Key:

JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X

CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY

New in release OpenJDK 8u362 (2023-01-17):

===========================================

Live versions of these release notes can be found at:

  * https://bit.ly/openjdk8u362

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u362.html

* CVEs

  - CVE-2023-21830

  - CVE-2023-21843

* Security fixes

  - JDK-8285021: Improve CORBA communication

  - JDK-8286496: Improve Thread labels

  - JDK-8288516: Enhance font creation

  - JDK-8289350: Better media supports

  - JDK-8293554: Enhanced DH Key Exchanges

  - JDK-8293598: Enhance InetAddress address handling

  - JDK-8293717: Objective view of ObjectView

  - JDK-8293734: Improve BMP image handling

  - JDK-8293742: Better Banking of Sounds

  - JDK-8295687: Better BMP bounds

* Other changes

  - JDK-6885993: Named Thread: introduce print() and print_on(outputStream* st) methods

  - JDK-7124218: [TEST_BUG] [macosx] Space should select cell in the JTable

  - JDK-8054066: com/sun/jdi/DoubleAgentTest.java fails with timeout

  - JDK-8067941: [TESTBUG] Fix tests for OS with 64K page size.

  - JDK-8071530: Update OS detection code to reflect Windows 10 version change

  - JDK-8073464: GC workers do not have thread names

  - JDK-8079255: [TEST_BUG] [macosx] Test closed/java/awt/Robot/RobotWheelTest/RobotWheelTest fails for Mac only

  - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails

  - JDK-8148005: One byte may be corrupted by get_datetime_string()

  - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java

  - JDK-8159720: Failure of C2 compilation with tiered prevents some C1 compilations

  - JDK-8195607: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1

  - JDK-8197859: VS2017 Complains about UINTPTR_MAX definition in globalDefinitions_VisCPP.hpp

  - JDK-8206456: [TESTBUG] docker jtreg tests fail on systems without cpuset.effective_cpus / cpuset.effective_mems

  - JDK-8221529: [TESTBUG] Docker tests use old/deprecated image on AArch64

  - JDK-8224506: [TESTBUG] TestDockerMemoryMetrics.java fails with exitValue = 137

  - JDK-8233551: [TESTBUG] SelectEditTableCell.java fails on MacOS

  - JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows

  - JDK-8253702: BigSur version number reported as 10.16, should be 11.nn

  - JDK-8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()

  - JDK-8265527: tools/javac/diags/CheckExamples.java fails after JDK-8078024 8u backport

  - JDK-8269039: Disable SHA-1 Signed JARs

  - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0

  - JDK-8270344: Session resumption errors

  - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity

  - JDK-8273176: handle latest VS2019 in abstract_vm_version

  - JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening

  - JDK-8274840: Update OS detection code to recognize Windows 11

  - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled

  - JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR

  - JDK-8283277: ISO 4217 Amendment 171 Update

  - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode

  - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer

  - JDK-8284622: Update versions of some Github Actions used in JDK workflow

  - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled

  - JDK-8288928: Incorrect GPL header in pnglibconf.h (backport of JDK-8185041)

  - JDK-8289549: ISO 4217 Amendment 172 Update

  - JDK-8292762: Remove .jcheck directories from jdk8u subcomponents

  - JDK-8293181: Bump update version of OpenJDK: 8u362

  - JDK-8293461: Add a test for JDK-8290832

  - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening

  - JDK-8294307: ISO 4217 Amendment 173 Update

  - JDK-8294357: (tz) Update Timezone Data to 2022d

  - JDK-8294863: Enable partial tier1 testing in GHA for JDK8

  - JDK-8295164: JDK 8 jdi tests should not use tasklist command on Windows

  - JDK-8295173: (tz) Update Timezone Data to 2022e

  - JDK-8295288: Some vm_flags tests associate with a wrong BugID

  - JDK-8295714: GHA ::set-output is deprecated and will be removed

  - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error

  - JDK-8295915: Problemlist compiler/rtm failures specific to 8u

  - JDK-8295950: Enable langtools/tier1 in GHA for 8u

  - JDK-8296108: (tz) Update Timezone Data to 2022f

  - JDK-8296239: ISO 4217 Amendment 174 Update

  - JDK-8296555: Enable hotspot/tier1 for 64-bit builds in GHA for 8u

  - JDK-8296715: CLDR v42 update for tzdata 2022f

  - JDK-8296959: Fix hotspot shell tests of 8u on multilib systems

  - JDK-8297141: Fix hotspot/test/runtime/SharedArchiveFile/DefaultUseWithClient.java for 8u

