JDK 11.0.4 Release Notes
Java™ SE Development Kit 11.0.4 (JDK 11.0.4)
July 16, 2019
The full version string for this update release is 11.0.4+10 (where "+" means "build"). The version number is 11.0.4.
IANA Data 2018i
JDK 11.0.4 contains IANA time zone data version 2018i. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.4 are specified in the following table:
| JRE Family Version | JRE Security Baseline (Full Version String) |
|---|---|
| 11 | 11.0.4+10 |
| 8 | 1.8.0_221-b11 |
| 7 | 1.7.0_231-b08 |
Oracle JDK Expiration Date
The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.4) will expire with the release of the next critical patch update scheduled for October 15, 2019.
New Features
➜HotSpot Windows OS Detection Correctly Identifies Windows Server 2019
Prior to this fix, Windows Server 2019 was recognized as "Windows Server 2016", which produced incorrect values in the os.name system property and the hs_err_pid file.
See JDK-8211106
Removed Features and Options
➜Removal of Two DocuSign Root CA Certificates
Two DocuSign root CA certificates are expired and have been removed from the cacerts keystore:
-
alias name "certplusclass2primaryca [jdk]"
Distinguished Name: CN=Class 2 Primary CA, O=Certplus, C=FR
-
alias name "certplusclass3pprimaryca [jdk]"
Distinguished Name: CN=Class 3P Primary CA, O=Certplus, C=FR
See JDK-8223499
➜Removal of Two Comodo Root CA Certificates
Two Comodo root CA certificates are expired and have been removed from the cacerts keystore:
-
alias name "utnuserfirstclientauthemailca [jdk]"
Distinguished Name: CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
-
alias name "utnuserfirsthardwareca [jdk]"
Distinguished Name: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
See JDK-8222136
➜Removal of T-Systems Deutsche Telekom Root CA 2 Certificate
The T-Systems Deutsche Telekom Root CA 2 certificate is expired and has been removed from the cacerts keystore:
-
alias name "deutschetelekomrootca2 [jdk]"
Distinguished Name: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE
See JDK-8222137
➜Removal of GTE CyberTrust Global Root
The GTE CyberTrust Global Root certificate is expired and has been removed from the cacerts keystore:
-
alias name "gtecybertrustglobalca [jdk]"
Distinguished Name: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
See JDK-8195793
Other notes
➜ com.sun.org.apache.xml.internal.security.ignoreLineBreaks System Property
An Apache Santuario libraries upgrade introduces a behavioral change where Base64 encoded XML signatures may result in 
 or 
 being appended to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.
An application may continue working with the encoded output data containing the carriage return character (
 or 
) if the application coding logic allows such output.
The com.sun.org.apache.xml.internal.security.ignoreLineBreaks system property may be set to a value of true if an application is unable to handle encoded output data including the carriage return character (
 or 
).
Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482.
➜System Property to Switch Between Implementations of ECC
A new boolean system property, jdk.security.useLegacyECC, has been introduced that enables switching between implementations of ECC.
When the system property, jdk.security.useLegacyECC, is set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify
-Djdk.security.useLegacyECC
in the command line.
If the option is explicitly set to "false", the provider decides which implementation of ECC is used.
The default value of the option is "true". Note that the default value might change in a future update release of the JDK.
