OpenJDK 17.0.15 Released
Andrew Hughes
gnu.andrew at redhat.com
Wed Apr 16 01:36:53 UTC 2025
We are pleased to announce the release of OpenJDK 17.0.15.
The source tarball is available from:
* https://openjdk-sources.osci.io/openjdk17/openjdk-17.0.15+6.tar.xz
The tarball is accompanied by a digital signature available at:
* https://openjdk-sources.osci.io/openjdk17/openjdk-17.0.15+6.tar.xz.sig
This is signed by our Red Hat OpenJDK key (openjdk at redhat.com):
PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net)
Fingerprint = CA5F 11C6 CE22 644D 42C6 AC44 92EF 8D39 DC13 168F
SHA256 checksums:
0ead550ff5abe15df9c2c8b3656198e6e6679186b544e1fa329436e90eb46b31 openjdk-17.0.15+6.tar.xz
55a6c9777110bca5d5a8d3dfae237f5caf3cdaa1728784e3619916f8bfe8b0ed openjdk-17.0.15+6.tar.xz.sig
SHA512 checksums:
3e375efb74ce6cbd93a638219f438d319f5405f9bc089ff4f54daab8128f3ad64a7ef768d7beb86193f8dafa6e07d0466df479fda471e64ff1921820bcff5c4d openjdk-17.0.15+6.tar.xz
4cee3307673eb077b9f85a6f279fac867e3ead3d1d4da615b6d8147fb66048e5bd4dd429940cbbbf065c6db2e52f362cf524e2df836e2c5449621767dd63607a openjdk-17.0.15+6.tar.xz.sig
The checksums can be downloaded from:
* https://openjdk-sources.osci.io/openjdk17/openjdk-17.0.15+6.sha256
* https://openjdk-sources.osci.io/openjdk17/openjdk-17.0.15+6.sha512
New in release OpenJDK 17.0.15 (2025-04-15):
============================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk17015
* CVEs
- CVE-2025-21587
- CVE-2025-30691
- CVE-2025-30698
* Changes
- JDK-6355567: AdobeMarkerSegment causes failure to read valid JPEG
- JDK-8065099: [macos] javax/swing/PopupFactory/6276087/NonOpaquePopupMenuTest.java fails: no background shine through
- JDK-8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts
- JDK-8198237: [macos] Test java/awt/Frame/ExceptionOnSetExtendedStateTest/ExceptionOnSetExtendedStateTest.java fails
- JDK-8198666: Many java/awt/Modal/OnTop/ test fails on mac
- JDK-8208565: [TEST_BUG] javax\swing\PopupFactory\6276087\NonOpaquePopupMenuTest.java throws NPE
- JDK-8226933: [TEST_BUG]GTK L&F: There is no swatches or RGB tab in JColorChooser
- JDK-8226938: [TEST_BUG]GTK L&F: There is no Details button in FileChooser Dialog
- JDK-8266435: WBMPImageReader.read() should not truncate the input stream
- JDK-8267893: Improve jtreg test failure handler do get native/mixed stack traces for cores and live processes
- JDK-8270961: [TESTBUG] Move GotWrongOOMEException into vm.share.gc package
- JDK-8274893: Update java.desktop classes to use try-with-resources
- JDK-8276202: LogFileOutput.invalid_file_vm asserts when being executed from a read only working directory
- JDK-8277240: java/awt/Graphics2D/ScaledTransform/ScaledTransform.java dialog does not get disposed
- JDK-8281234: The -protected option is not always checked in keytool and jarsigner
- JDK-8282314: nsk/jvmti/SuspendThread/suspendthrd003 may leak memory
- JDK-8283387: [macos] a11y : Screen magnifier does not show selected Tab
- JDK-8283404: [macos] a11y : Screen magnifier does not show JMenu name
- JDK-8283664: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintTextTest.java
- JDK-8286779: javax.crypto.CryptoPolicyParser#isConsistent always returns 'true'
- JDK-8286875: ProgrammableUpcallHandler::on_entry/on_exit access thread fields from native
- JDK-8290400: Must run exe installers in jpackage jtreg tests without UI
- JDK-8292588: [macos] Multiscreen/MultiScreenLocationTest/MultiScreenLocationTest.java: Robot.mouseMove test failed on Screen #0
- JDK-8292704: sun/security/tools/jarsigner/compatibility/Compatibility.java use wrong key size for EC
- JDK-8292848: AWT_Mixing and TrayIcon tests fail on el8 with hard-coded isOel7
- JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic
- JDK-8293412: Remove unnecessary java.security.egd overrides
- JDK-8294067: [macOS] javax/swing/JComboBox/6559152/bug6559152.java Cannot select an item from popup with the ENTER key.
- JDK-8294316: SA core file support is broken on macosx-x64 starting with macOS 12.x
- JDK-8295087: Manual Test to Automated Test Conversion
- JDK-8295176: some langtools test pollutes source tree
- JDK-8296591: Signature benchmark
- JDK-8296818: Enhance JMH tests java/security/Signatures.java
- JDK-8299077: [REDO] JDK-4512626 Non-editable JTextArea provides no visual indication of keyboard focus
- JDK-8299127: [REDO] JDK-8194048 Regression automated test '/open/test/jdk/javax/swing/text/DefaultCaret/HidingSelection/HidingSelectionTest.java' fails
- JDK-8299128: [REDO] JDK-8213562 Test javax/swing/text/DefaultCaret/HidingSelection/MultiSelectionTest.java fails
- JDK-8299739: HashedPasswordFileTest.java and ExceptionTest.java can fail with java.lang.NullPointerException
- JDK-8299994: java/security/Policy/Root/Root.java fails when home directory is read-only
- JDK-8301989: new javax.swing.text.DefaultCaret().setBlinkRate(N) results in NPE
- JDK-8302111: Serialization considerations
- JDK-8305853: java/text/Format/DateFormat/DateFormatRegression.java fails with "Uncaught exception thrown in test method Test4089106"
- JDK-8306711: Improve diagnosis of `IntlTest` framework
- JDK-8308341: JNI_GetCreatedJavaVMs returns a partially initialized JVM
- JDK-8309171: Test vmTestbase/nsk/jvmti/scenarios/jni_interception/JI05/ji05t001/TestDescription.java fails after JDK-8308341
- JDK-8309231: ProblemList vmTestbase/nsk/jvmti/scenarios/jni_interception/JI05/ji05t001/TestDescription.java
- JDK-8309740: Expand timeout windows for tests in JDK-8179502
- JDK-8309841: Jarsigner should print a warning if an entry is removed
- JDK-8310234: Refactor Locale tests to use JUnit
- JDK-8310629: java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java fails with RuntimeException Server not ready
- JDK-8311306: Test com/sun/management/ThreadMXBean/ThreadCpuTimeArray.java failed: out of expected range
- JDK-8311546: Certificate name constraints improperly validated with leading period
- JDK-8311663: Additional refactoring of Locale tests to JUnit
- JDK-8312416: Tests in Locale should have more descriptive names
- JDK-8312518: [macos13] setFullScreenWindow() shows black screen on macOS 13 & above
- JDK-8313633: [macOS] java/awt/dnd/NextDropActionTest/NextDropActionTest.java fails with java.lang.RuntimeException: wrong next drop action!
- JDK-8313710: jcmd: typo in the documentation of JFR.start and JFR.dump
- JDK-8314225: SIGSEGV in JavaThread::is_lock_owned
- JDK-8314610: hotspot can't compile with the latest of gtest because of <iomanip>
- JDK-8314752: Use google test string comparison macros
- JDK-8314909: tools/jpackage/windows/Win8282351Test.java fails with java.lang.AssertionError: Expected [0]. Actual [1618]:
- JDK-8314975: JavadocTester should set source path if not specified
- JDK-8315486: vmTestbase/nsk/jdwp/ThreadReference/ForceEarlyReturn/forceEarlyReturn002/forceEarlyReturn002.java timed out
- JDK-8315825: Open some swing tests
- JDK-8315882: Open some swing tests 2
- JDK-8315883: Open source several Swing JToolbar tests
- JDK-8315952: Open source several Swing JToolbar JTooltip JTree tests
- JDK-8316056: Open source several Swing JTree tests
- JDK-8316146: Open some swing tests 4
- JDK-8316149: Open source several Swing JTree JViewport KeyboardManager tests
- JDK-8316218: Open some swing tests 5
- JDK-8316371: Open some swing tests 6
- JDK-8316559: Refactor some util/Calendar tests to JUnit
- JDK-8316627: JViewport Test headless failure
- JDK-8316696: Remove the testing base classes: IntlTest and CollatorTest
- JDK-8317631: Refactor ChoiceFormat tests to use JUnit
- JDK-8317636: Improve heap walking API tests to verify correctness of field indexes
- JDK-8318442: java/net/httpclient/ManyRequests2.java fails intermittently on Linux
- JDK-8319567: Update java/lang/invoke tests to support vm flags
- JDK-8319568: Update java/lang/reflect/exeCallerAccessTest/CallerAccessTest.java to accept vm flags
- JDK-8319569: Several java/util tests should be updated to accept VM flags
- JDK-8319647: Few java/lang/System/LoggerFinder/modules tests ignore vm flags
- JDK-8319648: java/lang/SecurityManager tests ignore vm flags
- JDK-8319672: Several classloader tests ignore VM flags
- JDK-8319673: Few security tests ignore VM flags
- JDK-8319676: A couple of jdk/modules/incubator/ tests ignore VM flags
- JDK-8319677: Test jdk/internal/misc/VM/RuntimeArguments.java should be marked as flagless
- JDK-8319818: Address GCC 13.2.0 warnings (stringop-overflow and dangling-pointer)
- JDK-8320372: test/jdk/sun/security/x509/DNSName/LeadingPeriod.java validity check failed
- JDK-8320676: Manual printer tests have no Pass/Fail buttons, instructions close set 1
- JDK-8320691: Timeout handler on Windows takes 2 hours to complete
- JDK-8320714: java/util/Locale/LocaleProvidersRun.java and java/util/ResourceBundle/modules/visibility/VisibilityTest.java timeout after passing
- JDK-8320916: jdk/jfr/event/gc/stacktrace/TestParallelMarkSweepAllocationPendingStackTrace.java failed with "OutOfMemoryError: GC overhead limit exceeded"
- JDK-8321818: vmTestbase/nsk/stress/strace/strace015.java failed with 'Cannot read the array length because "<local4>" is null'
- JDK-8323196: jdk/jfr/api/consumer/filestream/TestOrdered.java failed with "Events are not ordered! Reuse = false"
- JDK-8324672: Update jdk/java/time/tck/java/time/TCKInstant.java now() to be more robust
- JDK-8324807: Manual printer tests have no Pass/Fail buttons, instructions close set 2
- JDK-8325024: java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java incorrect comment information
- JDK-8325042: Remove unused JVMDITools test files
- JDK-8325529: Remove unused imports from `ModuleGenerator` test file
- JDK-8325659: Normalize Random usage by incubator vector tests
- JDK-8325906: Problemlist vmTestbase/vm/mlvm/meth/stress/compiler/deoptimize/Test.java#id1 until JDK-8320865 is fixed
- JDK-8325908: Finish removal of IntlTest and CollatorTest
- JDK-8325937: runtime/handshake/HandshakeDirectTest.java causes "monitor end should be strictly below the frame pointer" assertion failure on AArch64
- JDK-8326421: Add jtreg test for large arrayCopy disjoint case.
- JDK-8326525: com/sun/tools/attach/BasicTests.java does not verify AgentLoadException case
- JDK-8327098: GTest needs larger combination limit
- JDK-8327476: Upgrade JLine to 3.26.1
- JDK-8327505: Test com/sun/jmx/remote/NotificationMarshalVersions/TestSerializationMismatch.java fails
- JDK-8327857: Remove applet usage from JColorChooser tests Test4222508
- JDK-8327859: Remove applet usage from JColorChooser tests Test4319113
- JDK-8327986: ASAN reports use-after-free in DirectivesParserTest.empty_object_vm
- JDK-8328005: Convert java/awt/im/JTextFieldTest.java applet test to main
- JDK-8328085: C2: Use after free in PhaseChaitin::Register_Allocate()
- JDK-8328121: Remove applet usage from JColorChooser tests Test4759306
- JDK-8328130: Remove applet usage from JColorChooser tests Test4759934
- JDK-8328185: Convert java/awt/image/MemoryLeakTest/MemoryLeakTest.java applet test to main
- JDK-8328227: Remove applet usage from JColorChooser tests Test4887836
- JDK-8328368: Convert java/awt/image/multiresolution/MultiDisplayTest/MultiDisplayTest.java applet test to main
- JDK-8328370: Convert java/awt/print/Dialog/PrintApplet.java applet test to main
- JDK-8328380: Remove applet usage from JColorChooser tests Test6348456
- JDK-8328387: Convert java/awt/Frame/FrameStateTest/FrameStateTest.html applet test to main
- JDK-8328403: Remove applet usage from JColorChooser tests Test6977726
- JDK-8328553: Get rid of JApplet in test/jdk/sanity/client/lib/SwingSet2/src/DemoModule.java
- JDK-8328558: Convert javax/swing/JCheckBox/8032667/bug8032667.java applet test to main
- JDK-8328717: Convert javax/swing/JColorChooser/8065098/bug8065098.java applet test to main
- JDK-8328719: Convert java/awt/print/PageFormat/SetOrient.html applet test to main
- JDK-8328730: Convert java/awt/print/bug8023392/bug8023392.html applet test to main
- JDK-8328753: Open source few Undecorated Frame tests
- JDK-8328819: Remove applet usage from JFileChooser tests bug6698013
- JDK-8328827: Convert java/awt/print/PrinterJob/PrinterDialogsModalityTest/PrinterDialogsModalityTest.html applet test to main
- JDK-8329210: Delete Redundant Printer Dialog Modality Test
- JDK-8329320: Simplify awt/print/PageFormat/NullPaper.java test
- JDK-8329322: Convert PageFormat/Orient.java to use PassFailJFrame
- JDK-8329692: Add more details to FrameStateTest.java test instructions
- JDK-8330702: Update failure handler to don't generate Error message if cores actions are empty
- JDK-8331153: JFR: Improve logging of jdk/jfr/api/consumer/filestream/TestOrdered.java
- JDK-8331735: UpcallLinker::on_exit races with GC when copying frame anchor
- JDK-8331959: Update PKCS#11 Cryptographic Token Interface to v3.1
- JDK-8332158: [XWayland] test/jdk/java/awt/Mouse/EnterExitEvents/ResizingFrameTest.java
- JDK-8332917: failure_handler should execute gdb "info threads" command on linux
- JDK-8333360: PrintNullString.java doesn't use float arguments
- JDK-8333391: Test com/sun/jdi/InterruptHangTest.java failed: Thread was never interrupted during sleep
- JDK-8333403: Write a test to check various components events are triggered properly
- JDK-8333427: langtools/tools/javac/newlines/NewLineTest.java is failing on Japanese Windows
- JDK-8334305: Remove all code for nsk.share.Log verbose mode
- JDK-8334490: Normalize string with locale invariant `toLowerCase()`
- JDK-8334777: Test javax/management/remote/mandatory/notif/NotifReconnectDeadlockTest.java failed with NullPointerException
- JDK-8335150: Test LogGeneratedClassesTest.java fails on rpmbuild mock enviroment
- JDK-8335172: Add manual steps to run security/auth/callback/TextCallbackHandler/Password.java test
- JDK-8335789: [TESTBUG] XparColor.java test fails with Error. Parse Exception: Invalid or unrecognized bugid: @
- JDK-8336012: Fix usages of jtreg-reserved properties
- JDK-8336498: [macos] [build]: install-file macro may run into permission denied error
- JDK-8336692: Redo fix for JDK-8284620
- JDK-8336942: Improve test coverage for class loading elements with annotations of different retentions
- JDK-8337222: gc/TestDisableExplicitGC.java fails due to unexpected CodeCache GC
- JDK-8337494: Clarify JarInputStream behavior
- JDK-8337692: Better TLS connection support
- JDK-8337826: Improve logging in OCSPTimeout and SimpleOCSPResponder to help diagnose JDK-8309754
- JDK-8337886: java/awt/Frame/MaximizeUndecoratedTest.java fails in OEL due to a slight color difference
- JDK-8337951: Test sun/security/validator/samedn.sh CertificateNotYetValidException: NotBefore validation
- JDK-8338100: C2: assert(!n_loop->is_member(get_loop(lca))) failed: control must not be back in the loop
- JDK-8338426: Test java/nio/channels/Selector/WakeupNow.java failed
- JDK-8338430: Improve compiler transformations
- JDK-8338571: [TestBug] DefaultCloseOperation.java test not working as expected wrt instruction after JDK-8325851 fix
- JDK-8338595: Add more linesize for MIME decoder in macro bench test Base64Decode
- JDK-8338668: Test javax/swing/JFileChooser/8080628/bug8080628.java doesn't test for GTK L&F
- JDK-8339154: Cleanups and JUnit conversion of test/jdk/java/util/zip/Available.java
- JDK-8339261: Logs truncated in test javax/net/ssl/DTLS/DTLSRehandshakeTest.java
- JDK-8339356: Test javax/net/ssl/SSLSocket/Tls13PacketSize.java failed with java.net.SocketException: An established connection was aborted by the software in your host machine
- JDK-8339524: Clean up a few ExtendedRobot tests
- JDK-8339687: Rearrange reachabilityFence()s in jdk.test.lib.util.ForceGC
- JDK-8339728: [Accessibility,Windows,JAWS] Bug in the getKeyChar method of the AccessBridge class
- JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract
- JDK-8339883: Open source several AWT/2D related tests
- JDK-8339902: Open source couple TextField related tests
- JDK-8339943: Frame not disposed in java/awt/dnd/DropActionChangeTest.java
- JDK-8340078: Open source several 2D tests
- JDK-8340116: test/jdk/sun/security/tools/jarsigner/PreserveRawManifestEntryAndDigest.java can fail due to regex
- JDK-8340411: open source several 2D imaging tests
- JDK-8340480: Bad copyright notices in changes from JDK-8339902
- JDK-8340687: Open source closed frame tests #1
- JDK-8340719: Open source AWT List tests
- JDK-8340969: jdk/jfr/startupargs/TestStartDuration.java should be marked as flagless
- JDK-8341037: Use standard layouts in DefaultFrameIconTest.java and MenuCrash.java
- JDK-8341111: open source several AWT tests including menu shortcut tests
- JDK-8341316: [macos] javax/swing/ProgressMonitor/ProgressMonitorEscapeKeyPress.java fails sometimes in macos
- JDK-8341412: Various test failures after JDK-8334305
- JDK-8341424: GHA: Collect hs_errs from build time failures
- JDK-8341453: java/awt/a11y/AccessibleJTableTest.java fails in some cases where the test tables are not visible
- JDK-8341722: Fix some warnings as errors when building on Linux with toolchain clang
- JDK-8341881: [REDO] java/nio/file/attribute/BasicFileAttributeView/CreationTime.java#tmp fails on alinux3
- JDK-8341978: Improve JButton/bug4490179.java
- JDK-8341982: Simplify JButton/bug4323121.java
- JDK-8342098: Write a test to compare the images
- JDK-8342145: File libCreationTimeHelper.c compile fails on Alpine
- JDK-8342270: Test sun/security/pkcs11/Provider/RequiredMechCheck.java needs write access to src tree
- JDK-8342498: Add test for Allocation elimination after use as alignment reference by SuperWord
- JDK-8342508: Use latch in BasicMenuUI/bug4983388.java instead of delay
- JDK-8342541: Exclude List/KeyEventsTest/KeyEventsTest.java from running on macOS
- JDK-8342562: Enhance Deflater operations
- JDK-8342602: Remove JButton/PressedButtonRightClickTest test
- JDK-8342607: Enhance register printing on x86_64 platforms
- JDK-8342609: jpackage test helper function incorrectly removes a directory instead of its contents only
- JDK-8342634: javax/imageio/plugins/wbmp/WBMPStreamTruncateTest.java creates temp file in src dir
- JDK-8342635: javax/swing/JFileChooser/FileSystemView/WindowsDefaultIconSizeTest.java creates tmp file in src dir
- JDK-8342704: GHA: Report truncation is broken after JDK-8341424
- JDK-8342811: java/net/httpclient/PlainProxyConnectionTest.java failed: Unexpected connection count: 5
- JDK-8342858: Make target mac-jdk-bundle fails on chmod command
- JDK-8342988: GHA: Build JTReg in single step
- JDK-8343007: Enhance Buffered Image handling
- JDK-8343100: Consolidate EmptyFolderTest and EmptyFolderPackageTest jpackage tests into single java file
- JDK-8343101: Rework BasicTest.testTemp test cases
- JDK-8343118: [TESTBUG] java/awt/PrintJob/PrintCheckboxTest/PrintCheckboxManualTest.java fails with rror. Can't find HTML file PrintCheckboxManualTest.html
- JDK-8343128: PassFailJFrame.java test result: Error. Bad action for script: build}
- JDK-8343129: Disable unstable check of ThreadsListHandle.sanity_vm ThreadList values
- JDK-8343178: Test BasicTest.java javac compile fails cannot find symbol
- JDK-8343378: Exceptions in javax/management DeadLockTest.java do not cause test failure
- JDK-8343491: javax/management/remote/mandatory/connection/DeadLockTest.java failing with NoSuchObjectException: no such object in table
- JDK-8343599: Kmem limit and max values swapped when printing container information
- JDK-8343724: [PPC64] Disallow OptoScheduling
- JDK-8343882: BasicAnnoTests doesn't handle multiple annotations at the same position
- JDK-8344581: [TESTBUG] java/awt/Robot/ScreenCaptureRobotTest.java failing on macOS
- JDK-8344589: Update IANA Language Subtag Registry to Version 2024-11-19
- JDK-8344646: The libjsig deprecation warning should go to stderr not stdout
- JDK-8345296: AArch64: VM crashes with SIGILL when prctl is disallowed
- JDK-8345368: java/io/File/createTempFile/SpecialTempFile.java fails on Windows Server 2025
- JDK-8345371: Bump update version for OpenJDK: jdk-17.0.15
- JDK-8345375: Improve debuggability of test/jdk/java/net/Socket/CloseAvailable.java
- JDK-8345414: Google CAInterop test failures
- JDK-8345468: test/jdk/javax/swing/JScrollBar/4865918/bug4865918.java fails in ubuntu22.04
- JDK-8346055: javax/swing/text/StyledEditorKit/4506788/bug4506788.java fails in ubuntu22.04
- JDK-8346324: javax/swing/JScrollBar/4865918/bug4865918.java fails in CI
- JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
- JDK-8346671: java/nio/file/Files/probeContentType/Basic.java fails on Windows 2025
- JDK-8346828: javax/swing/JScrollBar/4865918/bug4865918.java still fails in CI
- JDK-8346887: DrawFocusRect() may cause an assertion failure
- JDK-8346908: Update JDK 17 javadoc man page
- JDK-8346972: Test java/nio/channels/FileChannel/LoopingTruncate.java fails sometimes with IOException: There is not enough space on the disk
- JDK-8347424: Fix and rewrite sun/security/x509/DNSName/LeadingPeriod.java test
- JDK-8347427: JTabbedPane/8134116/Bug8134116.java has no license header
- JDK-8347740: java/io/File/createTempFile/SpecialTempFile.java failing
- JDK-8347847: Enhance jar file support
- JDK-8347965: (tz) Update Timezone Data to 2025a
- JDK-8348625: [21u, 17u] Revert JDK-8185862 to restore old java.awt.headless behavior on Windows
- JDK-8348675: TrayIcon tests fail in Ubuntu 24.10 Wayland
- JDK-8349603: [21u, 17u, 11u] Update GHA JDKs after Jan/25 updates
- JDK-8352097: (tz) zone.tab update missed in 2025a backport
- JDK-8353905: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.15
Notes on individual issues:
===========================
security-libs/javax.net.ssl:
JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
=============================================================================
In accordance with similar plans recently announced by Google,
Mozilla, Apple and Microsoft, the JDK will not trust Transport Layer
Security (TLS) certificates issued after the 15th of April 2025 which
are anchored by Camerfirma root certificates.
Certificates issued on or before April 15th, 2025 will continue to
be trusted until they expire.
If a server's certificate chain is anchored by an affected
certificate, attempts to negotiate a TLS session will fail with an
Exception that indicates the trust anchor is not trusted. For example,
"TLS server certificate issued after 2025-04-15 and anchored by a
distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root -
2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see
current address at www.camerfirma.com/address), C=EU"
To check whether a certificate in a JDK keystore is affected by this
change, you can use the `keytool` utility:
    keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are affected by this change,
then you will need to update the certificate or contact the
organisation responsible for managing the certificate.
These restrictions apply to the following Camerfirma root certificates
included in the JDK:
Alias name: camerfirmachamberscommerceca [jdk]
CN=Chambers of Commerce Root
OU=http://www.chambersign.org
O=AC Camerfirma SA CIF A82743287
C=EU
SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3
Alias name: camerfirmachambersca [jdk]
CN=Chambers of Commerce Root - 2008
O=AC Camerfirma S.A.
SERIALNUMBER=A82743287
L=Madrid (see current address at www.camerfirma.com/address)
C=EU
SHA256: 06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0
Alias name: camerfirmachambersignca [jdk]
CN=Global Chambersign Root - 2008
O=AC Camerfirma S.A.
SERIALNUMBER=A82743287
L=Madrid (see current address at www.camerfirma.com/address)
C=EU
SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA
Users can, *at their own risk*, remove this restriction by modifying
the `java.security` configuration file (or override it by using the
`java.security.properties` system property) so "CAMERFIRMA_TLS" is no
longer listed in the `jdk.security.caDistrustPolicies` security
property.
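The `keytool` check and the distrust policy setting described above can also be checked programmatically. The following is an added example, not part of the original announcement or the JDK's own code: it compares each certificate stored under a keystore alias with the three SHA256 fingerprints listed above and reports whether "CAMERFIRMA_TLS" is still present in `jdk.security.caDistrustPolicies`. The class name, the `KS_PASS` environment variable and the use of the first certificate's notBefore date (in UTC) as its issue date are assumptions.

```java
import java.io.Console;
import java.io.File;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.Arrays;
import java.util.Map;

public class CamerfirmaCheck {
    // SHA256 fingerprints and aliases copied from the list in this release note.
    static final Map<String, String> DISTRUSTED = Map.of(
        "0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3",
        "camerfirmachamberscommerceca",
        "06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0",
        "camerfirmachambersca",
        "13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA",
        "camerfirmachambersignca");

    // Certificates issued after this date are rejected; earlier ones stay trusted.
    static final LocalDate CUTOFF = LocalDate.of(2025, 4, 15);

    // SHA-256 over the DER encoding, formatted like keytool's output (AA:BB:...).
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // True while CAMERFIRMA_TLS is still listed in the security property.
    static boolean policyActive() {
        String policies = Security.getProperty("jdk.security.caDistrustPolicies");
        return policies != null && Arrays.stream(policies.split(","))
                .map(String::trim).anyMatch("CAMERFIRMA_TLS"::equals);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java CamerfirmaCheck.java <keystore> <alias>");
            System.exit(2);
        }
        // Prompt for the password; KS_PASS (hypothetical name) is the non-interactive fallback.
        Console console = System.console();
        char[] password = console != null
                ? console.readPassword("Keystore password: ")
                : System.getenv().getOrDefault("KS_PASS", "").toCharArray();
        KeyStore ks = KeyStore.getInstance(new File(args[0]), password);

        Certificate[] chain = ks.getCertificateChain(args[1]);
        if (chain == null || chain.length == 0) {
            System.err.println("No certificate chain stored under alias " + args[1]);
            System.exit(2);
        }

        // Look for one of the listed roots anywhere in the stored chain.
        // A chain stored without its root cannot match; inspect the issuer manually then.
        String anchor = null;
        for (Certificate c : chain) {
            String alias = DISTRUSTED.get(fingerprint(c));
            if (alias != null) anchor = alias;
        }

        // Assumption: notBefore of the first (server) certificate is its issue date.
        X509Certificate leaf = (X509Certificate) chain[0];
        LocalDate issued = leaf.getNotBefore().toInstant().atZone(ZoneOffset.UTC).toLocalDate();

        System.out.println("CAMERFIRMA_TLS policy active: " + policyActive());
        if (anchor == null) {
            System.out.println("None of the listed Camerfirma roots is in the stored chain.");
        } else if (issued.isAfter(CUTOFF)) {
            System.out.println("AFFECTED: anchored by " + anchor + ", issued " + issued
                    + " (after " + CUTOFF + "); TLS handshakes will fail.");
        } else {
            System.out.println("Anchored by " + anchor + ", issued " + issued
                    + "; trusted until expiry at " + leaf.getNotAfter() + ". Plan a replacement.");
        }
    }
}
```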
security-libs/javax.crypto:pkcs11:
JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic
==========================================================================
In OpenJDK 14, the notion of legacy mechanisms was introduced into the
SunPKCS11 provider. If a mechanism was found to be using a weak
algorithm, it was determined to be legacy and disabled.
However, this approach has proved inflexible. There was no way for the
user to override the legacy determination and enable the mechanism
anyway. Also, a mechanism being used for signing would be declared
legacy and disabled if it had a weak encryption algorithm, even though
encryption was not being used. Similarly, a weak signing algorithm
would prevent the mechanism's use as a cipher for encryption or
decryption.
This OpenJDK release resolves these issues. It introduces the PKCS11
provider configuration attribute "allowLegacy" which can be set to
`true` if the user wishes to override the legacy determination. By
default, it is set to `false`. The legacy determination now also
considers the service type and will only check encryption algorithms
for Ciphers and only signature algorithms for Signatures.
hotspot/runtime:
JDK-8308341: JNI_GetCreatedJavaVMs returns a partially initialized JVM
======================================================================
In previous OpenJDK releases, the JNI method `jint
JNI_GetCreatedJavaVMs(JavaVM **vm_buf, jsize bufLen, jsize *numVMs)`
could return a VM in the `vm_buf` array which was still in the process
of being initialised. With this release, the method now only returns
fully initialised VMs.
Before making use of the `vm_buf` array, please ensure that the number
of VMs returned in `numVMs` is greater than zero.
security-libs/java.security:
JDK-8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts
=============================================================
This OpenJDK release introduces three new properties which allow
greater control over the timeouts for OCSP connections and certificate
retrieval:
* `com.sun.security.ocsp.readtimeout` is paired with the existing
`com.sun.security.ocsp.timeout` to allow the timeout for reading data
to be set separately from the timeout for the transport layer. If
`com.sun.security.ocsp.readtimeout` is not set, it will default to the
value of `com.sun.security.ocsp.timeout` as before, which itself has a
default of 15 seconds.
* `com.sun.security.cert.timeout` is used to set the connection timeout
for the download of certificates for certificate authorities. It defaults
to 15 seconds.
* `com.sun.security.crl.readtimeout` is used to set the data read timeout
for the download of certificates for certificate authorities. It defaults
to 15 seconds.
Note that certificate downloads only take place if the
`com.sun.security.enableAIAcaIssuers` property is set to `true`.
The syntax of all four property values has also been improved. The
value is still expected to be a positive decimal integer value, but an
optional suffix can be appended to cause the value to be interpreted
as either seconds ("s") or milliseconds ("ms"). If no suffix is given,
the value is assumed to be in seconds as before. Anything other than a
decimal digit prior to the suffix will be rejected and the default
used instead. For example, "-5", "0xA" and "6.2" are all invalid
values.
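Because a rejected value silently falls back to the default, it is worth validating configured timeouts before deployment. The following is an added example, not part of the original announcement or the JDK's own parser: it applies the syntax described above to the timeout system properties of the running JVM and to any raw values passed as arguments. The class name, the treatment of zero as invalid and the case-sensitive suffix match are assumptions.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TimeoutPropertyCheck {
    // The timeout properties named in this release note.
    static final List<String> PROPERTIES = List.of(
        "com.sun.security.ocsp.timeout",
        "com.sun.security.ocsp.readtimeout",
        "com.sun.security.cert.timeout",
        "com.sun.security.crl.readtimeout");

    // Decimal digits followed by an optional "s" or "ms" suffix.
    static final Pattern SYNTAX = Pattern.compile("([0-9]+)(ms|s)?");

    /** Returns the timeout in milliseconds, or -1 if the value would be rejected. */
    static long parseMillis(String raw) {
        if (raw == null) return -1;
        Matcher m = SYNTAX.matcher(raw);
        if (!m.matches()) return -1;              // e.g. "-5", "0xA", "6.2"
        long n;
        try {
            n = Long.parseLong(m.group(1));
        } catch (NumberFormatException e) {
            return -1;                            // more digits than a long can hold
        }
        if (n <= 0) return -1;                    // assumption: "positive" excludes zero
        if ("ms".equals(m.group(2))) return n;
        if (n > Long.MAX_VALUE / 1000) return -1; // seconds value too large to convert
        return n * 1000;                          // no suffix or "s": seconds
    }

    static String describe(String raw) {
        if (raw == null) return "unset (default applies)";
        long ms = parseMillis(raw);
        return ms < 0
            ? "REJECTED: \"" + raw + "\" (default will be used instead)"
            : "ok: \"" + raw + "\" = " + ms + " ms";
    }

    public static void main(String[] args) {
        // Values the running JVM was started with, e.g. -Dcom.sun.security.ocsp.readtimeout=500ms
        for (String name : PROPERTIES) {
            System.out.println(name + ": " + describe(System.getProperty(name)));
        }
        // Raw values given on the command line, or constructed samples that
        // include the three invalid values quoted in the note.
        List<String> samples = args.length > 0
            ? List.of(args)
            : List.of("15", "20s", "500ms", "-5", "0xA", "6.2");
        for (String raw : samples) {
            System.out.println(describe(raw));
        }
    }
}
```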
JDK-8309841: Jarsigner should print a warning if an entry is removed
====================================================================
In previous OpenJDK releases, the jarsigner tool did not detect the
case where a file was removed from a signed JAR file but its signature
was still present. With this release, `jarsigner -verify` checks that
every signature has a matching file entry and prints a warning if this
is not the case. The `-verbose` option can also be added to the
command to see the names of the mismatched entries.
Happy hacking,
--
Andrew :)
Pronouns: he / him or they / them
Principal Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
Please contact via e-mail, not proprietary chat networks
Available on Libera Chat & OFTC IRC networks as gnu_andrew