java

Consolidated JDK 11 Release Notes

Consolidated Release Notes

This page contains all of the release notes for General Availability (GA) releases and Bundled Patch Release (BPR) builds of JDK 11.

BPR builds are available only as commercial offerings to Oracle customers. They include fixes critical to customers that could not wait until the next scheduled release. Fixes introduced on BPRs are added to later GA releases.

  • JDK 11.0.26 (GA)
  • JDK 11.0.25 (GA and BPR builds)
  • JDK 11.0.24 (GA and BPR builds)
  • JDK 11.0.23 (GA and BPR builds)
  • JDK 11.0.22 (GA and BPR builds)
  • JDK 11.0.21 (GA and BPR builds)
  • JDK 11.0.20 (GA and BPR builds)
  • JDK 11.0.19 (GA and BPR builds)
  • JDK 11.0.18 (GA and BPR builds)
  • JDK 11.0.17 (GA and BPR builds)
  • JDK 11.0.16.1 (GA and BPR builds)
  • JDK 11.0.16 (GA)
  • JDK 11.0.15.1 (GA and BPR builds)
  • JDK 11.0.15 (GA and BPR builds)
  • JDK 11.0.14 (GA and BPR builds)
  • JDK 11.0.13 (GA and BPR builds)
  • JDK 11.0.12 (GA and BPR builds)
  • JDK 11.0.11 (GA and BPR builds)
  • JDK 11.0.10 (GA and BPR builds)
  • JDK 11.0.9 (GA and BPR builds)
  • JDK 11.0.8 (GA and BPR builds)
  • JDK 11.0.7 (GA and BPR builds)
  • JDK 11.0.6 (GA and BPR builds)
  • JDK 11.0.5 (GA and BPR builds)
  • JDK 11.0.4 (GA and BPR builds)
  • JDK 11.0.3 (GA and BPR builds)
  • JDK 11.0.2 (GA and BPR builds)
  • JDK 11.0.1 (GA)
  • JDK 11 (GA)

Java™ SE Development Kit 11.0.26 (JDK 11.0.26)

Release date: January 21, 2025

The full version string for this update release is 11.0.26+7 (where "+" means "build"). The version number is 11.0.26. This JDK conforms to version 11.3 of the Java SE Specification (JSR 384 MR 3 2024-07-02).

 

IANA TZ Data 2024b

JDK 11.0.26 contains IANA time zone data 2024b which contains the following changes:

  • Improve historical data for Mexico, Mongolia, and Portugal.
  • System V names are now obsolescent.
  • The main data form now uses %z.
  • The code now conforms to RFC 8536 for early timestamps.
  • Support POSIX.1-2024, which removes asctime_r and ctime_r.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 11.0.26 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
1111.0.26+7
81.8.0_441-b07

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.26) be used after the next critical patch update scheduled for April 15, 2025.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

 

New Features

security-libs/java.security
 Thread and Timestamp Options for java.security.debug System Property (JDK-8051959)

The java.security.debug system property now accepts arguments which add thread ID, thread name, caller information, and timestamp information to debug statements for all components or a specific component.

+timestamp can be appended to debug options to print a timestamp for that debug option. +thread can be appended to debug options to print thread and caller information for that debug option.

Examples: -Djava.security.debug=all+timestamp+thread adds timestamp and thread information to every debug statement generated.

-Djava.security.debug=properties+timestamp adds timestamp information to every debug statement generated for the properties component.

You can also specify -Djava.security.debug=help which will display a complete list of supported components and arguments.

See Printing Thread and Timestamp Information for more information.

 

Other Notes

core-libs/java.lang
 ProcessBuilder on Windows Quotes Argument Strings Containing Any Space Character (JDK-8335428 (not public))

On Windows, the ProcessBuilder has expanded the quoting of argument strings when starting a process to ensure they are recognized by the application as a single command argument. The set of space characters has been expanded from space (0x20) to include all space characters as defined by java.lang.Character.isSpaceChar, which includes all Unicode space separator characters, such as EN-SPACE (0x2002), and line separator and paragraph separator characters.

core-libs/java.time
 Support for Time Zone Database 2024b (JDK-8339637)

IANA Time Zone Database has been upgraded to 2024b. This version mainly includes changes to improve historical data for Mexico, Mongolia, and Portugal. It also changes one timestamp abbreviation, for the time zone 'MET'. Also Asia/Choibalsan is now an alias for Asia/Ulaanbaatar.

