RELEASE NOTES FOR: openjdk7u ==================================================================================================== Notes generated: Sun Dec 01 01:59:34 CET 2024 Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry. JAVA ENHANCEMENT PROPOSALS (JEP): None. RELEASE NOTES: core-libs/java.net: JDK-8161016: Modified HttpURLConnection behavior when no suitable proxy is found The behavior of HttpURLConnection when using a ProxySelector has been modified with this JDK release. HttpURLConnection used to fall back to a DIRECT connection attempt if the configured proxy(s) failed to make a connection. This release introduces a change whereby no DIRECT connection will be attempted in such a scenario. Instead, the HttpURLConnection.connect() method will fail and throw an IOException which occurred from the last proxy tested. JDK-8161016: Modified HttpURLConnection Behavior When a Suitable Proxy Is Not Found The behavior of `HttpURLConnection` when using `ProxySelector` has been modified in this JDK release. `HttpURLConnection` used to fall back to a direct connection attempt if the configured proxy(s) failed to make a connection. Beginning with this release, the default behavior has been changed to no longer use a direct connection when the first proxy connection attempt fails. A new system property, `sun.net.http.fallbackToDirect`, can be set to a value of "true" should an application need to fall back to the old behavior (fall back to a direct connection when the first proxy connection attempt fails). core-svc/tools: JDK-8075773: Running jps as root does not show all information After the fix of [https://bugs.openjdk.java.net/browse/JDK-8050807] (fixed in 8u31, 7u75 and 6u91), running jps as root did not show all the information from Java processes started by other users on some systems. This has now been fixed. security-libs/javax.security: JDK-8200400: Allow SASL Mechanisms to Be Restricted A security property named `jdk.sasl.disabledMechanisms` has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the `mechanisms` argument of `Sasl.createSaslClient` or the `mechanism` argument of `Sasl.createSaslServer`. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box. core-libs/java.util:i18n: JDK-8148446: IANA Data 2016a JDK contains IANA time zone data version 2016a. For more information, refer to [Timezone Data Versions in the JRE Software](http://www.oracle.com/technetwork/java/javase/tzdata-versions-138805.html). JDK-8205432: New Japanese Era Name: Reiwa An instance representing the new Reiwa era has been added to this update. Unlike other eras, there is no public field for this era. It can be obtained by calling `JapaneseEra.of(3)` or `JapaneseEra.valueOf("Reiwa")`. JDK 13 and later will have a new public field to represent this era. The placeholder name, "`NewEra`", for the Japanese era that started from May 1st, 2019 has been replaced with the new official name. Applications that relied on the placeholder name (see JDK-8202088) to obtain the new era singleton (`JapaneseEra.valueOf("NewEra")`) will no longer work. core-svc/javax.management: JDK-6425769: New system property for the remote JMX connector New JMX agent property - `jmxremote.host` A new property, `com.sun.management.jmxremote.host`, is introduced that specifies the bind address for the default JMX agent. If the latter is not specified, the default JMX agent will listen on all interfaces (0.0.0.0) and the host value placed in the agent service URL (JMXServiceURL) is the IP address returned from invocation of `InetAddress.getLocalHost()` method. * Name: `com.sun.management.jmxremote.host` * Definition : Specifies the bind address for the default JMX agent. It can be specified via the command line while starting the JVM or as part of the agent config file (`management.properties`). * Value: IP address of any network interface of the machine core-libs/java.util.logging: JDK-8153955: A new configurable property in logging.properties: java.util.logging.FileHandler.maxLocks A new "java.util.logging.FileHandler.maxLocks" configurable property is added to java.util.logging.FileHandler. This new logging property can be defined in the logging configuration file and makes it possible to configure the maximum number of concurrent log file locks a FileHandler can handle. The default value is 100. In a highly concurrent environment where multiple (more than 101) standalone client applications are using the JDK Logging API with FileHandler simultaneously, it may happen that the default limit of 100 is reached, resulting in a failure to acquire FileHandler file locks and causing an IO Exception to be thrown. In such a case, the new logging property can be used to increase the maximum number of locks before deploying the application. If not overridden, the default value of maxLocks (100) remains unchanged. See java.util.logging.LogManager and java.util.logging.FileHandler API documentation for more details. JDK-8153955: System Property Controls the java.util.logging.FileHandler's MAX_LOCKS Limit A new JDK implementation specific system property `jdk.internal.FileHandlerLogging.maxLocks` has been introduced to control the `java.util.logging.FileHandler` MAX_LOCKS limit. The default value of the current MAX_LOCKS (100) is retained if this new system property is not set or an invalid value is provided to the property. Valid values for this property are integers ranging from 1 to Integer.MAX_VALUE-1. security-libs: JDK-8057810: New defaults for DSA keys in jarsigner and keytool For DSA keys, the default signature algorithm for `keytool` and `jarsigner` has changed from SHA1withDSA to SHA256withDSA and the default key size for `keytool` has changed from 1024 bits to 2048 bits. Users wishing to revert to the previous behavior can use the `-sigalg` option of `keytool` and `jarsigner` and specify SHA1withDSA and the `-keysize` option of `keytool` and specify 1024. There are a few potential compatibility risks associated with this change: 1. If you have a script that uses the default key size of `keytool` to generate a DSA keypair but then subsequently specifies a specific signature algorithm, ex: ``` keytool -genkeypair -keyalg DSA -keystore keystore -alias mykey ... keytool -certreq -sigalg SHA1withDSA -keystore keystore -alias mykey ... ``` it will fail with one of the following exceptions, because the new 2048-bit keysize default is too strong for SHA1withDSA: ``` keytool error: java.security.InvalidKeyException: The security strength of SHA-1 digest algorithm is not sufficient for this key size keytool error: java.security.InvalidKeyException: DSA key must be at most 1024 bits ``` The workaround is to remove the `-sigalg` option and use the stronger SHA256withDSA default or, at your own risk, use the `-keysize` option of `keytool` to specify a smaller key size (1024). 2. If you use `jarsigner` to sign JARs with the new defaults, previous versions (than this release) of JDK 6 and 7 do not support the stronger defaults and will not be able to verify the JAR. `jarsigner -verify` on an earlier release of JDK 6 or 7 will output the following error: ``` jar is unsigned. (signatures missing or not parsable) ``` If you add `-J-Djava.security.debug=jar` to the `jarsigner` command line, the cause will be output: ``` jar: processEntry caught: java.security.NoSuchAlgorithmException: SHA256withDSA Signature not available ``` If compatibility with earlier releases is important, you can, at your own risk, use the `-sigalg` option of `jarsigner` and specify the weaker SHA1withDSA algorithm. 3. If you use a `PKCS11` keystore, the SunPKCS11 provider does not support the `SHA256withDSA` algorithm. `jarsigner` and some `keytool` commands may fail with the following exception if `PKCS11` is specified with the `-storetype` option, ex: ``` keytool error: java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey ``` A similar error may occur if you are using NSS with the SunPKCS11 provider. The workaround is to use the `-sigalg` option of `keytool` and specify SHA1withDSA. security-libs/java.security: JDK-8171319: keytool now prints warnings when reading or generating certificates/certificate requests/CRLs using weak algorithms With one exception, keytool will always print a warning if the certificate, certificate request, or CRL it is parsing, verifying, or generating is using a weak algorithm or key. When a certificate is from an existing `TrustedCertificateEntry`, either in the keystore directly operated on or in the `cacerts` keystore when the `-trustcacerts` option is specified for the `-importcert` command, keytool will not print a warning if it is signed with a weak signature algorithm. For example, suppose the file `cert` contains a CA certificate signed with a weak signature algorithm, `keytool -printcert -file cert` and `keytool -importcert -file cert -alias ca -keystore ks` will print out a warning, but after the last command imports it into the keystore, `keytool -list -alias ca -keystore ks` will not show a warning anymore. An algorithm or a key is weak if it matches the value of the `jdk.certpath.disabledAlgorithms` security property defined in the `conf/security/java.security` file. JDK-8029659: keytool now prints out information of a certificate's public key Keytool now prints out the key algorithm and key size of a certificate's public key, in the form of "Subject Public Key Algorithm: ```-bit RSA key", where ``` is the key size in bits (ex: 2048). JDK-8184993: java.util.zip.ZipFile.getEntry() now always returns the ZipEntry instance with a '/' ended entry name for directory entry The `java.util.zip.ZipEntry` API doc specifies "A directory entry is defined to be one whose name ends with a '/'". However, in previous JDK releases `java.util.zip.ZipFile.getEntry(String entryName)` may return a `ZipEntry` instance with an entry name that does not end with '/' for an existing zip directory entry when: * the passed in argument `entryName` does not end with a '/', and * there is a matching zip directory entry with name `entryName` + '/' in the zip file. With this release, the name of the `ZipEntry` instance returned from `java.util.zip.ZipFile.getEntry()` always ends with '/' for any zip directory entry. To revert to the previous behavior, set the system property `jdk.util.zip.ensureTrailingSlash` to "false". This change was made in order to fix a regression introduced in JDK 8u141 when verifying signed JARs and has caused some WebStart applications to fail to load. See JDK-8184993 for more information. JDK-8062552: Support keystore type detection for JKS and PKCS12 keystores To aid interoperability, the Java keystore type JKS now supports keystore compatibility mode by default. This mode enables JKS keystores to access both JKS and PKCS12 file formats. To disable keystore compatibility mode set the Security property 'keystore.type.compat' to the string value 'false'. JDK-8233228: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default Weak named curves are disabled by default by adding them to the following `disabledAlgorithms` security properties: `jdk.tls.disabledAlgorithms`, `jdk.certpath.disabledAlgorithms`, and `jdk.jar.disabledAlgorithms`. The named curves are listed below. With 47 weak named curves to be disabled, adding individual named curves to each `disabledAlgorithms` property would be overwhelming. To relieve this, a new security property, `jdk.disabled.namedCurves`, is implemented that can list the named curves common to all of the `disabledAlgorithms` properties. To use the new property in the `disabledAlgorithms` properties, precede the full property name with the keyword `include`. Users can still add individual named curves to `disabledAlgorithms` properties separate from this new property. No other properties can be included in the `disabledAlgorithms` properties. To restore the named curves, remove the `include jdk.disabled.namedCurves` either from specific or from all `disabledAlgorithms` security properties. To restore one or more curves, remove the specific named curve(s) from the `jdk.disabled.namedCurves` property. Curves that are disabled through `jdk.disabled.namedCurves` include the following: secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1 Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448 JDK-8191438: jarsigner Prints When a timestamp Will Expire The `jarsigner` tool now shows more information about the lifetime of a timestamped JAR. New warning and error messages are displayed when a timestamp has expired or is expiring within one year. JDK-7044060: Add support for the SHA224withDSA and SHA256withDSA signature algorithms and DSA keys with sizes up to 2048 bits Support has been added for the SHA224withDSA and SHA256withDSA signature algorithms and for DSA keys with sizes up to 2048 bits. Previously, only DSA keys with sizes up to 1024 bits were supported. JDK-8176536: Disable SHA-1 TLS Server Certificates Any TLS server certificate chain containing a SHA-1 certificate (end-entity or intermediate CA) and anchored by a root CA certificate included by default in Oracle's JDK is now blocked by default. TLS Server certificate chains that are anchored by enterprise or private CAs are not affected. Only X.509 certificate chains that are validated by the `PKIX` implementation of the `CertPathValidator` and `CertPathBuilder` APIs and the `SunX509` and `PKIX` implementations of the `TrustManagerFactory` API are subject to the restrictions. Third-party implementations of these APIs are directly responsible for enforcing their own restrictions. To implement this restriction and provide more flexibility for configuring your own restrictions, additional features have been added to the `jdk.certpath.disabledAlgorithms` and `jdk.jar.disabledAlgorithms` Security Properties in the java.security file, as follows: - `jdk.certpath.disabledAlgorithms`: Three new constraints have been added to this Security Property: A new constraint named `jdkCA`, that when set, restricts the algorithm if it is used in a certificate chain that is anchored by a trust anchor that is pre-installed in the JDK cacerts keystore. This condition does not apply to certificate chains that are anchored by other certificates, including those that are subsequently added to the cacerts keystore. Also, note that the restriction does not apply to trust anchor certificates, since they are directly trusted. A new constraint named `denyAfter`, that when set, restricts the algorithm if it is used in a certificate chain after the specified date. The restriction does not apply to trust anchor certificates, since they are directly trusted. Also, code signing certificate chains as used in signed JARs are treated specially as follows: - if the certificate chain is used with a signed JAR that is not timestamped, it will be restricted after the specified date - if the certificate chain is used with a signed JAR that is timestamped, it will not be restricted if it is timestamped before the specified date. If the JAR is timestamped after the specified date, it will be restricted. A new constraint named `usage`, that when set, restricts the algorithm if it is used in a certificate chain for the specified use(s). Three usages are initially supported: `TLSServer` for TLS/SSL server certificate chains, `TLSClient` for TLS/SSL client certificate chains, and `SignedJAR` for certificate chains used with signed JARs. Multiple constraints can be combined to constrain an