RELEASE NOTES FOR: 15.0.9
====================================================================================================

Notes generated: Wed Apr 03 01:43:23 CEST 2024

Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry.

JAVA ENHANCEMENT PROPOSALS (JEP):

  None.

RELEASE NOTES:

core-libs/java.net:

    JDK-8279842: HTTPS Channel Binding Support for Java GSS/Kerberos

      Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication
      over HTTPS through javax.net.HttpsURLConnection.
      
      Channel binding tokens are increasingly required as an enhanced form of security. They work by
      communicating from a client to a server the client's understanding of the binding between
      connection security, as represented by a TLS server cert, and higher level authentication
      credentials, such as a username and password. The server can then detect if the client has
      been fooled by a MITM and shutdown the session or connection.
      
      The feature is controlled through a new system property `jdk.https.negotiate.cbt` which is
      described fully in [Networking
      Properties](https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt).

security-libs/java.security:

    JDK-8269039: Disabled SHA-1 Signed JARs

      JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were
      unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the
      JAR. It also applies to the signature and digest algorithms of the certificates in the
      certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP
      responses that are used to verify if those certificates have been revoked. These restrictions
      also apply to signed JCE providers.
      
      To reduce the compatibility risk for JARs that have been previously timestamped, there is one
      exception to this policy:
      
      - Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be
      restricted.
      
      This exception may be removed in a future JDK release. To determine if your signed JARs are
      affected by this change, run `jarsigner -verify -verbose -certs` on the signed JAR, and look
      for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated
      as unsigned in the output.
      
      For example:
      
      ``` -  Signed by "CN="Signer""      Digest algorithm: SHA-1 (disabled)      Signature
      algorithm: SHA1withRSA (disabled), 2048-bit key
      
      WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that
      is now disabled by the security property:
      
      jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter
      2019-01-01
      
      ```
      
      JARs affected by these new restrictions should be replaced or re-signed with stronger
      algorithms. 
      
      Users can, *at their own risk*, remove these restrictions by modifying the `java.security`
      configuration file (or override it by using the `java.security.properties` system property)
      and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the
      `jdk.certpath.disabledAlgorithms` security property and "SHA1 denyAfter 2019-01-01" from the
      `jdk.jar.disabledAlgorithms` security property.

core-libs/java.time:

    JDK-8292579: Update Timezone Data to 2022c

      This version includes changes from 2022b that merged multiple regions that have the same
      timestamp data post-1970 into a single time zone database.  All time zone IDs remain the same
      but the merged time zones will point to a shared zone database.
      
      As a result, pre-1970 data may not be compatible with earlier JDK versions.  The affected
      zones are ```Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik,
      Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo,
      Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe,
      Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei,
      Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland,
      Pacific/Ponape, Pacific/Truk, and Pacific/Yap```.
      
      For more details, refer to the announcement of
      [2022b](https://mm.icann.org/pipermail/tz-announce/2022-August/000071.html)

core-libs/javax.naming:

    JDK-8245527: LDAP Channel Binding Support for Java GSS/Kerberos

      A new JNDI environment property `“com.sun.jndi.ldap.tls.cbtype”` has been added to enable TLS
      Channel Binding data in LDAP authentication over SSL/TLS protocol to the Windows AD server.
      Possible value is `“tls-server-end-point”` - Channel Binding data is created on the base of
      the TLS server certificate. See the module description of the `java.naming` module. 


ALL FIXED ISSUES, BY COMPONENT AND PRIORITY:

client-libs/2d:
  (P3) JDK-8256372: [macos] Unexpected symbol was displayed on JTextField with Monospaced font
  (P3) JDK-8290334: Update FreeType to 2.12.1
  (P3) JDK-8289853: Update HarfBuzz to 4.4.1

client-libs/java.awt:
  (P3) JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed

client-libs/javax.imageio:
  (P4) JDK-7131823: bug in GIFImageReader

core-libs/java.net:
  (P3) JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos

core-libs/java.nio:
  (P3) JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
  (P3) JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions

core-libs/java.text:
  (P4) JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly.

core-libs/java.time:
  (P3) JDK-8292579: (tz) Update Timezone Data to 2022c

core-libs/java.util.jar:
  (P5) JDK-8207936: TestZipFile failed with java.lang.AssertionError exception

core-libs/java.util:i18n:
  (P3) JDK-8283277: ISO 4217 Amendment 171 Update
  (P3) JDK-8289549: ISO 4217 Amendment 172 Update
  (P4) JDK-8028265: Add legacy tz tests to OpenJDK

core-libs/javax.naming:
  (P3) JDK-8245527: LDAP Channel Binding support for Java GSS/Kerberos
  (P3) JDK-8277795: LDAP connection timeout not honoured under contention
  (P4) JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run
  (P4) JDK-8259707: LDAP channel binding does not work with StartTLS extension

core-svc/java.lang.management:
  (P4) JDK-8268361: Fix the infinite loop in next_line

hotspot/compiler:
  (P1) JDK-8260632: Build failures after JDK-8253353
  (P2) JDK-8269285: Crash/miscompile in CallGenerator::for_method_handle_inline after JDK-8191998
  (P3) JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
  (P3) JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
  (P3) JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
  (P4) JDK-8252051: Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly
  (P5) JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit

hotspot/jfr:
  (P3) JDK-8257569: Failure observed with JfrVirtualMemory::initialize
  (P3) JDK-8287463: JFR: Disable TestDevNull.java on Windows
  (P3) JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
  (P3) JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
  (P3) JDK-8261354: SIGSEGV at MethodIteratorHost
  (P4) JDK-8249875: GCC 10 warnings -Wtype-limits with JFR code
  (P4) JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.

hotspot/runtime:
  (P2) JDK-8272472: StackGuardPages test doesn't build with glibc 2.34
  (P3) JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle
  (P4) JDK-8266170: -Wnonnull happens in classLoaderData.inline.hpp
  (P4) JDK-8266172: -Wstringop-overflow happens in vmError.cpp
  (P4) JDK-8286277: CDS VerifyError when calling clone() on object array
  (P4) JDK-8293354: fastdebug build broken after JDK-8281866
  (P4) JDK-8247818: GCC 10 warning stringop-overflow with symbol code

infrastructure:
  (P4) JDK-8288650: Bump update version for OpenJDK: jdk-15.0.9

infrastructure/build:
  (P4) JDK-8276841: Add support for Visual Studio 2022
  (P4) JDK-8256538: Fix annoying awk warning in configure for java versions

security-libs/java.security:
  (P3) JDK-8269039: Disable SHA-1 Signed JARs

security-libs/javax.crypto:
  (P3) JDK-8281628: KeyAgreement : generateSecret intermittently not resetting

security-libs/org.ietf.jgss:
  (P3) JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism

tools/javac:
  (P3) JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint
  (P3) JDK-8268894: forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition
  (P3) JDK-8286855: javac error on invalid jar should only print filename
  (P3) JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause

xml/jaxp:
  (P3) JDK-8289486: Improve XSLT XPath operators count efficiency
  (P4) JDK-8285081: Improve XPath operators count accuracy
  (P4) JDK-8282071: Update java.xml module-info
  (P4) JDK-8282280: Update Xerces2 Java to Version 2.12.2