Notes generated: Thu Jun 06 18:05:33 CEST 2024





Issue Description

HTTPS Channel Binding Support for Java GSS/Kerberos

Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through

Channel binding tokens are increasingly required as an enhanced form of security. They work by communicating from a client to a server the client's understanding of the binding between connection security, as represented by a TLS server cert, and higher level authentication credentials, such as a username and password. The server can then detect if the client has been fooled by a MITM and shutdown the session or connection.

The feature is controlled through a new system property jdk.https.negotiate.cbt which is described fully in Networking Properties.


Issue Description

Disabled SHA-1 Signed JARs

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.

To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.

This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run jarsigner -verify -verbose -certs on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.

For example:

``` - Signed by "CN="Signer"" Digest algorithm: SHA-1 (disabled) Signature algorithm: SHA1withRSA (disabled), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01


JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.

Users can, at their own risk, remove these restrictions by modifying the configuration file (or override it by using the system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.


Issue Description

Update Timezone Data to 2022c

This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone database. All time zone IDs remain the same but the merged time zones will point to a shared zone database.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are `Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap`.

For more details, refer to the announcement of 2022b


Issue Description

LDAP Channel Binding Support for Java GSS/Kerberos

A new JNDI environment property “com.sun.jndi.ldap.tls.cbtype” has been added to enable TLS Channel Binding data in LDAP authentication over SSL/TLS protocol to the Windows AD server. Possible value is “tls-server-end-point” - Channel Binding data is created on the base of the TLS server certificate. See the module description of the java.naming module.



Priority Bug Summary
P3 JDK-8256372 [macos] Unexpected symbol was displayed on JTextField with Monospaced font
P3 JDK-8290334 Update FreeType to 2.12.1
P3 JDK-8289853 Update HarfBuzz to 4.4.1


Priority Bug Summary
P3 JDK-8272806 [macOS] "Apple AWT Internal Exception" when input method is changed


Priority Bug Summary
P4 JDK-7131823 bug in GIFImageReader


Priority Bug Summary
P3 JDK-8279842 HTTPS Channel Binding support for Java GSS/Kerberos


Priority Bug Summary
P3 JDK-8286594 (zipfs) Mention paths with dot elements in ZipException and cleanups
P3 JDK-8287162 (zipfs) Performance regression related to support for POSIX file permissions


Priority Bug Summary
P4 JDK-8264792 The NumberFormat for locale sq_XK formats price incorrectly.


Priority Bug Summary
P3 JDK-8292579 (tz) Update Timezone Data to 2022c


Priority Bug Summary
P5 JDK-8207936 TestZipFile failed with java.lang.AssertionError exception


Priority Bug Summary
P3 JDK-8283277 ISO 4217 Amendment 171 Update
P3 JDK-8289549 ISO 4217 Amendment 172 Update
P4 JDK-8028265 Add legacy tz tests to OpenJDK


Priority Bug Summary
P3 JDK-8245527 LDAP Channel Binding support for Java GSS/Kerberos
P3 JDK-8277795 LDAP connection timeout not honoured under contention
P4 JDK-8287672 jtreg test com/sun/jndi/ldap/ fails intermittently in nightly run
P4 JDK-8259707 LDAP channel binding does not work with StartTLS extension


Priority Bug Summary
P4 JDK-8268361 Fix the infinite loop in next_line


Priority Bug Summary
P1 JDK-8260632 Build failures after JDK-8253353
P2 JDK-8269285 Crash/miscompile in CallGenerator::for_method_handle_inline after JDK-8191998
P3 JDK-8283441 C2: segmentation fault in ciMethodBlocks::make_block_at(int)
P3 JDK-8262134 compiler/uncommontrap/ failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
P3 JDK-8278758 runtime/BootstrapMethod/ fails with release VMs after JDK-8262134
P4 JDK-8252051 Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly
P5 JDK-8272720 Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit


Priority Bug Summary
P3 JDK-8257569 Failure observed with JfrVirtualMemory::initialize
P3 JDK-8287463 JFR: Disable on Windows
P3 JDK-8282947 JFR: Dump on shutdown live-locks in some conditions
P3 JDK-8284549 JFR: FieldTable leaks FieldInfoTable member
P3 JDK-8261354 SIGSEGV at MethodIteratorHost
P4 JDK-8249875 GCC 10 warnings -Wtype-limits with JFR code
P4 JDK-8280684 JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.


Priority Bug Summary
P2 JDK-8272472 StackGuardPages test doesn't build with glibc 2.34
P3 JDK-8290417 CDS cannot archive lamda proxy with useImplMethodHandle
P4 JDK-8266170 -Wnonnull happens in classLoaderData.inline.hpp
P4 JDK-8266172 -Wstringop-overflow happens in vmError.cpp
P4 JDK-8286277 CDS VerifyError when calling clone() on object array
P4 JDK-8293354 fastdebug build broken after JDK-8281866
P4 JDK-8247818 GCC 10 warning stringop-overflow with symbol code


Priority Bug Summary
P4 JDK-8288650 Bump update version for OpenJDK: jdk-15.0.9


Priority Bug Summary
P4 JDK-8276841 Add support for Visual Studio 2022
P4 JDK-8256538 Fix annoying awk warning in configure for java versions


Priority Bug Summary
P3 JDK-8269039 Disable SHA-1 Signed JARs


Priority Bug Summary
P3 JDK-8281628 KeyAgreement : generateSecret intermittently not resetting


Priority Bug Summary
P3 JDK-8279520 SPNEGO has not passed channel binding info into the underlying mechanism


Priority Bug Summary
P3 JDK-8266082 AssertionError in Annotate.fromAnnotations with -Xdoclint
P3 JDK-8268894 forged ASTs can provoke an AIOOBE at
P3 JDK-8286855 javac error on invalid jar should only print filename
P3 JDK-8286444 javac errors after JDK-8251329 are not helpful enough to find root cause


Priority Bug Summary
P3 JDK-8289486 Improve XSLT XPath operators count efficiency
P4 JDK-8285081 Improve XPath operators count accuracy
P4 JDK-8282071 Update java.xml module-info
P4 JDK-8282280 Update Xerces2 Java to Version 2.12.2