algorithm when delimited by '&'. For example, to disable SHA-1 TLS Server certificate chains that are anchored by pre-installed root CAs, the constraint is "SHA1 jdkCA & usage TLSServer". - `jdk.jar.disabledAlgorithms`: A new constraint has been added named `denyAfter`, that when set, restricts the algorithm if it is used in a signed JAR after the specified date, as follows: - if the JAR is not timestamped, it will be restricted (treated as unsigned) after the specified date - if the JAR is timestamped, it will not be restricted if it is timestamped before the specified date. If the JAR is timestamped after the specified date, it will be restricted. For example, to restrict SHA1 in JAR files signed after January 1st 2018, add the following to the property: "SHA1 denyAfter 2018-01-01". The syntax is the same as the certpath property, however certificate checking will not be performed by this property. JDK-8038837: Support added to jarsigner for specifying timestamp hash algorithm A new -tsadigestalg option is added to jarsigner to specify the message digest algorithm that is used to generate the message imprint to be sent to the TSA server. In older JDK releases, the message digest algorithm used was SHA-1. If this new option is not specified, SHA-256 will be used on JDK 7 Updates and later JDK family versions. On JDK 6 Updates, SHA-1 will remain the default but a warning will be printed to the standard output stream. JDK-8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar The jarsigner tool has been enhanced to show details of the algorithms and keys used to generate a signed JAR file and will also provide an indication if any of them are considered weak. Specifically, when "jarsigner -verify -verbose filename.jar" is called, a separate section is printed out showing information of the signature and timestamp (if it exists) inside the signed JAR file, even if it is treated as unsigned for various reasons. If any algorithm or key used is considered weak, as specified in the Security property `jdk.jar.disabledAlgorithms`, it will be labeled with "(weak)". For example: ``` - Signed by "CN=weak_signer" Digest algorithm: MD2 (weak) Signature algorithm: MD2withRSA (weak), 512-bit key (weak) Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016 Timestamp digest algorithm: SHA-256 Timestamp signature algorithm: SHA256withRSA, 2048-bit key ``` JDK-8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires If a jar file was signed with a timestamp when the signer certificate was still valid, it should be valid even after the signer certificate expires. However, jarsigner will incorrectly show a warning that that signer's certificate chain is not validated. This will be fixed in a future release. JDK-8140422: Add mechanism to allow non default root CAs to not be subject to algorithm restrictions '**New certpath constraint: jdkCA** In the `java.security` file, an additional constraint named "jdkCA" is added to the `jdk.certpath.disabledAlgorithms` property. This constraint prohibits the specified algorithm only if the algorithm is used in a certificate chain that terminates at a marked trust anchor in the lib/security/cacerts keystore. If the jdkCA constraint is not set, then all chains using the specified algorithm are restricted. jdkCA may only be used once in a DisabledAlgorithm expression. Example:  To apply this constraint to SHA-1 certificates, include the following:  ```SHA1 jdkCA``` core-libs/java.time: JDK-8159684: IANA Data 2016f JDK contains IANA time zone data version 2016f. For more information, refer to [Timezone Data Versions in the JRE Software](http://www.oracle.com/technetwork/java/javase/tzdata-versions-138805.html). JDK-8151876: IANA Data 2016d JDK contains IANA time zone data version 2016d. For more information, refer to [Timezone Data Versions in the JRE Software](http://www.oracle.com/technetwork/java/javase/tzdata-versions-138805.html). JDK-8254177: US/Pacific-New Zone Name Removed as Part of tzdata2020b Following the JDK's update to tzdata2020b, the long-obsolete files named `pacificnew` and `systemv` have been removed. As a result, the "US/Pacific-New" Zone name declared in the `pacificnew` data file is no longer available for use. Information regarding this update can be viewed at https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html JDK-8169191: IANA Data 2016i JDK contains IANA time zone data version 2016i. For more information, refer to [Timezone Data Versions in the JRE Software](http://www.oracle.com/technetwork/java/javase/tzdata-versions-138805.html). JDK-8274407: Update Timezone Data to 2021c The IANA Time Zone Database, on which the JDK's Date/Time libraries are based, has made a tweak to some of the time zone rules in [2021c](https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note that in [2021b](https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html), which is cumulatively included in this change, some of the time zone rules prior to the year 1970 have been modified according to changes introduced with 2021b. For more details, refer to the announcement of [2021b](https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html). core-libs/java.io:serialization: JDK-8155760: Serialization Filter Configuration Serialization Filtering introduces a new mechanism which allows incoming streams of object-serialization data to be filtered in order to improve both security and robustness. Every ObjectInputStream applies a filter, if configured, to the stream contents during deserialization. Filters are set using either a system property or a configured security property. The value of the "jdk.serialFilter" patterns are described in [JEP 290 Serialization Filtering](http://openjdk.java.net/jeps/290) and in <JRE>/lib/security/java.security. Filter actions are logged to the 'java.io.serialization' logger, if enabled. security-libs/org.ietf.jgss:krb5: JDK-8012679: Weak Encryption Disabled by Default The DES-related Kerberos 5 encryption types are not supported by default. These encryption types can be enabled by adding `allow_weak_crypto=true` in the `krb5.conf` file, but DES-related encryption types are considered highly insecure and should be avoided. JDK-8201627: Kerberos Sequence Number Issues Previously, when mutual authentication was not requested by the Kerberos 5 initiator, there was no mechanism to negotiate the acceptor's initial sequence number. With this release, if the system property `sun.security.krb5.acceptor.sequence.number.nonmutual` is set to `initiator`, the SunJGSS provider will use the initiator's initial sequence number as the acceptor's initial sequence number. If set to `zero` or `0`, 0 is used. The default value is `initiator`. All other values are illegal and will throw an Error when the system property is read. JDK-8036779: Support the "s" (second) unit for kdc_timeout in krb5.conf An interoperability issue is found between Java and the native Kerberos implementation on BSD (including macOS) on the kdc_timeout setting in krb5.conf, where Java interpreted it as milliseconds and BSD as seconds when no unit is specified. This code change adds support for the "s" (second) unit. Therefore if the timeout is 5 seconds, Java accepts both "5000" and "5s". Customers concerned about interoperability between Java and BSD should use "5s". security-libs/javax.xml.crypto: JDK-8151893: Add security property to configure XML Signature secure validation mode A new security property named `jdk.xml.dsig.secureValidationPolicy` has been added that allows you to configure the individual restrictions that are enforced when the secure validation mode of XML Signature is enabled. The default value for this property in the `java.security` configuration file is: ``` jdk.xml.dsig.secureValidationPolicy=\ disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\ disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\ disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\ disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\ maxTransforms 5,\ maxReferences 30,\ disallowReferenceUriSchemes file http https,\ noDuplicateIds,\ noRetrievalMethodLoops ``` Please refer to the definition of the property in the `java.security` file for more information. core-libs: JDK-8138716: IANA Data 2015g JDK contains IANA time zone data version 2015g. For more information, refer to [Timezone Data Versions in the JRE Software|http://www.oracle.com/technetwork/java/javase/tzdata-versions-138805.html]. core-svc/debugger: JDK-8197943: Unable to use the JDWP API in JDK 8 to debug JDK >=9 The implementation of `VirtualMachineImpl.canGetInstanceInfo()` has been corrected, so it is now able to see JDK JVMs >= JDK 9. This correction allows certain debugger agents to operate correctly without any action required from a user (developer). core-libs/javax.naming: JDK-8149450: Improved exception handling for bad LDAP referral replies The JDK was throwing a NullPointerException when a non-compliant REFERRAL status result was sent but no referral values were included. With this change, a NamingException with message value of "Illegal encoding: referral is empty" will be thrown in such circumstances. See JDK-8149450 and JDK-8154304 for more details JDK-8211107: LDAPS Communication Failure Application code using LDAPS with a socket connect timeout that is <= 0 ( the default value ), may encounter an exception when establishing the connection. The top most frames from Exception stack traces of applications encountering such issues might resemble the following: ``` javax.naming.ServiceUnavailableException: ; socket closed at com.sun.jndi.ldap.Connection.readReply(Unknown Source) at com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source) ... ``` core-libs/java.util.jar: JDK-8189789: Decode error with Tomcat version 7.x The zlib version shipped in the 8u151, 7u161 JDK releases was updated to zlib v1.2.11. The deflate functionality in this version causes a compatibility issue with Tomcat v7.x. Server responses can appear as corrupt or can fail to be decoded. The issue is seen if Tomcat is using compression (e.g. compression="on" in server.xml). This issue is being fixed via JDK-8189789 [https://bugs.openjdk.java.net/browse/JDK-8189789]. Users could disable the compression mode on their Tomcat servers as a workaround. Tomcat versions 8.x and later don't appear to be affected. hotspot/compiler: JDK-8072753: Nondeterministic wrong answer on arithmetic corrected When performing OSR on loops with huge stride and/or initial values, in very rare cases, the tiered/server compilers could produce non-canonical loop shapes that produce nondeterministic answers when the answers should be deterministic. This issue has now been fixed. security-libs/javax.net.ssl: JDK-8202343: Disable TLS 1.0 and 1.1 TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3). These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the `jdk.tls.disabledAlgorithms` security property in the `java.security` configuration file. JDK-8076369: jdk.tls.client.protocols system property added The jdk.tls.client.protocols system property is now available with the release of JDK . This property was originally introduced in JDK 8 and behaves in the same way. See [JSSE User Guide|http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#jdk_tls_client_protocols] JDK-8162362: Support for Customization of Default Enabled Cipher Suites via System Properties The system property `jdk.tls.client.cipherSuites` can be used to customize the default enabled cipher suites for the client side of SSL/TLS connections. In a similar way, the system property `jdk.tls.server.cipherSuites` can be used for customization on the server side. The system properties contain a comma-separated list of supported cipher suite names that specify the default enabled cipher suites. All other supported cipher suites are disabled for this default setting. Unrecognized or unsupported cipher suite names specified in properties are ignored. Explicitly setting enabled cipher suites will override the system properties. Refer to the [Java Cryptography Architecture Standard Algorithm Name Documentation](https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html) for the standard JSSE cipher suite names, and the [Java Cryptography Architecture Oracle Providers Documentation](https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html) for the cipher suite names supported by the SunJSSE provider. Note that the actual use of enabled cipher suites is restricted by algorithm constraints. Note also that these system properties are currently supported by the JDK Reference Implementation. They are not guaranteed to be supported by other implementations. Warning: These system properties can be used to configure weak cipher suites, or the configured cipher suites may become more weak over time. We do not recommend using the system properties unless you understand the security implications. Use them at your own risk. JDK-8163326: Updated the Default Enabled Cipher Suites Preference The preference of the default enabled cipher suites has been changed. The compatibility impact should be minimal. If needed, applications can customize the enabled cipher suites and the preference. For more details, refer to the SunJSSE provider documentation and the JSSE Reference Guide documentation. JDK-8211883: Disabled TLS anon and NULL Cipher Suites The TLS anon (anonymous) and NULL cipher suites have been added to the `jdk.tls.disabledAlgorithms` security property and are now disabled by default. JDK-7093640: Add TLS v1.1 and v1.2 to the client list of default-enabled protocols TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. This is similar behavior to what already happens in JDK 8 releases. See [details from crypto roadmap](https://www.java.com/en/configure_crypto.html#enableTLSv1_2) for more details. JDK-8207258: Distrust TLS Server Certificates Anchored by Symantec Root CAs The JDK will stop trusting TLS Server certificates issued by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec. TLS Server certificates issued on or before April 16, 2019 will continue to be trusted until they expire. Certificates issued after that date will be rejected. See the [DigiCert support page](https://www.digicert.com/replace-your-symantec-ssl-tls-certificates/) for information on how to replace your Symantec certificates with a DigiCert certificate (DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates on December 1, 2017). An exception to this policy is that TLS Server certificates issued through two subordinate Certificate Authorities managed by Apple, and identified below, will continue to be trusted as long as they are issued on or before December 31, 2019. The restrictions are enforced in the JDK implementation (the `SunJSSE` Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below. An application will receive an Exception with a message indicating the trust anchor is not trusted, ex: "TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US" If necessary, and at your own risk, you can work around the restrictions by removing "SYMANTEC_TLS" from the `jdk.security.caDistrustPolicies` security property in the `java.security` configuration file. The restrictions are imposed on the following Symantec Root certificates included in the JDK:
Root Certificates distrusted after 2019-04-16
Distinguished Name SHA-256 Fingerprint
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US

FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA:DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A

CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US

37:D5:10:06:C5:12:EA:AB:62:64:21:F1:EC:8C:92:01:3F:C5:F8:2A:E9:8E:E5:33:EB:46:19:B8:DE:B4:D0:6C

CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US

5E:DB:7A:C4:3B:82:A0:6A:87:61:E8:D7:BE:49:79:EB:F2:61:1F:7D:D7:9B:F9:1C:1C:6B:56:6A:21:9E:D7:66

CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US

B4:78:B8:12:25:0D:F8:78:63:5C:2A:A7:EC:7D:15:5E:AA:62:5E:E8:29:16:E2:CD:29:43:61:88:6C:D1:FB:D4

CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US

A0:45:9B:9F:63:B2:25:59:F5:FA:5D:4C:6D:B3:F9:F7:2F:F1:93:42:03:35:78:F0:73:BF:1D:1B:46:CB:B9:12

CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A:97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F

CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US

A4:31:0D:50:AF:18:A6:44:71:90:37:2A:86:AF:AF:8B:95:1F:FB:43:1D:83:7F:1E:56:88:B4:59:71:ED:15:57

CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C:06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C

EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

3F:9F:27:D5:83:20:4B:9E:09:C8:A3:D2:06:6C:4B:57:D3:A2:47:9C:36:93:65:08:80:50:56:98:10:5D:BC:E9

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F:D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1

OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09:CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E:DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B

CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1:B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44

CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60:32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79

CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99:89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF

CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C

Subordinate Certificates distrusted after 2019-12-31
Distinguished Name SHA-256 Fingerprint
CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US

