OpenJDK 13.0.9 released

Yuri Nesterenko yan at
Wed Oct 20 07:30:12 UTC 2021

Hi all,

let me announce the release of OpenJDK 13.0.9.

The release sources are in Git repository tagged jdk-13.0.9-ga.

For January release schedule see

* Security fixes in this release:
   - JDK-8267729: Improve TLS client handshaking
   - JDK-8268205: Enhance DTLS client handshake
   - JDK-8268199: Correct certificate requests
   - JDK-8268193: Improve requests of certificates
   - JDK-8269618: Better session identification
   - JDK-8269624: Enhance method selection support
   - JDK-8267735: Better BMP support
   - JDK-8267712: Better LDAP reference processing
   - JDK-8266689: More Constrained Delegation
   - JDK-8267086: ArrayIndexOutOfBoundsException in
   - JDK-8266103: Better specified spec values
   - JDK-8265580: Enhanced style for RTF kit
   - JDK-8265574: Improve handling of sheets
   - JDK-8269763: The JEditorPane is blank after JDK-8265167
   - JDK-8265167: Richer Text Editors
   - JDK-8263314: Enhance XML Dsig modes
   - JDK-8266137: Improve Keystore integrity
   - JDK-8266109: More Resilient Classloading
   - JDK-8268506: More Manifest Digests
   - JDK-8266115: More Manifest Jar Loading
   - JDK-8266097: Better hashing support
   - JDK-8270404: Better canonicalization
   - JDK-8270398: Enhance canonicalization
   - JDK-8265776: Improve Stream handling for SSL

* Other changes:
   - JDK-8262392: Update Mesa 3-D Headers to version 21.0.3
   - JDK-8259271: gc/parallel/ still fails 
"assert(covered_region.contains(new_memregion)) failed: new region is 
not in covered_region"
   - JDK-8260704: ParallelGC: oldgen expansion needs release-store for _end
   - JDK-8257999: Parallel GC crash in 
gc/parallel/ new region is not in covered_region
   - JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c 
with Xcode 12.5
   - JDK-8273671: Backport of 8260616 misses one JNF header inclusion 
   - JDK-8270317: Large Allocation in CipherSuite
   - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM 
is enabled
   - JDK-8270216: [macOS] Update named used for Java run loop mode
   - JDK-8269934: failed with 
EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
   - JDK-8206925: Support the certificate_authorities extension
   - JDK-8272602: [macos] not all KEY_PRESSED events sent when control 
modifier is used
   - JDK-8229254: solaris_x64 build fails after JDK-8191278
   - JDK-8215712: Parsing extension failure may alert decode_error
   - JDK-8254631: Better support ALPN byte wire values in SunJSSE
   - JDK-8241888: Mirror system property 
with a security one
   - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type
   - JDK-8268775: Password is being converted to String in 
   - JDK-8254967: spins on TLS session close
   - JDK-8226878: zero crashes after JDK-8191278
   - JDK-8226871: invalid use of incomplete type class MacroAssembler 
when building minimal after JDK-8191278
   - JDK-8191278: MappedByteBuffer bulk access memory failures are not 
handled gracefully
   - JDK-8258373: Update the text handling in the JPasswordField
   - JDK-8257620: Do not use objc_msgSend_stret to get macOS version
   - JDK-8263361: Incorrect arraycopy stub selected by C2 for SATB 
   - JDK-8172404: Tools should warn if weak algorithms are used before 
restricting them
   - JDK-8253899: Make IsClassUnloadingEnabled signature match specification
   - JDK-8261109: [macOS] Remove disabled warning for JNF in 
   - JDK-8268635: Corrupt oop in ClassLoaderData
   - JDK-8268965: TCP Connection Reset when connecting simple socket to 
SSL server

* Notes on some issues:


   JDK-8206925: Support the certificate_authorities extension

The "certificate_authorities" extension is an optional extension 
introduced in TLS 1.3. It is used to indicate the certificate 
authorities (CAs) that an endpoint supports and should be used by the 
receiving endpoint to guide certificate selection.

With this JDK release, the "certificate_authorities" extension is 
supported for TLS 1.3 in both the client and the server sides. This 
extension is always present for client certificate selection, while it 
is optional for server certificate selection.

Applications can enable this extension for server certificate selection 
by setting the `jdk.tls.client.enableCAExtension` system property to 
`true`. The default value of the property is `false`.

Note that if the client trusts more CAs than the size limit of the 
extension (less than 2^16 bytes), the extension is not enabled. Also, 
some server implementations do not allow handshake messages to exceed 
2^14 bytes. Consequently, there may be interoperability issues when 
`jdk.tls.client.enableCAExtension` is set to `true` and the client 
trusts more CAs than the server implementation limit.

   JDK-8254631: Better support ALPN byte wire values in SunJSSE

Certain TLS ALPN values couldn't be properly read or written by the 
SunJSSE provider. This is due to the choice of Strings as the API 
interface and the undocumented internal use of the UTF-8 character set 
which converts characters larger than U+00007F (7-bit ASCII) into 
multi-byte arrays that may not be expected by a peer.

SunJSSE now encodes/decodes String characters as 8-bit 
ISO_8859_1/LATIN-1 characters. This means applications that used 
characters above U+000007F that were previously encoded using UTF-8 may 
need to either be modified to perform the UTF-8 conversion, or set the 
Java security property *`jdk.tls.alpnCharset`* to "UTF-8" revert the 

See the updated guide at 
for more information.


   JDK-8172404: Tools should warn if weak algorithms are used before 
restricting them

The `keytool` and `jarsigner` tools have been updated to warn users when 
weak cryptographic algorithms are used in keys, certificates, and signed 
JARs before they are disabled. The weak algorithms are set in the 
`` security property in the `` 
configuration file. In this release, the tools issue warnings for the 
SHA-1 hash algorithm and 1024-bit RSA/DSA keys.


More information about the jdk-updates-dev mailing list