This page contains all of the release notes for General Availability (GA) releases and Bundled Patch Release (BPR) builds of JDK 11.
BPR builds are available only as commercial offerings to Oracle customers. They include fixes critical to customers that could not wait until the next scheduled release. Fixes introduced on BPRs are added to later GA releases.
Release date: January 21, 2025
The full version string for this update release is 11.0.26+7 (where "+" means "build"). The version number is 11.0.26. This JDK conforms to version 11.3 of the Java SE Specification (JSR 384 MR 3 2024-07-02).
JDK 11.0.26 contains IANA time zone data 2024b which contains the following changes:
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 11.0.26 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
11 | 11.0.26+7 |
8 | 1.8.0_441-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.26) be used after the next critical patch update scheduled for April 15, 2025.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
The java.security.debug system property now accepts arguments which add thread ID, thread name, caller information, and timestamp information to debug statements for all components or a specific component.
+timestamp can be appended to debug options to print a timestamp for that debug option. +thread can be appended to debug options to print thread and caller information for that debug option.
Examples: -Djava.security.debug=all+timestamp+thread adds timestamp and thread information to every debug statement generated. -Djava.security.debug=properties+timestamp adds timestamp information to every debug statement generated for the properties component.
You can also specify -Djava.security.debug=help which will display a complete list of supported components and arguments.
See Printing Thread and Timestamp Information for more information.
ProcessBuilder on Windows Quotes Argument Strings Containing Any Space Character (JDK-8335428 (not public))
On Windows, the ProcessBuilder has expanded the quoting of argument strings when starting a process to ensure they are recognized by the application as a single command argument. The set of space characters has been expanded from space (0x20) to include all space characters as defined by java.lang.Character.isSpaceChar, which includes all Unicode space separator characters, such as EN-SPACE (0x2002), and line separator and paragraph separator characters.
IANA Time Zone Database has been upgraded to 2024b. This version mainly includes changes to improve historical data for Mexico, Mongolia, and Portugal. It also changes one timestamp abbreviation, for the time zone 'MET'. Also Asia/Choibalsan is now an alias for Asia/Ulaanbaatar.
The new tzdata changes also impact some legacy time zone IDs. As per 2024b changes "EST" links to "America/Panama", "HST" links to "Pacific/Honolulu" and "MST" links to "America/Phoenix". To maintain compatibility with the Java SE specification, the java.time.ZoneId.SHORT_IDS Map has not changed. Further details are available at JDK-8342331.
The Standard Doclet no longer generates pre-compressed index files. Decisions about compression are now left to the underlying means of delivery (for example, application layer protocols such as HTTP).
Library | New Version | Module | JBS |
---|---|---|---|
JSZip | removed | jdk.javadoc | JDK-8237909 |
Pipewire | 0.3.68 | java.desktop | JDK-8280982 |
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.26:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8309621 | client-libs/java.awt | [XWayland][Screencast] screen capture failure with sun.java2d.uiScale other than 1 |
2 | JDK-8280993 | client-libs/java.awt | [XWayland] Popup is not closed on click outside of area controlled by XWayland |
3 | JDK-8309756 | client-libs/java.awt | Occasional crashes with pipewire screen capture on Wayland |
4 | JDK-8313697 | client-libs/java.awt | [XWayland][Screencast] consequent getPixelColor calls are slow |
5 | JDK-8331011 | client-libs/java.awt | [XWayland] TokenStorage fails under Security Manager |
6 | JDK-8321176 | client-libs/java.awt | [Screencast] make a second attempt on screencast failure |
7 | JDK-8280994 | client-libs/java.awt | [XWayland] Drag and Drop does not work in java -> wayland app direction |
8 | JDK-8215921 | client-libs/java.awt | There is no change when select different Foreground and Background by mouse. |
9 | JDK-8014503 | client-libs/java.awt | AWT Choice implementation should be made consistent across platforms. |
10 | JDK-8280982 | client-libs/java.awt | [Wayland] [XWayland] java.awt.Robot taking screenshots |
11 | JDK-8280132 | client-libs/java.beans | Incorrect comparator com.sun.beans.introspect.MethodInfo.MethodOrder |
12 | JDK-8308152 | client-libs/java.beans | PropertyDescriptor should work with overridden generic getter method |
13 | JDK-8329667 | client-libs/javax.accessibility | [macos] Issue with JTree related fix for JDK-8317771 |
14 | JDK-8282578 | client-libs/javax.sound | AIOOBE in javax.sound.sampled.Clip |
15 | JDK-8319103 | client-libs/javax.swing | Popups that request focus are not shown on Linux with Wayland |
16 | JDK-8337792 | core-libs | javax.naming.NamingException: Could not resolve a valid ldap host when using LDAP connection in JDK11 |
17 | JDK-8340812 | core-libs/java.lang.invoke | LambdaForm customization via MethodHandle::updateForm is not thread safe |
18 | JDK-8312741 | hotspot/compiler | C2: LoopLimitNode is not eliminated |
19 | JDK-8337066 | hotspot/compiler | Repeated call of StringBuffer.reverse with double byte string returns wrong result |
20 | JDK-8315988 | hotspot/gc | Parallel: Make TestAggressiveHeap use createTestJvm |
21 | JDK-8298129 | hotspot/jfr | Let checkpoint event sizes grow beyond u4 limit |
22 | JDK-8338389 | hotspot/jfr | [JFR] Long strings should be added to the string pool |
23 | JDK-8340387 | hotspot/runtime | Update OS detection code to recognize Windows Server 2025 |
24 | JDK-8328723 | security-libs/java.security | IP Address error when client enables HTTPS endpoint check on server socket |
25 | JDK-8331864 | security-libs/java.security | Update Public Suffix List to 1cbd6e7 |
26 | JDK-8322809 | tools/jlink | SystemModulesMap::classNames and moduleNames arrays do not match the order |
The following sections summarize changes made in all Java SE 11.0.25 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
The following root certificates have been added to the cacerts truststore:
+ SSL.com
  + ssltlsrootecc2022
    DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
+ SSL.com
  + ssltlsrootrsa2022
    DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8338389 | hotspot | jfr | [JFR] Long strings should be added to the string pool |
Release date: October 15, 2024
The full version string for this update release is 11.0.25+9 (where "+" means "build"). The version number is 11.0.25.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 11.0.25 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
11 | 11.0.25+9 |
8 | 1.8.0_431-b10 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.25) be used after the next critical patch update scheduled for January 21, 2025.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
Fixed the issue with entries in the "java" and "javac" groups not being properly managed during an RPM upgrade.
Upgrading from an older Java RPM installed into a shared directory (/usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}) to a Java RPM installing into a version-specific directory (/usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}) results in the older Java entries in the "java" and "javac" groups not being deleted.
The issue does not manifest until the new Java is uninstalled. When it is uninstalled and Java from the lower release is installed, running Java commands like java or keytool without the full path specified will result in the "command not found" error. For example, install 21.0.3; upgrade it to 21.0.4; uninstall 21.0.4; install any Java update of 17 or 11 or 8 release; run "java" from the command line. The command will fail with the "command not found" error.
Manually delete orphan Java entries in the "java" and "javac" groups to work around the issue.
New default limits have been added to HTTP in the JDK.
The JDK built-in implementation of the legacy URL protocol handler for HTTP, HttpURLConnection, and the new HttpClient, in the module java.net.http, now have a default limit on the maximum response headers size they will accept from a remote party. The limit is set by default at 384kB (393216 bytes) and is computed as the cumulative size of all header names and header values plus an overhead of 32 bytes per header name value pair.
The default value of the limit can be changed by specifying a positive value with the jdk.http.maxHeaderSize system property on the command line, or in the appropriate conf.properties or net.properties file. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.
The JDK built-in implementation of the com.sun.net.httpserver.HttpServer (jdk.httpserver) implements a similar limit for the maximum request header size the server is prepared to accept. The HttpServer limit can be changed by specifying a positive value with the sun.net.httpserver.maxReqHeaderSize system property on the command line. A negative or zero value is interpreted as no limit. The limit is set by default at 384kB (393216 bytes) and the size is computed in the same way as explained above. If the limit is exceeded, the connection is closed.
In addition, the JDK built-in implementation of the new java.net.http.HttpClient enforces two additional limits:
The system property jdk.httpclient.maxNonFinalResponses can be specified with a positive value on the java command line, or in the conf.properties or net.properties file, to control how many interim responses the client will accept before receiving a final response. An interim response is considered informational and is a response whose status is in the range [100, 199]. These responses are typically either handled internally or simply discarded by the implementation. The default limit is now set at a maximum of 8 interim responses before receiving the final response. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.
The system property jdk.httpclient.maxLiteralWithIndexing can be specified with a positive value on the java command line, or in the conf.properties or net.properties file, to control how many additions a server may request a client to make to the HPack dynamic table when decoding a set of headers. The default maximum value is now set to 512. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.
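To check whether responses from your own origin or proxy would trip the header-size and interim-response limits described above, the following Java program applies the stated size formula to a captured HTTP/1.1 response stream. It is an added example, not JDK or Oracle code; the class and method names and the X-Trace header are illustrative, the sample stream is constructed, and it assumes the size limit applies to each response separately and that each header line counts as one name value pair.

```java
import java.util.ArrayList;
import java.util.List;

public class HttpHeaderLimitCheck {

    static final int PAIR_OVERHEAD = 32;              // bytes per name value pair (release note)
    static final int DEFAULT_MAX_HEADER_SIZE = 393216; // 384kB default (release note)
    static final int DEFAULT_MAX_NON_FINAL = 8;        // default interim-response limit

    // One parsed response: status code, number of header pairs, computed header size.
    static final class Response {
        final int status;
        final int pairs;
        final long headerSize;
        Response(int status, int pairs, long headerSize) {
            this.status = status;
            this.pairs = pairs;
            this.headerSize = headerSize;
        }
    }

    // Effective limit as set on the command line, else the default. Values set in
    // net.properties are not visible through System properties, so they are not seen here.
    static int limit(String property, int defaultValue) {
        return Integer.getInteger(property, defaultValue);
    }

    // Parses header sections of an HTTP/1.1 response stream up to the final response.
    static List<Response> parse(String raw) {
        List<Response> out = new ArrayList<>();
        String[] lines = raw.split("\r\n", -1);
        int i = 0;
        while (i < lines.length && lines[i].startsWith("HTTP/")) {
            int status = Integer.parseInt(lines[i++].split(" ", 3)[1]);
            int pairs = 0;
            long size = 0;
            for (; i < lines.length && !lines[i].isEmpty(); i++) {
                int colon = lines[i].indexOf(':');
                if (colon <= 0) {
                    throw new IllegalArgumentException("malformed header at line " + i);
                }
                // name length + value length + fixed overhead for this pair
                size += colon + lines[i].substring(colon + 1).trim().length() + PAIR_OVERHEAD;
                pairs++;
            }
            i++; // skip the empty line that ends the header section
            out.add(new Response(status, pairs, size));
            if (status >= 200) {
                break; // final response reached; anything after it is body
            }
        }
        return out;
    }

    // Returns one message per limit that the stream would exceed; <= 0 means no limit.
    static List<String> check(List<Response> responses, int maxHeaderSize, int maxNonFinal) {
        List<String> problems = new ArrayList<>();
        int interim = 0;
        for (Response r : responses) {
            if (r.status >= 100 && r.status <= 199) {
                interim++;
            }
            if (maxHeaderSize > 0 && r.headerSize > maxHeaderSize) {
                problems.add("status " + r.status + ": header size " + r.headerSize
                        + " exceeds limit " + maxHeaderSize);
            }
        }
        if (maxNonFinal > 0 && interim > maxNonFinal) {
            problems.add(interim + " interim responses exceed limit " + maxNonFinal);
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample: nine 103 responses, then a 200 with one very large header.
        StringBuilder raw = new StringBuilder();
        for (int n = 0; n < 9; n++) {
            raw.append("HTTP/1.1 103 Early Hints\r\nLink: </style.css>; rel=preload\r\n\r\n");
        }
        raw.append("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nX-Trace: ")
           .append("a".repeat(400000)).append("\r\n\r\nbody");

        List<String> problems = check(parse(raw.toString()),
                limit("jdk.http.maxHeaderSize", DEFAULT_MAX_HEADER_SIZE),
                limit("jdk.httpclient.maxNonFinalResponses", DEFAULT_MAX_NON_FINAL));
        problems.forEach(System.out::println);
    }
}
```

With the default limits, the constructed stream is reported twice: once for the 200 response, whose header size is 400093, and once for the nine interim responses.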
The following root certificates have been added to the cacerts truststore:
+ SSL.com
  + ssltlsrootecc2022
    DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
+ SSL.com
  + ssltlsrootrsa2022
    DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
The TLS_ECDH cipher suites have been disabled by default, by adding "ECDH" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. The TLS_ECDH cipher suites do not preserve forward-secrecy and are rarely used in practice. Note that some TLS_ECDH cipher suites were already disabled because they use algorithms that are disabled, such as 3DES and RC4. This action disables the rest. Any attempts to use cipher suites starting with "TLS_ECDH_" will fail with an SSLHandshakeException. Users can, at their own risk, re-enable these cipher suites by removing "ECDH" from the jdk.tls.disabledAlgorithms security property.
Please note that this change has no effect on the TLS_ECDHE cipher suites, which are still enabled by default.
The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.
TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.
The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.
An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:
TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048),
OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.
The restrictions are imposed on the following Entrust Root certificates included in the JDK:
Distinguished Name | SHA-256 Fingerprint |
---|---|
CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US | 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C |
CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US | 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5 |
CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US | 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39 |
CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US | DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88 |
CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net | 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77 |
CN=AffirmTrust Commercial, O=AffirmTrust, C=US | 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7 |
CN=AffirmTrust Networking, O=AffirmTrust, C=US | 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0:B4:1B |
CN=AffirmTrust Premium, O=AffirmTrust, C=US | 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A |
CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US | BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23 |
You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain issued by one of the root CAs in the table above are listed in the output, you will need to update the certificate or contact the organization that manages the server.
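The keytool check above can also be scripted across many keystores. The following Java program is an added example, not Oracle's code: it fingerprints every certificate in a keystore and compares the result with the table above. Class and method names are illustrative; it assumes the stored chain includes the root certificate and that the cut-off is compared as a calendar date in UTC.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class EntrustChainAudit {

    // Certificates issued after this date are rejected (date from the release note).
    // Assumption: the comparison is made on the calendar date in UTC.
    static final LocalDate CUTOFF = LocalDate.of(2024, 11, 11);

    // SHA-256 fingerprints of the restricted roots, copied from the table above,
    // each written as 32 colon-separated bytes.
    static final Set<String> RESTRICTED_ROOTS = new HashSet<>(Arrays.asList(
        "73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C",
        "02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5",
        "43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39",
        "DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88",
        "6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77",
        "03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7",
        "0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0:B4:1B",
        "70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A",
        "BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23"));

    // SHA-256 over the DER encoding, formatted like the table (upper-case hex, colons).
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", b & 0xff));
        }
        return sb.toString();
    }

    // One finding per alias whose certificate or chain contains a restricted root.
    static List<String> audit(KeyStore ks) throws Exception {
        List<String> findings = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias); // null for trusted-cert entries
            if (chain == null) {
                Certificate single = ks.getCertificate(alias);
                if (single == null) {
                    continue;
                }
                chain = new Certificate[] { single };
            }
            String anchor = null;
            for (Certificate c : chain) {
                if (c instanceof X509Certificate
                        && RESTRICTED_ROOTS.contains(sha256Fingerprint(c))) {
                    anchor = ((X509Certificate) c).getSubjectX500Principal().getName();
                }
            }
            if (anchor == null) {
                continue;
            }
            if (chain.length == 1) {
                findings.add(alias + ": restricted root present in store: " + anchor);
                continue;
            }
            if (!(chain[0] instanceof X509Certificate)) {
                continue;
            }
            // chain[0] is the end-entity certificate; its notBefore is the issue date.
            LocalDate issued = ((X509Certificate) chain[0]).getNotBefore()
                    .toInstant().atZone(ZoneOffset.UTC).toLocalDate();
            findings.add(alias + ": anchored by " + anchor + ", leaf issued " + issued
                    + (issued.isAfter(CUTOFF) ? " -> rejected" : " -> trusted until expiry"));
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // No argument: inspect this runtime's cacerts with its default password.
        File store = args.length > 0 ? new File(args[0])
                : new File(System.getProperty("java.home"), "lib/security/cacerts");
        char[] password = (args.length > 0 && System.console() != null)
                ? System.console().readPassword("Keystore password: ")
                : "changeit".toCharArray();
        List<String> findings = audit(KeyStore.getInstance(store, password));
        findings.forEach(System.out::println);
        System.out.println(findings.size() + " entries reference a restricted root");
    }
}
```

Run without arguments it lists which of the restricted roots are present in the runtime's own cacerts; run with a server keystore path it reports, per alias, whether the leaf certificate falls before or after the cut-off.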
This JDK release relaxes the specification of java.awt.Robot to account for possible platform and desktop environment access restrictions or limitations.
This JDK implements Maintenance Release 3 of the Java SE 11 specification JSR 384. This is indicated by the system property java.specification.maintenance.version having the value of "3".
In the JDK, java.text.MessageFormat now has an implementation limit for the ArgumentIndex pattern element. The hard limit for the value is 10,000.
If an ArgumentIndex value is equal to or exceeds the upper limit, an IllegalArgumentException will now be thrown by
+ MessageFormat's constructors
+ applyPattern(String pattern) instance method
+ format(String pattern, Object... arguments) static method
De-serializing a MessageFormat object with an ArgumentIndex value at or over the limit will throw an InvalidObjectException.
The ClassLoadingMXBean::setVerbose(boolean enabled) method will set class+load* logging on log output stdout to level info if enabled is true, and to level off otherwise. In contrast, the isVerbose method would check if exactly class+load logging was enabled at the info level on any log output. This could result in counter-intuitive behavior when logging class+load=info to a file via the command-line, as it caused isVerbose to return true, even after a call to setVerbose(false) had been made. A similar problem existed for the MemoryMXBean::isVerbose method. Starting with this release, the behavior is as follows:
+ ClassLoadingMXBean::isVerbose will return true only if class+load* logging (note the wildcard use) has been enabled at the info level (or above) on the stdout log output.
+ MemoryMXBean::isVerbose will return true only if gc logging has been enabled at the info level (or above) on the stdout log output.
The showSettings launcher option no longer prints available locales information by default, when -XshowSettings is used. The -XshowSettings:locale option will continue to print all settings related to available locales.
Library | New Version | Module | JBS |
---|---|---|---|
GIFlib | 5.2.2 | java.desktop | JDK-8328999 |
Libpng | 1.6.43 | java.desktop | JDK-8329004 |
JQuery | 3.7.1 | jdk.javadoc | JDK-8330063 |
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.25:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8328896 | client-libs/2d | Fontmetrics for large Fonts has zero width |
2 | JDK-8280786 | client-libs/2d | Build failure on Solaris after 8262392 |
3 | JDK-8325179 | client-libs/javax.swing | Race in BasicDirectoryModel.validateFileCache |
4 | JDK-8294680 | client-libs/javax.swing | Refactor scaled border rendering |
5 | JDK-8328953 | client-libs/javax.swing | JEditorPane.read throws ChangedCharSetException |
6 | JDK-8320570 | core-libs/java.lang | NegativeArraySizeException decoding >1G UTF8 bytes with non-ascii characters |
7 | JDK-8330416 | core-libs/java.lang | Update system property for Java SE specification maintenance version |
8 | JDK-8267938 | core-libs/java.net | (sctp) SCTP channel factory methods should check platform support |
9 | JDK-8299058 | core-libs/java.net | AssertionError in sun.net.httpserver.ServerImpl when connection is idle |
10 | JDK-8332424 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2024-05-16 |
11 | JDK-8334418 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2024-06-14 |
12 | JDK-8334653 | core-libs/java.util:i18n | ISO 4217 Amendment 177 Update |
13 | JDK-8313619 | hotspot/compiler | TestIntrinsicsRegStress.java fails on SPARC |
14 | JDK-8078725 | hotspot/jvmti | method adjustments can be done just once for all classes involved into redefinition |
15 | JDK-8235671 | hotspot/runtime | enhance print_rlimit_info in os_posix |
16 | JDK-8221470 | hotspot/runtime | Print methods in exception messages in java-like Syntax. |
17 | JDK-8205611 | hotspot/runtime | Improve the wording of LinkageErrors to include module and class loader information |
18 | JDK-8218147 | hotspot/runtime | make_walkable asserts on multiple calls |
19 | JDK-8253207 | other-libs/other | enable problemlists jcheck's check |
20 | JDK-8261433 | security-libs/javax.crypto:pkcs11 | Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit |
21 | JDK-8341059 | security-libs/javax.net.ssl | Change Entrust TLS distrust date to November 12, 2024 |
22 | JDK-8259530 | tools/javadoc(tool) | Generated docs contain MIT/GPL-licenced works without reproducing the licence |
The following sections summarize changes made in all Java SE 11.0.24 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8337792 | core-libs | | javax.naming.NamingException: Could not resolve a valid ldap host when using LDAP connection in JDK11 |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8336107 (not public) | install | | JDK rpm upgrade from 11.0.23 to 11.0.25 leaves "orphan" alternatives entry |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8333447 (not public) | install | install | "alternatives" uninstallation results into intermittent “Java not available” issues |
JDK-8333859 | core-libs | java.util.jar | Pack200.newUnpacker().unpack() throws IOException |
Release date: July 16, 2024
The full version string for this update release is 11.0.24+7 (where "+" means "build"). The version number is 11.0.24.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 11.0.24 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
11 | 11.0.24+7 |
8 | 8u421-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.24) be used after the next critical patch update scheduled for October 15, 2024.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
-XshowSettings Launcher Option (JDK-8281658)
The -XshowSettings launcher has a new security category. Settings from security properties, security providers and TLS related settings are displayed with this option. A security sub-category can be passed as an argument to the security category option. See the output from java -X:
-XshowSettings:security
show all security settings and continue
-XshowSettings:security:*sub-category*
show settings for the specified security sub-category and continue. Possible *sub-category* arguments for this option include:
all: show all security settings and continue
properties: show security properties and continue
providers: show static security provider settings and continue
tls: show TLS related security settings and continue
Third party security provider details will be reported if they are included in the application class path or module path and such providers are configured in the java.security file.
Delete nonfunctional desktop integration functionality from Linux installers. The installers will stop depositing files in /usr/share/icons, /usr/share/mime, and /usr/share/applications subtrees.
The following root certificates have been added to the cacerts truststore:
+ GlobalSign
  + globalsignr46
    DN: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE
+ GlobalSign
  + globalsigne46
    DN: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE
DTLS 1.0 has been disabled by default, by adding "DTLSv1.0" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. DTLS 1.0 has weakened over time and lacks support for stronger cipher suites. Any attempts to use DTLSv1.0 will fail with an SSLHandshakeException. Users can, at their own risk, re-enable the version by removing "DTLSv1.0" from the jdk.tls.disabledAlgorithms security property.
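To confirm that a given runtime still has the DTLS 1.0 restriction above and the TLS_ECDH restriction from the 11.0.25 notes in effect (for instance after a local java.security override), the following Java program reads jdk.tls.disabledAlgorithms and the default SSLContext parameters. It is an added example, not part of the JDK or of Oracle's notes; the class and method names are illustrative.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class TlsDefaultsAudit {

    // Entries of the jdk.tls.disabledAlgorithms security property, trimmed.
    static List<String> disabledAlgorithms() {
        List<String> entries = new ArrayList<>();
        String raw = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (raw != null) {
            for (String entry : raw.split(",")) {
                if (!entry.trim().isEmpty()) {
                    entries.add(entry.trim());
                }
            }
        }
        return entries;
    }

    // True if the property lists 'name' as a whole entry (case-insensitive).
    static boolean isDisabled(List<String> entries, String name) {
        for (String entry : entries) {
            if (entry.equalsIgnoreCase(name)) {
                return true;
            }
        }
        return false;
    }

    // Returns one finding per deviation from the defaults described in these notes.
    static List<String> audit() throws Exception {
        List<String> findings = new ArrayList<>();

        // 1. The configuration: both entries named in the notes should be listed.
        List<String> disabled = disabledAlgorithms();
        for (String expected : new String[] { "ECDH", "DTLSv1.0" }) {
            if (!isDisabled(disabled, expected)) {
                findings.add("jdk.tls.disabledAlgorithms does not list " + expected);
            }
        }

        // 2. The effect on TLS: no default-enabled suite should start with "TLS_ECDH_".
        //    The trailing underscore keeps TLS_ECDHE_ suites out of the match.
        for (String suite : SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites()) {
            if (suite.startsWith("TLS_ECDH_")) {
                findings.add("cipher suite enabled by default: " + suite);
            }
        }

        // 3. The effect on DTLS: DTLSv1.0 should not be among the default protocols.
        try {
            SSLContext dtls = SSLContext.getInstance("DTLS");
            dtls.init(null, null, null);
            String[] protocols = dtls.getDefaultSSLParameters().getProtocols();
            if (Arrays.asList(protocols).contains("DTLSv1.0")) {
                findings.add("protocol enabled by default: DTLSv1.0");
            }
        } catch (NoSuchAlgorithmException e) {
            findings.add("no DTLS SSLContext in this runtime; DTLS check skipped");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        List<String> findings = audit();
        if (findings.isEmpty()) {
            System.out.println("TLS_ECDH_ suites and DTLSv1.0 are disabled by default");
        }
        findings.forEach(System.out::println);
    }
}
```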
RPATH Instead of RUNPATH (JDK-8326891)
Native executables and libraries on Linux have switched to using RPATH instead of RUNPATH in this release.
JDK native executables and libraries use embedded runtime search paths to locate other internal JDK native libraries. On Linux these can be defined as either RPATH or RUNPATH. The main difference is that the dynamic linker considers RPATH before the LD_LIBRARY_PATH environment variable, while RUNPATH is only considered after LD_LIBRARY_PATH.
By making the change to using RPATH, it is no longer possible to replace JDK internal native libraries using LD_LIBRARY_PATH.
The installation directory name of the Oracle JDK in RPM and DEB packages has changed from /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH} to /usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}.
Every update release will be installed in a separate directory on the Linux platform.
Installers will create a /usr/java/jdk-${FEATURE}-oracle-${ARCH} link pointing to the installation directory to allow programs to find the latest JDK version in the ${FEATURE} release train.
Library | New Version | Module | JBS |
---|---|---|---|
LCMS | 2.16 | java.desktop | JDK-8321489 |
Zlib Data Compression Library | 1.3.1 | java.base | JDK-8324632 |
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.24:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8318854 | client-libs/java.awt | [macos14] Running any AWT app prints Secure coding warning |
2 | JDK-8317771 | client-libs/javax.accessibility | [macos14] Expand/collapse a JTree using keyboard freezes the application in macOS 14 Sonoma |
3 | JDK-8296878 | client-libs/javax.swing | Document Filter attached to JPasswordField and setText("") is not cleared instead inserted characters replaced with unicode null characters |
4 | JDK-8218917 | client-libs/javax.swing | KeyEvent.getModifiers() returns inconsistent values for ALT keys |
5 | JDK-8322239 | client-libs/javax.swing | [macos] a11y : java.lang.NullPointerException is thrown when focus is moved on the JTabbedPane |
6 | JDK-8187759 | client-libs/javax.swing | Background not refreshed when painting over a transparent JFrame |
7 | JDK-8258956 | core-libs/java.lang | Memory Leak in StringCoding on ThreadLocal resultCached StringCoding.Result |
8 | JDK-8302791 | core-libs/java.lang:class_loading | Add specific ClassLoader object to Proxy IllegalArgumentException message |
9 | JDK-8319436 | core-libs/java.lang:reflect | Proxy.newProxyInstance throws NPE if loader is null and interface not visible from class loader |
10 | JDK-8318599 | core-libs/java.net | HttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809 |
11 | JDK-8292044 | core-libs/java.net | HttpClient doesn't handle 102 or 103 properly |
12 | JDK-8242999 | core-libs/java.net | HTTP/2 client may not handle CONTINUATION frames correctly |
13 | JDK-8263940 | core-libs/java.nio | NPE when creating default file system when default file system provider is packaged as JAR file on class path |
14 | JDK-8318322 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2023-10-16 |
15 | JDK-8304761 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2023-03-22 |
16 | JDK-8302512 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2023-02-14 |
17 | JDK-8306031 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2023-04-13 |
18 | JDK-8308021 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2023-05-11 |
19 | JDK-8327631 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2024-03-07 |
20 | JDK-8313702 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2023-08-02 |
21 | JDK-8326638 | hotspot/compiler | Crash in PhaseIdealLoop::remix_address_expressions due to unexpected Region instead of Loop |
22 | JDK-8215205 | hotspot/compiler | javaVFrame much slower than vframeStream |
23 | JDK-8208669 | hotspot/gc | GC changes to allow enabling -Wreorder |
24 | JDK-8236124 | hotspot/jvmti | Minimal VM slowdebug build failed after JDK-8212160 |
25 | JDK-8254270 | hotspot/svc | linux 32 bit build doesn't compile libjdwp/log_messages.c |
26 | JDK-8241960 | security-libs/java.security | The SHA3 message digests impl of SUN provider are not thread safe after cloned |
27 | JDK-8214583 | security-libs/java.security | AccessController.getContext may return wrong value after JDK-8212605 |
28 | JDK-8212605 | security-libs/java.security | Pure-Java implementation of AccessController.doPrivileged |
29 | JDK-8214329 | security-libs/java.security | SwingMark SubMenus 9% regression in 12-b19 on Linux client |
30 | JDK-8326643 | security-libs/java.security | JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message |
31 | JDK-8236512 | security-libs/javax.crypto:pkcs11 | PKCS11 Connection closed after Cipher.doFinal and NoPadding |
32 | JDK-8312383 | security-libs/javax.net.ssl | Log X509ExtendedKeyManager implementation class name in TLS/SSL connection |
33 | JDK-8303809 | security-libs/org.ietf.jgss | Dispose context in SPNEGO NegotiatorImpl |
The following sections summarize changes made in all Java SE 11.0.23 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Fixes from the prior BPR are included in this version.
Release date: April 16, 2024
The full version string for this update release is 11.0.23+7 (where "+" means "build"). The version number is 11.0.23.
JDK 11.0.23 contains IANA time zone data 2024a which contains the following changes:
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 11.0.23 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
11 | 11.0.23+7 |
8 | 8u411-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.23) be used after the next critical patch update scheduled for July 16, 2024.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third-party libraries used by your Java programs. Existing Java Management Service users can log in to their dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
The XML Signature implementation has been updated to Santuario 3.0.3. Support for four new SHA-3 based RSA-MGF1 signature methods has been added: `SHA3_224_RSA_MGF1`, `SHA3_256_RSA_MGF1`, `SHA3_384_RSA_MGF1`, and `SHA3_512_RSA_MGF1`. While these new algorithm URIs are not defined in `javax.xml.crypto.dsig.SignatureMethod` in the JDK update releases, they may be represented as string literals in order to be functionally equivalent. SHA-3 hash algorithm support was delivered to JDK 9 via JEP 287. Releases earlier than that may use third party security providers.
Additionally, support for the following EdDSA signatures has been added: `ED25519` and `ED448`. While these new algorithm URIs are not defined in `javax.xml.crypto.dsig.SignatureMethod` in the JDK Update releases, they may be represented as string literals in order to be functionally equivalent. The JDK supports EdDSA since JDK 15. Releases earlier than that may use 3rd party security providers.
One other difference is that the JDK still supports the `here()` function by default. However, we recommend avoiding the use of the `here()` function in new signatures and replacing existing signatures that use the `here()` function. Future versions of the JDK will likely disable, and eventually remove, support for this function, as it cannot be supported using the standard Java XPath API. Users can now disable the `here()` function by setting the security property `jdk.xml.dsig.hereFunctionSupported` to "false".
The `java.awt.SystemTray` API is used for notifications in a desktop taskbar and may include an icon representing an application. On Linux, the Gnome desktop's own icon support in the taskbar has not worked properly for several years due to a platform bug. This, in turn, has affected the JDK's API, which relies upon that.
Therefore, in accordance with the existing Java SE specification, `java.awt.SystemTray.isSupported()` will return false wherever the JDK determines the platform bug is likely to be present.
The impact of this is likely to be limited since applications always must check for that support anyway. Additionally, some distros have not supported the SystemTray for several years unless the end-user chooses to install non-bundled desktop extensions.
The following root certificates have been added to the cacerts truststore:
+ Certainly
+ certainlyrootr1
DN: CN=Certainly Root R1, O=Certainly, C=US
+ Certainly
+ certainlyroote1
DN: CN=Certainly Root E1, O=Certainly, C=US
The XML Signature secure validation mode has been enabled by default (previously it was not enabled by default unless running with a security manager). When enabled, validation of XML signatures is subject to stricter checking of algorithms and other constraints as specified by the `jdk.xml.dsig.secureValidationPolicy` security property.
If necessary, and at their own risk, applications can disable the mode by setting the `org.jcp.xml.dsig.secureValidation` property to `Boolean.FALSE` with the `DOMValidateContext.setProperty()` API.
Library | New Version | Module | JBS |
---|---|---|---|
FreeType | 2.13.2 | java.desktop | JDK-8316028 |
HarfBuzz | 8.2.2 | java.desktop | JDK-8313643 |
Joni | 2.2.1 | jdk.scripting.nashorn | JDK-8322094 |
libpng | 1.6.40 | java.desktop | JDK-8316030 |
Xalan Java | 2.7.3 | java.xml | JDK-8305814 |
XML Security for Java | 3.0.3 | java.xml.crypto | JDK-8319124 |
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.23:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8318951 | client-libs/2d | Additional negative value check in JPEG decoding |
2 | JDK-8301846 | client-libs/javax.sound | Invalid TargetDataLine after screen lock when using JFileChooser or COM library |
3 | JDK-8213478 | core-libs/java.lang.invoke | Reduce rebinds when applying repeated filters and conversions |
4 | JDK-8223454 | core-libs/java.lang.invoke | Reduce String concatenation shapes by folding initialLengthCoder into last mixer |
5 | JDK-8222852 | core-libs/java.lang.invoke | Reduce String concat combinator tree shapes by folding constants into prependers |
6 | JDK-8213035 | core-libs/java.lang.invoke | Pack MethodHandleInlineStrategy coder and length into a long |
7 | JDK-8212726 | core-libs/java.lang.invoke | Replace some use of drop- and foldArguments with filtering argument combinator in StringConcatFactory |
8 | JDK-8281560 | core-libs/java.util.regex | Matcher.hitEnd returns unexpected results in presence of CANON_EQ flag. |
9 | JDK-8321480 | core-libs/java.util:i18n | ISO 4217 Amendment 176 Update |
10 | JDK-8307683 | hotspot/compiler | Loop Predication should not hoist range checks with trap on success projection by negating their condition |
11 | JDK-8309119 | hotspot/compiler | [17u/11u] Redo JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication |
12 | JDK-8321215 | hotspot/compiler | Incorrect x86 instruction encoding for VSIB addressing mode |
13 | JDK-8236772 | hotspot/compiler | Fix build for windows 32-bit after 8212160 and 8234331. |
14 | JDK-8318889 | hotspot/compiler | C2: add bailout after assert Bad graph detected in build_loop_late |
15 | JDK-8317507 | hotspot/compiler | C2 compilation fails with "Exceeded _node_regs array" |
16 | JDK-8213927 | hotspot/gc | G1 ignores AlwaysPreTouch when UseTransparentHugePages is enabled |
17 | JDK-8287113 | hotspot/jfr | JFR: Periodic task thread uses period for method sampling events |
18 | JDK-8322321 | hotspot/runtime | Add man page doc for -XX:+VerifySharedSpaces |
19 | JDK-8268893 | hotspot/runtime | jcmd to trim the glibc heap |
20 | JDK-8323243 | hotspot/runtime | JNI invocation of an abstract instance method corrupts the stack |
21 | JDK-8320208 | security-libs/java.security | Update Public Suffix List to b5bf572 |
22 | JDK-8302182 | security-libs/java.security | Update Public Suffix List to 88467c9 |
23 | JDK-8307185 | security-libs/javax.crypto:pkcs11 | pkcs11 native libraries make JNI calls into java code while holding GC lock |
24 | JDK-8255867 | security-libs/javax.net.ssl | SignatureScheme JSSE property does not preserve ordering in handshake messages |
25 | JDK-8284910 | security-libs/javax.security | Buffer clean in PasswordCallback |
26 | JDK-8318971 | tools/jar | Better Error Handling for Jar Tool When Processing Non-existent Files |
27 | JDK-8308245 | tools/javac | Add -proc:full to describe current default annotation processing policy |
28 | JDK-8216408 | xml/javax.xml.stream | XMLStreamWriter setDefaultNamespace(null) throws NullPointerException |
29 | JDK-8223291 | xml/javax.xml.transform | Whitespace is added to CDATA tags when using OutputKeys.INDENT to format XML |
30 | JDK-8237456 | xml/javax.xml.transform | Transform filtered through SAX filter mishandles character entities |
31 | JDK-8265073 | xml/javax.xml.transform | XML transformation and indentation when using xml:space |
32 | JDK-8220818 | xml/javax.xml.validation | Validator does not find missing match for keyref error |
The following sections summarize changes made in all Java SE 11.0.22 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8325580 (not public) | install | install | Remove "alternatives --remove" call from Java rpm installer |
JDK-8325150 | core-libs | java.time | (tz) Update Timezone Data to 2024a |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8268893 | hotspot | runtime | jcmd to trim the glibc heap |
JDK-8322725 | core-libs | java.time | (tz) Update Timezone Data to 2023d |
Fixes from the prior BPR are included in this version.
Release date: January 16, 2024
The full version string for this update release is 11.0.22+9 (where "+" means "build"). The version number is 11.0.22.
For more information, refer to Timezone Data Versions in the Java Runtime.
The security baselines for the Java Runtime at the time of the release of JDK 11.0.22 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
11 | 11.0.22+9 |
8 | 8u401-b10 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.22) be used after the next critical patch update scheduled for April 16, 2024.
Java SE Subscription product customers managing JRE updates/installs for a large number of desktops should consider using Java Management Service (JMS).
A new system property named `org.jcp.xml.dsig.secureValidation` has been added. It can be used to enable or disable the XML Signature secure validation mode. The system property should be set to "true" to enable, or "false" to disable. Any other value for the system property is treated as "false". If the system property is set, it supersedes the `XMLCryptoContext` property value.
Secure validation mode is enabled by default if you are running the code with a SecurityManager, otherwise it is disabled by default.
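Because the default differs between releases (off without a SecurityManager in 11.0.22, on in 11.0.23) and a set system property supersedes the context property, validation code can pin the mode and fail closed when the JVM-wide property would turn it off. The following is an added example, not JDK or Oracle sample code; the class name, helper names and sample document are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.Collections;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Added example (hypothetical class name), not JDK or Oracle sample code.
public class SecureValidationDemo {
    static final String PROP = "org.jcp.xml.dsig.secureValidation";
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    // Fail closed if the JVM-wide system property would switch the mode off:
    // per the release note it supersedes the context property, and any value
    // other than "true" is treated as "false".
    static void requireNotOverridden() {
        String sys = System.getProperty(PROP);
        if (sys != null && !Boolean.parseBoolean(sys)) {
            throw new IllegalStateException(
                    "-D" + PROP + "=" + sys + " disables secure validation");
        }
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for XML Signature processing
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Adds an enveloped RSA-SHA256 signature covering the whole document.
    static void sign(Document doc, KeyPair kp) throws Exception {
        Reference ref = FAC.newReference("",
                FAC.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(
                        FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = FAC.newSignedInfo(
                FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                        (C14NMethodParameterSpec) null),
                FAC.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
                Collections.singletonList(ref));
        FAC.newXMLSignature(si, null)
           .sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    static boolean validate(Document doc, KeyPair kp) throws Exception {
        requireNotOverridden();
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalStateException("expected exactly one Signature element");
        }
        DOMValidateContext ctx = new DOMValidateContext(
                KeySelector.singletonKeySelector(kp.getPublic()), sigs.item(0));
        // Pin the mode instead of relying on the release-dependent default.
        ctx.setProperty(PROP, Boolean.TRUE);
        return FAC.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        // The constraints that secure validation enforces on this runtime.
        System.out.println("policy: "
                + Security.getProperty("jdk.xml.dsig.secureValidationPolicy"));

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample document.
        Document doc = parse("<order id=\"42\"><amount>100</amount></order>");
        sign(doc, kp);
        System.out.println("untouched document valid: " + validate(doc, kp));

        // Any change to signed content must make validation fail.
        doc.getElementsByTagName("amount").item(0).setTextContent("999");
        System.out.println("modified document valid:  " + validate(doc, kp));
    }
}
```

Running it with `-Dorg.jcp.xml.dsig.secureValidation=false` makes `validate` throw instead of silently validating in the weaker mode.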
When the C1 compiler is the only compiler available to the VM, it applies loop predication to remove array access range checks from loop bodies. Due to a defect, this optimization was disabled, potentially leading to a performance regression.
This only affects the client VM or VMs running with the non-default command line flags `-XX:+NeverActAsServerClassMachine` or `-XX:TieredStopAtLevel=[1,2,3]`.
hs-err and VM.info (JDK-8251255)
On Linux, process memory information has been added to both JVM crash reports (`hs_err` files) and the `VM.info` diagnostic `jcmd`. This information contains the process' virtual size, its resident set size, and how much memory was swapped out. If the JVM uses `glibc`, the size of `glibc` outstanding allocations and retained memory are printed, as well as the `glibc` tunables.
jdk.jar.maxSignatureFileSize (JDK-8312489)
The system property, `jdk.jar.maxSignatureFileSize`, allows applications to control the maximum size of signature files in a signed JAR. Its default value has been increased from 8000000 bytes (8 MB) to 16000000 bytes (16 MB).
The following root certificates have been added to the cacerts truststore:
+ DigiCert, Inc.
+ digicertcseccrootg5
DN: CN=CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+ DigiCert, Inc.
+ digicertcsrsarootg5
DN: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+ DigiCert, Inc.
+ digicerttlseccrootg5
DN: DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+ DigiCert, Inc.
+ digicerttlsrsarootg5
DN: DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
The following root certificates have been added to the cacerts truststore:
+ eMudhra Technologies Limited
+ emsignrootcag1
DN: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+ eMudhra Technologies Limited
+ emsigneccrootcag3
DN: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+ eMudhra Technologies Limited
+ emsignrootcag2
DN: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
The following root certificate has been added to the cacerts truststore:
+ Telia Root CA v2
+ teliarootcav2
DN: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI
The following root certificate has been added to the cacerts truststore:
+ Let's Encrypt
+ letsencryptisrgx2
DN: CN=ISRG Root X2, O=Internet Security Research Group, C=US
X509KeyManager.chooseClientAlias Once for All Key Types (JDK-8262186)
The (D)TLS implementation in JDK now calls `X509KeyManager.chooseClientAlias()` only once during handshaking for client authentication, even if there are multiple algorithms requested.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.22:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8238436 | client-libs/java.awt | java/awt/Frame/FrameLocationTest/FrameLocationTest.java fails |
2 | JDK-8266421 | client-libs/javax.sound | Deadlock in Sound System |
3 | JDK-8153090 | client-libs/javax.swing | TAB key cannot change input focus after the radio button in the Color Selection dialog |
4 | JDK-8294427 | client-libs/javax.swing | Check boxes and radio buttons have rendering issues on Windows in High DPI env |
5 | JDK-8314263 | core-libs/java.util.logging | Signed jars triggering Logger finder recursion and StackOverflowError |
6 | JDK-8303440 | core-libs/java.util:i18n | The "ZonedDateTime.parse" may not accept the "UTC+XX" zone id |
7 | JDK-8313657 | core-libs/javax.naming | com.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors |
8 | JDK-8314063 | core-libs/javax.naming | The socket is not closed in Connection::createSocket when the handshake failed for LDAP connection |
9 | JDK-8198540 | core-libs/jdk.nashorn | Dynalink leaks memory when generating type converters |
10 | JDK-8299658 | hotspot/compiler | C1 compilation crashes in LinearScan::resolve_exception_edge |
11 | JDK-8313626 | hotspot/compiler | C2 crash due to unexpected exception control flow |
12 | JDK-8307572 | hotspot/compiler | AArch64: Vector registers are clobbered by some macroassemblers |
13 | JDK-8316178 | hotspot/compiler | Better diagnostic header for CodeBlobs |
14 | JDK-8316514 | hotspot/compiler | Better diagnostic header for VtableStub |
15 | JDK-8292713 | hotspot/compiler | Unsafe.allocateInstance should be intrinsified without UseUnalignedAccesses |
16 | JDK-8244207 | hotspot/compiler | Simplify usage of Compile::print_method() when debugging with gdb and enable its use with rr |
17 | JDK-8313756 | hotspot/compiler | [BACKOUT] 8308682: Enhance AES performance |
18 | JDK-8313760 | hotspot/compiler | [REDO] Enhance AES performance |
19 | JDK-8210265 | hotspot/gc | Crash in HSpaceCounters::update_used() |
20 | JDK-8275333 | hotspot/gc | Print count in "Too many recored phases?" assert |
21 | JDK-8316906 | hotspot/gc | Clarify TLABWasteTargetPercent flag |
22 | JDK-8207200 | hotspot/gc | Committed > max memory usage when getting MemoryUsage |
23 | JDK-8209062 | hotspot/gc | Clean up G1MonitoringSupport |
24 | JDK-8209061 | hotspot/gc | Move G1 serviceability functionality to G1MonitoringSupport |
25 | JDK-8208498 | hotspot/gc | Put archive regions into a first-class HeapRegionSet |
26 | JDK-8263185 | hotspot/runtime | Mallinfo deprecated in glibc 2.33 |
27 | JDK-8320597 | security-libs/java.security | RSA signature verification fails on signed data that does not encode params correctly |
28 | JDK-8302017 | security-libs/java.security | Allocate BadPaddingException only if it will be thrown |
29 | JDK-8313792 | tools/jshell | Verify 4th party information in src/jdk.internal.le/share/legal/jline.md |
The following sections summarize changes made in all Java SE 11.0.21 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
jdk.jar.maxSignatureFileSize (JDK-8312489)
The system property, `jdk.jar.maxSignatureFileSize`, allows applications to control the maximum size of signature files in a signed JAR. Its default value has been increased from 8000000 bytes (8 MB) to 16000000 bytes (16 MB).
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8312489 | security-libs | java.security | Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar |
JDK-8314880 (not public) | security-libs | org.ietf.jgss | Migrate SEAM KDC from sc11152399 to jpg-seclibs-infra-1-sol |
JDK-8316192 | core-libs | | Increased startup time observed when upgrading from 8 to 11 |
JDK-8054022 | core-libs | java.net | HttpURLConnection timeouts with Expect: 100-Continue and no chunking |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8314263 | core-libs | java.util.logging | Signed jars triggering Logger finder recursion and StackOverflowError |
JDK-8315696 | core-libs | java.util.logging | SignedLoggerFinderTest.java test failed |
JDK-8316087 | core-libs | java.util.logging | Test SignedLoggerFinderTest.java is still failing |
JDK-8232933 | tools | javac | Javac inferred type does not conform to equality constraint |
JDK-8309489 (not public) | install | install | 17.0.7/11.0.19 and later fail to run jar file via UNC path when using .exe files under javapath |
Release date: October 17, 2023
The full version string for this update release is 11.0.21+9 (where "+" means "build"). The version number is 11.0.21.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.21 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.21+9 |
8 | 8u391-b13 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.21) be used after the next critical patch update scheduled for January 16, 2024.
-XshowSettings:locale Output Now Includes Tzdata Version (JDK-8305950)
The `-XshowSettings` launcher option has been enhanced to print the tzdata version configured with the JDK. The tzdata version is displayed as part of the `locale` showSettings option.
Example output using `-XshowSettings:locale`:
```
.....
Locale settings:
    default locale = English
    default display locale = English
    default format locale = English
    tzdata version = 2023c
.....
```
The following root certificate from SECOM Trust System has been removed from the `cacerts` keystore:
+ alias name "secomscrootca1 [jdk]"
Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
The following root certificate has been added to the cacerts truststore:
+ Certigna (Dhimyotis)
+ certignarootca
DN: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR
The installation directory of Oracle JDK Debian packages has changed. It was originally `/usr/lib/jvm/jdk-${FEATURE}`. With this release, it has been changed to `/usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}`.
The Oracle JDK Debian package registers `jexec` as an interpreter for launching `.jar` files from the command line.
The Oracle JDK Debian package configures storage for Java Preferences API in the `/etc/.java/.systemPrefs` directory.
The Oracle JDK Debian package registers JDK commands with the `update-alternatives` command and supplies the `/usr/lib/jvm/.jdk-${FEATURE}-oracle-${ARCH}.jinfo` file for the `update-java-alternatives` command.
java.security.manager System Property (JDK-8301118)
In JDK 12, two new token options for the `java.security.manager` system property, "allow" and "disallow", were introduced.
Many applications and frameworks are designed to run on multiple JDKs. For those that enable the SecurityManager at runtime via `System.setSecurityManager`, they have to specify the "allow" option as of JDK 18 (see JDK-8203316). However, these applications would also prefer to use the same command line across multiple versions of the JDK, especially if it is not known what JDK version a user will use.
Currently, if these options are specified in JDK 12 or earlier, the runtime attempts to load a SecurityManager implementation with the classname "allow" or "disallow", which results in a `Could not create SecurityManager` Error and the application will not start up.
From this release onward, the "allow" and "disallow" options for the `java.security.manager` system property will be ignored.
The JDK implementation of TLS 1.2 now uses a default Diffie-Hellman keysize of 2048 bits when a TLS_DHE cipher suite is negotiated and either the client or server does not support FFDHE, which can negotiate a stronger keysize. The JDK TLS implementation supports FFDHE and it is enabled by default.
As a workaround, users can revert to the previous size by setting the `jdk.tls.ephemeralDHKeySize` system property to 1024 (at their own risk).
This change does not affect TLS 1.3 as the minimum DH group size is already 2048 bits.
For TLS connections, the cipher suite selection, by default, is updated to use the server cipher suites preference. Applications can configure the behavior by using the `SSLParameters.setUseCipherSuitesOrder()` method.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.21:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8298887 | client-libs | On the latest macOS+XCode the Robot API may report wrong colors |
2 | JDK-8306881 | client-libs/2d | Update FreeType to 2.13.0 |
3 | JDK-8307301 | client-libs/2d | Update HarfBuzz to 7.2.0 |
4 | JDK-8312555 | client-libs/2d | Ideographic characters aren't stretched by AffineTransform.scale(2, 1) |
5 | JDK-8304054 | client-libs/java.awt | Linux: NullPointerException from FontConfiguration.getVersion in case no fonts are installed |
6 | JDK-8311689 | client-libs/java.awt | Wrong visible amount in Adjustable of ScrollPane |
7 | JDK-8310054 | client-libs/java.awt | ScrollPane insets are incorrect |
8 | JDK-8297923 | client-libs/java.awt | java.awt.ScrollPane broken after multiple scroll up/down |
9 | JDK-8305815 | client-libs/java.awt | Update Libpng to 1.6.39 |
10 | JDK-6176679 | client-libs/java.awt | Application freezes when copying an animated gif image to the system clipboard |
11 | JDK-8286481 | client-libs/java.awt | Exception printed to stdout on Windows when storing transparent image in clipboard |
12 | JDK-8305517 | core-libs/java.net | Memory leak in Java Solaris native code when calling NetworkInterface.getHardwareAddress() |
13 | JDK-8248695 | core-libs/java.time | HostLocaleProviderAdapterImpl provides invalid date-only |
14 | JDK-8254350 | core-libs/java.util.concurrent | CompletableFuture.get may swallow InterruptedException |
15 | JDK-8300098 | core-libs/java.util.concurrent | java/util/concurrent/ConcurrentHashMap/ConcurrentAssociateTest.java fails with internal timeout when executed with TieredCompilation1/3 |
16 | JDK-8313765 | core-libs/java.util.jar | Invalid CEN header (invalid zip64 extra data field size) |
17 | JDK-8234808 | core-svc/debugger | jdb quoted option parsing broken |
18 | JDK-8292778 | core-svc/java.lang.instrument | EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free |
19 | JDK-8300659 | core-svc/java.lang.management | Refactor TestMemoryAwareness to use WhiteBox api for host values |
20 | JDK-8257993 | hotspot/jvmti | vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine/TestDescription.java crash intermittently |
21 | JDK-8297887 | hotspot/runtime | Update Siphash |
22 | JDK-8303215 | hotspot/runtime | Make thread stacks not use huge pages |
23 | JDK-8220570 | hotspot/runtime | Additional trace when native thread creation fails |
24 | JDK-8283849 | hotspot/svc | AsyncGetCallTrace may crash JVM on guarantee |
25 | JDK-8301170 | hotspot/svc | perfMemory_windows.cpp add free_security_attr to early returns |
26 | JDK-8252530 | hotspot/test | Fix inconsistencies in hotspot whitebox |
27 | JDK-8213059 | install/install | Java .deb package implementation is incomplete |
28 | JDK-8296452 | security-libs/javax.crypto | Solaris Ucrypto context memory leak on CRYPTO_BUFFER_TOO_SMALL error |
29 | JDK-8275233 | tools/javac | Incorrect line number reported in exception stack trace thrown from a lambda expression |
The following sections summarize changes made in all Java SE 11.0.20 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8312555 | client-libs | 2d | Ideographic characters aren't stretched by AffineTransform.scale(2, 1) |
JDK-8255387 | client-libs | 2d | Japanese characters were printed upside down on AIX |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8313765 | core-libs | java.util.jar | Invalid CEN header (invalid zip64 extra data field size) |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8294427 | client-libs | javax.swing | Check boxes and radio buttons have rendering issues on Windows in High DPI env |
JDK-6176679 | client-libs | java.awt | Application freezes when copying an animated gif image to the system clipboard |
JDK-8286481 | client-libs | java.awt | Exception printed to stdout on Windows when storing transparent image in clipboard |
Release date: July 18, 2023
The full version string for this update release is 11.0.20+9 (where "+" means "build"). The version number is 11.0.20.
JDK 11.0.20 contains IANA time zone data 2023c which contains the following changes:
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.20 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.20+9 |
8 | 8u381-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.20) be used after the next critical patch update scheduled for October 17, 2023.
The China National Standard body (CESI) has recently published GB18030-2022, which is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to incorporate 5 code points (`U+9FEB` - `U+9FEF`) from Unicode 11.0 into Java SE 11 to allow implementations to comply with their `Implementation Level 1` requirements.
The China National Standard body (CESI) has recently published GB18030-2022, which is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The `Charset` implementation for this new standard has now replaced the prior `2000` standard. However, this new standard has some incompatible changes from the prior implementation. For those who need to use the old mappings, a new system property, `jdk.charset.GB18030`, is introduced. By setting its value to `2000`, the previous JDK releases' mappings for the GB18030 `Charset` are used, which are based on the `2000` standard.
The China National Standard body (CESI) has recently published GB18030-2022. This is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to state that Java SE 11 supports the `Implementation Level 2` of the GB18030-2022 standard.
The Windows KeyStore support in the SunMSCAPI provider has been expanded to include access to the local machine location. The new keystore types are:
The following keystore types were also added, allowing developers to make it clear they map to the current user:
A new Java Flight Recorder (JFR) event has been added to record details of initial security properties when loaded via the `java.security.Security` class.
The new event name is `jdk.InitialSecurityProperty` and contains the following fields:
Field name | Field Description |
---|---|
key | Security Property Key |
value | Corresponding Security Property Value |
This new JFR event is enabled by default. The `java.security.debug=properties` system property will also now print initial security properties to the standard error stream. With this new event and the already available `jdk.SecurityPropertyModification` event (when enabled since it is not enabled by default), a JFR recording can now monitor the initial settings of all security properties and any subsequent changes.
A new Java Flight Recorder (JFR) event has been added to record details of `java.security.Provider.getService(String type, String algorithm)` calls.
The new event name is `jdk.SecurityProviderService` and contains the following fields:
Field name | Field Description |
---|---|
type | Type of Service |
algorithm | Algorithm Name |
provider | Security Provider |
This event is disabled by default and can be enabled via the JFR configuration files or via standard JFR options.
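The two events above, together with `jdk.SecurityPropertyModification`, can be combined into a small audit of security configuration and algorithm use. The following is an added example, not JDK or Oracle sample code; the class name, the workload inside the recording and the property key it sets are constructed, and the `key`/`value` field names for the modification event are assumed to match those of the initial-property event.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.Security;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import jdk.jfr.Recording;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;

// Added example (hypothetical class name), not JDK or Oracle sample code.
public class SecurityJfrAudit {
    static final String INITIAL = "jdk.InitialSecurityProperty";
    static final String MODIFIED = "jdk.SecurityPropertyModification";
    static final String SERVICE = "jdk.SecurityProviderService";

    public static void main(String[] args) throws Exception {
        // Make sure java.security.Security has loaded its properties
        // before the recording starts.
        Security.getProviders();
        Path file = Files.createTempFile("security-audit", ".jfr");

        try (Recording rec = new Recording()) {
            rec.enable(INITIAL);   // enabled by default, listed for clarity
            rec.enable(MODIFIED);  // not enabled by default
            rec.enable(SERVICE);   // disabled by default
            rec.start();

            // Constructed workload standing in for the application under audit.
            MessageDigest.getInstance("SHA-256");
            MessageDigest.getInstance("SHA-1");
            Security.setProperty("example.constructed.property", "changed-at-runtime");

            rec.stop();
            rec.dump(file);
        }

        Map<String, String> initial = new TreeMap<>();
        Map<String, String> changed = new TreeMap<>();
        Set<String> services = new TreeSet<>();
        for (RecordedEvent e : RecordingFile.readAllEvents(file)) {
            switch (e.getEventType().getName()) {
                case INITIAL:
                    initial.put(e.getString("key"), e.getString("value"));
                    break;
                case MODIFIED:
                    changed.put(e.getString("key"), e.getString("value"));
                    break;
                case SERVICE:
                    services.add(e.getString("type") + "/" + e.getString("algorithm")
                            + " from " + e.getString("provider"));
                    break;
                default:
                    break;
            }
        }
        Files.delete(file);

        // Baseline: properties that control which algorithms the runtime accepts.
        System.out.println(initial.size() + " initial security properties recorded");
        for (String key : new String[] {"jdk.tls.disabledAlgorithms",
                "jdk.certpath.disabledAlgorithms", "jdk.jar.disabledAlgorithms"}) {
            System.out.println("  " + key + " = " + initial.get(key));
        }
        // Drift: anything changed through java.security.Security at run time.
        System.out.println("properties changed at run time: " + changed);
        // Usage: every provider service (type/algorithm) the workload requested.
        System.out.println("provider services requested:");
        services.forEach(s -> System.out.println("  " + s));
    }
}
```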
RSA private and public keys in PKCS#1 format can now be accepted by JDK providers, such as the RSA `KeyFactory.impl` from the SunRsaSign provider. The RSA private or public key object should have the PKCS#1 format and an encoding matching the ASN.1 syntax for a PKCS#1 RSA private key and public key.
Installing into the same, shared `jdk-(family)` directory is the default behavior for the JDK starting with the July 2023 CPU. It could lead to `FilesInUse` issues if JDK files are locked by the "System User". We recommend shutting down any apps using the JDK as the "System User" before upgrading.
A new system property, `jdk.nio.zipfs.allowDotZipEntry`, has been introduced. This system property can be used to remove the newly added restrictions in the Zip FS provider, which currently rejects ZIP files that contain entries with "." or ".." in name elements by default. Refer to the CSR for more detail.
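Before deciding whether to relax the restriction, it helps to know which archives contain such entries and how the running JDK treats them. The following is an added example, not the Zip FS provider's own code: it applies the rule as this note states it (a "." or ".." name element) and then opens the same archive through Zip FS. The class name, helper names and archive contents are constructed.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystem;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.stream.Collectors;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

// Added example (hypothetical class name), not JDK or Oracle sample code.
public class DotEntryScan {

    // True if any '/'-separated element of the entry name is "." or "..".
    static boolean hasDotElement(String entryName) {
        for (String element : entryName.split("/")) {
            if (element.equals(".") || element.equals("..")) {
                return true;
            }
        }
        return false;
    }

    // Lists the offending entry names using java.util.zip.ZipFile, which reads
    // the archive's central directory and does not apply the Zip FS restriction.
    static List<String> flaggedEntries(Path zip) throws IOException {
        try (ZipFile zf = new ZipFile(zip.toFile())) {
            return zf.stream()
                     .map(ZipEntry::getName)
                     .filter(DotEntryScan::hasDotElement)
                     .collect(Collectors.toList());
        }
    }

    // Reports what the Zip FS provider of the running JDK does with the archive.
    // The result depends on the JDK build and on jdk.nio.zipfs.allowDotZipEntry.
    static String zipFsVerdict(Path zip) {
        try (FileSystem fs = FileSystems.newFileSystem(zip, (ClassLoader) null)) {
            return "opened";
        } catch (IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    // Writes a constructed archive with the given entry names to a temp file.
    static Path writeArchive(String... names) throws IOException {
        Path zip = Files.createTempFile("dot-entry-scan", ".zip");
        try (OutputStream out = Files.newOutputStream(zip);
             ZipOutputStream zos = new ZipOutputStream(out)) {
            for (String name : names) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("constructed".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return zip;
    }

    public static void main(String[] args) throws IOException {
        // "notes..txt" contains dots but no "." or ".." element, so it is not flagged.
        Path clean = writeArchive("docs/readme.txt", "notes..txt");
        Path dotted = writeArchive("docs/readme.txt", "../outside.txt", "a/./b.txt");
        for (Path zip : new Path[] {clean, dotted}) {
            System.out.println(zip.getFileName()
                    + " flagged=" + flaggedEntries(zip)
                    + " zipfs=" + zipFsVerdict(zip));
            Files.delete(zip);
        }
    }
}
```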
/usr/java/default Symlink on Linux Restored (JDK-8306690)
A regression where the /usr/java/default symlink is not created by RPM installers on Linux platforms has been fixed. Installers will create the /usr/java/default symlink if it doesn't exist, targeting the /usr/java/latest symlink.
The JDK RPM installer will remove incorrectly constructed entries of "java" and "javac" groups registered by older Oracle JDK RPM installers from the alternatives before registering new "java" and "javac" entries.
An incorrectly constructed entry of the "java" group contains commands that are supposed to belong to the "javac" group.
An incorrectly constructed entry of the "javac" group contains commands that are supposed to belong to the "java" group.
All incorrectly constructed entries belonging to Oracle JDK RPM packages will be removed from the alternatives to avoid corruption of the alternatives internal data.
The removal has a potential side effect for users who have installed multiple JDK versions that are not updated to the latest release. Commands from a removed "java" or "javac" group are now unavailable for system Java switch, which potentially changes the current system Java without a warning. For example, if there is an out-of-date JDK RPM from an 11+ release, say 11.0.17, with an incorrectly constructed single "java" group installed and 8u381 RPM with this patch is installed, it will remove an entry from the "java" group belonging to the 11.0.17 RPM and thus will switch the current system Java from 11.0.17 to 8u381. The side effect will only happen when you install a lower JDK family with the fix, such as 8u381, and there is an out-of-date JDK from a higher family, such as 11.0.17, installed on the system. In that case, 8u381 will replace the older 11.0.17 as the latest. The remedy for the user is to install the latest JDK 11.
The following root certificate has been added to the cacerts truststore:
+ TWCA
+ twcaglobalrootca
DN: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
The following root certificates have been added to the cacerts truststore:
+ Google Trust Services LLC
+ gtsrootcar1
DN: CN=GTS Root R1, O=Google Trust Services LLC, C=US
+ Google Trust Services LLC
+ gtsrootcar2
DN: CN=GTS Root R2, O=Google Trust Services LLC, C=US
+ Google Trust Services LLC
+ gtsrootecccar3
DN: CN=GTS Root R3, O=Google Trust Services LLC, C=US
+ Google Trust Services LLC
+ gtsrootecccar4
DN: CN=GTS Root R4, O=Google Trust Services LLC, C=US
The following root certificates have been added to the cacerts truststore:
+ Microsoft Corporation
+ microsoftecc2017
DN: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US
+ Microsoft Corporation
+ microsoftrsa2017
DN: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US
This JDK implements Maintenance Release 2 of the Java SE 11 specification (JSR 384). This is indicated by the new system property java.specification.maintenance.version having the value of "2".
A virtual machine crash was observed in JDK 11.0.19 and 17.0.7 when executing the GregorianCalendar.computeTime() method (JDK-8307683). It was found that although the root cause of the crash is an old issue, a recent fix for a rare issue in the C2 compiler (JDK-8297951) made the crash much more likely. To mitigate this, the fix has been reverted in JDK 11.0.20 and 17.0.8 and will be reapplied once JDK-8307683 is resolved.
Starting with the July 2023 CPU, on operating systems where ASLR (Address Space Layout Randomization) is enabled, the CDS archive will be placed at a random address picked by the operating system.
This change may have a minor performance impact: (a) Start-up time may increase because the JVM needs to patch pointers inside the CDS archive. (b) Memory usage may increase because the memory used by the CDS archive is no longer shareable across processes. We expect the impact to be small because such increases should be only a small fraction of the overall application usage.
In the unlikely event that you must disable ASLR for CDS, you can use the JVM flags -XX:+UnlockDiagnosticVMOptions -XX:ArchiveRelocationMode=0. The usage of such flags is not recommended.
A behavioral change has been made when the default conf/security/java.security security configuration file fails to load. In such a scenario, the JDK will now throw an InternalError.
Such a scenario should never occur. The default security file should always be present. Prior to this change, a static security configuration was loaded.
A new system property, jdk.jar.maxSignatureFileSize, has been added to allow applications to control the maximum size of signature files in a signed JAR. The value of the system property is the desired size in bytes. The default value is 8000000 bytes.
java.util.zip.ZipFile has been updated to provide additional validation of ZIP64 extra fields when opening a ZIP file. This validation may be disabled by setting the system property jdk.util.zip.disableZip64ExtraFieldValidation to true.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.20:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8297241 | client-libs/2d | Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java |
2 | JDK-8022403 | client-libs/2d | sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails |
3 | JDK-8301998 | client-libs/2d | Update HarfBuzz to 7.0.1 |
4 | JDK-8302151 | client-libs/javax.imageio | BMPImageReader throws an exception reading BMP images |
5 | JDK-8227257 | client-libs/javax.swing | javax/swing/JFileChooser/4847375/bug4847375.java fails with AssertionError |
6 | JDK-8284756 | core-libs | [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem |
7 | JDK-8283059 | core-libs | Uninitialized warning in check_code.c with GCC 11.2 |
8 | JDK-8275735 | core-libs | [linux] Remove deprecated Metrics api (kernel memory limit) |
9 | JDK-8285497 | core-libs/java.lang | Add system property for Java SE specification maintenance version |
10 | JDK-8291638 | core-libs/java.net | Keep-Alive timeout of 0 should close connection immediately |
11 | JDK-8291637 | core-libs/java.net | HttpClient default keep alive timeout not followed if server sends invalid value |
12 | JDK-8211382 | core-libs/java.nio.charsets | ISO2022JP and GB18030 NIO converter issues |
13 | JDK-8301119 | core-libs/java.nio.charsets | Support for GB18030-2022 |
14 | JDK-8209167 | core-libs/java.util:i18n | Use CLDR's time zone mappings for Windows |
15 | JDK-8305400 | core-libs/java.util:i18n | ISO 4217 Amendment 175 Update |
16 | JDK-8275721 | core-libs/java.util:i18n | Name of UTC timezone in a locale changes depending on previous code |
17 | JDK-8293540 | core-svc | [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts |
18 | JDK-8219583 | performance/hotspot | Windows build failure after JDK-8214777 (Avoid some GCC 8.X strncpy() errors in HotSpot) |
19 | JDK-8252051 | hotspot/compiler | Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly |
20 | JDK-8303564 | hotspot/compiler | C2: "Bad graph detected in build_loop_late" after a CMove is wrongly split thru phi |
21 | JDK-8299570 | hotspot/compiler | [JVMCI] Insufficient error handling when CodeBuffer is exhausted |
22 | JDK-8300079 | hotspot/compiler | SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument |
23 | JDK-8299259 | hotspot/compiler | C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE |
24 | JDK-8297730 | hotspot/compiler | C2: Arraycopy intrinsic throws incorrect exception |
25 | JDK-8301491 | hotspot/compiler | C2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument |
26 | JDK-8201516 | hotspot/compiler | DebugNonSafepoints generates incorrect information |
27 | JDK-8269746 | hotspot/compiler | C2: assert(!in->is_CFG()) failed: CFG Node with no controlling input? |
28 | JDK-8289748 | hotspot/compiler | C2 compiled code crashes with SIGFPE with -XX:+StressLCM and -XX:+StressGCM |
29 | JDK-8303511 | hotspot/compiler | C2: assert(get_ctrl(n) == cle_out) during unrolling |
30 | JDK-8257621 | hotspot/jfr | JFR StringPool misses cached items across consecutive recordings |
31 | JDK-8243936 | hotspot/runtime | NonWriteable system properties are actually writeable |
32 | JDK-8295974 | hotspot/runtime | jni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames |
33 | JDK-8287007 | hotspot/runtime | [cgroups] Consistently use stringStream throughout parsing code |
34 | JDK-8292297 | security-libs/java.security | Fix up loading of override java.security properties file |
35 | JDK-8255348 | security-libs/java.security | NPE in PKIXCertPathValidator event logging code |
36 | JDK-8293858 | security-libs/java.security | Change PKCS7 code to use default SecureRandom impl instead of SHA1PRNG |
37 | JDK-8294906 | security-libs/javax.crypto:pkcs11 | Memory leak in PKCS11 NSS TLS server |
38 | JDK-8217375 | security-libs/jdk.security | jarsigner breaks old signature with long lines in manifest |
39 | JDK-8274205 | security-libs/org.ietf.jgss:krb5 | Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC |
40 | JDK-8221871 | tools/javadoc(tool) | javadoc should not set role=region on <section> elements |
41 | JDK-8219142 | tools/jlink | Remove unused JIMAGE_ResourcePath |
42 | JDK-8297587 | tools/jshell | Upgrade JLine to 3.22.0 |
43 | JDK-8301269 | xml/jaxp | Update Commons BCEL to Version 6.7.0 |
The following sections summarize changes made in all Java SE 11.0.19 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8308884 | hotspot | compiler | [17u/11u] Backout JDK-8297951 |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8306690 (not public) | install | install | Restore missing /usr/java/default symlink on Linux |
JDK-8308123 (not public) | install | install | /usr/java/latest symlink is not created during 8u371 jdk rpm install |
JDK-8305976 (not public) | install | install | Installation of OL-specific x64 jdk rpms pulls in i686 dependencies |
JDK-8305113 | core-libs | java.time | (tz) Update Timezone Data to 2023c |
JDK-8212970 | core-libs | java.time | TZ database in "vanguard" format support |
JDK-8302112 (not public) | hotspot | test | remove windows 2012 from task definitions |
Fixes from the prior BPR are included in this version.
April 18, 2023
The full version string for this update release is 11.0.19+9 (where "+" means "build"). The version number is 11.0.19.
JDK 11.0.19 contains IANA time zone data 2022g which contains the following changes:
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.19 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.19+9 |
8 | 8u371-b11 |
Oracle recommends that the JDK is updated with each Critical Patch Update. Use the Security Baseline page to determine the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 11.0.19) after the next critical patch update release, scheduled for July 18, 2023.
A native GSS-API library named sspi_bridge.dll has been added to the JDK on the Windows platform. The library is client-side only and uses the default credentials. It will be loaded when the sun.security.jgss.native system property is set to "true". A user can still load a third-party native GSS-API library by setting the sun.security.jgss.lib system property to its path.
Native GSS automatically uses cached credentials from operating systems, thus the javax.security.auth.useSubjectCredsOnly system property should be set to false.
com.sun.security.auth.module.Krb5LoginModule does not call native JGSS. Avoid using com.sun.security.auth.module.Krb5LoginModule from JAAS config.
Some Swing components, such as JLabels and JButtons, which display application text, will try to interpret that text as HTML, principally to enable styled text. The HTML processing of the text for these components will no longer recognize the <object> tag which allows for subclasses of java.awt.Component to be rendered on the component. To re-enable this, applications must specify -Dswing.html.object=true.
The following root certificate has been added to the cacerts truststore:
+ Certigna (Dhimyotis)
+ certignaca
DN: CN=Certigna, O=Dhimyotis, C=FR
SSLv2Hello and SSLv3 have been removed from the default enabled TLS protocols.
After this update, if SSLv3 is removed from the jdk.tls.disabledAlgorithms security property, the SSLSocket.getEnabledProtocols(), SSLServerSocket.getEnabledProtocols(), SSLEngine.getEnabledProtocols() and SSLParameters.getProtocols() APIs will return "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1". "SSLv3" will not be returned in this list.
If a client or server still needs to use the SSLv3 protocol they can do so by enabling it through the jdk.tls.client.protocols or jdk.tls.server.protocols system properties or with the SSLSocket.setEnabledProtocols(), SSLServerSocket.setEnabledProtocols() and SSLEngine.setEnabledProtocols() APIs.
The behavior of the method java.io.File.listRoots() on Microsoft Windows has changed in this release so that the returned array includes a File object for all available disk drives. This differs from the behavior in JDK 10 to JDK 20, where this method filtered out disk drives that were not accessible or did not have media present. This change avoids performance issues observed in the previous releases and also ensures that the method is consistent with the root directories in the iteration returned by FileSystem.getDefault().getRootDirectories().
Applications using the Dell BSAFE Crypto-J 3rd party security provider may encounter an IOException if decoding DH or DSA algorithm parameters with the following exception:
Exception in thread "main" java.io.IOException: Could not decode parameters.
    at com.rsa.cryptoj.o.ms.engineInit(Unknown Source)
    at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
Dell BSAFE Crypto-J version 6.2.6.2 has been released to address this issue. Applications using this provider should upgrade to that version or later. For applications on older versions of this provider, an interoperability fix has been added to this release of the JDK.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.19:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8285399 | client-libs/2d | JNI exception pending in awt_GraphicsEnv.c:1432 |
2 | JDK-8284023 | client-libs/java.awt | java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo |
3 | JDK-8296496 | client-libs/java.awt | Overzealous check in sizecalc.h prevents large memory allocation |
4 | JDK-8279614 | client-libs/java.awt | The left line of the TitledBorder is not painted on 150 scale factor |
5 | JDK-8288332 | client-libs/java.awt | Tier1 validate-source fails after 8279614 |
6 | JDK-8295685 | client-libs/java.awt | Update Libpng to 1.6.38 |
7 | JDK-8282958 | client-libs/javax.swing | Rendering Issues with Borders on Windows High-DPI systems |
8 | JDK-8299238 | core-libs | Fix Bad Copyright introduced in 8299223 |
9 | JDK-8294378 | core-libs/java.net | URLPermission constructor exception when using tr locale |
10 | JDK-8297569 | core-libs/java.net | URLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378 |
11 | JDK-8299439 | core-libs/java.text | java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR |
12 | JDK-8295530 | core-libs/java.util.jar | Update Zlib Data Compression Library to Version 1.2.13 |
13 | JDK-8287180 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2022-08-08 |
14 | JDK-8267038 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2022-03-02 |
15 | JDK-8296239 | core-libs/java.util:i18n | ISO 4217 Amendment 174 Update |
16 | JDK-8297548 | core-libs/jdk.nashorn | Update double-conversion to 3.2.0 |
17 | JDK-8169718 | core-svc/debugger | nsk/jdb/locals/locals002: ERROR: Cannot find boolVar with expected value: false |
18 | JDK-8292541 | core-svc/java.lang.management | [Metrics] Reported memory limit may exceed physical machine memory |
19 | JDK-8216314 | hotspot/compiler | SIGILL in CodeHeapState::print_names() |
20 | JDK-8276066 | hotspot/compiler | Reset LoopPercentProfileLimit for x86 due to suboptimal performance |
21 | JDK-8269574 | hotspot/compiler | C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events |
22 | JDK-8270533 | hotspot/compiler | AArch64: size_fits_all_mem_uses should return false if its output is a CAS |
23 | JDK-8295066 | hotspot/compiler | Folding of loads is broken in C2 after JDK-8242115 |
24 | JDK-8256934 | hotspot/compiler | C2: assert(C->live_nodes() <= C->max_node_limit()) failed: Live Node limit exceeded limit |
25 | JDK-8296912 | hotspot/compiler | C2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1 |
26 | JDK-8290964 | hotspot/compiler | C2 compilation fails with assert "non-reduction loop contains reduction nodes" |
27 | JDK-8296924 | hotspot/compiler | C2: assert(is_valid_AArch64_address(dest.target())) failed: bad address |
28 | JDK-8285835 | hotspot/compiler | SIGSEGV in PhaseIdealLoop::build_loop_late_post_work |
29 | JDK-8295788 | hotspot/compiler | C2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node" |
30 | JDK-8297951 | hotspot/compiler | C2: Create skeleton predicates for all If nodes in loop predication |
31 | JDK-8297264 | hotspot/compiler | C2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top |
32 | JDK-8295116 | hotspot/compiler | C2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead |
33 | JDK-8287425 | hotspot/compiler | Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path |
34 | JDK-8242115 | hotspot/compiler | C2 SATB barriers are not safepoint-safe |
35 | JDK-8272985 | hotspot/gc | Reference discovery is confused about atomicity and degree of parallelism |
36 | JDK-8283199 | hotspot/runtime | Linux os::cpu_microcode_revision() stalls cold startup |
37 | JDK-8271506 | hotspot/runtime | Add ResourceHashtable support for deleting selected entries |
38 | JDK-8048190 | hotspot/runtime | NoClassDefFoundError omits original ExceptionInInitializerError |
39 | JDK-8291763 | hotspot/runtime | Include virtualization information in hs_err crash log on Solaris |
40 | JDK-8289424 | hotspot/runtime | Include LD_HWCAP in hs_err log output |
41 | JDK-8287107 | hotspot/runtime | CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller |
42 | JDK-8287741 | hotspot/runtime | Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete |
43 | JDK-8293472 | hotspot/runtime | Incorrect container resource limit detection if manual cgroup fs mounts present |
44 | JDK-8231610 | hotspot/runtime | Relocate the CDS archive if it cannot be mapped to the requested address |
45 | JDK-8287011 | hotspot/runtime | Improve container information |
46 | JDK-8286030 | hotspot/runtime | Avoid JVM crash when containers share the same /tmp dir |
47 | JDK-8298349 | install/install | /usr/java/latest points to wrong JDK |
48 | JDK-8298330 | install/install | /usr/java/latest is missing after one of JDK rpms is uninstalled |
49 | JDK-8242897 | security-libs/java.security | KeyFactory.generatePublic( x509Spec ) failed with java.security.InvalidKeyException |
50 | JDK-8280890 | security-libs/java.security | Cannot use '-Djava.system.class.loader' with class loader in signed JAR |
51 | JDK-8253829 | security-libs/org.ietf.jgss | Wrong length compared in SSPI bridge |
52 | JDK-8225687 | security-libs/org.ietf.jgss | Newly added sspi.cpp in JDK-6722928 still contains some small errors |
53 | JDK-8222251 | tools/javac | preflow visitor is not visiting lambda expressions |
54 | JDK-8222091 | tools/javadoc(tool) | Javadoc does not handle package annotations correctly on package-info.java |
55 | JDK-8296619 | tools/javadoc(tool) | Upgrade jQuery to 3.6.1 |
The following sections summarize changes made in all Java SE 11.0.18 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8208077 | core-libs | java.io | File.listRoots performance degradation |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8280890 | security-libs | java.security | Cannot use '-Djava.system.class.loader' with class loader in signed JAR |
JDK-8297804 | core-libs | java.time | (tz) Update Timezone Data to 2022g |
January 17, 2023
The full version string for this update release is 11.0.18+9 (where "+" means "build"). The version number is 11.0.18.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.18 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.18+9 |
8 | 8u361-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.18) be used after the next critical patch update scheduled for April 18, 2023.
With this fix the SunJSSE DTLS implementation will by default exchange cookies for all handshakes (new and resumed) unless the System property jdk.tls.enableDtlsResumeCookie is false. The property only affects the cookie exchange for resumption.
An OCSP response signed with the RSASSA-PSS algorithm is now supported.
This issue prevents yum from automatically installing the correct packages required by Oracle Linux specific x86_64 headless and headful JDK packages. Instead of x86_64 packages, it will install i686 packages. To work around the issue, you may manually install packages with the same names as indicated by yum but with the x86_64 architecture.
After you have the x86_64 headless and/or headful jdk packages installed, you can get the list of required x86_64 packages by running the following script:
rpm -qa | grep -E -e '^jdk-.*-headful-.*\.x86_64$' -e '^jdk-.*-headless-.*\.x86_64$' | xargs -r rpm -q --requires | sort -u | cut -d ' ' -f 1 | grep -v '^rpmlib' | xargs -r rpm -q --whatprovides | sort -u | grep -e '.i[3456]86$' | xargs -r rpm -q --queryformat '%{name}.x86_64\n' | xargs -r echo
It will output a space-separated list of names of required x86_64 packages to stdout. You can pass this list to a sudo yum install command to ensure the installation of the required packages.
The “JavaScript script engine” for FXML is now disabled by default. Any .fxml file that has a "javascript" Processing Instruction (PI) will no longer load by default, and an exception will be thrown.
It can be enabled by setting the system property: -Djavafx.allowjs=true
With 11.0.14, we are shipping the original JDK 11 translated resource bundles for German.
The installation directory name of the Oracle JDK in the RPM package has changed from /usr/java/jdk-${VERSION} to /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}. Thus the 11.0.18 and 11.0.19 releases for x64 will both be installed in the /usr/lib/jvm/jdk-11-oracle-x64 directory. The RPM package will create a /usr/java/jdk-${FEATURE} link pointing to the installation directory for backward compatibility.
Communication with the alternatives framework of the JDK RPM package has changed. JDK RPM packages of prior versions registered a single java group of commands with the alternatives framework. The JDK 11 RPM package registers java and javac groups with the alternatives framework. The java group is for commands used to run applications: java, jjs, keytool, pack200, rmid, rmiregistry, unpack200. The javac group is used for all other commands. The set of commands registered by the package has not changed.
Two new Oracle Linux (OL)-specific JDK RPM packages have been added: jdk-11-headless and jdk-11-headful. These packages are available in OL7, OL8, and OL9 repositories. They are not available for OTN downloads. jdk-11-headless is a Headless Java Runtime for running non-GUI applications. jdk-11-headful is a Headful Java Runtime & Development Tools for developing and running applications of all types.
The combination of the OL-specific jdk-11-headless and jdk-11-headful packages provides the same JDK image and the same capabilities as the jdk-11 OTN package. OL-specific JDK RPM packages specify required capabilities, and the "Release" property of these packages has a %{dist} suffix.
Windows JDK installers must install the Oracle JDK in %Program Files%\Java\jdk-%FEATURE% instead of %Program Files%\Java\jdk-%VNUM%. That is, all updates of the same release must share one installation directory.
Thus the 11.0.18 and 11.0.19 releases will both install into %Program Files%\Java\jdk-11 by default, and the two cannot be installed at the same time.
If the JDK11.0.19 installer is launched when JDK11.0.18 is already installed, it will auto-upgrade them to JDK11.0.19. There may be a Files In Use dialog shown if the older version was running and locking JDK files.
If the JDK11.0.18 installer is launched when JDK11.0.19 is already installed, it will show an error that a newer version of this JDK family is already installed.
The Oracle JDK installation directory name will be changed from /Library/Java/JavaVirtualMachines/jdk-${VERSION}.jdk to /Library/Java/JavaVirtualMachines/jdk-${FEATURE}.jdk. Thus the 11.0.18 and 11.0.19 releases will both install into the /Library/Java/JavaVirtualMachines/jdk-11.jdk installation directory. Installing an older JDK update release will log an error, and not install the JDK, if a newer version of the same feature release already exists. An error dialog will be shown except in the case of a silent installation. JDK 11.0.N update releases shipped prior to JEP C208 will not be uninstalled during installation of a JDK 11 update release with JEP C208. However, the JDK 11 GA release will be removed and its location /Library/Java/JavaVirtualMachines/jdk-11.jdk will be reused.
ProcessBuilder on Windows is restored to address a regression caused by JDK-8250568. Previously, an argument to ProcessBuilder that started with a double-quote and ended with a backslash followed by a double-quote was passed to a command incorrectly and could cause the command to fail. For example, the argument "C:\\Program Files\" would be seen by the command with extra double-quotes. This update restores the long-standing behavior that does not treat the backslash before the final double-quote specially.
The Set implementation that holds principals and credentials in a JAAS Subject prohibits null elements and any attempt to add, query, or remove a null element will result in a NullPointerException. This is especially important when trying to remove principals or credentials from the subject at the logout phase but they are null because of a previous failed login. Various JDK LoginModule implementations have been fixed to avoid the exception. An Implementation Note has also been added to the logout() method of the LoginModule interface. Developers should verify and if necessary update any custom LoginModule implementations to be compliant with this implementation advice.
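For anyone reviewing a custom LoginModule against this advice, the following added example (not JDK code and not part of the release notes) shows a module whose logout() is safe after a failed login, next to the unguarded call that raises the exception. NullSafeLoginModule and DemoPrincipal are hypothetical names, and the empty callback handler is a constructed way to force a login failure.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class NullSafeLoginModule implements LoginModule {

    /** Hypothetical principal type used only by this example. */
    static final class DemoPrincipal implements Principal {
        private final String name;
        DemoPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String pendingName;        // set by login(), consumed by commit()
    private Principal userPrincipal;   // stays null unless commit() succeeds

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCallback = new NameCallback("user: ");
        try {
            handler.handle(new Callback[] { nameCallback });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        String name = nameCallback.getName();
        if (name == null || name.isEmpty()) {
            throw new FailedLoginException("no user name supplied");
        }
        pendingName = name;
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        if (pendingName == null) {
            return false;                 // login() did not succeed
        }
        if (subject.isReadOnly()) {
            throw new LoginException("Subject is read-only");
        }
        userPrincipal = new DemoPrincipal(pendingName);
        subject.getPrincipals().add(userPrincipal);
        pendingName = null;
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        if (pendingName == null && userPrincipal == null) {
            return false;                 // this module's login() never succeeded
        }
        pendingName = null;
        return logout();
    }

    @Override
    public boolean logout() throws LoginException {
        if (subject.isReadOnly()) {
            throw new LoginException("Subject is read-only");
        }
        // The guard: after a failed login userPrincipal is still null, and
        // the Subject's Set rejects null with a NullPointerException.
        if (userPrincipal != null) {
            subject.getPrincipals().remove(userPrincipal);
            userPrincipal = null;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        NullSafeLoginModule module = new NullSafeLoginModule();
        // Constructed failure: the handler never supplies a name.
        module.initialize(subject, callbacks -> { },
                Collections.<String, Object>emptyMap(),
                Collections.<String, Object>emptyMap());
        try {
            module.login();
        } catch (FailedLoginException expected) {
            System.out.println("login failed: " + expected.getMessage());
        }
        System.out.println("logout after failed login: " + module.logout());
        try {
            subject.getPrincipals().remove(null);   // what an unguarded logout() does
        } catch (NullPointerException e) {
            System.out.println("unguarded remove(null): NullPointerException");
        }
    }
}
```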
As part of ongoing maintenance, the JDK for Windows is built using the Microsoft Visual Studio 2022 toolchain starting with this release.
If you have issues with a Java application and if you have native or JNI libraries that are compiled with a different release of the compiler, then you must consider compatibility issues between the runtimes. Specifically, your environment is supported only if you follow the Microsoft guidelines when dealing with multiple runtimes.
The SunJSSE close notification checks for SSLEngine have been made less strict to conform to changes in the Transport Layer Security (TLS) RFCs. See also JDK-8253368.
Specifically, if an application tries to close its SSLEngine inbound side using SSLEngine.closeInbound() without having received a close notification message from its peer, the SSLEngine will no longer:
The new behavior will still consider this condition an error and will throw a local javax.net.ssl.SSLException. But a fatal-level alert will no longer be generated to be sent to the peer, and the underlying session will remain valid.
In addition, the internal transport context for the SSLEngine will also now be closed. This may result in a different SSLEngineResult.HandshakeStatus value on the SSLEngine. Any outstanding outbound data must still be obtained (SSLEngine.wrap()) and sent in order to gracefully close the connection.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.18:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8295429 | client-libs | Update harfbuzz md file |
2 | JDK-8293672 | client-libs | Update freetype md file |
3 | JDK-8240756 | client-libs/2d | [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled |
4 | JDK-8284033 | client-libs/java.awt | Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c |
5 | JDK-8277497 | client-libs/javax.accessibility | Last column cell in the JTable row is read as empty cell |
6 | JDK-8273655 | core-libs/java.net | content-types.properties files are missing some common types |
7 | JDK-8280950 | core-libs/java.util | RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix |
8 | JDK-8281183 | core-libs/java.util | RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950 |
9 | JDK-8272352 | core-libs/java.util:i18n | Java launcher can not parse Chinese character when system locale is set to UTF-8 |
10 | JDK-8294307 | core-libs/java.util:i18n | ISO 4217 Amendment 173 Update |
11 | JDK-8215571 | core-svc/debugger | jdb does not include jdk.* in the default class filter |
12 | JDK-8258894 | hotspot/compiler | C2: Forbid GCM to move stores into loops |
13 | JDK-8290781 | hotspot/compiler | Segfault at PhaseIdealLoop::clone_loop_handle_data_uses |
14 | JDK-8290711 | hotspot/compiler | assert(false) failed: infinite loop in PhaseIterGVN::optimize |
15 | JDK-8289043 | hotspot/compiler | C2: Vector constant materialization attempt |
16 | JDK-8290705 | hotspot/compiler | StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" |
17 | JDK-8240281 | hotspot/compiler | Remove failing assertion code when selecting first memory state in SuperWord::co_locate_pack |
18 | JDK-8290529 | hotspot/compiler | C2: assert(BoolTest(btest).is_canonical()) failure |
19 | JDK-8288445 | hotspot/compiler | AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding |
20 | JDK-8261336 | hotspot/compiler | IGV: enhance default filters |
21 | JDK-8287091 | hotspot/compiler | aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn |
22 | JDK-8272094 | hotspot/compiler | compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline" |
23 | JDK-8293816 | hotspot/compiler | CI: ciBytecodeStream::get_klass() is not consistent |
24 | JDK-8293044 | hotspot/compiler | C1: Missing access check on non-accessible class |
25 | JDK-8292158 | hotspot/compiler | AES-CTR cipher state corruption with AVX-512 |
26 | JDK-8284358 | hotspot/compiler | Unreachable loop is not removed from C2 IR, leading to a broken graph |
27 | JDK-8270947 | hotspot/compiler | AArch64: C1: use zero_words to initialize all objects |
28 | JDK-8290451 | hotspot/compiler | Incorrect result when switching to C2 OSR compilation from C1 |
29 | JDK-8209375 | hotspot/gc | ZGC: Use dynamic base address for mark stack space |
30 | JDK-8288754 | hotspot/gc | GCC 12 fails to build zReferenceProcessor.cpp |
31 | JDK-8232533 | hotspot/gc | G1 uses only a single thread for pretouching the java heap |
32 | JDK-8241423 | hotspot/gc | NUMA APIs fail to work in dockers due to dependent syscalls are disabled by default |
33 | JDK-8281297 | hotspot/gc | TestStressG1Humongous fails with guarantee(is_range_uncommitted) |
34 | JDK-8255716 | hotspot/runtime | AArch64: Regression: JVM crashes if manually offline a core |
35 | JDK-8266490 | hotspot/runtime | Extend the OSContainer API to support the pids controller of cgroups |
36 | JDK-8264593 | hotspot/runtime | debug.cpp utilities should be available in product builds. |
37 | JDK-8273526 | hotspot/runtime | Extend the OSContainer API pids controller with pids.current |
38 | JDK-8291459 | hotspot/runtime | JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*) |
39 | JDK-8292083 | hotspot/runtime | Detected container memory limit may exceed physical machine memory |
40 | JDK-8209689 | hotspot/test | Compiler.isGraalEnabled should not check jvmci.Compiler property |
41 | JDK-8283723 | infrastructure | Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows |
42 | JDK-8236470 | security-libs/java.security | Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId |
43 | JDK-8242151 | security-libs/java.security | Improve OID mapping and reuse among JDK security providers for aliases registration |
44 | JDK-8257722 | security-libs/java.security | Improve "keytool -printcert -jarfile" output |
45 | JDK-8239457 | security-libs/javax.crypto:pkcs11 | call ReleaseStringUTFChars before early returns in Java_sun_security_pkcs11_wrapper_PKCS11_connect |
46 | JDK-8273553 | security-libs/javax.net.ssl | sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368 |
47 | JDK-8273026 | security-libs/javax.security | Slow LoginContext.login() on multi threading application |
48 | JDK-8247964 | security-libs/javax.xml.crypto | All log0() in com/sun/org/slf4j/internal/Logger.java should be private |
49 | JDK-8247907 | security-libs/javax.xml.crypto | XMLDsig logging does not work |
50 | JDK-8293578 | tools/javac | Duplicate ldc generated by javac |
51 | JDK-8266082 | tools/javac | AssertionError in Annotate.fromAnnotations with -Xdoclint |
52 | JDK-8193462 | tools/javac | Fix Filer handling of package-info initial elements |
53 | JDK-8203277 | tools/javac | preflow visitor used during lambda attribution shouldn't visit class definitions inside the lambda body |
54 | JDK-8286444 | tools/javac | javac errors after JDK-8251329 are not helpful enough to find root cause |
55 | JDK-8286855 | tools/javac | javac error on invalid jar should only print filename |
56 | JDK-8236490 | tools/javac | Compiler bug relating to @NonNull annotation |
57 | JDK-8215291 | tools/javadoc(tool) | Broken links when generating from project without modules |
58 | JDK-8287076 | xml/org.w3c.dom | Document.normalizeDocument() produces different results |
The following sections summarize changes made in all Java SE 11.0.17 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8293562 | core-libs | java.net | KeepAliveCache Blocks Threads while Closing Connections |
JDK-8296943 | tools | | sun/net/www/http/HttpClient/MultiThreadTest Failing after KeepAliveCache Backport |
JDK-8282958 | client-libs | javax.swing | Rendering Issues with Borders on Windows High-DPI systems |
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8255716 | hotspot | runtime | JVM Crashes If Manually Offline a Core |
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8291973 | install | install | Java RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash |
JDK-8294357 | core-libs | java.time | (tz) Update Timezone Data to 2022d |
October 18, 2022
The full version string for this update release is 11.0.17+10 (where "+" means "build"). The version number is 11.0.17.
JDK 11.0.17 contains IANA time zone data 2022b, 2022c.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.17 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.17+10 |
8 | 8u351-b10 |
7 | 7u361-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.17) be used after the next critical patch update scheduled for January 17, 2023.
The default MAC algorithm used in a PKCS #12 keystore has been updated. The new algorithm is based on SHA-256 and is stronger than the old one based on SHA-1. See the security properties starting with `keystore.pkcs12` in the `java.security` file for detailed information.
The new SHA-256 based MAC algorithms were introduced in the 11.0.12, 8u301, and 7u311 JDK versions. Keystores created using this newer, stronger, MAC algorithm cannot be opened in JDK versions earlier than 11.0.12, 8u301, and 7u311. A 'java.security.NoSuchAlgorithmException' exception will be thrown in such circumstances.
For compatibility, use the `keystore.pkcs12.legacy` system property, which will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.
It is now possible to monitor deserialization of objects using JDK Flight Recorder (JFR). When JFR is enabled and the JFR configuration includes deserialization events, JFR will emit an event whenever the running program attempts to deserialize an object. The deserialization event is named `jdk.Deserialization`, and it is disabled by default. The deserialization event contains information that is used by the serialization filter mechanism; see the ObjectInputFilter specification. Additionally, if a filter is enabled, the JFR event indicates whether the filter accepted or rejected deserialization of the object. For further information about how to use the JFR deserialization event, see the article Monitoring Deserialization to Improve Application Security. For reference information about using and configuring JFR, see the JFR Runtime Guide and JFR Command Reference sections of the JDK Mission Control documentation.
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.
To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:
This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run `jarsigner -verify -verbose -certs` on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.
For example:
```
- Signed by "CN="Signer""
    Digest algorithm: SHA-1 (disabled)
    Signature algorithm: SHA1withRSA (disabled), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
```
JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.
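To apply the check above across many JARs, the `jarsigner -verify -verbose -certs` output can be parsed rather than read by eye. The following is an added example, not part of the original release note or of the JDK: the function and class names are hypothetical, the first sample reuses the output lines shown above, and the second sample is constructed.

```python
import re
from dataclasses import dataclass, field

# Matches e.g. "Digest algorithm: SHA-1 (disabled)" and
# "Signature algorithm: SHA1withRSA (disabled), 2048-bit key".
ALGO_LINE = re.compile(
    r"^\s*(?P<role>[A-Za-z ]*algorithm):\s*(?P<name>[^\s,(]+)"
    r"(?P<disabled>\s*\(disabled\))?",
    re.IGNORECASE,
)
SIGNER_LINE = re.compile(r'^\s*-\s*Signed by\s+"(?P<dn>.*)"\s*$')
# SHA-1 family names only: "SHA-1", "SHA1", "SHA1withRSA"; not "SHA-256".
SHA1_NAME = re.compile(r"SHA-?1(?![0-9])", re.IGNORECASE)
UNSIGNED_WARNING = "will be treated as unsigned"


@dataclass
class Finding:
    signer: str
    role: str        # e.g. "Digest algorithm"
    algorithm: str   # e.g. "SHA1withRSA"
    disabled: bool   # jarsigner printed "(disabled)" next to it
    sha1: bool       # algorithm name belongs to the SHA-1 family


@dataclass
class JarReport:
    findings: list = field(default_factory=list)
    treated_as_unsigned: bool = False
    disabled_property: str = ""  # security property named in the warning


def parse_jarsigner_output(text):
    """Parse the text printed by `jarsigner -verify -verbose -certs`."""
    report = JarReport()
    signer = "(unknown signer)"
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = SIGNER_LINE.match(line)
        if m:
            signer = m.group("dn")
            continue
        m = ALGO_LINE.match(line)
        if m:
            name = m.group("name")
            report.findings.append(Finding(
                signer=signer,
                role=m.group("role").strip(),
                algorithm=name,
                disabled=m.group("disabled") is not None,
                sha1=SHA1_NAME.search(name) is not None,
            ))
            continue
        if UNSIGNED_WARNING in line:
            report.treated_as_unsigned = True
            # The property that caused the rejection follows the warning.
            for nxt in lines[i + 1:]:
                if nxt.strip():
                    if "=" in nxt:
                        report.disabled_property = nxt.strip().split("=", 1)[0]
                    break
    return report


def verdict(report):
    """'unsigned' = JDK ignores the signature, 'weak' = SHA-1 or disabled
    algorithm present but still accepted, 'ok' = nothing to flag."""
    if report.treated_as_unsigned:
        return "unsigned"
    if any(f.disabled or f.sha1 for f in report.findings):
        return "weak"
    return "ok"


# Output lines taken from the release note above.
SAMPLE_SHA1 = '''- Signed by "CN="Signer""
    Digest algorithm: SHA-1 (disabled)
    Signature algorithm: SHA1withRSA (disabled), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
'''

# Constructed sample of a JAR signed with SHA-256 algorithms.
SAMPLE_OK = '''- Signed by "CN=Example Signer, O=Example"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
'''

if __name__ == "__main__":
    for label, sample in (("sha1.jar", SAMPLE_SHA1), ("ok.jar", SAMPLE_OK)):
        rep = parse_jarsigner_output(sample)
        print(label, verdict(rep), [(f.role, f.algorithm) for f in rep.findings])
```

A "weak" verdict marks JARs that still verify but use SHA-1 somewhere in the chain, which are the ones to re-sign before the restriction reaches them.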
Users can, at their own risk, remove these restrictions by modifying the `java.security` configuration file (or override it by using the `java.security.properties` system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the `jdk.certpath.disabledAlgorithms` security property and "SHA1 denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security property.
The `des3-hmac-sha1` and `rc4-hmac` Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set `allow_weak_crypto = true` in the `krb5.conf` configuration file to re-enable them (along with other weak etypes including `des-cbc-crc` and `des-cbc-md5`) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the `default_tkt_enctypes`, `default_tgs_enctypes`, or `permitted_enctypes` settings.
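The rules above can be turned into a configuration audit that reports which weak etypes a given `krb5.conf` leaves enabled. This is an added example, not JDK code: the function names are hypothetical, the sample files and realm are constructed, and it assumes that `true` or `yes` counts as a true value and that only the four etype names used in this note (not their aliases) need to be recognized.

```python
import re

# Weak etypes named in the release note above.
WEAK_ETYPES = ("des3-hmac-sha1", "rc4-hmac", "des-cbc-crc", "des-cbc-md5")
ETYPE_SETTINGS = ("default_tkt_enctypes", "default_tgs_enctypes",
                  "permitted_enctypes")
TRUE_VALUES = {"true", "yes"}  # assumption: accepted spellings of "true"


def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    section = None
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit_krb5_conf(text):
    """Report weak etypes that are listed and that are effectively enabled.

    Model taken from the note: weak etypes are off unless allow_weak_crypto
    is true; when it is true, an explicit etype list narrows the set and a
    missing list leaves every weak etype enabled for that setting.
    """
    settings = parse_libdefaults(text)
    allowed = settings.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    result = {"allow_weak_crypto": allowed, "listed_weak": {}, "enabled_weak": {}}
    for name in ETYPE_SETTINGS:
        if name in settings:
            listed = [t.lower() for t in re.split(r"[\s,]+", settings[name]) if t]
            weak_listed = [t for t in WEAK_ETYPES if t in listed]
            result["listed_weak"][name] = weak_listed
            result["enabled_weak"][name] = weak_listed if allowed else []
        else:
            result["enabled_weak"][name] = list(WEAK_ETYPES) if allowed else []
    return result


# Constructed sample: weak crypto re-enabled, one setting narrowed.
CONF_WEAK = """
[libdefaults]
    default_realm = EXAMPLE.TEST
    allow_weak_crypto = true
    # ticket requests keep only one weak etype
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac

[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
    }
"""

# Constructed sample: a weak etype is listed but the flag is not set.
CONF_DEFAULT = """
[libdefaults]
    default_realm = EXAMPLE.TEST
    permitted_enctypes = aes128-cts-hmac-sha1-96, des3-hmac-sha1
"""

if __name__ == "__main__":
    for label, conf in (("weak", CONF_WEAK), ("default", CONF_DEFAULT)):
        print(label, audit_krb5_conf(conf))
```

In the first sample the two settings without an explicit list are the larger exposure, since every weak etype stays enabled for them.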
Two system properties have been added which control the keep alive behavior of HttpURLConnection in the case where the server does not specify a keep alive time. Two properties are defined for controlling connections to servers and proxies separately. They are `http.keepAlive.time.server` and `http.keepAlive.time.proxy` respectively. More information about them can be found in Networking Properties.
Previous JDK releases used an incorrect interpretation of the Linux cgroups parameter "cpu.shares". This might cause the JVM to use fewer CPUs than available, leading to an underutilization of CPU resources when the JVM is used inside a container.
Starting from this JDK release, by default, the JVM no longer considers "cpu.shares" when deciding the number of threads to be used by the various thread pools. The `-XX:+UseContainerCpuShares` command-line option can be used to revert to the previous behavior. This option is deprecated and may be removed in a future JDK release.
This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone data. All time zone IDs remain the same but the merged time zones will point to a shared zone data.
As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.
For more details, refer to the announcement of 2022b.
A new system property named `jdk.httpserver.maxConnections` has been introduced to allow users to configure the `com.sun.net.httpserver.HttpServer` to limit the maximum number of open connections to the server at any given time. This system property takes an integer value and can be configured to be a positive integer. If the property is absent, set to 0, or a negative value, the server will not limit the number of open connections. By default, this system property is not set.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.17:
# | JBS | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8285686 | client-libs | 2d | Update FreeType to 2.12.0 |
2 | JDK-8289853 | client-libs | 2d | Update HarfBuzz to 4.4.1 |
3 | JDK-8290334 | client-libs | 2d | Update FreeType to 2.12.1 |
4 | JDK-8273506 | client-libs | java.awt | java Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12 |
5 | JDK-8255439 | client-libs | java.awt | System Tray icons get corrupted when windows scaling changes |
6 | JDK-8231454 | client-libs | java.beans | File lock in Windows on a loaded jar due to a leak in Introspector::getBeanInfo |
7 | JDK-8261352 | client-libs | javax.accessibility | Create implementation for component peer for all the components who should be ignored in a11y interactions |
8 | JDK-8263420 | client-libs | javax.accessibility | Incorrect function name in NSAccessibilityStaticText native peer implementation |
9 | JDK-8262981 | client-libs | javax.accessibility | Create implementation for NSAccessibilitySlider protocol |
10 | JDK-8287740 | client-libs | javax.accessibility | NSAccessibilityShowMenuAction not working for text editors |
11 | JDK-8275071 | client-libs | javax.accessibility | [macos] A11y cursor gets stuck when combobox is closed |
12 | JDK-8274383 | client-libs | javax.accessibility | JNI call of getAccessibleSelection on a wrong thread |
13 | JDK-8267387 | client-libs | javax.accessibility | Create implementation for NSAccessibilityOutline protocol |
14 | JDK-8267388 | client-libs | javax.accessibility | Create implementation for NSAccessibilityTable protocol |
15 | JDK-8262031 | client-libs | javax.accessibility | Create implementation for NSAccessibilityNavigableStaticText protocol |
16 | JDK-8275809 | client-libs | javax.accessibility | crash in [CommonComponentAccessibility getCAccessible:withEnv:] |
17 | JDK-8273678 | client-libs | javax.accessibility | TableAccessibility and TableRowAccessibility miss autorelease |
18 | JDK-8271071 | client-libs | javax.accessibility | accessibility of a table on macOS lacks cell navigation |
19 | JDK-8267066 | client-libs | javax.accessibility | New NSAccessibility peers should return they roles and subroles directly |
20 | JDK-8275720 | client-libs | javax.accessibility | CommonComponentAccessibility.createWithParent isWrapped causes mem leak |
21 | JDK-8267385 | client-libs | javax.accessibility | Create NSAccessibilityElement implementation for JavaComponentAccessibility |
22 | JDK-8275819 | client-libs | javax.accessibility | [TableRowAccessibility accessibilityChildren] method is ineffective |
23 | JDK-8284690 | client-libs | javax.accessibility | [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox |
24 | JDK-8286266 | client-libs | javax.accessibility | [macos] Voice over moving JTable column to be the first column JVM crashes |
25 | JDK-8278609 | client-libs | javax.accessibility | [macos] accessibility frame is misplaced on a secondary monitor on macOS |
26 | JDK-8284014 | client-libs | javax.accessibility | Menu items with submenus in JPopupMenu are not spoken on macOS |
27 | JDK-8283383 | client-libs | javax.accessibility | [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name |
28 | JDK-8211795 | client-libs | javax.imageio | ArrayIndexOutOfBoundsException in PNGImageReader after JDK-6788458 |
29 | JDK-8256109 | client-libs | javax.swing | Create implementation for NSAccessibilityButton protocol |
30 | JDK-8256108 | client-libs | javax.swing | Create implementation for NSAccessibilityElement protocol peer |
31 | JDK-8256126 | client-libs | javax.swing | Create implementation for NSAccessibilityImage protocol peer |
32 | JDK-8256110 | client-libs | javax.swing | Create implementation for NSAccessibilityStepper protocol |
33 | JDK-8256111 | client-libs | javax.swing | Create implementation for NSAccessibilityStaticText protocol |
34 | JDK-8261350 | client-libs | javax.swing | Create implementation for NSAccessibilityCheckBox protocol peer |
35 | JDK-8261351 | client-libs | javax.swing | Create implementation for NSAccessibilityRadioButton protocol |
36 | JDK-8264299 | client-libs | javax.swing | Create implementation of native accessibility peer for ScrollPane and ScrollBar Java Accessibility roles |
37 | JDK-8264300 | client-libs | javax.swing | Create implementation for NSAccessibilityScrollBar protocol peer |
38 | JDK-8264290 | client-libs | javax.swing | Create implementation for NSAccessibilityComponentGroup protocol peer |
39 | JDK-8264304 | client-libs | javax.swing | Create implementation for NSAccessibilityToolbar protocol peer |
40 | JDK-8264302 | client-libs | javax.swing | Create implementation for Accessibility native peer for Splitpane java role |
41 | JDK-8264305 | client-libs | javax.swing | Create implementation for native accessibility peer for Statusbar java role |
42 | JDK-8264287 | client-libs | javax.swing | Create implementation for NSAccessibilityComboBox protocol peer |
43 | JDK-8264303 | client-libs | javax.swing | Create implementation for NSAccessibilityTabGroup protocol peer |
44 | JDK-8264297 | client-libs | javax.swing | Create implementation for NSAccessibilityProgressIndicator protocol peer |
45 | JDK-8264294 | client-libs | javax.swing | Create implementation for NSAccessibilityMenuBar protocol peer |
46 | JDK-8264298 | client-libs | javax.swing | Create implementation for NSAccessibilityRow protocol peer |
47 | JDK-8264286 | client-libs | javax.swing | Create implementation for NSAccessibilityColumn protocol peer |
48 | JDK-8264291 | client-libs | javax.swing | Create implementation for NSAccessibilityCell protocol peer |
49 | JDK-8264292 | client-libs | javax.swing | Create implementation for NSAccessibilityList protocol peer |
50 | JDK-8264293 | client-libs | javax.swing | Create implementation for NSAccessibilityMenu protocol peer |
51 | JDK-8264295 | client-libs | javax.swing | Create implementation for NSAccessibilityMenuItem protocol peer |
52 | JDK-8264296 | client-libs | javax.swing | Create implementation for NSAccessibilityPopUpButton protocol peer |
53 | JDK-8287917 | core-libs | java.lang:class_loading | System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier |
54 | JDK-8288769 | core-libs | java.util.jar | Revert unintentional change to deflate.c |
55 | JDK-8283277 | core-libs | java.util:i18n | ISO 4217 Amendment 171 Update |
56 | JDK-8289549 | core-libs | java.util:i18n | ISO 4217 Amendment 172 Update |
57 | JDK-8254001 | core-svc | | [Metrics] Enhance parsing of cgroup interface files for version detection |
58 | JDK-8276990 | core-svc | debugger | Memory leak in invoker.c fillInvokeRequest() during JDI operations |
59 | JDK-8281615 | core-svc | debugger | Deadlock caused by jdwp agent |
60 | JDK-8284094 | core-svc | debugger | Memory leak in invoker_completeInvokeRequest() |
61 | JDK-8208471 | core-svc | debugger | nsk/jdb/unwatch/unwatch002/unwatch002.java fails with "Prompt is not received during 300200 milliseconds" |
62 | JDK-8235385 | hotspot | compiler | Crash on aarch64 JDK due to long offset |
63 | JDK-8139046 | hotspot | compiler | Compiler Control: IGVPrintLevel directive should set PrintIdealGraph |
64 | JDK-8271567 | hotspot | compiler | AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions |
65 | JDK-8211100 | hotspot | compiler | hotspot C1 issue with comparing long numbers on x86 32-bit |
66 | JDK-8282467 | hotspot | compiler | add extra diagnostics for JDK-8268184 |
67 | JDK-8269517 | hotspot | compiler | compiler/loopopts/TestPartialPeelingSinkNodes.java crashes with -XX:+VerifyGraphEdges |
68 | JDK-8282555 | hotspot | compiler | Missing memory edge when spilling MoveF2I, MoveD2L etc |
69 | JDK-8284882 | hotspot | compiler | SIGSEGV in Node::verify_edges due to compilation bailout |
70 | JDK-8270090 | hotspot | compiler | C2: LCM may prioritize CheckCastPP nodes over projections |
71 | JDK-8285820 | hotspot | compiler | C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090 |
72 | JDK-8288467 | hotspot | compiler | remove memory_operand assert for spilled instructions |
73 | JDK-8279622 | hotspot | compiler | C2: miscompilation of map pattern as a vector reduction |
74 | JDK-8286177 | hotspot | compiler | C2: "failed: non-reduction loop contains reduction nodes" assert failure |
75 | JDK-8284944 | hotspot | compiler | assert(cnt++ < 40) failed: infinite cycle in loop optimization |
76 | JDK-8287223 | hotspot | compiler | C1: Inlining attempt through MH::invokeBasic() with null receiver |
77 | JDK-8272736 | hotspot | compiler | [JVMCI] Add API for reading and writing JVMCI thread locals |
78 | JDK-8235870 | hotspot | compiler | C2 crashes in IdealLoopTree::est_loop_flow_merge_sz() |
79 | JDK-8271010 | hotspot | compiler | vmTestbase/gc/lock/malloc/malloclock04/TestDescription.java crashes intermittently |
80 | JDK-8288360 | hotspot | compiler | CI: ciInstanceKlass::implementor() is not consistent for well-known classes |
81 | JDK-8287432 | hotspot | compiler | C2: assert(tn->in(0) != __null) failed: must have live top node |
82 | JDK-8258946 | hotspot | compiler | Fix optimization-unstable code involving signed integer overflow |
83 | JDK-8286314 | hotspot | compiler | Trampoline not created for far runtime targets outside small CodeCache |
84 | JDK-8280799 | hotspot | compiler | C2: assert(false) failed: cyclic dependency prevents range check elimination |
85 | JDK-8288781 | hotspot | compiler | C1: LIR_OpVisitState::maxNumberOfOperands too small |
86 | JDK-8288865 | hotspot | compiler | [aarch64] LDR instructions must use legitimized addresses |
87 | JDK-8283441 | hotspot | compiler | C2: segmentation fault in ciMethodBlocks::make_block_at(int) |
88 | JDK-8265677 | hotspot | gc | CMS: CardTableBarrierSet::write_ref_array_work() lacks storestore barrier |
89 | JDK-8223575 | hotspot | gc | add subspace transitions to gc+metaspace=info log lines |
90 | JDK-8217170 | hotspot | gc | gc/arguments/TestUseCompressedOopsErgo.java timed out |
91 | JDK-8252359 | hotspot | runtime | HotSpot Not Identifying it is Running in a Container |
92 | JDK-8220658 | hotspot | runtime | Improve the readability of container information in the error log |
93 | JDK-8253797 | hotspot | runtime | [cgroups v2] Account for the fact that swap accounting is disabled on some systems |
94 | JDK-8254997 | hotspot | runtime | Remove unimplemented OSContainer::read_memory_limit_in_bytes |
95 | JDK-8281274 | hotspot | runtime | deal with ActiveProcessorCount in os::Linux::print_container_info |
96 | JDK-8283469 | hotspot | runtime | Don't use memset to initialize members in FileMapInfo and fix memory leak |
97 | JDK-8247354 | hotspot | runtime | AArch64: PopFrame causes assert(oopDesc::is_oop(obj)) failed: not an oop |
98 | JDK-8268773 | hotspot | runtime | Improvements related to: Failed to start thread - pthread_create failed (EAGAIN) |
99 | JDK-8289477 | hotspot | runtime | Memory corruption with CPU_ALLOC, CPU_FREE on muslc |
100 | JDK-8289799 | hotspot | runtime | Build warning in methodData.cpp memset zero-length parameter |
101 | JDK-8239559 | hotspot | runtime | Cgroups: Incorrect detection logic on some systems |
102 | JDK-8253435 | hotspot | runtime | Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist |
103 | JDK-8239785 | hotspot | runtime | Cgroups: Incorrect detection logic on old systems in hotspot |
104 | JDK-8209414 | hotspot | svc | AArch64: method handle invocation does not respect JVMTI interp_only mode |
105 | JDK-8235220 | hotspot | svc-agent | ClhsdbScanOops.java fails with sun.jvm.hotspot.types.WrongTypeException |
106 | JDK-8186143 | security-libs | java.security | keytool -ext option doesn't accept wildcards for DNS subject alternative names |
107 | JDK-8263404 | security-libs | java.security | RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec |
108 | JDK-8275887 | security-libs | java.security | jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled |
109 | JDK-8281628 | security-libs | javax.crypto | KeyAgreement : generateSecret intermittently not resetting |
110 | JDK-8284694 | security-libs | javax.net.ssl | Avoid evaluating SSLAlgorithmConstraints twice |
111 | JDK-8286211 | security-libs | javax.smartcardio | Update PCSC-Lite for Suse Linux to 1.9.5 |
112 | JDK-8285398 | security-libs | jdk.security | Cache the results of constraint checks |
113 | JDK-8155701 | tools | javac | The compiler fails with an AssertionError: typeSig ERROR |
114 | JDK-8281316 | tools | javac | javac performance issues with large number of jars on classpath |
115 | JDK-8282214 | tools | javadoc(tool) | Upgrade JQuery to version 3.6.0 |
116 | JDK-8284367 | tools | javadoc(tool) | JQuery UI upgrade from 1.12.1 to 1.13.1 |
117 | JDK-8280373 | xml | javax.xml.parsers | Update Xalan serializer / SystemIDResolver to align with JDK-8270492 |
118 | JDK-8289486 | xml | jaxp | Improve XSLT XPath operators count efficiency |
The following sections summarize changes made in all Java SE 11.0.16.1 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8239785 | hotspot | runtime | Cgroups: Incorrect detection logic on old systems in hotspot |
August 18, 2022
The full version string for this update release is 11.0.16.1+1 (where "+" means "build"). The version number is 11.0.16.1.
The security baselines are unchanged from the release of JDK 11.0.16.
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.16+11 |
8 | 8u341-b10 |
7 | 7u351-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.16.1) be used after the next critical patch update scheduled for October 18, 2022.
Oracle recommends that all JDK 11 users, even those that have already updated to 11.0.16, update to the 11.0.16.1 patch release.
Fixes a regression in the C2 JIT compiler which caused the Java Runtime to crash unpredictably.
July 19, 2022
The full version string for this update release is 11.0.16+11 (where "+" means "build"). The version number is 11.0.16.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.16 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.16+11 |
8 | 8u341-b10 |
7 | 7u351-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.16) be used after the next critical patch update scheduled for October 18, 2022.
Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection.
Channel binding tokens are increasingly required as an enhanced form of security which can mitigate certain kinds of socially engineered, man-in-the-middle (MITM) attacks. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shut down the session/connection.
The feature is controlled through a new system property `jdk.https.negotiate.cbt` which is described fully on the Networking Properties page.
The `java.net.InetAddress` class has been updated to strictly accept IPv4 address literals in decimal quad notation. The `InetAddress` class methods are updated to throw a `java.net.UnknownHostException` for invalid IPv4 address literals. To disable this check, the new "jdk.net.allowAmbiguousIPAddressLiterals" system property can be set to "true".
On oracle.com and java.com, certain JDK bundle extensions are getting truncated on download when using Firefox version 102. The downloaded bundles have no file extension like ".exe", ".rpm", ".deb". If you are not able to upgrade to Firefox ESR 102.0.1 or Firefox 103 when it is released, then as a workaround you can:
`java.util.Vector` is updated to correctly report `ClassNotFoundException` that occurs during deserialization using `java.io.ObjectInputStream.GetField.get(name, object)` when the class of an element of the Vector is not found. Without this fix, a `StreamCorruptedException` is thrown that does not provide information about the missing class.
`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. `ZIPOutputStream.closeEntry()` method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.16:
# | JBS | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8221741 | client-libs | 2d | ClassCastException can happen when fontconfig.properties is used |
2 | JDK-8262470 | client-libs | 2d | Printed GlyphVector outline with low DPI has bad quality on Windows |
3 | JDK-8251558 | client-libs | demo | J2DBench should support shaped and translucent windows |
4 | JDK-8274751 | client-libs | java.awt | Drag And Drop hangs on Windows |
5 | JDK-8133713 | client-libs | javax.accessibility | [macosx] Accessible JTables always reported as empty |
6 | JDK-8277922 | client-libs | javax.accessibility | Unable to click JCheckBox in JTable through Java Access Bridge |
7 | JDK-7124301 | client-libs | javax.accessibility | [macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements. |
8 | JDK-7124298 | client-libs | javax.accessibility | [macosx] Nothing heard from VoiceOver when tabbing between a nested tab group and a parent tab group |
9 | JDK-7124293 | client-libs | javax.accessibility | [macosx] VoiceOver reads percentages rather than the actual values for sliders. |
10 | JDK-8274735 | client-libs | javax.imageio | javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image |
11 | JDK-8212904 | client-libs | javax.swing | JTextArea line wrapping incorrect when using UI scale |
12 | JDK-8277093 | core-libs | java.io:serialization | Vector should throw ClassNotFoundException for a missing class of an element |
13 | JDK-8267256 | core-libs | java.net | Extend minimal retry for loopback connections on Windows to PlainSocketImpl |
14 | JDK-8250521 | core-libs | java.net | Configure initial RTO to use minimal retry for loopback connections on Windows |
15 | JDK-8255264 | core-libs | java.net | Support for identifying the full range of IPv4 localhost addresses on Windows |
16 | JDK-8279842 | core-libs | java.net | HTTPS Channel Binding support for Java GSS/Kerberos |
17 | JDK-8282293 | core-libs | java.net | Domain value for system property jdk.https.negotiate.cbt should be case-insensitive |
18 | JDK-8258795 | core-libs | java.util:i18n | Update IANA Language Subtag Registry to Version 2021-05-11 |
19 | JDK-8277368 | core-libs | javax.script | Metaspace OOM thrown due to the leak of Nashorn ScriptEngine |
20 | JDK-8279219 | hotspot | compiler | [REDO] C2 crash when allocating array of size too large |
21 | JDK-8234930 | hotspot | compiler | Use MAP_JIT when allocating pages for code cache on macOS |
22 | JDK-8224648 | hotspot | compiler | assert(!exceeding_node_budget()) failed: Too many NODES required! failure with ctw |
23 | JDK-8225475 | hotspot | compiler | Node budget asserts on x86_32/64 |
24 | JDK-8223143 | hotspot | compiler | Restructure/clean-up for 'loopexit_or_null()'. |
25 | JDK-8223363 | hotspot | compiler | Bad node estimate assertion failure |
26 | JDK-8263403 | hotspot | compiler | [JVMCI] output written to tty via HotSpotJVMCIRuntime can be garbled |
27 | JDK-8283451 | hotspot | compiler | C2: assert(_base == Long) failed: Not a Long |
28 | JDK-8282312 | hotspot | compiler | Minor corrections to evbroadcasti32x4 intrinsic on x86 |
29 | JDK-8254887 | hotspot | compiler | C2: assert(cl->trip_count() > 0) failed: peeling a fully unrolled loop |
30 | JDK-8253816 | hotspot | compiler | Support macOS W^X |
31 | JDK-8253795 | hotspot | compiler | Implementation of JEP 391: macOS/AArch64 Port |
32 | JDK-8214004 | hotspot | compiler | Missing space between compiler thread name and task info in hs_err |
33 | JDK-8216137 | hotspot | compiler | assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit |
34 | JDK-8234605 | hotspot | compiler | C2 failed "assert(C->live_nodes() - live_at_begin <= 2 * _nodes_required) failed: Bad node estimate: actual = 208 >> request = 101" |
35 | JDK-8283641 | hotspot | compiler | Large value for CompileThresholdScaling causes assert |
36 | JDK-8283408 | hotspot | compiler | Fix a C2 crash when filling arrays with unsafe |
37 | JDK-8280867 | hotspot | compiler | Cpuid1Ecx feature parsing is incorrect for AMD CPUs |
38 | JDK-8279837 | hotspot | compiler | C2: assert(is_Loop()) failed: invalid node class: Region |
39 | JDK-8279668 | hotspot | compiler | x86: AVX2 versions of vpxor should be asserted |
40 | JDK-8275330 | hotspot | compiler | C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions |
41 | JDK-8275337 | hotspot | compiler | C1: assert(false) failed: live_in set of first block must be empty |
42 | JDK-8280526 | hotspot | compiler | x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1} |
43 | JDK-8279356 | hotspot | compiler | Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist! |
44 | JDK-8262011 | hotspot | compiler | [JVMCI] allow printing to tty from unattached libgraal thread |
45 | JDK-8265480 | hotspot | compiler | add basic JVMCI support for JEP 309: Dynamic Class-File Constants |
46 | JDK-8262323 | hotspot | compiler | do not special case JVMCI in tiered compilation policy |
47 | JDK-8258715 | hotspot | compiler | [JVMCI] separate JVMCI code install timers for CompileBroker and hosted compilations |
48 | JDK-8240335 | hotspot | compiler | C2: assert(found_sfpt) failed: no node in loop that's not input to safepoint |
49 | JDK-8219520 | hotspot | compiler | assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit |
50 | JDK-8282231 | hotspot | compiler | x86-32: runtime call to SharedRuntime::ldiv corrupts registers |
51 | JDK-8284633 | hotspot | runtime | CompressedClassPointers.java fails on macos-aarch64 |
52 | JDK-8230305 | hotspot | runtime | Cgroups v2: Container awareness |
53 | JDK-8282589 | hotspot | runtime | runtime/ErrorHandling/ErrorHandler.java fails on MacOS aarch64 in jdk 11 |
54 | JDK-8253727 | hotspot | runtime | [cgroups v2] Memory and swap limits reported incorrectly |
55 | JDK-8253714 | hotspot | runtime | [cgroups v2] Soft memory limit incorrectly using memory.high |
56 | JDK-8208697 | hotspot | runtime | vmTestbase/metaspace/stressHierarchy/stressHierarchy012/TestDescription.java fails with OutOfMemoryError: Metaspace |
57 | JDK-8253817 | hotspot | runtime | Support macOS Aarch64 ABI in Interpreter |
58 | JDK-8281275 | hotspot | runtime | Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths |
59 | JDK-8214275 | hotspot | runtime | CondyRepeatFailedResolution asserts "Dynamic constant has no fixed basic type" |
60 | JDK-8218751 | hotspot | runtime | Do not store original classfiles inside the CDS archive |
61 | JDK-8281517 | install | install | Improve the error message shown when a user tries to install the aarch64 bundle on an intel mac |
62 | JDK-8278851 | security-libs | java.security | Correct signer logic for jars signed with multiple digest algorithms |
63 | JDK-8255266 | security-libs | java.security | Update Public Suffix List to 3c213aa |
64 | JDK-8268427 | security-libs | java.security | Improve AlgorithmConstraints:checkAlgorithm performance |
65 | JDK-8274524 | security-libs | javax.net.ssl | SSLSocket.close() hangs if it is called during the ssl handshake |
66 | JDK-8270317 | security-libs | javax.net.ssl | Large Allocation in CipherSuite |
67 | JDK-8275082 | security-libs | javax.xml.crypto | Update XML Security for Java to 2.3.0 |
68 | JDK-8279520 | security-libs | org.ietf.jgss | SPNEGO has not passed channel binding info into the underlying mechanism |
69 | JDK-8214026 | tools | javac | Canonicalized archive paths appearing in diagnostics |
70 | JDK-8236210 | tools | javac | javac generates wrong annotation for fields generated from record components |
71 | JDK-8261205 | tools | javac | AssertionError: Cannot add metadata to an intersection type |
72 | JDK-8210649 | tools | javac | AssertionError @ jdk.compiler/com.sun.tools.javac.comp.Modules.enter(Modules.java:244) |
73 | JDK-8225559 | tools | javac | assertion error at TransTypes.visitApply |
74 | JDK-8166727 | tools | jlink | javac crashed: [jimage.dll+0x1942] ImageStrings::find+0x28 |
The following sections summarize changes made in all Java SE 11.0.15 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Description |
---|---|---|---|
JDK-8155701 | tools | javac | The compiler fails with an AssertionError: typeSig ERROR |
May 2, 2022
The full version string for this update release is 11.0.15.1+2 (where "+" means "build"). The version number is 11.0.15.1.
The security baselines are unchanged from the release of JDK 11.0.15.
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.15+8 |
8 | 8u331-b09 |
7 | 7u341-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.15.1) be used after the next critical patch update scheduled for July 19, 2022.
The Windows implementation of java.io.File allows access to NTFS Alternate Data Streams (ADS) by default. Such streams have a structure like “filename:streamname”. A system property jdk.io.File.enableADS has been added to control this behavior. To disable ADS support in java.io.File, the system property jdk.io.File.enableADS should be set to false (case ignored). Stricter path checking, however, prevents the use of special devices such as NUL:
This release is based on the previous CPU and does not contain any additional security fixes. The following issues have also been resolved:
BugId | Component | Subcomponent | Description |
---|---|---|---|
JDK-8284920 | xml | javax.xml.path | Incorrect Token type causes XPath expression to return incorrect results |
JDK-8284548 | xml | jaxp | Invalid XPath expression causes StringIndexOutOfBoundsException |
The following sections summarize changes made in all Java SE 11.0.15 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Description |
---|---|---|---|
JDK-8221741 | client-libs | 2d | ClassCastException can happen when fontconfig.properties is used |
JDK-8212904 | client-libs | javax.swing | JTextArea line wrapping incorrect when using UI scale |
JDK-8282583 | xml | jaxp | Update BCEL md to include the copyright notice |
JDK-8283350 | core-libs | java.time | (tz) Update Timezone Data to 2022a |
April 19, 2022
The full version string for this update release is 11.0.15+8 (where "+" means "build"). The version number is 11.0.15.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.15 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.15+8 |
8 | 8u331-b09 |
7 | 7u341-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.15) be used after the next critical patch update scheduled for July 19, 2022.
SunPKCS11 provider is enhanced to support the following crypto services and algorithms when the underlying PKCS11 library supports the corresponding PKCS#11 mechanisms:
ChaCha20 KeyGenerator <=> CKM_CHACHA20_KEY_GEN mechanism
CHACHA20-POLY1305 Cipher <=> CKM_CHACHA20_POLY1305 mechanism
CHACHA20-POLY1305 AlgorithmParameters <=> CKM_CHACHA20_POLY1305 mechanism
CHACHA20 SecretKeyFactory <=> CKM_CHACHA20_POLY1305 mechanism
New TLS cipher suites using the ChaCha20-Poly1305 algorithm have been added to JSSE. These cipher suites are enabled by default. The TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3. The following cipher suites are available for TLS 1.2:
Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for details on these new TLS cipher suites.
Three processing limits have been added to the XML libraries. These are:
jdk.xml.xpathExprGrpLimit
Description: Limits the number of groups an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10.
jdk.xml.xpathExprOpLimit
Description: Limits the number of operators an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 100.
jdk.xml.xpathTotalOpLimit
Description: Limits the total number of XPath operators in an XSL Stylesheet.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10000.
Supported processors
jdk.xml.xpathExprGrpLimit and jdk.xml.xpathExprOpLimit are supported by the XPath processor.
All three limits are supported by the XSLT processor.
Setting properties
For the XSLT processor, the properties can be changed through the TransformerFactory. For example,
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");
For both the XPath and XSLT processors, the properties can be set through the system property and the jaxp.properties configuration file located in the conf directory of the Java installation. For example,
System.setProperty("jdk.xml.xpathExprGrpLimit", "20");
or in the jaxp.properties file,
jdk.xml.xpathExprGrpLimit=20
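The following added example (not part of the original release notes, and not Oracle's code) shows the operator limit taking effect on the XPath processor. The class name, the sample document, and the limit of 20 are constructed for illustration; it assumes the system property is read when the XPathFactory is created and that an over-limit expression surfaces as an XPathExpressionException.

```java
import java.io.StringReader;
import java.util.Collections;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

public class XPathLimitDemo {
    // Constructed sample document, embedded so the demo runs offline.
    private static final String XML =
        "<inventory><item id=\"1\"/><item id=\"2\"/></inventory>";

    /** Evaluates expr against the sample document and reports whether it was accepted. */
    static String evaluate(XPath xpath, String expr) {
        try {
            String value = xpath.evaluate(expr, new InputSource(new StringReader(XML)));
            return "accepted, result=" + value;
        } catch (XPathExpressionException e) {
            // Assumption: a limit violation is reported through this checked
            // exception; the detailed message is carried by its cause.
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            return "rejected: " + cause.getMessage();
        }
    }

    public static void main(String[] args) {
        // Set the limit before creating the factory (assumption: the factory
        // reads the system property at construction time).
        System.setProperty("jdk.xml.xpathExprOpLimit", "20");
        XPath xpath = XPathFactory.newInstance().newXPath();

        // A typical application query: a handful of operators, well under the limit.
        String small = "count(/inventory/item)";
        // 41 terms joined by 40 '+' operators: twice the configured limit.
        String large = String.join("+", Collections.nCopies(41, "1"));

        System.out.println("small: " + evaluate(xpath, small));
        System.out.println("large: " + evaluate(xpath, large));
    }
}
```

On a JDK that predates these limits both expressions are accepted, so the second line of output also works as a quick check that a runtime enforces the property.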
There are two known issues:
On macOS, only certificates with proper trust settings in the user keychain will be exposed as trusted certificate entries in the KeychainStore type of keystore. Also, calling the KeyStore::setCertificateEntry method or the keytool -importcert command on a KeychainStore keystore now fails with a KeyStoreException. Instead, call the macOS "security add-trusted-cert" command to add a trusted certificate into the user keychain.
The parsing of URLs in the LDAP, DNS, and RMI built-in JNDI providers has been made more strict. The strength of the parsing can be controlled by system properties:
-Dcom.sun.jndi.ldapURLParsing="legacy" | "compat" | "strict" (to control "ldap:" URLs)
-Dcom.sun.jndi.dnsURLParsing="legacy" | "compat" | "strict" (to control "dns:" URLs)
-Dcom.sun.jndi.rmiURLParsing="legacy" | "compat" | "strict" (to control "rmi:" URLs)
The default value is "compat" for all of the three providers.
In "compat" and "strict" mode, more validation is performed. As an example, in the URL authority component, the new parsing only accepts brackets around IPv6 literal addresses. Developers are encouraged to use java.net.URI constructors or its factory method to build URLs rather than handcrafting URL strings.
If an illegal URL string is found, a java.lang.IllegalArgumentException or a javax.naming.NamingException (or a subclass of it) is raised.
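As an added illustration of the java.net.URI recommendation above (this example is not from the release notes or from Oracle), the class below builds LDAP provider URLs from components. The class name, host names, and distinguished names are constructed sample values; no connection is made.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Hashtable;
import javax.naming.Context;

public class LdapUrlBuilder {

    /** Builds an ldap: or ldaps: URL from components instead of string concatenation. */
    static String ldapUrl(boolean tls, String host, int port, String baseDn)
            throws URISyntaxException {
        // The seven-argument URI constructor adds brackets around an IPv6
        // literal, percent-encodes characters that are illegal in the path,
        // and requires a server-based authority, so a malformed host is
        // rejected here rather than later by the JNDI provider.
        URI uri = new URI(tls ? "ldaps" : "ldap", null, host, port, "/" + baseDn, null, null);
        return uri.toASCIIString();
    }

    /** JNDI environment that carries the validated URL. */
    static Hashtable<String, Object> environment(String providerUrl) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        return env;
    }

    public static void main(String[] args) throws URISyntaxException {
        // IPv6 literal: brackets are added by the constructor.
        System.out.println(ldapUrl(true, "2001:db8::1", 636, "dc=example,dc=com"));
        // prints ldaps://[2001:db8::1]:636/dc=example,dc=com

        // The space in the DN is percent-encoded.
        String url = ldapUrl(false, "ldap.example.com", 389, "ou=People Team,dc=example,dc=com");
        System.out.println(url);
        // prints ldap://ldap.example.com:389/ou=People%20Team,dc=example,dc=com
        System.out.println(environment(url).get(Context.PROVIDER_URL));

        // A host value that is not a valid host name fails fast.
        try {
            ldapUrl(false, "dir host.example.com", 389, "dc=example,dc=com");
        } catch (URISyntaxException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```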
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.15:
# | BugId | Component | Subcomponent | Description |
---|---|---|---|---|
1 | JDK-8233827 | client-libs | | Enable screenshots in the enhanced failure handler on Linux/macOS |
2 | JDK-8270874 | client-libs | 2d | JFrame paint artifacts when dragged from standard monitor to HiDPI monitor |
3 | JDK-8258554 | client-libs | javax.swing | javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F |
4 | JDK-8257620 | core-libs | | Do not use objc_msgSend_stret to get macOS version |
5 | JDK-8275650 | core-libs | java.io | Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11 |
6 | JDK-8279833 | core-libs | java.lang | Loop optimization issue in String.encodeUTF8_UTF16 |
7 | JDK-8275703 | core-libs | java.lang | System.loadLibrary fails on Big Sur for libraries hidden from filesystem |
8 | JDK-8236596 | core-libs | java.net | HttpClient leaves HTTP/2 sockets in CLOSE_WAIT, when using proxy tunnel |
9 | JDK-8218546 | core-libs | java.net | Unable to connect to https://google.com using java.net.HttpClient |
10 | JDK-8262844 | core-libs | java.nio | (fs) FileStore.supportsFileAttributeView might return false negative in case of ext3 |
11 | JDK-8272473 | core-libs | java.time | Parsing epoch seconds at a DST transition with a non-UTC parser is wrong |
12 | JDK-8214761 | core-libs | java.util.stream | Bug in parallel Kahan summation implementation |
13 | JDK-8242283 | core-libs | java.util:i18n | Can't start JVM when java home path includes non-ASCII character |
14 | JDK-8273790 | core-libs | java.util:i18n | Potential cyclic dependencies between Gregorian and CalendarSystem |
15 | JDK-8274658 | core-libs | java.util:i18n | ISO 4217 Amendment 170 Update |
16 | JDK-8277795 | core-libs | javax.naming | LDAP connection timeout not honoured under contention |
17 | JDK-8266187 | core-svc | java.lang.instrument | Memory leak in appendBootClassPath() |
18 | JDK-8273575 | core-svc | java.lang.instrument | memory leak in appendBootClassPath(), paths must be deallocated |
19 | JDK-8258836 | core-svc | java.lang.management | JNI local refs exceed capacity getDiagnosticCommandInfo |
20 | JDK-8251155 | core-svc | tools | HostIdentifier fails to canonicalize hostnames starting with digits |
21 | JDK-8238710 | core-svc | tools | LingeredApp doesn't log stdout/stderr if exits with non-zero code |
22 | JDK-8223141 | hotspot | compiler | Change (count) suffix _ct into _cnt. |
23 | JDK-8229797 | hotspot | compiler | [JVMCI] Clean up no longer used JVMCI::dependencies_invalid value |
24 | JDK-8251930 | hotspot | compiler | AArch64: Native types mismatch in hotspot |
25 | JDK-8268882 | hotspot | compiler | C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc |
26 | JDK-8276105 | hotspot | compiler | C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly |
27 | JDK-8223142 | hotspot | compiler | Clean-up WS and CB. |
28 | JDK-8211170 | hotspot | compiler | AArch64: Warnings in C1 and template interpreter |
29 | JDK-8277441 | hotspot | compiler | CompileQueue::add fails with assert(_last->next() == __null) failed: not last |
30 | JDK-8275610 | hotspot | compiler | C2: Object field load floats above its null check resulting in a segfault |
31 | JDK-8275326 | hotspot | compiler | C2: assert(no_dead_loop) failed: dead loop detected |
32 | JDK-8262134 | hotspot | compiler | compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt" |
33 | JDK-8277447 | hotspot | compiler | Hotspot C1 compiler crashes on Kotlin suspend fun with loop |
34 | JDK-8273277 | hotspot | compiler | C2: Move conditional negation into rc_predicate |
35 | JDK-8271202 | hotspot | compiler | C1: assert(false) failed: live_in set of first block must be empty |
36 | JDK-8276157 | hotspot | compiler | C2: Compiler stack overflow during escape analysis on Linux x86_32 |
37 | JDK-8255004 | hotspot | compiler | [JVMCI] expose JVM_ACC_FIELD_INITIALIZED_FINAL_UPDATE |
38 | JDK-8266923 | hotspot | compiler | [JVMCI] expose StackOverflow::_stack_overflow_limit to JVMCI |
39 | JDK-8253842 | hotspot | compiler | [JVMCI] Allow implicit exception to dispatch to other address in jvmci compilers. |
40 | JDK-8253015 | hotspot | compiler | Aarch64: Move linux code out from generic CPU feature detection |
41 | JDK-8252518 | hotspot | compiler | [JVMCI] cache the result of CompilerToVM.getComponentType |
42 | JDK-8261071 | hotspot | compiler | AArch64: Refactor interpreter native wrappers |
43 | JDK-8279076 | hotspot | compiler | C2: Bad AD file when matching SqrtF with UseSSE=0 |
44 | JDK-8276314 | hotspot | compiler | [JVMCI] check alignment of call displacement during code installation |
45 | JDK-8279225 | hotspot | compiler | [arm32] C1 longs comparison operation destroys argument registers |
46 | JDK-8279412 | hotspot | compiler | [JVMCI] failed speculations list must outlive any nmethod that refers to it |
47 | JDK-8278871 | hotspot | compiler | [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob |
48 | JDK-8210236 | hotspot | gc | Prepare ciReceiverTypeData::translate_receiver_data_from for concurrent class unloading |
49 | JDK-8222072 | hotspot | jvmti | JVMTI GenerateEvents() sends CompiledMethodLoad events to wrong jvmtiEnv |
50 | JDK-8276177 | hotspot | jvmti | nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here" |
51 | JDK-8223400 | hotspot | runtime | Replace some enums with static const members in hotspot/runtime |
52 | JDK-8240197 | hotspot | runtime | Cannot start JVM when $JAVA_HOME includes CJK characters |
53 | JDK-8261075 | hotspot | runtime | Create stubRoutines.inline.hpp with SafeFetch implementation |
54 | JDK-8263068 | hotspot | runtime | Rename safefetch.hpp to safefetch.inline.hpp |
55 | JDK-8272345 | hotspot | runtime | macos doesn't check `os::set_boot_path()` result |
56 | JDK-8254940 | hotspot | runtime | AArch64: Cleanup non-product thread members |
57 | JDK-8266170 | hotspot | runtime | -Wnonnull happens in classLoaderData.inline.hpp |
58 | JDK-8266172 | hotspot | runtime | -Wstringop-overflow happens in vmError.cpp |
59 | JDK-8186780 | hotspot | runtime | clang fastdebug assertion failure in os_linux_x86:os::verify_stack_alignment() |
60 | JDK-8274338 | hotspot | runtime | com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror" |
61 | JDK-8274714 | hotspot | runtime | Incorrect verifier protected access error message |
62 | JDK-8277342 | hotspot | runtime | vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for |
63 | JDK-8278384 | hotspot | runtime | Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT |
64 | JDK-8278309 | hotspot | runtime | [windows] use of uninitialized OSThread::_state |
65 | JDK-8207011 | hotspot | runtime | Remove uses of the register storage class specifier |
66 | JDK-8273341 | hotspot | runtime | Update Siphash to version 1.0 |
67 | JDK-8265150 | hotspot | svc | AsyncGetCallTrace crashes on ResourceMark |
68 | JDK-8258471 | hotspot | svc-agent | "search codecache" clhsdb command does not work |
69 | JDK-8274736 | security-libs | java.security | Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily |
70 | JDK-8257769 | security-libs | javax.crypto | Cipher.getParameters() throws NPE for ChaCha20-Poly1305 |
71 | JDK-8259319 | security-libs | javax.crypto:pkcs11 | Illegal package access when SunPKCS11 requires SunJCE's classes |
72 | JDK-8255410 | security-libs | javax.crypto:pkcs11 | Add ChaCha20 and Poly1305 support to SunPKCS11 provider |
73 | JDK-8241248 | security-libs | javax.net.ssl | NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) |
74 | JDK-8140466 | security-libs | javax.net.ssl | ChaCha20 and Poly1305 TLS Cipher Suites |
75 | JDK-8275811 | security-libs | javax.net.ssl | Incorrect instance to dispose |
76 | JDK-8273894 | security-libs | org.ietf.jgss:krb5 | ConcurrentModificationException raised every time ReferralsCache drops referral |
77 | JDK-8278069 | tools | javadoc(tool) | JQuery v3.4.1 references still exists in Oracle JDK 11.0.13 |
78 | JDK-8273682 | tools | jshell | Upgrade Jline to 3.20.0 |
79 | JDK-8255035 | xml | jaxp | Update BCEL to Version 6.5.0 |
80 | JDK-8276141 | xml | jaxp | XPathFactory set/getProperty method |
81 | JDK-8282761 | xml | jaxp | XPathFactoryImpl remove setProperty and getProperty methods |
The following sections summarize changes made in all Java SE 11.0.14 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8218546 | core-libs | java.net | Unable to connect to https://google.com using java.net.HttpClient |
JDK-8270874 | client-libs | 2d | JFrame paint artifacts when dragged from standard monitor to HiDPI monitor |
January 18, 2022
The full version string for this update release is 11.0.14+8 (where "+" means "build"). The version number is 11.0.14.
This release is intended as a bugfix release, to fix compatibility problems and typos reported since 2021b was released.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.14 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.14+8 |
8 | 8u321-b07 |
7 | 7u331-b06 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.14) be used after the next critical patch update scheduled for April 19, 2022.
SunPKCS11 provider adds new provider configuration attributes to better control native resources usage. The SunPKCS11 provider consumes native resources in order to work with native PKCS11 libraries. To manage and better control the native resources, additional configuration attributes are added to control the frequency of clearing native references as well as whether to destroy the underlying PKCS11 Token after logout.
The three new attributes for the SunPKCS11 provider configuration file are:
destroyTokenAfterLogout (boolean, defaults to false) If set to true, when java.security.AuthProvider.logout() is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout() calls. Note that a PKCS11 provider with this attribute set to true should not be added to the system provider list since the provider object is not usable after a logout() method call.
cleaner.shortInterval (integer, defaults to 2000, in milliseconds) This defines the frequency for clearing native references during a busy period (that is, how often the cleaner thread should process the no-longer-needed native references in the queue to free up native memory). Note that the cleaner thread will switch to the 'longInterval' frequency after 200 failed tries (that is, when no references are found in the queue).
cleaner.longInterval (integer, defaults to 60000, in milliseconds) This defines the frequency for checking native references during a non-busy period (that is, how often the cleaner thread should check the queue for native references). Note that the cleaner thread will switch back to the 'shortInterval' value if native PKCS11 references for cleaning are detected.
Two new system properties have been added. The system property, jdk.tls.client.disableExtensions, is used to disable TLS extensions used in the client. The system property, jdk.tls.server.disableExtensions, is used to disable TLS extensions used in the server. If an extension is disabled, it will be neither produced nor processed in the handshake messages.
The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request, and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.
Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please do not disable mandatory extensions, and do not use this feature unless you clearly understand the impact.
The following root certificate from Google has been removed from the cacerts keystore:
+ alias name "globalsignr2ca [jdk]"
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
The ZIP file system provider has been changed to reject existing ZIP files that contain entries with "." or ".." in name elements. ZIP files with these entries cannot be used as a file system. Invoking the java.nio.file.FileSystems.newFileSystem(...) methods throws ZipException if the ZIP file contains these entries.
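The added example below (not part of the release notes, and not Oracle's code) pre-checks an archive for "." or ".." name elements and then shows how the ZIP file system provider responds when it is opened. The class name, method names, and both sample archives are constructed for illustration.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystem;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipException;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

public class ZipNameElementCheck {

    /** Returns the entry names that contain a "." or ".." name element. */
    static List<String> dotElementEntries(Path zip) throws IOException {
        List<String> flagged = new ArrayList<>();
        try (ZipFile zf = new ZipFile(zip.toFile())) {
            Enumeration<? extends ZipEntry> entries = zf.entries();
            while (entries.hasMoreElements()) {
                String name = entries.nextElement().getName();
                for (String element : name.split("/")) {
                    if (element.equals(".") || element.equals("..")) {
                        flagged.add(name);
                        break;
                    }
                }
            }
        }
        return flagged;
    }

    /** Tries to mount the archive as a file system and reports the outcome. */
    static String openAsFileSystem(Path zip) {
        // The cast keeps the call unambiguous on newer JDKs that add overloads.
        try (FileSystem fs = FileSystems.newFileSystem(zip, (ClassLoader) null)) {
            return "opened";
        } catch (ZipException e) {
            return "rejected: " + e.getMessage();
        } catch (IOException e) {
            return "I/O error: " + e.getMessage();
        }
    }

    /** Writes a constructed sample archive with the given entry names. */
    static Path writeSampleZip(String... names) throws IOException {
        Path zip = Files.createTempFile("sample", ".zip");
        try (OutputStream out = Files.newOutputStream(zip);
             ZipOutputStream zos = new ZipOutputStream(out)) {
            for (String name : names) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("constructed".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return zip;
    }

    public static void main(String[] args) throws IOException {
        Path clean = writeSampleZip("docs/readme.txt");
        Path flagged = writeSampleZip("docs/readme.txt", "docs/./notes.txt");
        try {
            for (Path zip : new Path[] {clean, flagged}) {
                System.out.println("flagged entries: " + dotElementEntries(zip));
                System.out.println("newFileSystem:   " + openAsFileSystem(zip));
            }
        } finally {
            Files.deleteIfExists(clean);
            Files.deleteIfExists(flagged);
        }
    }
}
```

Running the pre-check over archives an application already mounts identifies the ones that will stop opening after the upgrade.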
The IANA Time Zone Database, on which JDK's Date/Time libraries are based, has made a tweak to some time zone rules since 2021c. Note that since this update, some of the time zone rules prior to the year 1970 have been modified according to the changes which were introduced with 2021b. For more detail, refer to the announcement of 2021b.
A new JNDI environment property “com.sun.jndi.ldap.tls.cbtype” has been added to enable TLS Channel Binding data in LDAP authentication over SSL/TLS protocol to the Windows AD server. A possible value is “tls-server-end-point”, for which the Channel Binding data is created on the basis of the TLS server certificate. See the module description of the java.naming module.
This release reverts the behavior of SSLSocketImpl and SSLTransport introduced by JDK-8196584. SocketException will now be thrown as is instead of being suppressed into an SSLException.
For JVMs running in a container, OperatingSystemMXBean.getProcessCpuLoad now considers only the CPU resources available to the container when calculating CPU load. Prior to this change, the calculation included all CPUs on a host. After this change, management agents may report higher CPU usage by JVMs in containers that are constrained to a limited set of CPUs.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.14:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8249548 | client-libs | | backward focus traversal gets stuck in button group |
2 | JDK-8273436 | client-libs | | Backport JDK-8273426 caused build failure due to missing "All rights reserved." |
3 | JDK-8211999 | client-libs | java.awt | Window positioning bugs due to overlapping GraphicsDevice bounds (Windows/HiDPI) |
4 | JDK-8272806 | client-libs | java.awt | [macOS] "Apple AWT Internal Exception" when input method is changed |
5 | JDK-6722236 | client-libs | java.awt | 3 Choice regression testcases are failing from 6u10_b26 build onwards |
6 | JDK-8015886 | client-libs | java.awt | java/awt/Focus/DeiconifiedFrameLoosesFocus/DeiconifiedFrameLoosesFocus.java sometimes failed on ubuntu |
7 | JDK-8257242 | client-libs | java.awt | [macOS] Java app crashes while switching input methods |
8 | JDK-8274326 | client-libs | javax.accessibility | [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m |
9 | JDK-8274056 | client-libs | javax.accessibility | JavaAccessibilityUtilities leaks JNI objects |
10 | JDK-8274381 | client-libs | javax.accessibility | missing CAccessibility definitions in JNI code |
11 | JDK-8208747 | client-libs | javax.accessibility | [a11y] [macos] In Optionpane Demo, inside ComponentDialog Example, unable to navigate to all items, with VO on |
12 | JDK-8270893 | client-libs | javax.imageio | IndexOutOfBoundsException while reading large TIFF file |
13 | JDK-8239334 | client-libs | javax.swing | Tab Size does not work correctly in JTextArea with setLineWrap on |
14 | JDK-8269951 | client-libs | javax.swing | [macos] Focus not painted in JButton when setBorderPainted(false) is invoked |
15 | JDK-8259237 | client-libs | javax.swing | Demo selection changes with left/right arrow key. No need to press space for selection. |
16 | JDK-8269850 | core-libs | | Most JDK releases report macOS version 12 as 10.16 instead of 12.0 |
17 | JDK-8231717 | core-libs | java.lang | Improve performance of charset decoding when charset is always compactable |
18 | JDK-8274779 | core-libs | java.net | HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST |
19 | JDK-8276536 | core-libs | java.time | Update TimeZoneNames files to follow the changes made by JDK-8275766 |
20 | JDK-8273924 | core-libs | java.util:i18n | ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() |
21 | JDK-8187649 | core-libs | java.util:i18n | ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar |
22 | JDK-8245527 | core-libs | javax.naming | LDAP Channel Binding support for Java GSS/Kerberos |
23 | JDK-8195703 | core-svc | debugger | BasicJDWPConnectionTest.java: 'App exited unexpectedly with 2' |
24 | JDK-8247469 | core-svc | javax.management | getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available |
25 | JDK-8235211 | core-svc | tools | serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file |
26 | JDK-8270886 | hotspot | compiler | Crash in PhaseIdealLoop::verify_strip_mined_scheduling |
27 | JDK-8210392 | hotspot | compiler | assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit |
28 | JDK-8223137 | hotspot | compiler | Rename predicate 'do_unroll_only()' to 'is_unroll_only()'. |
29 | JDK-8223139 | hotspot | compiler | Rename mandatory policy-do routines. |
30 | JDK-8223923 | hotspot | compiler | C2: Missing interference with mismatched unsafe accesses |
31 | JDK-8223140 | hotspot | compiler | Clean-up in 'ok_to_convert()' |
32 | JDK-8272570 | hotspot | compiler | C2: crash in PhaseCFG::global_code_motion |
33 | JDK-8267652 | hotspot | compiler | c2 loop unrolling by 8 results in reading memory past array |
34 | JDK-8263303 | hotspot | compiler | C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint |
35 | JDK-8268019 | hotspot | compiler | C2: assert(no_dead_loop) failed: dead loop detected |
36 | JDK-8268672 | hotspot | compiler | C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only |
37 | JDK-8252049 | hotspot | compiler | Native memory leak in ciMethodData ctor |
38 | JDK-8231501 | hotspot | compiler | VM crash in MethodData::clean_extra_data(CleanExtraDataClosure*): fatal error: unexpected tag 99 |
39 | JDK-8223138 | hotspot | compiler | Small clean-up in loop-tree support. |
40 | JDK-8271341 | hotspot | compiler | Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java |
41 | JDK-8271340 | hotspot | compiler | Crash PhaseIdealLoop::clone_outer_loop |
42 | JDK-8271459 | hotspot | compiler | C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity |
43 | JDK-8257919 | hotspot | compiler | [JVMCI] profiling info didn't change after reprofile |
44 | JDK-8263776 | hotspot | compiler | [JVMCI] add helper to perform Java upcalls |
45 | JDK-8272131 | hotspot | compiler | PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj |
46 | JDK-8268261 | hotspot | compiler | C2: assert(n != __null) failed: Bad immediate dominator info. |
47 | JDK-8272574 | hotspot | compiler | C2: assert(false) failed: Bad graph detected in build_loop_late |
48 | JDK-8215889 | hotspot | gc | assert(!_unloading) failed: This oop is not available to unloading class loader data with ZGC |
49 | JDK-8221584 | hotspot | jvmti | SIGSEGV in os::PlatformEvent::unpark() in JvmtiRawMonitor::raw_exit while posting method exit event |
50 | JDK-8217348 | hotspot | jvmti | assert(thread->is_Java_thread()) failed: just checking |
51 | JDK-8236177 | hotspot | runtime | assert(status == 0) failed: error ETIMEDOUT(60), cond_wait |
52 | JDK-8218483 | hotspot | runtime | Crash in "assert(_daemon_threads_count->get_value() > daemon_count) failed: thread count mismatch 5 : 5" |
53 | JDK-8222446 | hotspot | runtime | assert(C->env()->system_dictionary_modification_counter_changed()) failed: Must invalidate if TypeFuncs differ |
54 | JDK-8273229 | hotspot | runtime | Update OS detection code to recognize Windows Server 2022 |
55 | JDK-8274840 | hotspot | runtime | Update OS detection code to recognize Windows 11 |
56 | JDK-8273342 | hotspot | runtime | Null pointer dereference in classFileParser.cpp:2817 |
57 | JDK-8269668 | hotspot | runtime | [aarch64] java.library.path not including /usr/lib64 |
58 | JDK-8230674 | hotspot | runtime | Heap dumps should exclude dormant CDS archived objects of unloaded classes |
59 | JDK-8272124 | hotspot | runtime | Cgroup v1 initialization causes NullPointerException when cgroup path contains colon |
60 | JDK-8269934 | hotspot | runtime | RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status |
61 | JDK-8181313 | hotspot | svc-agent | SA: Remove libthread_db dependency on Linux |
62 | JDK-8225083 | security-libs | java.security | Remove Google certificate that is expiring in December 2021 |
63 | JDK-8273826 | security-libs | java.security | Correct Manifest file name and NPE checks |
64 | JDK-8277224 | security-libs | java.security | sun.security.pkcs.PKCS9Attributes.toString() throws NPE |
65 | JDK-8269034 | security-libs | javax.crypto:pkcs11 | AccessControlException for SunPKCS11 daemon threads |
66 | JDK-8240256 | security-libs | javax.crypto:pkcs11 | Better resource cleaning for SunPKCS11 Provider |
67 | JDK-8270344 | security-libs | javax.net.ssl | Session resumption errors |
68 | JDK-8217633 | security-libs | javax.net.ssl | Configurable extensions with system properties |
69 | JDK-8268965 | security-libs | javax.net.ssl | TCP Connection Reset when connecting simple socket to SSL server |
70 | JDK-8211148 | tools | javac | var in implicit lambdas shouldn't be accepted for source < 11 |
71 | JDK-8267459 | tools | jshell | Pasting Unicode characters into JShell does not work. |
The following sections summarize changes made in all Java SE 11.0.13 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8278069 | tools | javadoc(tool) | JQuery v3.4.1 references still exists in Oracle JDK 11.0.13 |
JDK-8275766 | core-libs | java.time | (tz) Update Timezone Data to 2021e |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8239334 | client-libs | javax.swing | Tab Size does not work correctly in JTextArea with setLineWrap on |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8263773 | infrastructure | build | Reenable German localization for builds at Oracle |
October 19, 2021
The full version string for this update release is 11.0.13+10 (where "+" means "build"). The version number is 11.0.13.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.13 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.13+10 |
8 | 8u311-b11 |
7 | 7u321-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.13) be used after the next critical patch update scheduled for January 18, 2022.
Allow applications to configure context-specific and dynamically-selected deserialization filters via a JVM-wide filter factory that is invoked to select a filter for each deserialization stream. The behavior is a strict subset of JEP 415: Context-Specific Deserialization Filters to allow a filter factory to be configured using a property configured on the command line or in the security properties file.
The behavior is opt-in based on the presence of the jdk.serialFilterFactory system property on the command line or the jdk.serialFilterFactory security property. If set, the JVM-wide filter factory selects the filter for each stream when the stream is constructed and when a stream-specific filter is set.
The JVM-wide filter factory is a java.util.function.BinaryOperator<java.io.ObjectInputFilter> function invoked when each ObjectInputStream is constructed and when the stream-specific filter is set using ObjectInputStream.setObjectInputFilter(ObjectInputFilter). The parameters are the current filter and a requested filter and the function returns the filter to be used for the stream. When invoked from the ObjectInputStream constructors, the first parameter is null and the second parameter is the static JVM-wide filter. When invoked from ObjectInputStream.setObjectInputFilter, the first parameter is the filter currently set on the stream (which was set in the constructor), and the second parameter is the filter given to ObjectInputStream.setObjectInputFilter.
A typical filter factory should use or merge the static JVM-wide filter with other application and context specific filters and the stream-specific filter, if one is set on the stream. The filter factory implementation can also use any contextual information at its disposal, for example, extracted from the application thread context, or its call stack, to compose and combine a new filter. It is not restricted to only use its two parameters.
Refer to Context-Specific Deserialization Filter and Serialization Filtering Guide for details.
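A filter factory of the kind described above, as an added example (not Oracle's code and not part of the original release note), written against the Java SE 11 API. The class name MergingFilterFactory, the baseline limits and the sample stream filter are assumptions, as is the requirement that the property names a public class with a public no-argument constructor implementing BinaryOperator<ObjectInputFilter>.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.Status;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.function.BinaryOperator;

// Added example; hypothetical class. Selected JVM-wide with
//   -Djdk.serialFilterFactory=MergingFilterFactory
public class MergingFilterFactory implements BinaryOperator<ObjectInputFilter> {

    // Constructed baseline limits that every stream gets, whatever else is configured.
    private static final ObjectInputFilter BASELINE =
            ObjectInputFilter.Config.createFilter("maxdepth=20;maxrefs=10000;maxarray=100000");

    @Override
    public ObjectInputFilter apply(ObjectInputFilter current, ObjectInputFilter requested) {
        if (current == null) {
            // Called from an ObjectInputStream constructor:
            // 'requested' is the static JVM-wide filter and may be null.
            return merge(BASELINE, requested);
        }
        // Called from setObjectInputFilter: keep what the constructor installed
        // and add the stream-specific filter, so a caller can tighten the
        // policy but never replace it with a weaker one.
        return merge(current, requested);
    }

    // Either filter can veto; a class is allowed only if no filter rejects it
    // and at least one filter explicitly allows it.
    static ObjectInputFilter merge(ObjectInputFilter first, ObjectInputFilter second) {
        if (first == null) return second;
        if (second == null) return first;
        return info -> {
            Status a = first.checkInput(info);
            if (a == Status.REJECTED) return Status.REJECTED;
            Status b = second.checkInput(info);
            if (b == Status.REJECTED) return Status.REJECTED;
            return (a == Status.ALLOWED || b == Status.ALLOWED)
                    ? Status.ALLOWED : Status.UNDECIDED;
        };
    }

    // Serializes 'value', then reads it back through 'filter'.
    static String tryRead(Object value, ObjectInputFilter filter) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in =
                     new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            in.setObjectInputFilter(filter);
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected " + value.getClass().getName() + " (" + e.getMessage() + ")";
        }
    }

    // Exercises the factory directly, so it can be run without setting the property.
    public static void main(String[] args) throws Exception {
        MergingFilterFactory factory = new MergingFilterFactory();

        // Step 1: what the stream constructor would ask for.
        ObjectInputFilter atConstruction =
                factory.apply(null, ObjectInputFilter.Config.getSerialFilter());

        // Step 2: what setObjectInputFilter would ask for (constructed allow-list).
        ObjectInputFilter streamFilter =
                ObjectInputFilter.Config.createFilter("java.util.ArrayList;java.lang.*;!*");
        ObjectInputFilter effective = factory.apply(atConstruction, streamFilter);

        // ArrayList of Strings is on the allow-list; java.util.Date is not.
        System.out.println(tryRead(new ArrayList<>(Arrays.asList("a", "b")), effective));
        System.out.println(tryRead(new Date(0L), effective));
    }
}
```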
The following root certificate from IdenTrust has been removed from the cacerts keystore:
+ alias name "identrustdstx3 [jdk]"
Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
The experimental Java-based JIT compiler, Graal JEP317, has been removed. Attempting to use it produces a JVMCI error: JVMCI compiler 'graal' not found.
The Java Ahead-of-Time compilation experimental tool jaotc has been removed. Using the HotSpot VM AOT options defined by JEP295 produces an "Unrecognized VM option" error on VM initialization.
Developers who wish to test the Graal compiler for either AOT or JIT compilation should use GraalVM.
This release doesn't correctly identify Windows 11. The property os.name is set to Windows 10 on Windows 11. In HotSpot error logs, the OS is identified as Windows 10; however, the HotSpot error log does show the Build number. Windows 11 has Build 22000.194 or above.
On the Linux platform, the names of JDK packages provided by Java RPM and DEB installers have been changed. Names of JDK packages follow the jdk-<feature_release_version> pattern instead of the jdk-<update_release_version> pattern that was previously used. For example, the new names of JDK 11, 16, and 17 packages are jdk-11, jdk-16, and jdk-17 respectively.
The change to package names disables side-by-side installation of multiple JDKs of the same release family. Only one JDK per release family can be installed on a system with RPM and DEB installers.
If a user wants to have multiple update releases from the same family, the user must download the tar.gz bundles.
The default priority order of the cipher suites for TLS 1.0 to TLS 1.3 has been adjusted.
For TLS 1.3, TLS_AES_256_GCM_SHA384 is now preferred over TLS_AES_128_GCM_SHA256.
For TLS 1.0 to TLS 1.2, some of the intermediate suites have been lowered in priority as follows:
The scope of the com.sun.jndi.ldap.object.trustSerialData system property has been extended to control the deserialization of Java objects from the javaReferenceAddress LDAP attribute. This system property now controls the deserialization of Java objects from the javaSerializedData and javaReferenceAddress LDAP attributes.
To prevent deserialization of Java objects from these attributes, the system property can be set to false. By default, the deserialization of Java objects from javaSerializedData and javaReferenceAddress attributes is allowed.
This release doesn't correctly identify Windows Server 2022. The property os.name is set to Windows Server 2019 on Windows Server 2022. In HotSpot error logs the OS is identified as Windows Server 2019; however, the HotSpot error log does show the Build number. Windows Server 2022 has Build 20348, or above.
The gencert command of the keytool utility has been updated to create AKID from the SKID of the issuing certificate as specified by RFC 5280.
The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Before this change, when such a library was configured for NSS in non-FIPS mode, the SunPKCS11 provider would throw a RuntimeException with the message "FIPS flag set for non-internal module".
This change allows the JDK to work properly with recent NSS releases in GNU/Linux operating systems when the system-wide FIPS policy is turned on.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.13:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8264047 | client-libs | 2d | Duplicate global variable 'jvm' in libjavajpeg and libawt |
2 | JDK-8261169 | client-libs | 2d | Upgrade HarfBuzz to the latest 2.8.0 |
3 | JDK-8242557 | client-libs | 2d | Add length limit for strings in PNGImageWriter |
4 | JDK-8265761 | client-libs | 2d | Font with missed font family name is not properly printed on Windows |
5 | JDK-8211055 | client-libs | 2d | Provide print to a file (PDF) feature even when printer was not connected |
6 | JDK-8212040 | client-libs | 2d | Compilation error due to wrong usage of NSPrintJobDispositionValue in mac10.12 |
7 | JDK-7179006 | client-libs | 2d | [macosx] Print-to-file doesn't work: printing to the default printer instead |
8 | JDK-8256372 | client-libs | 2d | [macos] Unexpected symbol was displayed on JTextField with Monospaced font |
9 | JDK-8262731 | client-libs | 2d | [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" |
10 | JDK-8262392 | client-libs | 2d | Update Mesa 3-D Headers to version 21.0.3 |
11 | JDK-8273358 | client-libs | 2d | macOS Monterey does not have the font Times needed by Serif |
12 | JDK-8272602 | client-libs | java.awt | [macos] not all KEY_PRESSED events sent when control modifier is used |
13 | JDK-8270216 | client-libs | java.awt | [macOS] Update named used for Java run loop mode |
14 | JDK-8269984 | client-libs | java.awt | [macos] JTabbedPane title looks like disabled |
15 | JDK-8268775 | client-libs | javax.accessibility | Password is being converted to String in AccessibleJPasswordField |
16 | JDK-8190763 | client-libs | javax.swing | Class cast exception on (CompoundEdit) UndoableEditEvent.getEdit() |
17 | JDK-8247753 | client-libs | javax.swing | UIManager.getSytemLookAndFeelClassName() returns wrong value on Fedora 32 |
18 | JDK-8251377 | client-libs | javax.swing | [macos11] JTabbedPane selected tab text is barely legible |
19 | JDK-8232243 | client-libs | javax.swing | Wrong caret position in JTextPane on Windows with a screen resolution > 100% |
20 | JDK-8255227 | core-libs | java.net | java/net/httpclient/FlowAdapterPublisherTest.java intermittently failing with TestServer: start exception: java.io.IOException: Invalid preface |
21 | JDK-8233185 | core-libs | java.net | HttpServer.stop() blocks indefinitely when called on dispatch thread |
22 | JDK-8241786 | core-libs | java.net | Improve heuristic to determine default network interface on macOS |
23 | JDK-8227080 | core-libs | java.nio | (fs) Files.newInputStream(...).skip(n) is slow |
24 | JDK-8227609 | core-libs | java.nio | (fs) Files.newInputStream(...).skip(n) should allow skipping beyond file size |
25 | JDK-8226530 | core-libs | java.util.jar | ZipFile reads wrong entry size from ZIP64 entries |
26 | JDK-8215411 | core-svc | | some GetByteArrayElements calls miss corresponding Release |
27 | JDK-8253134 | core-svc | java.lang.management | JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11 |
28 | JDK-8216145 | docs | tools | jarsigner doc is not precise when describing jar file re-signing |
29 | JDK-8265938 | hotspot | compiler | C2's conditional move optimization does not handle top Phi |
30 | JDK-8269795 | hotspot | compiler | C2: Out of bounds array load floats above its range check in loop peeling resulting in SEGV |
31 | JDK-8269304 | hotspot | compiler | Regression ~5% in 2005 in b27 |
32 | JDK-8265132 | hotspot | compiler | C2 compilation fails with assert "missing precedence edge" |
33 | JDK-8267424 | hotspot | compiler | CTW: C1 fails with "State must not be null" |
34 | JDK-8223050 | hotspot | compiler | JVMCI: findUniqueConcreteMethod() should not use Dependencies::find_unique_concrete_method() for non-virtual methods |
35 | JDK-8266288 | hotspot | compiler | assert root method not found in witnessed_reabstraction_in_supers is too strong |
36 | JDK-8268360 | hotspot | compiler | Missing check for infinite loop during node placement |
37 | JDK-8262017 | hotspot | compiler | C2: assert(n != __null) failed: Bad immediate dominator info. |
38 | JDK-8268369 | hotspot | compiler | SIGSEGV in PhaseCFG::implicit_null_check due to missing null check |
39 | JDK-8260653 | hotspot | compiler | Unreachable nodes keep speculative types alive |
40 | JDK-8268366 | hotspot | compiler | Incorrect calculation of has_fpu_registers in C1 linear scan |
41 | JDK-8268347 | hotspot | compiler | C2: nested locks optimization may create unbalanced monitor enter/exit code |
42 | JDK-8258746 | hotspot | compiler | illegal access to global field _jvmci_old_thread_counters by terminated thread causes crash |
43 | JDK-8266615 | hotspot | compiler | C2 incorrectly folds subtype checks involving an interface array |
44 | JDK-8266480 | hotspot | compiler | Implicit null check optimization does not update control of hoisted memory operation |
45 | JDK-8267773 | hotspot | compiler | PhaseStringOpts::int_stringSize doesn't handle min_jint correctly |
46 | JDK-8269745 | hotspot | compiler | [JVMCI] restore original qualified exports to Graal |
47 | JDK-8263227 | hotspot | compiler | C2: inconsistent spilling due to dead nodes in exception block |
48 | JDK-8261147 | hotspot | compiler | C2: Node is wrongly marked as reduction resulting in a wrong execution due to wrong vector instructions |
49 | JDK-8268362 | hotspot | compiler | [REDO] C2 crash when compile negative Arrays.copyOf length after loop |
50 | JDK-8264016 | hotspot | compiler | [JVMCI] add some thread local fields for use by JVMCI |
51 | JDK-8210063 | hotspot | gc | ZGC: Enable load barriers for IN_NATIVE runtime barriers |
52 | JDK-8264640 | hotspot | gc | CMS ParScanClosure misses a barrier |
53 | JDK-8245511 | hotspot | gc | G1 adaptive IHOP does not account for reclamation of humongous objects by young GC |
54 | JDK-8246274 | hotspot | gc | G1 old gen allocation tracking is not in a separate class |
55 | JDK-8269768 | hotspot | jfr | JFR Terminology Refresh |
56 | JDK-8191521 | hotspot | runtime | handle long relative path specified in -Xbootclasspath/a on windows |
57 | JDK-8231885 | hotspot | runtime | Fix/remove malformed assert in os_windows.cpp |
58 | JDK-8231930 | hotspot | runtime | Windows build fails after JDK-8191521 |
59 | JDK-8262163 | hotspot | runtime | Extend settings printout in jcmd VM.metaspace |
60 | JDK-8253572 | hotspot | runtime | [windows] CDS archive may fail to open with long file names |
61 | JDK-8211296 | hotspot | runtime | Remove HotSpot deprecation warning suppression for Mac/clang |
62 | JDK-8024368 | hotspot | runtime | private methods are allocated vtable indices |
63 | JDK-8266642 | hotspot | runtime | Improve ResolvedMethodTable hash function |
64 | JDK-8267396 | hotspot | runtime | Avoid recording "pc" in unhandled oops detector for better performance |
65 | JDK-8227766 | hotspot | runtime | CheckUnhandledOops is broken in MemAllocator |
66 | JDK-8218145 | hotspot | runtime | block_if_requested is not proper inlined due to size |
67 | JDK-8267235 | hotspot | runtime | [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash |
68 | JDK-8268635 | hotspot | runtime | Corrupt oop in ClassLoaderData |
69 | JDK-8266404 | hotspot | runtime | Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report |
70 | JDK-8269594 | hotspot | runtime | assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark |
71 | JDK-8212992 | hotspot | runtime | Change mirror accessor in Klass::verify_on() to use AS_NO_KEEPALIVE |
72 | JDK-8227815 | hotspot | svc | Minimal VM: set_state is not a member of AttachListener |
73 | JDK-8266473 | install | install | javapath/java.exe strips double quotes from command line args |
74 | JDK-8218618 | security-libs | java.security | Program fails when using JDK addressed by UNC path and using Security Manager |
75 | JDK-8257497 | security-libs | java.security | Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280 |
76 | JDK-8225082 | security-libs | java.security | Remove IdenTrust certificate that is expiring in September 2021 |
77 | JDK-8236671 | security-libs | javax.crypto | NullPointerException in JKS keystore |
78 | JDK-8238555 | security-libs | javax.crypto:pkcs11 | Allow initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB |
79 | JDK-8163326 | security-libs | javax.net.ssl | Update the default enabled cipher suites preference |
80 | JDK-8259886 | security-libs | javax.net.ssl | Improve SSL session cache performance and scalability |
81 | JDK-8255255 | security-libs | javax.xml.crypto | Update Apache Santuario (XML Signature) to version 2.2.1 |
82 | JDK-8265773 | tools | | incorrect jdeps message "jdk8internals" to describe a removed JDK internal API |
83 | JDK-8207160 | tools | javac | ClassReader::adjustMethodParams can potentially return null if the args list is empty |
84 | JDK-8177068 | tools | javac | incomplete classpath causes NPE in Flow |
85 | JDK-8210495 | tools | javac | compiler crashes because of illegal signature in otherwise legal code |
86 | JDK-8241353 | tools | javac | NPE in ToolProvider.getSystemJavaCompiler |
87 | JDK-8263432 | tools | javac | javac may report an invalid package/class clash on case insensitive filesystems |
88 | JDK-8265524 | tools | javadoc(tool) | Upgrading JSZip from v3.2.2 to v3.6.0 |
89 | JDK-8272180 | tools | javadoc(tool) | Upgrade JSZip from v3.6.0 to v3.7.1 |
90 | JDK-8260690 | tools | jconsole | JConsole User Guide Link from the Help menu is not accessible by keyboard |
91 | JDK-8239536 | tools | jshell | Can't use `java.util.List` object after importing `java.awt.List` |
92 | JDK-8242919 | tools | jshell | Paste locks up jshell |
93 | JDK-8247403 | tools | jshell | JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder |
The following sections summarize changes made in all Java SE 11.0.12 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8263773 | infrastructure | build | Reenable German localization for builds at Oracle |
JDK-8240256 | security-libs | javax.crypto:pkcs11 | Better resource cleaning for SunPKCS11 Provider |
JDK-8245511 | hotspot | gc | G1 adaptive IHOP does not account for reclamation of humongous objects by young GC |
JDK-8246274 | hotspot | gc | G1 old gen allocation tracking is not in a separate class |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8259886 | security-libs | javax.net.ssl | Improve SSL session cache performance and scalability |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8268347 | hotspot | compiler | C2: nested locks optimization may create unbalanced monitor enter/exit code |
JDK-8269304 | hotspot | compiler | Regression ~5% in 2005 in b27 |
JDK-8266653 (Confidential) | install | install | Change update mode for JDK rpm/deb installers as it breaks "yum update" for JDK11+ |
JDK-8260680 | tools | jshell | PipedOutputStream.write in a JShell throws error "pipe closed" |
JDK-8247403 | tools | jshell | JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder |
July 20, 2021
The full version string for this update release is 11.0.12+8 (where "+" means "build"). The version number is 11.0.12.
JDK 11.0.12 contains IANA time zone data 2021a.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.12 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.12+8 |
8 | 8u301-b09 |
7 | 7u311-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.12) be used after the next critical patch update scheduled for October 19, 2021.
The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments.
By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms.
New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security file.
Also, support for the following SHA-2 based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256.
The following root certificates with weak 1024-bit RSA public keys have been removed from the cacerts keystore:
+ alias name "thawtepremiumserverca [jdk]"
Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
+ alias name "verisignclass2g2ca [jdk]"
Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+ alias name "verisignclass3ca [jdk]"
Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
+ alias name "verisignclass3g2ca [jdk]"
Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+ alias name "verisigntsaca [jdk]"
Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
The following root certificate has been removed from the cacerts truststore:
+ Telia Company
+ soneraclass2ca
DN: CN=Sonera Class2 CA, O=Sonera, C=FI
The JarFile class now treats a signed JAR as unsigned if it detects a second manifest in the JAR file. A warning message, "WARNING: Multiple MANIFEST.MF found. Treat JAR file as unsigned.", is logged if the system property -Djava.security.debug=jar is set.
The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api, jaxp_parser_impl, and java-fonts. This clean-up of the list resolves existing and potential conflicts with modular RPMs.
There are other RPMs providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other RPMs to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.
The ADDLOCAL=ToolsFeature,SourceFeature argument is no longer needed for the JDK installer silent mode. All required files are now installed by default.
The default encryption and MAC algorithms used in a PKCS #12 keystore have been updated. The new algorithms are based on AES-256 and SHA-256 and are stronger than the old algorithms that were based on RC2, DESede, and SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.
For compatibility, a new system property named keystore.pkcs12.legacy is defined that will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.
In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:
cacerts keystore will not be restricted.
These exceptions may be removed in a future JDK release.
Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or overriding it using the java.security.properties system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.
Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set, which converts characters larger than U+007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.
SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset to "UTF-8" to revert the behavior.
See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.
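The encoding difference described above, shown as an added example (not part of the original release note and not SunJSSE code). The class name, helper names and sample values are constructed for illustration; only the standard charset and SSLParameters APIs are used.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLParameters;

// Added example; hypothetical class and helper names.
public class AlpnCharsetDemo {

    // Bytes a peer would receive if the provider encoded the String with 'cs'.
    static byte[] wireBytes(String protocol, Charset cs) {
        return protocol.getBytes(cs);
    }

    // Wraps raw ALPN protocol bytes in a String whose ISO_8859_1 encoding is
    // exactly those bytes (every byte 0x00-0xFF maps to one char and back).
    static String fromWireBytes(byte[] raw) {
        return new String(raw, StandardCharsets.ISO_8859_1);
    }

    // The "perform the UTF-8 conversion" option: re-express a Unicode name so
    // that its UTF-8 bytes reach the wire under the ISO_8859_1 default.
    static String utf8Name(String unicodeName) {
        return fromWireBytes(unicodeName.getBytes(StandardCharsets.UTF_8));
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xFF));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a two-byte protocol value with both bytes above 0x7F.
        byte[] raw = {(byte) 0x8A, (byte) 0x8A};
        String opaque = fromWireBytes(raw);

        // Old behavior (UTF-8): each char above U+007F becomes two bytes, so
        // the peer sees a four-byte value it never offered.
        System.out.println("UTF-8 wire bytes:      "
                + hex(wireBytes(opaque, StandardCharsets.UTF_8)));
        // New default (ISO_8859_1): the two bytes survive unchanged.
        System.out.println("ISO_8859_1 wire bytes: "
                + hex(wireBytes(opaque, StandardCharsets.ISO_8859_1)));

        // Constructed sample: an application that relied on UTF-8 for a
        // non-ASCII name converts it once before handing it to JSSE.
        String legacy = "caf\u00e9";
        String converted = utf8Name(legacy);
        System.out.println("unconverted name under ISO_8859_1: "
                + hex(wireBytes(legacy, StandardCharsets.ISO_8859_1)));
        System.out.println("converted name under ISO_8859_1:   "
                + hex(wireBytes(converted, StandardCharsets.ISO_8859_1)));

        // The converted Strings are what gets passed to the standard API.
        SSLParameters params = new SSLParameters();
        params.setApplicationProtocols(new String[] {converted, opaque, "h2"});
        System.out.println("protocols configured: "
                + params.getApplicationProtocols().length);
    }
}
```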
Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.
The following system property has been added for validation of server addresses in FTP passive mode: jdk.net.ftp.trustPasvAddress.
In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address to which the FTP Client initially connected.
To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The effect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.12:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8259869 | client-libs | | [macOS] Remove desktop module dependencies on JNF Reference APIs |
2 | JDK-8260616 | client-libs | | Removing remaining JNF dependencies in the java.desktop module |
3 | JDK-8259343 | client-libs | | [macOS] Update JNI error handling in Cocoa code. |
4 | JDK-6847157 | client-libs | 2d | java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit |
5 | JDK-8261170 | client-libs | 2d | Upgrade to FreeType 2.10.4 |
6 | JDK-8260380 | client-libs | 2d | Upgrade to LittleCMS 2.12 |
7 | JDK-8259232 | client-libs | 2d | Bad JNI lookup during printing |
8 | JDK-8263311 | client-libs | 2d | Watch registry changes for remote printers update instead of polling |
9 | JDK-8262829 | client-libs | 2d | Native crash in Win32PrintServiceLookup.getAllPrinterNames() |
10 | JDK-8213944 | client-libs | java.awt | Fix AIX build after the removal of Xrandr.h and add a configure check for it |
11 | JDK-8262461 | client-libs | java.awt | handle wcstombsdmp return value correctly in unix awt_InputMethod.c |
12 | JDK-8262446 | client-libs | java.awt | DragAndDrop hangs on Windows |
13 | JDK-8261231 | client-libs | java.awt | Windows IME was disabled after DnD operation |
14 | JDK-8255681 | client-libs | java.awt | Print callstack in error case in runAWTLoopWithApp |
15 | JDK-8264786 | client-libs | java.awt | [macOS] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched |
16 | JDK-8259585 | client-libs | java.awt | [macOS] Bad JNI lookup error : Accessible actions do not work on macOS |
17 | JDK-8259729 | client-libs | javax.accessibility | Missed JNFInstanceOf -> IsInstanceOf conversion |
18 | JDK-8261198 | client-libs | javax.accessibility | [macOS] Incorrect JNI parameters in number conversion in A11Y code |
19 | JDK-8239312 | client-libs | javax.swing | [macOS] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java |
20 | JDK-8252883 | core-libs | java.util.logging | AccessDeniedException caused by delayed file deletion on Windows |
21 | JDK-8262110 | core-libs | java.util:i18n | DST starts from incorrect time in 2038 |
22 | JDK-8255086 | core-libs | java.util:i18n | Update the root locale display names |
23 | JDK-8247432 | core-libs | java.util:i18n | Update IANA Language Subtag Registry to Version 2020-09-29 |
24 | JDK-8241082 | core-libs | java.util:i18n | Upgrade IANA Language Subtag Registry data to 03-16-2020 version |
25 | JDK-8242010 | core-libs | java.util:i18n | Update IANA Language Subtag Registry to Version 2020-04-01 |
26 | JDK-8073446 | core-libs | java.util:i18n | TimeZone getOffset API does not return a DST offset between years 2038-2137 |
27 | JDK-8258753 | core-libs | javax.naming | StartTlsResponse.close() hangs due to synchronization issues |
28 | JDK-8259785 | docs | | Create man pages using pandoc from markdown sources |
29 | JDK-8262465 | hotspot | compiler | Very long compilation times and high memory consumption in C2 debug builds |
30 | JDK-8262093 | hotspot | compiler | java/util/concurrent/tck/JSR166TestCase.java failed "assert(false) failed: unexpected node" |
31 | JDK-8261914 | hotspot | compiler | IfNode::fold_compares_helper faces non-canonicalized bool when running JRuby JSON workload |
32 | JDK-8261846 | hotspot | compiler | [JVMCI] c2v_iterateFrames can get out of sync with the StackFrameStream |
33 | JDK-8261912 | hotspot | compiler | Code IfNode::fold_compares_helper more defensively |
34 | JDK-8262298 | hotspot | compiler | G1BarrierSetC2::step_over_gc_barrier fails with assert "bad barrier shape" |
35 | JDK-8262295 | hotspot | compiler | C2: Out-of-Bounds Array Load from Clone Source |
36 | JDK-8262739 | hotspot | compiler | String inflation C2 intrinsic prevents insertion of anti-dependencies |
37 | JDK-8262726 | hotspot | compiler | AArch64: C1 StubAssembler::call_RT can corrupt stack |
38 | JDK-8264360 | hotspot | compiler | Loop strip mining verification fails with "should be on the backedge" |
39 | JDK-8262837 | hotspot | compiler | handle split_USE correctly |
40 | JDK-8263448 | hotspot | compiler | CTW: fatal error: meet not symmetric |
41 | JDK-8263425 | hotspot | compiler | AArch64: two potential bugs in C1 LIRGenerator::generate_address() |
42 | JDK-8264958 | hotspot | compiler | C2 compilation fails with assert "n is later than its clone" |
43 | JDK-8263676 | hotspot | compiler | AArch64: one potential bug in C1 LIRGenerator::generate_address() |
44 | JDK-8261730 | hotspot | compiler | C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge |
45 | JDK-8265154 | hotspot | compiler | vinserti128 operand mix up for KNL platforms |
46 | JDK-8261812 | hotspot | compiler | C2 compilation fails with assert(!had_error) failed: bad dominance |
47 | JDK-8261235 | hotspot | compiler | C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check |
48 | JDK-8260338 | hotspot | compiler | Some fields in HaltNode is not cloned |
49 | JDK-8260284 | hotspot | compiler | C2: assert(_base == Int) failed: Not an Int |
50 | JDK-8238812 | hotspot | compiler | assert(false) failed: bad AD file |
51 | JDK-8255763 | hotspot | compiler | C2: OSR miscompilation caused by invalid memory instruction placement |
52 | JDK-8252482 | hotspot | compiler | disable cbcond instructions on SPARC64 |
53 | JDK-8253353 | hotspot | compiler | Crash in C2: guarantee(n != NULL) failed: No Node |
54 | JDK-8259777 | hotspot | compiler | Incorrect predication condition generated by ADLC |
55 | JDK-8259710 | hotspot | compiler | Inlining trace leaks memory |
56 | JDK-8260420 | hotspot | compiler | C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint |
57 | JDK-8259061 | hotspot | compiler | C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it |
58 | JDK-8259619 | hotspot | compiler | C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect |
59 | JDK-8259227 | hotspot | compiler | C2 crashes with SIGFPE due to a division that floats above its zero check |
60 | JDK-8257822 | hotspot | compiler | C2 crashes with SIGFPE due to a division that floats above its zero check |
61 | JDK-8257574 | hotspot | compiler | C2: "failed: parsing found no loops but there are some" assert failure |
62 | JDK-8240353 | hotspot | compiler | AArch64: missing support for -XX:+ExtendedDTraceProbes in C1 |
63 | JDK-8263361 | hotspot | compiler | Incorrect arraycopy stub selected by C2 for SATB collectors |
64 | JDK-8264918 | hotspot | compiler | [JVMCI] getVtableIndexForInterfaceMethod doesn't check that type and method are related |
65 | JDK-8265689 | hotspot | compiler | JVMCI: InternalError: Class java.lang.Object does not implement interface jdk.vm.ci.meta.JavaType |
66 | JDK-8259276 | hotspot | compiler | C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization |
67 | JDK-8248411 | hotspot | compiler | AArch64: Insufficient error handling when CodeBuffer is exhausted |
68 | JDK-8211150 | hotspot | gc | G1 Full GC not purging code root memory and hence causing memory leak |
69 | JDK-8235324 | hotspot | gc | Dying objects are published from users of CollectedHeap::object_iterate |
70 | JDK-8260704 | hotspot | gc | ParallelGC: oldgen expansion needs release-store for _end |
71 | JDK-8247201 | hotspot | gc | Print potential pointer value of readable stack memory in hs_err file |
72 | JDK-8259271 | hotspot | gc | gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region" |
73 | JDK-8232905 | hotspot | jfr | JFR fails with assertion: assert(t->unflushed_size() == 0) failed: invariant |
74 | JDK-8257569 | hotspot | jfr | Failure observed with JfrVirtualMemory::initialize |
75 | JDK-8245283 | hotspot | jfr | JFR: Can't handle constant dynamic used by Jacoco agent |
76 | JDK-8209385 | hotspot | runtime | CDS runtime classpath checking is too strict when only classes from the system modules are archived |
77 | JDK-8234355 | hotspot | runtime | Buffer overflow in jcmd GC.class_stats due to too many classes |
78 | JDK-8213231 | hotspot | runtime | ThreadSnapshot::_threadObj can become stale |
79 | JDK-8208061 | hotspot | runtime | runtime/LoadClass/TestResize.java fails with "Load factor too high" when running in CDS mode |
80 | JDK-8261916 | hotspot | runtime | gtest/GTestWrapper.java vmErrorTest.unimplemented1_vm_assert failed |
81 | JDK-8263004 | hotspot | runtime | SPARC CodeBuffer overflow in generate_satb_log_enqueue |
82 | JDK-8263407 | hotspot | runtime | SPARC64 detection fails on Athena (SPARC64-X) |
83 | JDK-8261397 | hotspot | runtime | try catch Method failing to work when dividing an integer by 0 |
84 | JDK-8259843 | hotspot | runtime | initialize dli_fname array before calling dll_address_to_library_name |
85 | JDK-8257746 | hotspot | runtime | Regression introduced with JDK-8250984 - memory might be null in some machines |
86 | JDK-8259786 | hotspot | runtime | initialize last parameter of getpwuid_r |
87 | JDK-8260349 | hotspot | runtime | Cannot programmatically retrieve Metaspace max set via JAVA_TOOL_OPTIONS |
88 | JDK-8238175 | hotspot | runtime | CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class |
89 | JDK-8261262 | hotspot | runtime | Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION |
90 | JDK-8236847 | hotspot | runtime | CDS archive with 4K alignment unusable on machines with 64k pages |
91 | JDK-8266293 | security-libs | | Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long" |
92 | JDK-8243559 | security-libs | java.security | Remove root certificates with 1024-bit keys |
93 | JDK-8153005 | security-libs | java.security | Upgrade the default PKCS12 encryption/MAC algorithms |
94 | JDK-8076190 | security-libs | java.security | Customizing the generation of a PKCS12 keystore |
95 | JDK-8266929 | security-libs | java.security | Unable to use algorithms from 3p providers |
96 | JDK-8196415 | security-libs | java.security | Disable SHA-1 Signed JARs |
97 | JDK-8267100 | security-libs | java.security | [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs |
98 | JDK-8267599 | security-libs | java.security | Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u |
99 | JDK-8225081 | security-libs | java.security | Remove Telia Company CA certificate expiring in April 2021 |
100 | JDK-8226374 | security-libs | javax.net.ssl | Restrict TLS signature schemes and named groups |
101 | JDK-8254631 | security-libs | javax.net.ssl | Better support ALPN byte wire values in SunJSSE |
102 | JDK-8005819 | security-libs | org.ietf.jgss:krb5 | Support cross-realm MSSFU |
103 | JDK-8253948 | tools | jlink | Memory leak in ImageFileReader |
104 | JDK-8213725 | tools | jshell | JShell NullPointerException due to class file with unexpected package |
105 | JDK-8247438 | tools | jshell | JShell: When FailOverExecutionControlProvider fails the proximal cause is not shown |
106 | JDK-8235368 | xml | jaxp | Update BCEL to Version 6.4.1 |
The following sections summarize changes made in all Java SE 11.0.11 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8226530 | core-libs | java.util.jar | ZipFile reads wrong entry size from ZIP64 entries |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8263575 (Confidential) | install | install | Conflict between JDK rpms and OL8 Modularity prevents dnf install/updates |
JDK-8263407 | hotspot | runtime | SPARC64 detection fails on Athena (SPARC64-X) |
JDK-8263004 | hotspot | runtime | SPARC CodeBuffer overflow in generate_satb_log_enqueue |
JDK-8252482 | hotspot | compiler | disable cbcond instructions on SPARC64 |
April 20, 2021
The full version string for this update release is 11.0.11+9 (where "+" means "build"). The version number is 11.0.11.
JDK 11.0.11 contains IANA time zone data 2020e, 2020f, 2021a.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.11 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.11+9 |
8 | 8u291-b10 |
7 | 7u301-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.11) be used after the next critical patch update scheduled for July 20, 2021.
jdeps --print-module-deps, --list-deps, and --list-reduce-deps options have been enhanced as follows.
By default, they perform transitive module dependence analysis on libraries on the class path and module path, both directly and indirectly, as required by the given input JAR files or classes. Previously, they only reported the modules required by the given input JAR files or classes. The --no-recursive option can be used to request non-transitive dependence analysis.
By default, they flag any missing dependency, that is, one not found on the class path or module path, as an error. The --ignore-missing-deps option can be used to suppress missing dependence errors. Note that a custom image is created with the list of modules output by jdeps when using the --ignore-missing-deps option for a non-modular application. Such an application, running on the custom image, might fail at runtime when missing dependence errors are suppressed.
jdk.jndi.object.factoriesFilter: This system and security property allows a serial filter to be specified that controls the set of object factory classes permitted to instantiate objects from object references returned by naming/directory systems. The factory class named by the reference instance is matched against this filter during remote reference reconstruction. The filter property supports pattern-based filter syntax with the format specified by JEP 290. This property applies both to the JNDI/RMI and the JNDI/LDAP built-in provider implementations. The default value allows any object factory class specified in the reference to recreate the referenced object.
com.sun.jndi.ldap.object.trustSerialData: This system property allows control of the deserialization of Java objects from the javaSerializedData LDAP attribute. To prevent deserialization of Java objects from the attribute, the system property can be set to false. By default, deserialization of Java objects from the javaSerializedData attribute is allowed.
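Before deploying a value for jdk.jndi.object.factoriesFilter, a candidate pattern can be evaluated offline with the public JEP 290 API. The following is an added example, not JDK or Oracle code: the two factory classes are hypothetical stand-ins for an application's own object factories, and the minimal FilterInfo is an assumption about how to present a single class to the filter.

```java
import java.io.ObjectInputFilter;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;

public class FactoriesFilterCheck {
    // Hypothetical factory the application intends to permit.
    public static class TrustedFactory implements ObjectFactory {
        @Override
        public Object getObjectInstance(Object obj, Name name, Context ctx,
                                        Hashtable<?, ?> env) {
            return null;
        }
    }

    // Hypothetical factory that should never be instantiated from a reference.
    public static class UnknownFactory implements ObjectFactory {
        @Override
        public Object getObjectInstance(Object obj, Name name, Context ctx,
                                        Hashtable<?, ?> env) {
            return null;
        }
    }

    // Presents one class to the filter; the stream-related limits are not exercised.
    private static final class ClassOnly implements ObjectInputFilter.FilterInfo {
        private final Class<?> cls;
        ClassOnly(Class<?> cls) { this.cls = cls; }
        @Override public Class<?> serialClass() { return cls; }
        @Override public long arrayLength() { return -1; }
        @Override public long depth() { return 1; }
        @Override public long references() { return 0; }
        @Override public long streamBytes() { return 0; }
    }

    /** Evaluates a JEP 290 pattern against a single candidate factory class. */
    static ObjectInputFilter.Status evaluate(String pattern, Class<?> factoryClass) {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        return filter.checkInput(new ClassOnly(factoryClass));
    }

    public static void main(String[] args) {
        String trusted = TrustedFactory.class.getName();
        String[] patterns = {
            "*",               // matches every class
            trusted + ";!*",   // allow one factory, reject everything else
            trusted            // allow one factory, leave the rest UNDECIDED
        };
        Class<?>[] factories = {TrustedFactory.class, UnknownFactory.class};

        for (String pattern : patterns) {
            for (Class<?> factory : factories) {
                System.out.printf("%-45s %-40s %s%n",
                    pattern, factory.getName(), evaluate(pattern, factory));
            }
        }
        // A pattern that passes review would then be supplied as, for example,
        // -Djdk.jndi.object.factoriesFilter=<pattern> on the java command line.
    }
}
```

Ending an allow-list pattern with !* leaves no class UNDECIDED, so every factory outside the list gets an explicit REJECTED result.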
The following root certificates have been added to the cacerts truststore:
+ HARICA
+ haricarootca2015
DN: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+ haricaeccrootca2015
DN: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).
These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms security property in the java.security configuration file.
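To confirm that a deployment has not re-enabled the legacy versions, the property can be audited both in a collected java.security file and in the running JVM. This is an added example, not part of the release notes or the JDK: the class name and the two file fragments are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import javax.net.ssl.SSLContext;

public class LegacyTlsAudit {
    static final List<String> LEGACY = List.of("TLSv1", "TLSv1.1");

    /** Legacy protocol names that are absent from a jdk.tls.disabledAlgorithms value. */
    static List<String> missingFrom(String disabledAlgorithms) {
        List<String> entries = new ArrayList<>();
        if (disabledAlgorithms != null) {
            for (String entry : disabledAlgorithms.split(",")) {
                entries.add(entry.trim());
            }
        }
        List<String> missing = new ArrayList<>(LEGACY);
        missing.removeAll(entries);
        return missing;
    }

    /**
     * Audits the text of a java.security file. The file uses java.util.Properties
     * syntax, so backslash line continuations are handled by Properties.load.
     */
    static List<String> auditFile(String javaSecurityText) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(javaSecurityText));
        return missingFrom(props.getProperty("jdk.tls.disabledAlgorithms"));
    }

    /** Legacy protocols that the default SSLContext of this JVM would actually offer. */
    static List<String> enabledLegacy() throws NoSuchAlgorithmException {
        List<String> enabled = new ArrayList<>(Arrays.asList(
            SSLContext.getDefault().getDefaultSSLParameters().getProtocols()));
        enabled.retainAll(LEGACY);
        return enabled;
    }

    public static void main(String[] args) throws Exception {
        // Constructed fragments of a java.security file.
        String hardened =
            "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \\\n"
            + "    DH keySize < 1024, EC keySize < 224, anon, NULL\n";
        String weakened =
            "jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, \\\n"
            + "    DH keySize < 1024, EC keySize < 224, anon, NULL\n";

        System.out.println("hardened file, not disabled: " + auditFile(hardened));
        System.out.println("weakened file, not disabled: " + auditFile(weakened));

        // The running JVM: configured property and effective default protocols.
        String live = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("this JVM, not disabled:      " + missingFrom(live));
        System.out.println("this JVM, enabled legacy:    " + enabledLegacy());
    }
}
```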
In this release, some of the one-way byte-to-char mappings have been aligned with the preferred mappings provided by the Unicode Consortium.
In the java.lang.ProcessBuilder implementation on Windows, the system property jdk.lang.Process.allowAmbiguousCommands=false ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess. An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process. If a security manager is set, such as in WebStart applications, double-quotes are encoded as described. When there is no security manager, there is no change to existing behavior; the jdk.lang.Process.allowAmbiguousCommands property can be set to true: jdk.lang.Process.allowAmbiguousCommands=true or false. If left unset, it is the same as setting it to true.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
Issues fixed in 11.0.11:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8244088 | client-libs | 2d | [Regression] Switch of Gnome theme ends up in deadlocked UI |
2 | JDK-8247872 | client-libs | 2d | Upgrade HarfBuzz to the latest 2.7.2 |
3 | JDK-8244621 | client-libs | 2d | [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11 |
4 | JDK-8258805 | client-libs | java.awt | Japanese characters not entered by mouse click on Windows 10 |
5 | JDK-8212678 | client-libs | java.awt | Windows IME related patch |
6 | JDK-8239137 | client-libs | javax.accessibility | JAWS does not always announce the value of JSliders in JColorChooser |
7 | JDK-8249588 | client-libs | javax.accessibility | libwindowsaccessbridge issues on 64bit Windows |
8 | JDK-6532025 | client-libs | javax.imageio | GIF reader throws misleading exception with truncated images |
9 | JDK-8237495 | client-libs | javax.sound | Java MIDI fails with a dereferenced memory error when asked to send a raw 0xF7 |
10 | JDK-8255880 | client-libs | javax.swing | UI of Swing components is not redrawn after their internal state changed |
11 | JDK-8240704 | core-libs | java.lang | ProcessBuilder/checkHandles/CheckHandles.java failed "AssertionError: Handle use increased by more than 10 percent." |
12 | JDK-8239893 | core-libs | java.lang | Windows handle Leak when starting processes using ProcessBuilder |
13 | JDK-8251397 | core-libs | java.lang | NPE on ClassValue.ClassValueMap.cacheArray |
14 | JDK-8235351 | core-libs | java.lang.invoke | Lookup::unreflect should bind with the original caller independent of Method's accessible flag |
15 | JDK-7146776 | core-libs | java.net | Deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection |
16 | JDK-8232161 | core-libs | java.nio.charsets | Align some one-way conversion in MS950 charset with Windows |
17 | JDK-8254854 | core-svc | tools | [cgroups v1] Metric limits not properly detected on some join controller combinations |
18 | JDK-8218966 | hotspot | compiler | AArch64: String.compareTo() can read memory after string |
19 | JDK-8244164 | hotspot | compiler | AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base |
20 | JDK-8245051 | hotspot | compiler | c1 is broken if it is compiled by gcc without -fno-lifetime-dse |
21 | JDK-8253404 | hotspot | compiler | C2: assert(C->live_nodes() <= C->max_node_limit()) failed: Live Node limit exceeded limit |
22 | JDK-8247766 | hotspot | compiler | AArch64: guarantee(val < (1U << nbits)) failed: Field too big for insn |
23 | JDK-8255479 | hotspot | compiler | AArch64: assert(src->section_index_of(target) == CodeBuffer::SECT_NONE) failed: sanity |
24 | JDK-8255466 | hotspot | compiler | C2 crashes at ciObject::get_oop() const+0x0 |
25 | JDK-8245512 | hotspot | compiler | CRC32 optimization using AVX512 instructions |
26 | JDK-8257575 | hotspot | compiler | C2: "failed: only phis" assert failure in loop strip mining verification |
27 | JDK-8254734 | hotspot | compiler | "dead loop detected" assert failure with patch from 8223051 |
28 | JDK-8257594 | hotspot | compiler | C2 compiled checkcast of non-null object triggers endless deoptimization/recompilation cycle |
29 | JDK-8256807 | hotspot | compiler | C2: Not marking stores correctly as mismatched in string opts |
30 | JDK-8256061 | hotspot | compiler | RegisterSaver::save_live_registers() omits upper halves of ZMM0-15 registers |
31 | JDK-8257561 | hotspot | compiler | Some code is not vectorized after 8251925 and 8250607 |
32 | JDK-8256025 | hotspot | compiler | AArch64: MachCallRuntimeNode::ret_addr_offset() is incorrect for stub calls |
33 | JDK-8257910 | hotspot | compiler | [JVMCI] Set exception_seen accordingly in the runtime. |
34 | JDK-8257220 | hotspot | compiler | [JVMCI] option validation should not result in a heavy-weight VM crash |
35 | JDK-8211320 | hotspot | compiler | AArch64: unsafe.compareAndSetByte() and unsafe.compareAndSetShort() c2 intrinsics broken with negative expected value |
36 | JDK-8215792 | hotspot | compiler | AArch64: String.indexOf generates incorrect result |
37 | JDK-8214025 | hotspot | compiler | assert(t->singleton()) failed: must be a constant when ScavengeRootsInCode < 2 |
38 | JDK-8229701 | hotspot | compiler | aarch64: C2 OSR compilation fails with "shouldn't process one node several times" in final graph reshaping |
39 | JDK-8255550 | hotspot | compiler | x86: Assembler::cmpq(Address dst, Register src) encoding is incorrect |
40 | JDK-8255058 | hotspot | compiler | C1: assert(is_virtual()) failed: type check |
41 | JDK-8253756 | hotspot | compiler | C2 CompilerThread0 crash in Node::add_req(Node*) |
42 | JDK-8251923 | hotspot | compiler | "Invalid JNI handle" assertion failure in JVMCICompiler::force_comp_at_level_simple() |
43 | JDK-8253524 | hotspot | compiler | C2: Refactor code that clones predicates during loop unswitching |
44 | JDK-8250825 | hotspot | compiler | C2 crashes with assert(field != __null) failed: missing field |
45 | JDK-8252881 | hotspot | compiler | [JVMCI] ResolvedJavaType.resolveMethod fails in fastdebug when invoked with a constructor |
46 | JDK-8251925 | hotspot | compiler | C2: RenaissanceStressTest fails with assert(!had_error): bad dominance |
47 | JDK-8253644 | hotspot | compiler | C2: assert(skeleton_predicate_has_opaque(iff)) failed: unexpected |
48 | JDK-8247691 | hotspot | compiler | [aarch64] Incorrect handling of VM exceptions in C1 deopt stub/traps |
49 | JDK-8247200 | hotspot | compiler | AArch64: assert((unsigned)fpargs < 32) |
50 | JDK-8248336 | hotspot | compiler | AArch64: C2: offset overflow in BoxLockNode::emit |
51 | JDK-8258015 | hotspot | compiler | [JVMCI] JVMCI_lock shouldn't be held while initializing box classes |
52 | JDK-8256056 | hotspot | compiler | Deoptimization stub doesn't save vector registers on x86 |
53 | JDK-8258380 | hotspot | compiler | [JVMCI] don't clear InstalledCode reference when unloading JVMCI nmethods |
54 | JDK-8255578 | hotspot | compiler | [JVMCI] be more careful about reflective reads of Class.componentType. |
55 | JDK-8257513 | hotspot | compiler | C2: assert((constant_addr - _masm.code()->consts()->start()) == con.offset()) |
56 | JDK-8259339 | hotspot | compiler | AllocateUninitializedArray C2 intrinsic fails with void.class input |
57 | JDK-8245026 | hotspot | gc | PsAdaptiveSizePolicy::_old_gen_policy_is_ready is unused |
58 | JDK-8258396 | hotspot | jfr | SIGILL in jdk.jfr.internal.PlatformRecorder.rotateDisk() |
59 | JDK-8214180 | hotspot | runtime | Need better granularity for sleeping |
60 | JDK-8215583 | hotspot | runtime | Exclude runtime/handshake/HandshakeWalkSuspendExitTest.java |
61 | JDK-8234742 | hotspot | runtime | Improve handshake logging |
62 | JDK-8234796 | hotspot | runtime | Refactor Handshake::execute to take a more complex type than ThreadClosure |
63 | JDK-8256359 | hotspot | runtime | AArch64: runtime/ReservedStack/ReservedStackTestCompiler.java fails |
64 | JDK-8227275 | hotspot | runtime | Within native OOM error handling, assertions may hang the process |
65 | JDK-8228400 | hotspot | runtime | Remove built-in AArch64 simulator |
66 | JDK-8257168 | hotspot | runtime | Use SkippedException instead of RuntimeException for docker not able to pull the repository |
67 | JDK-8255544 | hotspot | runtime | Create a checked cast |
68 | JDK-8258077 | hotspot | runtime | Using -Xcheck:jni can lead to a double-free after JDK-8193234 |
69 | JDK-8242565 | security-libs | java.security | Policy initialization issues when the denyAfter constraint is enabled |
70 | JDK-8244154 | security-libs | javax.crypto:pkcs11 | Update SunPKCS11 provider with PKCS11 v3.0 header files |
71 | JDK-8240871 | security-libs | javax.net.ssl | SSLEngine handshake status immediately after the handshake can be NOT_HANDSHAKING rather than FINISHED with TLSv1.3 |
72 | JDK-8257997 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884 |
73 | JDK-8253368 | security-libs | javax.net.ssl | TLS connection always receives close_notify exception |
74 | JDK-8202343 | security-libs | javax.net.ssl | Disable TLS 1.0 and 1.1 |
75 | JDK-8257670 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks |
76 | JDK-8256818 | security-libs | javax.net.ssl | SSLSocket that is never bound or connected leaks socket resources |
77 | JDK-8255559 | security-libs | javax.xml.crypto | Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI() |
78 | JDK-8213909 | tools | | jdeps --print-module-deps should report missing dependences |
79 | JDK-8234687 | tools | javac | change javap reporting on unknown attributes |
80 | JDK-8221759 | tools | javac | Crash when completing "java.io.File.path" |
81 | JDK-8255845 | tools | jlink | Memory leak in imageFile.cpp |
82 | JDK-8223688 | tools | jshell | JShell: crash on the instantiation of raw anonymous class |
83 | JDK-8242030 | tools | jshell | Wrong package declarations in jline classes after JDK-8241598 |
84 | JDK-8211694 | tools | jshell | JShell: Redeclared variable should be reset |
85 | JDK-8210527 | tools | jshell | JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack |
86 | JDK-8241598 | tools | jshell | Upgrade JLine to 3.14.0 |
87 | JDK-8218287 | tools | jshell | jshell tool: input behavior unstable after 12-ea+24 on Windows |
88 | JDK-8249867 | xml | jaxp | XML declaration is not followed by a newline |
The following sections summarize changes made in all Java SE 11.0.10 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8245283 | hotspot | jfr | JFR: Can't handle constant dynamic used by Jacoco agent |
JDK-8226810 | core-libs | java.lang | Failed to launch JVM because of NullPointerException occured on System.props |
JDK-8258878 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2020e |
JDK-8259048 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2020f |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8225745 | security-libs | java.security | NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support |
January 19, 2021
The full version string for this update release is 11.0.10+8 (where "+" means "build"). The version number is 11.0.10.
JDK 11.0.10 contains IANA time zone data version 2020d. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.10 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.10+8 |
8 | 1.8.0_281-b09 |
7 | 1.7.0_291-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.10) be used after the next critical patch update scheduled for April 20, 2021.
A new -groupname option has been added to keytool -genkeypair so that a user can specify a named group when generating a key pair. For example, keytool -genkeypair -keyalg EC -groupname secp384r1 will generate an EC key pair by using the secp384r1 curve. Because there might be multiple curves with the same size, using the -groupname option is preferred over the -keysize option.
The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection.
With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.
Applications can enable this extension for server certificate selection by setting the jdk.tls.client.enableCAExtension system property to true. The default value of the property is false.
Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when jdk.tls.client.enableCAExtension is set to true and the client trusts more CAs than the server implementation limit.
As an additional way to launch processes on Linux, the jdk.lang.Process.launchMechanism property can be set to POSIX_SPAWN. This option has been available for a long time on other *nix platforms. The default launch mechanism (VFORK) on Linux is unchanged, so this additional option does not affect existing installations.
POSIX_SPAWN mitigates rare pathological cases when spawning child processes, but it has not yet been extensively tested. Prudence is advised when using POSIX_SPAWN in production installations.
The named elliptic curve groups x25519 and x448 are now available for JSSE key agreement in TLS versions 1.0 to 1.3, with x25519 being the most preferred of the default enabled named groups. The default ordered list is now:
x25519, secp256r1, secp384r1, secp521r1, x448,
ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
The default list can be overridden by using the system property jdk.tls.namedGroups.
When signing a file that contains POSIX file permission or symlink attributes, jarsigner now preserves these attributes in the newly signed file but warns that these attributes are unsigned and not protected by the signature. The same warning is printed during the jarsigner -verify operation for such files.
Note that the jar tool does not read/write these attributes. This change is more visible to tools like unzip where these attributes are preserved.
Oracle JDK-11.0.10 and later for Solaris 11 requires that the OS provide the package library/desktop/harfbuzz as part of the system installation. This package is provided for Solaris 11.3 and later.
$ pkg info harfbuzz
Name: library/desktop/harfbuzz
Summary: HarfBuzz is an OpenType text shaping engine
Description: HarfBuzz is a library for text shaping, which converts
unicode text to glyph indices and positions. HarfBuzz is
used directly by libraries such as Pango, and the layout
engines in firefox.
Category: Desktop (GNOME)/Libraries
State: Installed
Publisher: solaris
This is a desktop library, but the font processing it does is part of some common backend server workloads. It should always be considered as required.
If this library is missing, then the pkg mechanism will require it during installation of the JDK.
If installing the JDK by using a tar.gz bundle (for example) and the library/desktop/harfbuzz package is missing, a runtime link failure will occur when this package is needed.
The JDK update incorporates tzdata2020d. The main change is
Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000062.html for more information.
The JDK update incorporates tzdata2020c. The main change is
Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000060.html for more information.
Following the JDK's update to tzdata2020b, the long-obsolete files named pacificnew and systemv have been removed. As a result, the "US/Pacific-New" Zone name declared in the pacificnew data file is no longer available for use.
Information regarding this update can be viewed at https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.10:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8245400 | client-libs | 2d | Upgrade to LittleCMS 2.11 |
2 | JDK-8247867 | client-libs | 2d | Upgrade to freetype 2.10.2 |
3 | JDK-8249215 | client-libs | 2d | JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows. |
4 | JDK-7185258 | client-libs | java.awt | [macosx] Deadlock in SunToolKit.realSync() |
5 | JDK-8198334 | client-libs | java.awt | java/awt/FileDialog/8003399/bug8003399.java fails in headless mode |
6 | JDK-8207938 | client-libs | java.awt | At step6,Click Add button,case failed automatically. |
7 | JDK-8212226 | client-libs | java.awt | SurfaceManager throws "Invalid Image variant" for MultiResolutionImage (Windows) |
8 | JDK-8230480 | client-libs | java.awt | check malloc/calloc results in java.desktop |
9 | JDK-8231445 | client-libs | java.awt | check ZALLOC return values in awt coding |
10 | JDK-8232114 | client-libs | java.awt | JVM crashed at imjpapi.dll in native code |
11 | JDK-8241797 | client-libs | java.awt | Add some tests to the problem list |
12 | JDK-8248532 | client-libs | java.awt | Every time I change keyboard language at my MacBook, Java crashes |
13 | JDK-8249183 | client-libs | java.awt | JVM crash in "AwtFrame::WmSize" method |
14 | JDK-8252470 | client-libs | java.awt | java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows |
15 | JDK-8152332 | client-libs | javax.swing | [macosx] JFileChooser cannot be serialized on Mac OS X |
16 | JDK-8203281 | client-libs | javax.swing | [Windows] JComboBox change in ui when editor.setBorder() is called |
17 | JDK-8204963 | client-libs | javax.swing | javax.swing.border.TitledBorder has a memory leak |
18 | JDK-8209343 | client-libs | javax.swing | Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful |
19 | JDK-8213535 | client-libs | javax.swing | Windows HiDPI html lightweight tooltips are truncated |
20 | JDK-8240633 | client-libs | javax.swing | Memory leaks in the implementations of FileChooserUI |
21 | JDK-8240690 | client-libs | javax.swing | Race condition between EDT and BasicDirectoryModel.FilesLoader.run0() |
22 | JDK-8213017 | core-libs | java.lang | jspawnhelper: need to handle pipe write failure when sending return code |
23 | JDK-8232846 | core-libs | java.lang | ProcessHandle.Info command with non-English shows question marks |
24 | JDK-8233920 | core-libs | java.lang.invoke | MethodHandles::tryFinally generates illegal bytecode for long/double return types |
25 | JDK-8222448 | core-libs | java.lang:reflect | java/lang/reflect/PublicMethods/PublicMethodsTest.java times out |
26 | JDK-8217429 | core-libs | java.net | WebSocket over authenticating proxy fails to send Upgrade headers |
27 | JDK-8225037 | core-libs | java.net | java.net.JarURLConnection::getJarEntry() throws NullPointerException |
28 | JDK-8233958 | core-libs | java.net | Memory retention due to HttpsURLConnection finalizer that serves no purpose |
29 | JDK-8241138 | core-libs | java.net | http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector |
30 | JDK-8241568 | core-libs | java.nio | (fs) UserPrincipalLookupService.lookupXXX failure with IOE "Operation not permitted" |
31 | JDK-8242541 | core-libs | java.nio.charsets | Small charset issues (ISO8859-16, x-eucJP-Open, x-IBM834 and x-IBM949C) |
32 | JDK-8239351 | core-libs | java.util.jar | Give more meaningful InternalError messages in Deflater.c |
33 | JDK-8252497 | core-libs | java.util:i18n | Incorrect numeric currency code for ROL |
34 | JDK-8241130 | core-libs | javax.naming | com.sun.jndi.ldap.EventSupport.removeDeadNotifier: java.lang.NullPointerException |
35 | JDK-8067354 | core-svc | debugger | com/sun/jdi/GetLocalVariables4Test.sh failed |
36 | JDK-8203393 | core-svc | debugger | com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout |
37 | JDK-8209517 | core-svc | debugger | com/sun/jdi/BreakpointWithFullGC.java fails with timeout |
38 | JDK-8209605 | core-svc | debugger | com/sun/jdi/BreakpointWithFullGC.java fails with ZGC |
39 | JDK-8210725 | core-svc | debugger | com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds |
40 | JDK-8212629 | core-svc | debugger | [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest |
41 | JDK-8212665 | core-svc | debugger | com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. lastLine=52, minLine=52, maxLine=55 |
42 | JDK-8214061 | core-svc | debugger | Buffer written into itself |
43 | JDK-8231209 | core-svc | java.lang.management | [REDO] JDK-8207266 ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread |
44 | JDK-8231968 | core-svc | java.lang.management | getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes |
45 | JDK-8242480 | core-svc | java.lang.management | Negative value may be returned by getFreeSwapSpaceSize() in the docker |
46 | JDK-8252157 | core-svc | java.lang.management | JDK-8231209 11u backport breaks jmm binary compatibility |
47 | JDK-8222533 | core-svc | tools | jtreg test jdk/internal/platform/cgroup/TestCgroupMetrics.java fails on SLES12.3 linux ppc64le machine |
48 | JDK-8250665 | globalization | locale-data | Wrong translation for the month of May in ar_JO, ar_LB and ar_SY |
49 | JDK-8022574 | hotspot | compiler | remove HaltNode code after uncommon trap calls |
50 | JDK-8220420 | hotspot | compiler | Cleanup c1_LinearScan |
51 | JDK-8225653 | hotspot | compiler | Provide more information when hitting SIGILL from HaltNode |
52 | JDK-8227647 | hotspot | compiler | [Graal] Test8009761.java fails due to "RuntimeException: static java.lang.Object compiler.uncommontrap.Test8009761.m3(boolean,boolean) not compiled" |
53 | JDK-8231720 | hotspot | compiler | Some perf regressions after 8225653 |
54 | JDK-8236944 | hotspot | compiler | The legVecZ operand should be limited to zmm0-zmm15 registers |
55 | JDK-8237950 | hotspot | compiler | C2 compilation fails with "Live Node limit exceeded limit" during ConvI2L::Ideal optimization |
56 | JDK-8240676 | hotspot | compiler | Meet not symmetric failure when running lucene on jdk8 |
57 | JDK-8243114 | hotspot | compiler | Implement montgomery{Multiply,Square}intrinsics on Windows |
58 | JDK-8244278 | hotspot | compiler | Excessive code cache flushes and sweeps |
59 | JDK-8246381 | hotspot | compiler | VM crashes with "Current BasicObjectLock* below than low_mark" |
60 | JDK-8247246 | hotspot | compiler | [JVMCI] `ResolvedJavaType.getDeclaredMethod()` can throw NoClassDefFoundError. |
61 | JDK-8247502 | hotspot | compiler | PhaseStringOpts crashes while optimising effectively dead code |
62 | JDK-8247763 | hotspot | compiler | assert(outer->outcnt() == 2) failed: 'only phis' failure in LoopNode::verify_strip_mined() |
63 | JDK-8248226 | hotspot | compiler | TestCloneAccessStressGCM fails with -XX:-ReduceBulkZeroing |
64 | JDK-8248347 | hotspot | compiler | windows build broken by JDK-8243114 |
65 | JDK-8248552 | hotspot | compiler | C2 crashes with SIGFPE due to division by zero |
66 | JDK-8248791 | hotspot | compiler | sun/util/resources/cldr/TimeZoneNamesTest.java fails with -XX:-ReduceInitialCardMarks -XX:-ReduceBulkZeroing |
67 | JDK-8248822 | hotspot | compiler | 8 vm/classfmt/atr_ann/atr_rtm_annot007/atr_rtm_annot00709 tests fail w/ AOT |
68 | JDK-8248987 | hotspot | compiler | AOT's Linker.java seems to eagerly fail-fast on Windows. |
69 | JDK-8249602 | hotspot | compiler | C2: assert(cnt == _outcnt) failed: no insertions allowed |
70 | JDK-8249603 | hotspot | compiler | C1: assert(has_error == false) failed: register allocation invalid |
71 | JDK-8249605 | hotspot | compiler | C2: assert(no_dead_loop) failed: dead loop detected |
72 | JDK-8249607 | hotspot | compiler | C2: assert(!had_error) failed: bad dominance |
73 | JDK-8249608 | hotspot | compiler | Vector register used by C2 compiled method corrupted at safepoint |
74 | JDK-8249749 | hotspot | compiler | modify a primitive array through a stream and a for cycle causes jre crash |
75 | JDK-8249880 | hotspot | compiler | JVMCI calling register_nmethod without CodeCache lock |
76 | JDK-8250233 | hotspot | compiler | -XX:+CITime triggers guarantee(events != NULL) in jvmci.cpp:173 |
77 | JDK-8250548 | hotspot | compiler | libgraal can deadlock in -Xcomp mode |
78 | JDK-8250609 | hotspot | compiler | C2 crash in IfNode::fold_compares |
79 | JDK-8251458 | hotspot | compiler | Parse::do_lookupswitch fails with "assert(_cnt >= 0) failed" |
80 | JDK-8252696 | hotspot | compiler | Loop unswitching may cause out of bound array load to be executed |
81 | JDK-8253118 | hotspot | compiler | Avoid unnecessary deopts when OSR nmethods of the same level are present. |
82 | JDK-8254104 | hotspot | compiler | MethodCounters must exist before nmethod is installed |
83 | JDK-8254790 | hotspot | compiler | SIGSEGV in string_indexof_char and stringL_indexof_char intrinsics |
84 | JDK-8248214 | hotspot | gc | Add paddings for TaskQueueSuper to reduce false-sharing cache contention |
85 | JDK-8250928 | hotspot | jfr | JFR: Improve hash algorithm for stack traces |
86 | JDK-8252090 | hotspot | jfr | JFR: StreamWriterHost::write_unbuffered() stucks in an infinite loop OpenJDK (build 13.0.1+9) |
87 | JDK-8252754 | hotspot | jfr | Hash code calculation of JfrStackTrace is inconsistent |
88 | JDK-8173361 | hotspot | jvmti | various crashes in JvmtiExport::post_compiled_method_load |
89 | JDK-8173658 | hotspot | jvmti | JvmtiExport::post_class_unload() is broken for non-JavaThread initiators |
90 | JDK-8210131 | hotspot | jvmti | vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code |
91 | JDK-8210926 | hotspot | jvmti | vmTestbase/nsk/jvmti/scenarios/allocation/AP11/ap11t001/TestDescription.java failed with JVMTI_ERROR_INVALID_CLASS in CDS mode |
92 | JDK-8212160 | hotspot | jvmti | JVMTI agent crashes with "assert(_value != 0LL) failed: resolving NULL _value" |
93 | JDK-8216324 | hotspot | jvmti | GetClassMethods is confused by the presence of default methods in super interfaces |
94 | JDK-8224555 | hotspot | jvmti | vmTestbase/nsk/jvmti/scenarios/contention/TC02/tc02t001/TestDescription.java failed |
95 | JDK-8247615 | hotspot | jvmti | Initialize the bytes left for the heap sampler |
96 | JDK-8217338 | hotspot | runtime | [Containers] Improve systemd slice memory limit support |
97 | JDK-8217766 | hotspot | runtime | Container Support doesn't work for some Join Controllers combinations |
98 | JDK-8218851 | hotspot | runtime | JVM crash in custom classloader stress test, JDK 12 & 13 |
99 | JDK-8220718 | hotspot | runtime | Missing ResourceMark in nmethod::metadata_do |
100 | JDK-8227006 | hotspot | runtime | [linux] Runtime.availableProcessors execution time increased by factor of 100 |
101 | JDK-8233386 | hotspot | runtime | Initialize NULL fields for unused decorations |
102 | JDK-8235243 | hotspot | runtime | handle VS2017 15.9 and VS2019 in abstract_vm_version |
103 | JDK-8237512 | hotspot | runtime | AArch64: aarch64TestHook leaks a BufferBlob |
104 | JDK-8243290 | hotspot | runtime | Improve diagnostic messages for class verification and redefinition failures |
105 | JDK-8244340 | hotspot | runtime | Handshake processing thread lacks yielding |
106 | JDK-8246648 | hotspot | runtime | issue with OperatingSystemImpl getFreeSwapSpaceSize in docker after 8242480 |
107 | JDK-8249192 | hotspot | runtime | MonitorInfo stores raw oops across safepoints |
108 | JDK-8249672 | hotspot | runtime | Include microcode revision in features_string on x86 |
109 | JDK-8250598 | hotspot | runtime | Hyper-V is detected in spite of running on host OS |
110 | JDK-8250984 | hotspot | runtime | Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities |
111 | JDK-8251945 | hotspot | runtime | SIGSEGV in PackageEntry::purge_qualified_exports() |
112 | JDK-8209332 | hotspot | svc | [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect |
113 | JDK-8250968 | security-libs | java.security | Symlinks attributes not preserved when using jarsigner on zip files |
114 | JDK-8224997 | security-libs | javax.net.ssl | ChaCha20-Poly1305 TLS cipher suite decryption throws ShortBufferException |
115 | JDK-8244151 | security-libs | javax.smartcardio | Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 |
116 | JDK-8250582 | security-libs | org.ietf.jgss:krb5 | Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets |
117 | JDK-8230094 | xml | javax.xml.stream | CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter |
118 | JDK-8233686 | xml | javax.xml.transform | XML transformer uses excessive amount of memory |
The following sections summarize changes made in all Java SE 11.0.9 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8252455 (Confidential) | core-libs | java.net | Performance issue caused by 8232854 |
JDK-8255226 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2020d |
JDK-8254982 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2020c |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8252394 (Confidential) | core-libs | javax.naming | ldap failure due to JDK-8230944 changes in 11.0.8 |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8254177 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2020b. |
October 20, 2020
The full version string for this update release is 11.0.9+7 (where "+" means "build"). The version number is 11.0.9.
JDK 11.0.9 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.9 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.9+7 |
8 | 1.8.0_271-b09 |
7 | 1.7.0_281-b06 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.9) be used after the next critical patch update scheduled for January 19, 2021.
Weak named curves are disabled by default by adding them to the following disabledAlgorithms security properties: jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms, and jdk.jar.disabledAlgorithms. The named curves are listed below.
With 47 weak named curves to be disabled, adding individual named curves to each disabledAlgorithms property would be overwhelming. To relieve this, a new security property, jdk.disabled.namedCurves, is implemented that can list the named curves common to all of the disabledAlgorithms properties. To use the new property in the disabledAlgorithms properties, precede the full property name with the keyword include. Users can still add individual named curves to disabledAlgorithms properties separate from this new property. No other properties can be included in the disabledAlgorithms properties.
To restore the named curves, remove the include jdk.disabled.namedCurves either from specific or from all disabledAlgorithms security properties.
To restore one or more curves, remove the specific named curve(s) from the jdk.disabled.namedCurves property.
Curves that are disabled through jdk.disabled.namedCurves include the following:
secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448
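The include mechanism described above can be audited per property. The following is an added example, not code from the JDK or from these release notes: it expands include jdk.disabled.namedCurves inside each disabledAlgorithms property and reports which weak curves a configuration leaves enabled, first on a constructed configuration and then on the running JVM. The class and method names, the five-curve sample, and the case-insensitive name comparison are assumptions of this example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

public class NamedCurveAudit {
    // Property names taken from the release note above.
    static final String SHARED = "jdk.disabled.namedCurves";
    static final String[] DISABLED_ALGORITHM_PROPERTIES = {
        "jdk.tls.disabledAlgorithms",
        "jdk.certpath.disabledAlgorithms",
        "jdk.jar.disabledAlgorithms"
    };
    // A subset of the 47 curves listed in the note, enough to show the check.
    static final List<String> WEAK_SAMPLE = List.of(
        "secp224r1", "secp256k1", "sect163k1", "X9.62 prime192v2", "brainpoolP256r1");

    /** Splits a comma-separated property value into trimmed, non-empty entries. */
    static List<String> entries(String value) {
        List<String> out = new ArrayList<>();
        if (value == null) return out;
        for (String e : value.split(",")) {
            String t = e.trim();
            if (!t.isEmpty()) out.add(t);
        }
        return out;
    }

    /** Entries of one property, with "include jdk.disabled.namedCurves" expanded. */
    static List<String> effective(String property, Function<String, String> lookup) {
        List<String> out = new ArrayList<>();
        for (String e : entries(lookup.apply(property))) {
            boolean isInclude = e.regionMatches(true, 0, "include ", 0, 8);
            // Per the note, no property other than jdk.disabled.namedCurves can be included.
            if (isInclude && e.substring(8).trim().equalsIgnoreCase(SHARED)) {
                out.addAll(entries(lookup.apply(SHARED)));
            } else {
                out.add(e);
            }
        }
        return out;
    }

    /** Curves from WEAK_SAMPLE that the given property does not disable. */
    static List<String> weakCurvesStillEnabled(String property, Function<String, String> lookup) {
        Set<String> disabled = new HashSet<>();
        for (String e : effective(property, lookup)) {
            disabled.add(e.toLowerCase(Locale.ROOT)); // assumption: names compare case-insensitively
        }
        List<String> open = new ArrayList<>();
        for (String curve : WEAK_SAMPLE) {
            if (!disabled.contains(curve.toLowerCase(Locale.ROOT))) open.add(curve);
        }
        return open;
    }

    static void report(String label, Function<String, String> lookup) {
        System.out.println("== " + label);
        for (String property : DISABLED_ALGORITHM_PROPERTIES) {
            List<String> open = weakCurvesStillEnabled(property, lookup);
            System.out.println(property + ": "
                + (open.isEmpty() ? "all sampled weak curves disabled" : "NOT disabled: " + open));
        }
    }

    public static void main(String[] args) {
        // Constructed configuration (not a real java.security file). It shows both
        // "restore" operations from the note: secp256k1 was removed from the shared
        // list, and the include was removed from jdk.jar.disabledAlgorithms.
        Map<String, String> sample = new LinkedHashMap<>();
        sample.put(SHARED, "secp224r1, sect163k1, X9.62 prime192v2, brainpoolP256r1");
        sample.put("jdk.tls.disabledAlgorithms", "SSLv3, RC4, include jdk.disabled.namedCurves");
        sample.put("jdk.certpath.disabledAlgorithms", "MD2, MD5, include jdk.disabled.namedCurves");
        sample.put("jdk.jar.disabledAlgorithms", "MD2, MD5, RSA keySize < 1024");
        report("constructed sample", sample::get);

        // The same check against the security properties of the JVM running this class.
        report("this runtime", Security::getProperty);
    }
}
```

On the constructed sample the TLS and certpath properties report only secp256k1 as not disabled, while jdk.jar.disabledAlgorithms reports all five sampled curves, because its include was removed.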
The Kerberos client has been enhanced with the support of principal name canonicalization and cross-realm referrals, as defined by the RFC 6806 protocol extension.
As a result of this new feature, the Kerberos client can take advantage of more dynamic environment configurations and does not necessarily need to know (in advance) how to reach the realm of a target principal (user or service).
Support is enabled by default and 5 is the maximum number of referral hops allowed. To turn it off, set the sun.security.krb5.disableReferrals security or system property to false. To configure a custom maximum number of referral hops, set the sun.security.krb5.maxReferrals security or system property to any positive value.
See further information in JDK-8223172.
A new system property, jdk.tls.maxHandshakeMessageSize, has been added to set the maximum allowed size for the handshake message in TLS/DTLS handshaking. The default value of the system property is 32768 (32 kilobytes).
A new system property, jdk.tls.maxCertificateChainLength, has been added to set the maximum allowed length of the certificate chain in TLS/DTLS handshaking. The default value of the system property is 10.
The keytool and jarsigner tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the jdk.security.legacyAlgorithms security property in the java.security configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.
The 'canonicalize' flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested.
The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the sun.security.krb5.disableReferrals system or security properties).
A new environment property, jdk.jndi.ldap.mechsAllowedToSendCredentials, has been added to control which LDAP authentication mechanisms are allowed to send credentials over clear LDAP connections - a connection not secured with TLS. An encrypted LDAP connection is a connection opened by using ldaps scheme, or a connection opened by using ldap scheme and then upgraded to TLS with a STARTTLS extended operation.
The value of the property, which is by default not set, is a comma-separated list of the mechanism names that are permitted to authenticate over a clear connection. If a value is not specified for the property, then all mechanisms are allowed. If the specified value is an empty list, then no mechanisms are allowed (except for none and anonymous). The default value for this property is 'null' (i.e. System.getProperty("jdk.jndi.ldap.mechsAllowedToSendCredentials") returns 'null'). To explicitly permit all mechanisms to authenticate over a clear connection, the property value can be set to "all". If a connection is downgraded from encrypted to clear, then only the mechanisms that are explicitly permitted are allowed.
The property can be supplied to the LDAP context environment map, or set globally as a system property. When both are supplied, the environment map takes precedence.
Note: none and anonymous authentication mechanisms are exempted from these rules and are always allowed regardless of the property value.
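The rules above form a small decision table. The following added example (not the JDK's implementation and not code from these release notes) models that table as the note states it and builds a JNDI environment that allows no mechanism to send credentials over a clear connection. The class, enum and method names, the host ldap.example.test, the case-insensitive comparison of mechanism names, and the reading that an unset property does not count as "explicitly permitted" after a downgrade are assumptions of this example.

```java
import java.util.Hashtable;
import java.util.Locale;
import javax.naming.Context;

public class LdapClearCredentialPolicy {
    // Property name taken from the release note above.
    static final String PROP = "jdk.jndi.ldap.mechsAllowedToSendCredentials";

    // Hypothetical labels for the three connection states the note distinguishes.
    enum Channel { ENCRYPTED, CLEAR, DOWNGRADED_TO_CLEAR }

    /** The environment map takes precedence over the system property. */
    static String effectiveValue(Hashtable<String, Object> env) {
        Object fromEnv = env.get(PROP);
        return fromEnv != null ? fromEnv.toString() : System.getProperty(PROP);
    }

    /** Model of the note's rules; value is the effective property value or null. */
    static boolean maySendCredentials(String mechanism, Channel channel, String value) {
        String mech = mechanism.trim().toLowerCase(Locale.ROOT);
        // none and anonymous are exempt regardless of the property value.
        if (mech.equals("none") || mech.equals("anonymous")) return true;
        // The property only governs connections that are not secured with TLS.
        if (channel == Channel.ENCRYPTED) return true;
        // Not set: all mechanisms are allowed on a clear connection, but after a
        // downgrade only explicitly permitted mechanisms are (assumed reading).
        if (value == null) return channel == Channel.CLEAR;
        if (value.trim().equalsIgnoreCase("all")) return true;
        // Otherwise the value is a comma-separated allow list; "" allows nothing.
        for (String allowed : value.split(",")) {
            if (allowed.trim().toLowerCase(Locale.ROOT).equals(mech)) return true;
        }
        return false;
    }

    /** Environment for an LDAP context that never sends credentials in the clear. */
    static Hashtable<String, Object> hardenedEnv(String url, String mechanism) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);
        env.put(PROP, ""); // empty list: only none and anonymous may authenticate
        return env;
    }

    public static void main(String[] args) {
        // Placeholder host; no connection is opened by this example.
        Hashtable<String, Object> env = hardenedEnv("ldap://ldap.example.test:389", "simple");
        System.out.println("effective value from env: \"" + effectiveValue(env) + "\"");

        String[] values = { null, "", "GSSAPI", "all" };          // constructed property values
        String[] mechanisms = { "simple", "GSSAPI", "none" };
        for (String value : values) {
            for (Channel channel : Channel.values()) {
                StringBuilder row = new StringBuilder();
                row.append(value == null ? "(not set)" : "\"" + value + "\"")
                   .append(" / ").append(channel).append(':');
                for (String mech : mechanisms) {
                    row.append(' ').append(mech).append('=')
                       .append(maySendCredentials(mech, channel, value) ? "allow" : "deny");
                }
                System.out.println(row);
            }
        }
    }
}
```

With the empty value set by hardenedEnv, a simple bind over ldap:// is denied in this model until the connection is upgraded with STARTTLS or opened with the ldaps scheme.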
The following root certificates have been added to the cacerts truststore:
+ SSL Corporation
+ sslrootrsaca
DN: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
+ sslrootevrsaca
DN: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
+ sslrooteccca
DN: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
The following root certificate has been added to the cacerts truststore:
+ Entrust
+ entrustrootcag4
DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only",
OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
English time zone names provided by the CLDR locale provider are now correctly synthesized following the CLDR spec, rather than substituted from the COMPAT provider. For example, SHORT style names are no longer synthesized abbreviations of LONG style names, but instead produce GMT offset formats.
The deserialization of java.lang.reflect.Proxy objects can be limited by setting the system property jdk.serialProxyInterfaceLimit.
The limit is the maximum number of interfaces allowed per Proxy in the stream.
Setting the limit to zero prevents any Proxies from being deserialized, including Annotations. A limit of less than 2 might interfere with RMI operations.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.9:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8220150 | client-libs | 2d | [macos] macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs |
2 | JDK-8244818 | client-libs | 2d | [macos] Java2D Queue Flusher crash while moving application window to external monitor |
3 | JDK-8240518 | client-libs | java.awt | Incorrect JNU_ReleaseStringPlatformChars in Windows Print |
4 | JDK-8243925 | client-libs | java.awt | Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows) |
5 | JDK-8249278 | client-libs | javax.accessibility | Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList |
6 | JDK-8215396 | client-libs | javax.swing | JTabbedPane preferred size calculation is wrong for SCROLL_TAB_LAYOUT |
7 | JDK-8249251 | client-libs | javax.swing | [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel |
8 | JDK-8233452 | core-libs | java.math | java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result |
9 | JDK-8216974 | core-libs | java.net | HttpConnection not returned to the pool after 204 response |
10 | JDK-8238270 | core-libs | java.net | java.net HTTP/2 client does not decrease stream count when receives 204 response |
11 | JDK-8218948 | core-libs | java.text | SimpleDateFormat :: format - Zone Names are not reflected correctly during run time |
12 | JDK-8246807 | core-libs | java.util | Incorrect copyright header in TimeZoneDatePermissionCheck.sh |
13 | JDK-8234347 | core-libs | java.util:i18n | "Turkey" meta time zone does not generate composed localized names |
14 | JDK-8062947 | core-libs | javax.naming | Fix exception message to correctly represent LDAP connection failure |
15 | JDK-8222529 | core-svc | debugger | sun.jdwp.listenerAddress agent property uses wrong encoding |
16 | JDK-8227269 | core-svc | debugger | Slow class loading when running with JDWP |
17 | JDK-8229378 | core-svc | debugger | jdwp library loader in linker_md.c quietly truncates on buffer overflow |
18 | JDK-8244703 | core-svc | debugger | "platform encoding not initialized" exceptions with debugger, JNI |
19 | JDK-8234968 | core-svc | java.lang.instrument | check calloc rv in libinstrument InvocationAdapter |
20 | JDK-8203026 | core-svc | tools | java.rmi.NoSuchObjectException: no such object in table |
21 | JDK-8227435 | core-svc | tools | Perf::attach() should not throw a java.lang.Exception |
22 | JDK-8214074 | hotspot | compiler | Optimize Ghash using AVX instructions |
23 | JDK-8224580 | hotspot | compiler | Matcher can cause oop field/array element to be reloaded |
24 | JDK-8225625 | hotspot | compiler | AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions |
25 | JDK-8230402 | hotspot | compiler | Allocation of compile task fails with assert: "Leaking compilation tasks?" |
26 | JDK-8231586 | hotspot | compiler | enlarge encoding space for OopMapValue offsets |
27 | JDK-8231756 | hotspot | compiler | [JVMCI] need support for deoptimizing virtual byte arrays encoding non-byte primitives |
28 | JDK-8232083 | hotspot | compiler | Minimal VM is broken after JDK-8231586 |
29 | JDK-8233027 | hotspot | compiler | OopMapSet::all_do does oms.next() twice during iteration |
30 | JDK-8236179 | hotspot | compiler | C1 register allocation failure with T_ADDRESS |
31 | JDK-8236647 | hotspot | compiler | java/lang/invoke/CallSiteTest.java failed with InvocationTargetException in Graal mode |
32 | JDK-8239083 | hotspot | compiler | C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), "should be non-static concrete method"); |
33 | JDK-8240610 | hotspot | compiler | [JVMCI] Export VMVersion::_has_intel_jcc_erratum to JVMCI compiler |
34 | JDK-8241234 | hotspot | compiler | Unify monitor enter/exit runtime entries. |
35 | JDK-8244407 | hotspot | compiler | JVM crashes after transformation in C2 IdealLoopTree::split_fall_in |
36 | JDK-8244672 | hotspot | compiler | [JVMCI] Export InstanceKlass::being_initialized to JVMCI compilers |
37 | JDK-8244719 | hotspot | compiler | CTW: C2 compilation fails with "assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it" |
38 | JDK-8245714 | hotspot | compiler | "Bad graph detected in build_loop_late" when loads are pinned on loop limit check uncommon branch |
39 | JDK-8245801 | hotspot | compiler | StressRecompilation triggers assert "redundunt OSR recompilation detected. memory leak in CodeCache!" |
40 | JDK-8246153 | hotspot | compiler | TestEliminateArrayCopy fails with -XX:+StressReflectiveCode |
41 | JDK-8246203 | hotspot | compiler | Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN |
42 | JDK-8246453 | hotspot | compiler | TestClone crashes with "all collected exceptions must come from the same place" |
43 | JDK-8247350 | hotspot | compiler | [aarch64] assert(false) failed: wrong size of mach node |
44 | JDK-8247992 | hotspot | compiler | [JVMCI] HotSpotNmethod.executeVarargs can try execute a zombie nmethod |
45 | JDK-8248321 | hotspot | compiler | [JVMCI] improve libgraal logging and fatal error handling |
46 | JDK-8248359 | hotspot | compiler | Update JVMCI |
47 | JDK-8248410 | hotspot | compiler | Correct Fix for 8236647: java/lang/invoke/CallSiteTest.java failed with InvocationTargetException in Graal mode |
48 | JDK-8248987 | hotspot | compiler | AOT's Linker.java seems to eagerly fail-fast on Windows. |
49 | JDK-8248851 | hotspot | gc | CMS: Missing memory fences between free chunk check and klass read |
50 | JDK-8210024 | hotspot | jfr | JFR calls virtual is_Java_thread from ~Thread() |
51 | JDK-8210977 | hotspot | jfr | jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject |
52 | JDK-8219904 | hotspot | jfr | ClassCastException when calling FlightRecorderMXBean#getRecordings() |
53 | JDK-8230767 | hotspot | jfr | FlightRecorderListener returns null recording |
54 | JDK-8243489 | hotspot | jfr | Thread CPU Load event may contain wrong data for CPU time under certain conditions |
55 | JDK-8211064 | hotspot | runtime | [AArch64] Interpreter and c1 don't correctly handle jboolean results in native calls |
56 | JDK-8213410 | hotspot | runtime | UseCompressedOops requirement check fails fails on 32-bit system |
57 | JDK-8213574 | hotspot | runtime | Deadlock in string table expansion when dumping lots of CDS classes |
58 | JDK-8215342 | hotspot | runtime | [Zero] Build fails after JDK-8200613 |
59 | JDK-8215879 | hotspot | runtime | Aarch64: ReservedStackAccess may leave stack guard in inconsistent state |
60 | JDK-8215961 | hotspot | runtime | jdk/jfr/event/os/TestCPUInformation.java fails on AArch64 |
61 | JDK-8218185 | hotspot | runtime | aarch64: missing LoadStore barrier in TemplateTable::putfield_or_static |
62 | JDK-8219635 | hotspot | runtime | aarch64: missing LoadStore barrier in TemplateTable::fast_storefield |
63 | JDK-8219698 | hotspot | runtime | aarch64: SIGILL triggered when specifying unsupported hardware features |
64 | JDK-8219712 | hotspot | runtime | code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs |
65 | JDK-8221220 | hotspot | runtime | AArch64: Add StoreStore membar explicitly for Volatile Writes in TemplateTable |
66 | JDK-8224828 | hotspot | runtime | aarch64: rflags is not correct after safepoint poll |
67 | JDK-8225329 | hotspot | runtime | -XX:+PrintBiasedLockingStatistics causes crash during initialization on Windows platforms |
68 | JDK-8228601 | hotspot | runtime | AArch64: Fix interpreter code at JVMCI deoptimization entry |
69 | JDK-8233466 | hotspot | runtime | aarch64: remove unnecessary load of mdo when profiling return and parameters type |
70 | JDK-8233839 | hotspot | runtime | aarch64: missing memory barrier in NewObjectArrayStub and NewTypeArrayStub |
71 | JDK-8234270 | hotspot | runtime | [REDO] JDK-8204128 NMT might report incorrect numbers for Compiler area |
72 | JDK-8240295 | hotspot | runtime | hs_err elapsed time in seconds is not accurate enough |
73 | JDK-8241586 | hotspot | runtime | compiler/cpuflags/TestAESIntrinsicsOnUnsupportedConfig.java fails on aarch64 |
74 | JDK-8248219 | hotspot | runtime | aarch64: missing memory barrier in fast_storefield and fast_accessfield |
75 | JDK-8228448 | hotspot | svc | Jconsole can't connect to itself |
76 | JDK-8163805 | hotspot | svc-agent | hotspot/test/serviceability/sa/sadebugd/SADebugDTest.java failed with timed out |
77 | JDK-8196969 | hotspot | svc-agent | JTreg Failure: serviceability/sa/ClhsdbJstack.java causes NPE |
78 | JDK-8203364 | hotspot | svc-agent | Some serviceability/sa/ tests intermittently fail with java.io.IOException: LingeredApp terminated with non-zero exit code 3 |
79 | JDK-8204994 | hotspot | svc-agent | SA might fail to attach to process with "Windbg Error: WaitForEvent failed" |
80 | JDK-8205534 | hotspot | svc-agent | Remove SymbolTable dependency from serviceability agent |
81 | JDK-8209790 | hotspot | svc-agent | SA tools not providing option to connect to debug server |
82 | JDK-8214797 | hotspot | svc-agent | TestJmapCoreMetaspace.java timed out |
83 | JDK-8223665 | hotspot | svc-agent | SA: debugd options should follow jhsdb style |
84 | JDK-8223814 | hotspot | svc-agent | SA: jhsdb common help needs to be more detailed |
85 | JDK-8225636 | hotspot | svc-agent | SA can't handle prelinked libraries |
86 | JDK-8232592 | hotspot | svc-agent | <Unknown compiled code> is shown in jstack mixed mode |
87 | JDK-8235637 | hotspot | svc-agent | jhsdb jmap from OpenJDK 11.0.5 doesn't work if prelink is enabled |
88 | JDK-8235846 | hotspot | svc-agent | Improve WindbgDebuggerLocal implementation |
89 | JDK-8244310 | other-libs | other | Validate-headers failed for HugeArenaTracking.java |
90 | JDK-8215694 | security-libs | java.security | keytool cannot generate RSASSA-PSS certificates |
91 | JDK-8238448 | security-libs | java.security | RSASSA-PSS signature verification fail when using certain odd key sizes |
92 | JDK-8242184 | security-libs | java.security | Default signature algorithm for an RSASSA-PSS key |
93 | JDK-8242556 | security-libs | java.security | Cannot load RSASSA-PSS public key with non-null params from byte array |
94 | JDK-8244087 | security-libs | java.security | 2020-04-24 public suffix list update v ff6fcea |
95 | JDK-8245151 | security-libs | java.security | jarsigner should not raise duplicate warnings on verification |
96 | JDK-8215443 | security-libs | javax.net.ssl | The use of TransportContext.fatal() leads to bad coding style |
97 | JDK-8219991 | security-libs | javax.net.ssl | New fix of the deadlock in sun.security.ssl.SSLSocketImpl |
98 | JDK-8236464 | security-libs | javax.net.ssl | SO_LINGER option is ignored by SSLSocket in JDK 11 |
99 | JDK-8226719 | security-libs | org.ietf.jgss | Kerberos login to Windows 2000 failed with "Inappropriate type of checksum in message" |
100 | JDK-8227381 | security-libs | org.ietf.jgss | GSS login fails with PREAUTH_FAILED |
101 | JDK-8227437 | security-libs | org.ietf.jgss:krb5 | S4U2proxy cannot continue because server's TGT cannot be found |
102 | JDK-8246193 | security-libs | org.ietf.jgss:krb5 | Possible NPE in ENC-PA-REP search in AS-REQ |
103 | JDK-8193367 | tools | javac | annotated type variables bounds crash javac |
104 | JDK-8213703 | tools | javac | LambdaConversionException: Invalid receiver type not a subtype of implementation type interface |
105 | JDK-8214571 | tools | javac | -Xdoclint of array serialField gives "error: array type not allowed here" |
106 | JDK-8244763 | tools | javac | Update --release 8 symbol information after JSR 337 MR3 |
107 | JDK-8240169 | tools | javadoc(tool) | javadoc fails to link to docs with non-matching modularity |
108 | JDK-8245981 | tools | javadoc(tool) | Upgrade to jQuery 3.5.1 |
109 | JDK-8080353 | tools | jshell | JShell: Better error message on attempting to add default method |
110 | JDK-8159740 | tools | jshell | JShell: corralled declarations do not have correct source to wrapper mapping |
111 | JDK-8212167 | tools | jshell | JShell : Stack trace of exception has wrong line number |
112 | JDK-8214491 | tools | jshell | Upgrade to JLine 3.9.0 |
113 | JDK-8215243 | tools | jshell | JShell tests failing intermitently with "Problem cleaning up the following threads:" |
114 | JDK-8215244 | tools | jshell | jdk/jshell/ToolBasicTest.java testHistoryReference failed |
115 | JDK-8215438 | tools | jshell | jshell tool: Ctrl-D causes EOF |
116 | JDK-8229815 | tools | jshell | Upgrade Jline to 3.12.1 |
117 | JDK-8241445 | tools | launcher | Fix copyrights after JDK-8240629 change |
118 | JDK-8248348 | xml | jaxp | Regression caused by the update to BCEL 6.0 |
The following sections summarize changes made in all Java SE 11.0.8 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8244407 | hotspot | compiler | JVM crashes after transformation in C2 IdealLoopTree::split_fall_in |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8248505 | security-libs | java.security | Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider |
8247925 (Confidential) | xml | jaxp | JDK8u251- XSL transformer fails with TransformerConfigurationException |
July 14, 2020
The full version string for this update release is 11.0.8+10 (where "+" means "build"). The version number is 11.0.8.
JDK 11.0.8 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.8 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.8+10 |
8 | 1.8.0_261-b12 |
7 | 1.7.0_271-b10 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.8) be used after the next critical patch update scheduled for October 20, 2020.
security-libs/javax.net.ssl
➜ New System Properties to Configure the TLS Signature Schemes
Two new System Properties are added to customize the TLS signature schemes in JDK. jdk.tls.client.SignatureSchemes is added for TLS client side, and jdk.tls.server.SignatureSchemes for server side.
Each System Property contains a comma-separated list of supported signature scheme names, which specifies the signature schemes that could be used for the TLS connections.
The names are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.
See JDK-8242141
security-libs/javax.xml.crypto
➜ Apache Santuario Library Updated to Version 2.1.4
The Apache Santuario library has been upgraded to version 2.1.4. As a result, a new system property com.sun.org.apache.xml.internal.security.parser.pool-size has been introduced.
This new system property sets the pool size of the internal DocumentBuilder cache used when processing XML Signatures. The function is equivalent to the org.apache.xml.security.parser.pool-size system property used in Apache Santuario and has the same default value of 20.
See JDK-8231507
infrastructure
➜ Toolchain Upgrade to Xcode 10.1
Build Environment Update for macOS Moved to Xcode 10.1
On macOS, the toolchain used to build the JDK has been upgraded from Xcode 4.5 to Xcode 10.1.
JDK-8232007 (not public)
The Oracle JDK installer for Windows provides java.exe, javaw.exe, javac.exe, and jshell.exe commands in a system location so that users can run Java applications without needing to provide the path to the Oracle JDK's installation folder.
security-libs/java.security
➜ Removal of Comodo Root CA Certificate
The following expired Comodo root CA certificate was removed from the cacerts keystore:
Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
See JDK-8225069
security-libs/java.security
➜ Removal of DocuSign Root CA Certificate
The following expired DocuSign root CA certificate was removed from the cacerts keystore:
Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
See JDK-8225068
When setting a serialization filter by using java.io.ObjectInputStream.setObjectInputFilter, the method must be called before reading any objects from the stream. If readObject or readUnshared has already been called, the setObjectInputFilter method throws IllegalStateException.
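The ordering rule above, shown as an added example (not Oracle's code): the filter is installed before the first read, an unlisted class is rejected, and a filter set after a read is refused. The class names FilterOrderingDemo, Order and Unexpected and the sample data are hypothetical, constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilterOrderingDemo {

    // Constructed sample types; neither appears in the release notes.
    static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Allow-list: only Order may be deserialized; "!*" rejects every other class.
    static ObjectInputFilter allowList() {
        return ObjectInputFilter.Config.createFilter(Order.class.getName() + ";!*");
    }

    // Correct order: install the filter first, then read.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowList());
            return in.readObject();
        }
    }

    // Wrong order: read first, then try to install the filter.
    // Returns true when the runtime refuses the late filter with IllegalStateException,
    // false when it accepts it without complaint (a runtime without this change).
    static boolean lateFilterIsRefused(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.readObject(); // this object was read with no stream-specific filter in place
            try {
                in.setObjectInputFilter(allowList());
                return false;
            } catch (IllegalStateException e) {
                return true;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Order("A-1001", 3));
        Order o = (Order) readFiltered(good);
        System.out.println("allowed: Order " + o.id + " x" + o.quantity);

        try {
            readFiltered(serialize(new Unexpected()));
            System.out.println("unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }

        System.out.println("late setObjectInputFilter refused: " + lateFilterIsRefused(good));
    }
}
```

A result of false on the last line means the first object was read unfiltered and the runtime did not flag it, which is the condition the IllegalStateException now surfaces.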
core-libs/java.util:collections
➜ Better Listing of Arrays
The preferred way to copy a collection is to use a "copy constructor." For example, to copy a collection into a new ArrayList, one would write new ArrayList<>(collection). In certain circumstances, an additional, temporary copy of the collection's contents might be made in order to improve robustness. If the collection being copied is exceptionally large, then the application should be aware of, and monitor, the significant resources involved in making the copy.
JDK-8231800 (not public)
security-libs/javax.net.ssl
➜ Default SSLEngine Should Create in Server Role
In JDK 11 and later, javax.net.ssl.SSLEngine by default used client mode when handshaking. As a result, the set of default enabled protocols may differ from what is expected. SSLEngine would usually be used in server mode. From this JDK release onwards, SSLEngine will default to server mode. The javax.net.ssl.SSLEngine.setUseClientMode(boolean mode) method may be used to configure the mode.
See JDK-8237474
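Because the default role changes with this release, code that never calls setUseClientMode can end up with a different set of enabled protocols after an update. The following added example (not Oracle's code; the class name EngineRoleDemo and its helper methods are hypothetical) pins the role explicitly and reports how the untouched default compares with each pinned role on the running JDK.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class EngineRoleDemo {

    // Create an engine with the role pinned, so behaviour does not depend on the JDK default.
    static SSLEngine newEngine(SSLContext ctx, boolean clientMode) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(clientMode); // must be called before handshaking begins
        return engine;
    }

    static Set<String> enabledProtocols(SSLEngine engine) {
        return new LinkedHashSet<>(Arrays.asList(engine.getEnabledProtocols()));
    }

    // Elements of a that are missing from b.
    static Set<String> minus(Set<String> a, Set<String> b) {
        Set<String> diff = new LinkedHashSet<>(a);
        diff.removeAll(b);
        return diff;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Engine exactly as code that relies on the default would get it.
        SSLEngine untouched = ctx.createSSLEngine();
        Set<String> byDefault = enabledProtocols(untouched);

        Set<String> asClient = enabledProtocols(newEngine(ctx, true));
        Set<String> asServer = enabledProtocols(newEngine(ctx, false));

        System.out.println("default role on this runtime: "
                + (untouched.getUseClientMode() ? "client" : "server"));
        System.out.println("enabled by default:       " + byDefault);
        System.out.println("enabled only as client:   " + minus(asClient, asServer));
        System.out.println("enabled only as server:   " + minus(asServer, asClient));
        System.out.println("default matches server:   " + byDefault.equals(asServer));
    }
}
```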
core-svc/java.lang.management
➜ OperatingSystemMXBean Methods Inside a Container Return Container Specific Data
When executing in a container, or other virtualized operating environment, the following OperatingSystemMXBean methods in this release return container specific information, if available. Otherwise, they return host specific data:
getFreePhysicalMemorySize()
getTotalPhysicalMemorySize()
getFreeSwapSpaceSize()
getTotalSwapSpaceSize()
getSystemCpuLoad()
See JDK-8226575
security-libs
➜ Default SSL Session Cache Size Updated to 20480
The default SSL session cache size has been updated to 20480 in this JDK release.
See JDK-8210985
client-libs/javax.swing
➜ Deprecated NSWindowStyleMaskTexturedBackground
After an upgrade of the macOS SDK used to build the JDK, the behavior of the apple.awt.brushMetalLook and textured Swing properties has changed. When these properties are set, the title of the frame is still visible. It is recommended that the apple.awt.transparentTitleBar property be set to true to make the title of the frame invisible again. The apple.awt.fullWindowContent property can also be used.
Please note that Textured window support was implemented by using the NSTexturedBackgroundWindowMask value of NSWindowStyleMask. However, this was deprecated in macOS 10.12 along with NSWindowStyleMaskTexturedBackground, which was deprecated in macOS 10.14.
For additional information, refer to the following documentation:
See JDK-8240995
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.8:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-6933331 | client-libs | 2d | (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created |
2 | JDK-8196181 | client-libs | 2d | sun/java2d/GdiRendering/InsetClipping.java fails |
3 | JDK-8209113 | client-libs | 2d | Use WeakReference for lastFontStrike for created Fonts |
4 | JDK-8214481 | client-libs | 2d | freetype path does not disable TrueType hinting with AA+FM hints |
5 | JDK-8224109 | client-libs | 2d | Text spaced incorrectly by drawString under rotation with fractional metrics |
6 | JDK-8234398 | client-libs | 2d | Replace ID2D1Factory::GetDesktopDpi with GetDeviceCaps |
7 | JDK-8235904 | client-libs | 2d | Infinite loop when rendering huge lines |
8 | JDK-8236996 | client-libs | 2d | Incorrect Roboto font rendering on Windows with subpixel antialiasing |
9 | JDK-8239091 | client-libs | 2d | Reversed arguments in call to strstr in freetype "debug" code. |
10 | JDK-8176359 | client-libs | java.awt | Frame#setMaximizedbounds not working properly in multi screen environments |
11 | JDK-8196019 | client-libs | java.awt | java/awt/Window/Grab/GrabTest.java fails on Windows |
12 | JDK-8211301 | client-libs | java.awt | [macos] support full window content options |
13 | JDK-8225126 | client-libs | java.awt | Test SetBoundsPaintTest.html failed on Windows when desktop is scaled |
14 | JDK-8226806 | client-libs | java.awt | [macOS 10.14] Methods of Java Robot should be called from appropriate thread |
15 | JDK-8231438 | client-libs | java.awt | [macOS] Dark mode for the desktop is not supported |
16 | JDK-8231564 | client-libs | java.awt | setMaximizedBounds is broken with large display scale and multiple monitors |
17 | JDK-8233573 | client-libs | java.awt | Toolkit.getScreenInsets(GraphicsConfiguration) may throw ClassCastException |
18 | JDK-8233707 | client-libs | java.awt | systemScale.cpp could not compile with VS2019 |
19 | JDK-8234107 | client-libs | java.awt | Several AWT modal dialog tests failing on Linux after JDK-8231991 |
20 | JDK-8237221 | client-libs | java.awt | [macos] java/awt/MenuBar/SeparatorsNavigation/SeparatorsNavigation.java fails |
21 | JDK-8238575 | client-libs | java.awt | DragSourceEvent.getLocation() returns wrong value on HiDPI screens (Windows) |
22 | JDK-8242174 | client-libs | java.awt | [macos] The NestedModelessDialogTest test make the macOS unstable |
23 | JDK-8242498 | client-libs | java.awt | Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash |
24 | JDK-8226253 | client-libs | javax.accessibility | JAWS reports wrong number of radio buttons when buttons are hidden |
25 | JDK-8238842 | client-libs | javax.imageio | AIOOBE in GIFImageReader.initializeStringTable |
26 | JDK-8221445 | client-libs | javax.sound | FastSysexMessage constructor crashes MIDI receiption thread |
27 | JDK-8040630 | client-libs | javax.swing | Popup menus and tooltips flicker with previous popup contents when first shown |
28 | JDK-8198339 | client-libs | javax.swing | Test javax/swing/border/Test6981576.java is unstable |
29 | JDK-8183369 | core-libs | java.net | RFC unconformity of HttpURLConnection with proxy |
30 | JDK-8210147 | core-libs | java.net | adjust some WSAGetLastError usages in windows network coding |
31 | JDK-8232854 | core-libs | java.net | URLClassLoader.close() doesn't close cached JAR file on Windows when load() fails |
32 | JDK-8044365 | core-libs | java.nio | (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9) |
33 | JDK-8221531 | core-libs | java.nio | Incorrect copyright header in src/java.base/windows/native/libnio/ch/FileChannelImpl.c |
34 | JDK-8205399 | core-libs | java.util:collections | Set node color on pinned HashMap.TreeNode deletion |
35 | JDK-8160768 | core-libs | javax.naming | Add capability to custom resolve host/domain names within the default JNDI LDAP provider |
36 | JDK-8214440 | core-libs | javax.naming | ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate" |
37 | JDK-8217606 | core-libs | javax.naming | LdapContext#reconnect always opens a new connection |
38 | JDK-8240523 | core-libs | javax.naming | JCK Test Case api/modulegraph/index.html#ModuleGraphTest failed in CI |
39 | JDK-8193879 | core-svc | debugger | Java debugger hangs on method invocation |
40 | JDK-8239055 | core-svc | debugger | Wrong implementation of VMState.hasListener |
41 | JDK-8206179 | core-svc | javax.management | com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value |
42 | JDK-8132849 | hotspot | compiler | Increased stop time in cleanup phase because of single-threaded walk of thread stacks in NMethodSweeper::mark_active_nmethods() |
43 | JDK-8156207 | hotspot | compiler | Resource allocated BitMaps are often cleared unnecessarily |
44 | JDK-8163511 | hotspot | compiler | Allocation of compile task fails with assert: "Leaking compilation tasks?" |
45 | JDK-8187078 | hotspot | compiler | -XX:+VerifyOops finds numerous problems when running JPRT |
46 | JDK-8208277 | hotspot | compiler | Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages |
47 | JDK-8209420 | hotspot | compiler | Track membars for volatile accesses so they can be properly optimized |
48 | JDK-8209439 | hotspot | compiler | C2 library_call can potentially ignore Math.pow intrinsic or use null pointer |
49 | JDK-8209684 | hotspot | compiler | Intrinsics that assume some input non null should use GraphKit::must_be_not_null() |
50 | JDK-8209686 | hotspot | compiler | cleanup arguments to PhaseIdealLoop() constructor |
51 | JDK-8210284 | hotspot | compiler | "assert((av & 0x00000001) == 0) failed: unsupported V8" on Solaris 11.4 |
52 | JDK-8210389 | hotspot | compiler | C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc |
53 | JDK-8211129 | hotspot | compiler | compiler/whitebox/ForceNMethodSweepTest.java fails after JDK-8132849 |
54 | JDK-8211233 | hotspot | compiler | MemBarNode::trailing_membar() and MemBarNode::leading_membar() need to handle dying subgraphs better |
55 | JDK-8211332 | hotspot | compiler | code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs |
56 | JDK-8211740 | hotspot | compiler | [AOT] -XX:AOTLibrary doesn't accept windows path |
57 | JDK-8211743 | hotspot | compiler | [AOT] crash in ScopeDesc::decode_body() when JVMTI walks AOT frames |
58 | JDK-8214344 | hotspot | compiler | C2: assert(con.basic_type() != T_ILLEGAL) failed: elembt=byte; loadbt=void; unsigned=0 |
59 | JDK-8214444 | hotspot | compiler | Wrong strncat limits in dfa.cpp |
60 | JDK-8214857 | hotspot | compiler | "bad trailing membar" assert failure at memnode.cpp:3220 |
61 | JDK-8214862 | hotspot | compiler | assert(proj != __null) at compile.cpp:3251 |
62 | JDK-8215551 | hotspot | compiler | Missing case label in nmethod::reloc_string_for() |
63 | JDK-8215555 | hotspot | compiler | TieredCompilation C2 threads can excessively block handshakes |
64 | JDK-8216151 | hotspot | compiler | [Graal] Module jdk.internal.vm.compiler.management has not been granted accessClassInPackage.org.graalvm.compiler.debug |
65 | JDK-8216154 | hotspot | compiler | C4819 warnings at HotSpot sources on Windows |
66 | JDK-8216541 | hotspot | compiler | CompiledICHolders of VM locked unloaded nmethods are released too late |
67 | JDK-8217230 | hotspot | compiler | assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types() |
68 | JDK-8217447 | hotspot | compiler | Develop flag TraceICs is broken |
69 | JDK-8219214 | hotspot | compiler | Infinite Loop in CodeSection::dump() |
70 | JDK-8219919 | hotspot | compiler | RuntimeStub's name lost with PrintFrameConverterAssembly |
71 | JDK-8220341 | hotspot | compiler | Class redefinition fails with assert(!is_unloaded()) failed: unloaded method on the stack |
72 | JDK-8221482 | hotspot | compiler | Initialize VMRegImpl::regName[] earlier to prevent assert during PrintStubCode |
73 | JDK-8221782 | hotspot | compiler | [Graal] Module jdk.internal.vm.compiler.management has not been granted accessClassInPackage.jdk.vm.ci.services |
74 | JDK-8225567 | hotspot | compiler | Wrong file headers with 8202414 fix changeset |
75 | JDK-8225783 | hotspot | compiler | Incorrect use of binary operators on booleans in type.cpp |
76 | JDK-8226198 | hotspot | compiler | use of & instead of && in LibraryCallKit::arraycopy_restore_alloc_state |
77 | JDK-8226879 | hotspot | compiler | Memory leak in Type::hashcons |
78 | JDK-8227034 | hotspot | compiler | Graal crash with gcbasher |
79 | JDK-8227632 | hotspot | compiler | Incorrect PrintCompilation message: made not compilable on levels 0 1 2 3 4 |
80 | JDK-8229855 | hotspot | compiler | C2 fails with assert(false) failed: bad AD file |
81 | JDK-8231515 | hotspot | compiler | [Graal] Crash during exception throwing in InterpreterRuntime::resolve_invoke |
82 | JDK-8232106 | hotspot | compiler | [x86] C2: SIGILL due to usage of SSSE3 instructions on processors which don't support it |
83 | JDK-8233019 | hotspot | compiler | java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit |
84 | JDK-8233364 | hotspot | compiler | Fix undefined behavior in Canonicalizer::do_ShiftOp |
85 | JDK-8235332 | hotspot | compiler | TestInstanceCloneAsLoadsStores.java fails with -XX:+StressGCM |
86 | JDK-8235762 | hotspot | compiler | JVM crash in SWPointer during C2 compilation |
87 | JDK-8235984 | hotspot | compiler | C2: assert(out->in(PhiNode::Region) == head || out->in(PhiNode::Region) == slow_head) failed: phi must be either part of the slow or the fast loop |
88 | JDK-8236285 | hotspot | compiler | [JVMCI] improve TranslatedException traces |
89 | JDK-8236709 | hotspot | compiler | struct SwitchRange in HS violates C++ One Definition Rule |
90 | JDK-8236759 | hotspot | compiler | ShouldNotReachHere in PhaseIdealLoop::verify_strip_mined_scheduling |
91 | JDK-8237045 | hotspot | compiler | JVM uses excessive memory with -XX:+EnableJVMCI -XX:JVMCICounterSize=2147483648 |
92 | JDK-8237086 | hotspot | compiler | assert(is_MachReturn()) running CTW with fix for JDK-8231291 |
93 | JDK-8237375 | hotspot | compiler | SimpleThresholdPolicy misses CounterDecay timestamp initialization |
94 | JDK-8237945 | hotspot | compiler | CTW: C2 compilation fails with assert(just_allocated_object(alloc_ctl) == ptr) failed: most recent allo |
95 | JDK-8237951 | hotspot | compiler | CTW: C2 compilation fails with "malformed control flow" |
96 | JDK-8238190 | hotspot | compiler | [JVMCI] Fix single implementor speculation for diamond shapes. |
97 | JDK-8238356 | hotspot | compiler | CodeHeap::blob_count() overestimates the number of blobs |
98 | JDK-8238438 | hotspot | compiler | SuperWord::co_locate_pack picks memory state of first instead of last load |
99 | JDK-8238756 | hotspot | compiler | C2: assert(((n) == __null || !VerifyIterativeGVN || !((n)->is_dead()))) failed: can not use dead node |
100 | JDK-8238765 | hotspot | compiler | PhaseCFG::schedule_pinned_nodes cannot handle precedence edges from unmatched CFG nodes correctly |
101 | JDK-8238811 | hotspot | compiler | C2: assert(i >= req() || i == 0 || is_Region() || is_Phi()) with -XX:+VerifyGraphEdges |
102 | JDK-8239142 | hotspot | compiler | C2's UseUniqueSubclasses optimization is broken for array accesses |
103 | JDK-8239456 | hotspot | compiler | [win][x86] vtable stub generation: assert failure (code size estimate) |
104 | JDK-8239852 | hotspot | compiler | java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed |
105 | JDK-8239931 | hotspot | compiler | [win][x86] vtable stub generation: assert failure (code size estimate) follow-up |
106 | JDK-8240220 | hotspot | compiler | IdealLoopTree::dump_head predicate printing is broken |
107 | JDK-8240223 | hotspot | compiler | Use consistent predicate order in and with PhaseIdealLoop::find_predicate |
108 | JDK-8240576 | hotspot | compiler | JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges |
109 | JDK-8240831 | hotspot | compiler | [JVMCI] Export missing vmStructs entries used by JVMCI compilers |
110 | JDK-8240905 | hotspot | compiler | assert(mem == (Node*)1 || mem == mem2) failed: multiple Memories being matched at once? |
111 | JDK-8240976 | hotspot | compiler | [JVMCI] MethodProfileWidth flag is broken |
112 | JDK-8241556 | hotspot | compiler | Memory leak if -XX:CompileCommand is set |
113 | JDK-8241900 | hotspot | compiler | Loop unswitching may cause dependence on null check to be lost |
114 | JDK-8242108 | hotspot | compiler | Performance regression after fix for JDK-8229496 |
115 | JDK-8242357 | hotspot | compiler | [JVMCI] Incorrect use of JVMCI_CHECK_ on return statement |
116 | JDK-8243467 | hotspot | compiler | [BACKOUT] JDK-8132849 and JDK-8211129 from 11.0.8-oracle |
117 | JDK-8204834 | hotspot | gc | Fix confusing "allocate" naming in OopStorage |
118 | JDK-8221534 | hotspot | gc | Incorrect copyright header in src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/gc/z/ZPageTableEntry.java |
119 | JDK-8231779 | hotspot | gc | crash HeapWord*ParallelScavengeHeap::failed_mem_allocate |
120 | JDK-8189633 | hotspot | runtime | Missing -Xcheck:jni checking for DeleteWeakGlobalRef |
121 | JDK-8203911 | hotspot | runtime | Test runtime/modules/getModuleJNI/GetModule fails with -Xcheck:jni |
122 | JDK-8209850 | hotspot | runtime | Allow NamedThreads to use GlobalCounter critical sections |
123 | JDK-8209976 | hotspot | runtime | Improve iteration over non-JavaThreads |
124 | JDK-8210303 | hotspot | runtime | VM_HandshakeAllThreads fails assert with "failed: blocked and not walkable" |
125 | JDK-8212933 | hotspot | runtime | Thread-SMR: requesting a VM operation whilst holding a ThreadsListHandle can cause deadlocks |
126 | JDK-8213250 | hotspot | runtime | CDS archive creation aborts due to metaspace object allocation failure |
127 | JDK-8219241 | hotspot | runtime | Provide basic virtualization related info in the hs_error file on linux/windows x86_64 |
128 | JDK-8219562 | hotspot | runtime | Line of code in osContainer_linux.cpp#L102 appears unreachable |
129 | JDK-8222720 | hotspot | runtime | Provide extended VMWare/vSphere virtualization related info in the hs_error file on linux/windows x86_64 |
130 | JDK-8224793 | hotspot | runtime | os::die() does not honor CreateCoredumpOnCrash option |
131 | JDK-8240529 | hotspot | runtime | CheckUnhandledOops breaks NULL check in Modules::define_module |
132 | JDK-8241296 | hotspot | runtime | Segfault in JNIHandleBlock::oops_do() |
133 | JDK-8241464 | hotspot | runtime | [11u] Backport: make rehashing be a needed guaranteed safepoint cleanup action |
134 | JDK-8241660 | hotspot | runtime | Add virtualization information output to hs_err file on macOS |
135 | JDK-8237589 | other-libs | other | Fix copyright header formatting |
136 | JDK-7092821 | security-libs | java.security | java.security.Provider.getService() is synchronized and became scalability bottleneck |
137 | JDK-8228613 | security-libs | java.security | java.security.Provider#getServices order is no longer deterministic |
138 | JDK-8231387 | security-libs | java.security | java.security.Provider.getService returns random result due to race condition with mutating methods in the same class |
139 | JDK-8238452 | security-libs | java.security | Keytool generates wrong expiration date if validity is set to 2050/01/01 |
140 | JDK-8246613 | security-libs | java.security | Choose the default SecureRandom algo based on registration ordering |
141 | JDK-8240983 | security-libs | javax.crypto | Incorrect copyright header in Apache Santuario 2.1.3 files |
142 | JDK-8238898 | security-libs | javax.crypto:pkcs11 | Missing hash characters for header on license file |
143 | JDK-8209333 | security-libs | javax.net.ssl | Socket reset issue for TLS 1.3 socket close |
144 | JDK-8211339 | security-libs | javax.net.ssl | NPE during SSL handshake caused by HostnameChecker |
145 | JDK-8215711 | security-libs | javax.net.ssl | Missing key_share extension for (EC)DHE key exchange should alert missing_extension |
146 | JDK-8223482 | security-libs | javax.net.ssl | Unsupported ciphersuites may be offered by a TLS client |
147 | JDK-8223940 | security-libs | javax.net.ssl | Private key not supported by chosen signature algorithm |
148 | JDK-8233621 | security-libs | javax.net.ssl | Mismatch in jsse.enableMFLNExtension property name |
149 | JDK-8235874 | security-libs | javax.net.ssl | The ordering of Cipher Suites is not maintained provided through “jdk.tls.client.cipherSuites” and “jdk.tls.server.cipherSuites” system property. |
150 | JDK-8236039 | security-libs | javax.net.ssl | JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 |
151 | JDK-8239798 | security-libs | javax.net.ssl | SSLSocket closes socket both socket endpoints on a SocketTimeoutException |
152 | JDK-8242294 | security-libs | javax.net.ssl | JSSE Client does not throw SSLException when an alert occurs during handshaking |
153 | JDK-8246031 | security-libs | javax.net.ssl | SSLSocket.getSession() doesn't close connection for timeout/ interrupts |
154 | JDK-8163251 | security-libs | javax.smartcardio | Hard coded loop limit prevents reading of smart card data greater than 8k |
155 | JDK-8210197 | tools | javac | javac can't tell during speculative attribution if a diamond expression is creating an anonymous inner class or not |
156 | JDK-8213908 | tools | javac | AssertionError in DeferredAttr at setOverloadKind |
157 | JDK-8214345 | tools | javac | infinite recursion while checking super class |
158 | JDK-8218268 | tools | javac | Javac treats Manifest Class-Path entries as Paths instead of URLs |
159 | JDK-8200432 | tools | javadoc(tool) | javadoc fails with ClassCastException on {@link byte[]} |
160 | JDK-8212233 | tools | javadoc(tool) | javadoc fails on jdk12 with "The code being documented uses modules but the packages defined in $URL are in the unnamed module." |
161 | JDK-8214856 | tools | javadoc(tool) | Errors with JSZip in web console after upgrade to 3.1.5 |
162 | JDK-8236700 | tools | javadoc(tool) | Upgrading JSZip from v3.1.5 to v3.2.2 |
163 | JDK-8216261 | tools | javap | Javap ignores default modifier on interfaces |
164 | JDK-8217093 | tools | launcher | Support extended-length paths in parse_manifest.c on Windows |
165 | JDK-8240629 | tools | launcher | argfiles parsing broken for argfiles with comment cross 4096 bytes chunk |
166 | JDK-8221533 | xml | jaxp | Incorrect copyright header in DurationDayTimeImpl.java, DurationYearMonthImpl.java and XMLStreamException.java |
167 | JDK-8242470 | xml | jaxp | Update Xerces to Version 2.12.1 |
The following sections summarize changes made in all Java SE 11.0.7 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Please note that fixes from the prior BPR are included in this version.
April 14, 2020
The full version string for this update release is 11.0.7+8 (where "+" means "build"). The version number is 11.0.7.
JDK 11.0.7 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.7 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.7+8 |
8 | 1.8.0_251-b08 |
7 | 1.7.0_261-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.7) be used after the next critical patch update scheduled for July 14, 2020.
➜ Support for MS Cryptography Next Generation (CNG)
The SunMSCAPI provider now supports reading private keys in Cryptography Next Generation (CNG) format. This means that RSA and EC keys in CNG format are loadable from Windows keystores, such as "Windows-MY". Signature algorithms related to EC (SHA1withECDSA, SHA256withECDSA, etc.) are also supported.
See JDK-8026953
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.7:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-6511207 | client-libs | 2d | java/awt/FullScreen/VramExaustionFSTest/VramExaustionFSTest.java fails |
2 | JDK-8227324 | client-libs | 2d | Upgrade to freetype 2.10.1 |
3 | JDK-8234769 | client-libs | 2d | Duplicate attribution in freetype.md |
4 | JDK-8220322 | client-libs | java.awt | This case automatically fails, it cannot find symbol variable OldScrollb at class OldScrollEvents |
5 | JDK-8224821 | client-libs | java.awt | java/awt/Focus/NoAutotransferToDisabledCompTest/NoAutotransferToDisabledCompTest.java fails linux-x64 |
6 | JDK-8224830 | client-libs | java.awt | test/jdk/java/awt/Focus/ModalExcludedWindowClickTest/ModalExcludedWindowClickTest.java fails on linux-x64 |
7 | JDK-8225105 | client-libs | java.awt | java/awt/Focus/ShowFrameCheckForegroundTest/ShowFrameCheckForegroundTest.java fails in Windows 10 |
8 | JDK-8225487 | client-libs | java.awt | giflib legal file is missing attribution for openbsd-reallocarray.c. |
9 | JDK-8230597 | client-libs | java.awt | Update GIFlib library to the 5.2.1 |
10 | JDK-8230926 | client-libs | java.awt | [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout |
11 | JDK-8232433 | client-libs | java.awt | [macos 10.15] java/awt/Window/LocationAtScreenCorner/LocationAtScreenCorner.java may fail |
12 | JDK-7054477 | client-libs | javax.swing | closed/javax/swing/BufferStrategyPaintManager/6354265/bug6354265.java failed |
13 | JDK-8194944 | client-libs | javax.swing | Regression automated test 'open/test/jdk/javax/swing/JInternalFrame/8145896/TestJInternalFrameMaximize.java' fails |
14 | JDK-8196467 | client-libs | javax.swing | javax/swing/JInternalFrame/Test6325652.java fails |
15 | JDK-8198321 | client-libs | javax.swing | javax/swing/JEditorPane/5076514/bug5076514.java fails |
16 | JDK-8198398 | client-libs | javax.swing | Test javax/swing/JColorChooser/Test6199676.java fails in mach5 |
17 | JDK-8199072 | client-libs | javax.swing | Test javax/swing/GroupLayout/6613904/bug6613904.java is unstable |
18 | JDK-8203904 | client-libs | javax.swing | javax/swing/JSplitPane/4816114/bug4816114.java: The divider location is wrong |
19 | JDK-8209418 | client-libs | javax.swing | Synchronize test/jdk/sanity/client/lib/jemmy with code-tools/jemmy/v2 |
20 | JDK-8209494 | client-libs | javax.swing | Create a test for SwingSet3 InternalFrameDemo |
21 | JDK-8209499 | client-libs | javax.swing | Create test for SwingSet3 EditorPaneDemo |
22 | JDK-8209789 | client-libs | javax.swing | Synchronize test/jdk/sanity/client/lib/jemmy with code-tools/jemmy/v2 |
23 | JDK-8209993 | client-libs | javax.swing | Create a test for SwingSet3 ToolTipDemo |
24 | JDK-8210052 | client-libs | javax.swing | Enable testing for all the available look and feels in SwingSet3 demo tests |
25 | JDK-8210055 | client-libs | javax.swing | Enable different look and feel tests in SwingSet3 demo tests |
26 | JDK-8210057 | client-libs | javax.swing | Enable different look and feels in SwingSet3 demo test InternalFrameDemoTest |
27 | JDK-8210910 | client-libs | javax.swing | Create test for FileChooserDemo |
28 | JDK-8210994 | client-libs | javax.swing | Create test for SwingSet3 FrameDemo |
29 | JDK-8211443 | client-libs | javax.swing | Enable different look and feels in SwingSet3 demo test SplitPaneDemoTest |
30 | JDK-8211703 | client-libs | javax.swing | JInternalFrame : java.lang.AssertionError: cannot find the internal frame |
31 | JDK-8212897 | client-libs | javax.swing | Some improvements in the EditorPaneDemotest |
32 | JDK-8213168 | client-libs | javax.swing | Enable different look and feel tests in SwingSet3 demo test FileChooserDemoTest |
33 | JDK-8214471 | client-libs | javax.swing | Enable different look and feel tests in SwingSet3 demo test ToolTipDemoTest |
34 | JDK-8216353 | client-libs | javax.swing | Use utility APIs introduced in org/netbeans/jemmy/util/LookAndFeel class in client sanity test cases |
35 | JDK-8217235 | client-libs | javax.swing | Create automated test for SwingSet ColorChooserDemoTest |
36 | JDK-8221312 | client-libs | javax.swing | test/jdk/sanity/client/SwingSet/src/ColorChooserDemoTest.java failed |
37 | JDK-8222519 | client-libs | javax.swing | ButtonDemoScreenshotTest fails randomly with "still state to be reached" |
38 | JDK-8224475 | client-libs | javax.swing | JTextPane does not show images in HTML rendering |
39 | JDK-8225144 | client-libs | javax.swing | [macos] In Aqua L&F backspace key does not delete when Shift is pressed |
40 | JDK-8226892 | client-libs | javax.swing | ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys |
41 | JDK-8235744 | client-libs | javax.swing | PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64 |
42 | JDK-8218280 | core-libs | java.io | LineNumberReader throws "Mark invalid" exception if CRLF straddles buffer. |
43 | JDK-8229899 | core-libs | java.io | java.io.File.isInvalid() is racy |
44 | JDK-6996807 | core-libs | java.io:serialization | FieldReflectorKey hash code computation can be improved |
45 | JDK-8208715 | core-libs | java.lang | Conversion of milliseconds to nanoseconds in UNIXProcess contains bug. |
46 | JDK-8224181 | core-libs | java.lang | On child process spawn, child may write to random file descriptor instead of the fail pipe |
47 | JDK-8206955 | core-libs | java.lang.invoke | MethodHandleProxies.asInterfaceInstance does not support default methods |
48 | JDK-8225117 | core-libs | java.math | java/math/BigInteger/SymmetricRangeTests.java fails with ParseException |
49 | JDK-8216355 | core-libs | java.net | missing NULL checks in libnet in interface iteration and potential resource leak in getMacAddress |
50 | JDK-8218662 | core-libs | java.net | Allow 204 responses with Content-Length:0 |
51 | JDK-8202252 | core-libs | java.nio | (aio) Closed AsynchronousSocketChannel keeps completion handler alive |
52 | JDK-8229888 | core-libs | java.nio | (zipfs) Updating an existing zip file does not preserve original permissions |
53 | JDK-8234824 | core-libs | java.nio | java/nio/channels/SocketChannel/AdaptSocket.java fails on Windows 10 |
54 | JDK-8237368 | core-libs | java.rmi | Problem with NullPointerException in RMI TCPEndpoint.read |
55 | JDK-8221120 | core-libs | java.util.concurrent | CopyOnWriteArrayList.set should always have volatile write semantics |
56 | JDK-8221892 | core-libs | java.util.concurrent | ThreadPoolExecutor: Thread.isAlive() is not equivalent to not being startable |
57 | JDK-8222930 | core-libs | java.util.concurrent | ConcurrentSkipListMap.clone() shares size variable between original and clone |
58 | JDK-8234466 | core-libs | java.util.jar | Class loading deadlock involving X509Factory#commitEvent() |
59 | JDK-8237508 | core-libs | java.util.jar | Simplify JarFile.isInitializing |
60 | JDK-8234423 | core-libs | java.util:collections | Modifying ArrayList.subList().subList() resets modCount of subList |
61 | JDK-8226869 | core-libs | java.util:i18n | Test java/util/Locale/LocaleProvidersRun.java should enable assertions |
62 | JDK-8223260 | core-libs | javax.naming | NamingManager should cache InitialContextFactory |
63 | JDK-8193042 | hotspot | compiler | NativeLookup::lookup_critical_entry() should only load shared library once |
64 | JDK-8206963 | hotspot | compiler | [AOT] bug with multiple class loaders |
65 | JDK-8209574 | hotspot | compiler | [AOT] breakpoint events are generated in different threads does not meet expected count when testcase vm/jvmti/Breakpoint/brkp001/brkp00102/brkp00102.html is executed |
66 | JDK-8210220 | hotspot | compiler | [AOT] jdwp test cases are failing with error # ERROR: TEST FAILED: Cought IOException while receiving event packet: # ERROR: java.net.SocketTimeoutException: Read timed out |
67 | JDK-8213604 | hotspot | compiler | Fix missing includes after JDK-8212673 |
68 | JDK-8214557 | hotspot | compiler | Filter out VM flags which don't affect AOT code generation |
69 | JDK-8215322 | hotspot | compiler | add @file support to jaotc |
70 | JDK-8216199 | hotspot | compiler | Local variable arg defined but never used in BCEscapeAnalyzer::compute_escape_for_intrinsic() |
71 | JDK-8218201 | hotspot | compiler | Failures when vmIntrinsics::_getClass is not inlined |
72 | JDK-8218879 | hotspot | compiler | Keep track of memory accesses originated from Unsafe |
73 | JDK-8224658 | hotspot | compiler | Unsafe access C2 compile fails with assert(flat != TypePtr::BOTTOM) failed: cannot alias-analyze an untyped ptr: adr_type = NULL |
74 | JDK-8225019 | hotspot | compiler | Update JVMCI |
75 | JDK-8225199 | hotspot | compiler | [Graal] compiler/jvmci/compilerToVM/IsMatureVsReprofileTest.java fails with -XX:CompileThresholdScaling=0.1 |
76 | JDK-8228888 | hotspot | compiler | C2 compilation fails with assert "m has strange control" |
77 | JDK-8229377 | hotspot | compiler | [JVMCI] Improve InstalledCode.invalidate for large code caches |
78 | JDK-8229961 | hotspot | compiler | Assert failure in compiler/graalunit/HotspotTest.java |
79 | JDK-8229994 | hotspot | compiler | assert(false) failed: Bad graph detected in get_early_ctrl_for_expensive |
80 | JDK-8231620 | hotspot | compiler | assert(bol->is_Bool()) crash during split if due to FastLockNode |
81 | JDK-8232539 | hotspot | compiler | SIGSEGV in C2 Node::unique_ctrl_out |
82 | JDK-8233081 | hotspot | compiler | C1: PatchingStub for field access copies too much |
83 | JDK-8233745 | hotspot | compiler | [JVMCI] TranslatedException should serialize classloader and module info |
84 | JDK-8233820 | hotspot | compiler | Test crashed with assert(phi->operand_count() != 1 || phi->subst() != phi) failed: missed trivial simplification |
85 | JDK-8233900 | hotspot | compiler | [JVMCI] improve help text for EnableJVMCIProduct option |
86 | JDK-8234359 | hotspot | compiler | [JVMCI] invalidate_nmethod_mirror shouldn't use a phantom reference |
87 | JDK-8234610 | hotspot | compiler | MaxVectorSize set wrongly when UseAVX=3 is specified after JDK-8221092 |
88 | JDK-8234617 | hotspot | compiler | C1: Incorrect result of field load due to missing narrowing conversion |
89 | JDK-8234681 | hotspot | compiler | Remove UseJVMCIClassLoader logic from JVMCI code |
90 | JDK-8235288 | hotspot | compiler | AVX 512 instructions inadvertently used on Xeon for small vector width operations |
91 | JDK-8235438 | hotspot | compiler | [JVMCI] StackTraceElement::decode should use the original Method |
92 | JDK-8235539 | hotspot | compiler | [JVMCI] -XX:+EnableJVMCIProduct breaks -XX:-EnableJVMCI |
93 | JDK-8236140 | hotspot | compiler | assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it |
94 | JDK-8204529 | hotspot | gc | gc/TestAllocateHeapAtMultiple.java fail with Agent 7 timed out |
95 | JDK-8211211 | hotspot | gc | vmTestbase/metaspace/stressDictionary/StressDictionary.java timeout |
96 | JDK-8229020 | hotspot | gc | Failure on CPUs allowing loads reordering: assert(_tasks[t] == 1) failed: What else? |
97 | JDK-8229169 | hotspot | gc | False failure of GenericTaskQueue::pop_local on architectures with weak memory model |
98 | JDK-8213015 | hotspot | jfr | Inconsistent settings between JFR.configure and -XX:FlightRecorderOptions |
99 | JDK-8213617 | hotspot | jfr | JFR should record the PID of the recorded process |
100 | JDK-8215284 | hotspot | jfr | Reduce noise induced by periodic task getFileSize() |
101 | JDK-8215771 | hotspot | jfr | The jfr tool should pretty print reference chains |
102 | JDK-8216064 | hotspot | jfr | -XX:StartFlightRecording:settings= doesn't work properly |
103 | JDK-8216486 | hotspot | jfr | Possibility of integer overflow in JfrThreadSampler::run() |
104 | JDK-8219205 | hotspot | jfr | JFR file without license header |
105 | JDK-8220657 | hotspot | jfr | JFR.dump does not work when filename is set |
106 | JDK-8221569 | hotspot | jfr | JFR tool produces incorrect output when both --categories and --events are specified |
107 | JDK-8223697 | hotspot | jfr | jfr tool can't format duration values greater than 1 minute |
108 | JDK-8224217 | hotspot | jfr | RecordingInfo should use textual representation of path |
109 | JDK-8225694 | hotspot | jfr | Destination option missing in FlightRecorderMXBeanImpl |
110 | JDK-8227411 | hotspot | jfr | TestTimeMultiple.java failed "assert(!lease()) failed: invariant" |
111 | JDK-8227605 | hotspot | jfr | Kitchensink fails "assert((((klass)->trace_id() & (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0)) failed: invariant" |
112 | JDK-8233075 | hotspot | jfr | JFR - nmetods - misspelled in several places |
113 | JDK-8209361 | hotspot | jvmti | [AOT] Unexpected number of references for JVMTI_HEAP_REFERENCE_CONSTANT_POOL [111-->111]: 0 (expected at least 1) |
114 | JDK-8207832 | hotspot | runtime | serviceability/sa/ClhsdbCDSCore.java failed with java.lang.Error: Couldn't find core file location in: |
115 | JDK-8216977 | hotspot | runtime | ShowHiddenFrames use in java_lang_StackTraceElement::fill_in appears broken |
116 | JDK-8223336 | hotspot | runtime | Assert in VirtualMemoryTracker::remove_released_region when running the SharedArchiveConsistency.java test with -XX:NativeMemoryTracking=detail |
117 | JDK-8226406 | hotspot | runtime | JVM fails to detect mismatched or corrupt CDS archive |
118 | JDK-8229345 | hotspot | runtime | Memory leak due to vtable stubs not being shared on SPARC |
119 | JDK-8232052 | hotspot | runtime | use string literal for format string when handling PauseAtStartupFile |
120 | JDK-8204308 | hotspot | svc-agent | SA: serviceability/sa/TestInstanceKlassSize*.java fails when running in CDS mode |
121 | JDK-8227645 | hotspot | svc-agent | Some tests in serviceability/sa run with fixed -Xmx values and risk running out of memory |
122 | JDK-8223671 | infrastructure | | The latest Java 8 is not ready to use in applications on future macOS versions |
123 | JDK-8225180 | security-libs | java.security | SignedObject with invalid Key not throwing the InvalidKeyException in Windows |
124 | JDK-8228969 | security-libs | java.security | 2019-09-28 public suffix list update |
125 | JDK-8223003 | security-libs | javax.crypto | SunMSCAPI keys are not cleaned up |
126 | JDK-8183107 | security-libs | javax.crypto:pkcs11 | PKCS11 regression regarding checkKeySize |
127 | JDK-8232950 | security-libs | javax.crypto:pkcs11 | SUNPKCS11 Provider incorrectly check key length for PSS Signatures. |
128 | JDK-4919790 | security-libs | javax.net.ssl | Errors in alert ssl message does not reflect the actual certificate status |
129 | JDK-8225766 | security-libs | javax.net.ssl | Curve in certificate should not affect signature scheme when using TLSv1.3 |
130 | JDK-8207395 | tools | jar | jar should support UNC-path arguments for the jar -C parameter |
131 | JDK-8218152 | tools | javac | [javac] fails and exits with no error if a bad annotation processor provided |
132 | JDK-8208269 | tools | javadoc(tool) | Javadoc does not support module-info in a multi-release jar |
133 | JDK-8215026 | tools | jlink | Incorrect amount of memory unmapped with ImageFileReader::close() |
134 | JDK-8215123 | tools | jlink | Crash in runtime image built with jlink --compress=2 |
135 | JDK-8234696 | tools | jlink | tools/jlink/plugins/VendorInfoPluginsTest.java times out |
136 | JDK-8234339 | tools | launcher | replace JLI_StrTok in java_md_solinux.c |
137 | JDK-8016914 | xml | javax.xml.parsers | CoreDocumentImpl.setXmlVersion NPE |
138 | JDK-8180901 | xml | javax.xml.transform | Transformer.reset() resets the state only once |
139 | JDK-8207760 | xml | javax.xml.transform | SAXException: Invalid UTF-16 surrogate detected: d83c ? |
140 | JDK-8233548 | xml | jaxp | Update CUP to v0.11b |
The following sections summarize changes made in all Java SE 11.0.6 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Bug Fixes
January 14, 2020
The full version string for this update release is 11.0.6+8 (where "+" means "build"). The version number is 11.0.6.
JDK 11.0.6 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.6 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.6+8 |
8 | 1.8.0_241-b07 |
7 | 1.7.0_251-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.6) be used after the next critical patch update scheduled for April 14, 2020.
➜ Allow SASL Mechanisms to Be Restricted
A security property named jdk.sasl.disabledMechanisms has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms argument of Sasl.createSaslClient or the mechanism argument of Sasl.createSaslServer. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.
See JDK-8200400
➜ SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40
The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.
See JDK-8080462
The java.rmi.Remote marker interface identifies interfaces containing methods that can be invoked remotely by using the following specification:
java.rmi.Remote can be invoked remotely
Remote directly or indirectly cannot be invoked remotely
This affects remote objects in the java.rmi.registry.Registry and any other remote object.
JDK-8230967 (not public)
➜ New Checks on Trust Anchor Certificates
New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.
A new system property named jdk.security.allowNonCaAnchor has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.
The default value of this property, if not set, is "false".
Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).
This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.
JDK-8230318 (not public)
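An added example, not part of the original release notes or the JDK: a small audit that applies the checks described above (Basic Constraints with cA set, keyCertSign when a Key Usage extension is present) to the certificate entries of a truststore, so that non-conforming anchors can be found and replaced rather than re-enabled with jdk.security.allowNonCaAnchor. The class name, the default path under java.home and the default password "changeit" are assumptions; X.509 v1 certificates are reported separately instead of being judged.

```java
import java.io.File;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Hypothetical helper: lists trust anchors that lack proper CA extensions. */
public class TrustAnchorAudit {

    // Position of keyCertSign in the boolean[] returned by getKeyUsage().
    private static final int KEY_CERT_SIGN = 5;

    /** Classifies one certificate against the trust anchor checks in the note above. */
    static String check(X509Certificate cert) {
        if (cert.getVersion() < 3) {
            // v1 certificates carry no extensions; the note says the property
            // does not apply to them, so they are only reported here.
            return "SKIP: X.509 v" + cert.getVersion() + " (no extensions)";
        }
        // getBasicConstraints() returns -1 when the extension is absent
        // or when it is present with cA=false.
        if (cert.getBasicConstraints() == -1) {
            return "FAIL: Basic Constraints missing or cA is not true";
        }
        boolean[] keyUsage = cert.getKeyUsage(); // null when the extension is absent
        if (keyUsage != null
                && (keyUsage.length <= KEY_CERT_SIGN || !keyUsage[KEY_CERT_SIGN])) {
            return "FAIL: Key Usage present but keyCertSign is not set";
        }
        return "OK";
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the JDK's own cacerts file and its default password.
        File store = args.length > 0
                ? new File(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toFile();
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // KeyStore.getInstance(File, char[]) detects the keystore type (Java 9+).
        KeyStore ks = KeyStore.getInstance(store, password);

        int total = 0;
        int flagged = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) {
                continue; // only trusted certificate entries act as trust anchors
            }
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            total++;
            X509Certificate x509 = (X509Certificate) cert;
            String result = check(x509);
            if (!result.equals("OK")) {
                flagged++;
                System.out.println(alias + " [" + x509.getSubjectX500Principal().getName()
                        + "] " + result);
            }
        }
        System.out.println(total + " certificate entries checked, " + flagged + " reported");
    }
}
```

Run it against each application truststore as well as cacerts; every FAIL entry is an anchor that stops being accepted unless jdk.security.allowNonCaAnchor is set.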
➜ Exact Match Required for Trusted TLS Server Certificate
A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.
JDK-8227758 (not public)
➜ Added LuxTrust Global Root 2 Certificate
The following root certificate has been added to the cacerts truststore:
+ LuxTrust
+ luxtrustglobalroot2ca
DN: CN=LuxTrust Global Root 2, O=LuxTrust S.A., C=LU
See JDK-8232019
➜ Added 4 Amazon Root CA Certificates
The following root certificates have been added to the cacerts truststore:
+ Amazon
+ amazonrootca1
DN: CN=Amazon Root CA 1, O=Amazon, C=US
+ amazonrootca2
DN: CN=Amazon Root CA 2, O=Amazon, C=US
+ amazonrootca3
DN: CN=Amazon Root CA 3, O=Amazon, C=US
+ amazonrootca4
DN: CN=Amazon Root CA 4, O=Amazon, C=US
See JDK-8233223
➜ Turn off AOT by Default and Change Related Flags to Experimental
The following AOT support related flags have been made experimental: UseAOT, PrintAOT and AOTLibrary. Also, the default value of UseAOT has been changed from enabled to disabled.
See JDK-8227439
Epsilon GC may have violated the specification requirements by accepting the type-incompatible store into the array, instead of throwing the ArrayStoreException. This is now handled correctly, both in this release, and associated backports. Users are advised to upgrade as soon as possible.
The following are some of the notable bug fixes included in this release:
➜ Memory Growth Issue in SunPKCS11 Fixed
A memory growth issue in the SunPKCS11 cryptographic provider that affects the NSS back-end has been fixed.
A system property, sun.security.pkcs11.disableKeyExtraction, has been introduced to disable the fix. A "true" value disables the fix, while a "false" value (default) keeps it enabled.
When enabled, PKCS#11 attributes of the NSS native keys are copied to Java byte buffers after key creation. Once used, NSS keys are destroyed and native heap space is freed up. If NSS keys are required again, they are recreated with the previously saved attributes.
Further information and implementation details can be found in the CSR: JDK-8213430
See JDK-6913047
➜ Better Serial Filter Handling
The jdk.serialFilter system property can only be set on the command line. If the filter has not been set on the command line, it can be set with java.io.ObjectInputFilter.Config.setSerialFilter. Setting the jdk.serialFilter with java.lang.System.setProperty has no effect.
JDK-8231422 (not public)
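An added example (not from the release notes or the JDK) of the behaviour described above, for a JDK that includes this change: setting jdk.serialFilter with System.setProperty leaves the process-wide filter unset, while ObjectInputFilter.Config.setSerialFilter installs one that rejects an unexpected class. The class names are hypothetical and the serialized object is constructed sample data.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerialFilterDemo {

    // Constructed sample type standing in for a class the application does not expect.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "constructed sample";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    /** Deserializes with whatever process-wide filter is currently installed. */
    static String tryRead(byte[] data) {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] data = serialize(new Unexpected());

        // Run-time attempt: per the note above this has no effect on the filter.
        System.setProperty("jdk.serialFilter", "!*");
        System.out.println("filter after System.setProperty: "
                + ObjectInputFilter.Config.getSerialFilter());
        System.out.println("read 1: " + tryRead(data));

        // Supported run-time route. The filter can be set only once, so skip this
        // when the command line or the java.security file already provided one.
        if (ObjectInputFilter.Config.getSerialFilter() == null) {
            // Allow classes from the java.base module, reject everything else.
            ObjectInputFilter filter =
                    ObjectInputFilter.Config.createFilter("java.base/*;!*");
            ObjectInputFilter.Config.setSerialFilter(filter);
        }
        System.out.println("filter after setSerialFilter: "
                + ObjectInputFilter.Config.getSerialFilter());
        System.out.println("read 2: " + tryRead(data));
    }
}
```

Started without -Djdk.serialFilter, the first read is accepted and the second is rejected; the command-line equivalent is java -Djdk.serialFilter='java.base/*;!*' SerialFilterDemo, in which case both reads are rejected.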
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.6:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8208179 | client-libs | 2d | Devanagari not shown with logical fonts on Windows after removal of Lucida Sans from JDK |
2 | JDK-8210384 | client-libs | 2d | SunLayoutEngine.isAAT() font is expensive on MacOS |
3 | JDK-8212071 | client-libs | 2d | Need to set the FreeType LCD Filter to reduce fringing. |
4 | JDK-8213568 | client-libs | 2d | Typo in java/awt/GraphicsEnvironment/LoadLock/GE_init5.java |
5 | JDK-8217707 | client-libs | 2d | JNICALL declaration breaks Splash screen functions |
6 | JDK-8220231 | client-libs | 2d | Cache HarfBuzz face object for same font's text layout calls |
7 | JDK-8228711 | client-libs | 2d | Path rendered incorrectly when it goes outside the clipping region |
8 | JDK-8230728 | client-libs | 2d | Thin stroked shapes are not rendered if affine transform has flip bit |
9 | JDK-8230769 | client-libs | 2d | BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return |
10 | JDK-8144125 | client-libs | java.awt | [macos] java/awt/event/ComponentEvent/MovedResizedTwiceTest/MovedResizedTwiceTest.java failed automatically |
11 | JDK-8211267 | client-libs | java.awt | StackOverflowError happened by TextField.setFont(...) |
12 | JDK-8211810 | client-libs | java.awt | X11 Time stamp data should be unsigned |
13 | JDK-8211826 | client-libs | java.awt | StringIndexOutOfBoundsException happens via GetStringUTFRegion() |
14 | JDK-8211992 | client-libs | java.awt | GraphicsConfiguration.getDevice().getDisplayMode() causes JVM crash on Mac |
15 | JDK-8212677 | client-libs | java.awt | X11 default visual support for IM status window on VNC |
16 | JDK-8213119 | client-libs | java.awt | [macos] java/awt/GraphicsDevice/CheckDisplayModes.java fails |
17 | JDK-8213292 | client-libs | java.awt | Input freezes after MacOS key-selector (press&hold) usage on macOS Mojave |
18 | JDK-8214046 | client-libs | java.awt | [macosx] Undecorated Frame does not Iconify when set to |
19 | JDK-8215105 | client-libs | java.awt | java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color |
20 | JDK-8215200 | client-libs | java.awt | IllegalArgumentException in sun.lwawt.macosx.CPlatformWindow |
21 | JDK-8215756 | client-libs | java.awt | Memory leaks in the AWT on macOS |
22 | JDK-8219504 | client-libs | java.awt | Test for JDK-8211435 can be run on all platforms |
23 | JDK-8221246 | client-libs | java.awt | NullPointerException within Win32ShellFolder2 |
24 | JDK-8224152 | client-libs | java.awt | [macOS] ProblemList tests that leave rubbish on the screen |
25 | JDK-8230782 | client-libs | java.awt | Robot.createScreenCapture() fails if “awt.robot.gtk” is set to false |
26 | JDK-8211393 | client-libs | java.awt:i18n | Memory leak issue on awt_InputMethod.c |
27 | JDK-8211147 | client-libs | java.beans | Incorrect comparator com.sun.beans.introspect.MethodInfo.MethodOrder |
28 | JDK-8221244 | client-libs | java.beans | Unexpected behavior of PropertyDescription.getReadMethod for boolean properties |
29 | JDK-8225505 | client-libs | javax.swing | ctrl-F1 does not show the tooltip of a menu item (JMenuItems) |
30 | JDK-8185898 | core-libs | java.net | setRequestProperty(key, null) results in HTTP header without colon in request |
31 | JDK-8221395 | core-libs | java.net | HttpClient leaving connections in CLOSE_WAIT state until Java process ends |
32 | JDK-8222968 | core-libs | java.net | ByteArrayPublisher is not thread-safe resulting in broken re-use of HttpRequests |
33 | JDK-8227127 | core-libs | java.text | Era designator not displayed correctly using the COMPAT provider |
34 | JDK-8212970 | core-libs | java.time | TZ database in "vanguard" format support |
35 | JDK-8231770 | core-libs | java.util.jar | Test java/util/zip/FlaterTest.java fails with -Xcheck:jni |
36 | JDK-8227368 | core-libs | java.util:collections | EnumSet.class serialization broken in JDK 9+ |
37 | JDK-8220227 | core-libs | java.util:i18n | Host Locale Provider getDisplayCountry returns error message under non-English Win10 |
38 | JDK-8227391 | core-libs | jdk.nashorn | Update double-conversion to version 3.1.5 |
39 | JDK-8232984 | core-libs | jdk.nashorn | Upgrading Joni License version to 2.1.16 |
40 | JDK-8230303 | core-svc | debugger | JDB hangs when running monitor command |
41 | JDK-8220474 | core-svc | java.lang.instrument | Incorrect GPL header in src/java.instrument/share/classes/java/lang/instrument/package-info.java |
42 | JDK-8220175 | core-svc | tools | serviceability/dcmd/framework/VMVersionTest.java fails with a timeout |
43 | JDK-8087128 | hotspot | compiler | C2: Disallow definition split on MachCopySpill nodes |
44 | JDK-8202952 | hotspot | compiler | C2: Unexpected dead nodes after matching |
45 | JDK-8209691 | hotspot | compiler | Allow MemBar on single memory slice |
46 | JDK-8209833 | hotspot | compiler | C2 compilation fails with "assert(ex_map->jvms()->same_calls_as(_exceptions->jvms())) failed: all collected exceptions must come from the same place" |
47 | JDK-8210387 | hotspot | compiler | C2 compilation fails with "assert(node->_last_del == _last) failed: must have deleted the edge just produced" |
48 | JDK-8210390 | hotspot | compiler | C2 still crashes with "assert(mode == ControlAroundStripMined && use == sfpt) failed: missed a node" |
49 | JDK-8211232 | hotspot | compiler | GraphKit::make_runtime_call() sometimes attaches wrong memory state to call |
50 | JDK-8211776 | hotspot | compiler | 8210887 broke arraycopy optimization when ZGC is enabled |
51 | JDK-8212673 | hotspot | compiler | jtreg/applications/runthese/RunThese30M.java fails in C2 with "assert(!had_error) failed: bad dominance" |
52 | JDK-8213014 | hotspot | compiler | Crash in CompileBroker::make_thread due to OOM |
53 | JDK-8214773 | hotspot | compiler | Replace use of thread unsafe strtok |
54 | JDK-8215044 | hotspot | compiler | C2 crash in loopTransform.cpp with assert(cl->trip_count() > 0) failed: peeling a fully unrolled loop |
55 | JDK-8215265 | hotspot | compiler | C2: range check elimination may allow illegal out of bound access |
56 | JDK-8215708 | hotspot | compiler | ZGC: Add missing LoadBarrierNode::size_of() |
57 | JDK-8215755 | hotspot | compiler | ZGC: split_barrier_thru_phi: check number of inputs of phi |
58 | JDK-8216135 | hotspot | compiler | C2 assert(!had_error) failed: bad dominance |
59 | JDK-8216427 | hotspot | compiler | ciMethodData::load_extra_data() does not always unpack the last entry |
60 | JDK-8216549 | hotspot | compiler | Mismatched unsafe access to non escaping object fails |
61 | JDK-8216987 | hotspot | compiler | ciMethodData::load_data() unpacks MDOs with non-atomic copy |
62 | JDK-8217359 | hotspot | compiler | C2 compiler triggers SIGSEGV after transformation in ConvI2LNode::Ideal |
63 | JDK-8217371 | hotspot | compiler | Incorrect LP64 guard in x86.ad after JDK-8210764 (Update avx512 implementation) |
64 | JDK-8217760 | hotspot | compiler | C2: Missing symbolic info on a call from intrinsics when invoked through MethodHandle |
65 | JDK-8218163 | hotspot | compiler | C2: Continuous deoptimization w/ Reason_speculate_class_check and Action_none |
66 | JDK-8218468 | hotspot | compiler | Load barrier slow path node should be MachTypeNode |
67 | JDK-8219517 | hotspot | compiler | assert(false) failed: infinite loop in PhaseIterGVN::optimize |
68 | JDK-8221456 | hotspot | compiler | nmethod::make_unloaded() clears _method member too early |
69 | JDK-8224538 | hotspot | compiler | LoadBarrierNode::common_barrier must check address |
70 | JDK-8224558 | hotspot | compiler | Fix replicateB encoding |
71 | JDK-8225141 | hotspot | compiler | Better handling of classes in error state by fast class initialization checks |
72 | JDK-8229906 | hotspot | compiler | Backout backport 8227318 which was incomplete |
73 | JDK-8230711 | hotspot | compiler | ConnectionGraph::unique_java_object(Node* N) return NULL if n is not in the CG |
74 | JDK-8214315 | hotspot | gc | G1: fatal error: acquiring lock SATB_Q_FL_lock/1 out of order with lock tty_lock/0 |
75 | JDK-8215724 | hotspot | gc | Epsilon: ArrayStoreExceptionTest.java fails; missing arraycopy check |
76 | JDK-8221913 | hotspot | gc | Add GC.selected() jtreg-ext function |
77 | JDK-8225716 | hotspot | gc | G1 GC: Undefined behaviour in G1BlockOffsetTablePart::block_at_or_preceding |
78 | JDK-8230706 | hotspot | gc | Waiting on completion of strong nmethod processing causes long pause times with G1 |
79 | JDK-8205516 | hotspot | jfr | JFR tool |
80 | JDK-8213834 | hotspot | jvmti | JVMTI ResourceExhausted should not be posted in CompilerThread |
81 | JDK-8227277 | hotspot | jvmti | HeapInspection::find_instances_at_safepoint walks dead objects |
82 | JDK-8193234 | hotspot | runtime | When using -Xcheck:jni an internally allocated buffer can leak |
83 | JDK-8200109 | hotspot | runtime | NMT: diff_malloc_site assert(early->flags() == current->flags(), "Must be the same memory type") |
84 | JDK-8210043 | hotspot | runtime | Invalid assert(HeapBaseMinAddress > 0) in ReservedHeapSpace::initialize_compressed_heap |
85 | JDK-8210559 | hotspot | runtime | ClassLoaderData Symbols can leak |
86 | JDK-8212173 | hotspot | runtime | Thread._stack_base/_stack_size initialized too late for new threads |
87 | JDK-8212205 | hotspot | runtime | VM asserts after CDS archive has been unmapped |
88 | JDK-8212937 | hotspot | runtime | Parent class loader may not have a referred ClassLoaderData instance when obtained in Klass::class_in_module_of_loader |
89 | JDK-8214975 | hotspot | runtime | No hs-err file if fatal error is raised during dynamic initialization. |
90 | JDK-8215699 | hotspot | runtime | -Xlog::file cannot be used with named pipe |
91 | JDK-8215962 | hotspot | runtime | Support ThreadPriorityPolicy mode 1 for non-root users on linux/bsd |
92 | JDK-8216426 | hotspot | runtime | Usage of array placement new may lead to memory corruption |
93 | JDK-8216970 | hotspot | runtime | condy causes JVM crash |
94 | JDK-8216982 | hotspot | runtime | Assertion poison page established too early |
95 | JDK-8218581 | hotspot | runtime | Incorrect exception message generation |
96 | JDK-8220173 | hotspot | runtime | assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark |
97 | JDK-8220394 | hotspot | runtime | bufferedStream does not honor size limit |
98 | JDK-8221437 | hotspot | runtime | assert(java_lang_invoke_ResolvedMethodName::vmtarget(resolved_method()) == m()) failed: Should not change after link resolution |
99 | JDK-8222387 | hotspot | runtime | Out-of-bounds access to CPU _family_id_xxx array |
100 | JDK-8223572 | hotspot | runtime | ~ThreadInVMForHandshake() should call handle_special_runtime_exit_condition() |
101 | JDK-8224193 | hotspot | runtime | stringStream should not use Resource Area |
102 | JDK-8224487 | hotspot | runtime | outputStream should not be copyable |
103 | JDK-8225225 | hotspot | runtime | stringStream internal buffer should always be zero terminated |
104 | JDK-8227117 | hotspot | runtime | normal interpreter table is not restored after single stepping with TLH |
105 | JDK-8227497 | hotspot | runtime | No documented method for setting module addexports to JNI_CreateJavaVM |
106 | JDK-8228485 | hotspot | runtime | JVM crashes when bootstrap method for condy triggers loading of class whose static initializer throws exception |
107 | JDK-8021335 | hotspot | svc | Missing synchronization when reading counters for live threads and peak thread count |
108 | JDK-8221532 | hotspot | svc | Incorrect copyright header in FileSystemSupport_md.c |
109 | JDK-8225388 | hotspot | svc | Running jcmd Compiler.CodeHeap_Analytics all 0 cause crash. |
110 | JDK-8200613 | hotspot | svc-agent | SA: jstack throws UnmappedAddressException with a CDS core file |
111 | JDK-8220682 | hotspot | svc-agent | Heap dumping and inspection fails with JDK-8214712 |
112 | JDK-8218553 | security-libs | java.security | Enhance keystore load debug output |
113 | JDK-8213008 | security-libs | javax.crypto:pkcs11 | Cipher with UNWRAP_MODE should support the generation of an AES key type |
114 | JDK-8216597 | security-libs | javax.crypto:pkcs11 | SIGBUS in Java_sun_security_pkcs11_wrapper_PKCS11_getNativeKeyInfo after JDK-6913047 |
115 | JDK-8225695 | security-libs | javax.crypto:pkcs11 | 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support) |
116 | JDK-8226651 | security-libs | javax.crypto:pkcs11 | Setting the mgfHash in CK_RSA_PKCS_PSS_PARAMS has no effect |
117 | JDK-8228835 | security-libs | javax.crypto:pkcs11 | Memory leak in PKCS11 provider when using AES GCM |
118 | JDK-8211866 | security-libs | javax.net.ssl | TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms |
119 | JDK-8212738 | security-libs | javax.net.ssl | Incorrectly named signature scheme ecdsa_secp512r1_sha512 |
120 | JDK-8212752 | security-libs | javax.net.ssl | Typo in SSL log message related to inactive/disabled signature scheme |
121 | JDK-8214098 | security-libs | javax.net.ssl | sun.security.ssl.HandshakeHash.T12HandshakeHash constructor check backwards. |
122 | JDK-8215524 | security-libs | javax.net.ssl | Finished message validation failure should be decrypt_error alert |
123 | JDK-8226607 | security-libs | javax.smartcardio | Inconsistent info between pcsclite.md and MUSCLE headers |
The following sections summarize changes made in all Java SE 11.0.5 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8230085 | core-libs | java.nio | (fs) FileStore::isReadOnly is always true on macOS Catalina |
October 15, 2019
The full version string for this update release is 11.0.5+10 (where "+" means "build"). The version number is 11.0.5.
JDK 11.0.5 contains IANA time zone data version 2019b. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.5 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.5+10 |
8 | 1.8.0_231-b11 |
7 | 1.7.0_241-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.5) be used after the next critical patch update scheduled for January 14, 2020.
security-libs/java.security
➜New Java Flight Recorder (JFR) Security Events
Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.
jdk.SecurityPropertyModification: Security.setProperty(String key, String value) method calls
jdk.TLSHandshake
jdk.X509Validation
jdk.X509Certificate
See JDK-8148188
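One way to turn on jdk.SecurityPropertyModification programmatically and see which code changed a security property at run time. This is an added example, not code from the release notes or the JDK; the class name, the property key `example.constructed.policy` and the `key`/`value` field names read from the event are assumptions of the sketch.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

import jdk.jfr.Recording;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordedFrame;
import jdk.jfr.consumer.RecordedStackTrace;
import jdk.jfr.consumer.RecordingFile;

public class SecurityPropertyWatch {

    static final String EVENT = "jdk.SecurityPropertyModification";

    /** Runs the workload under a JFR recording; returns one line per Security.setProperty call. */
    static List<String> record(Runnable workload) throws IOException {
        Path dump = Files.createTempFile("security-events", ".jfr");
        try (Recording recording = new Recording()) {
            // The event is disabled by default, so it is enabled by name here.
            // jdk.TLSHandshake, jdk.X509Validation and jdk.X509Certificate
            // can be enabled the same way.
            recording.enable(EVENT).withStackTrace();
            recording.start();
            workload.run();
            recording.stop();
            recording.dump(dump);

            List<String> findings = new ArrayList<>();
            for (RecordedEvent event : RecordingFile.readAllEvents(dump)) {
                if (!EVENT.equals(event.getEventType().getName())) {
                    continue;
                }
                // Field names "key" and "value" are assumed; guard before reading them.
                String key = event.hasField("key") ? event.getString("key") : "?";
                String value = event.hasField("value") ? event.getString("value") : "?";
                findings.add(event.getStartTime() + " " + key + "=" + value
                        + " set by " + caller(event));
            }
            return findings;
        } finally {
            Files.deleteIfExists(dump);
        }
    }

    /** First stack frame outside the JDK's own security and event classes. */
    static String caller(RecordedEvent event) {
        RecordedStackTrace trace = event.getStackTrace();
        if (trace == null) {
            return "unknown";
        }
        for (RecordedFrame frame : trace.getFrames()) {
            String type = frame.getMethod().getType().getName();
            if (!type.startsWith("java.security.") && !type.startsWith("jdk.internal.")) {
                return type + "." + frame.getMethod().getName() + ":" + frame.getLineNumber();
            }
        }
        return "unknown";
    }

    public static void main(String[] args) throws IOException {
        // Constructed workload: sets a made-up property so no real policy changes.
        List<String> findings = record(
                () -> Security.setProperty("example.constructed.policy", "relaxed"));
        if (findings.isEmpty()) {
            System.out.println("no security property modifications recorded");
        }
        findings.forEach(System.out::println);
    }
}
```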
docs
➜Using the JDK or JRE on macOS Catalina (10.15)
Changes introduced in macOS 10.15 (Catalina) have caused JCK test failures which will prevent Java from being supported on macOS 10.15. If you still want to install and test then please see https://www.oracle.com/java/technologies/javase/jdk-jre-macos-catalina.html.
JDK-8230057 (not public)
security-libs/javax.net.ssl
➜Remove Obsolete NIST EC Curves from the Default TLS Algorithms
This change removes older non-NIST Suite B EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.
To re-enable these curves, use the jdk.tls.namedGroups system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:
java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192" ...
JDK-8228825 (not public)
security-libs/javax.crypto
➜Use SunJCE Mac in SecretKeyFactory PBKDF2 Implementation
The SunJCE implementation of the PBKDF2 SecretKeyFactory will now exclusively use the SunJCE Mac service for the underlying pseudorandom function (PRF). This fixes an issue where 3rd party JCE providers in rare cases could cause the SunJCE PBKDF2 SecretKeyFactory's underlying pseudorandom function (PRF) to fail on Mac.init().
See JDK-8218723
install
➜Java Access Bridge Installation Workaround
There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32bit Java products.
To prevent breaking Java Access Bridge functionality, use one of the following workarounds:
The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.
JDK-8223293 (not public)
security-libs/javax.xml.crypto
➜Updated XML Signature Implementation to Apache Santuario 2.1.3
The XML Signature implementation in the java.xml.crypto module has been updated to version 2.1.3 of Apache Santuario. New features include:
See JDK-8219013
security-libs/javax.crypto
➜System Property jdk.security.useLegacyECC is Turned Off by Default
The system property jdk.security.useLegacyECC, which was introduced in the update releases 7u231 and 8u221, is turned off by default.
This option allows control of which implementation of ECC is in use.
When the system property, jdk.security.useLegacyECC, is explicitly set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify
-Djdk.security.useLegacyECC
in the command line.
If the option is set to "false", or if it is not specified at all, the provider decides which implementation of ECC is used. This is the recommended setting, as the JDK will use modern and timing resistant implementations of the NIST secp256r1, secp384r1, and secp521r1 curves. For more information on which curves are recommended and which are legacy, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC.
JDK-8224499 (not public)
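A configuration check for the two settings described above (jdk.tls.namedGroups and jdk.security.useLegacyECC): it reports when a launcher puts the removed curves back or selects the legacy ECC implementation. This is an added example, not code from the release notes or the JDK; the class and method names and the sample values are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class EccSettingsAudit {

    // Curves the note says were removed from the default TLS named groups.
    static final Set<String> REMOVED_CURVES = Set.of(
            "sect283k1", "sect283r1", "sect409k1", "sect409r1",
            "sect571k1", "sect571r1", "secp256k1");

    /** Removed curves that a jdk.tls.namedGroups value puts back, in listed order. */
    static List<String> reenabledCurves(String namedGroups) {
        List<String> hits = new ArrayList<>();
        if (namedGroups == null) {
            return hits;                        // property unset: JDK defaults apply
        }
        String value = namedGroups.trim();
        // Tolerate quotes that survived shell or launcher-script processing.
        if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
            value = value.substring(1, value.length() - 1);
        }
        for (String group : value.split(",")) {
            // Case is folded so an oddly-cased entry is still reported (conservative).
            String name = group.trim().toLowerCase(Locale.ROOT);
            if (REMOVED_CURVES.contains(name) && !hits.contains(name)) {
                hits.add(name);
            }
        }
        return hits;
    }

    /** Rule from the note: "true" in any case, or an empty string, selects legacy ECC. */
    static boolean legacyEccSelected(String useLegacyEcc) {
        if (useLegacyEcc == null) {
            return false;                       // not specified: the provider decides
        }
        return useLegacyEcc.isEmpty() || useLegacyEcc.equalsIgnoreCase("true");
    }

    static List<String> audit(String namedGroups, String useLegacyEcc) {
        List<String> findings = new ArrayList<>();
        List<String> curves = reenabledCurves(namedGroups);
        if (!curves.isEmpty()) {
            findings.add("jdk.tls.namedGroups re-enables removed curves: " + curves);
        }
        if (legacyEccSelected(useLegacyEcc)) {
            findings.add("jdk.security.useLegacyECC selects the old native ECC implementation");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample values, as they might appear in a launcher script.
        String[][] samples = {
            {"secp256r1, secp384r1, secp521r1, ffdhe2048", null},
            {"secp256r1, sect283k1, secp256k1", ""},   // bare -Djdk.security.useLegacyECC
            {null, "TRUE"},
            {null, "false"},
        };
        for (String[] s : samples) {
            System.out.println("namedGroups=" + s[0] + " useLegacyECC=" + s[1]
                    + " -> " + audit(s[0], s[1]));
        }
        // The settings of the JVM running this audit.
        System.out.println("this JVM -> " + audit(
                System.getProperty("jdk.tls.namedGroups"),
                System.getProperty("jdk.security.useLegacyECC")));
    }
}
```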
core-libs/java.util
➜Changed Properties.loadFromXML to Comply with Specification
The implementation of the java.util.Properties.loadFromXML method has been changed to comply with its specification. Specifically, the underlying XML parser implementation now rejects non-compliant XML documents by throwing an InvalidPropertiesFormatException as specified by the loadFromXML method.
The effect of the change is as follows:
Documents created by Properties.storeToXML: No change. Properties.loadFromXML will have no problem reading such files.
Documents not created by Properties.storeToXML: Any documents containing DTDs not in the format as specified in Properties.loadFromXML will be rejected. This means the DTD shall be exactly as follows (as generated by the Properties.storeToXML method):
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
See JDK-8213325
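A pre-upgrade check that feeds several XML property documents to Properties.loadFromXML and reports what the running JDK does with each. This is an added example, not code from the release notes or the JDK; the class name and all four sample documents (including the example.invalid identifier) are constructed, and the outcome for each depends on the JDK the check runs on.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.InvalidPropertiesFormatException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

public class PropertiesXmlPreflight {

    static final String XML_DECL = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
    static final String REQUIRED_DOCTYPE =
            "<!DOCTYPE properties SYSTEM \"http://java.sun.com/dtd/properties.dtd\">\n";
    static final String BODY =
            "<properties>\n<entry key=\"mode\">strict</entry>\n</properties>\n";

    /** Loads one document and reports whether the running JDK accepts it. */
    static String check(byte[] document) {
        Properties props = new Properties();
        try {
            props.loadFromXML(new ByteArrayInputStream(document));
            return "accepted (" + props.size() + " entries)";
        } catch (InvalidPropertiesFormatException e) {
            // The exception the note says non-compliant documents now raise.
            return "rejected: " + e.getMessage();
        } catch (IOException e) {
            return "I/O error: " + e.getMessage();
        }
    }

    /** A document produced by storeToXML, which the note says is unaffected. */
    static byte[] writtenByStoreToXml() throws IOException {
        Properties props = new Properties();
        props.setProperty("mode", "strict");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        props.storeToXML(out, "constructed sample", "UTF-8");
        return out.toByteArray();
    }

    static byte[] utf8(String text) {
        return text.getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        Map<String, byte[]> samples = new LinkedHashMap<>();
        samples.put("written by storeToXML", writtenByStoreToXml());
        samples.put("hand-written, exact DOCTYPE",
                utf8(XML_DECL + REQUIRED_DOCTYPE + BODY));
        // Constructed system identifier that differs from the required one.
        samples.put("different system identifier",
                utf8(XML_DECL
                        + "<!DOCTYPE properties SYSTEM \"http://example.invalid/custom.dtd\">\n"
                        + BODY));
        // Required identifier followed by an internal DTD subset.
        samples.put("internal DTD subset added",
                utf8(XML_DECL
                        + "<!DOCTYPE properties SYSTEM \"http://java.sun.com/dtd/properties.dtd\" [\n"
                        + "<!ELEMENT extra (#PCDATA)>\n]>\n"
                        + BODY));

        System.out.println("java.version = " + System.getProperty("java.version"));
        for (Map.Entry<String, byte[]> sample : samples.entrySet()) {
            System.out.println(sample.getKey() + " -> " + check(sample.getValue()));
        }
    }
}
```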
core-libs/java.lang
➜Runtime.exec and ProcessBuilder Argument Restrictions
Runtime.exec and ProcessBuilder have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager.
In applications where there is no security manager, there is no change in the default behavior and the new restrictions are opt-in. To enable the restrictions, set the system property jdk.lang.Process.allowAmbiguousCommands to false.
In applications where there is a security manager, the new restrictions are opt-out. To revert to the previous behavior set the system property jdk.lang.Process.allowAmbiguousCommands to true.
Applications using Runtime.exec or ProcessBuilder with a security manager to invoke .bat or .cmd and command names that do not end in ".exe" may be more restrictive in the characters accepted for arguments if they contain double-quote, "&", "|", "<", ">", or "^". The arguments passed to applications may be quoted differently than in previous versions.
For .exe programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. In the case where the entire argument has been passed with quotes or must be quoted to encode special characters including space and tab, the encoding ensures they are passed to the application correctly. The restrictions are enforced if there is a security manager and the jdk.lang.Process.allowAmbiguousCommands property is "false" or there is no security manager and property is not "false".
JDK-8221858 (not public)
client-libs/2d
➜Windows 2019 Core Server Is Not Supported
Windows Core Server 2019 does not ship a dll required by JDK in order to run. Specifically, if a Java application, including a headless one, requires awt.dll, the Java runtime will exit with an exception. There is no workaround. Until this is resolved, this Windows Server configuration is not supported.
See JDK-8229800
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.5:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8217676 | client-libs | | Upgrade libpng to 1.6.37 |
2 | JDK-8214579 | client-libs | | JFrame does not paint content in XVFB / X11vnc environment |
3 | JDK-8222108 | client-libs | 2d | Reduce minRefreshTime for updating remote printer list on Windows |
4 | JDK-8224825 | client-libs | 2d | java/awt/Color/AlphaColorTest.java fails in linux-x64 system |
5 | JDK-8139178 | client-libs | 2d | Wrong fontMetrics when printing in Landscape (OpenJDK) |
6 | JDK-8221411 | client-libs | 2d | NullPointerException in RasterPrinterJob without PrinterResolution |
7 | JDK-8222362 | client-libs | 2d | Upgrade to Freetype 2.10.0 |
8 | JDK-8218854 | client-libs | 2d | FontMetrics.getMaxAdvance may be less than the maximum FontMetrics.charWidth |
9 | JDK-8221304 | client-libs | 2d | Problem list java/awt/FontMetrics/MaxAdvanceIsMax.java |
10 | JDK-8227392 | client-libs | java.awt | Colors with alpha are painted incorrectly on Linux, after JDK-8214579 |
11 | JDK-8196681 | client-libs | javax.accessibility | Java Access Bridge logging and debug flags dynamically controlled |
12 | JDK-8225423 | client-libs | javax.swing | GTK L&F: JSplitPane: There is no divider shown |
13 | JDK-8226964 | client-libs | javax.swing | [Yaru] GTK L&F: There is no difference between menu selected and de-selected |
14 | JDK-8214702 | client-libs | javax.swing | Wrong text position for whitespaced string in printing Swing text |
15 | JDK-8217366 | core-libs | | ZoneStrings are not populated for all the Locales |
16 | JDK-8216205 | core-libs | java.lang | Java API documentation formatting error in System.getEnv() |
17 | JDK-8225425 | core-libs | java.net | java.lang.UnsatisfiedLinkError: net.dll: Can't find dependent libraries |
18 | JDK-8217364 | core-libs | java.net | Custom URLStreamHandler for jrt or file protocol can override default handler. |
19 | JDK-8213406 | core-libs | java.nio | (fs) More than one instance of built-in FileSystem observed in heap |
20 | JDK-8224202 | core-libs | java.util | Speed up Properties.load |
21 | JDK-8213325 | core-libs | java.util | (props) Properties.loadFromXML does not fully comply with the spec |
22 | JDK-8214687 | core-libs | java.util:collections | Optimize Collections.nCopies().hashCode() and equals() |
23 | JDK-8221924 | core-libs | java.util:collections | get(null) on single-entry unmodifiable Map returns null instead of throwing NPE |
24 | JDK-8226876 | core-libs | java.util:i18n | Assertion in sun/util/locale/provider/CalendarDataUtility on Windows after JDK-8218960 |
25 | JDK-8222980 | core-libs | java.util:i18n | Upgrade IANA Language Subtag Registry to Version 2019-04-03 |
26 | JDK-8220037 | core-libs | java.util:i18n | Inconsistencies of generated timezone files between Windows and Linux |
27 | JDK-8219890 | core-libs | java.util:i18n | Calendar.getDisplayName() returns empty string for new Japanese Era on some locales |
28 | JDK-8218960 | core-libs | java.util:i18n | CONFIG level logging statements printed in CLDRCalendarDataProviderImpl.java even when default log Level is INFO |
29 | JDK-8139965 | core-libs | javax.naming | Hang seen when using com.sun.jndi.ldap.search.replyQueueSize |
30 | JDK-8206879 | globalization | locale-data | Currency decimal marker incorrect for Peru |
31 | JDK-8219448 | hotspot | compiler | split-if update_uses accesses stale idom data |
32 | JDK-8220198 | hotspot | compiler | Lots of com/sun/crypto/provider/Cipher tests fail on x86_32 due to missing SHA512 stubs |
33 | JDK-8219335 | hotspot | compiler | "failed: unexpected type" assert failure in ConnectionGraph::split_unique_types() with unsafe accesses |
34 | JDK-8220714 | hotspot | compiler | C2 Compilation failure when accessing off-heap memory using Unsafe |
35 | JDK-8188133 | hotspot | compiler | C2: Static field accesses in clinit can trigger deoptimizations |
36 | JDK-8177899 | hotspot | compiler | Tests fail due to code cache exhaustion on machines with many cores |
37 | JDK-8222670 | hotspot | compiler | pathological case of JIT recompilation and code cache bloat |
38 | JDK-8220374 | hotspot | compiler | C2: LoopStripMining doesn't strip as expected |
39 | JDK-8213825 | hotspot | compiler | assert(false) failed: Non-balanced monitor enter/exit! Likely JNI locking |
40 | JDK-8223537 | hotspot | compiler | testlibrary_tests/ctw/ClassesListTest.java fails with Agent timeout frequently |
41 | JDK-8207965 | hotspot | compiler | C2-only debug build fails |
42 | JDK-8202414 | hotspot | compiler | Unsafe write after primitive array creation may result in array length change |
43 | JDK-8215483 | hotspot | compiler | Off heap memory accesses should be vectorized |
44 | JDK-8219807 | hotspot | compiler | C2 crash in IfNode::up_one_dom(Node*, bool) |
45 | JDK-8218721 | hotspot | compiler | C1's CEE optimization produces safepoint poll with invalid debug information |
46 | JDK-8213419 | hotspot | compiler | C2 may hang in MulLNode::Ideal()/MulINode::Ideal() with gcc 8.2.1 |
47 | JDK-8214059 | hotspot | compiler | Undefined behaviour in ADLC |
48 | JDK-8214189 | hotspot | compiler | test/hotspot/jtreg/compiler/intrinsics/mathexact/MulExactLConstantTest.java fails on Windows x64 when run with -XX:-TieredCompilation |
49 | JDK-8200365 | hotspot | gc | TestOptionsWithRanges.java of '-XX:TLABWasteTargetPercent=100' fails intermittently |
50 | JDK-8214161 | hotspot | jfr | java.lang.IllegalAccessError: class jdk.internal.event.X509CertificateEvent (in module java.base) cannot access class jdk.jfr.internal.handlers.EventHandler (in module jdk.jfr) because module java.base does not read module jdk.jfr |
51 | JDK-8213172 | hotspot | jfr | CDS and JFR tests fail with assert(JdkJfrEvent::is(klass)) failed: invariant |
52 | JDK-8203629 | hotspot | jfr | Produce events in the JDK without a dependency on jdk.jfr |
53 | JDK-8214287 | hotspot | jfr | SpecJbb2005StressModule got uncaught exception |
54 | JDK-8216049 | hotspot | runtime | stringTable::intern creates redundant String when looking up existing one |
55 | JDK-8217994 | hotspot | runtime | os::print_hex_dump should be more resilient against unreadable memory |
56 | JDK-8216308 | hotspot | runtime | StackTraceElement::fill_in can use injected Class source-file |
57 | JDK-8217315 | hotspot | runtime | Proper units should print more significant digits |
58 | JDK-8216302 | hotspot | runtime | StackTraceElement::fill_in can use cached Class.name |
59 | JDK-8202835 | hotspot | runtime | jfr/event/os/TestSystemProcess.java fails on missing events |
60 | JDK-8202353 | hotspot | runtime | os::readdir should use readdir instead of readdir_r |
61 | JDK-8210457 | hotspot | runtime | JVM crash in ResolvedMethodTable::add_method(Handle) |
62 | JDK-8222914 | hotspot | runtime | Partial backport of JDK-8218266 |
63 | JDK-8206075 | hotspot | runtime | On x86, assert on unbound assembler Labels used as branch targets |
64 | JDK-8208480 | hotspot | runtime | Test failure: assert(is_bound() || is_unused()) after JDK-8206075 in C1 |
65 | JDK-8222985 | install | uninstall | need to build 64-bit JavaUninstallTool.exe as 32-bit exe |
66 | JDK-8229773 | security-libs | java.security | Resolve permissions for code source URLs lazily |
67 | JDK-8224589 | security-libs | java.security | Improve startup behavior of SecurityProperties |
68 | JDK-8147502 | security-libs | java.security | Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size |
69 | JDK-8221801 | security-libs | java.security | Update src/java.base/share/legal/public_suffix.md |
70 | JDK-8148188 | security-libs | java.security | Enhance the security libraries to record events of interest |
71 | JDK-8226543 | security-libs | javax.crypto | Reduce GC pressure during message digest calculations in password-based encryption |
72 | JDK-8218723 | security-libs | javax.crypto | Use SunJCE Mac in SecretKeyFactory PBKDF2 implementation |
73 | JDK-8133489 | security-libs | javax.net.ssl | Better messaging for PKIX path validation matching |
74 | JDK-8216039 | security-libs | javax.net.ssl | TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange |
75 | JDK-8216326 | security-libs | javax.net.ssl | SSLSocket stream close() does not close the associated socket |
76 | JDK-8218780 | security-libs | javax.smartcardio | Update MUSCLE PCSC-Lite header files |
77 | JDK-8219013 | security-libs | javax.xml.crypto | Update Apache Santuario (XML Signature) to version 2.1.3 |
78 | JDK-8225005 | xml | jaxp | Xerces 2.12.0: License file |
79 | JDK-8222415 | xml | jaxp | Xerces 2.12.0: Parsing Configuration |
80 | JDK-8222743 | xml | jaxp | Xerces 2.12.0: DOM Implementation |
81 | JDK-8222991 | xml | jaxp | Xerces 2.12.0: Validation |
82 | JDK-8213117 | xml | org.w3c.dom | adoptNode corrupts attribute values |
83 | JDK-8213734 | xml | org.xml.sax | SAXParser.parse(File, ..) does not close resources when Exception occurs. |
The following sections summarize changes made in all Java SE 11.0.4 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Please note that fixes from prior BPR are included in this version.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8217610 | security-libs | javax.net.ssl | TLSv1.3 fail with ClassException when EC keys are stored in PKCS11 |
July 16, 2019
The full version string for this update release is 11.0.4+10 (where "+" means "build"). The version number is 11.0.4.
JDK 11.0.4 contains IANA time zone data version 2018i. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.4 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.4+10 |
8 | 1.8.0_221-b11 |
7 | 1.7.0_231-b08 |
The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.4) will expire with the release of the next critical patch update scheduled for October 15, 2019.
➜HotSpot Windows OS Detection Correctly Identifies Windows Server 2019
Prior to this fix, Windows Server 2019 was recognized as "Windows Server 2016", which produced incorrect values in the os.name system property and the hs_err_pid file.
See JDK-8211106
➜Removal of Two DocuSign Root CA Certificates
Two DocuSign root CA certificates are expired and have been removed from the cacerts keystore:
alias name "certplusclass2primaryca [jdk]"
Distinguished Name: CN=Class 2 Primary CA, O=Certplus, C=FR
alias name "certplusclass3pprimaryca [jdk]"
Distinguished Name: CN=Class 3P Primary CA, O=Certplus, C=FR
See JDK-8223499
➜Removal of Two Comodo Root CA Certificates
Two Comodo root CA certificates are expired and have been removed from the cacerts keystore:
alias name "utnuserfirstclientauthemailca [jdk]"
Distinguished Name: CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
alias name "utnuserfirsthardwareca [jdk]"
Distinguished Name: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
See JDK-8222136
➜Removal of T-Systems Deutsche Telekom Root CA 2 Certificate
The T-Systems Deutsche Telekom Root CA 2 certificate is expired and has been removed from the cacerts keystore:
alias name "deutschetelekomrootca2 [jdk]"
Distinguished Name: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE
See JDK-8222137
➜Removal of GTE CyberTrust Global Root
The GTE CyberTrust Global Root certificate is expired and has been removed from the cacerts keystore:
alias name "gtecybertrustglobalca [jdk]"
Distinguished Name: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
See JDK-8195793
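A truststore check for the four removal notes above: it reports any of the listed roots still present in a keystore (matched by distinguished name, so renamed aliases are caught) and any other expired entry. This is an added example, not code from the release notes or the JDK; the class name is constructed, and the default path `lib/security/cacerts` under `java.home` with password `changeit` is an assumption that can be overridden by the two arguments.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import javax.security.auth.x500.X500Principal;

public class RemovedRootsAudit {

    // Distinguished names of the roots the 11.0.4 notes list as removed.
    static final List<X500Principal> REMOVED_ROOTS = List.of(
            new X500Principal("CN=Class 2 Primary CA, O=Certplus, C=FR"),
            new X500Principal("CN=Class 3P Primary CA, O=Certplus, C=FR"),
            new X500Principal("CN=UTN-USERFirst-Client Authentication and Email, "
                    + "OU=http://www.usertrust.com, O=The USERTRUST Network, "
                    + "L=Salt Lake City, ST=UT, C=US"),
            new X500Principal("CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, "
                    + "O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US"),
            new X500Principal("CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, "
                    + "O=Deutsche Telekom AG, C=DE"),
            new X500Principal("CN=GTE CyberTrust Global Root, "
                    + "OU=\"GTE CyberTrust Solutions, Inc.\", O=GTE Corporation, C=US"));

    /** One finding per entry that is a removed root or has passed its notAfter date. */
    static List<String> audit(KeyStore trustStore, Date now) throws KeyStoreException {
        List<String> findings = new ArrayList<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate cert = trustStore.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            // X500Principal.equals compares canonical names, so spacing and case do not matter.
            if (REMOVED_ROOTS.contains(x509.getSubjectX500Principal())) {
                findings.add("removed root still present: " + alias);
            } else if (x509.getNotAfter().before(now)) {
                findings.add("expired entry: " + alias + " (notAfter " + x509.getNotAfter() + ")");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the JDK's own cacerts file and its usual password.
        File store = new File(args.length > 0
                ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // KeyStore.getInstance(File, char[]) detects the keystore type (JKS or PKCS12).
        KeyStore trustStore = KeyStore.getInstance(store, password);
        List<String> findings = audit(trustStore, new Date());

        System.out.println(store + ": " + trustStore.size() + " entries, "
                + findings.size() + " findings");
        findings.forEach(System.out::println);
    }
}
```

Application truststores copied from an older JDK do not pick up the removals automatically, so the check is most useful when pointed at those files.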
➜ com.sun.org.apache.xml.internal.security.ignoreLineBreaks System Property
An Apache Santuario libraries upgrade introduces a behavioral change where Base64 encoded XML signatures may result in &#xd; or &#13; being appended to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.
An application may continue working with the encoded output data containing the carriage return character (&#xd; or &#13;) if the application coding logic allows such output.
The com.sun.org.apache.xml.internal.security.ignoreLineBreaks system property may be set to a value of true if an application is unable to handle encoded output data including the carriage return character (&#xd; or &#13;).
Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482.
➜System Property to Switch Between Implementations of ECC
A new boolean system property, jdk.security.useLegacyECC, has been introduced that enables switching between implementations of ECC.
When the system property, jdk.security.useLegacyECC, is set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify
-Djdk.security.useLegacyECC
in the command line.
If the option is explicitly set to "false", the provider decides which implementation of ECC is used.
The default value of the option is "true". Note that the default value might change in a future update release of the JDK.
JDK-8217763 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.4:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8190361 | client-libs | | Incorrect version info in jaccessinspector.exe and jaccesswalker.exe |
2 | JDK-8214252 | client-libs | | Expanded & Collapsed nodes of a JTree look the same on GTK3 |
3 | JDK-8210782 | client-libs | | Upgrade HarfBuzz to the latest 2.3.1 |
4 | JDK-8212202 | client-libs | 2d | [Windows] Exception if no printers are installed. |
5 | JDK-8218020 | client-libs | 2d | Fix version number in mesa.md 3rd party legal file |
6 | JDK-8210886 | client-libs | java.awt | Remove references in xwindows.md to non-existent files. |
7 | JDK-8214109 | client-libs | java.awt | XToolkit is not correctly displayed color on 16-bit high color setting |
8 | JDK-8214765 | client-libs | java.awt | All TrayIcon MessageType icons does not show up with gtk3 option set |
9 | JDK-8213183 | client-libs | java.awt:i18n | InputMethod cannot be used after its restarting |
10 | JDK-8220349 | client-libs | javax.swing | The fix done for JDK-8214253 have caused issues in JTree behaviour |
11 | JDK-8214112 | client-libs | javax.swing | The whole text in target JPasswordField image are not selected. |
12 | JDK-8214253 | client-libs | javax.swing | Tooltip is transparent rather than having a black background |
13 | JDK-8214111 | client-libs | javax.swing | There is no icon in all JOptionPane target image |
14 | JDK-8218674 | client-libs | javax.swing | HTML Tooltip with "img src=" on component doesn't show |
15 | JDK-8220166 | core-libs | java.io:serialization | Performance regression in deserialization (4-6% in SPECjbb) |
16 | JDK-8217094 | core-libs | java.net | HttpClient SSL race if a socket IOException is raised before ALPN is available |
17 | JDK-8213294 | core-libs | java.util:i18n | Upgrade IANA LSR data |
18 | JDK-8214935 | core-libs | java.util:i18n | Upgrade IANA LSR data |
19 | JDK-8218781 | core-libs | java.util:i18n | Localized names for Japanese Era Reiwa in COMPAT provider |
20 | JDK-8217564 | hotspot | compiler | idempotent protection missing in crc32c.h |
21 | JDK-8209951 | hotspot | compiler | Problematic sparc intrinsic: com.sun.crypto.provider.CipherBlockChaining |
22 | JDK-8220293 | hotspot | jfr | Deadlock in JFR string pool |
23 | JDK-8205633 | hotspot | runtime | TestOptionsWithRanges.java of '-XX:TLABSize=2147483648' fails intermittently |
24 | JDK-8211106 | hotspot | runtime | [windows] Update OS detection code to recognize Windows Server 2019 |
25 | JDK-8217765 | hotspot | runtime | Internal Error (javaCalls.cpp:61) guarantee(thread->can_call_java()) failed |
26 | JDK-8202884 | hotspot | svc-agent | SA: Attach/detach might fail on Linux if debugee application create/destroy threads during attaching |
27 | JDK-8218180 | install | | JAB description in Control Panel is messed |
28 | JDK-8195793 | security-libs | java.security | Remove GTE CyberTrust Global Root |
29 | JDK-8223499 | security-libs | java.security | Remove two DocuSign root certificates that are expiring |
30 | JDK-8222137 | security-libs | java.security | Remove T-Systems root CA certificate |
31 | JDK-8222136 | security-libs | java.security | Remove two Comodo root CA certificates that are expiring |
32 | JDK-8217690 | security-libs | java.security | Update public suffix version |
33 | JDK-8204909 | security-libs | javax.crypto | Improved ECC Implementation |
34 | JDK-8210989 | security-libs | javax.net.ssl | RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2 |
35 | JDK-8215790 | security-libs | javax.net.ssl | Delegated task created by SSLEngine throws java.nio.BufferUnderflowException |
36 | JDK-8214339 | security-libs | javax.net.ssl | SSLSocketImpl erroneously wraps SocketException |
37 | JDK-8219389 | security-libs | javax.net.ssl | Delegated task created by SSLEngine throws BufferUnderflowException |
38 | JDK-8216045 | security-libs | javax.net.ssl | The size of key_exchange may be wrong on FFDHE |
39 | JDK-8217878 | security-libs | javax.xml.crypto | ENVELOPING XML signature no longer works in JDK 11 |
40 | JDK-8218629 | security-libs | javax.xml.crypto | XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10 |
41 | JDK-8209914 | tools | javadoc(tool) | javadoc search sometimes generates bad URIs |
42 | JDK-8214468 | tools | javadoc(tool) | jQuery UI upgrade from 1.11.4 to 1.12.1 |
The following sections summarize changes made in all Java SE 11.0.3 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8210739 | client-libs | javax.swing | Calling JSpinner's setFont with null throws NullPointerException |
April 16, 2019
The full version string for this update release is 11.0.3+12 (where "+" means "build"). The version number is 11.0.3.
JDK 11.0.3 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.3 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.3+12 |
10 | 10.0.99 |
9 | 9.0.99 |
8 | 1.8.0_211-b12 |
7 | 1.7.0_221-b08 |
6 | 1.6.0_221 |
The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.3) will expire with the release of the next critical patch update scheduled for July 16, 2019.
➜Square Character Support for Japanese New Era
The code point, U+32FF, is reserved by the Unicode Consortium to represent the Japanese square character for the new era that begins from May, 2019. Relevant methods in the Character class return the same properties as the existing Japanese era characters (e.g., U+337E for "Meizi"). For details about the code point, see http://blog.unicode.org/2018/09/new-japanese-era.html.
See JDK-8211398
➜Java Access Bridge Installation Workaround
There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32bit Java products.
To prevent breaking Java Access Bridge functionality, use one of the following workarounds:
The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.
JDK-8223293 (not public)
➜Added GlobalSign R6 Root Certificate
The following root certificate has been added to the cacerts truststore:
DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6
JDK-8216577 (not public)
➜Distrust TLS Server Certificates Anchored by Symantec Root CAs
The JDK will stop trusting TLS Server certificates issued by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec.
TLS Server certificates issued on or before April 16, 2019 will continue to be trusted until they expire. Certificates issued after that date will be rejected. See the DigiCert support page for information on how to replace your Symantec certificates with a DigiCert certificate (DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates on December 1, 2017).
An exception to this policy is that TLS Server certificates issued through two subordinate Certificate Authorities managed by Apple, and identified below, will continue to be trusted as long as they are issued on or before December 31, 2019.
The restrictions are enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below.
An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:
"TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA:
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US"
If necessary, and at your own risk, you can work around the restrictions by removing "SYMANTEC_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.
The restrictions are imposed on the following Symantec Root certificates included in the JDK:
Root Certificates distrusted after 2019-04-16
Distinguished Name | SHA-256 Fingerprint |
---|---|
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US | FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA:DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A |
CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US | 37:D5:10:06:C5:12:EA:AB:62:64:21:F1:EC:8C:92:01:3F:C5:F8:2A:E9:8E:E5:33:EB:46:19:B8:DE:B4:D0:6C |
CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US | 5E:DB:7A:C4:3B:82:A0:6A:87:61:E8:D7:BE:49:79:EB:F2:61:1F:7D:D7:9B:F9:1C:1C:6B:56:6A:21:9E:D7:66 |
CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US | B4:78:B8:12:25:0D:F8:78:63:5C:2A:A7:EC:7D:15:5E:AA:62:5E:E8:29:16:E2:CD:29:43:61:88:6C:D1:FB:D4 |
CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US | A0:45:9B:9F:63:B2:25:59:F5:FA:5D:4C:6D:B3:F9:F7:2F:F1:93:42:03:35:78:F0:73:BF:1D:1B:46:CB:B9:12 |
CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US | 8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A:97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F |
CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US | A4:31:0D:50:AF:18:A6:44:71:90:37:2A:86:AF:AF:8B:95:1F:FB:43:1D:83:7F:1E:56:88:B4:59:71:ED:15:57 |
CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US | 4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C:06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C |
EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA | 3F:9F:27:D5:83:20:4B:9E:09:C8:A3:D2:06:6C:4B:57:D3:A2:47:9C:36:93:65:08:80:50:56:98:10:5D:BC:E9 |
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US | 3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F:D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1 |
OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US | A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09:CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05 |
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US | 83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E:DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B |
CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1:B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44 |
CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | 69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60:32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79 |
CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | 9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99:89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF |
CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C |
Subordinate Certificates distrusted after 2019-12-31
Distinguished Name | SHA-256 Fingerprint |
---|---|
CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | AC:2B:92:2E:CF:D5:E0:17:11:77:2F:EA:8E:D3:72:DE:9D:1E:22:45:FC:E3:F5:7A:9C:DB:EC:77:29:6A:42:4B |
CN=Apple IST CA 8 - G1, OU=Certification Authority, O=Apple Inc., C=US | A4:FE:7C:7F:15:15:5F:3F:0A:EF:7A:AA:83:CF:6E:06:DE:B9:7C:A3:F9:09:DF:92:0A:C1:49:08:82:D4:88:ED |
If you have a TLS Server certificate issued by one of the CAs above, you should have received a message from DigiCert with information about replacing that certificate, free of charge.
You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain listed in the output are issued by one of the root CAs in the table above, you will need to update the certificate or, if the server is not yours, contact the organization that manages it.
See JDK-8207258
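The following Java program is an added example, not code from the JDK or from Oracle: it reports whether SYMANTEC_TLS is still present in jdk.security.caDistrustPolicies, lists any default trust anchors whose SHA-256 fingerprint matches the root table, and applies the two cut-off dates from this note to constructed issue dates. The class and method names are hypothetical, only the first two table rows are embedded, and "issued" is assumed to mean the server certificate's notBefore date.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SymantecDistrustAudit {
    // Cut-off dates stated in the release note.
    static final LocalDate ROOT_CUTOFF = LocalDate.of(2019, 4, 16);
    static final LocalDate APPLE_SUBCA_CUTOFF = LocalDate.of(2019, 12, 31);

    // First two rows of the root table above; add the remaining rows for a full audit.
    static final Set<String> LISTED_ROOTS = Set.of(
        "FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA:DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A",
        "37:D5:10:06:C5:12:EA:AB:62:64:21:F1:EC:8C:92:01:3F:C5:F8:2A:E9:8E:E5:33:EB:46:19:B8:DE:B4:D0:6C");

    /** True if SYMANTEC_TLS is still listed in the comma-separated property value. */
    static boolean policyEnabled(String propertyValue) {
        if (propertyValue == null) return false;
        for (String policy : propertyValue.split(",")) {
            if (policy.trim().equals("SYMANTEC_TLS")) return true;
        }
        return false;
    }

    /** SHA-256 fingerprint in the colon-separated upper-case form used by the tables. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /** Subject DNs of default trust anchors whose fingerprint is in the given set. */
    static List<String> listedAnchorsPresent(Set<String> fingerprints) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the runtime's default truststore
        List<String> hits = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                if (fingerprints.contains(fingerprint(ca))) {
                    hits.add(ca.getSubjectX500Principal().getName());
                }
            }
        }
        return hits;
    }

    /**
     * Decision described in the note: a chain anchored by a listed root is rejected
     * when the server certificate was issued after the cut-off; chains through the
     * two Apple subordinate CAs get the later cut-off.
     * Assumption: "issued" is the certificate's notBefore date.
     */
    static boolean rejected(boolean anchoredByListedRoot, boolean viaAppleSubCa, LocalDate issued) {
        if (!anchoredByListedRoot) return false;
        LocalDate cutoff = viaAppleSubCa ? APPLE_SUBCA_CUTOFF : ROOT_CUTOFF;
        return issued.isAfter(cutoff);
    }

    public static void main(String[] args) throws Exception {
        String prop = Security.getProperty("jdk.security.caDistrustPolicies");
        System.out.println("jdk.security.caDistrustPolicies = " + prop);
        System.out.println("SYMANTEC_TLS enforced: " + policyEnabled(prop));
        System.out.println("Listed roots in default truststore: "
            + listedAnchorsPresent(LISTED_ROOTS));

        // Constructed issue dates exercising both cut-offs.
        System.out.println("root, issued 2019-04-16: rejected="
            + rejected(true, false, LocalDate.of(2019, 4, 16)));
        System.out.println("root, issued 2019-04-17: rejected="
            + rejected(true, false, LocalDate.of(2019, 4, 17)));
        System.out.println("Apple sub-CA, issued 2019-06-01: rejected="
            + rejected(true, true, LocalDate.of(2019, 6, 1)));
        System.out.println("Apple sub-CA, issued 2020-01-01: rejected="
            + rejected(true, true, LocalDate.of(2020, 1, 1)));
    }
}
```

A result of "SYMANTEC_TLS enforced: false" means the workaround described above has been applied to that runtime's java.security file and is worth tracking as a configuration finding.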
➜New Japanese Era Name Reiwa
An instance representing the new Reiwa era has been added to this update. Unlike other eras, there is no public field for this era. It can be obtained by calling JapaneseEra.of(3) or JapaneseEra.valueOf("Reiwa"). JDK 13 and later will have a new public field to represent this era.
The placeholder name, "NewEra", for the Japanese era that started from May 1st, 2019 has been replaced with the new official name. Applications that relied on the placeholder name (see JDK-8202088) to obtain the new era singleton (JapaneseEra.valueOf("NewEra")) will no longer work.
See JDK-8205432
➜Support New Japanese Era in java.time.chrono.JapaneseEra
The JapaneseEra class and its of(int), valueOf(String), and values() methods are clarified to accommodate future Japanese era additions, such as how the singleton instances are defined, what the associated integer era values are, etc.
See JDK-8212941
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.3:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8207070 | client-libs | java.awt | Webstart app popup on wrong screen in a one-screen setup changing to multi-monitor |
2 | JDK-8211295 | core-libs | java.sql | DriverManager::getConnection fails to find driver if it's called from JDBC RowSet |
3 | JDK-8212941 | core-libs | java.time | Support new Japanese era in java.time.chrono.JapaneseEra |
4 | JDK-8211398 | core-libs | java.util:i18n | Square character support for the Japanese new era |
5 | JDK-8208275 | hotspot | compiler | C2 crash in Node::add_req(Node*) |
6 | JDK-8209758 | hotspot | gc | 2 classes with same name G1PrintCollectionSetClosure cause crash when logging is enabled |
7 | JDK-8211821 | hotspot | runtime | PrintStringTableStatistics crashes JVM |
8 | JDK-8214827 | hotspot | runtime | Incorrect call ClassLoaders.toFileURL("jrt:/java.compiler") |
9 | JDK-8215397 | hotspot | runtime | jsig.c missing classpath exception |
10 | JDK-8213952 | security-libs | java.security | Relax DNSName restriction as per RFC 1123 |
11 | JDK-8213782 | security-libs | javax.net.ssl | NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers |
12 | JDK-8212885 | security-libs | javax.net.ssl | TLS 1.3 resumed session does not retain peer certificate chain |
13 | JDK-8207258 | security-libs | javax.net.ssl | Distrust TLS server certificates anchored by Symantec Root CAs |
14 | JDK-8214129 | security-libs | javax.net.ssl | SSL session resumption/SNI with TLS1.2 causes StackOverflowError |
15 | JDK-8209615 | xml | javax.xml.stream | ParseError in XMLEventReader on a valid input |
16 | JDK-8210874 | xml | javax.xml.stream | Test for JDK-8209615 |
17 | JDK-8215330 | xml | jaxp | javax.xml.catalog.CatalogResolverImpl: GroupEntry.matchURI fails to match |
The following sections summarize changes made in all Java SE 11.0.2 Advanced BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8209055 | tools | javac | c.s.t.javac.code.DeferredCompletionFailureHandler seems to use WeakHashMap incorrectly |
8179098 | security-libs | javax.crypto | Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73) |
8211765 | core-libs | java.util.jar | JarFile constructor throws undocumented java.nio.file.InvalidPathException |
8211698 | hotspot | compiler | Crash in C2 compiled code during execution of double array heavy processing code |
8210483 | tools | javac | AssertionError in DeferredAttr at setOverloadKind caused by JDK-8203679 |
8215398 | hotspot | runtime | -Xlog option usage => Invalid decorator '\temp\app_cds.log'. |
8220165 | security-libs | javax.crypto | Encryption using GCM results in RuntimeException: input length out of bound |
8201633 | security-libs | javax.crypto | Problems with AES-GCM native acceleration |
8201317 | security-libs | javax.crypto | X25519/X448 code improvements |
8208648 | security-libs | javax.crypto | ECC Field Arithmetic Enhancements |
January 15, 2019
The full version string for this update release is 11.0.2+9 (where "+" means "build"). The version number is 11.0.2.
JDK 11.0.2 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.2 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.2+9 |
10 | 10.0.99 |
9 | 9.0.99 |
8 | 1.8.0_201-b09 |
7 | 1.7.0_211-b07 |
6 | 1.6.0_221 |
The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.2) will expire with the release of the next critical patch update scheduled for April 16, 2019.
➜GTK+ 3.20 and Later Unsupported by Swing
Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore, Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release.
See JDK-8219072
➜TLS anon and NULL Cipher Suites are Disabled
The TLS anon (anonymous) and NULL cipher suites have been added to the jdk.tls.disabledAlgorithms security property and are now disabled by default.
See JDK-8211883
➜Linux Native Code Checks
Additional safeguards to protect against buffer overruns in native code have been enabled on Linux. If a buffer overrun is encountered the system will write the message “stack smashing detected” and the program will exit. Issues of this type should be reported to your vendor.
JDK-8196902 (not public)
➜ Enable Java Access Bridge Check Box Option in Control Panel Is Not Available with JDK 11 Installer
The Java Access Bridge checkbox in the Windows Control Panel is not available in JDK 11. This registration was part of the public JRE installation. However, Java Access Bridge can still be enabled and disabled by following these steps:
%JAVAHOME%\bin\windowsaccessbridge-64.dll to %WINDOWSHOME%\SYSTEM32. A reboot might be required after this step.
%JAVAHOME%\bin\jabswitch /enable and %JAVAHOME%\bin\jabswitch /disable.
%WINDOWSHOME% is the directory where Microsoft Windows is installed (for example, C:\WINDOWS)
%JAVAHOME% is the directory where your JDK is installed (for example, C:\Program Files\Java\jdk-11)
See JDK-8208637
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.2:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-7017058 | client-libs | 2d | Malayalam glyph substitution is failing for Malayalam with Windows Kartika font. |
2 | JDK-8210335 | client-libs | 2d | Clipping problems with complex affine transforms: negative scaling factors or small scaling factors |
3 | JDK-8206392 | client-libs | javax.swing | [macosx] Cycling through windows (JFrames) does not work with keyboard shortcut |
4 | JDK-8209786 | core-libs | | JDK12 fails to build on s390x with gcc 7.3 |
5 | JDK-8211437 | core-libs | java.net | java.net.http.HttpClient hangs on 204 reply without Content-length 0 |
6 | JDK-8203850 | core-libs | java.net | java.net.http HTTP client should allow specifying Origin and Referer headers |
7 | JDK-8211420 | core-libs | java.net | com.sun.net.httpserver.HttpServer returns Content-length header for 204 response code |
8 | JDK-8212926 | core-libs | java.net | HttpClient does not retrieve files with large sizes over HTTP/1.1 |
9 | JDK-8209576 | core-libs | java.nio.charsets | java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8 |
10 | JDK-8206389 | core-libs | java.util.jar | JarEntry.setCreation/LastAccessTime without setLastModifiedTime causes Invalid CEN header |
11 | JDK-8209775 | core-libs | java.util:i18n | ISO 4217 Amendment #169 Update |
12 | JDK-8208746 | core-libs | java.util:i18n | ISO 4217 Amendment #168 Update |
13 | JDK-8210153 | core-libs | java.util:i18n | localized currency symbol of VES |
14 | JDK-8210490 | core-libs | java.util:i18n | TimeZone.getDisplayName given Locale.US doesn't always honor the Locale |
15 | JDK-8212795 | core-svc | java.lang.management | ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to CompositeData |
16 | JDK-8212197 | core-svc | java.lang.management | OpenDataException thrown when constructing CompositeData for StackTraceElement |
17 | JDK-8209996 | hotspot | | [PPC64] Fix JFR profiling. |
18 | JDK-8211105 | hotspot | compiler | AArch64: Disable cos/sin and log intrinsics in jdk11u pending fix |
19 | JDK-8210497 | hotspot | compiler | [PPC64] Vector registers not saved across safepoint |
20 | JDK-8210319 | hotspot | compiler | [s390]: Use of shift operators not covered by cpp standard |
21 | JDK-8209950 | hotspot | compiler | SIGBUS in CodeHeapState::print_names() |
22 | JDK-8210355 | hotspot | compiler | Minimal and Zero non-PCH builds fail after JDK-8207343 (Automate vtable/itable stub size calculation) |
23 | JDK-8210357 | hotspot | compiler | Zero builds fail after JDK-8207343 (Automate vtable/itable stub size calculation) |
24 | JDK-8207343 | hotspot | compiler | Automate vtable/itable stub size calculation |
25 | JDK-8211375 | hotspot | compiler | Minimal VM build failures after JDK-8211251 (Default mask register for avx512 instructions) |
26 | JDK-8211272 | hotspot | compiler | x86_32 build failures after JDK-8210764 (Update avx512 implementation) |
27 | JDK-8211251 | hotspot | compiler | Default mask register for avx512 instructions |
28 | JDK-8210764 | hotspot | compiler | Update avx512 implementation |
29 | JDK-8209588 | hotspot | compiler | SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls |
30 | JDK-8209639 | hotspot | compiler | assert failure in coalesce.cpp: attempted to spill a non-spillable item |
31 | JDK-8211061 | hotspot | compiler | Tests fail with assert(VM_Version::supports_sse4_1()) on ThreadRipper CPU |
32 | JDK-8211231 | hotspot | compiler | BarrierSetC1::generate_referent_check() confuses register allocator |
33 | JDK-8211856 | hotspot | compiler | [ppc, s390] ProblemList some failing tests. |
34 | JDK-8209942 | hotspot | gc | [epsilon] range function for EpsilonTLABElasticity causes compiler warning |
35 | JDK-8212177 | hotspot | gc | Epsilon alignment adjustments can overflow max TLAB size |
36 | JDK-8212005 | hotspot | gc | Epsilon elastic TLAB sizing may cause misalignment |
37 | JDK-8211768 | hotspot | jfr | [s390] Implement JFR profiling. |
38 | JDK-8210775 | hotspot | jvmti | JVM TI Spec missing copyright |
39 | JDK-8212754 | hotspot | jvmti | Build failure: undefined JvmtiSampledObjectAllocEventCollector::object_alloc_is_safe_to_sample |
40 | JDK-8211909 | hotspot | jvmti | JDWP Transport Listener: dt_socket thread crash |
41 | JDK-8211065 | hotspot | runtime | Private method check in linkResolver is incorrect |
42 | JDK-8211208 | hotspot | runtime | make AllocateHeapAt an unsupported option on AIX |
43 | JDK-8211852 | hotspot | runtime | inspect stack during error reporting |
44 | JDK-8027434 | hotspot | runtime | "-XX:OnOutOfMemoryError" uses fork instead of vfork |
45 | JDK-8211714 | hotspot | runtime | Need to update vm_version.cpp to recognise VS2017 minor versions |
46 | JDK-8210754 | hotspot | runtime | print_location is not reliable enough (printing register info) |
47 | JDK-8210964 | hotspot | runtime | add more ld preloading info to hs_error file on Linux |
48 | JDK-8209889 | hotspot | runtime | RedefineStress tests crash |
49 | JDK-8211956 | hotspot | runtime | AppCDS crashes for some uses with JRuby |
50 | JDK-8210836 | hotspot | svc-agent | Build fails with warn_unused_result in openjdk/src/jdk.hotspot.agent/linux/native/libsaproc/ps_core.c |
51 | JDK-8211012 | install | uninstall | [Linux] JDK 11, warning when uninstall rpm package "warning: %postun(jdk-11-2000:11-ga.x86_64) scriptlet failed, exit status 2 |
52 | JDK-8209862 | security-libs | javax.crypto | CipherCore performance improvement |
53 | JDK-8210334 | security-libs | javax.net.ssl | TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes |
54 | JDK-8211883 | security-libs | javax.net.ssl | Disable anon and NULL cipher suites |
55 | JDK-8211806 | security-libs | javax.net.ssl | TLS 1.3 handshake server name indication is missing on a session resume |
56 | JDK-8210502 | tools | | jdeps does not handle properly on analyzing a mixture of MR JARs and non-MR JARs |
57 | JDK-8205593 | tools | javadoc(tool) | Javadoc -link makes broken links if module name matches package name |
58 | JDK-8210810 | tools | launcher | Escaped character at specific position in argument file is not handled properly |
59 | JDK-8212178 | xml | javax.xml.stream | Soft reference reclamation race in com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator |
October 16, 2018
The full version string for this update release is 11.0.1+13 (where "+" means "build"). The version number is 11.0.1.
JDK 11.0.1 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.1 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.1+13 |
10 | 10.0.99 |
9 | 9.0.99 |
8 | 1.8.0_191-b12 |
7 | 1.7.0_201-b11 |
6 | 1.6.0_211-b11 |
The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.1) will expire with the release of the next critical patch update scheduled for January 15, 2019.
The following root certificate has been added to the OpenJDK cacerts truststore:
teliasonerarootcav1
DN: CN=TeliaSonera Root CA v1, O=TeliaSonera
Endpoint identification has been enabled on LDAPS connections.
To improve robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.
Define this system property (or set it to true) to disable endpoint identification algorithms.
The file system location in Windows for the usagetracker.properties file has been moved from %ProgramData%\Oracle\Java\ to %ProgramFiles%\Java\conf.
There is no change in the file path for Linux, Solaris, or macOS.
Prior to JDK 8u261, the JSSE framework passed an array of Strings of all key types in one call to the (delegate) javax.net.ssl.X509KeyManager.chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) implementation when client authentication is present in an application. Since JDK 8u261, the internal JDK libraries may call the delegate javax.net.ssl.X509KeyManager.chooseClientAlias method in multiple iterations while performing client authentication, with one key type per call. See https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509KeyManager.html#chooseClientAlias-java.lang.String:A-java.security.Principal:A-java.net.Socket-
If application code implements javax.net.ssl.X509KeyManager, ensure that the code logic in that implementation does not assume that all key types are passed in the keyType String array in the first call to chooseClientAlias: String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
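A key manager written to tolerate both calling patterns treats every chooseClientAlias call on its own and returns null when none of the key types offered in that call has a usable alias. The class below is an added example, not JDK or Oracle code; the class name, the allow-list of aliases and the stub delegate with its alias names are constructed for illustration.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.X509KeyManager;

public class PerCallKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;     // e.g. obtained from a KeyManagerFactory
    private final Set<String> allowedAliases;  // hypothetical application allow-list

    public PerCallKeyManager(X509KeyManager delegate, Set<String> allowedAliases) {
        this.delegate = delegate;
        this.allowedAliases = allowedAliases;
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        // Each call is evaluated independently: no indexing of keyType[0] as "the"
        // type, no expectation that a given type is present, no state kept from
        // an earlier call that offered different key types.
        if (keyType == null) return null;
        for (String type : keyType) {
            String[] aliases = delegate.getClientAliases(type, issuers);
            if (aliases == null) continue;
            for (String alias : aliases) {
                if (allowedAliases.contains(alias)) return alias;
            }
        }
        return null; // no match among the types offered in this call
    }

    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) {
        return delegate.chooseServerAlias(keyType, issuers, s);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    public static void main(String[] args) {
        // Constructed stand-in for a keystore-backed key manager holding one EC
        // and one RSA client entry.
        X509KeyManager stub = new X509KeyManager() {
            public String[] getClientAliases(String keyType, Principal[] issuers) {
                if ("EC".equals(keyType)) return new String[] {"client-ec"};
                if ("RSA".equals(keyType)) return new String[] {"client-rsa"};
                return null;
            }
            public String chooseClientAlias(String[] k, Principal[] i, Socket s) { return null; }
            public String[] getServerAliases(String k, Principal[] i) { return null; }
            public String chooseServerAlias(String k, Principal[] i, Socket s) { return null; }
            public X509Certificate[] getCertificateChain(String alias) { return null; }
            public PrivateKey getPrivateKey(String alias) { return null; }
        };
        PerCallKeyManager km = new PerCallKeyManager(stub, Set.of("client-rsa"));

        // One key type per call, as described for JDK 8u261 and later.
        System.out.println("call 1 [EC]      -> " + km.chooseClientAlias(new String[] {"EC"}, null, null));
        System.out.println("call 2 [RSA]     -> " + km.chooseClientAlias(new String[] {"RSA"}, null, null));
        // All key types in one call, the earlier behaviour.
        System.out.println("call [EC, RSA]   -> " + km.chooseClientAlias(new String[] {"EC", "RSA"}, null, null));
    }
}
```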
DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the jdk.tls.disabledAlgorithms security property. These cipher suites can be reactivated by removing "DES" from the jdk.tls.disabledAlgorithms security property in the java.security file or by dynamically calling the Security.setProperty() method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the SSLSocket.setEnabledCipherSuites() or SSLEngine.setEnabledCipherSuites() methods.
Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the jdk.tls.disabledAlgorithms security property.
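To confirm that a runtime still carries the defaults described in the anon/NULL note and in the DES note above, the added example below (not JDK or Oracle code) checks jdk.tls.disabledAlgorithms for the three identifiers and classifies the cipher suites the default SSLContext enables. The class and method names are hypothetical and the sample suite list is constructed from standard suite names.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class WeakSuiteAudit {
    // Identifiers the release notes say are listed in jdk.tls.disabledAlgorithms.
    static final List<String> REQUIRED = Arrays.asList("anon", "NULL", "DES");

    /** Identifiers from REQUIRED that are absent from the property value. */
    static List<String> missingFromPolicy(String propertyValue) {
        List<String> entries = new ArrayList<>();
        if (propertyValue != null) {
            for (String e : propertyValue.split(",")) entries.add(e.trim());
        }
        List<String> missing = new ArrayList<>();
        for (String id : REQUIRED) {
            boolean found = false;
            for (String e : entries) {
                if (e.equalsIgnoreCase(id)) found = true;
            }
            if (!found) missing.add(id);
        }
        return missing;
    }

    /** Returns "anon", "NULL" or "DES" for a suite in one of those families, else null. */
    static String weakness(String suite) {
        // Suite names are underscore-separated tokens, so whole-token matching keeps
        // 3DES suites (token "3DES") out of the DES family checked here.
        List<String> tokens = Arrays.asList(suite.split("_"));
        if (tokens.contains("anon")) return "anon";
        if (tokens.contains("NULL")) return "NULL";
        if (tokens.contains("DES") || tokens.contains("DES40")) return "DES";
        return null;
    }

    /** Suites from the given list that fall into one of the three families. */
    static List<String> weakSuites(String[] suites) {
        List<String> hits = new ArrayList<>();
        for (String s : suites) {
            String w = weakness(s);
            if (w != null) hits.add(s + " (" + w + ")");
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + prop);
        System.out.println("Identifiers missing from the property: " + missingFromPolicy(prop));

        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        System.out.println("Weak suites enabled by default: " + weakSuites(enabled));

        // Constructed list, e.g. what an application might pass to setEnabledCipherSuites().
        String[] sample = {
            "TLS_AES_128_GCM_SHA256",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_NULL_SHA",
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA"
        };
        System.out.println("Weak suites in sample list: " + weakSuites(sample));
    }
}
```

Running weakSuites over the array an application hands to setEnabledCipherSuites() catches the second half of the re-enabling procedure described above, which the property check alone does not see.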
The specification of javax.crypto.CipherInputStream has been clarified to indicate that this class may catch BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client may not be informed that integrity checks failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (e.g. GCM). Applications that require authenticated encryption can use the Cipher API directly as an alternative to using this class.
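Using the Cipher API directly for GCM looks like the added example below (not JDK or Oracle code): decryption goes through doFinal, so a failed tag check reaches the caller as AEADBadTagException. The class name, the IV-prefixed message layout and the sample plaintext and associated data are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class GcmDirect {
    static final int TAG_BITS = 128;
    static final int IV_BYTES = 12;

    /** Returns IV || ciphertext || tag (layout chosen for this example). */
    static byte[] encrypt(SecretKey key, byte[] plaintext, byte[] aad) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh IV for every message under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Returns the plaintext, or throws AEADBadTagException if the tag check fails. */
    static byte[] decrypt(SecretKey key, byte[] message, byte[] aad) throws Exception {
        if (message.length < IV_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("message shorter than IV plus tag");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, message, 0, IV_BYTES));
        c.updateAAD(aad);
        // doFinal verifies the tag; on failure it throws instead of returning data.
        return c.doFinal(message, IV_BYTES, message.length - IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        // Constructed sample data.
        byte[] aad = "record-42".getBytes(StandardCharsets.UTF_8);
        byte[] msg = encrypt(key, "transfer 100 to alice".getBytes(StandardCharsets.UTF_8), aad);

        System.out.println("intact:   " + new String(decrypt(key, msg, aad), StandardCharsets.UTF_8));

        msg[msg.length - 1] ^= 0x01; // flip one bit in the authentication tag
        try {
            decrypt(key, msg, aad);
            System.out.println("tampered: accepted (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("tampered: rejected with " + e.getClass().getSimpleName());
        }
    }
}
```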
The following are some of the notable bug fixes included in this release:
➜LDAPS Communication Failure
Application code using LDAPS with a socket connect timeout that is <= 0 (the default value) may encounter an exception when establishing the connection.
The topmost frames from Exception stack traces of applications encountering such issues might resemble the following:
javax.naming.ServiceUnavailableException: <server:port>; socket closed
at com.sun.jndi.ldap.Connection.readReply(Unknown Source)
at com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)
...
See JDK-8211107
➜Better HTTP Redirection Support
In this release, the behavior of methods which application code uses to set request properties in java.net.HttpURLConnection has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects. If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling HttpURLConnection.setInstanceFollowRedirects(false) for the original request.
JDK-8196902 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.1:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8210345 | core-libs | java.io | The Japanese message of FileNotFoundException garbled. |
2 | JDK-8211107 | core-libs | javax.naming | LDAPS communication failure with jdk 1.8.0_181 |
3 | JDK-8208350 | security-libs | javax.net.ssl | Disable all DES cipher suites |
4 | JDK-8209916 | security-libs | javax.net.ssl | NPE in SupportedGroupsExtension |
5 | JDK-8210846 | security-libs | javax.net.ssl | TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth |
The Java Platform, Standard Edition 11 Development Kit (JDK 11) is a feature release of the Java SE platform. It contains new features and enhancements in many functional areas.
You can use the links on this page to open the Release Notes describing important changes, enhancements, removed APIs and features, deprecated APIs and features, and other information about JDK 11 and Java SE 11.
Links to other sources of information about JDK 11 are also provided. The JDK Guides and Reference Documentation link below displays a page containing links to the user guides, troubleshooting information, and specific information of interest to users moving from previous versions of the JDK. Links to the JDK 11 API Specification and the Java Language and Virtual Machine Specifications are provided below in the JDK 11 Specifications group.
Note: The Release Notes files are located only on our website.
JDK 11 Specifications: