OpenJDK 11.0.21 Released
Andrew Hughes
gnu.andrew at redhat.com
Thu Oct 19 05:14:58 UTC 2023
We are pleased to announce the release of OpenJDK 11.0.21.
The source tarball is available from:
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.21+9.tar.xz
The tarball is accompanied by a digital signature available at:
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.21+9.tar.xz.sig
This is signed by our Red Hat OpenJDK key (openjdk at redhat.com):
PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net)
Fingerprint = CA5F 11C6 CE22 644D 42C6 AC44 92EF 8D39 DC13 168F
SHA256 checksums:
e9352137a375c3e42cb367ca66d5f626b369b18baff18acec6a8b36f664834eb openjdk-11.0.21+9.tar.xz
ce741e03fdc6f80d8a2e43f87b05bb6e71c73dae25869d35640d73d0e970f2c2 openjdk-11.0.21+9.tar.xz.sig
The checksums can be downloaded from:
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.21+9.sha256
New in release OpenJDK 11.0.21 (2023-10-17):
============================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk11021
* CVEs
- CVE-2023-22081
* Security fixes
- JDK-8286503, JDK-8312367: Enhance security classes
- JDK-8296581: Better system proxy support
- JDK-8297856: Improve handling of Bidi characters
- JDK-8305815, JDK-8307278: Update Libpng to 1.6.39
- JDK-8306881, JDK-8307286: Update FreeType to 2.13.0
- JDK-8309966: Enhanced TLS connections
* Other changes
- JDK-6176679: Application freezes when copying an animated gif image to the system clipboard
- JDK-8023980: JCE doesn't provide any class to handle RSA private key in PKCS#1
- JDK-8155246: Throw error if default java.security file is missing
- JDK-8158880: test/java/time/tck/java/time/format/TCKDateTimeFormatterBuilder.java fail with zh_CN locale
- JDK-8168261: Use server cipher suites preference by default
- JDK-8181383: com/sun/jdi/OptionTest.java fails intermittently with bind failed: Address already in use
- JDK-8201516: DebugNonSafepoints generates incorrect information
- JDK-8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
- JDK-8211343: nsk_jvmti_parseoptions should handle multiple suboptions
- JDK-8212045: Add back the tests that were removed from HashesTest.java and AddExportsTest.java
- JDK-8216059: nsk_jvmti_parseoptions still has dependency on tilde separator
- JDK-8217237: HttpClient does not deal well with multi-valued WWW-Authenticate challenge headers
- JDK-8217395: Update langtools shell tests to use ${EXE_SUFFIX}
- JDK-8217612: (CL)HSDB cannot show some JVM flags
- JDK-8217850: CompressedClassSpaceSizeInJmapHeap fails after JDK-8217612
- JDK-8218471: generate-unsafe-access-tests.sh does not correctly invoke build.tools.spp.Spp
- JDK-8219628: [TESTBUG] javadoc/doclet/InheritDocForUserTags fails with -othervm
- JDK-8220410: sun/security/tools/jarsigner/warnings/NoTimestampTest.java failed with missing expected output
- JDK-8221372: Test vmTestbase/nsk/jvmti/GetThreadState/thrstat001/TestDescription.java times out
- JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"
- JDK-8223573: Replace wildcard address with loopback or local host in tests - part 4
- JDK-8223714: HTTPSetAuthenticatorTest could be made more resilient
- JDK-8223783: sun/net/www/http/HttpClient/MultiThreadTest.java sometimes detect threads+1 connections
- JDK-8223856: Replace wildcard address with loopback or local host in tests - part 8
- JDK-8224617: (fs) java/nio/file/FileStore/Basic.java found filesystem twice
- JDK-8224729: Cleanups in sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java
- JDK-8224768: Test ActalisCA.java fails
- JDK-8225012: sanity/client/SwingSet/src/ToolTipDemoTest.java fails on Windows
- JDK-8226221: Update PKCS11 tests to use NSS 3.46 libs
- JDK-8228341: SignTwice.java fails intermittently on Windows
