OpenJDK 8u302 Released

Andrew Hughes gnu.andrew at
Wed Jul 21 04:45:05 UTC 2021

We are pleased to announce the release of OpenJDK 8u302.

The source tarball is available from:


The tarball is accompanied by a digital signature available at:


This is signed by our Red Hat OpenJDK key (openjdk at

PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://
Fingerprint = CA5F 11C6 CE22 644D 42C6  AC44 92EF 8D39 DC13 168F

SHA256 checksums:

ab50669afd85086ba451cbc1560ae76e9bc7fc3c9c46e3d37ee5c6a48bb30124  openjdk8u302-ga.tar.xz
6642f62a5eb3c66f4118e4534a0db763f32ba166ea58a4cbb508b48d7d16ce25  openjdk8u302-ga.tar.xz.sig

The checksums can be downloaded from:


New in release OpenJDK 8u302 (2021-07-20):
Live versions of these release notes can be found at:

* Security fixes
  - JDK-8256157: Improve bytecode assembly
  - JDK-8256491: Better HTTP transport
  - JDK-8258432, CVE-2021-2341: Improve file transfers
  - JDK-8260453: Improve Font Bounding
  - JDK-8260960: Signs of jarsigner signing
  - JDK-8260967, CVE-2021-2369: Better jar file validation
  - JDK-8262380: Enhance XML processing passes
  - JDK-8262403: Enhanced data transfer
  - JDK-8262410: Enhanced rules for zones
  - JDK-8262477: Enhance String Conclusions
  - JDK-8262967: Improve Zip file support
  - JDK-8264066, CVE-2021-2388: Enhance compiler validation
  - JDK-8264079: Improve abstractions
  - JDK-8264460: Improve NTLM support
* Other changes
  - JDK-6878250: (so) IllegalBlockingModeException thrown when reading from a closed SocketChannel's InputStream
  - JDK-6990210: [TEST_BUG] EventDispatchThread/HandleExceptionOnEDT/ fails on gnome
  - JDK-7059970: Test case: javax/imageio/plugins/png/ is not closing a file
  - JDK-7106851: Test should not use System.exit
  - JDK-8019470: Changes needed to compile JDK 8 on MacOS with clang compiler
  - JDK-8028618: [TEST BUG] javax/swing/JScrollBar/bug4202954/ fails
  - JDK-8030123: java/beans/Introspector/ fails
  - JDK-8032050: Clean up for java/rmi/activation/Activatable/shutdownGracefully/
  - JDK-8033289: clang: clean up unused function warning
  - JDK-8034856: gcc warnings compiling src/solaris/native/sun/security/pkcs11
  - JDK-8034857: gcc warnings compiling src/solaris/native/sun/management
  - JDK-8035000: clean up ActivationLibrary.DestroyThread
  - JDK-8035054: JarFacade.c should not include ctype.h
  - JDK-8035287: gcc warnings compiling various libraries files
  - JDK-8036095: RMI tests using testlibrary.RMID and testlibrary.JavaVM do not pass through vmoptions
  - JDK-8037825: Fix warnings and enable "warnings as errors" in serviceability native libraries
  - JDK-8042891: Format issues embedded in macros for two g1 source files
  - JDK-8043264: hsdis library not picked up correctly on expected paths
  - JDK-8043646: libosxapp.dylib fails to build on Mac OS 10.9 with clang
  - JDK-8047939: [TESTBUG] Rewrite test/runtime/8001071/
  - JDK-8055754: filemap.cpp does not compile with clang
  - JDK-8064909: got OutOfMemoryError
  - JDK-8066508: JTReg tests timeout on slow devices when run using JPRT
  - JDK-8066807: langtools/test/Makefile should use -agentvm not -samevm
  - JDK-8071374: -XX:+PrintAssembly -XX:+PrintSignatureHandlers crash fastdebug VM with assert(limit == __null || limit <= nm->code_end()) in RelocIterator::initialize
  - JDK-8073446: TimeZone getOffset API does not return a dst offset between years 2038-2137
  - JDK-8074835: Resolve disabled warnings for libj2gss
  - JDK-8074836: Resolve disabled warnings for libosxkrb5
  - JDK-8075071: [TEST_BUG] OOME: Java heap space: MaxHeap shrinked by MaxRAMFraction
  - JDK-8077364: "if( !this )" construct prevents build on Xcode 6.3
  - JDK-8078855: [TEST_BUG] javax/swing/JComboBox/8032878/ fails in WindowsClassicLookAndFeel
  - JDK-8081764: [TEST_BUG] Test javax/swing/plaf/aqua/ fails on Windows, Solaris Sparcv9 and Linux but passes on MacOSX
  - JDK-8129511: PlatformMidi.c:83 uses malloc without malloc header
  - JDK-8130308: Too low memory usage in
  - JDK-8130430: [TEST_BUG] remove unnecessary internal calls from javax/swing/JRadioButton/8075609/
  - JDK-8132148: G1 hs_err region dump legend out of sync with region values
  - JDK-8132709: [TESTBUG] gc/g1/ might fail on embedded
  - JDK-8134672: [TEST_BUG] Some tests should check isDisplayChangeSupported
  - JDK-8134883: C1 hard crash in range check elimination in Nashorn test262parallel
  - JDK-8136592: [TEST_BUG] Fix 2 platform-specific closed regtests for jigsaw
  - JDK-8138820: JDK Hotspot build fails with Xcode 7.0.1
  - JDK-8151786: [TESTBUG] java/beans/XMLEncoder/ timed out intermittently
  - JDK-8159898: Negative array size in java/beans/Introspector/
  - JDK-8166046: [TESTBUG] compiler/stringopts/ fails with OOME
  - JDK-8166724: gc/g1/ fails with OOME
  - JDK-8172188: JDI tests fail due to "permission denied" when creating temp file
  - JDK-8177809: File.lastModified() is losing milliseconds (always ends in 000)
  - JDK-8178403: DirectAudio in JavaSound may hang and leak
  - JDK-8180478: tools/launcher/ fails on Windows because of extra-''
  - JDK-8183910: gc/arguments/ fails intermittently
  - JDK-8190332: PngReader throws NegativeArraySizeException/OOM error when IHDR width is very large
  - JDK-8190679: java/util/Arrays/ fails with "Initial heap size set to a larger value than the maximum heap size"
  - JDK-8191955: AArch64: incorrect prefetch distance causes an internal error
