Key:

JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY

New in release OpenJDK 8u432 (2024-10-15):
===========================================

Live versions of these release notes can be found at:

* https://bit.ly/openjdk8u432

* CVEs
  - CVE-2024-21208
  - CVE-2024-21210
  - CVE-2024-21217
  - CVE-2024-21235
* Security fixes
  - JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
  - JDK-8313626, JDK-8307769: C2 crash due to unexpected exception control flow
  - JDK-8328286: Enhance HTTP client
  - JDK-8328544: Improve handling of vectorization
  - JDK-8328726: Better Kerberos support
  - JDK-8331446: Improve deserialization support
  - JDK-8332644: Improve graph optimizations
  - JDK-8335713: Enhance vectorization analysis
* Other changes
  - JDK-4660158: TTY: NumberFormatException while trying to set values by 'set' command
  - JDK-6544871: java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows.
  - JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails
  - JDK-8021775: compiler/8009761/Test8009761.java "Failed: init recursive calls: 51. After deopt 50"
  - JDK-8030204: com/sun/jdi/JdbExprTest.sh: Required output "Can\\'t convert 2147483648 to int" not found
  - JDK-8030795: java/nio/file/Files/probeContentType/ForceLoad.java failing with ServiceConfigurationError without jtreg -agentvm option
  - JDK-8035395: sun/management/jmxremote/startstop/JMXStartStopTest.java fails intermittently: Port already in use
  - JDK-8075511: Enable -Woverloaded-virtual C++ warning for HotSpot build
  - JDK-8137329: [windows] Build broken on VS2010 after "8046148: JEP 158: Unified JVM Logging"
  - JDK-8145919: sun/management/jmxremote/bootstrap/RmiSslBootstrapTest failed with Connection failed for no credentials
  - JDK-8152207: Perform array bound checks while getting a length of bytecode instructions
  - JDK-8193682: Infinite loop in ZipOutputStream.close()
  - JDK-8196770: Add JNDI test com/sun/jndi/ldap/blits/AddTests/AddNewEntry.java
  - JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04
  - JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp
  - JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
  - JDK-8251188: Update LDAP tests not to use wildcard addresses
  - JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java
  - JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
  - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
  - JDK-8279164: Disable TLS_ECDH_* cipher suites
  - JDK-8281096: Flags introduced by configure script are not passed to ADLC build
  - JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown"
  - JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors
  - JDK-8299677: Formatter.format might take a long time to format an integer or floating-point
  - JDK-8305400: ISO 4217 Amendment 175 Update
  - JDK-8305931: jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java failed with "Expected chains but found none"
  - JDK-8307779: Relax the java.awt.Robot specification
  - JDK-8309138: Fix container tests for jdks with symlinked conf dir
  - JDK-8311666: Disabled tests in test/jdk/sun/java2d/marlin
  - JDK-8315117: Update Zlib Data Compression Library to Version 1.3
  - JDK-8315863: [GHA] Update checkout action to use v4
  - JDK-8316328: Test jdk/jfr/event/oldobject/TestSanityDefault.java times out for some heap sizes
  - JDK-8318039: GHA: Bump macOS and Xcode versions
  - JDK-8318951: Additional negative value check in JPEG decoding
  - JDK-8320964: sun/tools/native2ascii/Native2AsciiTests.sh fails on Japanese
  - JDK-8321480: ISO 4217 Amendment 176 Update
  - JDK-8324632: Update Zlib Data Compression Library to Version 1.3.1
  - JDK-8324723: GHA: Upgrade some actions to avoid deprecated Node 16
  - JDK-8326351: Update the Zlib version in open/src/java.base/share/legal/zlib.md to 1.3.1
  - JDK-8326521: JFR: CompilerPhase event test fails on windows 32 bit
  - JDK-8326529: JFR: Test for CompilerCompile events fails due to time out
  - JDK-8327007: javax/swing/JSpinner/8008657/bug8008657.java fails
  - JDK-8330415: Update system property for Java SE specification maintenance version
  - JDK-8331730: [8u] GHA: update sysroot for cross builds to Debian bullseye
  - JDK-8333126: Bump update version of OpenJDK: 8u432
  - JDK-8333669: [8u] GHA: Dead VS2010 download link
  - JDK-8333724: Problem list security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1
  - JDK-8334653: ISO 4217 Amendment 177 Update
  - JDK-8334905: [8u] The test java/awt/Mixing/AWT_Mixing/JButtonOverlapping.java started to fail after 8159690
  - JDK-8335851: [8u] Test JMXStartStopTest.java fails after JDK-8334415
  - JDK-8335894: [8u] Fix SupplementalJapaneseEraTest.java for jdks with symlinked conf dir
  - JDK-8336928: GHA: Bundle artifacts removal broken
  - JDK-8337110: [8u] TestNoEagerReclaimOfHumongousRegions.java should be in gc/g1 directory
  - JDK-8337312: [8u] Windows x86 VS2010 build broken by JDK-8320097
  - JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
  - JDK-8338144: [8u] Remove duplicate license files
  - JDK-8341057: Add 2 SSL.com TLS roots
  - JDK-8341059: Change Entrust TLS distrust date to November 12, 2024

Notes on individual issues:
===========================

security-libs/javax.net.ssl:

JDK-8279164: Disable TLS_ECDH_* cipher suites
=============================================

The TLS_ECDH cipher suites (static ECDH key exchange) do not provide
forward secrecy and are rarely used in practice. With this release,
they are disabled by adding "ECDH" to the `jdk.tls.disabledAlgorithms`
security property in the `java.security` configuration file. Attempts
to use these suites with this release will result in an
`SSLHandshakeException` being thrown. Note that ECDH cipher suites
which use RC4 were already disabled prior to this change.

Users can, *at their own risk*, remove this restriction by modifying
the `java.security` configuration file (or override it by using the
`java.security.properties` system property) so "ECDH" is no longer
listed in the `jdk.tls.disabledAlgorithms` security property.

This change has no effect on TLS_ECDHE cipher suites, which remain
enabled by default: the ephemeral variants are what provide forward
secrecy.

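The following program is an added example (not part of these release notes or the JDK) that checks, on whatever JDK it is run under, whether "ECDH" is present in `jdk.tls.disabledAlgorithms` and whether any static `TLS_ECDH_*` suite is still among the cipher suites enabled by default. It distinguishes `TLS_ECDH_` from `TLS_ECDHE_` by prefix, which is how the JDK names them; it makes no other assumptions.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Reports whether static-ECDH (non-ephemeral) cipher suites are still
 * enabled in the default SSLContext and whether "ECDH" appears in the
 * jdk.tls.disabledAlgorithms security property. Added example, not JDK code.
 */
public class StaticEcdhAudit {

    /** TLS_ECDH_* is static ECDH; TLS_ECDHE_* is ephemeral and unaffected. */
    static boolean isStaticEcdh(String suite) {
        return suite.startsWith("TLS_ECDH_");
    }

    /** Entries of jdk.tls.disabledAlgorithms as the running JDK sees them, trimmed. */
    static List<String> disabledAlgorithms() {
        List<String> out = new ArrayList<>();
        String raw = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (raw == null) return out;
        for (String entry : raw.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) out.add(trimmed);
        }
        return out;
    }

    /** Static-ECDH suites among the suites enabled by default; empty on a JDK with this change. */
    static List<String> enabledStaticEcdh() throws Exception {
        SSLParameters defaults = SSLContext.getDefault().getDefaultSSLParameters();
        List<String> hits = new ArrayList<>();
        for (String suite : defaults.getCipherSuites()) {
            if (isStaticEcdh(suite)) hits.add(suite);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        List<String> disabled = disabledAlgorithms();
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);
        System.out.println("\"ECDH\" listed: " + disabled.contains("ECDH"));

        List<String> hits = enabledStaticEcdh();
        if (hits.isEmpty()) {
            System.out.println("No static TLS_ECDH_* suites are enabled by default.");
        } else {
            // Seen on JDKs without this change, or when the restriction was removed by hand.
            System.out.println("Static TLS_ECDH_* suites still enabled: " + hits);
        }

        // The provider still knows the suites; they are merely filtered out of the enabled set.
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        long known = Arrays.stream(supported).filter(StaticEcdhAudit::isStaticEcdh).count();
        System.out.println("Static TLS_ECDH_* suites known to the provider: " + known);
    }
}
```

Running it a second time with `-Djava.security.properties=<file>` pointing at a file that redefines `jdk.tls.disabledAlgorithms` without "ECDH" shows the suites reappearing in the enabled set, which is the observable effect of the opt-out described above.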
|
|
|
|
|
JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
====================================================================================================

In accordance with similar plans recently announced by Google and
Mozilla, the JDK will not trust Transport Layer Security (TLS)
certificates issued after the 11th of November 2024 which are anchored
by Entrust root certificates. This includes certificates branded as
AffirmTrust, which are managed by Entrust.

Certificates issued on or before November 11th, 2024 will continue to
be trusted until they expire.

If a server's certificate chain is anchored by an affected
certificate, attempts to negotiate a TLS session will fail with an
exception that indicates the trust anchor is not trusted. For example,

"TLS server certificate issued after 2024-11-11 and anchored by a
distrusted legacy Entrust root CA: CN=Entrust.net Certification
Authority (2048), OU=(c) 1999 Entrust.net Limited,
OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
O=Entrust.net"

To check whether a certificate in a JDK keystore is affected by this
change, you can use the `keytool` utility and compare the issue date
of the server certificate and the SHA256 fingerprint of the root of
its chain against the list below:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are affected by this change,
then you will need to update the certificate or contact the
organisation responsible for managing the certificate.

These restrictions apply to the following Entrust root certificates
included in the JDK:

Alias name: entrustevca [jdk]
CN=Entrust Root Certification Authority
OU=(c) 2006 Entrust, Inc.
OU=www.entrust.net/CPS is incorporated by reference
O=Entrust, Inc.
C=US
SHA256: 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C

Alias name: entrustrootcaec1 [jdk]
CN=Entrust Root Certification Authority - EC1
OU=(c) 2012 Entrust, Inc. - for authorized use only
OU=See www.entrust.net/legal-terms
O=Entrust, Inc.
C=US
SHA256: 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5

Alias name: entrustrootcag2 [jdk]
CN=Entrust Root Certification Authority - G2
OU=(c) 2009 Entrust, Inc. - for authorized use only
OU=See www.entrust.net/legal-terms
O=Entrust, Inc.
C=US
SHA256: 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39

Alias name: entrustrootcag4 [jdk]
CN=Entrust Root Certification Authority - G4
OU=(c) 2015 Entrust, Inc. - for authorized use only
OU=See www.entrust.net/legal-terms
O=Entrust, Inc.
C=US
SHA256: DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88

Alias name: entrust2048ca [jdk]
CN=Entrust.net Certification Authority (2048)
OU=(c) 1999 Entrust.net Limited
OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)
O=Entrust.net
SHA256: 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77

Alias name: affirmtrustcommercialca [jdk]
CN=AffirmTrust Commercial
O=AffirmTrust
C=US
SHA256: 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7

Alias name: affirmtrustnetworkingca [jdk]
CN=AffirmTrust Networking
O=AffirmTrust
C=US
SHA256: 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0:B4:1B

Alias name: affirmtrustpremiumca [jdk]
CN=AffirmTrust Premium
O=AffirmTrust
C=US
SHA256: 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A

Alias name: affirmtrustpremiumeccca [jdk]
CN=AffirmTrust Premium ECC
O=AffirmTrust
C=US
SHA256: BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23

Users can, *at their own risk*, remove this restriction by modifying
the `java.security` configuration file (or override it by using the
`java.security.properties` system property) so "ENTRUST_TLS" is no
longer listed in the `jdk.security.caDistrustPolicies` security
property.

security-libs/java.security:

JDK-8341057: Add 2 SSL.com TLS roots
====================================

The following root certificates have been added to the cacerts
truststore:

Name: SSL.com
Alias Name: ssltlsrootecc2022
Distinguished Name: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US

Name: SSL.com
Alias Name: ssltlsrootrsa2022
Distinguished Name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US

client-libs:

JDK-8307779: Relax the java.awt.Robot specification
===================================================

This release of OpenJDK 8 updates to the latest maintenance release of
the Java 8 specification. This relaxes the specification of three
methods in the `java.awt.Robot` class - `mouseMove(int,int)`,
`getPixelColor(int,int)` and `createScreenCapture(Rectangle)` - to
allow these methods to fail when the desktop environment does not
permit moving the mouse pointer or capturing screen content.

core-libs/javax.naming:

JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
===============================================================================================================================

With this OpenJDK release, the JDK implementation of the LDAP provider
no longer supports the deserialisation of Java objects by
default. This is achieved by the system property
`com.sun.jndi.ldap.object.trustSerialData` being set to `false` by
default.

Note that this release also increases the scope of the
`com.sun.jndi.ldap.object.trustSerialData` system property to cover
the reconstruction of RMI remote objects from the `javaRemoteLocation`
LDAP attribute.

The result of this change is that transparent deserialisation of Java
objects will require an explicit opt-in. Applications that wish to
reconstruct Java objects and RMI stubs from LDAP attributes will need
to set the `com.sun.jndi.ldap.object.trustSerialData` system property
to `true`. Since the deserialised data comes from the directory, that
opt-in extends full trust to whoever can write those attributes.

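The program below is an added example, not code from the release notes or the JDK, showing how an application meets an LDAP entry that carries a Java object under the new default. It pins the property explicitly so behaviour does not depend on the JDK update level, reads the object-carrying attributes (`javaClassName`, `javaSerializedData`, `javaRemoteLocation`, and the reference attributes) with `getAttributes`, which deserialises nothing, and then shows what `lookup`, the call that triggers reconstruction, does. The LDAP URL and entry DN are placeholders; the directory must be reachable, and the expectation that `lookup` fails with a `NamingException` under `trustSerialData=false` is stated as an expectation, since the exact message is an implementation detail.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Inspects an LDAP entry for Java-object attributes without deserialising
 * anything, then shows how lookup() behaves under trustSerialData=false.
 * Added example; URL and DN below are placeholders.
 */
public class LdapSerialDataCheck {

    static final String TRUST_PROPERTY = "com.sun.jndi.ldap.object.trustSerialData";

    /** Attributes the LDAP provider consults when reconstructing an object. */
    static final String[] JAVA_OBJECT_ATTRS = {
        "javaClassName", "javaSerializedData", "javaRemoteLocation",
        "javaReferenceAddress", "javaFactory", "javaCodebase"
    };

    /**
     * Pin the property so the outcome does not depend on which 8u release runs
     * the code. The provider reads it when its classes initialise, so this must
     * run before any LDAP context is created; -D on the command line is the
     * reliable way to set it.
     */
    static void pinTrustSerialData(boolean allow) {
        System.setProperty(TRUST_PROPERTY, Boolean.toString(allow));
    }

    static DirContext connect(String ldapUrl) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        return new InitialDirContext(env);
    }

    /** Safe inspection: raw attributes only, so nothing is deserialised whatever the property says. */
    static String describeEntry(DirContext ctx, String dn) throws NamingException {
        Attributes attrs = ctx.getAttributes(dn, JAVA_OBJECT_ATTRS);
        StringBuilder sb = new StringBuilder(dn).append(':');
        for (String name : JAVA_OBJECT_ATTRS) {
            Attribute a = attrs.get(name);
            if (a != null) sb.append(' ').append(name).append('(').append(a.size()).append(')');
        }
        return sb.toString();
    }

    /**
     * lookup() is where reconstruction happens. For an entry with javaSerializedData
     * or javaRemoteLocation and trustSerialData=false, the expectation is a
     * NamingException rather than a deserialised object. An entry without any
     * Java attributes simply comes back as a DirContext.
     */
    static String tryLookup(DirContext ctx, String dn) {
        try {
            Object obj = ctx.lookup(dn);
            return "lookup returned " + obj.getClass().getName();
        } catch (NamingException e) {
            return "lookup refused: " + e;
        }
    }

    public static void main(String[] args) throws NamingException {
        String ldapUrl = args.length > 0 ? args[0] : "ldap://ldap.example.internal:389";          // placeholder
        String dn = args.length > 1 ? args[1] : "cn=job-config,ou=apps,dc=example,dc=internal"; // placeholder

        pinTrustSerialData(false); // the 8u432 default, made explicit
        DirContext ctx = connect(ldapUrl);
        try {
            System.out.println(describeEntry(ctx, dn));
            System.out.println(TRUST_PROPERTY + "=" + System.getProperty(TRUST_PROPERTY)
                + " -> " + tryLookup(ctx, dn));
        } finally {
            ctx.close();
        }
    }
}
```

Running `describeEntry` over the entries an application actually resolves is the quick way to find out, before upgrading, which lookups depended on transparent deserialisation and will need either the opt-in or a redesign that stores plain attributes instead of serialised objects.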
core-libs/java.net:

JDK-8328286: Enhance HTTP client
================================

This OpenJDK release limits the maximum header field size accepted by
the HTTP client within the JDK for all supported versions of the HTTP
protocol. The header field size is computed as the sum of the size of
the uncompressed header name, the size of the uncompressed header
value and an overhead of 32 bytes for each field section line. If a
peer sends a field section that exceeds this limit, a
`java.net.ProtocolException` will be raised.

This release also introduces a new system property,
`jdk.http.maxHeaderSize`. This property can be used to alter the
maximum header field size (in bytes) or disable it by setting the
value to zero or a negative value. The default value is 393,216 bytes
(384 KiB).

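To see which responses the new limit will reject, the added example below (not JDK code) applies the formula exactly as stated above, name bytes plus value bytes plus 32 per field line summed over the field section, and compares the total with the limit the running JVM would use, read from `jdk.http.maxHeaderSize` with the documented default. The two header sets are constructed for the example; one is a typical small response, the other carries a single `Set-Cookie` line large enough to exceed the default on its own.

```java
import java.nio.charset.StandardCharsets;
import java.util.AbstractMap.SimpleEntry;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

/**
 * Header field section size under the rule described in the release notes,
 * checked against the configured jdk.http.maxHeaderSize. Added example.
 */
public class HttpHeaderSizeCheck {

    static final int DEFAULT_MAX_HEADER_SIZE = 393_216; // 384 KiB, the documented default
    static final int PER_FIELD_OVERHEAD = 32;           // charged once per field section line

    /** Limit the running JVM would enforce; zero or negative means the check is disabled. */
    static int effectiveLimit() {
        return Integer.getInteger("jdk.http.maxHeaderSize", DEFAULT_MAX_HEADER_SIZE);
    }

    /** One field line: uncompressed name + uncompressed value + 32 bytes overhead. */
    static int fieldSize(String name, String value) {
        return name.getBytes(StandardCharsets.ISO_8859_1).length
             + value.getBytes(StandardCharsets.ISO_8859_1).length
             + PER_FIELD_OVERHEAD;
    }

    /** Whole field section; this total is what the limit is compared against. */
    static int fieldSectionSize(List<Map.Entry<String, String>> fields) {
        int total = 0;
        for (Map.Entry<String, String> f : fields) total += fieldSize(f.getKey(), f.getValue());
        return total;
    }

    /** True when the JDK client would raise java.net.ProtocolException for this section. */
    static boolean exceedsLimit(List<Map.Entry<String, String>> fields, int limit) {
        return limit > 0 && fieldSectionSize(fields) > limit;
    }

    static Map.Entry<String, String> h(String name, String value) {
        return new SimpleEntry<>(name, value);
    }

    static String repeat(char c, int n) {
        char[] buf = new char[n];
        Arrays.fill(buf, c);
        return new String(buf);
    }

    public static void main(String[] args) {
        // Constructed samples, not captured traffic.
        List<Map.Entry<String, String>> typical = Arrays.asList(
            h("Content-Type", "application/json"),
            h("Content-Length", "42"),
            h("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"));
        List<Map.Entry<String, String>> oversized = Arrays.asList(
            h("Content-Type", "text/html"),
            h("Set-Cookie", "blob=" + repeat('A', 400_000)));

        int limit = effectiveLimit();
        System.out.println("jdk.http.maxHeaderSize in effect: " + limit);
        System.out.println("typical:   " + fieldSectionSize(typical)
            + " bytes, rejected=" + exceedsLimit(typical, limit));
        System.out.println("oversized: " + fieldSectionSize(oversized)
            + " bytes, rejected=" + exceedsLimit(oversized, limit));
    }
}
```

Running it with `-Djdk.http.maxHeaderSize=0` shows the oversized section being accepted, which is the effect of disabling the limit; raising the value instead of disabling it keeps a bound on how much header data a peer can make the client buffer.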
core-libs/java.util.jar:

JDK-8193682: Infinite loop in ZipOutputStream.close()
=====================================================

In previous releases, the `DeflaterOutputStream.close()`,
`GZIPOutputStream.finish()` and `ZipOutputStream.closeEntry()` methods
did not close the associated default JDK compressor when an exception
was thrown during closure. With this release, the default compressor
is closed before propagating the Throwable up the stack. In the case
of `ZipOutputStream`, this only happens when the exception is not a
`ZipException`.

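The note only covers the compressor the stream creates for itself. The added example below (not JDK code) shows the failure the fix addresses, a sink that throws part-way through a write, and a pattern that stays safe on releases without the fix and for caller-supplied compressors, which the fix does not touch: pass your own `Deflater` and call `end()` in a `finally` block so its native buffers are released whether or not `close()` completes. `FailingStream` is a constructed stand-in for a socket that dies mid-write.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;

/**
 * Bounds the native-memory leak of an un-ended Deflater when the underlying
 * stream fails during finish()/close(). Added example, not JDK code.
 */
public class DeflaterLeakGuard {

    /** Accepts the first `limit` bytes, then throws on every further write. */
    static final class FailingStream extends OutputStream {
        private final int limit;
        private int written;
        FailingStream(int limit) { this.limit = limit; }
        @Override public void write(int b) throws IOException {
            if (written >= limit) throw new IOException("simulated peer reset after " + written + " bytes");
            written++;
        }
    }

    /**
     * Compress payload into sink, guaranteeing the Deflater is ended. Because the
     * Deflater is caller-supplied, DeflaterOutputStream.close() will not end it,
     * so the finally block is the only thing that does. Returns false if the
     * sink failed; real code would rethrow instead of swallowing.
     */
    static boolean compressSafely(byte[] payload, OutputStream sink) {
        Deflater def = new Deflater(Deflater.DEFAULT_COMPRESSION);
        try (DeflaterOutputStream out = new DeflaterOutputStream(sink, def)) {
            out.write(payload);
            out.finish();
            return true;
        } catch (IOException e) {
            // close() already ran via try-with-resources and may have thrown again (suppressed).
            return false;
        } finally {
            def.end(); // idempotent, so safe even if nothing went wrong
        }
    }

    /** Compressible but non-trivial sample input, constructed here. */
    static byte[] sample(int size) {
        byte[] data = new byte[size];
        for (int i = 0; i < size; i++) data[i] = (byte) (i % 7);
        return data;
    }

    public static void main(String[] args) {
        byte[] payload = sample(64 * 1024);
        ByteArrayOutputStream ok = new ByteArrayOutputStream();
        System.out.println("healthy sink: " + compressSafely(payload, ok)
            + ", " + ok.size() + " compressed bytes");
        System.out.println("failing sink: " + compressSafely(payload, new FailingStream(16)));
    }
}
```

Without the `finally`, each failed connection in a long-running service would strand one Deflater's native buffers until the object happened to be garbage collected, which is the resource-exhaustion path the fix closes for the stream-owned compressor.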
New in release OpenJDK 8u422 (2024-07-16):
===========================================

Live versions of these release notes can be found at: