java

JDK 21.0.5 Release Notes

Java™ SE Development Kit 21.0.5 (JDK 21.0.5)

Release date: October 15, 2024

The full version string for this update release is 21.0.5+9 (where "+" means "build"). The version number is 21.0.5.

 

IANA TZ Data 2024a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 21.0.5 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
2121.0.5+9
1717.0.13+10
1111.0.25+9
81.8.0_431-b10

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 21.0.5) be used after the next critical patch update scheduled for January 21, 2025.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

 

New Features

security-libs/java.security
 Thread and Timestamp Options for java.security.debug System Property (JDK-8051959)

The java.security.debug system property now accepts arguments which add thread ID, thread name, caller information, and timestamp information to debug statements for all components or a specific component.

+timestamp can be appended to debug options to print a timestamp for that debug option. +thread can be appended to debug options to print thread and caller information for that debug option.

Examples: -Djava.security.debug=all+timestamp+thread adds timestamp and thread information to every debug statement generated.

-Djava.security.debug=properties+timestamp adds timestamp information to every debug statement generated for the properties component.

You can also specify -Djava.security.debug=help which will display a complete list of supported components and arguments.

See Printing Thread and Timestamp Information for more information.

 

Notable Issues Resolved

install/install
 JDK RPM Upgrade Leaves Orphan Alternatives Entry (JDK-8336107 (not public))

Fixed the issue with entries in the "java" and "javac" groups not being properly managed during an RPM upgrade.

Upgrading from an older Java RPM installed into a shared directory (/usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}) to a Java RPM installing into a version-specific directory (/usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}), results in the older Java entries in the "java" and "javac" groups not being deleted.

The issue does not manifest until the new Java is uninstalled. When it is uninstalled and Java from the lower release is installed, running Java commands like java or keytool without the full path specified will result in the "command not found" error. For example, install 21.0.3; upgrade it to 21.0.4; uninstall 21.0.4; install any Java update of 17 or 11 or 8 release; run "java" from the command line. The command will fail with the "command not found" error.

Manually delete orphan Java entries in the "java" and "javac" groups to workaround the issue.

 

Other Notes

core-libs/java.net
 New Default Limits in the JDK HTTP Implementations (JDK-8328286 (not public))

New Default limits have been added to HTTP in the JDK.

The JDK built-in implementation of the legacy URL protocol handler for HTTP, HttpURLConnection, and the new HttpClient, in the module java.net.http, now have a default limit on the maximum response headers size they will accept from a remote party. The limit is set by default at 384kB (393216 bytes) and is computed as the cumulative size of all header names and header values plus an overhead of 32 bytes per header name value pair.

The default value of the limit can be changed by specifying a positive value with the jdk.http.maxHeaderSize system property on the command line, or in the appropriate conf.properties or net.properties file. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.

The JDK built-in implementation of the com.sun.net.httpserver.HttpServer (jdk.httpserver) implements a similar limit for the maximum request header size the server is prepared to accept. The HttpServer limit can be changed by specifying a positive value with the sun.net.httpserver.maxReqHeaderSize system property on the command line. A negative or zero value is interpreted as no limit. The limit is set by default at 384kB (393216 bytes) and the size is computed in the same way as explained above. If the limit is exceeded, the connection is closed.

In addition, the JDK built-in implementation of the new java.net.http.HttpClient enforces two additional limits:

The system property jdk.httpclient.maxNonFinalResponses can be specified with a positive value on the java command line, or in the conf.properties or net.properties file, to control how many interim responses the client will accept before receiving a final response. An interim response is considered informational and is a response whose status is in the range [100, 199]. These responses are typically either handled internally or simply discarded by the implementation. The default limit is now set at a maximum of 8 interim responses before receiving the final response. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.

The system property jdk.httpclient.maxLiteralWithIndexing can be specified with a positive value on the java command line, or in the conf.properties or net.properties file, to control how many additions a server may request a client to make to the HPack dynamic table when decoding a set of headers. The default maximum value is now set to 512. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.

security-libs/java.security
 Added SSL.com TLS Root CA Certificates Issued in 2022 (JDK-8341057)

The following root certificates have been added to the cacerts truststore:

+ SSL.com

  + ssltlsrootecc2022
    DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US

+ SSL.com
  + ssltlsrootrsa2022
    DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US

security-libs/javax.net.ssl
 Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024 (JDK-8337664)

The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.

TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.

