Update OpenJDK to 15

vendor/generate_jre.sh

@@ -3,7 +3,7 @@
 # This script is used as a reference to generate a stripped-down JRE for the server
 
 rm -rf java/
-wget https://github.com/AdoptOpenJDK/openjdk14-binaries/releases/download/jdk-14.0.2%2B12/OpenJDK14U-jdk_x64_linux_hotspot_14.0.2_12.tar.gz
+wget https://github.com/AdoptOpenJDK/openjdk15-binaries/releases/download/jdk-15.0.2%2B7/OpenJDK15U-jdk_x64_linux_hotspot_15.0.2_7.tar.gz
 tar -zxvf OpenJDK*
 rm OpenJDK*
 mv jdk* jdk/

vendor/java/conf/security/java.security

@@ -115,7 +115,7 @@ security.provider.12=SunPKCS11
 # and "DRBG" SecureRandom implementations in the "Sun" provider.
 # (Other SecureRandom implementations might also use this property.)
 #
-# On Unix-like systems (for example, Solaris/Linux/MacOS), the
+# On Unix-like systems (for example, Linux/MacOS), the
 # "NativePRNG", "SHA1PRNG" and "DRBG" implementations obtains seed data from
 # special device files such as file:/dev/random.
 #
@@ -251,15 +251,18 @@ policy.provider=sun.security.provider.PolicyFile
 policy.url.1=file:${java.home}/conf/security/java.policy
 policy.url.2=file:${user.home}/.java.policy
 
-# whether or not we expand properties in the policy file
-# if this is set to false, properties (${...}) will not be expanded in policy
-# files.
+# Controls whether or not properties are expanded in policy and login
+# configuration files. If set to false, properties (${...}) will not
+# be expanded in policy and login configuration files. If commented out or
+# set to an empty string, the default value is "false" for policy files and
+# "true" for login configuration files.
 #
 policy.expandProperties=true
 
-# whether or not we allow an extra policy to be passed on the command line
-# with -Djava.security.policy=somefile. Comment out this line to disable
-# this feature.
+# Controls whether or not an extra policy or login configuration file is
+# allowed to be passed on the command line with -Djava.security.policy=somefile
+# or -Djava.security.auth.login.config=somefile. If commented out or set to
+# an empty string, the default value is "false".
 #
 policy.allowSystemProperty=true
 
@@ -631,6 +634,26 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
     RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
     include jdk.disabled.namedCurves
 
+#
+# Legacy algorithms for certification path (CertPath) processing and
+# signed JAR files.
+#
+# In some environments, a certain algorithm or key length may be undesirable
+# but is not yet disabled.
+#
+# Tools such as keytool and jarsigner may emit warnings when these legacy
+# algorithms are used. See the man pages for those tools for more information.
+#
+# The syntax is the same as the "jdk.certpath.disabledAlgorithms" and
+# "jdk.jar.disabledAlgorithms" security properties.
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+
+jdk.security.legacyAlgorithms=SHA1, \
+    RSA keySize < 2048, DSA keySize < 2048
+
 #
 # Algorithm restrictions for signed JAR files
 #
@@ -768,11 +791,7 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
 # Example:
 #   jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
 #
-jdk.tls.legacyAlgorithms= \
-        K_NULL, C_NULL, M_NULL, \
-        DH_anon, ECDH_anon, \
-        RC4_128, RC4_40, DES_CBC, DES40_CBC, \
-        3DES_EDE_CBC
+jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
 
 #
 # The pre-defined default finite field Diffie-Hellman ephemeral (DHE)
@@ -1277,3 +1296,16 @@ jdk.io.permissionsUseCanonicalPath=false
 # security property value defined here.
 #
 #jdk.security.krb5.default.initiate.credential=always-impersonate
+
+#
+# Trust Anchor Certificates - CA Basic Constraint check
+#
+# X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS
+# connections) must have the cA Basic Constraint field set to 'true'. Also, if
+# they include a Key Usage extension, the keyCertSign bit must be set. These
+# checks, enabled by default, can be disabled for backward-compatibility
+# purposes with the jdk.security.allowNonCaAnchor System and Security
+# properties. In the case that both properties are simultaneously set, the
+# System value prevails. The default value of the property is "false".
+#
+#jdk.security.allowNonCaAnchor=true

