JDK 17.0.10 Release Notes
Java SE 17.0.10 - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 17.0.10 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 17.0.10.0.1
Bug Fixes
January 16, 2024Fixes from the prior BPR are included in this version.
Java™ SE Development Kit 17, Update 17.0.10 (JDK 17.0.10)
January 16, 2024The full version string for this update release is 17.0.10+11 (where "+" means "build"). The version number is 17.0.10.
IANA TZ Data 2023c
For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime at the time of the release of JDK 17.0.10 are specified in the following table:
| Java Family Version | Security Baseline (Full Version String) |
|---|---|
| 17 | 17.0.10+11 |
| 11 | 11.0.22+9 |
| 8 | 8u401-b10 |
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.10) be used after the next critical patch update scheduled for April 16, 2024.
Java SE Subscription products customers managing JRE updates/installs for large number of desktops should consider using Java Management Service (JMS).
New Features
A new system property named org.jcp.xml.dsig.secureValidation has been added. It can be used to enable or disable the XML Signature secure validation mode. The system property should be set to "true" to enable, or "false" to disable. Any other value for the system property is treated as "false". If the system property is set, it supersedes the XMLCryptoContext property value.
By default, secure validation mode is enabled. Disabling secure validation mode is done at your own risk.
Known Issues
When the C1 compiler is the only compiler available to the VM, it applies loop predication to remove array access range checks from loop bodies. Due to a defect, this optimization was disabled, potentially leading to a performance regression.
This only affects the client VM or VM's running with the non-default command line flags -XX:+NeverActAsServerClassMachine or -XX:TieredStopAtLevel=[1,2,3].
Other Notes
jdk.jar.maxSignatureFileSize
(JDK-8312489)
The system property, jdk.jar.maxSignatureFileSize, allows applications to control the maximum size of signature files in a signed JAR. Its default value has been increased from 8000000 bytes (8 MB) to 16000000 bytes (16 MB).
The following root certificates have been added to the cacerts truststore:
+ DigiCert, Inc.
+ digicertcseccrootg5
DN: CN=CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+ DigiCert, Inc.
+ digicertcsrsarootg5
DN: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+ DigiCert, Inc.
+ digicerttlseccrootg5
DN: DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+ DigiCert, Inc.
+ digicerttlsrsarootg5
DN: DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
The following root certificates have been added to the cacerts truststore:
+ eMudhra Technologies Limited
+ emsignrootcag1
DN: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+ eMudhra Technologies Limited
+ emsigneccrootcag3
DN: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+ eMudhra Technologies Limited
+ emsignrootcag2
DN: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
The following root certificate has been added to the cacerts truststore:
+ Telia Root CA v2
+ teliarootcav2
DN: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI
The following root certificate has been added to the cacerts truststore:
+ Let's Encrypt
+ letsencryptisrgx2
DN: CN=ISRG Root X2, O=Internet Security Research Group, C=US
X509KeyManager.chooseClientAlias Once for All Key Types
(JDK-8262186)
The (D)TLS implementation in JDK now calls X509KeyManager.chooseClientAlias() only once during handshaking for client authentication, even if there are multiple algorithms requested .
