrivilegedAction<Void>) () -> {
+ System.setProperty( + System.setProperty(
+ FIPS_NSSDB_PATH_PROP, + FIPS_NSSDB_PATH_PROP,
+ SecurityProperties.privilegedGetOverridable( + nssdbPath);
+ FIPS_NSSDB_PATH_PROP)); + return null;
+ });
+ } else {
+ System.setProperty(
+ FIPS_NSSDB_PATH_PROP, nssdbPath);
+ }
+ } + }
return new SunPKCS11(new Config(newConfigName)); return new SunPKCS11(new Config(newConfigName));
} }
}); });
@@ -320,10 +370,19 @@ public final class SunPKCS11 extends AuthProvider { @@ -320,10 +381,19 @@ public final class SunPKCS11 extends AuthProvider {
// request multithreaded access first // request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK; initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11; PKCS11 tmpPKCS11;
@ -4226,7 +4246,7 @@ index aa35e8fa668..f4d7c9cc201 100644
} catch (PKCS11Exception e) { } catch (PKCS11Exception e) {
if (debug != null) { if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e); debug.println("Multi-threaded initialization failed: " + e);
@@ -339,11 +398,12 @@ public final class SunPKCS11 extends AuthProvider { @@ -339,11 +409,12 @@ public final class SunPKCS11 extends AuthProvider {
initArgs.flags = 0; initArgs.flags = 0;
} }
tmpPKCS11 = PKCS11.getInstance(library, tmpPKCS11 = PKCS11.getInstance(library,
@ -4241,7 +4261,7 @@ index aa35e8fa668..f4d7c9cc201 100644
if (p11Info.cryptokiVersion.major < 2) { if (p11Info.cryptokiVersion.major < 2) {
throw new ProviderException("Only PKCS#11 v2.0 and later " throw new ProviderException("Only PKCS#11 v2.0 and later "
+ "supported, library version is v" + p11Info.cryptokiVersion); + "supported, library version is v" + p11Info.cryptokiVersion);
@@ -417,14 +477,19 @@ public final class SunPKCS11 extends AuthProvider { @@ -417,14 +488,19 @@ public final class SunPKCS11 extends AuthProvider {
final String className; final String className;
final List<String> aliases; final List<String> aliases;
final int[] mechanisms; final int[] mechanisms;
@ -4262,7 +4282,7 @@ index aa35e8fa668..f4d7c9cc201 100644
} }
private P11Service service(Token token, int mechanism) { private P11Service service(Token token, int mechanism) {
return new P11Service return new P11Service
@@ -458,18 +523,29 @@ public final class SunPKCS11 extends AuthProvider { @@ -458,18 +534,29 @@ public final class SunPKCS11 extends AuthProvider {
private static void d(String type, String algorithm, String className, private static void d(String type, String algorithm, String className,
int[] m) { int[] m) {
@ -4295,7 +4315,7 @@ index aa35e8fa668..f4d7c9cc201 100644
} }
private static void register(Descriptor d) { private static void register(Descriptor d) {
@@ -525,6 +601,7 @@ public final class SunPKCS11 extends AuthProvider { @@ -525,6 +612,7 @@ public final class SunPKCS11 extends AuthProvider {
String P11Cipher = "sun.security.pkcs11.P11Cipher"; String P11Cipher = "sun.security.pkcs11.P11Cipher";
String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher"; String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher";
@ -4303,7 +4323,7 @@ index aa35e8fa668..f4d7c9cc201 100644
String P11Signature = "sun.security.pkcs11.P11Signature"; String P11Signature = "sun.security.pkcs11.P11Signature";
String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature"; String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature";
@@ -587,6 +664,30 @@ public final class SunPKCS11 extends AuthProvider { @@ -587,6 +675,30 @@ public final class SunPKCS11 extends AuthProvider {
d(MAC, "SslMacSHA1", P11Mac, d(MAC, "SslMacSHA1", P11Mac,
m(CKM_SSL3_SHA1_MAC)); m(CKM_SSL3_SHA1_MAC));
@ -4334,7 +4354,7 @@ index aa35e8fa668..f4d7c9cc201 100644
d(KPG, "RSA", P11KeyPairGenerator, d(KPG, "RSA", P11KeyPairGenerator,
getAliases("PKCS1"), getAliases("PKCS1"),
m(CKM_RSA_PKCS_KEY_PAIR_GEN)); m(CKM_RSA_PKCS_KEY_PAIR_GEN));
@@ -685,6 +786,66 @@ public final class SunPKCS11 extends AuthProvider { @@ -685,6 +797,66 @@ public final class SunPKCS11 extends AuthProvider {
d(SKF, "ChaCha20", P11SecretKeyFactory, d(SKF, "ChaCha20", P11SecretKeyFactory,
m(CKM_CHACHA20_POLY1305)); m(CKM_CHACHA20_POLY1305));
@ -4401,7 +4421,7 @@ index aa35e8fa668..f4d7c9cc201 100644
// XXX attributes for Ciphers (supported modes, padding) // XXX attributes for Ciphers (supported modes, padding)
dA(CIP, "ARCFOUR", P11Cipher, dA(CIP, "ARCFOUR", P11Cipher,
m(CKM_RC4)); m(CKM_RC4));
