.gitignore

@@ -1,2 +1,2 @@
-SOURCES/openjdk-jdk17u-jdk-17.0.6+10.tar.xz
+SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

.java-17-openjdk.metadata

@@ -1,2 +1,2 @@
-fc29dd4013a289be075afdcb29c8df29d1349c0d SOURCES/openjdk-jdk17u-jdk-17.0.6+10.tar.xz
+95213324016613e314e5c97dc87f31a0576df00c SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

SOURCES/NEWS

@@ -9,21 +9,6 @@ Live versions of these release notes can be found at:
   * https://bitly.com/openjdk1706
   * https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html
 
-* CVEs
-  - CVE-2023-21835
-  - CVE-2023-21843
-* Security fixes
-  - JDK-8286070: Improve UTF8 representation
-  - JDK-8286496: Improve Thread labels
-  - JDK-8287411: Enhance DTLS performance
-  - JDK-8288516: Enhance font creation
-  - JDK-8289350: Better media supports
-  - JDK-8293554: Enhanced DH Key Exchanges
-  - JDK-8293598: Enhance InetAddress address handling
-  - JDK-8293717: Objective view of ObjectView
-  - JDK-8293734: Improve BMP image handling
-  - JDK-8293742: Better Banking of Sounds
-  - JDK-8295687: Better BMP bounds
 * Other changes
   - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows
   - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails
@@ -267,12 +252,10 @@ Live versions of these release notes can be found at:
   - JDK-8295554: Move the "sizecalc.h" to the correct location
   - JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev
   - JDK-8295714: GHA ::set-output is deprecated and will be removed
-  - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error
   - JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor
   - JDK-8295952: Problemlist existing compiler/rtm tests also on x86
   - JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM
   - JDK-8296108: (tz) Update Timezone Data to 2022f
-  - JDK-8296239: ISO 4217 Amendment 174 Update
   - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing
   - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException
   - JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation
@@ -295,33 +278,10 @@ Live versions of these release notes can be found at:
   - JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run
   - JDK-8297656: AArch64: Enable AES/GCM Intrinsics
   - JDK-8297804: (tz) Update Timezone Data to 2022g
-  - JDK-8299392: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.6
-  - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
-  - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java
 
 Notes on individual issues:
 ===========================
 
-client-libs/javax.imageio:
-
-JDK-8295687: Better BMP bounds
-==============================
-Loading a linked ICC profile within a BMP image is now disabled by
-default. To re-enable it, set the new system property
-`sun.imageio.bmp.enabledLinkedProfiles` to `true`.  This new property
-replaces the old property,
-`sun.imageio.plugins.bmp.disableLinkedProfiles`.
-
-client-libs/javax.sound:
-
-JDK-8293742: Better Banking of Sounds
-=====================================
-Previously, the SoundbankReader implementation,
-`com.sun.media.sound.JARSoundbankReader`, would download a JAR
-soundbank from a URL.  This behaviour is now disabled by default. To
-re-enable it, set the new system property `jdk.sound.jarsoundbank` to
-`true`.
-
 security-libs/java.security:
 
 JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set
@@ -342,14 +302,6 @@ the same change is made in third party modules.  Developers of third
 party modules are advised to verify that their logout() method does not
 throw a NullPointerException.
 
-security-libs/javax.net.ssl:
-
-JDK-8287411: Enhance DTLS performance
-=====================================
-The JDK now exchanges DTLS cookies for all handshakes, new and
-resumed. The previous behaviour can be re-enabled by setting the new
-system property `jdk.tls.enableDtlsResumeCookie` to `false`.
-
 New in release OpenJDK 17.0.5 (2022-10-18):
 ===========================================
 Live versions of these release notes can be found at:

SOURCES/fips-17u-72d08e3226f.patch

@@ -2644,7 +2644,7 @@ index 00000000000..55bbba98b7a
 +attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
 +
 diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
-index b22f26947af..02bea84e210 100644
+index b22f26947af..3ee2ce6ea88 100644
 --- a/src/java.base/share/lib/security/default.policy
 +++ b/src/java.base/share/lib/security/default.policy
 @@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" {
@@ -2663,15 +2663,6 @@ index b22f26947af..02bea84e210 100644
      permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
      permission java.lang.RuntimePermission
                     "accessClassInPackage.sun.security.*";
-@@ -140,6 +142,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
-     permission java.util.PropertyPermission "os.name", "read";
-     permission java.util.PropertyPermission "os.arch", "read";
-     permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read";
-+    permission java.util.PropertyPermission "fips.nssdb.path", "read,write";
-+    permission java.util.PropertyPermission "fips.nssdb.pin", "read";
-     permission java.security.SecurityPermission "putProviderProperty.*";
-     permission java.security.SecurityPermission "clearProviderProperties.*";
-     permission java.security.SecurityPermission "removeProviderProperty.*";
 diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c
 new file mode 100644
 index 00000000000..ddf9befe5bc
@@ -4129,7 +4120,7 @@ index 262cfc062ad..72b64f72c0a 100644
          Provider p = sun;
          if (p == null) {
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index aa35e8fa668..1855e5631bd 100644
+index aa35e8fa668..f4d7c9cc201 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 @@ -26,6 +26,9 @@
@@ -4195,7 +4186,7 @@ index aa35e8fa668..1855e5631bd 100644
      private static final long serialVersionUID = -1354835039035306505L;
  
      static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -115,6 +153,29 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -115,6 +153,18 @@ public final class SunPKCS11 extends AuthProvider {
              return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
                  @Override
                  public SunPKCS11 run() throws Exception {
@@ -4206,26 +4197,15 @@ index aa35e8fa668..1855e5631bd 100644
 +                         * fips.nssdb.path System property after expansion.
 +                         * Security properties expansion is unsupported.
 +                         */
-+                        String nssdbPath =
++                        System.setProperty(
++                                FIPS_NSSDB_PATH_PROP,
 +                                SecurityProperties.privilegedGetOverridable(
-+                                        FIPS_NSSDB_PATH_PROP);
++                                        FIPS_NSSDB_PATH_PROP));
-+                        if (System.getSecurityManager() != null) {
-+                            AccessController.doPrivileged(
-+                                    (PrivilegedAction<Void>) () -> {
-+                                        System.setProperty(
-+                                                FIPS_NSSDB_PATH_PROP,
-+                                                nssdbPath);
-+                                        return null;
-+                                    });
-+                        } else {
-+                            System.setProperty(
-+                                    FIPS_NSSDB_PATH_PROP, nssdbPath);
-+                        }
 +                    }
                      return new SunPKCS11(new Config(newConfigName));
                  }
              });
-@@ -320,10 +381,19 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -320,10 +370,19 @@ public final class SunPKCS11 extends AuthProvider {
              // request multithreaded access first
              initArgs.flags = CKF_OS_LOCKING_OK;
              PKCS11 tmpPKCS11;
@@ -4246,7 +4226,7 @@ index aa35e8fa668..1855e5631bd 100644
              } catch (PKCS11Exception e) {
                  if (debug != null) {
                      debug.println("Multi-threaded initialization failed: " + e);
-@@ -339,11 +409,12 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -339,11 +398,12 @@ public final class SunPKCS11 extends AuthProvider {
                      initArgs.flags = 0;
                  }
                  tmpPKCS11 = PKCS11.getInstance(library,
@@ -4261,7 +4241,7 @@ index aa35e8fa668..1855e5631bd 100644
              if (p11Info.cryptokiVersion.major < 2) {
                  throw new ProviderException("Only PKCS#11 v2.0 and later "
                  + "supported, library version is v" + p11Info.cryptokiVersion);
-@@ -417,14 +488,19 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -417,14 +477,19 @@ public final class SunPKCS11 extends AuthProvider {
          final String className;
          final List<String> aliases;
          final int[] mechanisms;
@@ -4282,7 +4262,7 @@ index aa35e8fa668..1855e5631bd 100644
          }
          private P11Service service(Token token, int mechanism) {
              return new P11Service
-@@ -458,18 +534,29 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -458,18 +523,29 @@ public final class SunPKCS11 extends AuthProvider {
  
