Release date: October 15, 2024
The full version string for this update release is 21.0.5+9 (where "+" means "build"). The version number is 21.0.5.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 21.0.5 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
21 | 21.0.5+9 |
17 | 17.0.13+10 |
11 | 11.0.25+9 |
8 | 1.8.0_431-b10 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 21.0.5) be used after the next critical patch update scheduled for January 21, 2025.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
The java.security.debug
system property now accepts arguments which add thread ID, thread name, caller information, and timestamp information to debug statements for all components or a specific component.
+timestamp
can be appended to debug options to print a timestamp for that debug option. +thread
can be appended to debug options to print thread and caller information for that debug option.
Examples: -Djava.security.debug=all+timestamp+thread
adds timestamp and thread information to every debug statement generated.
-Djava.security.debug=properties+timestamp
adds timestamp information to every debug statement generated for the properties
component.
You can also specify -Djava.security.debug=help
which will display a complete list of supported components and arguments.
See Printing Thread and Timestamp Information for more information.
Fixed the issue with entries in the "java" and "javac" groups not being properly managed during an RPM upgrade.
Upgrading from an older Java RPM installed into a shared directory (/usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}
) to a Java RPM installing into a version-specific directory (/usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}
), results in the older Java entries in the "java" and "javac" groups not being deleted.
The issue does not manifest until the new Java is uninstalled. When it is uninstalled and Java from the lower release is installed, running Java commands like java
or keytool
without the full path specified will result in the "command not found" error. For example, install 21.0.3; upgrade it to 21.0.4; uninstall 21.0.4; install any Java update of 17 or 11 or 8 release; run "java" from the command line. The command will fail with the "command not found" error.
Manually delete orphan Java entries in the "java" and "javac" groups to workaround the issue.
New Default limits have been added to HTTP in the JDK.
The JDK built-in implementation of the legacy URL protocol handler for HTTP, HttpURLConnection
, and the new HttpClient, in the module java.net.http
, now have a default limit on the maximum response headers size they will accept from a remote party. The limit is set by default at 384kB (393216 bytes) and is computed as the cumulative size of all header names and header values plus an overhead of 32 bytes per header name value pair.
The default value of the limit can be changed by specifying a positive value with the jdk.http.maxHeaderSize
system property on the command line, or in the appropriate conf.properties
or net.properties
file. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.
The JDK built-in implementation of the com.sun.net.httpserver.HttpServer
(jdk.httpserver
) implements a similar limit for the maximum request header size the server is prepared to accept. The HttpServer limit can be changed by specifying a positive value with the sun.net.httpserver.maxReqHeaderSize
system property on the command line. A negative or zero value is interpreted as no limit. The limit is set by default at 384kB (393216 bytes) and the size is computed in the same way as explained above. If the limit is exceeded, the connection is closed.
In addition, the JDK built-in implementation of the new java.net.http.HttpClient
enforces two additional limits:
The system property jdk.httpclient.maxNonFinalResponses
can be specified with a positive value on the java
command line, or in the conf.properties
or net.properties
file, to control how many interim responses the client will accept before receiving a final response. An interim response is considered informational and is a response whose status is in the range [100, 199]. These responses are typically either handled internally or simply discarded by the implementation. The default limit is now set at a maximum of 8 interim responses before receiving the final response. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.
The system property jdk.httpclient.maxLiteralWithIndexing
can be specified with a positive value on the java
command line, or in the conf.properties
or net.properties
file, to control how many additions a server may request a client to make to the HPack dynamic table when decoding a set of headers. The default maximum value is now set to 512. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.
The following root certificates have been added to the cacerts truststore:
+ SSL.com
+ ssltlsrootecc2022
DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
+ SSL.com
+ ssltlsrootrsa2022
DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.
TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.
The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.
An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:
TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048),
OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the jdk.security.caDistrustPolicies
security property in the java.security
configuration file.
The restrictions are imposed on the following Entrust Root certificates included in the JDK:
Distinguished Name | SHA-256 Fingerprint |
---|---|
CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US |
73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C |
CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US |
02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5 |
CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US |
43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39 |
CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US |
DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88 |
CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net |
6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77 |
CN=AffirmTrust Commercial, O=AffirmTrust, C=US |
03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7 |
CN=AffirmTrust Networking, O=AffirmTrust, C=US |
0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B |
CN=AffirmTrust Premium, O=AffirmTrust, C=US |
70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A |
CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US |
BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23 |
You can also use the keytool
utility from the JDK to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.
In the JDK, java.text.MessageFormat
now has an implementation limit for the ArgumentIndex
pattern element. The hard limit for the value is 10,000.