@@ -754,6 +915,46 @@ public final class SunPKCS11 extends AuthProvider { @@ -754,6 +926,46 @@ public final class SunPKCS11 extends AuthProvider {
d(CIP, "RSA/ECB/NoPadding", P11RSACipher, d(CIP, "RSA/ECB/NoPadding", P11RSACipher,
m(CKM_RSA_X_509)); m(CKM_RSA_X_509));
@ -4448,7 +4468,7 @@ index aa35e8fa668..f4d7c9cc201 100644
d(SIG, "RawDSA", P11Signature, d(SIG, "RawDSA", P11Signature,
List.of("NONEwithDSA"), List.of("NONEwithDSA"),
m(CKM_DSA)); m(CKM_DSA));
@@ -1144,9 +1345,21 @@ public final class SunPKCS11 extends AuthProvider { @@ -1144,9 +1356,21 @@ public final class SunPKCS11 extends AuthProvider {
if (ds == null) { if (ds == null) {
continue; continue;
} }
@ -4470,7 +4490,13 @@ index aa35e8fa668..f4d7c9cc201 100644
supportedAlgs.put(d, integerMech); supportedAlgs.put(d, integerMech);
continue; continue;
} }
@@ -1225,6 +1438,27 @@ public final class SunPKCS11 extends AuthProvider { @@ -1220,11 +1444,52 @@ public final class SunPKCS11 extends AuthProvider {
}
@Override
+ @SuppressWarnings("removal")
public Object newInstance(Object param)
throws NoSuchAlgorithmException {
if (token.isValid() == false) { if (token.isValid() == false) {
throw new NoSuchAlgorithmException("Token has been removed"); throw new NoSuchAlgorithmException("Token has been removed");
} }
@ -4488,7 +4514,26 @@ index aa35e8fa668..f4d7c9cc201 100644
+ * property. + * property.
+ */ + */
+ try { + try {
+ if (System.getSecurityManager() != null) {
+ try {
+ AccessController.doPrivileged(
+ (PrivilegedExceptionAction<Void>) () -> {
+ token.ensureLoggedIn(null); + token.ensureLoggedIn(null);
+ return null;
+ });
+ } catch (PrivilegedActionException pae) {
+ Exception e = pae.getException();
+ if (e instanceof LoginException le) {
+ throw le;
+ } else if (e instanceof PKCS11Exception p11e) {
+ throw p11e;
+ } else {
+ throw new RuntimeException(e);
+ }
+ }
+ } else {
+ token.ensureLoggedIn(null);
+ }
+ } catch (PKCS11Exception | LoginException e) { + } catch (PKCS11Exception | LoginException e) {
+ throw new ProviderException("FIPS: error during the Token" + + throw new ProviderException("FIPS: error during the Token" +
+ " login required for the " + getType() + + " login required for the " + getType() +
@ -4498,7 +4543,7 @@ index aa35e8fa668..f4d7c9cc201 100644
try { try {
return newInstance0(param); return newInstance0(param);
} catch (PKCS11Exception e) { } catch (PKCS11Exception e) {
@@ -1244,6 +1478,8 @@ public final class SunPKCS11 extends AuthProvider { @@ -1244,6 +1509,8 @@ public final class SunPKCS11 extends AuthProvider {
} else if (algorithm.endsWith("GCM/NoPadding") || } else if (algorithm.endsWith("GCM/NoPadding") ||
algorithm.startsWith("ChaCha20-Poly1305")) { algorithm.startsWith("ChaCha20-Poly1305")) {
return new P11AEADCipher(token, algorithm, mechanism); return new P11AEADCipher(token, algorithm, mechanism);
@ -4507,7 +4552,7 @@ index aa35e8fa668..f4d7c9cc201 100644
} else { } else {
return new P11Cipher(token, algorithm, mechanism); return new P11Cipher(token, algorithm, mechanism);
} }
@@ -1579,6 +1815,9 @@ public final class SunPKCS11 extends AuthProvider { @@ -1579,6 +1846,9 @@ public final class SunPKCS11 extends AuthProvider {
try { try {
session = token.getOpSession(); session = token.getOpSession();
p11.C_Logout(session.id()); p11.C_Logout(session.id());

View File

@ -361,14 +361,14 @@
# Define IcedTea version used for SystemTap tapsets and desktop file # Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598 %global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches # Define current Git revision for the FIPS support patches
%global fipsver 72d08e3226f %global fipsver 257d544b594
# Standard JPackage naming and versioning defines # Standard JPackage naming and versioning defines
%global origin openjdk %global origin openjdk
%global origin_nice OpenJDK %global origin_nice OpenJDK
%global top_level_dir_name %{origin} %global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup %global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 9 %global buildver 10
%global rpmrelease 3 %global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk %if %is_system_jdk
@ -395,7 +395,7 @@
# Release will be (where N is usually a number starting at 1): # Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases, # - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases # - N%%{?extraver}{?dist} for GA releases
%global is_ga 0 %global is_ga 1
