Chapter 2. Eclipse Temurin features
Eclipse Temurin does not contain structural changes from the upstream distribution of OpenJDK.
For the list of changes and security fixes included in the latest OpenJDK 8 release of Eclipse Temurin, see OpenJDK 8u362 Released.
New features and enhancements
Review the following release notes to understand new features and feature enhancements included with the Eclipse Temurin 8.0.362 release:
Improved CORBA communications
By default, the CORBA implementation in OpenJDK 8.0.362 refuses to deserialize any objects that do not contain the IOR: prefix.
If you want to revert to the previous behavior, you can set the new com.sun.CORBA.ORBAllowDeserializeObject property to true.
See JDK-8285021 (JDK Bug System).
Enhanced BMP bounds
By default, OpenJDK 8.0.362 disables loading a linked International Color Consortium (ICC) profile in a BMP image. You can enable this functionality by setting the new sun.imageio.bmp.enabledLinkedProfiles property to true. This property replaces the old sun.imageio.plugins.bmp.disableLinkedProfiles property.
See JDK-8295687 (JDK Bug System).
Improved banking of sounds
Previously, the SoundbankReader implementation, com.sun.media.sound.JARSoundbankReader, downloaded a JAR soundbank from a URL. For OpenJDK 8.0.362, this behavior is now disabled by default. To re-enable the behavior, set the new system property jdk.sound.jarsoundbank to true.
See JDK-8293742 (JDK Bug System).
OpenJDK support for Microsoft Windows 11
OpenJDK 8.0.362 can now recognize the Microsoft Windows 11 operating system and can set the os.name property to Windows 11.
See JDK-8274840 (JDK Bug System).
SHA-1 Signed JARs
With the OpenJDK 8.0.362 release, JARs signed with SHA-1 algorithms are restricted by default and treated as if they were unsigned. These restrictions apply to the following algorithms:
- Algorithms used to digest, sign, and optionally timestamp the JAR.
- Signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) responses that are used to verify if those certificates have been revoked.
Additionally, the restrictions apply to signed Java Cryptography Extension (JCE) providers.
To reduce the compatibility risk for JARs that have been previously timestamped, the restriction does not apply to any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019. This exception might be removed in a future OpenJDK release.
To determine if your JAR file is impacted by the restriction, you can issue the following command in your CLI:
$ jarsigner -verify -verbose -certs <jar-file>
From the output of the previous command, search for instances of SHA1, SHA-1, or disabled. Additionally, search for any warning messages that indicate that the JAR will be treated as unsigned. For example:
Signed by "CN="Signer""
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA1withRSA (disabled), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
Consider replacing or re-signing any JARs affected by the new restrictions with stronger algorithms.
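One way to triage that jarsigner output across many JARs, as an added example that is not part of the original release notes. The function names, the verdict labels, and the second and third sample outputs are constructed assumptions; only the first sample is the output shown above.

```shell
#!/bin/sh
# Added example: triage `jarsigner -verify -verbose -certs` output for the
# SHA-1 restriction. Verdict names and helper names are assumptions.

# Reads jarsigner output on stdin and prints one verdict:
#   REJECTED       weak algorithm disabled; JAR is treated as unsigned
#   UNSIGNED       JAR carries no signature at all
#   SHA1_ACCEPTED  SHA-1 still in use but accepted (e.g. pre-2019 timestamp)
#   OK             no SHA-1 indicators found
classify_jarsigner_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'treated as unsigned|\(disabled\)'; then
        echo REJECTED
    elif printf '%s\n' "$out" | grep -q 'jar is unsigned'; then
        echo UNSIGNED
    # Skip the echoed security property line, which always names SHA1.
    elif printf '%s\n' "$out" | grep -v 'disabledAlgorithms' | grep -Eq 'SHA-?1'; then
        echo SHA1_ACCEPTED
    else
        echo OK
    fi
}

# Run the check over every JAR under a directory (requires jarsigner on PATH).
scan_jars() {
    find "$1" -type f -name '*.jar' | while IFS= read -r jar; do
        verdict=$(jarsigner -verify -verbose -certs "$jar" 2>&1 | classify_jarsigner_output)
        printf '%s\t%s\n' "$verdict" "$jar"
    done
}

# Sample 1 is the output shown on this page; samples 2 and 3 are constructed.
SAMPLE_DISABLED='Signed by "CN="Signer""
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA1withRSA (disabled), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01'
SAMPLE_OLD_TS='Digest algorithm: SHA-1
Signature algorithm: SHA1withRSA, 2048-bit key
Timestamped by "CN=TSA" on Mon Jun 04 10:00:00 UTC 2018
jar verified.'
SAMPLE_SHA256='Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
jar verified.'

# Demo on the embedded samples: prints REJECTED, SHA1_ACCEPTED, OK.
for s in "$SAMPLE_DISABLED" "$SAMPLE_OLD_TS" "$SAMPLE_SHA256"; do
    printf '%s\n' "$s" | classify_jarsigner_output
done
```

JARs reported as SHA1_ACCEPTED rely on the pre-2019 timestamp exception, which might be removed in a future release, so they are candidates for re-signing as well.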
If your JAR file is impacted by this restriction, you can remove the algorithm and re-sign the file with a stronger algorithm, such as SHA-256. If you want to remove the restriction on SHA-1 signed JARs for OpenJDK 8.0.362, and you accept the security risks, you can complete the following actions:
- Modify the java.security configuration file. Alternatively, you can preserve this file and instead create another file with the required configurations.
- Remove the SHA1 usage SignedJAR & denyAfter 2019-01-01 entry from the jdk.certpath.disabledAlgorithms security property.
- Remove the SHA1 denyAfter 2019-01-01 entry from the jdk.jar.disabledAlgorithms security property.
On RHEL 8 and 9, the system security policy might override the value of jdk.certpath.disabledAlgorithms in the java.security file. You can view the values used by the system security policy in the /etc/crypto-policies/back-ends/java.config file. You can disable them either by setting security.useSystemPropertiesFile to false in the java.security file or by passing -Djava.security.disableSystemPropertiesFile=true to the JVM. This release does not modify these values, so they remain the same as in previous releases of OpenJDK.
For an example of configuring the java.security file, see Overriding java.security properties for JBoss EAP for OpenShift (Red Hat Customer Portal).
See JDK-8269039 (JDK Bug System).
Revised on 2023-02-02 15:41:25 UTC