January 14, 2020
The full version string for this update release is 11.0.6+8 (where "+" means "build"). The version number is 11.0.6.
JDK 11.0.6 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.6 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.6+8 |
8 | 1.8.0_241-b07 |
7 | 1.7.0_251-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.6) be used after the next critical patch update scheduled for April 14, 2020.
➜ Allow SASL Mechanisms to Be Restricted
A security property named jdk.sasl.disabledMechanisms has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms argument of Sasl.createSaslClient or the mechanism argument of Sasl.createSaslServer. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.
See JDK-8200400
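The following added example (not part of the original release notes) shows the effect of the property on Sasl.createSaslClient: a request naming only disabled mechanisms yields no client, while a mixed request falls through to the first mechanism still allowed. The class name, user, password and server name are constructed for illustration, and the example assumes the property value is a comma-separated list that is read when the Sasl class is first used.

```java
import java.security.Security;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;

public class SaslDisabledMechanismsDemo {

    static String describe(SaslClient client) {
        return client == null ? "no client created (null)" : client.getMechanismName();
    }

    public static void main(String[] args) throws Exception {
        // Same effect as this line in the java.security file:
        //   jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5
        // Assumption: the value is read when the Sasl class initializes, so it
        // is set here before the first call into Sasl.
        Security.setProperty("jdk.sasl.disabledMechanisms", "PLAIN, CRAM-MD5");

        // Constructed credentials; only the mechanism selection matters here.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName("demo-user");
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword("demo-password".toCharArray());
                }
            }
        };

        // Only a disabled mechanism is offered: it is ignored.
        SaslClient onlyDisabled = Sasl.createSaslClient(
                new String[] {"PLAIN"}, null, "ldap", "ldap.example.test", null, handler);
        System.out.println("PLAIN only        -> " + describe(onlyDisabled));

        // The disabled mechanism is skipped and the next one is tried.
        SaslClient mixed = Sasl.createSaslClient(
                new String[] {"PLAIN", "DIGEST-MD5"}, null, "ldap", "ldap.example.test",
                null, handler);
        System.out.println("PLAIN, DIGEST-MD5 -> " + describe(mixed));
    }
}
```

Callers that previously assumed a non-null client for PLAIN need a null check once the mechanism is disabled.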
➜ SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40
The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.
See JDK-8080462
The java.rmi.Remote marker interface identifies interfaces containing methods that can be invoked remotely by using the following specification:
java.rmi.Remote can be invoked remotely
Remote directly or indirectly cannot be invoked remotely
This affects remote objects in the java.rmi.registry.Registry and any other remote object.
JDK-8230967 (not public)
➜ New Checks on Trust Anchor Certificates
New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.
A new system property named jdk.security.allowNonCaAnchor has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.
The default value of this property, if not set, is "false".
Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).
This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.
JDK-8230318 (not public)
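Before upgrading, a truststore can be audited for anchors that would fail the checks described above. The following is an added example, not code from the JDK or from the original release notes; the class name AnchorAudit is hypothetical, and the default path (the JDK's own cacerts) and password "changeit" are assumptions that can be overridden on the command line.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class AnchorAudit {
    // Position of keyCertSign in the array returned by getKeyUsage().
    private static final int KEY_CERT_SIGN = 5;

    /** Returns "OK" or a short reason why the anchor deserves a closer look. */
    static String classify(X509Certificate cert) {
        if (cert.getVersion() < 3) {
            // Pre-v3 certificates cannot carry extensions, so the extension
            // checks cannot be evaluated; list them separately.
            return "X.509 v" + cert.getVersion() + " (no extensions to check)";
        }
        // getBasicConstraints() returns -1 when the extension is absent
        // or when its cA field is false.
        if (cert.getBasicConstraints() == -1) {
            return "Basic Constraints missing or cA=false";
        }
        boolean[] keyUsage = cert.getKeyUsage(); // null when the extension is absent
        if (keyUsage != null
                && (keyUsage.length <= KEY_CERT_SIGN || !keyUsage[KEY_CERT_SIGN])) {
            return "Key Usage present but keyCertSign not set";
        }
        return "OK";
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the running JDK's cacerts file and its stock password.
        File store = args.length > 0 ? new File(args[0])
                : new File(System.getProperty("java.home"), "lib/security/cacerts");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(store, password);
        int checked = 0;
        int flagged = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!ks.isCertificateEntry(alias) || !(c instanceof X509Certificate)) {
                continue; // only trusted-certificate entries act as anchors
            }
            checked++;
            String verdict = classify((X509Certificate) c);
            if (!"OK".equals(verdict)) {
                flagged++;
                System.out.printf("%s: %s%n", alias, verdict);
            }
        }
        System.out.printf("%d anchors checked, %d flagged in %s%n", checked, flagged, store);
    }
}
```

Anchors reported here are candidates for reissue as proper CA certificates rather than a reason to set jdk.security.allowNonCaAnchor.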
➜ Exact Match Required for Trusted TLS Server Certificate
A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.
JDK-8227758 (not public)
➜ Added LuxTrust Global Root 2 Certificate
The following root certificate has been added to the cacerts truststore:
+ LuxTrust
+ luxtrustglobalroot2ca
DN: CN=LuxTrust Global Root 2, O=LuxTrust S.A., C=LU
See JDK-8232019
➜ Added 4 Amazon Root CA Certificates
The following root certificates have been added to the cacerts truststore:
+ Amazon
+ amazonrootca1
DN: CN=Amazon Root CA 1, O=Amazon, C=US
+ amazonrootca2
DN: CN=Amazon Root CA 2, O=Amazon, C=US
+ amazonrootca3
DN: CN=Amazon Root CA 3, O=Amazon, C=US
+ amazonrootca4
DN: CN=Amazon Root CA 4, O=Amazon, C=US
See JDK-8233223
➜ Turn off AOT by Default and Change Related Flags to Experimental
The following AOT-related flags have been made experimental: UseAOT, PrintAOT and AOTLibrary. Also, the default value of UseAOT has been changed from enabled to disabled.
See JDK-8227439
Epsilon GC may have violated the specification requirements by accepting the type-incompatible store into the array, instead of throwing the ArrayStoreException. This is now handled correctly, both in this release, and associated backports. Users are advised to upgrade as soon as possible.
The following are some of the notable bug fixes included in this release:
➜ Memory Growth Issue in SunPKCS11 Fixed
A memory growth issue in the SunPKCS11 cryptographic provider that affects the NSS back-end has been fixed.
A system property, sun.security.pkcs11.disableKeyExtraction, has been introduced to disable the fix. A "true" value disables the fix, while a "false" value (default) keeps it enabled.
When enabled, PKCS#11 attributes of the NSS native keys are copied to Java byte buffers after key creation. Once used, NSS keys are destroyed and native heap space is freed up. If NSS keys are required again, they are recreated with the previously saved attributes.
Further information and implementation details can be found in the CSR: JDK-8213430
See JDK-6913047
➜ Better Serial Filter Handling
The jdk.serialFilter system property can only be set on the command line. If the filter has not been set on the command line, it can be set with java.io.ObjectInputFilter.Config.setSerialFilter. Setting the jdk.serialFilter with java.lang.System.setProperty has no effect.
JDK-8231422 (not public)
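The following added example (not from the original release notes) exercises both routes: it sets the property with System.setProperty, prints the process-wide filter that results, and then installs a filter through ObjectInputFilter.Config.setSerialFilter. The class names, the Payload type and the pattern "java.base/*;!*" are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;

public class SerialFilterDemo {
    // Hypothetical application class outside java.base, used as the rejected type.
    static class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static String tryRead(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Per the note above, this call does not install a filter.
        System.setProperty("jdk.serialFilter", "!*");
        System.out.println("filter after System.setProperty: "
                + ObjectInputFilter.Config.getSerialFilter());

        // The process-wide filter can be set only once; a second attempt throws
        // IllegalStateException, so check whether one is already in place
        // (for example from -Djdk.serialFilter=... on the command line).
        if (ObjectInputFilter.Config.getSerialFilter() == null) {
            ObjectInputFilter.Config.setSerialFilter(
                    ObjectInputFilter.Config.createFilter("java.base/*;!*"));
        }
        System.out.println("filter now in effect: "
                + ObjectInputFilter.Config.getSerialFilter());

        // java.util.Date lives in java.base; Payload does not.
        System.out.println("Date    -> " + tryRead(serialize(new Date())));
        System.out.println("Payload -> " + tryRead(serialize(new Payload())));
    }
}
```

Code that relied on System.setProperty to harden deserialization at startup should move the filter to the command line or to an early call to setSerialFilter.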
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.6:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8208179 | client-libs | 2d | Devanagari not shown with logical fonts on Windows after removal of Lucida Sans from JDK |
2 | JDK-8210384 | client-libs | 2d | SunLayoutEngine.isAAT() font is expensive on MacOS |
3 | JDK-8212071 | client-libs | 2d | Need to set the FreeType LCD Filter to reduce fringing. |
4 | JDK-8213568 | client-libs | 2d | Typo in java/awt/GraphicsEnvironment/LoadLock/GE_init5.java |
5 | JDK-8217707 | client-libs | 2d | JNICALL declaration breaks Splash screen functions |
6 | JDK-8220231 | client-libs | 2d | Cache HarfBuzz face object for same font's text layout calls |
7 | JDK-8228711 | client-libs | 2d | Path rendered incorrectly when it goes outside the clipping region |
8 | JDK-8230728 | client-libs | 2d | Thin stroked shapes are not rendered if affine transform has flip bit |
9 | JDK-8230769 | client-libs | 2d | BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return |
10 | JDK-8144125 | client-libs | java.awt | [macos] java/awt/event/ComponentEvent/MovedResizedTwiceTest/MovedResizedTwiceTest.java failed automatically |
11 | JDK-8211267 | client-libs | java.awt | StackOverflowError happened by TextField.setFont(...) |
12 | JDK-8211810 | client-libs | java.awt | X11 Time stamp data should be unsigned |
13 | JDK-8211826 | client-libs | java.awt | StringIndexOutOfBoundsException happens via GetStringUTFRegion() |
14 | JDK-8211992 | client-libs | java.awt | GraphicsConfiguration.getDevice().getDisplayMode() causes JVM crash on Mac |
15 | JDK-8212677 | client-libs | java.awt | X11 default visual support for IM status window on VNC |
16 | JDK-8213119 | client-libs | java.awt | [macos] java/awt/GraphicsDevice/CheckDisplayModes.java fails |
17 | JDK-8213292 | client-libs | java.awt | Input freezes after MacOS key-selector (press&hold) usage on macOS Mojave |
18 | JDK-8214046 | client-libs | java.awt | [macosx] Undecorated Frame does not Iconify when set to |
19 | JDK-8215105 | client-libs | java.awt | java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color |
20 | JDK-8215200 | client-libs | java.awt | IllegalArgumentException in sun.lwawt.macosx.CPlatformWindow |
21 | JDK-8215756 | client-libs | java.awt | Memory leaks in the AWT on macOS |
22 | JDK-8219504 | client-libs | java.awt | Test for JDK-8211435 can be run on all platforms |
23 | JDK-8221246 | client-libs | java.awt | NullPointerException within Win32ShellFolder2 |
24 | JDK-8224152 | client-libs | java.awt | [macOS] ProblemList tests that leave rubbish on the screen |
25 | JDK-8230782 | client-libs | java.awt | Robot.createScreenCapture() fails if “awt.robot.gtk” is set to false |
26 | JDK-8211393 | client-libs | java.awt:i18n | Memory leak issue on awt_InputMethod.c |
27 | JDK-8211147 | client-libs | java.beans | Incorrect comparator com.sun.beans.introspect.MethodInfo.MethodOrder |
28 | JDK-8221244 | client-libs | java.beans | Unexpected behavior of PropertyDescription.getReadMethod for boolean properties |
29 | JDK-8225505 | client-libs | javax.swing | ctrl-F1 does not show the tooltip of a menu item (JMenuItems) |
30 | JDK-8185898 | core-libs | java.net | setRequestProperty(key, null) results in HTTP header without colon in request |
31 | JDK-8221395 | core-libs | java.net | HttpClient leaving connections in CLOSE_WAIT state until Java process ends |
32 | JDK-8222968 | core-libs | java.net | ByteArrayPublisher is not thread-safe resulting in broken re-use of HttpRequests |
33 | JDK-8227127 | core-libs | java.text | Era designator not displayed correctly using the COMPAT provider |
34 | JDK-8212970 | core-libs | java.time | TZ database in "vanguard" format support |
35 | JDK-8231770 | core-libs | java.util.jar | Test java/util/zip/FlaterTest.java fails with -Xcheck:jni |
36 | JDK-8227368 | core-libs | java.util:collections | EnumSet.class serialization broken in JDK 9+ |
37 | JDK-8220227 | core-libs | java.util:i18n | Host Locale Provider getDisplayCountry returns error message under non-English Win10 |
38 | JDK-8227391 | core-libs | jdk.nashorn | Update double-conversion to version 3.1.5 |
39 | JDK-8232984 | core-libs | jdk.nashorn | Upgrading Joni License version to 2.1.16 |
40 | JDK-8230303 | core-svc | debugger | JDB hangs when running monitor command |
41 | JDK-8220474 | core-svc | java.lang.instrument | Incorrect GPL header in src/java.instrument/share/classes/java/lang/instrument/package-info.java |
42 | JDK-8220175 | core-svc | tools | serviceability/dcmd/framework/VMVersionTest.java fails with a timeout |
43 | JDK-8087128 | hotspot | compiler | C2: Disallow definition split on MachCopySpill nodes |
44 | JDK-8202952 | hotspot | compiler | C2: Unexpected dead nodes after matching |
45 | JDK-8209691 | hotspot | compiler | Allow MemBar on single memory slice |
46 | JDK-8209833 | hotspot | compiler | C2 compilation fails with "assert(ex_map->jvms()->same_calls_as(_exceptions->jvms())) failed: all collected exceptions must come from the same place" |
47 | JDK-8210387 | hotspot | compiler | C2 compilation fails with "assert(node->_last_del == _last) failed: must have deleted the edge just produced" |
48 | JDK-8210390 | hotspot | compiler | C2 still crashes with "assert(mode == ControlAroundStripMined && use == sfpt) failed: missed a node" |
49 | JDK-8211232 | hotspot | compiler | GraphKit::make_runtime_call() sometimes attaches wrong memory state to call |
50 | JDK-8211776 | hotspot | compiler | 8210887 broke arraycopy optimization when ZGC is enabled |
51 | JDK-8212673 | hotspot | compiler | jtreg/applications/runthese/RunThese30M.java fails in C2 with "assert(!had_error) failed: bad dominance" |
52 | JDK-8213014 | hotspot | compiler | Crash in CompileBroker::make_thread due to OOM |
53 | JDK-8214773 | hotspot | compiler | Replace use of thread unsafe strtok |
54 | JDK-8215044 | hotspot | compiler | C2 crash in loopTransform.cpp with assert(cl->trip_count() > 0) failed: peeling a fully unrolled loop |
55 | JDK-8215265 | hotspot | compiler | C2: range check elimination may allow illegal out of bound access |
56 | JDK-8215708 | hotspot | compiler | ZGC: Add missing LoadBarrierNode::size_of() |
57 | JDK-8215755 | hotspot | compiler | ZGC: split_barrier_thru_phi: check number of inputs of phi |
58 | JDK-8216135 | hotspot | compiler | C2 assert(!had_error) failed: bad dominance |
59 | JDK-8216427 | hotspot | compiler | ciMethodData::load_extra_data() does not always unpack the last entry |
60 | JDK-8216549 | hotspot | compiler | Mismatched unsafe access to non escaping object fails |
61 | JDK-8216987 | hotspot | compiler | ciMethodData::load_data() unpacks MDOs with non-atomic copy |
62 | JDK-8217359 | hotspot | compiler | C2 compiler triggers SIGSEGV after transformation in ConvI2LNode::Ideal |
63 | JDK-8217371 | hotspot | compiler | Incorrect LP64 guard in x86.ad after JDK-8210764 (Update avx512 implementation) |
64 | JDK-8217760 | hotspot | compiler | C2: Missing symbolic info on a call from intrinsics when invoked through MethodHandle |
65 | JDK-8218163 | hotspot | compiler | C2: Continuous deoptimization w/ Reason_speculate_class_check and Action_none |
66 | JDK-8218468 | hotspot | compiler | Load barrier slow path node should be MachTypeNode |
67 | JDK-8219517 | hotspot | compiler | assert(false) failed: infinite loop in PhaseIterGVN::optimize |
68 | JDK-8221456 | hotspot | compiler | nmethod::make_unloaded() clears _method member too early |
69 | JDK-8224538 | hotspot | compiler | LoadBarrierNode::common_barrier must check address |
70 | JDK-8224558 | hotspot | compiler | Fix replicateB encoding |
71 | JDK-8225141 | hotspot | compiler | Better handling of classes in error state by fast class initialization checks |
72 | JDK-8229906 | hotspot | compiler | Backout backport 8227318 which was incomplete |
73 | JDK-8230711 | hotspot | compiler | ConnectionGraph::unique_java_object(Node* N) return NULL if n is not in the CG |
74 | JDK-8214315 | hotspot | gc | G1: fatal error: acquiring lock SATB_Q_FL_lock/1 out of order with lock tty_lock/0 |
75 | JDK-8215724 | hotspot | gc | Epsilon: ArrayStoreExceptionTest.java fails; missing arraycopy check |
76 | JDK-8221913 | hotspot | gc | Add GC.selected() jtreg-ext function |
77 | JDK-8225716 | hotspot | gc | G1 GC: Undefined behaviour in G1BlockOffsetTablePart::block_at_or_preceding |
78 | JDK-8230706 | hotspot | gc | Waiting on completion of strong nmethod processing causes long pause times with G1 |
79 | JDK-8205516 | hotspot | jfr | JFR tool |
80 | JDK-8213834 | hotspot | jvmti | JVMTI ResourceExhausted should not be posted in CompilerThread |
81 | JDK-8227277 | hotspot | jvmti | HeapInspection::find_instances_at_safepoint walks dead objects |
82 | JDK-8193234 | hotspot | runtime | When using -Xcheck:jni an internally allocated buffer can leak |
83 | JDK-8200109 | hotspot | runtime | NMT: diff_malloc_site assert(early->flags() == current->flags(), "Must be the same memory type") |
84 | JDK-8210043 | hotspot | runtime | Invalid assert(HeapBaseMinAddress > 0) in ReservedHeapSpace::initialize_compressed_heap |
85 | JDK-8210559 | hotspot | runtime | ClassLoaderData Symbols can leak |
86 | JDK-8212173 | hotspot | runtime | Thread._stack_base/_stack_size initialized too late for new threads |
87 | JDK-8212205 | hotspot | runtime | VM asserts after CDS archive has been unmapped |
88 | JDK-8212937 | hotspot | runtime | Parent class loader may not have a referred ClassLoaderData instance when obtained in Klass::class_in_module_of_loader |
89 | JDK-8214975 | hotspot | runtime | No hs-err file if fatal error is raised during dynamic initialization. |
90 | JDK-8215699 | hotspot | runtime | -Xlog::file cannot be used with named pipe |
91 | JDK-8215962 | hotspot | runtime | Support ThreadPriorityPolicy mode 1 for non-root users on linux/bsd |
92 | JDK-8216426 | hotspot | runtime | Usage of array placement new may lead to memory corruption |
93 | JDK-8216970 | hotspot | runtime | condy causes JVM crash |
94 | JDK-8216982 | hotspot | runtime | Assertion poison page established too early |
95 | JDK-8218581 | hotspot | runtime | Incorrect exception message generation |
96 | JDK-8220173 | hotspot | runtime | assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark |
97 | JDK-8220394 | hotspot | runtime | bufferedStream does not honor size limit |
98 | JDK-8221437 | hotspot | runtime | assert(java_lang_invoke_ResolvedMethodName::vmtarget(resolved_method()) == m()) failed: Should not change after link resolution |
99 | JDK-8222387 | hotspot | runtime | Out-of-bounds access to CPU _family_id_xxx array |
100 | JDK-8223572 | hotspot | runtime | ~ThreadInVMForHandshake() should call handle_special_runtime_exit_condition() |
101 | JDK-8224193 | hotspot | runtime | stringStream should not use Resource Area |
102 | JDK-8224487 | hotspot | runtime | outputStream should not be copyable |
103 | JDK-8225225 | hotspot | runtime | stringStream internal buffer should always be zero terminated |
104 | JDK-8227117 | hotspot | runtime | normal interpreter table is not restored after single stepping with TLH |
105 | JDK-8227497 | hotspot | runtime | No documented method for setting module addexports to JNI_CreateJavaVM |
106 | JDK-8228485 | hotspot | runtime | JVM crashes when bootstrap method for condy triggers loading of class whose static initializer throws exception |
107 | JDK-8021335 | hotspot | svc | Missing synchronization when reading counters for live threads and peak thread count |
108 | JDK-8221532 | hotspot | svc | Incorrect copyright header in FileSystemSupport_md.c |
109 | JDK-8225388 | hotspot | svc | Running jcmd Compiler.CodeHeap_Analytics all 0 cause crash. |
110 | JDK-8200613 | hotspot | svc-agent | SA: jstack throws UnmappedAddressException with a CDS core file |
111 | JDK-8220682 | hotspot | svc-agent | Heap dumping and inspection fails with JDK-8214712 |
112 | JDK-8218553 | security-libs | java.security | Enhance keystore load debug output |
113 | JDK-8213008 | security-libs | javax.crypto:pkcs11 | Cipher with UNWRAP_MODE should support the generation of an AES key type |
114 | JDK-8216597 | security-libs | javax.crypto:pkcs11 | SIGBUS in Java_sun_security_pkcs11_wrapper_PKCS11_getNativeKeyInfo after JDK-6913047 |
115 | JDK-8225695 | security-libs | javax.crypto:pkcs11 | 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support) |
116 | JDK-8226651 | security-libs | javax.crypto:pkcs11 | Setting the mgfHash in CK_RSA_PKCS_PSS_PARAMS has no effect |
117 | JDK-8228835 | security-libs | javax.crypto:pkcs11 | Memory leak in PKCS11 provider when using AES GCM |
118 | JDK-8211866 | security-libs | javax.net.ssl | TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms |
119 | JDK-8212738 | security-libs | javax.net.ssl | Incorrectly named signature scheme ecdsa_secp512r1_sha512 |
120 | JDK-8212752 | security-libs | javax.net.ssl | Typo in SSL log message related to inactive/disabled signature scheme |
121 | JDK-8214098 | security-libs | javax.net.ssl | sun.security.ssl.HandshakeHash.T12HandshakeHash constructor check backwards. |
122 | JDK-8215524 | security-libs | javax.net.ssl | Finished message validation failure should be decrypt_error alert |
123 | JDK-8226607 | security-libs | javax.smartcardio | Inconsistent info between pcsclite.md and MUSCLE headers |