%if %{is_ga} %if %{is_ga}
%global build_type GA %global build_type GA
%global ea_designator "" %global ea_designator ""
@ -1127,7 +1127,7 @@ Requires: lksctp-tools%{?_isa}
# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
# considered as regression # considered as regression
Requires: copy-jdk-configs >= 3.3 Requires: copy-jdk-configs >= 4.0
OrderWithRequires: copy-jdk-configs OrderWithRequires: copy-jdk-configs
%endif %endif
# for printing support # for printing support
@ -1365,6 +1365,7 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
# Add nss.fips.cfg support to OpenJDK tree # Add nss.fips.cfg support to OpenJDK tree
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode # RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
# Remove forgotten dead code from RH2020290 and RH2104724 # Remove forgotten dead code from RH2020290 and RH2104724
# OJ1357: Fix issue on FIPS with a SecurityManager in place
Patch1001: fips-17u-%{fipsver}.patch Patch1001: fips-17u-%{fipsver}.patch
############################################# #############################################
@ -1375,7 +1376,7 @@ Patch1001: fips-17u-%{fipsver}.patch
############################################# #############################################
# #
# OpenJDK patches appearing in 17.0.5 # OpenJDK patches appearing in 17.0.3
# #
############################################# #############################################
@ -2161,10 +2162,14 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif %endif
# Check translations are available for new timezones %if ! 0%{?flatpak}
# Check translations are available for new timezones (during flatpak builds, the
# tzdb.dat used by this test is not where the test expects it, so this is
# disabled for flatpak builds)
$JAVA_HOME/bin/javac -d . %{SOURCE18} $JAVA_HOME/bin/javac -d . %{SOURCE18}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
%endif
%if %{include_staticlibs} %if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test) # Check debug symbols in static libraries (smoke test)
@ -2423,9 +2428,10 @@ else
return return
end end
end end
-- run content of included file with fake args arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua"
arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} cjc = require "copy_jdk_configs.lua"
require "copy_jdk_configs.lua" args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
cjc.mainProgram(args)
%post %post
%{post_script %{nil}} %{post_script %{nil}}
@ -2621,15 +2627,35 @@ require "copy_jdk_configs.lua"
%endif %endif
%changelog %changelog
* Wed Jan 04 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.9-0.3.ea * Sat Jan 14 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-3
- Add missing release note for JDK-8295687
- Resolves: rhbz#2160111
* Fri Jan 13 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-3
- Update FIPS support to bring in latest changes
- * OJ1357: Fix issue on FIPS with a SecurityManager in place
- Related: rhbz#2147476
* Fri Jan 13 2023 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.6.0.10-3
- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat
- Related: rhbz#2160111
* Wed Jan 11 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-2
- Update to jdk-17.0.6.0+10
- Update release notes to 17.0.6.0+10
- Switch to GA mode for release
- ** This tarball is embargoed until 2023-01-17 @ 1pm PT. **
- Related: rhbz#2153097
* Wed Jan 04 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.9-0.2.ea
- Update to jdk-17.0.6+9 - Update to jdk-17.0.6+9
- Update release notes to 17.0.6+9 - Update release notes to 17.0.6+9
- Drop local copy of JDK-8293834 now this is upstream - Drop local copy of JDK-8293834 now this is upstream
- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804 - Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
- Update TestTranslations.java to test the new America/Ciudad_Juarez zone - Update TestTranslations.java to test the new America/Ciudad_Juarez zone
- Resolves: rhbz#2150195 - Resolves: rhbz#2153097
* Sat Dec 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.1-0.3.ea * Sat Dec 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.1-0.2.ea
- Update to jdk-17.0.6+1 - Update to jdk-17.0.6+1
- Update release notes to 17.0.6+1 - Update release notes to 17.0.6+1
- Switch to EA mode for 17.0.6 pre-release builds. - Switch to EA mode for 17.0.6 pre-release builds.
