RELEASE NOTES FOR: openjdk8u432
====================================================================================================

Notes generated: Tue Oct 22 05:07:04 CEST 2024

Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry.

JAVA ENHANCEMENT PROPOSALS (JEP):

  None.

RELEASE NOTES:

core-libs/javax.naming:

    JDK-8290367: Update Default Value and Extend the Scope of com.sun.jndi.ldap.object.trustSerialData System Property

      In this release, the JDK implementation of the LDAP provider no longer supports
      deserialization of Java objects by default:
      
      * The default value of the `com.sun.jndi.ldap.object.trustSerialData` system property has been
      updated to `false`.
      
      * The scope of the `com.sun.jndi.ldap.object.trustSerialData` system property has been
      extended to cover the reconstruction of RMI remote objects from the `javaRemoteLocation` LDAP
      attribute.
      
      The transparent deserialization of Java objects from an LDAP context will now require an
      explicit opt-in. Applications that rely on reconstruction of Java objects or RMI stubs from
      the LDAP attributes would need to set the `com.sun.jndi.ldap.object.trustSerialData` system
      property to `true`.

core-libs/java.util.jar:

    JDK-8193682: Default JDK Compressor Will Be Closed when IOException Is Encountered

      `DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods have been modified to
      close out the associated default JDK compressor before propagating a Throwable up the stack.
      `ZIPOutputStream.closeEntry()` method has been modified to close out the associated default
      JDK compressor before propagating an IOException, not of type ZipException, up the stack.

security-libs/javax.net.ssl:

    JDK-8279164: Disabled TLS_ECDH Cipher Suites

      The TLS_ECDH cipher suites have been disabled by default, by adding "ECDH" to the
      `jdk.tls.disabledAlgorithms` security property in the `java.security` configuration file. The
      TLS_ECDH cipher suites do not preserve forward-secrecy and are rarely used in practice. Note
      that some TLS_ECDH cipher suites were already disabled because they use algorithms that are
      disabled, such as 3DES and RC4. This action disables the rest.  Any attempts to use cipher
      suites starting with "TLS_ECDH_" will fail with an `SSLHandshakeException`. Users can, at
      their own risk, re-enable these cipher suites by removing "ECDH" from the
      `jdk.tls.disabledAlgorithms` security property.
      
      Please note that this change has no effect on the TLS_ECDHE cipher suites, which are still
      enabled by default.

    JDK-8337664: Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024

      The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored
      by Entrust root certificates, in line with similar plans recently announced by Google and
      Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which
      are managed by Entrust.
      
      TLS server certificates issued on or before November 11, 2024 will continue to be trusted
      until they expire. Certificates issued after that date, and anchored by any of the Certificate
      Authorities in the table below, will be rejected.
      
      The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java
      Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's
      certificate chain is anchored by any of the Certificate Authorities in the table below and the
      certificate has been issued after November 11, 2024.
      
      An application will receive an Exception with a message indicating the trust anchor is not
      trusted, for example:
      
      ``` TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust
      root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited,
      OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net ```
      
      If necessary, and at your own risk, you can work around the restrictions by removing
      "ENTRUST_TLS" from the `jdk.security.caDistrustPolicies` security property in the
      `java.security` configuration file.
      
      The restrictions are imposed on the following Entrust Root certificates included in the JDK:
      
      <table border="1" cellpadding="1" cellspacing="1" style="width:500px;" summary="Root
      Certificates distrusted after 2024-11-11"> 	<caption>Root Certificates distrusted after
      2024-11-11</caption> 	<thead> 		<tr> 			<th scope="col">Distinguished Name</th> 			<th
      scope="col">SHA-256 Fingerprint</th> 		</tr> 	</thead> 	<tbody> 		<tr> 			<td>CN=Entrust Root
      Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by
      reference, O=Entrust, Inc., C=US</td> 			<td>
      			<p>73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust Root Certification Authority - EC1, OU=(c) 2012
      Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc.,
      C=US</td> 			<td>
      			<p>02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust Root Certification Authority - G2, OU=(c) 2009
      Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc.,
      C=US</td> 			<td>
      			<p>43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust Root Certification Authority - G4, OU=(c) 2015
      Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc.,
      C=US</td> 			<td>
      			<p>DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust.net Certification Authority (2048), OU=(c) 1999
      Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
      O=Entrust.net</td> 			<td>
      			<p>6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Commercial, O=AffirmTrust, C=US</td> 			<td>
      			<p>03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Networking, O=AffirmTrust, C=US</td> 			<td>
      			<p>0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Premium, O=AffirmTrust, C=US</td> 			<td>
      			<p>70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US</td> 			<td>
      			<p>BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23</p>
      			</td> 		</tr> 	</tbody> </table>
      
      You can also use the `keytool` utility from the JDK to print out details of the certificate
      chain, as follows:
      
      keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
      
      If any of the certificates in the chain are issued by one of the root CAs in the table above
      are listed in the output you will need to update the certificate or contact the organization
      that manages the server. 