JDK-8217763 (not public)
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.4:
| # | BugId | Component | Subcomponent | Summary |
|---|---|---|---|---|
| 1 | JDK-8190361 | client-libs | Incorrect version info in jaccessinspector.exe and jaccesswalker.exe | |
| 2 | JDK-8214252 | client-libs | Expanded & Collapsed nodes of a JTree look the same on GTK3 | |
| 3 | JDK-8210782 | client-libs | Upgrade HarfBuzz to the latest 2.3.1 | |
| 4 | JDK-8212202 | client-libs | 2d | [Windows] Exception if no printers are installed. |
| 5 | JDK-8218020 | client-libs | 2d | Fix version number in mesa.md 3rd party legal file |
| 6 | JDK-8210886 | client-libs | java.awt | Remove references in xwindows.md to non-existent files. |
| 7 | JDK-8214109 | client-libs | java.awt | XToolkit is not correctly displayed color on 16-bit high color setting |
| 8 | JDK-8214765 | client-libs | java.awt | All TrayIcon MessageType icons does not show up with gtk3 option set |
| 9 | JDK-8213183 | client-libs | java.awt:i18n | InputMethod cannot be used after its restarting |
| 10 | JDK-8220349 | client-libs | javax.swing | The fix done for JDK-8214253 have caused issues in JTree behaviour |
| 11 | JDK-8214112 | client-libs | javax.swing | The whole text in target JPasswordField image are not selected. |
| 12 | JDK-8214253 | client-libs | javax.swing | Tooltip is transparent rather than having a black background |
| 13 | JDK-8214111 | client-libs | javax.swing | There is no icon in all JOptionPane target image |
| 14 | JDK-8218674 | client-libs | javax.swing | HTML Tooltip with "img src=" on component doesn't show |
| 15 | JDK-8220166 | core-libs | java.io:serialization | Performance regression in deserialization (4-6% in SPECjbb) |
| 16 | JDK-8217094 | core-libs | java.net | HttpClient SSL race if a socket IOException is raised before ALPN is available |
| 17 | JDK-8213294 | core-libs | java.util:i18n | Upgrade IANA LSR data |
| 18 | JDK-8214935 | core-libs | java.util:i18n | Upgrade IANA LSR data |
| 19 | JDK-8218781 | core-libs | java.util:i18n | Localized names for Japanese Era Reiwa in COMPAT provider |
| 20 | JDK-8217564 | hotspot | compiler | idempotent protection missing in crc32c.h |
| 21 | JDK-8209951 | hotspot | compiler | Problematic sparc intrinsic: com.sun.crypto.provider.CipherBlockChaining |
| 22 | JDK-8220293 | hotspot | jfr | Deadlock in JFR string pool |
| 23 | JDK-8205633 | hotspot | runtime | TestOptionsWithRanges.java of '-XX:TLABSize=2147483648' fails intermittently |
| 24 | JDK-8211106 | hotspot | runtime | [windows] Update OS detection code to recognize Windows Server 2019 |
| 25 | JDK-8217765 | hotspot | runtime | Internal Error (javaCalls.cpp:61) guarantee(thread->can_call_java()) failed |
| 26 | JDK-8202884 | hotspot | svc-agent | SA: Attach/detach might fail on Linux if debugee application create/destroy threads during attaching |
| 27 | JDK-8218180 | install | JAB description in Control Panel is messed | |
| 28 | JDK-8195793 | security-libs | java.security | Remove GTE CyberTrust Global Root |
| 29 | JDK-8223499 | security-libs | java.security | Remove two DocuSign root certificates that are expiring |
| 30 | JDK-8222137 | security-libs | java.security | Remove T-Systems root CA certificate |
| 31 | JDK-8222136 | security-libs | java.security | Remove two Comodo root CA certificates that are expiring |
| 32 | JDK-8217690 | security-libs | java.security | Update public suffix version |
| 33 | JDK-8204909 | security-libs | javax.crypto | Improved ECC Implementation |
| 34 | JDK-8210989 | security-libs | javax.net.ssl | RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2 |
| 35 | JDK-8215790 | security-libs | javax.net.ssl | Delegated task created by SSLEngine throws java.nio.BufferUnderflowException |
| 36 | JDK-8214339 | security-libs | javax.net.ssl | SSLSocketImpl erroneously wraps SocketException |
| 37 | JDK-8219389 | security-libs | javax.net.ssl | Delegated task created by SSLEngine throws BufferUnderflowException |
| 38 | JDK-8216045 | security-libs | javax.net.ssl | The size of key_exchange may be wrong on FFDHE |
| 39 | JDK-8217878 | security-libs | javax.xml.crypto | ENVELOPING XML signature no longer works in JDK 11 |
| 40 | JDK-8218629 | security-libs | javax.xml.crypto | XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10 |
| 41 | JDK-8209914 | tools | javadoc(tool) | javadoc search sometimes generates bad URIs |
| 42 | JDK-8214468 | tools | javadoc(tool) | jQuery UI upgrade from 1.11.4 to 1.12.1 |