Key:

JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X

CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY

New in release OpenJDK 8u272 (2020-10-20):

===========================================

Live versions of these release notes can be found at:

  * https://bitly.com/openjdk8u272

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u272.txt

* New features

  - JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7

* Security fixes

  - JDK-8233624: Enhance JNI linkage

  - JDK-8236196: Improve string pooling

  - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class

  - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts

  - JDK-8237995, CVE-2020-14782: Enhance certificate processing

  - JDK-8240124: Better VM Interning

  - JDK-8241114, CVE-2020-14792: Better range handling

  - JDK-8242680, CVE-2020-14796: Improved URI Support

  - JDK-8242685, CVE-2020-14797: Better Path Validation

  - JDK-8242695, CVE-2020-14798: Enhanced buffer support

  - JDK-8243302: Advanced class supports

  - JDK-8244136, CVE-2020-14803: Improved Buffer supports

  - JDK-8244479: Further constrain certificates

  - JDK-8244955: Additional Fix for JDK-8240124

  - JDK-8245407: Enhance zoning of times

  - JDK-8245412: Better class definitions

  - JDK-8245417: Improve certificate chain handling

  - JDK-8248574: Improve jpeg processing

  - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit

  - JDK-8253019: Enhanced JPEG decoding

* Other changes

  - JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes

  - JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY test/compiler/7177917/Test7177917.java

  - JDK-8023697: failed class resolution reports different class name in detail message for the first and subsequent times

  - JDK-8025886: replace [[ and == bash extensions in regtest

  - JDK-8026236: Add PrimeTest for BigInteger

  - JDK-8031625: javadoc problems referencing inner class constructors

  - JDK-8035493: JVMTI PopFrame capability must instruct compilers not to prune locals

  - JDK-8036088: Replace strtok() with its safe equivalent strtok_s() in DefaultProxySelector.c

  - JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails

  - JDK-8046274: Removing dependency on jakarta-regexp

  - JDK-8048933: -XX:+TraceExceptions output should include the message

  - JDK-8057003: Large reference arrays cause extremely long synchronization times

  - JDK-8060721: Test runtime/SharedArchiveFile/LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler

  - JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws IllegalArgumentException for flags of type double

  - JDK-8062947: Fix exception message to correctly represent LDAP connection failure

  - JDK-8064319: Need to enable -XX:+TraceExceptions in release builds

  - JDK-8075774: Small readability and performance improvements for zipfs

  - JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/fileaccess/FontFile.java fails

  - JDK-8078334: Mark regression tests using randomness

  - JDK-8078880: Mark a few more intermittently failuring security-libs

  - JDK-8080462: Update SunPKCS11 provider with PKCS11 v2.40 support

  - JDK-8132206: move ScanTest.java into OpenJDK

  - JDK-8132376: Add @requires os.family to the client tests with access to internal OS-specific API

  - JDK-8132745: minor cleanup of java/util/Scanner/ScanTest.java

  - JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/appletviewer/IOExceptionIfEncodedURLTest/IOExceptionIfEncodedURLTest.sh

  - JDK-8144539: Update PKCS11 tests to run with security manager

  - JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/MTGraphicsAccessTest.java hangs on Win. 8

  - JDK-8148754: C2 loop unrolling fails due to unexpected graph shape

  - JDK-8148854: Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent

  - JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect

  - JDK-8151788: NullPointerException from ntlm.Client.type3

  - JDK-8151834: Test SmallPrimeExponentP.java times out intermittently

  - JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings

  - JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout

  - JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary public

  - JDK-8154313: Generated javadoc scattered all over the place

  - JDK-8156169: Some sound tests rarely hangs because of incorrect synchronization

  - JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider

  - JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions() not working

  - JDK-8163251: Hard coded loop limit prevents reading of smart card data greater than 8k

  - JDK-8165936: Potential Heap buffer overflow when seaching timezone info files

  - JDK-8165996: PKCS11 using NSS throws an error regarding secmod.db when NSS uses sqlite

  - JDK-8166148: Fix for JDK-8165936 broke solaris builds

  - JDK-8167300: Scheduling failures during gcm should be fatal

  - JDK-8167615: Opensource unit/regression tests for JavaSound

  - JDK-8168517: java/lang/ProcessBuilder/Basic.java failed

  - JDK-8169925: PKCS #11 Cryptographic Token Interface license

  - JDK-8172012: [TEST_BUG] delays needed in javax/swing/JTree/4633594/bug4633594.java

  - JDK-8173300: [TESTBUG]compiler/tiered/NonTieredLevelsTest.java fails with compiler.whitebox.SimpleTestCaseHelper(int) must be compiled

  - JDK-8177334: Update xmldsig implementation to Apache Santuario 2.1.1

  - JDK-8177628: Opensource unit/regression tests for ImageIO

  - JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java

  - JDK-8183349: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java

  - JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/AppletContextTest/BadPluginConfigurationTest.sh

  - JDK-8184762: ZapStackSegments should use optimized memset

  - JDK-8191678: [TESTBUG] Add keyword headful in java/awt FocusTransitionTest test.

  - JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied

  - JDK-8193137: Nashorn crashes when given an empty script file

  - JDK-8193234: When using -Xcheck:jni an internally allocated buffer can leak

  - JDK-8194298: Add support for per Socket configuration of TCP keepalive

  - JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java throws error

  - JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java fails

  - JDK-8201633: Problems with AES-GCM native acceleration

  - JDK-8203357: Container Metrics

  - JDK-8209113: Use WeakReference for lastFontStrike for created Fonts

  - JDK-8210147: adjust some WSAGetLastError usages in windows network coding

  - JDK-8211049: Second parameter of "initialize" method is not used

  - JDK-8211163: UNIX version of Java_java_io_Console_echo does not return a clean boolean

  - JDK-8211714: Need to update vm_version.cpp to recognise VS2017 minor versions

  - JDK-8214862: assert(proj != __null) at compile.cpp:3251

  - JDK-8216283: Allow shorter method sampling interval than 10 ms

  - JDK-8217606: LdapContext#reconnect always opens a new connection

  - JDK-8217647: JFR: recordings on 32-bit systems unreadable

  - JDK-8217878: ENVELOPING XML signature no longer works in JDK 11

  - JDK-8218629: XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10

  - JDK-8219566: JFR did not collect call stacks when MaxJavaStackTraceDepth is set to zero

  - JDK-8219919: RuntimeStub name lost with PrintFrameConverterAssembly

  - JDK-8220165: Encryption using GCM results in RuntimeException- input length out of bound

  - JDK-8220313: [TESTBUG] Update base image for Docker testing to OL 7.6

  - JDK-8220555: JFR tool shows potentially misleading message when it cannot access a file

  - JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in docker container only works with debug JVMs

  - JDK-8221569: JFR tool produces incorrect output when both --categories and --events are specified

  - JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp

  - JDK-8224217: RecordingInfo should use textual representation of path

  - JDK-8225695: 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support)

  - JDK-8226575: OperatingSystemMXBean should be made container aware

  - JDK-8226697: Several tests which need the @key headful keyword are missing it.

  - JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous

  - JDK-8228835: Memory leak in PKCS11 provider when using AES GCM

  - JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow

  - JDK-8230303: JDB hangs when running monitor command

  - JDK-8230711: ConnectionGraph::unique_java_object(Node* N) return NULL if n is not in the CG

  - JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo

  - JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate

  - JDK-8233097: Fontmetrics for large Fonts has zero width

  - JDK-8233621: Mismatch in jsse.enableMFLNExtension property name

  - JDK-8234617: C1: Incorrect result of field load due to missing narrowing conversion

  - JDK-8235243: handle VS2017 15.9 and VS2019 in abstract_vm_version

  - JDK-8235325: build failure on Linux after 8235243

  - JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink

  - JDK-8236645: JDK 8u231 introduces a regression with incompatible handling of XML messages

  - JDK-8237951: CTW: C2 compilation fails with "malformed control flow"

  - JDK-8238225: Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary

  - JDK-8238380: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10

  - JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10

  - JDK-8238388: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10

  - JDK-8238898: Missing hash characters for header on license file

  - JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD

  - JDK-8239819: XToolkit: Misread of screen information memory

  - JDK-8240295: hs_err elapsed time in seconds is not accurate enough

  - JDK-8240676: Meet not symmetric failure when running lucene on jdk8

  - JDK-8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one

  - JDK-8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash

  - JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array

  - JDK-8243138: Enhance BaseLdapServer to support starttls extended request

  - JDK-8243320: Add SSL root certificates to Oracle Root CA program

  - JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program

  - JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions

  - JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26

  - JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor

  - JDK-8245467: Remove 8u TLSv1.2 implementation files

  - JDK-8245469: Remove DTLS protocol implementation

  - JDK-8245470: Fix JDK8 compatibility issues

  - JDK-8245471: Revert JDK-8148188

  - JDK-8245472: Backport JDK-8038893 to JDK8

  - JDK-8245473: OCSP stapling support

  - JDK-8245474: Add TLS_KRB5 cipher suites support according to RFC-2712

  - JDK-8245476: Disable TLSv1.3 protocol in the ClientHello message by default

  - JDK-8245477: Adjust TLS tests location

  - JDK-8245653: Remove 8u TLS tests

  - JDK-8245681: Add TLSv1.3 regression test from 11.0.7

  - JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ

  - JDK-8246310: Clean commented-out code about ModuleEntry andPackageEntry in JFR

  - JDK-8246384: Enable JFR by default on supported architectures for October 2020 release

