From fffa4e0c72e89df6978a6a78cf6f8a454d87cb3e Mon Sep 17 00:00:00 2001 From: panxuefeng Date: Wed, 9 Aug 2023 14:24:38 +0800 Subject: [PATCH 1/4] init package --- CheckVendor.java | 65 + NEWS | 4303 +++++++++++++++++ README.md | 11 - TestCryptoLevel.java | 72 + TestECDSA.java | 49 + TestSecurityProperties.java | 84 + TestTranslations.java | 160 + fips-11u-9087e80d0ab.patch | 1610 ++++++ java-11-openjdk.spec | 3920 +++++++++++++++ jconsole.desktop.in | 10 + nss.cfg.in | 5 + nss.fips.cfg.in | 8 + remove-intree-libraries.sh | 166 + ...sible_toolkit_crash_do_not_break_jvm.patch | 18 + ...ut_nss_cfg_provider_to_java_security.patch | 12 + ...va_access_bridge_privileged_security.patch | 20 + rh1750419-redhat_alt_java.patch | 116 + rh1842572-rsa_default_for_keytool.patch | 12 + ...eg_turbo_1_4_compat_for_jdk10_and_up.patch | 19 + 19 files changed, 10649 insertions(+), 11 deletions(-) create mode 100644 CheckVendor.java create mode 100644 NEWS delete mode 100644 README.md create mode 100644 TestCryptoLevel.java create mode 100644 TestECDSA.java create mode 100644 TestSecurityProperties.java create mode 100644 TestTranslations.java create mode 100644 fips-11u-9087e80d0ab.patch create mode 100644 java-11-openjdk.spec create mode 100644 jconsole.desktop.in create mode 100644 nss.cfg.in create mode 100644 nss.fips.cfg.in create mode 100644 remove-intree-libraries.sh create mode 100644 rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch create mode 100644 rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch create mode 100644 rh1648644-java_access_bridge_privileged_security.patch create mode 100644 rh1750419-redhat_alt_java.patch create mode 100644 rh1842572-rsa_default_for_keytool.patch create mode 100644 rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch diff --git a/CheckVendor.java b/CheckVendor.java new file mode 100644 index 0000000..29b296b --- /dev/null +++ b/CheckVendor.java @@ -0,0 +1,65 @@ +/* CheckVendor -- Check the vendor properties match specified values. + Copyright (C) 2020 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +/** + * @test + */ +public class CheckVendor { + + public static void main(String[] args) { + if (args.length < 4) { + System.err.println("CheckVendor "); + System.exit(1); + } + + String vendor = System.getProperty("java.vendor"); + String expectedVendor = args[0]; + String vendorURL = System.getProperty("java.vendor.url"); + String expectedVendorURL = args[1]; + String vendorBugURL = System.getProperty("java.vendor.url.bug"); + String expectedVendorBugURL = args[2]; + String vendorVersionString = System.getProperty("java.vendor.version"); + String expectedVendorVersionString = args[3]; + + if (!expectedVendor.equals(vendor)) { + System.err.printf("Invalid vendor %s, expected %s\n", + vendor, expectedVendor); + System.exit(2); + } + + if (!expectedVendorURL.equals(vendorURL)) { + System.err.printf("Invalid vendor URL %s, expected %s\n", + vendorURL, expectedVendorURL); + System.exit(3); + } + + if (!expectedVendorBugURL.equals(vendorBugURL)) { + System.err.printf("Invalid vendor bug URL %s, expected %s\n", + vendorBugURL, expectedVendorBugURL); + System.exit(4); + } + + if (!expectedVendorVersionString.equals(vendorVersionString)) { + System.err.printf("Invalid vendor version string %s, expected %s\n", + vendorVersionString, expectedVendorVersionString); + System.exit(5); + } + + System.err.printf("Vendor information verified as %s, %s, %s, %s\n", + vendor, vendorURL, vendorBugURL, vendorVersionString); + } +} diff --git a/NEWS b/NEWS new file mode 100644 index 0000000..e03d474 --- /dev/null +++ b/NEWS @@ -0,0 +1,4303 @@ +Key: + +JDK-X - https://bugs.openjdk.java.net/browse/JDK-X +CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY + +New in release OpenJDK 11.0.18 (2023-01-17): +============================================= +Live versions of these release notes can be found at: + * https://bit.ly/openjdk11018 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.18.html + +* CVEs + - CVE-2023-21835 + - CVE-2023-21843 +* Security fixes + - JDK-8286070: Improve UTF8 representation + - JDK-8286496: Improve Thread labels + - JDK-8287411: Enhance DTLS performance + - JDK-8288516: Enhance font creation + - JDK-8289350: Better media supports + - JDK-8293554: Enhanced DH Key Exchanges + - JDK-8293598: Enhance InetAddress address handling + - JDK-8293717: Objective view of ObjectView + - JDK-8293734: Improve BMP image handling + - JDK-8293742: Better Banking of Sounds + - JDK-8295687: Better BMP bounds +* Other changes + - JDK-4819544: SwingSet2 JTable Demo throws NullPointerException + - JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider + - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows + - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails + - JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails + - JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed + - JDK-8029633: Raw inner class constructor ref should not perform diamond inference + - JDK-8030121: java/awt/dnd/MissingDragExitEventTest/MissingDragExitEventTest.java fails + - JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails + - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails + - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java + - JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/MultiresolutionIconTest.java + - JDK-8172269: When checking the default behaviour for a scroll tab layout and checking the 'opaque' checkbox, the area behind tabs is not red. + - JDK-8178698: javax/sound/midi/Sequencer/MetaCallback.java failed with timeout + - JDK-8193942: Regression automated test '/open/test/jdk/javax/swing/JFrame/8175301/ScaledFrameBackgroundTest.java' fails + - JDK-8194126: Regression automated Test '/open/test/jdk/javax/swing/JColorChooser/Test7194184.java' fails + - JDK-8198343: Test java/awt/print/PrinterJob/TestPgfmtSetMPA.java may fail w/o printer + - JDK-8199290: [TESTBUG] sun.hotspot.WhiteBox$WhiteBoxPermission is not copied + - JDK-8202836: [macosx] test java/awt/Graphics/TextAAHintsTest.java fails + - JDK-8206125: [windows] cannot pass relative path to --with-boot-jdk + - JDK-8210047: some pages contain content outside of landmark region + - JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values + - JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch + - JDK-8213239: Configure cannot handle command overrides with arguments + - JDK-8215571: jdb does not include jdk.* in the default class filter + - JDK-8217032: Check pandoc capabilities in configure + - JDK-8222091: Javadoc does not handle package annotations correctly on package-info.java + - JDK-8222251: preflow visitor is not visiting lambda expressions + - JDK-8226236: win32: gc/metaspace/TestCapacityUntilGCWrapAround.java fails + - JDK-8227179: Test for new gc+metaspace=info output format + - JDK-8227651: Tests fail with SSLProtocolException: Input record too big + - JDK-8228672: [TESTBUG] gc/metaspace/TestSizeTransitions.java fails on 32-bit platforms + - JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on macOs + - JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java fails on macos + - JDK-8233565: [TESTBUG] NullModalityDialogTest.java fails on MacOS + - JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on macos + - JDK-8239708: Split basics.m4 into basic.m4 and util.m4 + - JDK-8240281: Remove failing assertion code when selecting first memory state in SuperWord::co_locate_pack + - JDK-8242468: VS2019 build missing vcruntime140_1.dll + - JDK-8243565: some gc tests use 'test.java.opts' and not 'test.vm.opts' + - JDK-8243568: serviceability/logging/TestLogRotation.java uses 'test.java.opts' and not 'test.vm.opts' + - JDK-8244010: Simplify usages of ProcessTools.createJavaProcessBuilder in our tests + - JDK-8244557: test/jdk/javax/swing/JTabbedPane/TestBackgroundScrollPolicy.java failed + - JDK-8247676: vcruntime140_1.dll is not needed on 32-bit Windows + - JDK-8249694: java/lang/StringBuffer/HugeCapacity.java and j/l/StringBuilder/HugeCapacity.java tests shouldn't be @ignore-d + - JDK-8253877: gc/g1/TestGCLogMessages.java fails - missing "Evacuation failure" message + - JDK-8254874: ZGC: JNIHandleBlock verification failure in stack watermark processing + - JDK-8254976: Re-enable swing jtreg tests which were broken due to samevm mode + - JDK-8255439: System Tray icons get corrupted when Windows scaling changes + - JDK-8256109: Create implementation for NSAccessibilityButton protocol + - JDK-8257679: Improved unix compatibility layer in Windows build (winenv) + - JDK-8257722: Improve "keytool -printcert -jarfile" output + - JDK-8258005: JDK build fails with incorrect fixpath script + - JDK-8259485: Document need for short paths when building on Windows + - JDK-8260272: bash configure --prefix does not work after JDK-8257679 + - JDK-8261336: IGV: enhance default filters + - JDK-8261445: Use memory_order_relaxed for os::random(). + - JDK-8261758: [TESTBUG] gc/g1/TestGCLogMessages.java fails if ergonomics detect too small InitialHeapSize + - JDK-8263326: Remove ReceiverTypeData check from serviceability/sa/TestPrintMdo.java + - JDK-8263871: On sem_destroy() failing we should assert + - JDK-8264593: debug.cpp utilities should be available in product builds. + - JDK-8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class + - JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint + - JDK-8266967: debug.cpp utility find() should print Java Object fields. + - JDK-8268361: Fix the infinite loop in next_line + - JDK-8268860: Windows-Aarch64 build is failing in GitHub actions + - JDK-8268893: jcmd to trim the glibc heap + - JDK-8269029: compiler/codegen/TestCharVect2.java fails for client VMs + - JDK-8269873: serviceability/sa/Clhsdb tests are using a C2 specific VMStruct field + - JDK-8272123: Problem list 4 jtreg tests which regularly fail on macos-aarch64 + - JDK-8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints + - JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368 + - JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails on macOS 12 + - JDK-8273685: Remove jtreg tag manual=yesno for java/awt/Graphics/LCDTextAndGraphicsState.java & show test instruction + - JDK-8274029: Remove jtreg tag manual=yesno for java/awt/print/Dialog/DialogOrient.java + - JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ImageTypes.java & show test UI + - JDK-8274296: Update or Problem List tests which may fail with uiScale=2 on macOS + - JDK-8274456: Remove jtreg tag manual=yesno java/awt/print/PrinterJob/PageDialogTest.java + - JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening + - JDK-8274597: Some of the dnd tests time out and fail intermittently + - JDK-8275170: Some jtreg sound tests should be marked with sound keyword + - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked + - JDK-8276841: Add support for Visual Studio 2022 + - JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points + - JDK-8277497: Last column cell in the JTable row is read as empty cell + - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode + - JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java fails with "tag mismatch" + - JDK-8279066: entries.remove(entry) is useless in PKCS12KeyStore + - JDK-8279695: [TESTBUG] modify compiler/loopopts/TestSkeletonPredicateNegation.java to run on C1 also + - JDK-8280158: New test from JDK-8274736 failed with/without patch in JDK11u + - JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound + - JDK-8280863: Update build README to reflect that MSYS2 is supported + - JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR + - JDK-8280948: Write a regression test for JDK-4659800 + - JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix + - JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950 + - JDK-8281296: Create a regression test for JDK-4515999 + - JDK-8281297: TestStressG1Humongous fails with guarantee(is_range_uncommitted) + - JDK-8282046: Create a regression test for JDK-8000326 + - JDK-8282276: Problem list failing two Robot Screen Capture tests + - JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid link access + - JDK-8282345: handle latest VS2022 in abstract_vm_version + - JDK-8282402: Create a regression test for JDK-4666101 + - JDK-8282640: Create a test for JDK-4740761 + - JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/LoadUnloadGC2.java fails intermittently with exit code 1 + - JDK-8282730: LdapLoginModule throw NPE from logout method after login failure + - JDK-8282777: Create a Regression test for JDK-4515031 + - JDK-8282778: Create a regression test for JDK-4699544 + - JDK-8282857: Create a regression test for JDK-4702690 + - JDK-8282936: Write a regression test for JDK-4615365 + - JDK-8282937: Write a regression test for JDK-4820080 + - JDK-8283199: Linux os::cpu_microcode_revision() stalls cold startup + - JDK-8283422: Create a new test for JDK-8254790 + - JDK-8284294: Create an automated regression test for RFE 4138746 + - JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph + - JDK-8284521: Write an automated regression test for RFE 4371575 + - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox + - JDK-8284732: FFI_GO_CLOSURES macro not defined but required for zero build on Mac OS X + - JDK-8284752: Zero does not build on Mac OS X due to missing os::current_thread_enable_wx implementation + - JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown" + - JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java + - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist + - JDK-8285305: Create an automated test for JDK-4495286 + - JDK-8285373: Create an automated test for JDK-4702233 + - JDK-8285604: closed sun/java2d/GdiRendering/ClipShapeRendering.java failed with "Incorrect color ffeeeeee instead of ff0000ff in pixel (100, 100)" + - JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java manual test + - JDK-8285698: Create a test to check the focus stealing of JPopupMenu from JComboBox + - JDK-8285794: AsyncGetCallTrace might acquire a lock via JavaThread::thread_from_jni_environment + - JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server" + - JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine + - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3 + - JDK-8286663: Resolve IDE warnings in WTrayIconPeer and SystemTray + - JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/DropTargetInInternalFrameTest.html times out and fails in Windows + - JDK-8286872: Refactor add/modify notification icon (TrayIcon) + - JDK-8287076: Document.normalizeDocument() produces different results + - JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn + - JDK-8287425: Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path + - JDK-8287609: macOS: SIGSEGV at [CoreFoundation] CFArrayGetCount / sun.font.CFont.getTableBytesNative + - JDK-8287724: Fix various issues with msys2 + - JDK-8287826: javax/accessibility/4702233/AccessiblePropertiesTest.java fails to compile + - JDK-8287895: Some langtools tests fail on msys2 + - JDK-8287896: PropertiesTest.sh fail on msys2 + - JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows + - JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier + - JDK-8288132: Update test artifacts in QuoVadis CA interop tests + - JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit compiling xerces + - JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env variable + - JDK-8288445: AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding + - JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ... + - JDK-8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305 + - JDK-8289043: C2: Vector constant materialization attempt + - JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java fails on linux ppc64le machine with missing Memory and Swap Limit output + - JDK-8290207: Missing notice in dom.md + - JDK-8290209: jcup.md missing additional text + - JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1 + - JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure + - JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" + - JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize + - JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses + - JDK-8291459: JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*) + - JDK-8291461: assert(false) failed: bad AD file + - JDK-8292083: Detected container memory limit may exceed physical machine memory + - JDK-8292158: AES-CTR cipher state corruption with AVX-512 + - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory + - JDK-8292682: Code change of JDK-8282730 not updated to reflect CSR update + - JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free + - JDK-8292866: Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check MultiByteToWideChar return value for failures + - JDK-8292887: Bump update version for OpenJDK: jdk-11.0.18 + - JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform + - JDK-8293044: C1: Missing access check on non-accessible class + - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present + - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts + - JDK-8293578: Duplicate ldc generated by javac + - JDK-8293672: Update freetype md file + - JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent + - JDK-8293826: Closed test fails after JDK-8276108 on aarch64 + - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening + - JDK-8293834: Update CLDR data following tzdata 2022c update + - JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC + - JDK-8294138: [11u] Revert change from JDK-8210962 in basic.m4 + - JDK-8294307: ISO 4217 Amendment 173 Update + - JDK-8294357: (tz) Update Timezone Data to 2022d + - JDK-8294578: [PPC64] C2: Missing is_oop information when using disjoint compressed oops mode + - JDK-8294740: Add cgroups keyword to TestDockerBasic.java + - JDK-8295173: (tz) Update Timezone Data to 2022e + - JDK-8295288: Some vm_flags tests associate with a wrong BugID + - JDK-8295322: Tests for JDK-8271459 were not backported to 11u + - JDK-8295429: Update harfbuzz md file + - JDK-8295469: S390X: Optimized builds are broken + - JDK-8295554: Move the "sizecalc.h" to the correct location + - JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev + - JDK-8295714: GHA ::set-output is deprecated and will be removed + - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error + - JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor + - JDK-8295952: Problemlist existing compiler/rtm tests also on x86 + - JDK-8296108: (tz) Update Timezone Data to 2022f + - JDK-8296239: ISO 4217 Amendment 174 Update + - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing + - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException + - JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation + - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent + - JDK-8296652: Restore windows aarch64 fixpath patch that was removed in 8239708 + - JDK-8296715: CLDR v42 update for tzdata 2022f + - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2 + - JDK-8297147: UnexpectedSourceImageSize test times out on slow machines when fastdebug is used + - JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails again + - JDK-8297241: Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java + - JDK-8297481: Create a regression test for JDK-4424517 + - JDK-8297656: AArch64: Enable AES/GCM Intrinsics + - JDK-8297804: (tz) Update Timezone Data to 2022g + - JDK-8298737: 8296772 backport to jdk11u caused build error on sparc + - JDK-8299393: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.18 + - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR + - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java + - JDK-8299616: [11u] Bootcycle build fails after JDK-8257679 backport + +Notes on individual issues: +=========================== + +client-libs/javax.imageio: + +JDK-8295687: Better BMP bounds +============================== +Loading a linked ICC profile within a BMP image is now disabled by +default. To re-enable it, set the new system property +`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property +replaces the old property, +`sun.imageio.plugins.bmp.disableLinkedProfiles`. + +client-libs/javax.sound: + +JDK-8293742: Better Banking of Sounds +===================================== +Previously, the SoundbankReader implementation, +`com.sun.media.sound.JARSoundbankReader`, would download a JAR +soundbank from a URL. This behaviour is now disabled by default. To +re-enable it, set the new system property `jdk.sound.jarsoundbank` to +`true`. + +security-libs/javax.crypto: + +JDK-6782021: Windows KeyStore Updated to Include Access to the Local Machine Location +===================================================================================== +The Windows KeyStore support in the SunMSCAPI provider has been +expanded to include access to the local machine location. The new +keystore types are: + +* "Windows-MY-LOCALMACHINE" +* "Windows-ROOT-LOCALMACHINE" + +The following keystore types were also added, allowing developers to +make it clear they map to the current user: + +* "Windows-MY-CURRENTUSER" (same as "Windows-MY") +* "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT") + +security-libs/java.security: + +JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set +========================================================================================================== +Back in OpenJDK 9, JDK-8015081 changed the Set implementation used to +hold principals and credentials so that it rejected null +values. Attempts to call add(null), contains(null) or remove(null) +were changed to throw a NullPointerException. + +However, the logout() methods in the LoginModule implementations +within the JDK were not updated to check for null values, which may +occur in the event of a failed login. As a result, a logout() call may +throw a NullPointerException. + +The LoginModule implementations have now been updated with such checks +and an implementation note added to the specification to suggest that +the same change is made in third party modules. Developers of third +party modules are advised to verify that their logout() method does not +throw a NullPointerException. + +security-libs/javax.net.ssl: + +JDK-8287411: Enhance DTLS performance +===================================== +The JDK now exchanges DTLS cookies for all handshakes, new and +resumed. The previous behaviour can be re-enabled by setting the new +system property `jdk.tls.enableDtlsResumeCookie` to `false`. + +New in release OpenJDK 11.0.17 (2022-10-18): +============================================= +Live versions of these release notes can be found at: + * https://bit.ly/openjdk11017 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.17.html + +* Security fixes + - JDK-8282252: Improve BigInteger/Decimal validation + - JDK-8285662: Better permission resolution + - JDK-8286077, CVE-2022-21618: Wider MultiByte conversions + - JDK-8286511: Improve macro allocation + - JDK-8286519: Better memory handling + - JDK-8286526, CVE-2022-21619: Improve NTLM support + - JDK-8286533, CVE-2022-21626: Key X509 usages + - JDK-8286910, CVE-2022-21624: Improve JNDI lookups + - JDK-8286918, CVE-2022-21628: Better HttpServer service + - JDK-8287446: Enhance icon presentations + - JDK-8288508: Enhance ECDSA usage + - JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage + - JDK-8289853: Update HarfBuzz to 4.4.1 + - JDK-8290334: Update FreeType to 2.12.1 + - JDK-8293429: [11u] minor update in attribute style +* Other changes + - JDK-6606767: resexhausted00[34] fail assert(!thread->owns_locks(), "must release all locks when leaving VM") + - JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7 + - JDK-7131823: bug in GIFImageReader + - JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac + - JDK-8028265: Add legacy tz tests to OpenJDK + - JDK-8069343: Improve gc/g1/TestHumongousCodeCacheRoots.java to use jtreg @requires + - JDK-8139348: Deprecate 3DES and RC4 in Kerberos + - JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java + - JDK-8164804: sun/security/ssl/SSLSocketImpl/CloseSocket.java makes not reliable time assumption + - JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes! + - JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad" + - JDK-8183372: Refactor java/lang/Class shell tests to java + - JDK-8186143: keytool -ext option doesn't accept wildcards for DNS subject alternative names + - JDK-8193462: Fix Filer handling of package-info initial elements + - JDK-8203277: preflow visitor used during lambda attribution shouldn't visit class definitions inside the lambda body + - JDK-8208471: nsk/jdb/unwatch/unwatch002/unwatch002.java fails with "Prompt is not received during 300200 milliseconds" + - JDK-8209052: Low contrast in docs/api/constant-values.html + - JDK-8209736: runtime/RedefineTests/ModifyAnonymous.java fails with NullPointerException when running in CDS mode + - JDK-8210107: vmTestbase/nsk/stress/network tests fail with Cannot assign requested address (Bind failed) + - JDK-8210722: JAXP Tests: CatalogSupport2 and CatalogSupport3 generate incorrect messages upon failure + - JDK-8210960: Allow --with-boot-jdk-jvmargs to work during configure + - JDK-8212904: JTextArea line wrapping incorrect when using UI scale + - JDK-8213695: gc/TestAllocateHeapAtMultiple.java is slow in some configs + - JDK-8214078: (fs) SecureDirectoryStream not supported on arm32 + - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount() + - JDK-8215291: Broken links when generating from project without modules + - JDK-8217170: gc/arguments/TestUseCompressedOopsErgo.java timed out + - JDK-8217332: JTREG: Clean up, use generics instead of raw types + - JDK-8218128: vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted003 and 004 use wrong path to test classes + - JDK-8218413: make reconfigure ignores configure-time AUTOCONF environment variable + - JDK-8219074: [TESTBUG] runtime/containers/docker/TestCPUAwareness.java typo of printing parameters (period should be shares) + - JDK-8219149: ProcessTools.ProcessBuilder should print timing info for subprocesses + - JDK-8220744: [TESTBUG] Move RedefineTests from runtime to serviceability + - JDK-8221871: javadoc should not set role=region on
elements + - JDK-8221907: make reconfigure breaks when configured with relative paths + - JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues + - JDK-8223575: add subspace transitions to gc+metaspace=info log lines + - JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled. + - JDK-8226976: SessionTimeOutTests uses == operator for String value check + - JDK-8230708: Hotspot fails to build on linux-sparc with gcc-9 + - JDK-8233712: Limit default tests jobs based on ulimit -u setting + - JDK-8235870: C2 crashes in IdealLoopTree::est_loop_flow_merge_sz() + - JDK-8236490: Compiler bug relating to @NonNull annotation + - JDK-8236823: Ensure that API documentation uses minified libraries + - JDK-8238196: tests that use SA Attach should not be allowed to run against signed binaries on Mac OS X 10.14.5 and later + - JDK-8238203: Return value of GetUserDefaultUILanguage() should be handled as LANGID + - JDK-8238268: Many SA tests are not running on OSX because they do not attempt to use sudo when available + - JDK-8238586: [TESTBUG] vmTestbase/jit/tiered/Test.java failed when TieredCompilation is disabled + - JDK-8239265: JFR: Test cleanup of jdk.jfr.api.consumer package + - JDK-8239379: ProblemList serviceability/sa/sadebugd/DebugdConnectTest.java on OSX + - JDK-8239423: jdk/jfr/jvm/TestJFRIntrinsic.java failed with -XX:-TieredCompilation + - JDK-8239902: [macos] Remove direct usage of JSlider, JProgressBar classes in CAccessible class + - JDK-8240903: Add test to check that jmod hashes are reproducible + - JDK-8242188: error in jtreg test jdk/jfr/api/consumer/TestRecordedFrame.java on linux-aarch64 + - JDK-8247546: Pattern matching does not skip correctly over supplementary characters + - JDK-8247907: XMLDsig logging does not work + - JDK-8247964: All log0() in com/sun/org/slf4j/internal/Logger.java should be private + - JDK-8249623: test @ignore-d due to 7013634 should be returned back to execution + - JDK-8251152: ARM32: jtreg c2 Test8202414 test crash + - JDK-8251551: Use .md filename extension for README + - JDK-8252145: Unify Info.plist files with correct version strings + - JDK-8253829: Wrong length compared in SSPI bridge + - JDK-8253916: ResourceExhausted/resexhausted001 crashes on Linux-x64 + - JDK-8254178: Remove .hgignore + - JDK-8254318: Remove .hgtags + - JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline + - JDK-8255729: com.sun.tools.javac.processing.JavacFiler.FilerOutputStream is inefficient + - JDK-8257623: vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted001/TestDescription.java shouldn't use timeout + - JDK-8258946: Fix optimization-unstable code involving signed integer overflow + - JDK-8261160: Add a deserialization JFR event + - JDK-8262085: Hovering Metal HTML Tooltips in different windows cause IllegalArgExc on Linux + - JDK-8264400: (fs) WindowsFileStore equality depends on how the FileStore was constructed + - JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly. + - JDK-8265020: tests must be updated for new TestNG module name + - JDK-8265100: (fs) WindowsFileStore.hashCode() should read cached hash code once + - JDK-8265531: doc/building.md should mention homebrew install freetype + - JDK-8266250: WebSocketTest and WebSocketProxyTest call assertEquals(List, List) + - JDK-8266254: Update to use jtreg 6 + - JDK-8266460: java.io tests fail on null stream with upgraded jtreg/TestNG + - JDK-8266461: tools/jmod/hashes/HashesTest.java fails: static @Test methods + - JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups + - JDK-8266675: Optimize IntHashTable for encapsulation and ease of use + - JDK-8266774: System property values for stdout/err on Windows UTF-8 + - JDK-8266881: Enable debug log for SSLEngineExplorerMatchedSNI.java + - JDK-8267180: Typo in copyright header for HashesTest + - JDK-8267271: Fix gc/arguments/TestNewRatioFlag.java expectedNewSize calculation + - JDK-8267880: Upgrade the default PKCS12 MAC algorithm + - JDK-8268185: Update GitHub Actions for jtreg 6 + - JDK-8269039: Disable SHA-1 Signed JARs + - JDK-8269517: compiler/loopopts/TestPartialPeelingSinkNodes.java crashes with -XX:+VerifyGraphEdges + - JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections + - JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java + - JDK-8271010: vmTestbase/gc/lock/malloc/malloclock04/TestDescription.java crashes intermittently + - JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest + - JDK-8271512: ProblemList serviceability/sa/sadebugd/DebugdConnectTest.java due to 8270326 + - JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8 + - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage() + - JDK-8273526: Extend the OSContainer API pids controller with pids.current + - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root + - JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false] + - JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend + - JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11 + - JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test + - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled + - JDK-8277893: Arraycopy stress tests + - JDK-8278067: Make HttpURLConnection default keep alive timeout configurable + - JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output + - JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null" + - JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4 + - JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344 + - JDK-8279622: C2: miscompilation of map pattern as a vector reduction + - JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method + - JDK-8281181: Do not use CPU Shares to compute active processor count + - JDK-8281535: Create a regression test for JDK-4670051 + - JDK-8281569: Create tests for Frame.setMinimumSize() method + - JDK-8281628: KeyAgreement : generateSecret intermittently not resetting + - JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button + - JDK-8281745: Create a regression test for JDK-4514331 + - JDK-8281988: Create a regression test for JDK-4618767 + - JDK-8282214: Upgrade JQuery to version 3.6.0 + - JDK-8282234: Create a regression test for JDK-4532513 + - JDK-8282280: Update Xerces to Version 2.12.2 + - JDK-8282343: Create a regression test for JDK-4518432 + - JDK-8282538: PKCS11 tests fail on CentOS Stream 9 + - JDK-8282548: Create a regression test for JDK-4330998 + - JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc + - JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767 + - JDK-8282860: Write a regression test for JDK-4164779 + - JDK-8282933: Create a test for JDK-4529616 + - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions + - JDK-8283015: Create a test for JDK-4715496 + - JDK-8283017: GHA: Workflows break with update release versions + - JDK-8283087: Create a test or JDK-4715503 + - JDK-8283245: Create a test for JDK-4670319 + - JDK-8283277: ISO 4217 Amendment 171 Update + - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int) + - JDK-8283493: Create an automated regression test for RFE 4231298 + - JDK-8283507: Create a regression test for RFE 4287690 + - JDK-8283621: Write a regression test for CCC4400728 + - JDK-8283623: Create an automated regression test for JDK-4525475 + - JDK-8283624: Create an automated regression test for RFE-4390885 + - JDK-8283712: Create a manual test framework class + - JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test + - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee + - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode + - JDK-8284077: Create an automated test for JDK-4170173 + - JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1 + - JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception + - JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset + - JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice + - JDK-8284754: print more interesting env variables in hs_err and VM.info + - JDK-8284758: [linux] improve print_container_info + - JDK-8284882: SIGSEGV in Node::verify_edges due to compilation bailout + - JDK-8284898: Enhance PassFailJFrame + - JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization + - JDK-8284950: CgroupV1 detection code should consider memory.swappiness + - JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment + - JDK-8285081: Improve XPath operators count accuracy + - JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java + - JDK-8285380: Fix typos in security + - JDK-8285398: Cache the results of constraint checks + - JDK-8285693: Create an automated test for JDK-4702199 + - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null + - JDK-8285728: Alpine Linux build fails with busybox tar + - JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090 + - JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java + - JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure + - JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5 + - JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache + - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled + - JDK-8287017: Bump update version for OpenJDK: jdk-11.0.17 + - JDK-8287073: NPE from CgroupV2Subsystem.getInstance() + - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller + - JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event + - JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver + - JDK-8287336: GHA: Workflows break on patch versions + - JDK-8287366: Improve test failure reporting in GHA + - JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node + - JDK-8287463: JFR: Disable TestDevNull.java on Windows + - JDK-8287663: Add a regression test for JDK-8287073 + - JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run + - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete + - JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes + - JDK-8288467: remove memory_operand assert for spilled instructions + - JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp + - JDK-8288763: Pack200 extraction failure with invalid size + - JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small + - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses + - JDK-8288928: Incorrect GPL header in pnglibconf.h (backport of JDK-8185041) + - JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java + - JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc + - JDK-8289486: Improve XSLT XPath operators count efficiency + - JDK-8289549: ISO 4217 Amendment 172 Update + - JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl + - JDK-8289799: Build warning in methodData.cpp memset zero-length parameter + - JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060 + - JDK-8290000: Bump macOS GitHub actions to macOS 11 + - JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC + - JDK-8290198: Shenandoah: a few Shenandoah tests failure after JDK-8214799 11u backport + - JDK-8290246: test fails "assert(init != __null) failed: initialization not found" + - JDK-8290813: jdk/nashorn/api/scripting/test/ScriptObjectMirrorTest.java fails: assertEquals is ambiguous + - JDK-8290886: [11u]: Backport of JDK-8266250 introduced test failures + - JDK-8291570: [TESTBUG] Part of JDK-8250984 absent from 11u + - JDK-8291713: assert(!phase->exceeding_node_budget()) failed: sanity after JDK-8223389 + - JDK-8291794: [11u] Corrections after backport of JDK-8212028 + - JDK-8292579: (tz) Update Timezone Data to 2022c + - JDK-8292852: [11u] TestMemoryWithCgroupV1 fails after JDK-8292768 + - JDK-8295057: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.17 + +Notes on individual issues: +=========================== + +core-libs/java.net: + +JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable +=========================================================================== +Two system properties have been added which control the keep alive +behavior of HttpURLConnection in the case where the server does not +specify a keep alive time. Two properties are defined for controlling +connections to servers and proxies separately. They are: + +* `http.keepAlive.time.server` +* `http.keepAlive.time.proxy` + +respectively. More information about them can be found on the +Networking Properties page: +https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html. + +JDK-8286918: Better HttpServer service +====================================== +The HttpServer can be optionally configured with a maximum connection +limit by setting the jdk.httpserver.maxConnections system property. A +value of 0 or a negative integer is ignored and considered to +represent no connection limit. In the case of a positive integer +value, any newly accepted connections will be first checked against +the current count of established connections and, if the configured +limit has been reached, then the newly accepted connection will be +closed immediately. + +hotspot/runtime: + +JDK-8281181: CPU Shares Ignored When Computing Active Processor Count +===================================================================== +Previous JDK releases used an incorrect interpretation of the Linux +cgroups parameter "cpu.shares". This might cause the JVM to use fewer +CPUs than available, leading to an under utilization of CPU resources +when the JVM is used inside a container. + +Starting from this JDK release, by default, the JVM no longer +considers "cpu.shares" when deciding the number of threads to be used +by the various thread pools. The `-XX:+UseContainerCpuShares` +command-line option can be used to revert to the previous +behavior. This option is deprecated and may be removed in a future JDK +release. + +security-libs/java.security: + +JDK-8269039: Disabled SHA-1 Signed JARs +======================================= +JARs signed with SHA-1 algorithms are now restricted by default and +treated as if they were unsigned. This applies to the algorithms used +to digest, sign, and optionally timestamp the JAR. It also applies to +the signature and digest algorithms of the certificates in the +certificate chain of the code signer and the Timestamp Authority, and +any CRLs or OCSP responses that are used to verify if those +certificates have been revoked. These restrictions also apply to +signed JCE providers. + +To reduce the compatibility risk for JARs that have been previously +timestamped, there is one exception to this policy: + +- Any JAR signed with SHA-1 algorithms and timestamped prior to + January 01, 2019 will not be restricted. + +This exception may be removed in a future JDK release. To determine if +your signed JARs are affected by this change, run: + +$ jarsigner -verify -verbose -certs` + +on the signed JAR, and look for instances of "SHA1" or "SHA-1" and +"disabled" and a warning that the JAR will be treated as unsigned in +the output. + +For example: + + Signed by "CN="Signer"" + Digest algorithm: SHA-1 (disabled) + Signature algorithm: SHA1withRSA (disabled), 2048-bit key + + WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property: + + jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01 + +JARs affected by these new restrictions should be replaced or +re-signed with stronger algorithms. + +Users can, *at their own risk*, remove these restrictions by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) and removing "SHA1 usage +SignedJAR & denyAfter 2019-01-01" from the +`jdk.certpath.disabledAlgorithms` security property and "SHA1 +denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security +property. + +JDK-8267880: Upgrade the default PKCS12 MAC algorithm +===================================================== + +The default MAC algorithm used in a PKCS #12 keystore has been +updated. The new algorithm is based on SHA-256 and is stronger than +the old one based on SHA-1. See the security properties starting with +`keystore.pkcs12` in the `java.security` file for detailed +information. + +The new SHA-256 based MAC algorithms were introduced in the 11.0.12 +release. Keystores created using this newer, stronger, MAC algorithm +cannot be opened in versions of OpenJDK 11 earlier than 11.0.12. A +'java.security.NoSuchAlgorithmException' exception will be thrown in +such circumstances. + +For compatibility, use the `keystore.pkcs12.legacy` system property, +which will revert the algorithms to use the older, weaker +algorithms. There is no value defined for this property. + +core-libs/java.io:serialization: + +JDK-8261160: JDK Flight Recorder Event for Deserialization +========================================================== +It is now possible to monitor deserialization of objects using JDK +Flight Recorder (JFR). When JFR is enabled and the JFR configuration +includes deserialization events, JFR will emit an event whenever the +running program attempts to deserialize an object. The deserialization +event is named `jdk.Deserialization`, and it is disabled by +default. The deserialization event contains information that is used +by the serialization filter mechanism; see the ObjectInputFilter API +specification for details. + +Additionally, if a filter is enabled, the JFR event indicates whether +the filter accepted or rejected deserialization of the object. For +further information about how to use the JFR deserialization event, +see the article "Monitoring Deserialization to Improve Application +Security" +(https://inside.java/2021/03/02/monitoring-deserialization-activity-in-the-jdk/). + +For reference information about using and configuring JFR, see the +"JFR Runtime Guide" +(https://docs.oracle.com/javacomponents/jmc-5-5/jfr-runtime-guide/preface_jfrrt.htm#JFRRT165) +and "JFR Command Reference" +(https://docs.oracle.com/javacomponents/jmc-5-5/jfr-command-reference/command-line-options.htm#JFRCR-GUID-FE61CA60-E1DF-460E-A8E0-F4FF5D58A7A0) +sections of the JDK Mission Control documentation. + +security-libs/org.ietf.jgss:krb5: + +JDK-8139348: Deprecate 3DES and RC4 in Kerberos +=============================================== +The `des3-hmac-sha1` and `rc4-hmac` Kerberos encryption types (etypes) +are now deprecated and disabled by default. Users can set +`allow_weak_crypto = true` in the `krb5.conf` configuration file to +re-enable them (along with other weak etypes including `des-cbc-crc` +and `des-cbc-md5`) at their own risk. To disable a subset of the weak +etypes, users can list preferred etypes explicitly in any of the +`default_tkt_enctypes`, `default_tgs_enctypes`, or +`permitted_enctypes` settings. + +New in release OpenJDK 11.0.16.1 (2022-08-12): +============================================= +Live versions of these release notes can be found at: + * https://bit.ly/openjdk110161 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.1.txt + +* Other changes + - JDK-8292255: Bump update version for OpenJDK: jdk-11.0.16.1 + - JDK-8292260: [BACKOUT] JDK-8279219: [REDO] C2 crash when allocating array of size too large + +Notes on individual issues: +=========================== + +hotspot/compiler: + +JDK-8292396: C2 Compilation Errors Unpredictably Crashes JVM +============================================================ +Fixes a regression in the C2 JIT compiler which caused the Java +Runtime to crash unpredictably. + +New in release OpenJDK 11.0.16 (2022-07-19): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11016 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.txt + +* Security fixes + - JDK-8277608: Address IP Addressing + - JDK-8272243: Improve DER parsing + - JDK-8272249: Better properties of loaded Properties + - JDK-8281859, CVE-2022-21540: Improve class compilation + - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations + - JDK-8283190: Improve MIDI processing + - JDK-8284370: Improve zlib usage + - JDK-8285407, CVE-2022-34169: Improve Xalan supports +* Other changes + - JDK-6986863: ProfileDeferralMgr throwing ConcurrentModificationException + - JDK-7124293: [macosx] VoiceOver reads percentages rather than the actual values for sliders. + - JDK-7124301: [macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements. + - JDK-8133713: [macosx] Accessible JTables always reported as empty + - JDK-8139046: Compiler Control: IGVPrintLevel directive should set PrintIdealGraph + - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn + - JDK-8163498: Many long-running security libs tests + - JDK-8166727: javac crashed: [jimage.dll+0x1942] ImageStrings::find+0x28 + - JDK-8169004: Fix redundant @requires tags in tests + - JDK-8181571: printing to CUPS fails on mac sandbox app + - JDK-8182404: remove jdk.testlibrary.JDKToolFinder and JDKToolLauncher + - JDK-8186548: move jdk.testlibrary.JcmdBase closer to tests + - JDK-8192057: com/sun/jdi/BadHandshakeTest.java fails with java.net.ConnectException + - JDK-8193682: Infinite loop in ZipOutputStream.close() + - JDK-8199874: [TESTBUG] runtime/Thread/ThreadPriorities.java fails with "expected 0 to equal 10" + - JDK-8202886: [macos] Test java/awt/MenuBar/8007006/bug8007006.java fails on MacOS + - JDK-8203238: [TESTBUG] rewrite MemOptions shell test in Java + - JDK-8203239: [TESTBUG] remove vmTestbase/vm/gc/kind/parOld test + - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use + - JDK-8206330: Revisit com/sun/jdi/RedefineCrossEvent.java + - JDK-8207364: nsk/jvmti/ResourceExhausted/resexhausted003 fails to start + - JDK-8208207: Test nsk/stress/jni/gclocker/gcl001 fails after co-location + - JDK-8208246: flags duplications in vmTestbase_vm_g1classunloading tests + - JDK-8208249: TriggerUnloadingByFillingMetaspace generates garbage class names + - JDK-8208697: vmTestbase/metaspace/stressHierarchy/stressHierarchy012/TestDescription.java fails with OutOfMemoryError: Metaspace + - JDK-8209150: [TESTBUG] Add logging to verify JDK-8197901 to a different test + - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test + - JDK-8209883: ZGC: Compile without C1 broken + - JDK-8209920: runtime/logging/RedefineClasses.java fail with OOME with ZGC + - JDK-8210022: remove jdk.testlibrary.ProcessThread, TestThread and XRun + - JDK-8210039: move OSInfo to top level testlibrary + - JDK-8210108: sun/tools/jstatd test build failures after JDK-8210022 + - JDK-8210112: remove jdk.testlibrary.ProcessTools + - JDK-8210649: AssertionError @ jdk.compiler/com.sun.tools.javac.comp.Modules.enter(Modules.java:244) + - JDK-8210732: remove jdk.testlibrary.Utils + - JDK-8211795: ArrayIndexOutOfBoundsException in PNGImageReader after JDK-6788458 + - JDK-8211822: Some tests fail after JDK-8210039 + - JDK-8211962: Implicit narrowing in MacOSX java.desktop jsound + - JDK-8212151: jdi/ExclusiveBind.java times out due to "bind failed: Address already in use" on Solaris-X64 + - JDK-8213440: Lingering INCLUDE_ALL_GCS in test_oopStorage_parperf.cpp + - JDK-8214275: CondyRepeatFailedResolution asserts "Dynamic constant has no fixed basic type" + - JDK-8214799: Add package declaration to each JTREG test case in the gc folder + - JDK-8215544: SA: Modify ClhsdbLauncher to add sudo privileges to enable MacOS tests on Mach5 + - JDK-8216137: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit + - JDK-8216265: [testbug] Introduce Platform.sharedLibraryPathVariableName() and adapt all tests. + - JDK-8216366: Add rationale to PER_CPU_SHARES define + - JDK-8217017: [TESTBUG] Tests fail to compile after JDK-8216265 + - JDK-8217233: Update build settings for AIX/xlc + - JDK-8217340: Compilation failed: tools/launcher/Test7029048.java + - JDK-8217473: SA: Tests using ClhsdbLauncher fail on SAP docker containers + - JDK-8218136: minor hotspot adjustments for xlclang++ from xlc16 on AIX + - JDK-8218751: Do not store original classfiles inside the CDS archive + - JDK-8218965: aix: support xlclang++ in the compiler detection + - JDK-8220658: Improve the readability of container information in the error log + - JDK-8220813: update hotspot tier1_gc tests depending on GC to use @requires vm.gc.X + - JDK-8222799: java.beans.Introspector uses an obsolete methods cache + - JDK-8222926: Shenandoah build fails with --with-jvm-features=-compiler1 + - JDK-8223143: Restructure/clean-up for 'loopexit_or_null()'. + - JDK-8223363: Bad node estimate assertion failure + - JDK-8223389: Shenandoah optimizations fail with assert(!phase->exceeding_node_budget()) + - JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp + - JDK-8223502: Node estimate for loop unswitching is not correct: assert(delta <= 2 * required) failed: Bad node estimate + - JDK-8224648: assert(!exceeding_node_budget()) failed: Too many NODES required! failure with ctw + - JDK-8225475: Node budget asserts on x86_32/64 + - JDK-8227171: provide function names in native stack trace on aix with xlc16 + - JDK-8227389: Remove unsupported xlc16 compile options on aix + - JDK-8229202: Docker reporting causes secondary crashes in error handling + - JDK-8229210: [TESTBUG] Move gc stress tests from JFR directory tree to gc/stress + - JDK-8229486: Replace wildcard address with loopback or local host in tests - part 21 + - JDK-8229499: Node budget assert in fuzzed test + - JDK-8230305: Cgroups v2: Container awareness + - JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target + - JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy + - JDK-8231454: File lock in Windows on a loaded jar due to a leak in Introspector::getBeanInfo + - JDK-8231489: GC watermark_0_1 failed due to "metaspace.gc.Fault: GC has happened too rare" + - JDK-8231565: More node budget asserts in fuzzed tests + - JDK-8233551: [TESTBUG] SelectEditTableCell.java fails on MacOS + - JDK-8234382: Test tools/javac/processing/model/testgetallmembers/Main.java using too small heap + - JDK-8234605: C2 failed "assert(C->live_nodes() - live_at_begin <= 2 * _nodes_required) failed: Bad node estimate: actual = 208 >> request = 101" + - JDK-8234608: [TESTBUG] Fix G1 redefineClasses tests and a memory leak + - JDK-8235220: ClhsdbScanOops.java fails with sun.jvm.hotspot.types.WrongTypeException + - JDK-8235385: Crash on aarch64 JDK due to long offset + - JDK-8237479: 8230305 causes slowdebug build failure + - JDK-8239559: Cgroups: Incorrect detection logic on some systems + - JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot + - JDK-8240132: ProblemList com/sun/jdi/InvokeHangTest.java + - JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111 + - JDK-8240335: C2: assert(found_sfpt) failed: no node in loop that's not input to safepoint + - JDK-8240734: ModuleHashes attribute not reproducible between builds + - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled + - JDK-8241707: introduce randomness k/w to hotspot test suite + - JDK-8242310: use reproducible random in hotspot compiler tests + - JDK-8242311: use reproducible random in hotspot runtime tests + - JDK-8242312: use reproducible random in hotspot gc tests + - JDK-8242313: use reproducible random in hotspot svc tests + - JDK-8242538: java/security/SecureRandom/ThreadSafe.java failed on windows + - JDK-8243429: use reproducible random in :vmTestbase_nsk_stress + - JDK-8243666: ModuleHashes attribute generated for JMOD and JAR files depends on timestamps + - JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java + - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test + - JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible) + - JDK-8245938: Remove unused print_stack(void) method from XToolkit.c + - JDK-8246494: introduce vm.flagless at-requires property + - JDK-8246741: NetworkInterface/UniqueMacAddressesTest: mac address uniqueness test failed + - JDK-8247589: Implementation of Alpine Linux/x64 Port + - JDK-8247591: Document Alpine Linux build steps in OpenJDK build guide + - JDK-8247592: refactor test/jdk/tools/launcher/Test7029048.java + - JDK-8247614: java/nio/channels/DatagramChannel/Connect.java timed out + - JDK-8248876: LoadObject with bad base address created for exec file on linux + - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode + - JDK-8252117: com/sun/jdi/BadHandshakeTest.java failed with "ConnectException: Connection refused: connect" + - JDK-8252248: __SIGRTMAX is not declared in musl libc + - JDK-8252250: isnanf is obsolete + - JDK-8252359: HotSpot Not Identifying it is Running in a Container + - JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota + - JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist + - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high + - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly + - JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems + - JDK-8253872: ArgumentHandler must use the same delimiters as in jvmti_tools.cpp + - JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code + - JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection + - JDK-8254887: C2: assert(cl->trip_count() > 0) failed: peeling a fully unrolled loop + - JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes + - JDK-8255266: Update Public Suffix List to 3c213aa + - JDK-8255604: java/nio/channels/DatagramChannel/Connect.java fails with java.net.BindException: Cannot assign requested address: connect + - JDK-8255787: Tag container tests that use cGroups with cgroups keyword + - JDK-8256146: Cleanup test/jdk/java/nio/channels/DatagramChannel/Connect.java + - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version + - JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32 + - JDK-8258795: Update IANA Language Subtag Registry to Version 2021-05-11 + - JDK-8258956: Memory Leak in StringCoding on ThreadLocal resultCached StringCoding.Result + - JDK-8259517: Incorrect test path in test cases + - JDK-8260518: Change default -mmacosx-version-min to 10.12 + - JDK-8261169: Upgrade HarfBuzz to the latest 2.8.0 + - JDK-8262379: Add regression test for JDK-8257746 + - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream + - JDK-8263718: unused-result warning happens at os_linux.cpp + - JDK-8263856: Github Actions for macos/aarch64 cross-build + - JDK-8264179: [TESTBUG] Some compiler tests fail when running without C2 + - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted + - JDK-8265297: javax/net/ssl/SSLSession/TestEnabledProtocols.java failed with "RuntimeException: java.net.SocketException: Connection reset" + - JDK-8265343: Update Debian-based cross-compilation recipes + - JDK-8266251: compiler.inlining.InlineAccessors shouldn't do testing in driver VM + - JDK-8266318: Switch to macos prefix for macOS bundles + - JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics + - JDK-8266545: 8261169 broke Harfbuzz build with gcc 7 and 8 + - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN) + - JDK-8269772: [macos-aarch64] test compilation failed with "SocketException: No buffer space available" + - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support + - JDK-8270797: ShortECDSA.java test is not complete + - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack + - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key + - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories + - JDK-8272358: Some tests may fail when executed with other locales than the US + - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2 + - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security + - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted + - JDK-8273176: handle latest VS2019 in abstract_vm_version + - JDK-8273655: content-types.properties files are missing some common types + - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches + - JDK-8274233: Minor cleanup for ToolBox + - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image + - JDK-8274751: Drag And Drop hangs on Windows + - JDK-8275082: Update XML Security for Java to 2.3.0 + - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions + - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty + - JDK-8276657: XSLT compiler tries to define a class with empty name + - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations + - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive + - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element + - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread + - JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch + - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge + - JDK-8278065: Refactor subclassAudits to use ClassValue + - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method + - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine + - JDK-8278472: Invalid value set to CANDIDATEFORM structure + - JDK-8278794: Infinite loop in DeflaterOutputStream.finish() + - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs + - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10 + - JDK-8279219: [REDO] C2 crash when allocating array of size too large + - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist! + - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT + - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism + - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64 + - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java + - JDK-8279668: x86: AVX2 versions of vpxor should be asserted + - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region + - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos + - JDK-8279958: Provide configure hints for Alpine/apk package managers + - JDK-8280041: Retry loop issues in java.io.ClassCache + - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492 + - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang + - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device. + - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination + - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs + - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly + - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info + - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths + - JDK-8281615: Deadlock caused by jdwp agent + - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799 + - JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder + - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads + - JDK-8282225: GHA: Allow one concurrent run per PR only + - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers + - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive + - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86 + - JDK-8282382: Report glibc malloc tunables in error reports + - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale + - JDK-8282501: Bump update version for OpenJDK: jdk-11.0.16 + - JDK-8282583: Update BCEL md to include the copyright notice + - JDK-8282588: [11] set harfbuzz compilation flag to -std=c++11 + - JDK-8282589: runtime/ErrorHandling/ErrorHandler.java fails on MacOS aarch64 in jdk 11 + - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows + - JDK-8283018: 11u GHA: Update GCC 9 minor versions + - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c + - JDK-8283323: libharfbuzz optimization level results in extreme build times + - JDK-8283350: (tz) Update Timezone Data to 2022a + - JDK-8283408: Fix a C2 crash when filling arrays with unsafe + - JDK-8283420: [AOT] Exclude TrackedFlagTest/NotTrackedFlagTest in 11u because of intermittent java.lang.AssertionError: duplicate classes for name Ljava/lang/Boolean; + - JDK-8283424: compiler/loopopts/LoopUnswitchingBadNodeBudget.java fails with release VMs due to lack of -XX:+UnlockDiagnosticVMOptions + - JDK-8283451: C2: assert(_base == Long) failed: Not a Long + - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak + - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info + - JDK-8283614: [11] Repair compiler versions handling after 8233787 + - JDK-8283641: Large value for CompileThresholdScaling causes assert + - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate + - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c + - JDK-8284094: Memory leak in invoker_completeInvokeRequest() + - JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124 + - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4 + - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer + - JDK-8284458: CodeHeapState::aggregate() leaks blob_name + - JDK-8284507: GHA: Only check test results if testing was not skipped + - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member + - JDK-8284573: [11u] ProblemList TestBubbleUpRef.java and TestGCOldWithCMS.java because of 8272195 + - JDK-8284604: [11u] Update Boot JDK used in GHA to 11.0.14.1 + - JDK-8284620: CodeBuffer may leak _overflow_arena + - JDK-8284622: Update versions of some Github Actions used in JDK workflow + - JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem + - JDK-8285395: [JVMCI] [11u] Partial backport of JDK-8220623: InstalledCode + - JDK-8285397: JNI exception pending in CUPSfuncs.c:250 + - JDK-8285445: cannot open file "NUL:" + - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4 + - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java + - JDK-8285591: [11] add signum checks in DSA.java engineVerify + - JDK-8285686: Update FreeType to 2.12.0 + - JDK-8285720: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails to compile after backport of 8273655 + - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head + - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head + - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols + - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java + - JDK-8286198: [linux] Fix process-memory information + - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources + - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause + - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups + - JDK-8286630: [11] avoid -std=c++11 CXX harfbuzz buildflag on Windows + - JDK-8286855: javac error on invalid jar should only print filename + - JDK-8287109: Distrust.java failed with CertificateExpiredException + - JDK-8287119: Add Distrust.java to ProblemList + - JDK-8287362: FieldAccessWatch testcase failed on AIX platform + - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows + - JDK-8287739: [11u] ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java + +Notes on individual issues: +=========================== + +core-libs/java.io:serialization: + +JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element +========================================================================================= +`java.util.Vector` is updated to correctly report +`ClassNotFoundException that occurs during deserialization using +`java.io.ObjectInputStream.GetField.get(name, object)` when the class +of an element of the Vector is not found. Without this fix, a +`StreamCorruptedException` is thrown that does not provide information +about the missing class. + +core-libs/java.net: + +JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos +================================================================ +Support has been added for TLS channel binding tokens for +Negotiate/Kerberos authentication over HTTPS through +javax.net.HttpsURLConnection. + +Channel binding tokens are increasingly required as an enhanced form +of security which can mitigate certain kinds of socially engineered, +man in the middle (MITM) attacks. They work by communicating from a +client to a server the client's understanding of the binding between +connection security (as represented by a TLS server cert) and higher +level authentication credentials (such as a username and +password). The server can then detect if the client has been fooled by +a MITM and shutdown the session/connection. + +The feature is controlled through a new system property +`jdk.https.negotiate.cbt` which is described fully at the following +page: + +https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt + +core-libs/java.lang: + +JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder +===================================================================== +ProcessBuilder on Windows is restored to address a regression caused +by JDK-8250568. Previously, an argument to ProcessBuilder that +started with a double-quote and ended with a backslash followed by a +double-quote was passed to a command incorrectly and may cause the +command to fail. For example the argument `"C:\\Program Files\"`, +would be seen by the command with extra double-quotes. This update +restores the long standing behavior that does not treat the backslash +before the final double-quote specially. + +core-libs/java.util.jar: + +JDK-8278386: Default JDK compressor will be closed when IOException is encountered +================================================================================== +`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods +have been modified to close out the associated default JDK compressor +before propagating a Throwable up the +stack. `ZIPOutputStream.closeEntry()` method has been modified to +close out the associated default JDK compressor before propagating an +IOException, not of type ZipException, up the stack. + +core-libs/java.io: + +JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File +================================================================================================= +The Windows implementation of `java.io.File` allows access to NTFS +Alternate Data Streams (ADS) by default. Such streams have a structure +like “filename:streamname”. A system property `jdk.io.File.enableADS` +has been added to control this behavior. To disable ADS support in +`java.io.File`, the system property `jdk.io.File.enableADS` should be +set to `false` (case ignored). Stricter path checking however prevents +the use of special devices such as `NUL:` + +New in release OpenJDK 11.0.15 (2022-04-19): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11015 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.15.txt + +* New features + - JDK-8253795: Implementation of JEP 391: macOS/AArch64 Port +* Security fixes + - JDK-8269938: Enhance XML processing passes redux + - JDK-8270504, CVE-2022-21426: Better XPath expression handling + - JDK-8272255: Completely handle MIDI files + - JDK-8272261: Improve JFR recording file processing + - JDK-8272594: Better record of recordings + - JDK-8274221: More definite BER encodings + - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0 + - JDK-8275151, CVE-2022-21443: Improved Object Identification + - JDK-8277227: Better identification of OIDs + - JDK-8277672, CVE-2022-21434: Better invocation handler handling + - JDK-8278356: Improve file creation + - JDK-8278449: Improve keychain support + - JDK-8278798: Improve supported intrinsic + - JDK-8278805: Enhance BMP image loading + - JDK-8278972, CVE-2022-21496: Improve URL supports + - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo +* Other changes + - JDK-8065704: Set LC_ALL=C for all relevant commands in the build system + - JDK-8177814: jdk/editpad is not in jdk TEST.groups + - JDK-8186780: clang fastdebug assertion failure in os_linux_x86:os::verify_stack_alignment() + - JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently + - JDK-8193277: SimpleFileObject inconsistency between getName and getShortName + - JDK-8199079: Test javax/swing/UIDefaults/6302464/bug6302464.java is unstable + - JDK-8202142: jfr/event/io/TestInstrumentation is unstable + - JDK-8207011: Remove uses of the register storage class specifier + - JDK-8207793: [TESTBUG] runtime/Metaspace/FragmentMetaspace.java fails: heap needs to be increased + - JDK-8208074: [TESTBUG] vmTestbase/nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption/TestDescription.java failed with NullPointerException + - JDK-8210194: [TESTBUG] jvmti_FollowRefObjects.cpp missing initializer for member _jvmtiHeapCallbacks::heap_reference_callback + - JDK-8210236: Prepare ciReceiverTypeData::translate_receiver_data_from for concurrent class unloading + - JDK-8211170: AArch64: Warnings in C1 and template interpreter + - JDK-8211333: AArch64: Fix another build failure after JDK-8211029 + - JDK-8214004: Missing space between compiler thread name and task info in hs_err + - JDK-8214026: Canonicalized archive paths appearing in diagnostics + - JDK-8214761: Bug in parallel Kahan summation implementation + - JDK-8216969: ParseException thrown for certain months with russian locale + - JDK-8218546: Unable to connect to https://google.com using java.net.HttpClient + - JDK-8220634: SymLinkArchiveTest should handle not being able to create symlinks + - JDK-8222825: ARM32 SIGILL issue on single core CPU (not supported PLDW instruction) + - JDK-8223142: Clean-up WS and CB. + - JDK-8225559: assertion error at TransTypes.visitApply + - JDK-8232533: G1 uses only a single thread for pretouching the java heap + - JDK-8233827: Enable screenshots in the enhanced failure handler on Linux/macOS + - JDK-8233986: ProblemList javax/swing/plaf/basic/BasicTextUI/8001470/bug8001470.java for windows-x64 + - JDK-8234930: Use MAP_JIT when allocating pages for code cache on macOS + - JDK-8236210: javac generates wrong annotation for fields generated from record components + - JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful + - JDK-8237787: rewrite vmTestbase/vm/compiler/CodeCacheInfo* from shell to java + - JDK-8237798: rewrite vmTestbase/jit/tiered from shell to java + - JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails + - JDK-8240904: Screen flashes on test failures when running tests from make + - JDK-8241004: NMT tests fail on unaligned thread size with debug build + - JDK-8241423: NUMA APIs fail to work in dockers due to dependent syscalls are disabled by default + - JDK-8247272: SA ELF file support has never worked for 64-bit causing address to symbol name mapping to fail + - JDK-8247515: OSX pc_to_symbol() lookup does not work with core files + - JDK-8249019: clean up FileInstaller $test.src $cwd in vmTestbase_vm_compiler tests + - JDK-8250750: JDK-8247515 fix for OSX pc_to_symbol() lookup fails with some symbols + - JDK-8251126: nsk.share.GoldChecker should read golden file from ${test.src} + - JDK-8251127: clean up FileInstaller $test.src $cwd in remaining vmTestbase_vm_compiler tests + - JDK-8251132: make main classes public in vmTestbase/jit tests + - JDK-8251558: J2DBench should support shaped and translucent windows + - JDK-8251998: remove usage of PropertyResolvingWrapper in vmTestbase/jit/t + - JDK-8252005: narrow disabling of allowSmartActionArgs in vmTestbase + - JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost" + - JDK-8253816: Support macOS W^X + - JDK-8253817: Support macOS Aarch64 ABI in Interpreter + - JDK-8253818: Support macOS Aarch64 ABI for compiled wrappers + - JDK-8253819: Implement os/cpu for macOS/AArch64 + - JDK-8253839: Update tests and JDK code for macOS/Aarch64 + - JDK-8254072: AArch64: Get rid of --disable-warnings-as-errors on Windows+ARM64 build + - JDK-8254085: javax/swing/text/Caret/TestCaretPositionJTextPane.java failed with "RuntimeException: Wrong caret position" + - JDK-8254827: JVMCI: Enable it for Windows+AArch64 + - JDK-8254940: AArch64: Cleanup non-product thread members + - JDK-8254941: Implement Serviceability Agent for macOS/AArch64 + - JDK-8255035: Update BCEL to Version 6.5.0 + - JDK-8255239: The timezone of the hs_err_pid log file is corrupted in Japanese locale + - JDK-8255410: Add ChaCha20 and Poly1305 support to SunPKCS11 provider + - JDK-8255776: Change build system for macOS/AArch64 + - JDK-8256154: Some TestNG tests require default constructors + - JDK-8256321: Some "inactive" color profiles use the wrong profile class + - JDK-8256373: [Windows/HiDPI] The Frame#setBounds does not work in a minimized state + - JDK-8257467: [TESTBUG] -Wdeprecated-declarations is reported at sigset() in exesigtest.c + - JDK-8257769: Cipher.getParameters() throws NPE for ChaCha20-Poly1305 + - JDK-8258554: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F + - JDK-8261107: ArrayIndexOutOfBoundsException in the ICC_Profile.getInstance(InputStream) + - JDK-8261205: AssertionError: Cannot add metadata to an intersection type + - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt" + - JDK-8262894: [macos_aarch64] SIGBUS in Assembler::ld_st2 + - JDK-8262896: [macos_aarch64] Crash in jni_fast_GetLongField + - JDK-8262903: [macos_aarch64] Thread::current() called on detached thread + - JDK-8263185: Mallinfo deprecated in glibc 2.33 + - JDK-8264650: Cross-compilation to macos/aarch64 + - JDK-8265150: AsyncGetCallTrace crashes on ResourceMark + - JDK-8266168: -Wmaybe-uninitialized happens in check_code.c + - JDK-8266170: -Wnonnull happens in classLoaderData.inline.hpp + - JDK-8266171: -Warray-bounds happens in imageioJPEG.c + - JDK-8266172: -Wstringop-overflow happens in vmError.cpp + - JDK-8266173: -Wmaybe-uninitialized happens in jni_util.c + - JDK-8266174: -Wmisleading-indentation happens in libmlib_image sources + - JDK-8266176: -Wmaybe-uninitialized happens in libArrayIndexOutOfBoundsExceptionTest.c + - JDK-8266187: Memory leak in appendBootClassPath() + - JDK-8266421: Deadlock in Sound System + - JDK-8266889: [macosx-aarch64] Crash with SIGBUS in MarkActivationClosure::do_code_blob during vmTestbase/nsk/jvmti/.../bi04t002 test run + - JDK-8268014: Build failure on SUSE Linux Enterprise Server 11.4 (s390x) due to 'SYS_get_mempolicy' was not declared + - JDK-8268542: serviceability/logging/TestFullNames.java tests only 1st test case + - JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc + - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor + - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty + - JDK-8272345: macos doesn't check `os::set_boot_path()` result + - JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong + - JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication + - JDK-8273277: C2: Move conditional negation into rc_predicate + - JDK-8273341: Update Siphash to version 1.0 + - JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12 + - JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests + - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests + - JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure + - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated + - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java + - JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F + - JDK-8273682: Upgrade Jline to 3.20.0 + - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time + - JDK-8273933: [TESTBUG] Test must run without preallocated exceptions + - JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp + - JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror" + - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures + - JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah + - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake + - JDK-8274658: ISO 4217 Amendment 170 Update + - JDK-8274714: Incorrect verifier protected access error message + - JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily + - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler + - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime + - JDK-8275610: C2: Object field load floats above its null check resulting in a segfault + - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11 + - JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem + - JDK-8275811: Incorrect instance to dispose + - JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly + - JDK-8276141: XPathFactory set/getProperty method + - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here" + - JDK-8276314: [JVMCI] check alignment of call displacement during code installation + - JDK-8276623: JDK-8275650 accidentally pushed "out" file + - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows + - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for + - JDK-8277385: Zero: Enable CompactStrings support + - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last + - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop + - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022 + - JDK-8277795: ldap connection timeout not honoured under contention + - JDK-8277796: Bump update version for OpenJDK: jdk-11.0.15 + - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3 + - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx + - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx + - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux + - JDK-8278309: [windows] use of uninitialized OSThread::_state + - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec + - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT + - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134 + - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob + - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0 + - JDK-8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler + - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers + - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest + - JDK-8279379: GHA: Print tests that are in error + - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition + - JDK-8279702: [macosx] ignore xcodebuild warnings on M1 + - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16 + - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks + - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id" + - JDK-8280155: [PPC64, s390] frame size checks are not yet correct + - JDK-8280414: Memory leak in DefaultProxySelector + - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1} + - JDK-8280786: Build failure on Solaris after 8262392 + - JDK-8280999: array_bounds should be array-bounds after 8278507 + - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames + - JDK-8281520: JFR: A wrong parameter is passed to the constructor of LeakKlassWriter + - JDK-8281599: test/lib/jdk/test/lib/KnownOIDs.java is redundant since JDK-8268801 + - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972 + - JDK-8282372: [11] build issue on MacOS/aarch64 12.2.1 using Xcode 13.1: call to 'log2_intptr' is ambiguous + - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character + - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods + - JDK-8283018: 11u GHA: Update GCC 9 minor versions + - JDK-8283270: [11u] broken JRT_ENTRY_NO_ASYNC after Backport of JDK-8253795 + - JDK-8283778: 11u GHA: Fix GCC 9 ubuntu package names + - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException + - JDK-8284920: Incorrect Token type causes XPath expression to return empty result + +Notes on individual issues: +=========================== + +security-libs/javax.crypto:pkcs11: + +JDK-8275737: SunPKCS11 Provider Supports ChaCha20-Poly1305 Cipher and ChaCha20 KeyGenerator if Supported by PKCS11 Library +========================================================================================================================== +SunPKCS11 provider is enhanced to support the following crypto +services and algorithms when the underlying PKCS11 library supports +the corresponding PKCS#11 mechanisms: + +* ChaCha20 KeyGenerator <=> CKM_CHACHA20_KEY_GEN mechanism +* ChaCha20-Poly1305 Cipher <=> CKM_CHACHA20_POLY1305 mechanism +* ChaCha20-Poly1305 AlgorithmParameters <=> CKM_CHACHA20_POLY1305 mechanism +* ChaCha20 SecretKeyFactory <=> CKM_CHACHA20_POLY1305 mechanism + +New in release OpenJDK 11.0.14.1 (2022-02-08): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk110141 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.1.txt + +* Other changes + - JDK-8218546: Unable to connect to https://google.com using java.net.HttpClient + - JDK-8280786: Build failure on Solaris after 8262392 + - JDK-8281324: Bump update version for OpenJDK: jdk-11.0.14.1 + +New in release OpenJDK 11.0.14 (2022-01-18): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11014 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.txt + +* New features + - JDK-8248238: Implementation: JEP 388: Windows AArch64 Support +* Security fixes + - JDK-8217375: jarsigner breaks old signature with long lines in manifest + - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside + - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization + - JDK-8268488: More valuable DerValues + - JDK-8268494: Better inlining of inlined interfaces + - JDK-8268512: More content for ContentInfo + - JDK-8268795: Enhance digests of Jar files + - JDK-8268801: Improve PKCS attribute handling + - JDK-8268813, CVE-2022-21283: Better String matching + - JDK-8269151: Better construction of EncryptedPrivateKeyInfo + - JDK-8269944: Better HTTP transport redux + - JDK-8270386, CVE-2022-21291: Better verification of scan methods + - JDK-8270392, CVE-2022-21293: Improve String constructions + - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps + - JDK-8270492, CVE-2022-21282: Better resolution of URIs + - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management + - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities + - JDK-8270952, CVE-2022-21277: Improve TIFF file handling + - JDK-8271962: Better TrueType font loading + - JDK-8271968: Better canonical naming + - JDK-8271987: Manifest improved manifest entries + - JDK-8272014, CVE-2022-21305: Better array indexing + - JDK-8272026, CVE-2022-21340: Verify Jar Verification + - JDK-8272236, CVE-2022-21341: Improve serial forms for transport + - JDK-8272272: Enhance jcmd communication + - JDK-8272462: Enhance image handling + - JDK-8273290: Enhance sound handling + - JDK-8273756, CVE-2022-21360: Enhance BMP image support + - JDK-8273838, CVE-2022-21365: Enhanced BMP processing + - JDK-8274096, CVE-2022-21366: Improve decoding of image files + - JDK-8279541: Improve HarfBuzz +* Other changes + - JDK-6849922: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.html fails + - JDK-7105119: [TEST_BUG] [macosx] In test UIDefaults.toString() must be called with the invokeLater() + - JDK-7151826: [TEST_BUG] [macosx] The test javax/swing/JPopupMenu/4966112/bug4966112.java not for mac + - JDK-7179006: [macosx] Print-to-file doesn't work: printing to the default printer instead + - JDK-8015602: [macosx] Test javax/swing/SpringLayout/4726194/bug4726194.java fails on MacOSX + - JDK-8034084: nsk.nsk/jvmti/ThreadStart/threadstart003 Wrong number of thread end events + - JDK-8039261: [TEST_BUG]: There is not a minimal security level in Java Preferences and the TestApplet.html is blocked. + - JDK-8047218: [TEST_BUG] java/awt/FullScreen/AltTabCrashTest/AltTabCrashTest.java fails with exception + - JDK-8075909: [TEST_BUG] The regression-swing case failed as it does not have the 'Open' button when select 'subdir' folder with NimbusLAF + - JDK-8078219: Verify lack of @test tag in files in java/net test directory + - JDK-8080569: java/lang/ProcessBuilder/DestroyTest.java fails with "RuntimeException: Process terminated prematurely" + - JDK-8081652: [TESTBUG] java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java timed out intermittently + - JDK-8129310: java/net/Socket/asyncClose/AsyncClose.java fails intermittently + - JDK-8131745: java/lang/management/ThreadMXBean/AllThreadIds.java still fails intermittently + - JDK-8136517: [macosx]Test java/awt/Focus/8073453/AWTFocusTransitionTest.java fails on MacOSX + - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing + - JDK-8143021: [TEST_BUG] Test javax/swing/JColorChooser/Test6541987.java fails + - JDK-8159597: [TEST_BUG] closed/javax/swing/JPopupMenu/4760494/bug4760494.java leaves key pressed + - JDK-8159904: [TEST_BUG] Failure on solaris of java/awt/Window/MultiWindowApp/MultiWindowAppTest.java + - JDK-8163086: java/awt/Window/TranslucentJAppletTest/TranslucentJAppletTest.java fails + - JDK-8165828: [TEST_BUG] The reg case:javax/swing/plaf/metal/MetalIcons/MetalHiDPIIconsTest.java failed as No Metal Look and Feel + - JDK-8169953: JComboBox/8057893: ComboBoxEdited event is not fired! on Windows + - JDK-8169954: JFileChooser/8021253: java.lang.RuntimeException: Default button is not pressed + - JDK-8169959: javax/swing/JTable/6263446/bug6263446.java: Table should be editing + - JDK-8171381: [TEST_BUG] [macos] javax/swing/JPopupMenu/7156657/bug7156657.java fails on OS X + - JDK-8171998: javax/swing/JMenu/4692443/bug4692443.java fails on Windows + - JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently + - JDK-8179880: Refactor javax/security shell tests to plain java tests + - JDK-8180568: Refactor javax/crypto shell tests to plain java tests + - JDK-8180569: Refactor sun/security/krb5/ shell tests to plain java tests + - JDK-8180571: Refactor sun/security/pkcs11 shell tests to plain java tests and fix failures + - JDK-8180573: Refactor sun/security/tools shell tests to plain java tests + - JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar + - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream + - JDK-8195703: BasicJDWPConnectionTest.java: 'App exited unexpectedly with 2' + - JDK-8196096: javax/swing/JPopupMenu/6580930/bug6580930.java fails + - JDK-8197560: test javax/swing/JTree/8003400/Test8003400.java fails + - JDK-8197800: Test java/awt/Focus/NonFocusableWindowTest/NoEventsTest.java fails on Windows + - JDK-8197811: Test java/awt/Choice/PopupPosTest/PopupPosTest.java fails on Windows + - JDK-8198616: java/awt/Focus/6378278/InputVerifierTest.java fails on mac + - JDK-8198617: java/awt/Focus/6382144/EndlessLoopTest.java fails on mac + - JDK-8198619: java/awt/Focus/FocusTraversalPolicy/ButtonGroupLayoutTraversal/ButtonGroupLayoutTraversalTest.java fails on mac + - JDK-8198623: java/awt/KeyboardFocusmanager/TypeAhead/EnqueueWithDialogButtonTest/EnqueueWithDialogButtonTest.java fails on mac + - JDK-8198624: java/awt/KeyboardFocusmanager/TypeAhead/SubMenuShowTest/SubMenuShowTest.html fails on mac + - JDK-8199138: Add RISC-V support to Zero + - JDK-8199529: javax/swing/text/Utilities/8142966/SwingFontMetricsTest.java fails on windows + - JDK-8201224: Make string buffer size dynamic in mlvmJvmtiUtils.c + - JDK-8202342: [Graal] fromTonga/nsk/jvmti/unit/FollowReferences/followref003/TestDescription.java fails with "Location mismatch" errors + - JDK-8204161: [TESTBUG] auto failed with the "Applet thread threw exception: java.lang.UnsupportedOperationException" exception + - JDK-8206085: Refactor langtools/tools/javac/versions/Versions.java + - JDK-8207936: TestZipFile failed with java.lang.AssertionError exception + - JDK-8208242: Add @requires to vmTestbase/gc/g1 tests + - JDK-8209611: use C++ compiler for hotspot tests + - JDK-8210182: Remove macros for C compilation from vmTestBase but non jvmti + - JDK-8210198: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[A-F] tests + - JDK-8210205: build fails on AIX in hotspot cpp tests (for example getstacktr001.cpp) + - JDK-8210242: [TESTBUG] vmTestbase/nsk/stress/jni/jnistress001.java crashes with EXCEPTION_ACCESS_VIOLATION on windows-x86 + - JDK-8210353: Move java/util/Arrays/TimSortStackSize2.java back to tier1 + - JDK-8210385: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[A-N] tests + - JDK-8210392: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit + - JDK-8210395: Add doc to SecurityTools.java + - JDK-8210429: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[G-Z] tests + - JDK-8210481: Remove #ifdef cplusplus from vmTestbase + - JDK-8210593: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[N-R] tests + - JDK-8210665: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[R-U] tests + - JDK-8210689: Remove the multi-line old C style for string literals + - JDK-8210700: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti/unit tests + - JDK-8210726: Fix up a few minor nits forgotten by JDK-8210665 + - JDK-8210920: Native C++ tests are not using CXXFLAGS + - JDK-8210984: [TESTBUG] hs203t003 fails with "# ERROR: hs203t003.cpp, 218: NSK_CPP_STUB2 ( ResumeThread, jvmti, thread)" + - JDK-8211036: Remove the NSK_STUB macros from vmTestbase for non jvmti + - JDK-8211131: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[G-I]* + - JDK-8211148: var in implicit lambdas shouldn't be accepted for source < 11 + - JDK-8211171: move JarUtils to top-level testlibrary + - JDK-8211227: Inconsistent TLS protocol version in debug output + - JDK-8211261: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[A-G]* + - JDK-8211432: [REDO] Handle JNIGlobalRefLocker.cpp + - JDK-8211782: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[I-S]* + - JDK-8211801: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[A-E] + - JDK-8211899: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[E-M] + - JDK-8211905: Remove multiple casts for EM06 file + - JDK-8211999: Window positioning bugs due to overlapping GraphicsDevice bounds (Windows/HiDPI) + - JDK-8212082: Remove the NSK_CPP_STUB macros for remaining vmTestbase/jvmti/[sS]* + - JDK-8212083: Handle remaining gc/lock native code and fix two strings + - JDK-8212148: Remove remaining NSK_CPP_STUBs + - JDK-8213110: Remove the use of applets in automatic tests + - JDK-8213189: Make restricted headers in HTTP Client configurable and remove Date by default + - JDK-8213263: fix legal headers in test/langtools + - JDK-8213296: Fix legal headers in test/jdk/java/net + - JDK-8213301: Fix legal headers in jdk logging tests + - JDK-8213305: Fix legal headers in test/java/math + - JDK-8213306: Fix legal headers in test/java/nio + - JDK-8213328: Update test copyrights in test/java/util/zip and test/jdk/tools + - JDK-8213330: Fix legal headers in i18n tests + - JDK-8213707: [TEST] vmTestbase/nsk/stress/except/except011.java failed due to wrong class name + - JDK-8214469: [macos] PIT: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.java fails + - JDK-8215410: Regression test for JDK-8214994 + - JDK-8215568: Refactor SA clhsdb tests to use ClhsdbLauncher + - JDK-8215624: Add parallel heap iteration for jmap –histo + - JDK-8215889: assert(!_unloading) failed: This oop is not available to unloading class loader data with ZGC + - JDK-8216318: The usage of Disposer in the java.awt.Robot can be deleted + - JDK-8216417: cleanup of IPv6 scope-id handling + - JDK-8217377: javax/swing/JPopupMenu/6583251/bug6583251.java failed with UnsupportedOperation exception + - JDK-8217438: Adapt tools//launcher/Test7029048.java for AIX + - JDK-8217633: Configurable extensions with system properties + - JDK-8217882: java/net/httpclient/MaxStreams.java failed once + - JDK-8217903: java/net/httpclient/Response204.java fails with 404 + - JDK-8218483: Crash in "assert(_daemon_threads_count->get_value() > daemon_count) failed: thread count mismatch 5 : 5" + - JDK-8219986: Change to Xcode 10.1 for building on Macosx at Oracle + - JDK-8220575: Correctly format test URI's that contain a retrieved IPv6 address + - JDK-8221259: New tests for java.net.Socket to exercise long standing behavior + - JDK-8221305: java/awt/FontMetrics/MaxAdvanceIsMax.java fails on MacOS + Solaris + - JDK-8221902: PIT: javax/swing/JRadioButton/FocusTraversal/FocusTraversal.java fails on ubuntu + - JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04 + - JDK-8222446: assert(C->env()->system_dictionary_modification_counter_changed()) failed: Must invalidate if TypeFuncs differ + - JDK-8223137: Rename predicate 'do_unroll_only()' to 'is_unroll_only()'. + - JDK-8223138: Small clean-up in loop-tree support. + - JDK-8223139: Rename mandatory policy-do routines. + - JDK-8223140: Clean-up in 'ok_to_convert()' + - JDK-8223141: Change (count) suffix _ct into _cnt. + - JDK-8223400: Replace some enums with static const members in hotspot/runtime + - JDK-8223658: Performance regression of XML.validation in 13-b19 + - JDK-8223923: C2: Missing interference with mismatched unsafe accesses + - JDK-8224829: AsyncSSLSocketClose.java has timing issue + - JDK-8225083: Remove Google certificate that is expiring in December 2021 + - JDK-8226514: Replace wildcard address with loopback or local host in tests - part 17 + - JDK-8226943: compile error in libfollowref003.cpp with XCode 10.2 on macosx + - JDK-8228442: DHKeyExchange/LegacyDHEKeyExchange.java failed due to "SSLException: An established connection was aborted by the software in your host machine" + - JDK-8228508: [TESTBUG] java/net/httpclient/SmokeTest.java fails on Windows7 + - JDK-8229935: [TEST_BUG]: bug8132119.java inconsistently positions text + - JDK-8230019: [REDO] compiler/types/correctness/* tests fail with "assert(recv == __null || recv->is_klass()) failed: wrong type" + - JDK-8230067: Add optional automatic retry when running jtreg tests + - JDK-8230228: [TESTBUG] Several runtime/ErrorHandling tests may fail on some platforms + - JDK-8231501: VM crash in MethodData::clean_extra_data(CleanExtraDataClosure*): fatal error: unexpected tag 99 + - JDK-8233403: Improve verbosity of some httpclient tests + - JDK-8233550: [TESTBUG] JTree tests fail regularly on MacOS + - JDK-8233552: [TESTBUG] JTable Test bug7068740.java fails on MacOS + - JDK-8233553: [TESTBUG] JSpinner test bug4973721.java fails on MacOS + - JDK-8233555: [TESTBUG] JRadioButton tests failing on MacoS + - JDK-8233556: [TESTBUG] JPopupMenu tests fail on MacOS + - JDK-8233559: [TESTBUG] TestNimbusOverride.java is failing on macos + - JDK-8233560: [TESTBUG] ToolTipManager/Test6256140.java is failing on macos + - JDK-8233561: [TESTBUG] Swing text test bug8014863.java fails on macos + - JDK-8233562: [TESTBUG] Swing StyledEditorKit test bug4506788.java fails on MacOS + - JDK-8233564: [TESTBUG] MouseComboBoxTest.java is failing + - JDK-8233566: [TESTBUG] KeyboardFocusManager tests failing on MacoS + - JDK-8233567: [TESTBUG] FocusSubRequestTest.java fails on macos + - JDK-8233569: [TESTBUG] JTextComponent test bug6361367.java fails on macos + - JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos + - JDK-8233634: [TESTBUG] Swing text test bug4278839.java fails on macos + - JDK-8233635: [TESTBUG] ProgressMonitorEscapeKeyPress.java fails on macos + - JDK-8233637: [TESTBUG] Swing ActionListenerCalledTwiceTest.java fails on macos + - JDK-8233638: [TESTBUG] Swing test ScreenMenuBarInputTwice.java fails on macos + - JDK-8233641: [TESTBUG] JMenuItem test bug4171437.java fails on macos + - JDK-8233642: [TESTBUG] JMenuBar test bug 4750590.java fails on macos + - JDK-8233643: [TESTBUG] JMenu test bug4515762.java fails on macos + - JDK-8233644: [TESTBUG] JInternalFrame test bug8020708.java is failing on macos + - JDK-8233647: [TESTBUG] JColorChooser/Test8051548.java is failing on macos + - JDK-8234802: [TESTBUG] Test Right Mouse Button Drag Gesture Recognition in all the platforms + - JDK-8234823: java/net/Socket/Timeouts.java testcase testTimedConnect2() fails on Windows 10 + - JDK-8235784: java/lang/invoke/VarHandles/VarHandleTestByteArrayAsInt.java fails due to timeout with fastdebug bits + - JDK-8236042: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -Xcomp -XX:TieredStopAtLevel=1 + - JDK-8236177: assert(status == 0) failed: error ETIMEDOUT(60), cond_wait + - JDK-8236596: HttpClient leaves HTTP/2 sockets in CLOSE_WAIT, when using proxy tunnel + - JDK-8237354: Add option to jcmd to write a gzipped heap dump + - JDK-8237589: Fix copyright header formatting + - JDK-8238677: java/net/httpclient/ssltest/CertificateTest.java should not specify TLS version + - JDK-8239334: Tab Size does not work correctly in JTextArea with setLineWrap on + - JDK-8239422: [TESTBUG] compiler/c1/TestPrintIRDuringConstruction.java failed when C1 is disabled + - JDK-8239827: The test OpenByUNCPathNameTest.java should be changed to be manual + - JDK-8240256: Better resource cleaning for SunPKCS11 Provider + - JDK-8242044: Add basic HTTP/1.1 support to the HTTP/2 Test Server + - JDK-8242526: PIT: javax/swing/JInternalFrame/8020708/bug8020708.java fails in mach5 ubuntu system + - JDK-8242793: Incorrect copyright header in ContinuousCallSiteTargetChange.java + - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails + - JDK-8244292: Headful clients failing with --illegal-access=deny + - JDK-8245147: Refactor and improve utility of test/langtools/tools/javac/versions/Versions.java + - JDK-8245165: Update bug id for javax/swing/text/StyledEditorKit/4506788/bug4506788.java in ProblemList + - JDK-8245665: Test WeakAlg.java should only make sure no warning for weak signature algorithms by keytool on root CA + - JDK-8246114: java/net/MulticastSocket/Promiscuous.java fails after 8241072 (multi-homed systems) + - JDK-8246807: Incorrect copyright header in TimeZoneDatePermissionCheck.sh + - JDK-8247403: JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder + - JDK-8247510: typo in IllegalHandshakeMessage + - JDK-8248187: [TESTBUG] javax/swing/plaf/basic/BasicGraphicsUtils/8132119/bug8132119.java fails with String is not properly drawn + - JDK-8248341: ProblemList java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java + - JDK-8248500: AArch64: Remove the r18 dependency on Windows AArch64 + - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked + - JDK-8249195: Change to Xcode 11.3.1 for building on Macos at Oracle + - JDK-8250521: Configure initial RTO to use minimal retry for loopback connections on Windows + - JDK-8250810: Push missing parts of JDK-8248817 + - JDK-8250839: Improve test template SSLEngineTemplate with SSLContextTemplate + - JDK-8250863: Build error with GCC 10 in NetworkInterface.c and k_standard.c + - JDK-8250888: nsk/jvmti/scenarios/general_functions/GF08/gf08t001/TestDriver.java fails + - JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits + - JDK-8251377: [macos11] JTabbedPane selected tab text is barely legible + - JDK-8251570: JDK-8215624 causes assert(worker_id < _n_workers) failed: Invalid worker_id + - JDK-8251930: AArch64: Native types mismatch in hotspot + - JDK-8252049: Native memory leak in ciMethodData ctor + - JDK-8252051: Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly + - JDK-8252114: Windows-AArch64: Enable and test ZGC and ShenandoahGC + - JDK-8253015: Aarch64: Move linux code out from generic CPU feature detection + - JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java fail on big screens + - JDK-8253497: Core Libs Terminology Refresh + - JDK-8253682: The AppletInitialFocusTest1.java is unstable + - JDK-8253763: ParallelObjectIterator should have virtual destructor + - JDK-8253866: Security Libs Terminology Refresh + - JDK-8254802: ThrowingPushPromisesAsStringCustom.java fails in "try throwing in GET_BODY" + - JDK-8255227: java/net/httpclient/FlowAdapterPublisherTest.java intermittently failing with TestServer: start exception: java.io.IOException: Invalid preface + - JDK-8255264: Support for identifying the full range of IPv4 localhost addresses on Windows + - JDK-8255716: AArch64: Regression: JVM crashes if manually offline a core + - JDK-8255722: Create a new test for rotated blit + - JDK-8256009: Remove src/hotspot/share/adlc/Test/i486.ad + - JDK-8256066: Tests use deprecated TestNG API that is no longer available in new versions + - JDK-8256152: tests fail because of ambiguous method resolution + - JDK-8256182: Update qemu-debootstrap cross-compilation recipe + - JDK-8256201: java/awt/FullScreen/FullscreenWindowProps/FullscreenWindowProps.java failed + - JDK-8256202: Some tweaks for jarsigner tests PosixPermissionsTest and SymLinkTest + - JDK-8256372: [macos] Unexpected symbol was displayed on JTextField with Monospaced font + - JDK-8256956: RegisterImpl::max_slots_per_register is incorrect on AMD64 + - JDK-8258457: testlibrary_tests/ctw/JarDirTest.java fails with InvalidPathException on windows + - JDK-8258855: Two tests sun/security/krb5/auto/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java failed on OL8.3 + - JDK-8259237: Demo selection changes with left/right arrow key. No need to press space for selection. + - JDK-8260571: Add PrintMetaspaceStatistics to print metaspace statistics upon VM exit + - JDK-8260690: JConsole User Guide Link from the Help menu is not accessible by keyboard + - JDK-8261036: Reduce classes loaded by CleanerFactory initialization + - JDK-8261071: AArch64: Refactor interpreter native wrappers + - JDK-8261075: Create stubRoutines.inline.hpp with SafeFetch implementation + - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled + - JDK-8261297: NMT: Final report should use scale 1 + - JDK-8261661: gc/stress/TestReclaimStringsLeaksMemory.java fails because Reserved memory size is too big + - JDK-8261916: gtest/GTestWrapper.java vmErrorTest.unimplemented1_vm_assert failed + - JDK-8262438: sun/security/ssl/SSLLogger/LoggingFormatConsistency.java failed with "SocketException: Socket is closed" + - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" + - JDK-8262844: (fs) FileStore.supportsFileAttributeView might return false negative in case of ext3 + - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert + - JDK-8263068: Rename safefetch.hpp to safefetch.inline.hpp + - JDK-8263303: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint + - JDK-8263362: Avoid division by 0 in java/awt/font/TextJustifier.java justify + - JDK-8263773: Reenable German localization for builds at Oracle + - JDK-8263897: compiler/c2/aarch64/TestVolatilesSerial.java failed with "java.lang.RuntimeException: Wrong method" + - JDK-8264526: javax/swing/text/html/parser/Parser/8078268/bug8078268.java timeout + - JDK-8264824: java/net/Inet6Address/B6206527.java doesn't close ServerSocket properly + - JDK-8265019: Update tests for additional TestNG test permissions + - JDK-8265173: [test] divert spurious log output away from stream under test in ProcessBuilder Basic test + - JDK-8265524: Upgrading JSZip from v3.2.2 to v3.6.0 + - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java + - JDK-8266579: Update test/jdk/java/lang/ProcessHandle/PermissionTest.java & test/jdk/java/sql/testng/util/TestPolicy.java + - JDK-8266949: Check possibility to disable OperationTimedOut on Unix + - JDK-8267246: -XX:MaxRAMPercentage=0 is unreasonable for jtreg tests on many-core machines + - JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl + - JDK-8267304: Bump global JTReg memory limit to 768m + - JDK-8267652: c2 loop unrolling by 8 results in reading memory past array + - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8268093: Manual Testcase: "sun/security/krb5/config/native/TestDynamicStore.java" Fails with NPE + - JDK-8268555: Update HttpClient tests that use ITestContext to jtreg 6+1 + - JDK-8268672: C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only + - JDK-8269034: AccessControlException for SunPKCS11 daemon threads + - JDK-8269426: Rename test/jdk/java/lang/invoke/t8150782 to accessClassAndFindClass + - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events + - JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles + - JDK-8269768: JFR Terminology Refresh + - JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked + - JDK-8269984: [macos] JTabbedPane title looks like disabled + - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags + - JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS + - JDK-8270216: [macOS] Update named used for Java run loop mode + - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error + - JDK-8270290: NTLM authentication fails if HEAD request is used + - JDK-8270317: Large Allocation in CipherSuite + - JDK-8270344: Session resumption errors + - JDK-8270517: Add Zero support for LoongArch + - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS + - JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling + - JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected" + - JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop + - JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java + - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity + - JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling + - JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine" + - JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions + - JDK-8272180: Upgrade JSZip from v3.6.0 to v3.7.1 + - JDK-8272181: Windows-AArch64:Backport fix of `Backtracing broken on PAC enabled systems` + - JDK-8272316: Wrong Boot JDK help message in 11 + - JDK-8272318: Improve performance of HeapDumpAllTest + - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions + - JDK-8272570: C2: crash in PhaseCFG::global_code_motion + - JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late + - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 + - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled + - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit + - JDK-8272783: Epsilon: Refactor tests to improve performance + - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed + - JDK-8272828: Add correct licenses to jszip.md + - JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests + - JDK-8272850: Drop zapping values in the Zap* option descriptions + - JDK-8272902: Bump update version for OpenJDK: jdk-11.0.14 + - JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups + - JDK-8272966: test/jdk/java/awt/Robot/FlushCurrentEvent.java fails by timeout + - JDK-8273026: Slow LoginContext.login() on multi threading application + - JDK-8273229: Update OS detection code to recognize Windows Server 2022 + - JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit + - JDK-8273308: PatternMatchTest.java fails on CI + - JDK-8273314: Add tier4 test groups + - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817 + - JDK-8273358: macOS Monterey does not have the font Times needed by Serif + - JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero + - JDK-8273498: compiler/c2/Test7179138_1.java timed out + - JDK-8273541: Cleaner Thread creates with normal priority instead of MAX_PRIORITY - 2 + - JDK-8273547: [11u] [JVMCI] Partial module-info.java backport of JDK-8223332 + - JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch + - JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher + - JDK-8273671: Backport of 8260616 misses one JNF header inclusion removal + - JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem + - JDK-8273795: Zero SPARC64 debug builds fail due to missing interpreter fields + - JDK-8273826: Correct Manifest file name and NPE checks + - JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral + - JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() + - JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character + - JDK-8273968: JCK javax_xml tests fail in CI + - JDK-8274056: JavaAccessibilityUtilities leaks JNI objects + - JDK-8274083: Update testing docs to mention tiered testing + - JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated + - JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m + - JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern + - JDK-8274381: missing CAccessibility definitions in JNI code + - JDK-8274407: (tz) Update Timezone Data to 2021c + - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b + - JDK-8274468: TimeZoneTest.java fails with tzdata2021b + - JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah + - JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287 + - JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform + - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST + - JDK-8274840: Update OS detection code to recognize Windows 11 + - JDK-8274860: gcc 10.2.1 produces an uninitialized warning in sharedRuntimeTrig.cpp + - JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag + - JDK-8275131: Exceptions after a touchpad gesture on macOS + - JDK-8275713: TestDockerMemoryMetrics test fails on recent runc + - JDK-8275766: (tz) Update Timezone Data to 2021e + - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e + - JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance + - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test + - JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32 + - JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point + - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766 + - JDK-8276550: Use SHA256 hash in build.tools.depend.Depend + - JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie + - JDK-8276854: Windows GHA builds fail due to broken Cygwin + - JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes + - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE + - JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint + - JDK-8277815: Fix mistakes in legal header backports + +Notes on individual issues: +=========================== + +core-svc/tools: + +JDK-8250554: New Option Added to jcmd for Writing a gzipped Heap Dump +===================================================================== +A new integer option `gz` has been added to the `GC.heap_dump` +diagnostic command. If it is specified, it will enable the gzip +compression of the written heap dump. The supplied value is the +compression level. It can range from 1 (fastest) to 9 (slowest, but +best compression). The recommended level is 1. + +security-libs/javax.net.ssl: + +JDK-8260310: Configurable Extensions With System Properties +=========================================================== +Two new system properties have been added. The system property, +`jdk.tls.client.disableExtensions`, is used to disable TLS extensions +used in the client. The system property, +`jdk.tls.server.disableExtensions`, is used to disable TLS extensions +used in the server. If an extension is disabled, it will be neither +produced nor processed in the handshake messages. + +The property string is a list of comma separated standard TLS +extension names, as registered in the IANA documentation (for example, +server_name, status_request, and signature_algorithms_cert). Note that +the extension names are case sensitive. Unknown, unsupported, +misspelled and duplicated TLS extension name tokens will be ignored. + +Please note that the impact of blocking TLS extensions is +complicated. For example, a TLS connection may not be able to be +established if a mandatory extension is disabled. Please do not +disable mandatory extensions, and do not use this feature unless you +clearly understand the impact. + +security-libs/javax.crypto:pkcs11: + +JDK-8272907: New SunPKCS11 Configuration Properties +=================================================== +The SunPKCS11 provider gains new provider configuration attributes to +better control native resources usage. The SunPKCS11 provider consumes +native resources in order to work with native PKCS11 libraries. To +manage and better control the native resources, additional +configuration attributes are added to control the frequency of +clearing native references as well as whether to destroy the +underlying PKCS11 Token after logout. + +The 3 new attributes for the SunPKCS11 provider configuration file +are: + +1) `destroyTokenAfterLogout` (boolean, defaults to false) + +If set to true, when `java.security.AuthProvider.logout()` is called +upon the SunPKCS11 provider instance, the underlying Token object will +be destroyed and resources will be freed. This essentially renders the +SunPKCS11 provider instance unusable after `logout()` calls. Note that +a PKCS11 provider with this attribute set to `true` should not be +added to the system provider list since the provider object is not +usable after a `logout()` method call. + +2) `cleaner.shortInterval` (integer, defaults to 2000, in milliseconds) + +This defines the frequency for clearing native references during busy +periods (such as, how often should the cleaner thread processes the +no-longer-needed native references in the queue to free up native +memory). Note that the cleaner thread will switch to the +'longInterval' frequency after 200 failed tries (such as, when no +references are found in the queue). + +3) `cleaner.longInterval` (integer, defaults to 60000, in milliseconds) + +This defines the frequency for checking native reference during +non-busy period (such as, how often should the cleaner thread check +the queue for native references). Note that the cleaner thread will +switch back to the 'shortInterval' value if native PKCS11 references +for cleaning are detected. + +core-libs/java.nio: + +JDK-8271517: Zip File System Provider Throws ZipException when entry name element contains "." or "." +===================================================================================================== +The ZIP file system provider has been changed to reject existing ZIP +files that contain entries with "." or ".." in name elements. ZIP +files with these entries can not be used as a file system. Invoking +the `java.nio.file.FileSystems.newFileSystem(...)