RELEASE NOTES FOR: 23.0.2
====================================================================================================

Notes generated: Sat Sep 07 06:27:58 CEST 2024

Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry.

JAVA ENHANCEMENT PROPOSALS (JEP):

  None.

RELEASE NOTES:

security-libs/javax.net.ssl:

  JDK-8337664: Distrust TLS Server Certificates Issued After Oct 2024 and Anchored by Entrust Root CAs

The JDK will stop trusting TLS server certificates issued after October 2024 and anchored by Entrust Root Certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.

TLS server certificates issued on or before October 31, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after October 31, 2024.

An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:

"TLS server certificate issued after 2024-10-31 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net"

If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the `jdk.security.caDistrustPolicies` security property in the `java.security` configuration file.

The restrictions are imposed on the following Entrust Root certificates included in the JDK:

Root Certificates distrusted after 2024-10-31

| Distinguished Name | SHA-256 Fingerprint |
| --- | --- |
| CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US | 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C |
| CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US | 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5 |
| CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US | 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39 |
| CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US | DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88 |
| CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net | 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77 |
| CN=AffirmTrust Commercial, O=AffirmTrust, C=US | 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7 |
| CN=AffirmTrust Networking, O=AffirmTrust, C=US | 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0:B4:1B |
| CN=AffirmTrust Premium, O=AffirmTrust, C=US | 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A |
| CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US | BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23 |
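
A pre-flight audit of the rule described above, as an added example (not code from the JDK or from these release notes): it prints the `jdk.security.caDistrustPolicies` value, lists which restricted roots sit in the default trust store by the fingerprints in the table, and for optional PEM chain files reports whether the leaf would be rejected. The class name, the UTC cutoff boundary and the matching of the anchor by issuer name only are assumptions of this sketch.

```java
import java.security.*;
import java.security.cert.*;
import java.time.Instant;
import java.util.*;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

public class EntrustDistrustAudit {
    // Issued on or before 2024-10-31 stays trusted; the UTC day boundary is an assumption.
    static final Instant CUTOFF = Instant.parse("2024-11-01T00:00:00Z");
    static final Set<String> DISTRUSTED = Set.of( // SHA-256 fingerprints from the table above
        "73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C",
        "02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5",
        "43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39",
        "DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88",
        "6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77",
        "03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7",
        "0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0:B4:1B",
        "70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A",
        "BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23"
    );

    static boolean distrusted(X509Certificate ca) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(ca.getEncoded());
        return DISTRUSTED.contains(HexFormat.ofDelimiter(":").withUpperCase().formatHex(d));
    }

    // chain is leaf first; the anchor is matched by issuer name only (no path validation).
    static boolean affected(List<X509Certificate> chain, Set<X500Principal> restricted) {
        return !chain.isEmpty() && !chain.get(0).getNotBefore().toInstant().isBefore(CUTOFF)
            && restricted.contains(chain.get(chain.size() - 1).getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("caDistrustPolicies=" + Security.getProperty("jdk.security.caDistrustPolicies"));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store (cacerts)
        Set<X500Principal> restricted = new HashSet<>();
        for (X509Certificate ca : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers())
            if (distrusted(ca)) restricted.add(ca.getSubjectX500Principal());
        System.out.println("restricted roots in trust store: " + restricted);
        for (String pem : args) { // optional: PEM files, one server chain each, leaf first
            List<X509Certificate> chain = new ArrayList<>();
            try (var in = java.nio.file.Files.newInputStream(java.nio.file.Path.of(pem))) {
                for (var c : CertificateFactory.getInstance("X.509").generateCertificates(in)) chain.add((X509Certificate) c);
            }
            System.out.println(pem + " rejected under ENTRUST_TLS: " + affected(chain, restricted));
        }
    }
}
```

Run with no arguments it only inspects the local JDK; a missing `ENTRUST_TLS` entry in the printed property means the workaround has been applied on that installation.
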

You can also use the `keytool` utility from the JDK to print out details of the certificate chain, as follows:

    keytool -v -list -alias -keystore

If any of the certificates in the chain issued by one of the root CAs in the table above are listed in the output, you will need to update the certificate or contact the organization that manages the server if it is not yours.

ALL FIXED ISSUES, BY COMPONENT AND PRIORITY:

client-libs/2d:

  (P4) JDK-8333277: ubsan: mlib_ImageScanPoly.c:292:43: runtime error: division by zero

core-libs/java.lang.invoke:

  (P4) JDK-8335150: Test LogGeneratedClassesTest.java fails on rpmbuild mock enviroment

core-libs/java.util:

  (P4) JDK-8336926: jdk/internal/util/ReferencedKeyTest.java can fail with ConcurrentModificationException

hotspot/compiler:

  (P3) JDK-8321509: False positive in get_trampoline fast path causes crash
  (P4) JDK-8336692: Redo fix for JDK-8284620
  (P4) JDK-8337780: RISC-V: C2: Change C calling convention for sp to NS
  (P4) JDK-8339248: RISC-V: Remove li64 macro assembler routine and related code
  (P4) JDK-8332903: ubsan: opto/output.cpp:1002:18: runtime error: load of value 171, which is not a valid value for type 'bool'

hotspot/gc:

  (P2) JDK-8334482: Shenandoah: Deadlock when safepoint is pending during nmethods iteration
  (P3) JDK-8333088: ubsan: shenandoahAdaptiveHeuristics.cpp:245:44: runtime error: division by zero
  (P4) JDK-8335493: check_gc_overhead_limit should reset SoftRefPolicy::_should_clear_all_soft_refs
  (P4) JDK-8334769: Shenandoah: Move CodeCache_lock close to its use in ShenandoahConcurrentNMethodIterator
  (P5) JDK-8335904: Fix invalid comment in ShenandoahLock

hotspot/jfr:

  (P4) JDK-8332699: ubsan: jfrEventSetting.inline.hpp:31:43: runtime error: index 163 out of bounds for type 'jfrNativeEventSetting [162]'

hotspot/jvmti:

  (P3) JDK-8337331: crash: pinned virtual thread will lead to jvm crash when running with the javaagent option
  (P4) JDK-8333361: ubsan,test : libHeapMonitorTest.cpp:518:9: runtime error: null pointer passed as argument 2, which is declared to never be null
  (P4) JDK-8333730: ubsan: FieldIndices/libFieldIndicesTest.cpp:276:11: runtime error: null pointer passed as argument 2, which is declared to never be null

hotspot/runtime:

  (P3) JDK-8335283: Build failure due to 'no_sanitize' attribute directive ignored
  (P3) JDK-8337958: Out-of-bounds array access in secondary_super_cache
  (P3) JDK-8335449: runtime/cds/DeterministicDump.java fails with File content different at byte ...
  (P4) JDK-8334567: [test] runtime/os/TestTracePageSizes move ppc handling
  (P4) JDK-8338110: Exclude Fingerprinter::do_type from ubsan checks
  (P4) JDK-8335397: Improve reliability of TestRecursiveMonitorChurn.java
  (P4) JDK-8335007: Inline OopMapCache table
  (P4) JDK-8333522: JFR SwapSpace event might read wrong free swap space size
  (P4) JDK-8338058: map_or_reserve_memory_aligned Windows enhance remap assertion
  (P4) JDK-8338101: remove old remap assertion in map_or_reserve_memory_aligned after JDK-8338058
  (P4) JDK-8336148: Test runtime/locking/TestRecursiveMonitorChurn.java failed: Unexpected Inflation
  (P4) JDK-8333639: ubsan: cppVtables.cpp:81:55: runtime error: index 14 out of bounds for type 'long int [1]'
  (P4) JDK-8333354: ubsan: frame.inline.hpp:91:25: and src/hotspot/share/runtime/frame.inline.hpp:88:29: runtime error: member call on null pointer of type 'const struct SmallRegisterMap'
  (P4) JDK-8333363: ubsan: instanceKlass.cpp: runtime error: member call on null pointer of type 'struct AnnotationArray'
  (P4) JDK-8335237: ubsan: vtableStubs.hpp is_vtable_stub exclude from ubsan checks
  (P4) JDK-8334564: VM startup: fatal error: FLAG_SET_ERGO cannot be used to set an invalid value for NonNMethodCodeHeapSize

hotspot/svc-agent:

  (P4) JDK-8335743: jhsdb jstack cannot print some information on the waiting thread
  (P4) JDK-8336284: Test TestClhsdbJstackLock.java/TestJhsdbJstackLock.java fails with -Xcomp after JDK-8335743

hotspot/test:

  (P4) JDK-8335299: Remove hs-atr-ci-genzgc
  (P4) JDK-8330702: Update failure handler to don't generate Error message if cores actions are empty
  (P4) JDK-8332113: Update nsk.share.Log to be always verbose

infrastructure:

  (P4) JDK-8337024: Bump version numbers for 23.0.2
  (P4) JDK-8334166: Enable binary check

infrastructure/build:

  (P4) JDK-8336343: Add more known sysroot library locations for ALSA
  (P4) JDK-8337283: configure.log is truncated when build dir is on different filesystem
  (P4) JDK-8336342: Fix known X11 library locations in sysroot
  (P4) JDK-8336928: GHA: Bundle artifacts removal broken
  (P4) JDK-8338286: GHA: Demote x86_32 to hotspot build only
  (P4) JDK-8334618: ubsan: support setting additional ubsan check options
  (P4) JDK-8337819: Update GHA JDKs to 22.0.2

security-libs/java.security:

  (P3) JDK-8333754: Add a Test against ECDSA and ECDH NIST Test vector
  (P3) JDK-8328723: IP Address error when client enables HTTPS endpoint check on server socket
  (P3) JDK-8028127: Regtest java/security/Security/SynchronizedAccess.java is incorrect
  (P4) JDK-8335172: Add manual steps to run security/auth/callback/TextCallbackHandler/Password.java test
  (P4) JDK-8336854: CAInterop.java#actalisauthenticationrootca conflicted with /manual and /timeout

security-libs/javax.net.ssl:

  (P3) JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs

tools/jpackage:

  (P4) JDK-8336315: tools/jpackage/windows/WinChildProcessTest.java Failed: Check is calculator process is alive