RELEASE NOTES: JDK 13.0.13

Notes generated: Tue Dec 03 01:30:48 CET 2024

JEPs

None.

RELEASE NOTES

core-libs/java.net

Issue Description
JDK-8279842

HTTPS Channel Binding Support for Java GSS/Kerberos


Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection.

Channel binding tokens are increasingly required as an enhanced form of security. They work by communicating from a client to a server the client's understanding of the binding between connection security, as represented by a TLS server cert, and higher level authentication credentials, such as a username and password. The server can then detect if the client has been fooled by a MITM and shutdown the session or connection.

The feature is controlled through a new system property jdk.https.negotiate.cbt which is described fully in Networking Properties.


security-libs/java.security

Issue Description
JDK-8269039

Disabled SHA-1 Signed JARs


JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.

To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.

This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run jarsigner -verify -verbose -certs on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.

For example:

``` - Signed by "CN="Signer"" Digest algorithm: SHA-1 (disabled) Signature algorithm: SHA1withRSA (disabled), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01

```

JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.

Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or override it by using the java.security.properties system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.


core-libs/java.time

Issue Description
JDK-8292579

Update Timezone Data to 2022c


This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone database. All time zone IDs remain the same but the merged time zones will point to a shared zone database.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are `Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap`.

For more details, refer to the announcement of 2022b


FIXED ISSUES

client-libs/2d

Priority Bug Summary
P3 JDK-8256372 [macos] Unexpected symbol was displayed on JTextField with Monospaced font
P3 JDK-8290334 Update FreeType to 2.12.1
P3 JDK-8289853 Update HarfBuzz to 4.4.1

client-libs/java.awt

Priority Bug Summary
P3 JDK-8272806 [macOS] "Apple AWT Internal Exception" when input method is changed

client-libs/javax.imageio

Priority Bug Summary
P4 JDK-7131823 bug in GIFImageReader

core-libs/java.net

Priority Bug Summary
P3 JDK-8279842 HTTPS Channel Binding support for Java GSS/Kerberos

core-libs/java.nio

Priority Bug Summary
P3 JDK-8286594 (zipfs) Mention paths with dot elements in ZipException and cleanups

core-libs/java.text

Priority Bug Summary
P4 JDK-8264792 The NumberFormat for locale sq_XK formats price incorrectly.

core-libs/java.time

Priority Bug Summary
P3 JDK-8292579 (tz) Update Timezone Data to 2022c

core-libs/java.util:i18n

Priority Bug Summary
P3 JDK-8283277 ISO 4217 Amendment 171 Update
P3 JDK-8289549 ISO 4217 Amendment 172 Update
P4 JDK-8028265 Add legacy tz tests to OpenJDK

core-libs/javax.naming

Priority Bug Summary
P3 JDK-8277795 LDAP connection timeout not honoured under contention
P4 JDK-8287672 jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run

core-svc/java.lang.management

Priority Bug Summary
P4 JDK-8268361 Fix the infinite loop in next_line

hotspot/compiler

Priority Bug Summary
P2 JDK-8269285 Crash/miscompile in CallGenerator::for_method_handle_inline after JDK-8191998
P3 JDK-8283441 C2: segmentation fault in ciMethodBlocks::make_block_at(int)
P3 JDK-8262134 compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
P3 JDK-8278758 runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
P4 JDK-8252051 Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly
P5 JDK-8272720 Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit

hotspot/jfr

Priority Bug Summary
P3 JDK-8257569 Failure observed with JfrVirtualMemory::initialize
P3 JDK-8287463 JFR: Disable TestDevNull.java on Windows
P3 JDK-8282947 JFR: Dump on shutdown live-locks in some conditions
P3 JDK-8284549 JFR: FieldTable leaks FieldInfoTable member
P3 JDK-8261354 SIGSEGV at MethodIteratorHost
P4 JDK-8249875 GCC 10 warnings -Wtype-limits with JFR code
P4 JDK-8280684 JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.

hotspot/runtime

Priority Bug Summary
P2 JDK-8272472 StackGuardPages test doesn't build with glibc 2.34
P4 JDK-8266170 -Wnonnull happens in classLoaderData.inline.hpp
P4 JDK-8266172 -Wstringop-overflow happens in vmError.cpp
P4 JDK-8286277 CDS VerifyError when calling clone() on object array
P4 JDK-8247818 GCC 10 warning stringop-overflow with symbol code

infrastructure

Priority Bug Summary
P4 JDK-8288649 Bump update version for OpenJDK: jdk-13.0.13

security-libs/java.security

Priority Bug Summary
P3 JDK-8277488 Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
P3 JDK-8269039 Disable SHA-1 Signed JARs
P3 JDK-8242565 Policy initialization issues when the denyAfter constraint is enabled

security-libs/javax.crypto

Priority Bug Summary
P3 JDK-8281628 KeyAgreement : generateSecret intermittently not resetting

security-libs/org.ietf.jgss

Priority Bug Summary
P3 JDK-8279520 SPNEGO has not passed channel binding info into the underlying mechanism

tools

Priority Bug Summary
P4 JDK-8277422 tools/jar/JarEntryTime.java fails with modified time mismatch

tools/javac

Priority Bug Summary
P3 JDK-8266082 AssertionError in Annotate.fromAnnotations with -Xdoclint
P3 JDK-8286855 javac error on invalid jar should only print filename
P3 JDK-8286444 javac errors after JDK-8251329 are not helpful enough to find root cause

xml/jaxp

Priority Bug Summary
P3 JDK-8289486 Improve XSLT XPath operators count efficiency
P4 JDK-8285081 Improve XPath operators count accuracy
P4 JDK-8282071 Update java.xml module-info
P4 JDK-8282280 Update Xerces2 Java to Version 2.12.2