OpenJDK 11.0.20 Released

Andrew Hughes gnu.andrew at redhat.com
Fri Jul 28 00:52:20 UTC 2023


On 18:53 Mon 24 Jul, Andrew Hughes wrote:
> We are pleased to announce the release of OpenJDK 11.0.20.
> 
> The source tarball is available from:
> 
> * https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.20+8.tar.xz
> 
> The tarball is accompanied by a digital signature available at:
> 
> * https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.20+8.tar.xz.sig
> 
> This is signed by our Red Hat OpenJDK key (openjdk at redhat.com):
> 
> PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net)
> Fingerprint = CA5F 11C6 CE22 644D 42C6  AC44 92EF 8D39 DC13 168F
> 
> SHA256 checksums:
> 
> 4b3b4e827c9ceb99943f8d2f2dc071bf8abb1c94f7beb56033697b5b84e0cf23  openjdk-11.0.20+8.tar.xz
> b25260a9b9751bbd9877b27fe19770347b9f3d395d0f30897462a807e044b8dd  openjdk-11.0.20+8.tar.xz.sig
> 
> The checksums can be downloaded from:
> 
> * https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.20+8.sha256
> 
> New in release OpenJDK 11.0.20 (2023-07-18):
> =============================================
> Live versions of these release notes can be found at:
>   * https://bit.ly/openjdk11020
> 
> * CVEs
>   - CVE-2023-22006
>   - CVE-2023-22036
>   - CVE-2023-22041
>   - CVE-2023-22044
>   - CVE-2023-22045
>   - CVE-2023-22049
>   - CVE-2023-25193
> * Security fixes
>   - JDK-8298676: Enhanced Look and Feel
>   - JDK-8300285: Enhance TLS data handling
>   - JDK-8300596: Enhance Jar Signature validation
>   - JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1
>   - JDK-8302475: Enhance HTTP client file downloading
>   - JDK-8302483: Enhance ZIP performance
>   - JDK-8303376: Better launching of JDI
>   - JDK-8304468: Better array usages
>   - JDK-8305312: Enhanced path handling
>   - JDK-8308682: Enhance AES performance
> * Other changes
>   - JDK-8171426: java/lang/ProcessBuilder/Basic.java failed with Stream closed
>   - JDK-8178806: Better exception logging in crypto code
>   - JDK-8187522: test/sun/net/ftp/FtpURLConnectionLeak.java timed out
>   - JDK-8209167: Use CLDR's time zone mappings for Windows
>   - JDK-8209546: Make sun/security/tools/keytool/autotest.sh to support macosx
>   - JDK-8209880: tzdb.dat is not reproducibly built
>   - JDK-8213531: Test javax/swing/border/TestTitledBorderLeak.java fails
>   - JDK-8214459: NSS source should be removed
>   - JDK-8214807: Improve handling of very old class files
>   - JDK-8215015: [TESTBUG] remove unneeded -Xfuture option from tests
>   - JDK-8215575: C2 crash:  assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded
>   - JDK-8220093: Change to GCC 8.2 for building on Linux at Oracle
>   - JDK-8227257: javax/swing/JFileChooser/4847375/bug4847375.java fails with AssertionError
>   - JDK-8232853: AuthenticationFilter.Cache::remove may throw ConcurrentModificationException
>   - JDK-8243936: NonWriteable system properties are actually writeable
>   - JDK-8246383: NullPointerException in JceSecurity.getVerificationResult when using Entrust provider
>   - JDK-8248701: On Windows generated modules-deps.gmk can contain backslash-r (CR) characters
>   - JDK-8257856: Make ClassFileVersionsTest.java robust to JDK version updates
>   - JDK-8259530: Generated docs contain MIT/GPL-licenced works without reproducing the licence
>   - JDK-8263420: Incorrect function name in NSAccessibilityStaticText native peer implementation
>   - JDK-8264290: Create implementation for NSAccessibilityComponentGroup protocol peer
>   - JDK-8264304: Create implementation for NSAccessibilityToolbar protocol peer
>   - JDK-8265486: ProblemList javax/sound/midi/Sequencer/Recording.java on macosx-aarch64
>   - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
>   - JDK-8269746: C2: assert(!in->is_CFG()) failed: CFG Node with no controlling input?
>   - JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile
>   - JDK-8275233: Incorrect line number reported in exception stack trace thrown from a lambda expression
>   - JDK-8275721: Name of UTC timezone in a locale changes depending on previous code
>   - JDK-8275735: [linux] Remove deprecated Metrics api (kernel memory limit)
>   - JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary
>   - JDK-8277775: Fixup bugids in RemoveDropTargetCrashTest.java - add 4357905
>   - JDK-8278434: timeouts in test  java/time/test/java/time/format/TestZoneTextPrinterParser.java
>   - JDK-8280703: CipherCore.doFinal(...) causes potentially massive byte[] allocations during decryption
>   - JDK-8282077: PKCS11 provider C_sign() impl should handle CKR_BUFFER_TOO_SMALL error
>   - JDK-8282201: Consider removal of expiry check in VerifyCACerts.java test
>   - JDK-8282467: add extra diagnostics for JDK-8268184
>   - JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
>   - JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2
>   - JDK-8285497: Add system property for Java SE specification maintenance version
>   - JDK-8286398: Address possibly lossy conversions in jdk.internal.le
>   - JDK-8287007: [cgroups] Consistently use stringStream throughout parsing code
>   - JDK-8287246: DSAKeyValue should check for missing params instead of relying on KeyFactory provider
>   - JDK-8287876: The recently de-problemlisted TestTitledBorderLeak test is unstable
>   - JDK-8287897: Augment src/jdk.internal.le/share/legal/jline.md with information on 4th party dependencies
>   - JDK-8289301: P11Cipher should not throw out of bounds exception during padding
>   - JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space
>   - JDK-8291226: Create Test Cases to cover scenarios for JDK-8278067
>   - JDK-8291637: HttpClient default keep alive timeout not followed if server sends invalid value
>   - JDK-8291638: Keep-Alive timeout of 0 should close connection immediately
>   - JDK-8292206: TestCgroupMetrics.java fails as getMemoryUsage() is lower than expected
>   - JDK-8293232: Fix race condition in pkcs11 SessionManager
>   - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
>   - JDK-8294548: Problem list SA core file tests on macosx-x64 due to JDK-8294316
>   - JDK-8294906: Memory leak in PKCS11 NSS TLS server
>   - JDK-8295974: jni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames
>   - JDK-8296934: Write a test to verify whether Undecorated Frame can be iconified or not
>   - JDK-8297000: [jib] Add more friendly warning for proxy issues
>   - JDK-8297450: ScaledTextFieldBorderTest.java fails when run with -show parameter
>   - JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors
>   - JDK-8299259: C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE
>   - JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument
>   - JDK-8300205: Swing test bug8078268 make latch timeout configurable
>   - JDK-8300490: Spaces in name of MacOS Code Signing Identity are not correctly handled after JDK-8293550
>   - JDK-8301119: Support for GB18030-2022
>   - JDK-8301170: perfMemory_windows.cpp add free_security_attr to early returns
>   - JDK-8301401: Allow additional characters for GB18030-2022 support
>   - JDK-8302151: BMPImageReader throws an exception reading BMP images
>   - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message
>   - JDK-8303102: jcmd: ManagementAgent.status truncates the text longer than O_BUFLEN
>   - JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return
>   - JDK-8303432: Bump update version for OpenJDK: jdk-11.0.20
>   - JDK-8303440: The "ZonedDateTime.parse" may not accept the "UTC+XX" zone id
>   - JDK-8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates
>   - JDK-8303476: Add the runtime version in the release file of a JDK image
>   - JDK-8303482: Update LCMS to 2.15
>   - JDK-8303564: C2: "Bad graph detected in build_loop_late" after a CMove is wrongly split thru phi
>   - JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return
>   - JDK-8303822: gtestMain should give more helpful output
>   - JDK-8303861: Error handling step timeouts should never be blocked by OnError and others
>   - JDK-8303937: Corrupted heap dumps due to missing retries for os::write()
>   - JDK-8304134: jib bootstrapper fails to quote filename when checking download filetype
>   - JDK-8304291: [AIX] Broken build after JDK-8301998
>   - JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998
>   - JDK-8304350: Font.getStringBounds calculates wrong width for TextAttribute.TRACKING other than 0.0
>   - JDK-8304760: Add 2 Microsoft TLS roots
>   - JDK-8305113: (tz) Update Timezone Data to 2023c
>   - JDK-8305400: ISO 4217 Amendment 175 Update
>   - JDK-8305528: [11u] Backport of JDK-8259530 breaks build with JDK10 bootstrap VM
>   - JDK-8305682: Update the javadoc in the Character class to state support for GB 18030-2022 Implementation Level 2
>   - JDK-8305711: Arm: C2 always enters slowpath for monitorexit
>   - JDK-8305721: add `make compile-commands` artifacts to .gitignore
>   - JDK-8305975: Add TWCA Global Root CA
>   - JDK-8306543: GHA: MSVC installation is failing
>   - JDK-8306658: GHA: MSVC installation could be optional since it might already be pre-installed
>   - JDK-8306664: GHA: Update MSVC version to latest stepping
>   - JDK-8306768: CodeCache Analytics reports wrong threshold
>   - JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep
>   - JDK-8307134: Add GTS root CAs
>   - JDK-8307811: [TEST] compilation of TimeoutInErrorHandlingTest fails after backport of JDK-8303861
>   - JDK-8308006: Missing NMT memory tagging in CMS
>   - JDK-8308884: [17u/11u] Backout JDK-8297951
>   - JDK-8309476: [11u] tools/jmod/hashes/HashesOrderTest.java fails intermittently
>   - JDK-8311465: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.20
> 
> Notes on individual issues:
> ===========================
> 
> hotspot/compiler:
> 
> JDK-8308884: GregorianCalendar.computeTime() JVM Crash
> ======================================================
> A virtual machine crash was observed in JDK 11.0.19 when executing the
> `GregorianCalendar.computeTime()` method (JDK-8307683). It was found
> that although the root cause of the crash is an old issue, a recent
> fix for a rare issue in the C2 compiler (JDK-8297951) made the crash
> much more likely. To mitigate this, the fix has been reverted in JDK
> 11.0.20 and will be reapplied once JDK-8307683 is resolved.
> 
> core-libs/java.lang:
> 
> JDK-8301401: Allow additional characters for GB18030-2022 support
> =================================================================
> In order to support "Implementation Level 1" of the GB18030-2022
> standard, the JDK must be able to use five additional characters
> beyond Unicode 10, upon which JDK 11 is based.  The addition of these
> characters forms Maintenance Release 2 of the Java SE 11
> specification, which is implemented in this release of OpenJDK.
> The additional characters are as follows:
> 
> * 0x82359632 U+9FEB
> * 0x82359633 U+9FEC
> * 0x82359634 U+9FED
> * 0x82359635 U+9FEE
> * 0x82359636 U+9FEF
> 
> core-libs/java.nio.charsets:
> 
> JDK-8301119: Support for GB18030-2022
> =====================================
> The China National Standard body (CESI) recently published
> GB18030-2022 as an update to the GB18030 standard, synchronising the
> character set with Unicode 11.0.  This updated version of GB18030 is
> now the default GB18030 character set used in this release of
> OpenJDK. However, this updated character set contains incompatible
> changes compared with GB18030-2000, which was used in previous
> releases of OpenJDK 11. To use the previous version of the character
> set, the new system property `jdk.charset.GB18030` should be set to
> `2000`.
> 
> core-libs/java.util.jar:
> 
> JDK-8300596: Enhance Jar Signature validation
> =============================================
> A System property "jdk.jar.maxSignatureFileSize" is introduced to
> configure the maximum number of bytes allowed for the
> signature-related files in a JAR file during verification. The default
> value is 8000000 bytes (8 MB).
> 
> JDK-8302483: Enhance ZIP performance
> ====================================
> This release of OpenJDK includes stronger checks on the Zip64 fields
> of zip files. In the event that these checks cause failures on trusted
> zip files, the checks can be disabled by setting the new system
> property, `jdk.util.zip.disableZip64ExtraFieldValidation` to `true`.
> 
> tools/javadoc:
> 
> JDK-8259530: Legal Headers for Generated Files
> ==============================================
> The javadoc tool has been enhanced to allow the inclusion of legal
> files which pertain to the licensing of the files generated by the
> Standard Doclet.  The new command-line option, `--legal-notices`, can
> be used to configure this behaviour as appropriate.
> 
> security-libs/java.security:
> 
> JDK-8307134: Added 4 GTS Root CA Certificates
> =============================================
> The following root certificates have been added to the cacerts
> truststore:
> 
> Name: Google Trust Services LLC
> Alias Name: gtsrootcar1
> Distinguished Name: CN=GTS Root R1, O=Google Trust Services LLC, C=US
> 
> Name: Google Trust Services LLC
> Alias Name: gtsrootcar2
> Distinguished Name: CN=GTS Root R2, O=Google Trust Services LLC, C=US
> 
> Name: Google Trust Services LLC
> Alias Name: gtsrootcar3
> Distinguished Name: CN=GTS Root R3, O=Google Trust Services LLC, C=US
> 
> Name: Google Trust Services LLC
> Alias Name: gtsrootcar4
> Distinguished Name: CN=GTS Root R4, O=Google Trust Services LLC, C=US
> 
> JDK-8304760: Added Microsoft Corporation's 2 TLS Root CA Certificates
> =====================================================================
> The following root certificates have been added to the cacerts
> truststore:
> 
> Name: Microsoft Corporation
> Alias Name: microsoftecc2017
> Distinguished Name: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US
> 
> Name: Microsoft Corporation
> Alias Name: microsoftrsa2017
> Distinguished Name: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US
> 
> JDK-8305975: Added TWCA Root CA Certificate
> ===========================================
> The following root certificate has been added to the cacerts
> truststore:
> 
> Name: TWCA
> Alias Name: twcaglobalrootca
> Distinguished Name: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
> 
> JDK-8303465: Enhance Contents (Trusted Certificate Entries) of macOS KeychainStore
> ==================================================================================
> Recent changes to the MacOS KeychainStore implementation were
> incomplete and only considered certificates within the user domain.
> With this release, the implementation exposes certificates from both
> the user and admin domain, and will exclude those certificates that
> include a "deny" entry in their trust settings.
> 
> Thanks,
> -- 
> Andrew :)
> Pronouns: he / him or they / them
> Principal Free Java Software Engineer
> OpenJDK Package Owner
> Red Hat, Inc. (http://www.redhat.com)
> 
> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
> 
> Please contact via e-mail, not proprietary chat networks
> Available on Libera Chat & OFTC IRC networks as gnu_andrew

Apologies. CVE-2023-22044 does not apply to the 11u update,
in line with the advisory:

https://openjdk.org/groups/vulnerability/advisories/2023-07-18

Thanks,
-- 
Andrew :)
Pronouns: he / him or they / them
Principal Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

Please contact via e-mail, not proprietary chat networks
Available on Libera Chat & OFTC IRC networks as gnu_andrew
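
The quoted announcement gives a tarball, a detached signature, a signing-key fingerprint and SHA256 checksums. The script below is an added example, not part of either message or of the OpenJDK project, showing one way to check a download against all of them. It assumes `sha256sum` and `gpg` are installed and that the Red Hat OpenJDK key has already been imported; the function names are this example's own.

```shell
#!/bin/sh
# Added example. File name, checksums and fingerprint are copied from the
# announcement; the function names are hypothetical (this example's own).
TARBALL='openjdk-11.0.20+8.tar.xz'
TARBALL_SHA256='4b3b4e827c9ceb99943f8d2f2dc071bf8abb1c94f7beb56033697b5b84e0cf23'
SIG_SHA256='b25260a9b9751bbd9877b27fe19770347b9f3d395d0f30897462a807e044b8dd'
SIGNING_FPR=$(printf '%s' 'CA5F 11C6 CE22 644D 42C6  AC44 92EF 8D39 DC13 168F' | tr -d ' ')

# sha256_matches FILE HEX: succeed only if FILE exists and hashes to HEX.
sha256_matches() {
    [ -f "$1" ] || return 2
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# status_has_signer FPR: read `gpg --status-fd` output on stdin and succeed only
# if a VALIDSIG line names FPR as the signing key (field 3) or as the primary
# key (last field). A valid signature from any other key is rejected.
status_has_signer() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# verify_release: both checksums must match, and the detached signature must be
# cryptographically valid and made by the pinned key already in the keyring.
verify_release() {
    sha256_matches "$TARBALL" "$TARBALL_SHA256" || return 1
    sha256_matches "$TARBALL.sig" "$SIG_SHA256" || return 1
    status=$(gpg --batch --status-fd 1 --verify "$TARBALL.sig" "$TARBALL" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_has_signer "$SIGNING_FPR"
}

# Run only when the downloaded files are in the current directory.
if [ -f "$TARBALL" ] && [ -f "$TARBALL.sig" ]; then
    if verify_release; then
        echo "verified: $TARBALL"
    else
        echo "REJECTED: $TARBALL" >&2
        exit 1
    fi
fi
```

The checksums only show that the download matches what the announcement lists; the signature check pinned to the full fingerprint is what ties the tarball to the signing key.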