RELEASE NOTES: JDK openjdk8u272

Notes generated: Sat Nov 02 02:56:24 CET 2024

JEPs

None.

RELEASE NOTES

security-libs/javax.xml.crypto

Issue Description

Issue	Description
JDK-8236645	Oracle Specific JDK Update of System Property to Fall Back to Legacy Base64 Encoding Format Oracle JDK 8u231 has upgraded the Apache Santuario libraries to v2.1.3. This upgrade introduced an issue in which XML signatures using Base64 encoding appended `&#xd` or `&#13` to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045. Oracle JDK 8u221 using the legacy encoder returns encoded data in a format without `&#xd` or `&#13`. Therefore an Oracle specific JDK 8 Update of a new system property `com.sun.org.apache.xml.internal.security.lineFeedOnly` has been made available to fall back to legacy Base64 encoded format. Users can set this flag in one of two ways: `-Dcom.sun.org.apache.xml.internal.security.lineFeedOnly=true` `System.setProperty("com.sun.org.apache.xml.internal.security.lineFeedOnly", "true")` This new system property is disabled by default. It has no effect on default behavior or when the `com.sun.org.apache.xml.internal.security.ignoreLineBreaks` property is set. Later JDK family versions will only support the recommended property: `com.sun.org.apache.xml.internal.security.ignoreLineBreaks`
JDK-8217878	com.sun.org.apache.xml.internal.security.ignoreLineBreaks System Property An Apache Santuario library version upgrade, used by the javax.xml.crypto.* packages, introduces a behavioral change where a new Base64 encoder uses "\r\n" as end-of-line terminator. By default, XML signatures signed using API calls form the javax.xml.crypto.dsig package includes the escaped '\r' character, encoded as " " or " ". A new `com.sun.org.apache.xml.internal.security.ignoreLineBreaks` system property may be set to a value of "true" if an application is unable to handle the encoded output data changes where " " or " " get appended to new lines in encoding operations. The effect of this property is to not include the carriage return character in base64-encoded fields in XML signature generated by calls to the javax.xml.crypto.* packages. Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482.
JDK-8177334	Updated xmldsig Implementation to Apache Santuario 2.1.1 The XMLDSig provider implementation in the `java.xml.crypto` module has been updated to version 2.1.1 of Apache Santuario. New features include: 1. Support for the SHA-224 and SHA-3 DigestMethod algorithms specified in RFC 6931. 2. Support for the HMAC-SHA224, RSA-SHA224, ECDSA-SHA224, and RSASSA-PSS family of SignatureMethod algorithms specified in RFC 6931.

Oracle Specific JDK Update of System Property to Fall Back to Legacy Base64 Encoding Format

Oracle JDK 8u231 has upgraded the Apache Santuario libraries to v2.1.3. This upgrade introduced an issue in which XML signatures using Base64 encoding appended &#xd or &#13 to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.

Oracle JDK 8u221 using the legacy encoder returns encoded data in a format without &#xd or &#13.

Therefore an Oracle specific JDK 8 Update of a new system property com.sun.org.apache.xml.internal.security.lineFeedOnly has been made available to fall back to legacy Base64 encoded format.

Users can set this flag in one of two ways:

-Dcom.sun.org.apache.xml.internal.security.lineFeedOnly=true
System.setProperty("com.sun.org.apache.xml.internal.security.lineFeedOnly", "true")

This new system property is disabled by default. It has no effect on default behavior or when the com.sun.org.apache.xml.internal.security.ignoreLineBreaks property is set.

Later JDK family versions will only support the recommended property: com.sun.org.apache.xml.internal.security.ignoreLineBreaks

JDK-8217878

com.sun.org.apache.xml.internal.security.ignoreLineBreaks System Property

An Apache Santuario library version upgrade, used by the javax.xml.crypto.* packages, introduces a behavioral change where a new Base64 encoder uses "\r\n" as end-of-line terminator. By default, XML signatures signed using API calls form the javax.xml.crypto.dsig package includes the escaped '\r' character, encoded as " " or " ".

A new com.sun.org.apache.xml.internal.security.ignoreLineBreaks system property may be set to a value of "true" if an application is unable to handle the encoded output data changes where " " or " " get appended to new lines in encoding operations. The effect of this property is to not include the carriage return character in base64-encoded fields in XML signature generated by calls to the javax.xml.crypto.* packages.

Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482.

JDK-8177334

Updated xmldsig Implementation to Apache Santuario 2.1.1

The XMLDSig provider implementation in the java.xml.crypto module has been updated to version 2.1.1 of Apache Santuario. New features include: 1. Support for the SHA-224 and SHA-3 DigestMethod algorithms specified in RFC 6931. 2. Support for the HMAC-SHA224, RSA-SHA224, ECDSA-SHA224, and RSASSA-PSS family of SignatureMethod algorithms specified in RFC 6931.

security-libs/javax.security

Issue	Description
JDK-8239385	Support for canonicalize in krb5.conf The 'canonicalize' flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested. The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the sun.security.krb5.disableReferrals system or security properties).

Issue

Description

JDK-8239385

Support for canonicalize in krb5.conf

The 'canonicalize' flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested.

The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the sun.security.krb5.disableReferrals system or security properties).

security-libs/javax.net.ssl

Issue Description

Issue	Description
JDK-8209965	supported_groups Extension Should Not be Present in ServerHello Handshake Message While the `supported_groups` extension should not be present in ServerHello handshake messages, previous releases have ignored its presence, so that misconfigured servers could continue to function. JDK 11 currently throws an exception if this extension is sent in the ServerHello handshake message.
JDK-8028518	Increase the priorities of GCM cipher suites In TLS, a ciphersuite defines a specific set of cryptography algorithms used in a TLS connection. JSSE maintains a prioritized list of ciphersuites. In this update, GCM-based cipher suites are configured as the most preferable default cipher suites in the SunJSSE provider. In the SunJSSE provider, the following ciphersuites are now the most preferred by default: ``` TLSECDHEECDSAWITHAES256GCMSHA384 TLSECDHEECDSAWITHAES128GCMSHA256 TLSECDHERSAWITHAES256GCMSHA384 TLSRSAWITHAES256GCMSHA384 TLSECDHECDSAWITHAES256GCMSHA384 TLSECDHRSAWITHAES256GCMSHA384 TLSDHERSAWITHAES256GCMSHA384 TLSDHEDSSWITHAES256GCM_SHA384 TLSECDHERSAWITHAES128GCMSHA256 TLSRSAWITHAES128GCMSHA256 TLSECDHECDSAWITHAES128GCMSHA256 TLSECDHRSAWITHAES128GCMSHA256 TLSDHERSAWITHAES128GCMSHA256 TLSDHEDSSWITHAES128GCM_SHA256 ``` Note that this is a behavior change of the SunJSSE provider in the JDK, it is not guaranteed to be examined and used by other JSSE providers. There is no guarantee the cipher suites priorities will remain the same in future updates or releases.

JDK-8209965

supported_groups Extension Should Not be Present in ServerHello Handshake Message

While the supported_groups extension should not be present in ServerHello handshake messages, previous releases have ignored its presence, so that misconfigured servers could continue to function. JDK 11 currently throws an exception if this extension is sent in the ServerHello handshake message.

JDK-8028518

Increase the priorities of GCM cipher suites

In TLS, a ciphersuite defines a specific set of cryptography algorithms used in a TLS connection. JSSE maintains a prioritized list of ciphersuites. In this update, GCM-based cipher suites are configured as the most preferable default cipher suites in the SunJSSE provider.

