OpenJDK 17.0.17 Released
Andrew Hughes
gnu.andrew at redhat.com
Thu Oct 23 00:03:36 UTC 2025
We are pleased to announce the release of OpenJDK 17.0.17.
The source tarball is available from:
* https://openjdk-sources.osci.io/openjdk17/openjdk-17.0.17+10.tar.xz
The tarball is accompanied by a digital signature available at:
* https://openjdk-sources.osci.io/openjdk17/openjdk-17.0.17+10.tar.xz.sig
This is signed by our Red Hat OpenJDK key (openjdk at redhat.com):
PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net) Fingerprint
= CA5F 11C6 CE22 644D 42C6 AC44 92EF 8D39 DC13 168F
SHA256 checksums:
8905a0cf7531b00e0a1f644a8ff29d46f602b838a6417311d1ca823e9c75a95b openjdk-17.0.17+10.tar.xz
0823308a961b6b6aada43e5ec12ee5e216698f74cdf4aac7425277c5157ba9e9 openjdk-17.0.17+10.tar.xz.sig
SHA512 checksums:
d8f3323b9f9158a5b93c28597f30ed6240764196a385e927326818af94e4e1280ccad21784af39876bb539a8f3882c6a684c848f8047badc622c36afc3d2105d openjdk-17.0.17+10.tar.xz
1fa30567ecc8309dd1c79bae54d109f9fee12cafe8c3c82bfeb2a812198c67387034184ad03e840a9d4d405a16921fdbc031f7b7a6c20a7847554316ad2337a7 openjdk-17.0.17+10.tar.xz.sig
The checksums can be downloaded from:
* https://openjdk-sources.osci.io/openjdk17/openjdk-17.0.17+10.sha256
* https://openjdk-sources.osci.io/openjdk17/openjdk-17.0.17+10.sha512
New in release OpenJDK 17.0.17 (2025-10-21):
============================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk17017
* CVEs
- CVE-2025-53057
- CVE-2025-53066
* Changes
- JDK-8042381: Test javax/swing/JRootPane/4670486/bug4670486.java fails with Action has not been received
- JDK-8079786: [macosx] Test java/awt/Frame/DisposeParentGC/DisposeParentGC.java fails for Mac only
- JDK-8132785: java/lang/management/ThreadMXBean/ThreadLists.java fails intermittently
- JDK-8136895: Writer not closed with disk full error, file resource leaked
- JDK-8167252: Some of Charset.availableCharsets() does not contain itself
- JDK-8185429: [macos] After a modal dialog is closed, no window becomes active
- JDK-8196017: java/awt/Mouse/GetMousePositionTest/GetMousePositionWithPopup.java fails
- JDK-8202667: java/awt/Debug/DumpOnKey/DumpOnKey.java times out on Windows
- JDK-8203867: Delete test java/awt/TrayIcon/DblClickActionEventTest/DblClickActionEventTest.html
- JDK-8217914: java/net/httpclient/ConnectTimeoutHandshakeSync.java failed on connection refused while doing POST
- JDK-8225777: java/awt/Mixing/MixingOnDialog.java fails on Ubuntu
- JDK-8226919: attach in linux hangs due to permission denied accessing /proc/pid/root
- JDK-8249825: Tests sun/security/ssl/SSLSocketImpl/SetClientMode.java and NonAutoClose.java marked with @ignore
- JDK-8264207: CodeStrings does not honour fixed address assumption.
- JDK-8266246: Swing test PressedIconTest.java sometimes fails on macOS 11 ARM
- JDK-8266247: Swing test bug7154030.java sometimes fails on macOS 11 ARM
- JDK-8273539: [PPC64] gtest build error after JDK-8264207
- JDK-8274039: codestrings gtest fails when hsdis is present
- JDK-8274453: (sctp) com/sun/nio/sctp/SctpChannel/CloseDescriptors.java test should be resilient to lsof warnings
- JDK-8275079: Remove unnecessary conversion to String in java.net.http
- JDK-8276046: codestrings.validate_vm gtest fails on ppc64, s390
- JDK-8276175: codestrings.validate_vm gtest still broken on ppc64 after JDK-8276046
- JDK-8276401: Use blessed modifier order in java.net.http
- JDK-8276681: Additional malformed Javadoc inline tags in JDK source
- JDK-8277969: HttpClient SelectorManager shuts down when custom Executor rejects a task
- JDK-8279005: sun/tools/jstat tests do not check for test case exit codes after JDK-8245129
- JDK-8280818: Expand bug8033699.java to iterate over all LaFs
- JDK-8282144: RandomSupport.convertSeedBytesToLongs sign extension overwrites previous bytes
- JDK-8282147: [TESTBUG] waitForIdle after creating frame in JSpinnerMouseAndKeyPressTest.java
- JDK-8283467: runtime/Thread/StopAtExit.java needs updating
- JDK-8285032: vmTestbase/nsk/jdi/EventSet/suspendPolicy/suspendpolicy008/ fails with "eventSet.suspendPolicy() != policyExpected"
- JDK-8285773: Replace Algorithms.eatMemory(...) with WB.fullGC() in vmTestbase/gc/gctests/ReferencesGC/ReferencesGC.java
- JDK-8285951: Replace Algorithms.eatMemory(...) with WB.fullGC() in vmTestbase_vm_gc_ref tests
- JDK-8286171: HttpClient/2 : Expect:100-Continue blocks indefinitely when response is not 100
- JDK-8286194: ExecutorShutdown test fails intermittently
- JDK-8286660: codestrings gtest fails on AArch64: "udf" in padding
- JDK-8288209: SSL debug message wrong about unsupported authentication scheme
- JDK-8288746: HttpClient resources could be reclaimed more eagerly
- JDK-8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation
- JDK-8292876: Do not include the deprecated userinfo component of the URI in HTTP/2 headers
- JDK-8293713: java/net/httpclient/BufferingSubscriberTest.java fails in timeout, blocked in submission publisher
- JDK-8293786: HttpClient will not send more than 64 kb of data from the 2nd request in http2
- JDK-8294509: The sign extension bug applies to 'public static int[] convertSeedBytesToInts(byte[] seed, int n, int z)' in RandomSupport
- JDK-8294839: Disable StressLongCountedLoop in compiler/loopopts/TestRemoveEmptyLoop.java
- JDK-8294916: Cancelling a request must eventually cause its response body subscriber to be unregistered
- JDK-8294985: SSLEngine throws IAE during parsing of X500Principal
- JDK-8295005: compiler/loopopts/TestRemoveEmptyLoop.java fails with release VMs after JDK-8294839
- JDK-8295210: IR framework should not whitelist -XX:-UseTLAB
- JDK-8297075: java/net/httpclient/CancelStreamedBodyTest.java fails with "java.lang.AssertionError: WARNING: tracker for HttpClientImpl(1) has outstanding operations"
- JDK-8297106: Remove the -Xcheck:jni local reference capacity checking
- JDK-8297149: REDO JDK-8296889: Race condition when cancelling a request
- JDK-8297200: java/net/httpclient/SpecialHeadersTest.java failed once in AssertionError due to selector thread remaining alive
- JDK-8297424: java/net/httpclient/AsyncExecutorShutdown.java fails in AssertionError due to misplaced assert
- JDK-8297499: Parallel: Missing iteration over klass when marking objArrays/objArrayOops during Full GC
- JDK-8297740: runtime/ClassUnload/UnloadTest.java failed with "Test failed: should still be live"
- JDK-8298340: java/net/httpclient/CancelRequestTest.java fails with AssertionError: Found some subscribers for testPostInterrupt
- JDK-8298514: vmTestbase/nsk/jdi/EventRequestManager/threadDeathRequests/thrdeathreq002/TestDescription.java fails with usage tracker
- JDK-8298907: nsk JDI tests pass if the debuggee failed to launch
