Accepting request 1125800 from Java:Factory

October 2023 CPU fixes OBS-URL: https://build.opensuse.org/request/show/1125800 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/java-1_8_0-openjdk?expand=0&rev=96
2023-11-14 20:42:34 +00:00 · 2023-11-14 20:42:34 +00:00 · 5be06bc991
commit 5be06bc991
parent d7cb775132 1e962eac2b
8 changed files with 95 additions and 14 deletions
--- a/aarch32-git.tar.xz
+++ b/aarch32-git.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:86ac13cdd6ee4024e5bf4779418a6f62c75525a04f26ba70d2fcb7ad888f4a95
-size 7205604
+oid sha256:bb00d352f3748fdc5d26980999c83665bb3753ef4a74a9a4e82a8deee1f86476
+size 7205616
--- a/bsc1211968.patch
+++ b/bsc1211968.patch
@ -0,0 +1,15 @@
+--- openjdk/jdk/src/share/classes/sun/security/ssl/DHKeyExchange.java	2023-11-14 07:18:11.483931806 +0100
+++ openjdk/jdk/src/share/classes/sun/security/ssl/DHKeyExchange.java	2023-11-14 07:20:21.018138340 +0100
+@@ -253,11 +253,7 @@
+         static {
+             String property = GetPropertyAction.privilegedGetProperty(
+                     "jdk.tls.ephemeralDHKeySize");
+-            if (property == null || property.isEmpty()) {
+-                useLegacyEphemeralDHKeys = false;
+-                useSmartEphemeralDHKeys = false;
+-                customizedDHKeySize = -1;
+-            } else if ("matched".equals(property)) {
+            if (property == null || property.isEmpty() || "matched".equals(property)) {
+                 useLegacyEphemeralDHKeys = false;
+                 useSmartEphemeralDHKeys = true;
+                 customizedDHKeySize = -1;
--- a/icedtea-3.28.0.tar.xz
+++ b/icedtea-3.28.0.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:822697a4f0039ec312cc143df40916fc8b68fbfe49c2631186bbba83bd6c5c8d
-size 1571464
--- a/icedtea-3.29.0.tar.xz
+++ b/icedtea-3.29.0.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9954bf4ee8f7f4dbdec621419e6f2c42d3e97102987a7edb374e3bda7baf5169
+size 1572828
--- a/java-1_8_0-openjdk.changes
+++ b/java-1_8_0-openjdk.changes
@ -1,3 +1,66 @@
+-------------------------------------------------------------------
+Tue Nov 14 06:00:16 UTC 2023 - Fridrich Strba <fstrba@suse.com>
+
+- Update to version jdk8u392 (icedtea-3.29.0)
+  * October 2023 CPU
+  * CVEs
+    + CVE-2023-22067, bsc#1216379
+    + CVE-2023-22081, bsc#1216374
+  * Security fixes
+    + JDK-8286503, JDK-8312367: Enhance security classes
+    + JDK-8297856: Improve handling of Bidi characters
+    + JDK-8303384: Improved communication in CORBA
+    + JDK-8305815, JDK-8307278: Update Libpng to 1.6.39
+    + JDK-8309966: Enhanced TLS connections
+  * Import of OpenJDK 8 u392 build 08
+    + JDK-6722928: Provide a default native GSS-API library on
+      Windows
+    + JDK-8040887: [TESTBUG] Remove
+      test/runtime/6925573/SortMethodsTest.java
+    + JDK-8042726: [TESTBUG] TEST.groups file was not updated after
+      runtime/6925573/SortMethodsTest.java removal
+    + JDK-8139348: Deprecate 3DES and RC4 in Kerberos
+    + JDK-8173072: zipfs fails to handle incorrect info-zip
+      "extended timestamp extra field"
+    + JDK-8200468: Port the native GSS-API bridge to Windows
+    + JDK-8202952: C2: Unexpected dead nodes after matching
+    + JDK-8205399: Set node color on pinned HashMap.TreeNode
+      deletion
+    + JDK-8209115: adjust libsplashscreen linux ppc64le builds for
+      easier libpng update
+    + JDK-8214046: [macosx] Undecorated Frame does not Iconify when
+      set to
+    + JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails
+      intermittently due to NumberFormatException
+    + JDK-8225687: Newly added sspi.cpp in JDK-6722928 still
+      contains some small errors
+    + JDK-8232225: Rework the fix for JDK-8071483
+    + JDK-8242330: Arrays should be cloned in several JAAS Callback
+      classes
+    + JDK-8253269: The CheckCommonColors test should provide more
+      info on failure
+    + JDK-8283441: C2: segmentation fault in
+      ciMethodBlocks::make_block_at(int)
+    + JDK-8284910: Buffer clean in PasswordCallback
+    + JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
+    + JDK-8287663: Add a regression test for JDK-8287073
+    + JDK-8295685: Update Libpng to 1.6.38
+    + JDK-8295894: Remove SECOM certificate that is expiring in
+      September 2023
+    + JDK-8308788: [8u] Remove duplicate HaricaCA.java test
+    + JDK-8309122: Bump update version of OpenJDK: 8u392
+    + JDK-8309143: [8u] fix archiving inconsistencies in GHA
+    + JDK-8310026: [8u] make java_lang_String::hash_code consistent
+      across platforms
+    + JDK-8314960: Add Certigna Root CA - 2
+    + JDK-8315135: Memory leak in the native implementation of
+      Pack200.Unpacker.unpack()
+    + JDK-8317040: Exclude cleaner test failing on older releases
+- Added patch:
+  * bsc1211968.patch
+    + fix bsc#1211968: SLES12SP5 vulnerable to CVE-2015-4000
+      (Logjam)?
+
 -------------------------------------------------------------------
 Mon Jul 31 05:52:03 UTC 2023 - Fridrich Strba <fstrba@suse.com>