If an ArgumentIndex
value is equal to or exceeds the upper limit, an IllegalArgumentException
will now be thrown by
MessageFormats
constructorsapplyPattern(String pattern)
instance methodformat(String pattern, Object... arguments)
static methodDe-serializing a MessageFormat
object with an ArgumentIndex
value at or over the limit will throw an InvalidObjectException
.
The ClassLoadingMXBean::setVerbose(boolean enabled)
method will set class+load*
logging on log output stdout
to level info
if enabled
is true, and to level off
otherwise. In contrast, the isVerbose
method would check if exactly class+load
logging was enabled at the info
level on any log output. This could result in counter-intuitive behavior when logging class+load=info
to a file via the command-line, as it caused isVerbose
to return true, even after a call to setVerbose(false)
had been made. A similar problem existed for the MemoryMXBean::isVerbose
method. Starting with this release, the behavior is as follows:
ClassLoadingMXBean::isVerbose
will return true only if class+load*
logging (note the wildcard use) has been enabled at the info
level (or above) on the stdout
log output.MemoryMXBean::isVerbose
will return true only if gc
logging has been enabled at the info
level (or above) on the stdout
log output.
When instantiating a third-party security provider's implementation (class) of a KEM
algorithm, the framework will determine the provider's codebase (JAR file) and verify its signature. In this way, JCA authenticates the provider and ensures that only providers signed by a trusted entity can be plugged into the JCA. This is consistent with other JCE service classes, such as Cipher
, Mac
, KeyAgreement
, and others.
The showSettings
launcher option no longer prints available locales information by default, when -XshowSettings
is used. The -XshowSettings:locale
option will continue to print all settings related to available locales.
Library | New Version | Module | JBS |
---|---|---|---|
GIFlib | 5.2.2 | java.desktop | JDK-8328999 |
Libpng | 1.6.43 | java.desktop | JDK-8329004 |
JQuery | 3.7.1 | jdk.javadoc | JDK-8330063 |
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 21.0.5:# | JBS | Component/Subcomponent | Summary |
---|---|---|---|
1 | JDK-8328896 | client-libs/2d | Fontmetrics for large Fonts has zero width |
2 | JDK-8315701 | client-libs/java.awt | [macos] Regression: KeyEvent has different keycode on different keyboard layouts |
3 | JDK-8309621 | client-libs/java.awt | [XWayland][Screencast] screen capture failure with sun.java2d.uiScale other than 1 |
4 | JDK-8313697 | client-libs/java.awt | [XWayland][Screencast] consequent getPixelColor calls are slow |
5 | JDK-8331011 | client-libs/java.awt | [XWayland] TokenStorage fails under Security Manager |
6 | JDK-8321176 | client-libs/java.awt | [Screencast] make a second attempt on screencast failure |
7 | JDK-8323801 | client-libs/javax.swing | <s> tag doesn't strikethrough the text |
8 | JDK-8326734 | client-libs/javax.swing | text-decoration applied to <span> lost when mixed with <u> or <s> |
9 | JDK-8325179 | client-libs/javax.swing | Race in BasicDirectoryModel.validateFileCache |
10 | JDK-8328953 | client-libs/javax.swing | JEditorPane.read throws ChangedCharSetException |
11 | JDK-8335967 | client-libs/javax.swing | "text-decoration: none" does not work with "A" HTML tags |
12 | JDK-6967482 | client-libs/javax.swing | TAB-key does not work in JTables after selecting details-view in JFileChooser |
13 | JDK-8321409 | core-libs/java.io | Console read line with zero out should zero out underlying buffer in JLine (redux) |
14 | JDK-8330748 | core-libs/java.io | ByteArrayOutputStream.writeTo(OutputStream) pins carrier |
15 | JDK-8325382 | core-libs/java.nio | (fc) FileChannel.transferTo throws IOException when position equals size |
16 | JDK-8332154 | core-libs/java.util.concurrent | Memory leak in SynchronousQueue |
17 | JDK-8332424 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2024-05-16 |
18 | JDK-8334418 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2024-06-14 |
19 | JDK-8334653 | core-libs/java.util:i18n | ISO 4217 Amendment 177 Update |
20 | JDK-8324668 | core-svc/debugger | JDWP process management needs more efficient file descriptor handling |
21 | JDK-8328822 | hotspot/compiler | C2: "negative trip count?" assert failure in profile predicate code |