@ -2637,55 +2663,38 @@ require "copy_jdk_configs.lua"
- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream - Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
- Drop JDK-8275535 local patch now this has been accepted and backported upstream - Drop JDK-8275535 local patch now this has been accepted and backported upstream
- Bump tzdata requirement to 2022e now the package is available in RHEL - Bump tzdata requirement to 2022e now the package is available in RHEL
- Related: rhbz#2150195 - Related: rhbz#2153097
* Wed Nov 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-5 * Wed Nov 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-4
- Update FIPS support to bring in latest changes - Update FIPS support to bring in latest changes
- * Add nss.fips.cfg support to OpenJDK tree - * Add nss.fips.cfg support to OpenJDK tree
- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode - * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
- * Remove forgotten dead code from RH2020290 and RH2104724 - * Remove forgotten dead code from RH2020290 and RH2104724
- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build - Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
- Resolves: rhbz#2117972 - Resolves: rhbz#2147476
* Wed Oct 26 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-2 * Wed Oct 26 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-1
- Update to jdk-17.0.5+8 (GA) - Update to jdk-17.0.5+8 (GA)
- Update release notes to 17.0.5+8 (GA) - Update release notes to 17.0.5+8 (GA)
- Switch to GA mode for final release. - Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
- Bump FreeType bundled version to 2.12.1 following JDK-8290334
- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 - Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
- Update CLDR data with Europe/Kyiv (JDK-8293834) - Update CLDR data with Europe/Kyiv (JDK-8293834)
- Drop JDK-8292223 patch which we found to be unnecessary - Drop JDK-8292223 patch which we found to be unnecessary
- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream - Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds - The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
- Remove freetype sources along with zlib sources - Remove freetype sources along with zlib sources
- Resolves: rhbz#2132933
- Resolves: rhbz#2133695 - Resolves: rhbz#2133695
* Tue Oct 04 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.7-0.2.ea
- Update to jdk-17.0.5+7
- Update release notes to 17.0.5+7
- Drop JDK-8288985 patch that is now upstream
- Resolves: rhbz#2130617
* Mon Oct 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.1-0.2.ea
- Update to jdk-17.0.5+1
- Update release notes to 17.0.5+1
- Switch to EA mode for 17.0.5 pre-release builds.
- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
- Bump FreeType bundled version to 2.12.1 following JDK-8290334
- Related: rhbz#2130617
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-6
- Backport JDK-8288985 to enable use of ChaCha20-Poly1305 with the PKCS11 provider
- Upstream backport in progress: https://github.com/openjdk/jdk17u-dev/pull/650
- Resolves: rhbz#2006351
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-5 * Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-5
- Switch to static builds, reducing system dependencies and making build more portable - Switch to static builds, reducing system dependencies and making build more portable
- Resolves: rhbz#2121263 - Resolves: rhbz#2121268
* Mon Aug 29 2022 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.4.1.1-4 * Mon Aug 29 2022 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.4.1.1-4
- Fix flatpak builds (catering for their uncompressed manual pages) - Fix flatpak builds (catering for their uncompressed manual pages)
- Fix flatpak builds by exempting them from bootstrap - Fix flatpak builds by exempting them from bootstrap
- Resolves: rhbz#2102734 - Resolves: rhbz#2102726
* Mon Aug 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-3 * Mon Aug 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-3
- Update FIPS support to bring in latest changes - Update FIPS support to bring in latest changes
@ -2694,23 +2703,23 @@ require "copy_jdk_configs.lua"
- * Build the systemconf library on all platforms - * Build the systemconf library on all platforms
- * RH2048582: Support PKCS#12 keystores - * RH2048582: Support PKCS#12 keystores
- * RH2020290: Support TLS 1.3 in FIPS mode - * RH2020290: Support TLS 1.3 in FIPS mode
- Resolves: rhbz#2104724 - Resolves: rhbz#2104725
- Resolves: rhbz#2092507 - Resolves: rhbz#2117758
- Resolves: rhbz#2048582 - Resolves: rhbz#2115164
- Resolves: rhbz#2020290 - Resolves: rhbz#2029665
* Sun Aug 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-2 * Sun Aug 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-2
- Update to jdk-17.0.4.1+1 - Update to jdk-17.0.4.1+1
- Update release notes to 17.0.4.1+1 - Update release notes to 17.0.4.1+1
- Add patch to provide translations for Europe/Kyiv added in tzdata2022b - Add patch to provide translations for Europe/Kyiv added in tzdata2022b
- Add test to ensure timezones can be translated - Add test to ensure timezones can be translated
- Resolves: rhbz#2119531 - Resolves: rhbz#2119532
* Fri Jul 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-3 * Fri Jul 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-3
- Update to jdk-17.0.4.0+8 - Update to jdk-17.0.4.0+8
- Update release notes to 17.0.4.0+8 - Update release notes to 17.0.4.0+8
- Switch to GA mode for release - Switch to GA mode for release
- Resolves: rhbz#2106522 - Resolves: rhbz#2106524
* Wed Jul 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.2.ea * Wed Jul 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.2.ea
- Revert the following changes until copy-java-configs has adapted to relative symlinks: - Revert the following changes until copy-java-configs has adapted to relative symlinks:
@ -2720,58 +2729,56 @@ require "copy_jdk_configs.lua"
- * Use relative symlinks so they work within the image - * Use relative symlinks so they work within the image
- * Run debug symbols check during build stage, before the install strips them - * Run debug symbols check during build stage, before the install strips them
- The move of turning on system security properties is retained so we don't ship with them off - The move of turning on system security properties is retained so we don't ship with them off
- Related: rhbz#2100674 - Related: rhbz#2084218
* Wed Jul 20 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.4.0.7-0.2.ea
- retutrned absolute symlinks
- relative symlinks are breaking cjc, and deeper investigations are necessary
-- why cjc intentionally skips relative symllinks
- images have to be workarounded differently
- Related: rhbz#2100674
* Sat Jul 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.1.ea * Sat Jul 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.1.ea
- Update to jdk-17.0.4.0+7 - Update to jdk-17.0.3.0+7
- Update release notes to 17.0.4.0+7 - Update release notes to 17.0.3.0+7
- Switch to EA mode for 17.0.4 pre-release builds.
