RELEASE NOTES FOR: 8u121 ==================================================================================================== Notes generated: Fri Mar 01 13:21:55 CET 2024 Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry. JAVA ENHANCEMENT PROPOSALS (JEP): None. RELEASE NOTES: security-libs/javax.net.ssl: JDK-8173783: Correction of IllegalArgumentException from TLS handshake A recent issue from the JDK-8148516 fix can cause issue for some TLS servers. The problem originates from an *IllegalArgumentException* thrown by the TLS handshaker code. ```java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves``` The issue can arise when the server doesn't have elliptic curve cryptography support to handle an elliptic curve name extension field (if present). Users are advised to upgrade to this release. By default, JDK 7 Updates and later JDK families ship with the SunEC security provider which provides elliptic curve cryptography support. Those releases should not be impacted unless security providers are modified. core-libs/java.io:serialization: JDK-8155760: Serialization Filter Configuration Serialization Filtering introduces a new mechanism which allows incoming streams of object-serialization data to be filtered in order to improve both security and robustness. Every ObjectInputStream applies a filter, if configured, to the stream contents during deserialization. Filters are set using either a system property or a configured security property. The value of the "jdk.serialFilter" patterns are described in [JEP 290 Serialization Filtering](http://openjdk.java.net/jeps/290) and in <JRE>/lib/security/java.security. Filter actions are logged to the 'java.io.serialization' logger, if enabled. security-libs/javax.xml.crypto: JDK-8151893: Add security property to configure XML Signature secure validation mode A new security property named `jdk.xml.dsig.secureValidationPolicy` has been added that allows you to configure the individual restrictions that are enforced when the secure validation mode of XML Signature is enabled. The default value for this property in the `java.security` configuration file is: ``` jdk.xml.dsig.secureValidationPolicy=\ disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\ disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\ disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\ disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\ maxTransforms 5,\ maxReferences 30,\ disallowReferenceUriSchemes file http https,\ noDuplicateIds,\ noRetrievalMethodLoops ``` Please refer to the definition of the property in the `java.security` file for more information. security-libs/java.security: JDK-8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar The jarsigner tool has been enhanced to show details of the algorithms and keys used to generate a signed JAR file and will also provide an indication if any of them are considered weak. Specifically, when "jarsigner -verify -verbose filename.jar" is called, a separate section is printed out showing information of the signature and timestamp (if it exists) inside the signed JAR file, even if it is treated as unsigned for various reasons. If any algorithm or key used is considered weak, as specified in the Security property `jdk.jar.disabledAlgorithms`, it will be labeled with "(weak)". For example: ``` - Signed by "CN=weak_signer" Digest algorithm: MD2 (weak) Signature algorithm: MD2withRSA (weak), 512-bit key (weak) Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016 Timestamp digest algorithm: SHA-256 Timestamp signature algorithm: SHA256withRSA, 2048-bit key ``` ALL FIXED ISSUES, BY COMPONENT AND PRIORITY: client-libs/2d: (P3) JDK-8058316: lookupDefaultPrintService returns null on Solaris 11 when default printer is set using lpoptions command (P3) JDK-8170950: Text is displayed in bold when fonts are installed into symlinked folder client-libs/java.awt: (P3) JDK-8163979: [macosx] Chinese text shows as Latin w/ openVanilla input method (P3) JDK-8075516: Deleting a file from either the open or save java.awt.FileDialog hangs. (P4) JDK-8037099: [macosx] Remove all references to GC from native OBJ-C code client-libs/javax.accessibility: (P2) JDK-8076249: NPE in AccessBridge while editing JList model (P3) JDK-8076554: [macosx] Custom Swing text components need to allow standard accessibility (P3) JDK-8145207: [macosx] JList, VO can't access non-visible list items (P3) JDK-8165829: Android Studio 2.x crashes with NPE at sun.lwawt.macosx.CAccessibility.getAccessibleIndexInParent (P3) JDK-8171808: Performance problems in dialogs with large tables when JAB activated (P3) JDK-8163733: Uninitialised memory in WinAccessBridge.cpp:1128 client-libs/javax.swing: (P3) JDK-8173145: Menu is activated after using mnemonic Alt/Key combination (P3) JDK-7172652: With JDK 1.7 text field does not obtain focus when using mnemonic Alt/Key combin (P4) JDK-8152981: Double icons with JMenuItem setHorizontalTextPosition on Win 10 core-libs/java.io:serialization: (P2) JDK-8155760: Implement Serialization Filtering (P2) JDK-8166739: Improve extensibility of ObjectInputFilter information passed to the filter core-libs/java.net: (P3) JDK-8182672: Java 8u121 on Linux intermittently returns null for MAC address core-libs/java.time: (P2) JDK-8170316: (tz) Support tzdata2016j (P3) JDK-8176044: (tz) Support tzdata2017a core-libs/javax.naming: (P3) JDK-8169465: Deadlock in com.sun.jndi.ldap.pool.Connections deploy/deployment_toolkit: (P2) JDK-8158099: Revise java.com image and link paths dtjava.js and deployJava.js deploy/webstart: (P3) JDK-8141054: WebStart does not clean up jnlp file after closing hotspot/compiler: (P2) JDK-8038348: Instance field load is replaced by wrong data Phi hotspot/gc: (P4) JDK-8161993: G1 crashes if active_processor_count changes during startup hotspot/jvmti: (P3) JDK-8162795: [REDO] MemberNameTable doesn't purge stale entries hotspot/runtime: (P2) JDK-8165153: Crash in rebuild_cpu_to_node_map (P3) JDK-8170888: [linux] Experimental support for cgroup memory limits in container (ie Docker) environments (P3) JDK-6515172: Runtime.availableProcessors() ignores Linux taskset command (P4) JDK-8147910: Cache initial active_processor_count install/install: (P2) JDK-8161687: [MSI] [Wrappers] JRE is installed successfully if INSTALLDIR option is set to existing directory and files (P3) JDK-8163171: Java installer leaves cached files on host after update javafx/build: (P2) JDK-8164177: Update copyright header for files modified in 2016 (P3) JDK-8166759: jfxwebkit.dll is missing file detail for 8u112 and 9 javafx/other: (P3) JDK-8164497: Update .hgignore files to ingore .jcheck dir until we actually enable jcheck other-libs/corba: (P2) JDK-8164908: ReflectionFactory support for IIOP and custom serialization security-libs/java.security: (P2) JDK-8167591: Add MD5 to signed JAR restrictions (P2) JDK-8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar (P3) JDK-8161571: Verifying ECDSA signatures permits trailing bytes security-libs/javax.net.ssl: (P1) JDK-8173783: IllegalArgumentException: jdk.tls.namedGroups (P2) JDK-8167459: Add debug output for indicating if a chosen ciphersuite was legacy (P2) JDK-8167472: Chrome interop regression with JDK-8148516 (P3) JDK-8170131: Certificates not being blocked by jdk.tls.disabledAlgorithms property security-libs/javax.smartcardio: (P4) JDK-8059212: Modify sun/security/smartcardio manual regression tests so that they do not just fail if no cardreader found security-libs/javax.xml.crypto: (P2) JDK-8151893: Add security property to configure XML Signature secure validation mode xml/jax-ws: (P3) JDK-8159058: SAXParseException when sending soap message xml/jaxp: (P3) JDK-8167179: Make XSL generated namespace prefixes local to transformation process