- JDK-8298931: java/net/httpclient/CancelStreamedBodyTest.java fails with AssertionError due to Pending TCP connections: 1
- JDK-8299338: AssertionError in ResponseSubscribers$HttpResponseInputStream::onSubscribe
- JDK-8300207: Add a pre-check for the number of canonical equivalent permutations in j.u.r.Pattern
- JDK-8301004: httpclient: Add more debug to HttpResponseInputStream
- JDK-8301169: java/net/httpclient/ThrowingSubscribersAsInputStream.java,ThrowingSubscribersAsInputStreamAsync.java, and other httpclient tests failing on windows: Unable to establish loopback connection
- JDK-8301255: Http2Connection may send too many GOAWAY frames
- JDK-8302635: Race condition in HttpBodySubscriberWrapper when cancelling request
- JDK-8303525: Refactor/cleanup open/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java
- JDK-8307648: java/net/httpclient/ExpectContinueTest.java timed out
- JDK-8308185: Update Http2TestServerConnection to use SSLSocket.startHandshake()
- JDK-8312191: ColorConvertOp.filter for the default destination is too slow
- JDK-8312475: org.jline.util.PumpReader signed byte problem
- JDK-8313083: Print 'rss' and 'cache' as part of the container information
- JDK-8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation
- JDK-8314611: Provide more explicative error message parsing Currencies
- JDK-8314978: Multiple server call from connection failing with expect100 in getOutputStream
- JDK-8315505: CompileTask timestamp printed can overflow
- JDK-8316580: HttpClient with StructuredTaskScope does not close when a task fails
- JDK-8317522: Test logic for BODY_CF in AbstractThrowingSubscribers.java is wrong
- JDK-8317804: com/sun/jdi/JdwpAllowTest.java fails on Alpine 3.17 / 3.18
- JDK-8317808: HTTP/2 stream cancelImpl may leave subscriber registered
- JDK-8319174: Enhance robustness of some j.m.BigInteger constructors
- JDK-8319932: [JVMCI] class unloading related tests can fail on libgraal
- JDK-8320858: Move jpackage tests to tier3
- JDK-8325910: Rename jnihelper.h
- JDK-8326606: Test javax/swing/text/BoxView/6494356/bug6494356.java performs a synchronization on a value based class
- JDK-8327750: Convert javax/swing/JFileChooser/FileFilterDescription/FileFilterDescription.java applet test to main
- JDK-8327751: Convert javax/swing/JInternalFrame/6726866/bug6726866.java applet test to main
- JDK-8327752: Convert javax/swing/JOptionPane/4174551/bug4174551.java applet to main
- JDK-8327753: Convert javax/swing/JOptionPane/8024926/bug8024926.java applet to main
- JDK-8327754: Convert javax/swing/JPopupMenu/7160604/bug7160604.java applet to main
- JDK-8327755: Convert javax/swing/JScrollBar/8039464/Test8039464.java applet to main
- JDK-8327756: Convert javax/swing/JSlider/4987336/bug4987336.java applet to main
- JDK-8327826: Convert javax/swing/border/Test4243289.java applet test to main
- JDK-8327835: Convert java/awt/FileDialog/RegexpFilterTest/RegexpFilterTest applet test to main
- JDK-8327838: Convert java/awt/FileDialog/MultipleMode/MultipleMode.html applet test to main
- JDK-8327872: Convert javax/swing/JToolTip/4644444/bug4644444.java applet test to main
- JDK-8327873: Convert javax/swing/border/Test4247606.java applet test to main
- JDK-8327874: Convert javax/swing/JTree/4314199/bug4314199.java applet test to main
- JDK-8327876: Convert javax/swing/border/Test4252164.java applet test to main
- JDK-8327879: Convert javax/swing/border/Test4760089.java applet test to main
- JDK-8327969: Convert javax/swing/border/Test6910490.java applet test to main
- JDK-8327972: Convert java/awt/FileDialog/SaveFileNameOverrideTest/SaveFileNameOverrideTest.html applet test to main
- JDK-8328000: Convert /java/awt/im/8154816/bug8154816.java applet test to main
- JDK-8328012: Convert InputMethod (/java/awt/im) applet tests to main
- JDK-8328030: Convert javax/swing/text/GlyphView/4984669/bug4984669.java applet test to main
- JDK-8328035: Convert javax/swing/text/html/TableView/7030332/bug7030332.java applet test to main
