Key:

JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X

CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY

New in release OpenJDK 8u412 (2024-04-16):

===========================================

Live versions of these release notes can be found at:

  * https://bit.ly/openjdk8u412

* CVEs

  - CVE-2024-21011

  - CVE-2024-21085

  - CVE-2024-21068

  - CVE-2024-21094

* Security fixes

  - JDK-8317507, JDK-8325348: C2 compilation fails with "Exceeded _node_regs array"

  - JDK-8318340: Improve RSA key implementations

  - JDK-8319851: Improve exception logging

  - JDK-8322114: Improve Pack 200 handling

  - JDK-8322122: Enhance generation of addresses

* Other changes

  - JDK-8011180: Delete obsolete scripts

  - JDK-8016451: Scary messages emitted by build.tools.generatenimbus.PainterGenerator during build

  - JDK-8021961: setAlwaysOnTop doesn't behave correctly in Linux/Solaris under certain scenarios

  - JDK-8023735: [TESTBUG][macosx] runtime/XCheckJniJsig/XCheckJSig.java fails on MacOS X

  - JDK-8074860: Structured Exception Catcher missing around CreateJavaVM on Windows

  - JDK-8079441: Intermittent failures on Windows with "Unexpected exit from test [exit code: 1080890248]" (0x406d1388)

  - JDK-8155590: Dubious collection management in sun.net.www.http.KeepAliveCache

  - JDK-8168518: rcache interop with krb5-1.15

  - JDK-8183503: Update hotspot tests to allow for unique test classes directory

  - JDK-8186095: upgrade to jtreg 4.2 b08

  - JDK-8186199: [windows] JNI_DestroyJavaVM not covered by SEH

  - JDK-8192931: Regression test java/awt/font/TextLayout/CombiningPerf.java fails

  - JDK-8208655: use JTreg skipped status in hotspot tests

  - JDK-8208701: Fix for JDK-8208655 causes test failures in CI tier1

  - JDK-8208706: compiler/tiered/ConstantGettersTransitionsTest.java fails to compile

  - JDK-8213410: UseCompressedOops requirement check fails fails on 32-bit system

  - JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"

  - JDK-8224768: Test ActalisCA.java fails

  - JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits

  - JDK-8251551: Use .md filename extension for README

  - JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired

  - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java  OCSP response error

  - JDK-8270517: Add Zero support for LoongArch

  - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled

  - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test

  - JDK-8288132: Update test artifacts in QuoVadis CA interop tests

  - JDK-8297955: LDAP CertStore should use LdapName and not String for DNs

  - JDK-8301310: The SendRawSysexMessage test may cause a JVM crash

  - JDK-8308592: Framework for CA interoperability testing

  - JDK-8312126: NullPointerException in CertStore.getCRLs after 8297955

  - JDK-8315042: NPE in PKCS7.parseOldSignedData

  - JDK-8315757: [8u] Add cacerts JTREG tests to GHA tier1 test set

  - JDK-8320713: Bump update version of OpenJDK: 8u412

  - JDK-8321060: [8u] hotspot needs to recognise VS2022

  - JDK-8321408: Add Certainly roots R1 and E1

  - JDK-8322725: (tz) Update Timezone Data to 2023d

  - JDK-8322750: Test "api/java_awt/interactive/SystemTrayTests.html" failed because A blue ball icon is added outside of the system tray

  - JDK-8323202: [8u] Remove get_source.sh and hgforest.sh

  - JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed

  - JDK-8324184: Windows VS2010 build failed with "error C2275: 'int64_t'"

  - JDK-8324530: Build error with gcc 10

  - JDK-8325150: (tz) Update Timezone Data to 2024a

Notes on individual issues:

===========================

security-libs/org.ietf.jgss:krb5:

JDK-8168518: rcache interop with krb5-1.15

==========================================

The hash algorithm used in the Kerberos 5 replay cache file (rcache)

has been changed from MD5 to SHA256. This is the same algorithm used

by MIT krb5-1.15 and is interoperable with earlier releases of MIT

krb5.

The MD5 algorithm can still be used by setting the new

jdk.krb5.rcache.useMD5 property to 'true':

java -Djdk.krb5.rcache.useMD5=true ...

