From c91336d3e4d8b4103239ccec19528d906746dd93 Mon Sep 17 00:00:00 2001 From: Elif Aslan Date: Thu, 10 Oct 2024 21:30:07 +0000 Subject: [PATCH] Update changelog for 11.0.25.9.1 --- CHANGELOG.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 94bfefc115..b72a2f7102 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -27,11 +27,11 @@ The following issues are addressed in 11.0.25.9.1: | Issue Name | Platform | Description | Link | |--------------------------------------------|----------|----------------------------------------------------------------------|-------------------------------------------------------------------------------| | Import jdk-11.0.25+9 | All | Update Corretto baseline to OpenJDK 11.0.25+9 | [jdk-11.0.25+9](https://github.com/openjdk/jdk11u/releases/tag/jdk-11.0.25+9) | -| JDK-8299677 | All | `Formatter.format` might take a long time to format an integer or floating-point | [JDK-8299677](bugs.openjdk.org/browse/JDK-8299677) | -| JDK-8318854 | macOS | Resolves a warning when running AWT apps on macOS 14 | [JDK-8318854](https://bugs.openjdk.org/browse/JDK-8318854) | -| JDK-8307779 | All | Relax the java.awt.Robot specification | [JDK-8307779](https://bugs.openjdk.org/browse/JDK-8307779) | -| JDK-8193682 | Linux | Infinite loop in ZipOutputStream.close() | [JDK-8193682](https://bugs.openjdk.org/browse/JDK-8193682) | - +| JDK-8279164 | All | The TLS_ECDH cipher suites do not preserve forward secrecy and are rarely used in practice. With this release, they are disabled by adding "ECDH" to the `jdk.tls.disabledAlgorithms` security property in the `java.security` configuration file. Attempts to use these suites with this release will result in a `SSLHandshakeException` being thrown. Note that ECDH cipher suites which use RC4 were already disabled prior to this change. Users can, *at their own risk*, remove this restriction by modifying the `java.security` configuration file (or override it by using the `java.security.properties` system property) so "ECDH" is no longer listed in the `jdk.tls.disabledAlgorithms` security property. This change has no effect on TLS_ECDHE cipher suites, which remain enabled by default. 
| [JDK-8279164](https://bugs.openjdk.org/browse/JDK-8279164) | +| JDK-8341059 | All | In accordance with similar plans recently announced by Google and Mozilla, the JDK will not trust Transport Layer Security (TLS) certificates issued after the 12th of November 2024 which are anchored by Entrust root certificates. This includes certificates branded as AffirmTrust, which are managed by Entrust. Certificates issued on or before November 12th, 2024 will continue to be trusted until they expire. If a server's certificate chain is anchored by an affected certificate, attempts to negotiate a TLS session will fail with an Exception that indicates the trust anchor is not trusted. | [JDK-8341059](https://bugs.openjdk.org/browse/JDK-8341059) | +| JDK-8307779 | All | This release of OpenJDK 11 updates to the latest maintenance release of the Java 11 specification. This relaxes the specification of three methods in the `java.awt.Robot` class - `mouseMove(int,int)`, `getPixelColor(int,int)` and `createScreenCapture(Rectangle)` - to allow these methods to fail when the desktop environment does not permit moving the mouse pointer or capturing screen content. | [JDK-8307779](https://bugs.openjdk.org/browse/JDK-8307779) | +| JDK-8290367 | All | With this OpenJDK release, the JDK implementation of the LDAP provider no longer supports the deserialisation of Java objects by default. This is achieved by the system property `com.sun.jndi.ldap.object.trustSerialData` being set to `false` by default. Note that this release also increases the scope of the `com.sun.jndi.ldap.object.trustSerialData` to cover the reconstruction of RMI remote objects from the `javaRemoteLocation` LDAP attribute. The result of this change is that transparent deserialisation of Java objects will require an explicit opt-in. Applications that wish to reconstruct Java objects and RMI stubs from LDAP attributes will need to set the `com.sun.jndi.ldap.object.trustSerialData` to `true`. 
| [JDK-8290367](https://bugs.openjdk.org/browse/JDK-8290367) | +| JDK-8328286 | All | This OpenJDK release limits the maximum header field size accepted by the HTTP client within the JDK for all supported versions of the HTTP protocol. The header field size is computed as the sum of the size of the uncompressed header name, the size of the uncompressed header value and a overhead of 32 bytes for each field section line. If a peer sends a field section that exceeds this limit, a `java.net.ProtocolException` will be raised. This release also introduces a new system property, `jdk.http.maxHeaderSize`. This property can be used to alter the maximum header field size (in bytes) or disable it by setting the value to zero or a negative value. The default value is 393,216 bytes or 384kB. | | The following CVEs are addressed in 11.0.25.9.1:
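Review bot: The added JDK-8328286 row ends with an empty Link cell (`| |`), while every other row in this table links to its issue; please add `[JDK-8328286](https://bugs.openjdk.org/browse/JDK-8328286)` in the same form as the rows above it. The same row reads "a overhead of 32 bytes", which should be "an overhead". The hunk also deletes the blank line that followed the last table row, so please confirm that a blank line still separates the JDK-8328286 row from "The following CVEs are addressed in 11.0.25.9.1:". Without one, Markdown renderers can pull that sentence into the table. Finally, the rows for JDK-8299677, JDK-8318854 and JDK-8193682 are dropped with no mention in the commit message. If those fixes still ship in 11.0.25.9.1, keep the rows; otherwise say in the commit message why they were removed.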