RELEASE NOTES: JDK 11.0.28

Notes generated: Mon Jun 23 05:29:17 CEST 2025

JEPs

None.

RELEASE NOTES

security-libs/javax.crypto:pkcs11

Issue	Description
JDK-8293345	Legacy Mechanism Check in SunPKCS11 Provider Is Enhanced with Service Type Native PKCS11 mechanisms which support decryption but not encryption, or signature verification but not signing, are considered legacy and are disabled by default. The legacy mechanism check in SunPKCS11 provider is enhanced with the service type. For example, prior to this fix, a mechanism supporting encryption, decryption, and verification but not signing, is considered legacy and can't be used at all. After this fix, the corresponding Cipher service using this mechanism is available since both encryption and decryption are supported. However, the corresponding Signature service is not since only verification is supported. To bypass the legacy mechanism check, set the PKCS11 provider configuration attribute "allowLegacy" to true. The default value is false. Note that it is the caller's responsibility to make sure the legacy mechanism is not used for the unsupported functionality.

Issue

Description

JDK-8293345

Legacy Mechanism Check in SunPKCS11 Provider Is Enhanced with Service Type

Native PKCS11 mechanisms which support decryption but not encryption, or signature verification but not signing, are considered legacy and are disabled by default. The legacy mechanism check in SunPKCS11 provider is enhanced with the service type. For example, prior to this fix, a mechanism supporting encryption, decryption, and verification but not signing, is considered legacy and can't be used at all. After this fix, the corresponding Cipher service using this mechanism is available since both encryption and decryption are supported. However, the corresponding Signature service is not since only verification is supported. To bypass the legacy mechanism check, set the PKCS11 provider configuration attribute "allowLegacy" to true. The default value is false. Note that it is the caller's responsibility to make sure the legacy mechanism is not used for the unsupported functionality.

security-libs/java.security

Issue Description

Issue	Description
JDK-8359170	Added 4 New Root Certificates from Sectigo Limited The following root certificates have been added to the cacerts truststore: ``` + Sectigo Limited + sectigocodesignroote46 DN: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB Sectigo Limited sectigocodesignrootr46 DN: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB Sectigo Limited sectigotlsroote46 DN: CN=Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB Sectigo Limited sectigotlsrootr46 DN: CN=Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB ```
JDK-8350498	Removed Two Camerfirma Root Certificates The following root certificates, which are terminated and no longer in use, have been removed from the `cacerts` keystore: ``` + alias name "camerfirmachamberscommerceca [jdk]" Distinguished Name: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU alias name "camerfirmachambersignca [jdk]" Distinguished Name: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU ```
JDK-8303770	Removed Baltimore CyberTrust Root Certificate After Expiry Date The following expired root certificate has been removed from the `cacerts` keystore: ` + alias name "baltimorecybertrustca [jdk]" Distinguished Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE`

JDK-8359170

Added 4 New Root Certificates from Sectigo Limited

The following root certificates have been added to the cacerts truststore: ``` + Sectigo Limited + sectigocodesignroote46 DN: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB

Sectigo Limited
sectigocodesignrootr46 DN: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB
Sectigo Limited
sectigotlsroote46 DN: CN=Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB
Sectigo Limited
sectigotlsrootr46 DN: CN=Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB ```

JDK-8350498

Removed Two Camerfirma Root Certificates

The following root certificates, which are terminated and no longer in use, have been removed from the cacerts keystore: ``` + alias name "camerfirmachamberscommerceca [jdk]" Distinguished Name: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU

alias name "camerfirmachambersignca [jdk]" Distinguished Name: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU

```

JDK-8303770

Removed Baltimore CyberTrust Root Certificate After Expiry Date

The following expired root certificate has been removed from the cacerts keystore: ` + alias name "baltimorecybertrustca [jdk]" Distinguished Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE`

FIXED ISSUES

client-libs/2d

Priority	Bug	Summary
P3	JDK-8348596	Update FreeType to 2.13.3
P3	JDK-8348110	Update LCMS to 2.17
P4	JDK-8356571	Re-enable -Wtype-limits for GCC in LCMS

client-libs/java.awt

Priority	Bug	Summary
P3	JDK-8348598	Update Libpng to 1.6.47
P4	JDK-8346887	DrawFocusRect() may cause an assertion failure

client-libs/javax.accessibility

Priority	Bug	Summary
P3	JDK-8339728	[Accessibility,Windows,JAWS] Bug in the getKeyChar method of the AccessBridge class

core-libs/java.net

Priority	Bug	Summary
P4	JDK-8232625	HttpClient redirect policy should be more conservative

core-libs/java.time

Priority	Bug	Summary
P3	JDK-8352716	(tz) Update Timezone Data to 2025b

core-libs/java.util:i18n

Priority	Bug	Summary
P3	JDK-8356096	ISO 4217 Amendment 179 Update

hotspot/gc

Priority	Bug	Summary
P4	JDK-8339300	CollectorPolicy.young_scaled_initial_ergo_vm gtest fails on ppc64 based platforms
P4	JDK-8211400	nsk.share.gc.Memory::getArrayLength returns wrong value

hotspot/runtime

Priority	Bug	Summary
P2	JDK-8231058	VerifyOops crashes with assert(_offset >= 0) failed: offset for non comment?

hotspot/svc

Priority	Bug	Summary
P4	JDK-8315380	AsyncGetCallTrace crash in frame::safe_for_sender

infrastructure/build

Priority	Bug	Summary
P4	JDK-8350469	[11u] Test AbsPathsInImage.java fails - JDK-8239429 public clone
P4	JDK-8301753	AppendFile/WriteFile has differences between make 3.81 and 4+

infrastructure/release_eng

Priority	Bug	Summary
P4	JDK-8351099	Bump update version of OpenJDK: 11.0.28

security-libs

Priority	Bug	Summary
P4	JDK-8328957	Update PKCS11Test.java to not use hardcoded path

security-libs/java.security

Priority	Bug	Summary
P2	JDK-8359170	Add 2 TLS and 2 CS Sectigo roots
P3	JDK-8296631	NSS tests failing on OL9 linux-aarch64 hosts
P3	JDK-8303770	Remove Baltimore root certificate expiring in May 2025
P4	JDK-8026976	ECParameters, Point does not match field size
P4	JDK-8350498	Remove two Camerfirma root CA certificates
P4	JDK-8352302	Test sun/security/tools/jarsigner/TimestampCheck.java is failing
P4	JDK-8345133	Test sun/security/tools/jarsigner/TsacertOptionTest.java failed: Warning found in stdout

security-libs/javax.crypto:pkcs11

Priority	Bug	Summary
P3	JDK-8293345	SunPKCS11 provider checks on PKCS11 Mechanism are problematic
P4	JDK-8331959	Update PKCS#11 Cryptographic Token Interface to v3.1

tools/jshell

Priority	Bug	Summary
P4	JDK-8347629	Test FailOverDirectExecutionControlTest.java fails with -Xcomp
P4	JDK-8327476	Upgrade JLine to 3.26.1