This is useful where either the system has a coarse clock and has to

depend on hash values in replay attack detection, or interoperability

with the rcache files in older versions of OpenJDK is required.

client-libs/java.awt:

JDK-8322750: AWT SystemTray API Is Not Supported on Most Linux Desktops

=======================================================================

The java.awt.SystemTray API is used to interact with the system's

desktop taskbar to provide notifications and may include an icon

representing an application. The GNOME desktop's support for taskbar

icons has not worked properly for several years, due to a platform

bug. This bug, in turn, affects the JDK's SystemTray support on GNOME

desktops.

Therefore, in accordance with the SystemTray API specification,

java.awt.SystemTray.isSupported() will now return false on systems

that exhibit this bug, which is assumed to be those running a version

of GNOME Shell below 45.

The impact of this change is likely to be minimal, as users of the

SystemTray API should already be able to handle isSupported()

returning false and the system tray on such platforms has already been

unsupported for a number of years for all applications.

security-libs/java.security:

JDK-8321408: Added Certainly R1 and E1 Root Certificates

========================================================

The following root certificate has been added to the cacerts

truststore:

Name: Certainly

Alias Name: certainlyrootr1

Distinguished Name: CN=Certainly Root R1, O=Certainly, C=US

Name: Certainly

Alias Name: certainlyroote1

Distinguished Name: CN=Certainly Root E1, O=Certainly, C=US

New in release OpenJDK 8u402 (2024-01-16):

===========================================

Live versions of these release notes can be found at:

  * https://bit.ly/openjdk8u402

* CVEs

  - CVE-2024-20918

  - CVE-2024-20919

  - CVE-2024-20921

  - CVE-2024-20926

  - CVE-2024-20945

  - CVE-2024-20952

* Security fixes

  - JDK-8308204: Enhanced certificate processing

  - JDK-8314284: Enhance Nashorn performance

  - JDK-8314295: Enhance verification of verifier

  - JDK-8314307: Improve loop handling

  - JDK-8314468: Improve Compiler loops

  - JDK-8316976: Improve signature handling

  - JDK-8317547: Enhance TLS connection support

* Other changes

  - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion

  - JDK-8029995: accept yes/no for boolean krb5.conf settings

  - JDK-8159156: [TESTBUG] ReserveMemory test is not useful on Aix.

  - JDK-8176509: Use pandoc for converting build readme to html

  - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value

  - JDK-8207404: MulticastSocket tests failing on AIX

  - JDK-8212677: X11 default visual support for IM status window on VNC

  - JDK-8239365: ProcessBuilder test modifications for AIX execution

  - JDK-8271838: AmazonCA.java interop test fails

  - JDK-8285398: Cache the results of constraint checks

  - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg'  is null

  - JDK-8302017: Allocate BadPaddingException only if it will be thrown

  - JDK-8305329: [8u] Unify test libraries into single test library - step 1

  - JDK-8307837: [8u] Check step in GHA should also print errors

  - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails

  - JDK-8311813: C1: Uninitialized PhiResolver::_loop field

  - JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar

  - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException

  - JDK-8315280: Bump update version of OpenJDK: 8u402

  - JDK-8315506: C99 compatibility issue in LinuxNativeDispatcher

  - JDK-8317291: Missing null check for nmethod::is_native_method()

  - JDK-8317373: Add Telia Root CA v2

  - JDK-8317374: Add Let's Encrypt ISRG Root X2

  - JDK-8318759: Add four DigiCert root certificates

  - JDK-8319187: Add three eMudhra emSign roots

  - JDK-8319405: [s390] [jdk8] Increase javac default stack size for s390x zero

  - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly

Notes on individual issues:

===========================

security-libs/org.ietf.jgss:krb5:

JDK-8029995: accept yes/no for boolean krb5.conf settings

=========================================================

The krb5.conf configuration file now also accepts "yes" and "no", as

alternatives to the existing "true" and "false" support, when using

settings that take boolean values.

security-libs/java.security:

JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar

===============================================================================================================================

A maximum signature file size property, jdk.jar.maxSignatureFileSize,

was introduced in the 8u382 release of OpenJDK by JDK-8300596, with a

default of 8MB. This default proved to be too small for some JAR

files. This release, 8u402, increases it to 16MB.

JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt

=================================================================

The following root certificate has been added to the cacerts

truststore:

Name: Let's Encrypt

Alias Name: letsencryptisrgx2

Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US

JDK-8318759: Added Four Root Certificates from DigiCert, Inc.

=============================================================

The following root certificates have been added to the cacerts

truststore:

Name: DigiCert, Inc.

Alias Name: digicertcseccrootg5

Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US

Name: DigiCert, Inc.

Alias Name: digicertcsrsarootg5

Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US

Name: DigiCert, Inc.

Alias Name: digicerttlseccrootg5

Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US

Name: DigiCert, Inc.

Alias Name: digicerttlsrsarootg5

Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US

JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited

============================================================================

The following root certificates have been added to the cacerts

truststore:

Name: eMudhra Technologies Limited

Alias Name: emsignrootcag1

Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

Name: eMudhra Technologies Limited

Alias Name: emsigneccrootcag3

Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

Name: eMudhra Technologies Limited

Alias Name: emsignrootcag2

Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

JDK-8317373: Added Telia Root CA v2 Certificate

===============================================

The following root certificate has been added to the cacerts

truststore:

Name: Telia Root CA v2

Alias Name: teliarootcav2

Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ```

New in release OpenJDK 8u392 (2023-10-17):

===========================================

Live versions of these release notes can be found at:

  * https://bit.ly/openjdk8u392

* CVEs

  - CVE-2023-22067

  - CVE-2023-22081

* Security fixes

  - JDK-8286503, JDK-8312367: Enhance security classes

  - JDK-8297856: Improve handling of Bidi characters

  - JDK-8303384: Improved communication in CORBA

  - JDK-8305815, JDK-8307278: Update Libpng to 1.6.39

  - JDK-8309966: Enhanced TLS connections

* Other changes

  - JDK-6722928: Provide a default native GSS-API library on Windows

  - JDK-8040887: [TESTBUG] Remove test/runtime/6925573/SortMethodsTest.java

  - JDK-8042726: [TESTBUG] TEST.groups file was not updated after runtime/6925573/SortMethodsTest.java removal

  - JDK-8139348: Deprecate 3DES and RC4 in Kerberos

  - JDK-8173072: zipfs fails to handle incorrect info-zip "extended timestamp extra field"

  - JDK-8200468: Port the native GSS-API bridge to Windows

  - JDK-8202952: C2: Unexpected dead nodes after matching

  - JDK-8205399: Set node color on pinned HashMap.TreeNode deletion

  - JDK-8209115: adjust libsplashscreen linux ppc64le builds for easier libpng update

  - JDK-8214046: [macosx] Undecorated Frame does not Iconify when set to

  - JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException

  - JDK-8225687: Newly added sspi.cpp in JDK-6722928 still contains some small errors

  - JDK-8232225: Rework the fix for JDK-8071483

  - JDK-8242330: Arrays should be cloned in several JAAS Callback classes

  - JDK-8253269: The CheckCommonColors test should provide more info on failure

  - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)

  - JDK-8284910: Buffer clean in PasswordCallback

  - JDK-8287073: NPE from CgroupV2Subsystem.getInstance()

  - JDK-8287663: Add a regression test for JDK-8287073

  - JDK-8295685: Update Libpng to 1.6.38

  - JDK-8295894: Remove SECOM certificate that is expiring in September 2023

  - JDK-8308788: [8u] Remove duplicate HaricaCA.java test

  - JDK-8309122: Bump update version of OpenJDK: 8u392

  - JDK-8309143: [8u] fix archiving inconsistencies in GHA

  - JDK-8310026: [8u] make java_lang_String::hash_code consistent across platforms

  - JDK-8314960: Add Certigna Root CA - 2

  - JDK-8315135: Memory leak in the native implementation of Pack200.Unpacker.unpack()

  - JDK-8317040: Exclude cleaner test failing on older releases

Notes on individual issues:

===========================

other-libs/corba:idl:

JDK-8303384: Improved communication in CORBA

============================================

The JDK's CORBA implementation now provides the option to limit

serialisation in stub objects to those with the "IOR:" prefix.  For

ORB constrained stub classes:

* _DynArrayStub

* _DynEnumStub

* _DynFixedStub

* _DynSequenceStub

* _DynStructStub

* _DynUnionStub

* _DynValueStub

* _DynAnyStub

* _DynAnyFactoryStub

this is enabled by default and may be disabled by setting the system

property org.omg.DynamicAny.disableIORCheck to 'true'.

