OpenJDK 8u452 Released

Andrew Hughes gnu.andrew at redhat.com
Wed Apr 16 01:28:53 UTC 2025


We are pleased to announce the release of OpenJDK 8u452.

The source tarball is available from:

* https://openjdk-sources.osci.io/openjdk8/openjdk8u452-b09.tar.xz

The tarball is accompanied by a digital signature available at:

* https://openjdk-sources.osci.io/openjdk8/openjdk8u452-b09.tar.xz.sig

This is signed by our Red Hat OpenJDK key (openjdk at redhat.com):

PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net)
Fingerprint = CA5F 11C6 CE22 644D 42C6  AC44 92EF 8D39 DC13 168F

SHA256 checksums:

a5a4de7eb042a00b0cdec5ebe02cf7da61062c934a55af1b60435b04515d9937  openjdk8u452-b09.tar.xz
14fcb2d9c26dcd5e15afcbd6d0463f3c28191fc4a954c1c562572d7662e7cdb1  openjdk8u452-b09.tar.xz.sig

SHA512 checksums:

18e910641d298a69d874ef2f7fba75739661eb74c4ef4cbda9423732729eafde32366933eff4a0aacc5609babb07b11b0a36576036bd4ef32bd5391641e18e05  openjdk8u452-b09.tar.xz
2618d534d51cedcddc4f520fbe4d2d2f4f1cf99045805ab892b0f5e44c1bf2de0789c261686bf45fc5eacb49f843647956802330b9bb972403d54458386563fc  openjdk8u452-b09.tar.xz.sig

The checksums can be downloaded from:

* https://openjdk-sources.osci.io/openjdk8/openjdk8u452-b09.sha256
* https://openjdk-sources.osci.io/openjdk8/openjdk8u452-b09.sha512

New in release OpenJDK 8u452 (2025-04-15):
===========================================
Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u452

* CVEs
  - CVE-2025-21587
  - CVE-2025-30691
  - CVE-2025-30698
* Changes
  - JDK-8037013: [TESTBUG] Fix test/java/lang/ClassLoader/Assert.sh on AIX
  - JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ThreadMXBeanProxy.java Expected non-null LockInfo
  - JDK-8068305: [TEST_BUG] Test java/awt/Mixing/HWDisappear.java fails with GTKL&F
  - JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch
  - JDK-8227651: Tests fail with SSLProtocolException: Input record too big
  - JDK-8240235: jdk.test.lib.util.JarUtils updates jar files incorrectly
  - JDK-8244966: Add .vscode to .hgignore and .gitignore
  - JDK-8250825: C2 crashes with assert(field != __null) failed: missing field
  - JDK-8255466: C2 crashes at ciObject::get_oop() const+0x0
  - JDK-8261020: Wrong format parameter in create_emergency_chunk_path
  - JDK-8265019: Update tests for additional TestNG test permissions
  - JDK-8266881: Enable debug log for SSLEngineExplorerMatchedSNI.java
  - JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML
  - JDK-8285756: clean up use of bad arguments for `@clean` in langtools tests
  - JDK-8309841: Jarsigner should print a warning if an entry is removed
  - JDK-8316193: jdk/jfr/event/oldobject/TestListenerLeak.java java.lang.Exception: Could not find leak
  - JDK-8326110: [8u] The Marlin tests should be updated after JDK-8241307
  - JDK-8337494: Clarify JarInputStream behavior
  - JDK-8337692: Better TLS connection support
  - JDK-8338430: Improve compiler transformations
  - JDK-8339560: Unaddressed comments during code review of JDK-8337664
  - JDK-8339637: (tz) Update Timezone Data to 2024b
  - JDK-8339644: Improve parsing of Day/Month in tzdata rules
  - JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract
  - JDK-8340552: Harden TzdbZoneRulesCompiler against missing zone names
  - JDK-8340660: [8u] Test com/sun/jdi/PrivateTransportTest.sh fails on MacOS
  - JDK-8342562: Enhance Deflater operations
  - JDK-8343007: Enhance Buffered Image handling
  - JDK-8345504: Bump update version of OpenJDK: 8u452
  - JDK-8346140: [8u] tools/jar/ExtractFilesTest.java and tools/jar/MultipleManifestTest.java fails with jtreg5.1
  - JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
  - JDK-8347847: Enhance jar file support
  - JDK-8347965: (tz) Update Timezone Data to 2025a
  - JDK-8348211: [8u] sun/management/jmxremote/startstop/JMXStartStopTest.java fails after backport of JDK-8066708
  - JDK-8349166: Bad indentation in backport of JDK-8250825
  - JDK-8350816: [8u] Update TzdbZoneRulesCompiler to ignore HST/EST/MST links
  - JDK-8352097: (tz) zone.tab update missed in 2025a backport
  - JDK-8353433: XCG currency code not recognized in JDK 8u

Notes on individual issues:
===========================

security-libs/java.security:

JDK-8309841: Jarsigner should print a warning if an entry is removed
====================================================================
In previous OpenJDK releases, the jarsigner tool did not detect the
case where a file was removed from a signed JAR file but its signature
was still present. With this release, `jarsigner -verify` checks that
every signature has a matching file entry and prints a warning if this
is not the case. The `-verbose` option can also be added to the
command to see the names of the mismatched entries.
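
The condition this warning covers can also be looked for directly in a JAR. The following is an added example, not jarsigner's own code and not part of the original announcement: it lists entries named in a signature file (`META-INF/*.SF`) that no longer exist in the archive. The sample JAR, its entry names and `SIGNER.SF` are constructed, and the digests are placeholders rather than a valid signature.

```python
import io
import zipfile

def section_names(text):
    """Return the Name: values of a manifest-style file, joining wrapped lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # a leading space marks a continuation line
        else:
            logical.append(raw)
    return {l[len("Name: "):] for l in logical if l.startswith("Name: ")}

def orphaned_signature_entries(jar_bytes):
    """Map each .SF file to the entry names it lists that are missing from the JAR."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        present = set(jar.namelist())
        for name in sorted(present):
            upper = name.upper()
            if (upper.startswith("META-INF/") and upper.endswith(".SF")
                    and upper.count("/") == 1):
                listed = section_names(jar.read(name).decode("utf-8"))
                missing = sorted(listed - present)
                if missing:
                    report[name] = missing
    return report

def build_sample_jar(include_b=True):
    """Constructed sample JAR; B.class can be left out to mimic a removed entry."""
    sections = "".join(
        "Name: %s\r\nSHA-256-Digest: PLACEHOLDER\r\n\r\n" % n
        for n in ("com/example/A.class", "com/example/B.class"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n" + sections)
        jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n\r\n" + sections)
        jar.writestr("com/example/A.class", b"\xca\xfe\xba\xbe")
        if include_b:
            jar.writestr("com/example/B.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    print(orphaned_signature_entries(build_sample_jar(include_b=False)))
```

This only compares names; it does not verify digests or the signature block, which remains the job of `jarsigner -verify`.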

security-libs/javax.net.ssl:

JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
=============================================================================
In accordance with similar plans recently announced by Google,
Mozilla, Apple and Microsoft, the JDK will not trust Transport Layer
Security (TLS) certificates issued after the 15th of April 2025 which
are anchored by Camerfirma root certificates.

Certificates issued on or before April 15th, 2025 will continue to
be trusted until they expire.

If a server's certificate chain is anchored by an affected
certificate, attempts to negotiate a TLS session will fail with an
Exception that indicates the trust anchor is not trusted. For example,

"TLS server certificate issued after 2025-04-15 and anchored by a
distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root -
2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see
current address at www.camerfirma.com/address), C=EU"

To check whether a certificate in a JDK keystore is affected by this
change, you can use the `keytool` utility:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are affected by this change,
then you will need to update the certificate or contact the
organisation responsible for managing the certificate.

These restrictions apply to the following Camerfirma root certificates
included in the JDK:

Alias name: camerfirmachamberscommerceca [jdk]
CN=Chambers of Commerce Root
OU=http://www.chambersign.org
O=AC Camerfirma SA CIF A82743287
C=EU
SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3

Alias name: camerfirmachambersca [jdk]
CN=Chambers of Commerce Root - 2008
O=AC Camerfirma S.A.
SERIALNUMBER=A82743287
L=Madrid (see current address at www.camerfirma.com/address)
C=EU
SHA256: 06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0

Alias name: camerfirmachambersignca [jdk]
CN=Global Chambersign Root - 2008
O=AC Camerfirma S.A.
SERIALNUMBER=A82743287
L=Madrid (see current address at www.camerfirma.com/address)
C=EU
SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA
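
To check many keystore entries at once, the `keytool -v -list` output can be scanned for the three SHA256 fingerprints above. This is an added example, not part of the original announcement or of the JDK: it assumes the stored chain includes the root certificate, that the first certificate of each entry is the server certificate, and that `Valid from:` uses the `Thu May 01 10:00:00 UTC 2025` layout; it compares the printed calendar date and ignores the time zone. The alias `myserver` and the sample output are constructed.

```python
import re
from datetime import date

# SHA256 fingerprints of the three affected roots, copied from the list above.
CAMERFIRMA_ROOTS = {
    "0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3": "camerfirmachamberscommerceca",
    "06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0": "camerfirmachambersca",
    "13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA": "camerfirmachambersignca",
}
CUTOFF = date(2025, 4, 15)  # issued after this date => distrusted
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def valid_from(line):
    """Calendar date from 'Valid from: Thu May 01 10:00:00 UTC 2025 until: ...'."""
    _dow, mon, day, _time, _tz, year = line.split("until:")[0].split()[2:8]
    return date(int(year), MONTHS.index(mon) + 1, int(day))

def camerfirma_anchored(keytool_output):
    """Return {alias: (root alias, leaf issue date, distrusted?)} for matching chains."""
    results, alias, leaf_date, cert_no = {}, None, None, 0
    for line in keytool_output.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias, leaf_date, cert_no = line.split(":", 1)[1].strip(), None, 0
        elif re.match(r"Certificate\[\d+\]:", line):
            cert_no += 1
        elif line.startswith("Valid from:") and cert_no <= 1 and leaf_date is None:
            leaf_date = valid_from(line)  # first certificate of the entry is the leaf
        elif line.startswith("SHA256:"):
            root = CAMERFIRMA_ROOTS.get(line.split(":", 1)[1].strip().upper())
            if root and alias:
                results[alias] = (root, leaf_date, bool(leaf_date and leaf_date > CUTOFF))
    return results

def sample_output(leaf_valid_from):
    """Constructed, abridged `keytool -v -list` output for one two-certificate chain."""
    root_fp = next(fp for fp, a in CAMERFIRMA_ROOTS.items() if a == "camerfirmachambersca")
    return "\n".join([
        "Alias name: myserver",
        "Certificate[1]:",
        "Valid from: %s until: Fri May 01 10:00:00 UTC 2026" % leaf_valid_from,
        "\t SHA256: (constructed placeholder)",
        "Certificate[2]:",
        "Valid from: Fri Aug 01 12:29:50 UTC 2008 until: Sat Jul 31 12:29:50 UTC 2038",
        "\t SHA256: " + root_fp,
    ])

if __name__ == "__main__":
    print(camerfirma_anchored(sample_output("Thu May 01 10:00:00 UTC 2025")))
```

An entry reported with `True` in the last field is one the JDK will refuse; an entry reported with `False` stays trusted until its certificate expires.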

Users can, *at their own risk*, remove this restriction by modifying
the `java.security` configuration file (or override it by using the
`java.security.properties` system property) so "CAMERFIRMA_TLS" is no
longer listed in the `jdk.security.caDistrustPolicies` security
property.

core-libs/java.time:

JDK-8339637: (tz) Update Timezone Data to 2024b
===============================================
This OpenJDK release upgrades the in-tree copy of the IANA timezone
database to 2024b.  This timezone update is primarily concerned with
improving historical data for Mexico, Mongolia and Portugal. It also
makes Asia/Choibalsan an alias for Asia/Ulaanbaatar and makes the MET
timezone the same as CET.

The 2024b update also makes a number of legacy timezone IDs equal to
geographical names rather than fixed offsets, as follows:

* EST => America/Panama instead of -5:00
* MST => America/Phoenix instead of -7:00
* HST => Pacific/Honolulu instead of -10:00

For long term support releases of OpenJDK, this change is overridden
locally to retain the existing fixed offset mapping.

Happy hacking,
-- 
Andrew :)
Pronouns: he / him or they / them
Principal Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

Please contact via e-mail, not proprietary chat networks
Available on Libera Chat & OFTC IRC networks as gnu_andrew