java

JDK 11.0.15 Release Notes

Java Development Kit 11 Release Notes

Java SE 11.0.15.1 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.15 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 11.0.15.1.2

 

Bug Fixes

BugId Component Subcomponent Description
JDK-8155701 tools javac The compiler fails with an AssertionError: typeSig ERROR

 

Changes in Java SE 11.0.15.1.1

Fixes from the prior BPR are included in this version.

Java™ SE Development Kit 11, Patch 11.0.15.1 (JDK 11.0.15.1)

May 2, 2022

The full version string for this update release is 11.0.15.1+2 (where "+" means "build"). The version number is 11.0.15.1.

 

IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines are unchanged from the release of JDK 11.0.15.

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.15+8
8 8u331-b09
7 7u341-b08

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.15.1) be used after the next critical patch update scheduled for July 19, 2022.

 

Changes

core-libs/java.io
 New System Property to Disable Windows Alternate Data Stream Support in java.io.File

The Windows implementation of java.io.File allows access to NTFS Alternate Data Streams (ADS) by default. Such streams have a structure like “filename:streamname”. A system property jdk.io.File.enableADS has been added to control this behavior. To disable ADS support in java.io.File, the system property jdk.io.File.enableADS should be set to false (case ignored). Stricter path checking however prevents the use of special devices such as NUL:

See JDK-8285445

 

 

Bug Fixes

This release is based on the previous CPU and does not contain any additional security fixes. The following issues have also been resolved:

BugId Component Subcomponent Description
JDK-8284920 xml javax.xml.path Incorrect Token type causes XPath expression to return incorrect results
JDK-8284548 xml jaxp Invalid XPath expression causes StringIndexOutOfBoundsException

Java SE 11.0.15 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.15 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 11.0.15.0.1

Bug Fixes

BugId Component Subcomponent Description
JDK-8221741 client-libs 2d ClassCastException can happen when fontconfig.properties is used
JDK-8212904 client-libs javax.swing JTextArea line wrapping incorrect when using UI scale
JDK-8282583 xml jaxp Update BCEL md to include the copyright notice
JDK-8283350 core-libs java.time (tz) Update Timezone Data to 2022a

Java™ SE Development Kit 11.0.15 (JDK 11.0.15)

April 19, 2022

The full version string for this update release is 11.0.15+8 (where "+" means "build"). The version number is 11.0.15.

 

IANA TZ Data 2021e

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.15 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.15+8
8 8u331-b09
7 7u341-b08

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.15) be used after the next critical patch update scheduled for July 19, 2022.

 

New Features

security-libs/javax.crypto:pkcs11
 SunPKCS11 Provider Supports ChaCha20-Poly1305 Cipher and ChaCha20 KeyGenerator if Supported by PKCS11 Library

SunPKCS11 provider is enhanced to support the following crypto services and algorithms when the underlying PKCS11 library supports the corresponding PKCS#11 mechanisms:

ChaCha20 KeyGenerator <=> CKM_CHACHA20_KEY_GEN mechanism

CHACHA20-POLY1305 Cipher <=> CKM_CHACHA20_POLY1305 mechanism  
CHACHA20-POLY1305 AlgorithmParameters <=> CKM_CHACHA20_POLY1305 mechanism  
CHACHA20 SecretKeyFactory <=> CKM_CHACHA20_POLY1305 mechanism
See JDK-8255410

security-libs/javax.net.ssl
 ChaCha20 and Poly1305 TLS Cipher Suites

New TLS cipher suites using the ChaCha20-Poly1305 algorithm have been added to JSSE. These cipher suites are enabled by default. The TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3. The following cipher suites are available for TLS 1.2:

  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for details on these new TLS cipher suites.

See JDK-8140466

xml/jaxp
 New XML Processing Limits

Three processing limits have been added to the XML libraries. These are:

  • jdk.xml.xpathExprGrpLimit

Description: Limits the number of groups an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10.

  • jdk.xml.xpathExprOpLimit

Description: Limits the number of operators an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 100.

  • jdk.xml.xpathTotalOpLimit

Description: Limits the total number of XPath operators in an XSL Stylesheet.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10000.

Supported processors

  • jdk.xml.xpathExprGrpLimit and jdk.xml.xpathExprOpLimit are supported by the XPath processor.

  • All three limits are supported by the XSLT processor.

