Red Hat SummitRelease notes for Red Hat build of OpenJDK 8.0.452
Abstract
Preface
Open Java Development Kit (OpenJDK) is a free and open source implementation of the Java Platform, Standard Edition (Java SE). The Red Hat build of OpenJDK is available in four versions: 8u, 11u, 17u, and 21u.
Packages for the Red Hat build of OpenJDK are available on Red Hat Enterprise Linux and Microsoft Windows platforms and shipped as a JDK and a JRE in the Red Hat Ecosystem Catalog.
Providing feedback on Red Hat build of OpenJDK documentation
To report an error or to improve our documentation, log in to your Red Hat Jira account and submit an issue. If you do not have a Red Hat Jira account, then you will be prompted to create an account.
Procedure
- Click the following link to create a ticket.
- Enter a brief description of the issue in the Summary.
- Provide a detailed description of the issue or enhancement in the Description. Include a URL to where the issue occurs in the documentation.
- Clicking Create creates and routes the issue to the appropriate documentation team.
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Chapter 1. Support policy
Red Hat will support select major versions of Red Hat build of OpenJDK in its products. For consistency, these are the same versions that Oracle designates as long-term support (LTS) for the Oracle JDK.
A major version of Red Hat build of OpenJDK will be supported for a minimum of six years from the time that version is first introduced. For more information, see the OpenJDK Life Cycle and Support Policy.
RHEL 6 reached the end of life in November 2020. Because of this, Red Hat build of OpenJDK is not supporting RHEL 6 as a supported configuration.
Chapter 2. Differences from upstream OpenJDK 8
Red Hat build of OpenJDK in Red Hat Enterprise Linux (RHEL) contains a number of structural changes from the upstream distribution of OpenJDK. The Microsoft Windows version of Red Hat build of OpenJDK attempts to follow RHEL updates as closely as possible.
The following list details the most notable Red Hat build of OpenJDK 8 changes:
- FIPS support. Red Hat build of OpenJDK 8 automatically detects whether RHEL is in FIPS mode and automatically configures Red Hat build of OpenJDK 8 to operate in that mode. This change does not apply to Red Hat build of OpenJDK builds for Microsoft Windows.
- Cryptographic policy support. Red Hat build of OpenJDK 8 obtains the list of enabled cryptographic algorithms and key size constraints from the RHEL system configuration. These configuration components are used by the Transport Layer Security (TLS) encryption protocol, the certificate path validation, and any signed JARs. You can set different security profiles to balance safety and compatibility. This change does not apply to Red Hat build of OpenJDK builds for Microsoft Windows.
-
Red Hat build of OpenJDK on RHEL dynamically links against native libraries such as
zlibfor archive format support andlibjpeg-turbo,libpng, andgiflibfor image support. RHEL also dynamically links againstHarfbuzzandFreetypefor font rendering and management. This change does not apply to Red Hat build of OpenJDK builds for Microsoft Windows. -
The
src.zipfile includes the source for all the JAR libraries shipped with Red Hat build of OpenJDK. - Red Hat build of OpenJDK on RHEL uses system-wide timezone data files as a source for timezone information.
- Red Hat build of OpenJDK on RHEL uses system-wide CA certificates.
- Red Hat build of OpenJDK on Microsoft Windows includes the latest available timezone data from RHEL.
- Red Hat build of OpenJDK on Microsoft Windows uses the latest available CA certificate from RHEL.
Additional resources
Chapter 3. Red Hat build of OpenJDK 8.0.452 release notes
The latest Red Hat build of OpenJDK 8 release might include new features. Additionally, the latest release might enhance, deprecate, or remove features that originated from earlier Red Hat build of OpenJDK 8 releases.
For all the other changes and security fixes, see OpenJDK 8u452 Released.