vendor/java/lib/security/blacklisted.certs

@@ -1,20 +1,39 @@
 Algorithm=SHA-256
+03DB9E5E79FE6117177F81C11595AF598CB176AF766290DBCEB2C318B32E39A2
+08C396C006A21055D00826A5781A5CCFCE2C8D053AB3C197637A4A7A5BB9A650
 14E6D2764A4B06701C6CBC376A253775F79C782FBCB6C0EE6F99DE4BA1024ADD
+1C5E6985ACC09221DBD1A4B7BBC6D3A8C3F8540D19F20763A9537FDD42B4FFE7
+1F6BF8A3F2399AF7FD04516C2719C566CBAD51F412738F66D0457E1E6BDE6F2D
+2A464E4113141352C7962FBD1706ED4B88533EF24D7BBA6CCC5D797FD202F1C4
 31C8FD37DB9B56E708B03D1F01848B068C6DA66F36FB5D82C008C6040FA3E133
 3946901F46B0071E90D78279E82FABABCA177231A704BE72C5B0E8918566EA66
+3E11CF90719F6FB44D94EAC9A156B89BEBE7B8598F28EC58913F2BFCAF91D0C0
+423279423B9FC8CB06F1BB7C3B247522B948D5F18939F378ECC901126DE40BFB
 450F1B421BB05C8609854884559C323319619E8B06B001EA2DCBB74A23AA3BE2
 4CBBF8256BC9888A8007B2F386940A2E394378B0D903CBB3863C5A6394B889CE
 4FEE0163686ECBD65DB968E7494F55D84B25486D438E9DE558D629D28CD4D176
+535D04DFCE027C70BD5F8A9E0AD4F218E9AFDCF5BBCF9B6DE0D81E148E2E3172
+568FAF38D9F155F624838E2181B1CEB4D8459305EE652B0F810C97C3611BFE19
+585CFE6B7436CBD4E732763A2137D7F49599BA9B1790E688FCEC799C58EB84A6
 5E83124D68D24E8E177E306DF643D5EA99C5A94D6FC34B072F7544A1CABB7C7B
+71CB00749B9130FB2707A2664BFF958D0FCC8E161D9674C7450BA0FC2BEAF9D3
 76A45A496031E4DD2D7ED23E8F6FF97DBDEA980BAAC8B0BA94D7EDB551348645
 8A1BD21661C60015065212CC98B1ABB50DFD14C872A208E66BAE890F25C448AF
 9ED8F9B0E8E42A1656B8E1DD18F42BA42DC06FE52686173BA2FC70E756F207DC
+9FADCE80D62A959F9930D748488C1E22E821F4E1E4A43584B848C2FC11E04D77
 A686FEE577C88AB664D0787ECDFFF035F4806F3DE418DC9E4D516324FFF02083
+A90132CEA1D4F7185E4F688EFFD16F6AC14DFD78356A807599A5DABBEEF3333E
 B8686723E415534BC0DBD16326F9486F85B0B0799BF6639334E61DAAE67F36CD
+C0D1F42B9F4BF7ACC045B7BB5D4805E10737F67B6310CE505248D543D0D5FE07
+D0156949F1381943442C6974E9B5B49EF441BB799EF20477B90A89C3F33620CE
+D151962D954970501C60079258EBCFA38502E0A9F03CD640322B08C0A3117FE5
 D24566BF315F4E597D6E381C87119FB4198F5E9E2607F5F4AB362EF7E2E7672F
 D3A936E1A7775A45217C8296A1F22AC5631DCDEC45594099E78EEEBBEDCBA967
+D6CEAE5D9E047FAF7D797858D229AC991AD44316D1E2A37A21926D763153593A
 DF21016B00FC54F9FE3BC8B039911BB216E9162FAD2FD14D990AB96E951B49BE
+E0E740E4B0F8B3548181FF75B5372FAF4C70B99EC995D694ED0FB91B03FF8D21
 EC30C9C3065A06BB07DC5B1C6B497F370C1CA65C0F30C08E042BA6BCECC78F2C
 F5B6F88F75D391A4B1EB336F9E201239FB6B1377DB8CFA7B84736216E5AFFFD7
+FBB12938ABD86C125796EDF4162D291028890A7D6C0C1CCA75FD4B95EBFA7A1A
 FC02FD48DB92D4DCE6F11679D38354CF750CFC7F584A520EB90BDE80E241F2BD
 FDEDB5BDFCB67411513A61AEE5CB5B5D7C52AF06028EFC996CC1B05B1D6CEA2B

vendor/java/lib/security/default.policy

@@ -78,6 +78,8 @@ grant codeBase "jrt:/java.sql.rowset" {
 
 
 grant codeBase "jrt:/java.xml.crypto" {
+    permission java.lang.RuntimePermission
+                   "getStackWalkerWithClassReference";
     permission java.lang.RuntimePermission
                    "accessClassInPackage.sun.security.util";
     permission java.util.PropertyPermission "*", "read";

vendor/java/release

@@ -1,2 +1,2 @@
-JAVA_VERSION="14.0.2"
+JAVA_VERSION="15.0.2"
 MODULES="java.base java.datatransfer java.xml java.prefs java.desktop java.logging java.management java.security.sasl java.naming java.net.http java.scripting java.transaction.xa java.sql jdk.crypto.ec jdk.unsupported jdk.zipfs"