      private static void d(String type, String algorithm, String className,
              int[] m) {
@@ -4315,7 +4295,7 @@ index aa35e8fa668..1855e5631bd 100644
      }
  
      private static void register(Descriptor d) {
-@@ -525,6 +612,7 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -525,6 +601,7 @@ public final class SunPKCS11 extends AuthProvider {
          String P11Cipher           = "sun.security.pkcs11.P11Cipher";
          String P11RSACipher        = "sun.security.pkcs11.P11RSACipher";
          String P11AEADCipher       = "sun.security.pkcs11.P11AEADCipher";
@@ -4323,7 +4303,7 @@ index aa35e8fa668..1855e5631bd 100644
          String P11Signature        = "sun.security.pkcs11.P11Signature";
          String P11PSSSignature     = "sun.security.pkcs11.P11PSSSignature";
  
-@@ -587,6 +675,30 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -587,6 +664,30 @@ public final class SunPKCS11 extends AuthProvider {
          d(MAC, "SslMacSHA1",    P11Mac,
                  m(CKM_SSL3_SHA1_MAC));
  
@@ -4354,7 +4334,7 @@ index aa35e8fa668..1855e5631bd 100644
          d(KPG, "RSA",           P11KeyPairGenerator,
                  getAliases("PKCS1"),
                  m(CKM_RSA_PKCS_KEY_PAIR_GEN));
-@@ -685,6 +797,66 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -685,6 +786,66 @@ public final class SunPKCS11 extends AuthProvider {
          d(SKF, "ChaCha20",      P11SecretKeyFactory,
                  m(CKM_CHACHA20_POLY1305));
  
@@ -4421,7 +4401,7 @@ index aa35e8fa668..1855e5631bd 100644
          // XXX attributes for Ciphers (supported modes, padding)
          dA(CIP, "ARCFOUR",                      P11Cipher,
                  m(CKM_RC4));
-@@ -754,6 +926,46 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -754,6 +915,46 @@ public final class SunPKCS11 extends AuthProvider {
          d(CIP, "RSA/ECB/NoPadding",             P11RSACipher,
                  m(CKM_RSA_X_509));
  
