diff --git a/.gitignore b/.gitignore index 1bb5ca3..32a0cd5 100644 --- a/.gitignore +++ b/.gitignore @@ -24,3 +24,4 @@ /openjdk-21.0.5+1-ea.tar.xz /openjdk-21.0.5+5-ea.tar.xz /openjdk-21.0.5+9-ea.tar.xz +/openjdk-21.0.5+10.tar.xz diff --git a/NEWS b/NEWS index 876a37c..a98df8b 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,20 @@ New in release OpenJDK 21.0.5 (2024-10-15): Live versions of these release notes can be found at: * https://bit.ly/openjdk2105 +* CVEs + - CVE-2024-21208 + - CVE-2024-21210 + - CVE-2024-21217 + - CVE-2024-21235 +* Security fixes + - JDK-8307383: Enhance DTLS connections + - JDK-8311208: Improve CDS Support + - JDK-8328286: Enhance HTTP client + - JDK-8328544: Improve handling of vectorization + - JDK-8328726: Better Kerberos support + - JDK-8331446: Improve deserialization support + - JDK-8332644: Improve graph optimizations + - JDK-8335713: Enhance vectorization analysis * Other changes - JDK-6355567: AdobeMarkerSegment causes failure to read valid JPEG - JDK-6967482: TAB-key does not work in JTables after selecting details-view in JFileChooser @@ -361,6 +375,7 @@ Live versions of these release notes can be found at: - JDK-8339869: [21u] Test CreationTime.java fails with UnsatisfiedLinkError after 8334339 - JDK-8341057: Add 2 SSL.com TLS roots - JDK-8341059: Change Entrust TLS distrust date to November 12, 2024 + - JDK-8341674: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.5 Notes on individual issues: =========================== @@ -528,6 +543,24 @@ Name: SSL.com Alias Name: ssltlsrootrsa2022 Distinguished Name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US +core-libs/java.net: + +JDK-8328286: Enhance HTTP client +================================ +This OpenJDK release limits the maximum header field size accepted by +the HTTP client within the JDK for all supported versions of the HTTP +protocol. The header field size is computed as the sum of the size of +the uncompressed header name, the size of the uncompressed header +value and a overhead of 32 bytes for each field section line. If a +peer sends a field section that exceeds this limit, a +`java.net.ProtocolException` will be raised. + +This release also introduces a new system property, +`jdk.http.maxHeaderSize`. This property can be used to alter the +maximum header field size (in bytes) or disable it by setting the +value to zero or a negative value. The default value is 393,216 bytes +or 384kB. + core-svc/java.lang.management: JDK-8338139: {ClassLoading,Memory}MXBean::isVerbose methods are inconsistent with their setVerbose methods diff --git a/java-21-openjdk.spec b/java-21-openjdk.spec index f0563b9..7d89af0 100644 --- a/java-21-openjdk.spec +++ b/java-21-openjdk.spec @@ -365,8 +365,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 9 -%global rpmrelease 1 +%global buildver 10 +%global rpmrelease 2 # Settings used by the portable build %global portablerelease 1 # Portable suffix differs between RHEL and CentOS @@ -394,7 +394,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 0 +%global is_ga 1 %if %{is_ga} %global build_type GA %global ea_designator "" @@ -1420,6 +1420,8 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch # OpenJDK patches in need of upstreaming # ############################################# +# Revert backport of JDK-8327501 & JDK-8328366 +Patch2001: jdk8327501-8328366-revert.patch # Currently empty @@ -1895,6 +1897,8 @@ sh %{SOURCE12} %{top_level_dir_name} pushd %{top_level_dir_name} # Add