RELEASE NOTES FOR: openjdk8u272 ==================================================================================================== Notes generated: Mon Apr 01 23:19:08 CEST 2024 Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry. JAVA ENHANCEMENT PROPOSALS (JEP): None. RELEASE NOTES: security-libs/javax.xml.crypto: JDK-8236645: Oracle Specific JDK Update of System Property to Fall Back to Legacy Base64 Encoding Format Oracle JDK 8u231 has upgraded the Apache Santuario libraries to v2.1.3. This upgrade introduced an issue in which XML signatures using Base64 encoding appended ` ` or ` ` to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045. Oracle JDK 8u221 using the legacy encoder returns encoded data in a format without ` ` or ` `. Therefore an Oracle specific JDK 8 Update of a new system property `com.sun.org.apache.xml.internal.security.lineFeedOnly` has been made available to fall back to legacy Base64 encoded format. Users can set this flag in one of two ways: 1. `-Dcom.sun.org.apache.xml.internal.security.lineFeedOnly=true` 2. `System.setProperty("com.sun.org.apache.xml.internal.security.lineFeedOnly", "true")` This new system property is disabled by default. It has no effect on default behavior or when the `com.sun.org.apache.xml.internal.security.ignoreLineBreaks` property is set. Later JDK family versions will only support the recommended property: `com.sun.org.apache.xml.internal.security.ignoreLineBreaks` JDK-8217878: com.sun.org.apache.xml.internal.security.ignoreLineBreaks System Property An Apache Santuario library version upgrade, used by the javax.xml.crypto.* packages, introduces a behavioral change where a new Base64 encoder uses "\r\n" as end-of-line terminator. By default, XML signatures signed using API calls form the javax.xml.crypto.dsig package includes the escaped '\r' character, encoded as " " or " ". A new `com.sun.org.apache.xml.internal.security.ignoreLineBreaks` system property may be set to a value of "true" if an application is unable to handle the encoded output data changes where " " or " " get appended to new lines in encoding operations. The effect of this property is to not include the carriage return character in base64-encoded fields in XML signature generated by calls to the javax.xml.crypto.* packages. Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482. JDK-8177334: Updated xmldsig Implementation to Apache Santuario 2.1.1 The XMLDSig provider implementation in the `java.xml.crypto` module has been updated to version 2.1.1 of Apache Santuario. New features include: 1. Support for the SHA-224 and SHA-3 DigestMethod algorithms specified in RFC 6931. 2. Support for the HMAC-SHA224, RSA-SHA224, ECDSA-SHA224, and RSASSA-PSS family of SignatureMethod algorithms specified in RFC 6931. security-libs/javax.security: JDK-8239385: Support for canonicalize in krb5.conf The 'canonicalize' flag in the [krb5.conf file][1] is now supported by the JDK Kerberos implementation. When set to *true*, [RFC 6806][2] name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested. The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for [RFC 6806][2] was not explicitly disabled with the *sun.security.krb5.disableReferrals* system or security properties). [1]: https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html [2]: https://tools.ietf.org/html/rfc6806 security-libs/javax.net.ssl: JDK-8209965: supported_groups Extension Should Not be Present in ServerHello Handshake Message While the `supported_groups` extension should not be present in ServerHello handshake messages, previous releases have ignored its presence, so that misconfigured servers could continue to function. JDK 11 currently throws an exception if this extension is sent in the ServerHello handshake message. JDK-8028518: Increase the priorities of GCM cipher suites In TLS, a ciphersuite defines a specific set of cryptography algorithms used in a TLS connection. JSSE maintains a prioritized list of ciphersuites. In this update, GCM-based cipher suites are configured as the most preferable default cipher suites in the SunJSSE provider. In the SunJSSE provider, the following ciphersuites are now the most preferred by default: ``` TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 ``` Note that this is a behavior change of the SunJSSE provider in the JDK, it is not guaranteed to be examined and used by other JSSE providers. There is no guarantee the cipher suites priorities will remain the same in future updates or releases. security-libs/javax.crypto:pkcs11: JDK-8080462: SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40 The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library. security-libs/java.security: JDK-8243320: Added 3 SSL Corporation Root CA Certificates The following root certificates have been added to the cacerts truststore: ``` + SSL Corporation + sslrootrsaca DN: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US + sslrootevrsaca DN: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US + sslrooteccca DN: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US ``` JDK-8243321: Added Entrust Root Certification Authority - G4 certificate The following root certificate has been added to the cacerts truststore: ``` + Entrust + entrustrootcag4 DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US ``` core-svc/java.lang.management: JDK-8226575: OperatingSystemMXBean Methods Inside a Container Return Container Specific Data When executing in a container, or other virtualized operating environment, the following `OperatingSystemMXBean` methods in this release return container specific information, if available. Otherwise, they return host specific data: - `getFreePhysicalMemorySize()` - `getTotalPhysicalMemorySize()` - `getFreeSwapSpaceSize()` - `getTotalSwapSpaceSize()` - `getSystemCpuLoad()` ALL FIXED ISSUES, BY COMPONENT AND PRIORITY: client-libs/2d: (P2) JDK-8244818: [macos] Java2D Queue Flusher crash while moving application window to external monitor (P2) JDK-8233097: Fontmetrics for large Fonts has zero width (P3) JDK-8145808: [PIT] test java/awt/Graphics2D/MTGraphicsAccessTest/MTGraphicsAccessTest.java hangs on Win. 8 (P3) JDK-8209113: Use WeakReference for lastFontStrike for created Fonts (P4) JDK-8177628: Opensource unit/regression tests for ImageIO client-libs/java.awt: (P2) JDK-8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash (P3) JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java fails (P4) JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/appletviewer/IOExceptionIfEncodedURLTest/IOExceptionIfEncodedURLTest.sh (P4) JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails (P4) JDK-8132376: Add @requires os.family to the client tests with access to internal OS-specific API (P4) JDK-8239819: XToolkit: Misread of screen information memory client-libs/javax.imageio: (P4) JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java (P4) JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java (P4) JDK-8183349: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java (P4) JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/AppletContextTest/BadPluginConfigurationTest.sh client-libs/javax.sound: (P3) JDK-8156169: Some sound tests rarely hangs because of incorrect synchronization (P4) JDK-8167615: Opensource unit/regression tests for JavaSound (P4) JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes client-libs/javax.swing: (P4) JDK-8172012: [TEST_BUG] delays needed in javax/swing/JTree/4633594/bug4633594.java (P4) JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java throws error (P4) JDK-8226697: Several tests which need the @key headful keyword are missing it. core-libs: (P3) JDK-8078334: Mark regression tests using randomness (P4) JDK-8238380: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10 (P4) JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics core-libs/java.io: (P4) JDK-8211163: UNIX version of Java_java_io_Console_echo does not return a clean boolean core-libs/java.lang: (P4) JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous (P4) JDK-8168517: java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed" core-libs/java.math: (P5) JDK-8026236: Add PrimeTest for BigInteger core-libs/java.net: (P3) JDK-8251546: 8u backport of JDK-8194298 breaks AIX and Solaris builds (P3) JDK-8194298: Add support for per Socket configuration of TCP keepalive (P3) JDK-8210147: adjust some WSAGetLastError