In the SunJSSE provider, the following ciphersuites are now the most preferred by default: ``` TLSECDHEECDSAWITHAES256GCMSHA384 TLSECDHEECDSAWITHAES128GCMSHA256

TLSECDHERSAWITHAES256GCMSHA384 TLSRSAWITHAES256GCMSHA384 TLSECDHECDSAWITHAES256GCMSHA384 TLSECDHRSAWITHAES256GCMSHA384 TLSDHERSAWITHAES256GCMSHA384 TLSDHEDSSWITHAES256GCM_SHA384

TLSECDHERSAWITHAES128GCMSHA256 TLSRSAWITHAES128GCMSHA256 TLSECDHECDSAWITHAES128GCMSHA256 TLSECDHRSAWITHAES128GCMSHA256 TLSDHERSAWITHAES128GCMSHA256 TLSDHEDSSWITHAES128GCM_SHA256 ``` Note that this is a behavior change of the SunJSSE provider in the JDK, it is not guaranteed to be examined and used by other JSSE providers. There is no guarantee the cipher suites priorities will remain the same in future updates or releases.

security-libs/javax.crypto:pkcs11

Issue	Description
JDK-8080462	SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40 The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.

Issue

Description

JDK-8080462

SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40

The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.

security-libs/java.security

Issue Description

Issue	Description
JDK-8243320	Added 3 SSL Corporation Root CA Certificates The following root certificates have been added to the cacerts truststore: ``` + SSL Corporation + sslrootrsaca DN: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US sslrootevrsaca DN: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US sslrooteccca DN: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US ```
JDK-8243321	Added Entrust Root Certification Authority - G4 certificate The following root certificate has been added to the cacerts truststore: ` + Entrust + entrustrootcag4 DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US`

JDK-8243320

Added 3 SSL Corporation Root CA Certificates

The following root certificates have been added to the cacerts truststore: ``` + SSL Corporation + sslrootrsaca DN: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US

sslrootevrsaca DN: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
sslrooteccca DN: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US ```

JDK-8243321

Added Entrust Root Certification Authority - G4 certificate

The following root certificate has been added to the cacerts truststore: ` + Entrust + entrustrootcag4 DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US`

core-svc/java.lang.management

Issue Description

Issue	Description
JDK-8226575	OperatingSystemMXBean Methods Inside a Container Return Container Specific Data When executing in a container, or other virtualized operating environment, the following `OperatingSystemMXBean` methods in this release return container specific information, if available. Otherwise, they return host specific data: `getFreePhysicalMemorySize()` `getTotalPhysicalMemorySize()` `getFreeSwapSpaceSize()` `getTotalSwapSpaceSize()` `getSystemCpuLoad()`

JDK-8226575

OperatingSystemMXBean Methods Inside a Container Return Container Specific Data

When executing in a container, or other virtualized operating environment, the following OperatingSystemMXBean methods in this release return container specific information, if available. Otherwise, they return host specific data:

getFreePhysicalMemorySize()
getTotalPhysicalMemorySize()
getFreeSwapSpaceSize()
getTotalSwapSpaceSize()
getSystemCpuLoad()

FIXED ISSUES

client-libs/2d

Priority	Bug	Summary
P2	JDK-8244818	[macos] Java2D Queue Flusher crash while moving application window to external monitor
P2	JDK-8233097	Fontmetrics for large Fonts has zero width
P3	JDK-8145808	[PIT] test java/awt/Graphics2D/MTGraphicsAccessTest/MTGraphicsAccessTest.java hangs on Win. 8
P3	JDK-8209113	Use WeakReference for lastFontStrike for created Fonts
P4	JDK-8177628	Opensource unit/regression tests for ImageIO

client-libs/java.awt

Priority	Bug	Summary
P2	JDK-8242498	Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash
P3	JDK-8200313	java/awt/Gtk/GtkVersionTest/GtkVersionTest.java fails
P4	JDK-8137087	[TEST_BUG] Cygwin failure of java/awt/appletviewer/IOExceptionIfEncodedURLTest/IOExceptionIfEncodedURLTest.sh
P4	JDK-8039082	[TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails
P4	JDK-8132376	Add @requires os.family to the client tests with access to internal OS-specific API
P4	JDK-8239819	XToolkit: Misread of screen information memory

client-libs/javax.imageio

Priority	Bug	Summary
P4	JDK-8183341	Better cleanup for javax/imageio/AllowSearch.java
P4	JDK-8250755	Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java
P4	JDK-8183349	Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java
P4	JDK-8183351	Better cleanup for jdk/test/javax/imageio/spi/AppletContextTest/BadPluginConfigurationTest.sh

client-libs/javax.sound

Priority	Bug	Summary
P3	JDK-8156169	Some sound tests rarely hangs because of incorrect synchronization
P4	JDK-8167615	Opensource unit/regression tests for JavaSound
P4	JDK-6574989	TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes

client-libs/javax.swing

Priority	Bug	Summary
P4	JDK-8172012	[TEST_BUG] delays needed in javax/swing/JTree/4633594/bug4633594.java
P4	JDK-8198004	javax/swing/JFileChooser/6868611/bug6868611.java throws error
P4	JDK-8226697	Several tests which need the @key headful keyword are missing it.

core-libs

Priority	Bug	Summary
P3	JDK-8078334	Mark regression tests using randomness
P4	JDK-8238380	java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10
P4	JDK-8250627	Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics

core-libs/java.io

Priority	Bug	Summary
P4	JDK-8211163	UNIX version of Java_java_io_Console_echo does not return a clean boolean

core-libs/java.lang

Priority	Bug	Summary
P4	JDK-8226809	Circular reference in printed stack trace is not correctly indented & ambiguous
P4	JDK-8168517	java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed"

core-libs/java.math

Priority	Bug	Summary
P5	JDK-8026236	Add PrimeTest for BigInteger

core-libs/java.net

Priority	Bug	Summary
P3	JDK-8251546	8u backport of JDK-8194298 breaks AIX and Solaris builds
P3	JDK-8194298	Add support for per Socket configuration of TCP keepalive
P3	JDK-8210147	adjust some WSAGetLastError usages in windows network coding
P3	JDK-8151788	NullPointerException from ntlm.Client.type3
P4	JDK-8238386	(sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10
P5	JDK-8036088	Replace strtok() with its safe equivalent strtok_s() in DefaultProxySelector.c

core-libs/java.nio

Priority	Bug	Summary
P4	JDK-8075774	Small readability and performance improvements for zipfs

core-libs/java.text

Priority	Bug	Summary
P4	JDK-8231213	Migrate SimpleDateFormatConstTest to JDK Repo

core-libs/java.util

Priority	Bug	Summary
P1	JDK-8166148	Fix for JDK-8165936 broke Solaris builds
P4	JDK-8132745	TEST_BUG: minor cleanup of java/util/Scanner/ScanTest.java

core-libs/java.util.regex

Priority	Bug	Summary
P4	JDK-8132206	move ScanTest.java into OpenJDK

core-libs/java.util:i18n

Priority	Bug	Summary
P3	JDK-8152077	(cal) Calendar.roll does not always roll the hours during daylight savings changes
P3	JDK-8165936	Potential Heap buffer overflow when seaching timezone info files

core-libs/javax.naming

Priority	Bug	Summary
P2	JDK-8151678	com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect
P2	JDK-8217606	LdapContext#reconnect always opens a new connection
P4	JDK-8160768	Add capability to custom resolve host/domain names within the default JNDI LDAP provider
P4	JDK-8243138	Enhance BaseLdapServer to support starttls extended request
P4	JDK-8062947	Fix exception message to correctly represent LDAP connection failure

core-libs/jdk.nashorn

Priority	Bug	Summary
P3	JDK-8193137	Nashorn crashes when given an empty script file.

core-svc

Priority	Bug	Summary
P3	JDK-8203357	Container Metrics

core-svc/debugger

Priority	Bug	Summary
P3	JDK-8230303	JDB hangs when running monitor command
P4	JDK-8229378	jdwp library loader in linker_md.c quietly truncates on buffer overflow

core-svc/java.lang.management

Priority	Bug	Summary
P2	JDK-8192953	sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied
P3	JDK-8061616	HotspotDiagnosticMXBean.getVMOption() throws IllegalArgumentException for flags of type double
P3	JDK-8226575	OperatingSystemMXBean should be made container aware
P5	JDK-8025886	replace [[ and == bash extensions in regtest

