Key:

JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X

CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY

New in release OpenJDK 8u322 (2022-01-18):

===========================================

Live versions of these release notes can be found at:

  * https://bitly.com/openjdk8u322

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u322.txt

* Security fixes

  - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization

  - JDK-8268488: More valuable DerValues

  - JDK-8268494: Better inlining of inlined interfaces

  - JDK-8268512: More content for ContentInfo

  - JDK-8268795: Enhance digests of Jar files

  - JDK-8268801: Improve PKCS attribute handling

  - JDK-8268813, CVE-2022-21283: Better String matching

  - JDK-8269151: Better construction of EncryptedPrivateKeyInfo

  - JDK-8269944: Better HTTP transport redux

  - JDK-8270392, CVE-2022-21293: Improve String constructions

  - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps

  - JDK-8270492, CVE-2022-21282: Better resolution of URIs

  - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management

  - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities

  - JDK-8271962: Better TrueType font loading

  - JDK-8271968: Better canonical naming

  - JDK-8271987: Manifest improved manifest entries

  - JDK-8272014, CVE-2022-21305: Better array indexing

  - JDK-8272026, CVE-2022-21340: Verify Jar Verification

  - JDK-8272236, CVE-2022-21341: Improve serial forms for transport

  - JDK-8272272: Enhance jcmd communication

  - JDK-8272462: Enhance image handling

  - JDK-8273290: Enhance sound handling

  - JDK-8273748, CVE-2022-21349: Improve Solaris font rendering

  - JDK-8273756, CVE-2022-21360: Enhance BMP image support

  - JDK-8273838, CVE-2022-21365: Enhanced BMP processing

* Other changes

  - JDK-6801613: Cross-platform pageDialog and printDialog top margin entry broken

  - JDK-8011541: [TEST_BUG] closed/javax/swing/plaf/metal/MetalUtils/bug6190373.java fails NPE since 7u25b03

  - JDK-8025430: [TEST_BUG] javax/swing/JEditorPane/5076514/bug5076514.java failed since jdk8b108

  - JDK-8041928: MouseEvent.getModifiersEx gives wrong result

  - JDK-8042199: The build of J2DBench via makefile is broken after the JDK-8005402

  - JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)

  - JDK-8048021: Remove @version tag in jaxp repo

  - JDK-8049348: compiler/intrinsics/bmi/verifycode tests on lzcnt and tzcnt use incorrect assumption about REXB prefix usage

  - JDK-8060027: Tests java/beans/XMLEncoder/Test4903007.java and java/beans/XMLEncoder/java_awt_GridBagLayout.java

  - JDK-8066588: javax/management/remote/mandatory/connection/RMIConnector_NPETest.java fails to compile

  - JDK-8066652: Default TimeZone is GMT not local if user.timezone is invalid on Mac OS

  - JDK-8069034: gc/g1/TestEagerReclaimHumongousRegionsClearMarkBits.java nightly failure

  - JDK-8077590: windows_i586_6.2-product-c2-runThese8_Xcomp_vm failing after win compiler upgrade

  - JDK-8080287: The image of BufferedImage.TYPE_INT_ARGB and BufferedImage.TYPE_INT_ARGB_PRE is blank

  - JDK-8140329: [TEST_BUG] test FullScreenAfterSplash.java failed because image was not generated

  - JDK-8140472: java/net/ipv6tests/TcpTest.java failed intermittently with java.net.BindException: Address already in use: NET_Bind

  - JDK-8147051: StaxEntityResolverWrapper should create StaxXMLInputSource with a resolver indicator

  - JDK-8148915: Intermittent failures of bug6400879.java

  - JDK-8176837: SunPKCS11 provider needs to check more details on PKCS11 Mechanism

  - JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black

  - JDK-8177536: Avoid Apple Peer-to-Peer interfaces in networking tests

  - JDK-8182036: Load from initializing arraycopy uses wrong memory state

  - JDK-8183369: RFC unconformity of HttpURLConnection with proxy

  - JDK-8183543: Aarch64: C2 compilation often fails with "failed spill-split-recycle sanity check"

  - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll

  - JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar

  - JDK-8190482: InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride

  - JDK-8190793: Httpserver does not detect truncated request body

  - JDK-8196572: Tests ColConvCCMTest.java and MTColConvTest.java fail

  - JDK-8202788: Explicitly reclaim cached thread-local direct buffers at thread exit

  - JDK-8210058: Algorithmic Italic font leans opposite angle in Printing

  - JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs

  - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021

  - JDK-8225083: Remove Google certificate that is expiring in December 2021

  - JDK-8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread

  - JDK-8231254: (fs) Add test for macOS Catalina changes to protect system software

  - JDK-8231438: [macOS] Dark mode for the desktop is not supported

  - JDK-8232178: MacVolumesTest failed after upgrade to MacOS Catalina

  - JDK-8232226: [macos 10.15] test/jdk/java/awt/color/EqualityTest/EqualityTest.java may fail

  - JDK-8235153: [TESTBUG] [macos 10.15] java/awt/Graphics/DrawImageBG/SystemBgColorTest.java fails

  - JDK-8236897: Fix the copyright header for pkcs11gcm2.h

  - JDK-8237499: JFR: Include stack trace in the ThreadStart event

  - JDK-8239886: Minimal VM build fails after JDK-8237499

  - JDK-8261397: Try Catch Method Failing to Work When Dividing An Integer By 0

  - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"

  - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions

  - JDK-8273308: PatternMatchTest.java fails on CI

  - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817

  - JDK-8273826: Correct Manifest file name and NPE checks

  - JDK-8273968: JCK javax_xml tests fail in CI

  - JDK-8274407: (tz) Update Timezone Data to 2021c

  - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b

  - JDK-8274468: TimeZoneTest.java fails with tzdata2021b

  - JDK-8274595: DisableRMIOverHTTPTest failed: connection refused

  - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST

  - JDK-8275766: (tz) Update Timezone Data to 2021e

  - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e

  - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766

Notes on individual issues:

===========================

security-libs/java.security:

JDK-8271434: Removed IdenTrust Root Certificate

===============================================

The following root certificate from IdenTrust has been removed from

the `cacerts` keystore:

Alias Name: identrustdstx3 [jdk]

Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.

JDK-8272535: Removed Google's GlobalSign Root Certificate

=========================================================

The following root certificate from Google has been removed from the

`cacerts` keystore:

Alias Name: globalsignr2ca [jdk]

Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2

core-libs/java.time:

JDK-8274857:  Update Timezone Data to 2021c

===========================================

IANA Time Zone Database, on which JDK's Date/Time libraries are based,

has been updated to version 2021c

(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note

that with this update, some of the time zone rules prior to the year

1970 have been modified according to the changes which were introduced

with 2021b. For more detail, refer to the announcement of 2021b

(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html)

New in release OpenJDK 8u312 (2021-10-19):

===========================================

Live versions of these release notes can be found at:

  * https://bitly.com/openjdk8u312

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u312.txt

* Security fixes

  - JDK-8130183, CVE-2021-35588: InnerClasses: VM permits wrong Throw ClassFormatError if InnerClasses attribute's inner_class_info_index is 0

  - JDK-8161016: Strange behavior of URLConnection with proxy

  - JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference

  - JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close

  - JDK-8263314: Enhance XML Dsig modes

  - JDK-8265167, CVE-2021-35556: Richer Text Editors

  - JDK-8265574: Improve handling of sheets

  - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit

  - JDK-8265776: Improve Stream handling for SSL

  - JDK-8266097, CVE-2021-35561: Better hashing support

  - JDK-8266103: Better specified spec values

  - JDK-8266109: More Resilient Classloading

  - JDK-8266115: More Manifest Jar Loading

  - JDK-8266137, CVE-2021-35564: Improve Keystore integrity

  - JDK-8266689, CVE-2021-35567: More Constrained Delegation

  - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic

  - JDK-8267712: Better LDAP reference processing

  - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking

  - JDK-8267735, CVE-2021-35586: Better BMP support

  - JDK-8268193: Improve requests of certificates

  - JDK-8268199: Correct certificate requests

  - JDK-8268506: More Manifest Digests

  - JDK-8269618, CVE-2021-35603: Better session identification

  - JDK-8269624: Enhance method selection support

  - JDK-8270398: Enhance canonicalization

  - JDK-8270404: Better canonicalization

* Other changes

  - JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit

  - JDK-7146776: deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection

  - JDK-7188942: Remove support of pbuffers in OGL Java2d pipeline

  - JDK-8004148: NPE in sun.awt.SunToolkit.getWindowDeactivationTime

  - JDK-8022323: [JavaSecurityScanner] review package com.sun.management.* Native methods should be private

  - JDK-8027154: [TESTBUG] Test java/awt/Mouse/GetMousePositionTest/GetMousePositionWithPopup.java fails

  - JDK-8035001: TEST_BUG: the retry logic in RMID.start() should check that the subprocess hasn't terminated

  - JDK-8035424: (reflect) Performance problem in sun.reflect.generics.parser.SignatureParser

  - JDK-8042557: compiler/uncommontrap/TestSpecTrapClassUnloading.java fails with: GC triggered before VM initialization completed

  - JDK-8054118: java/net/ipv6tests/UdpTest.java failed intermittently

  - JDK-8065215: Print warning summary at end of configure

  - JDK-8072767: DefaultCellEditor for comboBox creates ActionEvent with wrong source object

  - JDK-8079891: Store configure log in $BUILD/configure.log

  - JDK-8080082: configure fails if you create an empty directory and then run configure from it

  - JDK-8086003: Test fails on OSX with java.lang.RuntimeException 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3' missing

  - JDK-8131062: aarch64: add support for GHASH acceleration

  - JDK-8134869: AARCH64: GHASH intrinsic is not optimal

  - JDK-8134989: java/net/MulticastSocket/TestInterfaces.java failed due to unexpected IP address

  - JDK-8156584: Initialization race in sun.security.x509.AlgorithmId.get

  - JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream

  - JDK-8166673: The new implementation of Robot.waitForIdle() may hang

  - JDK-8170467: (reflect) Optimize SignatureParser's use of StringBuilders

  - JDK-8194246: JVM crashes when calling getStackTrace if stack contains a method that is a member of a very large class

  - JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails

  - JDK-8202837: PBES2 AlgorithmId encoding error in PKCS12 KeyStore

  - JDK-8206189: sun/security/pkcs12/EmptyPassword.java fails with Sequence tag error

  - JDK-8214418: half-closed SSLEngine status may cause application dead loop

  - JDK-8214513: A PKCS12 keystore from Java 8 using custom PBE parameters cannot be read in Java 11

  - JDK-8220786: Create new switch to redirect error reporting output to stdout or stderr

  - JDK-8222751: closed/test/jdk/sun/security/util/DerIndefLenConverter/IndefBerPkcs12.java fail

  - JDK-8229243: SunPKCS11-Solaris provider tests failing on Solaris 11.4

  - JDK-8231222: fix pkcs11 P11_DEBUG guarded native traces

  - JDK-8237495: Java MIDI fails with a dereferenced memory error when asked to send a raw 0xF7

  - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers

  - JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in Windows Print

  - JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)

  - JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files

  - JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available

  - JDK-8248901: Signed immediate support in .../share/assembler.hpp is broken.

  - JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test

  - JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space"

  - JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames()

  - JDK-8263311: Watch registry changes for remote printers update instead of polling

  - JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers"

  - JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M

  - JDK-8265238: [8u] [macos] build failure in OpenJDK8u after JDK-8211301 in older xcode

  - JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container

  - JDK-8265978: make test should look for more locations when searching for exit code

  - JDK-8266206: Build failure after JDK-8264752 with older GCCs

  - JDK-8268103: JNI functions incorrectly return a double after JDK-8265836

  - JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server

  - JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark

  - JDK-8269763: The JEditorPane is blank after JDK-8265167

  - JDK-8269810: [8u] Update generated_configure.sh after JDK-8250876 backport

  - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers

  - JDK-8269859: BacktraceBuilder._cprefs needs to be accessed as unsigned short

  - JDK-8269882: stack-use-after-scope in NewObjectA

  - JDK-8269953: config.log is not in build directory after 8u backport of JDK-8079891

  - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup

  - JDK-8271466: StackGap test fails on aarch64 due to "-m64"

  - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon

  - JDK-8272214: [8u] Build failure after backport of JDK-8248901

  - JDK-8272714: [8u] Build failure after backport of JDK-8248901 with MSVC 2013

* Shenandoah

  - [backport] JDK-8269661: JNI_GetStringCritical does not lock char array

  - Re-cast JNI critical strings patch to be Shenandoah-specific

Notes on individual issues:

===========================

core-libs/java.net:

JDK-8164200: Modified HttpURLConnection behavior when no suitable proxy is found

================================================================================

The behavior of HttpURLConnection when using a ProxySelector has been

modified with this JDK release. HttpURLConnection used to fall back to

a DIRECT connection attempt if the configured proxy(s) failed to make

a connection. This release introduces a change whereby no DIRECT

connection will be attempted in such a scenario. Instead, the

HttpURLConnection.connect() method will fail and throw an IOException

which occurred from the last proxy tested.

security-libs/javax.net.ssl:

JDK-8219551: Updated the Default Enabled Cipher Suites Preference

=================================================================

The preference of the default enabled cipher suites has been

changed. The compatibility impact should be minimal. If needed,

applications can customize the enabled cipher suites and the

preference. For more details, refer to the SunJSSE provider

documentation and the JSSE Reference Guide documentation.

New in release OpenJDK 8u302 (2021-07-20):

===========================================

Live versions of these release notes can be found at:

  * https://bitly.com/openjdk8u302

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u302.txt

* Security fixes

  - JDK-8256157: Improve bytecode assembly

  - JDK-8256491: Better HTTP transport

  - JDK-8258432, CVE-2021-2341: Improve file transfers

  - JDK-8260453: Improve Font Bounding

  - JDK-8260960: Signs of jarsigner signing

  - JDK-8260967, CVE-2021-2369: Better jar file validation

  - JDK-8262380: Enhance XML processing passes

  - JDK-8262403: Enhanced data transfer

  - JDK-8262410: Enhanced rules for zones

  - JDK-8262477: Enhance String Conclusions

  - JDK-8262967: Improve Zip file support

  - JDK-8264066, CVE-2021-2388: Enhance compiler validation

  - JDK-8264079: Improve abstractions

  - JDK-8264460: Improve NTLM support

* Other changes

  - JDK-6878250: (so) IllegalBlockingModeException thrown when reading from a closed SocketChannel's InputStream

  - JDK-6990210: [TEST_BUG] EventDispatchThread/HandleExceptionOnEDT/HandleExceptionOnEDT.java fails on gnome

  - JDK-7059970: Test case: javax/imageio/plugins/png/ITXtTest.java is not closing a file

  - JDK-7106851: Test should not use System.exit

  - JDK-8019470: Changes needed to compile JDK 8 on MacOS with clang compiler

  - JDK-8028618: [TEST BUG] javax/swing/JScrollBar/bug4202954/bug4202954.java fails

  - JDK-8030123: java/beans/Introspector/Test8027648.java fails

  - JDK-8032050: Clean up for java/rmi/activation/Activatable/shutdownGracefully/ShutdownGracefully.java

  - JDK-8033289: clang: clean up unused function warning

  - JDK-8034856: gcc warnings compiling src/solaris/native/sun/security/pkcs11

  - JDK-8034857: gcc warnings compiling src/solaris/native/sun/management

  - JDK-8035000: clean up ActivationLibrary.DestroyThread

  - JDK-8035054: JarFacade.c should not include ctype.h

  - JDK-8035287: gcc warnings compiling various libraries files

  - JDK-8036095: RMI tests using testlibrary.RMID and testlibrary.JavaVM do not pass through vmoptions

  - JDK-8037825: Fix warnings and enable "warnings as errors" in serviceability native libraries

  - JDK-8042891: Format issues embedded in macros for two g1 source files

  - JDK-8043264: hsdis library not picked up correctly on expected paths

  - JDK-8043646: libosxapp.dylib fails to build on Mac OS 10.9 with clang

  - JDK-8047939: [TESTBUG] Rewrite test/runtime/8001071/Test8001071.sh

  - JDK-8055754: filemap.cpp does not compile with clang

  - JDK-8064909: FragmentMetaspace.java got OutOfMemoryError

  - JDK-8066508: JTReg tests timeout on slow devices when run using JPRT

  - JDK-8066807: langtools/test/Makefile should use -agentvm not -samevm

  - JDK-8071374: -XX:+PrintAssembly -XX:+PrintSignatureHandlers crash fastdebug VM with assert(limit == __null || limit <= nm->code_end()) in RelocIterator::initialize

  - JDK-8073446: TimeZone getOffset API does not return a dst offset between years 2038-2137

  - JDK-8074835: Resolve disabled warnings for libj2gss

  - JDK-8074836: Resolve disabled warnings for libosxkrb5

  - JDK-8075071: [TEST_BUG] TimSortStackSize2.java: OOME: Java heap space: MaxHeap shrinked by MaxRAMFraction

  - JDK-8077364: "if( !this )" construct prevents build on Xcode 6.3

  - JDK-8078855: [TEST_BUG] javax/swing/JComboBox/8032878/bug8032878.java fails in WindowsClassicLookAndFeel

  - JDK-8081764: [TEST_BUG] Test javax/swing/plaf/aqua/CustomComboBoxFocusTest.java fails on Windows, Solaris Sparcv9 and Linux but passes on MacOSX

  - JDK-8129511: PlatformMidi.c:83 uses malloc without malloc header

  - JDK-8130308: Too low memory usage in TestPromotionFromSurvivorToTenuredAfterMinorGC.java

  - JDK-8130430: [TEST_BUG] remove unnecessary internal calls from javax/swing/JRadioButton/8075609/bug8075609.java

  - JDK-8132148: G1 hs_err region dump legend out of sync with region values

  - JDK-8132709: [TESTBUG] gc/g1/TestHumongousShrinkHeap.java might fail on embedded

  - JDK-8134672: [TEST_BUG] Some tests should check isDisplayChangeSupported

  - JDK-8134883: C1 hard crash in range check elimination in Nashorn test262parallel

  - JDK-8136592: [TEST_BUG] Fix 2 platform-specific closed regtests for jigsaw

  - JDK-8138820: JDK Hotspot build fails with Xcode 7.0.1

  - JDK-8151786: [TESTBUG] java/beans/XMLEncoder/Test4625418.java timed out intermittently

  - JDK-8159898: Negative array size in java/beans/Introspector/Test8027905.java

  - JDK-8166046: [TESTBUG] compiler/stringopts/TestStringObjectInitialization.java fails with OOME

  - JDK-8166724: gc/g1/TestHumongousShrinkHeap.java fails with OOME

  - JDK-8172188: JDI tests fail due to "permission denied" when creating temp file

  - JDK-8177809: File.lastModified() is losing milliseconds (always ends in 000)

  - JDK-8178403: DirectAudio in JavaSound may hang and leak

  - JDK-8180478: tools/launcher/MultipleJRE.sh fails on Windows because of extra-''

  - JDK-8183910: gc/arguments/TestAggressiveHeap.java fails intermittently

  - JDK-8190332: PngReader throws NegativeArraySizeException/OOM error when IHDR width is very large

  - JDK-8190679: java/util/Arrays/TimSortStackSize2.java fails with "Initial heap size set to a larger value than the maximum heap size"

  - JDK-8191955: AArch64: incorrect prefetch distance causes an internal error

  - JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails

  - JDK-8199265: java/util/Arrays/TimSortStackSize2.java fails with OOM

  - JDK-8200550: Xcode 9.3 produce warning -Wexpansion-to-defined

  - JDK-8202299: Java Keystore fails to load PKCS12/PFX certificates created in WindowsServer2016

  - JDK-8203196: C1 emits incorrect code due to integer overflow in _tableswitch keys

  - JDK-8205014: com/sun/jndi/ldap/DeadSSLLdapTimeoutTest.java failed with "Read timed out"

  - JDK-8206243: java -XshowSettings fails if memory.limit_in_bytes overflows LONG.max

  - JDK-8206925: Support the certificate_authorities extension

  - JDK-8209996: [PPC64] Fix JFR profiling

  - JDK-8214345: infinite recursion while checking super class

  - JDK-8217230: assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types()

  - JDK-8217348: assert(thread->is_Java_thread()) failed: just checking

  - JDK-8225081: Remove Telia Company CA certificate expiring in April 2021

  - JDK-8225116: Test OwnedWindowsLeak.java intermittently fails

  - JDK-8228757: Fail fast if the handshake type is unknown

  - JDK-8230428: Cleanup dead CastIP node code in formssel.cpp

  - JDK-8231631: sun/net/ftp/FtpURLConnectionLeak.java fails intermittently with NPE

  - JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns

  - JDK-8231949: [PPC64, s390]: Make async profiling more reliable

  - JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater()