- Need to include the '.S' suffix in debuginfo checks after JDK-8284661 - Need to include the '.S' suffix in debuginfo checks after JDK-8284661
- Explicitly require crypto-policies during build and runtime for system security properties
- Make use of the vendor version string to store our version & release rather than an upstream release date
- Include a test in the RPM to check the build has the correct vendor information.
- Resolves: rhbz#2084218
* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.0.1-0.2.ea
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
- Add proper quoting so '&' is not treated as a special character by the shell.
- Related: rhbz#2084218
* Tue Jul 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.1-0.1.ea
- Update to jdk-17.0.4.0+1
- Update release notes to 17.0.4.0+1
- Switch to EA mode for 17.0.4 pre-release builds.
- Print release file during build, which should now include a correct SOURCE value from .src-rev - Print release file during build, which should now include a correct SOURCE value from .src-rev
- Update tarball script with IcedTea GitHub URL and .src-rev generation - Update tarball script with IcedTea GitHub URL and .src-rev generation
- Include script to generate bug list for release notes - Include script to generate bug list for release notes
- Update tzdata requirement to 2022a to match JDK-8283350 - Update tzdata requirement to 2022a to match JDK-8283350
- Move EA designator check to prep so failures can be caught earlier - Move EA designator check to prep so failures can be caught earlier
- Make EA designator check non-fatal while upstream is not maintaining it - Make EA designator check non-fatal while upstream is not maintaining it
- Explicitly require crypto-policies during build and runtime for system security properties - Related: rhbz#2084218
- Make use of the vendor version string to store our version & release rather than an upstream release date
- Include a test in the RPM to check the build has the correct vendor information.
- Resolves: rhbz#2083316
* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.0.1-0.2.ea * Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-5
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
- Add proper quoting so '&' is not treated as a special character by the shell.
- Related: rhbz#2083316
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
- Fix whitespace in spec file - Fix whitespace in spec file
- Related: rhbz#2100674 - Related: rhbz#2100677
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6 * Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-5
- Sequence spec file sections as they are run by rpmbuild (build, install then test) - Sequence spec file sections as they are run by rpmbuild (build, install then test)
- Related: rhbz#2100674 - Related: rhbz#2100677
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6 * Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-5
- Turn on system security properties as part of the build's install section - Turn on system security properties as part of the build's install section
- Move cacerts replacement to install section and retain original of this and tzdb.dat - Move cacerts replacement to install section and retain original of this and tzdb.dat
- Run tests on the installed image, rather than the build image - Run tests on the installed image, rather than the build image
- Introduce variables to refer to the static library installation directories - Introduce variables to refer to the static library installation directories
- Use relative symlinks so they work within the image - Use relative symlinks so they work within the image
- Run debug symbols check during build stage, before the install strips them - Run debug symbols check during build stage, before the install strips them
- Related: rhbz#2100674 - Related: rhbz#2100677
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-5 * Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-4
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
- Resolves: rhbz#2007331 - Resolves: rhbz#2102433
* Tue Jun 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-4 * Wed Jun 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-3
- Update FIPS support to bring in latest changes - Update FIPS support to bring in latest changes
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage - * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together - * RH2090378: Revert to disabling system security properties and FIPS mode support together
@ -2779,64 +2786,51 @@ require "copy_jdk_configs.lua"
- Enable system security properties in the RPM (now disabled by default in the FIPS repo) - Enable system security properties in the RPM (now disabled by default in the FIPS repo)
- Improve security properties test to check both enabled and disabled behaviour - Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on - Run security properties test with property debugging on
- Resolves: rhbz#2099840 - Resolves: rhbz#2099844
- Resolves: rhbz#2100674 - Resolves: rhbz#2100677
* Tue Jun 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-3
- Add rpminspect.yaml to turn off Java bytecode inspections
- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
- Resolves: rhbz#2101524
* Sun Jun 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-2 * Sun Jun 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-2
- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository - Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- RH2023467: Enable FIPS keys export - RH2023467: Enable FIPS keys export
- RH2094027: SunEC runtime permission for FIPS - RH2094027: SunEC runtime permission for FIPS
- Resolves: rhbz#2023467 - Resolves: rhbz#2029657
- Resolves: rhbz#2094027 - Resolves: rhbz#2096117
* Wed Apr 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-1 * Wed Apr 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-1
- April 2022 security update to jdk 17.0.3+7 - April 2022 security update to jdk 17.0.3+6
- Update to jdk-17.0.3.0+7 release tarball - Update to jdk-17.0.3.0+6 pre-release tarball (17usec.17.0.3+5-220408)
- Add JDK-8284548 regression fix missing from pre-release tarball but in jdk-17.0.3+6/jdk-17.0.3-ga
- Update release notes to 17.0.3.0+6 - Update release notes to 17.0.3.0+6
- Add missing README.md and generate_source_tarball.sh - Add missing README.md and generate_source_tarball.sh
- Switch to GA mode for release - Switch to GA mode for release
- JDK-8283911 patch no longer needed now we're GA... - JDK-8283911 patch no longer needed now we're GA...
- Resolves: rhbz#2073577 - Resolves: rhbz#2073579
* Wed Apr 06 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.5-0.1.ea * Wed Apr 06 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.5-0.1.ea
- Update to jdk-17.0.3.0+5 - Update to jdk-17.0.3.0+5
- Update release notes to 17.0.3.0+5 - Update release notes to 17.0.3.0+5
- Resolves: rhbz#2050456 - Resolves: rhbz#2050460
* Tue Mar 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.1-0.1.ea * Tue Mar 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.1-0.1.ea
- Update to jdk-17.0.3.0+1 - Update to jdk-17.0.3.0+1
- Update release notes to 17.0.3.0+1 - Update release notes to 17.0.3.0+1
- Switch to EA mode for 17.0.3 pre-release builds. - Switch to EA mode for 17.0.3 pre-release builds.
- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value - Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
- Related: rhbz#2050456 - Related: rhbz#2050460
* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-15 * Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-13
- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode - Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
- Resolves: rhbz#2052070 - Resolves: rhbz#2055383
* Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-14 * Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-12
- Add rpminspect.yaml to turn off Java bytecode inspections
- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
- Resolves: rhbz#2023540
* Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-11
- Introduce tests/tests.yml, based on the one in java-11-openjdk - Introduce tests/tests.yml, based on the one in java-11-openjdk
- Resolves: rhbz#2058493 - Resolves: rhbz#2058490
* Sun Feb 27 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.2.0.8-13
- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
secmod.db file as part of nss
- Resolves: rhbz#2023536
* Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-12
- Detect NSS at runtime for FIPS detection
- Turn off build-time NSS linking and go back to an explicit Requires on NSS
- Resolves: rhbz#2051605
* Fri Feb 25 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-11
- Add JDK-8275535 patch to fix LDAP authentication issue.
- Resolves: rhbz#2053256
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-10 * Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-10
- Storing and restoring alterntives during update manually - Storing and restoring alterntives during update manually
@ -2848,28 +2842,30 @@ require "copy_jdk_configs.lua"
-- the selection in family -- the selection in family
-- Thus this fix, is storing the family of manually selected master, and if -- Thus this fix, is storing the family of manually selected master, and if
-- stored, then it is restoring the family of the master -- stored, then it is restoring the family of the master
- Resolves: rhbz#2008200 - Resolves: rhbz#2008206
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-9 * Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-9
- Family extracted to globals - Family extracted to globals
- Resolves: rhbz#2008200 - Related: rhbz#2008206
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-8 * Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-8
- alternatives creation moved to posttrans - Detect NSS at runtime for FIPS detection
- Thus fixing the old reisntall issue: - Turn off build-time NSS linking and go back to an explicit Requires on NSS
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302 - Resolves: rhbz#2052829
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
- Resolves: rhbz#2008200
* Mon Feb 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-7 * Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-7
- Add JDK-8275535 patch to fix LDAP authentication issue.
- Resolves: rhbz#2053521
* Mon Feb 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-6
- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent - Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
- Resolves: rhbz#2051590 - Resolves: rhbz#2052819
* Fri Feb 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-6 * Fri Feb 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-5
- Fix FIPS issues in native code and with initialisation of java.security.Security - Fix FIPS issues in native code and with initialisation of java.security.Security
- Resolves: rhbz#2023378 - Resolves: rhbz#2023531
* Thu Feb 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-5 * Thu Feb 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-4
- Restructure the build so a minimal initial build is then used for the final build (with docs) - Restructure the build so a minimal initial build is then used for the final build (with docs)
- This reduces pressure on the system JDK and ensures the JDK being built can do a full build - This reduces pressure on the system JDK and ensures the JDK being built can do a full build
- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. - Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
@ -2882,92 +2878,108 @@ require "copy_jdk_configs.lua"
- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK. - Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
- Explicitly list JIT architectures rather than relying on those with slowdebug builds - Explicitly list JIT architectures rather than relying on those with slowdebug builds
- Disable the serviceability agent on Zero architectures even when the architecture itself is supported - Disable the serviceability agent on Zero architectures even when the architecture itself is supported
- Resolves: rhbz#2022822 - Resolves: rhbz#2022826
* Thu Feb 17 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-5 * Thu Feb 17 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-4
- Replaced tabs by sets of spaces to make rpmlint happy - Replaced tabs by sets of spaces to make rpmlint happy
- javadoc-zip gets its own provides next to plain javadoc ones - javadoc-zip gets its own provides next to plain javadoc ones
- Resolves: rhbz#2022822 - Resolves: rhbz#2022826
* Tue Feb 08 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-4 * Wed Feb 16 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-3
- Minor cosmetic improvements to make spec more comparable between variants - Minor cosmetic improvements to make spec more comparable between variants
- Related: rhbz#2022822 - Related: rhbz#2022826
* Thu Feb 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-3 * Wed Feb 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-2
- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@ - Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
- Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository - Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
- Related: rhbz#2022822 - Related: rhbz#2022826
* Thu Feb 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-2 * Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-1
- Extend LTS check to exclude EPEL.
- Related: rhbz#2022822
* Thu Feb 03 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.2.0.8-2
- Set LTS designator.
- Related: rhbz#2022822
* Wed Jan 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-1
- January 2022 security update to jdk 17.0.2+8 - January 2022 security update to jdk 17.0.2+8
- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java - Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
- Rename libsvml.so to libjsvml.so following JDK-8276025 - Rename libsvml.so to libjsvml.so following JDK-8276025
- Resolves: rhbz#2039366 - Drop JDK-8276572 patch which is now upstream
- Resolves: rhbz#2039392
* Thu Oct 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-3 * Thu Feb 10 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-3
- Sync desktop files with upstream IcedTea release 3.15.0 using new script - Sync desktop files with upstream IcedTea release 3.15.0 using new script
- Related: rhbz#2013842 - Related: rhbz#2022826
* Tue Oct 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-2 * Mon Nov 29 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.1.0.12-2
- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1 - Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
- Resolves: rhbz#2013842 secmod.db file as part of nss
- Resolves: rhbz#2023537
* Wed Oct 20 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.1.0.12-2 * Tue Nov 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-1
- Drop JDK-8272332 patch now included upstream.
- Resolves: rhbz#2013846
* Tue Nov 16 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.1.0.12-1
- October CPU update to jdk 17.0.1+12 - October CPU update to jdk 17.0.1+12
- Dropped commented-out source line - Dropped commented-out source line
- Resolves: rhbz#2013842 - Resolves: rhbz#2013846
* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-6 * Tue Nov 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-8
- Extend LTS check to exclude EPEL.
- Related: rhbz#2013846
* Tue Nov 09 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.35-8
- Set LTS designator.
- Related: rhbz#2013846
* Mon Nov 08 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.35-7
- alternatives creation moved to posttrans
- Thus fixing the old reinstall issue:
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
- Resolves: rhbz#2008206
* Fri Nov 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-6
- Patch syslookup.c so it actually has some code to be compiled into libsyslookup
- Related: rhbz#2013846
* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-5
- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
- Resolves: rhbz#1994661 - Resolves: rhbz#1994682
* Sun Oct 10 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.35-6 * Sun Oct 10 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.35-5
- Add patch to allow plain key import. - Add patch to allow plain key import.
- Resolves: rhbz#1994661 - Resolves: rhbz#1994682
* Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-5 * Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-4
- Update release notes to document the major changes between OpenJDK 11 & 17. - Update release notes to document the major changes between OpenJDK 11 & 17.
- Resolves: rhbz#2003072 - Resolves: rhbz#2000925
* Thu Sep 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-3 * Thu Sep 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-3
- Update to jdk-17+35, also known as jdk-17-ga. - Update to jdk-17+35, also known as jdk-17-ga.
- Switch to GA mode. - Switch to GA mode.
- Add JDK-8272332 fix so we actually link against HarfBuzz. - Add JDK-8272332 fix so we actually link against HarfBuzz.
- Resolves: rhbz#2003072 - Resolves: rhbz#2000925
- Resolves: rhbz#2004078
* Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.5.ea * Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.5.ea
- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.
- Resolves: rhbz#1996182 - Resolves: rhbz#1997359
* Sat Aug 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.4.ea * Sat Aug 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.4.ea
- Fix unused function compiler warning found in systemconf.c - Fix unused function compiler warning found in systemconf.c
- Related: rhbz#1995150 - Related: rhbz#1995889
* Sat Aug 28 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.4.ea * Sat Aug 28 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.4.ea
- Add patch to login to the NSS software token when in FIPS mode. - Add patch to login to the NSS software token when in FIPS mode.
- Resolves: rhbz#1996182 - Resolves: rhbz#1997359
* Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.3.ea * Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.3.ea
- Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
- Resolves: rhbz#1995150 - Resolves: rhbz#1995889
* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.2.ea * Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.2.ea
- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
- Related: rhbz#1995150 - Related: rhbz#1995889
* Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.2.ea * Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.2.ea
- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
- Related: rhbz#1995150 - Related: rhbz#1995889
* Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.1.ea * Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.1.ea
- Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
@ -2978,51 +2990,56 @@ require "copy_jdk_configs.lua"
- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
- Related: rhbz#1995150 - Related: rhbz#1995889
* Thu Aug 26 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.1.ea * Thu Aug 26 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.1.ea
- Support the FIPS mode crypto policy (RH1655466) - Support the FIPS mode crypto policy (RH1655466)
- Use appropriate keystore types when in FIPS mode (RH1818909) - Use appropriate keystore types when in FIPS mode (RH1818909)
- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
- Related: rhbz#1995150 - Related: rhbz#1995889
* Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.0.ea * Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.0.ea
- Update to jdk-17+33, including JDWP fix and July 2021 CPU - Update to jdk-17+33, including JDWP fix and July 2021 CPU
- Resolves: rhbz#1959487 - Resolves: rhbz#1870625
* Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.5.ea * Thu Aug 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.5.ea
- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
- Remove restriction on disabling product build, as debug packages no longer have javadoc packages. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
- Resolves: rhbz#1959487 - Resolves: rhbz#1870625
* Wed Aug 25 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.4.ea * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:17.0.0.0.26-0.4.ea.1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 14 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.4.ea
- Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again
- Resolves: rhbz#1959487 - Resolves: rhbz#1870625
* Wed Aug 25 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.3.ea * Tue Jul 13 2021 Jiri Vanek <pmikova@redhat.com> - 1:17.0.0.0.26-0.3.ea
- Re-enable TestSecurityProperties after inclusion of PR3695
- Resolves: rhbz#1959487
* Wed Aug 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.3.ea
- Add PR3695 to allow the system crypto policy to be turned off
- Resolves: rhbz#1959487
* Wed Jul 14 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.2.ea
- Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot.
- Resolves: rhbz#1959487
* Wed Jul 14 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.2.ea
- Update buildjdkver to 17 so as to build with itself
- Resolves: rhbz#1959487
* Tue Jul 13 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.26-0.1.ea
- Add gating support - Add gating support
- Resolves: rhbz#1959487 - Resolves: rhbz#1870625
* Fri Jun 25 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.2.ea
- Re-enable TestSecurityProperties after inclusion of PR3695
- Resolves: rhbz#1870625
* Fri Jun 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.2.ea
- Add PR3695 to allow the system crypto policy to be turned off
- Resolves: rhbz#1870625
* Fri Jun 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.1.ea
- Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot.
- Resolves: rhbz#1870625
* Thu Jun 24 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.1.ea
- Update buildjdkver to 17 so as to build with itself
- Resolves: rhbz#1870625
* Mon Jun 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.0.ea * Mon Jun 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.0.ea
- Rename as java-17-openjdk and bootstrap using boot JDK in local sources - Rename to java-17-openjdk and bootstrap using boot JDK in local sources
- Exclude x86 as this is not supported by OpenJDK 17 - Exclude x86 as this is not supported by OpenJDK 17
- Resolves: rhbz#1959487 - Use unzip to test src.zip to avoid looking for jar on path
- Resolves: rhbz#1870625
* Fri Jun 11 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.0.ea.rolling * Fri Jun 11 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.0.ea.rolling
- update sources to jdk 17.0.0+26 - update sources to jdk 17.0.0+26
@ -3036,6 +3053,9 @@ require "copy_jdk_configs.lua"
- add lib/libsvml.so for intel - add lib/libsvml.so for intel
- skip debuginfo check for libsyslookup.so on s390x - skip debuginfo check for libsyslookup.so on s390x
* Fri May 07 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.1.0.9-2.rolling
- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction
* Thu Apr 29 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.1.0.9-2.rolling * Thu Apr 29 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.1.0.9-2.rolling
- adapted to debug handling in newer cjc - adapted to debug handling in newer cjc
- The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution - The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution