JDK 11.0.4 Release Notes

Java Development Kit 11 Release Notes

Java™ SE Development Kit 11.0.4 (JDK 11.0.4)

July 16, 2019

The full version string for this update release is 11.0.4+10 (where "+" means "build"). The version number is 11.0.4.

IANA Data 2018i

JDK 11.0.4 contains IANA time zone data version 2018i. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.4 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.4+10
8 1.8.0_221-b11
7 1.7.0_231-b08

Oracle JDK Expiration Date

The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.4) will expire with the release of the next critical patch update scheduled for October 15, 2019.

New Features

hotspot/runtime

HotSpot Windows OS Detection Correctly Identifies Windows Server 2019
Prior to this fix, Windows Server 2019 was recognized as "Windows Server 2016", which produced incorrect values in the os.name system property and the hs_err_pid file.

See JDK-8211106

Removed Features and Options

security-libs/java.security

Removal of Two DocuSign Root CA Certificates
Two DocuSign root CA certificates are expired and have been removed from the cacerts keystore:

  • alias name "certplusclass2primaryca [jdk]"

    Distinguished Name: CN=Class 2 Primary CA, O=Certplus, C=FR

  • alias name "certplusclass3pprimaryca [jdk]"

    Distinguished Name: CN=Class 3P Primary CA, O=Certplus, C=FR

See JDK-8223499

security-libs/java.security

Removal of Two Comodo Root CA Certificates
Two Comodo root CA certificates are expired and have been removed from the cacerts keystore:

  • alias name "utnuserfirstclientauthemailca [jdk]"

    Distinguished Name: CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

  • alias name "utnuserfirsthardwareca [jdk]"

    Distinguished Name: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

See JDK-8222136

security-libs/java.security

Removal of T-Systems Deutsche Telekom Root CA 2 Certificate
The T-Systems Deutsche Telekom Root CA 2 certificate is expired and has been removed from the cacerts keystore:

  • alias name "deutschetelekomrootca2 [jdk]"

    Distinguished Name: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE

See JDK-8222137

security-libs/java.security

Removal of GTE CyberTrust Global Root
The GTE CyberTrust Global Root certificate is expired and has been removed from the cacerts keystore:

  • alias name "gtecybertrustglobalca [jdk]"

    Distinguished Name: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US

See JDK-8195793

Other notes

security-libs/javax.xml.crypto

 com.sun.org.apache.xml.internal.security.ignoreLineBreaks System Property
An Apache Santuario libraries upgrade introduces a behavioral change where Base64 encoded XML signatures may result in &#xd or &#13 being appended to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.

An application may continue working with the encoded output data containing the carriage return character (&#xd or &#13) if the application coding logic allows such output.

The com.sun.org.apache.xml.internal.security.ignoreLineBreaks system property may be set to a value of true if an application is unable to handle encoded output data including the carriage return character (&#xd or &#13).

Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482.

See JDK-8219013
security-libs/javax.crypto

System Property to Switch Between Implementations of ECC
A new boolean system property, jdk.security.useLegacyECC, has been introduced that enables switching between implementations of ECC.

When the system property, jdk.security.useLegacyECC, is set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC in the command line.

If the option is explicitly set to "false", the provider decides which implementation of ECC is used.

The default value of the option is "true". Note that the default value might change in a future update release of the JDK.

JDK-8217763 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.4 Bug Fixes page.