RELEASE NOTES FOR: openjdk8u252 ==================================================================================================== Notes generated: Wed Jul 02 07:52:14 CEST 2025 Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry. JAVA ENHANCEMENT PROPOSALS (JEP): None. RELEASE NOTES: security-libs/org.ietf.jgss:krb5: JDK-8005819: Support cross-realm MSSFU The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments. By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms. [1] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94 security-libs/javax.security: JDK-8200400: Allow SASL Mechanisms to Be Restricted A security property named `jdk.sasl.disabledMechanisms` has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the `mechanisms` argument of `Sasl.createSaslClient` or the `mechanism` argument of `Sasl.createSaslServer`. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box. client-libs/2d: JDK-8143849: Marlin Renderer in JDK 8u Starting from version 8u311, the Marlin graphics rasterizer and its artifacts will be built and distributed as a part of the JDK/JRE bundles. It is not the default rendering engine, however there is an option to enable it by setting the following system property: `sun.java2d.renderer=sun.java2d.marlin.MarlinRenderingEngine` hotspot/svc: JDK-8144732: Binary format for HPROF updated When dumping the heap in binary format, HPROF format 1.0.2 is always used now. Previously, format 1.0.1 was used for heaps smaller than 2GB. HPROF format 1.0.2 is also used by jhsdb jmap for the serviceability agent. security-libs/javax.crypto: JDK-8205445: RSASSA-PSS Signature Support Added to SunMSCAPI The RSASSA-PSS signature algorithm support has been added to the SunMSCAPI provider. security-libs/java.security: JDK-8146293: Added Support for PKCS#1 v2.2 Algorithms Including RSASSA-PSS Signature The SunRsaSign and SunJCE providers have been enhanced with support for more algorithms defined in PKCS#1 v2.2, such as RSASSA-PSS signature and OAEP using FIPS 180-4 digest algorithms. New constructors and methods have been added to relevant JCA/JCE classes under the `java.security.spec` and `javax.crypto.spec` packages for supporting additional RSASSA-PSS parameters. ALL FIXED ISSUES, BY COMPONENT AND PRIORITY: client-libs: (P4) JDK-8231991: Mouse wheel change focus on awt/swing windows client-libs/2d: (P2) JDK-8227662: freetype seeks to index at the end of the font data (P2) JDK-8145055: Marlin renderer causes unaligned write accesses (P2) JDK-8144526: Remove Marlin logging use of deleted internal API (P2) JDK-8232154: Update Mesa 3-D Headers to version 19.2.1 (P3) JDK-8241307: Marlin renderer should not be the default in 8u252 (P4) JDK-8144446: Automate the Marlin crash test (P4) JDK-8144654: Improve Marlin logging (P4) JDK-8235904: Infinite loop when rendering huge lines (P4) JDK-8143849: Integrate Marlin renderer per JEP 265 (P4) JDK-8144445: Maximum size checking in Marlin ArrayCache utility methods is not optimal (P4) JDK-8144718: Pisces / Marlin Strokers may generate invalid curves with huge coordinates and round joins (P4) JDK-8144630: Use PrivilegedAction to create Thread in Marlin RendererStats client-libs/java.awt: (P3) JDK-8038631: Create wrapper for awt.Robot with additional functionality (P3) JDK-8215756: Memory leaks in the AWT on macOS (P3) JDK-8234107: Several AWT modal dialog tests failing on Linux after JDK-8231991 client-libs/javax.swing: (P2) JDK-8230235: Rendering HTML with empty img attribute and documentBaseKey cause Exception (P3) JDK-8223158: Docked MacBook cannot start any Java Swing applications (P4) JDK-8235744: PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64 core-libs/java.io: (P4) JDK-8229022: BufferedReader performance can be improved by using StringBuilder