` methods will throw +`ZipException` if the ZIP file contains these entries. + +security-libs/java.security: + +JDK-8272535: Removed Google's GlobalSign Root Certificate +========================================================= +The following root certificate from Google has been removed from the +`cacerts` keystore: + +Alias Name: globalsignr2ca [jdk] +Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 + +core-libs/java.time: + +JDK-8274857: Update Timezone Data to 2021c +=========================================== +IANA Time Zone Database, on which JDK's Date/Time libraries are based, +has been updated to version 2021c +(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note +that with this update, some of the time zone rules prior to the year +1970 have been modified according to the changes which were introduced +with 2021b. For more detail, refer to the announcement of 2021b +(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html) + +New in release OpenJDK 11.0.13 (2021-10-19): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11013 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.13.txt + +* Security fixes + - JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference + - JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close + - JDK-8263314: Enhance XML Dsig modes + - JDK-8265167, CVE-2021-35556: Richer Text Editors + - JDK-8265574: Improve handling of sheets + - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit + - JDK-8265776: Improve Stream handling for SSL + - JDK-8266097, CVE-2021-35561: Better hashing support + - JDK-8266103: Better specified spec values + - JDK-8266109: More Resilient Classloading + - JDK-8266115: More Manifest Jar Loading + - JDK-8266137, CVE-2021-35564: Improve Keystore integrity + - JDK-8266689, CVE-2021-35567: More Constrained Delegation + - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic + - JDK-8267712: Better LDAP reference processing + - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking + - JDK-8267735, CVE-2021-35586: Better BMP support + - JDK-8268193: Improve requests of certificates + - JDK-8268199: Correct certificate requests + - JDK-8268205: Enhance DTLS client handshake + - JDK-8268506: More Manifest Digests + - JDK-8269618, CVE-2021-35603: Better session identification + - JDK-8269624: Enhance method selection support + - JDK-8270398: Enhance canonicalization + - JDK-8270404: Better canonicalization +* Other changes + - JDK-8024368: private methods are allocated vtable indices + - JDK-8042902: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails intermittently + - JDK-8140466: ChaCha20 and Poly1305 TLS Cipher Suites + - JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream + - JDK-8158066: SourceDebugExtensionTest fails to rename file + - JDK-8168304: Make all of DependencyContext_test available in product mode + - JDK-8169246: java/net/DatagramSocket/ReportSocketClosed.java fails intermittently with BindException + - JDK-8181313: SA: Remove libthread_db dependency on Linux + - JDK-8193214: Incorrect annotations.without.processors warnings with JDK 9 + - JDK-8194230: jdk/internal/jrtfs/remote/RemoteRuntimeImageTest.java fails with java.lang.NullPointerException + - JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails + - JDK-8199931: java/net/MulticastSocket/UnreferencedMulticastSockets.java fails with "incorrect data received" + - JDK-8206083: Make tools/javac/api/T6265137.java robust to JDK version changes + - JDK-8206350: java/util/Locale/bcp47u/SystemPropertyTests.java failed on Mac 10.13 with zh_CN and zh_TW locales. + - JDK-8207316: java/nio/channels/spi/SelectorProvider/inheritedChannel/InheritedChannelTest.java failed + - JDK-8208227: tools/jdeps/DotFileTest.java fails on Win-X64 + - JDK-8208363: test/jdk/java/lang/Package/PackageFromManifest.java missing module dependencies declaration + - JDK-8209380: ARM: cleanup maybe-uninitialized and reorder compiler warnings + - JDK-8209768: Refactor java/util/prefs/CheckUserPrefsStorage.sh to plain java test + - JDK-8209772: Refactor shell test java/util/ServiceLoader/basic/basic.sh to java + - JDK-8209773: Refactor shell test javax/naming/module/basic.sh to java + - JDK-8209832: Refactor jdk/internal/reflect/Reflection/GetCallerClassTest.sh to plain java test + - JDK-8209930: Refactor java/util/zip/ZipFile/deletetempjar.sh to plain java test + - JDK-8210406: Refactor java.util.PluggableLocale:i18n shell tests to plain java tests + - JDK-8210407: Refactor java.util.Calendar:i18n shell tests to plain java tests + - JDK-8210495: compiler crashes because of illegal signature in otherwise legal code + - JDK-8210669: Some launcher tests assume a pre-JDK 9 run-time image layout + - JDK-8210802: temp files left by tests in jdk/java/net/httpclient + - JDK-8210819: Update the host name in CNameTest.java + - JDK-8210908: Refactor java/util/prefs/PrefsSpi.sh to plain java test + - JDK-8210934: Move sun/net/www/protocol/http/GetErrorStream.java to OpenJDK + - JDK-8210959: JShell fails and exits when statement throws an exception whose message contains a '%'. + - JDK-8211055: Provide print to a file (PDF) feature even when printer was not connected + - JDK-8211092: test/jdk/sun/net/www/http/HttpClient/MultiThreadTest.java fails intermittently when cleaning up + - JDK-8211296: Remove HotSpot deprecation warning suppression for Mac/clang + - JDK-8211325: test/jdk/java/net/Socket/LingerTest.java fails with cleaning up + - JDK-8212040: Compilation error due to wrong usage of NSPrintJobDispositionValue in mac10.12 + - JDK-8212695: Add explicit timeout to several HTTP Client tests + - JDK-8212718: Refactor some annotation processor tests to better use collections + - JDK-8213007: Update the link in test/jdk/sun/security/provider/SecureRandom/DrbgCavp.java + - JDK-8213137: Remove static initialization of monitor/mutex instances + - JDK-8213235: java/nio/channels/SocketChannel/AsyncCloseChannel.java fails with threads that didn't exit + - JDK-8213409: Refactor sun.text.IntHashtable:i18n shell tests to plain java tests + - JDK-8213576: Make test AsyncCloseChannel.java run in othervm + - JDK-8213694: Test Timeout.java should run in othervm mode + - JDK-8213718: [TEST] Wrong classname in vmTestbase/nsk/stress/except/except002 and except003 + - JDK-8213922: fix ctw stand-alone build + - JDK-8214195: Align stdout messages in test/jdk/java/math/BigInteger/PrimitiveConversionTests.java + - JDK-8214520: [TEST_BUG] sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java failed with incorrect jtreg tags order + - JDK-8214937: sun/security/tools/jarsigner/warnings/NoTimestampTest.java failed due to unexpected expiration date + - JDK-8216532: tools/launcher/Test7029048.java fails (Solaris) + - JDK-8217825: Verify @AfterTest is used correctly in WebSocket tests + - JDK-8218145: block_if_requested is not proper inlined due to size + - JDK-8219417: bump jtreg requiredVersion to b14 + - JDK-8219552: bump jtreg requiredVersion to b14 in test/jdk/sanity/client/ + - JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException + - JDK-8220445: Support for side by side MSVC Toolset versions + - JDK-8221988: add possibility to build with Visual Studio 2019 + - JDK-8222751: closed/test/jdk/sun/security/util/DerIndefLenConverter/IndefBerPkcs12.java fail + - JDK-8223050: JVMCI: findUniqueConcreteMethod() should not use Dependencies::find_unique_concrete_method() for non-virtual methods + - JDK-8224853: CDS address sanitizer errors + - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 + - JDK-8225583: Examine the HttpResponse.BodySubscribers for null handling and multiple subscriptions + - JDK-8225690: Multiple AttachListener threads can be created + - JDK-8225790: Two NestedDialogs tests fail on Ubuntu + - JDK-8226319: Add forgotten test/jdk/java/net/httpclient/BodySubscribersTest.java + - JDK-8226533: JVMCI: findUniqueConcreteMethod should handle statically bindable methods directly + - JDK-8226602: Test convenience reactive primitives from java.net.http with RS TCK + - JDK-8226683: Remove review suggestion from fix to 8219804 + - JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134" + - JDK-8227766: CheckUnhandledOops is broken in MemAllocator + - JDK-8227815: Minimal VM: set_state is not a member of AttachListener + - JDK-8230674: Heap dumps should exclude dormant CDS archived objects of unloaded classes + - JDK-8230808: Remove Access::equals() + - JDK-8230841: Remove oopDesc::equals() + - JDK-8231717: Improve performance of charset decoding when charset is always compactable + - JDK-8232243: Wrong caret position in JTextPane on Windows with a screen resolution > 100% + - JDK-8232782: Shenandoah: streamline post-LRB CAS barrier (aarch64) + - JDK-8233790: Forward output from heap dumper to jcmd/jmap + - JDK-8233989: Create an IPv4 version of java/net/MulticastSocket/SetLoopbackMode.java + - JDK-8234510: Remove file seeking requirement for writing a heap dump + - JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file + - JDK-8235216: typo in test filename + - JDK-8235866: bump jtreg requiredVersion to 4.2b16 + - JDK-8236111: narrow allowSmartActionArgs disabling + - JDK-8236413: AbstractConnectTimeout should tolerate both NoRouteToHostException and UnresolvedAddressException + - JDK-8236671: NullPointerException in JKS keystore + - JDK-8238930: problem list compiler/c2/Test8004741.java + - JDK-8238943: switch to jtreg 5.0 + - JDK-8240555: Using env of JAVA_TOOL_OPTIONS and _JAVA_OPTIONS breaks QuietOption.java test + - JDK-8240983: Incorrect copyright header in Apache Santuario 2.1.3 files + - JDK-8241336: Some java.net tests failed with NoRouteToHostException on MacOS with special network configuration + - JDK-8241353: NPE in ToolProvider.getSystemJavaCompiler + - JDK-8241768: git needs .gitattributes + - JDK-8242882: opening jar file with large manifest might throw NegativeArraySizeException + - JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty" + - JDK-8245134: test/lib/jdk/test/lib/security/KeyStoreUtils.java should allow to specify aliases + - JDK-8246261: TCKLocalTime.java failed due to "AssertionError: expected [18:14:22] but found [18:14:23]" + - JDK-8246387: switch to jtreg 5.1 + - JDK-8247421: [TESTBUG] ReturnBlobToWrongHeapTest.java failed allocating blob + - JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available + - JDK-8248352: [TEST_BUG] Test test/jdk/java/awt/font/TextLayout/ArabicDiacriticTest.java can leave frame open + - JDK-8248403: AArch64: Remove uses of kernel integer types + - JDK-8248414: AArch64: Remove uses of long and unsigned long ints + - JDK-8248657: Windows: strengthening in ThreadCritical regarding memory model + - JDK-8248666: AArch64: Use THREAD_LOCAL instead of __thread + - JDK-8248668: AArch64: Avoid MIN/MAX macros when using MSVC + - JDK-8248671: AArch64: Remove unused variables + - JDK-8248682: AArch64: Use ATTRIBUTE_ALIGNED helper + - JDK-8248816: C1: Fix signature conflict in LIRGenerator::strength_reduce_multiply + - JDK-8249095: tools/javac/launcher/SourceLauncherTest.java fails on Windows + - JDK-8249548: backward focus traversal gets stuck in button group + - JDK-8249773: Upgrade ReceiveISA.java test to be resilient to failure due to stray packets and interference + - JDK-8249897: jdk/javadoc/tool/LangVers.java uses @ignore w/o bug-id + - JDK-8249898: jdk/javadoc/tool/6176978/T6176978.java uses @ignore w/o bug-id + - JDK-8249899: jdk/javadoc/tool/InlineTagsWithBraces.java uses @ignore w/o bug-id + - JDK-8250588: Shenandoah: LRB needs to save/restore fp registers for runtime call + - JDK-8250824: AArch64: follow up for JDK-8248414 + - JDK-8251166: Add automated testcases for changes done in JDK-8214112 + - JDK-8251252: Add automated testcase for fix done in JDK-8214253 + - JDK-8251254: Add automated test for fix done in JDK-8218472 + - JDK-8251361: Potential race between Logger configuration and GCs in HttpURLConWithProxy test + - JDK-8251549: Update docs on building for Git + - JDK-8251945: SIGSEGV in PackageEntry::purge_qualified_exports() + - JDK-8252194: Add automated test for fix done in JDK-8218469 + - JDK-8252648: Shenandoah: name gang tasks consistently + - JDK-8252825: Add automated test for fix done in JDK-8218479 + - JDK-8252853: AArch64: gc/shenandoah/TestVerifyJCStress.java fails intermittently with C1 + - JDK-8252857: AArch64: Shenandoah C1 CAS is not sequentially consistent + - JDK-8253048: AArch64: When CallLeaf, no need to preserve callee-saved registers in caller + - JDK-8253424: Add support for running pre-submit testing using GitHub Actions + - JDK-8253631: Remove unimplemented CompileBroker methods after JEP-165 + - JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably + - JDK-8253899: Make IsClassUnloadingEnabled signature match specification + - JDK-8254024: Enhance native libs for AWT and Swing to work with GraalVM Native Image + - JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command + - JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow + - JDK-8254175: Build no-pch configuration in debug mode for submit checks + - JDK-8254244: Some code emitted by TemplateTable::branch is unused when running TieredCompilation + - JDK-8254270: linux 32 bit build doesn't compile libjdwp/log_messages.c + - JDK-8254282: Add Linux x86_32 builds to submit workflow + - JDK-8254850: Update terminology in java.awt.GridBagLayout source code comments + - JDK-8255255: Update Apache Santuario (XML Signature) to version 2.2.1 + - JDK-8255305: Add Linux x86_32 tier1 to submit workflow + - JDK-8255352: Archive important test outputs in submit workflow + - JDK-8255373: Submit workflow artifact name is always "test-results_.zip" + - JDK-8255452: Doing GC during JVMTI MethodExit event posting breaks return oop + - JDK-8255718: Zero: VM should know it runs in interpreter-only mode + - JDK-8255790: GTKL&F: Java 16 crashes on initialising GTKL&F on Manjaro Linux + - JDK-8255810: Zero: build fails without JVMTI + - JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch + - JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow + - JDK-8256215: Shenandoah: re-organize saving/restoring machine state in assembler code + - JDK-8256267: Relax compiler/floatingpoint/NaNTest.java for x86_32 and lower -XX:+UseSSE + - JDK-8256277: Github Action build on macOS should define OS and Xcode versions + - JDK-8256354: Github Action build on Windows should define OS and MSVC versions + - JDK-8256393: Github Actions build on Linux should define OS and GCC versions + - JDK-8256414: add optimized build to submit workflow + - JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing + - JDK-8257056: Submit workflow should apt-get update to avoid package installation errors + - JDK-8257148: Remove obsolete code in AWTView.m + - JDK-8257497: Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280 + - JDK-8257620: Do not use objc_msgSend_stret to get macOS version + - JDK-8257913: Add more known library locations to simplify Linux cross-compilation + - JDK-8258703: Incorrect 512-bit vector registers restore on x86_32 + - JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test + - JDK-8259535: ECDSA SignatureValue do not always have the specified length + - JDK-8259679: GitHub actions should use MSVC 14.28 + - JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386" + - JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386" + - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*) + - JDK-8260923: Add more tests for SSLSocket input/output shutdown + - JDK-8261072: AArch64: Fix MacroAssembler::get_thread convention + - JDK-8261147: C2: Node is wrongly marked as reduction resulting in a wrong execution due to wrong vector instructions + - JDK-8261238: NMT should not limit baselining by size threshold + - JDK-8261496: Shenandoah: reconsider pacing updates memory ordering + - JDK-8261652: Remove some dead comments from os_bsd_x86 + - JDK-8261846: [JVMCI] c2v_iterateFrames can get out of sync with the StackFrameStream + - JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space" + - JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info. + - JDK-8262392: Update Mesa 3-D Headers to version 21.0.3 + - JDK-8262409: sun/security/ssl/SSLSocketImpl/SSLSocketImplThrowsWrongExceptions. SSL test failures caused by java failed with "Server reported the wrong exception" + - JDK-8262470: Printed GlyphVector outline with low DPI has bad quality on Windows + - JDK-8262862: Harden tests sun/security/x509/URICertStore/ExtensionsWithLDAP.java and krb5/canonicalize/Test.java + - JDK-8263136: C4530 was reported from VS 2019 at access bridge + - JDK-8263227: C2: inconsistent spilling due to dead nodes in exception block + - JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers" + - JDK-8263407: SPARC64 detection fails on Athena (SPARC64-X) + - JDK-8263432: javac may report an invalid package/class clash on case insensitive filesystems + - JDK-8263490: [macos] Crash occurs on JPasswordField with activated InputMethod + - JDK-8263531: Remove unused buffer int + - JDK-8263667: Avoid running GitHub actions on branches named pr/* + - JDK-8263776: [JVMCI] add helper to perform Java upcalls + - JDK-8264016: [JVMCI] add some thread local fields for use by JVMCI + - JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M + - JDK-8265132: C2 compilation fails with assert "missing precedence edge" + - JDK-8265231: (fc) ReadDirect and WriteDirect tests fail after fix for JDK-8264821 + - JDK-8265335: Epsilon: Minor typo in EpsilonElasticTLABDecay description + - JDK-8265756: AArch64: initialize memory allocated for locals according to Windows AArch64 stack page growth requirement in template interpreter + - JDK-8265761: Font with missed font family name is not properly printed on Windows + - JDK-8265773: incorrect jdeps message "jdk8internals" to describe a removed JDK internal API + - JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container + - JDK-8266018: Shenandoah: fix an incorrect assert + - JDK-8266206: Build failure after JDK-8264752 with older GCCs + - JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5 + - JDK-8266288: assert root method not found in witnessed_reabstraction_in_supers is too strong + - JDK-8266404: Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report + - JDK-8266480: Implicit null check optimization does not update control of hoisted memory operation + - JDK-8266615: C2 incorrectly folds subtype checks involving an interface array + - JDK-8266642: Improve ResolvedMethodTable hash function + - JDK-8266749: AArch64: Backtracing broken on PAC enabled systems + - JDK-8266761: AssertionError in sun.net.httpserver.ServerImpl.responseCompleted + - JDK-8266813: Shenandoah: Use shorter instruction sequence for checking if marking in progress + - JDK-8267042: bug in monitor locking/unlocking on ARM32 C1 due to uninitialized BasicObjectLock::_displaced_header + - JDK-8267348: Rewrite gc/epsilon/TestClasses.java to use Metaspace with less classes + - JDK-8267396: Avoid recording "pc" in unhandled oops detector for better performance + - JDK-8267399: C2: java/text/Normalizer/ConformanceTest.java test failed with assertion + - JDK-8267424: CTW: C1 fails with "State must not be null" + - JDK-8267459: Pasting Unicode characters into JShell does not work. + - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type + - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file + - JDK-8267695: Bump update version for OpenJDK: jdk-11.0.13 + - JDK-8267751: (test) jtreg.SkippedException has no serial VersionUID + - JDK-8267773: PhaseStringOpts::int_stringSize doesn't handle min_jint correctly + - JDK-8268103: JNI functions incorrectly return a double after JDK-8265836 + - JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size + - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. + - JDK-8268347: C2: nested locks optimization may create unbalanced monitor enter/exit code + - JDK-8268360: Missing check for infinite loop during node placement + - JDK-8268362: [REDO] C2 crash when compile negative Arrays.copyOf length after loop + - JDK-8268366: Incorrect calculation of has_fpu_registers in C1 linear scan + - JDK-8268369: SIGSEGV in PhaseCFG::implicit_null_check due to missing null check + - JDK-8268417: Add test from JDK-8268360 + - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance + - JDK-8268617: [11u REDO] - WebSocket over authenticating proxy fails with NPE + - JDK-8268620: InfiniteLoopException test may fail on x86 platforms + - JDK-8268635: Corrupt oop in ClassLoaderData + - JDK-8268699: Shenandoah: Add test for JDK-8268127 + - JDK-8268771: javadoc -notimestamp option does not work on index.html + - JDK-8268775: Password is being converted to String in AccessibleJPasswordField + - JDK-8268776: Test `ADatagramSocket.java` missing /othervm from @run tag + - JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server + - JDK-8269304: Regression ~5% in 2005 in b27 + - JDK-8269415: [11u] Remove ea from DEFAULT_PROMOTED_VERSION_PRE in OpenJDK 11u + - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient + - JDK-8269529: javax/swing/reliability/HangDuringStaticInitialization.java fails in Windows debug build + - JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark + - JDK-8269614: [s390] Interpreter checks wrong bit for slow path instance allocation + - JDK-8269650: Optimize gc-locker in [Get|Release]StringCritical for latin string + - JDK-8269661: JNI_GetStringCritical does not lock char array + - JDK-8269668: [aarch64] java.library.path not including /usr/lib64 + - JDK-8269763: The JEditorPane is blank after JDK-8265167 + - JDK-8269795: C2: Out of bounds array load floats above its range check in loop peeling resulting in SEGV + - JDK-8269847: JDK-8269594 backport breaks 11u builds + - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0 + - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers + - JDK-8269882: stack-use-after-scope in NewObjectA + - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status + - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode + - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup + - JDK-8270184: [TESTBUG] Add coverage for jvmci ResolvedJavaType.toJavaName() for lambdas + - JDK-8270196: [11u] [JVMCI] JavaType.toJavaName() returns incorrect type name for lambdas + - JDK-8270556: Exclude security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA + - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file + - JDK-8272078: Wrong Checksums in Temurin BootJDK dependencies + - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon + - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj + - JDK-8272197: Update 11u GHA workflow with Shenandoah configurations + - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 + - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 + - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used + - JDK-8272628: Problemlist gc/stress/gcbasher/TestGCBasherWithCMS.java for x86_32 + - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 + - JDK-8272772: Shenandoah: compiler/c2/aarch64/TestVolatilesShenandoah.java fails in 11u + - JDK-8273939: Backport of 8248414 to JDK11 breaks MacroAssembler::adrp + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8271434: Removed IdenTrust Root Certificate +=============================================== +The following root certificate from IdenTrust has been removed from +the `cacerts` keystore: + +Alias Name: identrustdstx3 [jdk] +Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. + +JDK-8261922: Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280 +===================================================================================================== +The `gencert` command of the `keytool` utility has been updated to +create AKID from the SKID of the issuing certificate as specified by +RFC 5280. + +security-libs/javax.net.ssl: + +JDK-8210799: ChaCha20 and Poly1305 TLS Cipher Suites +==================================================== +New TLS cipher suites using the `ChaCha20-Poly1305` algorithm have +been added to JSSE. These cipher suites are enabled by default. The +TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3. +The following cipher suites are available for TLS 1.2: + +* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 +* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 +* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + +Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for +details on these new TLS cipher suites. + +JDK-8219551: Updated the Default Enabled Cipher Suites Preference +================================================================= +The preference of the default enabled cipher suites has been +changed. The compatibility impact should be minimal. If needed, +applications can customize the enabled cipher suites and the +preference. For more details, refer to the SunJSSE provider +documentation and the JSSE Reference Guide documentation. + +New in release OpenJDK 11.0.12 (2021-07-20): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11012 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.12.txt + +* Security fixes + - JDK-8256157: Improve bytecode assembly + - JDK-8256491: Better HTTP transport + - JDK-8258432, CVE-2021-2341: Improve file transfers + - JDK-8260453: Improve Font Bounding + - JDK-8260960: Signs of jarsigner signing + - JDK-8260967, CVE-2021-2369: Better jar file validation + - JDK-8262380: Enhance XML processing passes + - JDK-8262403: Enhanced data transfer + - JDK-8262410: Enhanced rules for zones + - JDK-8262477: Enhance String Conclusions + - JDK-8262967: Improve Zip file support + - JDK-8264066, CVE-2021-2388: Enhance compiler validation + - JDK-8264079: Improve abstractions + - JDK-8264460: Improve NTLM support +* Other changes + - JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit + - JDK-7106851: Test should not use System.exit + - JDK-8073446: TimeZone getOffset API does not return a dst offset between years 2038-2137 + - JDK-8076190: Customizing the generation of a PKCS12 keystore + - JDK-8153005: Upgrade the default PKCS12 encryption/MAC algorithms + - JDK-8171303: sun/java2d/pipe/InterpolationQualityTest.java fails on Windows & Linux + - JDK-8177068: incomplete classpath causes NPE in Flow + - JDK-8185734: [Windows] Structured Exception Catcher missing around gtest execution + - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll + - JDK-8190763: Class cast exception on (CompoundEdit) UndoableEditEvent.getEdit() + - JDK-8195841: PNGImageReader.readNullTerminatedString() doesnt check for non-null terminated strings with length equal to maxLen + - JDK-8196100: javax/swing/text/JTextComponent/5074573/bug5074573.java fails + - JDK-8199646: JShell tests: jdk/jshell/FailOverDirectExecutionControlTest.java failed with java.lang.UnsupportedOperationException + - JDK-8206925: Support the certificate_authorities extension + - JDK-8207160: ClassReader::adjustMethodParams can potentially return null if the args list is empty + - JDK-8207247: AARCH64: Enable Minimal and Client VM builds + - JDK-8207404: MulticastSocket tests failing on AIX + - JDK-8207779: Method::is_valid_method() compares 'this' with NULL + - JDK-8208061: runtime/LoadClass/TestResize.java fails with "Load factor too high" when running in CDS mode. + - JDK-8209459: TestSHA512MultiBlockIntrinsics failed on AArch64 + - JDK-8210443: Migrate Locale matching tests to JDK Repo. + - JDK-8213231: ThreadSnapshot::_threadObj can become stale + - JDK-8213483: ARM32: runtime/ErrorHandling/ShowRegistersOnAssertTest.java jtreg test fail + - JDK-8213725: JShell NullPointerException due to class file with unexpected package + - JDK-8213794: ARM32: disable TypeProfiling, CriticalJNINatives, Serviceablity tests for ARM32 + - JDK-8213845: ARM32: Interpreter doesn't call result handler after native calls + - JDK-8214128: ARM32: wrong stack alignment on Deoptimization::unpack_frames + - JDK-8214512: ARM32: Jtreg test compiler/c2/Test8062950.java fails on ARM + - JDK-8214854: JDWP: Unforseen output truncation in logging + - JDK-8214922: Add vectorization support for fmin/fmax + - JDK-8215009: GCC 8 compilation error in libjli + - JDK-8216184: CDS/appCDS tests failed on Windows due to long path to a classlist file + - JDK-8216259: AArch64: Vectorize Adler32 intrinsics + - JDK-8216314: SIGILL in CodeHeapState::print_names() + - JDK-8217348: assert(thread->is_Java_thread()) failed: just checking + - JDK-8217465: [REDO] - Optimize CodeHeap Analytics + - JDK-8217561: X86: Add floating-point Math.min/max intrinsics + - JDK-8217918: C2: -XX:+AggressiveUnboxing is broken + - JDK-8218458: [TESTBUG] runtime/NMT/CheckForProperDetailStackTrace.java fails with Expected stack trace missing from output + - JDK-8219142: Remove unused JIMAGE_ResourcePath + - JDK-8219586: CodeHeap State Analytics processes dead nmethods + - JDK-8220074: Clean up GCC 8.3 errors in LittleCMS + - JDK-8220407: compiler/intrinsics/math/TestFpMinMaxIntrinsics.java timedout + - JDK-8222302: [TESTBUG]test/hotspot/jtreg/compiler/intrinsics/sha/cli/TestUseSHAOptionOnUnsupportedCPU.java fails on any other CPU + - JDK-8222412: AARCH64: multiple instructions encoding issues + - JDK-8223020: aarch64: expand minI_rReg and maxI_rReg patterns into separate instructions + - JDK-8223444: Improve CodeHeap Free Space Management + - JDK-8223504: Improve performance of forall loops by better inlining of "iterator()" methods + - JDK-8223667: ASAN build broken + - JDK-8225081: Remove Telia Company CA certificate expiring in April 2021 + - JDK-8225116: Test OwnedWindowsLeak.java intermittently fails + - JDK-8225438: javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java failed with Read timed out + - JDK-8225756: [testbug] compiler/loopstripmining/CheckLoopStripMining.java sets too short a SafepointTimeoutDelay + - JDK-8226374: Restrict TLS signature schemes and named groups + - JDK-8226627: assert(t->singleton()) failed: must be a constant + - JDK-8226721: Missing intrinsics for Math.ceil, floor, rint + - JDK-8227080: (fs) Files.newInputStream(...).skip(n) is slow + - JDK-8227222: vmTestbase/jit/FloatingPoint/gen_math/Loops04/Loops04.java failed XMM register should be 0-15 + - JDK-8227609: (fs) Files.newInputStream(...).skip(n) should allow skipping beyond file size + - JDK-8230428: Cleanup dead CastIP node code in formssel.cpp + - JDK-8231460: Performance issue (CodeHeap) with large free blocks + - JDK-8231713: x86_32 build failures after JDK-8226721 (Missing intrinsics for Math.ceil, floor, rint) + - JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns + - JDK-8232084: HotSpot build failed with GCC 9.2.1 + - JDK-8232591: AArch64: Add missing match rules for smaddl, smsubl and smnegl + - JDK-8233185: HttpServer.stop() blocks indefinitely when called on dispatch thread + - JDK-8233787: Break cycle in vm_version* includes + - JDK-8233948: AArch64: Incorrect mapping between OptoReg and VMReg for high 64 bits of Vector Register + - JDK-8234355: Buffer overflow in jcmd GC.class_stats due to too many classes + - JDK-8235368: Update BCEL to Version 6.4.1 + - JDK-8236859: WebSocket over authenticating proxy fails with NPE + - JDK-8236992: AArch64: remove redundant load_klass in itable stub + - JDK-8237743: test/langtools/jdk/jshell/FailOverExecutionControlTest.java fails No ExecutionControlProvider with name 'nonExistent' and parameter keys: [] + - JDK-8237804: sun/security/mscapi tests fail with "Key pair not generated, alias already exists" + - JDK-8238175: CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class + - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers + - JDK-8238812: assert(false) failed: bad AD file + - JDK-8239312: [macos] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java + - JDK-8239386: handle ContendedPaddingWidth in vm_version_aarch64 + - JDK-8239536: Can't use `java.util.List` object after importing `java.awt.List` + - JDK-8240487: Cleanup whitespace in .cc, .hh, .m, and .mm files + - JDK-8240848: ArrayIndexOutOfBoundsException buf for TextCallbackHandler + - JDK-8241082: Upgrade IANA Language Subtag Registry data to 03-16-2020 version + - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873 + - JDK-8241101: [s390] jtreg test failure after JDK-8238696: not conformant features string + - JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) + - JDK-8241372: Several test failures due to javax.net.ssl.SSLException: Connection reset + - JDK-8241475: AArch64: Add missing support for PopCountVI node + - JDK-8241829: Cleanup the code for PrinterJob on windows + - JDK-8241960: The SHA3 message digests impl of SUN provider are not thread safe after cloned + - JDK-8242010: Upgrade IANA Language Subtag Registry to Version 2020-04-01 + - JDK-8242429: Better implementation for sign extract + - JDK-8242557: Add length limit for strings in PNGImageWriter + - JDK-8242919: Paste locks up jshell + - JDK-8243155: AArch64: Add support for SqrtVF + - JDK-8243240: AArch64: Add support for MulVB + - JDK-8243452: JFR: Could not create chunk in repository with over 200 recordings + - JDK-8243559: Remove root certificates with 1024-bit keys + - JDK-8243597: AArch64: Add support for integer vector abs + - JDK-8244031: HttpClient should have more tests for HEAD requests + - JDK-8244205: HTTP/2 tunnel connections through proxy may be reused regardless of which proxy is selected + - JDK-8244847: Linux/PPC: runtime/CompressedOops/CompressedClassPointers: smallHeapTest fails + - JDK-8245511: G1 adaptive IHOP does not account for reclamation of humongous objects by young GC + - JDK-8246274: G1 old gen allocation tracking is not in a separate class + - JDK-8247354: [aarch64] PopFrame causes assert(oopDesc::is_oop(obj)) failed: not an oop + - JDK-8247408: IdealGraph bit check expression canonicalization + - JDK-8247432: Update IANA Language Subtag Registry to Version 2020-09-29 + - JDK-8247438: JShell: When FailOverExecutionControlProvider fails the proximal cause is not shown + - JDK-8247753: UIManager.getSytemLookAndFeelClassName() returns wrong value on Fedora 32 + - JDK-8248043: Need to eliminate excessive i2l conversions + - JDK-8248411: [aarch64] Insufficient error handling when CodeBuffer is exhausted + - JDK-8248568: compiler/c2/TestBit.java failed: test missing from stdout/stderr + - JDK-8248870: AARCH64: I2L/L2I conversions can be skipped for masked positive values + - JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable + - JDK-8249189: AARCH64: more L2I conversions can be skipped + - JDK-8249719: MethodHandle performance suffers from bad ResolvedMethodTable hash function + - JDK-8249875: GCC 10 warnings -Wtype-limits with JFR code + - JDK-8250635: MethodArityHistogram should use Compile_lock in favour of fancy checks + - JDK-8250876: Fix issues with cross-compile on macos + - JDK-8251031: Some vmTestbase/nsk/monitoring/RuntimeMXBean tests fail with hostnames starting from digits + - JDK-8251525: AARCH64: Faster Math.signum(fp) + - JDK-8252259: AArch64: Adjust default value of FLOATPRESSURE + - JDK-8252311: AArch64: save two words in itable lookup stub + - JDK-8252779: compiler/graalunit/HotspotTest.java failed after 8251525 + - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows + - JDK-8253167: ARM32 builds fail after JDK-8247910 + - JDK-8253572: [windows] CDS archive may fail to open with long file names + - JDK-8253923: C2 doesn't always run loop opts for compilations that include loops + - JDK-8253948: Memory leak in ImageFileReader + - JDK-8254631: Better support ALPN byte wire values in SunJSSE + - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards + - JDK-8255086: Update the root locale display names + - JDK-8255625: AArch64: Implement Base64.encodeBlock accelerator/intrinsic + - JDK-8255763: C2: OSR miscompilation caused by invalid memory instruction placement + - JDK-8255992: JFR EventWriter does not use first string from StringPool with id 0 + - JDK-8256037: [TESTBUG] com/sun/jndi/dns/ConfigTests/PortUnreachable.java fails due to the hard coded threshold is small + - JDK-8256244: java/lang/ProcessHandle/PermissionTest.java fails with TestNG 7.1 + - JDK-8256287: [windows] add loop fuse to map_or_reserve_memory_aligned + - JDK-8256523: Streamline Java SHA2 implementation + - JDK-8257414: Drag n Drop target area is wrong on high DPI systems + - JDK-8257569: Failure observed with JfrVirtualMemory::initialize + - JDK-8257574: C2: "failed: parsing found no loops but there are some" assert failure + - JDK-8257580: Bump update version for OpenJDK: jdk-11.0.12 + - JDK-8257604: JNI_ArgumentPusherVaArg leaks valist + - JDK-8257621: JFR StringPool misses cached items across consecutive recordings + - JDK-8257796: [TESTBUG] TestUseSHA512IntrinsicsOptionOnSupportedCPU.java fails on x86_32 + - JDK-8257822: C2 crashes with SIGFPE due to a division that floats above its zero check + - JDK-8257828: SafeFetch may crash if invoked in non-JavaThreads + - JDK-8257853: Remove dependencies on JNF's JNI utility functions in AWT and 2D code + - JDK-8257858: [macOS]: Remove JNF dependency from libosxsecurity/KeystoreImpl.m + - JDK-8257860: [macOS]: Remove JNF dependency from libosxkrb5/SCDynamicStoreConfig.m + - JDK-8257988: Remove JNF dependency from libsaproc/MacosxDebuggerLocal.m + - JDK-8258414: OldObjectSample events too expensive + - JDK-8258505: [TESTBUG] TestDivZeroWithSplitIf.java fails due to missing UnlockDiagnosticVMOptions + - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues + - JDK-8259061: C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it + - JDK-8259227: C2 crashes with SIGFPE due to a division that floats above its zero check + - JDK-8259232: Bad JNI lookup during printing + - JDK-8259276: C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization + - JDK-8259343: [macOS] Update JNI error handling in Cocoa code. + - JDK-8259585: Accessible actions do not work on mac os x + - JDK-8259651: [macOS] Replace JNF_COCOA_ENTER/EXIT macros + - JDK-8259662: Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl + - JDK-8259710: Inlining trace leaks memory + - JDK-8259729: Missed JNFInstanceOf -> IsInstanceOf conversion + - JDK-8259777: Incorrect predication condition generated by ADLC + - JDK-8259786: initialize last parameter of getpwuid_r + - JDK-8259843: initialize dli_fname array before calling dll_address_to_library_name + - JDK-8259869: [macOS] Remove desktop module dependencies on JNF Reference APIs + - JDK-8259886: Improve SSL session cache performance and scalability + - JDK-8259983: do not use uninitialized expand_ms value in G1CollectedHeap::expand_heap_after_young_collection + - JDK-8260030: Improve stringStream buffer handling + - JDK-8260236: better init AnnotationCollector _contended_group + - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized + - JDK-8260284: C2: assert(_base == Int) failed: Not an Int + - JDK-8260380: Upgrade to LittleCMS 2.12 + - JDK-8260420: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint + - JDK-8260426: awt debug_mem.c DMem_AllocateBlock might leak memory + - JDK-8260432: allocateSpaceForGP in freetypeScaler.c might leak memory + - JDK-8260616: Removing remaining JNF dependencies in the java.desktop module + - JDK-8260653: Unreachable nodes keep speculative types alive + - JDK-8260707: java/lang/instrument/PremainClass/InheritAgent0100.java times out + - JDK-8260925: HttpsURLConnection does not work with other JSSE provider. + - JDK-8260926: Trace resource exhausted events unconditionally + - JDK-8261020: Wrong format parameter in create_emergency_chunk_path + - JDK-8261027: AArch64: Support for LSE atomics C++ HotSpot code + - JDK-8261167: print_process_memory_info add a close call after fopen + - JDK-8261170: Upgrade to freetype 2.10.4 + - JDK-8261198: [macOS] Incorrect JNI parameters in number conversion in A11Y code + - JDK-8261235: C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check + - JDK-8261261: The version extra fields needs to be overridable in jib-profiles.js + - JDK-8261262: Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION + - JDK-8261354: SIGSEGV at MethodIteratorHost + - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding + - JDK-8261397: try catch Method failing to work when dividing an integer by 0 + - JDK-8261422: Adjust problematic String.format calls in jdk/internal/util/Preconditions.java outOfBoundsMessage + - JDK-8261447: MethodInvocationCounters frequently run into overflow + - JDK-8261481: Cannot read Kerberos settings in dynamic store on macOS Big Sur + - JDK-8261505: Test test/hotspot/jtreg/gc/parallel/TestDynShrinkHeap.java killed by Linux OOM Killer + - JDK-8261601: free memory in early return in Java_sun_nio_ch_sctp_SctpChannelImpl_receive0 + - JDK-8261649: AArch64: Optimize LSE atomics in C++ code + - JDK-8261730: C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge + - JDK-8261752: Multiple GC test are missing memory requirements + - JDK-8261791: (sctp) handleSendFailed in SctpChannelImpl.c potential leaks + - JDK-8261812: C2 compilation fails with assert(!had_error) failed: bad dominance + - JDK-8261914: IfNode::fold_compares_helper faces non-canonicalized bool when running JRuby JSON workload + - JDK-8262093: java/util/concurrent/tck/JSR166TestCase.java failed "assert(false) failed: unexpected node" + - JDK-8262110: DST starts from incorrect time in 2038 + - JDK-8262121: [11u] Redo 8244287: JFR: Methods samples have line number 0 + - JDK-8262163: Extend settings printout in jcmd VM.metaspace + - JDK-8262295: C2: Out-of-Bounds Array Load from Clone Source + - JDK-8262298: G1BarrierSetC2::step_over_gc_barrier fails with assert "bad barrier shape" + - JDK-8262446: DragAndDrop hangs on Windows + - JDK-8262461: handle wcstombsdmp return value correctly in unix awt_InputMethod.c + - JDK-8262465: Very long compilation times and high memory consumption in C2 debug builds + - JDK-8262726: AArch64: C1 StubAssembler::call_RT can corrupt stack + - JDK-8262739: String inflation C2 intrinsic prevents insertion of anti-dependencies + - JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames() + - JDK-8262837: handle split_USE correctly + - JDK-8262900: ToolBasicTest fails to access HTTP server it starts + - JDK-8263260: [s390] Support latest hardware (z14 and z15) + - JDK-8263311: Watch registry changes for remote printers update instead of polling + - JDK-8263361: Incorrect arraycopy stub selected by C2 for SATB collectors + - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec + - JDK-8263425: AArch64: two potential bugs in C1 LIRGenerator::generate_address() + - JDK-8263448: CTW: fatal error: meet not symmetric + - JDK-8263504: Some OutputMachOpcodes fields are uninitialized + - JDK-8263557: Possible NULL dereference in Arena::destruct_contents() + - JDK-8263558: Possible NULL dereference in fast path arena free if ZapResourceArea is true + - JDK-8263676: AArch64: one potential bug in C1 LIRGenerator::generate_address() + - JDK-8263729: [test] divert spurious output away from stream under test in ProcessBuilder Basic test + - JDK-8263846: Bad JNI lookup getFocusOwner in accessibility code on Mac OS X + - JDK-8264047: Duplicate global variable 'jvm' in libjavajpeg and libawt + - JDK-8264096: slowdebug jvm crashes when StrInflatedCopy match rule is not supported + - JDK-8264151: ciMethod::ensure_method_data() should return false is loading resulted in empty state + - JDK-8264173: [s390] Improve Hardware Feature Detection And Reporting + - JDK-8264190: Harden TLS interop tests + - JDK-8264223: CodeHeap::verify fails extra_hops assertion in fastdebug test + - JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java + - JDK-8264360: Loop strip mining verification fails with "should be on the backedge" + - JDK-8264626: C1 should be able to inline excluded methods + - JDK-8264640: CMS ParScanClosure misses a barrier + - JDK-8264786: [macos] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched + - JDK-8264821: DirectIOTest fails on a system with large block size + - JDK-8264848: [macos] libjvm.dylib linker warning due to macOS version mismatch + - JDK-8264923: PNGImageWriter.write_zTXt throws Exception with a typo + - JDK-8264958: C2 compilation fails with assert "n is later than its clone" + - JDK-8265099: Revert backport to 11u of 8236859: WebSocket over authenticating proxy fails with NPE + - JDK-8265154: vinserti128 operand mix up for KNL platforms + - JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1 + - JDK-8265417: Backport of JDK-8249672 breaks Solaris x86 build + - JDK-8265421: java/lang/String/StringRepeat.java test is missing a memory requirement + - JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod + - JDK-8265537: x86 version string truncated after JDK-8249672 11u backport + - JDK-8265666: Enable AIX build platform to make external debug symbols + - JDK-8265677: CMS: CardTableBarrierSet::write_ref_array_work() lacks storestore barrier + - JDK-8265690: Use the latest Ubuntu base image version in Docker testing + - JDK-8265718: Build failure after JDK-8258414 11u backport + - JDK-8265750: Fatal error in safepoint.cpp after backport of 8258414 + - JDK-8265784: [C2] Hoisting of DecodeN leaves MachTemp inputs behind + - JDK-8265938: C2's conditional move optimization does not handle top Phi + - JDK-8266220: keytool still prompt for store password on a password-less pkcs12 file if -storetype pkcs12 is specified + - JDK-8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long" + - JDK-8266713: [AIX] Build failure after 11u backport of JDK-8247753 + - JDK-8266802: Shenandoah: Round up region size to page size unconditionally + - JDK-8266892: avoid maybe-uninitialized gcc warnings on linux s390x + - JDK-8266929: Unable to use algorithms from 3p providers + - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash + - JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC + - JDK-8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u + - JDK-8267641: [11u] 8227609 backport typo + - JDK-8267721: Enable sun/security/pkcs11 tests for Amazon Linux 2 AArch64 + - JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8215293: Customizing PKCS12 keystore Generation +=================================================== +New system and security properties have been added to enable users to +customize the generation of PKCS #12 keystores. This includes +algorithms and parameters for key protection, certificate protection, +and MacData. The detailed explanation and possible values for these +properties can be found in the "PKCS12 KeyStore properties" section of +the `java.security` file. + +Also, support for the following SHA-2 based HmacPBE algorithms has +been added to the SunJCE provider: + +* HmacPBESHA224 +* HmacPBESHA256 +* HmacPBESHA384 +* HmacPBESHA512 +* HmacPBESHA512/224 +* HmacPBESHA512/256 + +JDK-8256902: Removed Root Certificates with 1024-bit Keys +========================================================= +The following root certificates with weak 1024-bit RSA public keys +have been removed from the `cacerts` keystore: + +Alias Name: thawtepremiumserverca [jdk] +Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA + +Alias Name: verisignclass2g2ca [jdk] +Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US + +Alias Name: verisignclass3ca [jdk] +Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US + +Alias Name: verisignclass3g2ca [jdk] +Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US + +Alias Name: verisigntsaca [jdk] +Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA + +JDK-8261361: Removed Telia Company's Sonera Class2 CA certificate +================================================================= + +The following root certificate have been removed from the cacerts truststore: + +Alias Name: soneraclass2ca +Distinguished Name: CN=Sonera Class2 CA, O=Sonera, C=FI + +JDK-8242069: Upgraded the Default PKCS12 Encryption and MAC Algorithms +====================================================================== +The default encryption and MAC algorithms used in a PKCS #12 keystore +have been updated. The new algorithms are based on AES-256 and SHA-256 +and are stronger than the old algorithms that were based on RC2, +DESede, and SHA-1. See the security properties starting with +`keystore.pkcs12` in the `java.security` file for detailed +information. + +For compatibility, a new system property named +`keystore.pkcs12.legacy` is defined that will revert the algorithms to +use the older, weaker algorithms. There is no value defined for this +property. + +security-libs/javax.net.ssl: + +JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values +========================================================================================= +Certain TLS ALPN values couldn't be properly read or written by the +SunJSSE provider. This is due to the choice of Strings as the API +interface and the undocumented internal use of the UTF-8 Character Set +which converts characters larger than U+00007F (7-bit ASCII) into +multi-byte arrays that may not be expected by a peer. + +ALPN values are now represented using the network byte representation +expected by the peer, which should require no modification for +standard 7-bit ASCII-based character Strings. However, SunJSSE now +encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 +characters. This means applications that used characters above +U+000007F that were previously encoded using UTF-8 may need to either +be modified to perform the UTF-8 conversion, or set the Java security +property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior. + +See the updated guide at +https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html +for more information. + +JDK-8244460: Support for certificate_authorities Extension +========================================================== +The "certificate_authorities" extension is an optional extension +introduced in TLS 1.3. It is used to indicate the certificate +authorities (CAs) that an endpoint supports and should be used by the +receiving endpoint to guide certificate selection. + +With this JDK release, the "certificate_authorities" extension is +supported for TLS 1.3 in both the client and the server sides. This +extension is always present for client certificate selection, while it +is optional for server certificate selection. + +Applications can enable this extension for server certificate +selection by setting the `jdk.tls.client.enableCAExtension` system +property to `true`. The default value of the property is `false`. + +Note that if the client trusts more CAs than the size limit of the +extension (less than 2^16 bytes), the extension is not enabled. Also, +some server implementations do not allow handshake messages to exceed +2^14 bytes. Consequently, there may be interoperability issues when +`jdk.tls.client.enableCAExtension` is set to `true` and the client +trusts more CAs than the server implementation limit. + +New in release OpenJDK 11.0.11 (2021-04-20): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11011 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.11.txt + +* Security fixes + - JDK-8244473: Contextualize registration for JNDI + - JDK-8244543: Enhanced handling of abstract classes + - JDK-8249906, CVE-2021-2163: Enhance opening JARs + - JDK-8250568, CVE-2021-2161: Less ambiguous processing + - JDK-8253799: Make lists of normal filenames + - JDK-8257001: Improve Http Client Support +* Other changes + - JDK-7107012: sun.jvm.hotspot.code.CompressedReadStream readDouble() conversion to long mishandled + - JDK-7146776: deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection + - JDK-8086003: Test fails on OSX with java.lang.RuntimeException 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3' missing + - JDK-8168869: jdeps: localized messages don't use proper line breaks + - JDK-8180837: SunPKCS11-NSS tests failing with CKR_ATTRIBUTE_READ_ONLY and CKR_MECHANISM_PARAM_INVALID + - JDK-8202343: Disable TLS 1.0 and 1.1 + - JDK-8205992: jhsdb cannot attach to Java processes running in Docker containers + - JDK-8209193: Fix aarch64-linux compilation after -Wreorder changes + - JDK-8210413: AArch64: Optimize div/rem by constant in C1 + - JDK-8210578: AArch64: Invalid encoding for fmlsvs instruction + - JDK-8211051: jdeps usage of --dot-output doesn't provide valid output for modular jar + - JDK-8211057: Gensrc step CompileProperties generates unstable CompilerProperties output + - JDK-8211150: G1 Full GC not purging code root memory and hence causing memory leak + - JDK-8211825: ModuleLayer.defineModulesWithXXX does not setup delegation when module reads automatic module + - JDK-8212043: Add floating-point Math.min/max intrinsics + - JDK-8212218: [TESTBUG] runtime/ErrorHandling/TestHeapDumpOnOutOfMemoryErrorInMetaspace.java timed out + - JDK-8213116: javax/swing/JComboBox/WindowsComboBoxSize/WindowsComboBoxSizeTest.java fails in Windows + - JDK-8213909: jdeps --print-module-deps should report missing dependences + - JDK-8214180: Need better granularity for sleeping + - JDK-8214223: tools/jdeps/listdeps/ListModuleDeps.java failed due to missing Lib2 file + - JDK-8214230: Classes generated by SystemModulesPlugin.java are not reproducable + - JDK-8214741: docs/index.html has no title or copyright + - JDK-8215687: [Graal] unit test CheckGraalIntrinsics failed after 8212043 + - JDK-8217848: [Graal] vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted003/TestDescription.java fails + - JDK-8218482: sun/security/krb5/auto/ReplayCachePrecise.java failed - no KrbException thrown + - JDK-8218550: Add test omitted from JDK-8212043 + - JDK-8221584: SIGSEGV in os::PlatformEvent::unpark() in JvmtiRawMonitor::raw_exit while posting method exit event + - JDK-8221995: AARCH64: problems with CAS instructions encoding + - JDK-8222518: Remove unnecessary caching of Parker object in java.lang.Thread + - JDK-8222785: aarch64: add necessary masking for immediate shift counts + - JDK-8223186: HotSpot compile warnings from GCC 9 + - JDK-8225773: jdeps --check produces NPE if there are missing module dependences + - JDK-8225805: Java Access Bridge does not close the logger + - JDK-8226810: Failed to launch JVM because of NullPointerException occured on System.props + - JDK-8229396: jdeps ignores multi-release when generate-module-info used on command line + - JDK-8229474: Shenandoah: Cleanup CM::update_roots() + - JDK-8232225: Rework the fix for JDK-8071483 + - JDK-8232905: JFR fails with assertion: assert(t->unflushed_size() == 0) failed: invariant + - JDK-8233164: C2 fails with assert(phase->C->get_alias_index(t) == phase->C->get_alias_index(t_adr)) failed: correct memory chain + - JDK-8233910: java/awt/ColorClass/AlphaColorTest.java is failing intermittently in nightly lnux-x64 system + - JDK-8233912: aarch64: minor improvements of atomic operations + - JDK-8234508: VM_HeapWalkOperation::iterate_over_object reads non-strong fields with an on-strong load barrier + - JDK-8234742: Improve handshake logging + - JDK-8234796: Refactor Handshake::execute to take a more complex type than ThreadClosure + - JDK-8235324: Dying objects are published from users of CollectedHeap::object_iterate + - JDK-8235351: Lookup::unreflect should bind with the original caller independent of Method's accessible flag + - JDK-8237369: Shenandoah: failed vmTestbase/nsk/jvmti/AttachOnDemand/attach021/TestDescription.java test + - JDK-8237392: Shenandoah: Remove unreliable assertion + - JDK-8237483: AArch64 C1 OopMap inserted twice fatal error + - JDK-8237495: Java MIDI fails with a dereferenced memory error when asked to send a raw 0xF7 + - JDK-8239355: (dc) Initial value of SO_SNDBUF should allow sending large datagrams (macOS) + - JDK-8240353: AArch64: missing support for -XX:+ExtendedDTraceProbes in C1 + - JDK-8240704: CheckHandles.java failed "AssertionError: Handle use increased by more than 10 percent." + - JDK-8240751: Shenandoah: fold ShenandoahTracer definition + - JDK-8240795: [REDO] 8238384 CTW: C2 compilation fails with "assert(store != load->find_exact_control(load->in(0))) failed: dependence cycle found" + - JDK-8241598: Upgrade JLine to 3.14.0 + - JDK-8241649: Optimize Character.toString + - JDK-8241770: Module xxxAnnotation() methods throw NCDFE if module-info.class found as resource in unnamed module + - JDK-8241911: AArch64: Fix a potential register clash issue in reduce_add2I + - JDK-8242030: Wrong package declarations in jline classes after JDK-8241598 + - JDK-8242565: Policy initialization issues when the denyAfter constraint is enabled + - JDK-8243618: compiler/rtm/cli tests can be run w/o WhiteBox + - JDK-8243670: Unexpected test result caused by C2 MergeMemNode::Ideal + - JDK-8244088: [Regression] Switch of Gnome theme ends up in deadlocked UI + - JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files + - JDK-8244340: Handshake processing thread lacks yielding + - JDK-8244573: java.lang.ArrayIndexOutOfBoundsException thrown for malformed class file + - JDK-8244683: A TSA server used by tests + - JDK-8245005: javax/net/ssl/compatibility/BasicConnectTest.java failed with No enum constant + - JDK-8245026: PsAdaptiveSizePolicy::_old_gen_policy_is_ready is unused + - JDK-8245283: JFR: Can't handle constant dynamic used by Jacoco agent + - JDK-8245512: CRC32 optimization using AVX512 instructions + - JDK-8245527: LDAP Channel Binding support for Java GSS/Kerberos + - JDK-8246707: (sc) SocketChannel.read/write throws AsynchronousCloseException on closed channel + - JDK-8246709: sun/security/tools/jarsigner/TsacertOptionTest.java compilation failed after JDK-8244683 + - JDK-8247200: assert((unsigned)fpargs < 32) + - JDK-8247766: [aarch64] guarantee(val < (1U << nbits)) failed: Field too big for insn. + - JDK-8248336: AArch64: C2: offset overflow in BoxLockNode::emit + - JDK-8248865: Document JNDI/LDAP timeout properties + - JDK-8248901: Signed immediate support in .../share/assembler.hpp is broken. + - JDK-8249543: Force DirectBufferAllocTest to run with -ExplicitGCInvokesConcurrent + - JDK-8249588: libwindowsaccessbridge issues on 64bit Windows + - JDK-8249749: modify a primitive array through a stream and a for cycle causes jre crash + - JDK-8249787: Make TestGCLocker more resilient with concurrent GCs + - JDK-8249867: xml declaration is not followed by a newline + - JDK-8250911: [windows] os::pd_map_memory() error detection broken + - JDK-8251255: [linux] Add process-memory information to hs-err and VM.info + - JDK-8251359: Shenandoah: filter null oops before calling enqueue/SATB barrier + - JDK-8251925: C2: RenaissanceStressTest fails with assert(!had_error): bad dominance + - JDK-8251944: Add Shenandoah test config to compiler/gcbarriers/UnsafeIntrinsicsTest.java + - JDK-8251992: VM crashed running TestComplexAddrExpr.java test with -XX:UseAVX=X + - JDK-8253220: Epsilon: clean up unused code/declarations + - JDK-8253274: The CycleDMImagetest brokes the system + - JDK-8253353: Crash in C2: guarantee(n != NULL) failed: No Node + - JDK-8253368: TLS connection always receives close_notify exception + - JDK-8255368: Math.exp() gives wrong result for large values on x86 32-bit platforms + - JDK-8255401: Shenandoah: Allow oldval and newval registers to overlap in cmpxchg_oop() + - JDK-8253404: C2: assert(C->live_nodes() <= C->max_node_limit()) failed: Live Node limit exceeded limit + - JDK-8253409: Double-rounding possibility in float fma + - JDK-8253476: TestUseContainerSupport.java fails on some Linux kernels w/o swap limit capabilities + - JDK-8253524: C2: Refactor code that clones predicates during loop unswitching + - JDK-8253644: C2: assert(skeleton_predicate_has_opaque(iff)) failed: unexpected + - JDK-8253681: closed java/awt/dnd/MouseEventAfterStartDragTest/MouseEventAfterStartDragTest.html test failed + - JDK-8253702: BigSur version number reported as 10.16, should be 11.nn + - JDK-8253756: C2 CompilerThread0 crash in Node::add_req(Node*) + - JDK-8254104: MethodCounters must exist before nmethod is installed + - JDK-8254734: "dead loop detected" assert failure with patch from 8223051 + - JDK-8254748: Bad Copyright header format after JDK-8212218 + - JDK-8254799: runtime/ErrorHandling/TestHeapDumpOnOutOfMemoryError.java fails with release VMs + - JDK-8255058: C1: assert(is_virtual()) failed: type check + - JDK-8255351: Add detection for Graviton 2 CPUs + - JDK-8255387: Japanese characters were printed upside down on AIX + - JDK-8255479: [aarch64] assert(src->section_index_of(target) == CodeBuffer::SECT_NONE) failed: sanity + - JDK-8255544: Create a checked cast + - JDK-8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI() + - JDK-8255681: print callstack in error case in runAWTLoopWithApp + - JDK-8255734: VM should ignore SIGXFSZ on ppc64, s390 too + - JDK-8255742: PrintInlining as compiler directive doesn't print virtual calls + - JDK-8255845: Memory leak in imageFile.cpp + - JDK-8255880: UI of Swing components is not redrawn after their internal state changed + - JDK-8255908: ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem + - JDK-8256025: AArch64: MachCallRuntimeNode::ret_addr_offset() is incorrect for stub calls + - JDK-8256056: Deoptimization stub doesn't save vector registers on x86 + - JDK-8256061: RegisterSaver::save_live_registers() omits upper halves of ZMM0-15 registers + - JDK-8256187: [TEST_BUG] Automate bug4275046.java test + - JDK-8256220: C1: x86_32 fails with -XX:UseSSE=1 after JDK-8210764 due to mishandled lir_neg + - JDK-8256258: some missing NULL checks or asserts after CodeCache::find_blob_unsafe + - JDK-8256264: Printed GlyphVector outline with low DPI has bad quality on Windows + - JDK-8256290: javac/lambda/T8031967.java fails with StackOverflowError on x86_32 + - JDK-8256359: AArch64: runtime/ReservedStack/ReservedStackTestCompiler.java fails + - JDK-8256387: Unexpected result if patching an entire instruction on AArch64 + - JDK-8256421: Add 2 HARICA roots to cacerts truststore + - JDK-8256488: [aarch64] Use ldpq/stpq instead of ld4/st4 for small copies in StubGenerator::copy_memory + - JDK-8256489: Make gtest for long path names on Windows more resilient in the presence of virus scanners + - JDK-8256501: libTestMainKeyWindow fails to build with Xcode 12.2 + - JDK-8256633: Fix product build on Windows+Arm64 + - JDK-8256682: JDK-8202343 is incomplete + - JDK-8256751: Incremental rebuild with precompiled header fails when touching a header file + - JDK-8256757: Incorrect MachCallRuntimeNode::ret_addr_offset() for CallLeafNoFP on x86_32 + - JDK-8256806: Shenandoah: optimize shenandoah/jni/TestPinnedGarbage.java test + - JDK-8256807: C2: Not marking stores correctly as mismatched in string opts + - JDK-8256810: Incremental rebuild broken on Macosx + - JDK-8256818: SSLSocket that is never bound or connected leaks socket resources + - JDK-8256888: Client manual test problem list update + - JDK-8257083: Security infra test failures caused by JDK-8202343 + - JDK-8257408: Bump update version for OpenJDK: jdk-11.0.11 + - JDK-8257423: [PPC64] Support -XX:-UseInlineCaches + - JDK-8257436: [aarch64] Regressions in ArrayCopyUnalignedDst.testByte/testChar for 65-78 bytes when UseSIMDForMemoryOps is on + - JDK-8257513: C2: assert((constant_addr - _masm.code()->consts()->start()) == con.offset()) + - JDK-8257547: Handle multiple prereqs on the same line in deps files + - JDK-8257561: Some code is not vectorized after 8251925 and 8250607 + - JDK-8257565: epsilonBarrierSet.hpp should not include barrierSetAssembler + - JDK-8257575: C2: "failed: only phis" assert failure in loop strip mining verification + - JDK-8257594: C2 compiled checkcast of non-null object triggers endless deoptimization/recompilation cycle + - JDK-8257633: Missing -mmacosx-version-min=X flag when linking libjvm + - JDK-8257670: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks + - JDK-8257707: Fix incorrect format string in Http1HeaderParser + - JDK-8257746: Regression introduced with JDK-8250984 - memory might be null in some machines + - JDK-8257798: [PPC64] undefined reference to Klass::vtable_start_offset() + - JDK-8257884: Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test + - JDK-8257910: [JVMCI] Set exception_seen accordingly in the runtime. + - JDK-8257997: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884 + - JDK-8257999: Parallel GC crash in gc/parallel/TestDynShrinkHeap.java: new region is not in covered_region + - JDK-8258077: Using -Xcheck:jni can lead to a double-free after JDK-8193234 + - JDK-8258247: Couple of issues in fix for JDK-8249906 + - JDK-8258373: Update the text handling in the JPasswordField + - JDK-8258396: SIGILL in jdk.jfr.internal.PlatformRecorder.rotateDisk() + - JDK-8258419: RSA cipher buffer cleanup + - JDK-8258471: "search codecache" clhsdb command does not work + - JDK-8258534: Epsilon: clean up unused includes + - JDK-8258805: Japanese characters not entered by mouse click on Windows 10 + - JDK-8258833: Cancel multi-part cipher operations in SunPKCS11 after failures + - JDK-8258836: JNI local refs exceed capacity getDiagnosticCommandInfo + - JDK-8258884: [TEST_BUG] Convert applet-based test open/test/jdk/javax/swing/JMenuItem/8031573/bug8031573.java to a regular java test + - JDK-8259007: This test printed a blank page + - JDK-8259049: Uninitialized variable after JDK-8257513 + - JDK-8259451: Zero: skip serviceability/sa tests, set vm.hasSA to false + - JDK-8259580: Shenandoah: uninitialized label in VerifyThreadGCState + - JDK-8259231: Epsilon: improve performance under contention during virtual space expansion + - JDK-8259271: gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region" + - JDK-8259312: VerifyCACerts.java fails as soneraclass2ca cert will expire in 90 days + - JDK-8259319: Illegal package access when SunPKCS11 requires SunJCE's classes + - JDK-8259339: AllocateUninitializedArray C2 intrinsic fails with void.class input + - JDK-8259428: AlgorithmId.getEncodedParams() should return copy + - JDK-8259446: runtime/jni/checked/TestCheckedReleaseArrayElements.java fails with stderr not empty + - JDK-8259949: x86 32-bit build fails when -fcf-protection is passed in the compiler flags + - JDK-8259619: C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect + - JDK-8259633: compiler/graalunit/CoreTest.java fails with NPE after JDK-8244543 + - JDK-8259706: C2 compilation fails with assert(vtable_index == Method::invalid_vtable_index) failed: correct sentinel value + - JDK-8259707: LDAP channel binding does not work with StartTLS extension + - JDK-8259773: Incorrect encoding of AVX-512 kmovq instruction + - JDK-8259849: Shenandoah: Rename store-val to IU-barrier + - JDK-8259954: gc/shenandoah/mxbeans tests fail with -Xcomp + - JDK-8260029: aarch64: fix typo in verify_oop_array + - JDK-8260308: Update LogCompilation junit to 4.13.1 + - JDK-8260338: Some fields in HaltNode is not cloned + - JDK-8260349: Cannot programmatically retrieve Metaspace max set via JAVA_TOOL_OPTIONS + - JDK-8260356: (tz) Upgrade time-zone data to tzdata2021a + - JDK-8260378: [TESTBUG] DcmdMBeanTestCheckJni.java reports false positive + - JDK-8260497: Shenandoah: Improve SATB flushing + - JDK-8260502: [s390] NativeMovRegMem::verify() fails because it's too strict + - JDK-8260632: Build failures after JDK-8253353 + - JDK-8260704: ParallelGC: oldgen expansion needs release-store for _end + - JDK-8261022: Fix incorrect result of Math.abs() with char type + - JDK-8261089: [TESTBUG] native library of test TestCheckedReleaseCriticalArray.java fails to compile with gcc 4.x + - JDK-8261183: Follow on to Make lists of normal filenames + - JDK-8261209: isStandalone property: remove dependency on pretty-print + - JDK-8261231: Windows IME was disabled after DnD operation + - JDK-8261251: Shenandoah: Use object size for full GC humongous compaction + - JDK-8261310: PPC64 Zero build fails with 'VMError::controlled_crash(int)::FunctionDescriptor functionDescriptor' has incomplete type and cannot be defined + - JDK-8261334: NMT: tuning statistic shows incorrect hash distribution + - JDK-8261413: Shenandoah: Disable class-unloading in I-U mode + - JDK-8261522: [PPC64] AES intrinsics write beyond the destination array + - JDK-8261534: Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined + - JDK-8261585: Restore HandleArea used in Deoptimization::uncommon_trap + - JDK-8261753: Test java/lang/System/OsVersionTest.java still failing on BigSur patch versions after JDK-8253702 + - JDK-8261829: Exclude tools/jlink/JLinkReproducibleTest.java in 11u + - JDK-8261912: Code IfNode::fold_compares_helper more defensively + - JDK-8261920: [AIX] jshell command throws java.io.IOError on non English locales + - JDK-8262018: Wrong format in SAP copyright header of OsVersionTest + - JDK-8263069: Exclude some failing tests from security/infra/java/security/cert/CertPathValidator + +Notes on individual issues: +=========================== + +core-libs/javax.naming: + +JDK-8258824: LDAP Channel Binding Support for Java GSS/Kerberos +=============================================================== +A new JNDI environment property "com.sun.jndi.ldap.tls.cbtype" has +been added to enable TLS Channel Binding data in LDAP authentication +over SSL/TLS protocol to the Windows AD server. The only valid value +at present is "tls-server-end-point", where channel binding data is +created on the base of the TLS server certificate. See RFC-5929 [0] +and the module description of the `java.naming` module for further +details. + +[0] RFC-5929 "Channel Bindings for TLS": https://www.ietf.org/rfc/rfc5929.txt + +security-libs/java.security: + +JDK-8260597: Added 2 HARICA Root CA Certificates +================================================ +The following root certificates have been added to the cacerts truststore: + +Alias Name: haricarootca2015 +Distinguished Name: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR + +Alias Name: haricaeccrootca2015 +Distinguished Name: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR + +security-libs/javax.net.ssl: + +JDK-8256490: Disable TLS 1.0 and 1.1 +==================================== +TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer +considered secure and have been superseded by more secure and modern +versions (TLS 1.2 and 1.3). + +These versions have now been disabled by default. If you encounter +issues, you can, at your own risk, re-enable the versions by removing +"TLSv1" and/or "TLSv1.1" from the `jdk.tls.disabledAlgorithms` +security property in the `java.security` configuration file. + +tools: + +JDK-8214213: jdeps --print-module-deps Reports Transitive Dependencies +====================================================================== +`jdeps --print-module-deps`, `--list-deps`, and `--list-reduce-deps` +options have been enhanced as follows. + +1. By default, they perform transitive module dependence analysis on +libraries on the class path and module path, both directly and +indirectly, as required by the given input JAR files or +classes. Previously, they only reported the modules required by the +given input JAR files or classes. The `--no-recursive` option can be +used to request non-transitive dependence analysis. + +2. By default, they flag any missing dependency, i.e. not found from +class path and module path, as an error. The `--ignore-missing-deps` +option can be used to suppress missing dependence errors. Note that a +custom image is created with the list of modules output by jdeps when +using the `--ignore-missing-deps` option for a non-modular +application. Such an application, running on the custom image, might +fail at runtime when missing dependence errors are suppressed. + +xml/jaxp: + +JDK-8249867 XML declaration is not followed by a newline +======================================================== + +The DOM Load and Save `LSSerializer` does not have an explicit control +for whether or not the XML Declaration ends with a newline. In this +release, a JDK implementation specific property +`http://www.oracle.com/xml/jaxp/properties/isStandalone` and +corresponding System property `jdk.xml.isStandalone` are added to +control the addition of a newline and act independently without +having to set the pretty-print property. This property can be used to +reverse the incompatible change introduced in Java SE 7 Update 4 with +an update of Xalan 2.7.1 where a newline is omitted when pretty-print +is required. + +For details, please refer to the bug report and the java.xml module-summary. + +Usage: + +// to set the property, get an instance of LSSerializer and set it along with pretty-print +LSSerializer ser = impl.createLSSerializer(); +ser.getDomConfig().setParameter("format-pretty-print", true); +ser.getDomConfig().setParameter("http://www.oracle.com/xml/jaxp/properties/isStandalone", true); + +// to use the System property, set it before initializing a LSSerializer +System.setProperty("jdk.xml.isStandalone", “true”); + +// to clear the property, place the line anywhere after the LSSerializer is initialized +System.clearProperty("jdk.xml.isStandalone"); + +New in release OpenJDK 11.0.10 (2021-01-19): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11010 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.10.txt + +* Security fixes + - JDK-8247619: Improve Direct Buffering of Characters +* Other changes + - JDK-6722928: Support SSPI as a native GSS-API provider + - JDK-7185258: [macosx] Deadlock in SunToolKit.realSync() + - JDK-8152332: [macosx] JFileChooser cannot be serialized on Mac OS X + - JDK-8161684: [testconf] Add VerifyOops' testing into compiler tiers + - JDK-8171279: Support X25519 and X448 in TLS + - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load + - JDK-8173658: JvmtiExport::post_class_unload() is broken for non-JavaThread initiators + - JDK-8191006: hsdis disassembler plugin does not compile with binutils 2.29+ + - JDK-8197981: Missing return statement in __sync_val_compare_and_swap_8 + - JDK-8198334: java/awt/FileDialog/8003399/bug8003399.java fails in headless mode + - JDK-8200151: Add 8 JNDI tests to com/sun/jndi/dns/ConfigTests/ + - JDK-8208279: Add 8 JNDI tests to com/sun/jndi/dns/EnvTests/ + - JDK-8208483: Add 5 JNDI tests to com/sun/jndi/dns/FactoryTests/ + - JDK-8208542: Add 4 JNDI tests to com/sun/jndi/dns/ListTests/ + - JDK-8208665: Amend cross-compilation docs with qemu-debootstrap recipe + - JDK-8210088: ProblemList gc/epsilon/TestMemoryMXBeans.java + - JDK-8210339: Add 10 JNDI tests to com/sun/jndi/dns/FedTests/ + - JDK-8211450: UndetVar::dup is not copying the kind field to the duplicated instance + - JDK-8212160: JVMTI agent crashes with "assert(_value != 0LL) failed: resolving NULL _value" + - JDK-8212226: SurfaceManager throws "Invalid Image variant" for MultiResolutionImage (Windows) + - JDK-8213400: Support choosing group name in keytool keypair generation + - JDK-8213535: Windows HiDPI html lightweight tooltips are truncated + - JDK-8213698: Improve devkit creation and add support for linux/ppc64/ppc64le/s390x + - JDK-8214025: assert(t->singleton()) failed: must be a constant when ScavengeRootsInCode < 2 + - JDK-8214242: compiler/arguments/TestScavengeRootsInCode.java fails because of missing UnlockDiagnosticVMOptions + - JDK-8214787: Zero builds fail with "undefined JavaThread::thread_state()" + - JDK-8215583: Exclude runtime/handshake/HandshakeWalkSuspendExitTest.java + - JDK-8216012: Infinite loop in RSA KeyPairGenerator + - JDK-8216324: GetClassMethods is confused by the presence of default methods in super interfaces + - JDK-8217429: WebSocket over authenticating proxy fails to send Upgrade headers + - JDK-8217976: test/jdk/java/net/httpclient/websocket/WebSocketProxyTest.java fails intermittently + - JDK-8218021: Have jarsigner preserve posix permission attributes + - JDK-8218287: jshell tool: input behavior unstable after 12-ea+24 on Windows + - JDK-8218851: JVM crash in custom classloader stress test, JDK 12 & 13 + - JDK-8220420: Cleanup c1_LinearScan + - JDK-8222072: JVMTI GenerateEvents() sends CompiledMethodLoad events to wrong jvmtiEnv + - JDK-8222286: Fix for JDK-8213419 is broken on s390 + - JDK-8222527: HttpClient doesn't send HOST header when tunelling HTTP/1.1 through http proxy + - JDK-8222533: jtreg test jdk/internal/platform/cgroup/TestCgroupMetrics.java fails on SLES12.3 linux ppc64le machine + - JDK-8224506: [TESTBUG] TestDockerMemoryMetrics.java fails with exitValue = 137 + - JDK-8224555: vmTestbase/nsk/jvmti/scenarios/contention/TC02/tc02t001/TestDescription.java failed + - JDK-8224650: Add tests to support X25519 and X448 in TLS + - JDK-8225072: Add LuxTrust certificate that is expiring in March 2021 to list of allowed but expired certs + - JDK-8225329: -XX:+PrintBiasedLockingStatistics causes crash during initialization on Windows platforms + - JDK-8225687: Newly added sspi.cpp in JDK-6722928 still contains some small errors + - JDK-8227006: [linux] Runtime.availableProcessors execution time increased by factor of 100 + - JDK-8227275: Within native OOM error handling, assertions may hang the process + - JDK-8227647: [Graal] Test8009761.java fails due to "RuntimeException: static java.lang.Object compiler.uncommontrap.Test8009761.m3(boolean,boolean) not compiled" + - JDK-8229495: SIGILL in C2 generated OSR compilation + - JDK-8230910: libsspi_bridge does not build on Windows 32bit + - JDK-8232114: JVM crashed at imjpapi.dll in native code + - JDK-8234147: Avoid looking up standard charsets in core libraries + - JDK-8234393: [macos] printing ignores printer tray + - JDK-8234863: Increase default value of MaxInlineLevel + - JDK-8235218: Minimal VM is broken after JDK-8173361 + - JDK-8235456: Minimal VM is broken after JDK-8212160 + - JDK-8235829: graal crashes with Zombie.java test + - JDK-8236124: Minimal VM slowdebug build failed after JDK-8212160 + - JDK-8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding + - JDK-8236944: The legVecZ operand should be limited to zmm0-zmm15 registers + - JDK-8237186: Fix typo in copyright header of java/io/Reader/TransferTo.java + - JDK-8237499: JFR: Include stack trace in the ThreadStart event + - JDK-8237512: AArch64: aarch64TestHook leaks a BufferBlob + - JDK-8237524: AArch64: String.compareTo() may return incorrect result + - JDK-8237950: C2 compilation fails with "Live Node limit exceeded limit" during ConvI2L::Ideal optimization + - JDK-8238579: HttpsURLConnection drops the timeout and hangs forever in read + - JDK-8239105: Add exception for expiring Digicert root certificates to VerifyCACerts test + - JDK-8239477: jdk/jfr/jcmd/TestJcmdStartStopDefault.java fails -XX:+VerifyOops with "verify_oop: rsi: broken oop" + - JDK-8239497: SEGV in EdgeUtils::field_name_symbol(Edge const&) + - JDK-8239886: Minimal VM build fails after JDK-8237499 + - JDK-8240633: Memory leaks in the implementations of FileChooserUI + - JDK-8240690: Race condition between EDT and BasicDirectoryModel.FilesLoader.run0() + - JDK-8241234: Unify monitor enter/exit runtime entries. + - JDK-8241311: Move some charset mapping tests from closed to open + - JDK-8241797: Add some tests to the problem list + - JDK-8242029: AArch64: skip G1 array copy pre-barrier if marking not active + - JDK-8242335: Additional Tests for RSASSA-PSS + - JDK-8242480: Negative value may be returned by getFreeSwapSpaceSize() in the docker + - JDK-8242614: cleanup duplicated test ldap server in some com/sun/jndi/ldap/ tests + - JDK-8242846: Bring back test/jdk/tools/jlink/plugins/OrderResourcesPluginTest.java + - JDK-8243114: Implement montgomery{Multiply,Square}intrinsics on Windows + - JDK-8243290: Improve diagnostic messages for class verification and redefinition failures + - JDK-8243488: Add tests for set/get SendBufferSize and getReceiveBufferSize in DatagramSocket + - JDK-8243549: sun/security/ssl/CipherSuite/NamedGroupsWithCipherSuite.java failed with Unsupported signature algorithm: DSA + - JDK-8243617: compiler/onSpinWait/TestOnSpinWaitC1.java test uses wrong class + - JDK-8243619: compiler/codecache/CheckSegmentedCodeCache.java test misses -version + - JDK-8244142: some hotspot/runtime tests don't check exit code of forked JVM + - JDK-8244278: Excessive code cache flushes and sweeps + - JDK-8244282: test/hotspot/jtreg/compiler/intrinsics/Test8237524.java fails with --illegal-access=deny + - JDK-8244621: [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11 + - JDK-8244819: hsdis does not compile with binutils 2.34+ + - JDK-8245051: c1 is broken if it is compiled by gcc without -fno-lifetime-dse + - JDK-8245168: jlink should not be treated as a "small" tool + - JDK-8245400: Upgrade to LittleCMS 2.11 + - JDK-8246381: VM crashes with "Current BasicObjectLock* below than low_mark" + - JDK-8246434: Threads::print_on_error assumes that the heap has been set up + - JDK-8246648: issue with OperatingSystemImpl getFreeSwapSpaceSize in docker after 8242480 + - JDK-8247201: Print potential pointer value of readable stack memory in hs_err file + - JDK-8247763: assert(outer->outcnt() == 2) failed: 'only phis' failure in LoopNode::verify_strip_mined() + - JDK-8247867: Upgrade to freetype 2.10.2 + - JDK-8248190: Enable Power10 system and implement new byte-reverse instructions + - JDK-8248226: TestCloneAccessStressGCM fails with -XX:-ReduceBulkZeroing + - JDK-8248347: windows build broken by JDK-8243114 + - JDK-8248532: Every time I change keyboard language at my MacBook, Java crashes + - JDK-8248552: C2 crashes with SIGFPE due to division by zero + - JDK-8248596: [TESTBUG] compiler/loopopts/PartialPeelingUnswitch.java times out with Graal enabled + - JDK-8248745: Add jarsigner and keytool tests for restricted algorithms + - JDK-8248791: sun/util/resources/cldr/TimeZoneNamesTest.java fails with -XX:-ReduceInitialCardMarks -XX:-ReduceBulkZeroing + - JDK-8248845: AArch64: stack corruption after spilling vector register + - JDK-8249176: Update GlobalSignR6CA test certificates + - JDK-8249183: JVM crash in "AwtFrame::WmSize" method + - JDK-8249192: MonitorInfo stores raw oops across safepoints + - JDK-8249602: C2: assert(cnt == _outcnt) failed: no insertions allowed + - JDK-8249603: C1: assert(has_error == false) failed: register allocation invalid + - JDK-8249605: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8249607: C2: assert(!had_error) failed: bad dominance + - JDK-8249608: Vector register used by C2 compiled method corrupted at safepoint + - JDK-8249672: Include microcode revision in features_string on x86 + - JDK-8249748: gtest silently ignores bad jvm arguments + - JDK-8249821: Separate libharfbuzz from libfontmanager + - JDK-8250598: Hyper-V is detected in spite of running on host OS + - JDK-8250605: Linux x86_32 builds fail after JDK-8249821 + - JDK-8250636: iso8601_time returns incorrect offset part on MacOS + - JDK-8250665: Wrong translation for the month name of May in ar_JO,LB,SY + - JDK-8250772: Test com/sun/jndi/ldap/NamingExceptionMessageTest.java fails intermittently with javax.naming.ServiceUnavailableException + - JDK-8250825: C2 crashes with assert(field != __null) failed: missing field + - JDK-8250894: Provide a configure option to build and run against the platform libharfbuzz + - JDK-8250928: JFR: Improve hash algorithm for stack traces + - JDK-8250968: Symlinks attributes not preserved when using jarsigner on zip files + - JDK-8250984: Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities + - JDK-8251118: BiasedLocking::preserve_marks should not have a HandleMark + - JDK-8251189: com/sun/jndi/ldap/LdapDnsProviderTest.java failed due to timeout + - JDK-8251257: NMT: jcmd VM.native_memory scale=1 crashes target VM + - JDK-8251365: Build failure on AIX after 8250636 + - JDK-8251397: NPE on ClassValue.ClassValueMap.cacheArray + - JDK-8251456: [TESTBUG] compiler/vectorization/TestVectorsNotSavedAtSafepoint.java failed OutOfMemoryError + - JDK-8251458: Parse::do_lookupswitch fails with "assert(_cnt >= 0) failed" + - JDK-8251535: Partial peeling at unsigned test adds incorrect loop exit check + - JDK-8251949: ZGC: Set explicit heap size for compiler/gcbarriers tests + - JDK-8252090: JFR: StreamWriterHost::write_unbuffered() stucks in an infinite loop OpenJDK (build 13.0.1+9) + - JDK-8252415: Bump update version for OpenJDK: jdk-11.0.10 + - JDK-8252470: java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows + - JDK-8252497: Incorrect numeric currency code for ROL + - JDK-8252660: Shenandoah: support manageable SoftMaxHeapSize option + - JDK-8252679: Two windows specific FileDIalog tests may fail on some Windows_Server_2016_Standard + - JDK-8252696: Loop unswitching may cause out of bound array load to be executed + - JDK-8252754: Hash code calculation of JfrStackTrace is inconsistent + - JDK-8253219: Epsilon: clean up unnecessary includes + - JDK-8253224: Shenandoah: ShenandoahStrDedupQueue destructor calls virtual num_queues() + - JDK-8253226: Shenandoah: remove unimplemented ShenandoahStrDedupQueue::verify + - JDK-8253269: The CheckCommonColors test should provide more info on failure + - JDK-8253284: Zero OrderAccess barrier mappings are incorrect + - JDK-8253375: OSX build fails with Xcode 12.0 (12A7209) + - JDK-8253778: ShenandoahSafepoint::is_at_shenandoah_safepoint should not access VMThread state from other threads + - JDK-8253791: Issue with useAppleColor check in CSystemColors.m + - JDK-8254016: Test8237524 fails with -XX:-CompactStrings option + - JDK-8254081: java/security/cert/PolicyNode/GetPolicyQualifiers.java fails due to an expired certificate + - JDK-8254144: Non-x86 Zero builds fail with return-type warning in os_linux_zero.cpp + - JDK-8254166: Zero: return-type warning in zeroInterpreter_zero.cpp + - JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b + - JDK-8254185: Fix Code cache sweeper heuristics for JDK 11 + - JDK-8254190: [s390] interpreter misses exception check after calling monitorenter + - JDK-8254790: SIGSEGV in string_indexof_char and stringL_indexof_char intrinsics + - JDK-8254854: [cgroups v1] Metric limits not properly detected on some join controller combinations + - JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c + - JDK-8255050: Add pkcs11/KeyStore/ClientAuth.sh to Problem list + - JDK-8255065: Zero: accessor_entry misses the IRIW case + - JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d + - JDK-8255269: Unsigned overflow in g1Policy.cpp + - JDK-8255365: Problem list failing client manual tests + - JDK-8255457: Shenandoah: cleanup ShenandoahMarkTask + - JDK-8255466: C2 crashes at ciObject::get_oop() const+0x0 + - JDK-8255550: x86: Assembler::cmpq(Address dst, Register src) encoding is incorrect + - JDK-8255603: Memory/Performance regression after JDK-8210985 + - JDK-8255760: Shenandoah: match constants style in ShenandoahMarkTask fallback + - JDK-8255937: Better cleanup for test/jdk/javax/imageio/stream/StreamFlush.java + - JDK-8256427: Test com/sun/jndi/dns/ConfigTests/PortUnreachable.java does not work on AIX + - JDK-8256452: Integrate missing part of JDK-8232370 to 11u + - JDK-8256483: [TESTBUG] serviceability/jvmti/GetClassMethods/libOverpassMethods.c fails to compile on gcc 4.4.x + - JDK-8256557: libharfbuzz fails to link on gcc 4.4.x due to -Wl,-z,defs + - JDK-8256618: Zero: Linux x86_32 build still fails + - JDK-8256736: Zero: GTest tests fail with "unsuppported vm variant" + - JDK-8256809: Annotation processing causes NPE during flow analysis + - JDK-8257181: s390x builds are very noisy with gc-sections messages + - JDK-8257242: [macOS] Java app crashes while switching input methods + - JDK-8257545: SunJSSE FIPS regression in key exchange after JDK-8171279 11u backport + - JDK-8257641: Shenandoah: Query is_at_shenandoah_safepoint() from control thread should return false + - JDK-8257701: Shenandoah: objArrayKlass metadata is not marked with chunked arrays + - JDK-8258630: Add expiry exception for QuoVadis root certificate + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8213821: -groupname Option Added to keytool Key Pair Generation +=================================================================== +A new `-groupname` option has been added to `keytool -genkeypair` so +that a user can specify a named group when generating a key pair. For +example, `keytool -genkeypair -keyalg EC -groupname secp384r1` will +generate an EC key pair by using the `secp384r1` curve. Because there +might be multiple curves with the same size, using the `-groupname` +option is preferred over the `-keysize` option. + +JDK-8248263: jarsigner Preserves POSIX File Permission and symlink Attributes +============================================================================= +When signing a file that contains POSIX file permission or symlink +attributes, `jarsigner` now preserves these attributes in the newly +signed file but warns that these attributes are unsigned and not +protected by the signature. The same warning is printed during the +`jarsigner -verify` operation for such files. + +Note that the `jar` tool does not read/write these attributes. This +change is more visible to tools like `unzip` where these attributes +are preserved. + +security-libs/javax.net.ssl: + +JDK-8225764: Support for X25519 and X448 in TLS +================================================ + +The named elliptic curve groups `x25519` and `x448` are now available +for JSSE key agreement in TLS versions 1.0 to 1.3, with `x25519` being +the most preferred of the default enabled named groups. The default +ordered list is now: + +* x25519 +* secp256r1 +* secp384r1 +* secp521r1 +* x448 +* secp256k1 +* ffdhe2048 +* ffdhe3072 +* ffdhe4096 +* ffdhe6144 +* ffdhe8192 + +The default list can be overridden using the system property *`jdk.tls.namedGroups`*. + +security-libs/org.ietf.jgss: + +JDK-8214079: Added a Default Native GSS-API Library on Windows +============================================================== +A native GSS-API library has been added to JDK on the Windows +platform. The library is client-side only and uses the default +credentials. It will be loaded when the `sun.security.jgss.native` +system property is set to "true". A user can still load a third-party +native GSS-API library by setting the system property +`sun.security.jgss.lib` to its path. + +New in release OpenJDK 11.0.9.1 (2020-10-20): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11091 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.9.1.txt + +* Regression fixes + - JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool) + +New in release OpenJDK 11.0.9 (2020-10-20): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk1109 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.9.txt + +* Security fixes + - JDK-8233624: Enhance JNI linkage + - JDK-8236196: Improve string pooling + - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class + - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts + - JDK-8237995, CVE-2020-14782: Enhance certificate processing + - JDK-8240124: Better VM Interning + - JDK-8241114, CVE-2020-14792: Better range handling + - JDK-8242680, CVE-2020-14796: Improved URI Support + - JDK-8242685, CVE-2020-14797: Better Path Validation + - JDK-8242695, CVE-2020-14798: Enhanced buffer support + - JDK-8243302: Advanced class supports + - JDK-8244136, CVE-2020-14803: Improved Buffer supports + - JDK-8244479: Further constrain certificates + - JDK-8244955: Additional Fix for JDK-8240124 + - JDK-8245407: Enhance zoning of times + - JDK-8245412: Better class definitions + - JDK-8245417: Improve certificate chain handling + - JDK-8248574: Improve jpeg processing + - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit + - JDK-8253019: Enhanced JPEG decoding +* Other changes + - JDK-6532025: GIF reader throws misleading exception with truncated images + - JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop + - JDK-8022535: [TEST BUG] javax/swing/text/html/parser/Test8017492.java fails + - JDK-8062947: Fix exception message to correctly represent LDAP connection failure + - JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed + - JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/CloseServerSocket.java fails intermittently with Address already in use + - JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect + - JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider + - JDK-8172404: Tools should warn if weak algorithms are used before restricting them + - JDK-8193367: Annotated type variable bounds crash javac + - JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java fails intermittently: Connection reset + - JDK-8203026: java.rmi.NoSuchObjectException: no such object in table + - JDK-8203281: [Windows] JComboBox change in ui when editor.setBorder() is called + - JDK-8203382: Rename SystemDictionary::initialize_wk_klass to resolve_wk_klass + - JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout + - JDK-8203928: [Test] Convert non-JDB scaffolding serviceability shell script tests to java + - JDK-8204963: javax.swing.border.TitledBorder has a memory leak + - JDK-8204994: SA might fail to attach to process with "Windbg Error: WaitForEvent failed" + - JDK-8205534: Remove SymbolTable dependency from serviceability agent + - JDK-8206309: Tier1 SA tests fail + - JDK-8208281: java/nio/channels/AsynchronousSocketChannel/Basic.java timed out + - JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java version - step1 + - JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect + - JDK-8209342: Problemlist SA tests on Solaris due to Error attaching to process: Can't create thread_db agent! + - JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful + - JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with timeout + - JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java version - step2 + - JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with ZGC + - JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java + - JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code + - JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java version - step3 + - JDK-8210527: JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack + - JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related tests + - JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds + - JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should clarify which output is the pending reply after a timeout + - JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java version - step4 + - JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject + - JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh test + - JDK-8211694: JShell: Redeclared variable should be reset + - JDK-8212200: assert when shared java.lang.Object is redefined by JVMTI agent + - JDK-8212629: [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest + - JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. lastLine=52, minLine=52, maxLine=55 + - JDK-8212807: tools/jar/multiRelease/Basic.java times out + - JDK-8213182: Minimal VM build failure after JDK-8212200 (assert when shared java.lang.Object is redefined by JVMTI agent) + - JDK-8213214: Set -Djava.io.tmpdir= when running tests + - JDK-8213275: ReplaceCriticalClasses.java fails with jdk.internal.vm.PostVMInitHook not found + - JDK-8213574: Deadlock in string table expansion when dumping lots of CDS classes + - JDK-8213703: LambdaConversionException: Invalid receiver type not a subtype of implementation type interface + - JDK-8214074: Ghash optimization using AVX instructions + - JDK-8214491: Upgrade to JLine 3.9.0 + - JDK-8214797: TestJmapCoreMetaspace.java timed out + - JDK-8215243: JShell tests failing intermitently with \"Problem cleaning up the following threads:\" + - JDK-8215244: jdk/jshell/ToolBasicTest.java testHistoryReference failed + - JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash optimization using AVX instructions) + - JDK-8215438: jshell tool: Ctrl-D causes EOF + - JDK-8216021: RunTest.gmk might set concurrency level to 1 on Windows + - JDK-8216974: HttpConnection not returned to the pool after 204 response + - JDK-8218948: SimpleDateFormat :: format - Zone Names are not reflected correctly during run time + - JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs + - JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs + - JDK-8221658: aarch64: add necessary predicate for ubfx patterns + - JDK-8221759: Crash when completing \"java.io.File.path\" + - JDK-8221918: runtime/SharedArchiveFile/serviceability/ReplaceCriticalClasses.java fails: Shared archive not found + - JDK-8222074: Enhance auto vectorization for x86 + - JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp + - JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely on hostname command + - JDK-8223688: JShell: crash on the instantiation of raw anonymous class + - JDK-8223777: In posix_spawn mode, failing to exec() jspawnhelper does not result in an error + - JDK-8223940: Private key not supported by chosen signature algorithm + - JDK-8224184: jshell got IOException at exiting with AIX + - JDK-8224234: compiler/codegen/TestCharVect2.java fails in test_mulc + - JDK-8225037: java.net.JarURLConnection::getJarEntry() throws NullPointerException + - JDK-8225625: AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions + - JDK-8226536: Catch OOM from deopt that fails rematerializing objects + - JDK-8226575: OperatingSystemMXBean should be made container aware + - JDK-8226697: Several tests which need the @key headful keyword are missing it. + - JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous + - JDK-8227059: sun/security/tools/keytool/DefaultSignatureAlgorithm.java timed out + - JDK-8227269: Slow class loading when running with JDWP + - JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java fails due to "exitValue = 6" + - JDK-8228448: Jconsole can't connect to itself + - JDK-8228967: Trust/Key store and SSL context utilities for tests + - JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow + - JDK-8229815: Upgrade Jline to 3.12.1 + - JDK-8230000: some httpclients testng tests run zero test + - JDK-8230002: javax/xml/jaxp/unittest/transform/SecureProcessingTest.java runs zero test + - JDK-8230010: Remove jdk8037819/BasicTest1.java + - JDK-8230094: CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter + - JDK-8230402: Allocation of compile task fails with assert: "Leaking compilation tasks?" + - JDK-8230767: FlightRecorderListener returns null recording + - JDK-8230870: (zipfs) Add a ZIP FS test that is similar to test/jdk/java/util/zip/EntryCount64k.java + - JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread + - JDK-8231586: enlarge encoding space for OopMapValue offsets + - JDK-8231953: Wrong assumption in assertion in oop::register_oop + - JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes + - JDK-8232083: Minimal VM is broken after JDK-8231586 + - JDK-8232161: Align some one-way conversion in MS950 charset with Windows + - JDK-8232855: jshell missing word in /help help + - JDK-8233027: OopMapSet::all_do does oms.next() twice during iteration + - JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR + - JDK-8233386: Initialize NULL fields for unused decorations + - JDK-8233452: java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result + - JDK-8233686: XML transformer uses excessive amount of memory + - JDK-8233741: AES Countermode (AES-CTR) optimization using AVX512 + VAES instructions + - JDK-8233829: javac cannot find non-ASCII module name under non-UTF8 environment + - JDK-8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose + - JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater() + - JDK-8234058: runtime/CompressedOops/CompressedClassPointers.java fails with 'Narrow klass base: 0x0000000000000000' missing from stdout/stderr + - JDK-8234149: Several regression tests do not dispose Frame at end + - JDK-8234347: "Turkey" meta time zone does not generate composed localized names + - JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/bug6980209.java fails in linux nightly + - JDK-8234535: Cross compilation fails due to missing CFLAGS for the BUILD_CC + - JDK-8234541: C1 emits an empty message when it inlines successfully + - JDK-8234687: change javap reporting on unknown attributes + - JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK 11 + - JDK-8236548: Localized time zone name inconsistency between English and other locales + - JDK-8236617: jtreg test containers/docker/TestMemoryAwareness.java fails after 8226575 + - JDK-8237182: Update copyright header for shenandoah and epsilon files + - JDK-8237888: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java fails when checking validity interval + - JDK-8237977: Further update javax/net/ssl/compatibility/Compatibility.java + - JDK-8238270: java.net HTTP/2 client does not decrease stream count when receives 204 response + - JDK-8238284: [macos] Zero VM build fails due to an obvious typo + - JDK-8238380: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10 + - JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10 + - JDK-8238388: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10 + - JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes + - JDK-8238710: LingeredApp doesn't log stdout/stderr if exits with non-zero code + - JDK-8239083: C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), "should be non-static concrete method"); + - JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD + - JDK-8240169: javadoc fails to link to non-modular api docs + - JDK-8240295: hs_err elapsed time in seconds is not accurate enough + - JDK-8240360: NativeLibraryEvent has wrong library name on Linux + - JDK-8240676: Meet not symmetric failure when running lucene on jdk8 + - JDK-8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support + - JDK-8241065: Shenandoah: remove leftover code after JDK-8231086 + - JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows + - JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier: java.lang.NullPointerException + - JDK-8241138: http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector + - JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark + - JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java fails with OOME + - JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure + - JDK-8241750: x86_32 build failure after JDK-8227269 + - JDK-8242184: CRL generation error with RSASSA-PSS + - JDK-8242283: Can't start JVM when java home path includes non-ASCII character + - JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array + - JDK-8243029: Rewrite javax/net/ssl/compatibility/Compatibility.java with a flexible interop test framework + - JDK-8243138: Enhance BaseLdapServer to support starttls extended request + - JDK-8243320: Add SSL root certificates to Oracle Root CA program + - JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program + - JDK-8243389: enhance os::pd_print_cpu_info on linux + - JDK-8243453: java --describe-module failed with non-ASCII module name under non-UTF8 environment + - JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp + - JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions + - JDK-8243925: Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows) + - JDK-8244087: 2020-04-24 public suffix list update + - JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 + - JDK-8244164: AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base + - JDK-8244196: adjust output in os_linux + - JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in + - JDK-8244287: JFR: Methods samples have line number 0 + - JDK-8244703: "platform encoding not initialized" exceptions with debugger, JNI + - JDK-8244719: CTW: C2 compilation fails with "assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it" + - JDK-8244729: Shenandoah: remove resolve paths from SBSA::generate_shenandoah_lrb + - JDK-8244763: Update --release 8 symbol information after JSR 337 MR3 + - JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor + - JDK-8245151: jarsigner should not raise duplicate warnings on verification + - JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9 + - JDK-8245714: "Bad graph detected in build_loop_late" when loads are pinned on loop limit check uncommon branch + - JDK-8245801: StressRecompilation triggers assert "redundunt OSR recompilation detected. memory leak in CodeCache!" + - JDK-8245832: JDK build make-static-libs should build all JDK libraries + - JDK-8245880: Shenandoah: check class unloading flag early in concurrent code root scan + - JDK-8245981: Upgrade to jQuery 3.5.1 + - JDK-8246027: Minimal fastdebug build broken after JDK-8245801 + - JDK-8246094: [macos] Sound Recording and playback is not working + - JDK-8246153: TestEliminateArrayCopy fails with -XX:+StressReflectiveCode + - JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ + - JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest fails with AssertionError + - JDK-8246203: Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN + - JDK-8246330: Add TLS Tests for Legacy ECDSA curves + - JDK-8246453: TestClone crashes with "all collected exceptions must come from the same place" + - JDK-8247246: Add explicit ResolvedJavaType.link and expose presence of default methods + - JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node + - JDK-8247502: PhaseStringOpts crashes while optimising effectively dead code + - JDK-8247615: Initialize the bytes left for the heap sampler + - JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV in SBC2Support::pin_and_expand + - JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&' + - JDK-8247979: aarch64: missing side effect of killing flags for clearArray_reg_reg + - JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing cache contention + - JDK-8248219: aarch64: missing memory barrier in fast_storefield and fast_accessfield + - JDK-8248348: Regression caused by the update to BCEL 6.0 + - JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to jtreg 5.1 + - JDK-8248495: [macos] zerovm is broken due to libffi headers location + - JDK-8248851: CMS: Missing memory fences between free chunk check and klass read + - JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on Windows + - JDK-8249159: Downport test rework for SSLSocketTemplate from 8224650 + - JDK-8249215: JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows. + - JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel + - JDK-8249255: Build fails if source code in cygwin home dir + - JDK-8249277: TestVerifyIterativeGVN.java is failing with timeout in OpenJDK 11 + - JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList + - JDK-8249560: Shenandoah: Fix racy GC request handling + - JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle + - JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases + - JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets + - JDK-8250609: C2 crash in IfNode::fold_compares + - JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics + - JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java + - JDK-8250787: Provider.put no longer registering aliases in FIPS env + - JDK-8250826: jhsdb does not work with coredump which comes from Substrate VM + - JDK-8250827: Shenandoah: needs to reset/finish StringTable's dead count before/after parallel walk + - JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check the bounds + - JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher + - JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java test failure + - JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U + - JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java + - JDK-8251487: Shenandoah: missing detail timing tracking for final mark cleaning phase + - JDK-8252120: compiler/oracle/TestCompileCommand.java misspells "occured" + - JDK-8252157: JDK-8231209 11u backport breaks jmm binary compatibility + - JDK-8252258: [11u] JDK-8242154 changes the default vendor + - JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after downport of 8234011 + - JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11 + - JDK-8253283: [11u] Test build/translations/VerifyTranslations.java failing after JDK-8252258 + - JDK-8253813: Backout JDK-8244287 from 11u: it causes several crashes + +Notes on individual issues: +=========================== + +core-libs/java.nio.charsets: + +JDK-8240196: Modified the MS950 charset Encoder's Conversion Table +================================================================== +In this release, some of the one-way byte-to-char mappings have been +aligned with the preferred mappings provided by the Unicode Consortium +(https://unicode.org/Public/MAPPINGS/VENDORS/MICSFT/WindowsBestFit/bestfit950.txt). + +core-libs/java.util:i18n: + +JDK-8238914: Localized Time Zone Name Inconsistency Between English and Other Locales +===================================================================================== +English time zone names provided by the CLDR locale provider are now +correctly synthesized following the CLDR spec, rather than substituted +from the COMPAT provider. For example, SHORT style names are no longer +synthesized abbreviations of LONG style names, but instead produce GMT +offset formats. + +core-svc/java.lang.management: + +JDK-8236876: OperatingSystemMXBean Methods Inside a Container Return Container Specific Data +============================================================================================ +When executing in a container, or other virtualized operating +environment, the following `OperatingSystemMXBean` methods in this +release return container specific information, if +available. Otherwise, they return host specific data: + +* getFreePhysicalMemorySize() +* getTotalPhysicalMemorySize() +* getFreeSwapSpaceSize() +* getTotalSwapSpaceSize() +* getSystemCpuLoad() + +security-libs/java.security: + +JDK-8250756: Added Entrust Root Certification Authority - G4 certificate +======================================================================== +The Entrust root certificate has been added to the cacerts truststore: + +Alias Name: entrustrootcag4 +Distinguished Name: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US + +JDK-8250860: Added 3 SSL Corporation Root CA Certificates +========================================================= +The following root certificates have been added to the cacerts truststore for the SSL Corporation: + +Alias Name: sslrootrsaca +Distinguished Name: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US + +Alias Name: sslrootevrsaca +Distinguished Name: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US + +Alias Name: sslrooteccca +Distinguished Name: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US + +JDK-8236730: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default +=================================================================================== +Weak named curves are disabled by default by adding them to the +following `disabledAlgorithms` security properties: + +* jdk.tls.disabledAlgorithms +* jdk.certpath.disabledAlgorithms +* jdk.jar.disabledAlgorithms + +Red Hat has always disabled many of the curves provided by upstream, +so the only addition in this release is: + +* secp256k1 + +The curves that remain enabled are: + +* secp256r1 +* secp384r1 +* secp521r1 +* X25519 +* X448 + +When large numbers of weak named curves need to be disabled, adding +individual named curves to each `disabledAlgorithms` property would be +overwhelming. To relieve this, a new security property, +`jdk.disabled.namedCurves`, is implemented that can list the named +curves common to all of the `disabledAlgorithms` properties. To use +the new property in the `disabledAlgorithms` properties, precede the +full property name with the keyword `include`. Users can still add +individual named curves to `disabledAlgorithms` properties separate +from this new property. No other properties can be included in the +`disabledAlgorithms` properties. + +To restore the named curves, remove the `include +jdk.disabled.namedCurves` either from specific or from all +`disabledAlgorithms` security properties. To restore one or more +curves, remove the specific named curve(s) from the +`jdk.disabled.namedCurves` property. + +JDK-8244286: Tools Warn If Weak Algorithms Are Used Before Restricting Them +=========================================================================== +The `keytool` and `jarsigner` tools have been updated to warn users +about weak cryptographic algorithms being used before they are +disabled. In this release, the tools issue warnings for the SHA-1 hash +algorithm and 1024-bit RSA/DSA keys. + +security-libs/javax.net.ssl: + +JDK-8242147: New System Properties to Configure the TLS Signature Schemes +========================================================================= +Two new system properties have been added to customize the TLS +signature schemes in JDK. `jdk.tls.client.SignatureSchemes` has been +added for the TLS client side, and `jdk.tls.server.SignatureSchemes` +has been added for the server side. + +Each system property contains a comma-separated list of supported +signature scheme names specifying the signature schemes that could be +used for the TLS connections. + +The names are described in the "Signature Schemes" section of the +*Java Security Standard Algorithm Names Specification*. + +security-libs/javax.security: + +JDK-8242059: Support for canonicalize in krb5.conf +================================================== + +The 'canonicalize' flag in the [krb5.conf file][0] is now supported by +the JDK Kerberos implementation. When set to *true*, RFC 6806 [1] name +canonicalization is requested by clients in TGT requests to KDC +services (AS protocol). Otherwise, and by default, it is not +requested. + +The new default behavior is different from previous releases where +name canonicalization was always requested by clients in TGT requests +to KDC services (provided that support for RFC 6806[1] was not +explicitly disabled with the *sun.security.krb5.disableReferrals* +system or security properties). + +[0]: https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html +[1]: https://tools.ietf.org/html/rfc6806 + +JDK-8254177: US/Pacific-New Zone name removed as part of tzdata2020b +==================================================================== +Following JDK's update to tzdata2020b, the long-obsolete files +pacificnew and systemv have been removed. As a result, the +"US/Pacific-New" zone name declared in the pacificnew data file is no +longer available for use. + +Information regarding the update can be viewed at +https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html + +New in release OpenJDK 11.0.8 (2020-07-14): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/oj1108 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.8.txt + +* Security fixes + - JDK-8230613: Better ASCII conversions + - JDK-8231800: Better listing of arrays + - JDK-8232014: Expand DTD support + - JDK-8233234: Better Zip Naming + - JDK-8233239, CVE-2020-14562: Enhance TIFF support + - JDK-8233255: Better Swing Buttons + - JDK-8234032: Improve basic calendar services + - JDK-8234042: Better factory production of certificates + - JDK-8234418: Better parsing with CertificateFactory + - JDK-8234836: Improve serialization handling + - JDK-8236191: Enhance OID processing + - JDK-8236867, CVE-2020-14573: Enhance Graal interface handling + - JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior + - JDK-8237592, CVE-2020-14577: Enhance certificate verification + - JDK-8238002, CVE-2020-14581: Better matrix operations + - JDK-8238013: Enhance String writing + - JDK-8238804: Enhance key handling process + - JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable + - JDK-8238843: Enhanced font handing + - JDK-8238920, CVE-2020-14583: Better Buffer support + - JDK-8238925: Enhance WAV file playback + - JDK-8240119, CVE-2020-14593: Less Affine Transformations + - JDK-8240482: Improved WAV file playback + - JDK-8241379: Update JCEKS support + - JDK-8241522: Manifest improved jar headers redux + - JDK-8242136, CVE-2020-14621: Better XML namespace handling +* Other changes + - JDK-6933331: (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created + - JDK-7124307: JSpinner and changing value by mouse + - JDK-8022574: remove HaltNode code after uncommon trap calls + - JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails + - JDK-8040630: Popup menus and tooltips flicker with previous popup contents when first shown + - JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9) + - JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ThreadMXBeanProxy.java Expected non-null LockInfo + - JDK-8051349: nsk/jvmti/scenarios/sampling/SP06/sp06t003 fails in nightly + - JDK-8080353: JShell: Better error message on attempting to add default method + - JDK-8139876: Exclude hanging nsk/stress/stack from execution with deoptimization enabled + - JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails with -XX:+DeoptimizeALot + - JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout + - JDK-8156207: Resource allocated BitMaps are often cleared unnecessarily + - JDK-8159740: JShell: corralled declarations do not have correct source to wrapper mapping + - JDK-8175984: ICC_Profile has un-needed, not-empty finalize method + - JDK-8176359: Frame#setMaximizedbounds not working properly in multi screen environments + - JDK-8183369: RFC unconformity of HttpURLConnection with proxy + - JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT + - JDK-8191169: java/net/Authenticator/B4769350.java failed intermittently + - JDK-8191930: [Graal] emits unparseable XML into compile log + - JDK-8193879: Java debugger hangs on method invocation + - JDK-8196019: java/awt/Window/Grab/GrabTest.java fails on Windows + - JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails + - JDK-8198000: java/awt/List/EmptyListEventTest/EmptyListEventTest.java debug assert on Windows + - JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/WrongParentAfterRemoveMenu.java debug assert on Windows + - JDK-8198339: Test javax/swing/border/Test6981576.java is unstable + - JDK-8200701: jdk/jshell/ExceptionsTest.java fails on Windows, after JDK-8198801 + - JDK-8203264: JNI exception pending in PlainDatagramSocketImpl.c:740 + - JDK-8203672: JNI exception pending in PlainSocketImpl.c + - JDK-8203673: JNI exception pending in DualStackPlainDatagramSocketImpl.c:398 + - JDK-8204834: Fix confusing "allocate" naming in OopStorage + - JDK-8205399: Set node color on pinned HashMap.TreeNode deletion + - JDK-8205653: test/jdk/sun/management/jmxremote/bootstrap/RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with handshake_failure + - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value + - JDK-8207334: VM times out in VM_HandshakeAllThreads::doit() with RunThese30M + - JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages + - JDK-8209113: Use WeakReference for lastFontStrike for created Fonts + - JDK-8209333: Socket reset issue for TLS 1.3 socket close + - JDK-8209439: C2 library_call can potentially ignore Math.pow intrinsic or use null pointer + - JDK-8209534: [TESTBUG]runtime/appcds/cacheObject/ArchivedModuleCompareTest.java fails with EnableJVMCI. + - JDK-8210147: adjust some WSAGetLastError usages in windows network coding + - JDK-8210284: "assert((av & 0x00000001) == 0) failed: unsupported V8" on Solaris 11.4 + - JDK-8210303: VM_HandshakeAllThreads fails assert with "failed: blocked and not walkable" + - JDK-8210515: [TESTBUG]CheckArchivedModuleApp.java needs to check if EnableJVMCI is set. + - JDK-8210788: Javadoc for Thread.join(long, int) should specify that it waits forever when both arguments are zero + - JDK-8211301: [macos] support full window content options + - JDK-8211332: Space for stub routines (code_size2) is too small on new Skylake CPUs + - JDK-8211339: NPE during SSL handshake caused by HostnameChecker + - JDK-8211392: compiler/profiling/spectrapredefineclass_classloaders/Launcher.java times out in JDK12 CI + - JDK-8211743: [AOT] crash in ScopeDesc::decode_body() when JVMTI walks AOT frames + - JDK-8212154: [TESTBUG] CheckArchivedModuleApp fails with NPE when JVMCI is absent + - JDK-8212167: JShell : Stack trace of exception has wrong line number + - JDK-8212933: Thread-SMR: requesting a VM operation whilst holding a ThreadsListHandle can cause deadlocks + - JDK-8212986: Make Visual Studio compiler check less strict + - JDK-8213250: CDS archive creation aborts due to metaspace object allocation failure + - JDK-8213516: jck test api/javax_accessibility/AccessibleState/fields.html fails intermittent + - JDK-8213947: ARM32: failed check_simd should set UsePopCountInstruction to false + - JDK-8214418: half-closed SSLEngine status may cause application dead loop + - JDK-8214440: ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate" + - JDK-8214444: Wrong strncat limits in dfa.cpp + - JDK-8214481: freetype path does not disable TrueType hinting with AA+FM hints + - JDK-8214571: -Xdoclint of array serialField gives "error: array type not allowed here" + - JDK-8214856: Errors with JSZip in web console after upgrade to 3.1.5 + - JDK-8214862: assert(proj != __null) at compile.cpp:3251 + - JDK-8215369: Jcstress pollute /var/tmp with temporary files. + - JDK-8215551: Missing case label in nmethod::reloc_string_for() + - JDK-8215555: TieredCompilation C2 threads can excessively block handshakes + - JDK-8215711: Missing key_share extension for (EC)DHE key exchange should alert missing_extension + - JDK-8216151: [Graal] Module jdk.internal.vm.compiler.management has not been granted accessClassInPackage.org.graalvm.compiler.debug + - JDK-8216154: C4819 warnings at HotSpot sources on Windows + - JDK-8216541: CompiledICHolders of VM locked unloaded nmethods are released too late + - JDK-8217230: assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types() + - JDK-8217404: --with-jvm-features doesn't work when multiple features are explicitly disabled + - JDK-8217447: Develop flag TraceICs is broken + - JDK-8217606: LdapContext#reconnect always opens a new connection + - JDK-8218807: Compilation database (compile_commands.json) may contain obsolete items + - JDK-8219214: Infinite Loop in CodeSection::dump() + - JDK-8219904: ClassCastException when calling FlightRecorderMXBean#getRecordings() + - JDK-8219991: New fix of the deadlock in sun.security.ssl.SSLSocketImpl + - JDK-8221121: applications/microbenchmarks are encountering crashes in tier5 + - JDK-8221445: FastSysexMessage constructor crashes MIDI receiption thread + - JDK-8221482: Initialize VMRegImpl::regName[] earlier to prevent assert during PrintStubCode + - JDK-8221741: ClassCastException can happen when fontconfig.properties is used + - JDK-8221823: Requested JDialog width is ignored + - JDK-8223108: Test java/awt/EventQueue/NonComponentSourcePost.java is unstable + - JDK-8223935: PIT: java/awt/font/WindowsIndicFonts.java fails on windows10 + - JDK-8224109: Text spaced incorrectly by drawString under rotation with fractional metric + - JDK-8224632: testbug: java/awt/dnd/RemoveDropTargetCrashTest/RemoveDropTargetCrashTest.java fails on MacOS + - JDK-8224793: os::die() does not honor CreateCoredumpOnCrash option + - JDK-8224847: gc/stress/TestReclaimStringsLeaksMemory.java fails with reserved greater than expected + - JDK-8224931: disable JAOTC invokedynamic support until 8223533 is fixed + - JDK-8224997: ChaCha20-Poly1305 TLS cipher suite decryption throws ShortBufferException + - JDK-8225068: Remove DocuSign root certificate that is expiring in May 2020 + - JDK-8225069: Remove Comodo root certificate that is expiring in May 2020 + - JDK-8225126: Test SetBoundsPaintTest.html faild on Windows when desktop is scaled + - JDK-8225325: Add tests for redefining a class' private method during resolution of the bootstrap specifier + - JDK-8225622: [AOT] runtime/SharedArchiveFile/TestInterpreterMethodEntries.java crashed with AOTed java.base + - JDK-8225653: Provide more information when hitting SIGILL from HaltNode + - JDK-8225783: Incorrect use of binary operators on booleans in type.cpp + - JDK-8225789: Empty method parameter type should generate ClassFormatError + - JDK-8226198: use of & instead of && in LibraryCallKit::arraycopy_restore_alloc_state + - JDK-8226253: JAWS reports wrong number of radio buttons when buttons are hidden. + - JDK-8226653: [accessibility] Can edit text cell correctly, but Accessibility Tool reads nothing about editor + - JDK-8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread + - JDK-8226879: Memory leak in Type::hashcons + - JDK-8227632: Incorrect PrintCompilation message: made not compilable on levels 0 1 2 3 4 + - JDK-8228407: JVM crashes with shared archive file mismatch + - JDK-8228482: fix xlc16/xlclang comparison of distinct pointer types and string literal conversion warnings + - JDK-8228757: Fail fast if the handshake type is unknown + - JDK-8229158: make UseSwitchProfiling non-experimental or false by-default + - JDK-8229421: The logic of java/net/ipv6tests/TcpTest.java is flawed + - JDK-8229855: C2 fails with assert(false) failed: bad AD file + - JDK-8230591: AArch64: Missing intrinsics for Math.ceil, floor, rint + - JDK-8231118: ARM32: Math tests failures + - JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo + - JDK-8231243: [TESTBUG] CustomFont.java cannot find font file + - JDK-8231438: [macOS] Dark mode for the desktop is not supported + - JDK-8231550: C2: ShouldNotReachHere() in verify_strip_mined_scheduling + - JDK-8231564: setMaximizedBounds is broken with large display scale and multiple monitors + - JDK-8231572: Use -lobjc instead of -fobjc-link-runtime in libosxsecurity + - JDK-8231631: sun/net/ftp/FtpURLConnectionLeak.java fails intermittently with NPE + - JDK-8231671: Fix copyright headers in hotspot (missing comma after year) + - JDK-8231720: Some perf regressions after 8225653 + - JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate + - JDK-8231863: Crash if classpath is read from @argument file and the main gets option argument + - JDK-8232080: jlink plugins for vendor information and run-time options + - JDK-8232106: [x86] C2: SIGILL due to usage of SSSE3 instructions on processors which don't support it + - JDK-8232134: Change to Visual Studio 2017 15.9.16 for building on Windows at Oracle + - JDK-8232226: [macos 10.15] test/jdk/java/awt/color/EqualityTest/EqualityTest.java may fail + - JDK-8232357: Compare version info of Santuario to legal notice + - JDK-8232572: Add hooks for custom output dir in Bundles.gmk + - JDK-8232634: Problem List ICMColorDataTest.java + - JDK-8232748: Build static versions of certain JDK libraries + - JDK-8232846: ProcessHandle.Info command with non-English shows question marks + - JDK-8233033: C2 produces wrong result while unswitching a loop due to lost control dependencies + - JDK-8233137: runtime/ErrorHandling/VeryEarlyAssertTest.java fails after 8232080 + - JDK-8233197: Invert JvmtiExport::post_vm_initialized() and Jfr:on_vm_start() start-up order for correct option parsing + - JDK-8233291: [TESTBUG] tools/jlink/plugins/VendorInfoPluginsTest.java fails with debug or non-server VMs + - JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp + - JDK-8233573: Toolkit.getScreenInsets(GraphicsConfiguration) may throw ClassCastException + - JDK-8233608: Minimal build broken after JDK-8233494 + - JDK-8233621: Mismatch in jsse.enableMFLNExtension property name + - JDK-8233696: [TESTBUG]Some jtreg tests fail when CAPS_LOCK is ON + - JDK-8233707: systemScale.cpp could not compile with VS2019 + - JDK-8233801: GCMEmptyIv.java test fails on Solaris 11.4 + - JDK-8233880: Support compilers with multi-digit major version numbers + - JDK-8233920: MethodHandles::tryFinally generates illegal bytecode for long/double return type + - JDK-8234137: The "AutoTestOnTop.java" test may run external applications + - JDK-8234146: compiler/jsr292/ContinuousCallSiteTargetChange.java times out on SPARC + - JDK-8234184: [TESTBUG] java/awt/Mouse/EnterExitEvents/ModalDialogEnterExitEventsTest.java fails in Windows + - JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect numbers for Compiler area + - JDK-8234332: [TESTBUG] java/awt/Focus/DisposedWindow/DisposeDialogNotActivateOwnerTest/DisposeDialogNotActivateOwnerTest.java fails on linux-x64 nightly + - JDK-8234398: Replace ID2D1Factory::GetDesktopDpi with GetDeviceCaps + - JDK-8234522: [macos] Crash with use of native file dialog + - JDK-8234691: Potential double-free in ParallelSPCleanupTask constructor + - JDK-8234696: tools/jlink/plugins/VendorInfoPluginsTest.java times out + - JDK-8234727: sun/security/ssl/X509TrustManagerImpl tests support TLSv1.3 + - JDK-8234728: Some security tests should support TLSv1.3 + - JDK-8234779: Provide idiom for declaring classes noncopyable + - JDK-8234968: check calloc rv in libinstrument InvocationAdapter + - JDK-8235153: [TESTBUG] [macos 10.15] java/awt/Graphics/DrawImageBG/SystemBgColorTest.java fails + - JDK-8235183: Remove the "HACK CODE" in comment + - JDK-8235263: Revert TLS 1.3 change that wrapped IOExceptions + - JDK-8235311: Tag mismatch may alert bad_record_mac + - JDK-8235332: TestInstanceCloneAsLoadsStores.java fails with -XX:+StressGCM + - JDK-8235452: Strip mined loop verification fails with assert(is_OuterStripMinedLoop()) failed: invalid node class + - JDK-8235584: UseProfiledLoopPredicate fails with assert(_phase->get_loop(c) == loop) failed: have to be in the same loop + - JDK-8235620: Broken merge between JDK-8006406 and JDK-8003559 + - JDK-8235638: NPE in LWWindowPeer.getOnscreenGraphics() + - JDK-8235686: Add more custom hooks in Bundles.gmk + - JDK-8235739: Rare NPE at WComponentPeer.getGraphics() + - JDK-8235762: JVM crash in SWPointer during C2 compilation + - JDK-8235834: IBM-943 charset encoder needs updating + - JDK-8235874: The ordering of Cipher Suites is not maintained provided through jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites system property. + - JDK-8235908: omit ThreadPriorityPolicy warning when value is set from image + - JDK-8235984: C2: assert(out->in(PhiNode::Region) == head || out->in(PhiNode::Region) == slow_head) failed: phi must be either part of the slow or the fast loop + - JDK-8236211: [Graal] compiler/graalunit/GraphTest.java is skipped in all testing + - JDK-8236470: Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId + - JDK-8236545: Compilation error in mach5 java/awt/FileDialog/MacOSGoToFolderCrash.java + - JDK-8236700: Upgrading JSZip from v3.1.5 to v3.2.2 + - JDK-8236759: ShouldNotReachHere in PhaseIdealLoop::verify_strip_mined_scheduling + - JDK-8236897: Fix the copyright header for pkcs11gcm2.h + - JDK-8236921: Add build target to produce a JDK image suitable for a Graal/SVM build + - JDK-8236953: [macos] JavaFX SwingNode is not rendered on macOS + - JDK-8236996: Incorrect Roboto font rendering on Windows with subpixel antialiasing + - JDK-8237045: JVM uses excessive memory with -XX:+EnableJVMCI -XX:JVMCICounterSize=2147483648 + - JDK-8237055: [TESTBUG] compiler/c2/TestJumpTable.java fails with release VMs + - JDK-8237086: assert(is_MachReturn()) running CTW with fix for JDK-8231291 + - JDK-8237192: Generate stripped/public pdbs on Windows for jdk images + - JDK-8237396: JvmtiTagMap::weak_oops_do() should not trigger barriers + - JDK-8237474: Default SSLEngine should create in server role + - JDK-8237859: C2: Crash when loads float above range check + - JDK-8237951: CTW: C2 compilation fails with "malformed control flow" + - JDK-8237962: give better error output for invalid OCSP response intervals in CertPathValidator checks + - JDK-8238190: [JVMCI] Fix single implementor speculation for diamond shapes. + - JDK-8238356: CodeHeap::blob_count() overestimates the number of blobs + - JDK-8238452: Keytool generates wrong expiration date if validity is set to 2050/01/01 + - JDK-8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB + - JDK-8238575: DragSourceEvent.getLocation() returns wrong value on HiDPI screens (Windows) + - JDK-8238676: jni crashes on accessing it from process exit hook + - JDK-8238721: Add failing client jtreg tests to the Problem List + - JDK-8238738: AudioSystem.getMixerInfo() takes about 30 sec to report a gone audio device + - JDK-8238756: C2: assert(((n) == __null || !VerifyIterativeGVN || !