- JDK-8328087: Automate javax/swing/JTable/TAB/TAB.java applet test
- JDK-8328089: Automate javax/swing/JTable/4222153/bug4222153.java applet test
- JDK-8328154: Convert sun/java2d/loops/CopyAreaSpeed.java applet test to main
- JDK-8328190: Convert AWTPanelSmoothWheel.html applet test to main
- JDK-8328225: Convert ImageDecoratedDnD.html applet test to main
- JDK-8328244: Convert javax/swing/JSlider/6742358/bug6742358.java applet test to main
- JDK-8328248: Convert javax/swing/JSlider/6587742/bug6587742.java applet test to main
- JDK-8328262: Convert javax/swing/JSplitPane/8132123/bug8132123.java applet test to main
- JDK-8328279: Convert java/awt/Cursor/CursorOverlappedPanelsTest test to main
- JDK-8328328: Convert javax/swing/JTabbedPane/4666224/bug4666224.java applet test to main
- JDK-8328367: Convert java/awt/Component/UpdatingBootTime test to main
- JDK-8328378: Convert java/awt/FileDialog/FileDialogForDirectories test to main
- JDK-8328382: Convert java/awt/FileDialog/FileDialogForPackages test to main
- JDK-8328384: Convert java/awt/FileDialog/FileDialogOpenDirTest test to main
- JDK-8328385: Convert java/awt/FileDialog/FileDialogReturnTest test to main
- JDK-8328386: Convert java/awt/FileDialog/FileNameOverrideTest test to main
- JDK-8328398: Convert java/awt/im/4490692/bug4490692.html applet test to main
- JDK-8328401: Convert java/awt/Frame/InitialMaximizedTest/InitialMaximizedTest.html applet test to automated
- JDK-8328570: Convert closed JViewport manual applet tests to main
- JDK-8328631: Convert java/awt/InputMethods/InputMethodsTest/InputMethodsTest.java applet test to manual
- JDK-8330022: Failure test/hotspot/jtreg/vmTestbase/nsk/sysdict/share/BTreeTest.java: Could not initialize class java.util.concurrent.ThreadLocalRandom
- JDK-8330106: C2: VectorInsertNode::make() shouldn't call ConINode::make() directly
- JDK-8330535: Update nsk/jdb tests to use driver instead of othervm
- JDK-8332252: Clean up vmTestbase/vm/share
- JDK-8332494: java/util/zip/EntryCount64k.java failing with java.lang.RuntimeException: '\\A\\Z' missing from stderr
- JDK-8332551: Test vmTestbase/nsk/monitoring/MemoryNotificationInfo/from/from001/TestDescription.java timed out
- JDK-8334016: Make PrintNullString.java automatic
- JDK-8334320: Replace vmTestbase/metaspace/share/TriggerUnloadingWithWhiteBox.java with ClassUnloadCommon from testlibrary
- JDK-8334394: Race condition in Class::protectionDomain
- JDK-8334457: Test javax/swing/JTabbedPane/bug4666224.java fail on macOS with because pressing the ‘C’ key does not switch the layout to WRAP_TAB_LAYOUT
- JDK-8335131: Test "javax/swing/JColorChooser/Test6977726.java" failed on ubuntu x64 because "Preview" title is missing for GTK L&F
- JDK-8335181: Incorrect handling of HTTP/2 GOAWAY frames in HttpClient
- JDK-8335252: Reduce size of j.u.Formatter.Conversion#isValid
- JDK-8335468: [XWayland] JavaFX hangs when calling java.awt.Robot.getPixelColor
- JDK-8336499: Failure when creating non-CRT RSA private keys in SunPKCS11
- JDK-8337506: Disable "best-fit" mapping on Windows command line
- JDK-8339561: The test/jdk/java/awt/Paint/ListRepaint.java may fail after JDK-8327401
- JDK-8339725: Concurrent GC crashed due to GetMethodDeclaringClass
- JDK-8339834: Replace usages of -mx and -ms in some tests
- JDK-8340146: ZGC: TestAllocateHeapAt.java should not run with UseLargePages
- JDK-8340185: Use make -k on GHA to catch more build errors
- JDK-8340389: vmTestbase/gc/gctests/PhantomReference/phantom001/TestDescription.java Test exit code: 97 with -Xcomp UseAVX=3
- JDK-8340554: Improve MessageFormat readObject checks
- JDK-8341311: [Accessibility,macOS,VoiceOver] VoiceOver announces incorrect number of items in submenu of JPopupMenu
- JDK-8341370: Test java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java fails intermittently on macOS-aarch64
- JDK-8341964: Add mechanism to disable different parts of TLS cipher suite
- JDK-8342075: HttpClient: improve HTTP/2 flow control checks
- JDK-8342330: C2: "node pinned on loop exit test?" assert failure
- JDK-8343074: test/jdk/com/sun/net/httpserver/docs/test1/largefile.txt could be generated
- JDK-8343618: Stack smashing in awt_InputMethod.c on Linux s390x
- JDK-8343804: Show the default time zone with -XshowSettings option
- JDK-8343855: HTTP/2 ConnectionWindowUpdateSender may miss some unprocessed DataFrames from closed streams
- JDK-8343977: Convert java/awt/TextArea/TextAreaCursorTest/HoveringAndDraggingTest to main
- JDK-8344137: Update XML Security for Java to 3.0.5
- JDK-8344338: javax/swing/JTextArea/bug4265784.java fails on Ubuntu 24.04.1
- JDK-8344671: Few JFR streaming tests fail with application not alive error on MacOS 15
- JDK-8345173: BlockLocationPrinter::print_location misses a ResourceMark
- JDK-8345471: Clean up compiler/intrinsics/sha/cli tests
- JDK-8345566: Deproblemlist test/jdk/javax/swing/JComboBox/6559152/bug6559152.java
- JDK-8345767: javax/swing/JSplitPane/4164779/JSplitPaneKeyboardNavigationTest.java fails in ubuntu22.04
- JDK-8346285: Update jarsigner compatibility test for change in default digest algorithm
- JDK-8346751: Internal java compiler error with type annotations in constants expression in constant fields
- JDK-8346871: Improve robustness of java/util/zip/EntryCount64k.java test
- JDK-8346998: Test nsk/jvmti/ResourceExhausted/resexhausted003 fails with java.lang.OutOfMemoryError when CDS is off
- JDK-8347004: vmTestbase/metaspace/shrink_grow/ShrinkGrowTest/ShrinkGrowTest.java fails with CDS disabled
- JDK-8347302: Mark test tools/jimage/JImageToolTest.java as flagless
- JDK-8347373: HTTP/2 flow control checks may count unprocessed data twice
- JDK-8347381: Upgrade jQuery UI to version 1.14.1
- JDK-8348328: Update IANA Language Subtag Registry to Version 2025-05-15
- JDK-8348365: Bad format string in CLDRDisplayNamesTest
- JDK-8348760: RadioButton is not shown if JRadioButtonMenuItem is rendered with ImageIcon in WindowsLookAndFeel
- JDK-8349151: Refactor test/java/security/cert/CertificateFactory/slowstream.sh to java test
- JDK-8349214: Improve size optimization flags for MSVC builds
- JDK-8349583: Add mechanism to disable signature schemes based on their TLS scope
- JDK-8349849: PKCS11 SunTlsKeyMaterial crashes when used with TLS1.2 TlsKeyMaterialParameterSpec
- JDK-8350483: AArch64: turn on signum intrinsics by default on Ampere CPUs
- JDK-8350582: Correct the parsing of the ssl value in javax.net.debug
- JDK-8350767: Fix -Wzero-as-null-pointer-constant warnings in nsk jni stress tests
- JDK-8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled
- JDK-8350830: Values converted incorrectly when reading TLS session tickets
- JDK-8350964: Add an ArtifactResolver.fetch(clazz) method
- JDK-8351277: Remove pipewire from AIX build
- JDK-8351601: [JMH] test UnixSocketChannelReadWrite failed for 2 threads config
- JDK-8351884: Refactor bug8033699.java test code
- JDK-8351907: [XWayland] [OL10] Robot.mousePress() is delivered to wrong place
- JDK-8351933: Inaccurate masking of TC subfield decrement in ForkJoinPool
- JDK-8351997: AArch64: Interpreter volatile reference stores with G1 are not sequentially consistent
- JDK-8352509: Update jdk.test.lib.SecurityTools jar method to accept List<String> parameter
- JDK-8352624: Add missing {@code} to PassFailJFrame.Builder.splitUI
- JDK-8352637: Enhance bytecode verification
- JDK-8352677: Opensource JMenu tests - series2
- JDK-8352719: Add an equals sign to the modules statement
- JDK-8352860: Open source events tests batch0
- JDK-8352879: TestPeriod.java and TestGetContentType.java run wrong test class
- JDK-8352895: UserCookie.java runs wrong test class
- JDK-8352896: LambdaExpr02.java runs wrong test class
- JDK-8352946: SEGV_BND signal code of SIGSEGV missing from our signal-code table
- JDK-8353000: Open source several swing tests batch2
- JDK-8353126: Open source events tests batch1
- JDK-8353213: Open source several swing tests batch3
- JDK-8353235: Test jdk/jfr/api/metadata/annotations/TestPeriod.java fails with IllegalArgumentException
- JDK-8353293: Open source several swing tests batch4
- JDK-8353304: Open source two JTabbedPane tests
- JDK-8353489: Increase timeout and improve Windows compatibility in test/jdk/java/lang/ProcessBuilder/Basic.java
- JDK-8353549: Open source events tests batch2
- JDK-8353568: SEGV_BNDERR signal code adjust definition
- JDK-8353655: Clean up and open source KeyEvent related tests (Part 1)
- JDK-8353662: Add test for non-local file URL fallback to FTP
- JDK-8353713: Improve Currency.getInstance exception handling
- JDK-8353748: Open source several swing tests batch6
- JDK-8354285: Open source Swing tests Batch 3
- JDK-8354327: Rewrite runtime/LoadClass/LoadClassNegative.java
- JDK-8354415: [Ubuntu25.04] api/java_awt/GraphicsDevice/indexTGF.html#SetDisplayMode - setDisplayMode_REFRESH_RATE_UNKNOWN fails: Height is different on vnc
- JDK-8354941: Build failure with glibc 2.42 due to uabs() name collision
- JDK-8355051: Problemlist java/awt/Graphics2D/CopyAreaOOB.java on macosx-aarch64
- JDK-8355249: Remove the use of WMIC from the entire source code
- JDK-8355262: Test sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java failed: accept timed out
- JDK-8355366: Fix the wrong usage of PassFailJFrame.forcePass() in some manual tests
- JDK-8355370: Include server name in HTTP test server thread names to improve diagnostics
- JDK-8355429: Open source ProgressMonitor test
- JDK-8355441: Remove antipattern from PassFailJFrame.forcePass javadoc
- JDK-8355453: nsk.share.jdi.Debugee.waitingEvent() does not timeout properly
- JDK-8355475: UNCTest should use an existing UNC path
- JDK-8355515: Clarify the purpose of forcePass() and forceFail() methods
- JDK-8355528: Update HarfBuzz to 11.2.0
- JDK-8355578: [java.net] Use @requires tag instead of exiting based on "os.name" property value
- JDK-8355779: When no "signature_algorithms_cert" extension is present we do not apply certificate scope constraints to algorithms in "signature_algorithms" extension
- JDK-8356294: Enhance Path Factories
- JDK-8357173: Split jtreg test group jdk tier3
- JDK-8357253: Test test/jdk/sun/security/ssl/SSLSessionImpl/ResumeClientTLS12withSNI.java writes in src dir
- JDK-8357285: JSR166 Test case testShutdownNow_delayedTasks failed
- JDK-8357672: Extreme font sizes can cause font substitution
- JDK-8357793: [PPC64] VM crashes with -XX:-UseSIGTRAP -XX:-ImplicitNullChecks
- JDK-8357968: RISC-V: Interpreter volatile reference stores with G1 are not sequentially consistent
- JDK-8358004: Delete applications/scimark/Scimark.java test
- JDK-8358452: JNI exception pending in Java_sun_awt_screencast_ScreencastHelper_remoteDesktopKeyImpl of screencast_pipewire.c:1214 (ID: 51119)
- JDK-8358538: Update GHA Windows runner to 2025
- JDK-8358617: java/net/HttpURLConnection/HttpURLConnectionExpectContinueTest.java fails with 403 due to system proxies
- JDK-8358660: Bump update version for OpenJDK: jdk-17.0.17
- JDK-8358697: TextLayout/MyanmarTextTest.java passes if no Myanmar font is found
- JDK-8359272: Several vmTestbase/compact tests timed out on large memory machine
- JDK-8360042: GHA: Bump MSVC to 14.44
- JDK-8360647: [XWayland] [OL10] NumPad keys are not triggered
- JDK-8360937: Enhance certificate handling
- JDK-8361212: Remove AffirmTrust root CAs
- JDK-8361478: GHA: Use MSYS2 from GHA runners
- JDK-8362390: AIX make fails in awt_GraphicsEnv.c
- JDK-8362582: GHA: Increase bundle retention time to deal with infra overload better
- JDK-8362839: [21u] Problem list more tests that fail in 21 and would be fixed by 8309622
- JDK-8363965: GHA: Switch cross-compiling sysroots to Debian bookworm
- JDK-8365375: Method SU3.setAcceleratorSelectionForeground assigns to acceleratorForeground
- JDK-8365389: Remove static color fields from SwingUtilities3 and WindowsMenuItemUI
