Liberica JDK 8u402+7: Release Notes
1. Introduction
This document provides the late-breaking information about Liberica JDK 8u402 release.
The full version string for this update release is 8u402+7. The version number is 8.
2. Liberica JDK 8u402+7
Liberica is a certified, Java SE 8-compliant distribution of OpenJDK 8, which works on server (Linux x86_64, Linux ARM64, Windows 64), desktop (Windows 64, Windows 32, Mac, Linux x86_64), and embedded devices (Linux ARM64, Linux ARMv7, including Raspberry Pi 2 & 3 (ARMv6 hardfloat)). It has the following notable additions:
-
Linux x86_64 version contains experimental support for ZGC.
-
Linux x86_64, ARMv8 and ARMv7 distributions include a choice of Client VM, Server VM and Minimal VM.
-
Alpine Linux x86_64 version is build with musl support.
-
Windows x86_64, Windows x86, Windows ARMv8, Mac, Linux x86_64, Linux x86 and Linux ARMv7 distributions contain OpenJFX 8.
-
Linux ARMv7 distribution contains Device IO API compiled for Raspberry Pi.
Refer to the Oracle JDK 8u402 release notes for further information on JDK 8 features. This document further outlines the peculiarities of Liberica distribution as compared to Oracle JDK 8 distribution.
3. Liberica JDK 8 distribution
Liberica JDK 8 is distributed as .rpm, .zip, .deb and .tar.gz packages. Please select the most appropriate for your purposes.
Liberica JDK 8 introduced all new features supported by OpenJDK 8.
With the introduction of the Jigsaw feature in JDK 9 and Minimal VM it is now possible to create a Runtime that is sufficient to run your application and trim down the size of the Runtime. To generate a Runtime with just the Minimal VM, add --vm=minimal to jlink options.
By default, the Liberica uses Server VM. Server VM and Client VM can be enabled with -server and -client command line options, respectively. In case the deployment requires to minimize the footprint, it may be beneficial to use Minimal VM, which emphasises on a minimal footprint. It has C1 JIT compiler only, Serial GC and no serviceability features.
4. Security Baselines
BellSoft Liberica follows the security baselines for Oracle Java SE. Please refer to the Oracle documentation for a list of issues fixed in a given release.
5. Known Issues
LibericaFX and EGL on Raspbian
As of 2017, the default location of Broadcom libEGL.so and libGLESv2.so has changed in Raspbian OS. If you’d like to leverage hardware EGL acceleration available from Broadcom video drivers in LibericaFX while running a recent Raspbian OS, run the following command:
cd /opt/vc/lib
sudo ln -s libbrcmEGL.so libEGL.so
sudo ln -s libbrcmGLESv2.so libGLESv2.so6. CVEs
This is the list of the security issues fixed in this release. CVSS scores are provided using the CVSS version 3.1 scoring system.
| CVE ID | CVSS score | Component | Module | Attack Vector | Complexity | Privileges | User Interaction | Scope | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2024-20918 | 7.4 | hotspot | compiler | network | high | none | none | unchanged | high | high | none |
CVE-2024-20919 | 5.9 | hotspot | runtime | network | high | none | none | unchanged | none | high | none |
CVE-2024-20921 | 5.9 | hotspot | compiler | network | high | none | none | unchanged | high | none | none |
CVE-2024-20922 | 2.5 | javafx | window-toolkit | local | high | none | required | unchanged | none | low | none |
CVE-2024-20923 | 3.1 | javafx | graphics | network | high | none | required | unchanged | low | none | none |
CVE-2024-20925 | 3.1 | javafx | media | network | high | none | required | unchanged | none | low | none |
CVE-2024-20926 | 5.9 | core-libs | javax.script | network | high | none | none | unchanged | high | none | none |
CVE-2024-20945 | 4.7 | security-libs | javax.xml.crypto | local | high | low | none | unchanged | high | none | none |
CVE-2024-20952 | 7.4 | security-libs | java.security | network | high | none | none | unchanged | high | high | none |
7. Notable Issues
This is the list of the notable issues fixed in this release.
Issue ID: | JDK-8316606 |
Summary: | Accept yes/no for boolean krb5.conf settings |
Description: | The allow_weak_crypto option in the /etc/krb5.conf file now correctly parses both answers true and yes to signify that users want to allow weak crypto. |
Issue ID: | JDK-8316635 |
Summary: | Remove SECOM certificate that is expiring in September 2023 |
Description: | The secom root certificate expiring in September 2023 was removed. |
Issue ID: | JDK-8317321 |
Summary: | Arrays should be cloned in several JAAS Callback classes |
Description: | In JAAS ChoiceCallback and ConfirmationCallback, arrays were not cloned when passed into a constructor or returned. This allowed an external program to get access to internal fields of these classes. |
Issue ID: | JDK-8319176 |
Summary: | Added Certigna Root CA - 2 |
Description: | The Certinga root certificate has been added to the cacerts truststore. |
Issue ID: | JDK-8320704 |
Summary: | Increase jdk.jar.maxSignatureFileSize default size, which is too low for JARs such as WhiteSource/Mend unified agent jar |
Description: | jdk.jar.maxSignatureFileSize default size of 8MB was too low and caused errors. The fix increased the default value to 16MB. |
Issue ID: | JDK-8322257 |
Summary: | Add Telia Root CA v2 |
Description: | Telia root certificate was added. |
Issue ID: | JDK-8322258 |
Summary: | Add Let’s Encrypt ISRG Root X2 |
Description: | New Let’s Encrypt root certificates were added. |
Issue ID: | JDK-8322259 |
Summary: | Add four DigiCert root certificates |
Description: | Four new DigiCert root certificates were added to JDK 8 |
8. Resolved Issues
JDK issues
This is the list of general JDK issues fixed in this release.