  - JDK-8297804: (tz) Update Timezone Data to 2022g

  - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR

  - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java

Notes on individual issues:

===========================

client-libs/javax.imageio:

JDK-8295687: Better BMP bounds

==============================

Loading a linked ICC profile within a BMP image is now disabled by

default. To re-enable it, set the new system property

`sun.imageio.bmp.enabledLinkedProfiles` to `true`.  This new property

replaces the old property,

`sun.imageio.plugins.bmp.disableLinkedProfiles`.

client-libs/javax.sound:

JDK-8293742: Better Banking of Sounds

=====================================

Previously, the SoundbankReader implementation,

`com.sun.media.sound.JARSoundbankReader`, would download a JAR

soundbank from a URL.  This behaviour is now disabled by default. To

re-enable it, set the new system property `jdk.sound.jarsoundbank` to

`true`.

hotspot/runtime:

JDK-8274840: Release Now Recognises Windows 11

==============================================

This release now correctly sets the `os.name` property to `Windows

11`, as would be expected.

other-libs/corba:idl:

JDK-8285021: Improve CORBA communication

========================================

The JDK's CORBA implementation now refuses by default to deserialize

objects, unless they have the "IOR:" prefix.  The previous behaviour

can be re-enabled by setting the new property

`com.sun.CORBA.ORBAllowDeserializeObject` to `true`.

security-libs/java.security:

JDK-8269039: Disabled SHA-1 Signed JARs

=======================================

JARs signed with SHA-1 algorithms are now restricted by default and

treated as if they were unsigned. This applies to the algorithms used

to digest, sign, and optionally timestamp the JAR. It also applies to

the signature and digest algorithms of the certificates in the

certificate chain of the code signer and the Timestamp Authority, and

any CRLs or OCSP responses that are used to verify if those

certificates have been revoked. These restrictions also apply to

signed JCE providers.

To reduce the compatibility risk for JARs that have been previously

timestamped, there is one exception to this policy:

- Any JAR signed with SHA-1 algorithms and timestamped prior to

  January 01, 2019 will not be restricted.

This exception may be removed in a future JDK release. To determine if

your signed JARs are affected by this change, run:

$ jarsigner -verify -verbose -certs`

on the signed JAR, and look for instances of "SHA1" or "SHA-1" and

"disabled" and a warning that the JAR will be treated as unsigned in

the output.

For example:

   Signed by "CN="Signer""

   Digest algorithm: SHA-1 (disabled)

   Signature algorithm: SHA1withRSA (disabled), 2048-bit key

   WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

   jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01

JARs affected by these new restrictions should be replaced or

re-signed with stronger algorithms.

Users can, *at their own risk*, remove these restrictions by modifying

the `java.security` configuration file (or override it by using the

`java.security.properties` system property) and removing "SHA1 usage

SignedJAR & denyAfter 2019-01-01" from the

`jdk.certpath.disabledAlgorithms` security property and "SHA1

denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security

property.

New in release OpenJDK 8u352 (2022-10-18):

===========================================

Live versions of these release notes can be found at:

  * https://bit.ly/openjdk8u352

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u352.txt

* Security fixes

  - JDK-8282252: Improve BigInteger/Decimal validation

  - JDK-8285662: Better permission resolution

  - JDK-8286511: Improve macro allocation

  - JDK-8286519: Better memory handling

  - JDK-8286526, CVE-2022-21619: Improve NTLM support

  - JDK-8286533, CVE-2022-21626: Key X509 usages

  - JDK-8286910, CVE-2022-21624: Improve JNDI lookups

  - JDK-8286918, CVE-2022-21628: Better HttpServer service

  - JDK-8288508: Enhance ECDSA usage

* Other changes

  - JDK-7131823: bug in GIFImageReader

  - JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate

  - JDK-8028265: Add legacy tz tests to OpenJDK

  - JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000]