The new tzdata changes also impact some legacy time zone IDs. As per 2024b changes "EST" links to "America/Panama", "HST" links to "Pacific/Honolulu" and "MST" links to "America/Phoenix". To maintain compatibility with the Java SE specification, the java.time.ZoneId.SHORT_IDS Map has not changed. Further details are available at JDK-8342331

tools/javadoc(tool)
 Standard Doclet Index Files Compression (JDK-8237909)

The Standard Doclet no longer generates pre-compressed index files. Decisions about compression are now left to the underlying means of delivery (for example, application layer protocols such as HTTP).

 

Updates to Third Party Libraries

Library New Version Module JBS
JSZip removed jdk.javadoc JDK-8237909
Pipewire 0.3.68 java.desktop JDK-8280982

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.26:

# JBS Component Summary
1JDK-8309621client-libs/java.awt[XWayland][Screencast] screen capture failure with sun.java2d.uiScale other than 1
2JDK-8280993client-libs/java.awt[XWayland] Popup is not closed on click outside of area controlled by XWayland
3JDK-8309756client-libs/java.awt Occasional crashes with pipewire screen capture on Wayland
4JDK-8313697client-libs/java.awt[XWayland][Screencast] consequent getPixelColor calls are slow
5JDK-8331011client-libs/java.awt[XWayland] TokenStorage fails under Security Manager
6JDK-8321176client-libs/java.awt[Screencast] make a second attempt on screencast failure
7JDK-8280994client-libs/java.awt[XWayland] Drag and Drop does not work in java -> wayland app direction
8JDK-8215921client-libs/java.awtThere is no change when select different Foreground and Background by mouse.
9JDK-8014503client-libs/java.awtAWT Choice implementation should be made consistent across platforms.
10JDK-8280982client-libs/java.awt[Wayland] [XWayland] java.awt.Robot taking screenshots
11JDK-8280132client-libs/java.beansIncorrect comparator com.sun.beans.introspect.MethodInfo.MethodOrder
12JDK-8308152client-libs/java.beansPropertyDescriptor should work with overridden generic getter method
13JDK-8329667client-libs/javax.accessibility[macos] Issue with JTree related fix for JDK-8317771
14JDK-8282578client-libs/javax.soundAIOOBE in javax.sound.sampled.Clip
15JDK-8319103client-libs/javax.swingPopups that request focus are not shown on Linux with Wayland
16JDK-8337792core-libsjavax.naming.NamingException: Could not resolve a valid ldap host when using LDAP connection in JDK11
17JDK-8340812core-libs/java.lang.invokeLambdaForm customization via MethodHandle::updateForm is not thread safe
18JDK-8312741hotspot/compilerC2: LoopLimitNode is not eliminated
19JDK-8337066hotspot/compilerRepeated call of StringBuffer.reverse with double byte string returns wrong result
20JDK-8315988hotspot/gcParallel: Make TestAggressiveHeap use createTestJvm
21JDK-8298129hotspot/jfrLet checkpoint event sizes grow beyond u4 limit
22JDK-8338389hotspot/jfr[JFR] Long strings should be added to the string pool
23JDK-8340387hotspot/runtimeUpdate OS detection code to recognize Windows Server 2025
24JDK-8328723security-libs/java.securityIP Address error when client enables HTTPS endpoint check on server socket
25JDK-8331864security-libs/java.securityUpdate Public Suffix List to 1cbd6e7
26JDK-8322809tools/jlinkSystemModulesMap::classNames and moduleNames arrays do not match the order

Java SE 11.0.25 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.25 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 11.0.25.0.1

Bug Fixes

Release date: October 15, 2024

security-libs/java.security
 Added SSL.com TLS Root CA Certificates Issued in 2022 (JDK-8341057)

The following root certificates have been added to the cacerts truststore:

+ SSL.com


  + ssltlsrootecc2022
    DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US

+ SSL.com
  + ssltlsrootrsa2022
    DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
BugId Category Subcategory Summary
JDK-8338389 hotspot jfr [JFR] Long strings should be added to the string pool

Java™ SE Development Kit 11.0.25 (JDK 11.0.25)

Release date: October 15, 2024

The full version string for this update release is 11.0.25+9 (where "+" means "build"). The version number is 11.0.25.

