OpenJDK 8u412 Released

Andrew Hughes gnu.andrew at redhat.com
Thu Apr 18 00:53:47 UTC 2024 

We are pleased to announce the release of OpenJDK 8u412.

The source tarball is available from:

* https://openjdk-sources.osci.io/openjdk8/openjdk8u412-b08.tar.xz

The tarball is accompanied by a digital signature available at:

* https://openjdk-sources.osci.io/openjdk8/openjdk8u412-b08.tar.xz.sig

This is signed by our Red Hat OpenJDK key (openjdk at redhat.com):

PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net)
Fingerprint = CA5F 11C6 CE22 644D 42C6  AC44 92EF 8D39 DC13 168F

SHA256 checksums:

530f41efa5ad4a5b76aa6160d55c32c45b3dd0bb3103988da32bb5d6c7ffc073  openjdk8u412-b08.tar.xz
3c5feba06fe0949534d4db9dfff113fae9e17ddb755f94b3bfd816779e6eb7e5  openjdk8u412-b08.tar.xz.sig

SHA512 checksums:

1f88b24393abb022a1f6eb9c70594df444797428248bd124715d7eae777e8a360ac2c8dbc3402decd98d138d089617c151d01a0c29c625d76ba6c3e5db02e6ef  openjdk8u412-b08.tar.xz
cf0ee203824cee10d63b288be291506dbbbf37275bca0f835cfc78a3d8643c78fa3893435499ac28e6470a85128b347a5ca12f579f5b4beffe6adf02520a2b64  openjdk8u412-b08.tar.xz.sig

The checksums can be downloaded from:

* https://openjdk-sources.osci.io/openjdk8/openjdk8u412-b08.sha256
* https://openjdk-sources.osci.io/openjdk8/openjdk8u412-b08.sha512

New in release OpenJDK 8u412 (2024-04-16):
===========================================
Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u412

* CVEs
  - CVE-2024-21011
  - CVE-2024-21085
  - CVE-2024-21068
  - CVE-2024-21094
* Security fixes
  - JDK-8317507, JDK-8325348: C2 compilation fails with "Exceeded _node_regs array"
  - JDK-8318340: Improve RSA key implementations
  - JDK-8319851: Improve exception logging
  - JDK-8322114: Improve Pack 200 handling
  - JDK-8322122: Enhance generation of addresses
* Other changes
  - JDK-8011180: Delete obsolete scripts
  - JDK-8016451: Scary messages emitted by build.tools.generatenimbus.PainterGenerator during build
  - JDK-8021961: setAlwaysOnTop doesn't behave correctly in Linux/Solaris under certain scenarios
  - JDK-8023735: [TESTBUG][macosx] runtime/XCheckJniJsig/XCheckJSig.java fails on MacOS X
  - JDK-8074860: Structured Exception Catcher missing around CreateJavaVM on Windows
  - JDK-8079441: Intermittent failures on Windows with "Unexpected exit from test [exit code: 1080890248]" (0x406d1388)
  - JDK-8155590: Dubious collection management in sun.net.www.http.KeepAliveCache
  - JDK-8168518: rcache interop with krb5-1.15
  - JDK-8183503: Update hotspot tests to allow for unique test classes directory
  - JDK-8186095: upgrade to jtreg 4.2 b08
  - JDK-8186199: [windows] JNI_DestroyJavaVM not covered by SEH
  - JDK-8192931: Regression test java/awt/font/TextLayout/CombiningPerf.java fails
  - JDK-8208655: use JTreg skipped status in hotspot tests
  - JDK-8208701: Fix for JDK-8208655 causes test failures in CI tier1
  - JDK-8208706: compiler/tiered/ConstantGettersTransitionsTest.java fails to compile
  - JDK-8213410: UseCompressedOops requirement check fails fails on 32-bit system
  - JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"
  - JDK-8224768: Test ActalisCA.java fails
  - JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits
  - JDK-8251551: Use .md filename extension for README
  - JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired
  - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java  OCSP response error
  - JDK-8270517: Add Zero support for LoongArch
  - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
  - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
  - JDK-8288132: Update test artifacts in QuoVadis CA interop tests
  - JDK-8297955: LDAP CertStore should use LdapName and not String for DNs
  - JDK-8301310: The SendRawSysexMessage test may cause a JVM crash
  - JDK-8308592: Framework for CA interoperability testing
  - JDK-8312126: NullPointerException in CertStore.getCRLs after 8297955
  - JDK-8315042: NPE in PKCS7.parseOldSignedData
  - JDK-8315757: [8u] Add cacerts JTREG tests to GHA tier1 test set
  - JDK-8320713: Bump update version of OpenJDK: 8u412
  - JDK-8321060: [8u] hotspot needs to recognise VS2022
  - JDK-8321408: Add Certainly roots R1 and E1
  - JDK-8322725: (tz) Update Timezone Data to 2023d
  - JDK-8322750: Test "api/java_awt/interactive/SystemTrayTests.html" failed because A blue ball icon is added outside of the system tray
  - JDK-8323202: [8u] Remove get_source.sh and hgforest.sh
  - JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed
  - JDK-8324184: Windows VS2010 build failed with "error C2275: 'int64_t'"
  - JDK-8324530: Build error with gcc 10
  - JDK-8325150: (tz) Update Timezone Data to 2024a

Notes on individual issues:
===========================

security-libs/org.ietf.jgss:krb5:

JDK-8168518: rcache interop with krb5-1.15
==========================================
The hash algorithm used in the Kerberos 5 replay cache file (rcache)
has been changed from MD5 to SHA256. This is the same algorithm used
by MIT krb5-1.15 and is interoperable with earlier releases of MIT
krb5.

The MD5 algorithm can still be used by setting the new
jdk.krb5.rcache.useMD5 property to 'true':

java -Djdk.krb5.rcache.useMD5=true ...

This is useful where either the system has a coarse clock and has to
depend on hash values in replay attack detection, or interoperability
with the rcache files in older versions of OpenJDK is required.

client-libs/java.awt:

JDK-8322750: AWT SystemTray API Is Not Supported on Most Linux Desktops
=======================================================================
The java.awt.SystemTray API is used to interact with the system's
desktop taskbar to provide notifications and may include an icon
representing an application. The GNOME desktop's support for taskbar
icons has not worked properly for several years, due to a platform
bug. This bug, in turn, affects the JDK's SystemTray support on GNOME
desktops.

Therefore, in accordance with the SystemTray API specification,
java.awt.SystemTray.isSupported() will now return false on systems
that exhibit this bug, which is assumed to be those running a version
of GNOME Shell below 45.

The impact of this change is likely to be minimal, as users of the
SystemTray API should already be able to handle isSupported()
returning false and the system tray on such platforms has already been
unsupported for a number of years for all applications.

security-libs/java.security:

JDK-8321408: Added Certainly R1 and E1 Root Certificates
========================================================
The following root certificate has been added to the cacerts
truststore:

Name: Certainly
Alias Name: certainlyrootr1
Distinguished Name: CN=Certainly Root R1, O=Certainly, C=US

Name: Certainly
Alias Name: certainlyroote1
Distinguished Name: CN=Certainly Root E1, O=Certainly, C=US

Happy hacking,
-- 
Andrew :)
Pronouns: he / him or they / them
Principal Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

Please contact via e-mail, not proprietary chat networks
Available on Libera Chat & OFTC IRC networks as gnu_andrew
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/jdk8u-dev/attachments/20240418/83fcdf7b/signature-0001.asc>

More information about the jdk8u-dev mailing list