22 | JDK-8324121 | hotspot/compiler | SIGFPE in PhaseIdealLoop::extract_long_range_checks |
23 | JDK-8328938 | hotspot/compiler | C2 SuperWord: disable vectorization for large stride and scale |
24 | JDK-8312218 | hotspot/compiler | Print additional debug information when hitting assert(in_hash) |
25 | JDK-8324983 | hotspot/compiler | Race in CompileBroker::possibly_add_compiler_threads |
26 | JDK-8331863 | hotspot/compiler | DUIterator_Fast used before it is constructed |
27 | JDK-8329258 | hotspot/compiler | TailCall should not use frame pointer register for jump target |
28 | JDK-8323682 | hotspot/compiler | C2: guard check is not generated in Arrays.copyOfRange intrinsic when allocation is eliminated by EA |
29 | JDK-8324969 | hotspot/compiler | C2: prevent elimination of unbalanced coarsened locking regions |
30 | JDK-8333366 | hotspot/compiler | C2: CmpU3Nodes are not pushed back to worklist in PhaseCCP leading to non-fixpoint assertion failure |
31 | JDK-8332959 | hotspot/compiler | C2: ZGC fails with 'Incorrect load shift' when invoking Object.clone() reflectively on an array |
32 | JDK-8332905 | hotspot/compiler | C2 SuperWord: bad AD file, with RotateRightV and first operand not a pack |
33 | JDK-8316756 | hotspot/compiler | C2 EA fails with "missing memory path" when encountering unsafe_arraycopy stub call |
34 | JDK-8324174 | hotspot/compiler | assert(m->is_entered(current)) failed: invariant |
35 | JDK-8319793 | hotspot/compiler | C2 compilation fails with "Bad graph detected in build_loop_late" after JDK-8279888 |
36 | JDK-8317299 | hotspot/compiler | safepoint scalarization doesn't keep track of the depth of the JVM state |
37 | JDK-8323972 | hotspot/compiler | C2 compilation fails with assert(!x->as_Loop()->is_loop_nest_inner_loop()) failed: loop was transformed |
38 | JDK-8322996 | hotspot/compiler | BoxLockNode creation fails with assert(reg < CHUNK_SIZE) failed: sanity |
39 | JDK-8331575 | hotspot/compiler | C2: crash when ConvL2I is split thru phi at LongCountedLoop |
40 | JDK-8323274 | hotspot/compiler | C2: array load may float above range check |
41 | JDK-8322743 | hotspot/compiler | C2: prevent lock region elimination in OSR compilation |
42 | JDK-8308660 | hotspot/compiler | C2 compilation hits 'node must be dead' assert |
43 | JDK-8330819 | hotspot/compiler | C2 SuperWord: bad dominance after pre-loop limit adjustment with base that has CastLL after pre-loop |
44 | JDK-8329126 | hotspot/compiler | No native wrappers generated anymore with -XX:-TieredCompilation after JDK-8251462 |
45 | JDK-8332920 | hotspot/compiler | C2: Partial Peeling is wrongly applied for CmpU with negative limit |
46 | JDK-8325494 | hotspot/compiler | C2: Broken graph after not skipping CastII node anymore for Assertion Predicates after JDK-8309902 |
47 | JDK-8325520 | hotspot/compiler | Vector loads and stores with indices and masks incorrectly compiled |
48 | JDK-8333099 | hotspot/compiler | Missing check for is_LoadVector in StoreNode::Identity |
49 | JDK-8334421 | hotspot/compiler | assert(!oldbox->is_unbalanced()) failed: this should not be called for unbalanced region |
50 | JDK-8330611 | hotspot/compiler | AES-CTR vector intrinsic may read out of bounds (x86_64, AVX-512) |
51 | JDK-8333542 | hotspot/jvmti | Breakpoint in parallel code does not work |
52 | JDK-8319773 | hotspot/runtime | Avoid inflating monitors when installing hash codes for LM_LIGHTWEIGHT |
53 | JDK-8324577 | hotspot/runtime | [REDO] - [IMPROVE] OPEN_MAX is no longer the max limit on macOS >= 10.6 for RLIMIT_NOFILE |
54 | JDK-8319437 | hotspot/runtime | NMT should show library names in call stacks |
55 | JDK-8319153 | hotspot/test | Fix: Class is a raw type in ProcessTools |
56 | JDK-8328785 | security-libs/javax.crypto:pkcs11 | IOException: Symbol not found: C_GetInterface for PKCS11 interface prior to V3.0 |
57 | JDK-8330133 | security-libs/javax.crypto:pkcs11 | libj2pkcs11.so crashes on some pkcs#11 v3.0 libraries |
58 | JDK-8261433 | security-libs/javax.crypto:pkcs11 | Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit |
59 | JDK-8341059 | security-libs/javax.net.ssl | Change Entrust TLS distrust date to November 12, 2024 |
60 | JDK-8312229 | tools/javac | Crash involving yield, switch and anonymous classes |
61 | JDK-8326332 | tools/javadoc(tool) | Unclosed inline tags cause misalignment in summary tables |