diff --git a/.gitignore b/.gitignore index f79d052..2a1f67d 100644 --- a/.gitignore +++ b/.gitignore @@ -38,3 +38,5 @@ /openjdk-jdk17u-jdk-17.0.7+7.tar.xz /openjdk-jdk17u-jdk-17.0.8+7.tar.xz /openjdk-17.0.9+9.tar.xz +/openjdk-17.0.10+6-ea.tar.xz +/openjdk-17.0.10+7.tar.xz diff --git a/NEWS b/NEWS index 4edebb8..443d1e0 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,421 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 17.0.10 (2024-01-16): +============================================ +Live versions of these release notes can be found at: + * https://bit.ly/openjdk1710 + +* CVEs + - CVE-2024-20918 + - CVE-2024-20919 + - CVE-2024-20921 + - CVE-2024-20932 + - CVE-2024-20945 + - CVE-2024-20952 +* Security fixes + - JDK-8276123, JDK-8316613: ZipFile::getEntry will not return a file entry when there is a directory entry of the same name within a Zip File + - JDK-8308204: Enhanced certificate processing + - JDK-8314295: Enhance verification of verifier + - JDK-8314307: Improve loop handling + - JDK-8314468: Improve Compiler loops + - JDK-8316976: Improve signature handling + - JDK-8317547: Enhance TLS connection support +* Other changes + - JDK-6445283: ProgressMonitorInputStream not large file aware (>2GB) + - JDK-8041447: Test javax/swing/dnd/7171812/bug7171812.java fails with java.lang.RuntimeException: Test failed, scroll on drag doesn't work + - JDK-8061729: Update java/net tests to eliminate dependency on sun.net.www.MessageHeader and some other internal APIs + - JDK-8161536: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with ProviderException + - JDK-8168469: Memory leak in JceSecurity + - JDK-8176567: nsk/jdi/ReferenceType/instances/instances002: TestFailure: Unexpected size of referenceType.instances(nsk.share.jdi.TestInterfaceImplementer1): 11, expected: 10 + - JDK-8193543: Regression automated test '/open/test/jdk/java/awt/TrayIcon/SystemTrayInstance/SystemTrayInstanceTest.java' fails + - JDK-8198668: MemoryPoolMBean/isUsageThresholdExceeded/isexceeded001/TestDescription.java still failing + - JDK-8202790: DnD test DisposeFrameOnDragTest.java does not clean up + - JDK-8202931: [macos] java/awt/Choice/ChoicePopupLocation/ChoicePopupLocation.java fails + - JDK-8207166: jdk/jshell/JdiHangingLaunchExecutionControlTest.java - launch timeout + - JDK-8225313: serviceability/jvmti/HeapMonitor/MyPackage/HeapMonitorStatObjectCorrectnessTest.java failed with Unexpected high difference percentage + - JDK-8228990: JFR: TestNetworkUtilizationEvent.java expects 2+ Network interfaces on Linux but finding 1 + - JDK-8232839: JDI AfterThreadDeathTest.java failed due to "FAILED: Did not get expected IllegalThreadStateException on a StepRequest.enable()" + - JDK-8232933: Javac inferred type does not conform to equality constraint + - JDK-8239801: [macos] java/awt/Focus/UnaccessibleChoice/AccessibleChoiceTest.java fails + - JDK-8244289: fatal error: Possible safepoint reached by thread that does not allow it + - JDK-8247351: [aarch64] NullPointerException during stack walking (clhsdb "where -a") + - JDK-8249826: 5 javax/net/ssl/SSLEngine tests use @ignore w/o bug-id + - JDK-8258951: java/net/httpclient/HandshakeFailureTest.java failed with "RuntimeException: Not found expected SSLHandshakeException in java.io.IOException" + - JDK-8262186: Call X509KeyManager.chooseClientAlias once for all key types + - JDK-8262901: [macos_aarch64] NativeCallTest expected:<-3.8194101E18> but was:<3.02668882E10> + - JDK-8265586: [windows] last button is not shown in AWT Frame with BorderLayout and MenuBar set. + - JDK-8266593: vmTestbase/nsk/jvmti/PopFrame/popframe011 fails with "assert(java_thread == _state->get_thread()) failed: Must be" + - JDK-8268433: serviceability/dcmd/framework/VMVersionTest.java fails with Unable to send object throw not established PipeIO Listener Thread connection + - JDK-8268916: Tests for AffirmTrust roots + - JDK-8269425: 2 jdk/jfr/api/consumer/streaming tests failed to attach + - JDK-8270199: Most SA tests are skipped on macosx-aarch64 because all executables are signed + - JDK-8270447: [IR Framework] Add missing compilation level restriction when using FlipC1C2 stress option + - JDK-8271073: Improve testing with VM option VerifyArchivedFields + - JDK-8271566: DSA signature length value is not accurate in P11Signature + - JDK-8271824: mark hotspot runtime/CompressedOops tests which ignore external VM flags + - JDK-8271826: mark hotspot runtime/condy tests which ignore external VM flags + - JDK-8271828: mark hotspot runtime/classFileParserBug tests which ignore external VM flags + - JDK-8271829: mark hotspot runtime/Throwable tests which ignore external VM flags + - JDK-8271886: mark hotspot runtime/InvocationTests tests which ignore external VM flags + - JDK-8271887: mark hotspot runtime/CDSCompressedKPtrs tests which ignore external VM flags + - JDK-8271890: mark hotspot runtime/Dictionary tests which ignore external VM flags + - JDK-8271891: mark hotspot runtime/Safepoint tests which ignore external VM flags + - JDK-8271892: mark hotspot runtime/PrintStringTableStats/PrintStringTableStatsTest.java test as ignoring external VM flags + - JDK-8271893: mark hotspot runtime/PerfMemDestroy/PerfMemDestroy.java test as ignoring external VM flags + - JDK-8271904: mark hotspot runtime/ClassFile tests which ignore external VM flags + - JDK-8271905: mark hotspot runtime/Metaspace tests which ignore external VM flags + - JDK-8272099: mark hotspot runtime/Monitor tests which ignore external VM flags + - JDK-8272291: mark hotspot runtime/logging tests which ignore external VM flags + - JDK-8272551: mark hotspot runtime/modules tests which ignore external VM flags + - JDK-8272552: mark hotspot runtime/cds tests which ignore external VM flags + - JDK-8272998: ImageIO.read() throws incorrect exception type + - JDK-8273456: Do not hold ttyLock around stack walking + - JDK-8273522: Rename test property vm.cds.archived.java.heap to vm.cds.write.archived.java.heap + - JDK-8273629: compiler/uncommontrap/TestDeoptOOM.java fails with release VMs + - JDK-8273831: PrintServiceLookup spawns 2 threads in the current classloader, getting orphaned + - JDK-8273921: Refactor NSK/JDI tests to create thread using factory + - JDK-8274211: Test man page that options are documented + - JDK-8274345: make build-test-lib is broken + - JDK-8275329: ZGC: vmTestbase/gc/gctests/SoftReference/soft004/soft004.java