RedHat has issued an advisory on March 24:
https://rhn.redhat.com/errata/RHSA-2016-0513.html
One of their patches includes a private nss header that it should not. Some references about this:
https://bugzilla.mozilla.org/show_bug.cgi?id=206926
https://bugzilla.redhat.com/show_bug.cgi?id=675196
https://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/2014-July/016117.html
Hopefully it builds fine without the patch.
Updated packages building for Mageia 5 and Cauldron.
Advisory:
========================
Updated java-1.8.0-openjdk packages fix security vulnerability:
An improper type safety check was discovered in the Hotspot component. An untrusted Java application or applet could use this flaw to bypass Java Sandbox restrictions (CVE-2016-0636).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0636
https://rhn.redhat.com/errata/RHSA-2016-0513.html
========================
Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-headless-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-devel-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-demo-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-src-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.77-1.b03.1.mga5
from java-1.8.0-openjdk-1.8.0.77-1.b03.1.mga5.src.rpm
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java
Whiteboard: (none) => has_procedure
Even with reverting all of the changes that depend on their hacked up nss packages that expose private headers, it still doesn't build, saying it can't find ecc_impl.h in jdk/src/share/native/sun/security/ec/impl/, even though it's there.
CC: (none) => qa-bugs
Assignee: qa-bugs => pkg-bugs
The failure is that it cannot find ecl-exp.h, included by ecc_impl.h, and indeed it does not exist.
CC: (none) => pterjan
+#ifdef SYSTEM_NSS +#include <secitem.h> +#include <secerr.h> +#include <keythi.h> +#ifdef LEGACY_NSS +#include <softoken.h> +#else +#include <blapi.h> +#endif +#else +#include "ecl-exp.h" +#endif So having SYSTEM_NSS set would avoid that, else we need that header.
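Review bot: the `#else` of `SYSTEM_NSS` keeps `#include "ecl-exp.h"` as a quoted include, so any build without SYSTEM_NSS needs that header beside ecc_impl.h, while the SYSTEM_NSS side needs `<blapi.h>` unless LEGACY_NSS is defined, in which case it needs `<softoken.h>`; nothing in the hunk documents which configuration sets either macro. A short comment above `#ifdef SYSTEM_NSS` naming the configure option that defines it and the NSS headers each branch requires would make a missing-header failure much quicker to diagnose.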
Hmm, the patch is disabled, but actually it was already included without the patch; the patch is only moving the file from openjdk/jdk/src/share/native/sun/security/ec/ecc_impl.h to openjdk/jdk/src/share/native/sun/security/ec/impl/ecc_impl.h, but the inclusion of ecl-exp.h is already there in openjdk sources without patch.
lib64nss-devel:/usr/include/nss/ecl-exp.h
So -I/usr/include/nss would probably work but that seems strange.
I actually failed to find what this header is needed for, but I would suggest trying one of those:
- Adding the patch + --enable-system-nss
- Removing the include
The system nss thing doesn't build because it depends on blapi.h, a private NSS header that's not shipped in the package, as I mentioned in Comment 0. It basically is dependent on Fedora's packaging of it.
I don't know why the file is not in the tarball, it seems to exist in the hg tree:
http://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/20f2ccffa30f/src/share/native/sun/security/ec/impl/ecl-exp.h
Specfile says:
# aarch64-port now contains integration forest of both aarch64 and normal jdk
# Source from upstream OpenJDK8 project. To regenerate, use
# VERSION=aarch64-jdk8u77-b03 FILE_NAME_ROOT=aarch64-port-jdk8u-${VERSION}
# REPO_ROOT=<path to checked-out repository> generate_source_tarball.sh
# where the source is obtained from http://hg.openjdk.java.net/%%{project}/%%{repo}
But even in the aarch64-port project, the file is there:
http://hg.openjdk.java.net/aarch64-port/jdk8u/jdk/file/9331bfc2d798/src/share/native/sun/security/ec/impl
Probably because of the generate_source_tarball.sh that they use to generate the tarball, as stated in the comments you quoted. From that script:
mv -v jdk/src/share/native/sun/security/ec/impl/ecc_impl.h .
rm -vrf jdk/src/share/native/sun/security/ec/impl
mkdir jdk/src/share/native/sun/security/ec/impl
mv -v ecc_impl.h jdk/src/share/native/sun/security/ec/impl
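
A check a packager could run on an unpacked source tree before starting a build, to catch the situation described above where ecc_impl.h is kept but the headers it includes are gone. This is an added example, not part of the thread or of the OpenJDK packaging scripts; the function names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report quoted #include targets that
# are missing from a source directory, e.g. in an unpacked, stripped tarball.
# Limitation: #ifdef guards are ignored, so a guarded include is reported too.

# Directory named in the thread, relative to the unpacked source root.
IMPL_REL=jdk/src/share/native/sun/security/ec/impl

missing_local_includes() {
    dir=$1
    # Extract NAME from every '#include "NAME"' line; <...> includes are
    # system headers and are skipped. Globs that match nothing make cat
    # complain, hence the redirect.
    cat "$dir"/*.c "$dir"/*.h 2>/dev/null |
        sed -n 's/^[[:space:]]*#[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' |
        sort -u |
        while IFS= read -r hdr; do
            [ -e "$dir/$hdr" ] || printf '%s\n' "$hdr"
        done
}

# Constructed sample: a tree where only ecc_impl.h survived, as after the
# mv/rm/mkdir/mv sequence quoted above. File contents are made up.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/$IMPL_REL"
    printf '%s\n' '#include <sys/types.h>' '#include "ecl-exp.h"' \
        > "$root/$IMPL_REL/ecc_impl.h"
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
missing_local_includes "$sample/$IMPL_REL"   # prints: ecl-exp.h
rm -rf "$sample"
```

An empty result means every quoted include in that directory resolves locally; any name printed is a header the tarball generation step dropped.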
URL: (none) => http://lwn.net/Vulnerabilities/681387/
Hi,
I tried to build openjdk and I came to the conclusion that we have two options:
- Use the system nss patches: in that case, we have to build nss like Fedora does (the build not only needs blapi.h but also /usr/lib64/libfreebl.a because /usr/lib64/libfreebl.so.3 does not contain the necessary symbols).
- Add all the missing files from http://hg.openjdk.java.net/aarch64-port/jdk8u/jdk/file/9331bfc2d798/src/share/native/sun/security/ec/impl in the tarball and do not use the system nss patches (and I am not sure patch 12 is needed either).
As the first solution uses a static library and not a dynamic one, I do not see any interest in changing the way we package nss and I think the second solution is easier.
Best regards,
Nico.
CC: (none) => nicolas.salguero
Hi, On my machine, I was able to build openjdk without patch 12 but with a "complete" tarball (with all the missing files in src/share/native/sun/security/ec/impl) for mga5. If no one disagrees with my method, I can commit my modifications in mga5 and cauldron and launch the build. Best regards, Nico.
Yes, using the tarball with the files not removed seems the right way to do it.
So I did it.
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Thanks Nicolas, please remember to give a list of all RPMs and SRPMs when assigning an update candidate to the QA team. See:
- Policy: https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29
- Example: https://bugs.mageia.org/show_bug.cgi?id=16998#c0
Sorry, I did not give it because I thought the list given in comment 0 was sufficient:
Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-headless-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-devel-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-demo-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-src-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.77-1.b03.1.mga5
from java-1.8.0-openjdk-1.8.0.77-1.b03.1.mga5.src.rpm
My bad, it was indeed sufficient, I had overlooked it. But now it's crystal clear :)
Thanks Nicolas!
I just remembered that I intended to update icedtea-web the next time that I updated this package. Version 1.6.2 is a bugfix release.
Advisory:
========================
Updated java-1.8.0-openjdk packages fix security vulnerability:
An improper type safety check was discovered in the Hotspot component. An untrusted Java application or applet could use this flaw to bypass Java Sandbox restrictions (CVE-2016-0636).
Also, the icedtea-web package has been updated to version 1.6.2 to fix all known issues in the Java browser plugin.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0636
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2016-February/034831.html
https://rhn.redhat.com/errata/RHSA-2016-0513.html
========================
Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-headless-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-devel-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-demo-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-src-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.77-1.b03.1.mga5
icedtea-web-1.6.2-1.mga5
icedtea-web-javadoc-1.6.2-1.mga5
from SRPMS:
java-1.8.0-openjdk-1.8.0.77-1.b03.1.mga5.src.rpm
icedtea-web-1.6.2-1.mga5.src.rpm
Cisco ASDM and some Java plugin tests work fine. Even the one on java.com works again! Testing complete Mageia 5 x86_64.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Tested fine on Mageia 5 i586 as well.
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK
Validating, thanks David.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
advisory uploaded
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0130.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED