author | Max Rees <maxcrees@me.com> | 2020-05-04 12:37:39 -0500 |
---|---|---|
committer | Max Rees <maxcrees@me.com> | 2020-05-04 22:51:42 -0500 |
commit | 28fdd34de44edcf8d1a08cc45cd564099e9268fc (patch) | |
tree | 1e7dcb7d13c610594926f65a399b237b653fcead /user/openjdk8/icedtea-jdk-tls-nist-curves.patch | |
parent | 13df4b4fac8068b1c833c4cff3c49feacc53b26e (diff) | |

user/openjdk8: [CVE] bump to 8.252.09 (#269)

* Bootstrap using openjdk8. Note that it will need to be manually
  installed when building now...
* Cherrypick patch changes from Alpine:
  icedtea-jdk-tls-nist-curves.patch was integrated upstream, and
  icedtea-hotspot-musl.patch was rebased for 8u232.
  https://git.alpinelinux.org/aports/commit/community/openjdk8?id=04ec13ca9caa9a436001be92e674f230b9894894
* Rebase patches for 8u252-ga:
  In particular, icedtea-jdk-getmntent-buffer.patch is dropped since
  upstream takes a new approach by allocating a buffer according to the
  length of the longest line in mtab.
  https://bugs.openjdk.java.net/browse/JDK-8229872
* Use private variables (_) where applicable

Diffstat (limited to 'user/openjdk8/icedtea-jdk-tls-nist-curves.patch')
-rw-r--r-- | user/openjdk8/icedtea-jdk-tls-nist-curves.patch | 47 |
1 files changed, 0 insertions, 47 deletions
diff --git a/user/openjdk8/icedtea-jdk-tls-nist-curves.patch b/user/openjdk8/icedtea-jdk-tls-nist-curves.patch deleted file mode 100644 index 75fb3af8c..000000000 --- a/user/openjdk8/icedtea-jdk-tls-nist-curves.patch +++ /dev/null @@ -1,47 +0,0 @@ -Bug #7404 TLS negotiation error in OpenJDK 8 u131 - -Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115 -on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation -errors for some clients. - -Root cause appears to be OpenJDK announcing support for NIST curves the -underlying NSS library does doesn't. This patch limits OpenJDK's -announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25 -(secp521r1). - -Related issues: - -* https://github.com/docker-library/openjdk/issues/115 -* https://bugs.alpinelinux.org/issues/7404 -* https://access.redhat.com/discussions/2339811 -* https://bugzilla.redhat.com/show_bug.cgi?id=1022017 -* https://bugzilla.redhat.com/show_bug.cgi?id=1348525 - ---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-05-08 20:03:50.000000000 -0700 -+++ openjdk/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-06-14 13:37:00.000000000 -0700 -@@ -168,21 +168,10 @@ - "contains no supported elliptic curves"); - } - } else { // default curves -- int[] ids; -- if (requireFips) { -- ids = new int[] { -- // only NIST curves in FIPS mode -- 23, 24, 25, 9, 10, 11, 12, 13, 14, -- }; -- } else { -- ids = new int[] { -- // NIST curves first -- 23, 24, 25, 9, 10, 11, 12, 13, 14, -- // non-NIST curves -- 22, -- }; -- } -- -+ int[] ids = new int[] { -+ // NSS currently only supports these three NIST curves -+ 23, 24, 25 -+ }; - idList = new ArrayList<>(ids.length); - for (int curveId : ids) { - if (isAvailableCurve(curveId)) { |
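Review bot: Deleting this file removes the local restriction of the default curve list in EllipticCurvesExtension.java to ids 23, 24 and 25, and the only justification visible is the commit message's "integrated upstream", backed by a link to the Alpine aports commit rather than to the upstream OpenJDK change itself. Please cite the upstream change in the commit message so a reader can confirm that 8.252.09 no longer announces curves the underlying NSS library does not support, which is the TLS negotiation failure the patch header describes. Because the diffstat shown here is limited to this one file, also confirm that the same commit drops the patch's entry and checksum from the package's build recipe, otherwise the build will reference a file that no longer exists.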