((n)->is_dead()))) failed: can not use dead node + - JDK-8238765: PhaseCFG::schedule_pinned_nodes cannot handle precedence edges from unmatched CFG nodes correctly + - JDK-8238898: Missing hash characters for header on license file + - JDK-8238942: Rendering artifacts with LCD text and fractional metrics + - JDK-8238985: [TESTBUG] The arrow image is blue instead of green + - JDK-8239000: handle ContendedPaddingWidth in vm_version_ppc + - JDK-8239055: Wrong implementation of VMState.hasListener + - JDK-8239091: Reversed arguments in call to strstr in freetype "debug" code. + - JDK-8239142: C2's UseUniqueSubclasses optimization is broken for array accesses + - JDK-8239224: libproc_impl.c previous_thr may be used uninitialized warning + - JDK-8239351: Give more meaningful InternalError messages in Deflater.c + - JDK-8239365: ProcessBuilder test modifications for AIX execution + - JDK-8239456: vtable stub generation: assert failure (code size estimate) + - JDK-8239457: call ReleaseStringUTFChars before early returns in Java_sun_security_pkcs11_wrapper_PKCS11_connect + - JDK-8239462: jdk.hotspot.agent misses some ReleaseStringUTFChars calls in case of early returns + - JDK-8239557: [TESTBUG] VeryEarlyAssertTest.java validating "END." marker at lastline is not always true + - JDK-8239787: AArch64: String.indexOf may incorrectly handle empty strings + - JDK-8239792: Bump update version for OpenJDK: jdk-11.0.8 + - JDK-8239798: SSLSocket closes socket both socket endpoints on a SocketTimeoutException + - JDK-8239819: XToolkit: Misread of screen information memory + - JDK-8239852: java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed + - JDK-8239893: Windows handle Leak when starting processes using ProcessBuilder + - JDK-8239915: Zero VM crashes when handling dynamic constant + - JDK-8239931: [win][x86] vtable stub generation: assert failure (code size estimate) follow-up + - JDK-8239976: Put JDK-8239965 on the ProblemList.txt + - JDK-8240073: Fix 'test-make' build target in 11u + - JDK-8240197: Cannot start JVM when $JAVA_HOME includes CJK characters + - JDK-8240202: A few client tests leave mouse buttons pressed + - JDK-8240220: IdealLoopTree::dump_head predicate printing is broken + - JDK-8240223: Use consistent predicate order in and with PhaseIdealLoop::find_predicate + - JDK-8240227: Loop predicates should be copied to unswitched loops + - JDK-8240286: [TESTBUG] Test command error in hotspot/jtreg/compiler/loopopts/superword/SumRedAbsNeg_Float.java + - JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in Windows Print + - JDK-8240529: CheckUnhandledOops breaks NULL check in Modules::define_module + - JDK-8240576: JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges + - JDK-8240603: Windows 32bit compile error after 8238676 + - JDK-8240629: argfiles parsing broken for argfiles with comment cross 4096 bytes chunk + - JDK-8240711: TestJstatdPort.java failed due to "ExportException: Port already in use:" + - JDK-8240786: [TESTBUG] The test java/awt/Window/GetScreenLocation/GetScreenLocationTest.java fails on HiDPI screen + - JDK-8240824: enhance print_full_memory_info on Linux by THP related information + - JDK-8240827: Downport SSLSocketImpl.java from "8221882: Use fiber-friendly java.util.concurrent.locks in JSSE" + - JDK-8240905: assert(mem == (Node*)1 || mem == mem2) failed: multiple Memories being matched at once? + - JDK-8240972: macOS codesign fail on macOS 10.13.5 or older + - JDK-8241445: Fix copyright in test/jdk/tools/launcher/ArgFileSyntax.java + - JDK-8241458: [JVMCI] add mark value to expose CodeOffsets::Frame_Complete + - JDK-8241464: [11u] Backport: make rehashing be a needed guaranteed safepoint cleanup action + - JDK-8241556: Memory leak if -XX:CompileCommand is set + - JDK-8241568: (fs) UserPrincipalLookupService.lookupXXX failure with IOE "Operation not permitted" + - JDK-8241586: compiler/cpuflags/TestAESIntrinsicsOnUnsupportedConfig.java fails on aarch64 + - JDK-8241638: launcher time metrics always report 1 on Linux when _JAVA_LAUNCHER_DEBUG set + - JDK-8241660: Add virtualization information output to hs_err file on macOS + - JDK-8241808: [TESTBUG] The JDK-8039467 bug appeared on macOS + - JDK-8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one + - JDK-8241900: Loop unswitching may cause dependence on null check to be lost + - JDK-8241948: enhance list of environment variables printed in hs_err file + - JDK-8241996: on linux set full relro in the linker flags + - JDK-8242108: Performance regression after fix for JDK-8229496 + - JDK-8242141: New System Properties to configure the TLS signature schemes + - JDK-8242154: Backport parts of JDK-4947890 to OpenJDK 11u + - JDK-8242174: [macos] The NestedModelessDialogTest test make the macOS unstable + - JDK-8242239: [Graal] javax/management/generified/GenericTest.java fails: FAILED: queryMBeans sets same + - JDK-8242294: JSSE Client does not throw SSLException when an alert occurs during handshaking + - JDK-8242379: [TESTBUG] compiler/loopopts/TestLoopUnswitchingLostCastDependency.java fails with release VMs + - JDK-8242470: Update Xerces to Version 2.12.1 + - JDK-8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash + - JDK-8242541: Small charset issues (ISO8859-16, x-eucJP-Open, x-IBM834 and x-IBM949C) + - JDK-8242626: enhance posix print_rlimit_info + - JDK-8243059: Build fails when --with-vendor-name contains a comma + - JDK-8243539: Copyright info (Year) should be updated for fix of 8241638 + - JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a + - JDK-8244407: JVM crashes after transformation in C2 IdealLoopTree::split_fall_in + - JDK-8244520: problemlist java/awt/font/Rotate/RotatedFontTest.java on linux + - JDK-8244777: ClassLoaderStats VM Op uses constant hash value + - JDK-8244853: The static build of libextnet is missing the JNI_OnLoad_extnet function + - JDK-8244951: Missing entitlements for hardened runtime + - JDK-8245047: [PPC64] C2: ReverseBytes + Load always match to unordered Load (acquire semantics missing) + - JDK-8245649: Revert 8245397 backport of 8230591 + - JDK-8246031: SSLSocket.getSession() doesn't close connection for timeout/ interrupts + - JDK-8246613: Choose the default SecureRandom algo based on registration ordering + - JDK-8248505: Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8244167: Removal of Comodo Root CA Certificate +================================================== +The following expired Comodo root CA certificate was removed from the `cacerts` keystore: + +alias name "addtrustclass1ca [jdk]" + +Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE + +JDK-8244166: Removal of DocuSign Root CA Certificate +==================================================== +The following expired DocuSign root CA certificate was removed from the `cacerts` keystore: + +alias name "keynectisrootca [jdk]" + +Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR + +security-libs/javax.crypto:pkcs11: + +JDK-8240191: Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database +============================================================================================================================ +The SunPKCS11 security provider can now be initialized with NSS when +FIPS-enabled external modules are configured in the Security Modules +Database (NSSDB). Prior to this change, the SunPKCS11 provider would +throw a RuntimeException with the message: "FIPS flag set for +non-internal module" when such a library was configured for NSS in +non-FIPS mode. + +This change allows the JDK to work properly with recent NSS releases +in GNU/Linux operating systems when the system-wide FIPS policy is +turned on. + +Further information can be found in JDK-8238555. + +security-libs/javax.net.ssl: + +JDK-8245077: Default SSLEngine Should Create in Server Role +=========================================================== +In JDK 11 and later, `javax.net.ssl.SSLEngine` by default used client +mode when handshaking. As a result, the set of default enabled +protocols may differ to what is expected. `SSLEngine` would usually be +used in server mode. From this JDK release onwards, `SSLEngine` will +default to server mode. The +`javax.net.ssl.SSLEngine.setUseClientMode(boolean mode)` method may +be used to configure the mode. + +JDK-8242147: New System Properties to Configure the TLS Signature Schemes +========================================================================= + +Two new System Properties are added to customize the TLS signature +schemes in JDK. `jdk.tls.client.SignatureSchemes` is added for TLS +client side, and `jdk.tls.server.SignatureSchemes` is added for server +side. + +Each System Property contains a comma-separated list of supported +signature scheme names specifying the signature schemes that could be +used for the TLS connections. + +The names are described in the "Signature Schemes" section of the +*Java Security Standard Algorithm Names Specification*. + +New in release OpenJDK 11.0.7 (2020-04-14): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/oj1107 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.7.txt + +* Security fixes + - JDK-8223898, CVE-2020-2754: Forward references to Nashorn + - JDK-8223904, CVE-2020-2755: Improve Nashorn matching + - JDK-8224541, CVE-2020-2756: Better mapping of serial ENUMs + - JDK-8224549, CVE-2020-2757: Less Blocking Array Queues + - JDK-8225603: Enhancement for big integers + - JDK-8226346: Build better binary builders + - JDK-8227467: Better class method invocations + - JDK-8227542: Manifest improved jar headers + - JDK-8229733: TLS message handling improvements + - JDK-8231415, CVE-2020-2773: Better signatures in XML + - JDK-8231785: Improved socket permissions + - JDK-8232424, CVE-2020-2778: More constrained algorithms + - JDK-8232581, CVE-2020-2767: Improve TLS verification + - JDK-8233250: Better X11 rendering + - JDK-8233410: Better Build Scripting + - JDK-8234027: Better JCEKS key support + - JDK-8234408, CVE-2020-2781: Improve TLS session handling + - JDK-8234825, CVE-2020-2800: Better Headings for HTTP Servers + - JDK-8234841, CVE-2020-2803: Enhance buffering of byte buffers + - JDK-8235274, CVE-2020-2805: Enhance typing of methods + - JDK-8235691, CVE-2020-2816: Enhance TLS connectivity + - JDK-8236201, CVE-2020-2830: Better Scanner conversions + - JDK-8238960: linux-i586 builds are inconsistent as the newly build jdk is not able to reserve enough space for object heap +* Other changes + - JDK-4919790: Errors in alert ssl message does not reflect the actual certificate status + - JDK-4949105: Access Bridge lacks html tags parsing + - JDK-7092821: java.security.Provider.getService() is synchronized and became scalability bottleneck + - JDK-7143743: Potential memory leak with zip provider + - JDK-8005819: Support cross-realm MSSFU + - JDK-8042383: [TEST_BUG] Test javax/swing/plaf/basic/BasicMenuUI/4983388/bug4983388.java fails with shortcuts on menus do not work + - JDK-8068184: Fix for JDK-8032832 caused a deadlock + - JDK-8145845: [AOT] NullPointerException in compiler/whitebox/GetCodeHeapEntriesTest.java + - JDK-8152988: [AOT] Update test batch definitions to include aot-ed java.base module mode into hs-comp testing + - JDK-8160926: FLAGS_COMPILER_CHECK_ARGUMENTS doesn't handle cross-compilation + - JDK-8163083: SocketListeningConnector does not allow invocations with port 0 + - JDK-8163251: Hard coded loop limit prevents reading of smart card data greater than 8k + - JDK-8167276: jvmci/compilerToVM/MaterializeVirtualObjectTest.java fails with -XX:-EliminateAllocations + - JDK-8169718: nsk/jdb/locals/locals002: ERROR: Cannot find boolVar with expected value: false + - JDK-8176556: java/awt/dnd/ImageTransferTest/ImageTransferTest.java fails for JFIF + - JDK-8178798: Two compiler/aot/verification/vmflags tests fail by timeout with UseAVX=3 + - JDK-8183107: PKCS11 regression regarding checkKeySize + - JDK-8185005: Improve performance of ThreadMXBean.getThreadInfo(long ids[], int maxDepth) + - JDK-8189633: Missing -Xcheck:jni checking for DeleteWeakGlobalRef + - JDK-8189861: Refactor CacheFind + - JDK-8193042: NativeLookup::lookup_critical_entry() should only load shared library once + - JDK-8193596: java/net/DatagramPacket/ReuseBuf.java failed due to timeout + - JDK-8194944: Regression automated test 'open/test/jdk/javax/swing/JInternalFrame/8145896/TestJInternalFrameMaximize.java' fails + - JDK-8196467: javax/swing/JInternalFrame/Test6325652.java fails + - JDK-8196969: JTreg Failure: serviceability/sa/ClhsdbJstack.java causes NPE + - JDK-8198321: javax/swing/JEditorPane/5076514/bug5076514.java fails + - JDK-8198398: Test javax/swing/JColorChooser/Test6199676.java fails in mach5 + - JDK-8199072: Test javax/swing/GroupLayout/6613904/bug6613904.java is unstable + - JDK-8200432: javadoc fails with ClassCastException on {@link byte[]} + - JDK-8201349: build broken when configured with --with-zlib=bundled on gcc 7.3 + - JDK-8201355: Avoid native memory allocation in sun.security.mscapi.PRNG.generateSeed + - JDK-8201513: nsk/jvmti/IterateThroughHeap/filter-* are broken + - JDK-8203364: Some serviceability/sa/ tests intermittently fail with java.io.IOException: LingeredApp terminated with non-zero exit code 3 + - JDK-8203687: javax/net/ssl/compatibility/Compatibility.java supports TLS 1.3 + - JDK-8203904: javax/swing/JSplitPane/4816114/bug4816114.java: The divider location is wrong + - JDK-8203911: Test runtime/modules/getModuleJNI/GetModule fails with -Xcheck:jni + - JDK-8204525: [TESTBUG] runtime/NMT/MallocStressTest.java ran out of java heap + - JDK-8204529: gc/TestAllocateHeapAtMultiple.java fail with Agent 7 timed out + - JDK-8204551: Event descriptions are truncated in logs + - JDK-8206963: [AOT] bug with multiple class loaders + - JDK-8207367: 10 vmTestbase/nsk/jdi tests timed out when running with jtreg + - JDK-8207832: serviceability/sa/ClhsdbCDSCore.java failed with "Couldn't find core file location" + - JDK-8207938: At step6,Click Add button,case failed automatically. + - JDK-8208157: requires.VMProps throws NPE for missing properties in "release" file + - JDK-8208379: compiler/jvmci/events/JvmciNotifyInstallEventTest.java failed with "Got unexpected event count after 2nd install attempt: expected 9 to equal 2" + - JDK-8208658: Make CDS archived heap regions usable even if compressed oop encoding has changed + - JDK-8208715: Conversion of milliseconds to nanoseconds in UNIXProcess contains bug + - JDK-8209361: [AOT] Unexpected number of references for JVMTI_HEAP_REFERENCE_CONSTANT_POOL [111-->111]: 0 (expected at least 1) + - JDK-8209385: CDS runtime classpath checking is too strict when only classes from the system modules are archived + - JDK-8209389: SIGSEGV in WalkOopAndArchiveClosure::do_oop_work. + - JDK-8209418: Synchronize test/jdk/sanity/client/lib/jemmy with code-tools/jemmy/v2 + - JDK-8209494: Create a test for SwingSet InternalFrameDemo + - JDK-8209499: Create test for SwingSet EditorPaneDemo + - JDK-8209574: [AOT] breakpoint events are generated in different threads does not meet expected count + - JDK-8209686: cleanup arguments to PhaseIdealLoop() constructor + - JDK-8209789: Synchronize test/jdk/sanity/client/lib/jemmy with code-tools/jemmy/v2 + - JDK-8209802: Garbage collectors should register JFR types themselves to avoid build errors. + - JDK-8209807: improve handling exception in requires.VMProps + - JDK-8209817: stack is executable when building with Clang on Linux + - JDK-8209824: Improve the code coverage for ThreadLocal + - JDK-8209826: Undefined reference to os::write after JDK-8209657 (filemap.hpp cleanup) + - JDK-8209850: Allow NamedThreads to use GlobalCounter critical sections + - JDK-8209976: Improve iteration over non-JavaThreads + - JDK-8209993: Create a test for SwingSet3 ToolTipDemo + - JDK-8210024: JFR calls virtual is_Java_thread from ~Thread() + - JDK-8210052: Enable testing for all the available look and feels in SwingSet3 demo tests + - JDK-8210055: Enable different look and feel tests in SwingSet3 demo tests + - JDK-8210057: Enable different look and feels in SwingSet3 demo test InternalFrameDemoTest + - JDK-8210058: Algorithmic Italic font leans opposite angle in Printing + - JDK-8210220: [AOT] jdwp test cases are failing with error # ERROR: TEST FAILED: Cought IOException while receiving event packet + - JDK-8210289: ArchivedKlassSubGraphInfoRecord is incomplete + - JDK-8210459: Add support for generating compile_commands.json + - JDK-8210476: sun/security/mscapi/PrngSlow.java fails with Still too slow + - JDK-8210512: [Testbug] vmTestbase/nsk/jdi/ObjectReference/referringObjects/referringObjects002/referringObjects002.java fails with unexpected size of ClassLoaderReference.referringObjects + - JDK-8210523: runtime/appcds/cacheObject/DifferentHeapSizes.java crash + - JDK-8210632: Add key exchange algorithm to javax/net/ssl/TLSCommon/CipherSuite.java + - JDK-8210699: Problem list tests which times out in Xcomp mode + - JDK-8210793: [JVMCI] AllocateCompileIdTest.java failed to find DiagnosticCommand.class + - JDK-8210910: Create test for FileChooserDemo + - JDK-8210994: Create test for SwingSet3 FrameDemo + - JDK-8211139: Increase timeout value in all tests under jdk/sanity/client/SwingSet/src + - JDK-8211160: Handle different look and feels in JInternalFrameOperator + - JDK-8211211: vmTestbase/metaspace/stressDictionary/StressDictionary.java timeout + - JDK-8211322: Reduce the timeout of tooltip in SwingSet2DemoTest + - JDK-8211443: Enable different look and feels in SwingSet3 demo test SplitPaneDemoTest + - JDK-8211703: JInternalFrame : java.lang.AssertionError: cannot find the internal frame + - JDK-8211781: re-building fails after changing Graal sources + - JDK-8212897: Some improvements in the EditorPaneDemotest + - JDK-8212903: [TestBug] Tests test/jdk/javax/swing/LookAndFeel/8145547/DemandGTK2.sh and DemandGTK3.sh fail on Ubuntu 18.04 LTS + - JDK-8213009: Refactoring existing SunMSCAPI classes + - JDK-8213010: Supporting keys created with certmgr.exe + - JDK-8213168: Enable different look and feel tests in SwingSet3 demo test FileChooserDemoTest + - JDK-8213348: jdk.internal.vm.compiler.management service providers missing in module descriptor + - JDK-8213906: Update arm devkits with libXrandr headers + - JDK-8213908: AssertionError in DeferredAttr at setOverloadKind + - JDK-8214124: [TESTBUG] Bugs in runtime/NMT/MallocStressTest.java + - JDK-8214344: C2: assert(con.basic_type() != T_ILLEGAL) failed: elembt=byte; loadbt=void; unsigned=0 + - JDK-8214345: infinite recursion while checking super class + - JDK-8214471: Enable different look and feel tests in SwingSet3 demo test ToolTipDemoTest + - JDK-8214534: Setting of THIS_FILE in the build is broken + - JDK-8214557: Filter out VM flags which don't affect AOT code generation + - JDK-8214578: [macos] Problem with backslashes on macOS/JIS keyboard: Java ignores system settings + - JDK-8214840: runtime/NMT/MallocStressTest.java timed out + - JDK-8214850: Rename vm_operations.?pp files to vmOperations.?pp files + - JDK-8214904: Test8004741.java failed due to "Too few ThreadDeath hits; expected at least 6 but saw only 5" + - JDK-8215322: add @file support to jaotc + - JDK-8215355: Object monitor deadlock with no threads holding the monitor (using jemalloc 5.1) + - JDK-8215396: JTabbedPane preferred size calculation is wrong for SCROLL_TAB_LAYOUT + - JDK-8216180: [AOT] compiler/intrinsics/bigInteger/TestMulAdd.java crashed with AOT enabled + - JDK-8216353: Use utility APIs introduced in org/netbeans/jemmy/util/LookAndFeel class in client sanity test cases + - JDK-8216354: Syntax error in toolchain_windows.m4 + - JDK-8216472: (se) Stack overflow during selection operation leads to crash (win) + - JDK-8216535: tools/jimage/JImageExtractTest.java timed out + - JDK-8217235: Create automated test for SwingSet ColorChooserDemoTest + - JDK-8217297: Add support for multiple look and feel for SwingSet SliderDemoTest + - JDK-8217338: [Containers] Improve systemd slice memory limit support + - JDK-8217613: [AOT] TEST_OPTS_AOT_MODULES doesn't work on mac + - JDK-8217634: RunTest documentation and usability update + - JDK-8217717: ZGC: Broken oop map in C1 load barrier stub + - JDK-8217728: Speed up incremental rerun of "make hotspot" + - JDK-8218268: Javac treats Manifest Class-Path entries as Paths instead of URLs + - JDK-8218662: Allow 204 responses with Content-Length:0 + - JDK-8218882: NET_Writev is declared, NET_WriteV is defined + - JDK-8218889: Improperly use of the Optional API + - JDK-8219205: JFR file without license header + - JDK-8219597: (bf) Heap buffer state changes could provoke unexpected exceptions + - JDK-8219723: javax/net/ssl/compatibility/Compatibility.java failed on some SNI cases + - JDK-8220348: [ntintel] asserts about copying unaligned array + - JDK-8220451: jdi/EventQueue/remove/remove004 failed due to "ERROR: thread2 is not alive" + - JDK-8220456: jdi/EventQueue/remove_l/remove_l004 failed due to "TIMEOUT while waiting for event" + - JDK-8220479: java/nio/channels/Selector/SelectWithConsumer.java failed at testTwoChannels() + - JDK-8220613: java/util/Arrays/TimSortStackSize2.java times out with fastdebug build + - JDK-8220688: [TESTBUG] runtime/NMT/MallocStressTest.java timed out + - JDK-8220786: Create new switch to redirect error reporting output to stdout or stderr + - JDK-8221270: Duplicated synchronized keywords in SSLSocketImpl + - JDK-8221312: test/jdk/sanity/client/SwingSet/src/ColorChooserDemoTest.java failed + - JDK-8221851: Use of THIS_FILE in hotspot invalidates precompiled header on Linux/GCC + - JDK-8221885: Add intermittent test in the JavaSound to the ProblemList + - JDK-8222264: Windows incremental build is broken with JDK-8217728 + - JDK-8222391: javax/net/ssl/compatibility/Compatibility.java should be more flexible + - JDK-8222448: java/lang/reflect/PublicMethods/PublicMethodsTest.java times out + - JDK-8222519: ButtonDemoScreenshotTest fails randomly with "still state to be reached" + - JDK-8222741: jdi/EventQueue/remove/remove004 fails due to VMDisconnectedException + - JDK-8223003: SunMSCAPI keys are not cleaned up + - JDK-8223063: Support CNG RSA keys + - JDK-8223158: Docked MacBook cannot start any Java Swing applications + - JDK-8223260: NamingManager should cache InitialContextFactory + - JDK-8223464: Improve version string for Oracle CI builds + - JDK-8223558: Java does not render Myanmar script correctly + - JDK-8223627: jdk-13+20 bundle name contains null instead of ea + - JDK-8223638: Replace wildcard address with loopback or local host in tests - part 6 + - JDK-8223678: Add Visual Studio Code workspace generation support (for native code) + - JDK-8223727: com/sun/jndi/ldap/privconn/RunTest.java failed due to hang in LdapRequest.getReplyBer + - JDK-8223769: Assert triggers with -XX:+StressReflectiveCode + - JDK-8224187: Refactor arraycopy_prologue to allow ZGC read barriers on arraycopy + - JDK-8224475: JTextPane does not show images in HTML rendering + - JDK-8224673: Adjust permission for delayed starting of debugging + - JDK-8224705: Tests that need to be problem-listed or have printer resources + - JDK-8224778: test/jdk/demo/jfc/J2Ddemo/J2DdemoTest.java cannot find J2Ddemo.jar + - JDK-8224821: java/awt/Focus/NoAutotransferToDisabledCompTest/NoAutotransferToDisabledCompTest.java fails linux-x64 + - JDK-8224830: test/jdk/java/awt/Focus/ModalExcludedWindowClickTest/ModalExcludedWindowClickTest.java fails on linux-x64 + - JDK-8224851: AArch64: fix warnings and errors with Clang and GCC 8.3 + - JDK-8224905: java/lang/ProcessBuilder/Basic.java#id1 failed with stream closed + - JDK-8225007: java/awt/print/PrinterJob/LandscapeStackOverflow.java may hang + - JDK-8225105: java/awt/Focus/ShowFrameCheckForegroundTest/ShowFrameCheckForegroundTest.java fails in Windows 10 + - JDK-8225117: java/math/BigInteger/SymmetricRangeTests.java fails with ParseException + - JDK-8225128: Add exception for expiring DocuSign root to VerifyCACerts test + - JDK-8225130: Add exception for expiring Comodo roots to VerifyCACerts test + - JDK-8225144: [macos] In Aqua L&F backspace key does not delete when Shift is pressed + - JDK-8225180: SignedObject with invalid Key not throwing the InvalidKeyException in Windows + - JDK-8225182: JNI exception pending in DestroyXIMCallback of awt_InputMethod.c:1327 + - JDK-8225199: [Graal] compiler/jvmci/compilerToVM/IsMatureVsReprofileTest.java fails with -XX:CompileThresholdScaling=0.1 + - JDK-8225305: ProblemList java/lang/invoke/VarHandles tests + - JDK-8225350: compiler/jvmci/compilerToVM/IsCompilableTest.java timed out + - JDK-8225430: Replace wildcard address with loopback or local host in tests - part 14 + - JDK-8225435: Upgrade IANA Language Subtag Registry to the latest for JDK14 + - JDK-8225487: giflib legal file is missing attribution for openbsd-reallocarray.c + - JDK-8225567: Wrong file headers with 8202414 fix changeset + - JDK-8225684: [AOT] vmTestbase/vm/oom/production/AlwaysOOMProduction tests fail with AOTed java.base + - JDK-8225766: Curve in certificate should not affect signature scheme when using TLSv1.3 + - JDK-8225797: OldObjectSample event creates unexpected amount of checkpoint data + - JDK-8226381: ProblemList java/lang/reflect/PublicMethods/PublicMethodsTest.java + - JDK-8226406: JVM fails to detect mismatched or corrupt CDS archive + - JDK-8226608: Hide the onjcmd option from the help output + - JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys + - JDK-8227112: exclude compiler/intrinsics/sha/sanity tests from AOT runs + - JDK-8227324: Upgrade to freetype 2.10.1 + - JDK-8227528: TestAbortVMOnSafepointTimeout.java failed due to "RuntimeException: 'Safepoint sync time longer than' missing from stdout/stderr" + - JDK-8227645: Some tests in serviceability/sa run with fixed -Xmx values and risk running out of memory + - JDK-8227646: [TESTBUG] appcds/SharedArchiveConsistency timed out + - JDK-8227662: freetype seeks to index at the end of the font data + - JDK-8228479: Correct the format of ColorChooserDemoTest + - JDK-8228613: java.security.Provider#getServices order is no longer deterministic + - JDK-8228969: 2019-09-28 public suffix list update + - JDK-8229236: CriticalJNINatives: dll handling should be done in native thread state + - JDK-8229345: Memory leak due to vtable stubs not being shared on SPARC + - JDK-8229888: (zipfs) Updating an existing zip file does not preserve original permissions + - JDK-8229994: assert(false) failed: Bad graph detected in get_early_ctrl_for_expensive + - JDK-8230004: jdk/internal/jimage/JImageOpenTest.java runs no test + - JDK-8230235: Rendering HTML with empty img attribute and documentBaseKey cause Exception + - JDK-8230390: Problemlist SA tests with AOT + - JDK-8230400: Missing constant pool entry for a method in stacktrace + - JDK-8230459: Test failed to resume JVMCI CompilerThread + - JDK-8230480: check malloc/calloc results in java.desktop + - JDK-8230597: Update GIFlib library to the 5.2.1 + - JDK-8230611: infinite loop in LogOutputList::wait_until_no_readers() + - JDK-8230624: [TESTBUG] Problemlist JFR compiler/TestCodeSweeper.java + - JDK-8230677: Should disable Escape Analysis if JVMTI capability can_get_owned_monitor_info was taken + - JDK-8230926: [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout + - JDK-8231025: Incorrect method tag offset for big endian platform + - JDK-8231081: TestMetadataRetention fails due to missing symbol id + - JDK-8231387: java.security.Provider.getService returns random result due to race condition with mutating methods in the same class + - JDK-8231430: C2: Memory stomp in max_array_length() for T_ILLEGAL type + - JDK-8231445: check ZALLOC return values in awt coding + - JDK-8231507: Update Apache Santuario (XML Signature) to version 2.1.4 + - JDK-8231584: Deadlock with ClassLoader.findLibrary and System.loadLibrary call + - JDK-8231753: use more Posix functionality in aix os::print_os_info + - JDK-8231810: javax/net/ssl/templates/SSLSocketSSLEngineTemplate.java fails intermittently with "java.lang.Exception: Unexpected EOF" + - JDK-8232003: (fs) Files.write can leak file descriptor in the exception case + - JDK-8232056: GetOwnedMonitorInfoWithEATest.java fails with ZGC: Heap too small + - JDK-8232060: add some initializations using sigemptyset in os_aix.cpp + - JDK-8232154: Update Mesa 3-D Headers to version 19.2.1 + - JDK-8232167: Visual Studio install found through --with-tools-dir value is discarded + - JDK-8232170: FSInfo#getJarClassPath throws an exception not declared in its throws clause + - JDK-8232200: [macos 10.15] Windows in fullscreen tests jumps around the screen + - JDK-8232207: Linux os::available_memory re-reads cgroup configuration on every invocation + - JDK-8232224: [TESTBUG] problemlist JFR TestLargeRootSet.java + - JDK-8232370: Refactor some com.sun.jdi tests to enable IDE integration + - JDK-8232433: [macos 10.15] java/awt/Window/LocationAtScreenCorner/LocationAtScreenCorner.java may fail + - JDK-8232571: Add missing SIGINFO signal + - JDK-8232692: [TESTBUG] compiler/aot/fingerprint/SelfChangedCDS.java fails when cds is disabled + - JDK-8232713: Update BCEL version to 6.3.1 in license file + - JDK-8232806: Introduce a system property to disable eager lambda initialization + - JDK-8232834: RunTest sometimes fails to produce valid exitcode.txt + - JDK-8232880: Update test documentation with additional settings for client UI tooltip tests + - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures. + - JDK-8233018: Add a new test to verify that DatagramSocket is not interruptible + - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit + - JDK-8233032: assert(in_bb(n)) failed: must be + - JDK-8233078: fix minimal VM build on Linux ppc64(le) + - JDK-8233328: fix minimal VM build on Linux s390x + - JDK-8233383: Various minor fixes + - JDK-8233466: aarch64: remove unnecessary load of mdo when profiling return and parameters type + - JDK-8233491: Crash in AdapterHandlerLibrary::get_adapter with CDS due to code cache exhaustion + - JDK-8233529: loopTransform.cpp:2984: Error: assert(p_f->Opcode() == Op_IfFalse) failed + - JDK-8233548: Update CUP to v0.11b + - JDK-8233649: Update ProblemList.txt to exclude failing headful tests on macos + - JDK-8233656: assert(d->is_CFG() && n->is_CFG()) failed: must have CFG nodes + - JDK-8233657: Intermittent NPE in Component.validate() + - JDK-8234288: Turkey Time Zone returns incorrect time zone name + - JDK-8234323: NULL-check return value of SurfaceData_InitOps on macosx + - JDK-8234339: replace JLI_StrTok in java_md_solinux.c + - JDK-8234340: Bump update version for OpenJDK: jdk-11.0.7 + - JDK-8234350: assert(mode == ControlAroundStripMined && (use == sfpt || !use->is_reachable_from_root())) failed: missed a node + - JDK-8234386: [macos] NPE was thrown at expanding Choice from maximized frame + - JDK-8234397: add OS uptime information to os::print_os_info output + - JDK-8234423: Modifying ArrayList.subList().subList() resets modCount of subList + - JDK-8234466: Class loading deadlock involving X509Factory#commitEvent() + - JDK-8234501: remove obsolete NET_ReadV + - JDK-8234525: enable link-time section-gc for linux s390x to remove unused code + - JDK-8234610: MaxVectorSize set wrongly when UseAVX=3 is specified after JDK-8221092 + - JDK-8234617: C1: Incorrect result of field load due to missing narrowing conversion + - JDK-8234723: javax/net/ssl/TLS tests support TLSv1.3 + - JDK-8234724: javax/net/ssl/templates/SSLSocketSSLEngineTemplate.java supports TLSv1.3 + - JDK-8234741: enhance os::get_core_path on macOS + - JDK-8234769: Duplicate attribution in freetype.md + - JDK-8234786: Fix for JDK-8214578 breaks OS X 10.12 compatibility + - JDK-8234809: set relro in linker flags when building with gcc + - JDK-8234824: java/nio/channels/SocketChannel/AdaptSocket.java fails on Windows 10 + - JDK-8235243: handle VS2017 15.9 and VS2019 in abstract_vm_version + - JDK-8235288: AVX 512 instructions inadvertently used on Xeon for small vector width operations + - JDK-8235325: build failure on Linux after 8235243 + - JDK-8235383: C1 compilation fails with -XX:+PrintIRDuringConstruction -XX:+Verbose + - JDK-8235489: handle return values of sscanf calls in hotspot + - JDK-8235509: Backport for JDK-8209657 Refactor filemap.hpp to simplify integration with Serviceability Agent. + - JDK-8235510: java.util.zip.CRC32 performance drop after 8200067 + - JDK-8235563: [TESTBUG] appcds/CommandLineFlagComboNegative.java does not handle archive mapping failure + - JDK-8235637: jhsdb jmap from OpenJDK 11.0.5 doesn't work if prelink is enabled + - JDK-8235671: enhance print_rlimit_info in os_posix + - JDK-8235744: PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64 + - JDK-8235904: Infinite loop when rendering huge lines + - JDK-8235998: [c2] Memory leaks during tracing after '8224193: stringStream should not use Resource Area'. + - JDK-8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 + - JDK-8236140: assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it + - JDK-8236179: C1 register allocation error with T_ADDRESS + - JDK-8236488: Support for configure option --with-native-debug-symbols=internal is impossible on Windows + - JDK-8236500: Windows ucrt.dll should be looked up in versioned WINSDK subdirectory + - JDK-8236709: struct SwitchRange in HS violates C++ One Definition Rule + - JDK-8236848: [JDK 11u] make run-test-tier1 fails after backport of JDK-8232834 + - JDK-8236873: Worker has a deadlock bug + - JDK-8237217: Incorrect G1StringDedupEntry type used in StringDedupTable destructor + - JDK-8237368: Problem with NullPointerException in RMI TCPEndpoint.read + - JDK-8237375: SimpleThresholdPolicy misses CounterDecay timestamp initialization + - JDK-8237508: Simplify JarFile.isInitializing + - JDK-8237540: Missing files in backport of JDK-8210910 + - JDK-8237541: Missing files in backport of JDK-8236528 + - JDK-8237600: Test SunJSSEFIPSInit fails on Ubuntu + - JDK-8237819: s390x - remove unused pd_zero_to_words_large + - JDK-8237869: exclude jtreg test security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java because of instabilities + - JDK-8237879: make 4.3 breaks build + - JDK-8237945: CTW: C2 compilation fails with assert(just_allocated_object(alloc_ctl) == ptr) failed: most recent allo + - JDK-8238225: Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary + - JDK-8238247: CTW runner should sweep nmethods more aggressively + - JDK-8238366: CTW runner closes standard output on exit + - JDK-8238438: SuperWord::co_locate_pack picks memory state of first instead of last load + - JDK-8238502: sunmscapi.dll causing EXCEPTION_ACCESS_VIOLATION + - JDK-8238534: Deep sign macOS bundles before bundle archive is being created + - JDK-8238591: CTW: Split applications/ctw/modules/jdk_localedata.java + - JDK-8238596: AVX enabled by default for Skylake even when unsupported + - JDK-8238811: C2: assert(i >= req() || i == 0 || is_Region() || is_Phi()) with -XX:+VerifyGraphEdges + - JDK-8239005: [TESTBUG] test/hotspot/jtreg/runtime/StackGuardPages/TestStackGuardPages.java: exeinvoke.c: must initialize static state before calling do_overflow() + - JDK-8239466: Loss of precision in counter decay calculation in 11u backport of JDK-8237375 + - JDK-8239856: [ntintel] asserts about copying unaligned array element + - JDK-8240724: [test] jdk11 downport of 8224475 misses binary file test/jdk/javax/swing/JTextPane/arrow.png + - JDK-8241296: Segfault in JNIHandleBlock::oops_do() + +Notes on individual issues: +=========================== + +security-libs/javax.xml.crypto: + +JDK-8239467: Apache Santuario Library Updated to Version 2.1.4 +============================================================== +The Apache Santuario library has been upgraded to version 2.1.4. As a +result, a new system property +`com.sun.org.apache.xml.internal.security.parser.pool-size` has been +introduced. + +This new system property sets the pool size of the internal +`DocumentBuilder` cache used when processing XML Signatures. The +function is equivalent to the +`org.apache.xml.security.parser.pool-size` system property used in +Apache Santuario and has the same default value of 20. diff --git a/README.md b/README.md deleted file mode 100644 index 7342728..0000000 --- a/README.md +++ /dev/null @@ -1,11 +0,0 @@ -Anolis OS -======================================= -# 代码仓库说明 -## 分支说明 ->进行代码开发工作时,请注意选择当前版本对应的分支 -* aX分支为对应大版本的主分支,如a8分支对应当前最新版本 -* aX.Y分支为对应小版本的维护分支,如a8.2分支对应8.2版本 -## 开发流程 -1. 首先fork目标分支到自己的namespace -2. 在自己的fork分支上做出修改 -3. 向对应的仓库中提交merge request,源分支为fork分支 diff --git a/TestCryptoLevel.java b/TestCryptoLevel.java new file mode 100644 index 0000000..b32b7ae --- /dev/null +++ b/TestCryptoLevel.java @@ -0,0 +1,72 @@ +/* TestCryptoLevel -- Ensure unlimited crypto policy is in use. + Copyright (C) 2012 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.lang.reflect.InvocationTargetException; + +import java.security.Permission; +import java.security.PermissionCollection; + +public class TestCryptoLevel +{ + public static void main(String[] args) + throws NoSuchFieldException, ClassNotFoundException, + IllegalAccessException, InvocationTargetException + { + Class cls = null; + Method def = null, exempt = null; + + try + { + cls = Class.forName("javax.crypto.JceSecurity"); + } + catch (ClassNotFoundException ex) + { + System.err.println("Running a non-Sun JDK."); + System.exit(0); + } + try + { + def = cls.getDeclaredMethod("getDefaultPolicy"); + exempt = cls.getDeclaredMethod("getExemptPolicy"); + } + catch (NoSuchMethodException ex) + { + System.err.println("Running IcedTea with the original crypto patch."); + System.exit(0); + } + def.setAccessible(true); + exempt.setAccessible(true); + PermissionCollection defPerms = (PermissionCollection) def.invoke(null); + PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null); + Class apCls = Class.forName("javax.crypto.CryptoAllPermission"); + Field apField = apCls.getDeclaredField("INSTANCE"); + apField.setAccessible(true); + Permission allPerms = (Permission) apField.get(null); + if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms))) + { + System.err.println("Running with the unlimited policy."); + System.exit(0); + } + else + { + System.err.println("WARNING: Running with a restricted crypto policy."); + System.exit(-1); + } + } +} diff --git a/TestECDSA.java b/TestECDSA.java new file mode 100644 index 0000000..6eb9cb2 --- /dev/null +++ b/TestECDSA.java @@ -0,0 +1,49 @@ +/* TestECDSA -- Ensure ECDSA signatures are working. + Copyright (C) 2016 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.Signature; + +/** + * @test + */ +public class TestECDSA { + + public static void main(String[] args) throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + KeyPair key = keyGen.generateKeyPair(); + + byte[] data = "This is a string to sign".getBytes("UTF-8"); + + Signature dsa = Signature.getInstance("NONEwithECDSA"); + dsa.initSign(key.getPrivate()); + dsa.update(data); + byte[] sig = dsa.sign(); + System.out.println("Signature: " + new BigInteger(1, sig).toString(16)); + + Signature dsaCheck = Signature.getInstance("NONEwithECDSA"); + dsaCheck.initVerify(key.getPublic()); + dsaCheck.update(data); + boolean success = dsaCheck.verify(sig); + if (!success) { + throw new RuntimeException("Test failed. Signature verification error"); + } + System.out.println("Test passed."); + } +} diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java new file mode 100644 index 0000000..2967a32 --- /dev/null +++ b/TestSecurityProperties.java @@ -0,0 +1,84 @@ +/* TestSecurityProperties -- Ensure system security properties can be used to + enable the crypto policies. + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ +import java.io.File; +import java.io.FileInputStream; +import java.security.Security; +import java.util.Properties; + +public class TestSecurityProperties { + // JDK 11 + private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security"; + // JDK 8 + private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + + private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config"; + + private static final String MSG_PREFIX = "DEBUG: "; + + public static void main(String[] args) { + if (args.length == 0) { + System.err.println("TestSecurityProperties "); + System.err.println("Invoke with 'true' if system security properties should be enabled."); + System.err.println("Invoke with 'false' if system security properties should be disabled."); + System.exit(1); + } + boolean enabled = Boolean.valueOf(args[0]); + System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled); + Properties jdkProps = new Properties(); + loadProperties(jdkProps); + if (enabled) { + loadPolicy(jdkProps); + } + for (Object key: jdkProps.keySet()) { + String sKey = (String)key; + String securityVal = Security.getProperty(sKey); + String jdkSecVal = jdkProps.getProperty(sKey); + if (!securityVal.equals(jdkSecVal)) { + String msg = "Expected value '" + jdkSecVal + "' for key '" + + sKey + "'" + " but got value '" + securityVal + "'"; + throw new RuntimeException("Test failed! " + msg); + } else { + System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected."); + } + } + System.out.println("TestSecurityProperties PASSED!"); + } + + private static void loadProperties(Properties props) { + String javaVersion = System.getProperty("java.version"); + System.out.println(MSG_PREFIX + "Java version is " + javaVersion); + String propsFile = JDK_PROPS_FILE_JDK_11; + if (javaVersion.startsWith("1.8.0")) { + propsFile = JDK_PROPS_FILE_JDK_8; + } + try (FileInputStream fin = new FileInputStream(propsFile)) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } + + private static void loadPolicy(Properties props) { + try (FileInputStream fin = new FileInputStream(POLICY_FILE)) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } + +} diff --git a/TestTranslations.java b/TestTranslations.java new file mode 100644 index 0000000..d87647a --- /dev/null +++ b/TestTranslations.java @@ -0,0 +1,160 @@ +/* TestTranslations -- Ensure translations are available for new timezones + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.text.DateFormatSymbols; + +import java.time.ZoneId; +import java.time.format.TextStyle; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import java.util.Locale; +import java.util.Objects; +import java.util.TimeZone; + +public class TestTranslations { + + private static Map KYIV, CIUDAD_JUAREZ; + + static { + Map map = new HashMap(); + map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET", + "Eastern European Summer Time", "GMT+03:00", "EEST", + "Eastern European Time", "GMT+02:00", "EET"}); + map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET", + "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST", + "heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"}); + map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ", + "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ", + "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"}); + KYIV = Collections.unmodifiableMap(map); + + map = new HashMap(); + map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST", + "Mountain Daylight Time", "MDT", "MDT", + "Mountain Time", "MT", "MT"}); + map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST", + "heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT", + "heure des Rocheuses", "UTC\u221207:00", "MT"}); + map.put(Locale.GERMANY, new String[] { "Rocky Mountain-Normalzeit", "GMT-07:00", "MST", + "Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT", + "Rocky-Mountain-Zeit", "GMT-07:00", "MT"}); + CIUDAD_JUAREZ = Collections.unmodifiableMap(map); + } + + + public static void main(String[] args) { + if (args.length < 1) { + System.err.println("Test must be started with the name of the locale provider."); + System.exit(1); + } + + System.out.println("Checking sanity of full zone string set..."); + boolean invalid = Arrays.stream(Locale.getAvailableLocales()) + .peek(l -> System.out.println("Locale: " + l)) + .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings()) + .flatMap(zs -> Arrays.stream(zs)) + .flatMap(names -> Arrays.stream(names)) + .filter(name -> Objects.isNull(name) || name.isEmpty()) + .findAny() + .isPresent(); + if (invalid) { + System.err.println("Zone string for a locale returned null or empty string"); + System.exit(2); + } + + String localeProvider = args[0]; + testZone(localeProvider, KYIV, + new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }); + testZone(localeProvider, CIUDAD_JUAREZ, + new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" }); + } + + private static void testZone(String localeProvider, Map exp, String[] ids) { + for (Locale l : exp.keySet()) { + String[] expected = exp.get(l); + System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected)); + for (String id : ids) { + String expectedShortStd = null; + String expectedShortDST = null; + String expectedShortGen = null; + + System.out.printf("Checking locale %s for %s...\n", l, id); + + if ("JRE".equals(localeProvider)) { + expectedShortStd = expected[2]; + expectedShortDST = expected[5]; + expectedShortGen = expected[8]; + } else if ("CLDR".equals(localeProvider)) { + expectedShortStd = expected[1]; + expectedShortDST = expected[4]; + expectedShortGen = expected[7]; + } else { + System.err.printf("Invalid locale provider %s\n", localeProvider); + System.exit(3); + } + System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n", + localeProvider, expectedShortStd, expectedShortDST, expectedShortGen); + + String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l); + String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l); + String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l); + String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l); + String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l); + String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l); + + if (!expected[0].equals(longStd)) { + System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", + id, l, longStd, expected[0]); + System.exit(4); + } + + if (!expectedShortStd.equals(shortStd)) { + System.err.printf("Short standard display name for %s in %s was %s, expected %s\n", + id, l, shortStd, expectedShortStd); + System.exit(5); + } + + if (!expected[3].equals(longDST)) { + System.err.printf("Long DST display name for %s in %s was %s, expected %s\n", + id, l, longDST, expected[3]); + System.exit(6); + } + + if (!expectedShortDST.equals(shortDST)) { + System.err.printf("Short DST display name for %s in %s was %s, expected %s\n", + id, l, shortDST, expectedShortDST); + System.exit(7); + } + + if (!expected[6].equals(longGen)) { + System.err.printf("Long generic display name for %s in %s was %s, expected %s\n", + id, l, longGen, expected[6]); + System.exit(8); + } + + if (!expectedShortGen.equals(shortGen)) { + System.err.printf("Short generic display name for %s in %s was %s, expected %s\n", + id, l, shortGen, expectedShortGen); + System.exit(9); + } + } + } + } +} diff --git a/fips-11u-9087e80d0ab.patch b/fips-11u-9087e80d0ab.patch new file mode 100644 index 0000000..a396fb8 --- /dev/null +++ b/fips-11u-9087e80d0ab.patch @@ -0,0 +1,1610 @@ +diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 +index a73c0f38181..80710886ed8 100644 +--- a/make/autoconf/libraries.m4 ++++ b/make/autoconf/libraries.m4 +@@ -101,6 +101,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_LIBFFI + LIB_SETUP_BUNDLED_LIBS + LIB_SETUP_MISC_LIBS ++ LIB_SETUP_SYSCONF_LIBS + LIB_SETUP_SOLARIS_STLPORT + LIB_TESTS_SETUP_GRAALUNIT + +@@ -223,3 +224,62 @@ AC_DEFUN_ONCE([LIB_SETUP_SOLARIS_STLPORT], + fi + ]) + ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in +index 0ae23b93167..a242acc1234 100644 +--- a/make/autoconf/spec.gmk.in ++++ b/make/autoconf/spec.gmk.in +@@ -826,6 +826,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk +index a529768f39e..daf9c947172 100644 +--- a/make/lib/Lib-java.base.gmk ++++ b/make/lib/Lib-java.base.gmk +@@ -178,6 +178,31 @@ ifeq ($(OPENJDK_TARGET_OS_TYPE), unix) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++ifeq ($(OPENJDK_BUILD_OS), linux) ++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++ )) ++ ++ TARGETS += $(BUILD_LIBSYSTEMCONF) ++endif ++ + ################################################################################ + # Create the symbols file for static builds. + +diff --git a/make/nb_native/nbproject/configurations.xml b/make/nb_native/nbproject/configurations.xml +index fb07d54c1f0..c5813e2b7aa 100644 +--- a/make/nb_native/nbproject/configurations.xml ++++ b/make/nb_native/nbproject/configurations.xml +@@ -2950,6 +2950,9 @@ + LinuxWatchService.c + + ++ ++ systemconf.c ++ + + + +@@ -29301,6 +29304,11 @@ + tool="0" + flavor2="0"> + ++ ++ + ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +index b36510a376b..ad5182e1e7c 100644 +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -32,6 +32,7 @@ import java.net.URL; + + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.misc.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -47,12 +48,20 @@ import sun.security.jca.*; + * implementation-specific location, which is typically the properties file + * {@code conf/security/java.security} in the Java installation directory. + * ++ *

Additional default values of security properties are read from a ++ * system-specific location, if available.