An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:

TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048),

OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net

If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Entrust Root certificates included in the JDK:

Root Certificates distrusted after 2024-11-11
Distinguished Name SHA-256 Fingerprint
CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US

73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C

CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5

CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39

CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88

CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net

6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77

CN=AffirmTrust Commercial, O=AffirmTrust, C=US

03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7

CN=AffirmTrust Networking, O=AffirmTrust, C=US

0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B

CN=AffirmTrust Premium, O=AffirmTrust, C=US

70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A

CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US

BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23


You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.

core-libs/java.text
 MessageFormat ArgumentIndex Now Has a Limit (JDK-8331446 (not public))

In the JDK, java.text.MessageFormat now has an implementation limit for the ArgumentIndex pattern element. The hard limit for the value is 10,000.

If an ArgumentIndex value is equal to or exceeds the upper limit, an IllegalArgumentException will now be thrown by

  • MessageFormats constructors
  • applyPattern(String pattern) instance method
  • format(String pattern, Object... arguments) static method

De-serializing a MessageFormat object with an ArgumentIndex value at or over the limit will throw an InvalidObjectException.

core-svc/java.lang.management
 The ClassLoadingMXBean and MemoryMXBean isVerbose Methods Are Now Consistent with Their setVerbose Methods (JDK-8338139)

The ClassLoadingMXBean::setVerbose(boolean enabled) method will set class+load* logging on log output stdout to level info if enabled is true, and to level off otherwise. In contrast, the isVerbose method would check if exactly class+load logging was enabled at the info level on any log output. This could result in counter-intuitive behavior when logging class+load=info to a file via the command-line, as it caused isVerbose to return true, even after a call to setVerbose(false) had been made. A similar problem existed for the MemoryMXBean::isVerbose method. Starting with this release, the behavior is as follows:

  • ClassLoadingMXBean::isVerbose will return true only if class+load* logging (note the wildcard use) has been enabled at the info level (or above) on the stdout log output.
  • MemoryMXBean::isVerbose will return true only if gc logging has been enabled at the info level (or above) on the stdout log output.

security-libs/javax.crypto
 KEM.getInstance() Should Check If a Third-Party Security Provider Is Signed (JDK-8322971)

When instantiating a third-party security provider's implementation (class) of a KEM algorithm, the framework will determine the provider's codebase (JAR file) and verify its signature. In this way, JCA authenticates the provider and ensures that only providers signed by a trusted entity can be plugged into the JCA. This is consistent with other JCE service classes, such as Cipher, Mac, KeyAgreement, and others.

tools/launcher
 Available Locales Information Now Listed with -XshowSettings:locale Option (JDK-8310201)

The showSettings launcher option no longer prints available locales information by default, when -XshowSettings is used. The -XshowSettings:locale option will continue to print all settings related to available locales.

 

Updates to Third Party Libraries

Library New Version Module JBS
GIFlib 5.2.2 java.desktop JDK-8328999
Libpng 1.6.43 java.desktop JDK-8329004
JQuery 3.7.1 jdk.javadoc JDK-8330063

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 21.0.5:
# JBS Component/Subcomponent Summary
1JDK-8328896client-libs/2dFontmetrics for large Fonts has zero width
2JDK-8315701client-libs/java.awt[macos] Regression: KeyEvent has different keycode on different keyboard layouts
3JDK-8309621client-libs/java.awt[XWayland][Screencast] screen capture failure with sun.java2d.uiScale other than 1
4JDK-8313697client-libs/java.awt[XWayland][Screencast] consequent getPixelColor calls are slow
5JDK-8331011client-libs/java.awt[XWayland] TokenStorage fails under Security Manager
6JDK-8321176client-libs/java.awt[Screencast] make a second attempt on screencast failure
7JDK-8323801client-libs/javax.swing<s> tag doesn't strikethrough the text
8JDK-8326734client-libs/javax.swingtext-decoration applied to <span> lost when mixed with <u> or <s>
9JDK-8325179client-libs/javax.swingRace in BasicDirectoryModel.validateFileCache
10JDK-8328953client-libs/javax.swingJEditorPane.read throws ChangedCharSetException
11JDK-8335967client-libs/javax.swing"text-decoration: none" does not work with "A" HTML tags
12JDK-6967482client-libs/javax.swingTAB-key does not work in JTables after selecting details-view in JFileChooser
13JDK-8321409core-libs/java.ioConsole read line with zero out should zero out underlying buffer in JLine (redux)
14JDK-8330748core-libs/java.ioByteArrayOutputStream.writeTo(OutputStream) pins carrier
15JDK-8325382core-libs/java.nio(fc) FileChannel.transferTo throws IOException when position equals size
16JDK-8332154core-libs/java.util.concurrentMemory leak in SynchronousQueue
17JDK-8332424core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2024-05-16
18JDK-8334418core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2024-06-14
19JDK-8334653core-libs/java.util:i18nISO 4217 Amendment 177 Update
20JDK-8324668core-svc/debuggerJDWP process management needs more efficient file descriptor handling
21JDK-8328822hotspot/compilerC2: "negative trip count?" assert failure in profile predicate code
22JDK-8324121hotspot/compilerSIGFPE in PhaseIdealLoop::extract_long_range_checks
23JDK-8328938hotspot/compilerC2 SuperWord: disable vectorization for large stride and scale
24JDK-8312218hotspot/compilerPrint additional debug information when hitting assert(in_hash)
25JDK-8324983hotspot/compilerRace in CompileBroker::possibly_add_compiler_threads
26JDK-8331863hotspot/compilerDUIterator_Fast used before it is constructed
27JDK-8329258hotspot/compilerTailCall should not use frame pointer register for jump target
28JDK-8323682hotspot/compilerC2: guard check is not generated in Arrays.copyOfRange intrinsic when allocation is eliminated by EA
29JDK-8324969hotspot/compilerC2: prevent elimination of unbalanced coarsened locking regions
30JDK-8333366hotspot/compilerC2: CmpU3Nodes are not pushed back to worklist in PhaseCCP leading to non-fixpoint assertion failure
31JDK-8332959hotspot/compilerC2: ZGC fails with 'Incorrect load shift' when invoking Object.clone() reflectively on an array
32JDK-8332905hotspot/compilerC2 SuperWord: bad AD file, with RotateRightV and first operand not a pack
33JDK-8316756hotspot/compilerC2 EA fails with "missing memory path" when encountering unsafe_arraycopy stub call
34JDK-8324174hotspot/compilerassert(m->is_entered(current)) failed: invariant
35JDK-8319793hotspot/compilerC2 compilation fails with "Bad graph detected in build_loop_late" after JDK-8279888
36JDK-8317299hotspot/compilersafepoint scalarization doesn't keep track of the depth of the JVM state
37JDK-8323972hotspot/compilerC2 compilation fails with assert(!x->as_Loop()->is_loop_nest_inner_loop()) failed: loop was transformed
38JDK-8322996hotspot/compilerBoxLockNode creation fails with assert(reg < CHUNK_SIZE) failed: sanity
39JDK-8331575hotspot/compilerC2: crash when ConvL2I is split thru phi at LongCountedLoop
40JDK-8323274hotspot/compilerC2: array load may float above range check
41JDK-8322743hotspot/compilerC2: prevent lock region elimination in OSR compilation
42JDK-8308660hotspot/compilerC2 compilation hits 'node must be dead' assert
43JDK-8330819hotspot/compilerC2 SuperWord: bad dominance after pre-loop limit adjustment with base that has CastLL after pre-loop
44JDK-8329126hotspot/compilerNo native wrappers generated anymore with -XX:-TieredCompilation after JDK-8251462
45JDK-8332920hotspot/compilerC2: Partial Peeling is wrongly applied for CmpU with negative limit
46JDK-8325494hotspot/compilerC2: Broken graph after not skipping CastII node anymore for Assertion Predicates after JDK-8309902
47JDK-8325520hotspot/compilerVector loads and stores with indices and masks incorrectly compiled
48JDK-8333099hotspot/compilerMissing check for is_LoadVector in StoreNode::Identity
49JDK-8334421hotspot/compilerassert(!oldbox->is_unbalanced()) failed: this should not be called for unbalanced region
50JDK-8330611hotspot/compilerAES-CTR vector intrinsic may read out of bounds (x86_64, AVX-512)
51JDK-8333542hotspot/jvmtiBreakpoint in parallel code does not work
52JDK-8319773hotspot/runtimeAvoid inflating monitors when installing hash codes for LM_LIGHTWEIGHT
53JDK-8324577hotspot/runtime[REDO] - [IMPROVE] OPEN_MAX is no longer the max limit on macOS >= 10.6 for RLIMIT_NOFILE
54JDK-8319437hotspot/runtimeNMT should show library names in call stacks
55JDK-8319153hotspot/testFix: Class is a raw type in ProcessTools
56JDK-8328785security-libs/javax.crypto:pkcs11IOException: Symbol not found: C_GetInterface for PKCS11 interface prior to V3.0
57JDK-8330133security-libs/javax.crypto:pkcs11libj2pkcs11.so crashes on some pkcs#11 v3.0 libraries
58JDK-8261433security-libs/javax.crypto:pkcs11Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit
59JDK-8341059security-libs/javax.net.sslChange Entrust TLS distrust date to November 12, 2024
60JDK-8312229tools/javacCrash involving yield, switch and anonymous classes
61JDK-8326332tools/javadoc(tool)Unclosed inline tags cause misalignment in summary tables