Setting properties

For the XSLT processor, the properties can be changed through the TransformerFactory. For example,

        TransformerFactory factory = TransformerFactory.newInstance();

        factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");

For both the XPath and XSLT processors, the properties can be set through the system property and jaxp.properties configuration file located in the conf directory of the Java installation. For example,

        System.setProperty("jdk.xml.xpathExprGrpLimit", "20");

or in the jaxp.properties file,

        jdk.xml.xpathExprGrpLimit=20

 

There are two known issues:

  1. An XPath expression that contains a short form of the parent axis ".." can return incorrect results. See JDK-8284920 for details.
  2. An invalid XPath expression that ends with a relational operator such as ‘<’ ‘>’ and ‘=’ will cause the processor to erroneously throw StringIndexOutOfBoundsException instead of XPathExpressionException. See JDK-8284548 for details.
JDK-8270504 (not public)

Other Notes

security-libs/java.security
 Only Expose Certificates With Proper Trust Settings as Trusted Certificate Entries in macOS KeychainStore

On macOS, only certificates with proper trust settings in the user keychain will be exposed as trusted certificate entries in the KeychainStore type of keystore. Also, calling the KeyStore::setCertificateEntry method or the keytool -importcert command on a KeychainStore keystore now fails with a KeyStoreException. Instead, call the macOS "security add-trusted-cert" command to add a trusted certificate into the user keychain.

JDK-8278449 (not public)

core-libs/javax.naming
 Parsing of URL Strings in Built-in JNDI Providers Is More Strict

The parsing of URLs in the LDAP, DNS, and RMI built-in JNDI providers has been made more strict. The strength of the parsing can be controlled by system properties:

  -Dcom.sun.jndi.ldapURLParsing="legacy" | "compat" | "strict"    (to control "ldap:" URLs)

  -Dcom.sun.jndi.dnsURLParsing="legacy" | "compat" | "strict"     (to control "dns:" URLs)
  -Dcom.sun.jndi.rmiURLParsing="legacy" | "compat" | "strict"     (to control "rmi:" URLs)

 

The default value is "compat" for all of the three providers.

  • The "legacy" mode turns the new validation off.
  • The "compat" mode limits incompatibilities.
  • The "strict" mode is stricter and may cause regression by rejecting URLs that an application might consider as valid.

In "compat" and "strict" mode, more validation is performed. As an example, in the URL authority component, the new parsing only accepts brackets around IPv6 literal addresses. Developers are encouraged to use java.net.URI constructors or its factory method to build URLs rather than handcrafting URL strings.

If an illegal URL string is found, a java.lang.IllegalArgumentException or a javax.naming.NamingException (or a subclass of it) is raised.

JDK-8278972 (not public)

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.15:

