Key:

JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY

New in release OpenJDK 8u252 (2020-04-14):
===========================================
Live versions of these release notes can be found at:
  * https://bitly.com/oj8u252
  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u252.txt

* Security fixes
  - JDK-8223898, CVE-2020-2754: Forward references to Nashorn
  - JDK-8223904, CVE-2020-2755: Improve Nashorn matching
  - JDK-8224541, CVE-2020-2756: Better mapping of serial ENUMs
  - JDK-8224549, CVE-2020-2757: Less Blocking Array Queues
  - JDK-8225603: Enhancement for big integers
  - JDK-8227542: Manifest improved jar headers
  - JDK-8231415, CVE-2020-2773: Better signatures in XML
  - JDK-8233250: Better X11 rendering
  - JDK-8233410: Better Build Scripting
  - JDK-8234027: Better JCEKS key support
  - JDK-8234408, CVE-2020-2781: Improve TLS session handling
  - JDK-8234825, CVE-2020-2800: Better Headings for HTTP Servers
  - JDK-8234841, CVE-2020-2803: Enhance buffering of byte buffers
  - JDK-8235274, CVE-2020-2805: Enhance typing of methods
  - JDK-8236201, CVE-2020-2830: Better Scanner conversions
  - JDK-8238960: linux-i586 builds are inconsistent as the newly build jdk is not able to reserve enough space for object heap
* Other changes
  - JDK-8005819: Support cross-realm MSSFU
  - JDK-8022263: use same Clang warnings on BSD as on Linux
  - JDK-8038631: Create wrapper for awt.Robot with additional functionality
  - JDK-8047212: runtime/ParallelClassLoading/bootstrap/random/inner-complex assert(ObjectSynchronizer::verify_objmon_isinpool(inf)) failed: monitor is invalid
  - JDK-8055283: Expand ResourceHashtable with C_HEAP allocation, removal and some unit tests
  - JDK-8068184: Fix for JDK-8032832 caused a deadlock
  - JDK-8079693: Add support for ECDSA P-384 and P-521 curves to XML Signature
  - JDK-8132130: some docs cleanup
  - JDK-8135318: CMS wrong max_eden_size for check_gc_overhead_limit
  - JDK-8144445: Maximum size checking in Marlin ArrayCache utility methods is not optimal
  - JDK-8144446: Automate the Marlin crash test
  - JDK-8144526: Remove Marlin logging use of deleted internal API
  - JDK-8144630: Use PrivilegedAction to create Thread in Marlin RendererStats
  - JDK-8144654: Improve Marlin logging
  - JDK-8144718: Pisces / Marlin Strokers may generate invalid curves with huge coordinates and round joins
  - JDK-8166976: TestCipherPBECons has wrong @run line
  - JDK-8167409: Invalid value passed to critical JNI function
  - JDK-8181872: C1: possible overflow when strength reducing integer multiply by constant
  - JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT
  - JDK-8191227: issues with unsafe handle resolution
  - JDK-8197441: Signature#initSign/initVerify for an invalid private/public key fails with ClassCastException for SunPKCS11 provider
  - JDK-8204152: SignedObject throws NullPointerException for null keys with an initialized Signature object
  - JDK-8215756: Memory leaks in the AWT on macOS
  - JDK-8216472: (se) Stack overflow during selection operation leads to crash (win)
  - JDK-8219244: NMT: Change ThreadSafepointState's allocation type from mtInternal to mtThread
  - JDK-8219597: (bf) Heap buffer state changes could provoke unexpected exceptions
  - JDK-8225128: Add exception for expiring DocuSign root to VerifyCACerts test
  - JDK-8225130: Add exception for expiring Comodo roots to VerifyCACerts test
  - JDK-8229022: BufferedReader performance can be improved by using StringBuilder
  - JDK-8229345: Memory leak due to vtable stubs not being shared on SPARC
  - JDK-8229872: (fs) Increase buffer size used with getmntent
  - JDK-8230235: Rendering HTML with empty img attribute and documentBaseKey cause Exception
  - JDK-8231430: C2: Memory stomp in max_array_length() for T_ILLEGAL type
  - JDK-8235744: PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64
  - JDK-8235904: Infinite loop when rendering huge lines
  - JDK-8236179: C1 register allocation error with T_ADDRESS
  - JDK-8237368: Problem with NullPointerException in RMI TCPEndpoint.read
  - JDK-8240521: Revert backport of 8231584: Deadlock with ClassLoader.findLibrary and System.loadLibrary call
  - JDK-8241296: Segfault in JNIHandleBlock::oops_do()
  - JDK-8241307: Marlin renderer should not be the default in 8u252

Notes on individual issues:
===========================

hotspot/svc:

JDK-8174881: Binary format for HPROF updated
============================================

When dumping the heap in binary format, HPROF format 1.0.2 is always
used now. Previously, format 1.0.1 was used for heaps smaller than
2GB. HPROF format 1.0.2 is also used by jhsdb jmap for the
serviceability agent.

security-libs/java.security:

JDK-8229518: Added Support for PKCS#1 v2.2 Algorithms Including RSASSA-PSS Signature
====================================================================================

The SunRsaSign and SunJCE providers have been enhanced with support
for more algorithms defined in PKCS#1 v2.2, such as RSASSA-PSS
signature and OAEP using FIPS 180-4 digest algorithms. New
constructors and methods have been added to relevant JCA/JCE classes
under the `java.security.spec` and `javax.crypto.spec` packages for
supporting additional RSASSA-PSS parameters.

security-libs/javax.crypto:

JDK-8205471: RSASSA-PSS Signature Support Added to SunMSCAPI
============================================================

The RSASSA-PSS signature algorithm support has been added to the SunMSCAPI provider.

security-libs/javax.security:

JDK-8227564: Allow SASL Mechanisms to Be Restricted
===================================================

A security property named `jdk.sasl.disabledMechanisms` has been added
that can be used to disable SASL mechanisms. Any disabled mechanism
will be ignored if it is specified in the `mechanisms` argument of
`Sasl.createSaslClient` or the `mechanism` argument of
`Sasl.createSaslServer`. The default value for this security property
is empty, which means that no mechanisms are disabled out-of-the-box.
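
Restricting SASL mechanisms with `jdk.sasl.disabledMechanisms` and observing which mechanism `Sasl.createSaslClient` then selects, as an added example that is not part of the original release notes. The class name `SaslRestrictDemo`, the host name, the credentials and the choice of mechanisms to disable are assumptions made for illustration.

```java
import java.security.Security;
import java.util.Collections;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;

// Hypothetical demo class; host name and credentials are constructed values.
public class SaslRestrictDemo {
    // Supplies the name and password a password-based mechanism asks for,
    // so that removing the property below lets PLAIN be created normally.
    static final CallbackHandler CREDS = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName("demo-user");
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword("demo-pass".toCharArray());
            }
        }
    };

    // Returns the mechanism the JDK selected from the offered list,
    // or "none" when createSaslClient finds no usable mechanism.
    static String negotiate(String... offered) throws Exception {
        SaslClient client = Sasl.createSaslClient(offered, null, "ldap",
                "ldap.example.test",
                Collections.<String, Object>emptyMap(), CREDS);
        return client == null ? "none" : client.getMechanismName();
    }

    public static void main(String[] args) throws Exception {
        // Set at startup, before any SASL call is made. Assumption: the
        // value may be read only once, so setting it first is the safe order.
        Security.setProperty("jdk.sasl.disabledMechanisms", "PLAIN,CRAM-MD5");

        // Only a disabled mechanism offered: nothing is selected.
        System.out.println("PLAIN only       -> " + negotiate("PLAIN"));
        // Disabled mechanism is skipped and the next offered one is used.
        System.out.println("PLAIN, EXTERNAL  -> " + negotiate("PLAIN", "EXTERNAL"));
        // Mechanisms not on the list are unaffected.
        System.out.println("EXTERNAL only    -> " + negotiate("EXTERNAL"));
    }
}
```

The same value can be set for every application on a runtime by adding `jdk.sasl.disabledMechanisms=PLAIN,CRAM-MD5` to the `java.security` properties file.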