  - JDK-8049228: Improve multithreaded scalability of InetAddress cache

  - JDK-8071507: (ref) Clear phantom reference as soft and weak references do

  - JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation

  - JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9

  - JDK-8136354: [TEST_BUG] Test  java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script

  - JDK-8139668: Generate README-build.html from markdown

  - JDK-8143847: Remove REF_CLEANER reference category

  - JDK-8147862: Null check too late in sun.net.httpserver.ServerImpl

  - JDK-8150669: C1 intrinsic for Class.isPrimitive

  - JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows

  - JDK-8173339: AArch64: Fix minimum stack size computations

  - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load

  - JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing

  - JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored

  - JDK-8183107: PKCS11 regression regarding checkKeySize

  - JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property

  - JDK-8194873: right ALT key hotkeys no longer work in Swing components

  - JDK-8201793: (ref) Reference object should not support cloning

  - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount()

  - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures.

  - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit

  - JDK-8235218: Minimal VM is broken after JDK-8173361

  - JDK-8235385: Crash on aarch64 JDK due to long offset

  - JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles

  - JDK-8254178: Remove .hgignore

  - JDK-8254318: Remove .hgtags

  - JDK-8256722: handle VC++:1927 VS2019 in  abstract_vm_version

  - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*)

  - JDK-8280963: Incorrect PrintFlags formatting on Windows

  - JDK-8282538: PKCS11 tests fail on CentOS Stream 9

  - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee

  - JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3

  - JDK-8285497: Add system property for Java SE specification maintenance version

  - JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE

  - JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11

  - JDK-8287521: Bump update version of OpenJDK: 8u352

  - JDK-8288763: Pack200 extraction failure with invalid size

  - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses

  - JDK-8290000: Bump macOS GitHub actions to macOS 11

  - JDK-8292579: (tz) Update Timezone Data to 2022c

  - JDK-8292688: Support Security properties in security.testlibrary.Proc

Notes on individual issues:

===========================

core-libs/java.lang:

JDK-8201793: (ref) Reference object should not support cloning

==============================================================

`java.lang.ref.Reference::clone` method always throws

`CloneNotSupportedException`. `Reference` objects cannot be

meaningfully cloned. To create a new Reference object, call the

constructor to create a `Reference` object with the same referent and

reference queue instead.

JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing

===============================================================================================

`java.lang.ref.Reference.enqueue` method clears the reference object

before it is added to the registered queue. When the `enqueue` method

is called, the reference object is cleared and `get()` method will

return null in OpenJDK 8u352.

Typically when a reference object is enqueued, it is expected that the

reference object is cleared explicitly via the `clear` method to avoid

memory leak because its referent is no longer referenced. In other

words the `get` method is expected not to be called in common cases

once the `enqueue`method is called. In the case when the `get` method

from an enqueued reference object and existing code attempts to access

members of the referent, `NullPointerException` may be thrown. Such

code will need to be updated.

JDK-8071507: (ref) Clear phantom reference as soft and weak references do

=========================================================================

This enhancement changes phantom references to be automatically

cleared by the garbage collector as soft and weak references.

An object becomes phantom reachable after it has been finalized. This

change may cause the phantom reachable objects to be GC'ed earlier -

previously the referent is kept alive until PhantomReference objects

are GC'ed or cleared by the application. This potential behavioral

change might only impact existing code that would depend on

PhantomReference being enqueued rather than when the referent be freed

from the heap.

core-libs/java.net:

JDK-8286918: Better HttpServer service

======================================

The HttpServer can be optionally configured with a maximum connection

limit by setting the jdk.httpserver.maxConnections system property. A

value of 0 or a negative integer is ignored and considered to

represent no connection limit. In the case of a positive integer

value, any newly accepted connections will be first checked against

the current count of established connections and, if the configured

limit has been reached, then the newly accepted connection will be

closed immediately.

