diff --git a/.gitignore b/.gitignore index d0f8b66..4663d5a 100644 --- a/.gitignore +++ b/.gitignore @@ -34,3 +34,4 @@ /openjdk-jdk17u-jdk-17.0.5+8.tar.xz /openjdk-jdk17u-jdk-17.0.6+1.tar.xz /openjdk-jdk17u-jdk-17.0.6+9.tar.xz +/openjdk-jdk17u-jdk-17.0.6+10.tar.xz diff --git a/NEWS b/NEWS index cce7454..5a69f0d 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,21 @@ Live versions of these release notes can be found at: * https://bitly.com/openjdk1706 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html +* CVEs + - CVE-2023-21835 + - CVE-2023-21843 +* Security fixes + - JDK-8286070: Improve UTF8 representation + - JDK-8286496: Improve Thread labels + - JDK-8287411: Enhance DTLS performance + - JDK-8288516: Enhance font creation + - JDK-8289350: Better media supports + - JDK-8293554: Enhanced DH Key Exchanges + - JDK-8293598: Enhance InetAddress address handling + - JDK-8293717: Objective view of ObjectView + - JDK-8293734: Improve BMP image handling + - JDK-8293742: Better Banking of Sounds + - JDK-8295687: Better BMP bounds * Other changes - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails 
@@ -252,10 +267,12 @@ Live versions of these release notes can be found at: - JDK-8295554: Move the "sizecalc.h" to the correct location - JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev - JDK-8295714: GHA ::set-output is deprecated and will be removed + - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error - JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor - JDK-8295952: Problemlist existing compiler/rtm tests also on x86 - JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM - JDK-8296108: (tz) Update Timezone Data to 2022f + - JDK-8296239: ISO 4217 Amendment 174 Update - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException - JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation 
@@ -278,10 +295,33 @@ Live versions of these release notes can be found at: - JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run - JDK-8297656: AArch64: Enable AES/GCM Intrinsics - JDK-8297804: (tz) Update Timezone Data to 2022g + - JDK-8299392: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.6 + - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR + - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java Notes on individual issues: =========================== +client-libs/javax.imageio: + +JDK-8295687: Better BMP bounds +============================== +Loading a linked ICC profile within a BMP image is now disabled by +default. To re-enable it, set the new system property +`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property +replaces the old property, +`sun.imageio.plugins.bmp.disableLinkedProfiles`. + +client-libs/javax.sound: + +JDK-8293742: Better Banking of Sounds +===================================== +Previously, the SoundbankReader implementation, +`com.sun.media.sound.JARSoundbankReader`, would download a JAR +soundbank from a URL. This behaviour is now disabled by default. To +re-enable it, set the new system property `jdk.sound.jarsoundbank` to +`true`. + security-libs/java.security: JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set 
@@ -302,6 +342,14 @@ the same change is made in third party modules. Developers of third party modules are advised to verify that their logout() method does not throw a NullPointerException. +security-libs/javax.net.ssl: + +JDK-8287411: Enhance DTLS performance +===================================== +The JDK now exchanges DTLS cookies for all handshakes, new and +resumed. The previous behaviour can be re-enabled by setting the new +system property `jdk.tls.enableDtlsResumeCookie` to `false`. + New in release OpenJDK 17.0.5 (2022-10-18): =========================================== Live versions of these release notes can be found at: diff --git a/fips-17u-72d08e3226f.patch b/fips-17u-257d544b594.patch similarity index 98% rename from fips-17u-72d08e3226f.patch rename to fips-17u-257d544b594.patch index a3daa18..6c03d6f 100644 --- a/fips-17u-72d08e3226f.patch +++ b/fips-17u-257d544b594.patch @@ -2644,7 +2644,7 @@ index 00000000000..55bbba98b7a +attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } + diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy -index b22f26947af..3ee2ce6ea88 100644 +index b22f26947af..02bea84e210 100644 --- a/src/java.base/share/lib/security/default.policy +++ b/src/java.base/share/lib/security/default.policy @@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" { 
@@ -2663,6 +2663,15 @@ index b22f26947af..3ee2ce6ea88 100644 permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; +@@ -140,6 +142,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read"; ++ permission java.util.PropertyPermission "fips.nssdb.path", "read,write"; ++ permission java.util.PropertyPermission "fips.nssdb.pin", "read"; + permission java.security.SecurityPermission "putProviderProperty.*"; + permission java.security.SecurityPermission "clearProviderProperties.*"; + permission java.security.SecurityPermission "removeProviderProperty.*"; diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c new file mode 100644 index 00000000000..ddf9befe5bc @@ -4120,7 +4129,7 @@ index 262cfc062ad..72b64f72c0a 100644 Provider p = sun; if (p == null) { diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index aa35e8fa668..f4d7c9cc201 100644 +index aa35e8fa668..1855e5631bd 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -26,6 +26,9 @@ 
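Review bot: The `fips.nssdb.path` grant carries `write` while `fips.nssdb.pin` is read-only, and nothing in the policy says why the asymmetry is needed, so a later hardening pass could plausibly narrow it to `read` and break the provider, which (per the SunPKCS11 hunk in this same patch) copies the security-property value into the system property at startup. I would put a one-line comment above the two new grants, `// write: SunPKCS11 mirrors the fips.nssdb.path security property into the system property at init`. Since `fips.nssdb.pin` is a credential exposed as a system property, it is also worth a comment that any codeBase granted `PropertyPermission "fips.nssdb.pin", "read"` can recover the PIN, and that if it is supplied with `-D` it will presumably show up in process listings and `VM.system_properties` output — confirm against how the PIN is expected to be provisioned. The `grant codeBase "jrt:/jdk.crypto.cryptoki"` block starts and ends outside this hunk's lines.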
@@ -4186,7 +4195,7 @@ index aa35e8fa668..f4d7c9cc201 100644 private static final long serialVersionUID = -1354835039035306505L; static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -115,6 +153,18 @@ public final class SunPKCS11 extends AuthProvider { +@@ -115,6 +153,29 @@ public final class SunPKCS11 extends AuthProvider { return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { @Override public SunPKCS11 run() throws Exception { @@ -4197,15 +4206,26 @@ index aa35e8fa668..f4d7c9cc201 100644 + * fips.nssdb.path System property after expansion. + * Security properties expansion is unsupported. + */ -+ System.setProperty( -+ FIPS_NSSDB_PATH_PROP, ++ String nssdbPath = + SecurityProperties.privilegedGetOverridable( -+ FIPS_NSSDB_PATH_PROP)); ++ FIPS_NSSDB_PATH_PROP); ++ if (System.getSecurityManager() != null) { ++ AccessController.doPrivileged( ++ (PrivilegedAction) () -> { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, ++ nssdbPath); ++ return null; ++ }); ++ } else { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, nssdbPath); ++ } + } return new SunPKCS11(new Config(newConfigName)); } }); -@@ -320,10 +370,19 @@ public final class SunPKCS11 extends AuthProvider { +@@ -320,10 +381,19 @@ public final class SunPKCS11 extends AuthProvider { // request multithreaded access first initArgs.flags = CKF_OS_LOCKING_OK; PKCS11 tmpPKCS11; @@ -4226,7 +4246,7 @@ index aa35e8fa668..f4d7c9cc201 100644 } catch (PKCS11Exception e) { if (debug != null) { debug.println("Multi-threaded initialization failed: " + e); -@@ -339,11 +398,12 @@ public final class SunPKCS11 extends AuthProvider { +@@ -339,11 +409,12 @@ public final class SunPKCS11 extends AuthProvider { initArgs.flags = 0; } tmpPKCS11 = PKCS11.getInstance(library, 
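Review bot: `System.setProperty(FIPS_NSSDB_PATH_PROP, nssdbPath)` is reached with whatever `privilegedGetOverridable` returns, and if that can be `null` when neither the system nor the security property is set (its contract is not visible in this hunk), `System.setProperty` throws a `NullPointerException` from inside the privileged block instead of a `ProviderException` naming the missing configuration; the previous inline form had the same gap, but now that the value is a named local a guard is cheap, e.g. `if (nssdbPath == null) { throw new ProviderException("FIPS: " + FIPS_NSSDB_PATH_PROP + " is not set"); }` before the branch. The `(PrivilegedAction) () -> {...}` cast is a raw type; `(PrivilegedAction<Void>) () -> {...}` removes the unchecked-conversion warning and documents the `null` return. The `if` block this code sits in begins before the hunk and its condition is not visible here, so I cannot tell whether a non-null value is already guaranteed at that point.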
@@ -4241,7 +4261,7 @@ index aa35e8fa668..f4d7c9cc201 100644 if (p11Info.cryptokiVersion.major < 2) { throw new ProviderException("Only PKCS#11 v2.0 and later " + "supported, library version is v" + p11Info.cryptokiVersion); -@@ -417,14 +477,19 @@ public final class SunPKCS11 extends AuthProvider { +@@ -417,14 +488,19 @@ public final class SunPKCS11 extends AuthProvider { final String className; final List aliases; final int[] mechanisms; @@ -4262,7 +4282,7 @@ index aa35e8fa668..f4d7c9cc201 100644 } private P11Service service(Token token, int mechanism) { return new P11Service -@@ -458,18 +523,29 @@ public final class SunPKCS11 extends AuthProvider { +@@ -458,18 +534,29 @@ public final class SunPKCS11 extends AuthProvider { private static void d(String type, String algorithm, String className, int[] m) { @@ -4295,7 +4315,7 @@ index aa35e8fa668..f4d7c9cc201 100644 } private static void register(Descriptor d) { -@@ -525,6 +601,7 @@ public final class SunPKCS11 extends AuthProvider { +@@ -525,6 +612,7 @@ public final class SunPKCS11 extends AuthProvider { String P11Cipher = "sun.security.pkcs11.P11Cipher"; String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher"; @@ -4303,7 +4323,7 @@ index aa35e8fa668..f4d7c9cc201 100644 String P11Signature = "sun.security.pkcs11.P11Signature"; String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature"; -@@ -587,6 +664,30 @@ public final class SunPKCS11 extends AuthProvider { +@@ -587,6 +675,30 @@ public final class SunPKCS11 extends AuthProvider { d(MAC, "SslMacSHA1", P11Mac, m(CKM_SSL3_SHA1_MAC)); @@ -4334,7 +4354,7 @@ index aa35e8fa668..f4d7c9cc201 100644 d(KPG, "RSA", P11KeyPairGenerator, getAliases("PKCS1"), m(CKM_RSA_PKCS_KEY_PAIR_GEN)); -@@ -685,6 +786,66 @@ public final class SunPKCS11 extends AuthProvider { +@@ -685,6 +797,66 @@ public final class SunPKCS11 extends AuthProvider { d(SKF, "ChaCha20", P11SecretKeyFactory, m(CKM_CHACHA20_POLY1305)); 
@@ -4401,7 +4421,7 @@ index aa35e8fa668..f4d7c9cc201 100644 // XXX attributes for Ciphers (supported modes, padding) dA(CIP, "ARCFOUR", P11Cipher, m(CKM_RC4)); -@@ -754,6 +915,46 @@ public final class SunPKCS11 extends AuthProvider { +@@ -754,6 +926,46 @@ public final class SunPKCS11 extends AuthProvider { d(CIP, "RSA/ECB/NoPadding", P11RSACipher, m(CKM_RSA_X_509)); @@ -4448,7 +4468,7 @@ index aa35e8fa668..f4d7c9cc201 100644 d(SIG, "RawDSA", P11Signature, List.of("NONEwithDSA"), m(CKM_DSA)); -@@ -1144,9 +1345,21 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1144,9 +1356,21 @@ public final class SunPKCS11 extends AuthProvider { if (ds == null) { continue; } @@ -4470,7 +4490,13 @@ index aa35e8fa668..f4d7c9cc201 100644 supportedAlgs.put(d, integerMech); continue; } -@@ -1225,6 +1438,27 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1220,11 +1444,52 @@ public final class SunPKCS11 extends AuthProvider { + } + + @Override ++ @SuppressWarnings("removal") + public Object newInstance(Object param) + throws NoSuchAlgorithmException { if (token.isValid() == false) { throw new NoSuchAlgorithmException("Token has been removed"); } @@ -4488,7 +4514,26 @@ index aa35e8fa668..f4d7c9cc201 100644 + * property. + */ + try { -+ token.ensureLoggedIn(null); ++ if (System.getSecurityManager() != null) { ++ try { ++ AccessController.doPrivileged( ++ (PrivilegedExceptionAction) () -> { ++ token.ensureLoggedIn(null); ++ return null; ++ }); ++ } catch (PrivilegedActionException pae) { ++ Exception e = pae.getException(); ++ if (e instanceof LoginException le) { ++ throw le; ++ } else if (e instanceof PKCS11Exception p11e) { ++ throw p11e; ++ } else { ++ throw new RuntimeException(e); ++ } ++ } ++ } else { ++ token.ensureLoggedIn(null); ++ } + } catch (PKCS11Exception | LoginException e) { + throw new ProviderException("FIPS: error during the Token" + + " login required for the " + getType() + 
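Review bot: In the `PrivilegedActionException` handler, a checked exception that is neither `LoginException` nor `PKCS11Exception` is rethrown as a bare `RuntimeException`, which bypasses the outer `catch (PKCS11Exception | LoginException e)` and so escapes `newInstance` without the "FIPS: error during the Token login required for ..." context and as a different type than the `ProviderException` callers of that path will be catching; I would wrap the remaining case the same way, `throw new ProviderException("FIPS: unexpected error during the Token login", e);`. The `(PrivilegedExceptionAction) () -> {...}` cast is a raw type; `(PrivilegedExceptionAction<Void>)` removes the unchecked warning. The `if (System.getSecurityManager() != null)` split duplicates the `token.ensureLoggedIn(null)` call in both branches; unless the branch exists to keep the no-SecurityManager path free of `AccessController`, a single `doPrivileged` call would behave the same and halve the code. `newInstance` continues past the end of this hunk.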
@@ -4498,7 +4543,7 @@ index aa35e8fa668..f4d7c9cc201 100644 try { return newInstance0(param); } catch (PKCS11Exception e) { -@@ -1244,6 +1478,8 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1244,6 +1509,8 @@ public final class SunPKCS11 extends AuthProvider { } else if (algorithm.endsWith("GCM/NoPadding") || algorithm.startsWith("ChaCha20-Poly1305")) { return new P11AEADCipher(token, algorithm, mechanism); @@ -4507,7 +4552,7 @@ index aa35e8fa668..f4d7c9cc201 100644 } else { return new P11Cipher(token, algorithm, mechanism); } -@@ -1579,6 +1815,9 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1579,6 +1846,9 @@ public final class SunPKCS11 extends AuthProvider { try { session = token.getOpSession(); p11.C_Logout(session.id()); diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec index add85d5..bb16ba8 100644 --- a/java-17-openjdk-portable.spec +++ b/java-17-openjdk-portable.spec @@ -384,14 +384,14 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 72d08e3226f +%global fipsver 257d544b594 # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 9 +%global buildver 10 %global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -418,7 +418,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 0 +%global is_ga 1 %if %{is_ga} %global build_type GA %global ea_designator "" 
@@ -554,7 +554,7 @@ ExcludeArch: %{ix86} Name: java-%{javaver}-%{origin}-portable Version: %{newjavaver}.%{buildver} -Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1 +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -687,6 +687,7 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # Add nss.fips.cfg support to OpenJDK tree # RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode # Remove forgotten dead code from RH2020290 and RH2104724 +# OJ1357: Fix issue on FIPS with a SecurityManager in place Patch1001: fips-17u-%{fipsver}.patch ############################################# @@ -1581,6 +1582,15 @@ done %endif %changelog +* Thu Jan 26 2023 Andrew Hughes - 1:17.0.6.0.10-1 +- Update to jdk-17.0.6.0+10 +- Update release notes to 17.0.6.0+10 +- Switch to GA mode for release + +* Thu Jan 19 2023 Andrew Hughes - 1:17.0.6.0.9-0.2.ea +- Update FIPS support to bring in latest changes +- * OJ1357: Fix issue on FIPS with a SecurityManager in place + * Thu Jan 19 2023 Andrew Hughes - 1:17.0.6.0.9-0.1.ea - Update to jdk-17.0.6+9 - Update release notes to 17.0.6+9 diff --git a/sources b/sources index 861eb78..bf52ee4 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.6+9.tar.xz) = bad612ec3b5cf9287b4fdfa4ae6618751e9d50e9347c66c87af9d9eba06276ef1c95abb1b72f381bc629d0e7f2a520fdd26cb6d7f782c517a16102c7dd236ca2 +SHA512 (openjdk-jdk17u-jdk-17.0.6+10.tar.xz) = 2878aae52e2f49146b9631e3b0379370dce1a0a620dc5c5b763d1432b82e705e3aa33a83008391b4845bf0cb493b08179e7ac3419f597fb80fd65df393e12cf1