RELEASE NOTES FOR: 11.0.27
====================================================================================================

Notes generated: Fri Apr 25 05:20:16 CEST 2025

Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry.

JAVA ENHANCEMENT PROPOSALS (JEP):

  None.

RELEASE NOTES:

security-libs/javax.net.ssl:

    JDK-8346587: Distrust TLS Server Certificates Anchored by Camerfirma Root Certificates and Issued After April 15, 2025

      The JDK will stop trusting TLS server certificates issued after April 15, 2025 and anchored by
      Camerfirma root certificates, in line with similar plans announced by Google, Mozilla, Apple,
      and Microsoft.
      
      TLS server certificates issued on or before April 15, 2025 will continue to be trusted until
      they expire. Certificates issued after that date, and anchored by any of the Certificate
      Authorities in the table below, will be rejected.
      
      The restrictions are enforced in the JDK implementation (the `SunJSSE` Provider) of the Java
      Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's
      certificate chain is anchored by any of the Certificate Authorities in the table below and the
      certificate has been issued after April 15, 2025.
      
      An application will receive an exception with a message indicating the trust anchor is not
      trusted, for example:
      
      ``` "TLS Server certificate issued after 2025-04-15 and anchored by a distrusted legacy
      Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A.,
      SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"
      ```
      
      The JDK can be configured to trust these certificates again by removing "CAMERFIRMA_TLS" from
      the `jdk.security.caDistrustPolicies` security property in the `java.security` configuration
      file.
      
      The restrictions are imposed on the following Camerfirma Root certificates included in the
      JDK:
      
      <table border="1" cellpadding="1" cellspacing="1" style="width:500px;" summary="Root
      Certificates distrusted after 2025-04-15"> <caption>Root Certificates distrusted after
      2025-04-15</caption> <thead> <tr> <th scope="col">Distinguished Name</th> <th
      scope="col">SHA-256 Fingerprint</th> </tr> </thead> <tbody> <tr> <td>CN=Chambers of Commerce
      Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU</td> <td>
      <p>0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3</p>
      </td> </tr> <tr> <td>CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A.,
      SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address),
      C=EU</td> <td>
      <p>06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0</p>
      </td> </tr> <tr> <td>CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A.,
      SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address),
      C=EU</td> <td>
      <p>13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA</p>
      </td> </tr> </tbody> </table>
      
      You can also use the `keytool` utility from the JDK to print out details of the certificate
      chain, as follows:
      
      keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
      
      If any of the certificates in the chain are issued by one of the root CAs in the table above
      are listed in the output you will need to update the certificate or contact the organization
      that manages the server.

tools/javac:

    JDK-8273914: Indy String Concat Changes Order of Operations

      String concatenation has been changed to evaluate each argument and eagerly convert it to a
      string, in left-to-right order. This fixes a bug in the invokedynamic-based string
      concatentation strategies introduced in [JEP 280](http://openjdk.java.net/jeps/280).
      
      For example, the following now prints `"foofoobar"`, not `"foobarfoobar"`:
      
      ```     StringBuilder builder = new StringBuilder("foo");     System.err.println("" + builder
      + builder.append("bar")); ```

security-libs/java.security:

    JDK-8309841: Jarsigner Should Print a Warning If an Entry Is Removed

      If an entry is removed from a signed JAR file, there is no mechanism to detect that it has
      been removed using the `JarFile` API, since the `getJarEntry` method returns `null` as if the
      entry had never existed. With this change, the `jarsigner -verify` command analyzes the
      signature files and if some sections do not have matching file entries, it prints out the
      following warning: "This JAR contains signed entries for files that do not exist". Users can
      further find out the names of these entries by adding the `-verbose` option to the command.


ALL FIXED ISSUES, BY COMPONENT AND PRIORITY:

client-libs:
  (P4) JDK-8328242: Add a log area to the PassFailJFrame

client-libs/java.awt:
  (P4) JDK-8195675: Call to insertText with single character from custom Input Method ignored
  (P4) JDK-8202926: Test java/awt/Focus/WindowUpdateFocusabilityTest/WindowUpdateFocusabilityTest.html fails

client-libs/javax.swing:
  (P2) JDK-8347427: JTabbedPane/8134116/Bug8134116.java has no license header

core-libs:
  (P4) JDK-8336012: Fix usages of jtreg-reserved properties

core-libs/java.nio:
  (P4) JDK-8327650: Test java/nio/channels/DatagramChannel/StressNativeSignal.java timed out

core-libs/java.time:
  (P3) JDK-8347965: (tz) Update Timezone Data to 2025a
  (P4) JDK-8352097: (tz) zone.tab update missed in 2025a backport

core-libs/java.util:i18n:
  (P4) JDK-8344589: Update IANA Language Subtag Registry to Version 2024-11-19

docs:
  (P4) JDK-8306408: Fix the format of several tables in building.md

hotspot/compiler:
  (P3) JDK-8331863: DUIterator_Fast used before it is constructed

hotspot/jfr:
  (P4) JDK-8320916: jdk/jfr/event/gc/stacktrace/TestParallelMarkSweepAllocationPendingStackTrace.java failed with "OutOfMemoryError: GC overhead limit exceeded"

hotspot/runtime:
  (P3) JDK-8343599: Kmem limit and max values swapped when printing container information
  (P3) JDK-8340387: Update OS detection code to recognize Windows Server 2025
  (P4) JDK-8268364: jmethod clearing should be done during unloading
  (P4) JDK-8312049: runtime/logging/ClassLoadUnloadTest can be improved

hotspot/svc-agent:
  (P4) JDK-8294316: SA core file support is broken on macosx-x64 starting with macOS 12.x

infrastructure/build:
  (P4) JDK-8343786: [11u] GHA: Bump macOS and Xcode versions to macos-13 and XCode 14.3.1
  (P4) JDK-8349603: [21u, 17u, 11u] Update GHA JDKs after Jan/25 updates
  (P4) JDK-8341424: GHA: Collect hs_errs from build time failures
  (P4) JDK-8342704: GHA: Report truncation is broken after JDK-8341424

infrastructure/other:
  (P4) JDK-8343474: [updates] Customize README.md to specifics of update project

infrastructure/release_eng:
  (P4) JDK-8354087: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.27
  (P4) JDK-8345509: Bump update version of OpenJDK: 11.0.27

security-libs/java.security:
  (P3) JDK-8309841: Jarsigner should print a warning if an entry is removed

security-libs/javax.net.ssl:
  (P3) JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
  (P4) JDK-8339560: Unaddressed comments during code review of JDK-8337664

tools/jar:
  (P4) JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract
  (P4) JDK-8216539: tools/jar/modularJar/Basic.java timed out

tools/javac:
  (P4) JDK-8273914: Indy string concat changes order of operations