RELEASE NOTES FOR: openjdk8u302

Notes generated: Wed Aug 18 14:01:17 CEST 2021 Hint: Prefix bug IDs with https://bugs.openjdk.java.net/browse/ to reach the relevant JIRA entry.

JAVA ENHANCEMENT PROPOSALS (JEP)

None.

RELEASE NOTES, BY COMPONENT:

security-libs/javax.net.ssl: JDK-8265351: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer. SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property *`jdk.tls.alpnCharset`* to "UTF-8" revert the behavior. See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information. JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 Character Set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer. ALPN values are now represented using the network byte representation expected by the peer, which should require no modification for standard 7-bit ASCII-based character Strings. However, SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property *`jdk.tls.alpnCharset`* to "UTF-8" revert the behavior. JDK-8244460: Support for certificate_authorities Extension The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection. With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection. Applications can enable this extension for server certificate selection by setting the `jdk.tls.client.enableCAExtension` system property to `true`. The default value of the property is `false`. Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when `jdk.tls.client.enableCAExtension` is set to `true` and the client trusts more CAs than the server implementation limit. JDK-8265351: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer. SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property *`jdk.tls.alpnCharset`* to "UTF-8" revert the behavior. See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information. JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 Character Set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer. ALPN values are now represented using the network byte representation expected by the peer, which should require no modification for standard 7-bit ASCII-based character Strings. However, SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property *`jdk.tls.alpnCharset`* to "UTF-8" revert the behavior. JDK-8244460: Support for certificate_authorities Extension The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection. With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection. Applications can enable this extension for server certificate selection by setting the `jdk.tls.client.enableCAExtension` system property to `true`. The default value of the property is `false`. Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when `jdk.tls.client.enableCAExtension` is set to `true` and the client trusts more CAs than the server implementation limit. security-libs/java.security: JDK-8256902: Removed Root Certificates with 1024-bit Keys The following root certificates with weak 1024-bit RSA public keys have been removed from the `cacerts` keystore: ``` + alias name "thawtepremiumserverca [jdk]"   Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA + alias name "verisignclass2g2ca [jdk]"   Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US + alias name "verisignclass3ca [jdk]"   Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US + alias name "verisignclass3g2ca [jdk]"   Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US + alias name "verisigntsaca [jdk]"   Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA ``` JDK-8261361: Removed Telia Company's Sonera Class2 CA Certificate The following root certificate has been removed from the cacerts truststore: ``` + Telia Company + soneraclass2ca DN: CN=Sonera Class2 CA, O=Sonera, C=FI ``` JDK-8256902: Removed Root Certificates with 1024-bit Keys The following root certificates with weak 1024-bit RSA public keys have been removed from the `cacerts` keystore: ``` + alias name "thawtepremiumserverca [jdk]"   Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA + alias name "verisignclass2g2ca [jdk]"   Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US + alias name "verisignclass3ca [jdk]"   Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US + alias name "verisignclass3g2ca [jdk]"   Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US + alias name "verisigntsaca [jdk]"   Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA ``` JDK-8261361: Removed Telia Company's Sonera Class2 CA Certificate The following root certificate has been removed from the cacerts truststore: ``` + Telia Company + soneraclass2ca DN: CN=Sonera Class2 CA, O=Sonera, C=FI ```