AC:2B:92:2E:CF:D5:E0:17:11:77:2F:EA:8E:D3:72:DE:9D:1E:22:45:FC:E3:F5:7A:9C:DB:EC:77:29:6A:42:4B

CN=Apple IST CA 8 - G1, OU=Certification Authority, O=Apple Inc., C=US

A4:FE:7C:7F:15:15:5F:3F:0A:EF:7A:AA:83:CF:6E:06:DE:B9:7C:A3:F9:09:DF:92:0A:C1:49:08:82:D4:88:ED

If you have a TLS Server certificate issued by one of the CAs above, you should have received a message from DigiCert with information about replacing that certificate, free of charge. You can also use the `keytool` utility from the JDK to print out details of the certificate chain, as follows: keytool -v -list -alias -keystore If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server if not yours. JDK-8148516: Improve the default strength of EC in JDK. To improve the default strength of EC cryptography, EC keys less than 224 bits have been deactivated in certification path processing (via the "jdk.certpath.disabledAlgorithms" Security Property) and SSL/TLS/DTLS connections (via the "jdk.tls.disabledAlgorithms" Security Property) in JDK. Applications can update this restriction in the Security Properties and permit smaller key sizes if really needed (for example, "EC keySize < 192"). EC curves less than 256 bits are removed from the SSL/TLS/DTLS implementation in JDK. The new System Property, "jdk.tls.namedGroups", defines a list of enabled named curves for EC cipher suites in order of preference. If an application needs to customize the default enabled EC curves or the curves preference, please update the System Property accordingly. For example: jdk.tls.namedGroups="secp256r1, secp384r1, secp521r1" Note that the default enabled or customized EC curves follow the algorithm constraints. For example, the customized EC curves cannot re-activate the disabled EC keys defined by the Java Security Properties. JDK-8148516: IllegalArgumentException from TLS handshake A recent issue from the JDK-8148516 fix can cause issue for some TLS servers. The problem originates from an *IllegalArgumentException* thrown by the TLS handshaker code. ```java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves``` The issue can arise when the server doesn't have elliptic curve cryptography support to handle an elliptic curve name extension field (if present). Users are advised to upgrade to this release. By default, JDK 7 Updates and later JDK families ship with the SunEC security provider which provides elliptic curve cryptography support. Those releases should not be impacted unless security providers are modified. See [JDK-8173783](https://bugs.openjdk.java.net/browse/JDK-8173783) JDK-8148421: TLS Session Hash and Extended Master Secret Extension Support Support has been added for the TLS session hash and extended master secret extension (RFC 7627) in JDK JSSE provider. Note that in general, a server certificate change is restricted if endpoint identification is not enabled and the previous handshake is a session-resumption abbreviated initial handshake, unless the identities represented by both certificates can be regarded as the same. However, if the extension is enabled or negotiated, the server certificate changing restriction is not necessary and will be discarded accordingly. In case of compatibility issues, an application may disable negotiation of this extension by setting the System Property `jdk.tls.useExtendedMasterSecret` to `false` in the JDK. By setting the System Property `jdk.tls.allowLegacyResumption` to `false`, an application can reject abbreviated handshaking when the session hash and extended master secret extension are not negotiated. By setting the System Property `jdk.tls.allowLegacyMasterSecret` to `false`, an application can reject connections that do not support the session hash and extended master secret extension. JDK-8163237: Disable exportable cipher suites To improve the strength of SSL/TLS connections, exportable cipher suites have been disabled in SSL/TLS connections in the JDK by the `jdk.tls.disabledAlgorithms` Security Property. JDK-8208350: Disabled All DES TLS Cipher Suites DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the `jdk.tls.disabledAlgorithms` security property. These cipher suites can be reactivated by removing "DES" from the `jdk.tls.disabledAlgorithms` security property in the `java.security` file or by dynamically calling the `Security.setProperty()` method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the `SSLSocket.setEnabledCipherSuites()` or `SSLEngine.setEnabledCipherSuites()` methods. Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the `jdk.tls.disabledAlgorithms` security property. JDK-8173783: Correction of IllegalArgumentException from TLS handshake A recent issue from the JDK-8148516 fix can cause issue for some TLS servers. The problem originates from an *IllegalArgumentException* thrown by the TLS handshaker code. ```java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves``` The issue can arise when the server doesn't have elliptic curve cryptography support to handle an elliptic curve name extension field (if present). Users are advised to upgrade to this release. By default, JDK 7 Updates and later JDK families ship with the SunEC security provider which provides elliptic curve cryptography support. Those releases should not be impacted unless security providers are modified. security-libs/javax.crypto: JDK-8170157: Unlimited cryptography enabled by default The JDK uses the Java Cryptography Extension (JCE) Jurisdiction Policy files to configure cryptographic algorithm restrictions. Previously, the Policy files in the JDK placed limits on various algorithms. This release ships with both the limited and unlimited jurisdiction policy files, with unlimited being the default. The behavior can be controlled via the new `crypto.policy` Security property found in the `/lib/java.security` file. Refer to that file for more information on this property. JDK-8157561: New Security property to control crypto policy This release introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. In older releases, JCE jurisdiction files had to be downloaded and installed separately to allow unlimited cryptography to be used by the JDK. The download and install steps are no longer necessary. To enable unlimited cryptography, one can use the new `crypto.policy` Security property. If the new Security property (crypto.policy) is set in the java.security file, or has been set dynamically using the Security.setProperty() call before the JCE framework has been initialized, that setting will be honored. By default, the property will be undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy lib/security directory, then the default cryptographic level will remain at 'limited'. To configure the JDK to use unlimited cryptography, set the crypto.policy to a value of 'unlimited'. See the notes in the java.security file shipping with this release for more information. Note : On Solaris, it's recommended that you remove the old SVR4 packages before installing the new JDK updates. If an SVR4 based upgrade (without uninstalling the old packages) is being done on a JDK release earlier than 6u131, 7u121, 8u111, then you should set the new crypto.policy Security property in the java.security file. Because the old JCE jurisdiction files are left in `/lib/security`, they may not meet the latest security JAR signing standards, which were refreshed in 6u131, 7u121, 8u111, and later updates. An exception similar to the following might be seen if the old files are used : ``` Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers! at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:593) at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:524) ``` JDK-6483657: MSCAPI KeyStore can handle same named certificates Java SE KeyStore does not allow certificates that have the same aliases. http://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.html However, on Windows, multiple certificates stored in one keystore are allowed to have non-unique friendly names. The fix for JDK-6483657 makes it possible to operate on such non-uniquely named certificates through the Java API by artificially making the visible aliases unique. Please note, this fix does not enable creating same-named certificates with the Java API. It only allows you to deal with same-named certificates that were added to the keystore by 3rd party tools. It is still recommended that your design not use multiple certificates with the same name. In particular, the following sentence will not be removed from the Java documentation: "In order to avoid problems, it is recommended not to use aliases in a KeyStore that only differ in case." http://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.html JDK-8072452: Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits Enhance the JDK security providers to support 3072-bit DiffieHellman and DSA parameters generation, pre-computed DiffieHellman parameters up to 8192 bits and pre-computed DSA parameters up to 3072 bits. client-libs/java.awt: JDK-8169589: Introduced a new window ordering model On the OS X platform, the AWT framework used native services to implement a parent-child relationship for windows. That caused some negative visual effects especially in multi-monitor environments. To get rid of disadvantages of such an approach, the new window ordering model, which is fully implemented at JDK layer, was introduced. Its main principles are listed below: - A window should be placed above its nearest parent window. - If a window has several child windows, all child windows should be located at the same layer and the window from the active window chain should be ordered above its siblings. - Ordering should not be performed for a window that is in an iconified state or when the transition to iconified state is in progress. These rules are applied to every frame or dialog from the window hierarchy which contains the currently focused window. client-libs/javax.swing: JDK-8166591: Trackpad scrolling of text on OS X 10.12 Sierra is very fast The `MouseWheelEvent.getWheelRotation()` method returned rounded native `NSEvent deltaX/Y` events on Mac OS X. The latest macOS Sierra 10.12 produces very small `NSEvent deltaX/Y` values so rounding and summing them leads to the huge value returned from the `MouseWheelEvent.getWheelRotation()`. The JDK-8166591 fix accumulates `NSEvent deltaX/Y` and the `MouseWheelEvent.getWheelRotation()` method returns non-zero values only when the accumulated value exceeds a threshold and zero value. This is compliant with the `MouseWheelEvent.getWheelRotation()` specification: >Returns the number of "clicks" the mouse wheel was rotated, as an integer. A partial rotation may occur if the mouse supports a high-resolution wheel. In this case, the method returns zero until a full "click" has been accumulated. For the precise wheel rotation values, use the `MouseWheelEvent.getPreciseWheelRotation()` method instead. ALL FIXED ISSUES, BY COMPONENT AND PRIORITY: client-libs: (P2) JDK-8217676: Upgrade libpng to 1.6.37 (P3) JDK-8214002: Cannot use italic font style if the font has embedded bitmap (P3) JDK-8028212: Custom cursor HiDPI support (P3) JDK-8077982: GIFLIB upgrade (P3) JDK-8022746: List of spelling errors in API doc (P3) JDK-8007295: Reduce number of warnings in awt classes (P4) JDK-8081315: 8077982 giflib upgrade breaks system giflib builds with earlier versions (P4) JDK-8129822: Define "headful" jtreg keyword (P4) JDK-8035287: gcc warnings compiling various libraries files client-libs/2d: (P2) JDK-8216965: crash in freetypeScaler.c CopyBW2Grey8 (P2) JDK-8026780: Crash on PPC and PPC v2 for Java_awt test suit (P2) JDK-8026702: Fix for 8025429 breaks jdk build on windows (P2) JDK-8227662: freetype seeks to index at the end of the font data (P2) JDK-8162488: JDK should be updated to use LittleCMS 2.8 (P3) JDK-7124245: [lcms] ColorConvertOp to color space CS_GRAY apparently converts orange to 244,244,0 (P3) JDK-8005530: [lcms] Improve performance of ColorConverOp for default destinations (P3) JDK-8041129: [OGL] surface->sw blit is extremely slow (P3) JDK-8232381: add result NULL-checking to freetypeScaler.c (P3) JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return (P3) JDK-8024511: Crash during color profile destruction (P3) JDK-8020190: Fatal: Bug in native code: jfieldID class must match object (P3) JDK-8201433: Fix potential crash in BufImg_SetupICM (P3) JDK-8148127: IllegalArgumentException thrown by JCK test api/java_awt/Component/FlipBufferStrategy/indexTGF_General in opengl pipeline (P3) JDK-8005402: Need to provide benchmarks for color management (P3) JDK-7051394: NullPointerException when running regression tests LoadProfileTest by using openjdk-7-b144 (P3) JDK-8067364: Printing to Postscript doesn't support dieresis (P3) JDK-7043064: sun/java2d/cmm/ tests failed