From 0a8e5a5b646ec78020ab64c50b475c831cb75eee Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Sep 06 2022 02:20:38 +0000 Subject: Update to jdk-11.0.17+1 Update release notes to 11.0.17+1 Switch to EA mode for 11.0.17 pre-release builds. Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853 Bump FreeType bundled version to 2.12.1 following JDK-8290334 --- diff --git a/.gitignore b/.gitignore index ecb6b0d..84b138d 100644 --- a/.gitignore +++ b/.gitignore @@ -107,3 +107,4 @@ /openjdk-jdk11u-jdk-11.0.16+7-4curve.tar.xz /openjdk-jdk11u-jdk-11.0.16+8-4curve.tar.xz /openjdk-jdk11u-jdk-11.0.16.1+1-4curve.tar.xz +/openjdk-jdk11u-jdk-11.0.17+1-4curve.tar.xz diff --git a/NEWS b/NEWS index 9f63831..aa2d5c3 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,316 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 11.0.17 (2022-10-18): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11017 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.17.html + +* Other changes + - JDK-6606767: resexhausted00[34] fail assert(!thread->owns_locks(), "must release all locks when leaving VM") + - JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7 + - JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac + - JDK-8069343: Improve gc/g1/TestHumongousCodeCacheRoots.java to use jtreg @requires + - JDK-8139348: Deprecate 3DES and RC4 in Kerberos + - JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java + - JDK-8164804: sun/security/ssl/SSLSocketImpl/CloseSocket.java makes not reliable time assumption + - JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes! + - JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad" + - JDK-8183372: Refactor java/lang/Class shell tests to java + - JDK-8186143: keytool -ext option doesn't accept wildcards for DNS subject alternative names + - JDK-8193462: Fix Filer handling of package-info initial elements + - JDK-8203277: preflow visitor used during lambda attribution shouldn't visit class definitions inside the lambda body + - JDK-8208471: nsk/jdb/unwatch/unwatch002/unwatch002.java fails with "Prompt is not received during 300200 milliseconds" + - JDK-8209736: runtime/RedefineTests/ModifyAnonymous.java fails with NullPointerException when running in CDS mode + - JDK-8210107: vmTestbase/nsk/stress/network tests fail with Cannot assign requested address (Bind failed) + - JDK-8210722: JAXP Tests: CatalogSupport2 and CatalogSupport3 generate incorrect messages upon failure + - JDK-8210960: Allow --with-boot-jdk-jvmargs to work during configure + - JDK-8212904: JTextArea line wrapping incorrect when using UI scale + - JDK-8213695: gc/TestAllocateHeapAtMultiple.java is slow in some configs + - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount() + - JDK-8215291: Broken links when generating from project without modules + - JDK-8217170: gc/arguments/TestUseCompressedOopsErgo.java timed out + - JDK-8217332: JTREG: Clean up, use generics instead of raw types + - JDK-8218128: vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted003 and 004 use wrong path to test classes + - JDK-8219074: [TESTBUG] runtime/containers/docker/TestCPUAwareness.java typo of printing parameters (period should be shares) + - JDK-8219149: ProcessTools.ProcessBuilder should print timing info for subprocesses + - JDK-8220744: [TESTBUG] Move RedefineTests from runtime to serviceability + - JDK-8223575: add subspace transitions to gc+metaspace=info log lines + - JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled. + - JDK-8226976: SessionTimeOutTests uses == operator for String value check + - JDK-8235870: C2 crashes in IdealLoopTree::est_loop_flow_merge_sz() + - JDK-8236490: Compiler bug relating to @NonNull annotation + - JDK-8236823: Ensure that API documentation uses minified libraries + - JDK-8238196: tests that use SA Attach should not be allowed to run against signed binaries on Mac OS X 10.14.5 and later + - JDK-8238203: Return value of GetUserDefaultUILanguage() should be handled as LANGID + - JDK-8238268: Many SA tests are not running on OSX because they do not attempt to use sudo when available + - JDK-8239379: ProblemList serviceability/sa/sadebugd/DebugdConnectTest.java on OSX + - JDK-8239902: [macos] Remove direct usage of JSlider, JProgressBar classes in CAccessible class + - JDK-8240903: Add test to check that jmod hashes are reproducible + - JDK-8247907: XMLDsig logging does not work + - JDK-8247964: All log0() in com/sun/org/slf4j/internal/Logger.java should be private + - JDK-8249623: test @ignore-d due to 7013634 should be returned back to execution + - JDK-8251551: Use .md filename extension for README + - JDK-8253829: Wrong length compared in SSPI bridge + - JDK-8253916: ResourceExhausted/resexhausted001 crashes on Linux-x64 + - JDK-8254178: Remove .hgignore + - JDK-8254318: Remove .hgtags + - JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline + - JDK-8255729: com.sun.tools.javac.processing.JavacFiler.FilerOutputStream is inefficient + - JDK-8257623: vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted001/TestDescription.java shouldn't use timeout + - JDK-8258946: Fix optimization-unstable code involving signed integer overflow + - JDK-8261160: Add a deserialization JFR event + - JDK-8262085: Hovering Metal HTML Tooltips in different windows cause IllegalArgExc on Linux + - JDK-8264400: (fs) WindowsFileStore equality depends on how the FileStore was constructed + - JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly. + - JDK-8265020: tests must be updated for new TestNG module name + - JDK-8265100: (fs) WindowsFileStore.hashCode() should read cached hash code once + - JDK-8265531: doc/building.md should mention homebrew install freetype + - JDK-8266250: WebSocketTest and WebSocketProxyTest call assertEquals(List, List) + - JDK-8266254: Update to use jtreg 6 + - JDK-8266460: java.io tests fail on null stream with upgraded jtreg/TestNG + - JDK-8266461: tools/jmod/hashes/HashesTest.java fails: static @Test methods + - JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups + - JDK-8266675: Optimize IntHashTable for encapsulation and ease of use + - JDK-8266774: System property values for stdout/err on Windows UTF-8 + - JDK-8266881: Enable debug log for SSLEngineExplorerMatchedSNI.java + - JDK-8267180: Typo in copyright header for HashesTest + - JDK-8267271: Fix gc/arguments/TestNewRatioFlag.java expectedNewSize calculation + - JDK-8267880: Upgrade the default PKCS12 MAC algorithm + - JDK-8268185: Update GitHub Actions for jtreg 6 + - JDK-8269039: Disable SHA-1 Signed JARs + - JDK-8269517: compiler/loopopts/TestPartialPeelingSinkNodes.java crashes with -XX:+VerifyGraphEdges + - JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections + - JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java + - JDK-8271010: vmTestbase/gc/lock/malloc/malloclock04/TestDescription.java crashes intermittently + - JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest + - JDK-8271512: ProblemList serviceability/sa/sadebugd/DebugdConnectTest.java due to 8270326 + - JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8 + - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage() + - JDK-8273526: Extend the OSContainer API pids controller with pids.current + - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root + - JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false] + - JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend + - JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test + - JDK-8277893: Arraycopy stress tests + - JDK-8278067: Make HttpURLConnection default keep alive timeout configurable + - JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null" + - JDK-8279622: C2: miscompilation of map pattern as a vector reduction + - JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method + - JDK-8281181: Do not use CPU Shares to compute active processor count + - JDK-8281535: Create a regression test for JDK-4670051 + - JDK-8281569: Create tests for Frame.setMinimumSize() method + - JDK-8281628: KeyAgreement : generateSecret intermittently not resetting + - JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button + - JDK-8281745: Create a regression test for JDK-4514331 + - JDK-8281988: Create a regression test for JDK-4618767 + - JDK-8282214: Upgrade JQuery to version 3.6.0 + - JDK-8282234: Create a regression test for JDK-4532513 + - JDK-8282280: Update Xerces to Version 2.12.2 + - JDK-8282343: Create a regression test for JDK-4518432 + - JDK-8282538: PKCS11 tests fail on CentOS Stream 9 + - JDK-8282548: Create a regression test for JDK-4330998 + - JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc + - JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767 + - JDK-8282860: Write a regression test for JDK-4164779 + - JDK-8282933: Create a test for JDK-4529616 + - JDK-8283015: Create a test for JDK-4715496 + - JDK-8283017: GHA: Workflows break with update release versions + - JDK-8283087: Create a test or JDK-4715503 + - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int) + - JDK-8283493: Create an automated regression test for RFE 4231298 + - JDK-8283507: Create a regression test for RFE 4287690 + - JDK-8283621: Write a regression test for CCC4400728 + - JDK-8283623: Create an automated regression test for JDK-4525475 + - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee + - JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1 + - JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset + - JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice + - JDK-8284754: print more interesting env variables in hs_err and VM.info + - JDK-8284758: [linux] improve print_container_info + - JDK-8284882: SIGSEGV in Node::verify_edges due to compilation bailout + - JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization + - JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment + - JDK-8285081: Improve XPath operators count accuracy + - JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java + - JDK-8285380: Fix typos in security + - JDK-8285398: Cache the results of constraint checks + - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null + - JDK-8285728: Alpine Linux build fails with busybox tar + - JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090 + - JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java + - JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure + - JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5 + - JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache + - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled + - JDK-8287017: Bump update version for OpenJDK: jdk-11.0.17 + - JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event + - JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver + - JDK-8287336: GHA: Workflows break on patch versions + - JDK-8287366: Improve test failure reporting in GHA + - JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node + - JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run + - JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes + - JDK-8288467: remove memory_operand assert for spilled instructions + - JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp + - JDK-8288763: Pack200 extraction failure with invalid size + - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses + - JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc + - JDK-8289486: Improve XSLT XPath operators count efficiency + - JDK-8289799: Build warning in methodData.cpp memset zero-length parameter + - JDK-8289853: Update HarfBuzz to 4.4.1 + - JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060 + - JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC + - JDK-8290198: Shenandoah: a few Shenandoah tests failure after JDK-8214799 11u backport + - JDK-8290246: test fails "assert(init != __null) failed: initialization not found" + - JDK-8290334: Update FreeType to 2.12.1 + - JDK-8290813: jdk/nashorn/api/scripting/test/ScriptObjectMirrorTest.java fails: assertEquals is ambiguous + - JDK-8290886: [11u]: Backport of JDK-8266250 introduced test failures + +Notes on individual issues: +=========================== + +core-libs/java.net: + +JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable +=========================================================================== +Two system properties have been added which control the keep alive +behavior of HttpURLConnection in the case where the server does not +specify a keep alive time. Two properties are defined for controlling +connections to servers and proxies separately. They are: + +* `http.keepAlive.time.server` +* `http.keepAlive.time.proxy` + +respectively. More information about them can be found on the +Networking Properties page: +https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html. + +hotspot/runtime: + +JDK-8281181: CPU Shares Ignored When Computing Active Processor Count +===================================================================== +Previous JDK releases used an incorrect interpretation of the Linux +cgroups parameter "cpu.shares". This might cause the JVM to use fewer +CPUs than available, leading to an under utilization of CPU resources +when the JVM is used inside a container. + +Starting from this JDK release, by default, the JVM no longer +considers "cpu.shares" when deciding the number of threads to be used +by the various thread pools. The `-XX:+UseContainerCpuShares` +command-line option can be used to revert to the previous +behavior. This option is deprecated and may be removed in a future JDK +release. + +security-libs/java.security: + +JDK-8269039: Disabled SHA-1 Signed JARs +======================================= +JARs signed with SHA-1 algorithms are now restricted by default and +treated as if they were unsigned. This applies to the algorithms used +to digest, sign, and optionally timestamp the JAR. It also applies to +the signature and digest algorithms of the certificates in the +certificate chain of the code signer and the Timestamp Authority, and +any CRLs or OCSP responses that are used to verify if those +certificates have been revoked. These restrictions also apply to +signed JCE providers. + +To reduce the compatibility risk for JARs that have been previously +timestamped, there is one exception to this policy: + +- Any JAR signed with SHA-1 algorithms and timestamped prior to + January 01, 2019 will not be restricted. + +This exception may be removed in a future JDK release. To determine if +your signed JARs are affected by this change, run: + +$ jarsigner -verify -verbose -certs` + +on the signed JAR, and look for instances of "SHA1" or "SHA-1" and +"disabled" and a warning that the JAR will be treated as unsigned in +the output. + +For example: + + Signed by "CN="Signer"" + Digest algorithm: SHA-1 (disabled) + Signature algorithm: SHA1withRSA (disabled), 2048-bit key + + WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property: + + jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01 + +JARs affected by these new restrictions should be replaced or +re-signed with stronger algorithms. + +Users can, *at their own risk*, remove these restrictions by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) and removing "SHA1 usage +SignedJAR & denyAfter 2019-01-01" from the +`jdk.certpath.disabledAlgorithms` security property and "SHA1 +denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security +property. + +JDK-8267880: Upgrade the default PKCS12 MAC algorithm +===================================================== + +The