core-libs/java.net:

JDK-8286918: Better HttpServer service

======================================

The HttpServer can be optionally configured with a maximum connection

limit by setting the jdk.httpserver.maxConnections system property. A

value of 0 or a negative integer is ignored and considered to

represent no connection limit. In the case of a positive integer

value, any newly accepted connections will be first checked against

the current count of established connections and, if the configured

limit has been reached, then the newly accepted connection will be

closed immediately.

security-libs/javax.net.ssl:

JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles

================================================================

The TLSv1.3 implementation is now enabled by default for client roles

in 8u352. It has been enabled by default for server roles since 8u272.

Note that TLS 1.3 is not directly compatible with previous

versions. Enabling it on the client may introduce compatibility issues

on either the server or the client side. Here are some more details on

potential compatibility issues that you should be aware of:

* TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions

  use a duplex-close policy. For applications that depend on the

  duplex-close policy, there may be compatibility issues when

  upgrading to TLS 1.3.

* The signature_algorithms_cert extension requires that pre-defined

  signature algorithms are used for certificate authentication. In

  practice, however, an application may use non-supported signature

  algorithms.

* The DSA signature algorithm is not supported in TLS 1.3. If a server

  is configured to only use DSA certificates, it cannot upgrade to TLS

  1.3.

* The supported cipher suites for TLS 1.3 are not the same as TLS 1.2

  and prior versions. If an application hard-codes cipher suites which

  are no longer supported, it may not be able to use TLS 1.3 without

  modifying the application code.

* The TLS 1.3 session resumption and key update behaviors are

  different from TLS 1.2 and prior versions. The compatibility should

  be minimal, but it could be a risk if an application depends on the

  handshake details of the TLS protocols.

The TLS 1.3 protocol can be disabled by using the jdk.tls.client.protocols

system property:

java -Djdk.tls.client.protocols="TLSv1.2" ...

Alternatively, an application can explicitly set the enabled protocols

with the javax.net.ssl APIs e.g.

sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"});

or:

SSLParameters params = sslSocket.getSSLParameters();

params.setProtocols(new String[] {"TLSv1.2"});

sslSocket.setSSLParameters(params);

New in release OpenJDK 8u345 (2022-08-01):

===========================================

Live versions of these release notes can be found at:

  * https://bit.ly/openjdk8u345

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u345.txt

* Other changes

  - JDK-8290832: It is no longer possible to change "user.dir" in the JDK8

  - JDK-8291568: Bump update version of OpenJDK: 8u345

Notes on individual issues:

===========================

core-libs/java.io:

JDK-8290832: It is no longer possible to change "user.dir" in the JDK8

======================================================================

A change, JDK-8194154, was introduced in the 8u342 release of OpenJDK

causing the JDK to ignore attempts to set the `user.dir` property.

While this change is suitable for a major release (it was originally

introduced in the initial release of OpenJDK 11), changing the

behaviour of such a property in an update release creates

compatibility issues in software that relies on the behaviour in prior

versions of OpenJDK 8.  As a result, we have reverted this change in

8u345.

New in release OpenJDK 8u342 (2022-07-19):

===========================================

Live versions of these release notes can be found at:

  * https://bit.ly/openjdk8u342

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u342.txt

* Security fixes

  - JDK-8272243: Improve DER parsing

  - JDK-8272249: Better properties of loaded Properties

  - JDK-8277608: Address IP Addressing

  - JDK-8281859, CVE-2022-21540: Improve class compilation

  - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations

  - JDK-8283190: Improve MIDI processing

  - JDK-8284370: Improve zlib usage

  - JDK-8285407, CVE-2022-34169: Improve Xalan supports

* Other changes

  - JDK-8031567: Better model for storing source revision information

  - JDK-8076190: Customizing the generation of a PKCS12 keystore

  - JDK-8129572: Cleanup usage of getResourceAsStream in jaxp

  - JDK-8132256: jaxp: Investigate removal of com/sun/org/apache/bcel/internal/util/ClassPath.java

