April 2022 security update to jdk 17.0.3+7

Update release notes to 17.0.3.0+7
Update README.md and generate_source_tarball.sh to match CentOS
Switch to GA mode for release
JDK-8283911 patch no longer needed now we're GA...

.gitignore

@@ -23,3 +23,5 @@
 /openjdk-jdk17u-jdk-17.0.2+8.tar.xz
 /openjdk-jdk17u-jdk-17.0.3+1.tar.xz
 /openjdk-jdk17u-jdk-17.0.3+5.tar.xz
+/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
+/openjdk-jdk17u-jdk-17.0.3+7.tar.xz

NEWS

@@ -9,6 +9,25 @@ Live versions of these release notes can be found at:
   * https://bitly.com/openjdk1703
   * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt
 
+* Security fixes
+  - JDK-8269938: Enhance XML processing passes redux
+  - JDK-8270504, CVE-2022-21426: Better XPath expression handling
+  - JDK-8272255: Completely handle MIDI files
+  - JDK-8272261: Improve JFR recording file processing
+  - JDK-8272588: Enhanced recording parsing
+  - JDK-8272594: Better record of recordings
+  - JDK-8274221: More definite BER encodings
+  - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0
+  - JDK-8275151, CVE-2022-21443: Improved Object Identification
+  - JDK-8277227: Better identification of OIDs
+  - JDK-8277233, CVE-2022-21449: Improve ECDSA signature support
+  - JDK-8277672, CVE-2022-21434: Better invocation handler handling
+  - JDK-8278356: Improve file creation
+  - JDK-8278449: Improve keychain support
+  - JDK-8278798: Improve supported intrinsic
+  - JDK-8278805: Enhance BMP image loading
+  - JDK-8278972, CVE-2022-21496: Improve URL supports
+  - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
 * Other changes
   - JDK-8177814: jdk/editpad is not in jdk TEST.groups
   - JDK-8186670: Implement _onSpinWait() intrinsic for AArch64
@@ -79,7 +98,6 @@ Live versions of these release notes can be found at:
   - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler
   - JDK-8274935: dumptime_table has stale entry
   - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info
-  - JDK-8275082: Update XML Security for Java to 2.3.0
   - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
   - JDK-8275330: C2:  assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
   - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime
@@ -175,7 +193,11 @@ Live versions of these release notes can be found at:
   - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames
   - JDK-8281460: Let ObjectMonitor have its own NMT category
   - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
+  - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
+  - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
   - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods
+  - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
+  - JDK-8284920: Incorrect Token type causes XPath expression to return empty result
 
 Notes on individual issues:
 ===========================

README.md

@@ -1,10 +1,13 @@
-Package of LTS OpenJDK 17
-OpenJDK have release cadence of 6 months. but 3/4 of them are Short Term Supported for 6 months only. 
+OpenJDK 17 is the latest Long-Term Support (LTS) release of the Java platform.
 
-JDK17 is last LTS release of Java platform. It is bringing many cool improvements - http://openjdk.java.net/projects/jdk/17/ and is landing to your Fedora. Where it will be maintained for several years. You will always be allowed to install Used LTSs in build root, and alongside via alternatives. 
+* https://fedoraproject.org/wiki/Changes/Java17
 
-See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html
-See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf
+For a list of major changes from OpenJDK 11 (java-11-openjdk), see the upstream
+release page for OpenJDK 17 and the preceding interim releases:
 
-https://fedoraproject.org/wiki/Changes/Java17
-https://fedoraproject.org/wiki/Changes/java-11-openjdk-TechPreview
+* 12: https://openjdk.java.net/projects/jdk/12/
+* 13: https://openjdk.java.net/projects/jdk/13/
+* 14: https://openjdk.java.net/projects/jdk/14/
+* 15: https://openjdk.java.net/projects/jdk/15/
+* 16: https://openjdk.java.net/projects/jdk/16/
+* 17: https://openjdk.java.net/projects/jdk/17/