usages in windows network coding (P3) JDK-8151788: NullPointerException from ntlm.Client.type3 (P4) JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10 (P5) JDK-8036088: Replace strtok() with its safe equivalent strtok_s() in DefaultProxySelector.c core-libs/java.nio: (P4) JDK-8075774: Small readability and performance improvements for zipfs core-libs/java.text: (P4) JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo core-libs/java.util: (P1) JDK-8166148: Fix for JDK-8165936 broke Solaris builds (P4) JDK-8132745: TEST_BUG: minor cleanup of java/util/Scanner/ScanTest.java core-libs/java.util.regex: (P4) JDK-8132206: move ScanTest.java into OpenJDK core-libs/java.util:i18n: (P3) JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings changes (P3) JDK-8165936: Potential Heap buffer overflow when seaching timezone info files core-libs/javax.naming: (P2) JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect (P2) JDK-8217606: LdapContext#reconnect always opens a new connection (P4) JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider (P4) JDK-8243138: Enhance BaseLdapServer to support starttls extended request (P4) JDK-8062947: Fix exception message to correctly represent LDAP connection failure core-libs/jdk.nashorn: (P3) JDK-8193137: Nashorn crashes when given an empty script file. core-svc: (P3) JDK-8203357: Container Metrics core-svc/debugger: (P3) JDK-8230303: JDB hangs when running monitor command (P4) JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow core-svc/java.lang.management: (P2) JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied (P3) JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws IllegalArgumentException for flags of type double (P3) JDK-8226575: OperatingSystemMXBean should be made container aware (P5) JDK-8025886: replace [[ and == bash extensions in regtest hotspot: (P4) JDK-8254937: Revert JDK-8148854 for 8u272 hotspot/compiler: (P1) JDK-8148754: C2 loop unrolling fails due to unexpected graph shape (P2) JDK-8252573: 8u: Windows build failed after 8222079 backport (P3) JDK-8214862: assert(proj != __null) at compile.cpp:3251 (P3) JDK-8234617: C1: Incorrect result of field load due to missing narrowing conversion (P3) JDK-8230711: ConnectionGraph::unique_java_object(Node* N) return NULL if n is not in the CG (P3) JDK-8240676: Meet not symmetric failure when running lucene on jdk8 (P4) JDK-8237951: CTW: C2 compilation fails with "malformed control flow" (P4) JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp (P4) JDK-8219919: RuntimeStub's name lost with PrintFrameConverterAssembly (P4) JDK-8167300: Scheduling failures during gcm should be fatal hotspot/gc: (P2) JDK-8248851: CMS: Missing memory fences between free chunk check and klass read (P3) JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate (P3) JDK-8057003: Large reference arrays cause extremely long synchronization times (P4) JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary public hotspot/jfr: (P3) JDK-8216283: Allow shorter method sampling interval than 10 ms (P3) JDK-8221569: JFR tool produces incorrect output when both --categories and --events are specified (P3) JDK-8217647: JFR: recordings on 32-bit systems unreadable (P3) JDK-8224217: RecordingInfo should use textual representation of path (P4) JDK-8246310: Clean commented-out code about ModuleEntry andPackageEntry in JFR (P4) JDK-8246384: Enable JFR by default on supported architectures for October 2020 release (P4) JDK-8219566: JFR did not collect call stacks when MaxJavaStackTraceDepth is set to zero (P4) JDK-8220555: JFR tool shows potentially misleading message when it cannot access a file (P4) JDK-8252084: Minimal VM fails to bootcycle: undefined symbol: AgeTableTracer::is_tenuring_distribution_event_enabled (P4) JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions hotspot/jvmti: (P3) JDK-8254673: call for JvmtiExport::post_vm_start() was removed by the fix for JDK-8249158 (P3) JDK-8035493: JVMTI PopFrame capability must instruct compilers not to prune locals (P4) JDK-8249158: THREAD_START and THREAD_END event posted in primordial phase hotspot/runtime: (P2) JDK-8235325: build failure on Linux after 8235243 (P2) JDK-8060721: Test runtime/SharedArchiveFile/LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler (P3) JDK-8148854: Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent (P3) JDK-8064319: Need to enable -XX:+TraceExceptions in release builds (P4) JDK-8048933: -XX:+TraceExceptions output should include the message (P4) JDK-8023697: failed class resolution reports different class name in detail message for the first and subsequent times (P4) JDK-8235243: handle VS2017 15.9 and VS2019 in abstract_vm_version (P4) JDK-8240295: hs_err elapsed time in seconds is not accurate enough (P4) JDK-8250875: Incorrect parameter type for update_number in JDK_Version::jdk_update (P4) JDK-8211714: Need to update vm_version.cpp to recognise VS2017 minor versions (P4) JDK-8248643: Remove extra leading space in JDK-8240295 8u backport (P4) JDK-8193234: When using -Xcheck:jni an internally allocated buffer can leak (P4) JDK-8184762: ZapStackSegments should use optimized memset infrastructure/build: (P2) JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink (P3) JDK-8238225: Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary (P4) JDK-8251120: [8u] HotSpot build assumes ENABLE_JFR is set to either true or false (P4) JDK-8154313: Generated javadoc scattered all over the place security-libs: (P4) JDK-8245474: Add TLS_KRB5 cipher suites support according to RFC-2712 (P4) JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7 (P4) JDK-8245477: Adjust TLS tests location (P4) JDK-8245472: Backport JDK-8038893 to JDK8 (P4) JDK-8251478: Backport TLSv1.3 regression tests to JDK8u (P4) JDK-8245476: Disable TLSv1.3 protocol in the ClientHello message by default (P4) JDK-8245470: Fix JDK8 compatibility issues (P4) JDK-8245473: OCSP stapling support (P4) JDK-8245467: Remove 8u TLSv1.2 implementation files (P4) JDK-8245469: Remove DTLS protocol implementation (P4) JDK-8245471: Revert JDK-8148188 security-libs/java.security: (P3) JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program (P3) JDK-8243320: Add SSL root certificates to Oracle Root CA program (P3) JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array (P3) JDK-8211049: Second parameter of "initialize" method is not used (P4) JDK-8238388: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10 (P4) JDK-8165996: PKCS11 using NSS throws an error regarding secmod.db when NSS uses sqlite (P4) JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions() not working (P4) JDK-8151834: Test SmallPrimeExponentP.java times out intermittently security-libs/javax.crypto: (P2) JDK-8220165: Encryption using GCM results in RuntimeException: input length out of bound (P2) JDK-8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll (P3) JDK-8078880: Mark a few more intermittently failing security-libs tests (P3) JDK-8201633: Problems with AES-GCM native acceleration security-libs/javax.crypto:pkcs11: (P1) JDK-8225695: 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support) (P2) JDK-8238898: Missing hash characters for header on license file (P3) JDK-8228835: Memory leak in PKCS11 provider when using AES GCM (P3) JDK-8165275: Replace the reflective call to the implUpdate method in HandshakeMessage::digestKey (P3) JDK-8144539: Update PKCS11 tests to run with security manager (P3) JDK-8080462: Update SunPKCS11 provider with PKCS11 v2.40 support (P4) JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher security-libs/javax.net.ssl: (P1) JDK-8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy (P2) JDK-8206929: Check session context for TLS 1.3 session resumption (P2) JDK-8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 (P2) JDK-8209916: NPE in SupportedGroupsExtension (P2) JDK-8206176: Remove the temporary tls13VN field (P2) JDK-8214129: SSL session resumption/SNI with TLS1.2 causes StackOverflowError (P2) JDK-8145854: SSLContextImpl.statusResponseManager should be generated if required (P2) JDK-8206355: SSLSessionImpl.getLocalPrincipal() throws NPE (P2) JDK-8216326: SSLSocket stream close() does not close the associated socket (P2) JDK-8207237: SSLSocket#setEnabledCipherSuites is accepting empty string (P2) JDK-8208166: Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029 (P2) JDK-8214098: sun.security.ssl.HandshakeHash.T12HandshakeHash constructor check backwards. (P2) JDK-8216045: The size of key_exchange may be wrong on FFDHE (P2) JDK-8207009: TLS 1.3 half-close and synchronization issues (P2) JDK-8211806: TLS 1.3 handshake server name indication is missing on a session resume (P2) JDK-8196584: TLS 1.3 Implementation (P2) JDK-8210334: TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes (P2) JDK-8210846: TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth (P2) JDK-8207029: Unable to use custom SSLEngine with default TrustManagerFactory after updating to JDK 11 b21 (P3) JDK-8245681: Add TLSv1.3 regression test from 11.0.7 (P3) JDK-8207058: Backport System Property jdk.tls.server.protocols (P3) JDK-8245466: Backport TLSv1.3 protocol implementation (P3) JDK-8225766: Curve in certificate should not affect signature scheme when using TLSv1.3 (P3) JDK-8219389: Delegated task created by SSLEngine throws BufferUnderflowException (P3) JDK-8215790: Delegated task created by SSLEngine throws java.nio.BufferUnderflowException (P3) JDK-8221270: Duplicated synchronized keywords in SSLSocketImpl (P3) JDK-8215524: Finished message validation failure should be decrypt_error alert (P3) JDK-8218889: Improperly use of the Optional API (P3) JDK-8212738: Incorrectly named signature scheme ecdsa_secp512r1_sha512 (P3) JDK-8028518: Increase the priorities of GCM cipher suites (P3) JDK-8203687: javax/net/ssl/compatibility/Compatibility.java supports TLS 1.3 (P3) JDK-8231810: javax/net/ssl/templates/SSLSocketSSLEngineTemplate.java fails intermittently with "java.lang.Exception: Unexpected EOF" (P3) JDK-8233621: Mismatch in jsse.enableMFLNExtension property name (P3) JDK-8210974: No extensions debug log for ClientHello (P3) JDK-8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers (P3) JDK-8213202: Possible race condition in TLS 1.3 session resumption (P3) JDK-8210989: RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2 (P3) JDK-8207223: SSL Handshake failures are reported with more generic SSLException (P3) JDK-8214339: SSLSocketImpl erroneously wraps SocketException (P3) JDK-8209965: The "supported_groups" extension in ServerHellos (P3) JDK-8211866: TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms (P3) JDK-8212885: TLS 1.3 resumed session does not retain peer certificate chain (P3) JDK-8214688: TLS 1.3 session resumption with hello retry request failed with "illegal_parameter" (P3) JDK-8217610: TLSv1.3 fail with ClassException when EC keys are stored in PKCS11 (P3) JDK-8221253: TLSv1.3 may generate TLSInnerPlainText longer than 2^14+1 bytes (P4) JDK-4919790: Errors in alert ssl message does not reflect the actual certificate status (P4) JDK-8234724: javax/net/ssl/templates/SSLSocketSSLEngineTemplate.java supports TLSv1.3 (P4) JDK-8234723: javax/net/ssl/TLS tests support TLSv1.3 (P4) JDK-8251341: Minimal Java specification change (P4) JDK-8214321: Misleading code in SSLCipher (P4) JDK-8245653: Remove 8u TLS tests (P4) JDK-8223482: Unsupported ciphersuites may be offered by a TLS client security-libs/javax.security: (P3) JDK-8239385: Support the 'canonicalize' setting (krb5.conf) in the Kerberos client (P4) JDK-8249610: Make sun.security.krb5.Config.getBooleanObject(String... keys) method public security-libs/javax.smartcardio: (P3) JDK-8163251: Hard coded loop limit prevents reading of smart card data greater than 8k (P4) JDK-8244151: Update MUSCLE PC/SC-Lite headers to1.8.26 security-libs/javax.xml.crypto: (P2) JDK-8217878: ENVELOPING XML signature no longer works (P3) JDK-8236645: JDK 8u231 introduces a regression with incompatible handling of XML messages (P3) JDK-8177334: Update xmldsig implementation to Apache Santuario 2.1.1 (P3) JDK-8218629: XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10 security-libs/jdk.security: (P4) JDK-8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one security-libs/org.ietf.jgss:krb5: (P3) JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ tools/javadoc(tool): (P2) JDK-8031625: javadoc problems referencing inner class constructors tools/jlink: (P3) JDK-8169925: Organize licenses by module in source, JMOD file, and run-time image xml/jaxp: (P3) JDK-8046274: Removing dependency on jakarta-regexp