    JDK-8341059: Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024

      The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored
      by Entrust root certificates, in line with similar plans recently announced by Google and
      Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which
      are managed by Entrust.
      
      TLS server certificates issued on or before November 11, 2024 will continue to be trusted
      until they expire. Certificates issued after that date, and anchored by any of the Certificate
      Authorities in the table below, will be rejected.
      
      The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java
      Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's
      certificate chain is anchored by any of the Certificate Authorities in the table below and the
      certificate has been issued after November 11, 2024.
      
      An application will receive an Exception with a message indicating the trust anchor is not
      trusted, for example:
      
      ``` TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust
      root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited,
      OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net ```
      
      If necessary, and at your own risk, you can work around the restrictions by removing
      "ENTRUST_TLS" from the `jdk.security.caDistrustPolicies` security property in the
      `java.security` configuration file.
      
      The restrictions are imposed on the following Entrust Root certificates included in the JDK:
      
      <table border="1" cellpadding="1" cellspacing="1" style="width:500px;" summary="Root
      Certificates distrusted after 2024-11-11"> 	<caption>Root Certificates distrusted after
      2024-11-11</caption> 	<thead> 		<tr> 			<th scope="col">Distinguished Name</th> 			<th
      scope="col">SHA-256 Fingerprint</th> 		</tr> 	</thead> 	<tbody> 		<tr> 			<td>CN=Entrust Root
      Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by
      reference, O=Entrust, Inc., C=US</td> 			<td>
      			<p>73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust Root Certification Authority - EC1, OU=(c) 2012
      Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc.,
      C=US</td> 			<td>
      			<p>02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust Root Certification Authority - G2, OU=(c) 2009
      Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc.,
      C=US</td> 			<td>
      			<p>43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust Root Certification Authority - G4, OU=(c) 2015
      Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc.,
      C=US</td> 			<td>
      			<p>DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88</p>
      			</td> 		</tr> 		<tr> 			<td>CN=Entrust.net Certification Authority (2048), OU=(c) 1999
      Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
      O=Entrust.net</td> 			<td>
      			<p>6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Commercial, O=AffirmTrust, C=US</td> 			<td>
      			<p>03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Networking, O=AffirmTrust, C=US</td> 			<td>
      			<p>0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Premium, O=AffirmTrust, C=US</td> 			<td>
      			<p>70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A</p>
      			</td> 		</tr> 		<tr> 			<td>CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US</td> 			<td>
      			<p>BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23</p>
      			</td> 		</tr> 	</tbody> </table>
      
      You can also use the `keytool` utility from the JDK to print out details of the certificate
      chain, as follows:
      
      keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
      
      If any of the certificates in the chain are issued by one of the root CAs in the table above
      are listed in the output you will need to update the certificate or contact the organization
      that manages the server. 

security-libs/java.security:

    JDK-8341057: Added SSL.com TLS Root CA Certificates Issued in 2022

      The following root certificates have been added to the cacerts truststore: ``` + SSL.com   +
      ssltlsrootecc2022     DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
      
      + SSL.com   + ssltlsrootrsa2022     DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation,
      C=US ```


ALL FIXED ISSUES, BY COMPONENT AND PRIORITY:

client-libs:
  (P3) JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors

client-libs/2d:
  (P3) JDK-8318951: Additional negative value check in JPEG decoding
  (P3) JDK-8311666: Disabled tests in test/jdk/sun/java2d/marlin
  (P4) JDK-8337312: [8u] Windows x86 VS2010 build broken by JDK-8320097

client-libs/java.awt:
  (P4) JDK-6544871: java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows.

