Liberica JDK 11.0.28+12: Release Notes

JDK-8293345

Summary: Legacy Mechanism Check in SunPKCS11 Provider Is Enhanced with Service Type

Description: "Native PKCS11 mechanisms, which support decryption but not encryption, or signature verification but not signing, are considered legacy and are disabled by default. The legacy mechanism check in SunPKCS11 provider is enhanced with the service type. For example, prior to this fix, a mechanism supporting encryption, decryption, and verification but not signing, is considered legacy and can’t be used at all. After this fix, the corresponding Cipher service using this mechanism is available since both encryption and decryption are supported. However, the corresponding Signature service is not since only verification is supported. To bypass the legacy mechanism check, set the PKCS11 provider configuration attribute "allowLegacy" to true. The default value is false. Note that it is the caller’s responsibility to make sure the legacy mechanism is not used for the unsupported functionality."

JDK-8303770

Summary: Removed Baltimore CyberTrust Root Certificate After Expiry Date

Description: The following expired root certificate has been removed from the cacerts keystore: alias name baltimorecybertrustca [jdk], Distinguished Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE.

JDK-8309841

Summary: Jarsigner should print a warning if an entry is removed

Description: If an entry is removed from a signed JAR file, there is no mechanism to detect that it has been removed using the JarFile API, since the getJarEntry method returns null as if the entry had never existed. With this change, the jarsigner -verify command analyzes the signature files and if some sections do not have matching file entries, it prints out the following warning: 'This JAR contains signed entries for files that do not exist'. Users can further find out the names of these entries by adding the -verbose option to the command.

JDK-8350498

Summary: Removed Two Camerfirma Root Certificates

Description: The following root certificates, which are terminated and no longer in use, have been removed from the cacerts keystore: alias name camerfirmachamberscommerceca [jdk], Distinguished Name: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU; alias name camerfirmachambersignca [jdk], Distinguished Name: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU.

JDK-8352716

Summary: Update Timezone Data to 2025b

Description: The 2025b release of the tz code and data contains the following changes: New zone for Aysén Region in Chile which moves from -04/-03 to -03.

JDK-8359170

Summary: Added 4 New Root Certificates from Sectigo Limited

Description: The following Sectigo Limited root certificates have been added to the cacerts truststore: sectigocodesignroote46, DN: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB; sectigocodesignrootr46, DN: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB; sectigotlsroote46, DN: CN=Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB; sectigotlsrootr46, DN: CN=Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB.

JDK-8026976

ECParameters, Point does not match field size

JDK-8211400

nsk.share.gc.Memory::getArrayLength returns wrong value

JDK-8231058

VerifyOops crashes with assert(_offset >= 0) failed: offset for non comment?

JDK-8232625

HttpClient redirect policy should be more conservative

JDK-8258483

[TESTBUG] gtest CollectorPolicy.young_scaled_initial_ergo_vm fails if heap is too small

JDK-8293345

SunPKCS11 provider checks on PKCS11 Mechanism are problematic

JDK-8296631

NSS tests failing on OL9 linux-aarch64 hosts

JDK-8301753

AppendFile/WriteFile has differences between make 3.81 and 4+

JDK-8303770

Remove Baltimore root certificate expiring in May 2025

JDK-8309841

Jarsigner should print a warning if an entry is removed

JDK-8315380

AsyncGetCallTrace crash in frame::safe_for_sender

JDK-8327476

Upgrade JLine to 3.26.1

JDK-8328957

Update PKCS11Test.java to not use hardcoded path

JDK-8331959

Update PKCS#11 Cryptographic Token Interface to v3.1

JDK-8339300

CollectorPolicy.young_scaled_initial_ergo_vm gtest fails on ppc64 based platforms

JDK-8339728

[Accessibility,Windows,JAWS] Bug in the getKeyChar method of the AccessBridge class

JDK-8339810

Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract

JDK-8345133

Test sun/security/tools/jarsigner/TsacertOptionTest.java failed: Warning found in stdout

JDK-8345625

Better HTTP connections

JDK-8346887

DrawFocusRect() may cause an assertion failure

JDK-8347629

Test FailOverDirectExecutionControlTest.java fails with -Xcomp

JDK-8348110

Update LCMS to 2.17

JDK-8348596

Update FreeType to 2.13.3

JDK-8348598

Update Libpng to 1.6.47

JDK-8348989

Better Glyph drawing

JDK-8349111

Enhance Swing supports

JDK-8349594

Enhance TLS protocol support

JDK-8350469

[11u] Test AbsPathsInImage.java fails - JDK-8239429 public clone

JDK-8350498

Remove two Camerfirma root CA certificates

JDK-8350991

Improve HTTP client header handling

JDK-8351099

Bump update version of OpenJDK: 11.0.28

JDK-8351422

Improve scripting supports

JDK-8352302

Test sun/security/tools/jarsigner/TimestampCheck.java is failing

JDK-8352716

(tz) Update Timezone Data to 2025b

JDK-8356096

ISO 4217 Amendment 179 Update

JDK-8356571

Re-enable -Wtype-limits for GCC in LCMS

JDK-8359170

Add 2 TLS and 2 CS Sectigo roots

JDK-8360147

Better Glyph drawing redux

JDK-8352162

Update libxml2 to 2.13.8

JDK-8352164

Update libxslt to 1.1.43

JDK-8354876

Update SQLite to 3.49.1

JDK-8354940

Fail to sign in to Microsoft sites with WebView