Notes generated: Thu Dec 01 01:05:11 CET 2022





Issue Description

Modified HttpURLConnection behavior when no suitable proxy is found

The behavior of HttpURLConnection when using a ProxySelector has been modified with this JDK release. HttpURLConnection used to fall back to a DIRECT connection attempt if the configured proxy(s) failed to make a connection. This release introduces a change whereby no DIRECT connection will be attempted in such a scenario. Instead, the HttpURLConnection.connect() method will fail and throw an IOException which occurred from the last proxy tested.

Modified HttpURLConnection Behavior When a Suitable Proxy Is Not Found

The behavior of HttpURLConnection when using ProxySelector has been modified in this JDK release. HttpURLConnection used to fall back to a direct connection attempt if the configured proxy(s) failed to make a connection. Beginning with this release, the default behavior has been changed to no longer use a direct connection when the first proxy connection attempt fails.

A new system property,, can be set to a value of "true" should an application need to fall back to the old behavior (fall back to a direct connection when the first proxy connection attempt fails).


Issue Description

Running jps as root does not show all information

After the fix of [] (fixed in 8u31, 7u75 and 6u91), running jps as root did not show all the information from Java processes started by other users on some systems. This has now been fixed.


Issue Description

Allow SASL Mechanisms to Be Restricted

A security property named jdk.sasl.disabledMechanisms has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms argument of Sasl.createSaslClient or the mechanism argument of Sasl.createSaslServer. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.


Issue Description

IANA Data 2016a

JDK contains IANA time zone data version 2016a. For more information, refer to Timezone Data Versions in the JRE Software.


New Japanese Era Name: Reiwa

An instance representing the new Reiwa era has been added to this update. Unlike other eras, there is no public field for this era. It can be obtained by calling JapaneseEra.of(3) or JapaneseEra.valueOf("Reiwa"). JDK 13 and later will have a new public field to represent this era.

The placeholder name, "NewEra", for the Japanese era that started from May 1st, 2019 has been replaced with the new official name. Applications that relied on the placeholder name (see JDK-8202088) to obtain the new era singleton (JapaneseEra.valueOf("NewEra")) will no longer work.


Issue Description

New system property for the remote JMX connector

New JMX agent property -

A new property,, is introduced that specifies the bind address for the default JMX agent. If the latter is not specified, the default JMX agent will listen on all interfaces ( and the host value placed in the agent service URL (JMXServiceURL) is the IP address returned from invocation of InetAddress.getLocalHost() method.

  • Name:
  • Definition : Specifies the bind address for the default JMX agent. It can be specified via the command line while starting the JVM or as part of the agent config file (
  • Value: IP address of any network interface of the machine


Issue Description

A new configurable property in java.util.logging.FileHandler.maxLocks

A new "java.util.logging.FileHandler.maxLocks" configurable property is added to java.util.logging.FileHandler.

This new logging property can be defined in the logging configuration file and makes it possible to configure the maximum number of concurrent log file locks a FileHandler can handle. The default value is 100.

In a highly concurrent environment where multiple (more than 101) standalone client applications are using the JDK Logging API with FileHandler simultaneously, it may happen that the default limit of 100 is reached, resulting in a failure to acquire FileHandler file locks and causing an IO Exception to be thrown. In such a case, the new logging property can be used to increase the maximum number of locks before deploying the application.

If not overridden, the default value of maxLocks (100) remains unchanged. See java.util.logging.LogManager and java.util.logging.FileHandler API documentation for more details.

System Property Controls the java.util.logging.FileHandler's MAX_LOCKS Limit

A new JDK implementation specific system property jdk.internal.FileHandlerLogging.maxLocks has been introduced to control the java.util.logging.FileHandler MAXLOCKS limit. The default value of the current MAXLOCKS (100) is retained if this new system property is not set or an invalid value is provided to the property. Valid values for this property are integers ranging from 1 to Integer.MAX_VALUE-1.


Issue Description

New defaults for DSA keys in jarsigner and keytool

For DSA keys, the default signature algorithm for keytool and jarsigner has changed from SHA1withDSA to SHA256withDSA and the default key size for keytool has changed from 1024 bits to 2048 bits.

Users wishing to revert to the previous behavior can use the -sigalg option of keytool and jarsigner and specify SHA1withDSA and the -keysize option of keytool and specify 1024.

There are a few potential compatibility risks associated with this change:

  1. If you have a script that uses the default key size of keytool to generate a DSA keypair but then subsequently specifies a specific signature algorithm, ex: ` keytool -genkeypair -keyalg DSA -keystore keystore -alias mykey ... keytool -certreq -sigalg SHA1withDSA -keystore keystore -alias mykey ... it will fail with one of the following exceptions, because the new 2048-bit keysize default is too strong for SHA1withDSA: `` keytool error: The security strength of SHA-1 digest algorithm is not sufficient for this key size keytool error: DSA key must be at most 1024 bits `` The workaround is to remove the-sigalgoption and use the stronger SHA256withDSA default or, at your own risk, use the-keysizeoption ofkeytool` to specify a smaller key size (1024).

  2. If you use jarsigner to sign JARs with the new defaults, previous versions (than this release) of JDK 6 and 7 do not support the stronger defaults and will not be able to verify the JAR. jarsigner -verify on an earlier release of JDK 6 or 7 will output the following error: ` jar is unsigned. (signatures missing or not parsable) If you thejarsignercommand line, the cause will be output: `` jar: processEntry caught: SHA256withDSA Signature not available `` If compatibility with earlier releases is important, you can, at your own risk, use the-sigalgoption ofjarsigner` and specify the weaker SHA1withDSA algorithm.

  3. If you use a PKCS11 keystore, the SunPKCS11 provider does not support the SHA256withDSA algorithm. jarsigner and some keytool commands may fail with the following exception if PKCS11 is specified with the -storetype option, ex:

    ` keytool error: No installed provider supports this key:$P11PrivateKey A similar error may occur if you are using NSS with the SunPKCS11 provider. The workaround is to use the-sigalgoption ofkeytool` and specify SHA1withDSA.


Issue Description

keytool now prints warnings when reading or generating certificates/certificate requests/CRLs using weak algorithms

With one exception, keytool will always print a warning if the certificate, certificate request, or CRL it is parsing, verifying, or generating is using a weak algorithm or key. When a certificate is from an existing TrustedCertificateEntry, either in the keystore directly operated on or in the cacerts keystore when the -trustcacerts option is specified for the -importcert command, keytool will not print a warning if it is signed with a weak signature algorithm. For example, suppose the file cert contains a CA certificate signed with a weak signature algorithm, keytool -printcert -file cert and keytool -importcert -file cert -alias ca -keystore ks will print out a warning, but after the last command imports it into the keystore, keytool -list -alias ca -keystore ks will not show a warning anymore.

An algorithm or a key is weak if it matches the value of the jdk.certpath.disabledAlgorithms security property defined in the conf/security/ file.


keytool now prints out information of a certificate's public key

Keytool now prints out the key algorithm and key size of a certificate's public key, in the form of "Subject Public Key Algorithm: `<size>-bit RSA key", where <size>` is the key size in bits (ex: 2048).


Support keystore type detection for JKS and PKCS12 keystores

To aid interoperability, the Java keystore type JKS now supports keystore compatibility mode by default. This mode enables JKS keystores to access both JKS and PKCS12 file formats. To disable keystore compatibility mode set the Security property 'keystore.type.compat' to the string value 'false'.


jarsigner Prints When a timestamp Will Expire

The jarsigner tool now shows more information about the lifetime of a timestamped JAR. New warning and error messages are displayed when a timestamp has expired or is expiring within one year.


Disable SHA-1 TLS Server Certificates

Any TLS server certificate chain containing a SHA-1 certificate (end-entity or intermediate CA) and anchored by a root CA certificate included by default in Oracle's JDK is now blocked by default. TLS Server certificate chains that are anchored by enterprise or private CAs are not affected. Only X.509 certificate chains that are validated by the PKIX implementation of the CertPathValidator and CertPathBuilder APIs and the SunX509 and PKIX implementations of the TrustManagerFactory API are subject to the restrictions. Third-party implementations of these APIs are directly responsible for enforcing their own restrictions.

To implement this restriction and provide more flexibility for configuring your own restrictions, additional features have been added to the jdk.certpath.disabledAlgorithms and jdk.jar.disabledAlgorithms Security Properties in the file, as follows:

  • jdk.certpath.disabledAlgorithms:

    Three new constraints have been added to this Security Property:

    A new constraint named jdkCA, that when set, restricts the algorithm if it is used in a certificate chain that is anchored by a trust anchor that is pre-installed in the JDK cacerts keystore. This condition does not apply to certificate chains that are anchored by other certificates, including those that are subsequently added to the cacerts keystore. Also, note that the restriction does not apply to trust anchor certificates, since they are directly trusted.

    A new constraint named denyAfter, that when set, restricts the algorithm if it is used in a certificate chain after the specified date. The restriction does not apply to trust anchor certificates, since they are directly trusted. Also, code signing certificate chains as used in signed JARs are treated specially as follows:

  • if the certificate chain is used with a signed JAR that is not timestamped, it will be restricted after the specified date

  • if the certificate chain is used with a signed JAR that is timestamped, it will not be restricted if it is timestamped before the specified date. If the JAR is timestamped after the specified date, it will be restricted.

    A new constraint named usage, that when set, restricts the algorithm if it is used in a certificate chain for the specified use(s). Three usages are initially supported: TLSServer for TLS/SSL server certificate chains, TLSClient for TLS/SSL client certificate chains, and SignedJAR for certificate chains used with signed JARs.

Multiple constraints can be combined to constrain an algorithm when delimited by '&'. For example, to disable SHA-1 TLS Server certificate chains that are anchored by pre-installed root CAs, the constraint is "SHA1 jdkCA & usage TLSServer".

  • jdk.jar.disabledAlgorithms:

    A new constraint has been added named denyAfter, that when set, restricts the algorithm if it is used in a signed JAR after the specified date, as follows:

  • if the JAR is not timestamped, it will be restricted (treated as unsigned) after the specified date

  • if the JAR is timestamped, it will not be restricted if it is timestamped before the specified date. If the JAR is timestamped after the specified date, it will be restricted.

    For example, to restrict SHA1 in JAR files signed after January 1st 2018, add the following to the property: "SHA1 denyAfter 2018-01-01". The syntax is the same as the certpath property, however certificate checking will not be performed by this property.


jarsigner -verbose -verify should print the algorithms used to sign the jar

The jarsigner tool has been enhanced to show details of the algorithms and keys used to generate a signed JAR file and will also provide an indication if any of them are considered weak.

Specifically, when "jarsigner -verify -verbose filename.jar" is called, a separate section is printed out showing information of the signature and timestamp (if it exists) inside the signed JAR file, even if it is treated as unsigned for various reasons. If any algorithm or key used is considered weak, as specified in the Security property jdk.jar.disabledAlgorithms, it will be labeled with "(weak)".