  - JDK-8239053: [8u] clean up undefined-var-template warnings

  - JDK-8239400: [8u] clean up undefined-var-template warnings

  - JDK-8241649: Optimize Character.toString

  - JDK-8241829: Cleanup the code for PrinterJob on windows

  - JDK-8242565: Policy initialization issues when the denyAfter constraint is enabled

  - JDK-8243559: Remove root certificates with 1024-bit keys

  - JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node

  - JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable

  - JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList

  - JDK-8250876: Fix issues with cross-compile on macos

  - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows

  - JDK-8253375: OSX build fails with Xcode 12.0 (12A7209)

  - JDK-8254631: Better support ALPN byte wire values in SunJSSE

  - JDK-8255086: Update the root locale display names

  - JDK-8255734: VM should ignore SIGXFSZ on ppc64, s390 too

  - JDK-8256818: SSLSocket that is never bound or connected leaks socket resources

  - JDK-8257039: [8u] GenericTaskQueue destructor is incorrect

  - JDK-8257670: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks

  - JDK-8257884: Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test

  - JDK-8257997: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884

  - JDK-8257999: Parallel GC crash in gc/parallel/TestDynShrinkHeap.java: new region is not in covered_region

  - JDK-8258419: RSA cipher buffer cleanup

  - JDK-8258669: fastdebug jvm crashes when do event based tracing for monitor inflation

  - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues

  - JDK-8259271: gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region"

  - JDK-8259619: C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect

  - JDK-8259886: Improve SSL session cache performance and scalability

  - JDK-8260029: aarch64: fix typo in verify_oop_array

  - JDK-8260236: better init AnnotationCollector _contended_group

  - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized

  - JDK-8260484: CheckExamples.java / NoJavaLangTest.java fail with jtreg 4.2

  - JDK-8260704: ParallelGC: oldgen expansion needs release-store for _end

  - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding

  - JDK-8261867: Backport relevant test changes & additions from JDK-8130125

  - JDK-8262110: DST starts from incorrect time in 2038

  - JDK-8262446: DragAndDrop hangs on Windows

  - JDK-8262726: AArch64: C1 StubAssembler::call_RT can corrupt stack

  - JDK-8262730: Enable jdk8u MacOS external debug symbols

  - JDK-8262864: No debug symbols in image for Windows --with-native-debug-symbols=external

  - JDK-8263061: copy wrong unpack200 debuginfo to bin directory after 8252395

  - JDK-8263504: Some OutputMachOpcodes fields are uninitialized

  - JDK-8263600: change rmidRunning to a simple lookup

  - JDK-8264509: jdk8u MacOS zipped debug symbols won't build

  - JDK-8264562: assert(verify_field_bit(1)) failed: Attempting to write an uninitialized event field: type

  - JDK-8264640: CMS ParScanClosure misses a barrier

  - JDK-8264816: Weak handles leak causes GC to take longer

  - JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod

  - JDK-8265666: Enable AIX build platform to make external debug symbols

  - JDK-8265832: runtime/StackGap/testme.sh fails to compile in 8u

  - JDK-8265988: Fix sun/text/IntHashtable/Bug4170614 for JDK 8u

  - JDK-8266191: Missing aarch64 parts of JDK-8181872 (C1: possible overflow when strength reducing integer multiply by constant)

  - JDK-8266723: JFR periodic events are causing extra allocations

  - JDK-8266929: Unable to use algorithms from 3p providers

  - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash

  - JDK-8267426: MonitorVmStartTerminate test timed out on Embedded VM

  - JDK-8267545: [8u] Enable Xcode 12 builds on macOS

  - JDK-8267689: [aarch64] Crash due to bad shift in indirect addressing mode

  - JDK-8268444: keytool -v -list print is incorrect after backport JDK-8141457

  - JDK-8269388: Default build of OpenJDK 8 fails on newer GCCs with warnings as errors on format-overflow

  - JDK-8269468: JDK-8269388 breaks the build on older GCCs

  - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS

* Shenandoah

  - [backport] JDK-8259580: Shenandoah: uninitialized label in VerifyThreadGCState

  - [backport] JDK-8259954: gc/shenandoah/mxbeans tests fail with -Xcomp

  - [backport] JDK-8261251: Shenandoah: Use object size for full GC humongous

  - [backport] JDK-8261413: Shenandoah: Disable class-unloading in I-U mode

  - [backport] JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1

  - [backport] JDK-8266802: Shenandoah: Round up region size to page size unconditionally

  - [backport] JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC

  - [backport] JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size

  - [backport] JDK-8268699: Shenandoah: Add test for JDK-8268127

  - Shenandoah: Process weak roots during class unloading cycle

Notes on individual issues:

===========================

security-libs/java.security:

JDK-8256902: Removed Root Certificates with 1024-bit Keys

=========================================================

The following root certificates with weak 1024-bit RSA public keys

have been removed from the `cacerts` keystore:

Alias Name: thawtepremiumserverca [jdk]

Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

Alias Name: verisignclass2g2ca [jdk]

Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

Alias Name: verisignclass3ca [jdk]

Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

Alias Name: verisignclass3g2ca [jdk]

Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

Alias Name: verisigntsaca [jdk]

Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA

JDK-8261361: Removed Telia Company's Sonera Class2 CA certificate

=================================================================

The following root certificate have been removed from the cacerts truststore:

Alias Name: soneraclass2ca

Distinguished Name: CN=Sonera Class2 CA, O=Sonera, C=FI

security-libs/javax.net.ssl:

JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values

=========================================================================================

Certain TLS ALPN values couldn't be properly read or written by the

SunJSSE provider. This is due to the choice of Strings as the API

interface and the undocumented internal use of the UTF-8 Character Set

which converts characters larger than U+00007F (7-bit ASCII) into

multi-byte arrays that may not be expected by a peer.

ALPN values are now represented using the network byte representation

expected by the peer, which should require no modification for

standard 7-bit ASCII-based character Strings. However, SunJSSE now

encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1

characters.  This means applications that used characters above

U+000007F that were previously encoded using UTF-8 may need to either

be modified to perform the UTF-8 conversion, or set the Java security

property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior.

See the updated guide at

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html

for more information.

JDK-8244460: Support for certificate_authorities Extension

==========================================================

The "certificate_authorities" extension is an optional extension

introduced in TLS 1.3. It is used to indicate the certificate

authorities (CAs) that an endpoint supports and should be used by the

receiving endpoint to guide certificate selection.

With this JDK release, the "certificate_authorities" extension is

supported for TLS 1.3 in both the client and the server sides.  This

extension is always present for client certificate selection, while it

is optional for server certificate selection.

Applications can enable this extension for server certificate

selection by setting the `jdk.tls.client.enableCAExtension` system

property to `true`.  The default value of the property is `false`.

Note that if the client trusts more CAs than the size limit of the

extension (less than 2^16 bytes), the extension is not enabled.  Also,

some server implementations do not allow handshake messages to exceed

2^14 bytes.  Consequently, there may be interoperability issues when

`jdk.tls.client.enableCAExtension` is set to `true` and the client

trusts more CAs than the server implementation limit.

New in release OpenJDK 8u292 (2021-04-20):

===========================================

Live versions of these release notes can be found at:

  * https://bitly.com/openjdk8u292

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u292.txt

* Security fixes

  - JDK-8227467: Better class method invocations

  - JDK-8244473: Contextualize registration for JNDI

  - JDK-8244543: Enhanced handling of abstract classes

  - JDK-8249906, CVE-2021-2163: Enhance opening JARs

  - JDK-8250568, CVE-2021-2161: Less ambiguous processing

  - JDK-8253799: Make lists of normal filenames

* Other changes

  - JDK-6345095: regression test EmptyClipRenderingTest fails

  - JDK-6896810: TEST_BUG: java/lang/ref/SoftReference/Pin.java fails with OOME during System.out.println

  - JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop

  - JDK-7107012: sun.jvm.hotspot.code.CompressedReadStream readDouble() conversion to long mishandled

  - JDK-7112454: TEST_BUG: java/awt/Choice/PopdownGeneratesMouseEvents/PopdownGeneratesMouseEvents.html failed

  - JDK-7131835: [TEST_BUG] Test does not consider that the rounded edges of the window in Mac OS 10.7

  - JDK-7185221: [macosx] Regtest should not throw exception if a suitable display mode found

  - JDK-8031126: java/lang/management/ThreadMXBean/ThreadUserTime.java fails intermittently

  - JDK-8035166: Remove dependency on EC classes from pkcs11 provider

  - JDK-8035186: j2se_jdk/jdk/test/java/lang/invoke/lambda/LogGeneratedClassesTest.java - assertion error

  - JDK-8038723: Openup some PrinterJob tests

  - JDK-8041464: [TEST_BUG] CustomClassLoaderTransferTest does not support OS X

  - JDK-8041561: Inconsistent opacity behaviour between JCheckBox and JRadioButton

  - JDK-8061777: (zipfs) IllegalArgumentException in ZipCoder.toString when using Shitft_JIS

  - JDK-8078024: javac, several incorporation steps are silently failing when an error should be reported

  - JDK-8078450: Implement consistent process for quarantine of tests

  - JDK-8078614: WindowsClassicLookAndFeel MetalComboBoxUI.getbaseLine fails with IllegalArgumentException

  - JDK-8080953: [TEST_BUG]Test java/awt/FontClass/DebugFonts.java fails due to wrongly typed bugid

  - JDK-8081547: Prepare client libs regression tests for running in a concurrent, headless jtreg environment

  - JDK-8129626: G1: set_in_progress() and clear_started() needs a barrier on non-TSO platforms

  - JDK-8141457: keytool default cert fingerprint algorithm should be SHA-256

  - JDK-8145051: Wrong parameter name in synthetic lambda method leads to verifier error

  - JDK-8150204: (fs) Enhance java/nio/file/Files/probeContentType/Basic.java debugging output

  - JDK-8158525: Update a few java/net tests to use the loopback address instead of the host address

  - JDK-8160217: JavaSound should clean up resources better

  - JDK-8167281: IIOMetadataNode bugs in getElementsByTagName and NodeList.item methods

  - JDK-8168996: C2 crash at postaloc.cpp:140 : assert(false) failed: unexpected yanked node

  - JDK-8171410: aarch64: long multiplyExact shifts by 31 instead of 63

  - JDK-8172404: Tools should warn if weak algorithms are used before restricting them

  - JDK-8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"

  - JDK-8191915: JCK tests produce incorrect results with C2

  - JDK-8198334: java/awt/FileDialog/8003399/bug8003399.java fails in headless mode

  - JDK-8202343: Disable TLS 1.0 and 1.1

  - JDK-8209333: Socket reset issue for TLS 1.3 socket close

  - JDK-8211301: [macos] support full window content options

  - JDK-8211339: NPE during SSL handshake caused by HostnameChecker

  - JDK-8216987: ciMethodData::load_data() unpacks MDOs with non-atomic copy

  - JDK-8217338: [Containers] Improve systemd slice memory limit support

  - JDK-8219991: New fix of the deadlock in sun.security.ssl.SSLSocketImpl

  - JDK-8221408: Windows 32bit build build errors/warnings in hotspot

  - JDK-8223186: HotSpot compile warnings from GCC 9

  - JDK-8225435: Upgrade IANA Language Subtag Registry to the latest for JDK14

  - JDK-8225805: Java Access Bridge does not close the logger

  - JDK-8226899: Problemlist compiler/rtm tests

  - JDK-8227642: [TESTBUG] Make docker tests podman compatible

  - JDK-8228434: jdk/net/Sockets/Test.java fails after JDK-8227642

  - JDK-8229284: jdk/internal/platform/cgroup/TestCgroupMetrics.java fails for - memory:getMemoryUsage

  - JDK-8230388: Problemlist additional compiler/rtm tests

  - JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR

  - JDK-8234727: sun/security/ssl/X509TrustManagerImpl tests support TLSv1.3

  - JDK-8234728: Some security tests should support TLSv1.3

  - JDK-8235263: Revert TLS 1.3 change that wrapped IOExceptions

  - JDK-8235311: Tag mismatch may alert bad_record_mac

  - JDK-8235874: The ordering of Cipher Suites is not maintained provided through jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites system property.

  - JDK-8236500: Windows ucrt.dll should be looked up in versioned WINSDK subdirectory

  - JDK-8238579: HttpsURLConnection drops the timeout and hangs forever in read

  - JDK-8239091: Reversed arguments in call to strstr in freetype "debug" code.

  - JDK-8240353: AArch64: missing support for -XX:+ExtendedDTraceProbes in C1

  - JDK-8240827: Downport SSLSocketImpl.java from "8221882: Use fiber-friendly java.util.concurrent.locks in JSSE"

  - JDK-8242141: New System Properties to configure the TLS signature schemes

  - JDK-8244621: [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11

  - JDK-8248336: AArch64: C2: offset overflow in BoxLockNode::emit

  - JDK-8249183: JVM crash in "AwtFrame::WmSize" method

  - JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel

  - JDK-8249588: libwindowsaccessbridge issues on 64bit Windows

  - JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets

  - JDK-8250984: Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities

  - JDK-8251397: NPE on ClassValue.ClassValueMap.cacheArray

  - JDK-8252470: java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows

  - JDK-8253368: TLS connection always receives close_notify exception

  - JDK-8253476: TestUseContainerSupport.java fails on some Linux kernels w/o swap limit capabilities

  - JDK-8253932: SSL debug log prints incorrect caller info

  - JDK-8254854: [cgroups v1] Metric limits not properly detected on some join controller combinations

  - JDK-8255880: UI of Swing components is not redrawn after their internal state changed

  - JDK-8255908: ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem

  - JDK-8255937: Better cleanup for test/jdk/javax/imageio/stream/StreamFlush.java

  - JDK-8256421: Add 2 HARICA roots to cacerts truststore

  - JDK-8256642: [TEST_BUG] jdk/test/javax/sound/midi/MidiSystem/DefaultProperties.java failed

  - JDK-8258079: Eliminate ParNew's use of klass_or_null()

  - JDK-8256682: JDK-8202343 is incomplete

  - JDK-8257746: Regression introduced with JDK-8250984 - memory might be null in some machines

  - JDK-8258241: [8u] Missing doPrivileged() hunks from JDK-8226575

  - JDK-8258247: Couple of issues in fix for JDK-8249906

  - JDK-8258396: SIGILL in jdk.jfr.internal.PlatformRecorder.rotateDisk()

  - JDK-8258430: 8u backport of JDK-8063107 missing test/javax/swing/JRadioButton/8041561/bug8041561.java changes

  - JDK-8258833: Cancel multi-part cipher operations in SunPKCS11 after failures

  - JDK-8258933: G1 needs klass_or_null_acquire

  - JDK-8259048: (tz) Upgrade time-zone data to tzdata2020f

  - JDK-8259312: VerifyCACerts.java fails as soneraclass2ca cert will

  - JDK-8259384: CUP version wrong in THIRD_PARTY_README after JDK-8233548

  - JDK-8259428: AlgorithmId.getEncodedParams() should return copy

  - JDK-8259568: PPC64 builds broken after JDK-8221408 8u backport

  - JDK-8260349: Cannot programmatically retrieve Metaspace max set via JAVA_TOOL_OPTIONS

  - JDK-8260356: (tz) Upgrade time-zone data to tzdata2021a

  - JDK-8260930: AARCH64: Invalid value passed to critical JNI function

  - JDK-8261183: Follow on to Make lists of normal filenames

  - JDK-8261231: Windows IME was disabled after DnD operation

  - JDK-8261766: [8u] hotspot needs to recognise cl.exe 19.16 to build with VS2017

  - JDK-8262073: assert(allocates2(pc)) failed: not in CodeBuffer memory

  - JDK-8262075: sun/security/krb5/auto/UseCacheAndStoreKey.java timed out intermittently

  - JDK-8263008: AARCH64: Add debug info for libsaproc.so

  - JDK-8264171: Missing aarch64 parts of JDK-8236179 (C1 register allocation failure with T_ADDRESS)

* Shenandoah

  - Normalise whitespace in AArch64 sources prior to merge of upstreamed version in 8u292-b01.

