OpenJDK 8u272 Released

Andrew Hughes gnu.andrew at
Wed Oct 21 06:08:04 UTC 2020

We are pleased to announce the release of OpenJDK 8u272.

The source tarball is available from:


The tarball is accompanied by a digital signature available at:


This is signed by our Red Hat OpenJDK key (openjdk at

PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://
Fingerprint = CA5F 11C6 CE22 644D 42C6  AC44 92EF 8D39 DC13 168F

SHA256 checksums:

ce77e0a3d2b7ff3e2e17e25dd4e1d1499ca950a539c56e5020416957ea7eac6f  openjdk8u272-ga.tar.xz
aec51ca092db93c57de810886d3c3ba18bd93f5f6f99cf2ba257e01eaeb1eaa2  openjdk8u272-ga.tar.xz.sig

The checksums can be downloaded from:


New in release OpenJDK 8u272 (2020-10-20):
Live versions of these release notes can be found at:

* New features
  - JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7
* Security fixes
  - JDK-8233624: Enhance JNI linkage
  - JDK-8236196: Improve string pooling
  - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
  - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
  - JDK-8237995, CVE-2020-14782: Enhance certificate processing
  - JDK-8240124: Better VM Interning
  - JDK-8241114, CVE-2020-14792: Better range handling
  - JDK-8242680, CVE-2020-14796: Improved URI Support
  - JDK-8242685, CVE-2020-14797: Better Path Validation
  - JDK-8242695, CVE-2020-14798: Enhanced buffer support
  - JDK-8243302: Advanced class supports
  - JDK-8244136, CVE-2020-14803: Improved Buffer supports
  - JDK-8244479: Further constrain certificates
  - JDK-8244955: Additional Fix for JDK-8240124
  - JDK-8245407: Enhance zoning of times
  - JDK-8245412: Better class definitions
  - JDK-8245417: Improve certificate chain handling
  - JDK-8248574: Improve jpeg processing
  - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
  - JDK-8253019: Enhanced JPEG decoding
* Other changes
  - JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/ fails sometimes
  - JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY test/compiler/7177917/
  - JDK-8023697: failed class resolution reports different class name in detail message for the first and subsequent times
  - JDK-8025886: replace [[ and == bash extensions in regtest
  - JDK-8026236: Add PrimeTest for BigInteger
  - JDK-8031625: javadoc problems referencing inner class constructors
  - JDK-8035493: JVMTI PopFrame capability must instruct compilers not to prune locals
  - JDK-8036088: Replace strtok() with its safe equivalent strtok_s() in DefaultProxySelector.c
  - JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/ fails
  - JDK-8046274: Removing dependency on jakarta-regexp
  - JDK-8048933: -XX:+TraceExceptions output should include the message
  - JDK-8057003: Large reference arrays cause extremely long synchronization times
  - JDK-8060721: Test runtime/SharedArchiveFile/ fails in jdk 9 fcs new platforms/compiler
  - JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws IllegalArgumentException for flags of type double
  - JDK-8062947: Fix exception message to correctly represent LDAP connection failure
  - JDK-8064319: Need to enable -XX:+TraceExceptions in release builds
  - JDK-8075774: Small readability and performance improvements for zipfs
  - JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/fileaccess/ fails
  - JDK-8078334: Mark regression tests using randomness
  - JDK-8078880: Mark a few more intermittently failuring security-libs
  - JDK-8080462: Update SunPKCS11 provider with PKCS11 v2.40 support
  - JDK-8132206: move into OpenJDK
  - JDK-8132376: Add @requires to the client tests with access to internal OS-specific API
  - JDK-8132745: minor cleanup of java/util/Scanner/
  - JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/appletviewer/IOExceptionIfEncodedURLTest/
  - JDK-8144539: Update PKCS11 tests to run with security manager
  - JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/ hangs on Win. 8
  - JDK-8148754: C2 loop unrolling fails due to unexpected graph shape
  - JDK-8148854: Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent
  - JDK-8151678: com/sun/jndi/ldap/ failed due to timeout on DeadServerNoTimeoutTest is incorrect
  - JDK-8151788: NullPointerException from ntlm.Client.type3
  - JDK-8151834: Test times out intermittently
  - JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings
  - JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout
  - JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary public
  - JDK-8154313: Generated javadoc scattered all over the place
  - JDK-8156169: Some sound tests rarely hangs because of incorrect synchronization
  - JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider
  - JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
  - JDK-8163251: Hard coded loop limit prevents reading of smart card data greater than 8k
  - JDK-8165936: Potential Heap buffer overflow when seaching timezone info files
  - JDK-8165996: PKCS11 using NSS throws an error regarding secmod.db when NSS uses sqlite
  - JDK-8166148: Fix for JDK-8165936 broke solaris builds
  - JDK-8167300: Scheduling failures during gcm should be fatal
  - JDK-8167615: Opensource unit/regression tests for JavaSound
  - JDK-8168517: java/lang/ProcessBuilder/ failed
  - JDK-8169925: PKCS #11 Cryptographic Token Interface license
  - JDK-8172012: [TEST_BUG] delays needed in javax/swing/JTree/4633594/
  - JDK-8173300: [TESTBUG]compiler/tiered/ fails with compiler.whitebox.SimpleTestCaseHelper(int) must be compiled
  - JDK-8177334: Update xmldsig implementation to Apache Santuario 2.1.1
  - JDK-8177628: Opensource unit/regression tests for ImageIO
  - JDK-8183341: Better cleanup for javax/imageio/
  - JDK-8183349: Better cleanup for jdk/test/javax/imageio/plugins/shared/ and
  - JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/AppletContextTest/
  - JDK-8184762: ZapStackSegments should use optimized memset
  - JDK-8191678: [TESTBUG] Add keyword headful in java/awt FocusTransitionTest test.
  - JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied
  - JDK-8193137: Nashorn crashes when given an empty script file
  - JDK-8193234: When using -Xcheck:jni an internally allocated buffer can leak
  - JDK-8194298: Add support for per Socket configuration of TCP keepalive
  - JDK-8198004: javax/swing/JFileChooser/6868611/ throws error