  - JDK-8168926: C2: Bytecode escape analyzer crashes due to stack overflow

  - JDK-8170385: JDK-8031567 broke source bundles

  - JDK-8170392: JDK-8031567 broke builds from source bundles

  - JDK-8170530: bash configure output contains a typo in a suggested library name

  - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream

  - JDK-8194154: System property user.dir should not be changed

  - JDK-8202142: jfr/event/io/TestInstrumentation is unstable

  - JDK-8209771: jdk.test.lib.Utils::runAndCheckException error

  - JDK-8221988: add possibility to build with Visual Studio 2019

  - JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp

  - JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target

  - JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file

  - JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty"

  - JDK-8248876: LoadObject with bad base address created for exec file on linux

  - JDK-8253424: Add support for running pre-submit testing using GitHub Actions

  - JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably

  - JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command

  - JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow

  - JDK-8254175: Build no-pch configuration in debug mode for submit checks

  - JDK-8254282: Add Linux x86_32 builds to submit workflow

  - JDK-8255239: The timezone of the hs_err_pid log file is corrupted in Japanese locale

  - JDK-8255305: Add Linux x86_32 tier1 to submit workflow

  - JDK-8255352: Archive important test outputs in submit workflow

  - JDK-8255373: Submit workflow artifact name is always "test-results_.zip"

  - JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch

  - JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow

  - JDK-8256277: Github Action build on macOS should define OS and Xcode versions

  - JDK-8256354: Github Action build on Windows should define OS and MSVC versions

  - JDK-8256393: Github Actions build on Linux should define OS and GCC versions

  - JDK-8256414: add optimized build to submit workflow

  - JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing

  - JDK-8257056: Submit workflow should apt-get update to avoid package installation errors

  - JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386"

  - JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386"

  - JDK-8261107: ArrayIndexOutOfBoundsException in the ICC_Profile.getInstance(InputStream)

  - JDK-8263667: Avoid running GitHub actions on branches named pr/*

  - JDK-8266187: Memory leak in appendBootClassPath()

  - JDK-8274658: ISO 4217 Amendment 170 Update

  - JDK-8274751: Drag And Drop hangs on Windows

  - JDK-8278138: OpenJDK8 fails to start on Windows 8.1 after upgrading compiler to VS2017

  - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition

  - JDK-8281814: Debuginfo.diz contains redundant build path after backport JDK-8025936

  - JDK-8282225: GHA: Allow one concurrent run per PR only

  - JDK-8282458: Update .jcheck/conf file for 8u move to git

  - JDK-8282552: Bump update version of OpenJDK: 8u342

  - JDK-8283350: (tz) Update Timezone Data to 2022a

  - JDK-8284620: CodeBuffer may leak _overflow_arena

  - JDK-8284772: 8u GHA: Use GCC Major Version Dependencies Only

  - JDK-8285445: cannot open file "NUL:"

  - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java

  - JDK-8285591: [11] add signum checks in DSA.java engineVerify

  - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head

  - JDK-8286989: Build failure on macOS after 8281814

  - JDK-8287537: 8u JDK-8284620 backport broke AArch64 build

Notes on individual issues:

===========================

security-libs/java.security:

JDK-8215293: Customizing PKCS12 keystore Generation

===================================================

New system and security properties have been added to enable users to

customize the generation of PKCS #12 keystores. This includes

algorithms and parameters for key protection, certificate protection,

and MacData. The detailed explanation and possible values for these

properties can be found in the "PKCS12 KeyStore properties" section of

the `java.security` file.

Also, support for the following SHA-2 based HmacPBE algorithms has

been added to the SunJCE provider:

* HmacPBESHA224

* HmacPBESHA256

* HmacPBESHA384

* HmacPBESHA512

* HmacPBESHA512/224

* HmacPBESHA512/256

core-libs/java.io:

JDK-8285660: Enable Windows Alternate Data Streams by default

=============================================================

The Windows implementation of `java.io.File` has been changed so that

strict validity checks are **not** performed by default on file

paths. This includes allowing colons (':') in the path other than only

immediately after a single drive letter. It also allows paths that

represent NTFS Alternate Data Streams (ADS), such as

"filename:streamname". This restores the default behavior of

`java.io.File` to what it was prior to the April 2022 CPU in which

strict validity checks were not performed by default on file paths on

Windows. To re-enable strict path checking in `java.io.File`, the

system property `jdk.io.File.enableADS` should be set to `false` (case

ignored). This might be preferable, for example, if Windows special

device paths such as `NUL:` are *not* used.