  - Revert differences against upstream 8u

  - [backport] 8202976: Add C1 lea patching support for x86

  - [backport] 8221507: Implement JFR Events for Shenandoah

  - [backport] 8224573: Fix windows build after JDK-8221507

  - [backport] 8228369: Shenandoah: Refactor LRB C1 stubs

  - [backport] 8229474: Shenandoah: Cleanup CM::update_roots()

  - [backport] 8229709: x86_32 build and test failures after JDK-8228369 (Shenandoah: Refactor LRB C1 stubs)

  - [backport] 8231087: Shenandoah: Self-fixing load reference barriers for C1/C2

  - [backport] 8232747: Shenandoah: Concurrent GC should deactivate SATB before processing weak roots

  - [backport] 8232992: Shenandoah: Implement self-fixing interpreter LRB

  - [backport] 8233021: Shenandoah: SBSC2::is_shenandoah_lrb_call should match all LRB shapes

  - [backport] 8233165: Shenandoah:SBSA::gen_load_reference_barrier_stub() should use pointer register for address on aarch64

  - [backport] 8233574: Shenandoah: build is broken without jfr

  - [backport] 8237837: Shenandoah: assert(mem == __null) failed: only one safepoint

  - [backport] 8238153: CTW: C2 (Shenandoah) compilation fails with "Unknown node in get_load_addr: CreateEx"

  - [backport] 8238851: Shenandoah: C1: Resolve into registers of correct type

  - [backport] 8240315: Shenandoah: Rename ShLBN::get_barrier_strength()

  - [backport] 8240751: Shenandoah: fold ShenandoahTracer definition

  - [backport] 8241765: Shenandoah: AARCH64 need to save/restore call clobbered registers before calling keepalive barrier

  - [backport] 8244510: Shenandoah: invert SHC2Support::is_in_cset condition

  - [backport] 8244663: Shenandoah: C2 assertion fails in Matcher::collect_null_checks

  - [backport] 8244721: CTW: C2 (Shenandoah) compilation fails with "unexpected infinite loop graph shape"

  - [backport] 8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U

  - [backport] 8252660: Shenandoah: support manageable SoftMaxHeapSize option

  - [backport] 8253224: Shenandoah: ShenandoahStrDedupQueue destructor calls virtual num_queues()

  - [backport] 8253778: ShenandoahSafepoint::is_at_shenandoah_safepoint should not access VMThread state from other threads

  - [backport] 8255457: Shenandoah: cleanup ShenandoahMarkTask

  - [backport] 8255760: Shenandoah: match constants style in ShenandoahMarkTask fallback

  - [backport] 8256806: Shenandoah: optimize shenandoah/jni/TestPinnedGarbage.java test

  - [backport] 8257641: Shenandoah: Query is_at_shenandoah_safepoint() from control thread should return false

  - Fix register allocation for thread register is 32bit LRB

  - Fix Shenandoah bindings in ADLC formssel

  - Shenandoah: Backed out weak roots cleaning during full gc

Notes on individual issues:

===========================

security-libs/java.security:

JDK-8260597: Added 2 HARICA Root CA Certificates

================================================

The following root certificates have been added to the cacerts truststore:

Alias Name: haricarootca2015

Distinguished Name: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR

Alias Name: haricaeccrootca2015

Distinguished Name: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR

JDK-8236730: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default

===================================================================================

Weak named curves are disabled by default by adding them to the

following `disabledAlgorithms` security properties:

* jdk.tls.disabledAlgorithms

* jdk.certpath.disabledAlgorithms

* jdk.jar.disabledAlgorithms

Red Hat has always disabled many of the curves provided by upstream,

so the only addition in this release is:

* secp256k1

The curves that remain enabled are:

* secp256r1

* secp384r1

* secp521r1

* X25519

* X448

When large numbers of weak named curves need to be disabled, adding

individual named curves to each `disabledAlgorithms` property would be

overwhelming. To relieve this, a new security property,

`jdk.disabled.namedCurves`, is implemented that can list the named

curves common to all of the `disabledAlgorithms` properties. To use

the new property in the `disabledAlgorithms` properties, precede the

full property name with the keyword `include`.  Users can still add

individual named curves to `disabledAlgorithms` properties separate

from this new property.  No other properties can be included in the

`disabledAlgorithms` properties.

To restore the named curves, remove the `include

jdk.disabled.namedCurves` either from specific or from all

`disabledAlgorithms` security properties. To restore one or more

curves, remove the specific named curve(s) from the

`jdk.disabled.namedCurves` property.

JDK-8244286: Tools Warn If Weak Algorithms Are Used

===================================================

The `keytool` and `jarsigner` tools have been updated to warn users

when weak cryptographic algorithms are used in keys, certificates, and

signed JARs before they are disabled. The weak algorithms are set in

the `jdk.security.legacyAlgorithms` security property in the

`java.security` configuration file. In this release, the tools issue

warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.