++ * + * @author Benjamin Renaud + * @since 1.1 + */ + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -67,6 +76,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -83,6 +105,7 @@ public final class Security { + props = new Properties(); + boolean loadedProps = false; + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -98,6 +121,7 @@ public final class Security { + if (sdebug != null) { + sdebug.println("reading security properties file: " + + propFile); ++ sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { +@@ -192,6 +216,61 @@ public final class Security { + } + } + ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps && systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } + } + + /* +diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 00000000000..90f6dd2ebc0 +--- /dev/null ++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,248 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ boolean systemSecPropsLoaded = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ systemSecPropsLoaded = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ return systemSecPropsLoaded; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.redhat.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws Exception { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +diff --git a/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..21bc6d0b591 +--- /dev/null ++++ b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.misc; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +diff --git a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +index 688ec9f0915..8489b940c43 100644 +--- a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java ++++ b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +@@ -36,6 +36,7 @@ import java.io.FilePermission; + import java.io.ObjectInputStream; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -76,6 +77,7 @@ public class SharedSecrets { + private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess; + private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static JavaUtilJarAccess javaUtilJarAccess() { + if (javaUtilJarAccess == null) { +@@ -361,4 +363,15 @@ public class SharedSecrets { + } + return javaxCryptoSealedObjectAccess; + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ unsafe.ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java +index 5460efcf8c5..f08dc2fafc5 100644 +--- a/src/java.base/share/classes/module-info.java ++++ b/src/java.base/share/classes/module-info.java +@@ -182,6 +182,7 @@ module java.base { + java.security.jgss, + java.sql, + java.xml, ++ jdk.crypto.cryptoki, + jdk.jartool, + jdk.attach, + jdk.charsets, +diff --git a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +index ffee2c1603b..ff3d5e0e4ab 100644 +--- a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java ++++ b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +@@ -33,8 +33,13 @@ import java.security.KeyStore.*; + + import javax.net.ssl.*; + ++import jdk.internal.misc.SharedSecrets; ++ + abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + X509ExtendedKeyManager keyManager; + boolean isInitialized; + +@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + KeyStoreException, NoSuchAlgorithmException, + UnrecoverableKeyException { + if ((ks != null) && SunJSSE.isFIPS()) { +- if (ks.getProvider() != SunJSSE.cryptoProvider) { ++ if (ks.getProvider() != SunJSSE.cryptoProvider && ++ !plainKeySupportEnabled) { + throw new KeyStoreException("FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); + } +@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + keyManager = new X509KeyManagerImpl( + Collections.emptyList()); + } else { +- if (SunJSSE.isFIPS() && +- (ks.getProvider() != SunJSSE.cryptoProvider)) { ++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) ++ && !plainKeySupportEnabled) { + throw new KeyStoreException( + "FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); +diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +index de7da5c3379..5c3813dda7b 100644 +--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java ++++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.cert.*; + import java.util.*; + import javax.net.ssl.*; ++import jdk.internal.misc.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -542,20 +543,38 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static { + if (SunJSSE.isFIPS()) { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- ); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); + +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, +@@ -620,6 +639,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static ProtocolVersion[] getSupportedProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +@@ -949,6 +978,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static ProtocolVersion[] getProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[]{ + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +index c50ba93ecfc..de2a91a478c 100644 +--- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java ++++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +@@ -27,6 +27,8 @@ package sun.security.ssl; + + import java.security.*; + import java.util.*; ++ ++import jdk.internal.misc.SharedSecrets; + import sun.security.rsa.SunRsaSignEntries; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.provider.SunEntries.createAliases; +@@ -195,8 +197,13 @@ public abstract class SunJSSE extends java.security.Provider { + "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); + ps("SSLContext", "TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); +- ps("SSLContext", "TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ ps("SSLContext", "TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ } + ps("SSLContext", "TLS", + "sun.security.ssl.SSLContextImpl$TLSContext", + (isfips? null : createAliases("SSL")), null); +diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security +index 097517926d1..474fe6f401f 100644 +--- a/src/java.base/share/conf/security/java.security ++++ b/src/java.base/share/conf/security/java.security +@@ -85,6 +85,14 @@ security.provider.tbd=Apple + security.provider.tbd=SunPKCS11 + #endif + ++# ++# Security providers used when FIPS mode support is active ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS ++ + # + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. +@@ -298,6 +306,11 @@ policy.ignoreIdentityScope=false + # + keystore.type=pkcs12 + ++# ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=PKCS11 ++ + # + # Controls compatibility mode for JKS and PKCS12 keystore types. + # +@@ -335,6 +348,13 @@ package.definition=sun.misc.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 00000000000..b848a1fd783 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,290 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.spec.DHPrivateKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static P11Key importerKey = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ private static CK_MECHANISM importerKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ ++ private static Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ private static KeyFactory DHKF = null; ++ private static final ReentrantLock DHKFLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_DH) { ++ if (debug != null) { ++ debug.println("Importing a Diffie-Hellman private key..."); ++ } ++ if (DHKF == null) { ++ DHKFLock.lock(); ++ try { ++ if (DHKF == null) { ++ DHKF = KeyFactory.getInstance( ++ "DH", P11Util.getSunJceProvider()); ++ } ++ } finally { ++ DHKFLock.unlock(); ++ } ++ } ++ DHPrivateKeySpec spec = new DHPrivateKeySpec ++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO); ++ keyBytes = DHKF.generatePrivate(spec).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), ++ null); ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ } ++ } ++} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 099caac605f..977e5332bd1 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -43,6 +46,8 @@ import javax.security.auth.callback.PasswordCallback; + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + + import jdk.internal.misc.InnocuousThread; ++import jdk.internal.misc.SharedSecrets; ++ + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + import static sun.security.util.SecurityConstants.PROVIDER_VER; +@@ -60,6 +65,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer initialization" + ++ " failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ } ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -317,10 +345,15 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -336,7 +369,7 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); + } + p11 = tmpPKCS11; + +@@ -376,6 +409,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 04a369f453c..f033fe47593 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; + import java.util.*; + + import java.security.AccessController; +@@ -148,18 +149,41 @@ public class PKCS11 { + this.pkcs11ModulePath = pkcs11ModulePath; + } + ++ /* ++ * Compatibility wrapper to allow this method to work as before ++ * when FIPS mode support is not active. ++ */ ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, ++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, ++ boolean omitInitialize) throws IOException, PKCS11Exception { ++ return getInstance(pkcs11ModulePath, functionList, ++ pInitArgs, omitInitialize, null); ++ } ++ + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1909,4 +1933,69 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++} + } diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec new file mode 100644 index 0000000..b415eed --- /dev/null +++ b/java-11-openjdk.spec @@ -0,0 +1,3920 @@ +# RPM conditionals so as to be able to dynamically produce +# slowdebug/release builds. See: +# http://rpm.org/user_doc/conditional_builds.html +# +# Examples: +# +# Produce release, fastdebug *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-11-openjdk.spec +# +# Produce only release builds (no slowdebug builds) on x86_64: +# $ rpmbuild -ba java-11-openjdk.spec --without slowdebug --without fastdebug +# +# Only produce a release build on x86_64: +# $ rhpkg mockbuild --without slowdebug --without fastdebug + +# Enable fastdebug builds by default on relevant arches. +%bcond_without fastdebug +# Enable slowdebug builds by default on relevant arches. +%bcond_without slowdebug +# Enable release builds by default on relevant arches. +%bcond_without release +# Enable static library builds by default. +%bcond_without staticlibs +# Remove build artifacts by default +%bcond_with artifacts +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm +# Build with system libraries +%bcond_with system_libs + +# Workaround for stripping of debug symbols from static libraries +%if %{with staticlibs} +%define __brp_strip_static_archive %{nil} +%global include_staticlibs 1 +%else +%global include_staticlibs 0 +%endif + +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +%if %{with fresh_libjvm} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif + +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global freetype_lib %{nil} +%else +%global system_libs 0 +%global link_type bundled +%global freetype_lib |libfreetype[.]so.* +%endif + +# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. +# This fixes detailed NMT and other tools which need minimal debug info. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 +%global _find_debuginfo_opts -g + +# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros +# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch +# see the difference between global and define: +# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" +# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) +%global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug +%global main_suffix_unquoted -main +%global staticlibs_suffix_unquoted -staticlibs +# quoted one for shell operations +%global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" +%global normal_suffix "" +%global main_suffix "%{main_suffix_unquoted}" +%global staticlibs_suffix "%{staticlibs_suffix_unquoted}" + +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation + +%if %{with release} +%global include_normal_build 1 +%else +%global include_normal_build 0 +%endif + +%if %{include_normal_build} +%global normal_build %{normal_suffix} +%else +%global normal_build %{nil} +%endif + +# We have hardcoded list of files, which is appearing in alternatives, and in files +# in alternatives those are slaves and master, very often triplicated by man pages +# in files all masters and slaves are ghosted +# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives +# TODO - fix those hardcoded lists via single list +# Those files must *NOT* be ghosted for *slowdebug* packages +# FIXME - if you are moving jshell or jlink or similar, always modify all three sections +# you can check via headless and devels: +# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) + +# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 +# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) +%global is_system_jdk 0 + +%global aarch64 aarch64 arm64 armv8 +# we need to distinguish between big and little endian PPC64 +%global ppc64le ppc64le +%global ppc64be ppc64 ppc64p7 +# Set of architectures which support multiple ABIs +%global multilib_arches %{power64} sparc64 x86_64 +# Set of architectures for which we build slowdebug builds +%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures for which we build fastdebug builds +%global fastdebug_arches x86_64 ppc64le aarch64 +# Set of architectures with a Just-In-Time (JIT) compiler +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 +# Set of architectures which run a full bootstrap cycle +%global bootstrap_arches %{jit_arches} +# Set of architectures which support SystemTap tapsets +%global systemtap_arches %{jit_arches} +# Set of architectures with a Ahead-Of-Time (AOT) compiler +%global aot_arches x86_64 %{aarch64} +# Set of architectures which support the serviceability agent +%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} +# Set of architectures which support class data sharing +# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific +# However, it does segfault on the Zero assembler port, so currently JIT only +%global share_arches %{jit_arches} +# Set of architectures for which we build the Shenandoah garbage collector +%global shenandoah_arches x86_64 %{aarch64} +# Set of architectures for which we build the Z garbage collector +%global zgc_arches x86_64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 +# Set of architectures where we verify backtraces with gdb +%global gdb_arches %{jit_arches} %{zero_arches} + +# By default, we build a slowdebug build during main build on JIT architectures +%if %{with slowdebug} +%ifarch %{debug_arches} +%global include_debug_build 1 +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif + +# On certain architectures, we compile the Shenandoah GC +%ifarch %{shenandoah_arches} +%global use_shenandoah_hotspot 1 +%global shenandoah_feature shenandoahgc +%else +%global use_shenandoah_hotspot 0 +%global shenandoah_feature -shenandoahgc +%endif + +# On certain architectures, we compile the ZGC +%ifarch %{zgc_arches} +%global use_zgc_hotspot 1 +%global zgc_feature zgc +%else +%global use_zgc_hotspot 0 +%global zgc_feature -zgc +%endif + +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif +%else +%global include_fastdebug_build 0 +%endif + +%if %{include_debug_build} +%global slowdebug_build %{debug_suffix} +%else +%global slowdebug_build %{nil} +%endif + +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} +%else +%global fastdebug_build %{nil} +%endif + +# If you disable all builds, then the build fails +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} + +%if %{include_staticlibs} +%global staticlibs_loop %{staticlibs_suffix} +%else +%global staticlibs_loop %{nil} +%endif + +%if 0%{?flatpak} +%global bootstrap_build false +%else +%ifarch %{bootstrap_arches} +%global bootstrap_build true +%else +%global bootstrap_build false +%endif +%endif + +%if %{include_staticlibs} +# Extra target for producing the static-libraries. Separate from +# other targets since this target is configured to use in-tree +# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib +# and possibly others +%global static_libs_target static-libs-image +%else +%global static_libs_target %{nil} +%endif + +# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM +%global debug_symbols internal + +# unlike portables,the rpms have to use static_libs_target very dynamically +%global bootstrap_targets images +%global release_targets images docs-zip +# No docs nor bootcycle for debug builds +%global debug_targets images +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk + +# Disable LTO as this causes build failures at the moment. +# See RHBZ#1861401 +%define _lto_cflags %{nil} + +# Filter out flags from the optflags macro that cause problems with the OpenJDK build +# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 +# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) +# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings +# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ +%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') +%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') +%global ourldflags %{__global_ldflags} + +# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path +# the initialization must be here. Later the pkg-config have buggy behavior +# looks like openjdk RPM specific bug +# Always set this so the nss.cfg file is not broken +%global NSS_LIBDIR %(pkg-config --variable=libdir nss) + +# In some cases, the arch used by the JDK does +# not match _arch. +# Also, in some cases, the machine name used by SystemTap +# does not match that given by _target_cpu +%ifarch x86_64 +%global archinstall amd64 +%global stapinstall x86_64 +%endif +%ifarch ppc +%global archinstall ppc +%global stapinstall powerpc +%endif +%ifarch %{ppc64be} +%global archinstall ppc64 +%global stapinstall powerpc +%endif +%ifarch %{ppc64le} +%global archinstall ppc64le +%global stapinstall powerpc +%endif +%ifarch %{ix86} +%global archinstall i686 +%global stapinstall i386 +%endif +%ifarch ia64 +%global archinstall ia64 +%global stapinstall ia64 +%endif +%ifarch s390 +%global archinstall s390 +%global stapinstall s390 +%endif +%ifarch s390x +%global archinstall s390x +%global stapinstall s390 +%endif +%ifarch %{arm} +%global archinstall arm +%global stapinstall arm +%endif +%ifarch %{aarch64} +%global archinstall aarch64 +%global stapinstall arm64 +%endif +# 32 bit sparc, optimized for v9 +%ifarch sparcv9 +%global archinstall sparc +%global stapinstall %{_target_cpu} +%endif +# 64 bit sparc +%ifarch sparc64 +%global archinstall sparcv9 +%global stapinstall %{_target_cpu} +%endif +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} +%endif + +%ifarch %{systemtap_arches} +%global with_systemtap 1 +%else +%global with_systemtap 0 +%endif + +# New Version-String scheme-style defines +%global featurever 11 +%global interimver 0 +%global updatever 18 +%global patchver 0 +# buildjdkver is usually same as %%{featurever}, +# but in time of bootstrap of next jdk, it is featurever-1, +# and this it is better to change it here, on single place +%global buildjdkver %{featurever} +# Add LTS designator for RHEL builds +%if 0%{?rhel} + %global lts_designator "LTS" + %global lts_designator_zip -%{lts_designator} +%else + %global lts_designator "" + %global lts_designator_zip "" +%endif + +# Define vendor information used by OpenJDK +%global oj_vendor Red Hat, Inc. +%global oj_vendor_url https://www.redhat.com/ +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} +%else +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif +%global oj_vendor_version (Red_Hat-%{version}-%{release}) + +# Define IcedTea version used for SystemTap tapsets and desktop file +%global icedteaver 6.0.0pre00-c848b93a8598 +# Define current Git revision for the FIPS support patches +%global fipsver 9087e80d0ab + +# Standard JPackage naming and versioning defines +%global origin openjdk +%global origin_nice OpenJDK +%global top_level_dir_name %{origin} +%global top_level_dir_name_backup %{top_level_dir_name}-backup +%global buildver 10 +%global rpmrelease 3 +#%%global tagsuffix %%{nil} +# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit +%if %is_system_jdk +# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions +# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build. +# This means 11.0.9.0+11 would have had a priority of 11000911 as before +# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11 +%global combiver $( expr 20 '*' %{patchver} + %{buildver} ) +%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} ) +%else +# for techpreview, using 1, so slowdebugs can have 0 +%global priority %( printf '%08d' 1 ) +%endif +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} + +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) + +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} + +%global javaver %{featurever} + +# Define milestone (EA for pre-releases, GA for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 1 +%if %{is_ga} +%global ea_designator "" +%global ea_designator_zip "" +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global ea_designator ea +%global ea_designator_zip -%{ea_designator} +%global extraver .%{ea_designator} +%global eaprefix 0. +%endif + +# parametrized macros are order-sensitive +%global compatiblename java-%{featurever}-%{origin} +%global fullversion %{compatiblename}-%{version}-%{release} +# images directories from upstream build +%global jdkimage jdk +%global static_libs_image static-libs +# output dir stub +%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} +# we can copy the javadoc to not arched dir, or make it not noarch +%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} +# main id and dir of this jdk +%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} + +################################################################# +# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 +# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 +# https://bugzilla.redhat.com/show_bug.cgi?id=1655938 +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*%{freetype_lib} +%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* +%if %is_system_jdk +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ +# Never generate lib-style provides/requires for any debug packages +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%else +# Don't generate provides/requires for JDK provided shared libraries at all. +%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%endif + + +%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} +%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} +# Standard JPackage directories and symbolic links. +%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}} +%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}} + +%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} +%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} + +%global alt_java_name alt-java + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state/ + +# For flatpack builds hard-code /usr/sbin/alternatives, +# otherwise use %%{_sbindir} relative path. +%if 0%{?flatpak} +%global alternatives_requires /usr/sbin/alternatives +%else +%global alternatives_requires %{_sbindir}/alternatives +%endif + +%global family %{name}.%{_arch} +%global family_noarch %{name} + +%if %{with_systemtap} +# Where to install systemtap tapset (links) +# We would like these to be in a package specific sub-dir, +# but currently systemtap doesn't support that, so we have to +# use the root tapset dir for now. To distinguish between 64 +# and 32 bit architectures we place the tapsets under the arch +# specific dir (note that systemtap will only pickup the tapset +# for the primary arch for now). Systemtap uses the machine name +# aka target_cpu as architecture specific directory name. +%global tapsetroot /usr/share/systemtap +%global tapsetdirttapset %{tapsetroot}/tapset/ +%global tapsetdir %{tapsetdirttapset}/%{stapinstall} +%endif + +# not-duplicated scriptlets for normal/debug packages +%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : + +%define save_alternatives() %{expand: + # warning! alternatives are localised! + # LANG=cs_CZ.UTF-8 alternatives --display java | head + # LANG=en_US.UTF-8 alternatives --display java | head + function nonLocalisedAlternativesDisplayOfMaster() { + LANG=en_US.UTF-8 alternatives --display "$MASTER" + } + function headOfAbove() { + nonLocalisedAlternativesDisplayOfMaster | head -n $1 + } + MASTER="%{?1}" + LOCAL_LINK="%{?2}" + FAMILY="%{?3}" + rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null + if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then + if headOfAbove 1 | grep -q manual ; then + if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then + headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY" + fi + fi + fi +} + +%define save_and_remove_alternatives() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + upgrade1_uninstal0=%{?3} + if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall + %{save_alternatives %{?1} %{?2} %{?4}} + fi + alternatives --remove "%{?1}" "%{?2}" +} + +%define set_if_needed_alternatives() %{expand: + MASTER="%{?1}" + FAMILY="%{?2}" + ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY" + if [ -e "$ALTERNATIVES_FILE" ] ; then + rm "$ALTERNATIVES_FILE" + alternatives --set $MASTER $FAMILY + fi +} + + +%define post_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : +exit 0 +} + +%define alternatives_java_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +ext=.gz +key=java +alternatives \\ + --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ + --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ + --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ + --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\ + --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ + --slave %{_bindir}/pack200 pack200 %{jrebindir -- %{?1}}/pack200 \\ + --slave %{_bindir}/rmid rmid %{jrebindir -- %{?1}}/rmid \\ + --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\ + --slave %{_bindir}/unpack200 unpack200 %{jrebindir -- %{?1}}/unpack200 \\ + --slave %{_mandir}/man1/java.1$ext java.1$ext \\ + %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\ + %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jjs.1$ext jjs.1$ext \\ + %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ + %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/pack200.1$ext pack200.1$ext \\ + %{_mandir}/man1/pack200-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/rmid.1$ext rmid.1$ext \\ + %{_mandir}/man1/rmid-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ + %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\ + %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext + +%{set_if_needed_alternatives $key %{family}} + +for X in %{origin} %{javaver} ; do + key=jre_"$X" + alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} +done + +key=jre_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} + +%define post_headless() %{expand: +%ifarch %{share_arches} +%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null +%endif + +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +# see pretrans where this file is declared +# also see that pretrans is only for non-debug +if [ ! "%{?1}" == %{debug_suffix} ]; then + if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then + sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir -- %{?1}} + fi +fi + +exit 0 +} + +%define postun_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +exit 0 +} + + +%define postun_headless() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}} + %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}} +} + +%define posttrans_script() %{expand: +%{update_desktop_icons} +} + + +%define alternatives_javac_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +ext=.gz +key=javac +alternatives \\ + --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\ + --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ +%ifarch %{aot_arches} + --slave %{_bindir}/jaotc jaotc %{sdkbindir -- %{?1}}/jaotc \\ +%endif + --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ + --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ +%ifarch %{sa_arches} +%ifnarch %{zero_arches} + --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ +%endif +%endif + --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ + --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ + --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\ + --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\ + --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\ + --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\ + --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\ + --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\ + --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\ + --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\ + --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\ + --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\ + --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\ + --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\ + --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\ + --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\ + --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\ + --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\ + --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\ + --slave %{_bindir}/rmic rmic %{sdkbindir -- %{?1}}/rmic \\ + --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\ + --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\ + %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\ + %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\ + %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\ + %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\ + %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\ + %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\ + %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\ + %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\ + %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\ + %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\ + %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\ + %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\ + %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\ + %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\ + %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\ + %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/rmic.1$ext rmic.1$ext \\ + %{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ + %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext + +%{set_if_needed_alternatives $key %{family}} + +for X in %{origin} %{javaver} ; do + key=java_sdk_"$X" + alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} +done + +key=java_sdk_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} + +%define post_devel() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +exit 0 +} + +%define postun_devel() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + +update-desktop-database %{_datadir}/applications &> /dev/null || : + +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +exit 0 +} + +%define posttrans_devel() %{expand: +%{alternatives_javac_install -- %{?1}} +%{update_desktop_icons} +} + +%define alternatives_javadoc_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +key=javadocdir +alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} +exit 0 +} + +%define postun_javadoc() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} +exit 0 +} + +%define alternatives_javadoczip_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi +key=javadoczip +alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} +exit 0 +} + +%define postun_javadoc_zip() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} +exit 0 +} + +%define files_jre() %{expand: +%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so +} + + +%define files_jre_headless() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS +%dir %{_sysconfdir}/.java/.systemPrefs +%dir %{_sysconfdir}/.java +%dir %{_jvmdir}/%{sdkdir -- %{?1}} +%{_jvmdir}/%{sdkdir -- %{?1}}/release +%{_jvmdir}/%{jrelnk -- %{?1}} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jjs +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/pack200 +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmid +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/unpack200 +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib +%ifarch %{jit_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jli +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jli/libjli.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so +%if ! %{system_libs} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} +%ifnarch %{zero_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so +%endif +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc +%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/pack200-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/rmid-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1* +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/ +%ifarch %{share_arches} +%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa +%endif +%dir %{etcjavasubdir} +%dir %{etcjavadir -- %{?1}} +%dir %{etcjavadir -- %{?1}}/lib +%dir %{etcjavadir -- %{?1}}/lib/security +%{etcjavadir -- %{?1}}/lib/security/cacerts +%dir %{etcjavadir -- %{?1}}/conf +%dir %{etcjavadir -- %{?1}}/conf/management +%dir %{etcjavadir -- %{?1}}/conf/security +%dir %{etcjavadir -- %{?1}}/conf/security/policy +%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited +%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy + %{etcjavadir -- %{?1}}/conf/security/policy/README.txt +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security +%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg +%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access +# this is conifg template, thus not config-noreplace +%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template +%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties +%{_jvmdir}/%{sdkdir -- %{?1}}/conf +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_bindir}/java +%ghost %{_bindir}/%{alt_java_name} +%ghost %{_jvmdir}/jre +# https://bugzilla.redhat.com/show_bug.cgi?id=1312019 +%ghost %{_bindir}/jjs +%ghost %{_bindir}/keytool +%ghost %{_bindir}/pack200 +%ghost %{_bindir}/rmid +%ghost %{_bindir}/rmiregistry +%ghost %{_bindir}/unpack200 +%ghost %{_jvmdir}/jre-%{origin} +%ghost %{_jvmdir}/jre-%{javaver} +%ghost %{_jvmdir}/jre-%{javaver}-%{origin} +%endif +%endif +# https://bugzilla.redhat.com/show_bug.cgi?id=1820172 +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved +} + +%define files_devel() %{expand: +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} +%ifnarch %{zero_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb +%endif +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmic +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver +%ifarch %{aot_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jaotc +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/include +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym +%if %{with_systemtap} +%{_jvmdir}/%{sdkdir -- %{?1}}/tapset +%endif +%{_datadir}/applications/*jconsole%{?1}.desktop +%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1* +%if %{with_systemtap} +%dir %{tapsetroot} +%dir %{tapsetdirttapset} +%dir %{tapsetdir} +%{tapsetdir}/*%{_arch}%{?1}.stp +%endif +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_bindir}/javac +%ghost %{_jvmdir}/java +%ghost %{_jvmdir}/%{alt_java_name} +%ghost %{_bindir}/jaotc +%ghost %{_bindir}/jlink +%ghost %{_bindir}/jmod +%ghost %{_bindir}/jhsdb +%ghost %{_bindir}/jar +%ghost %{_bindir}/jarsigner +%ghost %{_bindir}/javadoc +%ghost %{_bindir}/javap +%ghost %{_bindir}/jcmd +%ghost %{_bindir}/jconsole +%ghost %{_bindir}/jdb +%ghost %{_bindir}/jdeps +%ghost %{_bindir}/jdeprscan +%ghost %{_bindir}/jimage +%ghost %{_bindir}/jinfo +%ghost %{_bindir}/jmap +%ghost %{_bindir}/jps +%ghost %{_bindir}/jrunscript +%ghost %{_bindir}/jshell +%ghost %{_bindir}/jstack +%ghost %{_bindir}/jstat +%ghost %{_bindir}/jstatd +%ghost %{_bindir}/rmic +%ghost %{_bindir}/serialver +%ghost %{_jvmdir}/java-%{origin} +%ghost %{_jvmdir}/java-%{javaver} +%ghost %{_jvmdir}/java-%{javaver}-%{origin} +%endif +%endif +} + +%define files_jmods() %{expand: +%{_jvmdir}/%{sdkdir -- %{?1}}/jmods +} + +%define files_demo() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%{_jvmdir}/%{sdkdir -- %{?1}}/demo +%{_jvmdir}/%{sdkdir -- %{?1}}/sample +} + +%define files_src() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip +} + +%define files_static_libs() %{expand: +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a +} + +%define files_javadoc() %{expand: +%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_javadocdir}/java +%endif +%endif +} + +%define files_javadoc_zip() %{expand: +%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_javadocdir}/java-zip +%endif +%endif +} + +# not-duplicated requires/provides/obsoletes for normal/debug packages +%define java_rpo() %{expand: +Requires: fontconfig%{?_isa} +Requires: xorg-x11-fonts-Type1 +# Require libXcomposite explicitly since it's only dynamically loaded +# at runtime. Fixes screenshot issues. See JDK-8150954. +Requires: libXcomposite%{?_isa} +# Requires rest of java +Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# for java-X-openjdk package's desktop binding +%if 0%{?rhel} >= 8 +Recommends: gtk3%{?_isa} +%endif + +Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} + +# Standard JPackage base provides +Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java%{?1} = %{epoch}:%{version}-%{release} +Provides: jre%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_headless_rpo() %{expand: +# Require /etc/pki/java/cacerts +Requires: ca-certificates +# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros +Requires: javapackages-filesystem +# 2022g required as of JDK-8297804 +Requires: tzdata-java >= 2022g +# for support of kernel stream control +# libsctp.so.1 is being `dlopen`ed on demand +Requires: lksctp-tools%{?_isa} +%if ! 0%{?flatpak} +# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, +# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be +# considered as regression +Requires: copy-jdk-configs >= 4.0 +OrderWithRequires: copy-jdk-configs +%endif +# for printing support +Requires: cups-libs +# for system security properties +Requires: crypto-policies +# for FIPS PKCS11 provider +Requires: nss +# Post requires alternatives to install tool alternatives +Requires(post): %{alternatives_requires} +# Postun requires alternatives to uninstall tool alternatives +Requires(postun): %{alternatives_requires} +# for optional support of kernel stream control, card reader and printing bindings +%if 0%{?rhel} >= 8 +Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa} +%endif + +# Standard JPackage base provides +Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-headless%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_devel_rpo() %{expand: +# Requires base package +Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# Post requires alternatives to install tool alternatives +Requires(post): %{alternatives_requires} +# Postun requires alternatives to uninstall tool alternatives +Requires(postun): %{alternatives_requires} + +# Standard JPackage devel provides +Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-devel%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_static_libs_rpo() %{expand: +Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +} + +%define java_jmods_rpo() %{expand: +# Requires devel package +# as jmods are bytecode, they should be OK without any _isa +Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release} + +Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_demo_rpo() %{expand: +Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} + +Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_javadoc_rpo() %{expand: +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# Post requires alternatives to install javadoc alternative +Requires(post): %{alternatives_requires} +# Postun requires alternatives to uninstall javadoc alternative +Requires(postun): %{alternatives_requires} + +# Standard JPackage javadoc provides +Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_src_rpo() %{expand: +Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} + +# Standard JPackage sources provides +Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-src%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +# Prevent brp-java-repack-jars from being run +%global __jar_repack 0 + +Name: java-%{javaver}-%{origin} +Version: %{newjavaver}.%{buildver} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons +# and this change was brought into RHEL-4. java-1.5.0-ibm packages +# also included the epoch in their virtual provides. This created a +# situation where in-the-wild java-1.5.0-ibm packages provided "java = +# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is +# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be +# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in +# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual +# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0". + +Epoch: 1 +Summary: %{origin_nice} %{featurever} Runtime Environment +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif + +# HotSpot code is licensed under GPLv2 +# JDK library code is licensed under GPLv2 with the Classpath exception +# The Apache license is used in code taken from Apache projects (primarily xalan & xerces) +# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License +# The JSR166 concurrency code is in the public domain +# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO) +# The OpenJDK source tree includes: +# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC), +# - freetype (FTL), jline (BSD) and LCMS (MIT) +# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA) +# - public_suffix_list.dat from publicsuffix.org (MPLv2.0) +# The test code includes copies of NSS under the Mozilla Public License v2.0 +# The PCSClite headers are under a BSD with advertising license +# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version +License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA +URL: http://openjdk.java.net/ + + +# to regenerate source0 (jdk) run update_package.sh +# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives +Source0: openjdk-jdk%{featurever}u-%{vcstag}-4curve.tar.xz + +# Use 'icedtea_sync.sh' to update the following +# They are based on code contained in the IcedTea project (6.x). +# Systemtap tapsets. Zipped up to keep it small. +Source8: tapsets-icedtea-%{icedteaver}.tar.xz + +# Desktop files. Adapted from IcedTea +Source9: jconsole.desktop.in + +# Release notes +Source10: NEWS + +# nss configuration file +Source11: nss.cfg.in + +# Removed libraries that we link instead +Source12: remove-intree-libraries.sh + +# Ensure we aren't using the limited crypto policy +Source13: TestCryptoLevel.java + +# Ensure ECDSA is working +Source14: TestECDSA.java + +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java + +# Ensure vendor settings are correct +Source16: CheckVendor.java + +# nss fips configuration file +Source17: nss.fips.cfg.in + +# Ensure translations are available for new timezones +Source18: TestTranslations.java + +############################################ +# +# RPM/distribution specific patches +# +############################################ + +# Ignore AWTError when assistive technologies are loaded +Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch +# Restrict access to java-atk-wrapper classes +Patch2: rh1648644-java_access_bridge_privileged_security.patch +# NSS via SunPKCS11 Provider (disabled due to memory leak). +Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) +Patch600: rh1750419-redhat_alt_java.patch +# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY +Patch1003: rh1842572-rsa_default_for_keytool.patch + +# Crypto policy and FIPS support patches +# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk11u/tree/fips +# as follows: git diff %%{vcstag} src make > fips-11u-$(git show -s --format=%h HEAD).patch +# Diff is limited to src and make subdirectories to exclude .github changes +# Fixes currently included: +# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy +# PR3695: Allow use of system crypto policy to be disabled by the user +# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider +# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode +# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available +# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +# RH1929465: Improve system FIPS detection +# RH1996182: Login to the NSS software token in FIPS mode +# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false +# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance +# RH2021263: Return in C code after having generated Java exception +# RH2052819: Improve Security initialisation, now FIPS support no longer relies on crypto policy support +# RH2051605: Detect NSS at Runtime for FIPS detection +# RH2052819: Fix FIPS reliance on crypto policies +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +# RH2090378: Revert to disabling system security properties and FIPS mode support together +Patch1001: fips-11u-%{fipsver}.patch + +############################################# +# +# Shenandoah specific patches +# +############################################# + +# Currently empty + +############################################# +# +# Upstreamable patches +# +# This section includes patches which need to +# be reviewed & pushed to the current development +# tree of OpenJDK. +############################################# + +Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch + +############################################# +# +# Backportable patches +# +# This section includes patches which are +# present in the current development tree, but +# need to be reviewed & pushed to the appropriate +# updates tree of OpenJDK. +############################################# + +############################################# +# +# Patches appearing in 11.0.18 +# +# This section includes patches which are present +# in the listed OpenJDK 11u release and should be +# able to be removed once that release is out +# and used by this RPM. +############################################# + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: alsa-lib-devel +BuildRequires: binutils +BuildRequires: cups-devel +BuildRequires: desktop-file-utils +# elfutils only are OK for build without AOT +BuildRequires: elfutils-devel +BuildRequires: fontconfig-devel +BuildRequires: gcc-c++ +BuildRequires: gdb +BuildRequires: libxslt +BuildRequires: libX11-devel +BuildRequires: libXi-devel +BuildRequires: libXinerama-devel +BuildRequires: libXrandr-devel +BuildRequires: libXrender-devel +BuildRequires: libXt-devel +BuildRequires: libXtst-devel +# Requirement for setting up nss.cfg and nss.fips.cfg +BuildRequires: nss-devel +# Requirement for system security property test +BuildRequires: crypto-policies +BuildRequires: pkgconfig +BuildRequires: xorg-x11-proto-devel +BuildRequires: zip +BuildRequires: unzip +BuildRequires: javapackages-filesystem +BuildRequires: java-%{buildjdkver}-openjdk-devel +# Zero-assembler build requirement +%ifarch %{zero_arches} +BuildRequires: libffi-devel +%endif +# 2022g required as of JDK-8297804 +BuildRequires: tzdata-java >= 2022g +# Earlier versions have a bug in tree vectorization on PPC +BuildRequires: gcc >= 4.8.3-8 + +%if %{with_systemtap} +BuildRequires: systemtap-sdt-devel +%endif +BuildRequires: make + +%if %{system_libs} +BuildRequires: freetype-devel +BuildRequires: giflib-devel +BuildRequires: harfbuzz-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +%else +# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h +Provides: bundled(freetype) = 2.12.1 +# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.1 +# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h +Provides: bundled(harfbuzz) = 4.4.1 +# Version in src/java.desktop/share/native/liblcms/lcms2.h +Provides: bundled(lcms2) = 2.12.0 +# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h +Provides: bundled(libpng) = 1.6.37 +# We link statically against libstdc++ to increase portability +BuildRequires: libstdc++-static +%endif + +# this is always built, also during debug-only build +# when it is built in debug-only this package is just placeholder +%{java_rpo %{nil}} + +%description +The %{origin_nice} %{featurever} runtime environment. + +%if %{include_debug_build} +%package slowdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif + +%{java_rpo -- %{debug_suffix_unquoted}} +%description slowdebug +The %{origin_nice} %{featurever} runtime environment. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif + +%{java_rpo -- %{fastdebug_suffix_unquoted}} +%description fastdebug +The %{origin_nice} %{featurever} runtime environment. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package headless +Summary: %{origin_nice} %{featurever} Headless Runtime Environment +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif + +%{java_headless_rpo %{nil}} + +%description headless +The %{origin_nice} %{featurever} runtime environment without audio and video support. +%endif + +%if %{include_debug_build} +%package headless-slowdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +Group: Development/Languages + +%{java_headless_rpo -- %{debug_suffix_unquoted}} + +%description headless-slowdebug +The %{origin_nice} %{featurever} runtime environment without audio and video support. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package headless-fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +Group: Development/Languages + +%{java_headless_rpo -- %{fastdebug_suffix_unquoted}} + +%description headless-fastdebug +The %{origin_nice} %{featurever} runtime environment without audio and video support. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package devel +Summary: %{origin_nice} %{featurever} Development Environment +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif + +%{java_devel_rpo %{nil}} + +%description devel +The %{origin_nice} %{featurever} development tools. +%endif + +%if %{include_debug_build} +%package devel-slowdebug +Summary: %{origin_nice} %{featurever} Development Environment %{debug_on} +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif + +%{java_devel_rpo -- %{debug_suffix_unquoted}} + +%description devel-slowdebug +The %{origin_nice} %{featurever} development tools. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package devel-fastdebug +Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on} +Group: Development/Tools + +%{java_devel_rpo -- %{fastdebug_suffix_unquoted}} + +%description devel-fastdebug +The %{origin_nice} %{featurever} development tools. +%{fastdebug_warning} +%endif + +%if %{include_staticlibs} + +%if %{include_normal_build} +%package static-libs +Summary: %{origin_nice} %{featurever} libraries for static linking + +%{java_static_libs_rpo %{nil}} + +%description static-libs +The %{origin_nice} %{featurever} libraries for static linking. +%endif + +%if %{include_debug_build} +%package static-libs-slowdebug +Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on} + +%{java_static_libs_rpo -- %{debug_suffix_unquoted}} + +%description static-libs-slowdebug +The %{origin_nice} %{featurever} libraries for static linking. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package static-libs-fastdebug +Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on} + +%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}} + +%description static-libs-fastdebug +The %{origin_nice} %{featurever} libraries for static linking. +%{fastdebug_warning} +%endif + +# staticlibs +%endif + +%if %{include_normal_build} +%package jmods +Summary: JMods for %{origin_nice} %{featurever} +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif + +%{java_jmods_rpo %{nil}} + +%description jmods +The JMods for %{origin_nice} %{featurever}. +%endif + +%if %{include_debug_build} +%package jmods-slowdebug +Summary: JMods for %{origin_nice} %{featurever} %{debug_on} +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif + +%{java_jmods_rpo -- %{debug_suffix_unquoted}} + +%description jmods-slowdebug +The JMods for %{origin_nice} %{featurever}. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package jmods-fastdebug +Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on} +Group: Development/Tools + +%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}} + +%description jmods-fastdebug +The JMods for %{origin_nice} %{featurever}. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package demo +Summary: %{origin_nice} %{featurever} Demos +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif + +%{java_demo_rpo %{nil}} + +%description demo +The %{origin_nice} %{featurever} demos. +%endif + +%if %{include_debug_build} +%package demo-slowdebug +Summary: %{origin_nice} %{featurever} Demos %{debug_on} +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif + +%{java_demo_rpo -- %{debug_suffix_unquoted}} + +%description demo-slowdebug +The %{origin_nice} %{featurever} demos. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package demo-fastdebug +Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on} +Group: Development/Languages + +%{java_demo_rpo -- %{fastdebug_suffix_unquoted}} + +%description demo-fastdebug +The %{origin_nice} %{featurever} demos. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package src +Summary: %{origin_nice} %{featurever} Source Bundle +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif + +%{java_src_rpo %{nil}} + +%description src +The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever} +class library source code for use by IDE indexers and debuggers. +%endif + +%if %{include_debug_build} +%package src-slowdebug +Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug} +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif + +%{java_src_rpo -- %{debug_suffix_unquoted}} + +%description src-slowdebug +The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever} + class library source code for use by IDE indexers and debuggers, %{for_debug}. +%endif + +%if %{include_fastdebug_build} +%package src-fastdebug +Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug} +Group: Development/Languages + +%{java_src_rpo -- %{fastdebug_suffix_unquoted}} + +%description src-fastdebug +The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever} + class library source code for use by IDE indexers and debuggers, %{for_fastdebug}. +%endif + +%if %{include_normal_build} +%package javadoc +Summary: %{origin_nice} %{featurever} API documentation +%if 0%{?rhel} <= 8 +Group: Documentation +%endif +Requires: javapackages-filesystem +Obsoletes: javadoc-debug + +%{java_javadoc_rpo -- %{nil} %{nil}} + +%description javadoc +The %{origin_nice} %{featurever} API documentation. + +%package javadoc-zip +Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive +%if 0%{?rhel} <= 8 +Group: Documentation +%endif +Requires: javapackages-filesystem +Obsoletes: javadoc-zip-debug + +%{java_javadoc_rpo -- %{nil} -zip} +%{java_javadoc_rpo -- %{nil} %{nil}} + +%description javadoc-zip +The %{origin_nice} %{featurever} API documentation compressed in a single archive. +%endif + +%prep + +echo "Preparing %{oj_vendor_version}" + +# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( +%if 0%{?stapinstall:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" +%else + %{error:Unrecognised architecture %{_target_cpu}} +%endif + +if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then + echo "include_normal_build is %{include_normal_build}" +else + echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no" + exit 11 +fi +if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then + echo "include_debug_build is %{include_debug_build}" +else + echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 12 +fi +if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then + echo "include_fastdebug_build is %{include_fastdebug_build}" +else + echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 13 +fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then + echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." + exit 14 +fi +%setup -q -c -n %{uniquesuffix ""} -T -a 0 +# https://bugzilla.redhat.com/show_bug.cgi?id=1189084 +prioritylength=`expr length %{priority}` +if [ $prioritylength -ne 8 ] ; then + echo "priority must be 8 digits in total, violated" + exit 14 +fi + +# OpenJDK patches + +%if %{system_libs} +# Remove libraries that are linked by both static and dynamic builds +sh %{SOURCE12} %{top_level_dir_name} +%endif + +# Patch the JDK +pushd %{top_level_dir_name} +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +# Add crypto policy and FIPS support +%patch1001 -p1 +# nss.cfg PKCS11 support; must come last as it also alters java.security +%patch1000 -p1 +popd # openjdk + +%patch600 +%patch1003 + +# Extract systemtap tapsets +%if %{with_systemtap} +tar --strip-components=1 -x -I xz -f %{SOURCE8} +%if %{include_debug_build} +cp -r tapset tapset%{debug_suffix} +%endif +%if %{include_fastdebug_build} +cp -r tapset tapset%{fastdebug_suffix} +%endif + +for suffix in %{build_loop} ; do + for file in "tapset"$suffix/*.in; do + OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` + sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1 + sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2 +# TODO find out which architectures other than i686 have a client vm +%ifarch %{ix86} + sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE +%else + sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE +%endif + sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE + sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE + sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + done +done +# systemtap tapsets ends +%endif + +# Prepare desktop files +# The _X_ syntax indicates variables that are replaced by make upstream +# The @X@ syntax indicates variables that are replaced by configure upstream +for suffix in %{build_loop} ; do +for file in %{SOURCE9}; do + FILE=`basename $file | sed -e s:\.in$::g` + EXT="${FILE##*.}" + NAME="${FILE%.*}" + OUTPUT_FILE=$NAME$suffix.$EXT + sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE + sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE + sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE + sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE + sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE +done +done + +# Setup nss.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg + +# Setup nss.fips.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg + +%build +# How many CPU's do we have? +export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) +export NUM_PROC=${NUM_PROC:-1} +%if 0%{?_smp_ncpus_max} +# Honor %%_smp_ncpus_max +[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max} +%endif + +%ifarch s390x sparc64 alpha %{power64} %{aarch64} +export ARCH_DATA_MODEL=64 +%endif +%ifarch alpha +export CFLAGS="$CFLAGS -mieee" +%endif + +# We use ourcppflags because the OpenJDK build seems to +# pass EXTRA_CFLAGS to the HotSpot C++ compiler... +EXTRA_CFLAGS="%ourcppflags -Wno-error" +EXTRA_CPP_FLAGS="%ourcppflags" + +%ifarch %{power64} ppc +# fix rpmlint warnings +EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" +%endif +%ifarch %{ix86} +# Align stack boundary on x86_32 +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +%endif +# Fixes annocheck warnings in assembler files due to missing build notes +EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" +export EXTRA_CFLAGS EXTRA_CPP_FLAGS EXTRA_ASFLAGS + +function buildjdk() { + local outputdir=${1} + local buildjdk=${2} + local maketargets="${3}" + local debuglevel=${4} + local link_opt=${5} + + local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} + local top_dir_abs_build_path=$(pwd)/${outputdir} + + # This must be set using the global, so that the + # static libraries still use a dynamic stdc++lib + if [ "x%{link_type}" = "xbundled" ] ; then + libc_link_opt="static"; + else + libc_link_opt="dynamic"; + fi + + echo "Using output directory: ${outputdir}"; + echo "Checking build JDK ${buildjdk} is operational..." + ${buildjdk}/bin/java -version + echo "Using make targets: ${maketargets}" + echo "Using debuglevel: ${debuglevel}" + echo "Using link_opt: ${link_opt}" + echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" + + mkdir -p ${outputdir} + pushd ${outputdir} + + # Note: zlib and freetype use %{link_type} + # rather than ${link_opt} as the system versions + # are always used in a system_libs build, even + # for the static library build + bash ${top_dir_abs_src_path}/configure \ +%ifarch %{zero_arches} + --with-jvm-variants=zero \ +%endif +%ifarch %{ppc64le} + --with-jobs=1 \ +%endif + --with-version-build=%{buildver} \ + --with-version-pre="%{ea_designator}" \ + --with-version-opt=%{lts_designator} \ + --with-vendor-version-string="%{oj_vendor_version}" \ + --with-vendor-name="%{oj_vendor}" \ + --with-vendor-url="%{oj_vendor_url}" \ + --with-vendor-bug-url="%{oj_vendor_bug_url}" \ + --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ + --with-boot-jdk=${buildjdk} \ + --with-debug-level=${debuglevel} \ + --with-native-debug-symbols="%{debug_symbols}" \ + --disable-sysconf-nss \ + --enable-unlimited-crypto \ + --with-zlib=%{link_type} \ + --with-freetype=%{link_type} \ + --with-libjpeg=${link_opt} \ + --with-giflib=${link_opt} \ + --with-libpng=${link_opt} \ + --with-lcms=${link_opt} \ + --with-harfbuzz=${link_opt} \ + --with-stdc++lib=${libc_link_opt} \ + --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ + --with-extra-cflags="$EXTRA_CFLAGS" \ + --with-extra-asflags="$EXTRA_ASFLAGS" \ + --with-extra-ldflags="%{ourldflags}" \ + --with-num-cores="$NUM_PROC" \ + --disable-javac-server \ + --with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \ + --disable-warnings-as-errors + + cat spec.gmk + + make \ + JAVAC_FLAGS=-g \ + LOG=trace \ + WARNINGS_ARE_ERRORS="-Wno-error" \ + CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ + $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) + + popd +} + +function installjdk() { + local outputdir=${1} + local installdir=${2} + local imagepath=${installdir}/images/%{jdkimage} + + echo "Installing build from ${outputdir} to ${installdir}..." + mkdir -p ${installdir} + echo "Installing images..." + mv ${outputdir}/images ${installdir} + if [ -d ${outputdir}/bundles ] ; then + echo "Installing bundles..."; + mv ${outputdir}/bundles ${installdir} ; + fi + if [ -d ${outputdir}/docs ] ; then + echo "Installing docs..."; + mv ${outputdir}/docs ${installdir} ; + fi + +%if !