OpenJDK 13.0.13 released

Yuri Nesterenko yan at azul.com
Wed Oct 19 08:20:56 UTC 2022


Hi all,

the release of OpenJDK 13.0.13 has been published on Oct 19, 2022.

The release sources are in the https://github.com/openjdk/jdk13u Git repository,
tagged jdk-13.0.13-ga.
For the January release schedule, see https://wiki.openjdk.java.net/display/JDKUpdates/JDK+13u

* Security fixes in this release:
=================================
   - JDK-8289366: Improve HTTP/2 client usage
   - JDK-8288508: Enhance ECDSA usage
   - JDK-8286918: Better HttpServer service
   - JDK-8287446: Enhance icon presentations
   - JDK-8286910: Improve JNDI lookups
   - JDK-8286511: Improve macro allocation
   - JDK-8286526: Improve NTLM support
   - JDK-8286533: Key X509 usages
   - JDK-8286077: Wider MultiByte conversions
   - JDK-8286519: Better memory handling
   - JDK-8285662: Better permission resolution
   - JDK-8282252: Improve BigInteger/Decimal validation

* Other changes:
================
   - JDK-8242565: Policy initialization issues when the denyAfter constraint is enabled
   - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
   - JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint
   - JDK-8257467: [TESTBUG] -Wdeprecated-declarations is reported at sigset() in exesigtest.c
   - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34
   - JDK-8266172: -Wstringop-overflow happens in vmError.cpp
   - JDK-8266170: -Wnonnull happens in classLoaderData.inline.hpp
   - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit
   - JDK-8292579: (tz) Update Timezone Data to 2022c
   - JDK-8028265: Add legacy tz tests to OpenJDK
   - JDK-8269285: Crash/miscompile in CallGenerator::for_method_handle_inline after JDK-8191998
   - JDK-8247818: GCC 10 warning stringop-overflow with symbol code
   - JDK-8252051: Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly
   - JDK-8249875: GCC 10 warnings -Wtype-limits with JFR code
   - JDK-8268361: Fix the infinite loop in next_line
   - JDK-8287463: JFR: Disable TestDevNull.java on Windows
   - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
   - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
   - JDK-7131823: bug in GIFImageReader
   - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
   - JDK-8282071: Update java.xml module-info
   - JDK-8261354: SIGSEGV at MethodIteratorHost
   - JDK-8269039: Disable SHA-1 Signed JARs
   - JDK-8289549: ISO 4217 Amendment 172 Update
   - JDK-8283277: ISO 4217 Amendment 171 Update
   - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
   - JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run
   - JDK-8257569: Failure observed with JfrVirtualMemory::initialize
   - JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly.
   - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed
   - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
   - JDK-8289486: Improve XSLT XPath operators count efficiency
   - JDK-8290334: Update FreeType to 2.12.1
   - JDK-8289853: Update HarfBuzz to 4.4.1
   - JDK-8256372: [macos] Unexpected symbol was displayed on JTextField with Monospaced font
   - JDK-8286277: CDS VerifyError when calling clone() on object array
   - JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch
   - JDK-8285081: Improve XPath operators count accuracy
   - JDK-8282280: Update Xerces to Version 2.12.2
   - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
   - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
   - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
   - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism
   - JDK-8277795: LDAP connection timeout not honoured under contention
   - JDK-8281628: KeyAgreement : generateSecret intermittently not resetting
   - JDK-8286855: javac error on invalid jar should only print filename
   - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause

* Notes on some issues:
=======================

core-libs/java.time
   JDK-8292579: (tz) Update Timezone Data to 2022c
   ===============================================
     JDK 13.0.13 contains IANA time zone data 2022c
     https://mm.icann.org/pipermail/tz-announce/2022-August/000072.html

security-libs/java.security
   JDK-8269039: Disable SHA-1 Signed JARs
   ======================================
     (see JDK-8259640 release note)
     JARs signed with SHA-1 algorithms are now restricted by default and treated as if
     they were unsigned. This applies to the algorithms used to digest, sign, and
     optionally timestamp the JAR. It also applies to the signature and digest algorithms of
     the certificates in the certificate chain of the code signer and the Timestamp Authority,
     and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.

     In order to reduce the compatibility risk for applications that have been previously
     timestamped or use private CAs, there are two exceptions to this policy:

     - Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will
         not be restricted.
     - Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included
         by default in the JDK `cacerts` keystore will not be restricted.

     These exceptions may be removed in a future JDK release.

     Users can, at their own risk, remove these restrictions by modifying
     the `java.security` configuration file
     (or overriding it using the `java.security.properties` system property)
     and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01"
     from the `jdk.certpath.disabledAlgorithms` security property
     and "SHA1 jdkCA & denyAfter 2019-01-01"
     from the `jdk.jar.disabledAlgorithms` security property.
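
An added example, not part of the original announcement or of the JDK: a small audit that parses a complete `java.security` file and reports which of the two constraints quoted above are absent. The function names and the sample file contents are constructed for illustration; the constraint strings are copied from this note.

```python
# Constraint strings exactly as quoted in the release note, per security property.
REQUIRED = {
    "jdk.certpath.disabledAlgorithms":
        "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01",
    "jdk.jar.disabledAlgorithms": "SHA1 jdkCA & denyAfter 2019-01-01",
}

def parse_properties(text):
    """Parse key=value properties with '#'/'!' comments and backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def normalize(entry):
    """Collapse runs of whitespace inside one comma-separated entry."""
    return " ".join(entry.split())

def missing_sha1_restrictions(text):
    """Return {property: constraint} for every quoted constraint that is absent."""
    props = parse_properties(text)
    missing = {}
    for prop, constraint in REQUIRED.items():
        entries = {normalize(e) for e in props.get(prop, "").split(",")}
        if normalize(constraint) not in entries:
            missing[prop] = constraint
    return missing

# Constructed sample input, not a real JDK file.
SAMPLE_RESTRICTED = r"""
# constructed sample
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    SHA1   jdkCA & denyAfter 2019-01-01
"""
# Same file with the JAR constraint removed, as the note describes.
SAMPLE_WEAKENED = SAMPLE_RESTRICTED.replace(
    ", \\\n    SHA1   jdkCA & denyAfter 2019-01-01", "")

if __name__ == "__main__":
    print(missing_sha1_restrictions(SAMPLE_WEAKENED))
```

A property that is absent from the file is reported as missing, so run this against the full configuration file rather than a partial override file.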

core-libs/java.net
   JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
   ================================================================
     Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication
     over HTTPS through javax.net.HttpsURLConnection.

     Channel binding tokens are increasingly required as an enhanced form of security.
     They work by communicating from a client to a server the client's understanding of
     the binding between connection security, as represented by a TLS server cert,
     and higher level authentication credentials, such as a username and password.
     The server can then detect if the client has been fooled by a MITM and
     shut down the session or connection.

     The feature is controlled through a new system property `jdk.https.negotiate.cbt`
     which is described fully in
     src/java.base/share/classes/java/net/doc-files/net-properties.html

core-libs/java.net
   JDK-8286918: Better HttpServer service
   ======================================
     The server can optionally be configured with a maximum connection limit
     by setting the `jdk.httpserver.maxConnections` system property. A value of 0 or
     a negative integer is ignored and considered to represent no connection limit. In case of a
     positive integer value, any newly accepted connection will first be checked against the
     current count of established connections, and if the
     configured limit has been reached, the newly accepted connection will be closed immediately.


Thank you,
--yan