- JDK-8365811: test/jdk/java/net/CookieHandler/B6644726.java failure - "Should have 5 cookies. Got only 4, expires probably didn't parse correctly"
- JDK-8367388: Tests start to fail on JDK-21 after JDK-8351907
- JDK-8368308: ISO 4217 Amendment 180 Update
- JDK-8369641: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.17
Notes on individual issues:
===========================
core-libs/java.net:
JDK-8342075: HttpClient: improve HTTP/2 flow control checks
===========================================================
This release of OpenJDK 21 enhances the HTTP/2 client implementation
in `java.net.http.HttpClient` to report flow control errors back to
the server. While this should be transparent in most cases, it may
lead to streams being reset or connections being closed if connecting
to a HTTP/2 server that does not correctly handle these errors.
Flow control limits can be adjusted using the following existing
properties:
* `jdk.httpclient.connectionWindowSize`
- Specifies the HTTP/2 client connection window size in bytes.
- Default value: `67108864` (2^26, 64 MiB)
- Range: `2^16-1` to `2^31-1`.
* `jdk.httpclient.windowSize`
- Specifies the HTTP/2 client stream window size in bytes.
- Default value: `16777216` (2^24, 16 MiB)
- Range: `2^14` to `2^31-1`
Specifying an invalid value leads to the default value being used.
The implementation guarantees that the actual value used for the
connection window size will be no smaller than the stream window size.
security-libs/javax.xml.crypto:
JDK-8344137: Update XML Security for Java to 3.0.5
==================================================
The XML Signature implementation has been updated to Apache Santuario
3.0.5 from 3.0.3. This adds support for four new SHA-3 based ECDSA
`SignatureMethod` algorithms.
The `SignatureMethod` constants for these new algorithms are only
available in Java 25. Users will instead need to use the string
literals listed below to obtain instances of these new algorithms:
* ECDSA_SHA3_224: http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-224
* ECDSA_SHA3_256: http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-256
* ECDSA_SHA3_384: http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-384
* ECDSA_SHA3_512: http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-512
core-libs/javax.naming:
JDK-8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation
===================================================================================================
In the April 2021 security updates, `jdk.jndi.object.factoriesFilter`
was introduced as both a System and Security property to control
whether a specific object factory was permitted to instantiate objects
from the remote object references obtained using the protocols used in
JNDI. By default, it was set to `*` to allow all object factory
classes.
With this update, two additional properties are introduced for more
granular control of each JNDI protocol:
* `jdk.jndi.ldap.object.factoriesFilter` which filters object factory
classes used with object references obtained from a JNDI/LDAP context.
Its default value is `java.naming/com.sun.jndi.ldap.**;!*` to allow
only object factories defined in the `java.naming` module.
* `jdk.jndi.rmi.object.factoriesFilter` which filters object factory
classes used with object references obtained from a JNDI/RMI context.
Its default value is `jdk.naming.rmi/com.sun.jndi.rmi.**;!*` to allow
only object factories defined in the `jdk.naming.rmi` module.
All three properties are available as both System and Security
properties, with the System property taking precedence over the
Security property where the default is defined.
Each filter can return a result of ALLOWED, REJECTED and UNDECIDED
using the Status enumeration from `java.io.ObjectInputFilter`. For an
object factory class to be accepted, either the global filter,
`jdk.jndi.object.factoriesFilter`, or the filter for the specific
protocol must return ALLOWED and neither must return REJECTED.