%{with artifacts} + echo "Removing output directory..."; + rm -rf ${outputdir} +%endif + + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; + + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ + + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ + + # Turn on system security properties + sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ + ${imagepath}/conf/security/java.security + + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd + + # Print release information + cat ${imagepath}/release + + fi +} + +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" + mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server +%else + systemjdk=%{bootjdk} +%endif + +for suffix in %{build_loop} ; do + + if [ "x$suffix" = "x" ] ; then + debugbuild=release + else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` + fi + + + for loop in %{main_suffix} %{staticlibs_loop} ; do + + builddir=%{buildoutputdir -- ${suffix}${loop}} + bootbuilddir=boot${builddir} + installdir=%{installoutputdir -- ${suffix}${loop}} + bootinstalldir=boot${installdir} + + if test "x${loop}" = "x%{main_suffix}" ; then + link_opt="%{link_type}" +%if %{system_libs} + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full +%endif + # Debug builds don't need same targets as release for + # build speed-up. We also avoid bootstrapping these + # slower builds. + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + run_bootstrap=false + else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} + fi + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} + installjdk ${bootbuilddir} ${bootinstalldir} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} + %{!?with_artifacts:rm -rf ${bootinstalldir}} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} + fi +%if %{system_libs} + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} +%endif + else + # Use bundled libraries for building statically + link_opt="bundled" + # Static library cycle only builds the static libraries + maketargets="%{static_libs_target}" + # Always just do the one build for the static libraries + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} + fi + + done # end of main / staticlibs loop + +# build cycles +done # end of release / debug cycle loop + +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{build_loop} ; do + +top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} +%if %{include_staticlibs} +top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}} +%endif + +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + +#check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME//bin/java -XX:+UseShenandoahGC -version +%endif + +# Check unlimited policy has been used +$JAVA_HOME/bin/javac -d . %{SOURCE13} +$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + +# Check ECC is working +$JAVA_HOME/bin/javac -d . %{SOURCE14} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + +# Check system crypto (policy) is active and can be disabled +# Test takes a single argument - true or false - to state whether system +# security properties are enabled or not. +$JAVA_HOME/bin/javac -d . %{SOURCE15} +export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") +export SEC_DEBUG="-Djava.security.debug=properties" +$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true +$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + +# Check correct vendor values have been set +$JAVA_HOME/bin/javac -d . %{SOURCE16} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" + +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + +# Check translations are available for new timezones +$JAVA_HOME/bin/javac -d . %{SOURCE18} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE +$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR + +%if %{include_staticlibs} +# Check debug symbols in static libraries (smoke test) +export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c +%endif + +so_suffix="so" +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# Using line number 1 might cause build problems. See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +gdb -q "$JAVA_HOME/bin/java" < +-- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue +-- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre +-- if copy-jdk-configs is in transaction, it installs in pretrans to temp +-- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction and so is +-- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends +-- whether copy-jdk-configs is installed or not. If so, then configs are copied +-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all +local posix = require "posix" + +if (os.getenv("debug") == "true") then + debug = true; + print("cjc: in spec debug is on") +else + debug = false; +end + +SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua" +SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua" + +local stat1 = posix.stat(SOURCE1, "type"); +local stat2 = posix.stat(SOURCE2, "type"); + + if (stat1 ~= nil) then + if (debug) then + print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.") + end; + package.path = package.path .. ";" .. SOURCE1 +else + if (stat2 ~= nil) then + if (debug) then + print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.") + end; + package.path = package.path .. ";" .. SOURCE2 + else + if (debug) then + print(SOURCE1 .." does NOT exists") + print(SOURCE2 .." does NOT exists") + print("No config files will be copied") + end + return + end +end +arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua" +cjc = require "copy_jdk_configs.lua" +args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} +cjc.mainProgram(args) +-- the returns from copy_jdk_configs.lua should not affect this 'main', so it shodl run under all circumstances, except fatal error +-- https://bugzilla.redhat.com/show_bug.cgi?id=1820172 +-- https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ +-- Define the path to directory being replaced below. +-- DO NOT add a trailing slash at the end. +path1 = "%{_jvmdir}/%{sdkdir -- %{nil}}/conf" +path2 = "%{_jvmdir}/%{sdkdir -- %{nil}}/lib/security" +array = {path1, path2} +for index, path in pairs(array) do + st = posix.stat(path) + if st and st.type == "directory" then + status = os.rename(path, path .. ".rpmmoved") + if not status then + suffix = 0 + while not status do + suffix = suffix + 1 + status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix) + end + os.rename(path, path .. ".rpmmoved") + end + end +end + +%post +%{post_script %{nil}} + +%post headless +%{post_headless %{nil}} + +%postun +%{postun_script %{nil}} + +%postun headless +%{postun_headless %{nil}} + +%posttrans +%{posttrans_script %{nil}} + +%posttrans headless +%{alternatives_java_install %{nil}} + +%post devel +%{post_devel %{nil}} + +%postun devel +%{postun_devel %{nil}} + +%posttrans devel +%{posttrans_devel %{nil}} + +%posttrans javadoc +%{alternatives_javadoc_install %{nil}} + +%postun javadoc +%{postun_javadoc %{nil}} + +%posttrans javadoc-zip +%{alternatives_javadoczip_install %{nil}} + +%postun javadoc-zip +%{postun_javadoc_zip %{nil}} +%endif + +%if %{include_debug_build} +%post slowdebug +%{post_script -- %{debug_suffix_unquoted}} + +%post headless-slowdebug +%{post_headless -- %{debug_suffix_unquoted}} + +%posttrans headless-slowdebug +%{alternatives_java_install -- %{debug_suffix_unquoted}} + +%postun slowdebug +%{postun_script -- %{debug_suffix_unquoted}} + +%postun headless-slowdebug +%{postun_headless -- %{debug_suffix_unquoted}} + +%posttrans slowdebug +%{posttrans_script -- %{debug_suffix_unquoted}} + +%post devel-slowdebug +%{post_devel -- %{debug_suffix_unquoted}} + +%postun devel-slowdebug +%{postun_devel -- %{debug_suffix_unquoted}} + +%posttrans devel-slowdebug +%{posttrans_devel -- %{debug_suffix_unquoted}} +%endif + +%if %{include_fastdebug_build} +%post fastdebug +%{post_script -- %{fastdebug_suffix_unquoted}} + +%post headless-fastdebug +%{post_headless -- %{fastdebug_suffix_unquoted}} + +%postun fastdebug +%{postun_script -- %{fastdebug_suffix_unquoted}} + +%postun headless-fastdebug +%{postun_headless -- %{fastdebug_suffix_unquoted}} + +%posttrans fastdebug +%{posttrans_script -- %{fastdebug_suffix_unquoted}} + +%posttrans headless-fastdebug +%{alternatives_java_install -- %{fastdebug_suffix_unquoted}} + +%post devel-fastdebug +%{post_devel -- %{fastdebug_suffix_unquoted}} + +%postun devel-fastdebug +%{postun_devel -- %{fastdebug_suffix_unquoted}} + +%posttrans devel-fastdebug +%{posttrans_devel -- %{fastdebug_suffix_unquoted}} + +%endif + +%if %{include_normal_build} +%files +# main package builds always +%{files_jre %{nil}} +%else +%files +# placeholder +%endif + + +%if %{include_normal_build} +%files headless +# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue +# all config/noreplace files (and more) have to be declared in pretrans. See pretrans +%{files_jre_headless %{nil}} + +%files devel +%{files_devel %{nil}} + +%if %{include_staticlibs} +%files static-libs +%{files_static_libs %{nil}} +%endif + +%files jmods +%{files_jmods %{nil}} + +%files demo +%{files_demo %{nil}} + +%files src +%{files_src %{nil}} + +%files javadoc +%{files_javadoc %{nil}} + +# This puts a huge documentation file in /usr/share +# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only +# same for debug variant +%files javadoc-zip +%{files_javadoc_zip %{nil}} +%endif + +%if %{include_debug_build} +%files slowdebug +%{files_jre -- %{debug_suffix_unquoted}} + +%files headless-slowdebug +%{files_jre_headless -- %{debug_suffix_unquoted}} + +%files devel-slowdebug +%{files_devel -- %{debug_suffix_unquoted}} + +%if %{include_staticlibs} +%files static-libs-slowdebug +%{files_static_libs -- %{debug_suffix_unquoted}} +%endif + +%files jmods-slowdebug +%{files_jmods -- %{debug_suffix_unquoted}} + +%files demo-slowdebug +%{files_demo -- %{debug_suffix_unquoted}} + +%files src-slowdebug +%{files_src -- %{debug_suffix_unquoted}} +%endif + +%if %{include_fastdebug_build} +%files fastdebug +%{files_jre -- %{fastdebug_suffix_unquoted}} + +%files headless-fastdebug +%{files_jre_headless -- %{fastdebug_suffix_unquoted}} + +%files devel-fastdebug +%{files_devel -- %{fastdebug_suffix_unquoted}} + +%if %{include_staticlibs} +%files static-libs-fastdebug +%{files_static_libs -- %{fastdebug_suffix_unquoted}} +%endif + +%files jmods-fastdebug +%{files_jmods -- %{fastdebug_suffix_unquoted}} + +%files demo-fastdebug +%{files_demo -- %{fastdebug_suffix_unquoted}} + +%files src-fastdebug +%{files_src -- %{fastdebug_suffix_unquoted}} + +%endif + +%changelog +* Wed Jan 11 2023 Andrew Hughes - 1:11.0.18.0.10-3 +- Update to jdk-11.0.18+10 (GA) +- Update release notes to 11.0.18+10 +- Switch to GA mode for release +- Resolves: rhbz#2160111 + +* Tue Jan 03 2023 Andrew Hughes - 1:11.0.18.0.9-0.3.ea +- Update to jdk-11.0.18+9 +- Update release notes to 11.0.18+9 +- Drop local copy of JDK-8293834 now this is upstream +- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804 +- Update TestTranslations.java to test the new America/Ciudad_Juarez zone +- Resolves: rhbz#2150194 + +* Thu Dec 15 2022 Andrew Hughes - 1:11.0.18.0.1-0.3.ea +- Update to jdk-11.0.18+1 +- Update release notes to 11.0.18+1 +- Switch to EA mode for 11.0.18 pre-release builds. +- Drop local copies of JDK-8294357 & JDK-8295173 now upstream contains tzdata 2022e +- Drop local copy of JDK-8275535 which is finally upstream +- Related: rhbz#2150194 + +* Wed Oct 26 2022 Andrew Hughes - 1:11.0.17.0.8-2 +- Update to jdk-11.0.17+8 (GA) +- Update release notes to 11.0.17+8 +- Switch to GA mode for release +- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 +- Update CLDR data with Europe/Kyiv (JDK-8293834) +- Drop JDK-8292223 patch which we found to be unnecessary +- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream +- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds +- Remove freetype sources along with zlib sources +- Resolves: rhbz#2133695 + +* Wed Oct 05 2022 Andrew Hughes - 1:11.0.17.0.7-0.2.ea +- Update to jdk-11.0.17+7 +- Update release notes to 11.0.17+7 +- Resolves: rhbz#2130374 + +* Tue Sep 06 2022 Andrew Hughes - 1:11.0.17.0.1-0.2.ea +- Update to jdk-11.0.17+1 +- Update release notes to 11.0.17+1 +- Switch to EA mode for 11.0.17 pre-release builds. +- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853 +- Bump FreeType bundled version to 2.12.1 following JDK-8290334 +- Related: rhbz#2130374 + +* Tue Aug 30 2022 Andrew Hughes - 1:11.0.16.1.1-3 +- Switch to static builds, reducing system dependencies and making build more portable +- Resolves: rhbz#2121266 + +* Wed Aug 24 2022 Andrew Hughes - 1:11.0.16.1.1-2 +- Update to jdk-11.0.16.1+1 +- Update release notes to 11.0.16.1+1 +- Add patch to provide translations for Europe/Kyiv added in tzdata2022b +- Add test to ensure timezones can be translated +- Resolves: rhbz#2119527 + +* Fri Jul 22 2022 Andrew Hughes - 1:11.0.16.0.8-2 +- Update to jdk-11.0.16+8 +- Update release notes to 11.0.16+8 +- Switch to GA mode for release +- Resolves: rhbz#2106515 + +* Sat Jul 16 2022 Andrew Hughes - 1:11.0.16.0.7-0.1.ea +- Update to jdk-11.0.16+7 +- Update release notes to 11.0.16+7 +- Switch to EA mode for 11.0.16 pre-release builds. +- Use same tarball naming style as java-17-openjdk and java-latest-openjdk +- Drop JDK-8257794 patch now upstreamed +- Print release file during build, which should now include a correct SOURCE value from .src-rev +- Update tarball script with IcedTea GitHub URL and .src-rev generation +- Use "git apply" with patches in the tarball script to allow binary diffs +- Include script to generate bug list for release notes +- Update tzdata requirement to 2022a to match JDK-8283350 +- Make use of the vendor version string to store our version & release rather than an upstream release date +- Explicitly require crypto-policies during build and runtime for system security properties +- Resolves: rhbz#2083298 + +* Thu Jul 14 2022 Jiri Vanek - 1:11.0.16.0.7-0.1.ea +- Add additional patch during tarball generation to align tests with ECC changes +- Related: rhbz#2083298 + +* Fri Jul 08 2022 Andrew Hughes - 1:11.0.15.0.10-6 +- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository +- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +- * RH2090378: Revert to disabling system security properties and FIPS mode support together +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Enable system security properties in the RPM (now disabled by default in the FIPS repo) +- Improve security properties test to check both enabled and disabled behaviour +- Run security properties test with property debugging on +- Resolves: rhbz#2099838 +- Resolves: rhbz#2090378 + +* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:11.0.15.0.10-5 +- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode +- Resolves: rhbz#2102430 + +* Thu Jun 30 2022 Stephan Bergmann - 1:11.0.15.0.10-4 +- Fix flatpak builds by exempting them from bootstrap +- Resolves: rhbz#2102731 + +* Sun Apr 24 2022 Andrew Hughes - 1:11.0.15.0.10-3 +- Update to jdk-11.0.15.0+10 +- Update release notes to 11.0.15.0+10 +- Switch to GA mode for release +- Resolves: rhbz#2073593 + +* Tue Apr 12 2022 Andrew Hughes - 1:11.0.15.0.8-0.1.ea +- Update to jdk-11.0.15.0+8 +- Update release notes to 11.0.15.0+8 +- Rebase RH1996182 FIPS patch after JDK-8254410 +- Resolves: rhbz#2048549 + +* Tue Apr 12 2022 Andrew Hughes - 1:11.0.15.0.1-0.1.ea +- Update to jdk-11.0.15.0+1 +- Update release notes to 11.0.15.0+1 +- Switch to EA mode for 11.0.15 pre-release builds. +- Related: rhbz#2048549 + +* Mon Feb 28 2022 Andrew Hughes - 1:11.0.14.1.1-6 +- Detect NSS at runtime for FIPS detection +- Turn off build-time NSS linking and go back to an explicit Requires on NSS +- Resolves: rhbz#2052827 + +* Fri Feb 25 2022 Andrew Hughes - 1:11.0.14.1.1-5 +- Add JDK-8275535 patch to fix LDAP authentication issue. +- Resolves: rhbz#2053284 + +* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-4 +- Storing and restoring alterntives during update manually +- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE +-- The move of alternatives creation to posttrans to fix: +-- Bug 1200302 - dnf reinstall breaks alternatives +-- Had caused the alternatives to be removed, and then created again, +-- instead of being added, and then removing the old, and thus persisting +-- the selection in family +-- Thus this fix, is storing the family of manually selected master, and if +-- stored, then it is restoring the family of the master +- Resolves: rhbz#2008192 + +* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-3 +- Family extracted to globals +- Resolves: rhbz#2008192 + +* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-2 +- alternatives creation moved to posttrans +- Thus fixing the old reisntall issue: +- https://bugzilla.redhat.com/show_bug.cgi?id=1200302 +- https://bugzilla.redhat.com/show_bug.cgi?id=1976053 +- Resolves: rhbz#2008192 + +* Fri Feb 18 2022 Andrew Hughes - 1:11.0.14.1.1-1 +- Update to jdk-11.0.14.1+1 +- Update release notes to 11.0.14.1+1 +- Require tzdata 2021e as of JDK-8275766. +- Resolves: rhbz#2052809 +- Resolves: rhbz#1966234 + +* Thu Feb 17 2022 Andrew Hughes - 1:11.0.14.0.9-6 +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent +- Resolves: rhbz#2052816 + +* Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.0.9-5 +- Refactor build functions so we can build just HotSpot without any attempt at installation. +- Sync gdb test with java-1.8.0-openjdk. +- Improve architecture restrictions for the gdb test. +- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds +- Related: rhbz#2052809 + +* Fri Feb 11 2022 Jiri Vanek - 1:11.0.14.0.9-5 +- Give javadoc-zip its own Provides, next to the plain javadoc ones +- Related: rhbz#2052809 + +* Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.0.9-4 +- Fix FIPS issues in native code and with initialisation of java.security.Security +- Resolves: rhbz#2021559 + +* Thu Feb 10 2022 Severin Gehwolf - 1:11.0.14.0.9-3 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of nss +- Resolves: rhbz#2023534 + +* Mon Jan 17 2022 Andrew Hughes - 1:11.0.14.0.9-2 +- Update to jdk-11.0.14.0+9 +- Update release notes to 11.0.14.0+9 +- Switch to GA mode for final release. +- Resolves: rhbz#2039366 + +* Fri Jan 14 2022 Andrew Hughes - 1:11.0.14.0.8-0.1.ea +- Update to jdk-11.0.14.0+8 +- Update release notes to 11.0.14.0+8 +- Resolves: rhbz#2022821 + +* Thu Jan 13 2022 Andrew Hughes - 1:11.0.14.0.1-0.1.ea +- Update to jdk-11.0.14.0+1 +- Update release notes to 11.0.14.0+1 +- Switch to EA mode for 11.0.14 pre-release builds. +- Rename blacklisted.certs to blocked.certs following JDK-8253866 +- Rebase RH1996182 login patch and drop redundant security policy extension after JDK-8269034 +- Related: rhbz#2022821 + +* Thu Jan 13 2022 Andrew Hughes - 1:11.0.13.0.8-5 +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Related: rhbz#2022821 + +* Wed Dec 01 2021 Jiri Vanek - 1:11.0.13.0.8-4 +- Replaced hardcoded 11 by featurever where appropriate +- Fixed comment of `for slowdebug` to correct `any debug` +- Related: rhbz#2022821 + +* Wed Oct 13 2021 Andrew Hughes - 1:11.0.13.0.8-3 +- Update to jdk-11.0.13.0+8 +- Update release notes to 11.0.13.0+8 +- Switch to GA mode for final release. +- Resolves: rhbz#2012335 + +* Tue Oct 12 2021 Andrew Hughes - 1:11.0.13.0.7-0.1.ea +- Update to jdk-11.0.13.0+7 +- Update release notes to 11.0.13.0+7 +- Resolves: rhbz#1999938 + +* Mon Oct 11 2021 Andrew Hughes - 1:11.0.13.0.1-0.1.ea +- Update to jdk-11.0.13.0+1 +- Update release notes to 11.0.13.0+1 +- Update tarball generation script to use git following OpenJDK 11u's move to github +- Switch to EA mode for 11.0.13 pre-release builds. +- Remove "-clean" suffix as no 11.0.13 builds are unclean. +- Drop JDK-8269668 patch which is now applied upstream. +- Related: rhbz#1999938 + +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-9 +- The bootstrap JDK is now in bootinstalldir, not bootbuilddir. +- Related: rhbz#1999938 + +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-9 +- Reduce disk footprint by removing build artifacts by default. +- Related: rhbz#1999938 + +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-8 +- Restructure the build so a minimal initial build is then used for the final build (with docs) +- This reduces pressure on the system JDK and ensures the JDK being built can do a full build +- Related: rhbz#1999938 + +* Tue Oct 05 2021 Andrew Hughes - 1:11.0.12.0.7-7 +- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false +- Resolves: rhbz#1991003 + +* Tue Oct 05 2021 Martin Balao - 1:11.0.12.0.7-7 +- Add patch to allow plain key import. +- Resolves: rhbz#1991003 + +* Mon Sep 06 2021 Jiri Vanek - 1:11.0.12.0.7-6 +- Minor cosmetic improvements to make spec more comparable between variants +- Related: rhbz#1999938 + +* Mon Sep 06 2021 Andrew Hughes - 1:11.0.12.0.7-5 +- Remove non-Free test from source tarball. +- Related: rhbz#1999938 + +* Mon Aug 30 2021 Andrew Hughes - 1:11.0.12.0.7-4 +- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc. +- Resolves: rhbz#1997357 + +* Fri Aug 27 2021 Andrew Hughes - 1:11.0.12.0.7-3 +- Add patch to login to the NSS software token when in FIPS mode. +- Resolves: rhbz#1997357 + +* Wed Jul 28 2021 Severin Gehwolf - 1:11.0.12.0.7-2 +- Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668) +- Resolves: rhbz#1994104 + +* Tue Jul 13 2021 Andrew Hughes - 1:11.0.12.0.7-1 +- Update to jdk-11.0.12.0+7 +- Update release notes to 11.0.12.0+7 +- Switch to GA mode for final release. +- Resolves: rhbz#1972395 + +* Thu Jul 08 2021 Andrew Hughes - 1:11.0.12.0.6-0.0.ea +- Update to jdk-11.0.12.0+6 +- Update release notes to 11.0.12.0+6 +- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change +- Resolves: rhbz#1967374 + +* Thu Jul 08 2021 Andrew Hughes - 1:11.0.12.0.4-0.0.ea +- Update to jdk-11.0.12.0+4 +- Update release notes to 11.0.12.0+4 +- Correct bug ID JDK-8264846 to intended ID of JDK-8264848 +- Resolves: rhbz#1967374 + +* Mon Jul 05 2021 Andrew Hughes - 1:11.0.12.0.3-0.0.ea +- Update to jdk-11.0.12.0+3 +- Update release notes to 11.0.12.0+3 +- Resolves: rhbz#1967374 + +* Fri Jul 02 2021 Andrew Hughes - 1:11.0.12.0.2-0.1.ea +- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. +- Remove restriction on disabling product build, as debug packages no longer have javadoc packages. +- Resolves: rhbz#1966234 + +* Fri Jul 02 2021 Andrew Hughes - 1:11.0.12.0.2-0.0.ea +- Update to jdk-11.0.12.0+2 +- Update release notes to 11.0.12.0+2 +- Resolves: rhbz#1967374 + +* Wed Jun 30 2021 Andrew Hughes - 1:11.0.12.0.1-0.3.ea +- Remove explicit compiler flags which should be handled by the upstream build + (-std=gnu++98, -fno-delete-null-pointer-checks, -fno-lifetime-dse) +- Resolves: rhbz#1966234 + +* Wed Jun 30 2021 Andrew Hughes - 1:11.0.12.0.1-0.2.ea +- Add ppc64le and aarch64 to fastdebug_arches +- Resolves: rhbz#1969255 + +* Mon Jun 28 2021 Andrew Hughes - 1:11.0.12.0.1-0.1.ea +- Re-order source files to sync with Fedora. +- Resolves: rhbz#1966234 + +* Mon Jun 28 2021 Severin Gehwolf - 1:11.0.12.0.1-0.1.ea +- Add a test verifying system crypto policies can be disabled +- Resolves: rhbz#1966234 + +* Mon Jun 28 2021 Andrew Hughes - 1:11.0.12.0.1-0.0.ea +- Update to jdk-11.0.12.0+1 +- Update release notes to 11.0.12.0+1 +- Switch to EA mode for 11.0.12 pre-release builds. +- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed) +- Resolves: rhbz#1967374 + +* Wed Jun 16 2021 Jiri Vanek - 1:11.0.11.0.9-5 +- adapted to newst cjc to fix issue with rpm 4.17 +- Disable copy-jdk-configs for Flatpak builds +- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction +- Resolves: rhbz#1953923 + +* Tue Jun 08 2021 Andrew Hughes - 1:11.0.11.0.9-4 +- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. +- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. +- Resolves: rhbz#1929465 + +* Tue Jun 08 2021 Martin Balao - 1:11.0.11.0.9-4 +- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. +- Resolves: rhbz#1929465 + +* Wed Apr 21 2021 Andrew Hughes - 1:11.0.11.0.9-3 +- Update to jdk-11.0.11.0+9 +- Update release notes to 11.0.11.0+9 +- Switch to GA mode for final release. +- This tarball is embargoed until 2021-04-20 @ 1pm PT. +- Resolves: rhbz#1938201 + +* Thu Apr 15 2021 Andrew Hughes - 1:11.0.11.0.7-0.3.ea +- Require tzdata 2021a to match upstream change JDK-8260356 +- Resolves: rhbz#1942310 + +* Mon Apr 12 2021 Andrew Hughes - 1:11.0.11.0.7-0.2.ea +- Update to jdk-11.0.11.0+7 +- Update release notes to 11.0.11.0+7 +- Resolves: rhbz#1942310 + +* Mon Apr 12 2021 Andrew Hughes - 1:11.0.11.0.6-0.2.ea +- Update to jdk-11.0.11.0+6 +- Update release notes to 11.0.11.0+6 +- Resolves: rhbz#1942310 + +* Sat Apr 10 2021 Andrew Hughes - 1:11.0.11.0.5-0.2.ea +- Update to jdk-11.0.11.0+5 +- Update release notes to 11.0.11.0+5 +- Resolves: rhbz#1942310 + +* Fri Apr 09 2021 Andrew Hughes - 1:11.0.11.0.4-0.2.ea +- Update to jdk-11.0.11.0+4 +- Update release notes to 11.0.11.0+4 +- Resolves: rhbz#1942310 + +* Fri Apr 09 2021 Andrew Hughes - 1:11.0.11.0.3-0.2.ea +- Update to jdk-11.0.11.0+3 +- Update release notes to 11.0.11.0+3 +- Resolves: rhbz#1942310 + +* Fri Apr 09 2021 Andrew Hughes - 1:11.0.11.0.2-0.2.ea +- Update to jdk-11.0.11.0+2 +- Update release notes to 11.0.11.0+2 +- Resolves: rhbz#1942310 + +* Mon Apr 05 2021 Andrew Hughes - 1:11.0.11.0.1-0.2.ea +- Update to jdk-11.0.11.0+1 +- Update release notes to 11.0.11.0+1 +- Switch to EA mode for 11.0.11 pre-release builds. +- Require tzdata 2020f to match upstream change JDK-8259048 +- Remove RH1868754 patch as this is now resolved upstream by JDK-8258833 +- Remove RH1868740 & RH1883849 patches as these are now resolved by JDK-8259319 +- Resolves: rhbz#1942310 + +* Sun Mar 28 2021 Jayashree Huttanagoudar - 1:11.0.10.0.9-10 +- Fix issue where CheckVendor.java test erroneously passes when it should fail. +- Add proper quoting so '&' is not treated as a special character by the shell. +- Resolves: rhbz#1942310 + +* Wed Mar 24 2021 Jayashree Huttanagoudar - 1:11.0.10.0.9-9 +- Fixed not-including fastdebug build in case of --without fastdebug +- Resolves: rhbz#1942310 + +* Mon Feb 22 2021 Andrew Hughes - 1:11.0.10.0.9-8 +- Perform static library build on a separate source tree with bundled image libraries +- Make static library build optional +- Based on initial work by Severin Gehwolf +- Resolves: rhbz#1930513 + +* Mon Feb 22 2021 Andrew Hughes - 1:11.0.10.0.9-7 +- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) +- Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository +- Resolves: rhbz#1814915 + +* Mon Feb 22 2021 Stephan Bergmann - 1:11.0.10.0.9-6 +- Hardcode /usr/sbin/alternatives for Flatpak builds +- Resolves: rhbz#1930370 + +* Mon Jan 18 2021 Andrew Hughes - 1:11.0.10.0.9-5 +- Fix accidental use of $ instead of % for variable reference. +- Resolves: rhbz#1908972 + +* Mon Jan 18 2021 Andrew Hughes - 1:11.0.10.0.9-4 +- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs. +- Resolves: rhbz#1915071 + +* Sun Jan 17 2021 Andrew Hughes - 1:11.0.10.0.9-3 +- Fix debug and fastdebug descriptions to emphasise the difference is optimisation or no optimisation. +- Resolves: rhbz#1908972 + +* Sun Jan 17 2021 Jiri Vanek - 1:11.0.10.0.9-3 +- Removed lib-style provides for fastdebug_suffix_unquoted +- Fixed missing condition for fastdebug packages being counted as debug ones +- Fix typo in variable +- Resolves: rhbz#1908972 + +* Sun Jan 17 2021 Andrew Hughes - 1:11.0.10.0.9-2 +- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode +- Resolves: rhbz#1894083 + +* Fri Jan 15 2021 Andrew Hughes - 1:11.0.10.0.9-1 +- Update to jdk-11.0.10.0+9 +- Update release notes to 11.0.10.0+9 +- Switch to GA mode for final release. +- Resolves: rhbz#1908972 + +* Thu Jan 14 2021 Andrew Hughes - 1:11.0.10.0.8-0.1.ea +- Update to jdk-11.0.10.0+8 +- Update release notes to 11.0.10.0+8. +- Update tarball generation script to use PR3818 which handles JDK-8171279 changes +- Drop JDK-8250861 as applied upstream. +- Resolves: rhbz#1903908 + +* Tue Jan 12 2021 Andrew John Hughes - 1:11.0.10.0.1-0.1.ea +- Update to jdk-11.0.10.0+1 +- Update release notes to 11.0.10.0+1 +- Use JEP-322 Time-Based Versioning so we can handle a future 11.0.9.1-like release correctly. +- Still use 11.0.x rather than 11.0.x.0 for file naming, as the trailing zero is omitted from tags. +- Revert configure and built_doc_archive hacks to build 11.0.9.1 from 11.0.9.0 sources, and synced with RHEL version. +- Cleanup debug package descriptions and version number placement. +- Switch to EA mode for 11.0.10 pre-release builds. +- Drop JDK-8222286, JDK-8236512 & JDK-8254177 as applied upstream +- Use system harfbuzz now this is supported. +- Use system tzdata2020b now it's available. +- Adjust RH1842572 patch due to context change from JDK-8213400 +- Resolves: rhbz#1903908 + +* Tue Dec 29 2020 Andrew Hughes - 1:11.0.9.11-9 +- Introduced ssbd_arches to denote architectures with SSBD mitigation (currently only x86_64) +- Introduced nm-based check to verify alt-java on ssbd_arches is patched, and no other alt-java or java binaries are patched +- RH1750419 patch amended to emit a warning on architectures where alt-java is the same as java +- Resolves: rhbz#1784116 + +* Tue Dec 29 2020 Jiri Vanek - 1:11.0.9.11-9 +- Redefined linux -> __linux__ and __x86_64 -> __x86_64__ in RH1750419 patch +- Resolves: rhbz#1784116 + +* Tue Dec 29 2020 Andrew Hughes - 1:11.0.9.11-8 +- Update release notes for 11.0.9.1 release. +- Resolves: rhbz#1895274 + +* Tue Dec 01 2020 Jiri Vanek - 1:11.0.9.11-7 +- removed patch6, rh1566890-CVE_2018_3639-speculative_store_bypass.patch, surpassed by new patch +- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch +- no longer copying of java->alt-java as it is created by patch600 +- Resolves: rhbz#1784116 + +* Wed Nov 11 2020 Andrew Hughes - 1:11.0.9.11-6 +- Fix typo of build_doc_archive/built_doc_archive +- Resolves: rhbz#1895274 + +* Wed Nov 04 2020 Severin Gehwolf - 1:11.0.9.11-5 +- Update to jdk-11.0.9.1+1 +- RPM version stays at 11.0.9.11 so as to not break upgrade path. +- Adds a single patch for JDK-8250861. +- Resolves: rhbz#1895274 + +* Thu Oct 29 2020 Jiri Vanek - 1:11.0.9.11-4 +- Move all license files to NVR-specific JVM directory. +- This bad placement was killing parallel installability and thus having a bad impact on leapp, if used. +- Resolves: rhbz#1889481 + +* Tue Oct 27 2020 Andrew Hughes - 1:11.0.9.11-3 +- Bump release number to build on RHEL 8.4.0 branch. +- Resolves: rhbz#1876665 +- Resolves: rhbz#1889497 +- Resolves: rhbz#1883849 + +* Wed Oct 21 2020 Andrew Hughes - 1:11.0.9.11-2 +- Add backport of JDK-8236512 to correct use of killSession +- Resolves: rhbz#1889497 + +* Mon Oct 19 2020 Severin Gehwolf - 1:11.0.9.11-2 +- Fix directory ownership of static-libs package +- Resolves: rhbz#1876665 + +* Thu Oct 15 2020 Andrew Hughes - 1:11.0.9.11-1 +- Delay tzdata 2020b dependency until tzdata update has shipped. +- Resolves: rhbz#1876665 + +* Thu Oct 15 2020 Andrew Hughes - 1:11.0.9.11-1 +- Update to jdk-11.0.9+11 +- Update release notes for 11.0.9 release. +- Add backport of JDK-8254177 to update to tzdata 2020b +- Require tzdata 2020b due to resource changes in JDK-8254177 +- This tarball is embargoed until 2020-10-20 @ 1pm PT. +- Resolves: rhbz#1876665 + +* Thu Oct 15 2020 Andrew Hughes - 1:11.0.9.10-0.3.ea +- Improve quoting of vendor name +- Resolves: rhbz#1876665 + +* Wed Oct 14 2020 Jiri Vanek - 1:11.0.9.10-0.3.ea +- Set vendor property and vendor URLs +- Made URLs to be preconfigured by OS +- Moved vendor_version_string to a better place +- Resolves: rhbz#1876665 + +* Wed Oct 14 2020 Andrew Hughes - 1:11.0.9.10-0.2.ea +- Add patch to allow the PKCS11 provider access to the SunJCE provider with the security manager enabled +- Resolves: rhbz#1883849 + +* Tue Oct 13 2020 Andrew Hughes - 1:11.0.9.10-0.1.ea +- Update to jdk-11.0.9+10 (EA) +- Resolves: rhbz#1876665 + +* Tue Oct 13 2020 Andrew Hughes - 1:11.0.9.9-0.1.ea +- Update to jdk-11.0.9+9 (EA) +- Resolves: rhbz#1876665 + +* Tue Oct 13 2020 Andrew Hughes - 1:11.0.9.8-0.1.ea +- Update to jdk-11.0.9+8 (EA) +- Remove JDK-8252258/RH1868406 now applied upstream. +- Resolves: rhbz#1876665 + +* Tue Oct 13 2020 Andrew Hughes - 1:11.0.9.7-0.1.ea +- Update to jdk-11.0.9+7 (EA) +- Resolves: rhbz#1876665 + +* Mon Oct 12 2020 Severin Gehwolf - 1:11.0.9.6-0.2.ea +- Update static-libs packaging to new layout +- Resolves: rhbz#1876665 + +* Sat Oct 10 2020 Andrew Hughes - 1:11.0.9.6-0.1.ea +- Update to jdk-11.0.9+6 (EA) +- Update tarball generation script to use PR3802, handling JDK-8233228 & JDK-8177334 +- Resolves: rhbz#1876665 + +* Thu Oct 08 2020 Andrew Hughes - 1:11.0.9.5-0.1.ea +- Update to jdk-11.0.9+5 (EA) +- Resolves: rhbz#1876665 + +* Thu Oct 08 2020 Andrew Hughes - 1:11.0.9.4-0.1.ea +- Update to jdk-11.0.9+4 (EA) +- Resolves: rhbz#1876665 + +* Wed Oct 07 2020 Andrew Hughes - 1:11.0.9.3-0.1.ea +- Update to jdk-11.0.9+3 (EA) +- Remove JDK-8251117/RH1860990 as now applied upstream. +- Resolves: rhbz#1876665 + +* Mon Oct 05 2020 Andrew Hughes - 1:11.0.9.2-0.2.ea +- Following JDK-8005165, class data sharing can be enabled on all JIT architectures +- Resolves: rhbz#1876665 + +* Mon Oct 05 2020 Andrew Hughes - 1:11.0.9.2-0.1.ea +- Update to jdk-11.0.9+2 (EA) +- With Shenandoah now upstream in OpenJDK 11, we can use jdk-updates/jdk11 directly +- Resolves: rhbz#1876665 + +* Mon Oct 05 2020 Andrew Hughes - 1:11.0.9.1-0.1.ea +- Cleanup architecture and JVM feature handling in preparation for using upstreamed Shenandoah. +- Resolves: rhbz#1876665 + +* Mon Sep 28 2020 Andrew Hughes - 1:11.0.9.1-0.0.ea +- Update to shenandoah-jdk-11.0.9+1 (EA) +- Switch to EA mode for 11.0.9 pre-release builds. +- JDK-8245832 increases the set of static libraries, so try and include them all with a wildcard. +- Resolves: rhbz#1876665 + +* Thu Sep 17 2020 Andrew Hughes - 1:11.0.8.10-6 +- Add patch to cancel PKCS#11 operations on failure (RH1868754) +- Add patch to allow the PKCS11 provider access to the SunJCE provider (RH1868740) +- Resolves: rhbz#1868740 +- Resolves: rhbz#1868754 + +* Fri Aug 28 2020 Andrew Hughes - 1:11.0.8.10-5 +- Use 'oj_' prefix on new vendor globals to avoid a conflict with RPM's vendor value. +- Resolves: rhbz#1868406 + +* Tue Aug 25 2020 Andrew Hughes - 1:11.0.8.10-4 +- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use. +- Resolves: rhbz#1860986 + +* Tue Aug 25 2020 Andrew Hughes - 1:11.0.8.10-3 +- Add JDK-8252258 to return default vendor to the original value of 'Oracle Corporation' +- Include a test in the RPM to check the build has the correct vendor information. +- Resolves: rhbz#1868406 + +* Tue Aug 25 2020 Andrew Hughes - 1:11.0.8.10-2 +- Backport JDK-8251117 to allow key length to be retrieved from PKCS#11 FIPS keys +- Resolves: rhbz#1860990 + +* Sat Jul 11 2020 Andrew Hughes - 1:11.0.8.10-1 +- Update to shenandoah-jdk-11.0.8+10 (GA) +- Switch to GA mode for final release. +- Update release notes with last minute fix (JDK-8248505). +- Resolves: rhbz#1838811 + +* Fri Jul 10 2020 Andrew Hughes - 1:11.0.8.9-0.1.ea +- Update to shenandoah-jdk-11.0.8+9 (EA) +- Update release notes for 11.0.8 release. +- Resolves: rhbz#1838811 + +* Tue Jun 30 2020 Andrew Hughes - 1:11.0.8.8-0.1.ea +- Update to shenandoah-jdk-11.0.8+8 (EA) +- Resolves: rhbz#1838811 + +* Mon Jun 29 2020 Andrew Hughes - 1:11.0.8.7-0.4.ea +- Add support for fastdebug builds on x86_64 only. +- Resolves: rhbz#1836068 + +* Sun Jun 28 2020 Andrew Hughes - 1:11.0.8.7-0.3.ea +- Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY +- Resolves: rhbz#1842572 + +* Wed Jun 24 2020 Andrew Hughes - 1:11.0.8.7-0.2.ea +- java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there... +- Resolves: rhbz#1838811 + +* Wed Jun 24 2020 Jiri Vanek - 1:11.0.8.7-0.2.ea +- Create a copy of java as alt-java with alternatives and man pages +- Resolves: rhbz#1838811 + +* Tue Jun 23 2020 Andrew Hughes - 1:11.0.8.7-0.1.ea +- Update to shenandoah-jdk-11.0.8+7 (EA) +- Resolves: rhbz#1838811 + +* Mon Jun 22 2020 Jiri Vanek - 1:11.0.8.6-0.3.ea +- Symlink hunk moved behind the main copy logic, to be more user-friendly with multiple installs +- Resolves: rhbz#1820172 + +* Mon Jun 22 2020 Jiri Vanek - 1:11.0.8.6-0.2.ea +- Added scriplet to handle dir-> symling change when updating el7->el8 +- Resolves: rhbz#182017 + +* Thu Jun 18 2020 Andrew Hughes - 1:11.0.8.6-0.1.ea +- Update to shenandoah-jdk-11.0.8+6 (EA) +- Resolves: rhbz#1838811 + +* Tue Jun 09 2020 Severin Gehwolf - 1:11.0.8.5-0.2.ea +- Disable stripping of debug symbols for static libraries part of + the -static-libs sub-package. +- Resolves: rhbz#1839084 + +* Sun Jun 07 2020 Andrew Hughes - 1:11.0.8.5-0.1.ea +- Update to shenandoah-jdk-11.0.8+5 (EA) +- Resolves: rhbz#1838811 + +* Tue Jun 02 2020 Andrew John Hughes - 1:11.0.8.4-0.3.ea +- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). +- Resolves: rhbz#1725961 + +* Mon Jun 01 2020 Andrew John Hughes - 1:11.0.8.4-0.2.ea +- Use appropriate keystore types when in FIPS mode. +- Resolves: rhbz#1818909 + +* Mon May 25 2020 Andrew Hughes - 1:11.0.8.4-0.1.ea +- Update to shenandoah-jdk-11.0.8+4 (EA) +- Require tzdata 2020a due to resource changes in JDK-8243541 +- Resolves: rhbz#1838811 + +* Mon May 25 2020 Andrew Hughes - 1:11.0.8.3-0.1.ea +- Update to shenandoah-jdk-11.0.8+3 (EA) +- Resolves: rhbz#1838811 + +* Mon May 25 2020 Severin Gehwolf - 1:11.0.8.2-0.2.ea +- Build static-libs-image and add resulting files via -static-libs + sub-package. +- Resolves: rhbz#1839084 + +* Mon May 18 2020 Andrew Hughes - 1:11.0.8.2-0.1.ea +- Update to shenandoah-jdk-11.0.8+2 (EA) +- Resolves: rhbz#1838811 + +* Sun May 10 2020 Andrew Hughes - 1:11.0.8.1-0.1.ea +- Update to shenandoah-jdk-11.0.8+1 (EA) +- Switch to EA mode for 11.0.8 pre-release builds. +- Drop JDK-8237396 & JDK-8228407 backports now applied upstream. +- Resolves: rhbz#1838811 + +* Wed Apr 22 2020 Andrew John Hughes - 1:11.0.7.10-3 +- Bump release number for RHEL 8.3.0. +- Resolves: rhbz#1810557 + +* Wed Apr 22 2020 Andrew Hughes - 1:11.0.7.10-2 +- Add JDK-8228407 backport to resolve crashes during verification. +- Resolves: rhbz#1810557 + +* Wed Apr 22 2020 Andrew Hughes - 1:11.0.7.10-2 +- Amend release notes, removing issue actually fixed in 11.0.6. +- Resolves: rhbz#1810557 + +* Wed Apr 22 2020 Andrew Hughes - 1:11.0.7.10-2 +- Add release notes. +- Resolves: rhbz#1810557 + +* Wed Apr 22 2020 Andrew Hughes - 1:11.0.7.10-2 +- Make use of --with-extra-asflags introduced in jdk-11.0.6+1. +- Resolves: rhbz#1810557 + +* Sun Apr 19 2020 Andrew Hughes - 1:11.0.7.10-1 +- Update to shenandoah-jdk-11.0.7+10 (GA) +- Switch to GA mode for final release. +- Resolves: rhbz#1810557 + +* Sun Apr 19 2020 Andrew Hughes - 1:11.0.7.9-0.1.ea +- Update to shenandoah-jdk-11.0.7+9 (EA) +- Resolves: rhbz#1810557 + +* Sun Apr 19 2020 Andrew Hughes - 1:11.0.7.8-0.1.ea +- Update to shenandoah-jdk-11.0.7+8 (EA) +- Resolves: rhbz#1810557 + +* Sat Apr 18 2020 Andrew Hughes - 1:11.0.7.7-0.1.ea +- Update to shenandoah-jdk-11.0.7+7 (EA) +- Resolves: rhbz#1810557 + +* Sat Apr 18 2020 Andrew Hughes - 1:11.0.7.6-0.1.ea +- Update to shenandoah-jdk-11.0.7+6 (EA) +- Resolves: rhbz#1810557 + +* Thu Apr 16 2020 Andrew Hughes - 1:11.0.7.5-0.1.ea +- Update to shenandoah-jdk-11.0.7+5 (EA) +- Resolves: rhbz#1810557 + +* Sat Apr 11 2020 Andrew Hughes - 1:11.0.7.4-0.1.ea +- Update to shenandoah-jdk-11.0.7+4 (EA) +- Resolves: rhbz#1810557 + +* Wed Apr 08 2020 Andrew Hughes - 1:11.0.7.3-0.1.ea +- Update to shenandoah-jdk-11.0.7+3 (EA) +- Resolves: rhbz#1810557 + +* Mon Apr 06 2020 Andrew Hughes - 1:11.0.7.2-0.1.ea +- Update to shenandoah-jdk-11.0.7+2 (EA) +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:11.0.7.1-0.1.ea +- Update to shenandoah-jdk-11.0.7+1 (EA) +- Switch to EA mode for 11.0.7 pre-release builds. +- Drop JDK-8236039 backport now applied upstream. +- Resolves: rhbz#1810557 + +* Fri Mar 27 2020 Andrew John Hughes - 1:11.0.6.10-4 +- Need to support noarch for creating source RPMs for non-scratch builds. +- Resolves: rhbz#1737115 + +* Thu Mar 19 2020 Andrew John Hughes - 1:11.0.6.10-4 +- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) +- Resolves: rhbz#1737115 + +* Sun Feb 23 2020 Andrew John Hughes - 1:11.0.6.10-3 +- Sync SystemTap & desktop files with upstream IcedTea release 3.15.0 +- Resolves: rhbz#1737115 + +* Sun Feb 23 2020 Andrew John Hughes - 1:11.0.6.10-3 +- Sync SystemTap & desktop files with upstream IcedTea release 3.11.0 using new script +- Resolves: rhbz#1737115 + +* Sun Feb 16 2020 Andrew Hughes - 1:11.0.6.10-2 +- Add JDK-8237396 backport to resolve Shenandoah TCK breakage in traversal mode. +- Resolves: rhbz#1785753 + +* Sat Jan 11 2020 Andrew John Hughes - 1:11.0.6.10-1 +- Update to shenandoah-jdk-11.0.6+10 (GA) +- Switch to GA mode for final release. +- Add JDK-8236039 backport to resolve OpenShift blocker +- Resolves: rhbz#1785753 + +* Thu Jan 09 2020 Andrew Hughes - 1:11.0.6.1-0.1.ea +- Update to shenandoah-jdk-11.0.6+1 (EA) +- Switch to EA mode for 11.0.6 pre-release builds. +- Add support for jfr binary. +- Drop JDK-8230923 now applied upstream. +- Resolves: rhbz#1785753 + +* Wed Jan 08 2020 Andrew Hughes - 1:11.0.5.10-6 +- Update generate_source_tarball.sh script to use the PR3751 patch and retain the secp256k1 curve. +- Regenerate source tarball using the updated script and add the -'4curve' suffix. +- Resolves: rhbz#1746875 + +* Thu Jan 02 2020 Andrew John Hughes - 1:11.0.5.10-5 +- Revert SSBD removal for now, until appropriate messaging has been decided. +- Resolves: rhbz#1784116 + +* Fri Dec 27 2019 Andrew John Hughes - 1:11.0.5.10-4 +- Remove CVE-2018-3639 mitigation due to performance regression and + OpenJDK position on speculative execution vulnerabilities. + https://mail.openjdk.java.net/pipermail/vuln-announce/2019-July/000002.html +- Resolves: rhbz#1784116 + +* Wed Nov 06 2019 Andrew John Hughes - 1:11.0.5.10-3 +- Bump release number for RHEL 8.2.0. +- Resolves: rhbz#1753423 + +* Fri Oct 25 2019 Andrew John Hughes - 1:11.0.5.10-2 +- Disable FIPS mode support unless com.redhat.fips is set to "true". +- Resolves: rhbz#1751845 + +* Wed Oct 09 2019 Andrew Hughes - 1:11.0.5.10-1 +- Update to shenandoah-jdk-11.0.5+10 (GA) +- Switch to GA mode for final release. +- Remove PR1834/RH1022017 which is now handled by JDK-8228825 upstream. +- Resolves: rhbz#1753423 + +* Wed Oct 09 2019 Andrew Hughes - 1:11.0.5.9-0.0.ea +- Update to shenandoah-jdk-11.0.5+9 (EA) +- Resolves: rhbz#1753423 + +* Mon Oct 07 2019 Andrew Hughes - 1:11.0.5.1-0.1.ea +- Update to shenandoah-jdk-11.0.5+1 (EA) +- Switch to EA mode for 11.0.5 pre-release builds. +- Drop JDK-8223482 which is included upstream in 11.0.5+1. +- Resolves: rhbz#1753423 + +* Mon Sep 30 2019 Andrew John Hughes - 1:11.0.4.11-4 +- Backport JDK-8230923 so arguments are passed to security providers. +- Update RH1655466 patch with changes in OpenJDK 8 version. +- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. +- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. +- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. +- Resolves: rhbz#1751845 + +* Tue Aug 13 2019 Martin Balao - 1:11.0.4.11-3 +- Support the FIPS mode crypto policy on RHEL 8. +- Resolves: rhbz#1725961 + +* Tue Jul 09 2019 Andrew Hughes - 1:11.0.4.11-2 +- Drop NSS runtime dependencies and patches to link against it. +- Resolves: rhbz#1678554 + +* Tue Jul 09 2019 Andrew Hughes - 1:11.0.4.11-1 +- Update to shenandoah-jdk-11.0.4+11 (GA) +- Switch to GA mode for final release. +- Resolves: rhbz#1724452 + +* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.10-0.1.ea +- Update to shenandoah-jdk-11.0.4+10 (EA) +- Resolves: rhbz#1724452 + +* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.9-0.1.ea +- Update to shenandoah-jdk-11.0.4+9 (EA) +- Resolves: rhbz#1724452 + +* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.8-0.1.ea +- Update to shenandoah-jdk-11.0.4+8 (EA) +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- fontconfig build requirement should be fontconfig-devel, previously masked by Gtk3+ dependency +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- Add missing build requirement for libXrandr-devel, previously masked by Gtk3+ dependency +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- Make use of Recommends and Suggests dependent on RHEL 8+ environment. +- Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime. +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew Hughes - 1:11.0.4.7-0.1.ea +- Update to shenandoah-jdk-11.0.4+7 (EA) +- Resolves: rhbz#1724452 + +* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.6-0.1.ea +- Obsolete javadoc-debug and javadoc-debug-zip packages via javadoc and javadoc-zip respectively. +- Resolves: rhbz#1724452 + +* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.6-0.1.ea +- Update to shenandoah-jdk-11.0.4+6 (EA) +- Resolves: rhbz#1724452 + +* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.5-0.1.ea +- Update to shenandoah-jdk-11.0.4+5 (EA) +- Resolves: rhbz#1724452 + +* Tue Jul 02 2019 Andrew Hughes - 1:11.0.4.4-0.1.ea +- Update to shenandoah-jdk-11.0.4+4 (EA) +- Resolves: rhbz#1724452 + +* Mon Jul 01 2019 Andrew Hughes - 1:11.0.4.3-0.1.ea +- Update to shenandoah-jdk-11.0.4+3 (EA) +- Resolves: rhbz#1724452 + +* Sun Jun 30 2019 Andrew John Hughes - 1:11.0.4.2-0.1.ea +- Update to shenandoah-jdk-11.0.4+2 (EA) +- Resolves: rhbz#1724452 + +* Fri Jun 21 2019 Severin Gehwolf - 1:11.0.4.2-0.1.ea +- Package jspawnhelper (see JDK-8220360). +- Resolves: rhbz#1724452 + +* Fri Jun 21 2019 Severin Gehwolf - 1:11.0.3.7-5 +- Include 'ea' designator in Release when appropriate. +- Resolves: rhbz#1724452 + +* Wed May 22 2019 Andrew Hughes - 1:11.0.3.7-5 +- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately. +- Resolves: rhbz#1724452 + +* Thu Apr 25 2019 Severin Gehwolf - 1:11.0.3.7-4 +- Don't build the test images needlessly. +- Don't produce javadoc/javadoc-zip sub packages for the debug variant build. +- Don't perform a bootcycle build for the debug variant build. +- Resolves: rhbz#1724452 + +* Wed Apr 24 2019 Severin Gehwolf - 1:11.0.3.7-3 +- Do not generate lib-style requires for -slowdebug subpackages. +- Resolves: rhbz#1693468 + +* Tue Apr 23 2019 Severin Gehwolf - 1:11.0.3.7-3 +- Fix requires/provides for the non-system JDK case. JDK 11 is not a system JDK at this point. +- Resolves: rhbz#1693468 + +* Tue Apr 16 2019 Severin Gehwolf - 1:11.0.3.7-2 +- Don't package lib/client and lib/client/classes.jsa which don't exist (see RH1643469) +- Resolves: rhbz#1693468 + +* Sun Apr 07 2019 Andrew Hughes - 1:11.0.3.7-1 +- Update to shenandoah-jdk-11.0.3+7 (April 2019 GA) +- Resolves: rhbz#1693468 + +* Sat Apr 06 2019 Andrew Hughes - 1:11.0.3.6-1 +- Update to shenandoah-jdk-11.0.3+6 (April 2019 EA) +- Drop JDK-8210416/RH1632174 applied upstream. +- Drop JDK-8210425/RH1632174 applied upstream. +- Drop JDK-8210647/RH1632174 applied upstream. +- Drop JDK-8210761/RH1632174 applied upstream. +- Drop JDK-8210703/RH1632174 applied upstream. +- Add cast to resolve s390 ambiguity in call to log2_intptr +- Resolves: rhbz#1693468 + +* Fri Apr 05 2019 Severin Gehwolf - 1:11.0.2.7-4 +- Add patch for RH1566890 +- Resolves: rhbz#1693468 + +* Tue Mar 26 2019 Jiri Vanek - 1:11.0.2.7-3 +- added gating + +* Fri Feb 08 2019 Severin Gehwolf - 1:11.0.2.7-2 +- Add explicit requirement for libXcomposite which is used when performing + screenshots from Java. +- Add explicit BR unzip required for building OpenJDK. +- Resolves: rhbz#1666532 + +* Thu Feb 07 2019 Andrew John Hughes - 1:11.0.2.7-1 +- Add PR3695 to allow the system crypto policy to be turned off. +- Correct original system crypto policy patch to refer to OpenJDK 11 bug (PR3694) +- Resolves: rhbz#1666532 + +* Tue Jan 15 2019 Andrew Hughes - 1:11.0.2.7-0 +- Update to shenandoah-jdk-11.0.2+7 (January 2019 CPU) +- Drop JDK-8211105/RH1628612/RH1630996 applied upstream. +- Drop JDK-8209639/RH1640127 applied upstream. +- Re-generate JDK-8210416/RH1632174 following JDK-8209786 +- Resolves: rhbz#1666532 +- Resolves: rhbz#1659143 + +* Fri Jan 11 2019 Andrew Hughes - 1:11.0.1.13-11 +- Update to shenandoah-jdk-11.0.1+13-20190101 +- Update tarball generation script in preparation for PR3681/RH1656677 SunEC changes. +- Use remove-intree-libraries.sh to remove the remaining SunEC code for now. +- Fix PR1983 SunEC patch so that ecc_impl.h is patched rather than added +- Add missing RH1022017 patch to reduce curves reported by SSL to those we support. +- Remove RH1648995; fixed upstream +- Resolves: rhbz#1659143 + +* Wed Dec 5 2018 Jiri Vanek - 1:11.0.1.13-9 +- for non debug supackages, ghosted all masters and slaves (rhbz1649776) +- for tech-preview packages, if-outed versionless provides. Aligned versions to be %%{epoch}:%%{version}-%%{release} instead of chaotic +- Removed all slowdebug provides (rhbz1655938); for tech-preview packages also removed all internal provides + +* Wed Dec 5 2018 Severin Gehwolf - 1:11.0.1.13-8 +- Added %%global _find_debuginfo_opts -g +- Resolves: rhbz#1657335 + +* Mon Nov 12 2018 Jiri Vanek - 1:11.0.1.13-6 +- fixed tck failures of arraycopy and process exec with shenandoah on +- added patch585 rh1648995-shenandoah_array_copy_broken_by_not_always_copy_forward_for_disjoint_arrays.patch + +* Wed Nov 07 2018 Jiri Vanek - 1:11.0.1.13-5 +- headless' suggests of cups, replaced by Requires of cups-libs + +* Thu Nov 01 2018 Jiri Vanek - 1:11.0.1.13-3 +- added Patch584 jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch + +* Mon Oct 29 2018 Severin Gehwolf - 1:11.0.1.13-3 +- Use upstream's version of Aarch64 intrinsics disable patch: + - Removed: + RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch + RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch + - Superceded by: + jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch + +* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-2 +- Use LTS designator in version output for RHEL. + +* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-1 +- Update to October 2018 CPU release, 11.0.1+13. + +* Wed Oct 17 2018 Severin Gehwolf - 1:11.0.0.28-2 +- Use --with-vendor-version-string=18.9 so as to show original + GA date for the JDK. + +* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.0.28-1 +- Identify as GA version and no longer as early access (EA). +- JDK 11 has been released for GA on 2018-09-25. + +* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.ea.28-9 +- Rework changes from 1:11.0.ea.22-6. RHBZ#1632174 supercedes + RHBZ-1624122. +- Add patch, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch, so as to + optimize compilation of fdlibm library. +- Add patch, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch, so + as to optimize compilation of sharedRuntime{Trig,Trans}.cpp +- Add patch, jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch, so as to + optimize compilation of libsaproc (extra c flags won't override + optimization). +- Add patch, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch, so as to + optimize compilation of libjsig. +- Add patch, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0, so as to + optimize compilation of vmStructs.cpp (part of libjvm.so). +- Reinstate filtering of opt flags coming from redhat-rpm-config. + +* Thu Sep 27 2018 Jiri Vanek - 1:11.0.ea.28-8 +- removed version less provides +- javadocdir moved to arched dir as it is no longer noarch + +* Thu Sep 20 2018 Severin Gehwolf - 1:11.0.ea.28-6 +- Add patch, RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch, + so as to disable log math intrinsic on aarch64. Work-around for + JDK-8210858 + +* Thu Sep 13 2018 Severin Gehwolf - 1:11.0.ea.28-5 +- Add patch, RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch, + so as to disable dsin/dcos math intrinsics on aarch64. Work-around for + JDK-8210461. + +* Wed Sep 12 2018 Severin Gehwolf - 1:11.0.ea.22-6 +- Add patch, JDK-8210416-RHBZ-1624122-fdlibm-opt-fix.patch, so as to + optimize compilation of fdlibm library. +- Add patch, JDK-8210425-RHBZ-1624122-sharedRuntimeTrig-opt-fix.patch, so + as to optimize compilation of sharedRuntime{Trig,Trans}.cpp +- Add patch, JDK-8210647-RHBZ-1624122-libsaproc-opt-fix.patch, so as to + optimize compilation of libsaproc (extra c flags won't override + optimization). +- Add patch, JDK-8210703-RHBZ-1624122-vmStructs-opt-fix.patch, so as to + optimize compilation of vmStructs.cpp (part of libjvm.so). +- No longer filter -O flags from C flags coming from + redhat-rpm-config. + +* Mon Sep 10 2018 Jiri Vanek - 1:11.0.ea.28-4 +- link to jhsdb followed its file to ifarch jit_arches ifnarch s390x + +* Fri Sep 7 2018 Severin Gehwolf - 1:11.0.ea.28-3 +- Enable ZGC on x86_64. + +* Tue Sep 4 2018 Jiri Vanek - 1:11.0.ea.28-2 +- jfr/*jfc files listed for all arches +- lib/classlist do not exists s390, ifarch-ed via jit_arches out + +* Fri Aug 31 2018 Severin Gehwolf - 1:11.0.ea.28-1 +- Update to latest upstream build jdk11+28, the first release + candidate. + +* Wed Aug 29 2018 Severin Gehwolf - 1:11.0.ea.22-8 +- Adjust system NSS patch, pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch, so + as to filter -Wl,--as-needed from linker flags. Fixes FTBFS issue. + +* Thu Aug 23 2018 Jiri Vanek - 1:11.0.ea.22-6 +- dissabled accessibility, fixed provides for main package's debug variant + +* Mon Jul 30 2018 Jiri Vanek - 1:11.0.ea.22-5 +- now buildrequires javapackages-filesystem as the issue with macros should be fixed + +* Wed Jul 18 2018 Jiri Vanek - 1:11.0.ea.22-2 +- changed to build by itself instead of by jdk10 + +* Tue Jul 17 2018 Jiri Vanek - 1:11.0.ea.22-1 +- added Recommends gtk3 for main package +- changed BuildRequires from gtk2-devel to gtk3-devel (it can be more likely dropped) +- added Suggests lksctp-tools, pcsc-lite-devel, cups for headless package +- see RHBZ1598152 +- added trick to catch hs_err files (sgehwolf) +- updated to shenandaoh-jdk-11+22 + +* Sat Jul 07 2018 Jiri Vanek - 1:11.0.ea.20-1 +- removed patch6 JDK-8205616-systemLcmsAndJpgFixFor-rev_f0aeede1b855.patch +- improved a bit generate_source_tarball.sh to serve also for systemtap +- thus deleted generate_tapsets.sh +- simplified and cleared update_package.sh +- moved to single source jdk - from shenandoah/jdk11 +- bumped to latest jdk11+20 +- adapted PR2126 to jdk11+20 +- adapted handling of systemtap sources to new style +- (no (misleading) version inside (full version is in name), thus different sed on tapsets and different directory) +- shortened summaries and descriptions to around 80 chars +- Hunspell spell checked +- license fixed to correct jdk11 (sgehwolf) +- more correct handling of internal libraries (sgehwolf) +- added lib/security/public_suffix_list.dat as +20 have added it (JDK-8201815) +- added test for shenandaoh GC presence where expected +- Removed workaround for broken aarch64 slowdebug build +- Removed all defattrs +- Removed no longer necessary cleanup of diz and debuginfo files + +* Fri Jun 22 2018 Jiri Vanek - 1:11.0.ea.19-1 +- updated sources to jdk-11+19 +- added patch6 systemLcmsAndJpgFixFor-f0aeede1b855.patch to fix regression of system libraries after f0aeede1b855 commit +- adapted pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch to accommodate changes after f0aeede1b855 commit + +* Thu Jun 14 2018 Severin Gehwolf - 1:11.0.ea.16-5 +- Revert rename: java-11-openjdk => java-openjdk. + +* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-4 +- Add aarch64 to aot_arches. + +* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-3 +- Rename to package java-11-openjdk. + +* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-2 +- Disable Aarch64 slowdebug build (see JDK-8204331). +- s390x doesn't have the SA even though it's a JIT arch. + +* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-1 +- Initial version of JDK 11 ea based on tag jdk-11+16. +- Removed patches no longer needed or upstream: + sorted-diff.patch (see JDK-8198844) + JDK-8201788-bootcycle-images-jobs.patch + JDK-8201509-s390-atomic_store.patch + JDK-8202262-libjsig.so-extra-link-flags.patch (never was an issue on 11) + JDK-8193802-npe-jar-getVersionMap.patch +- Updated and renamed patches: + java-openjdk-s390-size_t.patch => JDK-8203030-s390-size_t.patch +- Updated patches for JDK 11: + pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch + +* Tue Jun 12 2018 Severin Gehwolf - 1:10.0.1.10-9 +- Use proper private_libs expression for filtering requires/provides. + +* Fri Jun 08 2018 Severin Gehwolf - 1:10.0.1.10-8 +- Bump release and rebuild for fixed gdb. See RHBZ#1589118. + +* Mon Jun 04 2018 Jiri Vanek - 1:10.0.1.10-7 +- quoted sed expressions, changed possibly confusing # by @ +- added vendor(origin) into icons +- removed last trace of relative symlinks +- added BuildRequires of javapackages-tools to fix build failure after Requires change to javapackages-filesystem + +* Thu May 17 2018 Severin Gehwolf - 1:10.0.1.10-5 +- Move to javapackages-filesystem for directory ownership. + Resolves RHBZ#1500288 + +* Mon Apr 30 2018 Severin Gehwolf - 1:10.0.1.10-4 +- Add JDK-8193802-npe-jar-getVersionMap.patch so as to fix + RHBZ#1557375. + +* Mon Apr 23 2018 Severin Gehwolf - 1:10.0.1.10-3 +- Inject build flags properly. See RHBZ#1571359 +- Added patch JDK-8202262-libjsig.so-extra-link-flags.patch + since libjsig.so doesn't get linker flags injected properly. + +* Fri Apr 20 2018 Severin Gehwolf - 1:10.0.1.10-2 +- Removed unneeded patches: + PStack-808293.patch + multiple-pkcs11-library-init.patch + ppc_stack_overflow_fix.patch +- Added patches for s390 Zero builds: + JDK-8201495-s390-java-opts.patch + JDK-8201509-s390-atomic_store.patch +- Renamed patches for clarity: + aarch64BuildFailure.patch => JDK-8200556-aarch64-slowdebug-crash.patch + systemCryptoPolicyPR3183.patch => pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch + bootcycle_jobs.patch => JDK-8201788-bootcycle-images-jobs.patch + system-nss-ec-rh1565658.patch => pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch + +* Fri Apr 20 2018 Jiri Vanek - 1:10.0.1.10-1 +- updated to security update 1 +- jexec unlinked from path +- used java-openjdk as boot jdk +- aligned provides/requires +- renamed zip javadoc + +* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-12 +- Enable basic EC ciphers test in %%check. + +* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-11 +- Port Martin Balao's JDK 9 patch for system NSS support to JDK 10. +- Resolves RHBZ#1565658 + +* Mon Apr 09 2018 Jiri Vanek - 1:10.0.0.46-10 +- jexec linked to path + +* Fri Apr 06 2018 Jiri Vanek - 1:10.0.0.46-9 +- subpackage(s) replaced by sub-package(s) and other cosmetic changes + +* Tue Apr 03 2018 Jiri Vanek - 1:10.0.0.46-8 +- removed accessibility sub-packages +- kept applied patch and properties files +- debug sub-packages renamed to slowdebug + +* Fri Feb 23 2018 Jiri Vanek - 1:10.0.0.46-1 +- initial load diff --git a/jconsole.desktop.in b/jconsole.desktop.in new file mode 100644 index 0000000..8a3b04d --- /dev/null +++ b/jconsole.desktop.in @@ -0,0 +1,10 @@ +[Desktop Entry] +Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@) +Comment=Monitor and manage OpenJDK applications +Exec=_SDKBINDIR_/jconsole +Icon=java-@JAVA_VER@-@JAVA_VENDOR@ +Terminal=false +Type=Application +StartupWMClass=sun-tools-jconsole-JConsole +Categories=Development;Profiling;Java; +Version=1.0 diff --git a/nss.cfg.in b/nss.cfg.in new file mode 100644 index 0000000..377a39c --- /dev/null +++ b/nss.cfg.in @@ -0,0 +1,5 @@ +name = NSS +nssLibraryDirectory = @NSS_LIBDIR@ +nssDbMode = noDb +attributes = compatibility +handleStartupErrors = ignoreMultipleInitialisation diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in new file mode 100644 index 0000000..2d9ec35 --- /dev/null +++ b/nss.fips.cfg.in @@ -0,0 +1,8 @@ +name = NSS-FIPS +nssLibraryDirectory = @NSS_LIBDIR@ +nssSecmodDirectory = sql:/etc/pki/nssdb +nssDbMode = readOnly +nssModule = fips + +attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } + diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh new file mode 100644 index 0000000..ee02f60 --- /dev/null +++ b/remove-intree-libraries.sh @@ -0,0 +1,166 @@ +#!/bin/sh + +# Arguments: +TREE=${1} +TYPE=${2} + +ZIP_SRC=src/java.base/share/native/libzip/zlib/ +FREETYPE_SRC=src/java.desktop/share/native/libfreetype/ +JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ +GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ +PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ +LCMS_SRC=src/java.desktop/share/native/liblcms/ + +if test "x${TREE}" = "x"; then + echo "$0 (MINIMAL|FULL)"; + exit 1; +fi + +if test "x${TYPE}" = "x"; then + TYPE=minimal; +fi + +if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then + echo "Type must be minimal or full"; + exit 2; +fi + +echo "Removing in-tree libraries from ${TREE}" +echo "Cleansing operation: ${TYPE}"; + +cd ${TREE} + +echo "Removing built-in libs (they will be linked)" + +# On full runs, allow for zlib & freetype having already been deleted by minimal +echo "Removing zlib" +if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then + echo "${ZIP_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${ZIP_SRC} +echo "Removing freetype" +if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then + echo "${FREETYPE_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${FREETYPE_SRC} + +# Minimal is limited to just zlib and freetype so finish here +if test "x${TYPE}" = "xminimal"; then + echo "Finished."; + exit 0; +fi + +echo "Removing libjpeg" +if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist + echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed." + exit 1 +fi + +rm -vf ${JPEG_SRC}/jcomapi.c +rm -vf ${JPEG_SRC}/jdapimin.c +rm -vf ${JPEG_SRC}/jdapistd.c +rm -vf ${JPEG_SRC}/jdcoefct.c +rm -vf ${JPEG_SRC}/jdcolor.c +rm -vf ${JPEG_SRC}/jdct.h +rm -vf ${JPEG_SRC}/jddctmgr.c +rm -vf ${JPEG_SRC}/jdhuff.c +rm -vf ${JPEG_SRC}/jdhuff.h +rm -vf ${JPEG_SRC}/jdinput.c +rm -vf ${JPEG_SRC}/jdmainct.c +rm -vf ${JPEG_SRC}/jdmarker.c +rm -vf ${JPEG_SRC}/jdmaster.c +rm -vf ${JPEG_SRC}/jdmerge.c +rm -vf ${JPEG_SRC}/jdphuff.c +rm -vf ${JPEG_SRC}/jdpostct.c +rm -vf ${JPEG_SRC}/jdsample.c +rm -vf ${JPEG_SRC}/jerror.c +rm -vf ${JPEG_SRC}/jerror.h +rm -vf ${JPEG_SRC}/jidctflt.c +rm -vf ${JPEG_SRC}/jidctfst.c +rm -vf ${JPEG_SRC}/jidctint.c +rm -vf ${JPEG_SRC}/jidctred.c +rm -vf ${JPEG_SRC}/jinclude.h +rm -vf ${JPEG_SRC}/jmemmgr.c +rm -vf ${JPEG_SRC}/jmemsys.h +rm -vf ${JPEG_SRC}/jmemnobs.c +rm -vf ${JPEG_SRC}/jmorecfg.h +rm -vf ${JPEG_SRC}/jpegint.h +rm -vf ${JPEG_SRC}/jpeglib.h +rm -vf ${JPEG_SRC}/jquant1.c +rm -vf ${JPEG_SRC}/jquant2.c +rm -vf ${JPEG_SRC}/jutils.c +rm -vf ${JPEG_SRC}/jcapimin.c +rm -vf ${JPEG_SRC}/jcapistd.c +rm -vf ${JPEG_SRC}/jccoefct.c +rm -vf ${JPEG_SRC}/jccolor.c +rm -vf ${JPEG_SRC}/jcdctmgr.c +rm -vf ${JPEG_SRC}/jchuff.c +rm -vf ${JPEG_SRC}/jchuff.h +rm -vf ${JPEG_SRC}/jcinit.c +rm -vf ${JPEG_SRC}/jconfig.h +rm -vf ${JPEG_SRC}/jcmainct.c +rm -vf ${JPEG_SRC}/jcmarker.c +rm -vf ${JPEG_SRC}/jcmaster.c +rm -vf ${JPEG_SRC}/jcparam.c +rm -vf ${JPEG_SRC}/jcphuff.c +rm -vf ${JPEG_SRC}/jcprepct.c +rm -vf ${JPEG_SRC}/jcsample.c +rm -vf ${JPEG_SRC}/jctrans.c +rm -vf ${JPEG_SRC}/jdtrans.c +rm -vf ${JPEG_SRC}/jfdctflt.c +rm -vf ${JPEG_SRC}/jfdctfst.c +rm -vf ${JPEG_SRC}/jfdctint.c +rm -vf ${JPEG_SRC}/jversion.h +rm -vf ${JPEG_SRC}/README + +echo "Removing giflib" +if [ ! -d ${GIF_SRC} ]; then + echo "${GIF_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${GIF_SRC} + +echo "Removing libpng" +if [ ! -d ${PNG_SRC} ]; then + echo "${PNG_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${PNG_SRC} + +echo "Removing lcms" +if [ ! -d ${LCMS_SRC} ]; then + echo "${LCMS_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -vf ${LCMS_SRC}/cmscam02.c +rm -vf ${LCMS_SRC}/cmscgats.c +rm -vf ${LCMS_SRC}/cmscnvrt.c +rm -vf ${LCMS_SRC}/cmserr.c +rm -vf ${LCMS_SRC}/cmsgamma.c +rm -vf ${LCMS_SRC}/cmsgmt.c +rm -vf ${LCMS_SRC}/cmshalf.c +rm -vf ${LCMS_SRC}/cmsintrp.c +rm -vf ${LCMS_SRC}/cmsio0.c +rm -vf ${LCMS_SRC}/cmsio1.c +rm -vf ${LCMS_SRC}/cmslut.c +rm -vf ${LCMS_SRC}/cmsmd5.c +rm -vf ${LCMS_SRC}/cmsmtrx.c +rm -vf ${LCMS_SRC}/cmsnamed.c +rm -vf ${LCMS_SRC}/cmsopt.c +rm -vf ${LCMS_SRC}/cmspack.c +rm -vf ${LCMS_SRC}/cmspcs.c +rm -vf ${LCMS_SRC}/cmsplugin.c +rm -vf ${LCMS_SRC}/cmsps2.c +rm -vf ${LCMS_SRC}/cmssamp.c +rm -vf ${LCMS_SRC}/cmssm.c +rm -vf ${LCMS_SRC}/cmstypes.c +rm -vf ${LCMS_SRC}/cmsvirt.c +rm -vf ${LCMS_SRC}/cmswtpnt.c +rm -vf ${LCMS_SRC}/cmsxform.c +rm -vf ${LCMS_SRC}/lcms2.h +rm -vf ${LCMS_SRC}/lcms2_internal.h +rm -vf ${LCMS_SRC}/lcms2_plugin.h + + diff --git a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch new file mode 100644 index 0000000..a877506 --- /dev/null +++ b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch @@ -0,0 +1,18 @@ +diff -uNr openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java jdk8/jdk/src/java.desktop/share/classes/java/awt/Toolkit.java +--- openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java ++++ openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java +@@ -883,9 +883,13 @@ + return null; + } + }); + if (!GraphicsEnvironment.isHeadless()) { +- loadAssistiveTechnologies(); ++ try { ++ loadAssistiveTechnologies(); ++ } catch (AWTError error) { ++ // ignore silently ++ } + } + } + return toolkit; + } diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch new file mode 100644 index 0000000..cd3329a --- /dev/null +++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch @@ -0,0 +1,12 @@ +diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security +index 474fe6f401f..7e94ae32023 100644 +--- a/src/java.base/share/conf/security/java.security ++++ b/src/java.base/share/conf/security/java.security +@@ -84,6 +84,7 @@ security.provider.tbd=Apple + #ifndef solaris + security.provider.tbd=SunPKCS11 + #endif ++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg + + # + # Security providers used when FIPS mode support is active diff --git a/rh1648644-java_access_bridge_privileged_security.patch b/rh1648644-java_access_bridge_privileged_security.patch new file mode 100644 index 0000000..53026ad --- /dev/null +++ b/rh1648644-java_access_bridge_privileged_security.patch @@ -0,0 +1,20 @@ +--- openjdk/src/java.base/share/conf/security/java.security ++++ openjdk/src/java.base/share/conf/security/java.security +@@ -304,6 +304,8 @@ + # + package.access=sun.misc.,\ + sun.reflect.,\ ++ org.GNOME.Accessibility.,\ ++ org.GNOME.Bonobo.,\ + + # + # List of comma-separated packages that start with or equal this string +@@ -316,6 +318,8 @@ + # + package.definition=sun.misc.,\ + sun.reflect.,\ ++ org.GNOME.Accessibility.,\ ++ org.GNOME.Bonobo.,\ + + # + # Determines whether this properties file can be appended to diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch new file mode 100644 index 0000000..e6355f2 --- /dev/null +++ b/rh1750419-redhat_alt_java.patch @@ -0,0 +1,116 @@ +diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk +--- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100 ++++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100 +@@ -41,6 +41,16 @@ + OPTIMIZATION := HIGH, \ + )) + ++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c ++$(eval $(call SetupBuildLauncher, alt-java, \ ++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \ ++ LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \ ++ LIBS_windows := user32.lib comctl32.lib, \ ++ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \ ++ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \ ++ OPTIMIZATION := HIGH, \ ++)) ++ + ifeq ($(OPENJDK_TARGET_OS), windows) + $(eval $(call SetupBuildLauncher, javaw, \ + CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \ + +diff -r 25e94aa812b2 src/share/bin/alt_main.h +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ openjdk/src/java.base/share/native/launcher/alt_main.h Tue Jun 02 17:15:28 2020 +0100 +@@ -0,0 +1,73 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#ifdef REDHAT_ALT_JAVA ++ ++#include ++ ++ ++/* Per task speculation control */ ++#ifndef PR_GET_SPECULATION_CTRL ++# define PR_GET_SPECULATION_CTRL 52 ++#endif ++#ifndef PR_SET_SPECULATION_CTRL ++# define PR_SET_SPECULATION_CTRL 53 ++#endif ++/* Speculation control variants */ ++#ifndef PR_SPEC_STORE_BYPASS ++# define PR_SPEC_STORE_BYPASS 0 ++#endif ++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ ++ ++#ifndef PR_SPEC_NOT_AFFECTED ++# define PR_SPEC_NOT_AFFECTED 0 ++#endif ++#ifndef PR_SPEC_PRCTL ++# define PR_SPEC_PRCTL (1UL << 0) ++#endif ++#ifndef PR_SPEC_ENABLE ++# define PR_SPEC_ENABLE (1UL << 1) ++#endif ++#ifndef PR_SPEC_DISABLE ++# define PR_SPEC_DISABLE (1UL << 2) ++#endif ++#ifndef PR_SPEC_FORCE_DISABLE ++# define PR_SPEC_FORCE_DISABLE (1UL << 3) ++#endif ++#ifndef PR_SPEC_DISABLE_NOEXEC ++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) ++#endif ++ ++static void set_speculation() __attribute__((constructor)); ++static void set_speculation() { ++ if ( prctl(PR_SET_SPECULATION_CTRL, ++ PR_SPEC_STORE_BYPASS, ++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { ++ return; ++ } ++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); ++} ++ ++#endif // REDHAT_ALT_JAVA +diff -r 25e94aa812b2 src/share/bin/main.c +--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300 ++++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100 +@@ -34,6 +34,14 @@ + #include "jli_util.h" + #include "jni.h" + ++#ifdef REDHAT_ALT_JAVA ++#if defined(__linux__) && defined(__x86_64__) ++#include "alt_main.h" ++#else ++#warning alt-java requested but SSB mitigation not available on this platform. ++#endif ++#endif ++ + #ifdef _MSC_VER + #if _MSC_VER > 1400 && _MSC_VER < 1600 + diff --git a/rh1842572-rsa_default_for_keytool.patch b/rh1842572-rsa_default_for_keytool.patch new file mode 100644 index 0000000..9f1dabc --- /dev/null +++ b/rh1842572-rsa_default_for_keytool.patch @@ -0,0 +1,12 @@ +diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java +--- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java ++++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java +@@ -1135,7 +1135,7 @@ + } + } else if (command == GENKEYPAIR) { + if (keyAlgName == null) { +- keyAlgName = "DSA"; ++ keyAlgName = "RSA"; + } + doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName); + kssave = true; diff --git a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch new file mode 100644 index 0000000..1b706a1 --- /dev/null +++ b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch @@ -0,0 +1,19 @@ +Remove uses of FAR in jpeg code + +Upstream libjpeg-trubo removed the (empty) FAR macro: +http://sourceforge.net/p/libjpeg-turbo/code/1312/ + +Adjust our code to not use the undefined FAR macro anymore. + +diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c +--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c ++++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c +@@ -1385,7 +1385,7 @@ + /* and fill it in */ + dst_ptr = icc_data; + for (seq_no = first; seq_no < last; seq_no++) { +- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; ++ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; + unsigned int length = + icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN; + -- Gitee From b8ca28388cc33ab6b57138f183f80b434eab4864 Mon Sep 17 00:00:00 2001 From: panxuefeng Date: Wed, 9 Aug 2023 14:45:14 +0800 Subject: [PATCH 2/4] exclude some arches --- java-11-openjdk.