default MAC algorithm used in a PKCS #12 keystore has been +updated. The new algorithm is based on SHA-256 and is stronger than +the old one based on SHA-1. See the security properties starting with +`keystore.pkcs12` in the `java.security` file for detailed +information. + +The new SHA-256 based MAC algorithms were introduced in the 11.0.12 +release. Keystores created using this newer, stronger, MAC algorithm +cannot be opened in versions of OpenJDK 11 earlier than 11.0.12. A +'java.security.NoSuchAlgorithmException' exception will be thrown in +such circumstances. + +For compatibility, use the `keystore.pkcs12.legacy` system property, +which will revert the algorithms to use the older, weaker +algorithms. There is no value defined for this property. + +core-libs/java.io:serialization: + +JDK-8261160: JDK Flight Recorder Event for Deserialization +========================================================== +It is now possible to monitor deserialization of objects using JDK +Flight Recorder (JFR). When JFR is enabled and the JFR configuration +includes deserialization events, JFR will emit an event whenever the +running program attempts to deserialize an object. The deserialization +event is named `jdk.Deserialization`, and it is disabled by +default. The deserialization event contains information that is used +by the serialization filter mechanism; see the ObjectInputFilter API +specification for details. + +Additionally, if a filter is enabled, the JFR event indicates whether +the filter accepted or rejected deserialization of the object. For +further information about how to use the JFR deserialization event, +see the article "Monitoring Deserialization to Improve Application +Security" +(https://inside.java/2021/03/02/monitoring-deserialization-activity-in-the-jdk/). + +For reference information about using and configuring JFR, see the +"JFR Runtime Guide" +(https://docs.oracle.com/javacomponents/jmc-5-5/jfr-runtime-guide/preface_jfrrt.htm#JFRRT165) +and "JFR Command Reference" +(https://docs.oracle.com/javacomponents/jmc-5-5/jfr-command-reference/command-line-options.htm#JFRCR-GUID-FE61CA60-E1DF-460E-A8E0-F4FF5D58A7A0) +sections of the JDK Mission Control documentation. + +security-libs/org.ietf.jgss:krb5: + +JDK-8139348: Deprecate 3DES and RC4 in Kerberos +=============================================== +The `des3-hmac-sha1` and `rc4-hmac` Kerberos encryption types (etypes) +are now deprecated and disabled by default. Users can set +`allow_weak_crypto = true` in the `krb5.conf` configuration file to +re-enable them (along with other weak etypes including `des-cbc-crc` +and `des-cbc-md5`) at their own risk. To disable a subset of the weak +etypes, users can list preferred etypes explicitly in any of the +`default_tkt_enctypes`, `default_tgs_enctypes`, or +`permitted_enctypes` settings. + New in release OpenJDK 11.0.16.1 (2022-08-12): ============================================= Live versions of these release notes can be found at: diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index e9d390c..7b2cf07 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -331,8 +331,8 @@ # New Version-String scheme-style defines %global featurever 11 %global interimver 0 -%global updatever 16 -%global patchver 1 +%global updatever 17 +%global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place @@ -378,7 +378,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 1 -%global rpmrelease 2 +%global rpmrelease 1 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -406,7 +406,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global ea_designator "" %global ea_designator_zip "" @@ -1514,11 +1514,11 @@ BuildRequires: libjpeg-devel BuildRequires: libpng-devel %else # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h -Provides: bundled(freetype) = 2.12.0 +Provides: bundled(freetype) = 2.12.1 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h Provides: bundled(giflib) = 5.2.1 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h -Provides: bundled(harfbuzz) = 2.8.0 +Provides: bundled(harfbuzz) = 4.4.1 # Version in src/java.desktop/share/native/liblcms/lcms2.h Provides: bundled(lcms2) = 2.12.0 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h @@ -2716,6 +2716,13 @@ end %endif %changelog +* Tue Sep 06 2022 Andrew Hughes - 1:11.0.17.0.1-0.1.ea +- Update to jdk-11.0.17+1 +- Update release notes to 11.0.17+1 +- Switch to EA mode for 11.0.17 pre-release builds. +- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853 +- Bump FreeType bundled version to 2.12.1 following JDK-8290334 + * Tue Aug 30 2022 Andrew Hughes - 1:11.0.16.1.1-2 - Switch to static builds, reducing system dependencies and making build more portable diff --git a/sources b/sources index 5248b91..8ef2b82 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk11u-jdk-11.0.16.1+1-4curve.tar.xz) = 346abd3e59183394d9177e3ec5b43394f0e0a77d01d7458df32358324d6a6411194c7bf69e1b5d1d6e0fa354e5eb2d05fee50c64d7c958b61dac8d9d7ec34d38 +SHA512 (openjdk-jdk11u-jdk-11.0.17+1-4curve.tar.xz) = 533793f9a2f0990de89d2e5cdf318316a8d3ab761a1dc85e9cf0e168af112b4aaae37e614b86cf792beb907539c13832530689a1fdfa6a4e6432df2260f3c8b0