fails with assert(_phases->length() <= 1000) failed: Too many recored phases? + - JDK-8275333: Print count in "Too many recored phases?" assert + - JDK-8275440: Remove VirtualSpaceList::is_full() + - JDK-8275509: ModuleDescriptor.hashCode isn't reproducible across builds + - JDK-8276036: The value of full_count in the message of insufficient codecache is wrong + - JDK-8276054: JMH benchmarks for Fences + - JDK-8276711: compiler/codecache/cli tests failing when SegmentedCodeCache used with -Xint + - JDK-8276819: javax/print/PrintServiceLookup/FlushCustomClassLoader.java fails to free + - JDK-8277307: Pre shared key sent under both session_ticket and pre_shared_key extensions + - JDK-8279856: Parallel: Use PreservedMarks to record promotion-failed objects + - JDK-8281015: Further simplify NMT backend + - JDK-8281149: (fs) java/nio/file/FileStore/Basic.java fails with java.lang.RuntimeException: values differ by more than 1GB + - JDK-8281874: Can't unpack msi installers from test/jdk/tools/jpackage/windows/test/jdk/tools/jpackage/windows/WinShortcutPromptTest.java test + - JDK-8282011: test/jdk/tools/jpackage/windows/WinL10nTest.java test fails if light.exe is not in %PATH% + - JDK-8282017: sun/net/www/protocol/https/HttpsURLConnection/B6216082.java fails with "SocketException: Unexpected end of file from server" + - JDK-8283670: gtest os.release_multi_mappings_vm is still racy + - JDK-8284047: Harmonize/Standardize the SSLSocket/SSLEngine/SSLSocketSSLEngine test templates + - JDK-8285516: clearPassword should be called in a finally try block + - JDK-8285785: CheckCleanerBound test fails with PasswordCallback object is not released + - JDK-8285867: Convert applet manual tests SelectionVisible.java to Frame and automate + - JDK-8286430: make test TEST="gtest:" exits with error when it shouldn't + - JDK-8286473: Drop --enable-preview from Record related tests + - JDK-8286474: Drop --enable-preview from Sealed Classes related tests + - JDK-8286475: Drop --enable-preview from instanceof pattern matching related tests + - JDK-8286969: Add a new test library API to execute kinit in SecurityTools.java + - JDK-8287596: Reorg jdk.test.lib.util.ForceGC + - JDK-8287671: Adjust ForceGC to invoke System::gc fewer times for negative case + - JDK-8287867: Bad merge of jdk/test/lib/util/ForceGC.java causing test compilation error + - JDK-8288325: [windows] Actual and Preferred Size of AWT Non-resizable frame are different + - JDK-8288961: jpackage: test MSI installation fix + - JDK-8288993: Make AwtFramePackTest generic by removing @requires tag + - JDK-8289584: (fs) Print size values in java/nio/file/FileStore/Basic.java when they differ by > 1GiB + - JDK-8289745: JfrStructCopyFailed uses heap words instead of bytes for object sizes + - JDK-8290909: MemoryPoolMBean/isUsageThresholdExceeded tests failed with "isUsageThresholdExceeded() returned false, and is still false, while threshold = MMMMMMM and used peak = NNNNNNN" + - JDK-8291154: Create a non static nested class without enclosing class throws VerifyError + - JDK-8291550: RISC-V: jdk uses misaligned memory access when AvoidUnalignedAccess enabled + - JDK-8291911: java/io/File/GetXSpace.java fails with "53687091200 != 161051996160" + - JDK-8292067: Convert test/sun/management/jmxremote/bootstrap shell tests to java version + - JDK-8292072: NMT: repurpose Tracking overhead counter as global malloc counter + - JDK-8292261: adjust timeouts in JLI GetObjectSizeIntrinsicsTest.java + - JDK-8292381: java/net/httpclient/SpecialHeadersTest.java fails with "ERROR: Shutting down connection: HTTP/2 client stopped" + - JDK-8292636: (dc) Problem listing of java/nio/channels/DatagramChannel/Unref.java has incorrect issue ID + - JDK-8292717: Clean up checking of testing requirements in configure + - JDK-8293156: Dcmd VM.classloaders fails to print the full hierarchy + - JDK-8293335: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1failed with "Agent communication error: java.io.EOFException" + - JDK-8293343: sun/management/jmxremote/bootstrap/RmiSslNoKeyStoreTest.java failed with "Agent communication error: java.io.EOFException" + - JDK-8293563: [macos-aarch64] SA core file tests failing with sun.jvm.hotspot.oops.UnknownOopException + - JDK-8293579: tools/jpackage/share/jdk/jpackage/tests/UnicodeArgsTest.java fails on Japanese Windows platform + - JDK-8294402: Add diagnostic logging to VMProps.checkDockerSupport + - JDK-8294427: Check boxes and radio buttons have rendering issues on Windows in High DPI env + - JDK-8294881: test/hotspot/jtreg/vmTestbase/nsk/jdi/VirtualMachine/dispose/dispose003/TestDescription.java fails + - JDK-8295229: Try to verify gtest version + - JDK-8295424: adjust timeout for another JLI GetObjectSizeIntrinsicsTest.java subtest + - JDK-8296275: Write a test to verify setAccelerator method of JMenuItem + - JDK-8296437: NMT incurs costs if disabled + - JDK-8296821: compiler/jvmci/jdk.vm.ci.code.test/src/jdk/vm/ci/code/test/NativeCallTest.java fails after JDK-8262901 + - JDK-8297142: jdk/jfr/event/runtime/TestShutdown.java fails on Linux ppc64le and Linux aarch64 + - JDK-8297296: java/awt/Mouse/EnterExitEvents/DragWindowTest.java fails with "No MouseReleased event on label!" + - JDK-8297367: disable TestRedirectLinks.java in slowdebug mode + - JDK-8297640: Increase buffer size for buf (insert_features_names) in Abstract_VM_Version::insert_features_names + - JDK-8297798: Timeout with DTLSOverDatagram test template + - JDK-8297958: NMT: Display peak values + - JDK-8298298: NMT: count deltas are printed with 32-bit signed size + - JDK-8298619: java/io/File/GetXSpace.java is failing + - JDK-8298735: Some tools/jpackage/windows/* tests fails with jtreg test timeout + - JDK-8298867: Basics.java fails with SSL handshake exception + - JDK-8298868: Update EngineCloseOnAlert.java for changes to TLS implementation + - JDK-8298869: Update ConnectionTest.java for changes to TLS implementation + - JDK-8298872: Update CheckStatus.java for changes to TLS implementation + - JDK-8298873: Update IllegalRecordVersion.java for changes to TLS implementation + - JDK-8298874: Update TestAllSuites.java for TLS v1.2 and 1.3 + - JDK-8298905: Test "java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java" fails because the frames of instruction does not display + - JDK-8299075: TestStringDeduplicationInterned.java fails because extra deduplication + - JDK-8299207: [Testbug] Add back test/jdk/java/awt/Graphics2D/DrawPrimitivesTest.java + - JDK-8299241: jdk/jfr/api/consumer/streaming/TestJVMCrash.java generates unnecessary core file + - JDK-8299255: Unexpected round errors in FreetypeFontScaler + - JDK-8299677: Formatter.format might take a long time to format an integer or floating-point + - JDK-8299748: java/util/zip/Deinflate.java failing on s390x + - JDK-8300259: Add test coverage for processing of pending block files in signed JARs + - JDK-8300272: Improve readability of the test JarWithOneNonDisabledDigestAlg + - JDK-8300727: java/awt/List/ListGarbageCollectionTest/AwtListGarbageCollectionTest.java failed with "List wasn't garbage collected" + - JDK-8300997: Add curl support to createJMHBundle.sh + - JDK-8301065: Handle control characters in java_lang_String::print + - JDK-8301189: validate-source fails after JDK-8298873 + - JDK-8301247: JPackage app-image exe launches multiple exe's in JDK 17+ + - JDK-8301377: adjust timeout for JLI GetObjectSizeIntrinsicsTest.java subtest again + - JDK-8301455: comments in TestTypeAnnotations still refer to resolved JDK-8068737 + - JDK-8301457: Code in SendPortZero.java is uncommented even after JDK-8236852 was fixed + - JDK-8301489: C1: ShortLoopOptimizer might lift instructions before their inputs + - JDK-8301570: Test runtime/jni/nativeStack/ needs to detach the native thread + - JDK-8301701: java/net/DatagramSocket/DatagramSocketMulticasting.java should be hardened + - JDK-8302017: Allocate BadPaddingException only if it will be thrown + - JDK-8302109: Trivial fixes to btree tests + - JDK-8302525: Write a test to check various components send Events while mouse and key are used simultaneously + - JDK-8302607: increase timeout for ContinuousCallSiteTargetChange.java + - JDK-8303607: SunMSCAPI provider leaks memory and keys + - JDK-8303922: build-test-lib target is broken + - JDK-8304174: Remove delays from httpserver tests + - JDK-8304954: SegmentedCodeCache fails when using large pages + - JDK-8305502: adjust timeouts in three more M&M tests + - JDK-8305505: NPE in javazic compiler + - JDK-8305646: compile error on Alpine with gcc12 after 8298619 in libGetXSpace.c + - JDK-8306280: Open source several choice AWT tests + - JDK-8307123: Fix deprecation warnings in DPrinter + - JDK-8307311: Timeouts on one macOS 12.6.1 host of two Swing JTableHeader tests + - JDK-8307403: java/util/zip/DeInflate.java timed out + - JDK-8307732: build-test-lib is broken + - JDK-8308047: java/util/concurrent/ScheduledThreadPoolExecutor/BasicCancelTest.java timed out and also had jcmd pipe errors + - JDK-8308103: Massive (up to ~30x) increase in C2 compilation time since JDK 17 + - JDK-8308116: jdk.test.lib.compiler.InMemoryJavaCompiler.compile does not close files + - JDK-8308223: failure handler missed jcmd.vm.info command + - JDK-8308592: Framework for CA interoperability testing + - JDK-8308593: Add KEEPALIVE Extended Socket Options Support for Windows + - JDK-8308910: Allow executeAndLog to accept running process + - JDK-8309032: jpackage does not work for module projects unless --module-path is specified + - JDK-8309104: [JVMCI] compiler/unsafe/UnsafeGetStableArrayElement test asserts wrong values with Graal + - JDK-8309216: Cast from jchar* to char* in test java/io/GetXSpace.java + - JDK-8309258: RISC-V: Add riscv_hwprobe syscall + - JDK-8309502: RISC-V: String.indexOf intrinsic may produce misaligned memory loads + - JDK-8309778: java/nio/file/Files/CopyAndMove.java fails when using second test directory + - JDK-8309974: some JVMCI tests fail when VM options include -XX:+EnableJVMCI + - JDK-8310233: Fix THP detection on Linux + - JDK-8310265: (process) jspawnhelper should not use argv[0] + - JDK-8310268: RISC-V: misaligned memory access in String.Compare intrinsic + - JDK-8310321: make JDKOPT_CHECK_CODESIGN_PARAMS more verbose + - JDK-8310656: RISC-V: __builtin___clear_cache can fail silently. + - JDK-8310687: JDK-8303215 is incomplete + - JDK-8311511: Improve description of NativeLibrary JFR event + - JDK-8311514: Incorrect regex in TestMetaSpaceLog.java + - JDK-8311585: Add JRadioButtonMenuItem to bug8031573.java + - JDK-8311592: ECKeySizeParameterSpec causes too many exceptions on third party providers + - JDK-8311631: When multiple users run tools/jpackage/share/LicenseTest.java, Permission denied for writing /var/tmp/*.files + - JDK-8311813: C1: Uninitialized PhiResolver::_loop field + - JDK-8312065: Socket.connect does not timeout when profiling + - JDK-8312078: [PPC] JcmdScale.java Failing on AIX + - JDK-8312126: NullPointerException in CertStore.getCRLs after 8297955 + - JDK-8312182: THPs cause huge RSS due to thread start timing issue + - JDK-8312394: [linux] SIGSEGV if kernel was built without hugepage support + - JDK-8312395: Improve assertions in growableArray + - JDK-8312440: assert(cast != nullptr) failed: must have added a cast to pin the node + - JDK-8312467: relax the builddir check in make/autoconf/basic.m4 + - JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar + - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException + - JDK-8312573: Failure during CompileOnly parsing leads to ShouldNotReachHere + - JDK-8312585: Rename DisableTHPStackMitigation flag to THPStackMitigation + - JDK-8312592: New parentheses warnings after HarfBuzz 7.2.0 update + - JDK-8312612: handle WideCharToMultiByte return values + - JDK-8312620: WSL Linux build crashes after JDK-8310233 + - JDK-8312625: Test serviceability/dcmd/vm/TrimLibcHeapTest.java failed: RSS use increased + - JDK-8312909: C1 should not inline through interface calls with non-subtype receiver + - JDK-8312974: Bump update version for OpenJDK: jdk-17.0.10 + - JDK-8313164: src/java.desktop/windows/native/libawt/windows/awt_Robot.cpp GetRGBPixels adjust releasing of resources + - JDK-8313252: Java_sun_awt_windows_ThemeReader_paintBackground release resources in early returns + - JDK-8313322: RISC-V: implement MD5 intrinsic + - JDK-8313626: C2 crash due to unexpected exception control flow + - JDK-8313657: com.