|
|
|
|
@ -3,938 +3,6 @@ Key:
|
|
|
|
|
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
|
|
|
|
|
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
|
|
|
|
|
|
|
|
|
|
New in release OpenJDK 8u442 (2025-01-21):
|
|
|
|
|
===========================================
|
|
|
|
|
Live versions of these release notes can be found at:
|
|
|
|
|
* https://bit.ly/openjdk8u442
|
|
|
|
|
|
|
|
|
|
* Changes
|
|
|
|
|
- JDK-8048003: test/compiler/8009761/Test8009761.java failed with: java.lang.RuntimeException: static java.lang.Object Test8009761.m3(boolean,boolean) not compiled
|
|
|
|
|
- JDK-8058322: Zero name_index item of MethodParameters attribute cause MalformedParameterException.
|
|
|
|
|
- JDK-8066708: JMXStartStopTest fails to connect to port 38112
|
|
|
|
|
- JDK-8133287: (fs) java/nio/file/Files/probeContentType/ParallelProbes.java should use othervm mode
|
|
|
|
|
- JDK-8189687: Swing: Invalid position of candidate pop-up of InputMethod in Hi-DPI on Windows
|
|
|
|
|
- JDK-8209023: fix 2 compiler tests to avoid JDK-8208690
|
|
|
|
|
- JDK-8239312: [macOS] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java
|
|
|
|
|
- JDK-8260380: Upgrade to LittleCMS 2.12
|
|
|
|
|
- JDK-8315731: Open source several Swing Text related tests
|
|
|
|
|
- JDK-8335428: Enhanced Building of Processes
|
|
|
|
|
- JDK-8335912, JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files
|
|
|
|
|
- JDK-8336564: Enhance mask blit functionality redux
|
|
|
|
|
- JDK-8338402: GHA: some of bundles may not get removed
|
|
|
|
|
- JDK-8339133: [8u] Profiler crashes at guarantee(is_result_safe || is_in_asgct()): unsafe access to zombie method
|
|
|
|
|
- JDK-8339180: Enhanced Building of Processes: Follow-on Issue
|
|
|
|
|
- JDK-8339394: Bump update version of OpenJDK: 8u442
|
|
|
|
|
- JDK-8339882: Replace ThreadLocalStorage::thread with Thread::current_or_null in jdk8 backport of JDK-8183925
|
|
|
|
|
- JDK-8340815: Add SECURITY.md file
|
|
|
|
|
- JDK-8342822: jdk8u432-b06 does not compile on AIX
|
|
|
|
|
- JDK-8342841: [8u] Separate jdk_security_infra tests from jdk_tier1
|
|
|
|
|
|
|
|
|
|
Notes on individual issues:
|
|
|
|
|
===========================
|
|
|
|
|
|
|
|
|
|
core-libs/java.util.jar:
|
|
|
|
|
|
|
|
|
|
JDK-8335912/JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files
|
|
|
|
|
===================================================================================================================
|
|
|
|
|
In previous OpenJDK releases, when the jar tool extracted files from
|
|
|
|
|
an archive, it would overwrite any existing files with the same name
|
|
|
|
|
in the target directory. With this release, a new option ('-k' or
|
|
|
|
|
'--keep-old-files') may be specified so that existing files are not
|
|
|
|
|
overwritten.
|
|
|
|
|
|
|
|
|
|
The option may be specified in short or long option form, as in the
|
|
|
|
|
following examples:
|
|
|
|
|
|
|
|
|
|
* jar xkf foo.jar
|
|
|
|
|
* jar --extract --keep-old-files --file foo.jar
|
|
|
|
|
|
|
|
|
|
By default, the old behaviour remains in place and files will be
|
|
|
|
|
overwritten.
|
|
|
|
|
|
|
|
|
|
New in release OpenJDK 8u432 (2024-10-15):
|
|
|
|
|
===========================================
|
|
|
|
|
Live versions of these release notes can be found at:
|
|
|
|
|
* https://bit.ly/openjdk8u432
|
|
|
|
|
|
|
|
|
|
* CVEs
|
|
|
|
|
- CVE-2024-21208
|
|
|
|
|
- CVE-2024-21210
|
|
|
|
|
- CVE-2024-21217
|
|
|
|
|
- CVE-2024-21235
|
|
|
|
|
* Security fixes
|
|
|
|
|
- JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
|
|
|
|
|
- JDK-8313626, JDK-8307769: C2 crash due to unexpected exception control flow
|
|
|
|
|
- JDK-8328286: Enhance HTTP client
|
|
|
|
|
- JDK-8328544: Improve handling of vectorization
|
|
|
|
|
- JDK-8328726: Better Kerberos support
|
|
|
|
|
- JDK-8331446: Improve deserialization support
|
|
|
|
|
- JDK-8332644: Improve graph optimizations
|
|
|
|
|
- JDK-8335713: Enhance vectorization analysis
|
|
|
|
|
* Other changes
|
|
|
|
|
- JDK-4660158: TTY: NumberFormatException while trying to set values by 'set' command
|
|
|
|
|
- JDK-6544871: java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows.
|
|
|
|
|
- JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails
|
|
|
|
|
- JDK-8021775: compiler/8009761/Test8009761.java "Failed: init recursive calls: 51. After deopt 50"
|
|
|
|
|
- JDK-8030204: com/sun/jdi/JdbExprTest.sh: Required output "Can\\'t convert 2147483648 to int" not found
|
|
|
|
|
- JDK-8030795: java/nio/file/Files/probeContentType/ForceLoad.java failing with ServiceConfigurationError without jtreg -agentvm option
|
|
|
|
|
- JDK-8035395: sun/management/jmxremote/startstop/JMXStartStopTest.java fails intermittently: Port already in use
|
|
|
|
|
- JDK-8075511: Enable -Woverloaded-virtual C++ warning for HotSpot build
|
|
|
|
|
- JDK-8137329: [windows] Build broken on VS2010 after "8046148: JEP 158: Unified JVM Logging"
|
|
|
|
|
- JDK-8145919: sun/management/jmxremote/bootstrap/RmiSslBootstrapTest failed with Connection failed for no credentials
|
|
|
|
|
- JDK-8152207: Perform array bound checks while getting a length of bytecode instructions
|
|
|
|
|
- JDK-8193682: Infinite loop in ZipOutputStream.close()
|
|
|
|
|
- JDK-8196770: Add JNDI test com/sun/jndi/ldap/blits/AddTests/AddNewEntry.java
|
|
|
|
|
- JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04
|
|
|
|
|
- JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp
|
|
|
|
|
- JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
|
|
|
|
|
- JDK-8251188: Update LDAP tests not to use wildcard addresses
|
|
|
|
|
- JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java
|
|
|
|
|
- JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
|
|
|
|
|
- JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
|
|
|
|
|
- JDK-8279164: Disable TLS_ECDH_* cipher suites
|
|
|
|
|
- JDK-8281096: Flags introduced by configure script are not passed to ADLC build
|
|
|
|
|
- JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown"
|
|
|
|
|
- JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors
|
|
|
|
|
- JDK-8299677: Formatter.format might take a long time to format an integer or floating-point
|
|
|
|
|
- JDK-8305400: ISO 4217 Amendment 175 Update
|
|
|
|
|
- JDK-8305931: jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java failed with "Expected chains but found none"
|
|
|
|
|
- JDK-8307779: Relax the java.awt.Robot specification
|
|
|
|
|
- JDK-8309138: Fix container tests for jdks with symlinked conf dir
|
|
|
|
|