New in release OpenJDK 8u332 (2022-04-22):

===========================================

Live versions of these release notes can be found at:

  * https://bit.ly/openjdk8u332

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u332.txt

* Security fixes

  - JDK-8269938: Enhance XML processing passes redux

  - JDK-8270504, CVE-2022-21426: Better XPath expression handling

  - JDK-8272255: Completely handle MIDI files

  - JDK-8272261: Improve JFR recording file processing

  - JDK-8272594: Better record of recordings

  - JDK-8274221: More definite BER encodings

  - JDK-8275151, CVE-2022-21443: Improved Object Identification

  - JDK-8277227: Better identification of OIDs

  - JDK-8277672, CVE-2022-21434: Better invocation handler handling

  - JDK-8278008, CVE-2022-21476: Improve Santuario processing

  - JDK-8278356: Improve file creation

  - JDK-8278449: Improve keychain support

  - JDK-8278805: Enhance BMP image loading

  - JDK-8278972, CVE-2022-21496: Improve URL supports

  - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo

* Other changes

  - JDK-8033980: Xerces Update: datatype XMLGregorianCalendarImpl and DurationImpl

  - JDK-8035437: Xerces Update: xml/serialize/DOMSerializerImpl

  - JDK-8035577: Xerces Update: impl/xpath/regex/RangeToken.java

  - JDK-8037259: xerces update: xpointer update

  - JDK-8041523: Xerces Update: Serializer improvements from Xalan

  - JDK-8141508: java.lang.invoke.LambdaConversionException: Invalid receiver type

  - JDK-8162572: Update License Header for all JAXP sources

  - JDK-8167014: jdeps: Missing message: warn.skipped.entry

  - JDK-8198411: [TEST_BUG] Two java2d tests are unstable in mach5

  - JDK-8202822: Add .git to .hgignore

  - JDK-8205540: test/hotspot/jtreg/vmTestbase/nsk/jdb/trace/trace001/trace001.java fails with Debuggee did not exit after 15 <cont> commands

  - JDK-8209178: Proxied HttpsURLConnection doesn't send BODY when retrying POST request

  - JDK-8210283: Support git as an SCM alternative in the build

  - JDK-8218682: [TEST_BUG] DashOffset fails in mach5

  - JDK-8225690: Multiple AttachListener threads can be created

  - JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134"

  - JDK-8227815: Minimal VM: set_state is not a member of AttachListener

  - JDK-8240633: Memory leaks in the implementations of FileChooserUI

  - JDK-8241768: git needs .gitattributes

  - JDK-8247766: [aarch64] guarantee(val < (1U << nbits)) failed: Field too big for insn

  - JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java fail on big screens

  - JDK-8253353: Crash in C2: guarantee(n != NULL) failed: No Node

  - JDK-8266749: AArch64: Backtracing broken on PAC enabled systems

  - JDK-8270290: NTLM authentication fails if HEAD request is used

  - JDK-8273229: Update OS detection code to recognize Windows Server 2022

  - JDK-8273341: Update Siphash to version 1.0

  - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated

  - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake

  - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE

  - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022

  - JDK-8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler

  - JDK-8280060: The sun/rmi/server/Activation.java class use Thread.dumpStack()

  - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972

  - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character

  - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException

  - JDK-8284920: Incorrect Token type causes XPath expression to return empty result

  - JDK-8284936: Fix Java 7 bootstrap breakage due to use of Arrays.stream

* Shenandoah

  - JDK-8260632: Build failures after JDK-8253353

  - JDK-8282458: Update .jcheck/conf file for sh-jdk8u move to git

New in release OpenJDK 8u322 (2022-01-18):