If an application depends on custom object factories to instantiate
objects from remote RMI or LDAP object references, the appropriate
filter property will need to be adjusted to allow these factories to
function. Failure to do so will lead to the factory being blocked by
the filter and a plain `javax.naming.Reference` instance returned
instead.
security-libs/javax.net.ssl:
JDK-8341964: Add mechanism to disable different parts of TLS cipher suite
=========================================================================
The mechanisms in previous releases of OpenJDK for disabling TLS
algorithm were either too broad or too specific. Specifying an
algorithm (e.g. "RSA") would disable all suites using that algorithm.
The only alternative was to specify every suite. With this release,
the `jdk.tls.disabledAlgorithms` security property supports wildcards
for patterns that begin with "TLS_", so "TLS_RSA_*" can be used to
disable all suites that start with "TLS_RSA_".
JDK-8349583: Add mechanism to disable signature schemes based on their TLS scope
================================================================================
In this release, the `jdk.tls.disabledAlgorithms` property now
supports specifying the usage of a particular algorithm. An algorithm
can be limited to use only in a TLS handshake exchange or only in a
TLS certificate.
The usage is specified by adding a suffix to the algorithm, consisting
of the word "usage" and either `HandshakeSignature` for TLS handshake
exchanges or `CertificateSignature` for TLS certificates. For
example, `rsa_pkcs1_sha1 usage HandshakeSignature` restricts the
`rsa_pkcs1_sha1` algorithm to use in TLS handshake exchanges only and
it can not be used to sign TLS certificates.
tools/launcher:
JDK-8337506: Disable "best-fit" mapping on Windows command line
===============================================================
On Windows, the Java launcher in previous releases of OpenJDK used the
ANSI version of the GetCommandLine() Win32 API call to obtain
command-line arguments. If the arguments contained Unicode characters
that did not exist in the ANSI code page, they would be converted to
other characters using the Windows "best fit" mapping [0]. This
mapping could introduce unexpected characters and differed between
code pages. With this release, the JDK reads the command line
arguments as Unicode and then converts them to the ANSI codepage
itself, using the default replacement character for any that can not
be mapped. For cases where such Unicode characters need to be
retained as is, select UTF-8 in the Windows regional settings.
[0] https://www.unicode.org/Public/MAPPINGS/VENDORS/MICSFT/WindowsBestFit/readme.txt
hotspot/runtime:
JDK-8313083: Print 'rss' and 'cache' as part of the container information
=========================================================================
In this release, the information provided for containers is improved
by inclusion of the memory usage information for the Resident Set Size
(RSS) and the cache, in bytes. This is visible in the output of `jcmd
<PID> VM.info`, where `<PID>` is the running JVM, and in the `hs_err`
file generated on abrupt JVM termination.
security-libs/java.security:
JDK-8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation
=============================================================================
The SunMSCAPI provider in previous releases of OpenJDK required
administrator privileges to access the local computer key store. The
store is now accessed with the `CERT_STORE_MAXIMUM_ALLOWED_FLAG` set
so that non-elevated processes will be able to access the key store in
read only mode.
JDK-8361212: Remove AffirmTrust root CAs
========================================
The following root certificates from AffirmTrust, which were
deactivated in the 17.0.13 release of October 2024, have been removed
from the `cacerts` keystore:
Alias name: affirmtrustcommercialca [jdk]
CN=AffirmTrust Commercial
O=AffirmTrust
C=US
SHA256: 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7
Alias name: affirmtrustnetworkingca [jdk]
CN=AffirmTrust Networking
O=AffirmTrust
C=US
SHA256: 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B
Alias name: affirmtrustpremiumca [jdk]
CN=AffirmTrust Premium
O=AffirmTrust
C=US
SHA256: 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A
Alias name: affirmtrustpremiumeccca [jdk]
CN=AffirmTrust Premium ECC
O=AffirmTrust
C=US
SHA256: BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23
Happy hacking,
--
Andrew :)
Pronouns: he / him or they / them
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
Please contact via e-mail, not proprietary chat networks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/jdk-updates-dev/attachments/20251023/d18ee7d5/signature-0001.asc>
More information about the jdk-updates-dev
mailing list