- JDK-8311666: Disabled tests in test/jdk/sun/java2d/marlin
|
|
|
|
|
- JDK-8315117: Update Zlib Data Compression Library to Version 1.3
|
|
|
|
|
- JDK-8315863: [GHA] Update checkout action to use v4
|
|
|
|
|
- JDK-8316328: Test jdk/jfr/event/oldobject/TestSanityDefault.java times out for some heap sizes
|
|
|
|
|
- JDK-8318039: GHA: Bump macOS and Xcode versions
|
|
|
|
|
- JDK-8318951: Additional negative value check in JPEG decoding
|
|
|
|
|
- JDK-8320964: sun/tools/native2ascii/Native2AsciiTests.sh fails on Japanese
|
|
|
|
|
- JDK-8321480: ISO 4217 Amendment 176 Update
|
|
|
|
|
- JDK-8324632: Update Zlib Data Compression Library to Version 1.3.1
|
|
|
|
|
- JDK-8324723: GHA: Upgrade some actions to avoid deprecated Node 16
|
|
|
|
|
- JDK-8326351: Update the Zlib version in open/src/java.base/share/legal/zlib.md to 1.3.1
|
|
|
|
|
- JDK-8326521: JFR: CompilerPhase event test fails on windows 32 bit
|
|
|
|
|
- JDK-8326529: JFR: Test for CompilerCompile events fails due to time out
|
|
|
|
|
- JDK-8327007: javax/swing/JSpinner/8008657/bug8008657.java fails
|
|
|
|
|
- JDK-8330415: Update system property for Java SE specification maintenance version
|
|
|
|
|
- JDK-8331730: [8u] GHA: update sysroot for cross builds to Debian bullseye
|
|
|
|
|
- JDK-8333126: Bump update version of OpenJDK: 8u432
|
|
|
|
|
- JDK-8333669: [8u] GHA: Dead VS2010 download link
|
|
|
|
|
- JDK-8333724: Problem list security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1
|
|
|
|
|
- JDK-8334653: ISO 4217 Amendment 177 Update
|
|
|
|
|
- JDK-8334905: [8u] The test java/awt/Mixing/AWT_Mixing/JButtonOverlapping.java started to fail after 8159690
|
|
|
|
|
- JDK-8335851: [8u] Test JMXStartStopTest.java fails after JDK-8334415
|
|
|
|
|
- JDK-8335894: [8u] Fix SupplementalJapaneseEraTest.java for jdks with symlinked conf dir
|
|
|
|
|
- JDK-8336928: GHA: Bundle artifacts removal broken
|
|
|
|
|
- JDK-8337110: [8u] TestNoEagerReclaimOfHumongousRegions.java should be in gc/g1 directory
|
|
|
|
|
- JDK-8337312: [8u] Windows x86 VS2010 build broken by JDK-8320097
|
|
|
|
|
- JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
|
|
|
|
|
- JDK-8338144: [8u] Remove duplicate license files
|
|
|
|
|
- JDK-8341057: Add 2 SSL.com TLS roots
|
|
|
|
|
- JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
|
|
|
|
|
|
|
|
|
|
Notes on individual issues:
|
|
|
|
|
===========================
|
|
|
|
|
|
|
|
|
|
security-libs/javax.net.ssl:
|
|
|
|
|
|
|
|
|
|
JDK-8279164: Disable TLS_ECDH_* cipher suites
|
|
|
|
|
=============================================
|
|
|
|
|
The TLS_ECDH cipher suites do not preserve forward secrecy and are
|
|
|
|
|
rarely used in practice. With this release, they are disabled by
|
|
|
|
|
adding "ECDH" to the `jdk.tls.disabledAlgorithms` security property in
|
|
|
|
|
the `java.security` configuration file. Attempts to use these suites
|
|
|
|
|
with this release will result in a `SSLHandshakeException` being
|
|
|
|
|
thrown. Note that ECDH cipher suites which use RC4 were already
|
|
|
|
|
disabled prior to this change.
|
|
|
|
|
|
|
|
|
|
Users can, *at their own risk*, remove this restriction by modifying
|
|
|
|
|
the `java.security` configuration file (or override it by using the
|
|
|
|
|
`java.security.properties` system property) so "ECDH" is no longer
|
|
|
|
|
listed in the `jdk.tls.disabledAlgorithms` security property.
|
|
|
|
|
|
|
|
|
|
This change has no effect on TLS_ECDHE cipher suites, which remain
|
|
|
|
|
enabled by default.
|
|
|
|
|
|
|
|
|
|
JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
|
|
|
|
|
JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
|
|
|
|
|
====================================================================================================
|
|
|
|
|
In accordance with similar plans recently announced by Google and
|
|
|
|
|
Mozilla, the JDK will not trust Transport Layer Security (TLS)
|
|
|
|
|
certificates issued after the 11th of November 2024 which are anchored
|
|
|
|
|
by Entrust root certificates. This includes certificates branded as
|
|
|
|
|
AffirmTrust, which are managed by Entrust.
|
|
|
|
|
|
|
|
|
|
Certificates issued on or before November 11th, 2024 will continue to
|
|
|
|
|
be trusted until they expire.
|
|
|
|
|
|
|
|
|
|
If a server's certificate chain is anchored by an affected
|
|
|
|
|
certificate, attempts to negotiate a TLS session will fail with an
|
|
|
|
|
Exception that indicates the trust anchor is not trusted. For example,
|
|
|
|
|
|
|
|
|
|
"TLS server certificate issued after 2024-11-11 and anchored by a
|
|
|
|
|
distrusted legacy Entrust root CA: CN=Entrust.net Certification
|
|
|
|
|
Authority (2048), OU=(c) 1999 Entrust.net Limited,
|
|
|
|
|
OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
|
|
|
|
|
O=Entrust.net"
|
|
|
|
|
|
|
|
|
|
To check whether a certificate in a JDK keystore is affected by this
|
|
|
|
|
change, you can the `keytool` utility:
|
|
|
|
|
|
|
|
|
|
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
|
|
|
|
|
|
|
|
|
|
If any of the certificates in the chain are affected by this change,
|
|
|
|
|
then you will need to update the certificate or contact the
|
|
|
|
|
organisation responsible for managing the certificate.
|
|
|
|
|
|
|
|
|
|
These restrictions apply to the following Entrust root certificates
|
|
|
|
|
included in the JDK:
|
|
|
|
|
|
|
|
|
|
Alias name: entrustevca [jdk]
|
|
|
|
|
CN=Entrust Root Certification Authority
|
|
|
|
|
OU=(c) 2006 Entrust, Inc.
|
|
|
|
|
OU=www.entrust.net/CPS is incorporated by reference
|
|
|
|
|
O=Entrust, Inc.
|
|
|
|
|
C=US
|
|
|
|
|
SHA256: 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C
|
|
|
|
|
|
|
|
|
|
Alias name: entrustrootcaec1 [jdk]
|
|
|
|
|
CN=Entrust Root Certification Authority - EC1
|
|
|
|
|
OU=(c) 2012 Entrust, Inc. - for authorized use only
|
|
|
|
|
OU=See www.entrust.net/legal-terms
|
|
|
|
|
O=Entrust, Inc.
|
|
|
|
|
C=US
|
|
|
|
|
SHA256: 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
|
|
|
|
|
|
|
|
|
|
Alias name: entrustrootcag2 [jdk]
|
|
|
|
|
CN=Entrust Root Certification Authority - G2
|
|
|
|
|
OU=(c) 2009 Entrust, Inc. - for authorized use only
|
|
|
|
|
OU=See www.entrust.net/legal-terms
|
|
|
|
|
O=Entrust, Inc.
|
|
|
|
|
C=US
|
|
|
|
|
SHA256: 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
|
|
|
|
|
|
|
|
|
|
Alias name: entrustrootcag4 [jdk]
|
|
|
|
|
CN=Entrust Root Certification Authority - G4
|
|
|
|
|
OU=(c) 2015 Entrust, Inc. - for authorized use only
|
|
|
|
|
OU=See www.entrust.net/legal-terms
|
|
|
|
|
O=Entrust, Inc.
|
|
|
|
|
C=US
|
|
|
|
|
SHA256: DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88
|
|
|
|
|
|
|
|
|
|
Alias name: entrust2048ca [jdk]
|
|
|
|
|
CN=Entrust.net Certification Authority (2048)
|
|
|
|
|
OU=(c) 1999 Entrust.net Limited
|
|
|
|
|
OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)
|
|
|
|
|
O=Entrust.net
|
|
|
|
|
SHA256: 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77
|
|
|
|
|
|
|
|
|
|
Alias name: affirmtrustcommercialca [jdk]
|
|
|
|
|
CN=AffirmTrust Commercial
|
|
|
|
|
O=AffirmTrust
|
|
|
|
|
C=US
|
|
|
|
|
SHA256: 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7
|
|
|
|
|
|
|
|
|
|
Alias name: affirmtrustnetworkingca [jdk]
|
|
|
|
|
CN=AffirmTrust Networking
|
|
|
|
|
O=AffirmTrust
|
|
|
|
|
C=US
|
|
|
|
|
SHA256: 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B
|
|
|
|
|
|
|
|
|
|
Alias name: affirmtrustpremiumca [jdk]
|
|
|
|
|
CN=AffirmTrust Premium
|
|
|
|
|
O=AffirmTrust
|
|
|
|
|
C=US
|
|
|
|
|
SHA256: 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A
|
|
|
|
|
|
|
|
|
|
Alias name: affirmtrustpremiumeccca [jdk]
|
|
|
|
|
CN=AffirmTrust Premium ECC
|
|
|
|
|
O=AffirmTrust
|
|
|
|
|
C=US
|
|
|
|
|
SHA256: BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23
|
|
|
|
|
|
|
|
|
|
Users can, *at their own risk*, remove this restriction by modifying
|
|
|
|
|
the `java.security` configuration file (or override it by using the
|
|
|
|
|
`java.security.properties` system property) so "ENTRUST_TLS" is no
|
|
|
|
|
longer listed in the `jdk.security.caDistrustPolicies` security
|
|
|
|
|
property.
|
|
|
|
|
|
|
|
|
|
security-libs/java.security:
|
|
|
|
|
|
|
|
|
|
JDK-8341057: Add 2 SSL.com TLS roots
|
|
|
|
|
====================================
|
|
|
|
|
The following root certificates have been added to the cacerts
|
|
|
|
|
truststore:
|
|
|
|
|
|
|
|
|
|
Name: SSL.com
|
|
|
|
|
Alias Name: ssltlsrootecc2022
|
|
|
|
|
Distinguished Name: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
|
|
|
|
|
|
|
|
|
|
Name: SSL.com
|
|
|
|
|
Alias Name: ssltlsrootrsa2022
|
|
|
|
|
Distinguished Name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
|
|
|
|
|
|
|
|
|
|
client-libs:
|
|
|
|
|
|
|
|
|
|
JDK-8307779: Relax the java.awt.Robot specification
|
|
|
|
|
===================================================
|
|
|
|
|
This release of OpenJDK 8 updates to the latest maintenance release of
|
|
|
|
|
the Java 8 specification. This relaxes the specification of three
|
|
|
|
|
methods in the `java.awt.Robot` class - `mouseMove(int,int)`,
|
|
|
|
|
`getPixelColor(int,int)` and `createScreenCapture(Rectangle)` - to
|
|
|
|
|
allow these methods to fail when the desktop environment does not
|
|
|
|
|
permit moving the mouse pointer or capturing screen content.
|
|
|
|
|
|
|
|
|
|
core-libs/javax.naming:
|
|
|
|
|
|
|
|
|
|
JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
|
|
|
|
|
===============================================================================================================================
|
|
|
|
|
With this OpenJDK release, the JDK implementation of the LDAP provider
|
|
|
|
|
no longer supports the deserialisation of Java objects by
|
|
|
|
|
default. This is achieved by the system property
|
|
|
|
|
`com.sun.jndi.ldap.object.trustSerialData` being set to `false` by
|
|
|
|
|
default.
|
|
|
|
|
|
|
|
|
|
Note that this release also increases the scope of the
|
|
|
|
|
`com.sun.jndi.ldap.object.trustSerialData` to cover the reconstruction
|
|
|
|
|
of RMI remote objects from the `javaRemoteLocation` LDAP attribute.
|
|
|
|
|
|
|
|
|
|
The result of this change is that transparent deserialisation of Java
|
|
|
|
|
objects will require an explicit opt-in. Applications that wish to
|
|
|
|
|
reconstruct Java objects and RMI stubs from LDAP attributes will need
|
|
|
|
|
to set the `com.sun.jndi.ldap.object.trustSerialData` to `true`.
|
|
|
|
|
|
|
|
|
|
core-libs/java.net:
|
|
|
|
|
|
|
|
|
|
JDK-8328286: Enhance HTTP client
|
|
|
|
|
================================
|
|
|
|
|
This OpenJDK release limits the maximum header field size accepted by
|
|
|
|
|
the HTTP client within the JDK for all supported versions of the HTTP
|
|
|
|
|
protocol. The header field size is computed as the sum of the size of
|
|
|
|
|
the uncompressed header name, the size of the uncompressed header
|
|
|
|
|
value and a overhead of 32 bytes for each field section line. If a
|
|
|
|
|
peer sends a field section that exceeds this limit, a
|
|
|
|
|
`java.net.ProtocolException` will be raised.
|
|
|
|
|
|
|
|
|
|
This release also introduces a new system property,
|
|
|
|
|
`jdk.http.maxHeaderSize`. This property can be used to alter the
|
|
|
|
|
maximum header field size (in bytes) or disable it by setting the
|
|
|
|
|
value to zero or a negative value. The default value is 393,216 bytes
|
|
|
|
|
or 384kB.
|
|
|
|
|
|
|
|
|
|
core-libs/java.util.jar:
|
|
|
|
|
|
|
|
|
|
JDK-8193682: Infinite loop in ZipOutputStream.close()
|
|
|
|
|
=====================================================
|
|
|
|
|
In previous releases, the `DeflaterOutputStream.close()`,
|
|
|
|
|
`GZIPOutputStream.finish()` and `ZipOutputStream.closeEntry()` methods
|
|
|
|
|
did not close the associated default JDK compressor when an exception
|
|
|
|
|
was thrown during closure. With this release, the default compressor
|
|
|
|
|
is closed before propogating the Throwable up the stack. In the case
|
|
|
|
|
of `ZipOutputStream`, this only happens when the exception is not a
|
|
|
|
|
`ZipException`.
|
|
|
|
|
|
|
|
|
|
New in release OpenJDK 8u422 (2024-07-16):
|
|
|
|
|
===========================================
|
|
|
|
|
Live versions of these release notes can be found at:
|
|
|
|
|
* https://bit.ly/openjdk8u422
|
|
|
|
|
|
|
|
|
|
* CVEs
|
|
|
|
|
- CVE-2024-21131
|
|
|
|
|
- CVE-2024-21138
|
|
|
|
|
- CVE-2024-21140
|
|
|
|
|
- CVE-2024-21144
|
|
|
|
|
- CVE-2024-21145
|
|
|
|
|
- CVE-2024-21147
|
|
|
|
|
* Security fixes
|
|
|
|
|
- JDK-8314794: Improve UTF8 String supports
|
|
|
|
|
- JDK-8319859: Better symbol storage
|
|
|
|
|
- JDK-8320097: Improve Image transformations
|
|
|
|
|
- JDK-8320548: Improved loop handling
|
|
|
|
|
- JDK-8322106: Enhance Pack 200 loading
|
|
|
|
|
- JDK-8323231: Improve array management
|
|
|
|
|
- JDK-8323390: Enhance mask blit functionality
|
|
|
|
|
- JDK-8324559: Improve 2D image handling
|
|
|
|
|
- JDK-8325600: Better symbol storage
|
|
|
|
|
* Other changes
|
|
|
|
|
- JDK-8025439: [TEST BUG] [macosx] PrintServiceLookup.lookupPrintServices doesn't work properly since jdk8b105
|
|
|
|
|
- JDK-8069389: CompilerOracle prefix wildcarding is broken for long strings
|
|
|
|
|
- JDK-8159454: [TEST_BUG] javax/swing/ToolTipManager/7123767/bug7123767.java: number of checked graphics configurations should be limited
|
|
|
|
|
- JDK-8159690: [TESTBUG] Mark headful tests with @key headful.
