RELEASE NOTES: JDK 13.0.9

Notes generated: Tue Dec 03 01:03:32 CET 2024

JEPs

None.

RELEASE NOTES

security-libs/javax.net.ssl

Issue Description
JDK-8254631

Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values


Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 Character Set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.

ALPN values are now represented using the network byte representation expected by the peer, which should require no modification for standard 7-bit ASCII-based character Strings. However, SunJSSE now encodes/decodes String characters as 8-bit ISO88591/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset to "UTF-8" revert the behavior.


Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values


Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.

SunJSSE now encodes/decodes String characters as 8-bit ISO88591/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset to "UTF-8" revert the behavior.

See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.


JDK-8206925

Support for certificate_authorities Extension


The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection.

With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.

Applications can enable this extension for server certificate selection by setting the jdk.tls.client.enableCAExtension system property to true. The default value of the property is false.

Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when jdk.tls.client.enableCAExtension is set to true and the client trusts more CAs than the server implementation limit.


security-libs/java.security

Issue Description
JDK-8172404

Tools Warn If Weak Algorithms Are Used


The keytool and jarsigner tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the jdk.security.legacyAlgorithms security property in the java.security configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.


FIXED ISSUES

client-libs

Priority Bug Summary
P4 JDK-8273671 Backport of 8260616 misses one JNF header inclusion removal

client-libs/2d

Priority Bug Summary
P3 JDK-8262392 Update Mesa 3-D Headers to version 21.0.3

client-libs/java.awt

Priority Bug Summary
P2 JDK-8272602 [macOS] not all KEY_PRESSED events sent when control modifier is used
P3 JDK-8270216 [macOS] Update named used for Java run loop mode

client-libs/javax.accessibility

Priority Bug Summary
P3 JDK-8268775 Password is being converted to String in AccessibleJPasswordField

client-libs/javax.sound

Priority Bug Summary
P4 JDK-8266248 Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5

client-libs/javax.swing

Priority Bug Summary
P3 JDK-8258373 Update the text handling in the JPasswordField

core-libs

Priority Bug Summary
P4 JDK-8257620 Do not use objc_msgSend_stret to get macOS version

core-libs/java.net

Priority Bug Summary
P4 JDK-8254967 com.sun.net.HttpsServer spins on TLS session close

hotspot/compiler

Priority Bug Summary
P2 JDK-8263361 Incorrect arraycopy stub selected by C2 for SATB collectors
P2 JDK-8226871 invalid use of incomplete type class MacroAssembler when building minimal after JDK-8191278
P2 JDK-8191278 MappedByteBuffer bulk access memory failures are not handled gracefully
P2 JDK-8226878 zero crashes after JDK-8191278
P4 JDK-8267625 AARCH64: typo in LIR_Assembler::emit_profile_type
P4 JDK-8229254 solaris_x64 build fails after JDK-8191278

hotspot/gc

Priority Bug Summary
P2 JDK-8259271 gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region"
P2 JDK-8257999 Parallel GC crash in gc/parallel/TestDynShrinkHeap.java: new region is not in covered_region
P2 JDK-8260704 ParallelGC: oldgen expansion needs release-store for _end

hotspot/jvmti

Priority Bug Summary
P4 JDK-8253899 Make IsClassUnloadingEnabled signature match specification

hotspot/runtime

Priority Bug Summary
P3 JDK-8268635 Corrupt oop in ClassLoaderData
P3 JDK-8269934 RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status

hotspot/svc-agent

Priority Bug Summary
P4 JDK-8261236 C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled

infrastructure

Priority Bug Summary
P4 JDK-8269390 Bump update version for OpenJDK: jdk-13.0.9

infrastructure/build

Priority Bug Summary
P4 JDK-8261109 [macOS] Remove disabled warning for JNF in make/autoconf/flags-cflags.m4

security-libs/java.security

Priority Bug Summary
P3 JDK-8172404 Tools should warn if weak algorithms are used before restricting them

security-libs/javax.net.ssl

Priority Bug Summary
P3 JDK-8254631 Better support ALPN byte wire values in SunJSSE
P3 JDK-8206925 Support the certificate_authorities extension
P3 JDK-8268965 TCP Connection Reset when connecting simple socket to SSL server
P4 JDK-8270317 Large Allocation in CipherSuite
P4 JDK-8215712 Parsing extension failure may alert decode_error

security-libs/jdk.security

Priority Bug Summary
P4 JDK-8241888 Mirror jdk.security.allowNonCaAnchor system property with a security one