  - JDK-8200313: java/awt/Gtk/GtkVersionTest/ fails
  - JDK-8201633: Problems with AES-GCM native acceleration
  - JDK-8203357: Container Metrics
  - JDK-8209113: Use WeakReference for lastFontStrike for created Fonts
  - JDK-8210147: adjust some WSAGetLastError usages in windows network coding
  - JDK-8211049: Second parameter of "initialize" method is not used
  - JDK-8211163: UNIX version of Java_java_io_Console_echo does not return a clean boolean
  - JDK-8211714: Need to update vm_version.cpp to recognise VS2017 minor versions
  - JDK-8214862: assert(proj != __null) at compile.cpp:3251
  - JDK-8216283: Allow shorter method sampling interval than 10 ms
  - JDK-8217606: LdapContext#reconnect always opens a new connection
  - JDK-8217647: JFR: recordings on 32-bit systems unreadable
  - JDK-8217878: ENVELOPING XML signature no longer works in JDK 11
  - JDK-8218629: XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10
  - JDK-8219566: JFR did not collect call stacks when MaxJavaStackTraceDepth is set to zero
  - JDK-8219919: RuntimeStub name lost with PrintFrameConverterAssembly
  - JDK-8220165: Encryption using GCM results in RuntimeException- input length out of bound
  - JDK-8220313: [TESTBUG] Update base image for Docker testing to OL 7.6
  - JDK-8220555: JFR tool shows potentially misleading message when it cannot access a file
  - JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in docker container only works with debug JVMs
  - JDK-8221569: JFR tool produces incorrect output when both --categories and --events are specified
  - JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp
  - JDK-8224217: RecordingInfo should use textual representation of path
  - JDK-8225695: 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support)
  - JDK-8226575: OperatingSystemMXBean should be made container aware
  - JDK-8226697: Several tests which need the @key headful keyword are missing it.
  - JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous
  - JDK-8228835: Memory leak in PKCS11 provider when using AES GCM
  - JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow
  - JDK-8230303: JDB hangs when running monitor command
  - JDK-8230711: ConnectionGraph::unique_java_object(Node* N) return NULL if n is not in the CG
  - JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo
  - JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate
  - JDK-8233097: Fontmetrics for large Fonts has zero width
  - JDK-8233621: Mismatch in jsse.enableMFLNExtension property name
  - JDK-8234617: C1: Incorrect result of field load due to missing narrowing conversion
  - JDK-8235243: handle VS2017 15.9 and VS2019 in abstract_vm_version
  - JDK-8235325: build failure on Linux after 8235243
  - JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink
  - JDK-8236645: JDK 8u231 introduces a regression with incompatible handling of XML messages
  - JDK-8237951: CTW: C2 compilation fails with "malformed control flow"
  - JDK-8238225: Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary
  - JDK-8238380: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10
  - JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10
  - JDK-8238388: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10
  - JDK-8238898: Missing hash characters for header on license file
  - JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD
  - JDK-8239819: XToolkit: Misread of screen information memory
  - JDK-8240295: hs_err elapsed time in seconds is not accurate enough
  - JDK-8240676: Meet not symmetric failure when running lucene on jdk8
  - JDK-8241888: Mirror system property with a security one
  - JDK-8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash
  - JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array
  - JDK-8243138: Enhance BaseLdapServer to support starttls extended request
  - JDK-8243320: Add SSL root certificates to Oracle Root CA program
  - JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program
  - JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions
  - JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26
  - JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor
  - JDK-8245467: Remove 8u TLSv1.2 implementation files
  - JDK-8245469: Remove DTLS protocol implementation
  - JDK-8245470: Fix JDK8 compatibility issues
  - JDK-8245471: Revert JDK-8148188
  - JDK-8245472: Backport JDK-8038893 to JDK8
  - JDK-8245473: OCSP stapling support
  - JDK-8245474: Add TLS_KRB5 cipher suites support according to RFC-2712
  - JDK-8245476: Disable TLSv1.3 protocol in the ClientHello message by default
  - JDK-8245477: Adjust TLS tests location
  - JDK-8245653: Remove 8u TLS tests
  - JDK-8245681: Add TLSv1.3 regression test from 11.0.7
  - JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
  - JDK-8246310: Clean commented-out code about ModuleEntry andPackageEntry in JFR
  - JDK-8246384: Enable JFR by default on supported architectures for October 2020 release
  - JDK-8248643: Remove extra leading space in JDK-8240295 8u backport
  - JDK-8248851: CMS: Missing memory fences between free chunk check and klass read
  - JDK-8249158: THREAD_START and THREAD_END event posted in primordial phase
  - JDK-8249610: Make keys) method public
  - JDK-8249677: Regression in 8u after JDK-8237117: Better ForkJoinPool behavior
  - JDK-8250546: Expect changed behaviour reported in JDK-8249846
  - JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics
  - JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/
  - JDK-8250875: Incorrect parameter type for update_number in JDK_Version::jdk_update
  - JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher
  - JDK-8251120: [8u] HotSpot build assumes ENABLE_JFR is set to either true or false
  - JDK-8251341: Minimal Java specification change
  - JDK-8251478: Backport TLSv1.3 regression tests to JDK8u
  - JDK-8251546: 8u backport of JDK-8194298 breaks AIX and Solaris builds
  - JDK-8252084: Minimal VM fails to bootcycle: undefined symbol: AgeTableTracer::is_tenuring_distribution_event_enabled
  - JDK-8252573: 8u: Windows build failed after 8222079 backport
  - JDK-8252886: [TESTBUG] sun/security/ec/ : Compilation failed
  - JDK-8254673: Call to JvmtiExport::post_vm_start() was removed by the fix for JDK-8249158
  - JDK-8254937: Revert JDK-8148854 for 8u272