|
|
|
|
|
- JDK-8198321: javax/swing/JEditorPane/5076514/bug5076514.java fails
|
|
|
|
|
- JDK-8203691: [TESTBUG] Test /runtime/containers/cgroup/PlainRead.java fails
|
|
|
|
|
- JDK-8205407: [windows, vs<2017] C4800 after 8203197
|
|
|
|
|
- JDK-8235834: IBM-943 charset encoder needs updating
|
|
|
|
|
- JDK-8239965: XMLEncoder/Test4625418.java fails due to "Error: Cp943 - can't read properly"
|
|
|
|
|
- JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
|
|
|
|
|
- JDK-8256152: tests fail because of ambiguous method resolution
|
|
|
|
|
- JDK-8258855: Two tests sun/security/krb5/auto/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java failed on OL8.3
|
|
|
|
|
- JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info.
|
|
|
|
|
- JDK-8268916: Tests for AffirmTrust roots
|
|
|
|
|
- JDK-8278067: Make HttpURLConnection default keep alive timeout configurable
|
|
|
|
|
- JDK-8291226: Create Test Cases to cover scenarios for JDK-8278067
|
|
|
|
|
- JDK-8291637: HttpClient default keep alive timeout not followed if server sends invalid value
|
|
|
|
|
- JDK-8291638: Keep-Alive timeout of 0 should close connection immediately
|
|
|
|
|
- JDK-8293562: KeepAliveCache Blocks Threads while Closing Connections
|
|
|
|
|
- JDK-8303466: C2: failed: malformed control flow. Limit type made precise with MaxL/MinL
|
|
|
|
|
- JDK-8304074: [JMX] Add an approximation of total bytes allocated on the Java heap by the JVM
|
|
|
|
|
- JDK-8313081: MonitoringSupport_lock should be unconditionally initialized after 8304074
|
|
|
|
|
- JDK-8315020: The macro definition for LoongArch64 zero build is not accurate.
|
|
|
|
|
- JDK-8316138: Add GlobalSign 2 TLS root certificates
|
|
|
|
|
- JDK-8318410: jdk/java/lang/instrument/BootClassPath/BootClassPathTest.sh fails on Japanese Windows
|
|
|
|
|
- JDK-8320005: Allow loading of shared objects with .a extension on AIX
|
|
|
|
|
- JDK-8324185: [8u] Accept Xcode 12+ builds on macOS
|
|
|
|
|
- JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/AKISerialNumber.java is failing
|
|
|
|
|
- JDK-8325927: [8u] Backport of JDK-8170552 missed part of the test
|
|
|
|
|
- JDK-8326686: Bump update version of OpenJDK: 8u422
|
|
|
|
|
- JDK-8327440: Fix "bad source file" error during beaninfo generation
|
|
|
|
|
- JDK-8328809: [8u] Problem list some CA tests
|
|
|
|
|
- JDK-8328825: Google CAInterop test failures
|
|
|
|
|
- JDK-8329544: [8u] sun/security/krb5/auto/ReplayCacheTestProc.java cannot find the testlibrary
|
|
|
|
|
- JDK-8331791: [8u] AIX build break from JDK-8320005 backport
|
|
|
|
|
- JDK-8331980: [8u] Problem list CAInterop.java#certignarootca test
|
|
|
|
|
- JDK-8335552: [8u] JDK-8303466 backport to 8u requires 3 ::Identity signature fixes
|
|
|
|
|
|
|
|
|
|
Notes on individual issues:
|
|
|
|
|
===========================
|
|
|
|
|
|
|
|
|
|
core-libs/java.net:
|
|
|
|
|
|
|
|
|
|
JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable
|
|
|
|
|
===========================================================================
|
|
|
|
|
Two system properties have been added which control the keep alive
|
|
|
|
|
behavior of HttpURLConnection in the case where the server does not
|
|
|
|
|
specify a keep alive time. These are:
|
|
|
|
|
|
|
|
|
|
* `http.keepAlive.time.server`
|
|
|
|
|
* `http.keepAlive.time.proxy`
|
|
|
|
|
|
|
|
|
|
which control the number of seconds before an idle connection to a
|
|
|
|
|
server or proxy will be closed, respectively. If the server or proxy
|
|
|
|
|
specifies a keep alive time in a "Keep-Alive" response header, this
|
|
|
|
|
will take precedence over the values of these properties.
|
|
|
|
|
|
|
|
|
|
security-libs/java.security:
|
|
|
|
|
|
|
|
|
|
JDK-8316138: Add GlobalSign 2 TLS root certificates
|
|
|
|
|
===================================================
|
|
|
|
|
The following root certificates have been added to the cacerts
|
|
|
|
|
truststore:
|
|
|
|
|
|
|
|
|
|
Name: GlobalSign
|
|
|
|
|
Alias Name: globalsignr46
|
|
|
|
|
Distinguished Name: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE
|
|
|
|
|
|
|
|
|
|
Name: GlobalSign
|
|
|
|
|
Alias Name: globalsigne46
|
|
|
|
|
Distinguished Name: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE
|
|
|
|
|
|
|
|
|
|
New in release OpenJDK 8u412 (2024-04-16):
|
|
|
|
|
===========================================
|
|
|
|
|
Live versions of these release notes can be found at:
|
|
|
|
|
* https://bit.ly/openjdk8u412
|
|
|
|
|
|
|
|
|
|
* CVEs
|
|
|
|
|
- CVE-2024-21011
|
|
|
|
|
- CVE-2024-21085
|
|
|
|
|
- CVE-2024-21068
|
|
|
|
|
- CVE-2024-21094
|
|
|
|
|
* Security fixes
|
|
|
|
|
- JDK-8317507, JDK-8325348: C2 compilation fails with "Exceeded _node_regs array"
|
|
|
|
|
- JDK-8318340: Improve RSA key implementations
|
|
|
|
|
- JDK-8319851: Improve exception logging
|
|
|
|
|
- JDK-8322114: Improve Pack 200 handling
|
|
|
|
|
- JDK-8322122: Enhance generation of addresses
|
|
|
|
|
* Other changes
|
|
|
|
|
- JDK-8011180: Delete obsolete scripts
|
|
|
|
|
- JDK-8016451: Scary messages emitted by build.tools.generatenimbus.PainterGenerator during build
|
|
|
|
|
- JDK-8021961: setAlwaysOnTop doesn't behave correctly in Linux/Solaris under certain scenarios
|
|
|
|
|
- JDK-8023735: [TESTBUG][macosx] runtime/XCheckJniJsig/XCheckJSig.java fails on MacOS X
|
|
|
|
|
- JDK-8074860: Structured Exception Catcher missing around CreateJavaVM on Windows
|
|
|
|
|
- JDK-8079441: Intermittent failures on Windows with "Unexpected exit from test [exit code: 1080890248]" (0x406d1388)
|
|
|
|
|
- JDK-8155590: Dubious collection management in sun.net.www.http.KeepAliveCache
|
|
|
|
|
- JDK-8168518: rcache interop with krb5-1.15
|
|
|
|
|
- JDK-8183503: Update hotspot tests to allow for unique test classes directory
|
|
|
|
|
- JDK-8186095: upgrade to jtreg 4.2 b08
|
|
|
|
|
- JDK-8186199: [windows] JNI_DestroyJavaVM not covered by SEH
|
|
|
|
|
- JDK-8192931: Regression test java/awt/font/TextLayout/CombiningPerf.java fails