ALL FIXED ISSUES, BY COMPONENT AND PRIORITY

client-libs: (P4) JDK-8028618: [TEST BUG] javax/swing/JScrollBar/bug4202954/bug4202954.java fails (P4) JDK-8035287: gcc warnings compiling various libraries files (P4) JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable client-libs/2d: (P4) JDK-8241829: Cleanup the code for PrinterJob on windows client-libs/java.awt: (P3) JDK-8262446: DragAndDrop hangs on Windows (P4) JDK-8265238: [8u] [macos] build failure in OpenJDK8u after JDK-8211301 in older xcode (P4) JDK-6990210: [TEST_BUG] EventDispatchThread/HandleExceptionOnEDT/HandleExceptionOnEDT.java fails on gnome (P4) JDK-8134672: [TEST_BUG] Some tests should check isDisplayChangeSupported (P4) JDK-8261867: Backport relevant test changes & additions from JDK-8130125 (P4) JDK-8043646: libosxapp.dylib fails to build on Mac OS 10.9 with clang (P4) JDK-8225116: Test OwnedWindowsLeak.java intermittently fails client-libs/java.beans: (P3) JDK-8030123: java/beans/Introspector/Test8027648.java fails (P3) JDK-8159898: Negative array size in java/beans/Introspector/Test8027905.java client-libs/javax.accessibility: (P2) JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList (P4) JDK-7106851: Test should not use System.exit client-libs/javax.imageio: (P3) JDK-8190332: PngReader throws NegativeArraySizeException/OOM error when IHDR width is very large (P4) JDK-7059970: Test case: javax/imageio/plugins/png/ITXtTest.java is not closing a file client-libs/javax.sound: (P3) JDK-8178403: DirectAudio in JavaSound may hang and leak (P4) JDK-8129511: PlatformMidi.c:83 uses malloc without malloc header client-libs/javax.swing: (P4) JDK-8078855: [TEST_BUG] javax/swing/JComboBox/8032878/bug8032878.java fails in WindowsClassicLookAndFeel (P4) JDK-8130430: [TEST_BUG] remove unnecessary internal calls from javax/swing/JRadioButton/8075609/bug8075609.java (P4) JDK-8081764: [TEST_BUG] Test javax/swing/plaf/aqua/CustomComboBoxFocusTest.java fails on Windows, Solaris Sparcv9 and Linux but passes on MacOSX (P4) JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails core-libs/java.io: (P4) JDK-8177809: File.lastModified() is losing milliseconds (always ends in 000) core-libs/java.lang: (P4) JDK-8241649: Optimize Character.toString core-libs/java.net: (P4) JDK-8231631: sun/net/ftp/FtpURLConnectionLeak.java fails intermittently with NPE core-libs/java.nio: (P4) JDK-6878250: (so) IllegalBlockingModeException thrown when reading from a closed SocketChannel's InputStream (P4) JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater() core-libs/java.rmi: (P4) JDK-8036095: RMI tests using testlibrary.RMID and testlibrary.JavaVM do not pass through vmoptions (P4) JDK-8034999: TEST_BUG: change rmidRunning to a simple lookup (P4) JDK-8032050: TEST_BUG: Clean up for java/rmi/activation/Activatable/shutdownGracefully/ShutdownGracefully.java (P4) JDK-8035000: TEST_BUG: remove ActivationLibrary.DestroyThread and have callers call rmid.destroy() instead (P4) JDK-8035001: TEST_BUG: the retry logic in RMID.start() should check that the subprocess hasn't terminated core-libs/java.util: (P2) JDK-8075071: [TEST_BUG] TimSortStackSize2.java: OOME: Java heap space: MaxHeap shrinked by MaxRAMFraction (P2) JDK-8199265: java/util/Arrays/TimSortStackSize2.java fails with OOM (P4) JDK-8190679: java/util/Arrays/TimSortStackSize2.java fails with "Initial heap size set to a larger value than the maximum heap size" core-libs/java.util.logging: (P3) JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows core-libs/java.util:i18n: (P3) JDK-8262110: DST starts from incorrect time in 2038 (P3) JDK-8073446: TimeZone getOffset API does not return a DST offset between years 2038-2137 (P3) JDK-8255086: Update the root locale display names core-libs/javax.naming: (P3) JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues core-svc: (P3) JDK-8206243: java -XshowSettings fails if memory.limit_in_bytes overflows LONG.max core-svc/java.lang.instrument: (P3) JDK-8035054: JarFacade.c should not include ctype.h core-svc/java.lang.management: (P4) JDK-8034857: gcc warnings compiling src/solaris/native/sun/management core-svc/tools: (P4) JDK-8037825: Fix warnings and enable "warnings as errors" in serviceability native libraries hotspot: (P2) JDK-8239400: [8u] clean up delete-non-virtual-dtor warnings in HotSpot (P4) JDK-8209996: [PPC64] Fix JFR profiling. (P4) JDK-8269388: default build of jdk8 fails on newer GCCs with warnings as errors on format-overflow hotspot/compiler: (P2) JDK-8267689: [8u] [aarch64] Crash due to bad shift in indirect addressing mode (P2) JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS (P2) JDK-8217230: assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types() (P2) JDK-8203196: C1 emits incorrect code due to integer overflow in _tableswitch keys (P2) JDK-8266191: Missing aarch64 parts of JDK-8181872(C1: possible overflow when strength reducing integer multiply by constant) (P3) JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node (P3) JDK-8262726: AArch64: C1 StubAssembler::call_RT can corrupt stack (P3) JDK-8134883: C1 hard crash in range check elimination in Nashorn test262parallel (P3) JDK-8259619: C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect (P3) JDK-8071374: Native disassembler implementation may be not thread-safe (P4) JDK-8191955: AArch64: incorrect prefetch distance causes an internal error (P4) JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized (P4) JDK-8033289: clang: clean up unused function warning (P4) JDK-8230428: Cleanup dead CastIP node code in formssel.cpp (P4) JDK-8263504: Some OutputMachOpcodes fields are uninitialized hotspot/gc: (P1) JDK-8064909: FragmentMetaspace.java got OutOfMemoryError (P2) JDK-8264640: CMS ParScanClosure misses a barrier (P2) JDK-8183910: gc/arguments/TestAggressiveHeap.java fails intermittently (P2) JDK-8259271: gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region" (P2) JDK-8257999: Parallel GC crash in gc/parallel/TestDynShrinkHeap.java: new region is not in covered_region (P2) JDK-8260704: ParallelGC: oldgen expansion needs release-store for _end (P2) JDK-8200550: Xcode 9.3 produce warning -Wexpansion-to-defined (P4) JDK-8257039: [8u] GenericTaskQueue destructor is incorrect (P4) JDK-8042891: Format issues embedded in macros for two g1 source files (P4) JDK-8132148: G1 hs_err region dump legend out of sync with region values (P4) JDK-8166724: gc/g1/TestHumongousShrinkHeap.java fails with OOME (P4) JDK-8130308: Too low memory usage in TestPromotionFromSurvivorToTenuredAfterMinorGC.java hotspot/jfr: (P3) JDK-8266723: JFR periodic events are causing extra allocations (P4) JDK-8264562: assert(verify_field_bit(1)) failed: Attempting to write an uninitialized event field: type (P4) JDK-8258669: fastdebug jvm crashes when do event based tracing for monitor inflation hotspot/jvmti: (P3) JDK-8217348: assert(thread->is_Java_thread()) failed: just checking hotspot/runtime: (P2) JDK-8239053: [8u] clean up undefined-var-template warnings (P2) JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash (P3) JDK-8255734: VM should ignore SIGXFSZ on ppc64, s390 too (P4) JDK-8231949: [PPC64, s390]: Make async profiling more reliable (P4) JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns (P4) JDK-8260029: aarch64: fix typo in verify_oop_array (P4) JDK-8260236: better init AnnotationCollector _contended_group (P4) JDK-8055754: filemap.cpp does not compile with clang (P4) JDK-8253375: OSX build fails with Xcode 12.0 (12A7209) (P4) JDK-8265832: runtime/StackGap/testme.sh fails to compile in 8u (P4) JDK-8264816: Weak handles leak causes GC to take longer hotspot/svc: (P3) JDK-8172188: JDI tests fail due to "permission denied" when creating temp file (P4) JDK-8043264: hsdis library not picked up correctly on expected paths hotspot/test: (P4) JDK-8267426: MonitorVmStartTerminate test timed out on Embedded VM infrastructure: (P4) JDK-8267545: [8u] Enable Xcode 12 builds on macOS infrastructure/build: (P2) JDK-8138820: JDK Hotspot build fails with Xcode 7.0.1 (P3) JDK-8019470: Changes needed to compile JDK 8 on MacOS with clang compiler (P4) JDK-8077364: "if( !this )" construct prevents build on Xcode 6.3 (P4) JDK-8263061: copy wrong unpack200.diz to bin directory on linux after 8252395 (P4) JDK-8265666: Enable AIX build platform to make external debug symbols (P4) JDK-8262730: Enable jdk8u MacOS external debug symbols (P4) JDK-8250876: Fix issues with cross-compile on macos (P4) JDK-8269468: JDK-8269388 breaks the build on older GCCs (P4) JDK-8264509: jdk8u MacOS zipped debug symbols won't build (P4) JDK-8066508: JTReg tests timeout on slow devices when run using JPRT (P4) JDK-8262864: No debug symbols in image for Windows --with-native-debug-symbols=external security-libs: (P4) JDK-8205014: com/sun/jndi/ldap/DeadSSLLdapTimeoutTest.java failed with "Read timed out" security-libs/java.security: (P2) JDK-8156584: Initialization race in sun.security.x509.AlgorithmId.get (P3) JDK-8202299: Java Keystore fails to load PKCS12/PFX certificates created in WindowsServer2016 (P3) JDK-8242565: Policy initialization issues when the denyAfter constraint is enabled (P3) JDK-8243559: Remove root certificates with 1024-bit keys (P3) JDK-8225081: Remove Telia Company CA certificate expiring in April 2021 (P3) JDK-8266929: Unable to use algorithms from 3p providers (P4) JDK-8268444: keytool -v -list print is incorrect after backport JDK-8141457 security-libs/javax.crypto: (P3) JDK-8258419: RSA cipher buffer cleanup security-libs/javax.crypto:pkcs11: (P4) JDK-8034856: gcc warnings compiling src/solaris/native/sun/security/pkcs11 (P4) JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod (P4) JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding security-libs/javax.net.ssl: (P2) JDK-8256818: SSLSocket that is never bound or connected leaks socket resources (P3) JDK-8254631: Better support ALPN byte wire values in SunJSSE (P3) JDK-8228757: Fail fast if the handshake type is unknown (P3) JDK-8257997: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884 (P3) JDK-8257670: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks (P3) JDK-8206925: Support the certificate_authorities extension (P4) JDK-8259886: Improve SSL session cache performance and scalability (P4) JDK-8257884: Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test security-libs/org.ietf.jgss: (P3) JDK-8074835: Resolve disabled warnings for libj2gss security-libs/org.ietf.jgss:krb5: (P3) JDK-8074836: Resolve disabled warnings for libosxkrb5 tools: (P4) JDK-8180478: tools/launcher/MultipleJRE.sh fails on Windows because of extra-'' tools/javac: (P3) JDK-8260484: CheckExamples.java / NoJavaLangTest.java fail with jtreg 4.2 (P3) JDK-8066807: langtools/test/Makefile should use -agentvm not -samevm (P4) JDK-8214345: infinite recursion while checking super class