 

IANA TZ Data 2024a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 11.0.25 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
1111.0.25+9
81.8.0_431-b10

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.25) be used after the next critical patch update scheduled for January 21, 2025.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

 

Notable Issues Fixed

install/install
 JDK RPM Upgrade Leaves Orphan Alternatives Entry (JDK-8336107 (not public))

Fixed the issue with entries in the "java" and "javac" groups not being properly managed during an RPM upgrade.

Upgrading from an older Java RPM installed into a shared directory (/usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}) to a Java RPM installing into a version-specific directory (/usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}), results in the older Java entries in the "java" and "javac" groups not being deleted.

The issue does not manifest until the new Java is uninstalled. When it is uninstalled and Java from the lower release is installed, running Java commands like java or keytool without the full path specified will result in the "command not found" error. For example, install 21.0.3; upgrade it to 21.0.4; uninstall 21.0.4; install any Java update of 17 or 11 or 8 release; run "java" from the command line. The command will fail with the "command not found" error.

Manually delete orphan Java entries in the "java" and "javac" groups to workaround the issue.

 

Other Notes

core-libs/java.net
 New Default Limits in the JDK HTTP Implementations (JDK-8328286 (not public))

New Default limits have been added to HTTP in the JDK.

The JDK built-in implementation of the legacy URL protocol handler for HTTP, HttpURLConnection, and the new HttpClient, in the module java.net.http, now have a default limit on the maximum response headers size they will accept from a remote party. The limit is set by default at 384kB (393216 bytes) and is computed as the cumulative size of all header names and header values plus an overhead of 32 bytes per header name value pair.

The default value of the limit can be changed by specifying a positive value with the jdk.http.maxHeaderSize system property on the command line, or in the appropriate conf.properties or net.properties file. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.

The JDK built-in implementation of the com.sun.net.httpserver.HttpServer (jdk.httpserver) implements a similar limit for the maximum request header size the server is prepared to accept. The HttpServer limit can be changed by specifying a positive value with the sun.net.httpserver.maxReqHeaderSize system property on the command line. A negative or zero value is interpreted as no limit. The limit is set by default at 384kB (393216 bytes) and the size is computed in the same way as explained above. If the limit is exceeded, the connection is closed.

In addition, the JDK built-in implementation of the new java.net.http.HttpClient enforces two additional limits:

The system property jdk.httpclient.maxNonFinalResponses can be specified with a positive value on the java command line, or in the conf.properties or net.properties file, to control how many interim responses the client will accept before receiving a final response. An interim response is considered informational and is a response whose status is in the range [100, 199]. These responses are typically either handled internally or simply discarded by the implementation. The default limit is now set at a maximum of 8 interim responses before receiving the final response. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.

The system property jdk.httpclient.maxLiteralWithIndexing can be specified with a positive value on the java command line, or in the conf.properties or net.properties file, to control how many additions a server may request a client to make to the HPack dynamic table when decoding a set of headers. The default maximum value is now set to 512. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.

security-libs/java.security
 Added SSL.com TLS Root CA Certificates Issued in 2022 (JDK-8341057)

The following root certificates have been added to the cacerts truststore:

+ SSL.com

  + ssltlsrootecc2022
    DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US

+ SSL.com
  + ssltlsrootrsa2022
    DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US

security-libs/javax.net.ssl
 Disabled TLS_ECDH Cipher Suites (JDK-8279164)

The TLS_ECDH cipher suites have been disabled by default, by adding "ECDH" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. The TLS_ECDH cipher suites do not preserve forward-secrecy and are rarely used in practice. Note that some TLS_ECDH cipher suites were already disabled because they use algorithms that are disabled, such as 3DES and RC4. This action disables the rest. Any attempts to use cipher suites starting with "TLS_ECDH_" will fail with an SSLHandshakeException. Users can, at their own risk, re-enable these cipher suites by removing "ECDH" from the jdk.tls.disabledAlgorithms security property.

Please note that this change has no effect on the TLS_ECDHE cipher suites, which are still enabled by default.

security-libs/javax.net.ssl
 Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024 (JDK-8337664)

The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.

TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.