--- a/java-1_8_0-openjdk.spec
+++ b/java-1_8_0-openjdk.spec
@ -18,7 +18,7 @@

 %{!?aarch64:%global aarch64 aarch64 arm64 armv8}
 %global jit_arches %{ix86} x86_64 ppc64 ppc64le %{aarch64} %{arm}
-%global icedtea_version 3.28.0
+%global icedtea_version 3.29.0
 %global buildoutputdir openjdk.build/
 # Convert an absolute path to a relative path.  Each symbolic link is
 # specified relative to the directory in which it is installed so that
@ -31,8 +31,8 @@
 # priority must be 6 digits in total
 %global priority        1805
 %global javaver         1.8.0
-%global updatever       382
-%global buildver        05
+%global updatever       392
+%global buildver        08
 # Standard JPackage directories and symbolic links.
 %global sdklnk          java-%{javaver}-openjdk
 %global archname        %{sdklnk}
@ -172,6 +172,8 @@ Source3:        https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_
 # nss fips configuration file
 Source17:       nss.fips.cfg.in
 # RPM/distribution specific patches
+# bsc#1211968
+Patch1:         bsc1211968.patch
 # RHBZ 1015432
 Patch2:         1015432.patch
 # Restrict access to java-atk-wrapper classes
@ -508,6 +510,7 @@ sh autogen.sh

 make patch %{?_smp_mflags}

+patch -p0 -i %{PATCH1}
 patch -p0 -i %{PATCH2}
 patch -p0 -i %{PATCH3}
 patch -p0 -i %{PATCH12}
@ -765,7 +768,7 @@ find %{buildroot}%{_jvmdir}/%{sdkdir}/demo \
 %if 0%{?suse_version} <= 1130
 # bnc496378 - check the size of installed cacerts
 # 32 bytes means a default empty one
-if [[ $(stat -c "%{s}" %{buildroot}/%{cacerts}) == "32" ]]; then
+if [[ $(stat -c "%%s" %{buildroot}/%{cacerts}) == "32" ]]; then
    echo "ERROR: Default keystore seems empty"
    exit 1
 fi
@ -850,7 +853,7 @@ if [ X"`%{_bindir}/file --mime-type -b %{javacacerts}`" \
 fi

 # remove the default empty cacert file, if it's installed
-if [ 0`stat -c "%{s}" %{cacerts} 2>/dev/null` = "032" ] ; then
+if [ 0`stat -c "%%s" %{cacerts} 2>/dev/null` = "032" ] ; then
    rm -f %{cacerts}
 fi

--- a/openjdk-git.tar.xz
+++ b/openjdk-git.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:e0e4bceac9b0fbcd67677d571158185e1146c61b7611a9a4ddbdee8f7d5f4c11
-size 59630060
+oid sha256:74d33382e17a757728bc209595a89068528406428fe3c66fc0bbf9d489ecfc14
+size 59648916
--- a/shenandoah-git.tar.xz
+++ b/shenandoah-git.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b6ebadba01a70aafe3a0811c36d669e2631c90013a46cf55c845c2be160f2eb7
-size 7290172
+oid sha256:fae45df7da24d04252c8fda59e753f3cec5684b978e889cdf5ad04f7832f8542
+size 7289632