client-libs/javax.sound:
  (P4) JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
  (P4) JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails

client-libs/javax.swing:
  (P3) JDK-8327007: javax/swing/JSpinner/8008657/bug8008657.java fails
  (P4) JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java
  (P4) JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04

core-libs:
  (P4) JDK-8326351: Update the Zlib version in open/src/java.base/share/legal/zlib.md to 1.3.1

core-libs/java.net:
  (P4) JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel

core-libs/java.nio:
  (P4) JDK-8030795: java/nio/file/Files/probeContentType/ForceLoad.java failing with ServiceConfigurationError without jtreg -agentvm option

core-libs/java.util:
  (P2) JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown"
  (P4) JDK-8335894: [8u] Fix SupplementalJapaneseEraTest.java for jdks with symlinked conf dir
  (P4) JDK-8299677: Formatter.format might take a long time to format an integer or floating-point

core-libs/java.util.jar:
  (P4) JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
  (P4) JDK-8193682: Infinite loop in ZipOutputStream.close()
  (P4) JDK-8315117: Update Zlib Data Compression Library to Version 1.3
  (P4) JDK-8324632: Update Zlib Data Compression Library to Version 1.3.1

core-libs/java.util:i18n:
  (P3) JDK-8305400: ISO 4217 Amendment 175 Update
  (P3) JDK-8321480: ISO 4217 Amendment 176 Update
  (P3) JDK-8334653: ISO 4217 Amendment 177 Update

core-libs/javax.naming:
  (P3) JDK-8196770: Add JNDI test com/sun/jndi/ldap/blits/AddTests/AddNewEntry.java
  (P3) JDK-8290367: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
  (P4) JDK-8251188: Update LDAP tests not to use wildcard addresses

core-svc/debugger:
  (P4) JDK-8030204: com/sun/jdi/JdbExprTest.sh: Required output "Can\\'t convert 2147483648 to int" not found 
  (P4) JDK-4660158: TTY: NumberFormatException while trying to set values by 'set' command

core-svc/javax.management:
  (P3) JDK-8145919: sun/management/jmxremote/bootstrap/RmiSslBootstrapTest failed with Connection failed for no credentials
  (P4) JDK-8335851: [8u] Test JMXStartStopTest.java fails after JDK-8334415
  (P4) JDK-8035395: sun/management/jmxremote/startstop/JMXStartStopTest.java fails intermittently: Port already in use

hotspot/compiler:
  (P3) JDK-8313626: C2 crash due to unexpected exception control flow
  (P3) JDK-8021775: compiler/8009761/Test8009761.java  "Failed: init recursive calls: 51. After deopt 50"
  (P4) JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp

hotspot/gc:
  (P3) JDK-8316328: Test jdk/jfr/event/oldobject/TestSanityDefault.java times out for some heap sizes

hotspot/jfr:
  (P4) JDK-8305931: jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java failed with "Expected chains but found none"
  (P4) JDK-8326521: JFR: CompilerPhase event test fails on windows 32 bit
  (P4) JDK-8326529: JFR: Test for CompilerCompile events fails due to time out

hotspot/runtime:
  (P4) JDK-8309138: Fix container tests for jdks with symlinked conf dir
  (P4) JDK-8152207: Perform array bound checks while getting a length of bytecode instructions

hotspot/test:
  (P4) JDK-8337110: [8u] TestNoEagerReclaimOfHumongousRegions.java should be in gc/g1 directory

infrastructure/build:
  (P4) JDK-8333669: [8u] GHA: Dead VS2010 download link
  (P4) JDK-8331730: [8u] GHA: update sysroot for cross builds to Debian bullseye
  (P4) JDK-8315863: [GHA] Update checkout action to use v4
  (P4) JDK-8137329: [windows] Build broken on VS2010 after  "8046148: JEP 158: Unified JVM Logging"
  (P4) JDK-8075511: Enable -Woverloaded-virtual C++ warning for HotSpot build
  (P4) JDK-8281096: Flags introduced by configure script are not passed to ADLC build
  (P4) JDK-8318039: GHA: Bump macOS and Xcode versions
  (P4) JDK-8336928: GHA: Bundle artifacts removal broken
  (P4) JDK-8324723: GHA: Upgrade some actions to avoid deprecated Node 16

infrastructure/licensing:
  (P4) JDK-8338144: [8u] Remove duplicate license files

infrastructure/release_eng:
  (P4) JDK-8333126: Bump update version of OpenJDK: 8u432

security-libs/java.security:
  (P2) JDK-8341057: Add 2 SSL.com TLS roots

security-libs/javax.net.ssl:
  (P2) JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
  (P3) JDK-8279164: Disable TLS_ECDH_* cipher suites
  (P3) JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs

tools:
  (P4) JDK-8320964: sun/tools/native2ascii/Native2AsciiTests.sh fails on Japanese