  - JDK-8248643: Remove extra leading space in JDK-8240295 8u backport

  - JDK-8248851: CMS: Missing memory fences between free chunk check and klass read

  - JDK-8249158: THREAD_START and THREAD_END event posted in primordial phase

  - JDK-8249610: Make sun.security.krb5.Config.getBooleanObject(String... keys) method public

  - JDK-8249677: Regression in 8u after JDK-8237117: Better ForkJoinPool behavior

  - JDK-8250546: Expect changed behaviour reported in JDK-8249846

  - JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics

  - JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java

  - JDK-8250875: Incorrect parameter type for update_number in JDK_Version::jdk_update

  - JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher

  - JDK-8251120: [8u] HotSpot build assumes ENABLE_JFR is set to either true or false

  - JDK-8251341: Minimal Java specification change

  - JDK-8251478: Backport TLSv1.3 regression tests to JDK8u

  - JDK-8251546: 8u backport of JDK-8194298 breaks AIX and Solaris builds

  - JDK-8252084: Minimal VM fails to bootcycle: undefined symbol: AgeTableTracer::is_tenuring_distribution_event_enabled

  - JDK-8252573: 8u: Windows build failed after 8222079 backport

  - JDK-8252886: [TESTBUG] sun/security/ec/TestEC.java : Compilation failed

  - JDK-8254673: Call to JvmtiExport::post_vm_start() was removed by the fix for JDK-8249158

  - JDK-8254937: Revert JDK-8148854 for 8u272

Notes on individual issues:

===========================

core-svc/java.lang.management:

JDK-8236876: OperatingSystemMXBean Methods Inside a Container Return Container Specific Data

============================================================================================

When executing in a container, or other virtualized operating

environment, the following `OperatingSystemMXBean` methods in this

release return container specific information, if

available. Otherwise, they return host specific data:

* getFreePhysicalMemorySize()

* getTotalPhysicalMemorySize()

* getFreeSwapSpaceSize()

* getTotalSwapSpaceSize()

* getSystemCpuLoad()

security-libs/java.security:

JDK-8250756: Added Entrust Root Certification Authority - G4 certificate

========================================================================

The Entrust root certificate has been added to the cacerts truststore:

Alias Name: entrustrootcag4

Distinguished Name: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust,  Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US

JDK-8250860: Added 3 SSL Corporation Root CA Certificates

=========================================================

The following root certificates have been added to the cacerts truststore for the SSL Corporation:

Alias Name: sslrootrsaca

Distinguished Name: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US

Alias Name: sslrootevrsaca

Distinguished Name: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US

Alias Name: sslrooteccca

Distinguished Name: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US

security-libs/javax.crypto:pkcs11:

JDK-8221441: SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40

=======================================================================

The SunPKCS11 provider has been updated with support for PKCS#11

v2.40. This version adds support for more algorithms such as the

AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message

digests, and RSASSA-PSS signatures when the corresponding PKCS11

mechanisms are supported by the underlying PKCS11 library.

security-libs/javax.security:

JDK-8242059: Support for canonicalize in krb5.conf

==================================================

The 'canonicalize' flag in the [krb5.conf file][0] is now supported by

the JDK Kerberos implementation. When set to *true*, RFC 6806 [1] name

canonicalization is requested by clients in TGT requests to KDC

services (AS protocol). Otherwise, and by default, it is not

requested.

The new default behavior is different from previous releases where

name canonicalization was always requested by clients in TGT requests

to KDC services (provided that support for RFC 6806[1] was not

explicitly disabled with the *sun.security.krb5.disableReferrals*

system or security properties).

[0]: https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html

[1]: https://tools.ietf.org/html/rfc6806

security-libs/javax.xml.crypto:

JDK-8202891: Updated xmldsig Implementation to Apache Santuario 2.1.1

=====================================================================

The XMLDSig provider implementation in the `java.xml.crypto` module has been updated to version 2.1.1 of Apache Santuario.

New features include:

1. Support for the SHA-224 and SHA-3 DigestMethod algorithms specified

in RFC 6931.

2. Support for the HMAC-SHA224, RSA-SHA224, ECDSA-SHA224, and

RSASSA-PSS family of SignatureMethod algorithms specified in RFC 6931.