- JDK-8228403: SignTwice.java failed with java.io.FileNotFoundException: File name too long
- JDK-8229147: Linux os::create_thread() overcounts guardpage size with newer glibc (>=2.27)
- JDK-8229333: java/io/File/SetLastModified.java timed out
- JDK-8229338: clean up test/jdk/java/util/RandomAccess/Basic.java
- JDK-8229348: java/net/DatagramSocket/UnreferencedDatagramSockets.java fails intermittently
- JDK-8229481: sun/net/www/protocol/https/ChunkedOutputStream.java failed with a SSLException
- JDK-8229912: [TESTBUG] java/net/Socks/SocksIPv6Test fails without IPv6
- JDK-8230132: java/net/NetworkInterface/NetworkInterfaceRetrievalTests.java to skip Teredo Tunneling Pseudo-Interface
- JDK-8231037: java/net/InetAddress/ptr/Lookup.java fails intermittently due to reverse lookup failed
- JDK-8231357: sun/security/pkcs11/Cipher/TestKATForGCM.java fails on SLES11 using mozilla-nss-3.14
- JDK-8231516: network QuickAckTest.java failed due to "SocketException: maximum number of DatagramSockets reached"
- JDK-8232101: (sctp) Add minimal sanity tests for SCTP
- JDK-8232195: Enable BigInteger tests: DivisionOverflow, SymmetricRangeTests and StringConstructorOverflow
- JDK-8232840: java/math/BigInteger/largeMemory/SymmetricRangeTests.java fails due to "OutOfMemoryError: Requested array size exceeds VM limit"
- JDK-8232922: Add java/math/BigInteger/largeMemory/SymmetricRangeTests.java to ProblemList-Xcomp
- JDK-8234808: jdb quoted option parsing broken
- JDK-8236045: [TESTBUG] MismatchedWhiteBox test fails with missing WhiteBox$WhiteBoxPermission.class
- JDK-8237183: Bug ID missing for test in patch which fixed JDK-8230665
- JDK-8238157: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java test failures because of revocation date
- JDK-8239007: java/math/BigInteger/largeMemory/ tests should be disabled on 32-bit platforms
- JDK-8239264: Clearup the legacy ObjectIdentifier constructor from int array
- JDK-8239333: Mark test AmazonCA.java with intermittent key
- JDK-8239537: cgroup MetricsTester testMemorySubsystem fails sometimes when testing memory.kmem.tcp.usage_in_bytes
- JDK-8240193: loadLibrary("osxsecurity") should not be removed
- JDK-8241097: java/math/BigInteger/largeMemory/SymmetricRangeTests.java requires -XX:+CompactStrings
- JDK-8242151: Improve OID mapping and reuse among JDK security providers for aliases registration
- JDK-8242330: Arrays should be cloned in several JAAS Callback classes
- JDK-8242897: KeyFactory.generatePublic( x509Spec ) failed with java.security.InvalidKeyException
- JDK-8243210: ClhsdbScanOops fails with NullPointerException in FileMapHeader.inCopiedVtableSpace
- JDK-8244078: ProcessTools executeTestJvm and createJavaProcessBuilder have inconsistent handling of test.*.opts
- JDK-8247895: SHA1PRNGReseed.java is calling setSeed(0)
- JDK-8247968: test/jdk/javax/crypto/SecretKeyFactory/security.properties has wrong header
- JDK-8248001: javadoc generates invalid HTML pages whose ftp:// links are broken
- JDK-8249699: java/io/ByteArrayOutputStream/MaxCapacity.java should use @requires instead of @ignore
- JDK-8251517: [TESTBUG] com/sun/net/httpserver/bugs/B6393710.java does not scale socket timeout
- JDK-8252530: Fix inconsistencies in hotspot whitebox
- JDK-8254350: CompletableFuture.get may swallow InterruptedException
- JDK-8255348: NPE in PKIXCertPathValidator event logging code
- JDK-8257993: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine/TestDescription.java crash intermittently
- JDK-8259796: timed CompletableFuture.get may swallow InterruptedException
- JDK-8260274: Cipher.init(int, key) does not use highest priority provider for random bytes
- JDK-8260878: com/sun/jdi/JdbOptions.java fails without jfr
- JDK-8260934: java/lang/StringBuilder/HugeCapacity.java fails without Compact Strings
- JDK-8263970: Manual test javax/swing/JTextField/JapaneseReadingAttributes/JapaneseReadingAttributes.java failed
- JDK-8265980: Fix systemDictionary and loaderConstraints printing
- JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML
- JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests
- JDK-8269091: javax/sound/sampled/Clip/SetPositionHang.java failed with ArrayIndexOutOfBoundsException: Array index out of range: -4
- JDK-8270331: [TESTBUG] Error: Not a test or directory containing tests: java/awt/print/PrinterJob/InitToBlack.java
- JDK-8271838: AmazonCA.java interop test fails
- JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java
- JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
- JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test
- JDK-8275234: java/awt/GraphicsDevice/DisplayModes/CycleDMImage.java is entered twice in ProblemList
- JDK-8275303: sun/java2d/pipe/InterpolationQualityTest.java fails with D3D basic render driver
- JDK-8276651: java/lang/ProcessHandle tests fail with "RuntimeException: Input/output error" in java.lang.ProcessHandleImpl$Info.info0
- JDK-8277353: java/security/MessageDigest/ThreadSafetyTest.java test times out
- JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed out
- JDK-8283756: (zipfs) ZipFSOutputStreamTest.testOutputStream should only check inflated bytes
- JDK-8284524: Create an automated test for JDK-4422362
- JDK-8284767: Create an automated test for JDK-4422535
- JDK-8284772: GHA: Use GCC Major Version Dependencies Only
- JDK-8284910: Buffer clean in PasswordCallback
- JDK-8285635: javax/swing/JRootPane/DefaultButtonTest.java failed with Default Button not pressed for L&F: com.sun.java.swing.plaf.motif.MotifLookAndFeel
- JDK-8286172: Create an automated test for JDK-4516019
- JDK-8286481: Exception printed to stdout on Windows when storing transparent image in clipboard
- JDK-8286620: Create regression test for verifying setMargin() of JRadioButton
- JDK-8289508: Improve test coverage for XPath Axes: ancestor, ancestor-or-self, preceding, and preceding-sibling
- JDK-8289748: C2 compiled code crashes with SIGFPE with -XX:+StressLCM and -XX:+StressGCM
- JDK-8291444: GHA builds/tests won't run manually if disabled from automatic running
- JDK-8291830: jvmti/RedefineClasses/StressRedefine failed: assert(!is_null(v)) failed: narrow klass value can never be zero
- JDK-8292033: Move jdk.X509Certificate event logic to JCA layer
- JDK-8292297: Fix up loading of override java.security properties file
- JDK-8292443: Weak CAS VarHandle/Unsafe tests should test always-failing cases
- JDK-8293180: JQuery UI license file not updated
- JDK-8293562: KeepAliveCache Blocks Threads while Closing Connections
- JDK-8293657: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake"
- JDK-8293858: Change PKCS7 code to use default SecureRandom impl instead of SHA1PRNG
- JDK-8295737: macOS: Print content cut off when width > height with portrait orientation
- JDK-8295894: Remove SECOM certificate that is expiring in September 2023
- JDK-8296084: javax/swing/JSpinner/4788637/bug4788637.java fails intermittently on a VM
- JDK-8297437: javadoc cannot link to old docs (with old style anchors)
- JDK-8297523: Various GetPrimitiveArrayCritical miss result - NULL check
- JDK-8297587: Upgrade JLine to 3.22.0
- JDK-8297681: Unnecessary color conversion during 4BYTE_ABGR_PRE to INT_ARGB_PRE blit
- JDK-8297730: C2: Arraycopy intrinsic throws incorrect exception
- JDK-8297887: Update Siphash
- JDK-8297923: java.awt.ScrollPane broken after multiple scroll up/down
- JDK-8297955: LDAP CertStore should use LdapName and not String for DNs
- JDK-8298921: Create a regression test for JDK-8139581
- JDK-8298974: Add ftcolor.c to imported freetype sources
- JDK-8299424: containers/docker/TestMemoryWithCgroupV1.java fails on SLES12 ppc64le when testing Memory and Swap Limit
- JDK-8299658: C1 compilation crashes in LinearScan::resolve_exception_edge
- JDK-8299713: Test javax/swing/JTableHeader/6889007/bug6889007.java failed: Wrong type of cursor
- JDK-8300098: java/util/concurrent/ConcurrentHashMap/ConcurrentAssociateTest.java fails with internal timeout when executed with TieredCompilation1/3
- JDK-8300659: Refactor TestMemoryAwareness to use WhiteBox api for host values
- JDK-8300751: [17u] Remove duplicate entry in javac.properties
- JDK-8301269: Update Commons BCEL to Version 6.7.0
- JDK-8301491: C2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument
- JDK-8301700: Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit
- JDK-8301959: Compile command in compiler.loopopts.TestRemoveEmptyCountedLoop does not work
- JDK-8302161: Upgrade jQuery UI to version 1.13.2
- JDK-8302182: Update Public Suffix List to 88467c9
- JDK-8303511: C2: assert(get_ctrl(n) == cle_out) during unrolling
- JDK-8303809: Dispose context in SPNEGO NegotiatorImpl
- JDK-8304054: Linux: NullPointerException from FontConfiguration.getVersion in case no fonts are installed
- JDK-8304498: JShell does not switch to raw mode when there is no /bin/test
- JDK-8304867: Explicitly disable dtrace for ppc builds
- JDK-8305074: ProblemList javax/net/ssl/DTLS/RespondToRetransmit.java
- JDK-8305421: Work around JDK-8305420 in CDSJDITest.java
- JDK-8305763: Parsing a URI with an underscore goes through a silent exception, negatively impacting performance
- JDK-8305766: ProblemList runtime/CompressedOops/CompressedClassPointers.java
- JDK-8305950: Have -XshowSettings option display tzdata version
- JDK-8306133: Open source few AWT Drag & Drop related tests
- JDK-8306137: Open source several AWT ScrollPane related tests
- JDK-8306484: Open source several AWT Choice jtreg tests
- JDK-8306636: Disable compiler/c2/Test6905845.java with -XX:TieredStopAtLevel=3
- JDK-8306638: Open source some AWT tests related to datatransfer and Toolkit
- JDK-8306682: Open source a few more AWT Choice tests
- JDK-8306718: Optimize and opensource some old AWT tests
- JDK-8306954: Open source five Focus related tests
- JDK-8306955: Open source several JComboBox jtreg tests
- JDK-8307078: Opensource and clean up five more AWT Focus related tests
- JDK-8307080: Open source some more JComboBox jtreg tests
- JDK-8307128: Open source some drag and drop tests 4
- JDK-8307133: Open source some JTable jtreg tests
- JDK-8307135: java/awt/dnd/NotReallySerializableTest/NotReallySerializableTest.java failed
- JDK-8307301: Update HarfBuzz to 7.2.0
- JDK-8307569: Build with gcc8 is broken after JDK-8307301
- JDK-8307572: AArch64: Vector registers are clobbered by some macroassemblers
- JDK-8307603: [AIX] Broken build after JDK-8307301
- JDK-8307604: gcc12 based Alpine build broken build after JDK-8307301
- JDK-8307799: Newly added java/awt/dnd/MozillaDnDTest.java has invalid jtreg `@requires` clause
- JDK-8308156: VerifyCACerts.java misses blank in error output
- JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails
- JDK-8309108: Bump update version for OpenJDK: jdk-11.0.21
- JDK-8309138: Fix container tests for jdks with symlinked conf dir
- JDK-8310054: ScrollPane insets are incorrect
- JDK-8310176: JDK 11 G1 crash during full GC with +UseStringDeduplication
- JDK-8310620: [11u] Problemlist failing aot tests on macos x64
- JDK-8311033: [macos] PrinterJob does not take into account Sides attribute
- JDK-8311689: Wrong visible amount in Adjustable of ScrollPane
- JDK-8312138: jcmd VM.metaspace vslist has no newline character before the Class: label.