against RI b141 & b138-nightly (P3) JDK-8047066: Test test/sun/awt/image/bug8038000.java fails with ClassCastException (P3) JDK-8056122: Upgrade JDK to use LittleCMS 2.6 (P3) JDK-8078331: Upgrade JDK to use LittleCMS 2.7 (P4) JDK-8025218: [javadoc] some errors in java/awt classes. (P4) JDK-8025085: [javadoc] some errors in javax/swing (P4) JDK-8005930: [lcms] ColorConvertOp: Alpha channel is not transferred from source to destination. (P4) JDK-8155145: [Parfait] JNI exception pending in fontpath.c:1300 (P4) JDK-8140530: Creating a VolatileImage with size 0,0 results in no longer working g2d.drawString (P4) JDK-8022175: Fix doclint warnings in javax.print (P4) JDK-8218854: FontMetrics.getMaxAdvance may be less than the maximum FontMetrics.charWidth (P4) JDK-8017773: OpenJDK7 returns incorrect TrueType font metrics (P4) JDK-8057934: Upgrade to LittleCMS 2.6 breaks AIX build client-libs/demo: (P2) JDK-8011059: [macosx] Support automatic @2x images loading on Mac OS X client-libs/java.awt: (P2) JDK-8169589: [macosx] Activating a JDialog puts to back another dialog (P2) JDK-8027025: [macosx] getLocationOnScreen returns 0 if parent invisible (P2) JDK-7168851: [macosx] Netbeans crashes in CImage.nativeCreateNSImageFromArray (P2) JDK-8029253: [macosx] Performance problems with Retina display on Mac OS X (P2) JDK-8020688: broken links in documentation at http://docs.oracle.com/javase/6/docs/api/index. (P2) JDK-8173853: IllegalArgumentException in java.awt.image.ReplicateScaleFilter (P2) JDK-8147077: IllegalArgumentException thrown by api/java_awt/Component/FlipBufferStrategy/indexTGF_General (P2) JDK-8179014: JFileChooser with Windows look and feel crashes on win 10 (P2) JDK-8011123: serialVersionUID of java.awt.dnd.InvalidDnDOperationException changed in JDK8-b82 (P2) JDK-8130769: The new menu can't be shown on the menubar after clicking the "Add" button. (P2) JDK-8220495: Update GIFlib library to the 5.1.8 (P2) JDK-8230597: Update GIFlib library to the 5.2.1 (P2) JDK-8155691: Update GIFlib library to the latest up-to-date (P2) JDK-8208353: Upgrade libpng to 1.6.35 (P2) JDK-8037287: Windows build failed after JDK-8030787 (P3) JDK-7027045: (doc) java/awt/Window.java has several typos in javadoc (P3) JDK-8024926: [macosx] AquaIcon HiDPI support (P3) JDK-8071668: [macosx] Clipboard does not work with 3rd parties Clipboard Managers (P3) JDK-7124253: [macosx] Flavor change notification not coming (P3) JDK-8033534: [macosx] Get MultiResolution image from native system (P3) JDK-8080729: [macosx] java 7 and 8 JDialogs on multiscreen jump to parent frame on focus (P3) JDK-8020210: [macosx] JVM crashes in CWrapper$NSWindow.screen(long) (P3) JDK-8013581: [macosx] Key Bindings break with awt GraphicsEnvironment setFullScreenWindow (P3) JDK-7124552: [macosx] NullPointerException in getBufferStrategy() (P3) JDK-7148275: [macosx] setIconImages() not working correctly (distorted icon when minimized) (P3) JDK-8024779: [macosx] SwingNode crashes on exit (P3) JDK-7160627: [macosx] TextArea has wrong initial size (P3) JDK-8017626: [OGL] Translucent VolatileImages don't paint correctly (P3) JDK-8204142: AWT hang occurs when sequenced events arrive out of sequence in multiple AppContexts. (P3) JDK-7155957: closed/java/awt/MenuBar/MenuBarStress1/MenuBarStress1.java hangs on win 64 bit with jdk8 (P3) JDK-8028617: Dvorak keyboard mapping not honored when ctrl key pressed (P3) JDK-8211435: Exception in thread "AWT-EventQueue-1" java.lang.IllegalArgumentException: null source (P3) JDK-8025409: Fix javadoc comments errors and warning reported by doclint report (P3) JDK-8005629: javac warnings compiling java.awt.EventDispatchThread and sun.awt.X11.XIconWindow (P3) JDK-8041734: JFrame in full screen mode leaves empty workspace after close (P3) JDK-8187635: On Windows Swing changes keyboard layout on a window activation (P3) JDK-8079595: Resizing dialog which is JWindow parent makes JVM crash (P3) JDK-4717864: setFont() does not update Fonts of Menus already on screen (P4) JDK-8175163: [bsd] Fix build after "8005629: javac warnings compiling java.awt.EventDispatchThread..." (P4) JDK-8027561: [macosx] Cleanup "may not respond to selector" warnings in native code (P4) JDK-8005255: [macosx] Cleanup warnings in sun.lwawt (P4) JDK-8035568: [macosx] Cursor management unification (P4) JDK-7124213: [macosx] pack() does ignore size of a component; doesn't on the other platforms. (P4) JDK-7154841: [macosx] Popups appear behind taskbar (P4) JDK-8037099: [macosx] Remove all references to GC from native OBJ-C code (P4) JDK-6475361: Attempting to remove help menu from java.awt.MenuBar throws NullPointerException (P4) JDK-8000626: Implement dead key detection for KeyEvent on Linux (P4) JDK-8134610: Mac OS X build fails after July 2015 CPU (P4) JDK-8010297: Missing isLoggable() checks in logging code (P4) JDK-8026021: more fix of javadoc errors and warnings reported by doclint, see the description (P4) JDK-8133990: Revert introduction of lambda expression in sun.lwawt.macosx.LWCToolkit (P4) JDK-6961123: setWMClass fails to null-terminate WM_CLASS string client-libs/java.awt:i18n: (P3) JDK-8076455: IME Composition Window is displayed on incorrect position (P4) JDK-7117465: Warning cleanup for IMF classes client-libs/java.beans: (P4) JDK-8022406: Fix doclint issues in java.beans client-libs/javax.accessibility: (P3) JDK-8145984: [macosx] sun.lwawt.macosx.CAccessible leaks client-libs/javax.imageio: (P2) JDK-8191073: JpegImageReader throws IndexOutOfBoundsException when trying to read image data from tables-only image (P3) JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable client-libs/javax.sound: (P3) JDK-8054431: Some of the input validation in the javasound is too strict (P4) JDK-7058700: Unexpected exceptions and timeouts in SF2 parser code client-libs/javax.swing: (P2) JDK-8166591: [macos 10.12] Trackpad scrolling of text on macOS 10.12 Sierra is very fast (Trackpad, Retina only) (P2) JDK-8178996: [macos] JComboBox doesn't display popup in mixed JavaFX Swing Application on 8u131 and Mac OS 10.12 (P2) JDK-8179665: [Windows] java.awt.IllegalComponentStateException: component must be showing on the screen to determine its location (P2) JDK-8158734: JEditorPane.createEditorKitForContentType throws NPE after 6882559 (P3) JDK-8007219: [macosx] Frame size reverts meaning of maximized attribute if frame size close to display (P3) JDK-8031573: [macosx] Checkmarks of JCheckBoxMenuItems aren't rendered in high resolution on Retina (P3) JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys (P3) JDK-8147842: IME Composition Window is displayed at incorrect location (P3) JDK-8130735: javax.swing.TimerQueue: timer fires late when another timer starts (P3) JDK-8173145: Menu is activated after using mnemonic Alt/Key combination (P3) JDK-8020708: NLS: mnemonics missing in SwingSet2/JInternalFrame demo (P3) JDK-8080628: No mnemonics on Open and Save buttons in JFileChooser (P3) JDK-8184016: Text in native popup is not always updated with Sogou IME (P3) JDK-8033786: White flashing when opening Dialogs and Menus using Nimbus with dark background (P3) JDK-7172652: With JDK 1.7 text field does not obtain focus when using mnemonic Alt/Key combin (P4) JDK-8025249: [javadoc] fix some javadoc errors in javax/swing (P4) JDK-7075563: Broken link in "javax.swing.SwingWorker" (P4) JDK-6882559: new JEditorPane("text/plain","") fails for null context class loader (P4) JDK-6624200: Regression test fails: test/closed/javax/swing/JMenuItem/4654927/bug4654927.java (P5) JDK-8010782: clean up source files containing carriage return characters core-libs: (P2) JDK-8081775: [TEST_BUG] two lib/testlibrary tests are failing with "Error. failed to clean up files after test" with jtreg 4.1 b12 (P2) JDK-8138978: Examine usages of sun.misc.IOUtils (P3) JDK-8098547: (tz) Support tzdata2015e (P3) JDK-8133321: (tz) Support tzdata2015f (P3) JDK-8138716: (tz) Support tzdata2015g (P3) JDK-8135248: Add utility methods to check indexes and ranges (P3) JDK-8066504: GetVersionEx in java.base/windows/native/libjava/java_props_md.c might not get correct Windows version (P3) JDK-8026982: javadoc errors in core libs (P3) JDK-8016217: More javadoc warnings (P3) JDK-8016747: Replace deprecated PlatformLogger isLoggable(int) with isLoggable(Level) (P3) JDK-8039438: Some tests depend on internal API sun.misc.IOUtils (P4) JDK-8151731: Add new jtreg keywords to jdk 8 (P4) JDK-8145017: Add support for 3 digit hotspot minor version numbers (P4) JDK-8031737: CHECK_NULL and CHECK_EXCEPTION macros cleanup (P4) JDK-8003890: corelibs test scripts should pass TESTVMOPTS (P4) JDK-8134248: Fix recently backported tests to work with OpenJDK 7u (P4) JDK-8205587: Implicit function declaration in jni_util.c (P4) JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result (P4) JDK-8030875: Macros for checking and returning on exceptions core-libs/java.io: (P3) JDK-8080835: Add blocking bulk read operations to java.io.InputStream (P4) JDK-8139206: Add InputStream readNBytes(int len) (P4) JDK-8167646: Better invalid FilePermission (P4) JDK-8235909: File.exists throws AccessControlException for invalid paths when a SecurityManager is installed (P4) JDK-8229899: java.io.File.isInvalid() is racy (P4) JDK-8193832: Performance of InputStream.readAllBytes() could be improved (P4) JDK-8236984: Reserved for 2020-01 CPU core-libs/java.io:serialization: (P2) JDK-8155760: Implement Serialization Filtering (P2) JDK-8166739: Improve extensibility of ObjectInputFilter information passed to the filter (P3) JDK-8203368: ObjectInputStream filterCheck method throws NullPointerException core-libs/java.lang: (P2) JDK-8140344: add support for 3 digit update release numbers (P3) JDK-8035640: JNU_CHECK_EXCEPTION should support c++ JNI syntax (P4) JDK-6253144: Long narrowing conversion should describe the algorithm used and implied "risks" (P4) JDK-7132338: Use @code friendly idiom for '\' in javadoc core-libs/java.lang.invoke: (P1) JDK-8184119: Incorrect return processing for the LF editor of MethodHandles.permuteArguments core-libs/java.lang:reflect: (P4) JDK-8054213: Class name repeated in output of Type.toString() (P4) JDK-8174729: Race Condition in java.lang.reflect.WeakCache core-libs/java.net: (P2) JDK-8034912: backport of 8031737 to jdk8u breaks linux buld. (P2) JDK-7125055: ContentHandler.getContent API changed in error (P2) JDK-8020842: IDN do not throw IAE when hostname ends with a trailing dot (P2) JDK-8225425: java.lang.UnsatisfiedLinkError: net.dll: Can't find dependent libraries (P2) JDK-8204667: Resources not freed on exception (P3) JDK-8021833: javadoc cleanup in java.net (P3) JDK-8075484: SocketInputStream.socketRead0 can hang even with soTimeout set (P3) JDK-8161016: Strange behavior of URLConnection with proxy (P4) JDK-8175087: [bsd] Fix build after "8024900: PPC64: Enable new build on AIX (jdk part)" (P4) JDK-8146602: [TEST_BUG] :jdk/test/sun/misc/URLClassPath/ClassnameCharTest.java test fails with NullPointerException (P4) JDK-8162876: [TEST_BUG] sun/net/www/protocol/http/HttpInputStream.java fails intermittently (P4) JDK-8254967: com.sun.net.HttpsServer spins on TLS session close (P4) JDK-7167293: FtpURLConnection connection leak on FileNotFoundException (P4) JDK-6328537: Improve javadocs for Socket class by adding references to SocketOptions (P4) JDK-7090158: Networking Libraries don't build with javac -Werror (P4) JDK-7150092: NTLM authentication fail if user specified a different realm (P4) JDK-8168405: Pending exceptions in java.base/windows/native/libnet (P4) JDK-8177144: sun/net/www/http/HttpClient/B8025710.java should run in ovm mode core-libs/java.nio: (P2) JDK-8026876: (fs) Build issue with src/solaris/classes/sun/nio/fs/SolarisUserDefinedFileAttributeView.java (P2) JDK-8230085: (fs) FileStore::isReadOnly is always true on macOS Catalina (P2) JDK-8141491: Unaligned memory access in Bits.c (P3) JDK-8151582: (ch) test java/nio/channels/AsyncCloseAndInterrupt.java failing due to "Connection succeeded" (P3) JDK-7050570: (fs) FileSystemProvider fails to initializes if run with file.encoding set to Cp037 (P3) JDK-7184932: (sc) Replace use of temporary selectors in socket adapters with poll (P3) JDK-8020971: Fix doclint issues in java.nio.