JDK-8238185: New OpenJDK-specific JDK 8 Updates System Property to fallback to legacy Base64 Encoding format

============================================================================================================

The upgrade to the Apache Santuario libraries (see above) introduced

an issue where XML signature using Base64 encoding resulted in

appending `&#xd` or `&#13` to the encoded output. This behavioural

change was made in the Apache Santuario codebase to comply with RFC

2045. The Santuario team has adopted a position of keeping their

libraries compliant with RFC 2045.

Earlier versions of OpenJDK 8 using the legacy encoder returns encoded

data in a format without `&#xd` or `&#13`.

Therefore a new system property, specific to the 8 update stream,

`com.sun.org.apache.xml.internal.security.lineFeedOnly` is made

available to fall back to the legacy Base64 encoded format.

Users can set this flag in one of two ways:

1. -Dcom.sun.org.apache.xml.internal.security.lineFeedOnly=true

2. System.setProperty("com.sun.org.apache.xml.internal.security.lineFeedOnly", "true")

This new system property is disabled by default. It has no effect on

default behaviour nor when

`com.sun.org.apache.xml.internal.security.ignoreLineBreaks` property

is set.

Later JDK family versions will only support the recommended property:

`com.sun.org.apache.xml.internal.security.ignoreLineBreaks`

JDK-8254177: US/Pacific-New Zone name removed as part of tzdata2020b

====================================================================

Following JDK's update to tzdata2020b, the long-obsolete files

pacificnew and systemv have been removed. As a result, the

"US/Pacific-New" zone name declared in the pacificnew data file is no

longer available for use.

Information regarding the update can be viewed at

https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html

New in release OpenJDK 8u265 (2020-07-27):

===========================================

Live versions of these release notes can be found at:

  * https://bitly.com/openjdk8u265

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u265.txt

* Bug fixes

  - JDK-8249677: Regression in 8u after JDK-8237117: Better ForkJoinPool behavior

  - JDK-8250546: Expect changed behaviour reported in JDK-8249846

New in release OpenJDK 8u262 (2020-07-14):

===========================================

Live versions of these release notes can be found at:

  * https://bitly.com/oj8u262

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u262.txt

* New features

  - JDK-8223147: JFR Backport

* Security fixes

  - JDK-8028431, CVE-2020-14579: NullPointerException in DerValue.equals(DerValue)

  - JDK-8028591, CVE-2020-14578: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()

  - JDK-8230613: Better ASCII conversions

  - JDK-8231800: Better listing of arrays

  - JDK-8232014: Expand DTD support

  - JDK-8233255: Better Swing Buttons

  - JDK-8234032: Improve basic calendar services

  - JDK-8234042: Better factory production of certificates

  - JDK-8234418: Better parsing with CertificateFactory

  - JDK-8234836: Improve serialization handling

  - JDK-8236191: Enhance OID processing

  - JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior

  - JDK-8237592, CVE-2020-14577: Enhance certificate verification

  - JDK-8238002, CVE-2020-14581: Better matrix operations

  - JDK-8238804: Enhance key handling process

  - JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable

  - JDK-8238843: Enhanced font handing

  - JDK-8238920, CVE-2020-14583: Better Buffer support

  - JDK-8238925: Enhance WAV file playback

  - JDK-8240119, CVE-2020-14593: Less Affine Transformations

  - JDK-8240482: Improved WAV file playback

  - JDK-8241379: Update JCEKS support

  - JDK-8241522: Manifest improved jar headers redux

  - JDK-8242136, CVE-2020-14621: Better XML namespace handling

* Other changes

  - JDK-4949105: Access Bridge lacks html tags parsing

  - JDK-7147060: com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java doesn't run in agentvm mode

  - JDK-8003209: JFR events for network utilization

  - JDK-8030680: 292 cleanup from default method code assessment

  - JDK-8035633: TEST_BUG: java/net/NetworkInterface/Equals.java and some tests failed on windows intermittently

  - JDK-8037866: Replace the Fun class in tests with lambdas

  - JDK-8041626: Shutdown tracing event

  - JDK-8041915: Move 8 awt tests to OpenJDK regression tests tree

  - JDK-8067796: (process) Process.waitFor(timeout, unit) doesn't throw NPE if timeout is less than, or equal to zero when unit == null

  - JDK-8076475: Misuses of strncpy/strncat

  - JDK-8130737: AffineTransformOp can't handle child raster with non-zero x-offset

  - JDK-8141056: Erroneous assignment in HeapRegionSet.cpp

  - JDK-8146612: C2: Precedence edges specification violated

  - JDK-8148886: SEGV in sun.java2d.marlin.Renderer._endRendering

  - JDK-8149338: JVM Crash caused by Marlin renderer not handling NaN coordinates

  - JDK-8150986: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java failing because expects HPROF JAVA PROFILE 1.0.1 file format

