RELEASE NOTES FOR: 13.0.13
====================================================================================================

Notes generated: Tue Sep 03 12:45:55 CEST 2024

Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry.

JAVA ENHANCEMENT PROPOSALS (JEP):

None.

RELEASE NOTES:

core-libs/java.net:

JDK-8279842: HTTPS Channel Binding Support for Java GSS/Kerberos
Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection. Channel binding tokens are increasingly required as an enhanced form of security. They work by communicating from a client to a server the client's understanding of the binding between connection security, as represented by a TLS server cert, and higher level authentication credentials, such as a username and password. The server can then detect if the client has been fooled by a MITM and shut down the session or connection. The feature is controlled through a new system property `jdk.https.negotiate.cbt` which is described fully in [Networking Properties](https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt).

security-libs/java.security:

JDK-8269039: Disabled SHA-1 Signed JARs
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.
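To make the channel binding mechanism of the JDK-8279842 note above concrete, here is an added example (not code from the release notes or the JDK) that models a tls-server-end-point style binding: the client hashes the server certificate it actually saw and carries that value inside its authentication exchange; the server recomputes the value from its own certificate and rejects the authentication when the two differ. The certificate byte strings, the `sig_hash` parameter and the function names are constructed for the example; the hash-selection rule (upgrade MD5 and SHA-1 to SHA-256) is the one RFC 5929 specifies, and the assumption that the JDK uses this binding type is the author's, not stated on the page.

```python
import hashlib
import hmac

# Added example: a model of a tls-server-end-point channel binding.
# Not part of the release notes or of the JDK implementation.


def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    """Hash the server's DER certificate with the hash function of its
    signature algorithm. RFC 5929 rule: MD5 and SHA-1 are replaced by SHA-256."""
    name = sig_hash.lower().replace("-", "")
    if name in ("md5", "sha1"):
        name = "sha256"
    return hashlib.new(name, cert_der).digest()


def client_binding(observed_cert_der: bytes, sig_hash: str) -> bytes:
    """Client side: bind the authentication to the certificate the TLS
    handshake actually presented. In the real protocol this value travels
    inside the GSS/Kerberos token, which is protected by the session key,
    so a man-in-the-middle cannot rewrite it to match its own certificate."""
    return tls_server_end_point(observed_cert_der, sig_hash)


def server_verify(own_cert_der: bytes, sig_hash: str, client_cbt: bytes) -> bool:
    """Server side: recompute the binding from the certificate it really
    serves and compare in constant time. A mismatch means the client's TLS
    connection terminated somewhere other than this server."""
    expected = tls_server_end_point(own_cert_der, sig_hash)
    return hmac.compare_digest(expected, client_cbt)


# Constructed stand-ins for DER-encoded certificates (not real certificates).
REAL_CERT = b"constructed-der:CN=intranet.example,serial=1"
MITM_CERT = b"constructed-der:CN=intranet.example,serial=9"


def simulate(mitm: bool) -> bool:
    """Run one exchange. Returns True when the server accepts the binding.
    With mitm=True the client saw the interceptor's certificate, so the
    binding it computes does not match the genuine server's certificate."""
    seen = MITM_CERT if mitm else REAL_CERT
    cbt = client_binding(seen, "SHA256")
    return server_verify(REAL_CERT, "SHA256", cbt)


if __name__ == "__main__":
    print("direct connection accepted:", simulate(mitm=False))
    print("intercepted connection accepted:", simulate(mitm=True))
```

The detection depends entirely on the server having a trustworthy view of its own certificate and on the binding value being integrity-protected by the authentication mechanism; the JDK property only controls whether the client includes the value at all, so the server side must also be configured to require it.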
To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:

- Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.

This exception may be removed in a future JDK release.

To determine if your signed JARs are affected by this change, run `jarsigner -verify -verbose -certs` on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output. For example:

```
- Signed by "CN="Signer""
    Digest algorithm: SHA-1 (disabled)
    Signature algorithm: SHA1withRSA (disabled), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
```

JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms. Users can, *at their own risk*, remove these restrictions by modifying the `java.security` configuration file (or override it by using the `java.security.properties` system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the `jdk.certpath.disabledAlgorithms` security property and "SHA1 denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security property.

core-libs/java.time:

JDK-8292579: Update Timezone Data to 2022c
This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone database. All time zone IDs remain the same but the merged time zones will point to a shared zone database. As a result, pre-1970 data may not be compatible with earlier JDK versions.
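As an added example for the JDK-8269039 note above (not code from the release notes or the JDK), the following script does two things a practitioner auditing a JAR inventory would want: it parses the `jdk.jar.disabledAlgorithms` value shown in the note into constraints and applies them to a signature algorithm, including the timestamp-before-2019-01-01 exception, and it scans `jarsigner -verify -verbose -certs` output for the indicators the note tells you to look for. The sample jarsigner output is the note's own text, embedded as a constant; the function names, the constraint model and the `timestamp_iso` parameter are the example's own assumptions. It models only the JAR-level property, not the certificate-chain, CRL and OCSP checks governed by `jdk.certpath.disabledAlgorithms`.

```python
import re
from datetime import date

# Added example: evaluates jdk.jar.disabledAlgorithms constraints and scans
# jarsigner output. Not part of the JDK; a simplified model of its matching.

# The property value as printed in the note's jarsigner warning.
JDK_JAR_DISABLED_ALGORITHMS = (
    "MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01"
)

# Constructed copy of the note's sample jarsigner -verify -verbose -certs output.
SAMPLE_JARSIGNER_OUTPUT = """\
- Signed by "CN="Signer""
    Digest algorithm: SHA-1 (disabled)
    Signature algorithm: SHA1withRSA (disabled), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
"""


def normalize(alg: str) -> str:
    """'SHA-1' and 'SHA1' name the same algorithm; compare them uniformly."""
    return alg.upper().replace("-", "")


def components(alg: str) -> list:
    """Split a composite name: 'SHA1withRSA' -> ['SHA1', 'RSA'], 'SHA-1' -> ['SHA1']."""
    return [normalize(part) for part in re.split(r"(?i)with", alg)]


def parse_constraints(value: str) -> list:
    """Parse entries of the forms 'ALG', 'ALG denyAfter YYYY-MM-DD' and
    'ALG keySize < N' into dicts (other constraint syntaxes are not modelled)."""
    constraints = []
    for entry in value.split(","):
        tokens = entry.split()
        if not tokens:
            continue
        c = {"alg": normalize(tokens[0]), "deny_after": None, "key_lt": None}
        if len(tokens) >= 3 and tokens[1] == "denyAfter":
            c["deny_after"] = date.fromisoformat(tokens[2])
        elif len(tokens) >= 4 and tokens[1] == "keySize" and tokens[2] == "<":
            c["key_lt"] = int(tokens[3])
        constraints.append(c)
    return constraints


def is_restricted(alg: str, constraints: list, key_size=None, timestamp_iso=None) -> bool:
    """True when a signature using `alg` is treated as disabled.
    timestamp_iso is the date of a trusted timestamp on the signature, or None."""
    parts = components(alg)
    for c in constraints:
        if c["alg"] not in parts:
            continue
        if c["key_lt"] is not None:
            # Size-conditional entry such as 'RSA keySize < 1024'.
            if key_size is not None and key_size < c["key_lt"]:
                return True
            continue
        if c["deny_after"] is not None:
            # The note's one exception: timestamped before the deny date is still accepted.
            if timestamp_iso is not None and date.fromisoformat(timestamp_iso) < c["deny_after"]:
                continue
            return True
        return True  # Unconditional entry such as MD5.
    return False


DISABLED_SHA1_LINE = re.compile(r"SHA-?1.*\(disabled\)")


def scan_jarsigner_output(text: str):
    """Return (lines naming a disabled SHA-1 algorithm, whether the
    'treated as unsigned' warning is present)."""
    lines = text.splitlines()
    hits = [line.strip() for line in lines if DISABLED_SHA1_LINE.search(line)]
    unsigned = any("treated as unsigned" in line for line in lines)
    return hits, unsigned


if __name__ == "__main__":
    rules = parse_constraints(JDK_JAR_DISABLED_ALGORITHMS)
    print("SHA1withRSA, no timestamp:", is_restricted("SHA1withRSA", rules, key_size=2048))
    print("SHA1withRSA, timestamped 2018-06-01:",
          is_restricted("SHA1withRSA", rules, key_size=2048, timestamp_iso="2018-06-01"))
    print("SHA256withRSA, 2048-bit:", is_restricted("SHA256withRSA", rules, key_size=2048))
    hits, unsigned = scan_jarsigner_output(SAMPLE_JARSIGNER_OUTPUT)
    print("disabled SHA-1 lines:", hits, "treated as unsigned:", unsigned)
```

Running `jarsigner -verify -verbose -certs` over each JAR and feeding its output to `scan_jarsigner_output` gives an inventory of what will silently become unsigned after the update; the constraint evaluator is useful for deciding, before re-signing, which combinations of algorithm and timestamp the policy still accepts.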
The affected zones are ```Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap```. For more details, refer to the announcement of [2022b](https://mm.icann.org/pipermail/tz-announce/2022-August/000071.html).

ALL FIXED ISSUES, BY COMPONENT AND PRIORITY:

client-libs/2d:

(P3) JDK-8256372: [macos] Unexpected symbol was displayed on JTextField with Monospaced font
(P3) JDK-8290334: Update FreeType to 2.12.1
(P3) JDK-8289853: Update HarfBuzz to 4.4.1

client-libs/java.awt:

(P3) JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed

client-libs/javax.imageio:

(P4) JDK-7131823: bug in GIFImageReader

core-libs/java.net:

(P3) JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos

core-libs/java.nio:

(P3) JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups

core-libs/java.text:

(P4) JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly.

core-libs/java.time:

(P3) JDK-8292579: (tz) Update Timezone Data to 2022c

core-libs/java.util:i18n:

(P3) JDK-8283277: ISO 4217 Amendment 171 Update
(P3) JDK-8289549: ISO 4217 Amendment 172 Update
(P4) JDK-8028265: Add legacy tz tests to OpenJDK

core-libs/javax.naming:

(P3) JDK-8277795: LDAP connection timeout not honoured under contention
(P4) JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run

core-svc/java.lang.management:

(P4) JDK-8268361: Fix the infinite loop in next_line

hotspot/compiler:

(P2) JDK-8269285: Crash/miscompile in CallGenerator::for_method_handle_inline after JDK-8191998
(P3) JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
(P3) JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
(P3) JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
(P4) JDK-8252051: Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly
(P5) JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit

hotspot/jfr:

(P3) JDK-8257569: Failure observed with JfrVirtualMemory::initialize
(P3) JDK-8287463: JFR: Disable TestDevNull.java on Windows
(P3) JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
(P3) JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
(P3) JDK-8261354: SIGSEGV at MethodIteratorHost
(P4) JDK-8249875: GCC 10 warnings -Wtype-limits with JFR code
(P4) JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.

hotspot/runtime:

(P2) JDK-8272472: StackGuardPages test doesn't build with glibc 2.34
(P4) JDK-8266170: -Wnonnull happens in classLoaderData.inline.hpp
(P4) JDK-8266172: -Wstringop-overflow happens in vmError.cpp
(P4) JDK-8286277: CDS VerifyError when calling clone() on object array
(P4) JDK-8247818: GCC 10 warning stringop-overflow with symbol code

infrastructure:

(P4) JDK-8288649: Bump update version for OpenJDK: jdk-13.0.13

security-libs/java.security:

(P3) JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
(P3) JDK-8269039: Disable SHA-1 Signed JARs
(P3) JDK-8242565: Policy initialization issues when the denyAfter constraint is enabled

security-libs/javax.crypto:

(P3) JDK-8281628: KeyAgreement : generateSecret intermittently not resetting

security-libs/org.ietf.jgss:

(P3) JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism

tools:

(P4) JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch

tools/javac:

(P3) JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint
(P3) JDK-8286855: javac error on invalid jar should only print filename
(P3) JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause

xml/jaxp:

(P3) JDK-8289486: Improve XSLT XPath operators count efficiency
(P4) JDK-8285081: Improve XPath operators count accuracy
(P4) JDK-8282071: Update java.xml module-info
(P4) JDK-8282280: Update Xerces2 Java to Version 2.12.2