Chapter 6. Red Hat build of OpenJDK 21.0.1 bug fixes

Red Hat build of OpenJDK 21.0.1 includes the following bug fixes.

Fixed Invalid CEN header error on valid .zip files

Red Hat build of OpenJDK 21.0.0 introduced additional validation checks on the ZIP64 fields of .zip files (JDK-8302483). However, these additional checks caused validation failures on some valid .zip files with the following error message: Invalid CEN header (invalid zip64 extra data field size).

To fix this issue, Red Hat build of OpenJDK 21.0.1 supports zero-length headers and the additional padding that some ZIP64 creation tools produce.

The following third-party tools have also released patches for better adherence to the .ZIP File Format Specification:

  • Apache Commons Compress fix for Empty CEN Zip64 Extra Headers fixed in Commons Compress release 1.11
  • Apache Ant fix for Empty CEN Zip64 Extra Headers fixed in Ant 1.10.14
  • BND issue with writing invalid Extra Headers fixed in BND 5.3

    The maven-bundle-plugin 5.1.5 includes the BND 5.3 patch.

If these improved validation checks cause issues for deployed ZIP or JAR files, check how the file was created and whether patches are available from the generating software to resolve the issue. From Red Hat build of OpenJDK 21.0.0 onward, you can disable these checks by setting the system property to true.

See JDK-8313765 (JDK Bug System).
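When checking how a rejected ZIP or JAR file was created, it helps to see which central directory (CEN) entries carry the two conditions described above: a zero-length ZIP64 extra field or padding after the last extra field. The following Python triage script is an added example, not code from Red Hat or the OpenJDK project, and it does not reproduce the JDK's validation logic; the function names, finding labels and sample archive are constructed for illustration, and only archives with a classic end-of-central-directory record are handled.

```python
import struct

CEN = struct.Struct("<4s6H3I5H2I")  # central directory (CEN) file header, 46 bytes
EOCD = struct.Struct("<4s4H2IH")    # end of central directory record, 22 bytes
ZIP64_ID = 0x0001                   # header ID of the ZIP64 extended information field

def zip64_findings(data: bytes):
    """Return (entry name, finding) pairs for the extra data of each CEN entry.

    Assumes a classic EOCD record (no ZIP64 EOCD locator) and no prepended data.
    """
    pos = data.rfind(b"PK\x05\x06")
    if pos < 0 or pos + EOCD.size > len(data):
        raise ValueError("no end of central directory record")
    rec = EOCD.unpack_from(data, pos)
    total, off = rec[4], rec[6]  # entry count, offset of the first CEN header
    findings = []
    for _ in range(total):
        if off + CEN.size > pos or data[off:off + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        f = CEN.unpack_from(data, off)
        nlen, elen, clen = f[10], f[11], f[12]  # name, extra, comment lengths
        start = off + CEN.size
        name = data[start:start + nlen].decode("utf-8", "replace")
        extra = data[start + nlen:start + nlen + elen]
        i = 0
        while i + 4 <= len(extra):  # walk the (header ID, size, payload) records
            hid, hlen = struct.unpack_from("<HH", extra, i)
            if i + 4 + hlen > len(extra):
                findings.append((name, "field-overruns-extra-data"))
                i = len(extra)
                break
            if hid == ZIP64_ID and hlen == 0:
                findings.append((name, "zip64-zero-length"))
            i += 4 + hlen
        if i < len(extra):  # fewer than 4 bytes left: padding, not a record
            findings.append((name, "trailing-padding"))
        off = start + nlen + elen + clen
    return findings

def sample_archive(extra: bytes, name: bytes = b"a.txt") -> bytes:
    """Constructed input: one CEN entry followed by an EOCD record, no file data."""
    cen = CEN.pack(b"PK\x01\x02", 20, 20, 0, 0, 0, 0, 0, 0, 0,
                   len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
    return cen + EOCD.pack(b"PK\x05\x06", 0, 0, 1, 1, len(cen), 0, 0)

if __name__ == "__main__":
    for extra in (struct.pack("<HH", ZIP64_ID, 0),
                  struct.pack("<HHQ", ZIP64_ID, 8, 5) + b"\x00\x00"):
        print(zip64_findings(sample_archive(extra)))
```

To scan a real file, pass its bytes to `zip64_findings`; an entry reported here points at the tool that wrote the archive, which is where a patched version should be sought.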

Fixed potential deadlock where JVM might hang when using Generational ZGC if a VM handshake stalls on memory

In Red Hat build of OpenJDK 21.0.0, the JVM might hang when all of the following situations occurred at the same time:

  • The JVM was running out of heap memory.
  • The garbage collector (GC) was just starting a relocation phase to reclaim memory.
  • A JVM thread-local handshake was asking to relocate an object.

Red Hat build of OpenJDK 21.0.0 introduces a fix to avoid this potential deadlock.

See JDK-8311981 (JDK Bug System).

Fixed potential exception thrown by java.util.regex.MatchResult on Regex patterns containing lookaheads and lookbehinds

In Red Hat build of OpenJDK 21.0.0, the optimization of the Matcher$ImmutableMatchResult nested class (JDK-8132995) introduced an unintended regression when using instances returned by java.util.regex.Matcher.toMatchResult(). This regression occurred with java.util.regex.Pattern classes containing lookahead and lookbehind assertions that, in turn, contained groups. If these groups were located outside the match, the java.util.regex.MatchResult threw a StringIndexOutOfBoundsException when accessing these groups.

Red Hat build of OpenJDK 21.0.1 resolves this issue by calculating a minimum start location as part of the match result and by using this minimum start location rather than the location of the first match when constructing String objects.

See JDK-8312976 (JDK Bug System).

Certigna root CA certificate added

In Red Hat build of OpenJDK 21.0.1, the cacerts truststore includes the Certigna root certificate:

  • Name: Certigna (Dhimyotis)
  • Alias name: certignarootca
  • Distinguished name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR

See JDK-8314960 (JDK Bug System).

Increased default value of jdk.jar.maxSignatureFileSize system property

Red Hat build of OpenJDK 21.0.0 introduced a jdk.jar.maxSignatureFileSize system property for configuring the maximum number of bytes that are allowed for the signature-related files in a Java archive (JAR) file (JDK-8300596). By default, the jdk.jar.maxSignatureFileSize property was set to 8000000 bytes (8 MB), which was too small for some JAR files.

Red Hat build of OpenJDK 21.0.1 increases the default value of the jdk.jar.maxSignatureFileSize property to 16000000 bytes (16 MB).

See JDK-8312489 (JDK Bug System).