# BugId Component Subcomponent Description
1 JDK-8233827 client-libs Enable screenshots in the enhanced failure handler on Linux/macOS
2 JDK-8270874 client-libs 2d JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
3 JDK-8258554 client-libs javax.swing javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
4 JDK-8257620 core-libs Do not use objc_msgSend_stret to get macOS version
5 JDK-8275650 core-libs java.io Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
6 JDK-8279833 core-libs java.lang Loop optimization issue in String.encodeUTF8_UTF16
7 JDK-8275703 core-libs java.lang System.loadLibrary fails on Big Sur for libraries hidden from filesystem
8 JDK-8236596 core-libs java.net HttpClient leaves HTTP/2 sockets in CLOSE_WAIT, when using proxy tunnel
9 JDK-8218546 core-libs java.net Unable to connect to https://google.com using java.net.HttpClient
10 JDK-8262844 core-libs java.nio (fs) FileStore.supportsFileAttributeView might return false negative in case of ext3
11 JDK-8272473 core-libs java.time Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
12 JDK-8214761 core-libs java.util.stream Bug in parallel Kahan summation implementation
13 JDK-8242283 core-libs java.util:i18n Can't start JVM when java home path includes non-ASCII character
14 JDK-8273790 core-libs java.util:i18n Potential cyclic dependencies between Gregorian and CalendarSystem
15 JDK-8274658 core-libs java.util:i18n ISO 4217 Amendment 170 Update
16 JDK-8277795 core-libs javax.naming LDAP connection timeout not honoured under contention
17 JDK-8266187 core-svc java.lang.instrument Memory leak in appendBootClassPath()
18 JDK-8273575 core-svc java.lang.instrument memory leak in appendBootClassPath(), paths must be deallocated
19 JDK-8258836 core-svc java.lang.management JNI local refs exceed capacity getDiagnosticCommandInfo
20 JDK-8251155 core-svc tools HostIdentifier fails to canonicalize hostnames starting with digits
21 JDK-8238710 core-svc tools LingeredApp doesn't log stdout/stderr if exits with non-zero code
22 JDK-8223141 hotspot compiler Change (count) suffix _ct into _cnt.
23 JDK-8229797 hotspot compiler [JVMCI] Clean up no longer used JVMCI::dependencies_invalid value
24 JDK-8251930 hotspot compiler AArch64: Native types mismatch in hotspot
25 JDK-8268882 hotspot compiler C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
26 JDK-8276105 hotspot compiler C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly
27 JDK-8223142 hotspot compiler Clean-up WS and CB.
28 JDK-8211170 hotspot compiler AArch64: Warnings in C1 and template interpreter
29 JDK-8277441 hotspot compiler CompileQueue::add fails with assert(_last->next() == __null) failed: not last
30 JDK-8275610 hotspot compiler C2: Object field load floats above its null check resulting in a segfault
31 JDK-8275326 hotspot compiler C2: assert(no_dead_loop) failed: dead loop detected
32 JDK-8262134 hotspot compiler compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
33 JDK-8277447 hotspot compiler Hotspot C1 compiler crashes on Kotlin suspend fun with loop
34 JDK-8273277 hotspot compiler C2: Move conditional negation into rc_predicate
35 JDK-8271202 hotspot compiler C1: assert(false) failed: live_in set of first block must be empty
36 JDK-8276157 hotspot compiler C2: Compiler stack overflow during escape analysis on Linux x86_32
37 JDK-8255004 hotspot compiler [JVMCI] expose JVM_ACC_FIELD_INITIALIZED_FINAL_UPDATE
38 JDK-8266923 hotspot compiler [JVMCI] expose StackOverflow::_stack_overflow_limit to JVMCI
39 JDK-8253842 hotspot compiler [JVMCI] Allow implicit exception to dispatch to other address in jvmci compilers.
40 JDK-8253015 hotspot compiler Aarch64: Move linux code out from generic CPU feature detection
41 JDK-8252518 hotspot compiler [JVMCI] cache the result of CompilerToVM.getComponentType
42 JDK-8261071 hotspot compiler AArch64: Refactor interpreter native wrappers
43 JDK-8279076 hotspot compiler C2: Bad AD file when matching SqrtF with UseSSE=0
44 JDK-8276314 hotspot compiler [JVMCI] check alignment of call displacement during code installation
45 JDK-8279225 hotspot compiler [arm32] C1 longs comparison operation destroys argument registers
46 JDK-8279412 hotspot compiler [JVMCI] failed speculations list must outlive any nmethod that refers to it
47 JDK-8278871 hotspot compiler [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
48 JDK-8210236 hotspot gc Prepare ciReceiverTypeData::translate_receiver_data_from for concurrent class unloading
49 JDK-8222072 hotspot jvmti JVMTI GenerateEvents() sends CompiledMethodLoad events to wrong jvmtiEnv
50 JDK-8276177 hotspot jvmti nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here"
51 JDK-8223400 hotspot runtime Replace some enums with static const members in hotspot/runtime
52 JDK-8240197 hotspot runtime Cannot start JVM when $JAVA_HOME includes CJK characters
53 JDK-8261075 hotspot runtime Create stubRoutines.inline.hpp with SafeFetch implementation
54 JDK-8263068 hotspot runtime Rename safefetch.hpp to safefetch.inline.hpp
55 JDK-8272345 hotspot runtime macos doesn't check `os::set_boot_path()` result
56 JDK-8254940 hotspot runtime AArch64: Cleanup non-product thread members
57 JDK-8266170 hotspot runtime -Wnonnull happens in classLoaderData.inline.hpp
58 JDK-8266172 hotspot runtime -Wstringop-overflow happens in vmError.cpp
59 JDK-8186780 hotspot runtime clang fastdebug assertion failure in os_linux_x86:os::verify_stack_alignment()
60 JDK-8274338 hotspot runtime com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror"
61 JDK-8274714 hotspot runtime Incorrect verifier protected access error message
62 JDK-8277342 hotspot runtime vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for
63 JDK-8278384 hotspot runtime Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT
64 JDK-8278309 hotspot runtime [windows] use of uninitialized OSThread::_state
65 JDK-8207011 hotspot runtime Remove uses of the register storage class specifier
66 JDK-8273341 hotspot runtime Update Siphash to version 1.0
67 JDK-8265150 hotspot svc AsyncGetCallTrace crashes on ResourceMark
68 JDK-8258471 hotspot svc-agent "search codecache" clhsdb command does not work
69 JDK-8274736 security-libs java.security Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
70 JDK-8257769 security-libs javax.crypto Cipher.getParameters() throws NPE for ChaCha20-Poly1305
71 JDK-8259319 security-libs javax.crypto:pkcs11 Illegal package access when SunPKCS11 requires SunJCE's classes
72 JDK-8255410 security-libs javax.crypto:pkcs11 Add ChaCha20 and Poly1305 support to SunPKCS11 provider
73 JDK-8241248 security-libs javax.net.ssl NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)
74 JDK-8140466 security-libs javax.net.ssl ChaCha20 and Poly1305 TLS Cipher Suites
75 JDK-8275811 security-libs javax.net.ssl Incorrect instance to dispose
76 JDK-8273894 security-libs org.ietf.jgss:krb5 ConcurrentModificationException raised every time ReferralsCache drops referral
77 JDK-8278069 tools javadoc(tool) JQuery v3.4.1 references still exists in Oracle JDK 11.0.13
78 JDK-8273682 tools jshell Upgrade Jline to 3.20.0
79 JDK-8255035 xml jaxp Update BCEL to Version 6.5.0
80 JDK-8276141 xml jaxp XPathFactory set/getProperty method
81 JDK-8282761 xml jaxp XPathFactoryImpl remove setProperty and getProperty methods