OpenJDK 11.0.20 Released
Andrew Hughes
gnu.andrew at redhat.com
Mon Jul 24 17:53:51 UTC 2023
We are pleased to announce the release of OpenJDK 11.0.20.
The source tarball is available from:
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.20+8.tar.xz
The tarball is accompanied by a digital signature available at:
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.20+8.tar.xz.sig
This is signed by our Red Hat OpenJDK key (openjdk at redhat.com):
PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net)
Fingerprint = CA5F 11C6 CE22 644D 42C6 AC44 92EF 8D39 DC13 168F
SHA256 checksums:
4b3b4e827c9ceb99943f8d2f2dc071bf8abb1c94f7beb56033697b5b84e0cf23 openjdk-11.0.20+8.tar.xz
b25260a9b9751bbd9877b27fe19770347b9f3d395d0f30897462a807e044b8dd openjdk-11.0.20+8.tar.xz.sig
The checksums can be downloaded from:
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.20+8.sha256
New in release OpenJDK 11.0.20 (2023-07-18):
=============================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk11020
* CVEs
- CVE-2023-22006
- CVE-2023-22036
- CVE-2023-22041
- CVE-2023-22044
- CVE-2023-22045
- CVE-2023-22049
- CVE-2023-25193
* Security fixes
- JDK-8298676: Enhanced Look and Feel
- JDK-8300285: Enhance TLS data handling
- JDK-8300596: Enhance Jar Signature validation
- JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1
- JDK-8302475: Enhance HTTP client file downloading
- JDK-8302483: Enhance ZIP performance
- JDK-8303376: Better launching of JDI
- JDK-8304468: Better array usages
- JDK-8305312: Enhanced path handling
- JDK-8308682: Enhance AES performance
* Other changes
- JDK-8171426: java/lang/ProcessBuilder/Basic.java failed with Stream closed
- JDK-8178806: Better exception logging in crypto code
- JDK-8187522: test/sun/net/ftp/FtpURLConnectionLeak.java timed out
- JDK-8209167: Use CLDR's time zone mappings for Windows
- JDK-8209546: Make sun/security/tools/keytool/autotest.sh to support macosx
- JDK-8209880: tzdb.dat is not reproducibly built
- JDK-8213531: Test javax/swing/border/TestTitledBorderLeak.java fails
- JDK-8214459: NSS source should be removed
- JDK-8214807: Improve handling of very old class files
- JDK-8215015: [TESTBUG] remove unneeded -Xfuture option from tests
- JDK-8215575: C2 crash: assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded
- JDK-8220093: Change to GCC 8.2 for building on Linux at Oracle
- JDK-8227257: javax/swing/JFileChooser/4847375/bug4847375.java fails with AssertionError
- JDK-8232853: AuthenticationFilter.Cache::remove may throw ConcurrentModificationException
- JDK-8243936: NonWriteable system properties are actually writeable
- JDK-8246383: NullPointerException in JceSecurity.getVerificationResult when using Entrust provider
- JDK-8248701: On Windows generated modules-deps.gmk can contain backslash-r (CR) characters
- JDK-8257856: Make ClassFileVersionsTest.java robust to JDK version updates
- JDK-8259530: Generated docs contain MIT/GPL-licenced works without reproducing the licence
- JDK-8263420: Incorrect function name in NSAccessibilityStaticText native peer implementation
- JDK-8264290: Create implementation for NSAccessibilityComponentGroup protocol peer
- JDK-8264304: Create implementation for NSAccessibilityToolbar protocol peer
- JDK-8265486: ProblemList javax/sound/midi/Sequencer/Recording.java on macosx-aarch64
- JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
- JDK-8269746: C2: assert(!in->is_CFG()) failed: CFG Node with no controlling input?
- JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile
- JDK-8275233: Incorrect line number reported in exception stack trace thrown from a lambda expression
- JDK-8275721: Name of UTC timezone in a locale changes depending on previous code
- JDK-8275735: [linux] Remove deprecated Metrics api (kernel memory limit)
- JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary
- JDK-8277775: Fixup bugids in RemoveDropTargetCrashTest.java - add 4357905
- JDK-8278434: timeouts in test java/time/test/java/time/format/TestZoneTextPrinterParser.java
- JDK-8280703: CipherCore.doFinal(...) causes potentially massive byte[] allocations during decryption
- JDK-8282077: PKCS11 provider C_sign() impl should handle CKR_BUFFER_TOO_SMALL error
- JDK-8282201: Consider removal of expiry check in VerifyCACerts.java test
- JDK-8282467: add extra diagnostics for JDK-8268184
- JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
- JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2
- JDK-8285497: Add system property for Java SE specification maintenance version
- JDK-8286398: Address possibly lossy conversions in jdk.internal.le
- JDK-8287007: [cgroups] Consistently use stringStream throughout parsing code
- JDK-8287246: DSAKeyValue should check for missing params instead of relying on KeyFactory provider
- JDK-8287876: The recently de-problemlisted TestTitledBorderLeak test is unstable
- JDK-8287897: Augment src/jdk.internal.le/share/legal/jline.md with information on 4th party dependencies
- JDK-8289301: P11Cipher should not throw out of bounds exception during padding
- JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space
- JDK-8291226: Create Test Cases to cover scenarios for JDK-8278067
- JDK-8291637: HttpClient default keep alive timeout not followed if server sends invalid value
- JDK-8291638: Keep-Alive timeout of 0 should close connection immediately
- JDK-8292206: TestCgroupMetrics.java fails as getMemoryUsage() is lower than expected
- JDK-8293232: Fix race condition in pkcs11 SessionManager
- JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
- JDK-8294548: Problem list SA core file tests on macosx-x64 due to JDK-8294316
- JDK-8294906: Memory leak in PKCS11 NSS TLS server
- JDK-8295974: jni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames
- JDK-8296934: Write a test to verify whether Undecorated Frame can be iconified or not
- JDK-8297000: [jib] Add more friendly warning for proxy issues
- JDK-8297450: ScaledTextFieldBorderTest.java fails when run with -show parameter
- JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors
- JDK-8299259: C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE
- JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument
- JDK-8300205: Swing test bug8078268 make latch timeout configurable
- JDK-8300490: Spaces in name of MacOS Code Signing Identity are not correctly handled after JDK-8293550
- JDK-8301119: Support for GB18030-2022
- JDK-8301170: perfMemory_windows.cpp add free_security_attr to early returns
- JDK-8301401: Allow additional characters for GB18030-2022 support
- JDK-8302151: BMPImageReader throws an exception reading BMP images
- JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message
- JDK-8303102: jcmd: ManagementAgent.status truncates the text longer than O_BUFLEN
- JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return
- JDK-8303432: Bump update version for OpenJDK: jdk-11.0.20
- JDK-8303440: The "ZonedDateTime.parse" may not accept the "UTC+XX" zone id
- JDK-8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates
- JDK-8303476: Add the runtime version in the release file of a JDK image
- JDK-8303482: Update LCMS to 2.15
- JDK-8303564: C2: "Bad graph detected in build_loop_late" after a CMove is wrongly split thru phi
- JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return
- JDK-8303822: gtestMain should give more helpful output
- JDK-8303861: Error handling step timeouts should never be blocked by OnError and others
- JDK-8303937: Corrupted heap dumps due to missing retries for os::write()
- JDK-8304134: jib bootstrapper fails to quote filename when checking download filetype
- JDK-8304291: [AIX] Broken build after JDK-8301998
- JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998
- JDK-8304350: Font.getStringBounds calculates wrong width for TextAttribute.TRACKING other than 0.0
- JDK-8304760: Add 2 Microsoft TLS roots
- JDK-8305113: (tz) Update Timezone Data to 2023c
- JDK-8305400: ISO 4217 Amendment 175 Update
- JDK-8305528: [11u] Backport of JDK-8259530 breaks build with JDK10 bootstrap VM
- JDK-8305682: Update the javadoc in the Character class to state support for GB 18030-2022 Implementation Level 2
- JDK-8305711: Arm: C2 always enters slowpath for monitorexit
- JDK-8305721: add `make compile-commands` artifacts to .gitignore
- JDK-8305975: Add TWCA Global Root CA
- JDK-8306543: GHA: MSVC installation is failing
- JDK-8306658: GHA: MSVC installation could be optional since it might already be pre-installed
- JDK-8306664: GHA: Update MSVC version to latest stepping
- JDK-8306768: CodeCache Analytics reports wrong threshold
- JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep
- JDK-8307134: Add GTS root CAs
- JDK-8307811: [TEST] compilation of TimeoutInErrorHandlingTest fails after backport of JDK-8303861
- JDK-8308006: Missing NMT memory tagging in CMS
- JDK-8308884: [17u/11u] Backout JDK-8297951
- JDK-8309476: [11u] tools/jmod/hashes/HashesOrderTest.java fails intermittently
- JDK-8311465: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.20
Notes on individual issues:
===========================
hotspot/compiler:
JDK-8308884: GregorianCalendar.computeTime() JVM Crash
======================================================
A virtual machine crash was observed in JDK 11.0.19 when executing the
`GregorianCalendar.computeTime()` method (JDK-8307683). It was found
that although the root cause of the crash is an old issue, a recent
fix for a rare issue in the C2 compiler (JDK-8297951) made the crash
much more likely. To mitigate this, the fix has been reverted in JDK
11.0.20 and will be reapplied once JDK-8307683 is resolved.
core-libs/java.lang:
JDK-8301401: Allow additional characters for GB18030-2022 support
=================================================================
In order to support "Implementation Level 1" of the GB18030-2022
standard, the JDK must be able to use five additional characters
beyond Unicode 10, upon which JDK 11 is based. The addition of these
characters forms Maintenance Release 2 of the Java SE 11
specification, which is implemented in this release of OpenJDK.
The additional characters are as follows:
* 0x82359632 U+9FEB
* 0x82359633 U+9FEC
* 0x82359634 U+9FED
* 0x82359635 U+9FEE
* 0x82359636 U+9FEF
core-libs/java.nio.charsets:
JDK-8301119: Support for GB18030-2022
=====================================
The China National Standard body (CESI) recently published
GB18030-2022 as an update to the GB18030 standard, synchronising the
character set with Unicode 11.0. This updated version of GB18030 is
now the default GB18030 character set used in this release of
OpenJDK. However, this updated character set contains incompatible
changes compared with GB18030-2000, which was used in previous
releases of OpenJDK 11. To use the previous version of the character
set, the new system property `jdk.charset.GB18030` should be set to
`2000`.
core-libs/java.util.jar:
JDK-8300596: Enhance Jar Signature validation
=============================================
A system property "jdk.jar.maxSignatureFileSize" is introduced to
configure the maximum number of bytes allowed for the
signature-related files in a JAR file during verification. The default
value is 8000000 bytes (8 MB).
JDK-8302483: Enhance ZIP performance
====================================
This release of OpenJDK includes stronger checks on the Zip64 fields
of zip files. In the event that these checks cause failures on trusted
zip files, the checks can be disabled by setting the new system
property, `jdk.util.zip.disableZip64ExtraFieldValidation` to `true`.
tools/javadoc:
JDK-8259530: Legal Headers for Generated Files
==============================================
The javadoc tool has been enhanced to allow the inclusion of legal
files which pertain to the licensing of the files generated by the
Standard Doclet. The new command-line option, `--legal-notices`, can
be used to configure this behaviour as appropriate.
security-libs/java.security:
JDK-8307134: Added 4 GTS Root CA Certificates
=============================================
The following root certificates have been added to the cacerts
truststore:
Name: Google Trust Services LLC
Alias Name: gtsrootcar1
Distinguished Name: CN=GTS Root R1, O=Google Trust Services LLC, C=US
Name: Google Trust Services LLC
Alias Name: gtsrootcar2
Distinguished Name: CN=GTS Root R2, O=Google Trust Services LLC, C=US
Name: Google Trust Services LLC
Alias Name: gtsrootcar3
Distinguished Name: CN=GTS Root R3, O=Google Trust Services LLC, C=US
Name: Google Trust Services LLC
Alias Name: gtsrootcar4
Distinguished Name: CN=GTS Root R4, O=Google Trust Services LLC, C=US
JDK-8304760: Added Microsoft Corporation's 2 TLS Root CA Certificates
=====================================================================
The following root certificates have been added to the cacerts
truststore:
Name: Microsoft Corporation
Alias Name: microsoftecc2017
Distinguished Name: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US
Name: Microsoft Corporation
Alias Name: microsoftrsa2017
Distinguished Name: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US
JDK-8305975: Added TWCA Root CA Certificate
===========================================
The following root certificate has been added to the cacerts
truststore:
Name: TWCA
Alias Name: twcaglobalrootca
Distinguished Name: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
JDK-8303465: Enhance Contents (Trusted Certificate Entries) of macOS KeychainStore
==================================================================================
Recent changes to the macOS KeychainStore implementation were
incomplete and only considered certificates within the user domain.
With this release, the implementation exposes certificates from both
the user and admin domain, and will exclude those certificates that
include a "deny" entry in their trust settings.
Thanks,
--
Andrew :)
Pronouns: he / him or they / them
Principal Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
Please contact via e-mail, not proprietary chat networks
Available on Libera Chat & OFTC IRC networks as gnu_andrew
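
The check that the announcement's checksum file, detached signature and key fingerprint make possible, as an added example that is not part of the original message. It assumes `sha256sum`, `awk` and `gpg` are installed and that the signing key has already been imported into the local keyring; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the announcement): verify the release tarball
# before unpacking it. Fingerprint as printed in the announcement:
OPENJDK_FPR="CA5F 11C6 CE22 644D 42C6 AC44 92EF 8D39 DC13 168F"

# verify_sha256 CHECKSUM_FILE ARTIFACT (hypothetical helper)
# Returns 0 on match, 1 on mismatch, 2 when the checksum file has no entry
# for the artifact, so a missing entry is never mistaken for success.
verify_sha256() {
    name=$(basename "$2")
    # Lines are "<hex digest> <file name>"; compare the name as a string
    # (not a regex), allowing sha256sum's binary-mode "*" prefix.
    want=$(awk -v n="$name" \
        '$2 == n || $2 == "*" n { print tolower($1); exit }' "$1")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# sig_matches_fpr EXPECTED_FPR (hypothetical helper)
# Reads `gpg --status-fd` output on stdin. Succeeds only when gpg reported
# GOODSIG (which excludes the EXPKEYSIG/REVKEYSIG/BADSIG outcomes) and the
# primary-key fingerprint, the last field of VALIDSIG, equals the expected
# one. gpg's exit code alone only says "good signature by some key in the
# keyring", not "signed by the key the announcement names".
sig_matches_fpr() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
               $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
               END { if (good) print fpr }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_release TARBALL SIG CHECKSUM_FILE: both checks must pass.
verify_release() {
    verify_sha256 "$3" "$1" || return 1
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        sig_matches_fpr "$OPENJDK_FPR"
}
```

Call it as `verify_release openjdk-11.0.20+8.tar.xz openjdk-11.0.20+8.tar.xz.sig openjdk-11.0.20+8.sha256` and unpack only on a zero exit status.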