Red Hat build of OpenJDK new features and enhancements
Review the following release notes to understand new features and feature enhancements that Red Hat build of OpenJDK 8.0.452 provides:
Warnings from jarsigner tool about removed file entries
In earlier Red Hat build of OpenJDK releases, when a file was removed from a signed JAR file but the file signature was still present, the jarsigner tool did not detect this situation.
In Red Hat build of OpenJDK 8.0.452, you can use the jarsigner ‑verify command to check that every signature has a matching file entry. If any mismatch exists, this command prints a warning. To display the names of any mismatched entries, add the ‑verbose option to the command.
See JDK-8309841 (JDK Bug System).
Distrust of TLS server certificates issued after 15 April 2025 and anchored by Camerfirma root CAs
In accordance with similar plans that Google, Mozilla, Apple, and Microsoft recently announced, Red Hat build of OpenJDK 8.0.452 distrusts TLS certificates that are issued after 15 April 2025 and anchored by Camerfirma root certificates.
Red Hat build of OpenJDK will continue to trust certificates that are issued on or before 15 April 2025 until these certificates expire.
If a server’s certificate chain is anchored by an affected certificate, any attempts to negotiate a TLS session now fail with an exception to indicate that the trust anchor is not trusted. For example:
TLS server certificate issued after 2025-04-15 and anchored by a distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
You can check whether this change affects a certificate in a JDK keystore by using the following keytool command:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If this change affects any certificate in the chain, update this certificate or contact the organisation that is responsible for managing the certificate.
If you want to continue using TLS server certificates that are anchored by Camerfirma root certificates, you can remove CAMERFIRMA_TLS from the jdk.security.caDistrustPolicies security property either by modifying the java.security configuration file or by using the java.security.properties system property.
Continued use of the distrusted TLS server certificates is at your own risk.
These restrictions apply to the following Camerfirma root certificates that Red Hat build of OpenJDK includes:
- Certificate 1
- Alias name: camerfirmachamberscommerceca [jdk]
- Distinguished name: CN=Chambers of Commerce Root OU=http://www.chambersign.org O=AC Camerfirma SA CIF A82743287 C=EU
- SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3
- Certificate 2
- Alias name: camerfirmachambersca [jdk]
- Distinguished name: CN=Chambers of Commerce Root - 2008 O=AC Camerfirma S.A. SERIALNUMBER=A82743287 L=Madrid (see current address at www.camerfirma.com/address) C=EU
- SHA256: 06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0
- Certificate 3
- Alias name: camerfirmachambersignca [jdk]
- Distinguished name: CN=Global Chambersign Root - 2008 O=AC Camerfirma S.A. SERIALNUMBER=A82743287 L=Madrid (see current address at www.camerfirma.com/address) C=EU
- SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA
See JDK-8346587 (JDK Bug System).
IANA time zone database updated to version 2024b
In Red Hat build of OpenJDK 8.0.452, the in-tree copy of the Internet Assigned Numbers Authority (IANA) time zone database is updated to version 2024b. This update is primarily concerned with improving historical data for Mexico, Monogolia, and Portugal.
This update to the IANA database also includes the following changes:
-
Asia/Choibalsanis an alias forAsia/Ulaanbaatar. - The Middle European Time (MET) time zone is equal to Central European Time (CET).
Some legacy time-zone IDs are mapped to geographical names rather than fixed offsets:
-
Eastern Standard Time (EST) is mapped to
America/Panamarather than-5:00. -
Mountain Standard Time (MST) is mapped to
America/Phoenixrather than-7:00. -
Hawaii Standard Time (HST) is mapped to
Pacific/Honolulurather than-10:00.
Red Hat build of OpenJDK overrides the change in the legacy time-zone ID mappings by retaining the existing fixed-offset mapping.
-
Eastern Standard Time (EST) is mapped to
Chapter 4. Advisories related to this release
The following advisories are issued to document bug fixes and CVE fixes included in this release:
Revised on 2025-04-29 11:35:45 UTC
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}