===========================================

Live versions of these release notes can be found at:

  * https://bit.ly/openjdk8u322

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u322.txt

* Security fixes

  - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization

  - JDK-8268488: More valuable DerValues

  - JDK-8268494: Better inlining of inlined interfaces

  - JDK-8268512: More content for ContentInfo

  - JDK-8268795: Enhance digests of Jar files

  - JDK-8268801: Improve PKCS attribute handling

  - JDK-8268813, CVE-2022-21283: Better String matching

  - JDK-8269151: Better construction of EncryptedPrivateKeyInfo

  - JDK-8269944: Better HTTP transport redux

  - JDK-8270392, CVE-2022-21293: Improve String constructions

  - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps

  - JDK-8270492, CVE-2022-21282: Better resolution of URIs

  - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management

  - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities

  - JDK-8271962: Better TrueType font loading

  - JDK-8271968: Better canonical naming

  - JDK-8271987: Manifest improved manifest entries

  - JDK-8272014, CVE-2022-21305: Better array indexing

  - JDK-8272026, CVE-2022-21340: Verify Jar Verification

  - JDK-8272236, CVE-2022-21341: Improve serial forms for transport

  - JDK-8272272: Enhance jcmd communication

  - JDK-8272462: Enhance image handling

  - JDK-8273290: Enhance sound handling

  - JDK-8273748, CVE-2022-21349: Improve Solaris font rendering

  - JDK-8273756, CVE-2022-21360: Enhance BMP image support

  - JDK-8273838, CVE-2022-21365: Enhanced BMP processing

* Other changes

  - JDK-6801613: Cross-platform pageDialog and printDialog top margin entry broken

  - JDK-8011541: [TEST_BUG] closed/javax/swing/plaf/metal/MetalUtils/bug6190373.java fails NPE since 7u25b03

  - JDK-8025430: [TEST_BUG] javax/swing/JEditorPane/5076514/bug5076514.java failed since jdk8b108

  - JDK-8041928: MouseEvent.getModifiersEx gives wrong result

  - JDK-8042199: The build of J2DBench via makefile is broken after the JDK-8005402

  - JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)

  - JDK-8048021: Remove @version tag in jaxp repo

  - JDK-8049348: compiler/intrinsics/bmi/verifycode tests on lzcnt and tzcnt use incorrect assumption about REXB prefix usage

  - JDK-8060027: Tests java/beans/XMLEncoder/Test4903007.java and java/beans/XMLEncoder/java_awt_GridBagLayout.java

  - JDK-8066588: javax/management/remote/mandatory/connection/RMIConnector_NPETest.java fails to compile

  - JDK-8066652: Default TimeZone is GMT not local if user.timezone is invalid on Mac OS

  - JDK-8069034: gc/g1/TestEagerReclaimHumongousRegionsClearMarkBits.java nightly failure

  - JDK-8077590: windows_i586_6.2-product-c2-runThese8_Xcomp_vm failing after win compiler upgrade

  - JDK-8080287: The image of BufferedImage.TYPE_INT_ARGB and BufferedImage.TYPE_INT_ARGB_PRE is blank

  - JDK-8140329: [TEST_BUG] test FullScreenAfterSplash.java failed because image was not generated

  - JDK-8140472: java/net/ipv6tests/TcpTest.java failed intermittently with java.net.BindException: Address already in use: NET_Bind

  - JDK-8147051: StaxEntityResolverWrapper should create StaxXMLInputSource with a resolver indicator

  - JDK-8148915: Intermittent failures of bug6400879.java

  - JDK-8176837: SunPKCS11 provider needs to check more details on PKCS11 Mechanism

  - JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black

  - JDK-8177536: Avoid Apple Peer-to-Peer interfaces in networking tests

  - JDK-8182036: Load from initializing arraycopy uses wrong memory state

  - JDK-8183369: RFC unconformity of HttpURLConnection with proxy

  - JDK-8183543: Aarch64: C2 compilation often fails with "failed spill-split-recycle sanity check"

  - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll

  - JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar

  - JDK-8190482: InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride

  - JDK-8190793: Httpserver does not detect truncated request body

  - JDK-8196572: Tests ColConvCCMTest.java and MTColConvTest.java fail

  - JDK-8202788: Explicitly reclaim cached thread-local direct buffers at thread exit

  - JDK-8210058: Algorithmic Italic font leans opposite angle in Printing

  - JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs

  - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021

  - JDK-8225083: Remove Google certificate that is expiring in December 2021

  - JDK-8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread

  - JDK-8231254: (fs) Add test for macOS Catalina changes to protect system software

  - JDK-8231438: [macOS] Dark mode for the desktop is not supported

  - JDK-8232178: MacVolumesTest failed after upgrade to MacOS Catalina

  - JDK-8232226: [macos 10.15] test/jdk/java/awt/color/EqualityTest/EqualityTest.java may fail

  - JDK-8235153: [TESTBUG] [macos 10.15] java/awt/Graphics/DrawImageBG/SystemBgColorTest.java fails

  - JDK-8236897: Fix the copyright header for pkcs11gcm2.h

  - JDK-8237499: JFR: Include stack trace in the ThreadStart event

  - JDK-8239886: Minimal VM build fails after JDK-8237499

  - JDK-8261397: Try Catch Method Failing to Work When Dividing An Integer By 0

  - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"

  - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions

  - JDK-8273308: PatternMatchTest.java fails on CI

  - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817

  - JDK-8273826: Correct Manifest file name and NPE checks

  - JDK-8273968: JCK javax_xml tests fail in CI

  - JDK-8274407: (tz) Update Timezone Data to 2021c

  - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b

  - JDK-8274468: TimeZoneTest.java fails with tzdata2021b

  - JDK-8274595: DisableRMIOverHTTPTest failed: connection refused

  - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST

  - JDK-8275766: (tz) Update Timezone Data to 2021e

  - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e

  - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766

Notes on individual issues:

===========================

security-libs/java.security:

JDK-8271434: Removed IdenTrust Root Certificate

===============================================

The following root certificate from IdenTrust has been removed from

the `cacerts` keystore:

Alias Name: identrustdstx3 [jdk]

Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.

JDK-8272535: Removed Google's GlobalSign Root Certificate

=========================================================

The following root certificate from Google has been removed from the

`cacerts` keystore:

Alias Name: globalsignr2ca [jdk]

Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2

core-libs/java.time:

JDK-8274857:  Update Timezone Data to 2021c

===========================================

IANA Time Zone Database, on which JDK's Date/Time libraries are based,

has been updated to version 2021c

(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note

that with this update, some of the time zone rules prior to the year

1970 have been modified according to the changes which were introduced

with 2021b. For more detail, refer to the announcement of 2021b

(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html)

New in release OpenJDK 8u312 (2021-10-19):

===========================================

Live versions of these release notes can be found at:

  * https://bitly.com/openjdk8u312

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u312.txt

* Security fixes

  - JDK-8130183, CVE-2021-35588: InnerClasses: VM permits wrong Throw ClassFormatError if InnerClasses attribute's inner_class_info_index is 0

  - JDK-8161016: Strange behavior of URLConnection with proxy

  - JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference

  - JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close

  - JDK-8263314: Enhance XML Dsig modes

  - JDK-8265167, CVE-2021-35556: Richer Text Editors

  - JDK-8265574: Improve handling of sheets

  - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit

  - JDK-8265776: Improve Stream handling for SSL

  - JDK-8266097, CVE-2021-35561: Better hashing support

  - JDK-8266103: Better specified spec values

  - JDK-8266109: More Resilient Classloading

  - JDK-8266115: More Manifest Jar Loading

  - JDK-8266137, CVE-2021-35564: Improve Keystore integrity

  - JDK-8266689, CVE-2021-35567: More Constrained Delegation

  - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic

  - JDK-8267712: Better LDAP reference processing

  - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking

  - JDK-8267735, CVE-2021-35586: Better BMP support

  - JDK-8268193: Improve requests of certificates

  - JDK-8268199: Correct certificate requests

  - JDK-8268506: More Manifest Digests