OpenJDK 8u402 Released

Andrew Hughes gnu.andrew at redhat.com
Fri Jan 19 00:56:26 UTC 2024


We are pleased to announce the release of OpenJDK 8u402.

The source tarball is available from:

* https://openjdk-sources.osci.io/openjdk8/openjdk8u402-b06.tar.xz

The tarball is accompanied by a digital signature available at:

* https://openjdk-sources.osci.io/openjdk8/openjdk8u402-b06.tar.xz.sig

This is signed by our Red Hat OpenJDK key (openjdk at redhat.com):

PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net)
Fingerprint = CA5F 11C6 CE22 644D 42C6  AC44 92EF 8D39 DC13 168F

SHA256 checksums:

2a0b36d73ce9d70552ddaac5a7d162a505fb3ed965083be2dfeb17d837374ec5  openjdk8u402-b06.tar.xz
f37de1a002a4fcc347fb674464728bac59a26b7a0b4fdc8389c7016e90cee272  openjdk8u402-b06.tar.xz.sig

The checksums can be downloaded from:

* https://openjdk-sources.osci.io/openjdk8/openjdk8u402-b06.sha256

New in release OpenJDK 8u402 (2024-01-16):
===========================================
Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u402

* CVEs
  - CVE-2024-20918
  - CVE-2024-20919
  - CVE-2024-20921
  - CVE-2024-20926
  - CVE-2024-20945
  - CVE-2024-20952
* Security fixes
  - JDK-8308204: Enhanced certificate processing
  - JDK-8314284: Enhance Nashorn performance
  - JDK-8314295: Enhance verification of verifier
  - JDK-8314307: Improve loop handling
  - JDK-8314468: Improve Compiler loops
  - JDK-8316976: Improve signature handling
  - JDK-8317547: Enhance TLS connection support
* Other changes
  - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion
  - JDK-8029995: accept yes/no for boolean krb5.conf settings
  - JDK-8159156: [TESTBUG] ReserveMemory test is not useful on Aix.
  - JDK-8176509: Use pandoc for converting build readme to html
  - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value
  - JDK-8207404: MulticastSocket tests failing on AIX
  - JDK-8212677: X11 default visual support for IM status window on VNC
  - JDK-8239365: ProcessBuilder test modifications for AIX execution
  - JDK-8271838: AmazonCA.java interop test fails
  - JDK-8285398: Cache the results of constraint checks
  - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg'  is null
  - JDK-8302017: Allocate BadPaddingException only if it will be thrown
  - JDK-8305329: [8u] Unify test libraries into single test library - step 1
  - JDK-8307837: [8u] Check step in GHA should also print errors
  - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails
  - JDK-8311813: C1: Uninitialized PhiResolver::_loop field
  - JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
  - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException
  - JDK-8315280: Bump update version of OpenJDK: 8u402
  - JDK-8315506: C99 compatibility issue in LinuxNativeDispatcher
  - JDK-8317291: Missing null check for nmethod::is_native_method()
  - JDK-8317373: Add Telia Root CA v2
  - JDK-8317374: Add Let's Encrypt ISRG Root X2
  - JDK-8318759: Add four DigiCert root certificates
  - JDK-8319187: Add three eMudhra emSign roots
  - JDK-8319405: [s390] [jdk8] Increase javac default stack size for s390x zero
  - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly

Notes on individual issues:
===========================

security-libs/org.ietf.jgss:krb5:

JDK-8029995: accept yes/no for boolean krb5.conf settings
=========================================================
The krb5.conf configuration file now also accepts "yes" and "no", as
alternatives to the existing "true" and "false" support, when using
settings that take boolean values.

security-libs/java.security:

JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
===============================================================================================================================
A maximum signature file size property, jdk.jar.maxSignatureFileSize,
was introduced in the 8u382 release of OpenJDK by JDK-8300596, with a
default of 8MB. This default proved to be too small for some JAR
files. This release, 8u402, increases it to 16MB.

JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt
=================================================================
The following root certificate has been added to the cacerts
truststore:

Name: Let's Encrypt
Alias Name: letsencryptisrgx2
Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US

JDK-8318759: Added Four Root Certificates from DigiCert, Inc.
=============================================================
The following root certificates have been added to the cacerts
truststore:

Name: DigiCert, Inc.
Alias Name: digicertcseccrootg5
Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US

Name: DigiCert, Inc.
Alias Name: digicertcsrsarootg5
Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US

Name: DigiCert, Inc.
Alias Name: digicerttlseccrootg5
Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US

Name: DigiCert, Inc.
Alias Name: digicerttlsrsarootg5
Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US

JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited
============================================================================
The following root certificates have been added to the cacerts
truststore:

Name: eMudhra Technologies Limited
Alias Name: emsignrootcag1
Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

Name: eMudhra Technologies Limited
Alias Name: emsigneccrootcag3
Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

Name: eMudhra Technologies Limited
Alias Name: emsignrootcag2
Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

JDK-8317373: Added Telia Root CA v2 Certificate
===============================================
The following root certificate has been added to the cacerts
truststore:

Name: Telia Root CA v2
Alias Name: teliarootcav2
Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI

Thanks,
-- 
Andrew :)
Pronouns: he / him or they / them
Principal Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

Please contact via e-mail, not proprietary chat networks
Available on Libera Chat & OFTC IRC networks as gnu_andrew
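
One way to check a downloaded tarball against the SHA256 checksum and the key fingerprint published in this announcement, as an added example that is not part of the original message. It assumes the Red Hat OpenJDK public key is already in the local GnuPG keyring and that both files have been downloaded; the function names are illustrative.

```shell
#!/bin/sh
# Added example. Values below are copied from the announcement text.
EXPECTED_SHA256=2a0b36d73ce9d70552ddaac5a7d162a505fb3ed965083be2dfeb17d837374ec5
# Published fingerprint with the spaces removed.
PINNED_FPR=CA5F11C6CE22644D42C6AC4492EF8D39DC13168F

# sha256_matches FILE HEX: succeed only if FILE's SHA256 digest equals HEX.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# status_has_pinned_validsig FPR: read `gpg --status-fd` output on stdin and
# succeed only if a VALIDSIG line names FPR, either as the signing key
# (first argument) or as the primary key (last argument, set when a subkey
# made the signature). Expired or revoked signing keys are rejected.
status_has_pinned_validsig() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "EXPKEYSIG" || $2 == "REVKEYSIG")        { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_release TARBALL SIG: checksum first, then the detached signature.
# A "Good signature" message alone is not enough: any key in the keyring
# can produce one, so the fingerprint is compared with the published value.
verify_release() {
    sha256_matches "$1" "$EXPECTED_SHA256" || {
        echo "SHA256 mismatch for $1" >&2
        return 1
    }
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | status_has_pinned_validsig "$PINNED_FPR" || {
        echo "no valid signature from key $PINNED_FPR" >&2
        return 1
    }
    echo "OK: $1 matches the published checksum and signing key"
}

# Usage: sh verify.sh openjdk8u402-b06.tar.xz openjdk8u402-b06.tar.xz.sig
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```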