  - JDK-8151582: (ch) test java/nio/channels/AsyncCloseAndInterrupt.java failing due to "Connection succeeded"

  - JDK-8165675: Trace event for thread park has incorrect unit for timeout

  - JDK-8171934: ObjectSizeCalculator.getEffectiveMemoryLayoutSpecification() does not recognize OpenJDK's HotSpot VM

  - JDK-8172559: [PIT][TEST_BUG] Move @test to be 1st annotation in java/awt/image/Raster/TestChildRasterOp.java

  - JDK-8176182: 4 security tests are not run

  - JDK-8178374: Problematic ByteBuffer handling in CipherSpi.bufferCrypt method

  - JDK-8178910: Problemlist sample tests

  - JDK-8181841: A TSA server returns timestamp with precision higher than milliseconds

  - JDK-8183925: Decouple crash protection from watcher thread

  - JDK-8191393: Random crashes during cfree+0x1c

  - JDK-8195817: JFR.stop should require name of recording

  - JDK-8195818: JFR.start should increase autogenerated name by one

  - JDK-8195819: Remove recording=x from jcmd JFR.check output

  - JDK-8196969: JTreg Failure: serviceability/sa/ClhsdbJstack.java causes NPE

  - JDK-8199712: Flight Recorder

  - JDK-8202578: Revisit location for class unload events

  - JDK-8202835: jfr/event/os/TestSystemProcess.java fails on missing events

  - JDK-8203287: Zero fails to build after JDK-8199712 (Flight Recorder)

  - JDK-8203346: JFR: Inconsistent signature of jfr_add_string_constant

  - JDK-8203664: JFR start failure after AppCDS archive created with JFR StartFlightRecording

  - JDK-8203921: JFR thread sampling is missing fixes from JDK-8194552

  - JDK-8203929: Limit amount of data for JFR.dump

  - JDK-8205516: JFR tool

  - JDK-8207392: [PPC64] Implement JFR profiling

  - JDK-8207829: FlightRecorderMXBeanImpl is leaking the first classloader which calls it

  - JDK-8209960: -Xlog:jfr* doesn't work with the JFR

  - JDK-8210024: JFR calls virtual is_Java_thread from ~Thread()

  - JDK-8210776: Upgrade X Window System 6.8.2 to the latest XWD 1.0.7

  - JDK-8211239: Build fails without JFR: empty JFR events signatures mismatch

  - JDK-8212232: Wrong metadata for the configuration of the cutoff for old object sample events

  - JDK-8213015: Inconsistent settings between JFR.configure and -XX:FlightRecorderOptions

  - JDK-8213421: Line number information for execution samples always 0

  - JDK-8213617: JFR should record the PID of the recorded process

  - JDK-8213734: SAXParser.parse(File, ..) does not close resources when Exception occurs.

  - JDK-8213914: [TESTBUG] Several JFR VM events are not covered by tests

  - JDK-8213917: [TESTBUG] Shutdown JFR event is not covered by test

  - JDK-8213966: The ZGC JFR events should be marked as experimental

  - JDK-8214542: JFR: Old Object Sample event slow on a deep heap in debug builds

  - JDK-8214750: Unnecessary 
 tags in jfr classes

  - JDK-8214896: JFR Tool left files behind

  - JDK-8214906: [TESTBUG] jfr/event/sampling/TestNative.java fails with UnsatisfiedLinkError

  - JDK-8214925: JFR tool fails to execute

  - JDK-8215175: Inconsistencies in JFR event metadata

  - JDK-8215237: jdk.jfr.Recording javadoc does not compile

  - JDK-8215284: Reduce noise induced by periodic task getFileSize()

  - JDK-8215355: Object monitor deadlock with no threads holding the monitor (using jemalloc 5.1)

  - JDK-8215362: JFR GTest JfrTestNetworkUtilization fails

  - JDK-8215771: The jfr tool should pretty print reference chains

  - JDK-8216064: -XX:StartFlightRecording:settings= doesn't work properly

  - JDK-8216486: Possibility of integer overflow in JfrThreadSampler::run()

  - JDK-8216528: test/jdk/java/rmi/transport/runtimeThreadInheritanceLeak/RuntimeThreadInheritanceLeak.java failing with Xcomp

  - JDK-8216559: [JFR] Native libraries not correctly parsed from /proc/self/maps

  - JDK-8216578: Remove unused/obsolete method in JFR code

  - JDK-8216995: Clean up JFR command line processing

  - JDK-8217744: [TESTBUG] JFR TestShutdownEvent fails on some systems due to process surviving SIGINT