For example: ` - Signed by "CN=weak_signer" Digest algorithm: MD2 (weak) Signature algorithm: MD2withRSA (weak), 512-bit key (weak) Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016 Timestamp digest algorithm: SHA-256 Timestamp signature algorithm: SHA256withRSA, 2048-bit key `

JDK-8184993 now always returns the ZipEntry instance with a '/' ended entry name for directory entry

The API doc specifies "A directory entry is defined to be one whose name ends with a '/'". However, in previous JDK releases entryName) may return a ZipEntry instance with an entry name that does not end with '/' for an existing zip directory entry when:

  • the passed in argument entryName does not end with a '/', and
  • there is a matching zip directory entry with name entryName + '/' in the zip file.

With this release, the name of the ZipEntry instance returned from always ends with '/' for any zip directory entry.

To revert to the previous behavior, set the system property to "false".

This change was made in order to fix a regression introduced in JDK 8u141 when verifying signed JARs and has caused some WebStart applications to fail to load. See JDK-8184993 for more information.


Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default

Weak named curves are disabled by default by adding them to the following disabledAlgorithms security properties: jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms, and jdk.jar.disabledAlgorithms. The named curves are listed below.

With 47 weak named curves to be disabled, adding individual named curves to each disabledAlgorithms property would be overwhelming. To relieve this, a new security property, jdk.disabled.namedCurves, is implemented that can list the named curves common to all of the disabledAlgorithms properties. To use the new property in the disabledAlgorithms properties, precede the full property name with the keyword include. Users can still add individual named curves to disabledAlgorithms properties separate from this new property. No other properties can be included in the disabledAlgorithms properties.

To restore the named curves, remove the include jdk.disabled.namedCurves either from specific or from all disabledAlgorithms security properties. To restore one or more curves, remove the specific named curve(s) from the jdk.disabled.namedCurves property.

Curves that are disabled through jdk.disabled.namedCurves include the following: secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1

Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448


Add support for the SHA224withDSA and SHA256withDSA signature algorithms and DSA keys with sizes up to 2048 bits

Support has been added for the SHA224withDSA and SHA256withDSA signature algorithms and for DSA keys with sizes up to 2048 bits. Previously, only DSA keys with sizes up to 1024 bits were supported.


Support added to jarsigner for specifying timestamp hash algorithm

A new -tsadigestalg option is added to jarsigner to specify the message digest algorithm that is used to generate the message imprint to be sent to the TSA server. In older JDK releases, the message digest algorithm used was SHA-1. If this new option is not specified, SHA-256 will be used on JDK 7 Updates and later JDK family versions. On JDK 6 Updates, SHA-1 will remain the default but a warning will be printed to the standard output stream.


jarsigner treats timestamped signed jar invalid after the signer cert expires

If a jar file was signed with a timestamp when the signer certificate was still valid, it should be valid even after the signer certificate expires. However, jarsigner will incorrectly show a warning that that signer's certificate chain is not validated. This will be fixed in a future release.


Add mechanism to allow non default root CAs to not be subject to algorithm restrictions

'New certpath constraint: jdkCA In the file, an additional constraint named "jdkCA" is added to the jdk.certpath.disabledAlgorithms property. This constraint prohibits the specified algorithm only if the algorithm is used in a certificate chain that terminates at a marked trust anchor in the lib/security/cacerts keystore. If the jdkCA constraint is not set, then all chains using the specified algorithm are restricted. jdkCA may only be used once in a DisabledAlgorithm expression.

Example:  To apply this constraint to SHA-1 certificates, include the following:  `SHA1 jdkCA`


Issue Description

IANA Data 2016f

JDK contains IANA time zone data version 2016f. For more information, refer to Timezone Data Versions in the JRE Software.


US/Pacific-New Zone Name Removed as Part of tzdata2020b

Following the JDK's update to tzdata2020b, the long-obsolete files named pacificnew and systemv have been removed. As a result, the "US/Pacific-New" Zone name declared in the pacificnew data file is no longer available for use.

Information regarding this update can be viewed at


IANA Data 2016i

JDK contains IANA time zone data version 2016i. For more information, refer to Timezone Data Versions in the JRE Software.


Update Timezone Data to 2021c

The IANA Time Zone Database, on which the JDK's Date/Time libraries are based, has made a tweak to some of the time zone rules in 2021c.

Note that in 2021b, which is cumulatively included in this change, some of the time zone rules prior to the year 1970 have been modified according to changes introduced with 2021b. For more details, refer to the announcement of 2021b.


IANA Data 2016j

JDK contains IANA time zone data version 2016j. For more information, refer to Timezone Data Versions in the JRE Software.


IANA Data 2016d

JDK contains IANA time zone data version 2016d. For more information, refer to Timezone Data Versions in the JRE Software.


Issue Description

Serialization Filter Configuration

Serialization Filtering introduces a new mechanism which allows incoming streams of object-serialization data to be filtered in order to improve both security and robustness. Every ObjectInputStream applies a filter, if configured, to the stream contents during deserialization. Filters are set using either a system property or a configured security property. The value of the "jdk.serialFilter" patterns are described in JEP 290 Serialization Filtering and in <JRE>/lib/security/ Filter actions are logged to the '' logger, if enabled.


Issue Description

Weak Encryption Disabled by Default

The DES-related Kerberos 5 encryption types are not supported by default. These encryption types can be enabled by adding allow_weak_crypto=true in the krb5.conf file, but DES-related encryption types are considered highly insecure and should be avoided.


Kerberos Sequence Number Issues

Previously, when mutual authentication was not requested by the Kerberos 5 initiator, there was no mechanism to negotiate the acceptor's initial sequence number. With this release, if the system property is set to initiator, the SunJGSS provider will use the initiator's initial sequence number as the acceptor's initial sequence number. If set to zero or 0, 0 is used. The default value is initiator. All other values are illegal and will throw an Error when the system property is read.


Support the "s" (second) unit for kdc_timeout in krb5.conf

An interoperability issue is found between Java and the native Kerberos implementation on BSD (including macOS) on the kdc_timeout setting in krb5.conf, where Java interpreted it as milliseconds and BSD as seconds when no unit is specified. This code change adds support for the "s" (second) unit. Therefore if the timeout is 5 seconds, Java accepts both "5000" and "5s". Customers concerned about interoperability between Java and BSD should use "5s".


Issue Description

Add security property to configure XML Signature secure validation mode

A new security property named jdk.xml.dsig.secureValidationPolicy has been added that allows you to configure the individual restrictions that are enforced when the secure validation mode of XML Signature is enabled. The default value for this property in the configuration file is: ` jdk.xml.dsig.secureValidationPolicy=\ disallowAlg,\ disallowAlg,\ disallowAlg,\ disallowAlg,\ maxTransforms 5,\ maxReferences 30,\ disallowReferenceUriSchemes file http https,\ noDuplicateIds,\ noRetrievalMethodLoops Please refer to the definition of the property in` file for more information.


Issue Description

IANA Data 2015g

JDK contains IANA time zone data version 2015g. For more information, refer to [Timezone Data Versions in the JRE Software|].


Issue Description

Unable to use the JDWP API in JDK 8 to debug JDK >=9

The implementation of VirtualMachineImpl.canGetInstanceInfo() has been corrected, so it is now able to see JDK JVMs >= JDK 9.

This correction allows certain debugger agents to operate correctly without any action required from a user (developer).


Issue Description

Improved exception handling for bad LDAP referral replies

The JDK was throwing a NullPointerException when a non-compliant REFERRAL status result was sent but no referral values were included. With this change, a NamingException with message value of "Illegal encoding: referral is empty" will be thrown in such circumstances. See JDK-8149450 and JDK-8154304 for more details


LDAPS Communication Failure

Application code using LDAPS with a socket connect timeout that is <= 0 ( the default value ), may encounter an exception when establishing the connection.

The top most frames from Exception stack traces of applications encountering such issues might resemble the following:

` javax.naming.ServiceUnavailableException: <server:port>; socket closed at com.sun.jndi.ldap.Connection.readReply(Unknown Source)<br /> at com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source) ... `


Issue Description

Decode error with Tomcat version 7.x

The zlib version shipped in the 8u151, 7u161 JDK releases was updated to zlib v1.2.11. The deflate functionality in this version causes a compatibility issue with Tomcat v7.x. Server responses can appear as corrupt or can fail to be decoded. The issue is seen if Tomcat is using compression (e.g. compression="on" in server.xml). This issue is being fixed via JDK-8189789 [].

Users could disable the compression mode on their Tomcat servers as a workaround. Tomcat versions 8.x and later don't appear to be affected.


Issue Description

Nondeterministic wrong answer on arithmetic corrected

When performing OSR on loops with huge stride and/or initial values, in very rare cases, the tiered/server compilers could produce non-canonical loop shapes that produce nondeterministic answers when the answers should be deterministic. This issue has now been fixed.


Issue Description

Disable TLS 1.0 and 1.1

TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).

These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms security property in the configuration file.


Updated the Default Enabled Cipher Suites Preference

The preference of the default enabled cipher suites has been changed. The compatibility impact should be minimal. If needed, applications can customize the enabled cipher suites and the preference. For more details, refer to the SunJSSE provider documentation and the JSSE Reference Guide documentation.


Disabled TLS anon and NULL Cipher Suites

The TLS anon (anonymous) and NULL cipher suites have been added to the jdk.tls.disabledAlgorithms security property and are now disabled by default.


Disabled All DES TLS Cipher Suites

DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the jdk.tls.disabledAlgorithms security property. These cipher suites can be reactivated by removing "DES" from the jdk.tls.disabledAlgorithms security property in the file or by dynamically calling the Security.setProperty() method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the SSLSocket.setEnabledCipherSuites() or SSLEngine.setEnabledCipherSuites() methods.

Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the jdk.tls.disabledAlgorithms security property.


Correction of IllegalArgumentException from TLS handshake

A recent issue from the JDK-8148516 fix can cause issue for some TLS servers. The problem originates from an IllegalArgumentException thrown by the TLS handshaker code.

`java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves`

The issue can arise when the server doesn't have elliptic curve cryptography support to handle an elliptic curve name extension field (if present). Users are advised to upgrade to this release. By default, JDK 7 Updates and later JDK families ship with the SunEC security provider which provides elliptic curve cryptography support. Those releases should not be impacted unless security providers are modified.


jdk.tls.client.protocols system property added

The jdk.tls.client.protocols system property is now available with the release of JDK . This property was originally introduced in JDK 8 and behaves in the same way. See [JSSE User Guide|]


Support for Customization of Default Enabled Cipher Suites via System Properties

The system property jdk.tls.client.cipherSuites can be used to customize the default enabled cipher suites for the client side of SSL/TLS connections. In a similar way, the system property jdk.tls.server.cipherSuites can be used for customization on the server side.

The system properties contain a comma-separated list of supported cipher suite names that specify the default enabled cipher suites. All other supported cipher suites are disabled for this default setting. Unrecognized or unsupported cipher suite names specified in properties are ignored. Explicitly setting enabled cipher suites will override the system properties.

Refer to the Java Cryptography Architecture Standard Algorithm Name Documentation for the standard JSSE cipher suite names, and the Java Cryptography Architecture Oracle Providers Documentation for the cipher suite names supported by the SunJSSE provider.

Note that the actual use of enabled cipher suites is restricted by algorithm constraints.

Note also that these system properties are currently supported by the JDK Reference Implementation. They are not guaranteed to be supported by other implementations.

Warning: These system properties can be used to configure weak cipher suites, or the configured cipher suites may become more weak over time. We do not recommend using the system properties unless you understand the security implications. Use them at your own risk.


Add TLS v1.1 and v1.2 to the client list of default-enabled protocols

TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. This is similar behavior to what already happens in JDK 8 releases.

See details from crypto roadmap for more details.


Distrust TLS Server Certificates Anchored by Symantec Root CAs

The JDK will stop trusting TLS Server certificates issued by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec.

TLS Server certificates issued on or before April 16, 2019 will continue to be trusted until they expire. Certificates issued after that date will be rejected. See the DigiCert support page for information on how to replace your Symantec certificates with a DigiCert certificate (DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates on December 1, 2017).

An exception to this policy is that TLS Server certificates issued through two subordinate Certificate Authorities managed by Apple, and identified below, will continue to be trusted as long as they are issued on or before December 31, 2019.

The restrictions are enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below.

An application will receive an Exception with a message indicating the trust anchor is not trusted, ex:

"TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US"

If necessary, and at your own risk, you can work around the restrictions by removing "SYMANTEC_TLS" from the security property in the configuration file.

The restrictions are imposed on the following Symantec Root certificates included in the JDK:

Root Certificates distrusted after 2019-04-16
Distinguished Name SHA-256 Fingerprint
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US


CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US


CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US


CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US


CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US


CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US


CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US


CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C:06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA


OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US


OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US


OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US


CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US


CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US


CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US


CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US


Subordinate Certificates distrusted after 2019-12-31
Distinguished Name SHA-256 Fingerprint
CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US


CN=Apple IST CA 8 - G1, OU=Certification Authority, O=Apple Inc., C=US


If you have a TLS Server certificate issued by one of the CAs above, you should have received a message from DigiCert with information about replacing that certificate, free of charge.

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server if not yours.


Improve the default strength of EC in JDK.

To improve the default strength of EC cryptography, EC keys less than 224 bits have been deactivated in certification path processing (via the "jdk.certpath.disabledAlgorithms" Security Property) and SSL/TLS/DTLS connections (via the "jdk.tls.disabledAlgorithms" Security Property) in JDK. Applications can update this restriction in the Security Properties and permit smaller key sizes if really needed (for example, "EC keySize < 192").

EC curves less than 256 bits are removed from the SSL/TLS/DTLS implementation in JDK. The new System Property, "jdk.tls.namedGroups", defines a list of enabled named curves for EC cipher suites in order of preference. If an application needs to customize the default enabled EC curves or the curves preference, please update the System Property accordingly. For example:

jdk.tls.namedGroups="secp256r1, secp384r1, secp521r1"

Note that the default enabled or customized EC curves follow the algorithm constraints. For example, the customized EC curves cannot re-activate the disabled EC keys defined by the Java Security Properties.

IllegalArgumentException from TLS handshake

A recent issue from the JDK-8148516 fix can cause issue for some TLS servers. The problem originates from an IllegalArgumentException thrown by the TLS handshaker code.

`java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves`

The issue can arise when the server doesn't have elliptic curve cryptography support to handle an elliptic curve name extension field (if present). Users are advised to upgrade to this release. By default, JDK 7 Updates and later JDK families ship with the SunEC security provider which provides elliptic curve cryptography support. Those releases should not be impacted unless security providers are modified.

See JDK-8173783


TLS Session Hash and Extended Master Secret Extension Support

Support has been added for the TLS session hash and extended master secret extension (RFC 7627) in JDK JSSE provider. Note that in general, a server certificate change is restricted if endpoint identification is not enabled and the previous handshake is a session-resumption abbreviated initial handshake, unless the identities represented by both certificates can be regarded as the same. However, if the extension is enabled or negotiated, the server certificate changing restriction is not necessary and will be discarded accordingly. In case of compatibility issues, an application may disable negotiation of this extension by setting the System Property jdk.tls.useExtendedMasterSecret to false in the JDK. By setting the System Property jdk.tls.allowLegacyResumption to false, an application can reject abbreviated handshaking when the session hash and extended master secret extension are not negotiated. By setting the System Property jdk.tls.allowLegacyMasterSecret to false, an application can reject connections that do not support the session hash and extended master secret extension.


Disable exportable cipher suites

To improve the strength of SSL/TLS connections, exportable cipher suites have been disabled in SSL/TLS connections in the JDK by the jdk.tls.disabledAlgorithms Security Property.


Issue Description

MSCAPI KeyStore can handle same named certificates

Java SE KeyStore does not allow certificates that have the same aliases.

However, on Windows, multiple certificates stored in one keystore are allowed to have non-unique friendly names.

The fix for JDK-6483657 makes it possible to operate on such non-uniquely named certificates through the Java API by artificially making the visible aliases unique.

Please note, this fix does not enable creating same-named certificates with the Java API. It only allows you to deal with same-named certificates that were added to the keystore by 3rd party tools.

It is still recommended that your design not use multiple certificates with the same name. In particular, the following sentence will not be removed from the Java documentation: "In order to avoid problems, it is recommended not to use aliases in a KeyStore that only differ in case."


Unlimited cryptography enabled by default

The JDK uses the Java Cryptography Extension (JCE) Jurisdiction Policy files to configure cryptographic algorithm restrictions. Previously, the Policy files in the JDK placed limits on various algorithms. This release ships with both the limited and unlimited jurisdiction policy files, with unlimited being the default. The behavior can be controlled via the new crypto.policy Security property found in the <java-home>/lib/ file. Refer to that file for more information on this property.


New Security property to control crypto policy

This release introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. In older releases, JCE jurisdiction files had to be downloaded and installed separately to allow unlimited cryptography to be used by the JDK. The download and install steps are no longer necessary. To enable unlimited cryptography, one can use the new crypto.policy Security property. If the new Security property (crypto.policy) is set in the file, or has been set dynamically using the Security.setProperty() call before the JCE framework has been initialized, that setting will be honored. By default, the property will be undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy lib/security directory, then the default cryptographic level will remain at 'limited'. To configure the JDK to use unlimited cryptography, set the crypto.policy to a value of 'unlimited'. See the notes in the file shipping with this release for more information.

Note : On Solaris, it's recommended that you remove the old SVR4 packages before installing the new JDK updates. If an SVR4 based upgrade (without uninstalling the old packages) is being done on a JDK release earlier than 6u131, 7u121, 8u111, then you should set the new crypto.policy Security property in the file.

Because the old JCE jurisdiction files are left in <java-home>/lib/security, they may not meet the latest security JAR signing standards, which were refreshed in 6u131, 7u121, 8u111, and later updates. An exception similar to the following might be seen if the old files are used : ` Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers! at javax.crypto.JceSecurity.loadPolicies( at javax.crypto.JceSecurity.setupJurisdictionPolicies( `


Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits

Enhance the JDK security providers to support 3072-bit DiffieHellman and DSA parameters generation, pre-computed DiffieHellman parameters up to 8192 bits and pre-computed DSA parameters up to 3072 bits.


Issue Description

Introduced a new window ordering model

On the OS X platform, the AWT framework used native services to implement a parent-child relationship for windows. That caused some negative visual effects especially in multi-monitor environments. To get rid of disadvantages of such an approach, the new window ordering model, which is fully implemented at JDK layer, was introduced. Its main principles are listed below: - A window should be placed above its nearest parent window. - If a window has several child windows, all child windows should be located at the same layer and the window from the active window chain should be ordered above its siblings. - Ordering should not be performed for a window that is in an iconified state or when the transition to iconified state is in progress.

These rules are applied to every frame or dialog from the window hierarchy which contains the currently focused window.


Issue Description

Trackpad scrolling of text on OS X 10.12 Sierra is very fast

The MouseWheelEvent.getWheelRotation() method returned rounded native NSEvent deltaX/Y events on Mac OS X. The latest macOS Sierra 10.12 produces very small NSEvent deltaX/Y values so rounding and summing them leads to the huge value returned from the MouseWheelEvent.getWheelRotation(). The JDK-8166591 fix accumulates NSEvent deltaX/Y and the MouseWheelEvent.getWheelRotation() method returns non-zero values only when the accumulated value exceeds a threshold and zero value. This is compliant with the MouseWheelEvent.getWheelRotation() specification:

Returns the number of "clicks" the mouse wheel was rotated, as an integer. A partial rotation may occur if the mouse supports a high-resolution wheel. In this case, the method returns zero until a full "click" has been accumulated.

For the precise wheel rotation values, use the MouseWheelEvent.getPreciseWheelRotation() method instead.



Priority Bug Summary
P2 JDK-8217676 Upgrade libpng to 1.6.37
P3 JDK-8214002 Cannot use italic font style if the font has embedded bitmap
P3 JDK-8028212 Custom cursor HiDPI support
P3 JDK-8077982 GIFLIB upgrade
P3 JDK-8022746 List of spelling errors in API doc
P3 JDK-8007295 Reduce number of warnings in awt classes
P4 JDK-8081315 8077982 giflib upgrade breaks system giflib builds with earlier versions
P4 JDK-8129822 Define "headful" jtreg keyword
P4 JDK-8035287 gcc warnings compiling various libraries files


Priority Bug Summary
P2 JDK-8216965 crash in freetypeScaler.c CopyBW2Grey8
P2 JDK-8026780 Crash on PPC and PPC v2 for Java_awt test suit
P2 JDK-8026702 Fix for 8025429 breaks jdk build on windows
P2 JDK-8227662 freetype seeks to index at the end of the font data
P2 JDK-8162488 JDK should be updated to use LittleCMS 2.8
P3 JDK-7124245 [lcms] ColorConvertOp to color space CS_GRAY apparently converts orange to 244,244,0
P3 JDK-8005530 [lcms] Improve performance of ColorConverOp for default destinations
P3 JDK-8041129 [OGL] surface->sw blit is extremely slow
P3 JDK-8232381 add result NULL-checking to freetypeScaler.c
P3 JDK-8230769 BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return
P3 JDK-8024511 Crash during color profile destruction
P3 JDK-8020190 Fatal: Bug in native code: jfieldID class must match object
P3 JDK-8201433 Fix potential crash in BufImg_SetupICM
P3 JDK-8148127 IllegalArgumentException thrown by JCK test api/java_awt/Component/FlipBufferStrategy/indexTGF_General in opengl pipeline
P3 JDK-8005402 Need to provide benchmarks for color management
P3 JDK-7051394 NullPointerException when running regression tests LoadProfileTest by using openjdk-7-b144
P3 JDK-8067364 Printing to Postscript doesn't support dieresis
P3 JDK-7043064 sun/java2d/cmm/ tests failed against RI b141 & b138-nightly
P3 JDK-8047066 Test test/sun/awt/image/ fails with ClassCastException
P3 JDK-8056122 Upgrade JDK to use LittleCMS 2.6
P3 JDK-8078331 Upgrade JDK to use LittleCMS 2.7
P4 JDK-8025218 [javadoc] some errors in java/awt classes.
P4 JDK-8025085 [javadoc] some errors in javax/swing
P4 JDK-8005930 [lcms] ColorConvertOp: Alpha channel is not transferred from source to destination.
P4 JDK-8155145 [Parfait] JNI exception pending in fontpath.c:1300
P4 JDK-8140530 Creating a VolatileImage with size 0,0 results in no longer working g2d.drawString
P4 JDK-8022175 Fix doclint warnings in javax.print
P4 JDK-8218854 FontMetrics.getMaxAdvance may be less than the maximum FontMetrics.charWidth
P4 JDK-8017773 OpenJDK7 returns incorrect TrueType font metrics
P4 JDK-8057934 Upgrade to LittleCMS 2.6 breaks AIX build


Priority Bug Summary
P2 JDK-8011059 [macosx] Support automatic @2x images loading on Mac OS X


Priority Bug Summary
P2 JDK-8169589 [macosx] Activating a JDialog puts to back another dialog
P2 JDK-8027025 [macosx] getLocationOnScreen returns 0 if parent invisible
P2 JDK-7168851 [macosx] Netbeans crashes in CImage.nativeCreateNSImageFromArray
P2 JDK-8029253 [macosx] Performance problems with Retina display on Mac OS X
P2 JDK-8020688 broken links in documentation at
P2 JDK-8173853 IllegalArgumentException in java.awt.image.ReplicateScaleFilter
P2 JDK-8147077 IllegalArgumentException thrown by api/java_awt/Component/FlipBufferStrategy/indexTGF_General
P2 JDK-8179014 JFileChooser with Windows look and feel crashes on win 10
P2 JDK-8011123 serialVersionUID of java.awt.dnd.InvalidDnDOperationException changed in JDK8-b82
P2 JDK-8130769 The new menu can't be shown on the menubar after clicking the "Add" button.
P2 JDK-8220495 Update GIFlib library to the 5.1.8
P2 JDK-8230597 Update GIFlib library to the 5.2.1
P2 JDK-8155691 Update GIFlib library to the latest up-to-date
P2 JDK-8208353 Upgrade JDK to libpng 1.6.35
P2 JDK-8037287 Windows build failed after JDK-8030787
P3 JDK-7027045 (doc) java/awt/ has several typos in javadoc
P3 JDK-8024926 [macosx] AquaIcon HiDPI support
P3 JDK-8071668 [macosx] Clipboard does not work with 3rd parties Clipboard Managers
P3 JDK-7124253 [macosx] Flavor change notification not coming
P3 JDK-8033534 [macosx] Get MultiResolution image from native system
P3 JDK-8080729 [macosx] java 7 and 8 JDialogs on multiscreen jump to parent frame on focus
P3 JDK-8020210 [macosx] JVM crashes in CWrapper$NSWindow.screen(long)
P3 JDK-8013581 [macosx] Key Bindings break with awt GraphicsEnvironment setFullScreenWindow
P3 JDK-7124552 [macosx] NullPointerException in getBufferStrategy()
P3 JDK-7148275 [macosx] setIconImages() not working correctly (distorted icon when minimized)
P3 JDK-8024779 [macosx] SwingNode crashes on exit
P3 JDK-7160627 [macosx] TextArea has wrong initial size
P3 JDK-8017626 [OGL] Translucent VolatileImages don't paint correctly
P3 JDK-8204142 AWT hang occurs when sequenced events arrive out of sequence in multiple AppContexts.
P3 JDK-7155957 closed/java/awt/MenuBar/MenuBarStress1/ hangs on win 64 bit with jdk8
P3 JDK-8028617 Dvorak keyboard mapping not honored when ctrl key pressed
P3 JDK-8211435 Exception in thread "AWT-EventQueue-1" java.lang.IllegalArgumentException: null source
P3 JDK-8025409 Fix javadoc comments errors and warning reported by doclint report
P3 JDK-8005629 javac warnings compiling java.awt.EventDispatchThread and sun.awt.X11.XIconWindow
P3 JDK-8041734 JFrame in full screen mode leaves empty workspace after close
P3 JDK-8187635 On Windows Swing changes keyboard layout on a window activation
P3 JDK-8079595 Resizing dialog which is JWindow parent makes JVM crash
P3 JDK-4717864 setFont() does not update Fonts of Menus already on screen
P4 JDK-8175163 [bsd] Fix build after "8005629: javac warnings compiling java.awt.EventDispatchThread..."
P4 JDK-8027561 [macosx] Cleanup "may not respond to selector" warnings in native code
P4 JDK-8005255 [macosx] Cleanup warnings in sun.lwawt
P4 JDK-8035568 [macosx] Cursor management unification
P4 JDK-7124213 [macosx] pack() does ignore size of a component; doesn't on the other platforms.
P4 JDK-7154841 [macosx] Popups appear behind taskbar
P4 JDK-8037099 [macosx] Remove all references to GC from native OBJ-C code
P4 JDK-6475361 Attempting to remove help menu from java.awt.MenuBar throws NullPointerException
P4 JDK-8000626 Implement dead key detection for KeyEvent on Linux
P4 JDK-8134610 Mac OS X build fails after July 2015 CPU
P4 JDK-8010297 Missing isLoggable() checks in logging code
P4 JDK-8026021 more fix of javadoc errors and warnings reported by doclint, see the description
P4 JDK-8133990 Revert introduction of lambda expression in sun.lwawt.macosx.LWCToolkit
P4 JDK-6961123 setWMClass fails to null-terminate WM_CLASS string


Priority Bug Summary
P3 JDK-8076455 IME Composition Window is displayed on incorrect position
P4 JDK-7117465 Warning cleanup for IMF classes


Priority Bug Summary
P4 JDK-8022406 Fix doclint issues in java.beans


Priority Bug Summary
P3 JDK-8145984 [macosx] sun.lwawt.macosx.CAccessible leaks


Priority Bug Summary
P2 JDK-8191073 JpegImageReader throws IndexOutOfBoundsException when trying to read image data from tables-only image
P3 JDK-8238842 AIOOBE in GIFImageReader.initializeStringTable


Priority Bug Summary
P3 JDK-8054431 Some of the input validation in the javasound is too strict
P4 JDK-7058700 Unexpected exceptions and timeouts in SF2 parser code


Priority Bug Summary
P2 JDK-8166591 [macos 10.12] Trackpad scrolling of text on macOS 10.12 Sierra is very fast (Trackpad, Retina only)
P2 JDK-8178996 [macos] JComboBox doesn't display popup in mixed JavaFX Swing Application on 8u131 and Mac OS 10.12
P2 JDK-8179665 [Windows] java.awt.IllegalComponentStateException: component must be showing on the screen to determine its location
P2 JDK-8158734 JEditorPane.createEditorKitForContentType throws NPE after 6882559
P3 JDK-8007219 [macosx] Frame size reverts meaning of maximized attribute if frame size close to display
P3 JDK-8031573 [macosx] Checkmarks of JCheckBoxMenuItems aren't rendered in high resolution on Retina
P3 JDK-8226892 ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
P3 JDK-8147842 IME Composition Window is displayed at incorrect location
P3 JDK-8130735 javax.swing.TimerQueue: timer fires late when another timer starts
P3 JDK-8173145 Menu is activated after using mnemonic Alt/Key combination
P3 JDK-8020708 NLS: mnemonics missing in SwingSet2/JInternalFrame demo
P3 JDK-8080628 No mnemonics on Open and Save buttons in JFileChooser
P3 JDK-8184016 Text in native popup is not always updated with Sogou IME
P3 JDK-8033786 White flashing when opening Dialogs and Menus using Nimbus with dark background
P3 JDK-7172652 With JDK 1.7 text field does not obtain focus when using mnemonic Alt/Key combin
P4 JDK-8025249 [javadoc] fix some javadoc errors in javax/swing
P4 JDK-7075563 Broken link in "javax.swing.SwingWorker"
P4 JDK-6882559 new JEditorPane("text/plain","") fails for null context class loader
P4 JDK-6624200 Regression test fails: test/closed/javax/swing/JMenuItem/4654927/
P5 JDK-8010782 clean up source files containing carriage return characters


Priority Bug Summary
P2 JDK-8081775 [TEST_BUG] two lib/testlibrary tests are failing with "Error. failed to clean up files after test" with jtreg 4.1 b12
P2 JDK-8138978 Examine usages of sun.misc.IOUtils
P3 JDK-8098547 (tz) Support tzdata2015e
P3 JDK-8133321 (tz) Support tzdata2015f
P3 JDK-8138716 (tz) Support tzdata2015g
P3 JDK-8135248 Add utility methods to check indexes and ranges
P3 JDK-8066504 GetVersionEx in java.base/windows/native/libjava/java_props_md.c might not get correct Windows version
P3 JDK-8026982 javadoc errors in core libs
P3 JDK-8016217 More javadoc warnings
P3 JDK-8016747 Replace deprecated PlatformLogger isLoggable(int) with isLoggable(Level)
P3 JDK-8039438 Some tests depend on internal API sun.misc.IOUtils
P4 JDK-8151731 Add new jtreg keywords to jdk 8
P4 JDK-8145017 Add support for 3 digit hotspot minor version numbers
P4 JDK-8031737 CHECK_NULL and CHECK_EXCEPTION macros cleanup
P4 JDK-8003890 corelibs test scripts should pass TESTVMOPTS
P4 JDK-8134248 Fix recently backported tests to work with OpenJDK 7u
P4 JDK-8205587 Implicit function declaration in jni_util.c
P4 JDK-8244548 JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result
P4 JDK-8030875 Macros for checking and returning on exceptions


Priority Bug Summary
P3 JDK-8080835 Add blocking bulk read operations to
P4 JDK-8139206 Add InputStream readNBytes(int len)
P4 JDK-8167646 Better invalid FilePermission
P4 JDK-8235909 File.exists throws AccessControlException for invalid paths when a SecurityManager is installed
P4 JDK-8229899 is racy
P4 JDK-8193832 Performance of InputStream.readAllBytes() could be improved
P4 JDK-8236984 Reserved for 2020-01 CPU


Priority Bug Summary
P2 JDK-8155760 Implement Serialization Filtering
P2 JDK-8166739 Improve extensibility of ObjectInputFilter information passed to the filter
P3 JDK-8203368 ObjectInputStream filterCheck method throws NullPointerException


Priority Bug Summary
P2 JDK-8140344 add support for 3 digit update release numbers
P3 JDK-8035640 JNU_CHECK_EXCEPTION should support c++ JNI syntax
P4 JDK-6253144 Long narrowing conversion should describe the algorithm used and implied "risks"
P4 JDK-7132338 Use @code friendly idiom for '\' in javadoc


Priority Bug Summary
P1 JDK-8184119 Incorrect return processing for the LF editor of MethodHandles.permuteArguments


Priority Bug Summary
P4 JDK-8054213 Class name repeated in output of Type.toString()
P4 JDK-8174729 Race Condition in java.lang.reflect.WeakCache