|
|
|
|
|
- JDK-8208655: use JTreg skipped status in hotspot tests
|
|
|
|
|
- JDK-8208701: Fix for JDK-8208655 causes test failures in CI tier1
|
|
|
|
|
- JDK-8208706: compiler/tiered/ConstantGettersTransitionsTest.java fails to compile
|
|
|
|
|
- JDK-8213410: UseCompressedOops requirement check fails fails on 32-bit system
|
|
|
|
|
- JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"
|
|
|
|
|
- JDK-8224768: Test ActalisCA.java fails
|
|
|
|
|
- JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits
|
|
|
|
|
- JDK-8251551: Use .md filename extension for README
|
|
|
|
|
- JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired
|
|
|
|
|
- JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error
|
|
|
|
|
- JDK-8270517: Add Zero support for LoongArch
|
|
|
|
|
- JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
|
|
|
|
|
- JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
|
|
|
|
|
- JDK-8288132: Update test artifacts in QuoVadis CA interop tests
|
|
|
|
|
- JDK-8297955: LDAP CertStore should use LdapName and not String for DNs
|
|
|
|
|
- JDK-8301310: The SendRawSysexMessage test may cause a JVM crash
|
|
|
|
|
- JDK-8308592: Framework for CA interoperability testing
|
|
|
|
|
- JDK-8312126: NullPointerException in CertStore.getCRLs after 8297955
|
|
|
|
|
- JDK-8315042: NPE in PKCS7.parseOldSignedData
|
|
|
|
|
- JDK-8315757: [8u] Add cacerts JTREG tests to GHA tier1 test set
|
|
|
|
|
- JDK-8320713: Bump update version of OpenJDK: 8u412
|
|
|
|
|
- JDK-8321060: [8u] hotspot needs to recognise VS2022
|
|
|
|
|
- JDK-8321408: Add Certainly roots R1 and E1
|
|
|
|
|
- JDK-8322725: (tz) Update Timezone Data to 2023d
|
|
|
|
|
- JDK-8322750: Test "api/java_awt/interactive/SystemTrayTests.html" failed because A blue ball icon is added outside of the system tray
|
|
|
|
|
- JDK-8323202: [8u] Remove get_source.sh and hgforest.sh
|
|
|
|
|
- JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed
|
|
|
|
|
- JDK-8324184: Windows VS2010 build failed with "error C2275: 'int64_t'"
|
|
|
|
|
- JDK-8324530: Build error with gcc 10
|
|
|
|
|
- JDK-8325150: (tz) Update Timezone Data to 2024a
|
|
|
|
|
|
|
|
|
|
Notes on individual issues:
|
|
|
|
|
===========================
|
|
|
|
|
|
|
|
|
|
security-libs/org.ietf.jgss:krb5:
|
|
|
|
|
|
|
|
|
|
JDK-8168518: rcache interop with krb5-1.15
|
|
|
|
|
==========================================
|
|
|
|
|
The hash algorithm used in the Kerberos 5 replay cache file (rcache)
|
|
|
|
|
has been changed from MD5 to SHA256. This is the same algorithm used
|
|
|
|
|
by MIT krb5-1.15 and is interoperable with earlier releases of MIT
|
|
|
|
|
krb5.
|
|
|
|
|
|
|
|
|
|
The MD5 algorithm can still be used by setting the new
|
|
|
|
|
jdk.krb5.rcache.useMD5 property to 'true':
|
|
|
|
|
|
|
|
|
|
java -Djdk.krb5.rcache.useMD5=true ...
|
|
|
|
|
|
|
|
|
|
This is useful where either the system has a coarse clock and has to
|
|
|
|
|
depend on hash values in replay attack detection, or interoperability
|
|
|
|
|
with the rcache files in older versions of OpenJDK is required.
|
|
|
|
|
|
|
|
|
|
client-libs/java.awt:
|
|
|
|
|
|
|
|
|
|
JDK-8322750: AWT SystemTray API Is Not Supported on Most Linux Desktops
|
|
|
|
|
=======================================================================
|
|
|
|
|
The java.awt.SystemTray API is used to interact with the system's
|
|
|
|
|
desktop taskbar to provide notifications and may include an icon
|
|
|
|
|
representing an application. The GNOME desktop's support for taskbar
|
|
|
|
|
icons has not worked properly for several years, due to a platform
|
|
|
|
|
bug. This bug, in turn, affects the JDK's SystemTray support on GNOME
|
|
|
|
|
desktops.
|
|
|
|
|
|
|
|
|
|
Therefore, in accordance with the SystemTray API specification,
|
|
|
|
|
java.awt.SystemTray.isSupported() will now return false on systems
|
|
|
|
|
that exhibit this bug, which is assumed to be those running a version
|
|
|
|
|
of GNOME Shell below 45.
|
|
|
|
|
|
|
|
|
|
The impact of this change is likely to be minimal, as users of the
|
|
|
|
|
SystemTray API should already be able to handle isSupported()
|
|
|
|
|
returning false and the system tray on such platforms has already been
|
|
|
|
|
unsupported for a number of years for all applications.
|
|
|
|
|
|
|
|
|
|
security-libs/java.security:
|
|
|
|
|
|
|
|
|
|
JDK-8321408: Added Certainly R1 and E1 Root Certificates
|
|
|
|
|
========================================================
|
|
|
|
|
The following root certificate has been added to the cacerts
|
|
|
|
|
truststore:
|
|
|
|
|
|
|
|
|
|
Name: Certainly
|
|
|
|
|
Alias Name: certainlyrootr1
|
|
|
|
|
Distinguished Name: CN=Certainly Root R1, O=Certainly, C=US
|
|
|
|
|
|
|
|
|
|
Name: Certainly
|
|
|
|
|
Alias Name: certainlyroote1
|
|
|
|
|
Distinguished Name: CN=Certainly Root E1, O=Certainly, C=US
|
|
|
|
|
|
|
|
|
|
New in release OpenJDK 8u402 (2024-01-16):
|
|
|
|
|
===========================================
|
|
|
|
|
Live versions of these release notes can be found at:
|
|
|
|
|
* https://bit.ly/openjdk8u402
|
|
|
|
|
|
|
|
|
|
* CVEs
|
|
|
|
|
- CVE-2024-20918
|
|
|
|
|
- CVE-2024-20919
|
|
|
|
|
- CVE-2024-20921
|
|
|
|
|
- CVE-2024-20926
|
|
|
|
|
- CVE-2024-20945
|
|
|
|
|
- CVE-2024-20952
|
|
|
|
|
* Security fixes
|
|
|
|
|
- JDK-8308204: Enhanced certificate processing
|
|
|
|
|
- JDK-8314284: Enhance Nashorn performance
|
|
|
|
|
- JDK-8314295: Enhance verification of verifier
|
|
|
|
|
- JDK-8314307: Improve loop handling
|
|
|
|
|
- JDK-8314468: Improve Compiler loops
|
|
|
|
|
- JDK-8316976: Improve signature handling
|
|
|
|
|
- JDK-8317547: Enhance TLS connection support
|
|
|
|
|
* Other changes
|
|
|
|
|
- JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion
|
|
|
|
|
- JDK-8029995: accept yes/no for boolean krb5.conf settings
|
|
|
|
|
- JDK-8159156: [TESTBUG] ReserveMemory test is not useful on Aix.