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index b415eed..82895e0 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -1109,6 +1109,8 @@ exit 0 %endif } +ExcludeArch: %{aarch64} x86_64 loongarch64 + # not-duplicated requires/provides/obsoletes for normal/debug packages %define java_rpo() %{expand: Requires: fontconfig%{?_isa} -- Gitee From 1d291b723b31a795985cd6a38b2ab9a281fc1c68 Mon Sep 17 00:00:00 2001 From: panxuefeng Date: Wed, 9 Aug 2023 14:57:19 +0800 Subject: [PATCH 3/4] change baseline to java-11-openjdk-11.0.17.0.8-2.el8 --- NEWS | 308 +------------------- TestTranslations.java | 32 +- java-11-openjdk.spec | 54 ++-- jdk8275535-rh2053256-ldap_auth.patch | 26 ++ jdk8293834-kyiv_cldr_update.patch | 57 ++++ jdk8294357-tzdata2022d.patch | 304 +++++++++++++++++++ jdk8295173-tzdata2022e.patch | 420 +++++++++++++++++++++++++++ 7 files changed, 837 insertions(+), 364 deletions(-) create mode 100644 jdk8275535-rh2053256-ldap_auth.patch create mode 100644 jdk8293834-kyiv_cldr_update.patch create mode 100644 jdk8294357-tzdata2022d.patch create mode 100644 jdk8295173-tzdata2022e.patch diff --git a/NEWS b/NEWS index e03d474..3386935 100644 --- a/NEWS +++ b/NEWS @@ -3,316 +3,10 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY -New in release OpenJDK 11.0.18 (2023-01-17): -============================================= -Live versions of these release notes can be found at: - * https://bit.ly/openjdk11018 - * https://builds.shipilev.net/backports-monitor/release-notes-11.0.18.html - -* CVEs - - CVE-2023-21835 - - CVE-2023-21843 -* Security fixes - - JDK-8286070: Improve UTF8 representation - - JDK-8286496: Improve Thread labels - - JDK-8287411: Enhance DTLS performance - - JDK-8288516: Enhance font creation - - JDK-8289350: Better media supports - - JDK-8293554: Enhanced DH Key Exchanges - - JDK-8293598: Enhance InetAddress address handling - - JDK-8293717: Objective view of ObjectView - - JDK-8293734: Improve BMP image handling - - JDK-8293742: Better Banking of Sounds - - JDK-8295687: Better BMP bounds -* Other changes - - JDK-4819544: SwingSet2 JTable Demo throws NullPointerException - - JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider - - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows - - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails - - JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails - - JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed - - JDK-8029633: Raw inner class constructor ref should not perform diamond inference - - JDK-8030121: java/awt/dnd/MissingDragExitEventTest/MissingDragExitEventTest.java fails - - JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails - - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails - - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java - - JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/MultiresolutionIconTest.java - - JDK-8172269: When checking the default behaviour for a scroll tab layout and checking the 'opaque' checkbox, the area behind tabs is not red. - - JDK-8178698: javax/sound/midi/Sequencer/MetaCallback.java failed with timeout - - JDK-8193942: Regression automated test '/open/test/jdk/javax/swing/JFrame/8175301/ScaledFrameBackgroundTest.java' fails - - JDK-8194126: Regression automated Test '/open/test/jdk/javax/swing/JColorChooser/Test7194184.java' fails - - JDK-8198343: Test java/awt/print/PrinterJob/TestPgfmtSetMPA.java may fail w/o printer - - JDK-8199290: [TESTBUG] sun.hotspot.WhiteBox$WhiteBoxPermission is not copied - - JDK-8202836: [macosx] test java/awt/Graphics/TextAAHintsTest.java fails - - JDK-8206125: [windows] cannot pass relative path to --with-boot-jdk - - JDK-8210047: some pages contain content outside of landmark region - - JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values - - JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch - - JDK-8213239: Configure cannot handle command overrides with arguments - - JDK-8215571: jdb does not include jdk.* in the default class filter - - JDK-8217032: Check pandoc capabilities in configure - - JDK-8222091: Javadoc does not handle package annotations correctly on package-info.java - - JDK-8222251: preflow visitor is not visiting lambda expressions - - JDK-8226236: win32: gc/metaspace/TestCapacityUntilGCWrapAround.java fails - - JDK-8227179: Test for new gc+metaspace=info output format - - JDK-8227651: Tests fail with SSLProtocolException: Input record too big - - JDK-8228672: [TESTBUG] gc/metaspace/TestSizeTransitions.java fails on 32-bit platforms - - JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on macOs - - JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java fails on macos - - JDK-8233565: [TESTBUG] NullModalityDialogTest.java fails on MacOS - - JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on macos - - JDK-8239708: Split basics.m4 into basic.m4 and util.m4 - - JDK-8240281: Remove failing assertion code when selecting first memory state in SuperWord::co_locate_pack - - JDK-8242468: VS2019 build missing vcruntime140_1.dll - - JDK-8243565: some gc tests use 'test.java.opts' and not 'test.vm.opts' - - JDK-8243568: serviceability/logging/TestLogRotation.java uses 'test.java.opts' and not 'test.vm.opts' - - JDK-8244010: Simplify usages of ProcessTools.createJavaProcessBuilder in our tests - - JDK-8244557: test/jdk/javax/swing/JTabbedPane/TestBackgroundScrollPolicy.java failed - - JDK-8247676: vcruntime140_1.dll is not needed on 32-bit Windows - - JDK-8249694: java/lang/StringBuffer/HugeCapacity.java and j/l/StringBuilder/HugeCapacity.java tests shouldn't be @ignore-d - - JDK-8253877: gc/g1/TestGCLogMessages.java fails - missing "Evacuation failure" message - - JDK-8254874: ZGC: JNIHandleBlock verification failure in stack watermark processing - - JDK-8254976: Re-enable swing jtreg tests which were broken due to samevm mode - - JDK-8255439: System Tray icons get corrupted when Windows scaling changes - - JDK-8256109: Create implementation for NSAccessibilityButton protocol - - JDK-8257679: Improved unix compatibility layer in Windows build (winenv) - - JDK-8257722: Improve "keytool -printcert -jarfile" output - - JDK-8258005: JDK build fails with incorrect fixpath script - - JDK-8259485: Document need for short paths when building on Windows - - JDK-8260272: bash configure --prefix does not work after JDK-8257679 - - JDK-8261336: IGV: enhance default filters - - JDK-8261445: Use memory_order_relaxed for os::random(). - - JDK-8261758: [TESTBUG] gc/g1/TestGCLogMessages.java fails if ergonomics detect too small InitialHeapSize - - JDK-8263326: Remove ReceiverTypeData check from serviceability/sa/TestPrintMdo.java - - JDK-8263871: On sem_destroy() failing we should assert - - JDK-8264593: debug.cpp utilities should be available in product builds. - - JDK-8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class - - JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint - - JDK-8266967: debug.cpp utility find() should print Java Object fields. - - JDK-8268361: Fix the infinite loop in next_line - - JDK-8268860: Windows-Aarch64 build is failing in GitHub actions - - JDK-8268893: jcmd to trim the glibc heap - - JDK-8269029: compiler/codegen/TestCharVect2.java fails for client VMs - - JDK-8269873: serviceability/sa/Clhsdb tests are using a C2 specific VMStruct field - - JDK-8272123: Problem list 4 jtreg tests which regularly fail on macos-aarch64 - - JDK-8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints - - JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368 - - JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails on macOS 12 - - JDK-8273685: Remove jtreg tag manual=yesno for java/awt/Graphics/LCDTextAndGraphicsState.java & show test instruction - - JDK-8274029: Remove jtreg tag manual=yesno for java/awt/print/Dialog/DialogOrient.java - - JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ImageTypes.java & show test UI - - JDK-8274296: Update or Problem List tests which may fail with uiScale=2 on macOS - - JDK-8274456: Remove jtreg tag manual=yesno java/awt/print/PrinterJob/PageDialogTest.java - - JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening - - JDK-8274597: Some of the dnd tests time out and fail intermittently - - JDK-8275170: Some jtreg sound tests should be marked with sound keyword - - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked - - JDK-8276841: Add support for Visual Studio 2022 - - JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points - - JDK-8277497: Last column cell in the JTable row is read as empty cell - - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode - - JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java fails with "tag mismatch" - - JDK-8279066: entries.remove(entry) is useless in PKCS12KeyStore - - JDK-8279695: [TESTBUG] modify compiler/loopopts/TestSkeletonPredicateNegation.java to run on C1 also - - JDK-8280158: New test from JDK-8274736 failed with/without patch in JDK11u - - JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound - - JDK-8280863: Update build README to reflect that MSYS2 is supported - - JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR - - JDK-8280948: Write a regression test for JDK-4659800 - - JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix - - JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950 - - JDK-8281296: Create a regression test for JDK-4515999 - - JDK-8281297: TestStressG1Humongous fails with guarantee(is_range_uncommitted) - - JDK-8282046: Create a regression test for JDK-8000326 - - JDK-8282276: Problem list failing two Robot Screen Capture tests - - JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid link access - - JDK-8282345: handle latest VS2022 in abstract_vm_version - - JDK-8282402: Create a regression test for JDK-4666101 - - JDK-8282640: Create a test for JDK-4740761 - - JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/LoadUnloadGC2.java fails intermittently with exit code 1 - - JDK-8282730: LdapLoginModule throw NPE from logout method after login failure - - JDK-8282777: Create a Regression test for JDK-4515031 - - JDK-8282778: Create a regression test for JDK-4699544 - - JDK-8282857: Create a regression test for JDK-4702690 - - JDK-8282936: Write a regression test for JDK-4615365 - - JDK-8282937: Write a regression test for JDK-4820080 - - JDK-8283199: Linux os::cpu_microcode_revision() stalls cold startup - - JDK-8283422: Create a new test for JDK-8254790 - - JDK-8284294: Create an automated regression test for RFE 4138746 - - JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph - - JDK-8284521: Write an automated regression test for RFE 4371575 - - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox - - JDK-8284732: FFI_GO_CLOSURES macro not defined but required for zero build on Mac OS X - - JDK-8284752: Zero does not build on Mac OS X due to missing os::current_thread_enable_wx implementation - - JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown" - - JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java - - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist - - JDK-8285305: Create an automated test for JDK-4495286 - - JDK-8285373: Create an automated test for JDK-4702233 - - JDK-8285604: closed sun/java2d/GdiRendering/ClipShapeRendering.java failed with "Incorrect color ffeeeeee instead of ff0000ff in pixel (100, 100)" - - JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java manual test - - JDK-8285698: Create a test to check the focus stealing of JPopupMenu from JComboBox - - JDK-8285794: AsyncGetCallTrace might acquire a lock via JavaThread::thread_from_jni_environment - - JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server" - - JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine - - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3 - - JDK-8286663: Resolve IDE warnings in WTrayIconPeer and SystemTray - - JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/DropTargetInInternalFrameTest.html times out and fails in Windows - - JDK-8286872: Refactor add/modify notification icon (TrayIcon) - - JDK-8287076: Document.normalizeDocument() produces different results - - JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn - - JDK-8287425: Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path - - JDK-8287609: macOS: SIGSEGV at [CoreFoundation] CFArrayGetCount / sun.font.CFont.getTableBytesNative - - JDK-8287724: Fix various issues with msys2 - - JDK-8287826: javax/accessibility/4702233/AccessiblePropertiesTest.java fails to compile - - JDK-8287895: Some langtools tests fail on msys2 - - JDK-8287896: PropertiesTest.sh fail on msys2 - - JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows - - JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier - - JDK-8288132: Update test artifacts in QuoVadis CA interop tests - - JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit compiling xerces - - JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env variable - - JDK-8288445: AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding - - JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ... - - JDK-8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305 - - JDK-8289043: C2: Vector constant materialization attempt - - JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java fails on linux ppc64le machine with missing Memory and Swap Limit output - - JDK-8290207: Missing notice in dom.md - - JDK-8290209: jcup.md missing additional text - - JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1 - - JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure - - JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" - - JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize - - JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses - - JDK-8291459: JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*) - - JDK-8291461: assert(false) failed: bad AD file - - JDK-8292083: Detected container memory limit may exceed physical machine memory - - JDK-8292158: AES-CTR cipher state corruption with AVX-512 - - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory - - JDK-8292682: Code change of JDK-8282730 not updated to reflect CSR update - - JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free - - JDK-8292866: Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check MultiByteToWideChar return value for failures - - JDK-8292887: Bump update version for OpenJDK: jdk-11.0.18 - - JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform - - JDK-8293044: C1: Missing access check on non-accessible class - - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present - - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts - - JDK-8293578: Duplicate ldc generated by javac - - JDK-8293672: Update freetype md file - - JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent - - JDK-8293826: Closed test fails after JDK-8276108 on aarch64 - - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening - - JDK-8293834: Update CLDR data following tzdata 2022c update - - JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC - - JDK-8294138: [11u] Revert change from JDK-8210962 in basic.m4 - - JDK-8294307: ISO 4217 Amendment 173 Update - - JDK-8294357: (tz) Update Timezone Data to 2022d - - JDK-8294578: [PPC64] C2: Missing is_oop information when using disjoint compressed oops mode - - JDK-8294740: Add cgroups keyword to TestDockerBasic.java - - JDK-8295173: (tz) Update Timezone Data to 2022e - - JDK-8295288: Some vm_flags tests associate with a wrong BugID - - JDK-8295322: Tests for JDK-8271459 were not backported to 11u - - JDK-8295429: Update harfbuzz md file - - JDK-8295469: S390X: Optimized builds are broken - - JDK-8295554: Move the "sizecalc.h" to the correct location - - JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev - - JDK-8295714: GHA ::set-output is deprecated and will be removed - - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error - - JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor - - JDK-8295952: Problemlist existing compiler/rtm tests also on x86 - - JDK-8296108: (tz) Update Timezone Data to 2022f - - JDK-8296239: ISO 4217 Amendment 174 Update - - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing - - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException - - JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation - - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent - - JDK-8296652: Restore windows aarch64 fixpath patch that was removed in 8239708 - - JDK-8296715: CLDR v42 update for tzdata 2022f - - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2 - - JDK-8297147: UnexpectedSourceImageSize test times out on slow machines when fastdebug is used - - JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails again - - JDK-8297241: Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java - - JDK-8297481: Create a regression test for JDK-4424517 - - JDK-8297656: AArch64: Enable AES/GCM Intrinsics - - JDK-8297804: (tz) Update Timezone Data to 2022g - - JDK-8298737: 8296772 backport to jdk11u caused build error on sparc - - JDK-8299393: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.18 - - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR - - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java - - JDK-8299616: [11u] Bootcycle build fails after JDK-8257679 backport - -Notes on individual issues: -=========================== - -client-libs/javax.imageio: - -JDK-8295687: Better BMP bounds -============================== -Loading a linked ICC profile within a BMP image is now disabled by -default. To re-enable it, set the new system property -`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property -replaces the old property, -`sun.imageio.plugins.bmp.disableLinkedProfiles`. - -client-libs/javax.sound: - -JDK-8293742: Better Banking of Sounds -===================================== -Previously, the SoundbankReader implementation, -`com.sun.media.sound.JARSoundbankReader`, would download a JAR -soundbank from a URL. This behaviour is now disabled by default. To -re-enable it, set the new system property `jdk.sound.jarsoundbank` to -`true`. - -security-libs/javax.crypto: - -JDK-6782021: Windows KeyStore Updated to Include Access to the Local Machine Location -===================================================================================== -The Windows KeyStore support in the SunMSCAPI provider has been -expanded to include access to the local machine location. The new -keystore types are: - -* "Windows-MY-LOCALMACHINE" -* "Windows-ROOT-LOCALMACHINE" - -The following keystore types were also added, allowing developers to -make it clear they map to the current user: - -* "Windows-MY-CURRENTUSER" (same as "Windows-MY") -* "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT") - -security-libs/java.security: - -JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set -========================================================================================================== -Back in OpenJDK 9, JDK-8015081 changed the Set implementation used to -hold principals and credentials so that it rejected null -values. Attempts to call add(null), contains(null) or remove(null) -were changed to throw a NullPointerException. - -However, the logout() methods in the LoginModule implementations -within the JDK were not updated to check for null values, which may -occur in the event of a failed login. As a result, a logout() call may -throw a NullPointerException. - -The LoginModule implementations have now been updated with such checks -and an implementation note added to the specification to suggest that -the same change is made in third party modules. Developers of third -party modules are advised to verify that their logout() method does not -throw a NullPointerException. - -security-libs/javax.net.ssl: - -JDK-8287411: Enhance DTLS performance -===================================== -The JDK now exchanges DTLS cookies for all handshakes, new and -resumed. The previous behaviour can be re-enabled by setting the new -system property `jdk.tls.enableDtlsResumeCookie` to `false`. - New in release OpenJDK 11.0.17 (2022-10-18): ============================================= Live versions of these release notes can be found at: - * https://bit.ly/openjdk11017 + * https://bitly.com/openjdk11017 * https://builds.shipilev.net/backports-monitor/release-notes-11.0.17.html * Security fixes diff --git a/TestTranslations.java b/TestTranslations.java index d87647a..dbea417 100644 --- a/TestTranslations.java +++ b/TestTranslations.java @@ -30,7 +30,7 @@ import java.util.TimeZone; public class TestTranslations { - private static Map KYIV, CIUDAD_JUAREZ; + private static Map KYIV; static { Map map = new HashMap(); @@ -44,18 +44,6 @@ public class TestTranslations { "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ", "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"}); KYIV = Collections.unmodifiableMap(map); - - map = new HashMap(); - map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST", - "Mountain Daylight Time", "MDT", "MDT", - "Mountain Time", "MT", "MT"}); - map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST", - "heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT", - "heure des Rocheuses", "UTC\u221207:00", "MT"}); - map.put(Locale.GERMANY, new String[] { "Rocky Mountain-Normalzeit", "GMT-07:00", "MST", - "Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT", - "Rocky-Mountain-Zeit", "GMT-07:00", "MT"}); - CIUDAD_JUAREZ = Collections.unmodifiableMap(map); } @@ -65,6 +53,7 @@ public class TestTranslations { System.exit(1); } + String localeProvider = args[0]; System.out.println("Checking sanity of full zone string set..."); boolean invalid = Arrays.stream(Locale.getAvailableLocales()) .peek(l -> System.out.println("Locale: " + l)) @@ -79,18 +68,9 @@ public class TestTranslations { System.exit(2); } - String localeProvider = args[0]; - testZone(localeProvider, KYIV, - new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }); - testZone(localeProvider, CIUDAD_JUAREZ, - new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" }); - } - - private static void testZone(String localeProvider, Map exp, String[] ids) { - for (Locale l : exp.keySet()) { - String[] expected = exp.get(l); - System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected)); - for (String id : ids) { + for (Locale l : KYIV.keySet()) { + String[] expected = KYIV.get(l); + for (String id : new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }) { String expectedShortStd = null; String expectedShortDST = null; String expectedShortGen = null; @@ -144,7 +124,7 @@ public class TestTranslations { } if (!expected[6].equals(longGen)) { - System.err.printf("Long generic display name for %s in %s was %s, expected %s\n", + System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", id, l, longGen, expected[6]); System.exit(8); } diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 82895e0..086ef98 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -331,7 +331,7 @@ # New Version-String scheme-style defines %global featurever 11 %global interimver 0 -%global updatever 18 +%global updatever 17 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, @@ -377,8 +377,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 10 -%global rpmrelease 3 +%global buildver 8 +%global rpmrelease 2 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -1109,8 +1109,6 @@ exit 0 %endif } -ExcludeArch: %{aarch64} x86_64 loongarch64 - # not-duplicated requires/provides/obsoletes for normal/debug packages %define java_rpo() %{expand: Requires: fontconfig%{?_isa} @@ -1145,8 +1143,9 @@ Provides: jre%{?1} = %{epoch}:%{version}-%{release} Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem -# 2022g required as of JDK-8297804 -Requires: tzdata-java >= 2022g +# 2022d required as of JDK-8294357 +# Should be bumped to 2022e once available (JDK-8295173) +Requires: tzdata-java >= 2022d # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} @@ -1401,6 +1400,8 @@ Patch1001: fips-11u-%{fipsver}.patch ############################################# Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch +# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked +Patch8: jdk8275535-rh2053256-ldap_auth.patch ############################################# # @@ -1421,6 +1422,12 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 # able to be removed once that release is out # and used by this RPM. ############################################# +# JDK-8293834: Update CLDR data following tzdata 2022c update +Patch2001: jdk8293834-kyiv_cldr_update.patch +# JDK-8294357: (tz) Update Timezone Data to 2022d +Patch2002: jdk8294357-tzdata2022d.patch +# JDK-8295173: (tz) Update Timezone Data to 2022e +Patch2003: jdk8295173-tzdata2022e.patch BuildRequires: autoconf BuildRequires: automake @@ -1455,8 +1462,9 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2022g required as of JDK-8297804 -BuildRequires: tzdata-java >= 2022g +# 2022d required as of JDK-8294357 +# Should be bumped to 2022e once available (JDK-8295173) +BuildRequires: tzdata-java >= 2022d # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1839,11 +1847,17 @@ pushd %{top_level_dir_name} %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security %patch1000 -p1 +# tzdata updates targetted for 11.0.18 +%patch2001 -p1 +%patch2002 -p1 +%patch2003 -p1 popd # openjdk %patch600 %patch1003 +%patch8 + # Extract systemtap tapsets %if %{with_systemtap} tar --strip-components=1 -x -I xz -f %{SOURCE8} @@ -2678,28 +2692,6 @@ end %endif %changelog -* Wed Jan 11 2023 Andrew Hughes - 1:11.0.18.0.10-3 -- Update to jdk-11.0.18+10 (GA) -- Update release notes to 11.0.18+10 -- Switch to GA mode for release -- Resolves: rhbz#2160111 - -* Tue Jan 03 2023 Andrew Hughes - 1:11.0.18.0.9-0.3.ea -- Update to jdk-11.0.18+9 -- Update release notes to 11.0.18+9 -- Drop local copy of JDK-8293834 now this is upstream -- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804 -- Update TestTranslations.java to test the new America/Ciudad_Juarez zone -- Resolves: rhbz#2150194 - -* Thu Dec 15 2022 Andrew Hughes - 1:11.0.18.0.1-0.3.ea -- Update to jdk-11.0.18+1 -- Update release notes to 11.0.18+1 -- Switch to EA mode for 11.0.18 pre-release builds. -- Drop local copies of JDK-8294357 & JDK-8295173 now upstream contains tzdata 2022e -- Drop local copy of JDK-8275535 which is finally upstream -- Related: rhbz#2150194 - * Wed Oct 26 2022 Andrew Hughes - 1:11.0.17.0.8-2 - Update to jdk-11.0.17+8 (GA) - Update release notes to 11.0.17+8 diff --git a/jdk8275535-rh2053256-ldap_auth.patch b/jdk8275535-rh2053256-ldap_auth.patch new file mode 100644 index 0000000..7a25e4b --- /dev/null +++ b/jdk8275535-rh2053256-ldap_auth.patch @@ -0,0 +1,26 @@ +diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java +index 300f3682655..6f3eb6c450b 100644 +--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java ++++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java +@@ -226,6 +226,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor + ctx = getLdapCtxFromUrl( + r.getDomainName(), url, new LdapURL(u), env); + return ctx; ++ } catch (AuthenticationException e) { ++ // do not retry on a different endpoint to avoid blocking ++ // the user if authentication credentials are wrong. ++ throw e; + } catch (NamingException e) { + // try the next element + lastException = e; +@@ -278,6 +282,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor + for (String u : urls) { + try { + return getUsingURL(u, env); ++ } catch (AuthenticationException e) { ++ // do not retry on a different URL to avoid blocking ++ // the user if authentication credentials are wrong. ++ throw e; + } catch (NamingException e) { + ex = e; + } diff --git a/jdk8293834-kyiv_cldr_update.patch b/jdk8293834-kyiv_cldr_update.patch new file mode 100644 index 0000000..45d14c9 --- /dev/null +++ b/jdk8293834-kyiv_cldr_update.patch @@ -0,0 +1,57 @@ +commit 58ba3b61d276423cef1e1f52bd73c9706cc073fc +Author: Andrew Hughes +Date: Sat Oct 15 05:37:36 2022 +0100 + + Backport e10231248fc100f9dfa08468ac897f60b843857f + +diff --git a/src/jdk.localedata/share/classes/sun/util/cldr/resources/common/bcp47/timezone.xml b/src/jdk.localedata/share/classes/sun/util/cldr/resources/common/bcp47/timezone.xml +index 35f8fc86efa..a9b635b4fa4 100644 +--- a/src/jdk.localedata/share/classes/sun/util/cldr/resources/common/bcp47/timezone.xml ++++ b/src/jdk.localedata/share/classes/sun/util/cldr/resources/common/bcp47/timezone.xml +@@ -392,7 +392,7 @@ For terms of use, see http://www.unicode.org/copyright.html + + + +- ++ + + + +diff --git a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java +index c2b5672646c..53903d19d3d 100644 +--- a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java ++++ b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java +@@ -23,7 +23,7 @@ + + /* + * @test +- * @bug 8181157 8202537 8234347 8236548 ++ * @bug 8181157 8202537 8234347 8236548 8293834 + * @modules jdk.localedata + * @summary Checks CLDR time zone names are generated correctly at runtime + * @run testng/othervm -Djava.locale.providers=CLDR TimeZoneNamesTest +@@ -102,6 +102,24 @@ public class TimeZoneNamesTest { + "UTC+04:00", + "heure : Astrakhan", + "UTC+04:00"}, ++ {"Europe/Kyiv", Locale.US, "Eastern European Standard Time", ++ "GMT+02:00", ++ "Eastern European Summer Time", ++ "GMT+03:00", ++ "Eastern European Time", ++ "GMT+02:00"}, ++ {"Europe/Kyiv", Locale.FRANCE, "heure normale d\u2019Europe de l\u2019Est", ++ "UTC+02:00", ++ "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", ++ "UTC+03:00", ++ "heure d\u2019Europe de l\u2019Est", ++ "UTC+02:00"}, ++ {"Europe/Kyiv", Locale.GERMANY, "Osteurop\u00e4ische Normalzeit", ++ "OEZ", ++ "Osteurop\u00e4ische Sommerzeit", ++ "OESZ", ++ "Osteurop\u00e4ische Zeit", ++ "OEZ"}, + {"Europe/Saratov", Locale.US, "Saratov Standard Time", + "GMT+04:00", + "Saratov Daylight Time", diff --git a/jdk8294357-tzdata2022d.patch b/jdk8294357-tzdata2022d.patch new file mode 100644 index 0000000..625efa5 --- /dev/null +++ b/jdk8294357-tzdata2022d.patch @@ -0,0 +1,304 @@ +commit f67b4de8a07b8158be1dfb5b09cdb4cc5b7ac93b +Author: David Alvarez +Date: Tue Oct 11 20:04:39 2022 +0000 + + 8294357: (tz) Update Timezone Data to 2022d + + Reviewed-by: phh + Backport-of: f01573368f905f27d26f1d07d9cfd26dcc736a54 + +diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION +index decb8716b22..889d0e6dad7 100644 +--- a/make/data/tzdata/VERSION ++++ b/make/data/tzdata/VERSION +@@ -21,4 +21,4 @@ + # or visit www.oracle.com if you need additional information or have any + # questions. + # +-tzdata2022c ++tzdata2022d +diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia +index 3a150b0f36b..f9df7432947 100644 +--- a/make/data/tzdata/asia ++++ b/make/data/tzdata/asia +@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # The winter time in 2015 started on October 23 at 01:00. + # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY + # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583 +-# +-# From Paul Eggert (2019-04-10): +-# For now, guess spring-ahead transitions are at 00:00 on the Saturday +-# preceding March's last Sunday (i.e., Sat>=24). + + # From P Chan (2021-10-18): + # http://wafa.ps/Pages/Details/34701 +@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # From Heba Hamad (2022-03-10): + # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM. + ++# From Heba Hamad (2022-08-30): ++# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by ++# 60 minutes backwards. Also the state of Palestine adopted the summer ++# and winter time for the years: 2023,2024,2025,2026 ... ++# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf ++# (2022-08-31): ... the Saturday before the last Sunday in March and October ++# at 2:00 AM ,for the years from 2023 to 2026. ++# (2022-09-05): https://mtit.pna.ps/Site/New/1453 ++# ++# From Paul Eggert (2022-08-31): ++# For now, assume that this rule will also be used after 2026. ++ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule EgyptAsia 1957 only - May 10 0:00 1:00 S + Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 - +@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 - + Rule Palestine 2014 only - Oct 24 0:00 0 - + Rule Palestine 2015 only - Mar 28 0:00 1:00 S + Rule Palestine 2015 only - Oct 23 1:00 0 - +-Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S +-Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 - ++Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S ++Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 - + Rule Palestine 2019 only - Mar 29 0:00 1:00 S +-Rule Palestine 2019 only - Oct Sat>=24 0:00 0 - +-Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S ++Rule Palestine 2019 only - Oct Sat<=30 0:00 0 - ++Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S + Rule Palestine 2020 only - Oct 24 1:00 0 - +-Rule Palestine 2021 max - Oct Fri>=23 1:00 0 - +-Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S ++Rule Palestine 2021 only - Oct 29 1:00 0 - ++Rule Palestine 2022 only - Mar 27 0:00 1:00 S ++Rule Palestine 2022 max - Oct Sat<=30 2:00 0 - ++Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Gaza 2:17:52 - LMT 1900 Oct +diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward +index d4a29e8cf29..7765d99aedf 100644 +--- a/make/data/tzdata/backward ++++ b/make/data/tzdata/backward +@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT + Link Europe/London Europe/Belfast + Link Europe/Kyiv Europe/Kiev + Link Europe/Chisinau Europe/Tiraspol ++Link Europe/Kyiv Europe/Uzhgorod ++Link Europe/Kyiv Europe/Zaporozhye + Link Europe/London GB + Link Europe/London GB-Eire + Link Etc/GMT GMT+0 +diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe +index 879b5337536..accc845dbaf 100644 +--- a/make/data/tzdata/europe ++++ b/make/data/tzdata/europe +@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880 + # From Alexander Krivenyshev (2014-03-17): + # time change at 2:00 (2am) on March 30, 2014 + # https://vz.ru/news/2014/3/17/677464.html +-# From Paul Eggert (2014-03-30): +-# Simferopol and Sevastopol reportedly changed their central town clocks +-# late the previous day, but this appears to have been ceremonial +-# and the discrepancies are small enough to not worry about. ++# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30): ++# The clocks at the railway station in Simferopol were put forward from 22:00 ++# to 24:00 the previous day in a "symbolic ceremony"; however, per ++# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings ++# time switch at 2am" on Sunday. ++# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html ++# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329 ++# https://www.bbc.com/news/av/world-europe-26806583 + 2:00 EU EE%sT 2014 Mar 30 2:00 + 4:00 - MSK 2014 Oct 26 2:00s + 3:00 - MSK +@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. + # US colleague David Cochrane) are still trying to get more + # information upon these local deviations from Kiev rules. + # +-# From Paul Eggert (2022-02-08): +-# For now, assume that Ukraine's other three zones followed the same rules, ++# From Paul Eggert (2022-08-27): ++# For now, assume that Ukraine's zones all followed the same rules, + # except that Crimea switched to Moscow time in 1994 as described elsewhere. + + # From Igor Karpov, who works for the Ukrainian Ministry of Justice, +@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. + # * Ukrainian Government's Resolution of 20.03.1992, No. 139. + # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm + +-# From Paul Eggert (2022-04-12): +-# As is usual in tzdb, Ukrainian zones use the most common English spellings. +-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in +-# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev, +-# "Kyiv" is now more common due to widespread reporting of the current conflict. +-# Conversely, tzdb continues to use the names Europe/Uzhgorod and +-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is +-# certainly wrong as a transliteration of the Czech "Praha". +-# English-language spelling of Ukrainian names is in flux, and +-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more +-# common in English; in the meantime, do not change these +-# English spellings as that means less disruption for our users. +- + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-# This represents most of Ukraine. See above for the spelling of "Kyiv". + Zone Europe/Kyiv 2:02:04 - LMT 1880 + 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time + 2:00 - EET 1930 Jun 21 +@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880 + 2:00 1:00 EEST 1991 Sep 29 3:00 + 2:00 C-Eur EE%sT 1996 May 13 + 2:00 EU EE%sT +-# Transcarpathia used CET 1990/1991. +-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but +-# "Uzhgorod" is more common in English. +-Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct +- 1:00 - CET 1940 +- 1:00 C-Eur CE%sT 1944 Oct +- 1:00 1:00 CEST 1944 Oct 26 +- 1:00 - CET 1945 Jun 29 +- 3:00 Russia MSK/MSD 1990 +- 3:00 - MSK 1990 Jul 1 2:00 +- 1:00 - CET 1991 Mar 31 3:00 +- 2:00 - EET 1992 Mar 20 +- 2:00 C-Eur EE%sT 1996 May 13 +- 2:00 EU EE%sT +-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991. +-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but +-# "Zaporozh'ye" is more common in English. Use the common English +-# spelling, except omit the apostrophe as it is not allowed in +-# portable Posix file names. +-Zone Europe/Zaporozhye 2:20:40 - LMT 1880 +- 2:20 - +0220 1924 May 2 +- 2:00 - EET 1930 Jun 21 +- 3:00 - MSK 1941 Aug 25 +- 1:00 C-Eur CE%sT 1943 Oct 25 +- 3:00 Russia MSK/MSD 1991 Mar 31 2:00 +- 2:00 E-Eur EE%sT 1992 Mar 20 +- 2:00 C-Eur EE%sT 1996 May 13 +- 2:00 EU EE%sT + + # Vatican City + # See Europe/Rome. +diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica +index 13ec081c7e0..3c0e0e2061c 100644 +--- a/make/data/tzdata/southamerica ++++ b/make/data/tzdata/southamerica +@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914 + # for America/Santiago will start on midnight of September 11th; + # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas) + # will keep UTC -3 "indefinitely"... This is because on September 4th +-# we will have a voting whether to approve a new Constitution.... +-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/ ++# we will have a voting whether to approve a new Constitution. ++# ++# From Eduardo Romero Urra (2022-08-17): ++# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf ++# ++# From Paul Eggert (2022-08-17): ++# Although the presidential decree stops at fall 2026, assume that ++# similar DST rules will continue thereafter. + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Chile 1927 1931 - Sep 1 0:00 1:00 - +diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab +index 51b65fa273c..ee025196e50 100644 +--- a/make/data/tzdata/zone.tab ++++ b/make/data/tzdata/zone.tab +@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti + TW +2503+12130 Asia/Taipei + TZ -0648+03917 Africa/Dar_es_Salaam + UA +5026+03031 Europe/Kyiv Ukraine (most areas) +-UA +4837+02218 Europe/Uzhgorod Transcarpathia +-UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk + UG +0019+03225 Africa/Kampala + UM +2813-17722 Pacific/Midway Midway Islands + UM +1917+16637 Pacific/Wake Wake Island +diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +index bfe0dd3b548..1dc82561f23 100644 +--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java ++++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +@@ -573,12 +573,8 @@ public final class ZoneInfoFile { + // we can then pass in the dom = -1, dow > 0 into ZoneInfo + // + // hacking, assume the >=24 is the result of ZRB optimization for +- // "last", it works for now. From tzdata2020d this hacking +- // will not work for Asia/Gaza and Asia/Hebron which follow +- // Palestine DST rules. +- if (dom < 0 || dom >= 24 && +- !(zoneId.equals("Asia/Gaza") || +- zoneId.equals("Asia/Hebron"))) { ++ // "last", it works for now. ++ if (dom < 0 || dom >= 24) { + params[1] = -1; + params[2] = toCalendarDOW[dow]; + } else { +@@ -600,7 +596,6 @@ public final class ZoneInfoFile { + params[7] = 0; + } else { + // hacking: see comment above +- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e + if (dom < 0 || dom >= 24) { + params[6] = -1; + params[7] = toCalendarDOW[dow]; +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +index c32bee39fba..71470168456 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +@@ -1 +1 @@ +-tzdata2022c ++tzdata2022d +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt +index a5e6428a3f5..e3ce742f887 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt +@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT + Link Europe/London Europe/Belfast + Link Europe/Kyiv Europe/Kiev + Link Europe/Chisinau Europe/Tiraspol ++Link Europe/Kyiv Europe/Uzhgorod ++Link Europe/Kyiv Europe/Zaporozhye + Link Europe/London GB + Link Europe/London GB-Eire + Link Etc/GMT GMT+0 +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +index fc148537f1f..b3823958ae4 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +@@ -163,11 +163,9 @@ Europe/Simferopol MSK + Europe/Sofia EET EEST + Europe/Tallinn EET EEST + Europe/Tirane CET CEST +-Europe/Uzhgorod EET EEST + Europe/Vienna CET CEST + Europe/Vilnius EET EEST + Europe/Warsaw CET CEST +-Europe/Zaporozhye EET EEST + Europe/Zurich CET CEST + HST HST + MET MET MEST +diff --git a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java +index 7b50c342a0d..a7d14f1aa21 100644 +--- a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java ++++ b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java +@@ -176,11 +176,12 @@ public class TestZoneInfo310 { + * save time in IANA tzdata. This bug is tracked via JDK-8223388. + * + * These are the zones/rules that employ negative DST in vanguard +- * format (as of 2019a): ++ * format (as of 2019a), Palestine added in 2022d: + * + * - Rule "Eire" + * - Rule "Morocco" + * - Rule "Namibia" ++ * - Rule "Palestine" + * - Zone "Europe/Prague" + * + * Tehran/Iran rule has rules beyond 2037, in which javazic assumes +@@ -196,6 +197,8 @@ public class TestZoneInfo310 { + zid.equals("Europe/Dublin") || // uses "Eire" rule + zid.equals("Europe/Prague") || + zid.equals("Asia/Tehran") || // last rule mismatch ++ zid.equals("Asia/Gaza") || // uses "Palestine" rule ++ zid.equals("Asia/Hebron") || // uses "Palestine" rule + zid.equals("Iran")) { // last rule mismatch + continue; + } diff --git a/jdk8295173-tzdata2022e.patch b/jdk8295173-tzdata2022e.patch new file mode 100644 index 0000000..f5823a0 --- /dev/null +++ b/jdk8295173-tzdata2022e.patch @@ -0,0 +1,420 @@ +commit 826a9b80d7db0395308d9f8d5f23d5afc0756971 +Author: duke +Date: Fri Oct 14 20:26:41 2022 +0000 + + Backport 21407dec0156301871a83328615e4d975c4287c4 + +diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION +index 889d0e6dad7..b8cb36e69f4 100644 +--- a/make/data/tzdata/VERSION ++++ b/make/data/tzdata/VERSION +@@ -21,4 +21,4 @@ + # or visit www.oracle.com if you need additional information or have any + # questions. + # +-tzdata2022d ++tzdata2022e +diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia +index f9df7432947..5b2337fd0b6 100644 +--- a/make/data/tzdata/asia ++++ b/make/data/tzdata/asia +@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u + # From the Arabic version, it seems to say it would be at midnight + # (assume 24:00) on the last Thursday in February, starting from 2022. + ++# From Issam Al-Zuwairi (2022-10-05): ++# The Council of Ministers in Jordan decided Wednesday 5th October 2022, ++# that daylight saving time (DST) will be throughout the year.... ++# ++# From Brian Inglis (2022-10-06): ++# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news ++# ++# From Paul Eggert (2022-10-05): ++# Like Syria, model this as a transition from EEST +03 (DST) to plain +03 ++# (non-DST) at the point where DST would otherwise have ended. ++ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Jordan 1973 only - Jun 6 0:00 1:00 S + Rule Jordan 1973 1975 - Oct 1 0:00 0 - +@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 - + Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 - + Rule Jordan 2013 only - Dec 20 0:00 0 - + Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S +-Rule Jordan 2014 max - Oct lastFri 0:00s 0 - +-Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S ++Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 - ++Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Amman 2:23:44 - LMT 1931 +- 2:00 Jordan EE%sT ++ 2:00 Jordan EE%sT 2022 Oct 28 0:00s ++ 3:00 - +03 + + + # Kazakhstan +@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 - + # Our brief summary: + # https://www.timeanddate.com/news/time/syria-dst-2012.html + +-# From Arthur David Olson (2012-03-27): +-# Assume last Friday in March going forward XXX. ++# From Steffen Thorsen (2022-10-05): ++# Syria is adopting year-round DST, starting this autumn.... ++# From https://www.enabbaladi.net/archives/607812 ++# "This [the decision] came after the weekly government meeting today, ++# Tuesday 4 October ..." ++# ++# From Paul Eggert (2022-10-05): ++# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03 ++# (non-DST) at the point where DST would otherwise have ended. + + Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S + Rule Syria 2008 only - Nov 1 0:00 0 - + Rule Syria 2009 only - Mar lastFri 0:00 1:00 S + Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S +-Rule Syria 2012 max - Mar lastFri 0:00 1:00 S +-Rule Syria 2009 max - Oct lastFri 0:00 0 - ++Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S ++Rule Syria 2009 2022 - Oct lastFri 0:00 0 - + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq +- 2:00 Syria EE%sT ++ 2:00 Syria EE%sT 2022 Oct 28 0:00 ++ 3:00 - +03 + + # Tajikistan + # From Shanks & Pottenger. +diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe +index accc845dbaf..2832c4b9763 100644 +--- a/make/data/tzdata/europe ++++ b/make/data/tzdata/europe +@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u + 0:00 Spain WE%sT 1940 Mar 16 23:00 + 1:00 Spain CE%sT 1979 + 1:00 EU CE%sT +-Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44 ++Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u + 0:00 - WET 1918 May 6 23:00 + 0:00 1:00 WEST 1918 Oct 7 23:00 + 0:00 - WET 1924 +diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica +index 114cef14cce..ce4ee74582c 100644 +--- a/make/data/tzdata/northamerica ++++ b/make/data/tzdata/northamerica +@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D + Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S + Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 ++Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1920 + -6:00 Chicago C%sT 1936 Mar 1 2:00 + -5:00 - EST 1936 Nov 15 2:00 +@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 + -6:00 Chicago C%sT 1967 + -6:00 US C%sT + # Oliver County, ND switched from mountain to central time on 1992-10-25. +-Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 ++Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 1992 Oct 25 2:00 + -6:00 US C%sT + # Morton County, ND, switched from mountain to central time on +@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 + # Jones, Mellette, and Todd Counties in South Dakota; + # but in practice these other counties were already observing central time. + # See . +-Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 ++Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 2003 Oct 26 2:00 + -6:00 US C%sT + +@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 + # largest city in Mercer County). Google Maps places Beulah's city hall + # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07". + +-Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53 ++Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 2010 Nov 7 2:00 + -6:00 US C%sT + +@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S + Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D + Rule Denver 1965 1966 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04 ++Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 1920 + -7:00 Denver M%sT 1942 + -7:00 US M%sT 1946 +@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D + Rule CA 1950 1961 - Sep lastSun 2:00 0 S + Rule CA 1962 1966 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02 ++Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u + -8:00 US P%sT 1946 + -8:00 CA P%sT 1967 + -8:00 US P%sT +@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00 + # Go with the Arizona State Library instead. + + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42 ++Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 1944 Jan 1 0:01 + -7:00 - MST 1944 Apr 1 0:01 + -7:00 US M%sT 1944 Oct 1 0:01 +@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston + # switched four weeks late in 1974. + # + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11 ++Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u + -8:00 US P%sT 1923 May 13 2:00 + -7:00 US M%sT 1974 + -7:00 - MST 1974 Feb 3 2:00 +@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D + Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S + Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22 ++Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1920 + -6:00 Indianapolis C%sT 1942 + -6:00 US C%sT 1946 +@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S + Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D + Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37 ++Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1951 + -6:00 Marengo C%sT 1961 Apr 30 2:00 + -5:00 - EST 1969 +@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S + Rule Vincennes 1961 only - Sep lastSun 2:00 0 S + Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53 ++Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 Vincennes C%sT 1964 Apr 26 2:00 + -5:00 - EST 1969 +@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S + Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D + Rule Perry 1961 1963 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57 ++Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 Perry C%sT 1964 Apr 26 2:00 + -5:00 - EST 1967 Oct 29 2:00 +@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S + Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D + Rule Pike 1961 1964 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53 ++Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1955 + -6:00 Pike C%sT 1965 Apr 25 2:00 + -5:00 - EST 1966 Oct 30 2:00 +@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S + Rule Starke 1957 1958 - Sep lastSun 2:00 0 S + Rule Starke 1959 1961 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30 ++Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1947 + -6:00 Starke C%sT 1962 Apr 29 2:00 + -5:00 - EST 1963 Oct 27 2:00 +@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S + Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S + Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 ++Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 Pulaski C%sT 1961 Apr 30 2:00 + -5:00 - EST 1969 +@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 + # + # Switzerland County, Indiana, did not observe DST from 1973 through 2005. + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44 ++Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1954 Apr 25 2:00 + -5:00 - EST 1969 + -5:00 US E%sT 1973 +@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D + Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S + Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 ++Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1921 + -6:00 Louisville C%sT 1942 + -6:00 US C%sT 1946 +@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 + # Federal Register 65, 160 (2000-08-17), pp 50154-50158. + # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm + # +-Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36 ++Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 - CST 1968 + -6:00 US C%sT 2000 Oct 29 2:00 +@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 + # longitude they are located at. + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S ++Rule Mexico 1931 only - May 1 23:00 1:00 D ++Rule Mexico 1931 only - Oct 1 0:00 0 S + Rule Mexico 1939 only - Feb 5 0:00 1:00 D + Rule Mexico 1939 only - Jun 25 0:00 0 S + Rule Mexico 1940 only - Dec 9 0:00 1:00 D +@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D + Rule Mexico 2002 max - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] + # Quintana Roo; represented by Cancún +-Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56 ++Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1981 Dec 23 + -5:00 Mexico E%sT 1998 Aug 2 2:00 + -6:00 Mexico C%sT 2015 Feb 1 2:00 + -5:00 - EST + # Campeche, Yucatán; represented by Mérida +-Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 ++Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1981 Dec 23 + -5:00 - EST 1982 Dec 2 + -6:00 Mexico C%sT +@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 + # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal, + # 2016-03-12 + # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza +-Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00 ++Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1988 + -6:00 US C%sT 1989 + -6:00 Mexico C%sT 2010 + -6:00 US C%sT + # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border) +-Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44 ++Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1988 + -6:00 US C%sT 1989 + -6:00 Mexico C%sT + # Central Mexico +-Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 ++Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 Mexico C%sT 2001 Sep 30 2:00 + -6:00 - CST 2002 Feb 20 + -6:00 Mexico C%sT +@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 + # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe, + # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides. + # (See the 2016-03-12 El Universal source mentioned above.) +-Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20 ++Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1996 + -6:00 Mexico C%sT 1998 + -6:00 - CST 1998 Apr Sun>=1 3:00 + -7:00 Mexico M%sT 2010 + -7:00 US M%sT + # Chihuahua (away from US border) +-Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40 ++Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1996 + -6:00 Mexico C%sT 1998 + -6:00 - CST 1998 Apr Sun>=1 3:00 + -7:00 Mexico M%sT + # Sonora +-Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 ++Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1942 Apr 24 + -7:00 - MST 1949 Jan 14 + -8:00 - PST 1970 +@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 + # Use "Bahia_Banderas" to keep the name to fourteen characters. + + # Mazatlán +-Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20 ++Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1942 Apr 24 + -7:00 - MST 1949 Jan 14 + -8:00 - PST 1970 + -7:00 Mexico M%sT + + # Bahía de Banderas +-Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 ++Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1942 Apr 24 + -7:00 - MST 1949 Jan 14 + -8:00 - PST 1970 +@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 + -6:00 Mexico C%sT + + # Baja California +-Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56 ++Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1924 + -8:00 - PST 1927 Jun 10 23:00 + -7:00 - MST 1930 Nov 15 +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +index 71470168456..0cad939008f 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +@@ -1 +1 @@ +-tzdata2022d ++tzdata2022e +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +index b3823958ae4..2f2786f1c69 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +@@ -97,9 +97,7 @@ America/Winnipeg CST CDT + America/Yakutat AKST AKDT + America/Yellowknife MST MDT + Antarctica/Macquarie AEST AEDT +-Asia/Amman EET EEST + Asia/Beirut EET EEST +-Asia/Damascus EET EEST + Asia/Famagusta EET EEST + Asia/Gaza EET EEST + Asia/Hebron EET EEST -- Gitee From c86bb1ef69430becea426f5a8e41d8c4aa9cada9 Mon Sep 17 00:00:00 2001 From: panxuefeng Date: Wed, 9 Aug 2023 14:59:41 +0800 Subject: [PATCH 4/4] exclude some arches --- java-11-openjdk.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 086ef98..88d6cc9 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -1109,6 +1109,8 @@ exit 0 %endif } +ExcludeArch: %{aarch64} x86_64 loongarch64 + # not-duplicated requires/provides/obsoletes for normal/debug packages %define java_rpo() %{expand: Requires: fontconfig%{?_isa} -- Gitee