For remote service stub classes:

* _NamingContextStub

* _BindingIteratorStub

* _NamingContextExtStub

* _ServantActivatorStub

* _ServantLocatorStub

* _ServerManagerStub

* _ActivatorStub

* _RepositoryStub

* _InitialNameServiceStub

* _LocatorStub

* _ServerStub

it is disabled by default and may be enabled by setting the system

property org.omg.CORBA.IDL.Stubs.enableIORCheck to 'true'.

security-libs/org.ietf.jgss:

JDK-6722928: Added a Default Native GSS-API Library on Windows

==============================================================

A native GSS-API library named `sspi_bridge.dll` has been added to the

JDK on the Windows platform.  As with native GSS-API library provision

on other operating systems, it will only be loaded when the

`sun.security.jgss.native` system property is set to "true". A user

can still load a third-party native GSS-API library instead by setting

the `sun.security.jgss.lib` system property to the appropriate path.

The library is client-side only and uses the default credentials.

Native GSS support automatically uses cached credentials from the

underlying operating system, so the

`javax.security.auth.useSubjectCredsOnly` system property should be

set to false.

The `com.sun.security.auth.module.Krb5LoginModule` does not call

native JGSS and so its use in your JAAS config should be avoided.

security-libs/org.ietf.jgss:krb5:

JDK-8139348: Deprecate 3DES and RC4 in Kerberos

===============================================

The `des3-hmac-sha1` and `rc4-hmac` Kerberos encryption types (etypes)

are now deprecated and disabled by default.  To re-enable them, you

can either enable all weak crypto (which also includes `des-cbc-crc`

and `des-cbc-md5`) by setting `allow_weak_crypto = true` in the

`krb5.conf` configuration file or explicitly list all the preferred

encryption types using the `default_tkt_enctypes`,

`default_tgs_enctypes`, or `permitted_enctypes` settings.

security-libs/java.security:

JDK-8295894: Removed SECOM Trust System's RootCA1 Root Certificate

==================================================================

The following root certificate from SECOM Trust System has been

removed from the `cacerts` keystore:

Alias Name: secomscrootca1 [jdk]

Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP

JDK-8314960: Added Certigna Root CA Certificate

===============================================

The following root certificate has been added to the cacerts

truststore:

Name: Certigna (Dhimyotis)

Alias Name: certignarootca

Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR

security-libs/javax.security:

JDK-8242330: Arrays should be cloned in several JAAS Callback classes

=====================================================================

In the JAAS classes, ChoiceCallback and ConfirmationCallback, arrays

were not cloned when passed into a constructor or returned. This

allowed an external program to get access to the internal fields of

these classes. The classes have been updated to return cloned arrays.

New in release OpenJDK 8u382 (2023-07-18):

===========================================

Live versions of these release notes can be found at:

  * https://bit.ly/openjdk8u382

* CVEs

  - CVE-2023-22045

  - CVE-2023-22049

* Security fixes

  - JDK-8298676: Enhanced Look and Feel

  - JDK-8300596: Enhance Jar Signature validation

  - JDK-8304468: Better array usages

  - JDK-8305312: Enhanced path handling

* Other changes

  - JDK-8072678: Wrong exception messages in java.awt.color.ICC_ColorSpace

  - JDK-8151460: Metaspace counters can have inconsistent values

  - JDK-8152432: Implement setting jtreg @requires properties vm.flavor, vm.bits, vm.compMode

  - JDK-8185736: missing default exception handler in calls to rethrow_Stub

  - JDK-8186801: Add regression test to test mapping based charsets (generated at build time)

  - JDK-8215105: java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color

  - JDK-8241311: Move some charset mapping tests from closed to open

  - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert

  - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped

  - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key

  - JDK-8276841: Add support for Visual Studio 2022

  - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode

  - JDK-8278851: Correct signer logic for jars signed with multiple digest algorithms

  - JDK-8282345: handle latest VS2022 in abstract_vm_version

  - JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary

  - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4

  - JDK-8289301: P11Cipher should not throw out of bounds exception during padding

  - JDK-8293232: Fix race condition in pkcs11 SessionManager

  - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation

  - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13

  - JDK-8298108: Add a regression test for JDK-8297684

  - JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows

  - JDK-8301119: Support for GB18030-2022

  - JDK-8301400: Allow additional characters for GB18030-2022 support

  - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message

  - JDK-8303028: Update system property for Java SE specification maintenance version

  - JDK-8303462: Bump update version of OpenJDK: 8u382

  - JDK-8304760: Add 2 Microsoft TLS roots

  - JDK-8305165: [8u] ServiceThread::nmethods_do is not called to keep nmethods from being zombied while in the queue

  - JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support

  - JDK-8305975: Add TWCA Global Root CA

  - JDK-8307134: Add GTS root CAs

  - JDK-8307310: Backport the tests for JDK-8058969 and JDK-8039271 to the OpenJDK8

  - JDK-8307531: [aarch64] JDK8 single-step debugging is extremely slow

  - JDK-8310947: gb18030-2000 not selectable with LANG=zh_CN.GB18030 after JDK-8301119

Notes on individual issues:

===========================

core-libs/java.lang:

JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support

===========================================================================

In order to support "Implementation Level 2" of the GB18030-2022

standard, the JDK must be able to use characters from the CJK Unified

Ideographs Extension E block of Unicode 8.0.  The addition of these

characters forms Maintenance Release 5 of the Java SE 8 specification,

which is implemented in this release of OpenJDK via the addition of a

new UnicodeBlock instance,

Character.CJK_UNIFIED_IDEOGRAPHS_EXTENSION_E.

core-libs/java.util.jar:

8300596: Enhance Jar Signature validation

=========================================

A System property "jdk.jar.maxSignatureFileSize" is introduced to

configure the maximum number of bytes allowed for the

signature-related files in a JAR file during verification. The default

value is 8000000 bytes (8 MB).

security-libs/java.security:

JDK-8307134: Added 4 GTS Root CA Certificates

=============================================

The following root certificates have been added to the cacerts

truststore:

Name: Google Trust Services LLC

Alias Name: gtsrootcar1

Distinguished Name: CN=GTS Root R1, O=Google Trust Services LLC, C=US

Name: Google Trust Services LLC

Alias Name: gtsrootcar2

Distinguished Name: CN=GTS Root R2, O=Google Trust Services LLC, C=US

Name: Google Trust Services LLC

Alias Name: gtsrootcar3

Distinguished Name: CN=GTS Root R3, O=Google Trust Services LLC, C=US

Name: Google Trust Services LLC

Alias Name: gtsrootcar4

Distinguished Name: CN=GTS Root R4, O=Google Trust Services LLC, C=US

JDK-8304760: Added Microsoft Corporation's 2 TLS Root CA Certificates

=====================================================================

The following root certificates has been added to the cacerts

truststore:

Name: Microsoft Corporation

Alias Name: microsoftecc2017

Distinguished Name: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US

Name: Microsoft Corporation

Alias Name: microsoftrsa2017

Distinguished Name: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US

JDK-8305975: Added TWCA Root CA Certificate

===========================================

The following root certificate has been added to the cacerts

truststore:

Name: TWCA

Alias Name: twcaglobalrootca

Distinguished Name: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW

New in release OpenJDK 8u372 (2023-04-18):

===========================================

Live versions of these release notes can be found at:

  * https://bit.ly/openjdk8u372

* CVEs

  - CVE-2023-21930

  - CVE-2023-21937

  - CVE-2023-21938

  - CVE-2023-21939

  - CVE-2023-21954

  - CVE-2023-21967

  - CVE-2023-21968

* Security fixes

  - JDK-8287404: Improve ping times

  - JDK-8288436: Improve Xalan supports

  - JDK-8294474: Better AES support

  - JDK-8295304: Runtime support improvements

  - JDK-8296496, JDK-8292652: Overzealous check in sizecalc.h prevents large memory allocation

  - JDK-8296676, JDK-8296622: Improve String platform support

  - JDK-8296684: Improve String platform support

  - JDK-8296692: Improve String platform support

  - JDK-8296700: Improve String platform support

  - JDK-8296832: Improve Swing platform support

  - JDK-8297371: Improve UTF8 representation redux

  - JDK-8298191: Enhance object reclamation process

  - JDK-8298310: Enhance TLS session negotiation

  - JDK-8298667: Improved path handling

  - JDK-8299129: Enhance NameService lookups

* New features

  - JDK-8230305: Cgroups v2: Container awareness

* Other changes

  - JDK-6734341: REGTEST fails: SelectionAutoscrollTest.html

  - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows

  - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails

  - JDK-7124238: [macosx] Font in BasicHTML document is bigger than it should be

  - JDK-7124381: DragSourceListener.dragDropEnd() never been called on completion of dnd operation