|
|
|
|
|
- JDK-8176509: Use pandoc for converting build readme to html
|
|
|
|
|
- JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value
|
|
|
|
|
- JDK-8207404: MulticastSocket tests failing on AIX
|
|
|
|
|
- JDK-8212677: X11 default visual support for IM status window on VNC
|
|
|
|
|
- JDK-8239365: ProcessBuilder test modifications for AIX execution
|
|
|
|
|
- JDK-8271838: AmazonCA.java interop test fails
|
|
|
|
|
- JDK-8285398: Cache the results of constraint checks
|
|
|
|
|
- JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null
|
|
|
|
|
- JDK-8302017: Allocate BadPaddingException only if it will be thrown
|
|
|
|
|
- JDK-8305329: [8u] Unify test libraries into single test library - step 1
|
|
|
|
|
- JDK-8307837: [8u] Check step in GHA should also print errors
|
|
|
|
|
- JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails
|
|
|
|
|
- JDK-8311813: C1: Uninitialized PhiResolver::_loop field
|
|
|
|
|
- JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
|
|
|
|
|
- JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException
|
|
|
|
|
- JDK-8315280: Bump update version of OpenJDK: 8u402
|
|
|
|
|
- JDK-8315506: C99 compatibility issue in LinuxNativeDispatcher
|
|
|
|
|
- JDK-8317291: Missing null check for nmethod::is_native_method()
|
|
|
|
|
- JDK-8317373: Add Telia Root CA v2
|
|
|
|
|
- JDK-8317374: Add Let's Encrypt ISRG Root X2
|
|
|
|
|
- JDK-8318759: Add four DigiCert root certificates
|
|
|
|
|
- JDK-8319187: Add three eMudhra emSign roots
|
|
|
|
|
- JDK-8319405: [s390] [jdk8] Increase javac default stack size for s390x zero
|
|
|
|
|
- JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly
|
|
|
|
|
|
|
|
|
|
Notes on individual issues:
|
|
|
|
|
===========================
|
|
|
|
|
|
|
|
|
|
security-libs/org.ietf.jgss:krb5:
|
|
|
|
|
|
|
|
|
|
JDK-8029995: accept yes/no for boolean krb5.conf settings
|
|
|
|
|
=========================================================
|
|
|
|
|
The krb5.conf configuration file now also accepts "yes" and "no", as
|
|
|
|
|
alternatives to the existing "true" and "false" support, when using
|
|
|
|
|
settings that take boolean values.
|
|
|
|
|
|
|
|
|
|
security-libs/java.security:
|
|
|
|
|
|
|
|
|
|
JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
|
|
|
|
|
===============================================================================================================================
|
|
|
|
|
A maximum signature file size property, jdk.jar.maxSignatureFileSize,
|
|
|
|
|
was introduced in the 8u382 release of OpenJDK by JDK-8300596, with a
|
|
|
|
|
default of 8MB. This default proved to be too small for some JAR
|
|
|
|
|
files. This release, 8u402, increases it to 16MB.
|
|
|
|
|
|
|
|
|
|
JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt
|
|
|
|
|
=================================================================
|
|
|
|
|
The following root certificate has been added to the cacerts
|
|
|
|
|
truststore:
|
|
|
|
|
|
|
|
|
|
Name: Let's Encrypt
|
|
|
|
|
Alias Name: letsencryptisrgx2
|
|
|
|
|
Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US
|
|
|
|
|
|
|
|
|
|
JDK-8318759: Added Four Root Certificates from DigiCert, Inc.
|
|
|
|
|
=============================================================
|
|
|
|
|
The following root certificates have been added to the cacerts
|
|
|
|
|
truststore:
|
|
|
|
|
|
|
|
|
|
Name: DigiCert, Inc.
|
|
|
|
|
Alias Name: digicertcseccrootg5
|
|
|
|
|
Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US
|
|
|
|
|
|
|
|
|
|
Name: DigiCert, Inc.
|
|
|
|
|
Alias Name: digicertcsrsarootg5
|
|
|
|
|
Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
|
|
|
|
|
|
|
|
|
|
Name: DigiCert, Inc.
|
|
|
|
|
Alias Name: digicerttlseccrootg5
|
|
|
|
|
Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
|
|
|
|
|
|
|
|
|
|
Name: DigiCert, Inc.
|
|
|
|
|
Alias Name: digicerttlsrsarootg5
|
|
|
|
|
Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
|
|
|
|
|
|
|
|
|
|
JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited
|
|
|
|
|
============================================================================
|
|
|
|
|
The following root certificates have been added to the cacerts
|
|
|
|
|
truststore:
|
|
|
|
|
|
|
|
|
|
Name: eMudhra Technologies Limited
|
|
|
|
|
Alias Name: emsignrootcag1
|
|
|
|
|
Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
|
|
|
|
|
|
|
|
|
|
Name: eMudhra Technologies Limited
|
|
|
|
|
Alias Name: emsigneccrootcag3
|
|
|
|
|
Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
|
|
|
|
|
|
|
|
|
|
Name: eMudhra Technologies Limited
|
|
|
|
|
Alias Name: emsignrootcag2
|
|
|
|
|
Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
|
|
|
|
|
|
|
|
|
|
JDK-8317373: Added Telia Root CA v2 Certificate
|
|
|
|
|
===============================================
|
|
|
|
|
The following root certificate has been added to the cacerts
|
|
|
|
|
truststore:
|
|
|
|
|
|
|
|
|
|
Name: Telia Root CA v2
|
|
|
|
|
Alias Name: teliarootcav2
|
|
|
|
|
Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ```
|
|
|
|
|
|
|
|
|
|
New in release OpenJDK 8u392 (2023-10-17):
|
|
|
|
|
===========================================
|
|
|
|
|
Live versions of these release notes can be found at:
|
|
|
|
|
* https://bit.ly/openjdk8u392
|
|
|
|
|
|
|
|
|
|
* CVEs
|
|
|
|
|
- CVE-2023-22067
|
|
|
|
|
- CVE-2023-22081
|
|
|
|
|
* Security fixes
|
|
|
|
|
- JDK-8286503, JDK-8312367: Enhance security classes
|
|
|
|
|
- JDK-8297856: Improve handling of Bidi characters
|
|
|
|
|
- JDK-8303384: Improved communication in CORBA
|
|
|
|
|
- JDK-8305815, JDK-8307278: Update Libpng to 1.6.39
|
|
|
|
|
- JDK-8309966: Enhanced TLS connections
|
|
|
|
|
* Other changes
|
|
|
|
|
- JDK-6722928: Provide a default native GSS-API library on Windows
|
|
|
|
|
- JDK-8040887: [TESTBUG] Remove test/runtime/6925573/SortMethodsTest.java
|
|
|
|
|
- JDK-8042726: [TESTBUG] TEST.groups file was not updated after runtime/6925573/SortMethodsTest.java removal
|
|
|
|
|
- JDK-8139348: Deprecate 3DES and RC4 in Kerberos
|
|
|
|
|
- JDK-8173072: zipfs fails to handle incorrect info-zip "extended timestamp extra field"
|
|
|
|
|
- JDK-8200468: Port the native GSS-API bridge to Windows
|
|
|
|
|
- JDK-8202952: C2: Unexpected dead nodes after matching
|
|
|
|
|
- JDK-8205399: Set node color on pinned HashMap.TreeNode deletion
|
|
|
|
|
- JDK-8209115: adjust libsplashscreen linux ppc64le builds for easier libpng update
|
|
|
|
|
- JDK-8214046: [macosx] Undecorated Frame does not Iconify when set to
|
|
|
|
|
- JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException
|
|
|
|
|
- JDK-8225687: Newly added sspi.cpp in JDK-6722928 still contains some small errors
|
|
|
|
|
- JDK-8232225: Rework the fix for JDK-8071483
|
|
|
|
|
- JDK-8242330: Arrays should be cloned in several JAAS Callback classes
|
|
|
|
|
- JDK-8253269: The CheckCommonColors test should provide more info on failure
|
|
|
|
|
- JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
|
|
|
|
|
- JDK-8284910: Buffer clean in PasswordCallback
|
|
|
|
|
- JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
|
|
|
|
|
- JDK-8287663: Add a regression test for JDK-8287073
|
|
|
|
|
- JDK-8295685: Update Libpng to 1.6.38
|
|
|
|
|
- JDK-8295894: Remove SECOM certificate that is expiring in September 2023
|
|
|
|
|
- JDK-8308788: [8u] Remove duplicate HaricaCA.java test
|
|
|
|
|
- JDK-8309122: Bump update version of OpenJDK: 8u392
|
|
|
|
|
- JDK-8309143: [8u] fix archiving inconsistencies in GHA
|
|
|
|
|
- JDK-8310026: [8u] make java_lang_String::hash_code consistent across platforms
|
|
|
|
|
- JDK-8314960: Add Certigna Root CA - 2
|
|
|
|
|
- JDK-8315135: Memory leak in the native implementation of Pack200.Unpacker.unpack()
|
|
|
|
|
- JDK-8317040: Exclude cleaner test failing on older releases
|
|
|
|
|
|
|
|
|
|
Notes on individual issues:
|
|
|
|
|
===========================
|
|
|
|
|
|
|
|
|
|
other-libs/corba:idl:
|
|
|
|
|
|
|
|
|
|
JDK-8303384: Improved communication in CORBA
|
|
|
|
|
============================================
|
|
|
|
|
The JDK's CORBA implementation now provides the option to limit
|
|
|
|
|
serialisation in stub objects to those with the "IOR:" prefix. For
|
|
|
|
|
ORB constrained stub classes:
|
|
|
|
|
|
|
|
|
|
* _DynArrayStub
|
|
|
|
|
* _DynEnumStub
|
|
|
|
|
* _DynFixedStub
|
|
|
|
|
* _DynSequenceStub
|
|
|
|
|
* _DynStructStub
|
|
|
|
|
* _DynUnionStub
|
|
|
|
|
* _DynValueStub
|
|
|
|
|
* _DynAnyStub
|
|
|
|
|
* _DynAnyFactoryStub
|
|
|
|
|
|
|
|
|
|
this is enabled by default and may be disabled by setting the system
|
|
|
|
|
property org.omg.DynamicAny.disableIORCheck to 'true'.