| Issue ID | Summary |
|---|---|
JDK-6528710 | sRGB-ColorSpace to sRGB-ColorSpace Conversion |
JDK-8029995 | accept yes/no for boolean krb5.conf settings |
JDK-8159156 | [TESTBUG] ReserveMemory test is not useful on Aix. |
JDK-8176509 | Use pandoc for converting build readme to html |
JDK-8206179 | com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value |
JDK-8207404 | MulticastSocket tests failing on AIX |
JDK-8209115 | adjust libsplashscreen linux ppc64le builds for easier libpng update |
JDK-8212677 | X11 default visual support for IM status window on VNC |
JDK-8239365 | ProcessBuilder test modifications for AIX execution |
JDK-8242330 | Arrays should be cloned in several JAAS Callback classes |
JDK-8271838 | AmazonCA.java interop test fails |
JDK-8283441 | C2: segmentation fault in ciMethodBlocks::make_block_at(int) |
JDK-8285398 | Cache the results of constraint checks |
JDK-8285696 | AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null |
JDK-8295685 | Update Libpng to 1.6.38 |
JDK-8302017 | Allocate BadPaddingException only if it will be thrown |
JDK-8305329 | [8u] Unify test libraries into single test library - step 1 |
JDK-8305815 | Update Libpng to 1.6.39 |
JDK-8307837 | [8u] Check step in GHA should also print errors |
JDK-8308204 | Enhanced certificate processing |
JDK-8309088 | security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails |
JDK-8311813 | C1: Uninitialized PhiResolver::_loop field |
JDK-8312489 | Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar |
JDK-8312535 | MidiSystem.getSoundbank() throws unexpected SecurityException |
JDK-8314284 | Enhance Nashorn performance |
JDK-8314295 | Enhance verification of verifier |
JDK-8314307 | Improve loop handling |
JDK-8314468 | Improve Compiler loops |
JDK-8315135 | Memory leak in the native implementation of Pack200.Unpacker.unpack() |
JDK-8315280 | Bump update version of OpenJDK: 8u402 |
JDK-8315506 | C99 compatibility issue in LinuxNativeDispatcher |
JDK-8316976 | Improve signature handling |
JDK-8317291 | Missing null check for nmethod::is_native_method() |
JDK-8317373 | Add Telia Root CA v2 |
JDK-8317374 | Add Let’s Encrypt ISRG Root X2 |
JDK-8317547 | Enhance TLS connection support |
JDK-8318759 | Add four DigiCert root certificates |
JDK-8319187 | Add three eMudhra emSign roots |
JDK-8319405 | [s390] [jdk8] Increase javac default stack size for s390x zero |
JDK-8320597 | RSA signature verification fails on signed data that does not encode params correctly |
JFX issues
This is the list of JFX issues fixed in this release.
| Issue ID | Summary |
|---|---|
JDK-8284544 | [Win] Name-Property of Spinner cannot be changed |
JDK-8297067 | Update Gradle to 7.6 |
JDK-8306918 | WebView: Update Public Suffix List to 88467c9 |
JDK-8310681 | Update WebKit to 616.1 |
JDK-8311097 | Synchron XMLHttpRequest not receiving data |
JDK-8313048 | Better Glyph handling |
JDK-8313056 | General enhancements of Glass |
JDK-8313105 | Improved media framing |
JDK-8313177 | Web Workers timeout with Webkit 616.1 |
JDK-8313181 | Enabling modern media controls on webkit 616.1 does not load button images on HTML5 video Element |
JDK-8313321 | Set minimum python version in WebKit cmake scripts |
JDK-8313711 | Cherry-pick WebKit 616.1 stabilization fixes |
JDK-8313856 | Replace VLA with malloc in pango |
JDK-8313900 | Possible NULL pointer access in NativeAudioSpectrum and NativeVideoBuffer |
JDK-8314212 | Crash when loading cnn.com in WebView |
JDK-8315074 | Possible null pointer access in native glass |
JDK-8315657 | Application window not activated in macOS 14 Sonoma |
JDK-8315870 | icu fails to compile with Visual Studio 2022 17.6.5 |
JDK-8315958 | Missing range checks in GlassPasteboard |
JDK-8317508 | Provide media support for libavcodec version 60 |
JDK-8318708 | FX: Update copyright year in docs, readme files to 2024 |
JDK-8319066 | Application window not always activated in macOS 14 Sonoma |