@@ -4468,7 +4448,7 @@ index aa35e8fa668..1855e5631bd 100644
          d(SIG, "RawDSA",        P11Signature,
                  List.of("NONEwithDSA"),
                  m(CKM_DSA));
-@@ -1144,9 +1356,21 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -1144,9 +1345,21 @@ public final class SunPKCS11 extends AuthProvider {
              if (ds == null) {
                  continue;
              }
@@ -4490,13 +4470,7 @@ index aa35e8fa668..1855e5631bd 100644
                      supportedAlgs.put(d, integerMech);
                      continue;
                  }
-@@ -1220,11 +1444,52 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -1225,6 +1438,27 @@ public final class SunPKCS11 extends AuthProvider {
-         }
- 
-         @Override
-+        @SuppressWarnings("removal")
-         public Object newInstance(Object param)
-                 throws NoSuchAlgorithmException {
              if (token.isValid() == false) {
                  throw new NoSuchAlgorithmException("Token has been removed");
              }
@@ -4514,26 +4488,7 @@ index aa35e8fa668..1855e5631bd 100644
 +                 * property.
 +                 */
 +                try {
-+                    if (System.getSecurityManager() != null) {
++                    token.ensureLoggedIn(null);
-+                        try {
-+                            AccessController.doPrivileged(
-+                                    (PrivilegedExceptionAction<Void>) () -> {
-+                                        token.ensureLoggedIn(null);
-+                                        return null;
-+                                    });
-+                        } catch (PrivilegedActionException pae) {
-+                            Exception e = pae.getException();
-+                            if (e instanceof LoginException le) {
-+                                throw le;
-+                            } else if (e instanceof PKCS11Exception p11e) {
-+                                throw p11e;
-+                            } else {
-+                                throw new RuntimeException(e);
-+                            }
-+                        }
-+                    } else {
-+                        token.ensureLoggedIn(null);
-+                    }
 +                } catch (PKCS11Exception | LoginException e) {
 +                    throw new ProviderException("FIPS: error during the Token" +
 +                            " login required for the " + getType() +
@@ -4543,7 +4498,7 @@ index aa35e8fa668..1855e5631bd 100644
              try {
                  return newInstance0(param);
              } catch (PKCS11Exception e) {
-@@ -1244,6 +1509,8 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -1244,6 +1478,8 @@ public final class SunPKCS11 extends AuthProvider {
                  } else if (algorithm.endsWith("GCM/NoPadding") ||
                             algorithm.startsWith("ChaCha20-Poly1305")) {
                      return new P11AEADCipher(token, algorithm, mechanism);
@@ -4552,7 +4507,7 @@ index aa35e8fa668..1855e5631bd 100644
                  } else {
                      return new P11Cipher(token, algorithm, mechanism);
                  }
-@@ -1579,6 +1846,9 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -1579,6 +1815,9 @@ public final class SunPKCS11 extends AuthProvider {
          try {
              session = token.getOpSession();
              p11.C_Logout(session.id());

SPECS/java-17-openjdk.spec

@@ -361,14 +361,14 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver 257d544b594
+%global fipsver 72d08e3226f
 
 # Standard JPackage naming and versioning defines
 %global origin          openjdk
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        10
+%global buildver        9
 %global rpmrelease      3
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@@ -395,7 +395,7 @@
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
 # - N%%{?extraver}{?dist} for GA releases
-%global is_ga           1
+%global is_ga           0
 %if %{is_ga}
 %global build_type GA
 %global ea_designator ""
@@ -1365,7 +1365,6 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
 # Add nss.fips.cfg support to OpenJDK tree
 # RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
 # Remove forgotten dead code from RH2020290 and RH2104724
-# OJ1357: Fix issue on FIPS with a SecurityManager in place
 Patch1001: fips-17u-%{fipsver}.patch
 
 #############################################
@@ -2162,14 +2161,10 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
 if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
 %endif
 
-%if ! 0%{?flatpak}
+# Check translations are available for new timezones
-# Check translations are available for new timezones (during flatpak builds, the
-# tzdb.dat used by this test is not where the test expects it, so this is
-# disabled for flatpak builds)
 $JAVA_HOME/bin/javac -d . %{SOURCE18}
 $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
 $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
-%endif
 
 %if %{include_staticlibs}
 # Check debug symbols in static libraries (smoke test)
@@ -2626,21 +2621,6 @@ require "copy_jdk_configs.lua"
 %endif
 
 %changelog
-* Fri Jan 20 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-3
-- Update to jdk-17.0.6.0+10
-- Update release notes to 17.0.6.0+10
-- Switch to GA mode for release
-- Resolves: rhbz#2160111
-
-* Fri Jan 13 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.9-0.4.ea
-- Update FIPS support to bring in latest changes
-- * OJ1357: Fix issue on FIPS with a SecurityManager in place
-- Related: rhbz#2117972
-
-* Fri Jan 13 2023 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.6.0.9-0.4.ea
-- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat
-- Related: rhbz#2150195
-
 * Wed Jan 04 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.9-0.3.ea
 - Update to jdk-17.0.6+9
 - Update release notes to 17.0.6+9