|
|
|
|
|
|
|
|
|
|
For remote service stub classes:
|
|
|
|
|
|
|
|
|
|
* _NamingContextStub
|
|
|
|
|
* _BindingIteratorStub
|
|
|
|
|
* _NamingContextExtStub
|
|
|
|
|
* _ServantActivatorStub
|
|
|
|
|
* _ServantLocatorStub
|
|
|
|
|
* _ServerManagerStub
|
|
|
|
|
* _ActivatorStub
|
|
|
|
|
* _RepositoryStub
|
|
|
|
|
* _InitialNameServiceStub
|
|
|
|
|
* _LocatorStub
|
|
|
|
|
* _ServerStub
|
|
|
|
|
|
|
|
|
|
it is disabled by default and may be enabled by setting the system
|
|
|
|
|
property org.omg.CORBA.IDL.Stubs.enableIORCheck to 'true'.
|
|
|
|
|
|
|
|
|
|
security-libs/org.ietf.jgss:
|
|
|
|
|
|
|
|
|
|
JDK-6722928: Added a Default Native GSS-API Library on Windows
|
|
|
|
|
==============================================================
|
|
|
|
|
|
|
|
|
|
A native GSS-API library named `sspi_bridge.dll` has been added to the
|
|
|
|
|
JDK on the Windows platform. As with native GSS-API library provision
|
|
|
|
|
on other operating systems, it will only be loaded when the
|
|
|
|
|
`sun.security.jgss.native` system property is set to "true". A user
|
|
|
|
|
can still load a third-party native GSS-API library instead by setting
|
|
|
|
|
the `sun.security.jgss.lib` system property to the appropriate path.
|
|
|
|
|
|
|
|
|
|
The library is client-side only and uses the default credentials.
|
|
|
|
|
Native GSS support automatically uses cached credentials from the
|
|
|
|
|
underlying operating system, so the
|
|
|
|
|
`javax.security.auth.useSubjectCredsOnly` system property should be
|
|
|
|
|
set to false.
|
|
|
|
|
|
|
|
|
|
The `com.sun.security.auth.module.Krb5LoginModule` does not call
|
|
|
|
|
native JGSS and so its use in your JAAS config should be avoided.
|
|
|
|
|
|
|
|
|
|
security-libs/org.ietf.jgss:krb5:
|
|
|
|
|
|
|
|
|
|
JDK-8139348: Deprecate 3DES and RC4 in Kerberos
|
|
|
|
|
===============================================
|
|
|
|
|
The `des3-hmac-sha1` and `rc4-hmac` Kerberos encryption types (etypes)
|
|
|
|
|
are now deprecated and disabled by default. To re-enable them, you
|
|
|
|
|
can either enable all weak crypto (which also includes `des-cbc-crc`
|
|
|
|
|
and `des-cbc-md5`) by setting `allow_weak_crypto = true` in the
|
|
|
|
|
`krb5.conf` configuration file or explicitly list all the preferred
|
|
|
|
|
encryption types using the `default_tkt_enctypes`,
|
|
|
|
|
`default_tgs_enctypes`, or `permitted_enctypes` settings.
|
|
|
|
|
|
|
|
|
|
security-libs/java.security:
|
|
|
|
|
|
|
|
|
|
JDK-8295894: Removed SECOM Trust System's RootCA1 Root Certificate
|
|
|
|
|
==================================================================
|
|
|
|
|
The following root certificate from SECOM Trust System has been
|
|
|
|
|
removed from the `cacerts` keystore:
|
|
|
|
|
|
|
|
|
|
Alias Name: secomscrootca1 [jdk]
|
|
|
|
|
Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
|
|
|
|
|
|
|
|
|
|
JDK-8314960: Added Certigna Root CA Certificate
|
|
|
|
|
===============================================
|
|
|
|
|
The following root certificate has been added to the cacerts
|
|
|
|
|
truststore:
|
|
|
|
|
|
|
|
|
|
Name: Certigna (Dhimyotis)
|
|
|
|
|
Alias Name: certignarootca
|
|
|
|
|
Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR
|
|
|
|
|
|
|
|
|
|
security-libs/javax.security:
|
|
|
|
|
|
|
|
|
|
JDK-8242330: Arrays should be cloned in several JAAS Callback classes
|
|
|
|
|
=====================================================================
|
|
|
|
|
In the JAAS classes, ChoiceCallback and ConfirmationCallback, arrays
|
|
|
|
|
were not cloned when passed into a constructor or returned. This
|
|
|
|
|
allowed an external program to get access to the internal fields of
|
|
|
|
|
these classes. The classes have been updated to return cloned arrays.