generate_source_tarball.sh

@@ -8,8 +8,8 @@
 #
 # In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg:
 # PROJECT_NAME=openjdk
-# REPO_NAME=jdk16
-# VERSION=HEAD
+# REPO_NAME=jdk17u
+# VERSION=jdk-17.0.3+5
 # or to eg prepare systemtap:
 # icedtea7's jstack and other tapsets
 # VERSION=6327cf1cea9e
@@ -130,7 +130,7 @@ pushd "${FILE_NAME_ROOT}"
                 # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag
                 # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823)
 		echo "PR3823 not found. Downloading..."
-		wget https://icedtea.classpath.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch
+		wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch
 	        echo "Applying ${PWD}/pr3823.patch"
 		patch -Np1 < pr3823.patch
 		rm pr3823.patch

java-17-openjdk.spec

@@ -333,7 +333,7 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        5
+%global buildver        7
 %global rpmrelease      1
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@@ -353,11 +353,14 @@
 # Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
 %global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
 
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
+
 # Define milestone (EA for pre-releases, GA for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
 # - N%%{?extraver}{?dist} for GA releases
-%global is_ga           0
+%global is_ga           1
 %if %{is_ga}
 %global build_type GA
 %global expected_ea_designator ""
@@ -1249,9 +1252,8 @@ License:  ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv
 URL:      http://openjdk.java.net/
 
 
-# to regenerate source0 (jdk) run update_package.sh
-# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz
+# The source tarball, generated using generate_source_tarball.sh
+Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
 
 # Use 'icedtea_sync.sh' to update the following
 # They are based on code contained in the IcedTea project (6.x).
@@ -1342,8 +1344,6 @@ Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch
 #############################################
 # JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
 Patch7: jdk8282004-x86_32-missing_call_effects.patch
-# JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
-Patch2001: jdk8283911-default_promoted_version_pre.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -1769,8 +1769,6 @@ popd # openjdk
 %patch1017
 %patch1018
 
-%patch2001
-
 # Extract systemtap tapsets
 %if %{with_systemtap}
 tar --strip-components=1 -x -I xz -f %{SOURCE8}
@@ -2541,6 +2539,13 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Sun Apr 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-1
+- April 2022 security update to jdk 17.0.3+7
+- Update release notes to 17.0.3.0+7
+- Update README.md and generate_source_tarball.sh to match CentOS
+- Switch to GA mode for release
+- JDK-8283911 patch no longer needed now we're GA...
+
 * Wed Apr 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.5-0.1.ea
 - Update to jdk-17.0.3.0+5
 - Update release notes to 17.0.3.0+5

jdk8283911-default_promoted_version_pre.patch

@@ -1,16 +0,0 @@
-commit 37807a694f89611f60880260d2bb7162908bc0c8
-Author: Andrew Hughes <gnu.andrew@redhat.com>
-Date:   Wed Mar 30 04:19:43 2022 +0100
-
-    8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
-
-diff --git openjdk.orig/make/conf/version-numbers.conf openjdk/make/conf/version-numbers.conf
-index 71b19762f2e..7378ec67a48 100644
---- openjdk.orig/make/conf/version-numbers.conf
-+++ openjdk/make/conf/version-numbers.conf
-@@ -39,4 +39,4 @@ DEFAULT_VERSION_CLASSFILE_MINOR=0
- DEFAULT_VERSION_DOCS_API_SINCE=11
- DEFAULT_ACCEPTABLE_BOOT_VERSIONS="16 17"
- DEFAULT_JDK_SOURCE_TARGET_VERSION=17
--DEFAULT_PROMOTED_VERSION_PRE=
-+DEFAULT_PROMOTED_VERSION_PRE=ea

sources

@@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.3+5.tar.xz) = a08bc4a014493ad75594f1370ffc03852fa0601c3c9552c23b117a6f1f7f3b6b9689b3a2f5b52707875171ca60ebe3f3b0b453b9c31d9a946a322de85e4f1160
+SHA512 (openjdk-jdk17u-jdk-17.0.3+7.tar.xz) = 9f6aa266ff26bee08a6c6e9060f616d0acd0613567526463386ee7a8b7ad367a1347b9d6db6e05d73f20bf08d02e8650e33ccd83c8e62587710d885191d1b567