core-libs/java.lang: (P2) JDK-8240521: Revert backport of 8231584: Deadlock with ClassLoader.findLibrary and System.loadLibrary call core-libs/java.net: (P2) JDK-8068184: Fix for JDK-8032832 caused a deadlock (P4) JDK-8150460: (linux|bsd|aix)_close.c: file descriptor table may become large or may not work at all core-libs/java.nio: (P3) JDK-8216472: (se) Stack overflow during selection operation leads to crash (win) (P3) JDK-8034773: (zipfs) newOutputstream uses CREATE_NEW when no options specified (P3) JDK-8028480: (zipfs) NoSuchFileException on creating a file in ZipFileSystem with CREATE and WRITE (P4) JDK-8219597: (bf) Heap buffer state changes could provoke unexpected exceptions (P4) JDK-8232003: (fs) Files.write can leak file descriptor in the exception case (P4) JDK-8229872: (fs) Increase buffer size used with getmntent (P4) JDK-7143743: (zipfs) Potential memory leak with zip provider core-libs/java.rmi: (P2) JDK-8237368: Problem with NullPointerException in RMI TCPEndpoint.read core-libs/java.util: (P3) JDK-8056313: TEST_BUG: java/util/Timer/NameConstructors.java fails intermittently core-libs/java.util:i18n: (P4) JDK-8150432: java/util/Locale/LocaleProviders.sh failed on Win10. (P4) JDK-8234288: Turkey Time Zone returns incorrect time zone name hotspot/compiler: (P2) JDK-8181872: C1: possible overflow when strength reducing integer multiply by constant (P3) JDK-8233023: assert(Opcode() == mem->Opcode() || phase->C->get_alias_index(adr_type()) == Compile::AliasIdxRaw) failed: no mismatched stores, except on raw memory (P3) JDK-8236179: C1 register allocation failure with T_ADDRESS (P3) JDK-8231430: C2: Memory stomp in max_array_length() for T_ILLEGAL type (P3) JDK-8146792: Predicate moved after partial peel may lead to broken graph (P3) JDK-8191227: Unsafe handle resolution in ConstantOopWriteValue::write_on() / print_on() and LIR_Assembler::jobject2reg() (P4) JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT (P4) JDK-8033215: clang: node.cpp:284 IDX_INIT macro use uninitialized field _out (P4) JDK-8167409: Invalid value passed to critical JNI function hotspot/gc: (P4) JDK-8135318: CMS: wrong max_eden_size for check_gc_overhead_limit (P4) JDK-8055283: Expand ResourceHashtable with C_HEAP allocation, removal and some unit tests hotspot/runtime: (P2) JDK-8229345: Memory leak due to vtable stubs not being shared on SPARC (P2) JDK-8047212: runtime/ParallelClassLoading/bootstrap/random/inner-complex assert(ObjectSynchronizer::verify_objmon_isinpool(inf)) failed: monitor is invalid (P2) JDK-8241296: Segfault in JNIHandleBlock::oops_do() (P4) JDK-8231201: hs_err should print coalesced safepoint operations in Events section (P4) JDK-8234264: Incorrect 8047434 JDK 8 backport in 8219677 (P4) JDK-8219244: NMT: Change ThreadSafepointState's allocation type from mtInternal to mtThread (P4) JDK-8041620: Solaris Studio 12.4 C++ 5.13 change in behavior for placing friend declarations within surrounding scope (P4) JDK-8232355: Two obsolete flags have the wrong obsolete version in 8u hotspot/svc: (P2) JDK-8144732: VM_HeapDumper hits assert with bad dump_len hotspot/svc-agent: (P3) JDK-8235637: jhsdb jmap from OpenJDK 11.0.5 doesn't work if prelink is enabled infrastructure/build: (P2) JDK-8233995: java.vm.vendor (and potentially other properties/fields) not correctly set in Windows/Hotspot build of OpenJDK8 (P3) JDK-8237523: 8u backport of JDK-8216354 didn't include generated-configure.sh changes (P3) JDK-8225392: Comparison builds are failing due to cacerts file (P3) JDK-8216354: Syntax error in toolchain_windows.m4 (P4) JDK-8227397: Add --with-extra-asflags configure option (P4) JDK-8235142: JDK-8193255 backport broke bootstrap with JDK 10 (P4) JDK-8193255: Root Certificates should be stored in text format and assembled at build time (P4) JDK-8022263: use same Clang warnings on BSD as on Linux security-libs: (P1) JDK-8241823: SignedObject throws NullPointerException for null keys with an initialized Signature object (P4) JDK-8132130: Some docs cleanup (P4) JDK-8233404: System property to set the number of PBE iterations in JCEKS keystores security-libs/java.security: (P2) JDK-8146293: Add support for RSASSA-PSS Signature algorithm (P2) JDK-8230978: Add support for RSASSA-PSS Signature algorithm (Java SE 8) (P2) JDK-8205720: KeyFactory#getKeySpec and translateKey throws NullPointerException with Invalid key (P2) JDK-8197441: Signature#initSign/initVerify for an invalid private/public key fails with ClassCastException for SunPKCS11 provider (P2) JDK-8225180: SignedObject with invalid Key not throwing the InvalidKeyException in Windows (P2) JDK-8175029: StackOverflowError in X509CRL and X509Certificate.verify(PublicKey, Provider) (P2) JDK-8234245: sun/security/lib/cacerts/VerifyCACerts.java fails due to wrong checksum (P3) JDK-8236470: Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId (P3) JDK-8215694: keytool cannot generate RSASSA-PSS certificates (P3) JDK-8225745: NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support (P3) JDK-8206171: Signature#getParameters for RSASSA-PSS throws ProviderException when not initialized (P3) JDK-8214096: sun.security.util.SignatureUtil passes null parameter, so JCE validation fails (P3) JDK-8166976: TestCipherPBECons has wrong @run line (P4) JDK-8225130: Add exception for expiring Comodo roots to VerifyCACerts test (P4) JDK-8225128: Add exception for expiring DocuSign root to VerifyCACerts test (P4) JDK-8218553: Enhance keystore load debug output security-libs/javax.crypto: (P2) JDK-8205445: Add RSASSA-PSS Signature support to SunMSCAPI (P3) JDK-8223003: SunMSCAPI keys are not cleaned up (P3) JDK-8238502: sunmscapi.dll causing EXCEPTION_ACCESS_VIOLATION (P4) JDK-8193262: JNI array not released in libsunmscapi convertToLittleEndian (P4) JDK-8213009: Refactoring existing SunMSCAPI classes (P4) JDK-8223063: Support CNG RSA keys (P4) JDK-8213010: Supporting keys created with certmgr.exe (P4) JDK-8221407: Windows 32bit build error in libsunmscapi/security.cpp security-libs/javax.net.ssl: (P1) JDK-8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension (P2) JDK-8158978: ALPN not working when values are set directly on a SSLServerSocket (P2) JDK-8170282: Enable ALPN parameters to be supplied during the TLS handshake (P2) JDK-8230977: JEP 244: TLS Application-Layer Protocol Negotiation Extension (Java SE 8) (P2) JDK-8216039: TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange (P3) JDK-8171443: (spec) An ALPN callback function may also ignore ALPN (P3) JDK-8145849: ALPN: getHandshakeApplicationProtocol() always return null (P3) JDK-8218580: endpoint identification algorithm should be case-insensitive security-libs/javax.security: (P3) JDK-8200400: Allow Sasl mechanisms to be restricted (P4) JDK-8229767: Typo in java.security: Sasl.createClient and Sasl.createServer security-libs/javax.xml.crypto: (P3) JDK-8079693: Add support for ECDSA P-384 and P-521 curves to XML Signature (P3) JDK-8162723: Array index overflow in Base64 utility class (P3) JDK-8079140: IgnoreAllErrorHandler should use doPrivileged when it reads system properties (P3) JDK-8046724: XML Signature ECKeyValue elements cannot be marshalled or unmarshalled (P4) JDK-8038431: Close InputStream when finished retrieving XML Signature HTTP References (P4) JDK-8046044: Fix raw and unchecked lint warnings in XML Signature Impl (P4) JDK-8031191: Warning exception when XMLSignature logging is enabled security-libs/org.ietf.jgss:krb5: (P4) JDK-8005819: Support cross-realm MSSFU tools/jconsole: (P3) JDK-8236873: Worker has a deadlock bug