|
|
|
|
|
|
|
|
|
|
New in release OpenJDK 8u382 (2023-07-18):
|
|
|
|
|
===========================================
|
|
|
|
|
Live versions of these release notes can be found at:
|
|
|
|
|
* https://bit.ly/openjdk8u382
|
|
|
|
|
|
|
|
|
|
* CVEs
|
|
|
|
|
- CVE-2023-22045
|
|
|
|
|
- CVE-2023-22049
|
|
|
|
|
* Security fixes
|
|
|
|
|
- JDK-8298676: Enhanced Look and Feel
|
|
|
|
|
- JDK-8300596: Enhance Jar Signature validation
|
|
|
|
|
- JDK-8304468: Better array usages
|
|
|
|
|
- JDK-8305312: Enhanced path handling
|
|
|
|
|
* Other changes
|
|
|
|
|
- JDK-8072678: Wrong exception messages in java.awt.color.ICC_ColorSpace
|
|
|
|
|
- JDK-8151460: Metaspace counters can have inconsistent values
|
|
|
|
|
- JDK-8152432: Implement setting jtreg @requires properties vm.flavor, vm.bits, vm.compMode
|
|
|
|
|
- JDK-8185736: missing default exception handler in calls to rethrow_Stub
|
|
|
|
|
- JDK-8186801: Add regression test to test mapping based charsets (generated at build time)
|
|
|
|
|
- JDK-8215105: java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color
|
|
|
|
|
- JDK-8241311: Move some charset mapping tests from closed to open
|
|
|
|
|
- JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
|
|
|
|
|
- JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
|
|
|
|
|
- JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
|
|
|
|
|
- JDK-8276841: Add support for Visual Studio 2022
|
|
|
|
|
- JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode
|
|
|
|
|
- JDK-8278851: Correct signer logic for jars signed with multiple digest algorithms
|
|
|
|
|
- JDK-8282345: handle latest VS2022 in abstract_vm_version
|
|
|
|
|
- JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
|
|
|
|
|
- JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
|
|
|
|
|
- JDK-8289301: P11Cipher should not throw out of bounds exception during padding
|
|
|
|
|
- JDK-8293232: Fix race condition in pkcs11 SessionManager
|
|
|
|
|
- JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
|
|
|
|
|
- JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13
|
|
|
|
|
- JDK-8298108: Add a regression test for JDK-8297684
|
|
|
|
|
- JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows
|
|
|
|
|
- JDK-8301119: Support for GB18030-2022
|
|
|
|
|
- JDK-8301400: Allow additional characters for GB18030-2022 support
|
|
|
|
|
- JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message
|
|
|
|
|
- JDK-8303028: Update system property for Java SE specification maintenance version
|
|
|
|
|
- JDK-8303462: Bump update version of OpenJDK: 8u382
|
|
|
|
|
- JDK-8304760: Add 2 Microsoft TLS roots
|
|
|
|
|
- JDK-8305165: [8u] ServiceThread::nmethods_do is not called to keep nmethods from being zombied while in the queue
|
|
|
|
|
- JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support
|
|
|
|
|
- JDK-8305975: Add TWCA Global Root CA
|
|
|
|
|
- JDK-8307134: Add GTS root CAs
|
|
|
|
|
- JDK-8307310: Backport the tests for JDK-8058969 and JDK-8039271 to the OpenJDK8
|
|
|
|
|
- JDK-8307531: [aarch64] JDK8 single-step debugging is extremely slow
|
|
|
|
|
- JDK-8310947: gb18030-2000 not selectable with LANG=zh_CN.GB18030 after JDK-8301119
|
|
|
|
|
|
|
|
|
|
Notes on individual issues:
|
|
|
|
|
===========================
|
|
|
|
|
|
|
|
|
|
core-libs/java.lang:
|
|
|
|
|
|
|
|
|
|
JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support
|
|
|
|
|
===========================================================================
|
|
|
|
|
In order to support "Implementation Level 2" of the GB18030-2022
|
|
|
|
|
standard, the JDK must be able to use characters from the CJK Unified
|
|
|
|
|
Ideographs Extension E block of Unicode 8.0. The addition of these
|
|
|
|
|
characters forms Maintenance Release 5 of the Java SE 8 specification,
|
|
|
|
|
which is implemented in this release of OpenJDK via the addition of a
|
|
|
|
|
new UnicodeBlock instance,
|
|
|
|
|
Character.CJK_UNIFIED_IDEOGRAPHS_EXTENSION_E.
|
|
|
|
|
|
|
|
|
|
core-libs/java.util.jar:
|
|
|
|
|
|
|
|
|
|
8300596: Enhance Jar Signature validation
|
|
|
|
|
=========================================
|
|
|
|
|
A System property "jdk.jar.maxSignatureFileSize" is introduced to
|
|
|
|
|
configure the maximum number of bytes allowed for the
|
|
|
|
|
signature-related files in a JAR file during verification. The default
|
|
|
|
|
value is 8000000 bytes (8 MB).
|
|
|
|
|
|
|
|
|
|
security-libs/java.security:
|
|
|
|
|
|
|
|
|
|
JDK-8307134: Added 4 GTS Root CA Certificates
|
|
|
|
|
=============================================
|
|
|
|
|
The following root certificates have been added to the cacerts
|
|
|
|
|
truststore:
|
|
|
|
|
|
|
|
|
|
Name: Google Trust Services LLC
|
|
|
|
|
Alias Name: gtsrootcar1
|
|
|
|
|
Distinguished Name: CN=GTS Root R1, O=Google Trust Services LLC, C=US
|
|
|
|
|
|
|
|
|
|
Name: Google Trust Services LLC
|
|
|
|
|
Alias Name: gtsrootcar2
|
|
|
|
|
Distinguished Name: CN=GTS Root R2, O=Google Trust Services LLC, C=US
|
|
|
|
|
|
|
|
|
|
Name: Google Trust Services LLC
|
|
|
|
|
Alias Name: gtsrootcar3
|
|
|
|
|
Distinguished Name: CN=GTS Root R3, O=Google Trust Services LLC, C=US
|
|
|
|
|
|
|
|
|
|
Name: Google Trust Services LLC
|
|
|
|
|
Alias Name: gtsrootcar4
|
|
|
|
|
Distinguished Name: CN=GTS Root R4, O=Google Trust Services LLC, C=US
|
|
|
|
|
|
|
|
|
|
JDK-8304760: Added Microsoft Corporation's 2 TLS Root CA Certificates
|
|
|
|
|
=====================================================================
|
|
|
|
|
The following root certificates has been added to the cacerts
|
|
|
|
|
truststore:
|
|
|
|
|
|
|
|
|
|
Name: Microsoft Corporation
|
|
|
|
|
Alias Name: microsoftecc2017
|
|
|
|
|
Distinguished Name: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US
|
|
|
|
|
|
|
|
|
|
Name: Microsoft Corporation
|
|
|
|
|
Alias Name: microsoftrsa2017
|
|
|
|
|
Distinguished Name: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US
|
|
|
|
|
|
|
|
|
|
JDK-8305975: Added TWCA Root CA Certificate
|
|
|
|
|
===========================================
|
|
|
|
|
The following root certificate has been added to the cacerts
|
|
|
|
|
truststore:
|
|
|
|
|
|
|
|
|
|
Name: TWCA
|
|
|
|
|
Alias Name: twcaglobalrootca
|
|
|
|
|
Distinguished Name: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
|
|
|
|
|
|
|
|
|
|
New in release OpenJDK 8u372 (2023-04-18):
|
|
|
|
|
===========================================
|
|
|
|
|
Live versions of these release notes can be found at:
|
|
|
|
|
@ -1429,6 +497,19 @@ the current count of established connections and, if the configured
|
|
|
|
|
limit has been reached, then the newly accepted connection will be
|
|
|
|
|
closed immediately.
|
|
|
|
|
|
|
|
|
|
core-libs/java.net:
|
|
|
|
|
|
|
|
|
|
JDK-8286918: Better HttpServer service
|
|
|
|
|
======================================
|
|
|
|
|
The HttpServer can be optionally configured with a maximum connection
|
|
|
|
|
limit by setting the jdk.httpserver.maxConnections system property. A
|
|
|
|
|
value of 0 or a negative integer is ignored and considered to
|
|
|
|
|
represent no connection limit. In the case of a positive integer
|
|
|
|
|
value, any newly accepted connections will be first checked against
|
|
|
|
|
the current count of established connections and, if the configured
|
|
|
|
|
limit has been reached, then the newly accepted connection will be
|
|
|
|
|
closed immediately.
|
|
|
|
|
|
|
|
|
|
security-libs/javax.net.ssl:
|
|
|
|
|
|
|
|
|
|
JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
|
|
|
|
|
@ -1626,7 +707,7 @@ device paths such as `NUL:` are *not* used.
|
|
|
|
|
New in release OpenJDK 8u332 (2022-04-22):
|
|
|
|
|
===========================================
|
|
|
|
|
Live versions of these release notes can be found at:
|
|
|
|
|
* https://bitly.com/openjdk8u332
|
|
|
|
|
* https://bit.ly/openjdk8u332
|
|
|
|
|
* https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u332.txt
|
|
|
|
|
|
|
|
|
|
* Security fixes
|
|
|
|
|
|