hotspot/compiler

Priority	Bug	Summary
P1	JDK-8148754	C2 loop unrolling fails due to unexpected graph shape
P2	JDK-8252573	8u: Windows build failed after 8222079 backport
P3	JDK-8214862	assert(proj != __null) at compile.cpp:3251
P3	JDK-8234617	C1: Incorrect result of field load due to missing narrowing conversion
P3	JDK-8230711	ConnectionGraph::unique_java_object(Node* N) return NULL if n is not in the CG
P3	JDK-8240676	Meet not symmetric failure when running lucene on jdk8
P4	JDK-8237951	CTW: C2 compilation fails with "malformed control flow"
P4	JDK-8222079	Don't use memset to initialize fields decode_env constructor in disassembler.cpp
P4	JDK-8219919	RuntimeStub's name lost with PrintFrameConverterAssembly
P4	JDK-8167300	Scheduling failures during gcm should be fatal

hotspot/gc

Priority	Bug	Summary
P2	JDK-8248851	CMS: Missing memory fences between free chunk check and klass read
P3	JDK-8231779	crash HeapWord*ParallelScavengeHeap::failed_mem_allocate
P3	JDK-8057003	Large reference arrays cause extremely long synchronization times
P4	JDK-8153583	Make OutputAnalyzer.reportDiagnosticSummary public

hotspot/jfr

Priority	Bug	Summary
P3	JDK-8216283	Allow shorter method sampling interval than 10 ms
P3	JDK-8221569	JFR tool produces incorrect output when both --categories and --events are specified
P3	JDK-8217647	JFR: recordings on 32-bit systems unreadable
P3	JDK-8224217	RecordingInfo should use textual representation of path
P4	JDK-8246310	Clean commented-out code about ModuleEntry andPackageEntry in JFR
P4	JDK-8246384	Enable JFR by default on supported architectures for October 2020 release
P4	JDK-8219566	JFR did not collect call stacks when MaxJavaStackTraceDepth is set to zero
P4	JDK-8220555	JFR tool shows potentially misleading message when it cannot access a file
P4	JDK-8252084	Minimal VM fails to bootcycle: undefined symbol: AgeTableTracer::is_tenuring_distribution_event_enabled
P4	JDK-8243489	Thread CPU Load event may contain wrong data for CPU time under certain conditions

hotspot/jvmti

Priority	Bug	Summary
P3	JDK-8254673	call for JvmtiExport::post_vm_start() was removed by the fix for JDK-8249158
P3	JDK-8035493	JVMTI PopFrame capability must instruct compilers not to prune locals
P4	JDK-8249158	THREAD_START and THREAD_END event posted in primordial phase

hotspot/runtime

Priority	Bug	Summary
P2	JDK-8235325	build failure on Linux after 8235243
P2	JDK-8060721	Test runtime/SharedArchiveFile/LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler
P3	JDK-8148854	Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent
P3	JDK-8064319	Need to enable -XX:+TraceExceptions in release builds
P4	JDK-8048933	-XX:+TraceExceptions output should include the message
P4	JDK-8023697	failed class resolution reports different class name in detail message for the first and subsequent times
P4	JDK-8235243	handle VS2017 15.9 and VS2019 in abstract_vm_version
P4	JDK-8240295	hs_err elapsed time in seconds is not accurate enough
P4	JDK-8250875	Incorrect parameter type for update_number in JDK_Version::jdk_update
P4	JDK-8211714	Need to update vm_version.cpp to recognise VS2017 minor versions
P4	JDK-8248643	Remove extra leading space in JDK-8240295 8u backport
P4	JDK-8254937	Revert JDK-8148854 for 8u272
P4	JDK-8193234	When using -Xcheck:jni an internally allocated buffer can leak
P4	JDK-8184762	ZapStackSegments should use optimized memset

infrastructure/build

Priority	Bug	Summary
P2	JDK-8235687	Contents/MacOS/libjli.dylib cannot be a symlink
P3	JDK-8238225	Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary
P4	JDK-8251120	[8u] HotSpot build assumes ENABLE_JFR is set to either true or false
P4	JDK-8154313	Generated javadoc scattered all over the place

security-libs

Priority	Bug	Summary
P4	JDK-8245474	Add TLS_KRB5 cipher suites support according to RFC-2712
P4	JDK-8245468	Add TLSv1.3 implementation classes from 11.0.7
P4	JDK-8245477	Adjust TLS tests location
P4	JDK-8245472	Backport JDK-8038893 to JDK8
P4	JDK-8251478	Backport TLSv1.3 regression tests to JDK8u
P4	JDK-8245476	Disable TLSv1.3 protocol in the ClientHello message by default
P4	JDK-8245470	Fix JDK8 compatibility issues
P4	JDK-8245473	OCSP stapling support
P4	JDK-8245467	Remove 8u TLSv1.2 implementation files
P4	JDK-8245469	Remove DTLS protocol implementation
P4	JDK-8245471	Revert JDK-8148188

security-libs/java.security

Priority	Bug	Summary
P3	JDK-8243321	Add Entrust root CA - G4 to Oracle Root CA program
P3	JDK-8243320	Add SSL root certificates to Oracle Root CA program
P3	JDK-8242556	Cannot load RSASSA-PSS public key with non-null params from byte array
P3	JDK-8211049	Second parameter of "initialize" method is not used
P4	JDK-8238388	libj2gss/NativeFunc.o "multiple definition" link errors with GCC10
P4	JDK-8165996	PKCS11 using NSS throws an error regarding secmod.db when NSS uses sqlite
P4	JDK-8161973	PKIXRevocationChecker.getSoftFailExceptions() not working
P4	JDK-8151834	Test SmallPrimeExponentP.java times out intermittently

security-libs/javax.crypto

Priority	Bug	Summary
P2	JDK-8220165	Encryption using GCM results in RuntimeException: input length out of bound
P2	JDK-8233954	UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
P3	JDK-8078880	Mark a few more intermittently failing security-libs tests
P3	JDK-8201633	Problems with AES-GCM native acceleration

security-libs/javax.crypto:pkcs11

Priority	Bug	Summary
P1	JDK-8225695	32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support)
P2	JDK-8238898	Missing hash characters for header on license file
P3	JDK-8228835	Memory leak in PKCS11 provider when using AES GCM
P3	JDK-8165275	Replace the reflective call to the implUpdate method in HandshakeMessage::digestKey
P3	JDK-8144539	Update PKCS11 tests to run with security manager
P3	JDK-8080462	Update SunPKCS11 provider with PKCS11 v2.40 support
P4	JDK-8251117	Cannot check P11Key size in P11Cipher and P11AEADCipher

