OpenJDK 11.0.27 Released
Andrew Hughes
gnu.andrew at redhat.com
Wed Apr 16 01:32:54 UTC 2025
We are pleased to announce the release of OpenJDK 11.0.27.
The source tarball is available from:
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.27+6.tar.xz
The tarball is accompanied by a digital signature available at:
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.27+6.tar.xz.sig
This is signed by our Red Hat OpenJDK key (openjdk at redhat.com):
PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net)
Fingerprint = CA5F 11C6 CE22 644D 42C6 AC44 92EF 8D39 DC13 168F
SHA256 checksums:
b5860fb5202d60530273a57a1a2a9b18af90bfd836705cd562963f2d41436578 openjdk-11.0.27+6.tar.xz
d4b28b154c8b65ba37d89646e9d75bfb8143cd74d40ba231a34ded7239fab364 openjdk-11.0.27+6.tar.xz.sig
SHA512 checksums:
dacb1f49688cdbbc7584b114874b973c6ff753729cd07e1773bde9c686ac710b1d4efb2d94154f0eab1942747878c92957a2bd771febe5b2691becc0561e8fa0 openjdk-11.0.27+6.tar.xz
6464c7870c77a07afdc5f9b6c11c1c36381a92a30fed52e74efe0f2d1b278f70b94243315876fdd57c36a778e2b53cfa6bf6d9318d997a1820a7188a2ef0f095 openjdk-11.0.27+6.tar.xz.sig
The checksums can be downloaded from:
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.27+6.sha256
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.27+6.sha512
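An added example, not part of the original announcement: one way to check the tarball against the pinned key fingerprint and SHA256 value published above, rather than accepting any "Good signature" line from gpg. The function names are hypothetical, and `verify_release` assumes gpg is installed with the release key already imported.

```shell
#!/bin/sh
# Added example (not from the announcement): pin the values the announcement
# publishes instead of trusting whatever key gpg happens to find.
PINNED_FPR="CA5F11C6CE22644D42C6AC4492EF8D39DC13168F"  # fingerprint above, spaces removed
TARBALL_SHA256="b5860fb5202d60530273a57a1a2a9b18af90bfd836705cd562963f2d41436578"

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# sha256_matches FILE EXPECTED -> status 0 only on an exact digest match
sha256_matches() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# signer_is_pinned STATUS_FILE FPR -> status 0 only if gpg emitted a VALIDSIG
# line whose signing-key (field 3) or primary-key (last field) fingerprint is FPR.
signer_is_pinned() {
    awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# verify_release TARBALL SIG -> needs gpg with the release key already imported
verify_release() {
    st=$(mktemp) || return 2
    if gpg --status-fd 1 --verify "$2" "$1" >"$st" 2>/dev/null &&
        signer_is_pinned "$st" "$PINNED_FPR" &&
        sha256_matches "$1" "$TARBALL_SHA256"; then
        rm -f "$st"; echo "OK: $1"; return 0
    fi
    rm -f "$st"; echo "FAILED: $1" >&2; return 1
}
```

Typical use is `verify_release openjdk-11.0.27+6.tar.xz openjdk-11.0.27+6.tar.xz.sig`, run in the directory holding both downloads.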
New in release OpenJDK 11.0.27 (2025-04-15):
============================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk11027
* CVEs
- CVE-2025-21587
- CVE-2025-30691
- CVE-2025-30698
* Changes
- JDK-8195675: Call to insertText with single character from custom Input Method ignored
- JDK-8202926: Test java/awt/Focus/WindowUpdateFocusabilityTest/WindowUpdateFocusabilityTest.html fails
- JDK-8216539: tools/jar/modularJar/Basic.java timed out
- JDK-8268364: jmethod clearing should be done during unloading
- JDK-8273914: Indy string concat changes order of operations
- JDK-8294316: SA core file support is broken on macosx-x64 starting with macOS 12.x
- JDK-8306408: Fix the format of several tables in building.md
- JDK-8309841: Jarsigner should print a warning if an entry is removed
- JDK-8312049: runtime/logging/ClassLoadUnloadTest can be improved
- JDK-8320916: jdk/jfr/event/gc/stacktrace/TestParallelMarkSweepAllocationPendingStackTrace.java failed with "OutOfMemoryError: GC overhead limit exceeded"
- JDK-8327650: Test java/nio/channels/DatagramChannel/StressNativeSignal.java timed out
- JDK-8328242: Add a log area to the PassFailJFrame
- JDK-8331863: DUIterator_Fast used before it is constructed
- JDK-8336012: Fix usages of jtreg-reserved properties
- JDK-8337494: Clarify JarInputStream behavior
- JDK-8337692: Better TLS connection support
- JDK-8338430: Improve compiler transformations
- JDK-8339560: Unaddressed comments during code review of JDK-8337664
- JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract
- JDK-8339931: Update problem list for WindowUpdateFocusabilityTest.java
- JDK-8340387: Update OS detection code to recognize Windows Server 2025
- JDK-8341424: GHA: Collect hs_errs from build time failures
- JDK-8342562: Enhance Deflater operations
- JDK-8342704: GHA: Report truncation is broken after JDK-8341424
- JDK-8343007: Enhance Buffered Image handling
- JDK-8343474: [updates] Customize README.md to specifics of update project
- JDK-8343599: Kmem limit and max values swapped when printing container information
- JDK-8343786: [11u] GHA: Bump macOS and Xcode versions to macos-13 and XCode 14.3.1
- JDK-8344589: Update IANA Language Subtag Registry to Version 2024-11-19
- JDK-8345509: Bump update version of OpenJDK: 11.0.27
- JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
- JDK-8347427: JTabbedPane/8134116/Bug8134116.java has no license header
- JDK-8347847: Enhance jar file support
- JDK-8347965: (tz) Update Timezone Data to 2025a
- JDK-8349603: [21u, 17u, 11u] Update GHA JDKs after Jan/25 updates
- JDK-8352097: (tz) zone.tab update missed in 2025a backport
- JDK-8354087: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.27
Notes on individual issues:
===========================
security-libs/java.security:
JDK-8309841: Jarsigner should print a warning if an entry is removed
====================================================================
In previous OpenJDK releases, the jarsigner tool did not detect the
case where a file was removed from a signed JAR file but its signature
was still present. With this release, `jarsigner -verify` checks that
every signature has a matching file entry and prints a warning if this
is not the case. The `-verbose` option can also be added to the
command to see the names of the mismatched entries.
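An added example, not jarsigner's own code: an approximation of the check described above for use with a JDK that predates this change. It lists names that a signature file (.SF) still has a section for but that are absent from the archive. The function names are hypothetical, and `jar_orphans` assumes Info-ZIP `unzip` is installed.

```shell
#!/bin/sh
# Added example (not jarsigner's code): list names that a signature file (.SF)
# still carries a section for but that are no longer present in the JAR.

# sf_names : .SF text on stdin -> one per-entry "Name:" value per line.
# Long names wrap; a continuation line starts with a single space.
sf_names() {
    tr -d '\r' | awk '
        /^Name: /          { if (name != "") print name; name = substr($0, 7); next }
        /^ / && name != "" { name = name substr($0, 2); next }
                           { if (name != "") print name; name = "" }
        END                { if (name != "") print name }'
}

# orphaned_names SF_FILE LISTING_FILE -> signed names missing from the listing
# (LISTING_FILE holds one archive entry name per line)
orphaned_names() {
    sf_names < "$1" | awk -v list="$2" '
        BEGIN { while ((getline l < list) > 0) have[l] = 1 }
        !($0 in have)'
}

# jar_orphans JAR -> same check against a real archive (needs Info-ZIP unzip)
jar_orphans() {
    sf=$(mktemp) && lst=$(mktemp) || return 2
    unzip -p "$1" 'META-INF/*.SF' > "$sf" && unzip -Z1 "$1" > "$lst" &&
        orphaned_names "$sf" "$lst"
    rc=$?; rm -f "$sf" "$lst"; return $rc
}
```

Any name printed by `jar_orphans app.jar` is a candidate for the warning that `jarsigner -verify -verbose` reports in this release.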
security-libs/javax.net.ssl:
JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
=============================================================================
In accordance with similar plans recently announced by Google,
Mozilla, Apple and Microsoft, the JDK will not trust Transport Layer
Security (TLS) certificates issued after the 15th of April 2025 which
are anchored by Camerfirma root certificates.
Certificates issued on or before April 15th, 2025 will continue to
be trusted until they expire.
If a server's certificate chain is anchored by an affected
certificate, attempts to negotiate a TLS session will fail with an
Exception that indicates the trust anchor is not trusted. For example,
"TLS server certificate issued after 2025-04-15 and anchored by a
distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root -
2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see
current address at www.camerfirma.com/address), C=EU"
To check whether a certificate in a JDK keystore is affected by this
change, you can use the `keytool` utility:
    keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are affected by this change,
then you will need to update the certificate or contact the
organisation responsible for managing the certificate.
These restrictions apply to the following Camerfirma root certificates
included in the JDK:
Alias name: camerfirmachamberscommerceca [jdk]
CN=Chambers of Commerce Root
OU=http://www.chambersign.org
O=AC Camerfirma SA CIF A82743287
C=EU
SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3
Alias name: camerfirmachambersca [jdk]
CN=Chambers of Commerce Root - 2008
O=AC Camerfirma S.A.
SERIALNUMBER=A82743287
L=Madrid (see current address at www.camerfirma.com/address)
C=EU
SHA256: 06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0
Alias name: camerfirmachambersignca [jdk]
CN=Global Chambersign Root - 2008
O=AC Camerfirma S.A.
SERIALNUMBER=A82743287
L=Madrid (see current address at www.camerfirma.com/address)
C=EU
SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA
Users can, *at their own risk*, remove this restriction by modifying
the `java.security` configuration file (or override it by using the
`java.security.properties` system property) so "CAMERFIRMA_TLS" is no
longer listed in the `jdk.security.caDistrustPolicies` security
property.
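An added example, not JDK code: a scan of `keytool -v -list` output that flags aliases whose chain shows one of the three roots listed above, either by SHA256 fingerprint or as an issuer CN, and dates the leaf certificate against the cutoff. The function names and sample keystore output are constructed; the date is compared as a calendar date in the timezone keytool prints, which only approximates the JDK's own check.

```shell
#!/bin/sh
# Added example (not JDK code): scan `keytool -v -list` output for entries whose
# chain shows one of the three roots listed above, and date the leaf certificate.
CUTOFF="2025-04-15"   # issuance cutoff from the release note

# camerfirma_scan [FILE] -> "alias<TAB>leaf-valid-from<TAB>verdict" per affected alias
camerfirma_scan() {
    awk -v cutoff="$CUTOFF" '
    BEGIN {
        fp["0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3"] = 1
        fp["06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0"] = 1
        fp["13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA"] = 1
        cn["Chambers of Commerce Root"] = 1
        cn["Chambers of Commerce Root - 2008"] = 1
        cn["Global Chambersign Root - 2008"] = 1
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    function report() {
        if (alias == "" || !hit) return
        v = (leaf > cutoff) ? "issued-after-cutoff" : "issued-on-or-before-cutoff"
        print alias "\t" leaf "\t" v
    }
    /^Alias name: / { report(); alias = substr($0, 13); leaf = ""; hit = 0 }
    # keytool prints Date.toString(): "Valid from: Tue May 20 09:00:00 UTC 2025 until: ..."
    /^Valid from: / && leaf == "" { leaf = sprintf("%04d-%02d-%02d", $8, mon[$4], $5) }
    /^Issuer: / && match($0, /CN=[^,]*/) {
        c = substr($0, RSTART + 3, RLENGTH - 3); if (c in cn) hit = 1
    }
    $1 == "SHA256:" && ($2 in fp) { hit = 1 }
    END { report() }' "${1:--}"
}

# Constructed keytool output (not a real keystore): one chain under a listed root.
camerfirma_demo() {
    camerfirma_scan <<'EOF'
Alias name: shop
Certificate[1]:
Owner: CN=shop.example
Issuer: CN=Constructed Issuing CA, O=Example
Valid from: Tue May 20 09:00:00 UTC 2025 until: Wed May 20 09:00:00 UTC 2026
Certificate[2]:
Owner: CN=Constructed Issuing CA, O=Example
Issuer: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
Valid from: Mon Jan 06 09:00:00 UTC 2020 until: Sun Jan 06 09:00:00 UTC 2030
EOF
}
```

Against a real keystore, pipe the command shown earlier into it: `keytool -v -list -keystore <your_keystore_filename> | camerfirma_scan`.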
tools/javac:
JDK-8273914: Indy string concat changes order of operations
===========================================================
The implementation of JEP-280, "Indify String Concatenation", in
OpenJDK 9's javac compiler introduced a regression in the order in
which string concatenation expressions are evaluated. Section 15.7.1
in the Java Language Specification (JLS) requires the operands to be
fully evaluated in left-to-right order. The conversion to using
invokedynamic calls for this evaluation caused all operands to be
evaluated and then separately converted to strings. This release
resolves the regression by eagerly converting each argument to a
string after evaluation.
As an example, consider the following code:
    StringBuilder builder = new StringBuilder("good");
    return "" + builder + builder.append("bye");
The third argument of the concatenation has the side-effect of
altering the value of builder to be "goodbye". If the arguments are
evaluated eagerly, the concatenation becomes "" + "good" + "goodbye",
resulting in "goodgoodbye" as the output. This is the result when
compiled with a version of javac prior to OpenJDK 9 or when running
javac with the -XDstringConcat=inline command line option to use the
previous concatenation approach.
If the JEP-280 string concatenation option (the default) is used to
compile the code with versions of OpenJDK which suffer from the
regression (which was first resolved in OpenJDK 19), the second
argument is not converted to a string until after the builder.append
method has altered the StringBuilder object. The concatenation
wrongly becomes "" + "goodbye" + "goodbye", resulting in
"goodbyegoodbye" as the output.
Happy hacking,
--
Andrew :)
Pronouns: he / him or they / them
Principal Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
Please contact via e-mail, not proprietary chat networks
Available on Libera Chat & OFTC IRC networks as gnu_andrew