Notes on individual issues:


JDK-8236876: OperatingSystemMXBean Methods Inside a Container Return Container Specific Data
When executing in a container, or other virtualized operating
environment, the following `OperatingSystemMXBean` methods in this
release return container specific information, if
available. Otherwise, they return host specific data:

* getFreePhysicalMemorySize()
* getTotalPhysicalMemorySize()
* getFreeSwapSpaceSize()
* getTotalSwapSpaceSize()
* getSystemCpuLoad()


JDK-8250756: Added Entrust Root Certification Authority - G4 certificate
The Entrust root certificate has been added to the cacerts truststore:

Alias Name: entrustrootcag4
Distinguished Name: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust,  Inc. - for authorized use only", OU=See, O="Entrust, Inc.", C=US

JDK-8250860: Added 3 SSL Corporation Root CA Certificates
The following root certificates have been added to the cacerts truststore for the SSL Corporation:

Alias Name: sslrootrsaca
Distinguished Name: Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US

Alias Name: sslrootevrsaca
Distinguished Name: EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US

Alias Name: sslrooteccca
Distinguished Name: Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US


JDK-8221441: SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40
The SunPKCS11 provider has been updated with support for PKCS#11
v2.40. This version adds support for more algorithms such as the
AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message
digests, and RSASSA-PSS signatures when the corresponding PKCS11
mechanisms are supported by the underlying PKCS11 library.


JDK-8242059: Support for canonicalize in krb5.conf
The 'canonicalize' flag in the [krb5.conf file][0] is now supported by
the JDK Kerberos implementation. When set to *true*, RFC 6806 [1] name
canonicalization is requested by clients in TGT requests to KDC
services (AS protocol). Otherwise, and by default, it is not

The new default behavior is different from previous releases where
name canonicalization was always requested by clients in TGT requests
to KDC services (provided that support for RFC 6806[1] was not
explicitly disabled with the **
system or security properties).



JDK-8202891: Updated xmldsig Implementation to Apache Santuario 2.1.1
The XMLDSig provider implementation in the `java.xml.crypto` module has been updated to version 2.1.1 of Apache Santuario.

New features include:

1. Support for the SHA-224 and SHA-3 DigestMethod algorithms specified
in RFC 6931.
2. Support for the HMAC-SHA224, RSA-SHA224, ECDSA-SHA224, and
RSASSA-PSS family of SignatureMethod algorithms specified in RFC 6931.

JDK-8238185: New OpenJDK-specific JDK 8 Updates System Property to fallback to legacy Base64 Encoding format
The upgrade to the Apache Santuario libraries (see above) introduced
an issue where XML signature using Base64 encoding resulted in
appending `&#xd` or `&#13` to the encoded output. This behavioural
change was made in the Apache Santuario codebase to comply with RFC
2045. The Santuario team has adopted a position of keeping their
libraries compliant with RFC 2045.

Earlier versions of OpenJDK 8 using the legacy encoder returns encoded
data in a format without `&#xd` or `&#13`.

Therefore a new system property, specific to the 8 update stream,
`` is made
available to fall back to the legacy Base64 encoded format.

Users can set this flag in one of two ways:


2. System.setProperty("", "true")

This new system property is disabled by default. It has no effect on
default behaviour nor when
`` property
is set.

Later JDK family versions will only support the recommended property:


Andrew :)

Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

More information about the jdk8u-dev mailing list