RELEASE NOTES FOR: openjdk8u492 ==================================================================================================== Notes generated: Wed Apr 15 05:20:09 CEST 2026 Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry. JAVA ENHANCEMENT PROPOSALS (JEP): None. RELEASE NOTES: security-libs/javax.net.ssl: JDK-8369282: Distrust TLS Server Certificates Anchored by Chunghwa Root Certificates and Issued After March 17, 2026 The JDK will stop trusting TLS server certificates issued after March 17, 2026 and anchored by Chunghwa root certificates, in line with similar plans announced by Google and Mozilla. TLS server certificates issued on or before March 17, 2026 will continue to be trusted until they expire. Certificates issued after that date, and anchored by the Certificate Authority listed in the table below, will be rejected. The restrictions are enforced in the JDK implementation (the `SunJSSE` Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after March 17, 2026. An application will receive an exception with a message indicating the trust anchor is not trusted, for example: ``` "TLS Server certificate issued after 2026-03-17 and anchored by a distrusted legacy Chunghwa root CA: OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd." C=TW" ``` The JDK can be configured to trust these certificates again by removing "CHUNGHWA_TLS" from the `jdk.security.caDistrustPolicies` security property in the `java.security` configuration file. The restrictions are imposed on the following Chunghwa Root certificates included in the JDK:
Root Certificates distrusted after 2026-03-17
Distinguished Name SHA-256 Fingerprint
OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW

C0:A6:F4:DC:63:A2:4B:FD:CF:54:EF:2A:6A:08:2A:0A:72:DE:35:80:3E:2F:F5:FF:52:7A:E5:D8:72:06:DF:D5

You can also use the `keytool` utility from the JDK to print out details of the certificate chain, as follows: keytool -v -list -alias -keystore If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server. ALL FIXED ISSUES, BY COMPONENT AND PRIORITY: client-libs: (P5) JDK-8274893: Update java.desktop classes to use try-with-resources client-libs/2d: (P3) JDK-8361748: Enforce limits on the size of an XBM image (P3) JDK-8373727: New XBM images parser regression: only the first line of the bitmap array is parsed (P3) JDK-8373290: Update FreeType to 2.14.1 (P3) JDK-8379158: Update FreeType to 2.14.2 client-libs/java.awt: (P3) JDK-8376352: [8u] Build failure on Windows 32-bit after JDK-8362308 (P3) JDK-8312518: [macos13] setFullScreenWindow() shows black screen on macOS 13 & above (P3) JDK-8328999: Update GIFlib to 5.2.2 (P3) JDK-8375063: Update Libpng to 1.6.54 (P4) JDK-8376272: [8u] Windows x86-32 fails to build after JDK-8359501 (P4) JDK-8225487: giflib legal file is missing attribution for openbsd-reallocarray.c. core-libs/java.net: (P3) JDK-8223145: Replace wildcard address with loopback or local host in tests - part 1 (P3) JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server" (P4) JDK-8153147: Mark java/net/BindException/Test.java as intermittently failing core-libs/java.nio: (P4) JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points core-libs/java.time: (P3) JDK-8373476: (tz) Update Timezone Data to 2025c (P3) JDK-8379035: (tz) Update Timezone Data to 2026a core-libs/javax.naming: (P3) JDK-8237834: com/sun/jndi/ldap/LdapDnsProviderTest.java failing with LDAP response read timeout (P4) JDK-8251189: com/sun/jndi/ldap/LdapDnsProviderTest.java failed due to timeout hotspot/compiler: (P3) JDK-8170464: Remove shell script from compiler/c2/cr7005594/Test7005594.java hotspot/gc: (P3) JDK-8186149: quarantine gc/survivorAlignment/TestPromotionFromSurvivorToTenuredAfterMinorGC.java hotspot/jfr: (P3) JDK-8360869: jcstress is able to crash jdk8 on aarch64 with jfr on hotspot/runtime: (P3) JDK-8313770: jdk/internal/platform/docker/TestSystemMetrics.java fails on Ubuntu (P3) JDK-8174734: Safepoint sync time did not increase (P4) JDK-8284758: [linux] improve print_container_info (P4) JDK-8056039: Hotspot does not compile with clang 3.4 on Linux (P4) JDK-8287011: Improve container information (P4) JDK-8220658: Improve the readability of container information in the error log (P4) JDK-8264524: jdk/internal/platform/docker/TestDockerMemoryMetrics.java fails due to swapping not working hotspot/test: (P4) JDK-8377344: [8u] Compilation failure on Windows for Linux-specific platform metric tests (P4) JDK-8376338: Test7005594.sh fails when given a memory value with decimals infrastructure/build: (P3) JDK-8157758: JDK9 does not compile on Linux with GCC 6.1 because left-shifting a negative number has undefined behavior (P4) JDK-8374917: [8u] C++ flags get passed to C compiles in the HotSpot build (P4) JDK-8374899: [8u] Fully handle clang as the toolchain in flags.m4 (P4) JDK-8376225: [8u] GHA: Apply work-around for missing JNF for MacOSX builds (P4) JDK-8374948: [8u] saproc & jsig builds add duplicate linker flags on Darwin/MacOS (P4) JDK-8369226: GHA: Switch to MacOS 15 infrastructure/release_eng: (P4) JDK-8373250: Bump update version of OpenJDK: 8u492 security-libs/java.security: (P4) JDK-8132786: java/security/cert/CertPathValidator/OCSP/AIACheck.java fails intermittently security-libs/javax.net.ssl: (P3) JDK-8369282: Distrust TLS server certificates anchored by Chunghwa ePKI Root CA tools/launcher: (P3) JDK-8074840: Resolve disabled warnings for libjli and libjli_static (P4) JDK-8353657: [8u] Test tools/launcher/VersionCheck.java fails with debug build