RELEASE NOTES FOR: 23.0.1
====================================================================================================

Notes generated: Thu Oct 03 13:19:32 CEST 2024

Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry.

JAVA ENHANCEMENT PROPOSALS (JEP):

  None.

RELEASE NOTES:

security-libs/javax.net.ssl:

    JDK-8337664: Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024

      The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored
      by Entrust root certificates, in line with similar plans recently announced by Google and
      Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which
      are managed by Entrust.
      
      TLS server certificates issued on or before November 11, 2024 will continue to be trusted
      until they expire. Certificates issued after that date, and anchored by any of the Certificate
      Authorities in the table below, will be rejected.
      
      The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java
      Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's
      certificate chain is anchored by any of the Certificate Authorities in the table below and the
      certificate has been issued after November 11, 2024.
      
      An application will receive an Exception with a message indicating the trust anchor is not
      trusted, for example:
      
      ``` TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust
      root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited,
      OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net ```
      
      If necessary, and at your own risk, you can work around the restrictions by removing
      "ENTRUST_TLS" from the `jdk.security.caDistrustPolicies` security property in the
      `java.security` configuration file.
      
      The restrictions are imposed on the following Entrust Root certificates included in the JDK:
      
      <table border="1" cellpadding="1" cellspacing="1" style="width:500px;" summary="Root
      Certificates distrusted after 2024-11-11"> 	<caption>Root Certificates distrusted after
      2024-10-31</caption> 	<thead> 		<tr> 			<th scope="col">Distinguished Name</th> 			<th
      scope="col">SHA-256 Fingerprint</th> 		</tr> 	</thead> 	<tbody> 		<tr> 			<td>CN=Entrust Root
      Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by
      reference, O=Entrust, Inc., C=US</td> 			<td>
      			<p>73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust Root Certification Authority - EC1, OU=(c) 2012
      Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc.,
      C=US</td> 			<td>
      			<p>02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust Root Certification Authority - G2, OU=(c) 2009
      Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc.,
      C=US</td> 			<td>
      			<p>43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust Root Certification Authority - G4, OU=(c) 2015
      Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc.,
      C=US</td> 			<td>
      			<p>DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust.net Certification Authority (2048), OU=(c) 1999
      Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
      O=Entrust.net</td> 			<td>
      			<p>6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Commercial, O=AffirmTrust, C=US</td> 			<td>
      			<p>03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Networking, O=AffirmTrust, C=US</td> 			<td>
      			<p>0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Premium, O=AffirmTrust, C=US</td> 			<td>
      			<p>70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US</td> 			<td>
      			<p>BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23</p>
      			</td> 		</tr> 	</tbody> </table>
      
      You can also use the `keytool` utility from the JDK to print out details of the certificate
      chain, as follows:
      
      keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
      
      If any of the certificates in the chain are issued by one of the root CAs in the table above
      are listed in the output you will need to update the certificate or contact the organization
      that manages the server. 

    JDK-8341059: Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024

      The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored
      by Entrust root certificates, in line with similar plans recently announced by Google and
      Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which
      are managed by Entrust.
      
      TLS server certificates issued on or before November 11, 2024 will continue to be trusted
      until they expire. Certificates issued after that date, and anchored by any of the Certificate
      Authorities in the table below, will be rejected.
      
      The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java
      Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's
      certificate chain is anchored by any of the Certificate Authorities in the table below and the
      certificate has been issued after November 11, 2024.
      
      An application will receive an Exception with a message indicating the trust anchor is not
      trusted, for example:
      
      ``` TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust
      root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited,
      OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net ```
      
      If necessary, and at your own risk, you can work around the restrictions by removing
      "ENTRUST_TLS" from the `jdk.security.caDistrustPolicies` security property in the
      `java.security` configuration file.
      