An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:

TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048),

OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net

If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Entrust Root certificates included in the JDK:

Root Certificates distrusted after 2024-11-11
Distinguished Name SHA-256 Fingerprint
CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US

73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C

CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5

CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39

CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88

CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net

6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77

CN=AffirmTrust Commercial, O=AffirmTrust, C=US

03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7

CN=AffirmTrust Networking, O=AffirmTrust, C=US

0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B

CN=AffirmTrust Premium, O=AffirmTrust, C=US

70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A

CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US

BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23


You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.

client-libs
 Relax the java.awt.Robot Specification (JDK-8307779)

This JDK release relaxes the specification of java.awt.Robot to account for possible platform and desktop environment access restrictions or limitations.

core-libs/java.lang
 System Property for Java SE Specification Maintenance Version (JDK-8335223)

This JDK implements Maintenance Release 3 of the Java SE 11 specification JSR 384. This is indicated by the system property java.specification.maintenance.version having the value of "3".

core-libs/java.text
 MessageFormat ArgumentIndex Now Has a Limit (JDK-8331446 (not public))

In the JDK, java.text.MessageFormat now has an implementation limit for the ArgumentIndex pattern element. The hard limit for the value is 10,000.

If an ArgumentIndex value is equal to or exceeds the upper limit, an IllegalArgumentException will now be thrown by

  • MessageFormats constructors
  • applyPattern(String pattern) instance method
  • format(String pattern, Object... arguments) static method

De-serializing a MessageFormat object with an ArgumentIndex value at or over the limit will throw an InvalidObjectException.

core-svc/java.lang.management
 The ClassLoadingMXBean and MemoryMXBean isVerbose Methods Are Now Consistent with Their setVerbose Methods (JDK-8338139)

The ClassLoadingMXBean::setVerbose(boolean enabled) method will set class+load* logging on log output stdout to level info if enabled is true, and to level off otherwise. In contrast, the isVerbose method would check if exactly class+load logging was enabled at the info level on any log output. This could result in counter-intuitive behavior when logging class+load=info to a file via the command-line, as it caused isVerbose to return true, even after a call to setVerbose(false) had been made. A similar problem existed for the MemoryMXBean::isVerbose method. Starting with this release, the behavior is as follows:

  • ClassLoadingMXBean::isVerbose will return true only if class+load* logging (note the wildcard use) has been enabled at the info level (or above) on the stdout log output.
  • MemoryMXBean::isVerbose will return true only if gc logging has been enabled at the info level (or above) on the stdout log output.

tools/launcher
 Available Locales Information Now Listed with -XshowSettings:locale Option (JDK-8310201)

The showSettings launcher option no longer prints available locales information by default, when -XshowSettings is used. The -XshowSettings:locale option will continue to print all settings related to available locales.

 

Updates to Third Party Libraries

Library New Version Module JBS
GIFlib 5.2.2 java.desktop JDK-8328999
Libpng 1.6.43 java.desktop JDK-8329004
JQuery 3.7.1 jdk.javadoc JDK-8330063

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.25:

# JBS Component Summary
1JDK-8328896client-libs/2dFontmetrics for large Fonts has zero width
2JDK-8280786client-libs/2dBuild failure on Solaris after 8262392
3JDK-8325179client-libs/javax.swingRace in BasicDirectoryModel.validateFileCache
4JDK-8294680client-libs/javax.swingRefactor scaled border rendering
5JDK-8328953client-libs/javax.swingJEditorPane.read throws ChangedCharSetException
6JDK-8320570core-libs/java.langNegativeArraySizeException decoding >1G UTF8 bytes with non-ascii characters
7JDK-8330416core-libs/java.langUpdate system property for Java SE specification maintenance version
8JDK-8267938core-libs/java.net(sctp) SCTP channel factory methods should check platform support
9JDK-8299058core-libs/java.netAssertionError in sun.net.httpserver.ServerImpl when connection is idle
10JDK-8332424core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2024-05-16
11JDK-8334418core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2024-06-14
12JDK-8334653core-libs/java.util:i18nISO 4217 Amendment 177 Update
13JDK-8313619hotspot/compilerTestIntrinsicsRegStress.java fails on SPARC
14JDK-8078725hotspot/jvmtimethod adjustments can be done just once for all classes involved into redefinition
15JDK-8235671hotspot/runtimeenhance print_rlimit_info in os_posix
16JDK-8221470hotspot/runtimePrint methods in exception messages in java-like Syntax.
17JDK-8205611hotspot/runtimeImprove the wording of LinkageErrors to include module and class loader information
18JDK-8218147hotspot/runtimemake_walkable asserts on multiple calls
19JDK-8253207other-libs/otherenable problemlists jcheck's check
20JDK-8261433security-libs/javax.crypto:pkcs11Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit
21JDK-8341059security-libs/javax.net.sslChange Entrust TLS distrust date to November 12, 2024
22JDK-8259530tools/javadoc(tool)Generated docs contain MIT/GPL-licenced works without reproducing the licence

Java SE 11.0.24 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.24 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 11.0.24.0.3

Bug Fixes

Release date: September 18, 2024
BugId Category Subcategory Summary
JDK-8337792 core-libs javax.naming.NamingException: Could not resolve a valid ldap host when using LDAP connection in JDK11

 

Changes in Java SE 11.0.24.0.2

Bug Fixes

Release date: August 16, 2024
BugId Category Subcategory Summary
JDK-8336107 (not public) install JDK rpm upgrade from 11.0.23 to 11.0.25 leaves "orphan" alternatives entry

 

Changes in Java SE 11.0.24.0.1

Bug Fixes

Release date: July 16, 2024
BugId Category Subcategory Summary
JDK-8333447 (not public) install install "alternatives" uninstallation results into intermittent “Java not available” issues
JDK-8333859 core-libs java.util.jar Pack200.newUnpacker().unpack() throws IOException

Java™ SE Development Kit 11.0.24 (JDK 11.0.24)

Release date: July 16, 2024

The full version string for this update release is 11.0.24+7 (where "+" means "build"). The version number is 11.0.24.

 

IANA TZ Data 2024a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 11.0.24 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
1111.0.24+7
88u421-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.24) be used after the next critical patch update scheduled for October 15, 2024.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

 

New Features

security-libs/java.security
 New Security Category for -XshowSettings Launcher Option (JDK-8281658)

The -XshowSettings launcher has a new security category. Settings from security properties, security providers and TLS related settings are displayed with this option. A security sub-category can be passed as an argument to the security category option. See the output from java -X:

   -XshowSettings:security

       show all security settings and continue
   -XshowSettings:security:*sub-category*
       show settings for the specified security sub-category and continue. Possible *sub-category* arguments for this option include:
       all: show all security settings and continue
       properties: show security properties and continue
       providers: show static security provider settings and continue
       tls: show TLS related security settings and continue

Third party security provider details will be reported if they are included in the application class path or module path and such providers are configured in the java.security file.

 

Removed Features and Options

install/install
 Remove Obsolete Desktop Integration from Linux Installers (JDK-8322234 (not public))

Delete nonfunctional desktop integration functionality from Linux installers. The installers will stop depositing files in /usr/share/icons, /usr/share/mime, and /usr/share/applications subtrees.

 

Other Notes

security-libs/java.security
 Added GlobalSign R46 and E46 Root CA Certificates (JDK-8316138)

The following root certificates have been added to the cacerts truststore:

+ GlobalSign

  + globalsignr46
    DN: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE

+ GlobalSign
  + globalsigne46
    DN: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE

security-libs/javax.net.ssl
 Disabled DTLS 1.0 (JDK-8256660)

DTLS 1.0 has been disabled by default, by adding "DTLSv1.0" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. DTLS 1.0 has weakened over time and lacks support for stronger cipher suites. Any attempts to use DTLSv1.0 will fail with an SSLHandshakeException. Users can, at their own risk, re-enable the version by removing "DTLSv1.0" from the jdk.tls.disabledAlgorithms security property.

infrastructure/build
 Native Executables and Libraries on Linux Use RPATH Instead of RUNPATH (JDK-8326891)

Native executables and libraries on Linux have switched to using RPATH instead of RUNPATH in this release.

JDK native executables and libraries use embedded runtime search paths to locate other internal JDK native libraries. On Linux these can be defined as either RPATH or RUNPATH. The main difference is that the dynamic linker considers RPATH before the LD_LIBRARY_PATH environment variable, while RUNPATH is only considered after LD_LIBRARY_PATH.

