OpenJDK 11.0.28 Released

Andrew Hughes gnu.andrew at redhat.com
Wed Jul 16 17:31:01 UTC 2025


We are pleased to announce the release of OpenJDK 11.0.28.

The source tarball is available from:

* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.28+6.tar.xz

The tarball is accompanied by a digital signature available at:

* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.28+6.tar.xz.sig

This is signed by our Red Hat OpenJDK key (openjdk at redhat.com):

PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net)
Fingerprint = CA5F 11C6 CE22 644D 42C6  AC44 92EF 8D39 DC13 168F

SHA256 checksums:

712334ebfe8ad2acb8befee7ec7e57aec7205356b3696e7f181e342a771dbaa9  openjdk-11.0.28+6.tar.xz
8efbbfab10cbcdb389330deb7e97416cd3ceceec08ee0ed652143cc696add9d1  openjdk-11.0.28+6.tar.xz.sig

SHA512 checksums:

d3bb00237a5c1197a800e6d6aa614061aba2d04e4642c9afaecf2a2e8085c6e0ad5a9ca533f493120e0ee20fbe75c851a31807a3a5bec68bc793010b776df43b  openjdk-11.0.28+6.tar.xz
3a5820bebce6ee63d6285545835e63c5350f3750f131e61724eb669cd016c75d3c0d60422abd54b5cba364abfb2a357a23ffcd4708f0e4edbdfedc5d69c0eaa8  openjdk-11.0.28+6.tar.xz.sig

The checksums can be downloaded from:

* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.28+6.sha256
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.28+6.sha512
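
The checksum and signature check described above, as an added example that is not part of the original announcement. The function names are hypothetical, and it assumes `sha256sum`, `awk` and `gpg` are installed, the signing key is already imported, and the tarball and its `.sig` are in the current directory. It compares the primary-key fingerprint from gpg's `VALIDSIG` status line with the fingerprint quoted above, instead of accepting a good signature from any key in the keyring.

```shell
#!/bin/sh
# Values copied from the announcement above (fingerprint with spaces removed).
TARBALL='openjdk-11.0.28+6.tar.xz'
SHA256='712334ebfe8ad2acb8befee7ec7e57aec7205356b3696e7f181e342a771dbaa9'
KEY_FPR='CA5F11C6CE22644D42C6AC4492EF8D39DC13168F'

# Constructed sample of a gpg status line (the first fingerprint is made up and
# stands for a signing subkey; the last field is the primary-key fingerprint).
SAMPLE_STATUS='[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-07-16 1752687061 0 4 0 1 10 00 CA5F11C6CE22644D42C6AC4492EF8D39DC13168F'

# sha256_matches FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
sha256_matches() {
    actual=$(sha256sum < "$1" | awk '{print $1}') || return 1
    [ "$actual" = "$2" ]
}

# validsig_primary_fpr: read `gpg --status-fd` output on stdin and print the
# primary-key fingerprint (last field) of the first VALIDSIG line, if any.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# signature_from_key FILE SIG FPR: succeed only if SIG is a valid signature
# over FILE made under the primary key with fingerprint FPR.
signature_from_key() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    [ "$(printf '%s\n' "$status" | validsig_primary_fpr)" = "$3" ]
}

# verify_release: both checks must pass before the tarball is unpacked.
verify_release() {
    sha256_matches "$TARBALL" "$SHA256" &&
        signature_from_key "$TARBALL" "$TARBALL.sig" "$KEY_FPR"
}
```

Run `verify_release && tar -xf "$TARBALL"` in the download directory so that extraction only happens after both checks succeed.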

New in release OpenJDK 11.0.28 (2025-07-15):
============================================
Live versions of these release notes can be found at:
  * https://bit.ly/openjdk11028

* CVEs
  - CVE-2025-30749
  - CVE-2025-30754
  - CVE-2025-30761
  - CVE-2025-50059
  - CVE-2025-50106
* Changes
  - JDK-8026976: ECParameters, Point does not match field size
  - JDK-8211400: nsk.share.gc.Memory::getArrayLength returns wrong value
  - JDK-8231058: VerifyOops crashes with assert(_offset >= 0) failed: offset for non comment?
  - JDK-8232625: HttpClient redirect policy should be more conservative
  - JDK-8258483: [TESTBUG] gtest CollectorPolicy.young_scaled_initial_ergo_vm fails if heap is too small
  - JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic
  - JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts
  - JDK-8301753: AppendFile/WriteFile has differences between make 3.81 and 4+
  - JDK-8303770: Remove Baltimore root certificate expiring in May 2025
  - JDK-8315380: AsyncGetCallTrace crash in frame::safe_for_sender
  - JDK-8327476: Upgrade JLine to 3.26.1
  - JDK-8328957: Update PKCS11Test.java to not use hardcoded path
  - JDK-8331959: Update PKCS#11 Cryptographic Token Interface to v3.1
  - JDK-8339300: CollectorPolicy.young_scaled_initial_ergo_vm gtest fails on ppc64 based platforms
  - JDK-8339728: [Accessibility,Windows,JAWS] Bug in the getKeyChar method of the AccessBridge class
  - JDK-8345133: Test sun/security/tools/jarsigner/TsacertOptionTest.java failed: Warning found in stdout
  - JDK-8345625: Better HTTP connections
  - JDK-8346887: DrawFocusRect() may cause an assertion failure
  - JDK-8347629: Test FailOverDirectExecutionControlTest.java fails with -Xcomp
  - JDK-8348110: Update LCMS to 2.17
  - JDK-8348596: Update FreeType to 2.13.3
  - JDK-8348598: Update Libpng to 1.6.47
  - JDK-8348989: Better Glyph drawing
  - JDK-8349111: Enhance Swing supports
  - JDK-8349594: Enhance TLS protocol support
  - JDK-8350469: [11u] Test AbsPathsInImage.java fails - JDK-8239429 public clone
  - JDK-8350498: Remove two Camerfirma root CA certificates
  - JDK-8350991: Improve HTTP client header handling
  - JDK-8351099: Bump update version of OpenJDK: 11.0.28
  - JDK-8351422: Improve scripting supports
  - JDK-8352302: Test sun/security/tools/jarsigner/TimestampCheck.java is failing
  - JDK-8352716: (tz) Update Timezone Data to 2025b
  - JDK-8356096: ISO 4217 Amendment 179 Update
  - JDK-8356571: Re-enable -Wtype-limits for GCC in LCMS
  - JDK-8359170: Add 2 TLS and 2 CS Sectigo roots
  - JDK-8360147: Better Glyph drawing redux

Notes on individual issues:
===========================

security-libs/javax.crypto:pkcs11:

JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic
==========================================================================
In OpenJDK 14, the notion of legacy mechanisms was introduced into the
SunPKCS11 provider.  If a mechanism was found to be using a weak
algorithm, it was determined to be legacy and disabled.

However, this approach has proved inflexible. There was no way for the
user to override the legacy determination and enable the mechanism
anyway.  Also, a mechanism being used for signing would be declared
legacy and disabled if it had a weak encryption algorithm, even though
encryption was not being used. Similarly, a weak signing algorithm
would prevent the mechanism's use as a cipher for encryption or
decryption.

This OpenJDK release resolves these issues. It introduces the PKCS11
provider configuration attribute "allowLegacy" which can be set to
`true` if the user wishes to override the legacy determination. By
default, it is set to `false`. The legacy determination now also
considers the service type and will only check encryption algorithms
for Ciphers and only signature algorithms for Signatures.

security-libs/java.security:

JDK-8303770: Remove Baltimore root certificate expiring in May 2025
===================================================================
The following root certificate from Baltimore has been removed from
the `cacerts` keystore:

Alias Name: baltimorecybertrustca [jdk]
Distinguished Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE

JDK-8350498: Remove two Camerfirma root CA certificates
=======================================================
The following expired root certificates from Camerfirma have been
removed from the `cacerts` keystore:

Alias name: camerfirmachamberscommerceca [jdk]
CN=Chambers of Commerce Root
OU=http://www.chambersign.org
O=AC Camerfirma SA CIF A82743287
C=EU
SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3

Alias name: camerfirmachambersignca [jdk]
CN=Global Chambersign Root - 2008
O=AC Camerfirma S.A.
SERIALNUMBER=A82743287
L=Madrid (see current address at www.camerfirma.com/address)
C=EU
SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA

JDK-8359170: Add 2 TLS and 2 CS Sectigo roots
=============================================
The following root certificates have been added to the cacerts
truststore:

Name: Sectigo Limited
Alias Name: sectigocodesignroote46
Distinguished Name: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB

Name: Sectigo Limited
Alias Name: sectigocodesignrootr46
Distinguished Name: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB

Name: Sectigo Limited
Alias Name: sectigotlsroote46
Distinguished Name: CN=Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB

Name: Sectigo Limited
Alias Name: sectigotlsrootr46
Distinguished Name: CN=Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB
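
An added example, not part of the original release notes: a check that a runtime's truststore no longer contains the Baltimore and Camerfirma roots listed above. The function names are hypothetical; it assumes `keytool` from the JDK under test is on the PATH and the keystore uses the default password. It matches on fingerprint as well as alias, because a rebuilt or system-provided truststore may carry the same certificate under a different alias.

```shell
#!/bin/sh
# Aliases and SHA-256 fingerprints copied from the release notes above.
REMOVED_ALIASES='baltimorecybertrustca camerfirmachamberscommerceca camerfirmachambersignca'
FPR_COMMERCE='0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3'
FPR_CHAMBERSIGN='13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA'
REMOVED_SHA256="$FPR_COMMERCE $FPR_CHAMBERSIGN"

# Constructed sample of `keytool -list` output: one removed alias, one new
# Sectigo alias, and a Camerfirma root under a made-up alias. Short
# fingerprints such as 00:11:22 are placeholders, not real values.
SAMPLE_LIST="baltimorecybertrustca [jdk], Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22
sectigotlsrootr46 [jdk], Jul 1, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC
renamedroot, Jan 1, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): $FPR_COMMERCE"

# removed_roots_present: read `keytool -list` output on stdin and print one
# line per match, either "alias <name>" or "sha256 <fingerprint>".
removed_roots_present() {
    awk -v aliases="$REMOVED_ALIASES" -v fprs="$REMOVED_SHA256" '
        BEGIN {
            n = split(aliases, a, " "); for (i = 1; i <= n; i++) alias[a[i]] = 1
            n = split(fprs, f, " ");    for (i = 1; i <= n; i++) fpr[f[i]] = 1
        }
        # Entry line: "<alias> [jdk], <date>, trustedCertEntry,"
        /trustedCertEntry/ {
            name = $1; sub(/,$/, "", name)
            if (name in alias) print "alias " name
        }
        # Fingerprint line: the colon-separated digest is the last field.
        /SHA-?256/ {
            k = toupper($NF)
            if (k in fpr) print "sha256 " k
        }
    '
}

# audit_cacerts: list the JDK cacerts keystore and report leftover roots.
audit_cacerts() {
    keytool -list -cacerts -storepass changeit | removed_roots_present
}
```

Empty output from `audit_cacerts` means none of the three removed roots is trusted by that runtime.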

Happy hacking,
-- 
Andrew :)
Pronouns: he / him or they / them
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

Please contact via e-mail, not proprietary chat networks