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors + - JDK-8313691: use close after failing os::fdopen in vmError and ciEnv + - JDK-8313779: RISC-V: use andn / orn in the MD5 instrinsic + - JDK-8313781: Add regression tests for large page logging and user-facing error messages + - JDK-8313782: Add user-facing warning if THPs are enabled but cannot be used + - JDK-8313792: Verify 4th party information in src/jdk.internal.le/share/legal/jline.md + - JDK-8314024: SIGSEGV in PhaseIdealLoop::build_loop_late_post_work due to bad immediate dominator info + - JDK-8314045: ArithmeticException in GaloisCounterMode + - JDK-8314063: The socket is not closed in Connection::createSocket when the handshake failed for LDAP connection + - JDK-8314094: java/lang/ProcessHandle/InfoTest.java fails on Windows when run as user with Administrator privileges + - JDK-8314121: test tools/jpackage/share/RuntimePackageTest.java#id0 fails on RHEL8 + - JDK-8314139: TEST_BUG: runtime/os/THPsInThreadStackPreventionTest.java could fail on machine with large number of cores + - JDK-8314144: gc/g1/ihop/TestIHOPStatic.java fails due to extra concurrent mark with -Xcomp + - JDK-8314242: Update applications/scimark/Scimark.java to accept VM flags + - JDK-8314263: Signed jars triggering Logger finder recursion and StackOverflowError + - JDK-8314495: Update to use jtreg 7.3.1 + - JDK-8314679: SA fails to properly attach to JVM after having just detached from a different JVM + - JDK-8314883: Java_java_util_prefs_FileSystemPreferences_lockFile0 write result errno in missing case + - JDK-8315020: The macro definition for LoongArch64 zero build is not accurate. + - JDK-8315062: [GHA] get-bootjdk action should return the abolute path + - JDK-8315195: RISC-V: Update hwprobe query for new extensions + - JDK-8315206: RISC-V: hwprobe query is_set return wrong value + - JDK-8315214: Do not run sun/tools/jhsdb tests concurrently + - JDK-8315377: C2: assert(u->find_out_with(Op_AddP) == nullptr) failed: more than 2 chained AddP nodes? + - JDK-8315415: OutputAnalyzer.shouldMatchByLine() fails in some cases + - JDK-8315499: build using devkit on Linux ppc64le RHEL puts path to devkit into libsplashscreen + - JDK-8315549: CITime misreports code/total nmethod sizes + - JDK-8315606: Open source few swing text/html tests + - JDK-8315644: increase timeout of sun/security/tools/jarsigner/Warning.java + - JDK-8315683: Parallelize java/util/concurrent/tck/JSR166TestCase.java + - JDK-8315692: Parallelize gc/stress/TestStressRSetCoarsening.java test + - JDK-8315696: SignedLoggerFinderTest.java test failed + - JDK-8315751: RandomTestBsi1999 fails often with timeouts on Linux ppc64le + - JDK-8315766: Parallelize gc/stress/TestStressIHOPMultiThread.java test + - JDK-8315770: serviceability/sa/TestJmapCoreMetaspace.java should run with -XX:-VerifyDependencies + - JDK-8315863: [GHA] Update checkout action to use v4 + - JDK-8315937: Enable parallelism in vmTestbase/nsk/stress/numeric tests + - JDK-8316087: Test SignedLoggerFinderTest.java is still failing + - JDK-8316178: Better diagnostic header for CodeBlobs + - JDK-8316206: Test StretchedFontTest.java fails for Baekmuk font + - JDK-8316461: Fix: make test outputs TEST SUCCESS after unsuccessful exit + - JDK-8316514: Better diagnostic header for VtableStub + - JDK-8316566: RISC-V: Zero extended narrow oop passed to Atomic::cmpxchg + - JDK-8316645: RISC-V: Remove dependency on libatomic by adding cmpxchg 1b + - JDK-8316710: Exclude java/awt/font/Rotate/RotatedTextTest.java + - JDK-8316743: RISC-V: Change UseVectorizedMismatchIntrinsic option result to warning + - JDK-8316746: Top of lock-stack does not match the unlocked object + - JDK-8316778: test hprof lib: invalid array element type from JavaValueArray.elementSize + - JDK-8316859: RISC-V: Disable detection of V through HWCAP + - JDK-8316906: Clarify TLABWasteTargetPercent flag + - JDK-8317121: vector_masked_load instruction is moved too early after JDK-8286941 + - JDK-8317327: Remove JT_JAVA dead code in jib-profiles.js + - JDK-8317373: Add Telia Root CA v2 + - JDK-8317374: Add Let's Encrypt ISRG Root X2 + - JDK-8317705: ProblemList sun/tools/jstat/jstatLineCountsX.sh on linux-ppc64le and aix due to JDK-8248691 + - JDK-8317706: Exclude java/awt/Graphics2D/DrawString/RotTransText.java on linux + - JDK-8317772: NMT: Make peak values available in release builds + - JDK-8317834: java/lang/Thread/IsAlive.java timed out + - JDK-8317920: JDWP-agent sends broken exception event with onthrow option + - JDK-8317967: Enhance test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java to handle default cases + - JDK-8318669: Target OS detection in 'test-prebuilt' makefile target is incorrect when running on MSYS2 + - JDK-8318705: [macos] ProblemList java/rmi/registry/multipleRegistries/MultipleRegistries.java + - JDK-8318759: Add four DigiCert root certificates + - JDK-8318855: Extra file added by mistake during the backport of JDK-8283326 + - JDK-8318889: C2: add bailout after assert Bad graph detected in build_loop_late + - JDK-8318953: RISC-V: Small refactoring for MacroAssembler::test_bit + - JDK-8319184: RISC-V: improve MD5 intrinsic + - JDK-8319187: Add three eMudhra emSign roots + - JDK-8319525: RISC-V: Rename *_riscv64.ad files to *_riscv.ad under riscv/gc + - JDK-8319958: test/jdk/java/io/File/libGetXSpace.c does not compile on Windows 32-bit + - JDK-8320053: GHA: Cross-compile gtest code + - JDK-8320209: VectorMaskGen clobbers rflags on x86_64 + - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly + - JDK-8320601: ProblemList java/lang/invoke/lambda/LambdaFileEncodingSerialization.java on linux-all + - JDK-8323422: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.10 + +Notes on individual issues: +=========================== + +core-libs/java.net: + +JDK-8308593: Add KEEPALIVE Extended Socket Options Support for Windows +====================================================================== +On Windows 10 version 1709 and above, TCP_KEEPIDLE and +TCP_KEEPINTERVAL are now supported in the +java.net.ExtendedSocketOptions class. Similarly, on Windows 10 +version 1703 and above, TCP_KEEPCOUNT is now supported. + +security-libs/javax.net.ssl: + +JDK-8262186: Call `X509KeyManager.chooseClientAlias` Once for All Key Types +=========================================================================== +The (D)TLS implementation in OpenJDK now makes only one call to the +X509Keymanager.chooseClientAlias method during handshaking for client +authentication, regardless of how many algorithms are requested. + +hotspot/runtime: + +JDK-8317772: NMT: Make peak values available in release builds +============================================================== +The peak value is the highest value for committed memory in a given +Native Memory Tracking (NMT) category over the lifetime of the JVM +process. NMT reports will now show the peak value for all categories. + +If the committed memory for a category is at its peak, NMT will +print "at peak". Otherwise, it prints the peak value. + +For example, "Compiler (arena=196KB #4) (peak=6126KB #16)" shows that +compiler arena memory peaked above 6 MB, but now hovers around 200KB. + +JDK-8313782: Add user-facing warning if THPs are enabled but cannot be used +=========================================================================== +On Linux, the JVM will now print the following message to standard +output if Transparent Huge Pages (THPs) are requested, but are not +supported on the operating system: + +"UseTransparentHugePages disabled; transparent huge pages are not +supported by the operating system." + +security-libs/java.security: + +JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar +=============================================================================================================================== +A maximum signature file size property, jdk.jar.maxSignatureFileSize, +was introduced in the 17.0.8 release of OpenJDK by JDK-8300596, with +a default of 8MB. This default proved to be too small for some JAR +files. This release, 17.0.10, increases it to 16MB. + +JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt +================================================================= +The following root certificate has been added to the cacerts +truststore: + +Name: Let's Encrypt +Alias Name: letsencryptisrgx2 +Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US + +JDK-8318759: Added Four Root Certificates from DigiCert, Inc. +============================================================= +The following root certificates have been added to the cacerts +truststore: + +Name: DigiCert, Inc. +Alias Name: digicertcseccrootg5 +Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicertcsrsarootg5 +Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicerttlseccrootg5 +Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicerttlsrsarootg5 +Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US + +JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited +============================================================================ +The following root certificates have been added to the cacerts +truststore: + +Name: eMudhra Technologies Limited +Alias Name: emsignrootcag1 +Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +Name: eMudhra Technologies Limited +Alias Name: emsigneccrootcag3 +Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +Name: eMudhra Technologies Limited +Alias Name: emsignrootcag2 +Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +JDK-8317373: Added Telia Root CA v2 Certificate +=============================================== +The following root certificate has been added to the cacerts +truststore: + +Name: Telia Root CA v2 +Alias Name: teliarootcav2 +Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ``` + New in release OpenJDK 17.0.9 (2023-10-17): =========================================== Live versions of these release notes can be found at: diff --git a/fips-17u-51e1d00be4e.patch b/fips-17u-d63771ea660.patch similarity index 99% rename from fips-17u-51e1d00be4e.patch rename to fips-17u-d63771ea660.patch index da1df4d..4830fb2 100644 --- a/fips-17u-51e1d00be4e.patch +++ b/fips-17u-d63771ea660.patch @@ -116,7 +116,7 @@ index 00000000000..f48fc7f7e80 + AC_SUBST(NSS_LIBDIR) +]) diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 -index 366682cf044..1f8d782f419 100644 +index 62db5b16c31..f0bb4333fc9 100644 --- a/make/autoconf/libraries.m4 +++ b/make/autoconf/libraries.m4 @@ -33,6 +33,7 @@ m4_include([lib-std.m4]) @@ -3496,7 +3496,7 @@ index 00000000000..f8d505ca815 +} \ No newline at end of file diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index 0736ce997e4..0a937fef377 100644 +index 39bd783dd25..1146e7f9d80 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java @@ -37,6 +37,8 @@ import javax.crypto.*; @@ -3529,19 +3529,21 @@ index 0736ce997e4..0a937fef377 100644 boolean extractKeyInfo = (!DISABLE_NATIVE_KEYS_EXTRACTION && isNSS && extractable && !tokenObject); this.keyIDHolder = new NativeKeyHolder(this, keyID, session, -@@ -383,7 +386,9 @@ abstract class P11Key implements Key, Length { - new CK_ATTRIBUTE(CKA_SENSITIVE), - new CK_ATTRIBUTE(CKA_EXTRACTABLE), +@@ -395,8 +398,10 @@ abstract class P11Key implements Key, Length { + new CK_ATTRIBUTE(CKA_EXTRACTABLE), }); -- if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) { + +- boolean keySensitive = (attrs[0].getBoolean() || +- attrs[1].getBoolean() || !attrs[2].getBoolean()); + boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); -+ if (!exportable && (attributes[1].getBoolean() || -+ (attributes[2].getBoolean() == false))) { - return new P11PrivateKey - (session, keyID, algorithm, keyLength, attributes); - } else { -@@ -465,7 +470,8 @@ abstract class P11Key implements Key, Length { - } ++ boolean keySensitive = (!exportable && ++ (attrs[0].getBoolean() || ++ attrs[1].getBoolean() || !attrs[2].getBoolean())); + + switch (algorithm) { + case "RSA": +@@ -451,7 +456,8 @@ abstract class P11Key implements Key, Length { + public String getFormat() { token.ensureValid(); - if (sensitive || !extractable || (isNSS && tokenObject)) { @@ -4527,7 +4529,7 @@ index aa35e8fa668..1855e5631bd 100644 debug.println("logout succeeded"); } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java -index 9858a5faedf..e63585486d9 100644 +index 1f94fe3e18a..99eec2114e4 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java @@ -33,6 +33,7 @@ import java.lang.ref.*; diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh index 7ff27d6..2150bbf 100755 --- a/generate_source_tarball.sh +++ b/generate_source_tarball.sh @@ -1,51 +1,99 @@ #!/bin/bash # Generates the 'source tarball' for JDK projects. # -# Example: -# When used from local repo set REPO_ROOT pointing to file:// with your repo -# If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL +# Example 1: +# When used from local repo set REPO_ROOT pointing to file:// with your repo. +# If your local repo follows upstream forests conventions, it may be enough to +# set OPENJDK_URL. +# +# Example 2: +# This will read the OpenJDK feature version from the spec file, then create a +# tarball from the most recent tag for that version in the upstream Git +# repository. +# +# $ OPENJDK_LATEST=1 ./generate_source_tarball.sh +# [...] +# Tarball is: temp-generated-source-tarball-ujD/openjdk-17.0.10+6-ea.tar.xz +# +# Unless you use OPENJDK_LATEST, you have to set PROJECT_NAME, REPO_NAME and +# VERSION, e.g.: # -# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg: # PROJECT_NAME=openjdk # REPO_NAME=jdk17u -# VERSION=jdk-17.0.7+9 -# or to eg prepare systemtap: -# icedtea7's jstack and other tapsets +# VERSION=jdk-17.0.10+7 +# +# or to e.g., prepare systemtap, icedtea7's jstack and other tapsets: +# # VERSION=6327cf1cea9e # REPO_NAME=icedtea7-2.6 # PROJECT_NAME=release # OPENJDK_URL=http://icedtea.classpath.org/hg/ # TO_COMPRESS="*/tapset" # -# They are used to create correct name and are used in construction of sources url (unless REPO_ROOT is set) - -# This script creates a single source tarball out of the repository -# based on the given tag and removes code not allowed in fedora/rhel. For -# consistency, the source tarball will always contain 'openjdk' as the top -# level folder, name is created, based on parameter +# They are used to create correct name and are used in construction of sources +# URL (unless REPO_ROOT is set). # +# This script creates a single source tarball out of the repository based on the +# given tag and removes code not allowed in Fedora/RHEL. set -e OPENJDK_URL_DEFAULT=https://github.com COMPRESSION_DEFAULT=xz -if [ "x$1" = "xhelp" ] ; then - echo -e "Behaviour may be specified by setting the following variables:\n" - echo "VERSION - the version of the specified OpenJDK project" - echo "PROJECT_NAME -- the name of the OpenJDK project being archived (optional; only needed by defaults)" - echo "REPO_NAME - the name of the OpenJDK repository (optional; only needed by defaults)" - echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})" - echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})" - echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)" - echo "REPO_ROOT - the location of the Git repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME.git)" - echo "TO_COMPRESS - what part of clone to pack (default is ${VERSION})" - echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run" +if [ "$1" = "help" ] ; then + echo "Behaviour may be specified by setting the following variables:" + echo + echo "VERSION - the version of the specified OpenJDK project" + echo " (required unless OPENJDK_LATEST is set)" + echo "PROJECT_NAME - the name of the OpenJDK project being archived" + echo " (needed to compute REPO_ROOT and/or" + echo " FILE_NAME_ROOT automatically;" + echo " optional if they are set explicitly)" + echo "REPO_NAME - the name of the OpenJDK repository" + echo " (needed to compute REPO_ROOT automatically;" + echo " optional if REPO_ROOT is set explicitly)" + echo "OPENJDK_URL - the URL to retrieve code from" + echo " (defaults to ${OPENJDK_URL_DEFAULT})" + echo "COMPRESSION - the compression type to use" + echo " (defaults to ${COMPRESSION_DEFAULT})" + echo "FILE_NAME_ROOT - name of the archive, minus extensions" + echo " (defaults to PROJECT_NAME-VERSION)" + echo "REPO_ROOT - the location of the Git repository to archive" + echo " (defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME.git)" + echo "TO_COMPRESS - what part of clone to pack" + echo " (defaults to ${VERSION})" + echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run" + echo " (defaults to packaged JDK version)" + echo "WITH_TEMP - run in a temporary directory" + echo " (defaults to disabled)" + echo "OPENJDK_LATEST - deduce VERSION from most recent upstream tag" + echo " (implies WITH_TEMP, computes everything else" + echo " automatically; Note: accesses network to read" + echo " tag list from remote Git repository)" exit 1; fi +if [ "$OPENJDK_LATEST" != "" ] ; then + FEATURE_VERSION=$(echo '%featurever' \ + | rpmspec --shell ./*.spec 2>/dev/null \ + | grep --after-context 1 featurever \ + | tail --lines 1) + PROJECT_NAME=openjdk + REPO_NAME=jdk"${FEATURE_VERSION}"u + VERSION=$(git ls-remote --tags --refs --sort=-version:refname \ + "${OPENJDK_URL_DEFAULT}/${PROJECT_NAME}/${REPO_NAME}.git" \ + "jdk-${FEATURE_VERSION}*" \ + | head --lines 1 | cut --characters 52-) + FILE_NAME_ROOT=open${VERSION} + WITH_TEMP=1 +fi -if [ "x$VERSION" = "x" ] ; then +if [ "$WITH_TEMP" != "" ] ; then + pushd "$(mktemp --directory temp-generated-source-tarball-XXX)" +fi + +if [ "$VERSION" = "" ] ; then echo "No VERSION specified" exit 2 fi @@ -57,18 +105,18 @@ BUILD_VER=${NUM_VER##*+} MAJOR_VER=${RELEASE_VER%%.*} echo "Major version is ${MAJOR_VER}, release ${RELEASE_VER}, build ${BUILD_VER}" -if [ "x$BOOT_JDK" = "x" ] ; then +if [ "$BOOT_JDK" = "" ] ; then echo "No boot JDK specified". BOOT_JDK=/usr/lib/jvm/java-${MAJOR_VER}-openjdk; echo -n "Checking for ${BOOT_JDK}..."; - if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then + if [ -d "${BOOT_JDK}" ] && [ -x "${BOOT_JDK}"/bin/java ] ; then echo "Boot JDK found at ${BOOT_JDK}"; else echo "Not found"; - PREV_VER=$((${MAJOR_VER} - 1)); + PREV_VER=$((MAJOR_VER - 1)); BOOT_JDK=/usr/lib/jvm/java-${PREV_VER}-openjdk; echo -n "Checking for ${BOOT_JDK}..."; - if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then + if [ -d ${BOOT_JDK} ] && [ -x ${BOOT_JDK}/bin/java ] ; then echo "Boot JDK found at ${BOOT_JDK}"; else echo "Not found"; @@ -79,43 +127,41 @@ else echo "Boot JDK: ${BOOT_JDK}"; fi -# REPO_NAME is only needed when we default on REPO_ROOT and FILE_NAME_ROOT -if [ "x$FILE_NAME_ROOT" = "x" -o "x$REPO_ROOT" = "x" ] ; then - if [ "x$PROJECT_NAME" = "x" ] ; then - echo "No PROJECT_NAME specified" - exit 1 - fi - echo "Project name: ${PROJECT_NAME}" - if [ "x$REPO_NAME" = "x" ] ; then - echo "No REPO_NAME specified" - exit 3 - fi - echo "Repository name: ${REPO_NAME}" -fi - -if [ "x$OPENJDK_URL" = "x" ] ; then +if [ "$OPENJDK_URL" = "" ] ; then OPENJDK_URL=${OPENJDK_URL_DEFAULT} echo "No OpenJDK URL specified; defaulting to ${OPENJDK_URL}" else echo "OpenJDK URL: ${OPENJDK_URL}" fi -if [ "x$COMPRESSION" = "x" ] ; then +if [ "$COMPRESSION" = "" ] ; then # rhel 5 needs tar.gz COMPRESSION=${COMPRESSION_DEFAULT} fi echo "Creating a tar.${COMPRESSION} archive" -if [ "x$FILE_NAME_ROOT" = "x" ] ; then - FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION} +if [ "$FILE_NAME_ROOT" = "" ] ; then + if [ "$PROJECT_NAME" = "" ] ; then + echo "No PROJECT_NAME specified, needed by FILE_NAME_ROOT" + exit 1 + fi + FILE_NAME_ROOT=${PROJECT_NAME}-${VERSION} echo "No file name root specified; default to ${FILE_NAME_ROOT}" fi -if [ "x$REPO_ROOT" = "x" ] ; then +if [ "$REPO_ROOT" = "" ] ; then + if [ "$PROJECT_NAME" = "" ] ; then + echo "No PROJECT_NAME specified, needed by REPO_ROOT" + exit 1 + fi + if [ "$REPO_NAME" = "" ] ; then + echo "No REPO_NAME specified, needed by REPO_ROOT" + exit 3 + fi REPO_ROOT="${OPENJDK_URL}/${PROJECT_NAME}/${REPO_NAME}.git" echo "No repository root specified; default to ${REPO_ROOT}" fi; -if [ "x$TO_COMPRESS" = "x" ] ; then +if [ "$TO_COMPRESS" = "" ] ; then TO_COMPRESS="${VERSION}" echo "No targets to be compressed specified ; default to ${TO_COMPRESS}" fi; @@ -131,23 +177,31 @@ echo -e "\tREPO_ROOT: ${REPO_ROOT}" echo -e "\tTO_COMPRESS: ${TO_COMPRESS}" echo -e "\tBOOT_JDK: ${BOOT_JDK}" -if [ -d ${FILE_NAME_ROOT} ] ; then +if [ -d "${FILE_NAME_ROOT}" ] ; then echo "exists exists exists exists exists exists exists " echo "reusing reusing reusing reusing reusing reusing " - echo ${FILE_NAME_ROOT} + echo "${FILE_NAME_ROOT}" + STAT_TIME="$(stat --format=%Y "${FILE_NAME_ROOT}")" + TAR_TIME="$(date --date=@"${STAT_TIME}" --iso-8601=seconds)" else mkdir "${FILE_NAME_ROOT}" pushd "${FILE_NAME_ROOT}" echo "Cloning ${VERSION} root repository from ${REPO_ROOT}" - git clone -b ${VERSION} ${REPO_ROOT} ${VERSION} + git clone --depth=1 -b "${VERSION}" "${REPO_ROOT}" "${VERSION}" + pushd "${VERSION}" + TAR_TIME="$(git log --max-count 1 --format=%cI)" + popd popd fi - pushd "${FILE_NAME_ROOT}" - # Generate .src-rev so build has knowledge of the revision the tarball was created from + EA_PART="$(git tag --contains "${VERSION}" \ + | grep --quiet '\-ga$' || echo '-ea')" + + # Generate .src-rev so build has knowledge of the revision the tarball was + # created from mkdir build pushd build - sh ${PWD}/../openjdk/configure --with-boot-jdk=${BOOT_JDK} + sh "${PWD}"/../"${VERSION}"/configure --with-boot-jdk="${BOOT_JDK}" make store-source-revision popd rm -rf build @@ -171,13 +225,26 @@ pushd "${FILE_NAME_ROOT}" find ${VERSION} -name '.github' -exec rm -rfv '{}' '+' echo "Compressing remaining forest" - if [ "X$COMPRESSION" = "Xxz" ] ; then + if [ "$COMPRESSION" = "xz" ] ; then SWITCH=cJf else SWITCH=czf fi - TARBALL_NAME=${FILE_NAME_ROOT}.tar.${COMPRESSION} - tar --exclude-vcs -$SWITCH ${TARBALL_NAME} $TO_COMPRESS - mv ${TARBALL_NAME} .. + TARBALL_NAME=${FILE_NAME_ROOT}${EA_PART}.tar.${COMPRESSION} + XZ_OPT=${XZ_OPT-"-T0"} \ + tar --mtime="${TAR_TIME}" --owner=root --group=root --sort=name \ + --exclude-vcs -$SWITCH "${TARBALL_NAME}" "${TO_COMPRESS}" + mv "${TARBALL_NAME}" .. popd -echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT." +if [ "$WITH_TEMP" != "" ] ; then + echo "Tarball is: $(realpath --relative-to=.. .)/${TARBALL_NAME}" + popd +else + echo -n "Done. You may want to remove the uncompressed version" + echo " - $FILE_NAME_ROOT" +fi + +# Local Variables: +# compile-command: "shellcheck generate_source_tarball.sh" +# fill-column: 80 +# End: diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec index bdc9e11..7893be5 100644 --- a/java-17-openjdk-portable.spec +++ b/java-17-openjdk-portable.spec @@ -324,9 +324,12 @@ %global stapinstall %{nil} %endif -# always off for portable builds %ifarch %{systemtap_arches} +%if (0%{?rhel} > 0) +%global with_systemtap 1 +%else %global with_systemtap 0 +%endif %else %global with_systemtap 0 %endif @@ -334,7 +337,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 9 +%global updatever 10 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, @@ -384,7 +387,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 51e1d00be4e +%global fipsver d63771ea660 # Define JDK versions %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} %global javaver %{featurever} @@ -398,8 +401,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 9 -%global rpmrelease 4 +%global buildver 7 +%global rpmrelease 1 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -442,7 +445,6 @@ # output dir stub %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} %define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} -%global miscinstalloutputdir install %define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} @@ -655,39 +657,46 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u # as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes +# The following list is generated by: +# git log %%{vcstag}.. --no-merges --format=%s --reverse: # Fixes currently included: -# PR3183, RH1340845: Follow system wide crypto policy -# PR3695: Allow use of system crypto policy to be disabled by the user -# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +# PR3183, RH1340845: Support Fedora & RHEL system crypto policy +# PR3695: Allow system crypto policy enforcement to be toggled on/off +# RH1655466: Support global RHEL crypto policy +# RH1818909: Set default keystore type for PKCS11 provider in FIPS mode +# RH1860986: Disable TLSv1.3 in FIPS mode +# RH1915071: Always initialise configurator access.patch # RH1929465: Improve system FIPS detection -# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers -# RH1996182: Login to the NSS software token in FIPS mode -# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false -# RH2021263: Resolve outstanding FIPS issues -# RH2052819: Fix FIPS reliance on crypto policies -# RH2052829: Detect NSS at Runtime for FIPS detection +# RH1995150: Disable non-FIPS crypto in the SUN and SunEC providers +# RH1996182: Login to the NSS Software Token in FIPS Mode +# RH1929465: Don't define unused throwIOException function when using NSS detection +# RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access +# RH1991003: Enable the import of plain keys into the NSS software token. +# RH2021263: Return in C code after having generated Java exception +# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance +# RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support +# RH2051605: Detect NSS at Runtime for FIPS detection # RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode -# RH2023467: Enable FIPS keys export -# RH2094027: SunEC runtime permission for FIPS -# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage -# RH2090378: Revert to disabling system security properties and FIPS mode support together -# RH2104724: Avoid import/export of DH private keys -# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode -# Build the systemconf library on all platforms -# RH2048582: Support PKCS#12 keystores -# RH2020290: Support TLS 1.3 in FIPS mode -# Add nss.fips.cfg support to OpenJDK tree -# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode -# Remove forgotten dead code from RH2020290 and RH2104724 -# OJ1357: Fix issue on FIPS with a SecurityManager in place -# RH2134669: Add missing attributes when registering services in FIPS mode. -# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class -# RH1940064: Enable XML Signature provider in FIPS mode -# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized -Patch1001: fips-%{featurever}u-%{fipsver}.patch +# RH2023467: Enable FIPS keys export (#1) +# Run workflows on pull request, as we are not using SKARA. +# RH2094027: SunEC runtime permission for FIPS (#5) +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage (#8) +# RH2090378: Revert to disabling system security properties and FIPS mode support together (#4) +# Use encoded space rather than quoting for JTReg JAVA_OPTIONS +# RH2104724: Avoid import/export of DH private keys (#14) +# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode (#16) +# Build the systemconf library on all platforms (#7) +# RH2048582: Support PKCS#12 keystores (#2) +# RH2020290: Support TLS 1.3 in FIPS mode (#13) +# Add nss.fips.cfg support to OpenJDK tree (#22) +# RH2117972 - Extend the support for NSS DBs (PKCS11) in FIPS mode (#17) +# Remove forgotten dead code from #13 and #14 (#21) +# Fix issue on FIPS with a SecurityManager in place (#25) +# RH2134669: Add missing attributes when registering services in FIPS mode. (#19) +# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27) +# RH1940064: Enable XML Signature provider in FIPS mode (#24) +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26) +Patch1001: fips-17u-%{fipsver}.patch ############################################# # @@ -702,8 +711,8 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch # OpenJDK patches appearing in 17.0.10 # ############################################# -# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar -Patch2000: jdk8312489-max_sig_default_increase.patch + +# Currently empty ############################################# # @@ -733,7 +742,6 @@ BuildRequires: devtoolset-%{dtsversion}-gcc-c++ %else BuildRequires: gcc # gcc-c++ is already needed -BuildRequires: java-%{buildjdkver}-openjdk-devel %endif BuildRequires: gcc-c++ BuildRequires: gdb @@ -1009,18 +1017,18 @@ sh %{SOURCE12} %{top_level_dir_name} %endif # Patch the JDK +# -P N: apply patch number N, same as passing N as a positional argument on rpm >= 4.18 +# -p N: strip N leading slashes from paths pushd %{top_level_dir_name} -%patch1 -p1 -%patch3 -p1 -%patch6 -p1 +%patch -P1 -p1 +%patch -P3 -p1 +%patch -P6 -p1 # Add crypto policy and FIPS support -%patch1001 -p1 +%patch -P1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security -%patch1000 -p1 -# JDK-8312489 backport, coming in 17.0.10 -%patch2000 -p1 +%patch -P1000 -p1 # alt-java support -%patch600 -p1 +%patch -P600 -p1 popd # openjdk @@ -1041,9 +1049,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then echo "WARNING: Designator mismatch"; echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; - # Temporarily commented out as local copy of jdk-17.0.8+7 has the wrong setting - # This is fixed in the final upstream version - # exit 17 + exit 17 fi # Systemtap is processed in rpms @@ -1799,6 +1805,46 @@ done %endif %changelog +* Thu Jan 11 2024 Andrew Hughes - 1:17.0.10.0.7-1 +- Update to jdk-17.0.10+7 (GA) +- Update release notes to 17.0.10+7 +- Move to -P usage for patch macro which works on all RPM versions +- Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release +- Switch to GA mode for release +- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. ** + +* Thu Jan 11 2024 Thomas Fitzsimmons - 1:17.0.10.0.6-0.1.ea +- generate_source_tarball.sh: Add note on network usage of OPENJDK_LATEST +- generate_source_tarball.sh: Remove unneeded FIXME + +* Thu Jan 11 2024 Andrew Hughes - 1:17.0.10.0.6-0.1.ea +- Update release notes to 17.0.10+6 +- Revert change to patch macro due to failure on RHEL 8 +- generate_source_tarball.sh: Add --sort=name to tar invocation for reproducibility + +* Tue Jan 9 2024 Thomas Fitzsimmons - 1:17.0.10.0.6-0.1.ea +- Update to jdk-17.0.10+6 (EA) +- fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch +- generate_source_tarball.sh: Add WITH_TEMP environment variable +- generate_source_tarball.sh: Multithread xz on all available cores +- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable +- generate_source_tarball.sh: Update comment about tarball naming +- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT +- generate_source_tarball.sh: Set compile-command in Emacs +- generate_source_tarball.sh: Reformat comment header +- generate_source_tarball.sh: Reformat and update help output +- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks +- generate_source_tarball.sh: Do a shallow clone, for speed +- generate_source_tarball.sh: Append -ea designator when required +- generate_source_tarball.sh: Eliminate some removal prompting +- generate_source_tarball.sh: Make tarball reproducible +- generate_source_tarball.sh: Prefix temporary directory with temp- +- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash +- generate_source_tarball.sh: shellcheck: Double-quote variable references +- generate_source_tarball.sh: shellcheck: Do not use -a +- generate_source_tarball.sh: shellcheck: Do not use $ in expression +- generate_source_tarball.sh: Remove temporary directory exit conditions + * Wed Dec 13 2023 Jiri Vanek - 1:17.0.9.0.9-3 - packing generated sources diff --git a/sources b/sources index 0c780d7..0e0ef4a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openjdk-17.0.9+9.tar.xz) = 33225a1070077c9504b4857734305f301e51b93a929274d460ddc3dc042ce15943030f8af928c11962743a928619ea39daa453d8fb1c8ea5a334a4b6490a00ee +SHA512 (openjdk-17.0.10+7.tar.xz) = 066acec5dbc76d753a3aba3a8a85ef477f9e379ebfd6338c5026e2f8b329b0a08f878fcbb7f6fdefba99ec45415ac22e01e7439831749816717adb1a0d8230d1