  - JDK-8217748: [TESTBUG] Exclude TestSig test case from JFR TestShutdownEvent

  - JDK-8218935: Make jfr strncpy uses GCC 8.x friendly

  - JDK-8220293: Deadlock in JFR string pool

  - JDK-8223689: Add JFR Thread Sampling Support

  - JDK-8223690: Add JFR BiasedLock Event Support

  - JDK-8223691: Add JFR G1 Region Type Change Event Support

  - JDK-8223692: Add JFR G1 Heap Summary Event Support

  - JDK-8224172: assert(jfr_is_event_enabled(id)) failed: invariant

  - JDK-8224475: JTextPane does not show images in HTML rendering

  - JDK-8225068: Remove DocuSign root certificate that is expiring in May 2020

  - JDK-8225069: Remove Comodo root certificate that is expiring in May 2020

  - JDK-8226253: JAWS reports wrong number of radio buttons when buttons are hidden.

  - JDK-8226779: [TESTBUG] Test JFR API from Java agent

  - JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys

  - JDK-8227011: Starting a JFR recording in response to JVMTI VMInit and / or Java agent premain corrupts memory

  - JDK-8227269: Slow class loading when running with JDWP

  - JDK-8227605: Kitchensink fails "assert((((klass)->trace_id() & (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0)) failed: invariant"

  - JDK-8229366: JFR backport allows unchecked writing to memory

  - JDK-8229401: Fix JFR code cache test failures

  - JDK-8229708: JFR backport code does not initialize

  - JDK-8229873: 8229401 broke jdk8u-jfr-incubator

  - JDK-8229888: (zipfs) Updating an existing zip file does not preserve original permissions

  - JDK-8229899: Make java.io.File.isInvalid() less racy

  - JDK-8230448: [test] JFRSecurityTestSuite.java is failing on Windows

  - JDK-8230597: Update GIFlib library to the 5.2.1

  - JDK-8230707: JFR related tests are failing

  - JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return

  - JDK-8230782: Robot.createScreenCapture() fails if ?awt.robot.gtk? is set to false

  - JDK-8230856: Java_java_net_NetworkInterface_getByName0 on unix misses ReleaseStringUTFChars in early return

  - JDK-8230926: [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout

  - JDK-8230947: TestLookForUntestedEvents.java is failing after JDK-8230707

  - JDK-8231995: two jtreg tests failed after 8229366 is fixed

  - JDK-8233197: Invert JvmtiExport::post_vm_initialized() and Jfr:on_vm_start() start-up order for correct option parsing

  - JDK-8233623: Add classpath exception to copyright in EventHandlerProxyCreator.java file

  - JDK-8233880: Support compilers with multi-digit major version numbers

  - JDK-8236002: CSR for JFR backport suggests not leaving out the package-info

  - JDK-8236008: Some backup files were accidentally left in the hotspot tree

  - JDK-8236074: Missed package-info

  - JDK-8236174: Should update javadoc since tags

  - JDK-8236996: Incorrect Roboto font rendering on Windows with subpixel antialiasing

  - JDK-8238076: Fix OpenJDK 7 Bootstrap Broken by JFR Backport

  - JDK-8238452: Keytool generates wrong expiration date if validity is set to 2050/01/01

  - JDK-8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB

  - JDK-8238589: Necessary code cleanup in JFR for JDK8u

  - JDK-8238590: Enable JFR by default during compilation in 8u

  - JDK-8239055: Wrong implementation of VMState.hasListener

  - JDK-8239476: JDK-8238589 broke windows build by moving OrderedPair

  - JDK-8239479: minimal1 and zero builds are failing

  - JDK-8239852: java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed

  - JDK-8239867: correct over use of INCLUDE_JFR macro

  - JDK-8240375: Disable JFR by default for July 2020 release

  - JDK-8240576: JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges

  - JDK-8241444: Metaspace::_class_vsm not initialized if compressed class pointers are disabled

  - JDK-8241638: launcher time metrics always report 1 on Linux when _JAVA_LAUNCHER_DEBUG set

  - JDK-8241750: x86_32 build failure after JDK-8227269

  - JDK-8241902: AIX Build broken after integration of JDK-8223147 (JFR Backport)

  - JDK-8242788: Non-PCH build is broken after JDK-8191393

  - JDK-8242883: Incomplete backport of JDK-8078268: backport test part

  - JDK-8243059: Build fails when --with-vendor-name contains a comma

  - JDK-8243474: [TESTBUG] removed three tests of 0 bytes

  - JDK-8243539: Copyright info (Year) should be updated for fix of 8241638

  - JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a

  - JDK-8244407: JVM crashes after transformation in C2 IdealLoopTree::split_fall_in