Priority Bug Summary
P2 JDK-8034912 backport of 8031737 to jdk8u breaks linux buld.
P2 JDK-7125055 ContentHandler.getContent API changed in error
P2 JDK-8020842 IDN do not throw IAE when hostname ends with a trailing dot
P2 JDK-8225425 java.lang.UnsatisfiedLinkError: net.dll: Can't find dependent libraries
P2 JDK-8204667 Resources not freed on exception
P3 JDK-8021833 javadoc cleanup in
P3 JDK-8075484 SocketInputStream.socketRead0 can hang even with soTimeout set
P3 JDK-8161016 Strange behavior of URLConnection with proxy
P4 JDK-8175087 [bsd] Fix build after "8024900: PPC64: Enable new build on AIX (jdk part)"
P4 JDK-8146602 [TEST_BUG] :jdk/test/sun/misc/URLClassPath/ test fails with NullPointerException
P4 JDK-8162876 [TEST_BUG] sun/net/www/protocol/http/ fails intermittently
P4 JDK-8254967 spins on TLS session close
P4 JDK-7167293 FtpURLConnection connection leak on FileNotFoundException
P4 JDK-6328537 Improve javadocs for Socket class by adding references to SocketOptions
P4 JDK-7090158 Networking Libraries don't build with javac -Werror
P4 JDK-7150092 NTLM authentication fail if user specified a different realm
P4 JDK-8168405 Pending exceptions in java.base/windows/native/libnet
P4 JDK-8177144 sun/net/www/http/HttpClient/ should run in ovm mode


Priority Bug Summary
P2 JDK-8026876 (fs) Build issue with src/solaris/classes/sun/nio/fs/
P2 JDK-8230085 (fs) FileStore::isReadOnly is always true on macOS Catalina
P2 JDK-8141491 Unaligned memory access in Bits.c
P3 JDK-8151582 (ch) test java/nio/channels/ failing due to "Connection succeeded"
P3 JDK-7050570 (fs) FileSystemProvider fails to initializes if run with file.encoding set to Cp037
P3 JDK-7184932 (sc) Replace use of temporary selectors in socket adapters with poll
P3 JDK-8020971 Fix doclint issues in java.nio.*
P3 JDK-8022594 Potential deadlock in of
P4 JDK-8219597 (bf) Heap buffer state changes could provoke unexpected exceptions
P4 JDK-8196956 (ch) More channels cleanup
P4 JDK-8232003 (fs) Files.write can leak file descriptor in the exception case
P4 JDK-8002306 (se) fails if invoked with thread interrupt status set [win]
P4 JDK-8165231 java.nio.Bits.unaligned() doesn't return true on ppc
P4 JDK-8028049 Tidy warnings cleanup for packages java.nio/
P5 JDK-8068761 Test java/nio/channels/ServerSocketChannel/ failed with SocketTimeoutException


Priority Bug Summary
P2 JDK-8006799 Optimize sun.nio.cs.ISO_8859_1$Encode.encodeArrayLoop() (jdk part of 6896617)


Priority Bug Summary
P2 JDK-8180582 After updating to Java8u131, the bind to rmiregistry is rejected by registryFilter even though registryFilter is set
P2 JDK-8237368 Problem with NullPointerException in RMI
P3 JDK-8186539 [testlibrary] TestSocketFactory should allow triggers before match/replace
P4 JDK-8005226 [TEST_BUG]: java/rmi/transport/pinClientSocketFactory/ fails intermittently
P4 JDK-8185719 [testlibrary] rmi TestSocketFactory does not flush
P4 JDK-8202996 Remove debug print statements from RMI fix
P4 JDK-8022440 suppress deprecation warnings in sun.rmi


Priority Bug Summary
P4 JDK-8021108 Clean up doclint warnings and errors in java.text package


Priority Bug Summary
P2 JDK-8151876 (tz) Support tzdata2016d
P2 JDK-8166875 (tz) Support tzdata2016g
P2 JDK-8170316 (tz) Support tzdata2016j
P2 JDK-8177449 (tz) Support tzdata2017b
P2 JDK-8190258 (tz) Support tzdata2017c
P2 JDK-8195837 (tz) Upgrade time-zone data to tzdata2018c
P2 JDK-8213085 (tz) Upgrade Timezone Data to tzdata2018g
P2 JDK-8276536 Update TimeZoneNames files to follow the changes made by JDK-8275766
P3 JDK-8159684 (tz) Support tzdata2016f
P3 JDK-8169191 (tz) Support tzdata2016i
P3 JDK-8176044 (tz) Support tzdata2017a
P3 JDK-8274407 (tz) Update Timezone Data to 2021c
P3 JDK-8275766 (tz) Update Timezone Data to 2021e
P3 JDK-8224560 (tz) Upgrade Timezone Data to tzdata2019a
P3 JDK-8231098 (tz) Upgrade Timezone Data to tzdata2019c
P3 JDK-8243541 (tz) Upgrade Timezone Data to tzdata2020a
P3 JDK-8254177 (tz) Upgrade Timezone Data to tzdata2020b
P3 JDK-8254982 (tz) Upgrade Timezone Data to tzdata2020c
P3 JDK-8255226 (tz) Upgrade Timezone Data to tzdata2020d
P3 JDK-8260356 (tz) Upgrade Timezone Data to tzdata2021a
P3 JDK-8275849 fails with tzdata2021e
P3 JDK-8225580 tzdata2018i integration causes test failures on jdk-13
P4 JDK-8200359 (tz) Upgrade time-zone data to tzdata2018d
P4 JDK-8203233 (tz) Upgrade time-zone data to tzdata2018e
P4 JDK-8215982 (tz) Upgrade Timezone Data to tzdata2018i
P4 JDK-8228469 (tz) Upgrade Timezone Data to tzdata2019b
P4 JDK-8259048 (tz) Upgrade Timezone Data to tzdata2020f
P4 JDK-8190259 test is broken by tzdata2017c
P4 JDK-8274467 fails with tzdata2021b
P4 JDK-8274468 fails with tzdata2021b


Priority Bug Summary
P3 JDK-8146458 Improve exception reporting for Objects.checkIndex/checkFromToIndex/checkFromIndexSize
P3 JDK-7116997 Misc warnings in java.util.PropertyPermission
P3 JDK-8155794 Move Objects.checkIndex BiFunction accepting methods to an internal package
P3 JDK-8142493 Utility methods to check indexes and ranges doesn't specify behavior when function produces null
P4 JDK-7117249 clean up warnings in java.util.jar, .logging, .prefs
P4 JDK-7193406 Clean-up JDK Build Warnings in java.util,
P4 JDK-8141243 Unexpected timezone returned after parsing a date
P4 JDK-7157893 Warnings Cleanup in java.util.*


Priority Bug Summary
P3 JDK-8021417 Fix doclint issues in java.util.concurrent
P3 JDK-8054446 Repeated offer and remove on ConcurrentLinkedQueue lead to an OutOfMemoryError
P4 JDK-8140587 Atomic*FieldUpdaters should use Class.isInstance instead of direct class check
P4 JDK-7103570 AtomicIntegerFieldUpdater does not work when SecurityManager is installed
P4 JDK-7117360 Warnings in java.util.concurrent.atomic package


Priority Bug Summary
P2 JDK-8189789 tomcat gzip-compressed response bodies appear to be broken in update 151
P4 JDK-7098755 test/sun/misc/JarIndex/metaInfFilenames/ should use supported compiler interface
P4 JDK-8196854 TestFlushableGZIPOutputStream failing with IndexOutOfBoundsException
P4 JDK-8166248 tools/pack200/ fails on Win32: Could not reserve enough space
P5 JDK-7143230 fix warnings in java.util.jar,, zipfs demo, etc.


Priority Bug Summary
P3 JDK-8153955 increase java.util.logging.FileHandler MAX_LOCKS limit


Priority Bug Summary
P3 JDK-6854417 [TEST_BUG]: java/util/regex/ fails intermittently


Priority Bug Summary
P3 JDK-8016252 More defensive HashSet.readObject
P4 JDK-6904367 (coll) IdentityHashMap is resized before exceeding the expected maximum size
P4 JDK-8068427 Hashtable deserialization reconstitutes table with wrong capacity


Priority Bug Summary
P2 JDK-8202088 Japanese new era implementation
P2 JDK-8210153 localized currency symbol of VES
P2 JDK-8207152 Placeholder for Japanese new era should be two characters
P2 JDK-8195478 sun/text/resources/ fails with java.lang.Exception
P3 JDK-8075667 (tz) Support tzdata2015b
P3 JDK-8077685 (tz) Support tzdata2015d
P3 JDK-8148446 (tz) Support tzdata2016a
P3 JDK-8206120 Add test cases for lenient Japanese era parsing
P3 JDK-8219890 Calendar.getDisplayName() returns empty string for new Japanese Era on some locales
P3 JDK-7092447 Clarify the default locale used in each locale sensitive operation
P3 JDK-8145952 Currency update needed for ISO 4217 Amendment #161
P3 JDK-8164784 Currency update needed for ISO 4217 Amendment #162.
P3 JDK-8193552 ISO 4217 Amendment #165 Update
P3 JDK-8202026 ISO 4217 Amendment #166 Update
P3 JDK-8204269 ISO 4217 Amendment #167 Update
P3 JDK-8208746 ISO 4217 Amendment #168 Update
P3 JDK-8209775 ISO 4217 Amendment #169 Update
P3 JDK-8129361 ISO 4217 amendment 160
P3 JDK-8218781 Localized names for Japanese Era Reiwa in COMPAT provider
P3 JDK-8003846 Override mechanism for currency data should not require creating in java.home
P3 JDK-8205432 Replace the placeholder Japanese era name
P3 JDK-8187946 Support ISO 4217 Amendments 163 and 164
P4 JDK-8208656 Move java/util/Calendar/CalendarTestScripts tests into OpenJDK
P4 JDK-8074350 Support ISO 4217 "Current funds codes" table (A.2)
P4 JDK-7117487 Warnings Cleanup: some i18n classes in java.util and sun.util


Priority Bug Summary
P2 JDK-8151678 com/sun/jndi/ldap/ failed due to timeout on DeadServerNoTimeoutTest is incorrect
P2 JDK-8205330 InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection
P2 JDK-8211107 LDAPS communication failure with jdk 1.8.0_181
P3 JDK-8210695 Create test to cover JDK-8205330 InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection
P3 JDK-8169465 Deadlock in com.sun.jndi.ldap.pool.Connections
P3 JDK-8149450 LdapCtx.processReturnCode() throwing Null Pointer Exception
P4 JDK-8160768 Add capability to custom resolve host/domain names within the default JNDI LDAP provider
P4 JDK-8035105 DNS provider cleanups
P4 JDK-7059542 JNDI name operations should be locale independent


Priority Bug Summary
P4 JDK-8068279 (typo in the spec) javax.script.ScriptEngineFactory.getLanguageName
P4 JDK-7187144 JavaDoc for ScriptEngineFactory.getProgram() contains an error


Priority Bug Summary
P2 JDK-8044419 [TEST_BUG]: com/sun/jdi/ fails when run under root
P3 JDK-8027705 com/sun/jdi/ fails when a background thread is generating events.
P3 JDK-8197943 Unable to use JDWP API in JDK 8 to debug JDK 9 VM
P4 JDK-8074146 [TEST_BUG] jdb has succeded to read an unreadable file
P4 JDK-8036132 [TEST_BUG] Tab characters in test/com/sun/jdi files
P4 JDK-4858370 JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command


Priority Bug Summary
P3 JDK-8035054 JarFacade.c should not include ctype.h


Priority Bug Summary
P2 JDK-8077953 [TEST_BUG] com/sun/management/OperatingSystemMXBean/ Compilation failed after JDK-8077387
P2 JDK-8139870 fails for composite types with items of ArrayType
P3 JDK-8145982 JMXInterfaceBindingTest is failing intermittently
P3 JDK-8146015 JMXInterfaceBindingTest is failing intermittently for IPv6 addresses
P4 JDK-8034857 gcc warnings compiling src/solaris/native/sun/management
P4 JDK-7117570 Warnings in sun.mangement.* and its subpackages


Priority Bug Summary
P3 JDK-8065764 [TEST_BUG] javax/management/monitor/ hangs
P3 JDK-8064331 JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC
P4 JDK-6425769 Allow specifying an address to bind JMX remote connector
P4 JDK-8147857 RMIConnector logs attribute names incorrectly


Priority Bug Summary
P3 JDK-8075773 jps running as root fails after the fix of JDK-8050807
P3 JDK-8140244 Port fix of JDK-8075773 to AIX and possibly MacOSX


Priority Bug Summary
P3 JDK-8025215 jdk8 l10n resource file translation update 4
P3 JDK-8059177 jdk8u40 l10n resource file translation update 1
P3 JDK-8083601 jdk8u60 l10n resource file translation update 2
P3 JDK-8025974 l10n for policytool
P4 JDK-8191840 Update localizations with positional arguments following JDK-8191137


Priority Bug Summary
P1 JDK-6675699 need comprehensive fix for unconstrained ConvI2L with narrowed type
P1 JDK-8072753 Nondeterministic wrong answer on arithmetic
P1 JDK-8177095 Range check dependent CastII/ConvI2L is prematurely eliminated
P1 JDK-8068881 SIGBUS in C2 compiled method weblogic.wsee.jaxws.framework.jaxrpc.EnvironmentFactory$SimulatedWsdlDefinitions.
P2 JDK-8215265 C2: range check elimination may allow illegal out of bound access
P2 JDK-8154831 CastII/ConvI2L for a range check is prematurely eliminated
P2 JDK-8050972 Concurrency problem in PcDesc cache
P2 JDK-8250861 Crash in MinINode::Ideal(PhaseGVN*, bool)
P2 JDK-8164480 Crash with assert(handler_address == SharedRuntime::compute_compiled_exc_handler(..) failed: Must be the same
P2 JDK-8161147 jvm crashes when -XX:+UseCountedLoopSafepoints is enabled
P2 JDK-8158260 PPC64: unaligned Unsafe.getInt can lead to the generation of illegal instructions
P3 JDK-8073735 [TEST_BUG] compiler/loopopts/ got OOME
P3 JDK-8078666 JVM fastdebug build compiled with GCC 5 asserts with "widen increases"
P3 JDK-8033168 PPC64: gcc 4.8 warning in output_c.cpp
P3 JDK-8149543 range check CastII nodes should not be split through Phi
P3 JDK-8174164 SafePointNode::_replaced_nodes breaks with irreducible loops
P3 JDK-8162603 Unrecognized VM option 'UseCountedLoopSafepoints'
P4 JDK-6869327 Add new C2 flag to keep safepoints in counted loops.
P4 JDK-8194859 Bad backport of 8024468 breaks Zero build due to lack of 8010862 in OpenJDK 7
P4 JDK-8026796 Make replace_in_map() on parent maps generic
P4 JDK-8197981 Missing return statement in __sync_val_compare_and_swap_8
P4 JDK-8185502 No overflow operator on OpenJDK 7
P4 JDK-8185716 OpenJDK 7 PPC64 port uses a different ins_encode format in
P4 JDK-8019517 PPC64 (part 102): cppInterpreter: implement G1 support
P4 JDK-8019518 PPC64 (part 104) : cppInterpreter: implement support for compressed Oops
P4 JDK-8037915 PPC64/AIX: Several smaller fixes
P4 JDK-8033117 PPC64: Adapt to 8002074: Support for AES on SPARC
P4 JDK-8165807 PPC64: Backport PPC64 port to OpenJDK 7
P4 JDK-8080190 PPC64: Fix wrong rotate instructions in the .ad file
P4 JDK-8035647 PPC64: Support for elf v2 abi.
P4 JDK-8139421 PPC64LE: MacroAssembler::bxx64_patchable kills register R12
P4 JDK-8078482 ppc: pass thread to throw_AbstractMethodError
P4 JDK-8048703 ReplacedNodes dumps it's content to tty
P4 JDK-8042309 Some bugfixes for the ppc64 port.
P4 JDK-8002074 Support for AES on SPARC
P4 JDK-8145096 Undefined behaviour in HotSpot
P5 JDK-8008321 compile.cpp verify_graph_edges uses "bool" as "int"


Priority Bug Summary
P1 JDK-8180048 Interned string and symbol table leak memory during parallel unlinking
P1 JDK-8147087 Race when reusing PerRegionTable bitmaps may result in dropped remembered set entries
P2 JDK-8179084 HotSpot VM fails to start when AggressiveHeap is set
P3 JDK-8059661 [TEST_BUG] Test SoftReference and OOM behavior
P3 JDK-7112912 Message "Error occurred during initialization of VM" on boxes with lots of RAM
P4 JDK-8016302 Change type of the number of GC workers to unsigned int (2)
P4 JDK-8064786 Fix debug build after 8062808: Turn on the -Wreturn-type warning
P4 JDK-8161993 G1 crashes if active_processor_count changes during startup
P4 JDK-8048214 Linker error when compiling G1SATBCardTableModRefBS after include order changes
P4 JDK-8014489 tests/gc/arguments/Test(Serial|CMS|Parallel|G1)HeapSizeFlags jtreg tests invoke wrong class
P4 JDK-8062808 Turn on the -Wreturn-type warning
P5 JDK-8043723 max_heap_for_compressed_oops() declared with size_t, but defined with uintx


Priority Bug Summary
P2 JDK-8207151 JVM 7u181 crash with SIGSEGV when Tomcat 7 starts
P2 JDK-8157548 JVM crashes sometimes while starting
P3 JDK-8170888 [linux] Experimental support for cgroup memory limits in container (ie Docker) environments
P3 JDK-8130183 InnerClasses: VM permits wrong inner_class_info_index value of zero
P3 JDK-8075118 JVM stuck in infinite loop during verification
P3 JDK-8059803 Update use of GetVersionEx to get correct Windows version in hs_err files
P4 JDK-8153673 [BACKOUT] JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command
P4 JDK-8087120 [GCC5] java.lang.StackOverflowError on Zero JVM initialization on non x86 platforms
P4 JDK-8034797 AIX: Fix os::naked_short_sleep() in os_aix.cpp after 8028280
P4 JDK-8147910 Cache initial active_processor_count
P4 JDK-8048169 Change 8037816 breaks HS build on PPC64 and CPP-Interpreter platforms
P4 JDK-8187667 Disable deprecation warning for readdir_r
P4 JDK-8197510 fastdebug builds fail due to lack of p2i
P4 JDK-8202850 Fix for 8189123 doesn't include precompiled headers
P4 JDK-8035396 Introduce accessor for tmp_oop in frame.
P4 JDK-8226318 Placeholder for Class Loader improvements
P4 JDK-8050942 PPC64: implement template interpreter for ppc64le
P4 JDK-8036976 PPC64: implement the template interpreter
P4 JDK-8036767 PPC64: Support for little endian execution model
P4 JDK-8139258 PPC64LE: argument passing problem when passing 15 floats in native call
P4 JDK-8218798 slowdebug build broken by JDK-8205714
P4 JDK-8150490 Update OS detection code to recognize Windows Server 2016
P4 JDK-8143245 Zero build requires disabled warnings
P4 JDK-8197801 Zero debug build fails on "assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + extra_stack_entries + 1)) failed: bad stack limit"
P4 JDK-8154210 Zero: Better byte behaviour
P5 JDK-8078628 linux-zero does not build without precompiled header


Priority Bug Summary
P1 JDK-8072932 Test fails with access denied ("" "getDomainCombiner")
P3 JDK-8069590 AIX port of "8050807: Better performing performance data handling"
P4 JDK-8081475 SystemTap does not work when JDK is compiled with GCC 5
P4 JDK-8004007 test/sun/tools/jinfo/ fails on when runSA is set to true


Priority Bug Summary
P2 JDK-8068491 Update the protocol for references of to HTTPS.
P4 JDK-8173849 [TEST] Fix use of java.util.Base64 in test cases
P4 JDK-8173854 [TEST] Update DHEKeySizing test case following 8076328 & 8081760


Priority Bug Summary
P2 JDK-7069870 Parts of the JDK erroneously rely on generic array initializers with diamond
P3 JDK-8074312 Enable hotspot builds on 4.x Linux kernels
P3 JDK-7172012 Make test-in-build an option (Queens)
P4 JDK-8147466 Add -fno-strict-overflow to IndicRearrangementProcessor{,2}.cpp
P4 JDK-8167144 AIX: 8022507: SIGSEGV at ParMarkBitMap::verify_clear()
P4 JDK-8167198 AIX: Changes to make AIX compile after latest upstream changes
P4 JDK-8133966 Allow OpenJDK to build on PaX-enabled kernels
P4 JDK-8151841 Build needs additional flags to compile with GCC 6
P4 JDK-8232643 Building error in jdk7u241 after 7068616
P4 JDK-8043029 Change 8037816 breaks HS build with older GCC versions which don't support diagnostic pragmas
P4 JDK-7068617 Core libraries don't build with javac -Xlint:all -Werror
P4 JDK-7060849 Eliminate pack200 build warnings
P4 JDK-8133967 Fix build where PAX_COMMAND is not specified
P4 JDK-8222449 freetypecheck compares versions using lexicographic comparison
P4 JDK-8076506 Increment minor version of HSx for 7u91 and initialize the build number
P4 JDK-8131181 Increment minor version of HSx for 7u95 and initialize the build number
P4 JDK-8068674 Increment minor version of HSx for 8u51 and initialize the build number
P4 JDK-8078529 Increment the build value to b02 for hs25.51 in 8u51-b10
P4 JDK-8081622 Increment the build value to b03 for hs25.51 in 8u51-b15
P4 JDK-8196978 JDK-8187667 fails on GCC 4.4.7 as found on RHEL 6
P4 JDK-7072353 JNDI libraries do not build with javac -Xlint:all -Werror
P4 JDK-7068616 NIO libraries do not build with javac -Xlint:all,-deprecation -Werror
P4 JDK-8133970 Only apply PaX-marking when needed by a running PaX kernel
P4 JDK-7077389 Reflection classes do not build with javac -Xlint:all -Werror
P4 JDK-8217753 Remove Linux version check from HotSpot builds
P4 JDK-7064075 Security libraries don't build with javac -Xlint:all,-deprecation -Werror


Priority Bug Summary
P2 JDK-8213154 Update copyright headers of files in src tree that are missing Classpath exception


Priority Bug Summary
P2 JDK-8164908 ReflectionFactory support for IIOP and custom serialization
P4 JDK-8167335 Fix build on Linux with 64kb default page size
P4 JDK-8200760 was missed in backport of JDK-8160104


Priority Bug Summary
P3 JDK-7104650 rawtype warnings in several net, nio and security source files
P4 JDK-8142927 Feed some text to STDIN in ProcessTools.executeProcess()
P4 JDK-7116722 Miscellaneous warnings sun.misc ( and related classes )
P4 JDK-8000970 Multi-core compilation of the jdk is prevented by auxiliary classes hidden inside java source files.
P4 JDK-8142926 OutputAnalyzer's shouldXXX() calls return this
P4 JDK-7117357 Warnings in sun.instrument, tools and other sun.* classes


Priority Bug Summary
P3 JDK-8006951 Avoid storing duplicate PKCS12 attributes
P3 JDK-8017325 Cleanup of the javadoc tag in
P3 JDK-8017326 Cleanup of the javadoc tag in
P3 JDK-8158116 com/sun/crypto/provider/KeyAgreement/ failed with timeout
P3 JDK-8190690 Impact on krb5 test cases in the 8u nightly
P3 JDK-8057810 New defaults for DSA keys in jarsigner and keytool
P4 JDK-8191845 [TEST_BUG] Too many new-lines in backport of WeakAlg test
P4 JDK-8033271 Manual security tests have @ignore rather than @run main/manual
P4 JDK-8165463 Native implementation of sunmscapi should use operator new (nothrow) for allocations
P4 JDK-8007607 security native code doesn't always use malloc, realloc, and calloc correctly


Priority Bug Summary
P1 JDK-8029788 Certificate validation - java.lang.ClassCastException
P1 JDK-8031825 OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
P2 JDK-8021191 Add isAuthorized check to limited doPrivileged methods
P2 JDK-8167591 Add MD5 to signed JAR restrictions
P2 JDK-8140422 Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
P2 JDK-8049171 Additional tests for jarsigner's warnings
P2 JDK-8216280 Allow later Symantec Policy distrust date for two Apple SubCAs
P2 JDK-8233228 Disable weak named curves by default in TLS, CertPath, and Signed JAR
P2 JDK-8175251 Failed to load RSA private key from pkcs12
P2 JDK-8184673 Fix compatibility issue in AlgorithmChecker for 3rd party JCE providers
P2 JDK-8176536 Improved algorithm constraints checking
P2 JDK-8184993 Jar file verification failing with SecurityException: digest missing xxx
P2 JDK-8163304 jarsigner -verbose -verify should print the algorithms used to sign the jar
P2 JDK-8005408 KeyStore API enhancements
P2 JDK-8177569 keytool should not warn if signature algorithm used in cacerts is weak
P2 JDK-8171319 keytool should print out warnings when reading or generating cert/cert req using weak algorithms
P2 JDK-8050374 More Signature tests
P2 JDK-8041787 Need new regressions tests for buffer handling for PBE algorithms
P2 JDK-8010112 NullPointerException in
P2 JDK-8062552 Support keystore type detection for JKS and PKCS12 keystores
P3 JDK-8166362 [TEST_BUG] test sun/net/www/http/HttpClient/ failing with cert error in 8u121 b01
P3 JDK-8014097 add doPrivileged methods with limited privilege scope
P3 JDK-8038837 Add support to jarsigner for specifying timestamp hash algorithm
P3 JDK-8165367 Additional tests for JEP 288: Disable SHA-1 Certificates
P3 JDK-8007483 attributes are ignored when loading keys from a PKCS12 keystore
P3 JDK-7195409 CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
P3 JDK-8178728 Check the AlgorithmParameters in algorithm constraints
P3 JDK-8019360 Cleanup of the javadoc tag in*
P3 JDK-7162687 enhance KDC server availability detection
P3 JDK-8009636 JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
P3 JDK-8130132 jarsigner should emit warning if weak algorithms or keysizes are used
P3 JDK-8191438 jarsigner should print when a timestamp will expire
P3 JDK-8180289 jarsigner treats timestamped signed jar invalid after the signer cert expires
P3 JDK-8191137 keytool fails to format resource strings for keys for some languages after JDK-8171319
P3 JDK-8179564 Missing @bug for tests added with JDK-8165367
P3 JDK-6953295 Move few{util, x509, pkcs} classes used by keytool/jarsigner to another package
P3 JDK-7044060 Need to support NSA Suite B Cryptography algorithms
P3 JDK-8015571 OCSP validation fails if ocsp.responderCertSubjectName is set
P3 JDK-8006946 PKCS12 test failure due to incorrect alias name
P3 JDK-8149411 PKCS12KeyStore cannot extract AES Secret Keys
P3 JDK-7142339 is needlessly creating SHA1PRNG SecureRandom instances when timestamping is not done
P3 JDK-8039921 SHA1WithDSA with key > 1024 bits not working
P3 JDK-7187051 tests should do cleanup before start test
P3 JDK-7184246 Simplify Config.get() of krb5
P3 JDK-8153146 sun/security/krb5/auto/ failed with timeout
P3 JDK-8023546 sun/security/mscapi/ fails intermittently
P3 JDK-8137255 sun/security/provider/NSASuiteB/ timeouts intermittently
P3 JDK-8159805 sun/security/tools/jarsigner/warnings/ fails after JDK-8027781
P3 JDK-8157898 failed with timeout
P3 JDK-8146377 test/sun/security/tools/jarsigner/ failing (cert expired?)
P3 JDK-8157404 Unable to read certain PKCS12 keystores from SequenceInputStream
P3 JDK-8037550 Update RFC references in javadoc to RFC 5280
P3 JDK-8161571 Verifying ECDSA signatures permits trailing bytes
P4 JDK-7024771 "\\<>" in attribute value part of X500Principal constructor parameter makes strange effect
P4 JDK-8146477 [TEST_BUG] failing again
P4 JDK-8146967 [TEST_BUG] javax/security/auth/SubjectDomainCombiner/ should use 4-args ProtectionDomain constructor
P4 JDK-8181841 A TSA server returns timestamp with precision higher than milliseconds
P4 JDK-6637288 Add OCSP support to PKIX CertPathBuilder implementation
P4 JDK-7196855 fails on ubuntu because not found
P4 JDK-8164846 CertificateException missing cause of underlying exception
P4 JDK-8006994 Cleanup PKCS12 tests to ensure streams get closed
P4 JDK-7198901 correct the field size check when decoding a point on ECC curve
P4 JDK-7115744 Do not call File::deleteOnExit in security tests
P4 JDK-6995421 Eliminate the static dependency to
P4 JDK-8076117 EndEntityChecker should not process custom extensions after PKIX validation
P4 JDK-8022439 Fix lint warnings in
P4 JDK-8133991 Fix mistake in 8075374 backport
P4 JDK-7175041 HttpTimestamper should accept https URI
P4 JDK-8006863 javadoc cleanup for 8005408
P4 JDK-8029659 Keytool, print key algorithm of certificate or key entry
P4 JDK-7111579 klist starttime, renewtill, ticket etype
P4 JDK-7192202 Make sure keytool prints both unknown and unparseable extensions
P4 JDK-7152176 More krb5 tests
P4 JDK-8143913 MSCAPI keystore should accept Certificate[] in setEntry()
P4 JDK-8028591 NegativeArraySizeException in
P4 JDK-8027781 New jarsigner timestamp warning is grammatically incorrect
P4 JDK-7054969 Null-check-in-finally pattern in java/security documentation
P4 JDK-8028431 NullPointerException in DerValue.equals(DerValue)
P4 JDK-8079129 NullPointerException in PKCS#12 Keystore in
P4 JDK-7152582 PKCS11 tests should use the NSS libraries available in the OS
P4 JDK-7167988 PKIX CertPathBuilder in reverse mode doesn't work if more than one trust anchor is specified
P4 JDK-8147969 Print size of DH keysize when errors are encountered
P4 JDK-8035974 Refactor DigestBase.engineUpdate() method for better code generation by JIT compiler
P4 JDK-7102686 Restructure timestamp code so that jars and modules can more easily share the same code
P4 JDK-7126011 ReverseBuilder.getMatchingCACerts may throws NPE
P4 JDK-6854712 Revocation checking enhancements (JEP-124)
P4 JDK-7088502 Security libraries don't build with javac -Werror
P4 JDK-7194449 String resources for Key Tool and Policy Tool should be in their respective packages
P4 JDK-8139436 might load incomplete data
P4 JDK-8176183 sun/security/mscapi/ fails on Windows
P4 JDK-7142888 sun/security/tools/jarsigner/ fail on sparc
P4 JDK-7081817 test/sun/security/provider/certpath/X509CertPath/ failing
P4 JDK-7152169 TEST_BUG: sun/security/tools/jarsigner/ occasionally fail due to keytool error on sparc
P4 JDK-8049834 Two security tools tests do not run with only JRE
P4 JDK-7194075 Various classes of sunec.jar are duplicated in rt.jar
P5 JDK-7147336 clarification on warning of keytool -printcrl
P5 JDK-6880619 reg test for 6879540


Priority Bug Summary
P2 JDK-8075286 Additional tests for signature algorithm OIDs and transformation string
P2 JDK-8170157 Enable unlimited cryptographic policy by default in Oracle JDK builds
P2 JDK-8048819 Implement reliability test for DH algorithm
P2 JDK-8041781 Need new regression tests for PBE keys
P2 JDK-8044193 Need to add tests for AES cipher
P2 JDK-8072452 Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits
P2 JDK-8048601 Tests for JCE crypto ciphers (part 1)
P3 JDK-8170245 [TEST_BUG] Cipher tests fail when running with unlimited policy
P3 JDK-8196952 Bad primeCertainty value setting in DSAParameterGenerator
P3 JDK-8207775 Better management of CipherCore buffers
P3 JDK-8208583 Better management of internal KeyStore buffers
P3 JDK-8203228 Branch-free output conversion for X25519 and X448
P3 JDK-8012900 CICO ignores AAD in GCM mode
P3 JDK-8209862 CipherCore performance improvement
P3 JDK-8064546 CipherInputStream throws BadPaddingException if stream is not fully read
P3 JDK-8179098 Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
P3 JDK-8181594 Efficient and constant-time modular arithmetic
P3 JDK-8019772 Fix doclint issues in javax.crypto and subpackages
P3 JDK-4963723 Implement SHA-224
P3 JDK-6483657 MSCAPI provider does not create unique alias names
P3 JDK-8165751 NPE hit with
P3 JDK-6383200 PBE: need new algorithm support in password based encryption
P3 JDK-8035166 Remove dependency on EC classes from pkcs11 provider
P3 JDK-8157561 Ship the unlimited policy files in JDK Updates
P3 JDK-8182999 SunEC throws ProviderException on invalid curves
P3 JDK-8157603 doesn't check one of the decrypted message as expected
P4 JDK-8190449 [TEST_BUG] sun/security/pkcs11/KeyPairGenerator/ fails on Solaris x64 5.10
P4 JDK-8001419 Build the JCE portion of JDK-8000970
P4 JDK-7171982 Cipher getParameters() throws RuntimeException: Cannot find SunJCE provider
P4 JDK-8208648 ECC Field Arithmetic Enhancements
P4 JDK-8029475 Fix more doclint issues in
P4 JDK-8209129 Further improvements to cipher buffer management
P4 JDK-8150530 Improve javax.crypto.BadPaddingException messages
P4 JDK-8208698 Improved ECC Implementation
P4 JDK-8183591 Incorrect behavior when reading DER value with Integer.MAX_VALUE length
P4 JDK-8219570 JDK-6383200 wrongly extends PBEParameterSpec API
P4 JDK-8158517 Minor optimizations to ISO10126PADDING
P4 JDK-8162344 The API changes made by CR 7064075 need to be reverted
P4 JDK-7065233 To interpret case-insensitive string locale independently
P4 JDK-8201317 X25519/X448 code improvements
P5 JDK-8098854 Do cleanup in a proper order in sunmscapi code


Priority Bug Summary
P2 JDK-8048357 PKCS basic tests
P2 JDK-8143377 Test fails
P3 JDK-8134232 KeyStore.load() throws an IOException with a wrong cause in case of wrong password
P3 JDK-6414899 P11Digest should support cloning
P3 JDK-7196382 PKCS11 provider should support 2048-bit DH
P4 JDK-8078348 [TEST_BUG] sun/security/pkcs11/sslecc/ fails with BindException
P4 JDK-8034856 gcc warnings compiling src/solaris/native/sun/security/pkcs11
P4 JDK-8051972 sun/security/pkcs11/ec/ fails intermittently
P5 JDK-8203182 Release session if initialization of SunPKCS11 Signature fails


Priority Bug Summary
P1 JDK-7093640 Enable client-side TLS 1.2 by default
P1 JDK-8173783 IllegalArgumentException: jdk.tls.namedGroups
P2 JDK-8167459 Add debug output for indicating if a chosen ciphersuite was legacy
P2 JDK-8167472 Chrome interop regression with JDK-8148516
P2 JDK-8202343 Disable TLS 1.0 and 1.1
P2 JDK-8074462 Handshake messages can be strictly ordered
P2 JDK-8148516 Increase the minimum strength of EC keys
P2 JDK-8069038 javax/net/ssl/TLS/ needs to be updated for JDK-8061210
P2 JDK-8132082 Let OracleUcrypto accept RSAPrivateKey
P2 JDK-6956398 make ephemeral DH key match the length of the certificate key
P2 JDK-8049432 New tests for TLS property jdk.tls.client.protocols
P2 JDK-8217579 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
P2 JDK-8148421 Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
P3 JDK-8146387 [TEST BUG] Test SSLSession/SessionCacheSizeTests socket accept timed out
P3 JDK-8022228 [TEST_BUG] Intermittent test failures in sun/security/ssl/javax/net/ssl/NewAPIs
P3 JDK-8170131 Certificates not being blocked by jdk.tls.disabledAlgorithms property
P3 JDK-8208350 Disable all DES cipher suites
P3 JDK-8211883 Disable anon and NULL cipher suites
P3 JDK-8207258 Distrust TLS server certificates anchored by Symantec Root CAs
P3 JDK-8133070 Hot lock on BulkCipher.isAvailable
P3 JDK-8193683 Increase the number of clones in the CloneableDigest
P3 JDK-8162362 Introduce system property to control enabled ciphersuites
P3 JDK-8076369 Introduce the jdk.tls.client.protocols system property for JDK 7u
P3 JDK-8163237 Restrict the use of EXPORT cipher suites
P3 JDK-8203190 SessionId.hashCode generates too many collisions
P3 JDK-8024068 sun/security/ssl/javax/net/ssl/ServerName/ fails
P3 JDK-8029661 Support TLS v1.2 algorithm in SunPKCS11 provider
P3 JDK-8146669 Test SessionTimeOutTests fails intermittently
P3 JDK-8163326 Update the default enabled cipher suites preference
P3 JDK-8170035 When determining the ciphersuite lists there is no debug output for disabled suites.
P4 JDK-8037557 [TEST BUG] test timeout
P4 JDK-8164533 [TEST_BUG] sun/security/ssl/SSLSocketImpl/ failed with "Error while cleaning up threads after test"
P4 JDK-7105780 Add SSLSocket client/SSLEngine server to templates directory
P4 JDK-8193892 Impact of noncloneable MessageDigest implementation
P4 JDK-8026119 Regression test failing intermittently
P4 JDK-6996372 synchronizing handshaking hash.
P4 JDK-8144313 Test SessionTimeOutTests can be timeout
P4 JDK-8019341 Update CookieHttpsClientTest to use the newer framework.
P4 JDK-8156502 Use short name of


Priority Bug Summary
P2 JDK-8075299 Additional tests for krb5 settings
P2 JDK-8048147 Privilege tests with JAAS Subject.doAs
P2 JDK-8075301 Tests for system property
P3 JDK-8044500 Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes
P3 JDK-8200400 Allow Sasl mechanisms to be restricted
P3 JDK-8240621 Build failure on Windows after JDK-8044500
P3 JDK-8058290 JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
P4 JDK-8020557 javadoc cleanup in
P4 JDK-8028780 JDK KRB5 module throws OutOfMemoryError when CCache is corrupt
P4 JDK-8229767 Typo in Sasl.createClient and Sasl.createServer
P4 JDK-8163104 Unexpected NPE still possible on some Kerberos ticket calls
P4 JDK-8147772 Update KerberosTicket to describe behavior if it has been destroyed and fix NullPointerExceptions


Priority Bug Summary
P3 JDK-6474807 (smartcardio) CardTerminal.connect() throws CardException instead of CardNotPresentException
P4 JDK-8050893 (smartcardio) Invert reset argument in tests in sun/security/smartcardio
P4 JDK-8059212 Modify sun/security/smartcardio manual regression tests so that they do not just fail if no cardreader found


Priority Bug Summary
P1 JDK-8022120 JCK test api/javax_xml/crypto/dsig/TransformService/index_ParamMethods fails
P2 JDK-8151893 Add security property to configure XML Signature secure validation mode
P3 JDK-8149029 Secure validation of XML based digital signature always enabled when checking wrapping attacks
P3 JDK-8038349 Signing XML with DSA throws Exception when key is larger than 1024 bits
P3 JDK-8011547 Update XML Signature implementation to Apache Santuario 1.5.4
P3 JDK-8012288 XML DSig API allows wrong tag names and extra elements in SignedInfo
P3 JDK-8049244 XML Signature performance issue caused by unbuffered signature data
P4 JDK-8038184 XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String


Priority Bug Summary
P3 JDK-8185628 Backport jdk/test/lib/testlibrary/ to jdk8u which is helpful in test development
P3 JDK-8172529 Use PKIXValidator in jarsigner
P4 JDK-8173622 Backport of 7180907 is incomplete


Priority Bug Summary
P2 JDK-8078439 SPNEGO auth fails if client proposes MS krb5 OID
P3 JDK-8187218 GSSCredential.getRemainingLifetime() returns negative value for TTL > 24 days.
P3 JDK-8014310 JAAS/Krb5LoginModule using des encytypes failure with NPE after JDK-8012679
P3 JDK-8197518 Kerberos krb5 authentication: AuthList's put method leads to performance issue
P4 JDK-8048194 GSSContext.acceptSecContext fails when a supported mech is initiator preferred


Priority Bug Summary
P2 JDK-8075297 Tests for RFEs 4515853 and 4745056
P3 JDK-8132111 Do not request for addresses for forwarded TGT
P3 JDK-8031111 fix krb5 caddr
P3 JDK-8131051 KDC might issue a renewable ticket even if not requested
P3 JDK-8186831 Kerberos ignores PA-DATA with a non-null s2kparams
P3 JDK-8201627 Kerberos sequence number issues
P3 JDK-8036971 krb5.conf does not accept directive lines before the first section
P3 JDK-8017453 ReplayCache tests fail on multiple platforms
P3 JDK-8036779 interprets kdc_timeout as msec instead of sec
P3 JDK-8087144 sun/security/krb5/auto/ fails with Retry count is -1 less
P4 JDK-7172701 KDC tests cleanup
P4 JDK-8186576 KerberosTicket does not properly handle renewable tickets at the end of their lifetime
P4 JDK-8012679 Let allow_weak_crypto default to false
P4 JDK-8011124 Make KerberosTime immutable
P4 JDK-6966259 should a principalname object always have a realm?
P4 JDK-8077670 sun/security/krb5/auto/ may fail with BindException
P4 JDK-8186884 Test native KDC, Java krb5 lib, and native krb5 lib in one test


Priority Bug Summary
P4 JDK-8237604 [TEST_BUG] sun/security/tools/jarsigner/ not adapted for changes in JDK-7194449


Priority Bug Summary
P4 JDK-8078668 jar usage string mentions unsupported option


Priority Bug Summary
P2 JDK-8024756 method grouping tabs are not selectable
P3 JDK-6978886 javadoc shows stacktrace after print error resulting from disk full
P3 JDK-8008949 javadoc stopped copying doc-files
P4 JDK-8001669 javadoc internal DocletAbortException should set cause when appropriate
P4 JDK-8000418 javadoc should used a standard "generated by javadoc" string
P4 JDK-8000666 javadoc should write directly to Writer instead of composing strings
P4 JDK-8000673 remove dead code from HtmlWriter and subtypes


Priority Bug Summary
P4 JDK-7015157 String "Tabular Navigation" should be rephrased for avoiding mistranslation


Priority Bug Summary
P4 JDK-7127906 (launcher) convert the launcher regression tests to java


Priority Bug Summary
P2 JDK-8029955 AIOB in XMLEntityScanner.scanLiteral upon parsing literals with > 100 LF chars


Priority Bug Summary
P2 JDK-8046817 JDK 8 schemagen tool does not generate xsd files for enum types
P3 JDK-8073357 schema1.xsd has wrong content. Sequence of the enum values has been changed
P3 JDK-8159240 XSOM parser incorrectly processes type names with whitespaces


Priority Bug Summary
P2 JDK-8076290 JCK test api/xsl/conf/string/string17 starts failing after JDK-8074297
P3 JDK-8073385 Bad error message on parsing illegal character in XML attribute
P3 JDK-8167179 Make XSL generated namespace prefixes local to transformation process
P3 JDK-8074297 substring in XSLT returns wrong character if string contains supplementary chars
P3 JDK-8144593 Suppress not recognized property/feature warning messages from SAXParser
P4 JDK-8185501 Missing import in JAXP code