By making the change to using RPATH, it is no longer possible to replace JDK internal native libraries using LD_LIBRARY_PATH.

install/install
 Install DEB and RPM Java Packages in Version Directory (JDK-8325265 (not public))

The installation directory name of the Oracle JDK in RPM and DEB packages has changed from /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH} to /usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}.

Every update release will be installed in a separate directory on Linux platform.

Installers will create a /usr/java/jdk-${FEATURE}-oracle-${ARCH} link pointing to the installation directory to allow programs to find the latest JDK version in the ${FEATURE} release train.

 

Updates to Third Party Libraries

Library New Version Module JBS
LCMS 2.16 java.desktop JDK-8321489
Zlib Data Compression Library 1.3.1 java.base JDK-8324632

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.24:

# JBS Component Summary
1JDK-8318854client-libs/java.awt[macos14] Running any AWT app prints Secure coding warning
2JDK-8317771client-libs/javax.accessibility[macos14] Expand/collapse a JTree using keyboard freezes the application in macOS 14 Sonoma
3JDK-8296878client-libs/javax.swingDocument Filter attached to JPasswordField and setText("") is not cleared instead inserted characters replaced with unicode null characters
4JDK-8218917client-libs/javax.swingKeyEvent.getModifiers() returns inconsistent values for ALT keys
5JDK-8322239client-libs/javax.swing[macos] a11y : java.lang.NullPointerException is thrown when focus is moved on the JTabbedPane
6JDK-8187759client-libs/javax.swingBackground not refreshed when painting over a transparent JFrame
7JDK-8258956core-libs/java.langMemory Leak in StringCoding on ThreadLocal resultCached StringCoding.Result
8JDK-8302791core-libs/java.lang:class_loadingAdd specific ClassLoader object to Proxy IllegalArgumentException message
9JDK-8319436core-libs/java.lang:reflectProxy.newProxyInstance throws NPE if loader is null and interface not visible from class loader
10JDK-8318599core-libs/java.netHttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809
11JDK-8292044core-libs/java.netHttpClient doesn't handle 102 or 103 properly
12JDK-8242999core-libs/java.netHTTP/2 client may not handle CONTINUATION frames correctly
13JDK-8263940core-libs/java.nioNPE when creating default file system when default file system provider is packaged as JAR file on class path
14JDK-8318322core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-10-16
15JDK-8304761core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-03-22
16JDK-8302512core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-02-14
17JDK-8306031core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-04-13
18JDK-8308021core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-05-11
19JDK-8327631core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2024-03-07
20JDK-8313702core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-08-02
21JDK-8326638hotspot/compilerCrash in PhaseIdealLoop::remix_address_expressions due to unexpected Region instead of Loop
22JDK-8215205hotspot/compiler javaVFrame much slower than vframeStream
23JDK-8208669hotspot/gcGC changes to allow enabling -Wreorder
24JDK-8236124hotspot/jvmtiMinimal VM slowdebug build failed after JDK-8212160
25JDK-8254270hotspot/svclinux 32 bit build doesn't compile libjdwp/log_messages.c
26JDK-8241960security-libs/java.securityThe SHA3 message digests impl of SUN provider are not thread safe after cloned
27JDK-8214583security-libs/java.securityAccessController.getContext may return wrong value after JDK-8212605
28JDK-8212605security-libs/java.securityPure-Java implementation of AccessController.doPrivileged
29JDK-8214329security-libs/java.securitySwingMark SubMenus 9% regression in 12-b19 on Linux client
30JDK-8326643security-libs/java.securityJDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message
31JDK-8236512security-libs/javax.crypto:pkcs11PKCS11 Connection closed after Cipher.doFinal and NoPadding
32JDK-8312383security-libs/javax.net.sslLog X509ExtendedKeyManager implementation class name in TLS/SSL connection
33JDK-8303809security-libs/org.ietf.jgssDispose context in SPNEGO NegotiatorImpl

Java SE 11.0.23 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.23 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 11.0.23.0.1

Release date: April 16, 2024

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 11.0.23 (JDK 11.0.23)

Release date: April 16, 2024

The full version string for this update release is 11.0.23+7 (where "+" means "build"). The version number is 11.0.23.

