• Jordan now starts DST on February's last Thursday.
• Samoa no longer observes DST.
• Merge more location-based Zones whose timestamps agree since 1970.
• Move some backward-compatibility links to 'backward'.
• Rename Pacific/Enderbury to Pacific/Kanton.
• Correct many pre-1993 transitions in Malawi, Portugal, etc.
• zic now creates each output file or link atomically.
• zic -L no longer omits the POSIX TZ string in its output.
• zic fixes for truncation and leap second table expiration.
• zic now follows POSIX for TZ strings using all-year DST.
• Fix some localtime crashes and bugs in obscure cases.
• zdump -v now outputs more-useful boundary cases.
• tzfile.5 better matches a draft successor to RFC 8536.
• A new file SECURITY.
• Revert most 2021b changes to 'backward'.
• Fix 'zic -b fat' bug in pre-1970 32-bit data.
• Fix two Link line typos.
• Distribute SECURITY file.

This release is intended as a bugfix release, to fix compatibility problems and typos reported since 2021b was released.

• Fiji suspends DST for the 2021/2022 season.
• 'zic -r' marks unspecified timestamps with "-00".
• Palestine will fall back 10-29 (not 10-30) at 01:00.

SunPKCS11 provider adds new provider configuration attributes to better control native resources usage. The SunPKCS11 provider consumes native resources in order to work with native PKCS11 libraries. To manage and better control the native resources, additional configuration attributes are added to control the frequency of clearing native references as well as whether to destroy the underlying PKCS11 Token after logout.

The 3 new attributes for SunPKCS11 provider configuration file are:

1. destroyTokenAfterLogout (boolean, defaults to false)

   If set to true, when java.security.AuthProvider.logout() is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout() calls. Note that a PKCS11 provider with this attribute set to true should not be added to the system provider list since the provider object is not usable after a logout() method call.

2. cleaner.shortInterval (integer, defaults to 2000, in milliseconds)

   This defines the frequency for clearing native references during busy period (such as, how often should the cleaner thread processes the no-longer-needed native references in the queue to free up native memory). Note that the cleaner thread will switch to the 'longInterval' frequency after 200 failed tries (such as, when no references are found in the queue).

3. cleaner.longInterval (integer, defaults to 60000, in milliseconds)

   This defines the frequency for checking native reference during non-busy period (such as, how often should the cleaner thread check the queue for native references). Note that the cleaner thread will switch back to the 'shortInterval' value if native PKCS11 references for cleaning are detected.

Two new system properties have been added. The system property, jdk.tls.client.disableExtensions, is used to disable TLS extensions used in the client. The system property, jdk.tls.server.disableExtensions, is used to disable TLS extensions used in the server. If an extension is disabled, it will be neither produced nor processed in the handshake messages.

The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request, and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.

Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please do not disable mandatory extensions, and do not use this feature unless you clearly understand the impact.

The following root certificate from Google has been removed from the cacerts keystore:

+ alias name "globalsignr2ca [jdk]"

  Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2

IANA Time Zone Database, on which JDK's Date/Time libraries are based, has made a tweak to some time zone rules since 2021c. Note that since this update, some of the time zone rules prior to the year 1970 have been modified according to the changes which were introduced with 2021b. For more detail, refer to the announcement of 2021b

This release reverts the behavior of SSLSocketImpl and SSLTransport introduced by JDK-8196584. SocketException will now be thrown as is instead of being suppressed into an SSLException.