  - JDK-8244461: [JDK 8u] Build fails with glibc 2.32

  - JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result

  - JDK-8244777: ClassLoaderStats VM Op uses constant hash value

  - JDK-8244843: JapanEraNameCompatTest fails

  - JDK-8245167: Top package in method profiling shows null in JMC

  - JDK-8246223: Windows build fails after JDK-8227269

  - JDK-8246703: [TESTBUG] Add test for JDK-8233197

  - JDK-8248399: Build installs jfr binary when JFR is disabled

  - JDK-8248715: New JavaTimeSupplementary localisation for 'in' installed in wrong package

Notes on individual issues:

===========================

hotspot/jfr:

JDK-8240687: JDK Flight Recorder Integrated to OpenJDK 8u

=========================================================

OpenJDK 8u now contains the backport of JEP 328: Flight Recorder

(https://openjdk.java.net/jeps/328) from later versions of OpenJDK.

JFR is a low-overhead framework to collect and provide data helpful to

troubleshoot the performance of the OpenJDK runtime and of Java

applications. It consists of a new API to define custom events under

the jdk.jfr namespace and a JMX interface to interact with the

framework. The recording can also be initiated with the application

startup using the -XX:+FlightRecorder flag or via jcmd. JFR replaces

the +XX:EnableTracing feature introduced in JEP 167, providing a more

efficient way to retrieve the same information. For compatibility

reasons, +XX:EnableTracing is still accepted, however no data will be

printed.

While JFR is not built by default upstream, it is included in Red Hat

binaries for supported architectures (x86_64, AArch64 & PowerPC 64)

hotspot/runtime:

JDK-8205622: JFR Start Failure After AppCDS Archive Created with JFR StartFlightRecording

=========================================================================================

JFR will be disabled with a warning message if it is enabled during

CDS dumping. The user will see the following warning message:

OpenJDK 64-Bit Server VM warning: JFR will be disabled during CDS dumping

if JFR is enabled during CDS dumping such as in the following command

line:

$ java -Xshare:dump -XX:StartFlightRecording=dumponexit=true

security-libs/java.security:

JDK-8244167: Removal of Comodo Root CA Certificate

==================================================

The following expired Comodo root CA certificate was removed from the

`cacerts` keystore: + alias name "addtrustclass1ca [jdk]"

Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE

JDK-8244166: Removal of DocuSign Root CA Certificate

====================================================

The following expired DocuSign root CA certificate was removed from

 the `cacerts` keystore: + alias name "keynectisrootca [jdk]"

Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR

security-libs/javax.crypto:pkcs11:

JDK-8240191: Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database

============================================================================================================================

The SunPKCS11 security provider can now be initialized with NSS when

FIPS-enabled external modules are configured in the Security Modules

Database (NSSDB). Prior to this change, the SunPKCS11 provider would

throw a RuntimeException with the message: "FIPS flag set for

non-internal module" when such a library was configured for NSS in

non-FIPS mode.

This change allows the JDK to work properly with recent NSS releases

on GNU/Linux operating systems when the system-wide FIPS policy is

turned on.

Further information can be found in JDK-8238555.

New in release OpenJDK 8u252 (2020-04-14):

===========================================

Live versions of these release notes can be found at:

  * https://bitly.com/oj8u252

  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u252.txt

* Security fixes

  - JDK-8223898, CVE-2020-2754: Forward references to Nashorn

  - JDK-8223904, CVE-2020-2755: Improve Nashorn matching

  - JDK-8224541, CVE-2020-2756: Better mapping of serial ENUMs

  - JDK-8224549, CVE-2020-2757: Less Blocking Array Queues

  - JDK-8225603: Enhancement for big integers

  - JDK-8227542: Manifest improved jar headers

  - JDK-8231415, CVE-2020-2773: Better signatures in XML

  - JDK-8233250: Better X11 rendering

  - JDK-8233410: Better Build Scripting

  - JDK-8234027: Better JCEKS key support

  - JDK-8234408, CVE-2020-2781: Improve TLS session handling

  - JDK-8234825, CVE-2020-2800: Better Headings for HTTP Servers

  - JDK-8234841, CVE-2020-2803: Enhance buffering of byte buffers

  - JDK-8235274, CVE-2020-2805: Enhance typing of methods

  - JDK-8236201, CVE-2020-2830: Better Scanner conversions

  - JDK-8238960: linux-i586 builds are inconsistent as the newly build jdk is not able to reserve enough space for object heap