  - JDK-8039888: [TEST_BUG] keyboard garbage after javax/swing/plaf/windows/WindowsRootPaneUI/WrongAltProcessing/WrongAltProcessing.java

  - JDK-8042098: [TESTBUG] Test sun/java2d/AcceleratedXORModeTest.java fails on Windows

  - JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled

  - JDK-8072770: [TESTBUG] Some Introspector tests fail with a Java heap bigger than 4GB

  - JDK-8075964: Test java/awt/Mouse/TitleBarDoubleClick/TitleBarDoubleClick.html fails intermittently with timeout error

  - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing

  - JDK-8142540: [TEST_BUG] Test sun/awt/dnd/8024061/bug8024061.java fails on ubuntu

  - JDK-8156579: Two JavaBeans tests failed

  - JDK-8156581: Cleanup of ProblemList.txt

  - JDK-8159135: [PIT] javax/swing/JMenuItem/8152981/MenuItemIconTest.java always fail

  - JDK-8177560: @headful key can be removed from the tests for JavaSound

  - JDK-8196196: Headful tests should not be run in headless mode

  - JDK-8196467: javax/swing/JInternalFrame/Test6325652.java fails

  - JDK-8197408: Bad pointer comparison and small cleanup in os_linux.cpp

  - JDK-8203485: [freetype] text rotated on 180 degrees is too narrow

  - JDK-8205959: Do not restart close if errno is EINTR

  - JDK-8216366: Add rationale to PER_CPU_SHARES define

  - JDK-8226236: win32: gc/metaspace/TestCapacityUntilGCWrapAround.java fails

  - JDK-8228585: jdk/internal/platform/cgroup/TestCgroupMetrics.java - NumberFormatException because of large long values (memory limit_in_bytes)

  - JDK-8229182: [TESTBUG] runtime/containers/docker/TestMemoryAwareness.java test fails on SLES12

  - JDK-8229202: Docker reporting causes secondary crashes in error handling

  - JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy

  - JDK-8232207: Linux os::available_memory re-reads cgroup configuration on every invocation

  - JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos

  - JDK-8234484: Add ability to configure third port for remote JMX

  - JDK-8237479: 8230305 causes slowdebug build failure

  - JDK-8239559: Cgroups: Incorrect detection logic on some systems

  - JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot

  - JDK-8239827: The test OpenByUNCPathNameTest.java should be changed to be manual

  - JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111

  - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873

  - JDK-8242468: VS2019 build missing vcruntime140_1.dll

  - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails

  - JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java

  - JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible)

  - JDK-8245654: Add Certigna Root CA

  - JDK-8247676: vcruntime140_1.dll is not needed on 32-bit Windows

  - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked

  - JDK-8252359: HotSpot Not Identifying it is Running in a Container

  - JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota

  - JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist

  - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high

  - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly

  - JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems

  - JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code

  - JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection

  - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards

  - JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes

  - JDK-8257620: Do not use objc_msgSend_stret to get macOS version

  - JDK-8262379: Add regression test for JDK-8257746

  - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec

  - JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics

  - JDK-8270317: Large Allocation in CipherSuite

  - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked

  - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11

  - JDK-8275713: TestDockerMemoryMetrics test fails on recent runc

  - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10

  - JDK-8280048: Missing comma in copyright header

  - JDK-8282398: EndingDotHostname.java test fails because SSL cert expired

  - JDK-8282511: Use fixed certificate validation date in SSLExampleCert template

  - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions

  - JDK-8283277: ISO 4217 Amendment 171 Update

  - JDK-8283606: Tests may fail with zh locale on MacOS

  - JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124

  - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox

  - JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem

  - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist

  - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3

  - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller

  - JDK-8287109: Distrust.java failed with CertificateExpiredException

  - JDK-8287463: JFR: Disable TestDevNull.java on Windows

  - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete

  - JDK-8289549: ISO 4217 Amendment 172 Update

  - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun

  - JDK-8291570: [TESTBUG] Part of JDK-8250984 absent from 11u

  - JDK-8292083: Detected container memory limit may exceed physical machine memory

  - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory

  - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present

  - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts

  - JDK-8293767: AWT test TestSinhalaChar.java has old SCCS markings

  - JDK-8294307: ISO 4217 Amendment 173 Update

  - JDK-8294767: 8u contains two copies of test/../FileUtils.java, one uses JDK9+ features

  - JDK-8295322: Tests for JDK-8271459 were not backported to 11u

  - JDK-8295952: Problemlist existing compiler/rtm tests also on x86

  - JDK-8295982: Failure in sun/security/tools/keytool/WeakAlg.java - ks: The process cannot access the file because it is being used by another process

  - JDK-8296239: ISO 4217 Amendment 174 Update

  - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing

  - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException

  - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent

  - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2

  - JDK-8297329: [8u] hotspot needs to recognise VS2019

  - JDK-8297739: Bump update version of OpenJDK: 8u372

  - JDK-8297996: [8u] generated images are broken due to renaming of MSVC runtime DLL's

  - JDK-8298027: Remove SCCS id's from awt jtreg tests

  - JDK-8298307: Enable hotspot/tier1 for 32-bit builds in GHA for 8u

  - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR

  - JDK-8299445: EndingDotHostname.java fails because of compilation errors

  - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java

  - JDK-8299548: Fix hotspot/test/runtime/Metaspace/MaxMetaspaceSizeTest.java in 8u

  - JDK-8299804: Fix non-portable code in hotspot shell tests in 8u

  - JDK-8300014: Some backports placed the tests in the wrong location

  - JDK-8300119: CgroupMetrics.getTotalMemorySize0() can report invalid results on 32 bit systems

  - JDK-8301122: [8u] Fix unreliable vs2010 download link

  - JDK-8301143: [TESTBUG] jfr/event/sampling/TestNative was backported to JDK8u without proper native wrapper

  - JDK-8301246: NPE in FcFontManager.getDefaultPlatformFont() on Linux without installed fontconfig

  - JDK-8301332: [8u] Fix writing of test files after the cgroups v2 backport

  - JDK-8301550: [8u] Enable additional linux build testing in GitHub

  - JDK-8301620: [8u] some shell tests are passed but have unexpected operator errors

  - JDK-8301760: Fix possible leak in SpNegoContext dispose

  - JDK-8303408: [AIX] Broken jdk8u build after JDK-8266391

  - JDK-8303828: [Solaris] Broken jdk8u build after JDK-8266391

  - JDK-8304053: Revert os specific stubs for SystemMetrics

  - JDK-8305113: (tz) Update Timezone Data to 2023c

Notes on individual issues:

===========================

hotspot:

core-libs:

JDK-8305562: Cgroups v2: Container awareness

============================================

The HotSpot runtime code as well as the core libraries code in the JDK

has been updated in order to detect a cgroup v2 host system when

running OpenJDK within a Linux container.

Since the 8u202 release of OpenJDK, the container detection code

recognized cgroup v1 (legacy) host Linux systems. With 8u372 and later

releases, both versions of the underlying cgroups pseudo filesystem

will be detected and corresponding container limits applied to the

OpenJDK runtime.

Without this enhancement, OpenJDK would not apply container resource

limits when running on a cgroup v2 Linux host system, but would use

the underlying hosts' resource limits instead.

client-libs/javax.swing:

JDK-8296832: Improve Swing platform support

===========================================

Earlier OpenJDK releases would always render HTML object tags embedded in

Swing HTML components. With this release, rendering only occurs when the

new system property "swing.html.object" is set to true. By default, it

is set to false.

core-svc/javax.management:

JDK-8234484: Added Ability to Configure Third Port for Remote JMX

=================================================================

A local access port can now be configured for JMX connections by

setting the property `com.sun.management.jmxremote.local.port`. This

local port was previously selected at random, which could lead to port

collisions. The property works in the same way as the existing

properties for configuring the remote access port

(`com.sun.management.jmxremote.port`) and the RMI port

(`com.sun.management.jmxremote.rmi.port`)

security-libs/java.security:

JDK-8245654: Added Certigna(Dhimyotis) Root CA Certificate

==========================================================

The following root certificate has been added to the cacerts truststore:

Name: Certigna (Dhimyotis)

Alias Name: certignarootca

Distinguished Name: CN=Certigna, O=Dhimyotis, C=FR

New in release OpenJDK 8u362 (2023-01-17):

===========================================

Live versions of these release notes can be found at: