OpenJDK 8u462 Released

Andrew Hughes gnu.andrew at redhat.com
Wed Jul 16 17:00:06 UTC 2025 

We are pleased to announce the release of OpenJDK 8u462.

The source tarball is available from:

* https://openjdk-sources.osci.io/openjdk8/openjdk8u462-b08.tar.xz

The tarball is accompanied by a digital signature available at:

* https://openjdk-sources.osci.io/openjdk8/openjdk8u462-b08.tar.xz.sig

This is signed by our Red Hat OpenJDK key (openjdk at redhat.com):

PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net)
Fingerprint = CA5F 11C6 CE22 644D 42C6  AC44 92EF 8D39 DC13 168F

SHA256 checksums:

a521738deb7676ce65af6577f8fc95bf5228ce18fdbccd232197c8d1f3ef50ad  openjdk8u462-b08.tar.xz
d45bd1aecad66aaa2396e5735f8a090c00e2e297b4c0546644c2b5e6f1a886c4  openjdk8u462-b08.tar.xz.sig

SHA512 checksums:

271914783adb59ae17c67d648fb497c0ada613787f2f059b4fa68f27a5a24134f3d0a98f117ebc4d1b052ab65fe6d950ea049ef4042fef9bd001e044bdc5e92b  openjdk8u462-b08.tar.xz
b56bbad4d5f8a031fcbafdf7a7860ea11a08b9e7d75321e7e49c1a9c85b9b8ba3493d97ff09a1fefdf394a2c1c3eb5567a7ae922b26fad2f24d00b7fe2ea51ef  openjdk8u462-b08.tar.xz.sig

The checksums can be downloaded from:

* https://openjdk-sources.osci.io/openjdk8/openjdk8u462-b08.sha256
* https://openjdk-sources.osci.io/openjdk8/openjdk8u462-b08.sha512

New in release OpenJDK 8u462 (2025-07-15):
===========================================
Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u462

* CVEs
  - CVE-2025-30749
  - CVE-2025-30754
  - CVE-2025-30761
  - CVE-2025-50106
* Changes
  - JDK-8026976: ECParameters, Point does not match field size
  - JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed
  - JDK-8046883: com/sun/jdi/ProcessAttachTest.sh gets "java.io.IOException: Invalid process identifier" on windows
  - JDK-8071996: split_if accesses NULL region of ConstraintCast
  - JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java
  - JDK-8186143: keytool -ext option doesn't accept wildcards for DNS subject alternative names
  - JDK-8186787: clang-4.0 SIGSEGV in Unsafe_PutByte
  - JDK-8248001: javadoc generates invalid HTML pages whose ftp:// links are broken
  - JDK-8274597: Some of the dnd tests time out and fail intermittently
  - JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test
  - JDK-8278472: Invalid value set to CANDIDATEFORM structure
  - JDK-8293107: GHA: Bump to Ubuntu 22.04
  - JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts
  - JDK-8303770: Remove Baltimore root certificate expiring in May 2025
  - JDK-8341946: [8u] sun/security/pkcs11/ec/ tests fail on RHEL9
  - JDK-8345133: Test sun/security/tools/jarsigner/TsacertOptionTest.java failed: Warning found in stdout
  - JDK-8345625: Better HTTP connections
  - JDK-8346887: DrawFocusRect() may cause an assertion failure
  - JDK-8348989: Better Glyph drawing
  - JDK-8349111: Enhance Swing supports
  - JDK-8349594: Enhance TLS protocol support
  - JDK-8350498: Remove two Camerfirma root CA certificates
  - JDK-8351098: Bump update version of OpenJDK: 8u462
  - JDK-8351422: Improve scripting supports
  - JDK-8351439: [8u] test/java/util/TimeZone/tools/share/Makefile use wrong path to tzdb
  - JDK-8352716: (tz) Update Timezone Data to 2025b
  - JDK-8356096: ISO 4217 Amendment 179 Update
  - JDK-8359170: Add 2 TLS and 2 CS Sectigo roots
  - JDK-8360147: Better Glyph drawing redux

Notes on individual issues:
===========================

security-libs/java.security:

JDK-8303770: Remove Baltimore root certificate expiring in May 2025
===================================================================
The following root certificate from Baltimore has been removed from
the `cacerts` keystore:

Alias Name: baltimorecybertrustca [jdk]
Distinguished Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE

JDK-8350498: Remove two Camerfirma root CA certificates
=======================================================
The following expired root certificates from Camerfirma have been
removed from the `cacerts` keystore:

Alias name: camerfirmachamberscommerceca [jdk]
CN=Chambers of Commerce Root
OU=http://www.chambersign.org
O=AC Camerfirma SA CIF A82743287
C=EU
SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3

Alias name: camerfirmachambersignca [jdk]
CN=Global Chambersign Root - 2008
O=AC Camerfirma S.A.
SERIALNUMBER=A82743287
L=Madrid (see current address at www.camerfirma.com/address)
C=EU
SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA

JDK-8359170: Add 2 TLS and 2 CS Sectigo roots
=============================================
The following root certificates have been added to the cacerts
truststore:

Name: Sectigo Limited
Alias Name: sectigocodesignroote46
Distinguished Name: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB

Name: Sectigo Limited
Alias Name: sectigocodesignrootr46
Distinguished Name: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB

Name: Sectigo Limited
Alias Name: sectigotlsroote46
Distinguished Name: Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB

Name: Sectigo Limited
Alias Name: sectigotlsrootr46
Distinguished Name: Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB

Happy hacking,
-- 
Andrew :)
Pronouns: he / him or they / them
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

Please contact via e-mail, not proprietary chat networks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/jdk8u-dev/attachments/20250716/b01905ac/signature.asc>

More information about the jdk8u-dev mailing list