import UBI java-21-openjdk-21.0.7.0.6-1.el8

eabdullin 2025-04-18 08:53:02 +00:00
parent 4f480283d1
commit 653c8e9151
6 changed files with 392 additions and 23 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/openjdk-21.0.6+7.tar.xz
SOURCES/openjdk-21.0.7+6.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

View File

@ -1,2 +1,2 @@
fad71f19631dab375285056d10d08374e869bb35 SOURCES/openjdk-21.0.6+7.tar.xz
f182856ccb90b07e5376a60faed0ba375798dffb SOURCES/openjdk-21.0.7+6.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
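Review bot: the replacement entry for SOURCES/openjdk-21.0.7+6.tar.xz records a 40-hex-character digest, which is SHA-1 length, and it is the only digest for the new tarball visible in this commit. Before relying on it, compare the tarball against a SHA-256 value or signature obtained from upstream and mention that check in the commit message, so the import does not rest on SHA-1 alone.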

View File

@ -3,6 +3,358 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 21.0.7 (2025-04-15):
===========================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk2107
* CVEs
- CVE-2025-21587
- CVE-2025-30691
- CVE-2025-30698
* Changes
- JDK-8198237: [macos] Test java/awt/Frame/ExceptionOnSetExtendedStateTest/ExceptionOnSetExtendedStateTest.java fails
- JDK-8211851: (ch) java/nio/channels/AsynchronousSocketChannel/StressLoopback.java times out (aix)
- JDK-8226933: [TEST_BUG]GTK L&F: There is no swatches or RGB tab in JColorChooser
- JDK-8226938: [TEST_BUG]GTK L&F: There is no Details button in FileChooser Dialog
- JDK-8227529: With malformed --app-image the error messages are awful
- JDK-8277240: java/awt/Graphics2D/ScaledTransform/ScaledTransform.java dialog does not get disposed
- JDK-8283664: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintTextTest.java
- JDK-8286875: ProgrammableUpcallHandler::on_entry/on_exit access thread fields from native
- JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic
- JDK-8294316: SA core file support is broken on macosx-x64 starting with macOS 12.x
- JDK-8295159: DSO created with -ffast-math breaks Java floating-point arithmetic
- JDK-8302111: Serialization considerations
- JDK-8304701: Request with timeout aborts later in-flight request on HTTP/1.1 cxn
- JDK-8309841: Jarsigner should print a warning if an entry is removed
- JDK-8311546: Certificate name constraints improperly validated with leading period
- JDK-8312570: [TESTBUG] Jtreg compiler/loopopts/superword/TestDependencyOffsets.java fails on 512-bit SVE
- JDK-8313633: [macOS] java/awt/dnd/NextDropActionTest/NextDropActionTest.java fails with java.lang.RuntimeException: wrong next drop action!
- JDK-8313905: Checked_cast assert in CDS compare_by_loader
- JDK-8314752: Use google test string comparison macros
- JDK-8314909: tools/jpackage/windows/Win8282351Test.java fails with java.lang.AssertionError: Expected [0]. Actual [1618]:
- JDK-8315486: vmTestbase/nsk/jdwp/ThreadReference/ForceEarlyReturn/forceEarlyReturn002/forceEarlyReturn002.java timed out
- JDK-8315825: Open some swing tests
- JDK-8315882: Open some swing tests 2
- JDK-8315883: Open source several Swing JToolbar tests
- JDK-8315952: Open source several Swing JToolbar JTooltip JTree tests
- JDK-8316056: Open source several Swing JTree tests
- JDK-8316146: Open some swing tests 4
- JDK-8316149: Open source several Swing JTree JViewport KeyboardManager tests
- JDK-8316218: Open some swing tests 5
- JDK-8316371: Open some swing tests 6
- JDK-8316627: JViewport Test headless failure
- JDK-8316885: jcmd: Compiler.CodeHeap_Analytics cmd does not inform about missing aggregate
- JDK-8317283: jpackage tests run osx-specific checks on windows and linux
- JDK-8317636: Improve heap walking API tests to verify correctness of field indexes
- JDK-8317808: HTTP/2 stream cancelImpl may leave subscriber registered
- JDK-8317919: pthread_attr_init handle return value and destroy pthread_attr_t object
- JDK-8319233: AArch64: Build failure with clang due to -Wformat-nonliteral warning
- JDK-8320372: test/jdk/sun/security/x509/DNSName/LeadingPeriod.java validity check failed
- JDK-8320676: Manual printer tests have no Pass/Fail buttons, instructions close set 1
- JDK-8320691: Timeout handler on Windows takes 2 hours to complete
- JDK-8320706: RuntimePackageTest.testUsrInstallDir test fails on Linux
- JDK-8320916: jdk/jfr/event/gc/stacktrace/TestParallelMarkSweepAllocationPendingStackTrace.java failed with "OutOfMemoryError: GC overhead limit exceeded"
- JDK-8321818: vmTestbase/nsk/stress/strace/strace015.java failed with 'Cannot read the array length because "<local4>" is null'
- JDK-8322983: Virtual Threads: exclude 2 tests
- JDK-8324672: Update jdk/java/time/tck/java/time/TCKInstant.java now() to be more robust
- JDK-8324807: Manual printer tests have no Pass/Fail buttons, instructions close set 2
- JDK-8324838: test_nmt_locationprinting.cpp broken in the gcc windows build
- JDK-8325042: Remove unused JVMDITools test files
- JDK-8325529: Remove unused imports from `ModuleGenerator` test file
- JDK-8325659: Normalize Random usage by incubator vector tests
- JDK-8325937: runtime/handshake/HandshakeDirectTest.java causes "monitor end should be strictly below the frame pointer" assertion failure on AArch64
- JDK-8326421: Add jtreg test for large arrayCopy disjoint case.
- JDK-8326525: com/sun/tools/attach/BasicTests.java does not verify AgentLoadException case
- JDK-8327098: GTest needs larger combination limit
- JDK-8327390: JitTester: Implement temporary folder functionality
- JDK-8327460: Compile tests with the same visibility rules as product code
- JDK-8327476: Upgrade JLine to 3.26.1
- JDK-8327505: Test com/sun/jmx/remote/NotificationMarshalVersions/TestSerializationMismatch.java fails
- JDK-8327857: Remove applet usage from JColorChooser tests Test4222508
- JDK-8327859: Remove applet usage from JColorChooser tests Test4319113
- JDK-8327986: ASAN reports use-after-free in DirectivesParserTest.empty_object_vm
- JDK-8327994: Update code gen in CallGeneratorHelper
- JDK-8328005: Convert java/awt/im/JTextFieldTest.java applet test to main
- JDK-8328085: C2: Use after free in PhaseChaitin::Register_Allocate()
- JDK-8328121: Remove applet usage from JColorChooser tests Test4759306
- JDK-8328130: Remove applet usage from JColorChooser tests Test4759934
- JDK-8328185: Convert java/awt/image/MemoryLeakTest/MemoryLeakTest.java applet test to main
- JDK-8328227: Remove applet usage from JColorChooser tests Test4887836
- JDK-8328368: Convert java/awt/image/multiresolution/MultiDisplayTest/MultiDisplayTest.java applet test to main
- JDK-8328370: Convert java/awt/print/Dialog/PrintApplet.java applet test to main
- JDK-8328380: Remove applet usage from JColorChooser tests Test6348456
- JDK-8328387: Convert java/awt/Frame/FrameStateTest/FrameStateTest.html applet test to main
- JDK-8328403: Remove applet usage from JColorChooser tests Test6977726
- JDK-8328553: Get rid of JApplet in test/jdk/sanity/client/lib/SwingSet2/src/DemoModule.java
- JDK-8328558: Convert javax/swing/JCheckBox/8032667/bug8032667.java applet test to main
- JDK-8328717: Convert javax/swing/JColorChooser/8065098/bug8065098.java applet test to main
- JDK-8328719: Convert java/awt/print/PageFormat/SetOrient.html applet test to main
- JDK-8328730: Convert java/awt/print/bug8023392/bug8023392.html applet test to main
- JDK-8328753: Open source few Undecorated Frame tests
- JDK-8328819: Remove applet usage from JFileChooser tests bug6698013
- JDK-8328827: Convert java/awt/print/PrinterJob/PrinterDialogsModalityTest/PrinterDialogsModalityTest.html applet test to main
- JDK-8329210: Delete Redundant Printer Dialog Modality Test
- JDK-8329320: Simplify awt/print/PageFormat/NullPaper.java test
- JDK-8329322: Convert PageFormat/Orient.java to use PassFailJFrame
- JDK-8329692: Add more details to FrameStateTest.java test instructions
- JDK-8330647: Two CDS tests fail with -UseCompressedOops and UseSerialGC/UseParallelGC
- JDK-8330702: Update failure handler to don't generate Error message if cores actions are empty
- JDK-8331735: UpcallLinker::on_exit races with GC when copying frame anchor
- JDK-8331959: Update PKCS#11 Cryptographic Token Interface to v3.1
- JDK-8331977: Crash: SIGSEGV in dlerror()
- JDK-8331993: Add counting leading/trailing zero tests for Integer
- JDK-8332158: [XWayland] test/jdk/java/awt/Mouse/EnterExitEvents/ResizingFrameTest.java
- JDK-8332494: java/util/zip/EntryCount64k.java failing with java.lang.RuntimeException: '\\A\\Z' missing from stderr
- JDK-8332917: failure_handler should execute gdb "info threads" command on linux
- JDK-8333116: test/jdk/tools/jpackage/share/ServiceTest.java test fails
- JDK-8333360: PrintNullString.java doesn't use float arguments
- JDK-8333391: Test com/sun/jdi/InterruptHangTest.java failed: Thread was never interrupted during sleep
- JDK-8333403: Write a test to check various components events are triggered properly
- JDK-8333647: C2 SuperWord: some additional PopulateIndex tests
- JDK-8334305: Remove all code for nsk.share.Log verbose mode
- JDK-8334371: [AIX] Beginning with AIX 7.3 TL1 mmap() supports 64K memory pages
- JDK-8334490: Normalize string with locale invariant `toLowerCase()`
- JDK-8334777: Test javax/management/remote/mandatory/notif/NotifReconnectDeadlockTest.java failed with NullPointerException
- JDK-8335288: SunPKCS11 initialization will call C_GetMechanismInfo on unsupported mechanisms
- JDK-8335468: [XWayland] JavaFX hangs when calling java.awt.Robot.getPixelColor
- JDK-8335789: [TESTBUG] XparColor.java test fails with Error. Parse Exception: Invalid or unrecognized bugid: @
- JDK-8336012: Fix usages of jtreg-reserved properties
- JDK-8336498: [macos] [build]: install-file macro may run into permission denied error
- JDK-8336692: Redo fix for JDK-8284620
- JDK-8336942: Improve test coverage for class loading elements with annotations of different retentions
- JDK-8337222: gc/TestDisableExplicitGC.java fails due to unexpected CodeCache GC
- JDK-8337494: Clarify JarInputStream behavior
- JDK-8337660: C2: basic blocks with only BoxLock nodes are wrongly treated as empty
- JDK-8337692: Better TLS connection support
- JDK-8337886: java/awt/Frame/MaximizeUndecoratedTest.java fails in OEL due to a slight color difference
- JDK-8337951: Test sun/security/validator/samedn.sh CertificateNotYetValidException: NotBefore validation
- JDK-8337994: [REDO] Native memory leak when not recording any events
- JDK-8338100: C2: assert(!n_loop->is_member(get_loop(lca))) failed: control must not be back in the loop
- JDK-8338303: Linux ppc64le with toolchain clang - detection failure in early JVM startup
- JDK-8338426: Test java/nio/channels/Selector/WakeupNow.java failed
- JDK-8338430: Improve compiler transformations
- JDK-8338571: [TestBug] DefaultCloseOperation.java test not working as expected wrt instruction after JDK-8325851 fix
- JDK-8338595: Add more linesize for MIME decoder in macro bench test Base64Decode
- JDK-8338668: Test javax/swing/JFileChooser/8080628/bug8080628.java doesn't test for GTK L&F
- JDK-8339154: Cleanups and JUnit conversion of test/jdk/java/util/zip/Available.java
- JDK-8339261: Logs truncated in test javax/net/ssl/DTLS/DTLSRehandshakeTest.java
- JDK-8339356: Test javax/net/ssl/SSLSocket/Tls13PacketSize.java failed with java.net.SocketException: An established connection was aborted by the software in your host machine
- JDK-8339475: Clean up return code handling for pthread calls in library coding
- JDK-8339524: Clean up a few ExtendedRobot tests
- JDK-8339542: compiler/codecache/CheckSegmentedCodeCache.java fails
- JDK-8339687: Rearrange reachabilityFence()s in jdk.test.lib.util.ForceGC
- JDK-8339728: [Accessibility,Windows,JAWS] Bug in the getKeyChar method of the AccessBridge class
- JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract
- JDK-8339834: Replace usages of -mx and -ms in some tests
- JDK-8339883: Open source several AWT/2D related tests
- JDK-8339902: Open source couple TextField related tests
- JDK-8339943: Frame not disposed in java/awt/dnd/DropActionChangeTest.java
- JDK-8340078: Open source several 2D tests
- JDK-8340116: test/jdk/sun/security/tools/jarsigner/PreserveRawManifestEntryAndDigest.java can fail due to regex
- JDK-8340313: Crash due to invalid oop in nmethod after C1 patching
- JDK-8340411: open source several 2D imaging tests
- JDK-8340480: Bad copyright notices in changes from JDK-8339902
- JDK-8340687: Open source closed frame tests #1
- JDK-8340719: Open source AWT List tests
- JDK-8340824: C2: Memory for TypeInterfaces not reclaimed by hashcons()
- JDK-8340969: jdk/jfr/startupargs/TestStartDuration.java should be marked as flagless
- JDK-8341037: Use standard layouts in DefaultFrameIconTest.java and MenuCrash.java
- JDK-8341111: open source several AWT tests including menu shortcut tests
- JDK-8341135: Incorrect format string after JDK-8339475
- JDK-8341194: [REDO] Implement C2 VectorizedHashCode on AArch64
- JDK-8341316: [macos] javax/swing/ProgressMonitor/ProgressMonitorEscapeKeyPress.java fails sometimes in macos
- JDK-8341412: Various test failures after JDK-8334305
- JDK-8341424: GHA: Collect hs_errs from build time failures
- JDK-8341453: java/awt/a11y/AccessibleJTableTest.java fails in some cases where the test tables are not visible
- JDK-8341715: PPC64: ObjectMonitor::_owner should be reset unconditionally in nmethod unlocking
- JDK-8341820: Check return value of hcreate_r
- JDK-8341862: PPC64: C1 unwind_handler fails to unlock synchronized methods with LM_MONITOR
- JDK-8341881: [REDO] java/nio/file/attribute/BasicFileAttributeView/CreationTime.java#tmp fails on alinux3
- JDK-8341978: Improve JButton/bug4490179.java
- JDK-8341982: Simplify JButton/bug4323121.java
- JDK-8342098: Write a test to compare the images
- JDK-8342145: File libCreationTimeHelper.c compile fails on Alpine
- JDK-8342270: Test sun/security/pkcs11/Provider/RequiredMechCheck.java needs write access to src tree
- JDK-8342498: Add test for Allocation elimination after use as alignment reference by SuperWord
- JDK-8342508: Use latch in BasicMenuUI/bug4983388.java instead of delay
- JDK-8342541: Exclude List/KeyEventsTest/KeyEventsTest.java from running on macOS
- JDK-8342562: Enhance Deflater operations
- JDK-8342602: Remove JButton/PressedButtonRightClickTest test
- JDK-8342609: jpackage test helper function incorrectly removes a directory instead of its contents only
- JDK-8342634: javax/imageio/plugins/wbmp/WBMPStreamTruncateTest.java creates temp file in src dir
- JDK-8342635: javax/swing/JFileChooser/FileSystemView/WindowsDefaultIconSizeTest.java creates tmp file in src dir
- JDK-8342704: GHA: Report truncation is broken after JDK-8341424
- JDK-8342811: java/net/httpclient/PlainProxyConnectionTest.java failed: Unexpected connection count: 5
- JDK-8342858: Make target mac-jdk-bundle fails on chmod command
- JDK-8342988: GHA: Build JTReg in single step
- JDK-8343007: Enhance Buffered Image handling
- JDK-8343100: Consolidate EmptyFolderTest and EmptyFolderPackageTest jpackage tests into single java file
- JDK-8343101: Rework BasicTest.testTemp test cases
- JDK-8343102: Remove `--compress` from jlink command lines from jpackage tests
- JDK-8343118: [TESTBUG] java/awt/PrintJob/PrintCheckboxTest/PrintCheckboxManualTest.java fails with rror. Can't find HTML file PrintCheckboxManualTest.html
- JDK-8343128: PassFailJFrame.java test result: Error. Bad action for script: build}
- JDK-8343129: Disable unstable check of ThreadsListHandle.sanity_vm ThreadList values
- JDK-8343144: UpcallLinker::on_entry racingly clears pending exception with GC safepoints
- JDK-8343149: Cleanup os::print_tos_pc on AIX
- JDK-8343178: Test BasicTest.java javac compile fails cannot find symbol
- JDK-8343205: CompileBroker::possibly_add_compiler_threads excessively polls available memory
- JDK-8343314: Move common properties from jpackage jtreg test declarations to TEST.properties file
- JDK-8343343: Misc crash dump improvements on more platforms after JDK-8294160
- JDK-8343378: Exceptions in javax/management DeadLockTest.java do not cause test failure
- JDK-8343396: Use OperatingSystem, Architecture, and OSVersion in jpackage tests
- JDK-8343491: javax/management/remote/mandatory/connection/DeadLockTest.java failing with NoSuchObjectException: no such object in table
- JDK-8343599: Kmem limit and max values swapped when printing container information
- JDK-8343882: BasicAnnoTests doesn't handle multiple annotations at the same position
- JDK-8344275: tools/jpackage/windows/Win8301247Test.java fails on localized Windows platform
- JDK-8344326: Move jpackage tests from "jdk.jpackage.tests" package to the default package
- JDK-8344581: [TESTBUG] java/awt/Robot/ScreenCaptureRobotTest.java failing on macOS
- JDK-8344589: Update IANA Language Subtag Registry to Version 2024-11-19
- JDK-8344646: The libjsig deprecation warning should go to stderr not stdout
- JDK-8345296: AArch64: VM crashes with SIGILL when prctl is disallowed
- JDK-8345368: java/io/File/createTempFile/SpecialTempFile.java fails on Windows Server 2025
- JDK-8345370: Bump update version for OpenJDK: jdk-21.0.7
- JDK-8345375: Improve debuggability of test/jdk/java/net/Socket/CloseAvailable.java
- JDK-8345414: Google CAInterop test failures
- JDK-8345468: test/jdk/javax/swing/JScrollBar/4865918/bug4865918.java fails in ubuntu22.04
- JDK-8345569: [ubsan] adjustments to filemap.cpp and virtualspace.cpp for macOS aarch64
- JDK-8345614: Improve AnnotationFormatError message for duplicate annotation interfaces
- JDK-8345676: [ubsan] ProcessImpl_md.c:561:40: runtime error: applying zero offset to null pointer on macOS aarch64
- JDK-8345684: OperatingSystemMXBean.getSystemCpuLoad() throws NPE
- JDK-8345750: Shenandoah: Test TestJcmdHeapDump.java#aggressive intermittent assert(gc_cause() == GCCause::_no_gc) failed: Over-writing cause
- JDK-8346055: javax/swing/text/StyledEditorKit/4506788/bug4506788.java fails in ubuntu22.04
- JDK-8346108: [21u][BACKOUT] 8337994: [REDO] Native memory leak when not recording any events
- JDK-8346324: javax/swing/JScrollBar/4865918/bug4865918.java fails in CI
- JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
- JDK-8346671: java/nio/file/Files/probeContentType/Basic.java fails on Windows 2025
- JDK-8346713: [testsuite] NeverActAsServerClassMachine breaks TestPLABAdaptToMinTLABSize.java TestPinnedHumongousFragmentation.java TestPinnedObjectContents.java
- JDK-8346828: javax/swing/JScrollBar/4865918/bug4865918.java still fails in CI
- JDK-8346847: [s390x] minimal build failure
- JDK-8346880: [aix] java/lang/ProcessHandle/InfoTest.java still fails: "reported cputime less than expected"
- JDK-8346881: [ubsan] logSelection.cpp:154:24 / logSelectionList.cpp:72:94 : runtime error: applying non-zero offset 1 to null pointer
- JDK-8346887: DrawFocusRect() may cause an assertion failure
- JDK-8346972: Test java/nio/channels/FileChannel/LoopingTruncate.java fails sometimes with IOException: There is not enough space on the disk
- JDK-8347038: [JMH] jdk.incubator.vector.SpiltReplicate fails NoClassDefFoundError
- JDK-8347129: cpuset cgroups controller is required for no good reason
- JDK-8347171: (dc) java/nio/channels/DatagramChannel/InterruptibleOrNot.java fails with virtual thread factory
- JDK-8347256: Epsilon: Demote heap size and AlwaysPreTouch warnings to info level
- JDK-8347267: [macOS]: UnixOperatingSystem.c:67:40: runtime error: division by zero
- JDK-8347268: [ubsan] logOutput.cpp:357:21: runtime error: applying non-zero offset 1 to null pointer
- JDK-8347424: Fix and rewrite sun/security/x509/DNSName/LeadingPeriod.java test
- JDK-8347427: JTabbedPane/8134116/Bug8134116.java has no license header
- JDK-8347576: Error output in libjsound has non matching format strings
- JDK-8347740: java/io/File/createTempFile/SpecialTempFile.java failing
- JDK-8347847: Enhance jar file support
- JDK-8347911: Limit the length of inflated text chunks
- JDK-8347965: (tz) Update Timezone Data to 2025a
- JDK-8348562: ZGC: segmentation fault due to missing node type check in barrier elision analysis
- JDK-8348625: [21u, 17u] Revert JDK-8185862 to restore old java.awt.headless behavior on Windows
- JDK-8348675: TrayIcon tests fail in Ubuntu 24.10 Wayland
- JDK-8349039: Adjust exception No type named <ThreadType> in database
- JDK-8349603: [21u, 17u, 11u] Update GHA JDKs after Jan/25 updates
- JDK-8349729: [21u] AIX jtreg tests fail to compile with qvisibility=hidden
- JDK-8352097: (tz) zone.tab update missed in 2025a backport
- JDK-8353904: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.7
Notes on individual issues:
===========================
security-libs/java.security:
JDK-8309841: Jarsigner should print a warning if an entry is removed
====================================================================
In previous OpenJDK releases, the jarsigner tool did not detect the
case where a file was removed from a signed JAR file but its signature
was still present. With this release, `jarsigner -verify` checks that
every signature has a matching file entry and prints a warning if this
is not the case. The `-verbose` option can also be added to the
command to see the names of the mismatched entries.
security-libs/javax.net.ssl:
JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
=============================================================================
In accordance with similar plans recently announced by Google,
Mozilla, Apple and Microsoft, the JDK will not trust Transport Layer
Security (TLS) certificates issued after the 15th of April 2025 which
are anchored by Camerfirma root certificates.
Certificates issued on or before April 15th, 2025 will continue to
be trusted until they expire.
If a server's certificate chain is anchored by an affected
certificate, attempts to negotiate a TLS session will fail with an
Exception that indicates the trust anchor is not trusted. For example,
"TLS server certificate issued after 2025-04-15 and anchored by a
distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root -
2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see
current address at www.camerfirma.com/address), C=EU"
To check whether a certificate in a JDK keystore is affected by this
change, you can the `keytool` utility:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are affected by this change,
then you will need to update the certificate or contact the
organisation responsible for managing the certificate.
These restrictions apply to the following Camerfirma root certificates
included in the JDK:
Alias name: camerfirmachamberscommerceca [jdk]
CN=Chambers of Commerce Root
OU=http://www.chambersign.org
O=AC Camerfirma SA CIF A82743287
C=EU
SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3
Alias name: camerfirmachambersca [jdk]
CN=Chambers of Commerce Root - 2008
O=AC Camerfirma S.A.
SERIALNUMBER=A82743287
L=Madrid (see current address at www.camerfirma.com/address)
C=EU
SHA256: 06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0
Alias name: camerfirmachambersignca [jdk]
CN=Global Chambersign Root - 2008
O=AC Camerfirma S.A.
SERIALNUMBER=A82743287
L=Madrid (see current address at www.camerfirma.com/address)
C=EU
SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA
Users can, *at their own risk*, remove this restriction by modifying
the `java.security` configuration file (or override it by using the
`java.security.properties` system property) so "CAMERFIRMA_TLS" is no
longer listed in the `jdk.security.caDistrustPolicies` security
property.
security-libs/javax.crypto:pkcs11:
JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic
==========================================================================
In OpenJDK 14, the notion of legacy mechanisms was introduced into the
SunPKCS11 provider. If a mechanism was found to be using a weak
algorithm, it was determined to be legacy and disabled.
However, this approach has proved inflexible. There was no way for the
user to override the legacy determination and enable the mechanism
anyway. Also, a mechanism being used for signing would be declared
legacy and disabled if it had a weak encryption algorithm, even though
encryption was not being used. Similarly, a weak signing algorithm
would prevent the mechanism's use as a cipher for encryption or
decryption.
This OpenJDK release resolves these issues. It introduces the PKCS11
provider configuration attribute "allowLegacy" which can be set to
`true` if the user wishes to override the legacy determination. By
default, it is set to `false`. The legacy determination now also
considers the service type and will only check encryption algorithms
for Ciphers and only signature algorithms for Signatures.
New in release OpenJDK 21.0.6 (2025-01-21):
===========================================
Live versions of these release notes can be found at:

View File

@ -1979,7 +1979,7 @@ index 539ef1e8ee8..435f57e3ff2 100644
"sun.security.rsa.PSSParameters", null);
}
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 5149edba0e5..8227d650a03 100644
index f8b01a4ea1e..b325bf7e9fc 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -85,6 +85,17 @@ security.provider.tbd=Apple
@ -2959,7 +2959,7 @@ index 00000000000..f8d505ca815
+}
\ No newline at end of file
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
index c3b412885a6..0e7ce73b158 100644
index 01fc06ae283..e3ca000d309 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
@@ -37,6 +37,8 @@ import javax.crypto.*;
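Review bot: the file created by the embedded patch (index 00000000000..f8d505ca815) ends with "+}" followed by "\ No newline at end of file". Add the trailing newline in the FIPS patch source so that a later rebase does not produce a spurious one-line change at the end of that file.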
@ -2981,7 +2981,7 @@ index c3b412885a6..0e7ce73b158 100644
private static final String PUBLIC = "public";
private static final String PRIVATE = "private";
private static final String SECRET = "secret";
@@ -401,9 +406,10 @@ abstract class P11Key implements Key, Length {
@@ -414,9 +419,10 @@ abstract class P11Key implements Key, Length {
new CK_ATTRIBUTE(CKA_EXTRACTABLE),
});
@ -2995,7 +2995,7 @@ index c3b412885a6..0e7ce73b158 100644
return switch (algorithm) {
case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm,
@@ -455,7 +461,8 @@ abstract class P11Key implements Key, Length {
@@ -468,7 +474,8 @@ abstract class P11Key implements Key, Length {
public String getFormat() {
token.ensureValid();
@ -3005,13 +3005,13 @@ index c3b412885a6..0e7ce73b158 100644
return null;
} else {
return "RAW";
@@ -1625,4 +1632,3 @@ final class SessionKeyRef extends PhantomReference<P11Key> {
@@ -1638,4 +1645,3 @@ final class SessionKeyRef extends PhantomReference<P11Key> {
this.clear();
}
}
-
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 5cd6828d293..bae49c4e8a9 100644
index 0a62021633f..0723b69c2bc 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
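Review bot: the last embedded hunk for P11Key.java, "@@ -1638,4 +1645,3 @@ final class SessionKeyRef", does nothing except delete a blank line at the end of the file. That whitespace-only change is unrelated to FIPS support and gives the patch one more place to conflict on every rebase; consider dropping it from the patch.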
@ -3022,7 +3022,7 @@ index 5cd6828d293..bae49c4e8a9 100644
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
import java.util.*;
import java.util.stream.Collectors;
import java.security.*;
@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback;
@ -3141,7 +3141,7 @@ index 5cd6828d293..bae49c4e8a9 100644
}
p11 = tmpPKCS11;
@@ -1389,11 +1461,52 @@ public final class SunPKCS11 extends AuthProvider {
@@ -1388,11 +1460,52 @@ public final class SunPKCS11 extends AuthProvider {
}
@Override
@ -3194,7 +3194,7 @@ index 5cd6828d293..bae49c4e8a9 100644
try {
return newInstance0(param);
} catch (PKCS11Exception e) {
@@ -1750,6 +1863,9 @@ public final class SunPKCS11 extends AuthProvider {
@@ -1749,6 +1862,9 @@ public final class SunPKCS11 extends AuthProvider {
try {
session = token.getOpSession();
p11.C_Logout(session.id());
@ -3252,7 +3252,7 @@ index a6f5f0a8764..9a07c96ca4e 100644
}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
index 4b06daaf264..55e14945469 100644
index 0fd13fd6fa6..3c959c942a1 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
@ -3312,7 +3312,7 @@ index 4b06daaf264..55e14945469 100644
}
if (omitInitialize == false) {
try {
@@ -1976,4 +2004,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
@@ -2012,4 +2040,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}

View File

@ -325,7 +325,7 @@
# New Version-String scheme-style defines
%global featurever 21
%global interimver 0
%global updatever 6
%global updatever 7
%global patchver 0
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
@ -375,7 +375,7 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
%global fipsver 0a42e29b391
%global fipsver 9203d50836c
# Define JDK versions
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
%global javaver %{featurever}
@ -389,7 +389,7 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{vcstag}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
%global buildver 6
%global rpmrelease 1
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
@ -1935,6 +1935,13 @@ done
%endif
%changelog
* Fri Apr 11 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.7.0.6-1
- Update to jdk-21.0.7+6 (GA)
- Update release notes to 21.0.7+6
- Rebase FIPS support against 21.0.7+5
- ** This tarball is embargoed until 2025-04-15 @ 1pm PT. **
- Resolves: OPENJDK-3789
* Sat Jan 11 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.6.0.7-1
- Update to jdk-21.0.6+7 (GA)
- Update release notes to 21.0.6+7
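Review bot: the new changelog entry says "Update to jdk-21.0.7+6 (GA)" but "Rebase FIPS support against 21.0.7+5", so the FIPS patch set (fipsver 9203d50836c) is stated to be based on a different build than the tarball it is applied to. If that is intended, say so in the entry; otherwise correct the build number so the changelog matches what was actually rebased.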

View File

@ -308,7 +308,7 @@
# New Version-String scheme-style defines
%global featurever 21
%global interimver 0
%global updatever 6
%global updatever 7
%global patchver 0
# We don't add any LTS designator for STS packages (Fedora and EPEL).
# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
@ -344,7 +344,7 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
%global fipsver 0a42e29b391
%global fipsver 9203d50836c
# Define JDK versions
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
%global javaver %{featurever}
@ -365,7 +365,7 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{vcstag}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
%global buildver 6
%global rpmrelease 1
# Settings used by the portable build
%global portablerelease 1
@ -1159,8 +1159,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
# 2024a required as of JDK-8325150
Requires: tzdata-java >= 2024a
# 2025a required as of JDK-8347965
Requires: tzdata-java >= 2025a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@ -1507,8 +1507,8 @@ BuildRequires: %{pkgnameroot}-misc = %{epoch}:%{version}-%{prelease}.%{portables
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
# 2024a required as of JDK-8325150
BuildRequires: tzdata-java >= 2024a
# 2025a required as of JDK-8347965
BuildRequires: tzdata-java >= 2025a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@ -2560,6 +2560,16 @@ require "copy_jdk_configs.lua"
%endif
%changelog
* Fri Apr 11 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.7.0.6-1
- Update to jdk-21.0.7+6 (GA)
- Update release notes to 21.0.7+6
- Rebase FIPS support against 21.0.7+5
- Require tzdata 2025a due to upstream inclusion of JDK-8347965
- Sync the copy of the portable specfile with the latest update
- ** This tarball is embargoed until 2025-04-15 @ 1pm PT. **
- Resolves: RHEL-86981
- Resolves: RHEL-86632
* Sat Jan 18 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.6.0.7-1
- Update to jdk-21.0.6+7 (GA)
- Update release notes to 21.0.6+7
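Review bot: the new entry still carries "** This tarball is embargoed until 2025-04-15 @ 1pm PT. **", while the commit shown here is dated 2025-04-18 and the release notes give 2025-04-15 as the release date. After that date the line reads as a live handling restriction on a published package; consider rewording it as historical or dropping it from the changelog.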