      The restrictions are imposed on the following Entrust Root certificates included in the JDK:
      
      <table border="1" cellpadding="1" cellspacing="1" style="width:500px;" summary="Root
      Certificates distrusted after 2024-11-11"> 	<caption>Root Certificates distrusted after
      2024-10-31</caption> 	<thead> 		<tr> 			<th scope="col">Distinguished Name</th> 			<th
      scope="col">SHA-256 Fingerprint</th> 		</tr> 	</thead> 	<tbody> 		<tr> 			<td>CN=Entrust Root
      Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by
      reference, O=Entrust, Inc., C=US</td> 			<td>
      			<p>73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust Root Certification Authority - EC1, OU=(c) 2012
      Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc.,
      C=US</td> 			<td>
      			<p>02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust Root Certification Authority - G2, OU=(c) 2009
      Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc.,
      C=US</td> 			<td>
      			<p>43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust Root Certification Authority - G4, OU=(c) 2015
      Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc.,
      C=US</td> 			<td>
      			<p>DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust.net Certification Authority (2048), OU=(c) 1999
      Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
      O=Entrust.net</td> 			<td>
      			<p>6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Commercial, O=AffirmTrust, C=US</td> 			<td>
      			<p>03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Networking, O=AffirmTrust, C=US</td> 			<td>
      			<p>0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Premium, O=AffirmTrust, C=US</td> 			<td>
      			<p>70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US</td> 			<td>
      			<p>BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23</p>
      			</td> 		</tr> 	</tbody> </table>
      
      You can also use the `keytool` utility from the JDK to print out details of the certificate
      chain, as follows:
      
      keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
      
      If any of the certificates in the chain are issued by one of the root CAs in the table above
      are listed in the output you will need to update the certificate or contact the organization
      that manages the server. 

security-libs/java.security:

    JDK-8341057: Added SSL.com TLS Root CA Certificates Issued in 2022

      The following root certificates have been added to the cacerts truststore: ``` + SSL.com   +
      ssltlsrootecc2022     DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
      
      + SSL.com   + ssltlsrootrsa2022     DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation,
      C=US ```


ALL FIXED ISSUES, BY COMPONENT AND PRIORITY:

client-libs/2d:
  (P4) JDK-8334123: log the opening of Type 1 fonts

client-libs/javax.swing:
  (P3) JDK-6967482: TAB-key does not work in JTables after selecting details-view in JFileChooser
  (P4) JDK-8166352: FilePane.createDetailsView() removes JTable TAB, SHIFT-TAB functionality

core-libs/java.nio:
  (P3) JDK-8338696: (fs) BasicFileAttributes.creationTime() falls back to epoch if birth time is unavailable (Linux)
  (P4) JDK-8299813: java/nio/channels/DatagramChannel/Disconnect.java fails with jtreg test timeout due to lost datagram
  (P4) JDK-8336301: test/jdk/java/nio/channels/AsyncCloseAndInterrupt.java leaves around a FIFO file upon test completion

hotspot/compiler:
  (P4) JDK-8333652: RISC-V: compiler/vectorapi/VectorGatherMaskFoldingTest.java fails when using RVV
  (P5) JDK-8335536: Fix assertion failure in IdealGraphPrinter when append is true

hotspot/gc:
  (P4) JDK-8333716: Shenandoah: Check for disarmed method before taking the nmethod lock
  (P4) JDK-8331411: Shenandoah: Reconsider spinning duration in ShenandoahLock

hotspot/jvmti:
  (P4) JDK-8335775: Remove extraneous 's' in comment of rawmonitor.cpp test file

hotspot/runtime:
  (P4) JDK-8334239: Introduce macro for ubsan method/function exclusions
  (P4) JDK-8332818: ubsan: archiveHeapLoader.cpp:70:27: runtime error: applying non-zero offset 18446744073707454464 to null pointer
  (P4) JDK-8333887: ubsan: unsafe.cpp:247:13: runtime error: store to null pointer of type 'volatile int'

infrastructure:
  (P4) JDK-8334041: Bump version numbers for 23.0.1

infrastructure/build:
  (P4) JDK-8333676: JCK_RETRY_COUNT appears to not work

security-libs/java.security:
  (P2) JDK-8341057: Add 2 SSL.com TLS roots

security-libs/javax.net.ssl:
  (P2) JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
  (P3) JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
  (P4) JDK-8332524: Instead of printing "TLSv1.3," it is showing "TLS13"

tools/jpackage:
  (P4) JDK-8325525: Create jtreg test case for JDK-8325203