crypto policy and FIPS support %patch -P1001 -p1 +# Backport reversion +%patch -P2001 -p1 popd # openjdk @@ -2532,6 +2536,14 @@ cjc.mainProgram(args) %endif %changelog +* Sat Oct 12 2024 Andrew Hughes - 1:21.0.5.0.10-1 +- Update to jdk-21.0.5+10 (GA) +- Update release notes to 21.0.5+10 +- Switch to GA mode. +- Revert JDK-8327501 & JDK-8328366 backport until more mature. +- ** This tarball is embargoed until 2024-10-15 @ 1pm PT. ** +- Resolves: RHEL-61276 + * Fri Oct 11 2024 Andrew Hughes - 1:21.0.5.0.9-0.1.ea - Update to jdk-21.0.5+9 (EA) - Update release notes to 21.0.5+9 diff --git a/jdk8327501-8328366-revert.patch b/jdk8327501-8328366-revert.patch new file mode 100644 index 0000000..ea5eb16 --- /dev/null +++ b/jdk8327501-8328366-revert.patch @@ -0,0 +1,49 @@ +commit f21b0a990905afe79b56919a5119e2c06e29d61a +Author: Andrew John Hughes +Date: Sat Oct 12 02:31:38 2024 +0100 + + Revert "8327501: Common ForkJoinPool prevents class unloading in some cases" + + This reverts commit eb103b0e1abeeee19779cafc763d3d159030fb48. + +diff --git a/src/java.base/share/classes/java/util/concurrent/ForkJoinPool.java b/src/java.base/share/classes/java/util/concurrent/ForkJoinPool.java +index 8aafda5312e..5e698b1540f 100644 +--- a/src/java.base/share/classes/java/util/concurrent/ForkJoinPool.java ++++ b/src/java.base/share/classes/java/util/concurrent/ForkJoinPool.java +@@ -981,7 +981,9 @@ public class ForkJoinPool extends AbstractExecutorService { + boolean isCommon = (pool.workerNamePrefix == null); + @SuppressWarnings("removal") + SecurityManager sm = System.getSecurityManager(); +- if (sm != null && isCommon) ++ if (sm == null) ++ return new ForkJoinWorkerThread(null, pool, true, false); ++ else if (isCommon) + return newCommonWithACC(pool); + else + return newRegularWithACC(pool); +diff --git a/test/jdk/java/util/concurrent/tck/ForkJoinPool9Test.java b/test/jdk/java/util/concurrent/tck/ForkJoinPool9Test.java +index a87aa7b916b..266c2a036fe 100644 +--- a/test/jdk/java/util/concurrent/tck/ForkJoinPool9Test.java ++++ b/test/jdk/java/util/concurrent/tck/ForkJoinPool9Test.java +@@ -79,9 +79,6 @@ public class ForkJoinPool9Test extends JSR166TestCase { + assertSame(ForkJoinPool.commonPool(), ForkJoinTask.getPool()); + Thread currentThread = Thread.currentThread(); + +- ClassLoader preexistingContextClassLoader = +- currentThread.getContextClassLoader(); +- + Stream.of(systemClassLoader, null).forEach(cl -> { + if (randomBoolean()) + // should always be permitted, without effect +@@ -98,11 +95,6 @@ public class ForkJoinPool9Test extends JSR166TestCase { + () -> System.getProperty("foo"), + () -> currentThread.setContextClassLoader( + classLoaderDistinctFromSystemClassLoader)); +- else { +- currentThread.setContextClassLoader(classLoaderDistinctFromSystemClassLoader); +- assertSame(currentThread.getContextClassLoader(), classLoaderDistinctFromSystemClassLoader); +- currentThread.setContextClassLoader(preexistingContextClassLoader); +- } + // TODO ? + // if (haveSecurityManager + // && Thread.currentThread().getClass().getSimpleName() diff --git a/sources b/sources index 50a48cf..ee521ec 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-21.0.5+9-ea.tar.xz) = 7a4a38fceec86c418ae51c3ebbe37251da75ce857300f8915107d82e649a75e9e28354f6ac20e325284ce940f0d702e3f72d14363ad99030d968236c283d425e +SHA512 (openjdk-21.0.5+10.tar.xz) = 1fe2c4d9137c36171a729343051738177c1e65ad1b50de330115f8ccfa2008611dcb40ca1e158176a9ed77ecea33308ad6034985e0700fd0e96a151cd416f67b