  - JDK-8196092: javax/swing/JComboBox/8032878/ fails
  - JDK-8199265: java/util/Arrays/ fails with OOM
  - JDK-8200550: Xcode 9.3 produce warning -Wexpansion-to-defined
  - JDK-8202299: Java Keystore fails to load PKCS12/PFX certificates created in WindowsServer2016
  - JDK-8203196: C1 emits incorrect code due to integer overflow in _tableswitch keys
  - JDK-8205014: com/sun/jndi/ldap/ failed with "Read timed out"
  - JDK-8206243: java -XshowSettings fails if memory.limit_in_bytes overflows LONG.max
  - JDK-8206925: Support the certificate_authorities extension
  - JDK-8209996: [PPC64] Fix JFR profiling
  - JDK-8214345: infinite recursion while checking super class
  - JDK-8217230: assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types()
  - JDK-8217348: assert(thread->is_Java_thread()) failed: just checking
  - JDK-8225081: Remove Telia Company CA certificate expiring in April 2021
  - JDK-8225116: Test intermittently fails
  - JDK-8228757: Fail fast if the handshake type is unknown
  - JDK-8230428: Cleanup dead CastIP node code in formssel.cpp
  - JDK-8231631: sun/net/ftp/ fails intermittently with NPE
  - JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns
  - JDK-8231949: [PPC64, s390]: Make async profiling more reliable
  - JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater()
  - JDK-8239053: [8u] clean up undefined-var-template warnings
  - JDK-8239400: [8u] clean up undefined-var-template warnings
  - JDK-8241649: Optimize Character.toString
  - JDK-8241829: Cleanup the code for PrinterJob on windows
  - JDK-8242565: Policy initialization issues when the denyAfter constraint is enabled
  - JDK-8243559: Remove root certificates with 1024-bit keys
  - JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node
  - JDK-8249142: java/awt/FontClass/CreateFont/ is unstable
  - JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList
  - JDK-8250876: Fix issues with cross-compile on macos
  - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows
  - JDK-8253375: OSX build fails with Xcode 12.0 (12A7209)
  - JDK-8254631: Better support ALPN byte wire values in SunJSSE
  - JDK-8255086: Update the root locale display names
  - JDK-8255734: VM should ignore SIGXFSZ on ppc64, s390 too
  - JDK-8256818: SSLSocket that is never bound or connected leaks socket resources
  - JDK-8257039: [8u] GenericTaskQueue destructor is incorrect
  - JDK-8257670: sun/security/ssl/SSLSocketImpl/ reports leaks
  - JDK-8257884: Re-enable sun/security/ssl/SSLSocketImpl/ as automatic test
  - JDK-8257997: sun/security/ssl/SSLSocketImpl/ again reports leaks after JDK-8257884
  - JDK-8257999: Parallel GC crash in gc/parallel/ new region is not in covered_region
  - JDK-8258419: RSA cipher buffer cleanup
  - JDK-8258669: fastdebug jvm crashes when do event based tracing for monitor inflation
  - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues
  - JDK-8259271: gc/parallel/ still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region"
  - JDK-8259619: C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect
  - JDK-8259886: Improve SSL session cache performance and scalability
  - JDK-8260029: aarch64: fix typo in verify_oop_array
  - JDK-8260236: better init AnnotationCollector _contended_group
  - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized
  - JDK-8260484: / fail with jtreg 4.2
  - JDK-8260704: ParallelGC: oldgen expansion needs release-store for _end
  - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding
  - JDK-8261867: Backport relevant test changes & additions from JDK-8130125
  - JDK-8262110: DST starts from incorrect time in 2038
  - JDK-8262446: DragAndDrop hangs on Windows
  - JDK-8262726: AArch64: C1 StubAssembler::call_RT can corrupt stack
  - JDK-8262730: Enable jdk8u MacOS external debug symbols
  - JDK-8262864: No debug symbols in image for Windows --with-native-debug-symbols=external
  - JDK-8263061: copy wrong unpack200 debuginfo to bin directory after 8252395
  - JDK-8263504: Some OutputMachOpcodes fields are uninitialized
  - JDK-8263600: change rmidRunning to a simple lookup
  - JDK-8264509: jdk8u MacOS zipped debug symbols won't build
  - JDK-8264562: assert(verify_field_bit(1)) failed: Attempting to write an uninitialized event field: type
  - JDK-8264640: CMS ParScanClosure misses a barrier
  - JDK-8264816: Weak handles leak causes GC to take longer
  - JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod
  - JDK-8265666: Enable AIX build platform to make external debug symbols
  - JDK-8265832: runtime/StackGap/ fails to compile in 8u
  - JDK-8265988: Fix sun/text/IntHashtable/Bug4170614 for JDK 8u
  - JDK-8266191: Missing aarch64 parts of JDK-8181872 (C1: possible overflow when strength reducing integer multiply by constant)
  - JDK-8266723: JFR periodic events are causing extra allocations
  - JDK-8266929: Unable to use algorithms from 3p providers
  - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash
  - JDK-8267426: MonitorVmStartTerminate test timed out on Embedded VM
  - JDK-8267545: [8u] Enable Xcode 12 builds on macOS
  - JDK-8267689: [aarch64] Crash due to bad shift in indirect addressing mode
  - JDK-8268444: keytool -v -list print is incorrect after backport JDK-8141457
  - JDK-8269388: Default build of OpenJDK 8 fails on newer GCCs with warnings as errors on format-overflow
  - JDK-8269468: JDK-8269388 breaks the build on older GCCs
  - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS

Notes on individual issues:


JDK-8256902: Removed Root Certificates with 1024-bit Keys
The following root certificates with weak 1024-bit RSA public keys
have been removed from the `cacerts` keystore:

Alias Name: thawtepremiumserverca [jdk]
Distinguished Name: EMAILADDRESS=premium-server at, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

Alias Name: verisignclass2g2ca [jdk]
Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

Alias Name: verisignclass3ca [jdk]
Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

Alias Name: verisignclass3g2ca [jdk]
Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

Alias Name: verisigntsaca [jdk]
Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA

JDK-8261361: Removed Telia Company's Sonera Class2 CA certificate

The following root certificate have been removed from the cacerts truststore:

Alias Name: soneraclass2ca
Distinguished Name: CN=Sonera Class2 CA, O=Sonera, C=FI


JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values
Certain TLS ALPN values couldn't be properly read or written by the
SunJSSE provider. This is due to the choice of Strings as the API
interface and the undocumented internal use of the UTF-8 Character Set
which converts characters larger than U+00007F (7-bit ASCII) into
multi-byte arrays that may not be expected by a peer.

ALPN values are now represented using the network byte representation
expected by the peer, which should require no modification for
standard 7-bit ASCII-based character Strings. However, SunJSSE now
encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1
characters.  This means applications that used characters above
U+000007F that were previously encoded using UTF-8 may need to either
be modified to perform the UTF-8 conversion, or set the Java security
property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior.

See the updated guide at
for more information.

JDK-8244460: Support for certificate_authorities Extension
The "certificate_authorities" extension is an optional extension
introduced in TLS 1.3. It is used to indicate the certificate
authorities (CAs) that an endpoint supports and should be used by the
receiving endpoint to guide certificate selection.

With this JDK release, the "certificate_authorities" extension is
supported for TLS 1.3 in both the client and the server sides.  This
extension is always present for client certificate selection, while it
is optional for server certificate selection.

Applications can enable this extension for server certificate
selection by setting the `jdk.tls.client.enableCAExtension` system
property to `true`.  The default value of the property is `false`.

Note that if the client trusts more CAs than the size limit of the
extension (less than 2^16 bytes), the extension is not enabled.  Also,
some server implementations do not allow handshake messages to exceed
2^14 bytes.  Consequently, there may be interoperability issues when
`jdk.tls.client.enableCAExtension` is set to `true` and the client
trusts more CAs than the server implementation limit.

Andrew :)
Pronouns: he / him or they / them
Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

More information about the jdk8u-dev mailing list