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 17.0.10:
| # | JBS | Component | Summary |
|---|---|---|---|
| 1 | JDK-8238436 | client-libs/java.awt | java/awt/Frame/FrameLocationTest/FrameLocationTest.java fails |
| 2 | JDK-8294427 | client-libs/javax.swing | Check boxes and radio buttons have rendering issues on Windows in High DPI env |
| 3 | JDK-8282444 | core-libs/java.lang.module | Module finder incorrectly assumes default file system path-separator character |
| 4 | JDK-8293659 | core-libs/java.lang:class_loading | Improve UnsatisfiedLinkError error message to include dlopen error details |
| 5 | JDK-8299015 | core-libs/java.net | Ensure that HttpResponse.BodySubscribers.ofFile writes all bytes |
| 6 | JDK-8274562 | core-libs/java.nio | (fs) UserDefinedFileAttributeView doesn't correctly determine if supported when using OverlayFS |
| 7 | JDK-8273162 | core-libs/java.util | AbstractSplittableWithBrineGenerator does not create a random salt |
| 8 | JDK-8301637 | core-libs/java.util.concurrent | ThreadLocalRandom.current().doubles().parallel() contention |
| 9 | JDK-8314263 | core-libs/java.util.logging | Signed jars triggering Logger finder recursion and StackOverflowError |
| 10 | JDK-8303440 | core-libs/java.util:i18n | The "ZonedDateTime.parse" may not accept the "UTC+XX" zone id |
| 11 | JDK-8313657 | core-libs/javax.naming | com.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors |
| 12 | JDK-8314063 | core-libs/javax.naming | The socket is not closed in Connection::createSocket when the handshake failed for LDAP connection |
| 13 | JDK-8299658 | hotspot/compiler | C1 compilation crashes in LinearScan::resolve_exception_edge |
| 14 | JDK-8301489 | hotspot/compiler | C1: ShortLoopOptimizer might lift instructions before their inputs |
| 15 | JDK-8313626 | hotspot/compiler | C2 crash due to unexpected exception control flow |
| 16 | JDK-8313402 | hotspot/compiler | C1: Incorrect LoadIndexed value numbering |
| 17 | JDK-8312909 | hotspot/compiler | C1 should not inline through interface calls with non-subtype receiver |
| 18 | JDK-8303279 | hotspot/compiler | C2: crash in SubTypeCheckNode::sub() at IGVN split if |
| 19 | JDK-8304954 | hotspot/compiler | SegmentedCodeCache fails when using large pages |
| 20 | JDK-8316178 | hotspot/compiler | Better diagnostic header for CodeBlobs |
| 21 | JDK-8315377 | hotspot/compiler | C2: assert(u->find_out_with(Op_AddP) == nullptr) failed: more than 2 chained AddP nodes? |
| 22 | JDK-8316514 | hotspot/compiler | Better diagnostic header for VtableStub |
| 23 | JDK-8314024 | hotspot/compiler | SIGSEGV in PhaseIdealLoop::build_loop_late_post_work due to bad immediate dominator info |
| 24 | JDK-8313262 | hotspot/compiler | C2: Sinking node may cause required cast to be dropped |
| 25 | JDK-8312440 | hotspot/compiler | assert(cast != nullptr) failed: must have added a cast to pin the node |
| 26 | JDK-8313756 | hotspot/compiler | [BACKOUT] 8308682: Enhance AES performance |
| 27 | JDK-8313760 | hotspot/compiler | [REDO] Enhance AES performance |
| 28 | JDK-8308103 | hotspot/compiler | Massive (up to ~30x) increase in C2 compilation time since JDK 17 |
| 29 | JDK-8309119 | hotspot/compiler | [17u/11u] Redo JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication |
| 30 | JDK-8307683 | hotspot/compiler | Loop Predication should not hoist range checks with trap on success projection by negating their condition |
| 31 | JDK-8275333 | hotspot/gc | Print count in "Too many recored phases?" assert |
| 32 | JDK-8316906 | hotspot/gc | Clarify TLABWasteTargetPercent flag |
| 33 | JDK-8270894 | hotspot/runtime | Use acquire semantics in ObjectSynchronizer::read_stable_mark() |
| 34 | JDK-8305994 | hotspot/runtime | Guarantee eventual async monitor deflation |
| 35 | JDK-8309228 | hotspot/runtime | Clarify EXPERIMENTAL flags comment in hotspot/share/runtime/globals.hpp |
| 36 | JDK-8306825 | hotspot/runtime | Monitor deflation might be accidentally disabled by zero intervals |
| 37 | JDK-8279545 | hotspot/runtime | Buffer overrun in reverse_words of sharedRuntime_x86_64.cpp:3517 |
| 38 | JDK-8283326 | hotspot/runtime | Implement SafeFetch statically |
| 39 | JDK-8314679 | hotspot/svc-agent | SA fails to properly attach to JVM after having just detached from a different JVM |
| 40 | JDK-8320597 | security-libs/java.security | RSA signature verification fails on signed data that does not encode params correctly |
| 41 | JDK-8302017 | security-libs/java.security | Allocate BadPaddingException only if it will be thrown |
| 42 | JDK-8311592 | security-libs/javax.crypto | ECKeySizeParameterSpec causes too many exceptions on third party providers |
| 43 | JDK-8313742 | security-libs/javax.crypto | ZipFile.getManifestName fails during jar verification for Spring Boot |
| 44 | JDK-8291154 | tools/javac | Create a non static nested class without enclosing class throws VerifyError |
| 45 | JDK-8301247 | tools/jpackage | JPackage app-image exe launches multiple exe's in JDK 17+ |
| 46 | JDK-8313792 | tools/jshell | Verify 4th party information in src/jdk.internal.le/share/legal/jline.md |