OpenJDK 8u362 Released

Andrew Hughes gnu.andrew at
Thu Jan 19 01:59:08 UTC 2023

We are pleased to announce the release of OpenJDK 8u362.

The source tarball is available from:


The tarball is accompanied by a digital signature available at:


This is signed by our Red Hat OpenJDK key (openjdk at

PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://
Fingerprint = CA5F 11C6 CE22 644D 42C6  AC44 92EF 8D39 DC13 168F

SHA256 checksums:

5d832213502d17ee0a4dd70779cabc811a8643ab2fc780d5cd24b6612f07ab93  openjdk8u362-b09.tar.xz
7cba773ebf1fe68946cc6a9cf837f36ab795e4529f4915a68abea4d1955ca81f  openjdk8u362-b09.tar.xz.sig

The checksums can be downloaded from:


New in release OpenJDK 8u362 (2023-01-17):
Live versions of these release notes can be found at:

* CVEs
  - CVE-2023-21830
  - CVE-2023-21843
* Security fixes
  - JDK-8285021: Improve CORBA communication
  - JDK-8286496: Improve Thread labels
  - JDK-8288516: Enhance font creation
  - JDK-8289350: Better media supports
  - JDK-8293554: Enhanced DH Key Exchanges
  - JDK-8293598: Enhance InetAddress address handling
  - JDK-8293717: Objective view of ObjectView
  - JDK-8293734: Improve BMP image handling
  - JDK-8293742: Better Banking of Sounds
  - JDK-8295687: Better BMP bounds
* Other changes
  - JDK-6885993: Named Thread: introduce print() and print_on(outputStream* st) methods
  - JDK-7124218: [TEST_BUG] [macosx] Space should select cell in the JTable
  - JDK-8054066: com/sun/jdi/ fails with timeout
  - JDK-8067941: [TESTBUG] Fix tests for OS with 64K page size.
  - JDK-8071530: Update OS detection code to reflect Windows 10 version change
  - JDK-8073464: GC workers do not have thread names
  - JDK-8079255: [TEST_BUG] [macosx] Test closed/java/awt/Robot/RobotWheelTest/RobotWheelTest fails for Mac only
  - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/ fails
  - JDK-8148005: One byte may be corrupted by get_datetime_string()
  - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/
  - JDK-8159720: Failure of C2 compilation with tiered prevents some C1 compilations
  - JDK-8195607: sun/security/pkcs11/Secmod/ failed with "NSS initialization failed" on NSS 3.34.1
  - JDK-8197859: VS2017 Complains about UINTPTR_MAX definition in globalDefinitions_VisCPP.hpp
  - JDK-8206456: [TESTBUG] docker jtreg tests fail on systems without cpuset.effective_cpus / cpuset.effective_mems
  - JDK-8221529: [TESTBUG] Docker tests use old/deprecated image on AArch64
  - JDK-8224506: [TESTBUG] fails with exitValue = 137
  - JDK-8233551: [TESTBUG] fails on MacOS
  - JDK-8241086: Test runtime/NMT/ is failing on 32bit Windows
  - JDK-8253702: BigSur version number reported as 10.16, should be 11.nn
  - JDK-8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()
  - JDK-8265527: tools/javac/diags/ fails after JDK-8078024 8u backport
  - JDK-8269039: Disable SHA-1 Signed JARs
  - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
  - JDK-8270344: Session resumption errors
  - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
  - JDK-8273176: handle latest VS2019 in abstract_vm_version
  - JDK-8274563: jfr/event/oldobject/ fails when GC cycles are not happening
  - JDK-8274840: Update OS detection code to recognize Windows 11
  - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
  - JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR
  - JDK-8283277: ISO 4217 Amendment 171 Update
  - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode
  - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
  - JDK-8284622: Update versions of some Github Actions used in JDK workflow
  - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled
  - JDK-8288928: Incorrect GPL header in pnglibconf.h (backport of JDK-8185041)
  - JDK-8289549: ISO 4217 Amendment 172 Update
  - JDK-8292762: Remove .jcheck directories from jdk8u subcomponents
  - JDK-8293181: Bump update version of OpenJDK: 8u362
  - JDK-8293461: Add a test for JDK-8290832
  - JDK-8293828: JFR: jfr/event/oldobject/ still fails when GC cycles are not happening
  - JDK-8294307: ISO 4217 Amendment 173 Update
  - JDK-8294357: (tz) Update Timezone Data to 2022d
  - JDK-8294863: Enable partial tier1 testing in GHA for JDK8
  - JDK-8295164: JDK 8 jdi tests should not use tasklist command on Windows
  - JDK-8295173: (tz) Update Timezone Data to 2022e
  - JDK-8295288: Some vm_flags tests associate with a wrong BugID
  - JDK-8295714: GHA ::set-output is deprecated and will be removed
  - JDK-8295723: security/infra/wycheproof/ fails with Assertion Error
  - JDK-8295915: Problemlist compiler/rtm failures specific to 8u
  - JDK-8295950: Enable langtools/tier1 in GHA for 8u
  - JDK-8296108: (tz) Update Timezone Data to 2022f
  - JDK-8296239: ISO 4217 Amendment 174 Update
  - JDK-8296555: Enable hotspot/tier1 for 64-bit builds in GHA for 8u
  - JDK-8296715: CLDR v42 update for tzdata 2022f
  - JDK-8296959: Fix hotspot shell tests of 8u on multilib systems
  - JDK-8297141: Fix hotspot/test/runtime/SharedArchiveFile/ for 8u
  - JDK-8297804: (tz) Update Timezone Data to 2022g
  - JDK-8299439: java/text/Format/NumberFormat/ fails for hr_HR
  - JDK-8299483: ProblemList java/text/Format/NumberFormat/
  - JDK-8300178: JDK-8286496 causes build failure on older GCC
  - JDK-8300225: JDK-8288516 causes build failure on Windows + VS2010

Notes on individual issues:


JDK-8295687: Better BMP bounds
Loading a linked ICC profile within a BMP image is now disabled by
default. To re-enable it, set the new system property
`sun.imageio.bmp.enabledLinkedProfiles` to `true`.  This new property
replaces the old property,


JDK-8293742: Better Banking of Sounds
Previously, the SoundbankReader implementation,
``, would download a JAR
soundbank from a URL.  This behaviour is now disabled by default. To
re-enable it, set the new system property `jdk.sound.jarsoundbank` to


JDK-8274840: Release Now Recognises Windows 11
This release now correctly sets the `` property to `Windows
11`, as would be expected.


JDK-8285021: Improve CORBA communication
The JDK's CORBA implementation now refuses by default to deserialize
objects, unless they have the "IOR:" prefix.  The previous behaviour
can be re-enabled by setting the new property
`com.sun.CORBA.ORBAllowDeserializeObject` to `true`.


JDK-8269039: Disabled SHA-1 Signed JARs
JARs signed with SHA-1 algorithms are now restricted by default and
treated as if they were unsigned. This applies to the algorithms used
to digest, sign, and optionally timestamp the JAR. It also applies to
the signature and digest algorithms of the certificates in the
certificate chain of the code signer and the Timestamp Authority, and
any CRLs or OCSP responses that are used to verify if those
certificates have been revoked. These restrictions also apply to
signed JCE providers.

To reduce the compatibility risk for JARs that have been previously
timestamped, there is one exception to this policy:

- Any JAR signed with SHA-1 algorithms and timestamped prior to
  January 01, 2019 will not be restricted.

This exception may be removed in a future JDK release. To determine if
your signed JARs are affected by this change, run:

$ jarsigner -verify -verbose -certs`

on the signed JAR, and look for instances of "SHA1" or "SHA-1" and
"disabled" and a warning that the JAR will be treated as unsigned in
the output.

For example:

   Signed by "CN="Signer""
   Digest algorithm: SHA-1 (disabled)
   Signature algorithm: SHA1withRSA (disabled), 2048-bit key

   WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

   jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01

JARs affected by these new restrictions should be replaced or
re-signed with stronger algorithms.

Users can, *at their own risk*, remove these restrictions by modifying
the `` configuration file (or override it by using the
`` system property) and removing "SHA1 usage
SignedJAR & denyAfter 2019-01-01" from the
`jdk.certpath.disabledAlgorithms` security property and "SHA1
denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security

Andrew :)
Pronouns: he / him or they / them
Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <>

More information about the jdk8u-dev mailing list