security-libs/javax.net.ssl

Priority	Bug	Summary
P1	JDK-8207317	SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy
P2	JDK-8206929	Check session context for TLS 1.3 session resumption
P2	JDK-8236039	JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
P2	JDK-8209916	NPE in SupportedGroupsExtension
P2	JDK-8206176	Remove the temporary tls13VN field
P2	JDK-8214129	SSL session resumption/SNI with TLS1.2 causes StackOverflowError
P2	JDK-8145854	SSLContextImpl.statusResponseManager should be generated if required
P2	JDK-8206355	SSLSessionImpl.getLocalPrincipal() throws NPE
P2	JDK-8216326	SSLSocket stream close() does not close the associated socket
P2	JDK-8207237	SSLSocket#setEnabledCipherSuites is accepting empty string
P2	JDK-8208166	Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029
P2	JDK-8214098	sun.security.ssl.HandshakeHash.T12HandshakeHash constructor check backwards.
P2	JDK-8216045	The size of key_exchange may be wrong on FFDHE
P2	JDK-8207009	TLS 1.3 half-close and synchronization issues
P2	JDK-8211806	TLS 1.3 handshake server name indication is missing on a session resume
P2	JDK-8196584	TLS 1.3 Implementation
P2	JDK-8210334	TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes
P2	JDK-8210846	TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
P2	JDK-8207029	Unable to use custom SSLEngine with default TrustManagerFactory after updating to JDK 11 b21
P3	JDK-8245681	Add TLSv1.3 regression test from 11.0.7
P3	JDK-8207058	Backport System Property jdk.tls.server.protocols
P3	JDK-8245466	Backport TLSv1.3 protocol implementation
P3	JDK-8225766	Curve in certificate should not affect signature scheme when using TLSv1.3
P3	JDK-8219389	Delegated task created by SSLEngine throws BufferUnderflowException
P3	JDK-8215790	Delegated task created by SSLEngine throws java.nio.BufferUnderflowException
P3	JDK-8221270	Duplicated synchronized keywords in SSLSocketImpl
P3	JDK-8215524	Finished message validation failure should be decrypt_error alert
P3	JDK-8218889	Improperly use of the Optional API
P3	JDK-8212738	Incorrectly named signature scheme ecdsa_secp512r1_sha512
P3	JDK-8028518	Increase the priorities of GCM cipher suites
P3	JDK-8203687	javax/net/ssl/compatibility/Compatibility.java supports TLS 1.3
P3	JDK-8231810	javax/net/ssl/templates/SSLSocketSSLEngineTemplate.java fails intermittently with "java.lang.Exception: Unexpected EOF"
P3	JDK-8233621	Mismatch in jsse.enableMFLNExtension property name
P3	JDK-8210974	No extensions debug log for ClientHello
P3	JDK-8213782	NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers
P3	JDK-8213202	Possible race condition in TLS 1.3 session resumption
P3	JDK-8210989	RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2
P3	JDK-8207223	SSL Handshake failures are reported with more generic SSLException
P3	JDK-8214339	SSLSocketImpl erroneously wraps SocketException
P3	JDK-8209965	The "supported_groups" extension in ServerHellos
P3	JDK-8211866	TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms
P3	JDK-8212885	TLS 1.3 resumed session does not retain peer certificate chain
P3	JDK-8214688	TLS 1.3 session resumption with hello retry request failed with "illegal_parameter"
P3	JDK-8217610	TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
P3	JDK-8221253	TLSv1.3 may generate TLSInnerPlainText longer than 2^14+1 bytes
P4	JDK-4919790	Errors in alert ssl message does not reflect the actual certificate status
P4	JDK-8234724	javax/net/ssl/templates/SSLSocketSSLEngineTemplate.java supports TLSv1.3
P4	JDK-8234723	javax/net/ssl/TLS tests support TLSv1.3
P4	JDK-8251341	Minimal Java specification change
P4	JDK-8214321	Misleading code in SSLCipher
P4	JDK-8245653	Remove 8u TLS tests
P4	JDK-8223482	Unsupported ciphersuites may be offered by a TLS client

security-libs/javax.security

Priority	Bug	Summary
P3	JDK-8239385	Support the 'canonicalize' setting (krb5.conf) in the Kerberos client
P4	JDK-8249610	Make sun.security.krb5.Config.getBooleanObject(String... keys) method public

security-libs/javax.smartcardio

Priority	Bug	Summary
P3	JDK-8163251	Hard coded loop limit prevents reading of smart card data greater than 8k
P4	JDK-8244151	Update MUSCLE PC/SC-Lite headers to1.8.26

security-libs/javax.xml.crypto

Priority	Bug	Summary
P2	JDK-8217878	ENVELOPING XML signature no longer works
P3	JDK-8236645	JDK 8u231 introduces a regression with incompatible handling of XML messages
P3	JDK-8177334	Update xmldsig implementation to Apache Santuario 2.1.1
P3	JDK-8218629	XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10

security-libs/jdk.security

Priority	Bug	Summary
P4	JDK-8241888	Mirror jdk.security.allowNonCaAnchor system property with a security one

security-libs/org.ietf.jgss:krb5

Priority	Bug	Summary
P3	JDK-8246193	Possible NPE in ENC-PA-REP search in AS-REQ

tools/javadoc(tool)

Priority	Bug	Summary
P2	JDK-8031625	javadoc problems referencing inner class constructors

tools/jlink

Priority	Bug	Summary
P3	JDK-8169925	Organize licenses by module in source, JMOD file, and run-time image

xml/jaxp

Priority	Bug	Summary
P3	JDK-8046274	Removing dependency on jakarta-regexp