* Other changes

  - JDK-8005819: Support cross-realm MSSFU

  - JDK-8022263: use same Clang warnings on BSD as on Linux

  - JDK-8038631: Create wrapper for awt.Robot with additional functionality

  - JDK-8047212: runtime/ParallelClassLoading/bootstrap/random/inner-complex assert(ObjectSynchronizer::verify_objmon_isinpool(inf)) failed: monitor is invalid

  - JDK-8055283: Expand ResourceHashtable with C_HEAP allocation, removal and some unit tests

  - JDK-8068184: Fix for JDK-8032832 caused a deadlock

  - JDK-8079693: Add support for ECDSA P-384 and P-521 curves to XML Signature

  - JDK-8132130: some docs cleanup

  - JDK-8135318: CMS wrong max_eden_size for check_gc_overhead_limit

  - JDK-8144445: Maximum size checking in Marlin ArrayCache utility methods is not optimal

  - JDK-8144446: Automate the Marlin crash test

  - JDK-8144526: Remove Marlin logging use of deleted internal API

  - JDK-8144630: Use PrivilegedAction to create Thread in Marlin RendererStats

  - JDK-8144654: Improve Marlin logging

  - JDK-8144718: Pisces / Marlin Strokers may generate invalid curves with huge coordinates and round joins

  - JDK-8166976: TestCipherPBECons has wrong @run line

  - JDK-8167409: Invalid value passed to critical JNI function

  - JDK-8181872: C1: possible overflow when strength reducing integer multiply by constant

  - JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT

  - JDK-8191227: issues with unsafe handle resolution

  - JDK-8197441: Signature#initSign/initVerify for an invalid private/public key fails with ClassCastException for SunPKCS11 provider

  - JDK-8204152: SignedObject throws NullPointerException for null keys with an initialized Signature object

  - JDK-8215756: Memory leaks in the AWT on macOS

  - JDK-8216472: (se) Stack overflow during selection operation leads to crash (win)

  - JDK-8219244: NMT: Change ThreadSafepointState's allocation type from mtInternal to mtThread

  - JDK-8219597: (bf) Heap buffer state changes could provoke unexpected exceptions

  - JDK-8225128: Add exception for expiring DocuSign root to VerifyCACerts test

  - JDK-8225130: Add exception for expiring Comodo roots to VerifyCACerts test

  - JDK-8229022: BufferedReader performance can be improved by using StringBuilder

  - JDK-8229345: Memory leak due to vtable stubs not being shared on SPARC

  - JDK-8229872: (fs) Increase buffer size used with getmntent

  - JDK-8230235: Rendering HTML with empty img attribute and documentBaseKey cause Exception

  - JDK-8231430: C2: Memory stomp in max_array_length() for T_ILLEGAL type

  - JDK-8235744: PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64

  - JDK-8235904: Infinite loop when rendering huge lines

  - JDK-8236179: C1 register allocation error with T_ADDRESS

  - JDK-8237368: Problem with NullPointerException in RMI TCPEndpoint.read

  - JDK-8240521: Revert backport of 8231584: Deadlock with ClassLoader.findLibrary and System.loadLibrary call

  - JDK-8241296: Segfault in JNIHandleBlock::oops_do()

  - JDK-8241307: Marlin renderer should not be the default in 8u252

Notes on individual issues:

===========================

hotspot/svc:

JDK-8174881: Binary format for HPROF updated 

============================================

When dumping the heap in binary format, HPROF format 1.0.2 is always

used now. Previously, format 1.0.1 was used for heaps smaller than

2GB. HPROF format 1.0.2 is also used by jhsdb jmap for the

serviceability agent.

security-libs/java.security:

JDK-8229518: Added Support for PKCS#1 v2.2 Algorithms Including RSASSA-PSS Signature

====================================================================================

The SunRsaSign and SunJCE providers have been enhanced with support

for more algorithms defined in PKCS#1 v2.2, such as RSASSA-PSS

signature and OAEP using FIPS 180-4 digest algorithms. New

constructors and methods have been added to relevant JCA/JCE classes

under the `java.security.spec` and `javax.crypto.spec` packages for

supporting additional RSASSA-PSS parameters.

security-libs/javax.crypto:

JDK-8205471: RSASSA-PSS Signature Support Added to SunMSCAPI

============================================================

The RSASSA-PSS signature algorithm support has been added to the SunMSCAPI provider.

security-libs/javax.security:

JDK-8227564: Allow SASL Mechanisms to Be Restricted

===================================================

A security property named `jdk.sasl.disabledMechanisms` has been added

that can be used to disable SASL mechanisms. Any disabled mechanism

will be ignored if it is specified in the `mechanisms` argument of

`Sasl.createSaslClient` or the `mechanism` argument of

`Sasl.createSaslServer`. The default value for this security property

is empty, which means that no mechanisms are disabled out-of-the-box.