- JDK-8312555: Ideographic characters aren't stretched by AffineTransform.scale(2, 1)
- JDK-8313159: [11u] Fix test SSLEngineKeyLimit.java after Merge error
- JDK-8313796: AsyncGetCallTrace crash on unreadable interpreter method pointer
- JDK-8313803: [11u] Exclude jdk/jfr/event/sampling/TestStackFrameLineNumbers.java
- JDK-8313878: Exclude two compiler/rtm/locking tests on ppc64le
- JDK-8314086: [11u] A typo in the fix for JDK-8312462 is causing test failure in ChildAlwaysOnTopTest.java
- JDK-8314950: CMS may miss NMT tag after mark stack expansion
- JDK-8314960: Add Certigna Root CA - 2
- JDK-8315135: Memory leak in the native implementation of Pack200.Unpacker.unpack()
- JDK-8315529: [11u] Exclude some failing Z-GC tests
- JDK-8317040: Exclude cleaner test failing on older releases
- JDK-8317644: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.21
Notes on individual issues:
===========================
security-libs/javax.net.ssl:
JDK-8301700: The Default TLS Diffie-Hellman Group Size Has Been Increased from 1024-bit to 2048-bit
===================================================================================================
The JDK implementation of TLS 1.2 now uses a default Diffie Hellman
keysize of 2048 bits when a TLS_DHE cipher suite is negotiated and
either the client or server does not support FFDHE.
The JDK TLS implementation supports FFDHE, which can negotiate a
stronger keysize, and this is enabled by default.
As a workaround, users can revert to the previous key size by setting
the `jdk.tls.ephemeralDHKeySize` system property to 1024 (at their own
risk).
This change does not affect TLS 1.3 as the minimum DH group size is
already 2048 bits.
JDK-8168261: Use Server Cipher Suites Preference by Default
===========================================================
The SunJSSE provider has been updated to use the local server-side
cipher suite preferences by default. Previously, the server would use
the preferences specified by the connecting client. To revert to the
previous behaviour, use `SSLParameters.setUseCipherSuitesOrder(false)`
on the server side.
security-libs/javax.crypto:
JDK-8023980: JDK Now Accepts RSA Keys in PKCS#1 Format
======================================================
RSA private and public keys in PKCS#1 format can now be accepted by
JDK providers, such as the RSA `KeyFactory.impl` from the SunRsaSign
provider. The RSA private or public key object should have the PKCS#1
format and an encoding matching the ASN.1 syntax for a PKCS#1 RSA
private key and public key.
security-libs/javax.security:
JDK-8242330: Arrays should be cloned in several JAAS Callback classes
=====================================================================
In the JAAS classes, ChoiceCallback and ConfirmationCallback, arrays
were not cloned when passed into a constructor or returned. This
allowed an external program to get access to the internal fields of
these classes. The classes have been updated to return cloned arrays.
tools/launcher:
JDK-8305950: `-XshowSettings:locale` Output Now Includes Tzdata Version
=======================================================================
The `-XshowSettings` launcher option has been enhanced to print the
tzdata version used by the JDK. The tzdata version is displayed as
part of the `locale` showSettings option.
Example output using `-X:showSettings:locale`:
Locale settings:
default locale = English
default display locale = English
default format locale = English
tzdata version = 2023c
security-libs/java.security:
JDK-8295894: Removed SECOM Trust System's RootCA1 Root Certificate
==================================================================
The following root certificate from SECOM Trust System has been
removed from the `cacerts` keystore:
Alias Name: secomscrootca1 [jdk]
Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
JDK-8314960: Added Certigna Root CA Certificate
===============================================
The following root certificate has been added to the cacerts
truststore:
Name: Certigna (Dhimyotis)
Alias Name: certignarootca
Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR
JDK-8155246: Throw Error If Default java.security File Fails to Load
====================================================================
A hardcoded set of security properties was used in previous releases
when the `java.security` file could not be loaded. This set of
properties were poorly maintained and it was not obvious to the user
that they were being utilised. This release instead throws an
`InternalError` if the `java.security` file can not be loaded.
Thanks,
--
Andrew :)
Pronouns: he / him or they / them
Principal Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
Please contact via e-mail, not proprietary chat networks
Available on Libera Chat & OFTC IRC networks as gnu_andrew
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/jdk-updates-dev/attachments/20231019/ac4d690d/signature-0001.asc>
More information about the jdk-updates-dev
mailing list