* (P3) JDK-8022594: Potential deadlock in of sun.nio.ch.Util/IOUtil (P4) JDK-8219597: (bf) Heap buffer state changes could provoke unexpected exceptions (P4) JDK-8196956: (ch) More channels cleanup (P4) JDK-8232003: (fs) Files.write can leak file descriptor in the exception case (P4) JDK-8002306: (se) Selector.open fails if invoked with thread interrupt status set [win] (P4) JDK-8165231: java.nio.Bits.unaligned() doesn't return true on ppc (P4) JDK-8028049: Tidy warnings cleanup for packages java.nio/java.io (P5) JDK-8068761: Test java/nio/channels/ServerSocketChannel/AdaptServerSocket.java failed with SocketTimeoutException core-libs/java.nio.charsets: (P2) JDK-8006799: Optimize sun.nio.cs.ISO_8859_1$Encode.encodeArrayLoop() (jdk part of 6896617) core-libs/java.rmi: (P2) JDK-8180582: After updating to Java8u131, the bind to rmiregistry is rejected by registryFilter even though registryFilter is set (P2) JDK-8237368: Problem with NullPointerException in RMI TCPEndpoint.read (P3) JDK-8186539: [testlibrary] TestSocketFactory should allow triggers before match/replace (P4) JDK-8005226: [TEST_BUG]: java/rmi/transport/pinClientSocketFactory/PinClientSocketFactory.java fails intermittently (P4) JDK-8185719: [testlibrary] rmi TestSocketFactory does not flush (P4) JDK-8202996: Remove debug print statements from RMI fix (P4) JDK-8022440: suppress deprecation warnings in sun.rmi core-libs/java.text: (P4) JDK-8021108: Clean up doclint warnings and errors in java.text package core-libs/java.time: (P2) JDK-8151876: (tz) Support tzdata2016d (P2) JDK-8166875: (tz) Support tzdata2016g (P2) JDK-8170316: (tz) Support tzdata2016j (P2) JDK-8177449: (tz) Support tzdata2017b (P2) JDK-8190258: (tz) Support tzdata2017c (P2) JDK-8195837: (tz) Upgrade time-zone data to tzdata2018c (P2) JDK-8213085: (tz) Upgrade Timezone Data to tzdata2018g (P2) JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766 (P3) JDK-8159684: (tz) Support tzdata2016f (P3) JDK-8169191: (tz) Support tzdata2016i (P3) JDK-8176044: (tz) Support tzdata2017a (P3) JDK-8274407: (tz) Update Timezone Data to 2021c (P3) JDK-8275766: (tz) Update Timezone Data to 2021e (P3) JDK-8224560: (tz) Upgrade Timezone Data to tzdata2019a (P3) JDK-8231098: (tz) Upgrade Timezone Data to tzdata2019c (P3) JDK-8243541: (tz) Upgrade Timezone Data to tzdata2020a (P3) JDK-8254177: (tz) Upgrade Timezone Data to tzdata2020b (P3) JDK-8254982: (tz) Upgrade Timezone Data to tzdata2020c (P3) JDK-8255226: (tz) Upgrade Timezone Data to tzdata2020d (P3) JDK-8260356: (tz) Upgrade Timezone Data to tzdata2021a (P3) JDK-8275849: TestZoneInfo310.java fails with tzdata2021e (P3) JDK-8225580: tzdata2018i integration causes test failures on jdk-13 (P4) JDK-8200359: (tz) Upgrade time-zone data to tzdata2018d (P4) JDK-8203233: (tz) Upgrade time-zone data to tzdata2018e (P4) JDK-8215982: (tz) Upgrade Timezone Data to tzdata2018i (P4) JDK-8228469: (tz) Upgrade Timezone Data to tzdata2019b (P4) JDK-8259048: (tz) Upgrade Timezone Data to tzdata2020f (P4) JDK-8190259: test tck.java.time.zone.TCKZoneRules is broken by tzdata2017c (P4) JDK-8274467: TestZoneInfo310.java fails with tzdata2021b (P4) JDK-8274468: TimeZoneTest.java fails with tzdata2021b core-libs/java.util: (P3) JDK-8146458: Improve exception reporting for Objects.checkIndex/checkFromToIndex/checkFromIndexSize (P3) JDK-7116997: Misc warnings in java.util.PropertyPermission (P3) JDK-8155794: Move Objects.checkIndex BiFunction accepting methods to an internal package (P3) JDK-8142493: Utility methods to check indexes and ranges doesn't specify behavior when function produces null (P4) JDK-7117249: clean up warnings in java.util.jar, .logging, .prefs (P4) JDK-7193406: Clean-up JDK Build Warnings in java.util, java.io (P4) JDK-8141243: Unexpected timezone returned after parsing a date (P4) JDK-7157893: Warnings Cleanup in java.util.* core-libs/java.util.concurrent: (P3) JDK-8021417: Fix doclint issues in java.util.concurrent (P3) JDK-8054446: Repeated offer and remove on ConcurrentLinkedQueue lead to an OutOfMemoryError (P4) JDK-8140587: Atomic*FieldUpdaters should use Class.isInstance instead of direct class check (P4) JDK-7103570: AtomicIntegerFieldUpdater does not work when SecurityManager is installed (P4) JDK-7117360: Warnings in java.util.concurrent.atomic package core-libs/java.util.jar: (P2) JDK-8189789: tomcat gzip-compressed response bodies appear to be broken in update 151 (P4) JDK-7098755: test/sun/misc/JarIndex/metaInfFilenames/Basic.java should use supported compiler interface (P4) JDK-8196854: TestFlushableGZIPOutputStream failing with IndexOutOfBoundsException (P4) JDK-8166248: tools/pack200/Pack200Test.java fails on Win32: Could not reserve enough space (P5) JDK-7143230: fix warnings in java.util.jar, sun.tools.jar, zipfs demo, etc. core-libs/java.util.logging: (P3) JDK-8153955: increase java.util.logging.FileHandler MAX_LOCKS limit core-libs/java.util.regex: (P3) JDK-6854417: [TEST_BUG]: java/util/regex/RegExTest.java fails intermittently core-libs/java.util:collections: (P3) JDK-8016252: More defensive HashSet.readObject (P4) JDK-6904367: (coll) IdentityHashMap is resized before exceeding the expected maximum size (P4) JDK-8068427: Hashtable deserialization reconstitutes table with wrong capacity core-libs/java.util:i18n: (P2) JDK-8202088: Japanese new era implementation (P2) JDK-8210153: localized currency symbol of VES (P2) JDK-8207152: Placeholder for Japanese new era should be two characters (P2) JDK-8195478: sun/text/resources/LocaleDataTest.java fails with java.lang.Exception (P3) JDK-8075667: (tz) Support tzdata2015b (P3) JDK-8077685: (tz) Support tzdata2015d (P3) JDK-8148446: (tz) Support tzdata2016a (P3) JDK-8206120: Add test cases for lenient Japanese era parsing (P3) JDK-8219890: Calendar.getDisplayName() returns empty string for new Japanese Era on some locales (P3) JDK-7092447: Clarify the default locale used in each locale sensitive operation (P3) JDK-8145952: Currency update needed for ISO 4217 Amendment #161 (P3) JDK-8164784: Currency update needed for ISO 4217 Amendment #162. (P3) JDK-8193552: ISO 4217 Amendment #165 Update (P3) JDK-8202026: ISO 4217 Amendment #166 Update (P3) JDK-8204269: ISO 4217 Amendment #167 Update (P3) JDK-8208746: ISO 4217 Amendment #168 Update (P3) JDK-8209775: ISO 4217 Amendment #169 Update (P3) JDK-8129361: ISO 4217 amendment 160 (P3) JDK-8218781: Localized names for Japanese Era Reiwa in COMPAT provider (P3) JDK-8003846: Override mechanism for currency data should not require creating currency.properties in java.home (P3) JDK-8205432: Replace the placeholder Japanese era name (P3) JDK-8187946: Support ISO 4217 Amendments 163 and 164 (P4) JDK-8208656: Move java/util/Calendar/CalendarTestScripts tests into OpenJDK (P4) JDK-8074350: Support ISO 4217 "Current funds codes" table (A.2) (P4) JDK-7117487: Warnings Cleanup: some i18n classes in java.util and sun.util core-libs/javax.naming: (P2) JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect (P2) JDK-8205330: InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection (P2) JDK-8211107: LDAPS communication failure with jdk 1.8.0_181 (P3) JDK-8210695: Create test to cover JDK-8205330 InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection (P3) JDK-8169465: Deadlock in com.sun.jndi.ldap.pool.Connections (P3) JDK-8149450: LdapCtx.processReturnCode() throwing Null Pointer Exception (P4) JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider (P4) JDK-8035105: DNS provider cleanups (P4) JDK-7059542: JNDI name operations should be locale independent core-libs/javax.script: (P4) JDK-8068279: (typo in the spec) javax.script.ScriptEngineFactory.getLanguageName (P4) JDK-7187144: JavaDoc for ScriptEngineFactory.getProgram() contains an error core-svc/debugger: (P2) JDK-8044419: [TEST_BUG]: com/sun/jdi/JdbReadTwiceTest.sh fails when run under root (P3) JDK-8027705: com/sun/jdi/JdbMethodExitTest.sh fails when a background thread is generating events. (P3) JDK-8197943: Unable to use JDWP API in JDK 8 to debug JDK 9 VM (P4) JDK-8074146: [TEST_BUG] jdb has succeded to read an unreadable file (P4) JDK-8036132: [TEST_BUG] Tab characters in test/com/sun/jdi files (P4) JDK-4858370: JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command core-svc/java.lang.instrument: (P3) JDK-8035054: JarFacade.c should not include ctype.h core-svc/java.lang.management: (P2) JDK-8077953: [TEST_BUG] com/sun/management/OperatingSystemMXBean/TestTotalSwap.java Compilation failed after JDK-8077387 (P2) JDK-8139870: sun.management.LazyCompositeData.isTypeMatched() fails for composite types with items of ArrayType (P3) JDK-8145982: JMXInterfaceBindingTest is failing intermittently (P3) JDK-8146015: JMXInterfaceBindingTest is failing intermittently for IPv6 addresses (P4) JDK-8034857: gcc warnings compiling src/solaris/native/sun/management (P4) JDK-7117570: Warnings in sun.mangement.* and its subpackages core-svc/javax.management: (P3) JDK-8065764: [TEST_BUG] javax/management/monitor/CounterMonitorTest.java hangs (P3) JDK-8064331: JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC (P4) JDK-6425769: Allow specifying an address to bind JMX remote connector (P4) JDK-8147857: RMIConnector logs attribute names incorrectly core-svc/tools: (P3) JDK-8075773: jps running as root fails after the fix of JDK-8050807 (P3) JDK-8140244: Port fix of JDK-8075773 to AIX and possibly MacOSX globalization/translation: (P3) JDK-8025215: jdk8 l10n resource file translation update 4 (P3) JDK-8059177: jdk8u40 l10n resource file translation update 1 (P3) JDK-8083601: jdk8u60 l10n resource file translation update 2 (P3) JDK-8025974: l10n for policytool (P4) JDK-8191840: Update localizations with positional arguments following JDK-8191137 hotspot/compiler: (P1) JDK-6675699: need comprehensive fix for unconstrained ConvI2L with narrowed type (P1) JDK-8072753: Nondeterministic wrong answer on arithmetic (P1) JDK-8177095: Range check dependent CastII/ConvI2L is prematurely eliminated (P1) JDK-8068881: SIGBUS in C2 compiled method weblogic.wsee.jaxws.framework.jaxrpc.EnvironmentFactory$SimulatedWsdlDefinitions. (P2) JDK-8215265: C2: range check elimination may allow illegal out of bound access (P2) JDK-8154831: CastII/ConvI2L for a range check is prematurely eliminated (P2) JDK-8050972: Concurrency problem in PcDesc cache (P2) JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool) (P2) JDK-8164480: Crash with assert(handler_address == SharedRuntime::compute_compiled_exc_handler(..) failed: Must be the same (P2) JDK-8161147: jvm crashes when -XX:+UseCountedLoopSafepoints is enabled (P2) JDK-8158260: PPC64: unaligned Unsafe.getInt can lead to the generation of illegal instructions (P3) JDK-8073735: [TEST_BUG] compiler/loopopts/CountedLoopProblem.java got OOME (P3) JDK-8078666: JVM fastdebug build compiled with GCC 5 asserts with "widen increases" (P3) JDK-8033168: PPC64: gcc 4.8 warning in output_c.cpp (P3) JDK-8149543: range check CastII nodes should not be split through Phi (P3) JDK-8174164: SafePointNode::_replaced_nodes breaks with irreducible loops (P3) JDK-8162603: Unrecognized VM option 'UseCountedLoopSafepoints' (P4) JDK-6869327: Add new C2 flag to keep safepoints in counted loops. (P4) JDK-8194859: Bad backport of 8024468 breaks Zero build due to lack of 8010862 in OpenJDK 7 (P4) JDK-8026796: Make replace_in_map() on parent maps generic (P4) JDK-8197981: Missing return statement in __sync_val_compare_and_swap_8 (P4) JDK-8185502: No overflow operator on OpenJDK 7 (P4) JDK-8185716: OpenJDK 7 PPC64 port uses a different ins_encode format in ppc.ad (P4) JDK-8019517: PPC64 (part 102): cppInterpreter: implement G1 support (P4) JDK-8019518: PPC64 (part 104) : cppInterpreter: implement support for compressed Oops (P4) JDK-8037915: PPC64/AIX: Several smaller fixes (P4) JDK-8033117: PPC64: Adapt to 8002074: Support for AES on SPARC (P4) JDK-8165807: PPC64: Backport PPC64 port to OpenJDK 7 (P4) JDK-8080190: PPC64: Fix wrong rotate instructions in the .ad file (P4) JDK-8035647: PPC64: Support for elf v2 abi. (P4) JDK-8139421: PPC64LE: MacroAssembler::bxx64_patchable kills register R12 (P4) JDK-8078482: ppc: pass thread to throw_AbstractMethodError (P4) JDK-8048703: ReplacedNodes dumps it's content to tty (P4) JDK-8042309: Some bugfixes for the ppc64 port. (P4) JDK-8002074: Support for AES on SPARC (P4) JDK-8145096: Undefined behaviour in HotSpot (P5) JDK-8008321: compile.cpp verify_graph_edges uses "bool" as "int" hotspot/gc: (P1) JDK-8180048: Interned string and symbol table leak memory during parallel unlinking (P1) JDK-8147087: Race when reusing PerRegionTable bitmaps may result in dropped remembered set entries (P2) JDK-8179084: HotSpot VM fails to start when AggressiveHeap is set (P3) JDK-8059661: [TEST_BUG] Test SoftReference and OOM behavior (P3) JDK-7112912: Message "Error occurred during initialization of VM" on boxes with lots of RAM (P4) JDK-8016302: Change type of the number of GC workers to unsigned int (2) (P4) JDK-8064786: Fix debug build after 8062808: Turn on the -Wreturn-type warning (P4) JDK-8161993: G1 crashes if active_processor_count changes during startup (P4) JDK-8048214: Linker error when compiling G1SATBCardTableModRefBS after include order changes (P4) JDK-8014489: tests/gc/arguments/Test(Serial|CMS|Parallel|G1)HeapSizeFlags jtreg tests invoke wrong class (P4) JDK-8062808: Turn on the -Wreturn-type warning (P5) JDK-8043723: max_heap_for_compressed_oops() declared with size_t, but defined with uintx hotspot/runtime: (P2) JDK-8207151: JVM 7u181 crash with SIGSEGV when Tomcat 7 starts (P2) JDK-8157548: JVM crashes sometimes while starting (P3) JDK-8170888: [linux] Experimental support for cgroup memory limits in container (ie Docker) environments (P3) JDK-8130183: InnerClasses: VM permits wrong inner_class_info_index value of zero (P3) JDK-8075118: JVM stuck in infinite loop during verification (P3) JDK-8059803: Update use of GetVersionEx to get correct Windows version in hs_err files (P4) JDK-8153673: [BACKOUT] JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command (P4) JDK-8087120: [GCC5] java.lang.StackOverflowError on Zero JVM initialization on non x86 platforms (P4) JDK-8034797: AIX: Fix os::naked_short_sleep() in os_aix.cpp after 8028280 (P4) JDK-8147910: Cache initial active_processor_count (P4) JDK-8048169: Change 8037816 breaks HS build on PPC64 and CPP-Interpreter platforms (P4) JDK-8187667: Disable deprecation warning for readdir_r (P4) JDK-8197510: fastdebug builds fail due to lack of p2i (P4) JDK-8202850: Fix for 8189123 doesn't include precompiled headers (P4) JDK-8035396: Introduce accessor for tmp_oop in frame. (P4) JDK-8226318: Placeholder for Class Loader improvements (P4) JDK-8050942: PPC64: implement template interpreter for ppc64le (P4) JDK-8036976: PPC64: implement the template interpreter (P4) JDK-8036767: PPC64: Support for little endian execution model (P4) JDK-8139258: PPC64LE: argument passing problem when passing 15 floats in native call (P4) JDK-8218798: slowdebug build broken by JDK-8205714 (P4) JDK-8150490: Update OS detection code to recognize Windows Server 2016 (P4) JDK-8143245: Zero build requires disabled warnings (P4) JDK-8197801: Zero debug build fails on "assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + extra_stack_entries + 1)) failed: bad stack limit" (P4) JDK-8154210: Zero: Better byte behaviour (P5) JDK-8078628: linux-zero does not build without precompiled header hotspot/svc: (P1) JDK-8072932: Test fails with java.security.AccessControlException: access denied ("java.security.SecurityPermission" "getDomainCombiner") (P3) JDK-8069590: AIX port of "8050807: Better performing performance data handling" (P4) JDK-8081475: SystemTap does not work when JDK is compiled with GCC 5 (P4) JDK-8004007: test/sun/tools/jinfo/Basic.sh fails on when runSA is set to true infrastructure: (P2) JDK-8068491: Update the protocol for references of docs.oracle.com to HTTPS. (P4) JDK-8173849: [TEST] Fix use of java.util.Base64 in test cases (P4) JDK-8173854: [TEST] Update DHEKeySizing test case following 8076328 & 8081760 infrastructure/build: (P2) JDK-7069870: Parts of the JDK erroneously rely on generic array initializers with diamond (P3) JDK-8074312: Enable hotspot builds on 4.x Linux kernels (P3) JDK-7172012: Make test-in-build an option (Queens) (P4) JDK-8147466: Add -fno-strict-overflow to IndicRearrangementProcessor{,2}.cpp (P4) JDK-8167144: AIX: 8022507: SIGSEGV at ParMarkBitMap::verify_clear() (P4) JDK-8167198: AIX: Changes to make AIX compile after latest upstream changes (P4) JDK-8133966: Allow OpenJDK to build on PaX-enabled kernels (P4) JDK-8151841: Build needs additional flags to compile with GCC 6 (P4) JDK-8232643: Building error in jdk7u241 after 7068616 (P4) JDK-8043029: Change 8037816 breaks HS build with older GCC versions which don't support diagnostic pragmas (P4) JDK-7068617: Core libraries don't build with javac -Xlint:all -Werror (P4) JDK-7060849: Eliminate pack200 build warnings (P4) JDK-8133967: Fix build where PAX_COMMAND is not specified (P4) JDK-8222449: freetypecheck compares versions using lexicographic comparison (P4) JDK-8076506: Increment minor version of HSx for 7u91 and initialize the build number (P4) JDK-8131181: Increment minor version of HSx for 7u95 and initialize the build number (P4) JDK-8068674: Increment minor version of HSx for 8u51 and initialize the build number (P4) JDK-8078529: Increment the build value to b02 for hs25.51 in 8u51-b10 (P4) JDK-8081622: Increment the build value to b03 for hs25.51 in 8u51-b15 (P4) JDK-8196978: JDK-8187667 fails on GCC 4.4.7 as found on RHEL 6 (P4) JDK-7072353: JNDI libraries do not build with javac -Xlint:all -Werror (P4) JDK-7068616: NIO libraries do not build with javac -Xlint:all,-deprecation -Werror (P4) JDK-8133970: Only apply PaX-marking when needed by a running PaX kernel (P4) JDK-7077389: Reflection classes do not build with javac -Xlint:all -Werror (P4) JDK-8217753: Remove Linux version check from HotSpot builds (P4) JDK-7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror infrastructure/licensing: (P2) JDK-8213154: Update copyright headers of files in src tree that are missing Classpath exception other-libs/corba: (P2) JDK-8164908: ReflectionFactory support for IIOP and custom serialization (P4) JDK-8167335: Fix build on Linux with 64kb default page size (P4) JDK-8200760: java.security-linux was missed in backport of JDK-8160104 other-libs/other: (P3) JDK-7104650: rawtype warnings in several net, nio and security source files (P4) JDK-8142927: Feed some text to STDIN in ProcessTools.executeProcess() (P4) JDK-7116722: Miscellaneous warnings sun.misc ( and related classes ) (P4) JDK-8000970: Multi-core compilation of the jdk is prevented by auxiliary classes hidden inside java source files. (P4) JDK-8142926: OutputAnalyzer's shouldXXX() calls return this (P4) JDK-7117357: Warnings in sun.instrument, tools and other sun.* classes security-libs: (P3) JDK-8006951: Avoid storing duplicate PKCS12 attributes (P3) JDK-8017325: Cleanup of the javadoc tag in java.security.cert (P3) JDK-8017326: Cleanup of the javadoc tag in java.security.spec (P3) JDK-8158116: com/sun/crypto/provider/KeyAgreement/SupportedDHParamGens.java failed with timeout (P3) JDK-8190690: Impact on krb5 test cases in the 8u nightly (P3) JDK-8057810: New defaults for DSA keys in jarsigner and keytool (P4) JDK-8191845: [TEST_BUG] Too many new-lines in backport of WeakAlg test (P4) JDK-8033271: Manual security tests have @ignore rather than @run main/manual (P4) JDK-8165463: Native implementation of sunmscapi should use operator new (nothrow) for allocations (P4) JDK-8007607: security native code doesn't always use malloc, realloc, and calloc correctly security-libs/java.security: (P1) JDK-8029788: Certificate validation - java.lang.ClassCastException (P1) JDK-8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID (P2) JDK-8021191: Add isAuthorized check to limited doPrivileged methods (P2) JDK-8167591: Add MD5 to signed JAR restrictions (P2) JDK-8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions (P2) JDK-8049171: Additional tests for jarsigner's warnings (P2) JDK-8216280: Allow later Symantec Policy distrust date for two Apple SubCAs (P2) JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR (P2) JDK-8175251: Failed to load RSA private key from pkcs12 (P2) JDK-8184673: Fix compatibility issue in AlgorithmChecker for 3rd party JCE providers (P2) JDK-8176536: Improved algorithm constraints checking (P2) JDK-8184993: Jar file verification failing with SecurityException: digest missing xxx (P2) JDK-8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar (P2) JDK-8005408: KeyStore API enhancements (P2) JDK-8177569: keytool should not warn if signature algorithm used in cacerts is weak (P2) JDK-8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms (P2) JDK-8050374: More Signature tests (P2) JDK-8041787: Need new regressions tests for buffer handling for PBE algorithms (P2) JDK-8010112: NullPointerException in sun.security.provider.certpath.CertId() (P2) JDK-8062552: Support keystore type detection for JKS and PKCS12 keystores (P3) JDK-8166362: [TEST_BUG] test sun/net/www/http/HttpClient/B8025710.java failing with cert error in 8u121 b01 (P3) JDK-8014097: add doPrivileged methods with limited privilege scope (P3) JDK-8038837: Add support to jarsigner for specifying timestamp hash algorithm (P3) JDK-8165367: Additional tests for JEP 288: Disable SHA-1 Certificates (P3) JDK-8007483: attributes are ignored when loading keys from a PKCS12 keystore (P3) JDK-7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException (P3) JDK-8178728: Check the AlgorithmParameters in algorithm constraints (P3) JDK-8019360: Cleanup of the javadoc tag in java.security.* (P3) JDK-7162687: enhance KDC server availability detection (P3) JDK-8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 (P3) JDK-8130132: jarsigner should emit warning if weak algorithms or keysizes are used (P3) JDK-8191438: jarsigner should print when a timestamp will expire (P3) JDK-8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires (P3) JDK-8191137: keytool fails to format resource strings for keys for some languages after JDK-8171319 (P3) JDK-8179564: Missing @bug for tests added with JDK-8165367 (P3) JDK-6953295: Move few sun.security.{util, x509, pkcs} classes used by keytool/jarsigner to another package (P3) JDK-7044060: Need to support NSA Suite B Cryptography algorithms (P3) JDK-8015571: OCSP validation fails if ocsp.responderCertSubjectName is set (P3) JDK-8006946: PKCS12 test failure due to incorrect alias name (P3) JDK-8149411: PKCS12KeyStore cannot extract AES Secret Keys (P3) JDK-7142339: PKCS7.java is needlessly creating SHA1PRNG SecureRandom instances when timestamping is not done (P3) JDK-8039921: SHA1WithDSA with key > 1024 bits not working (P3) JDK-7187051: ShortRSAKey1024.sh tests should do cleanup before start test (P3) JDK-7184246: Simplify Config.get() of krb5 (P3) JDK-8153146: sun/security/krb5/auto/MaxRetries.java failed with timeout (P3) JDK-8023546: sun/security/mscapi/ShortRSAKey1024.sh fails intermittently (P3) JDK-8137255: sun/security/provider/NSASuiteB/TestDSAGenParameterSpec.java timeouts intermittently (P3) JDK-8159805: sun/security/tools/jarsigner/warnings/NoTimestampTest.java fails after JDK-8027781 (P3) JDK-8157898: SupportedDSAParamGen.java failed with timeout (P3) JDK-8146377: test/sun/security/tools/jarsigner/concise_jarsigner.sh failing (cert expired?) (P3) JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream (P3) JDK-8037550: Update RFC references in javadoc to RFC 5280 (P3) JDK-8161571: Verifying ECDSA signatures permits trailing bytes (P4) JDK-7024771: "\\<>" in attribute value part of X500Principal constructor parameter makes strange effect (P4) JDK-8146477: [TEST_BUG] ClientJSSEServerJSSE.java failing again (P4) JDK-8146967: [TEST_BUG] javax/security/auth/SubjectDomainCombiner/Optimize.java should use 4-args ProtectionDomain constructor (P4) JDK-8181841: A TSA server returns timestamp with precision higher than milliseconds (P4) JDK-6637288: Add OCSP support to PKIX CertPathBuilder implementation (P4) JDK-7196855: autotest.sh fails on ubuntu because libsoftokn.so not found (P4) JDK-8164846: CertificateException missing cause of underlying exception (P4) JDK-8006994: Cleanup PKCS12 tests to ensure streams get closed (P4) JDK-7198901: correct the field size check when decoding a point on ECC curve (P4) JDK-7115744: Do not call File::deleteOnExit in security tests (P4) JDK-6995421: Eliminate the static dependency to sun.security.ec.ECKeyFactory (P4) JDK-8076117: EndEntityChecker should not process custom extensions after PKIX validation (P4) JDK-8022439: Fix lint warnings in sun.security.ec (P4) JDK-8133991: Fix mistake in 8075374 backport (P4) JDK-7175041: HttpTimestamper should accept https URI (P4) JDK-8006863: javadoc cleanup for 8005408 (P4) JDK-8029659: Keytool, print key algorithm of certificate or key entry (P4) JDK-7111579: klist starttime, renewtill, ticket etype (P4) JDK-7192202: Make sure keytool prints both unknown and unparseable extensions (P4) JDK-7152176: More krb5 tests (P4) JDK-8143913: MSCAPI keystore should accept Certificate[] in setEntry() (P4) JDK-8028591: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString() (P4) JDK-8027781: New jarsigner timestamp warning is grammatically incorrect (P4) JDK-7054969: Null-check-in-finally pattern in java/security documentation (P4) JDK-8028431: NullPointerException in DerValue.equals(DerValue) (P4) JDK-8079129: NullPointerException in PKCS#12 Keystore in PKCS12KeyStore.java (P4) JDK-7152582: PKCS11 tests should use the NSS libraries available in the OS (P4) JDK-7167988: PKIX CertPathBuilder in reverse mode doesn't work if more than one trust anchor is specified (P4) JDK-8147969: Print size of DH keysize when errors are encountered (P4) JDK-8035974: Refactor DigestBase.engineUpdate() method for better code generation by JIT compiler (P4) JDK-7102686: Restructure timestamp code so that jars and modules can more easily share the same code (P4) JDK-7126011: ReverseBuilder.getMatchingCACerts may throws NPE (P4) JDK-6854712: Revocation checking enhancements (JEP-124) (P4) JDK-7088502: Security libraries don't build with javac -Werror (P4) JDK-7194449: String resources for Key Tool and Policy Tool should be in their respective packages (P4) JDK-8139436: sun.security.mscapi.KeyStore might load incomplete data (P4) JDK-8176183: sun/security/mscapi/SignedObjectChain.java fails on Windows (P4) JDK-7142888: sun/security/tools/jarsigner/ec.sh fail on sparc (P4) JDK-7081817: test/sun/security/provider/certpath/X509CertPath/IllegalCertiticates.java failing (P4) JDK-7152169: TEST_BUG: sun/security/tools/jarsigner/ec.sh occasionally fail due to keytool error on sparc (P4) JDK-8049834: Two security tools tests do not run with only JRE (P4) JDK-7194075: Various classes of sunec.jar are duplicated in rt.jar (P5) JDK-7147336: clarification on warning of keytool -printcrl (P5) JDK-6880619: reg test for 6879540 security-libs/javax.crypto: (P2) JDK-8075286: Additional tests for signature algorithm OIDs and transformation string (P2) JDK-8170157: Enable unlimited cryptographic policy by default in Oracle JDK builds (P2) JDK-8048819: Implement reliability test for DH algorithm (P2) JDK-8041781: Need new regression tests for PBE keys (P2) JDK-8044193: Need to add tests for AES cipher (P2) JDK-8072452: Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits (P2) JDK-8048601: Tests for JCE crypto ciphers (part 1) (P3) JDK-8170245: [TEST_BUG] Cipher tests fail when running with unlimited policy (P3) JDK-8196952: Bad primeCertainty value setting in DSAParameterGenerator (P3) JDK-8207775: Better management of CipherCore buffers (P3) JDK-8208583: Better management of internal KeyStore buffers (P3) JDK-8203228: Branch-free output conversion for X25519 and X448 (P3) JDK-8012900: CICO ignores AAD in GCM mode (P3) JDK-8209862: CipherCore performance improvement (P3) JDK-8064546: CipherInputStream throws BadPaddingException if stream is not fully read (P3) JDK-8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73) (P3) JDK-8181594: Efficient and constant-time modular arithmetic (P3) JDK-8019772: Fix doclint issues in javax.crypto and javax.security subpackages (P3) JDK-4963723: Implement SHA-224 (P3) JDK-6483657: MSCAPI provider does not create unique alias names (P3) JDK-8165751: NPE hit with java.security.debug=provider (P3) JDK-6383200: PBE: need new algorithm support in password based encryption (P3) JDK-8035166: Remove dependency on EC classes from pkcs11 provider (P3) JDK-8157561: Ship the unlimited policy files in JDK Updates (P3) JDK-8182999: SunEC throws ProviderException on invalid curves (P3) JDK-8157603: TestCipher.java doesn't check one of the decrypted message as expected (P4) JDK-8190449: [TEST_BUG] sun/security/pkcs11/KeyPairGenerator/TestDH2048.java fails on Solaris x64 5.10 (P4) JDK-8001419: Build the JCE portion of JDK-8000970 (P4) JDK-7171982: Cipher getParameters() throws RuntimeException: Cannot find SunJCE provider (P4) JDK-8208648: ECC Field Arithmetic Enhancements (P4) JDK-8029475: Fix more doclint issues in javax.security (P4) JDK-8209129: Further improvements to cipher buffer management (P4) JDK-8150530: Improve javax.crypto.BadPaddingException messages (P4) JDK-8208698: Improved ECC Implementation (P4) JDK-8183591: Incorrect behavior when reading DER value with Integer.MAX_VALUE length (P4) JDK-8219570: JDK-6383200 wrongly extends PBEParameterSpec API (P4) JDK-8158517: Minor optimizations to ISO10126PADDING (P4) JDK-8162344: The API changes made by CR 7064075 need to be reverted (P4) JDK-7065233: To interpret case-insensitive string locale independently (P4) JDK-8201317: X25519/X448 code improvements (P5) JDK-8098854: Do cleanup in a proper order in sunmscapi code security-libs/javax.crypto:pkcs11: (P2) JDK-8048357: PKCS basic tests (P2) JDK-8143377: Test PKCS8Test.java fails (P3) JDK-8134232: KeyStore.load() throws an IOException with a wrong cause in case of wrong password (P3) JDK-6414899: P11Digest should support cloning (P3) JDK-7196382: PKCS11 provider should support 2048-bit DH (P4) JDK-8078348: [TEST_BUG] sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with BindException (P4) JDK-8034856: gcc warnings compiling src/solaris/native/sun/security/pkcs11 (P4) JDK-8051972: sun/security/pkcs11/ec/ReadCertificates.java fails intermittently (P5) JDK-8203182: Release session if initialization of SunPKCS11 Signature fails security-libs/javax.net.ssl: (P1) JDK-7093640: Enable client-side TLS 1.2 by default (P1) JDK-8173783: IllegalArgumentException: jdk.tls.namedGroups (P2) JDK-8167459: Add debug output for indicating if a chosen ciphersuite was legacy (P2) JDK-8167472: Chrome interop regression with JDK-8148516 (P2) JDK-8202343: Disable TLS 1.0 and 1.1 (P2) JDK-8074462: Handshake messages can be strictly ordered (P2) JDK-8148516: Increase the minimum strength of EC keys (P2) JDK-8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be updated for JDK-8061210 (P2) JDK-8132082: Let OracleUcrypto accept RSAPrivateKey (P2) JDK-6956398: make ephemeral DH key match the length of the certificate key (P2) JDK-8049432: New tests for TLS property jdk.tls.client.protocols (P2) JDK-8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883 (P2) JDK-8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension (P3) JDK-8146387: [TEST BUG] Test SSLSession/SessionCacheSizeTests socket accept timed out (P3) JDK-8022228: [TEST_BUG] Intermittent test failures in sun/security/ssl/javax/net/ssl/NewAPIs (P3) JDK-8170131: Certificates not being blocked by jdk.tls.disabledAlgorithms property (P3) JDK-8208350: Disable all DES cipher suites (P3) JDK-8211883: Disable anon and NULL cipher suites (P3) JDK-8207258: Distrust TLS server certificates anchored by Symantec Root CAs (P3) JDK-8133070: Hot lock on BulkCipher.isAvailable (P3) JDK-8193683: Increase the number of clones in the CloneableDigest (P3) JDK-8162362: Introduce system property to control enabled ciphersuites (P3) JDK-8076369: Introduce the jdk.tls.client.protocols system property for JDK 7u (P3) JDK-8163237: Restrict the use of EXPORT cipher suites (P3) JDK-8203190: SessionId.hashCode generates too many collisions (P3) JDK-8024068: sun/security/ssl/javax/net/ssl/ServerName/IllegalSNIName.java fails (P3) JDK-8029661: Support TLS v1.2 algorithm in SunPKCS11 provider (P3) JDK-8146669: Test SessionTimeOutTests fails intermittently (P3) JDK-8163326: Update the default enabled cipher suites preference (P3) JDK-8170035: When determining the ciphersuite lists there is no debug output for disabled suites. (P4) JDK-8037557: [TEST BUG] test SessionCacheSizeTests.java timeout (P4) JDK-8164533: [TEST_BUG] sun/security/ssl/SSLSocketImpl/CloseSocket.java failed with "Error while cleaning up threads after test" (P4) JDK-7105780: Add SSLSocket client/SSLEngine server to templates directory (P4) JDK-8193892: Impact of noncloneable MessageDigest implementation (P4) JDK-8026119: Regression test DHEKeySizing.java failing intermittently (P4) JDK-6996372: synchronizing handshaking hash. (P4) JDK-8144313: Test SessionTimeOutTests can be timeout (P4) JDK-8019341: Update CookieHttpsClientTest to use the newer framework. (P4) JDK-8156502: Use short name of SupportedEllipticCurvesExtension.java security-libs/javax.security: (P2) JDK-8075299: Additional tests for krb5 settings (P2) JDK-8048147: Privilege tests with JAAS Subject.doAs (P2) JDK-8075301: Tests for sun.security.krb5.principal system property (P3) JDK-8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes (P3) JDK-8200400: Allow Sasl mechanisms to be restricted (P3) JDK-8240621: Build failure on Windows after JDK-8044500 (P3) JDK-8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace (P4) JDK-8020557: javadoc cleanup in javax.security (P4) JDK-8028780: JDK KRB5 module throws OutOfMemoryError when CCache is corrupt (P4) JDK-8229767: Typo in java.security: Sasl.createClient and Sasl.createServer (P4) JDK-8163104: Unexpected NPE still possible on some Kerberos ticket calls (P4) JDK-8147772: Update KerberosTicket to describe behavior if it has been destroyed and fix NullPointerExceptions security-libs/javax.smartcardio: (P3) JDK-6474807: (smartcardio) CardTerminal.connect() throws CardException instead of CardNotPresentException (P4) JDK-8050893: (smartcardio) Invert reset argument in tests in sun/security/smartcardio (P4) JDK-8059212: Modify sun/security/smartcardio manual regression tests so that they do not just fail if no cardreader found security-libs/javax.xml.crypto: (P1) JDK-8022120: JCK test api/javax_xml/crypto/dsig/TransformService/index_ParamMethods fails (P2) JDK-8151893: Add security property to configure XML Signature secure validation mode (P3) JDK-8149029: Secure validation of XML based digital signature always enabled when checking wrapping attacks (P3) JDK-8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits (P3) JDK-8011547: Update XML Signature implementation to Apache Santuario 1.5.4 (P3) JDK-8012288: XML DSig API allows wrong tag names and extra elements in SignedInfo (P3) JDK-8049244: XML Signature performance issue caused by unbuffered signature data (P4) JDK-8038184: XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String security-libs/jdk.security: (P3) JDK-8185628: Backport jdk/test/lib/testlibrary/CompilerUtils.java to jdk8u which is helpful in test development (P3) JDK-8172529: Use PKIXValidator in jarsigner (P4) JDK-8173622: Backport of 7180907 is incomplete security-libs/org.ietf.jgss: (P2) JDK-8078439: SPNEGO auth fails if client proposes MS krb5 OID (P3) JDK-8187218: GSSCredential.getRemainingLifetime() returns negative value for TTL > 24 days. (P3) JDK-8014310: JAAS/Krb5LoginModule using des encytypes failure with NPE after JDK-8012679 (P3) JDK-8197518: Kerberos krb5 authentication: AuthList's put method leads to performance issue (P4) JDK-8048194: GSSContext.acceptSecContext fails when a supported mech is initiator preferred security-libs/org.ietf.jgss:krb5: (P2) JDK-8075297: Tests for RFEs 4515853 and 4745056 (P3) JDK-8132111: Do not request for addresses for forwarded TGT (P3) JDK-8031111: fix krb5 caddr (P3) JDK-8131051: KDC might issue a renewable ticket even if not requested (P3) JDK-8186831: Kerberos ignores PA-DATA with a non-null s2kparams (P3) JDK-8201627: Kerberos sequence number issues (P3) JDK-8036971: krb5.conf does not accept directive lines before the first section (P3) JDK-8017453: ReplayCache tests fail on multiple platforms (P3) JDK-8036779: sun.security.krb5.KdcComm interprets kdc_timeout as msec instead of sec (P3) JDK-8087144: sun/security/krb5/auto/MaxRetries.java fails with Retry count is -1 less (P4) JDK-7172701: KDC tests cleanup (P4) JDK-8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime (P4) JDK-8012679: Let allow_weak_crypto default to false (P4) JDK-8011124: Make KerberosTime immutable (P4) JDK-6966259: should a principalname object always have a realm? (P4) JDK-8077670: sun/security/krb5/auto/MaxRetries.java may fail with BindException (P4) JDK-8186884: Test native KDC, Java krb5 lib, and native krb5 lib in one test tools: (P4) JDK-8237604: [TEST_BUG] sun/security/tools/jarsigner/EntriesOrder.java not adapted for changes in JDK-7194449 tools/jar: (P4) JDK-8078668: jar usage string mentions unsupported option tools/javadoc(tool): (P2) JDK-8024756: method grouping tabs are not selectable (P3) JDK-6978886: javadoc shows stacktrace after print error resulting from disk full (P3) JDK-8008949: javadoc stopped copying doc-files (P4) JDK-8001669: javadoc internal DocletAbortException should set cause when appropriate (P4) JDK-8000418: javadoc should used a standard "generated by javadoc" string (P4) JDK-8000666: javadoc should write directly to Writer instead of composing strings (P4) JDK-8000673: remove dead code from HtmlWriter and subtypes tools/jconsole: (P4) JDK-7015157: String "Tabular Navigation" should be rephrased for avoiding mistranslation tools/launcher: (P4) JDK-7127906: (launcher) convert the launcher regression tests to java xml/javax.xml.parsers: (P2) JDK-8029955: AIOB in XMLEntityScanner.scanLiteral upon parsing literals with > 100 LF chars xml/jaxb: (P2) JDK-8046817: JDK 8 schemagen tool does not generate xsd files for enum types (P3) JDK-8073357: schema1.xsd has wrong content. Sequence of the enum values has been changed (P3) JDK-8159240: XSOM parser incorrectly processes type names with whitespaces xml/jaxp: (P2) JDK-8076290: JCK test api/xsl/conf/string/string17 starts failing after JDK-8074297 (P3) JDK-8073385: Bad error message on parsing illegal character in XML attribute (P3) JDK-8167179: Make XSL generated namespace prefixes local to transformation process (P3) JDK-8074297: substring in XSLT returns wrong character if string contains supplementary chars (P3) JDK-8144593: Suppress not recognized property/feature warning messages from SAXParser (P4) JDK-8185501: Missing import in JAXP code