 

IANA TZ Data 2024a

JDK 11.0.23 contains IANA time zone data 2024a which contains the following changes:

  • Ittoqqortoormiit, Greenland changes time zones on 2024-03-31.
  • Vostok, Antarctica changed time zones on 2023-12-18.
  • Casey, Antarctica changed time zones five times since 2020.
  • Code and data fixes for Palestine timestamps starting in 2072.
  • A new data file zonenow.tab for timestamps starting now.
  • Kazakhstan unifies on UTC+5 beginning 2024-03-01.
  • Palestine springs forward a week later after Ramadan.
  • zic no longer pretends to support indefinite-past DST.
  • localtime no longer mishandles Ciudad Juárez in 2422.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 11.0.23 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
1111.0.23+7
88u411-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.23) be used after the next critical patch update scheduled for July 16, 2024.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

 

New Features

security-libs/javax.crypto
 Update XML Security for Java to 3.0.3 (JDK-8319124)

The XML Signature implementation has been updated to Santuario 3.0.3. Support for four new SHA-3 based RSA-MGF1 signature methods have been added: SHA3_224_RSA_MGF1, SHA3_256_RSA_MGF1, SHA3_384_RSA_MGF1, and SHA3_512_RSA_MGF1. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK update releases, they may be represented as string literals in order to be functionally equivalent. SHA-3 hash algorithm support was delivered to JDK 9 via JEP 287. Releases earlier than that may use third party security providers.

Additionally, support for the following EdDSA signatures has been added: ED25519 and ED448. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK Update releases, they may be represented as string literals in order to be functionally equivalent. The JDK supports EdDSA since JDK 15. Releases earlier than that may use 3rd party security providers. One other difference is that the JDK still supports the here() function by default. However, we recommend avoiding the use of the here() function in new signatures and replacing existing signatures that use the here() function. Future versions of the JDK will likely disable, and eventually remove, support for this function, as it cannot be supported using the standard Java XPath API. Users can now disable the here() function by setting the security property jdk.xml.dsig.hereFunctionSupported to "false".

 

Other Notes

client-libs/java.awt
 AWT SystemTray API Is Not Supported on Most Linux Desktops (JDK-8322750)

The java.awt.SystemTray API is used for notifications in a desktop taskbar and may include an icon representing an application. On Linux, the Gnome desktop's own icon support in the taskbar has not worked properly for several years due to a platform bug. This, in turn, has affected the JDK's API, which relies upon that.

Therefore, in accordance with the existing Java SE specification, java.awt.SystemTray.isSupported() will return false where ever the JDK determines the platform bug is likely to be present.

The impact of this is likely to be limited since applications always must check for that support anyway. Additionally, some distros have not supported the SystemTray for several years unless the end-user chooses to install non-bundled desktop extensions.

security-libs/java.security
 Added Certainly R1 and E1 Root Certificates (JDK-8321408)

The following root certificates have been added to the cacerts truststore:

+ Certainly

  + certainlyrootr1
    DN: CN=Certainly Root R1, O=Certainly, C=US
+ Certainly
  + certainlyroote1
    DN: CN=Certainly Root E1, O=Certainly, C=US

security-libs/javax.xml.crypto
 Enable XML Signature Secure Validation Mode by Default (JDK-8259801)

The XML Signature secure validation mode has been enabled by default (previously it was not enabled by default unless running with a security manager). When enabled, validation of XML signatures are subject to stricter checking of algorithms and other constraints as specified by the jdk.xml.dsig.secureValidationPolicy security property.

If necessary, and at their own risk, applications can disable the mode by setting the org.jcp.xml.dsig.secureValidation property to Boolean.FALSE with the DOMValidateContext.setProperty() API.

 

Updates to Third Party Libraries

Library New Version Module JBS
FreeType 2.13.2 java.desktop JDK-8316028
HarfBuzz 8.2.2 java.desktop JDK-8313643
Joni 2.2.1 jdk.scripting.nashorn JDK-8322094
libpng 1.6.40 java.desktop JDK-8316030
Xalan Java 2.7.3 java.xml JDK-8305814
XML Security for Java 3.0.3 java.xml.crypto JDK-8319124

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.23:

# JBS Component Summary
1JDK-8318951client-libs/2dAdditional negative value check in JPEG decoding
2JDK-8301846client-libs/javax.soundInvalid TargetDataLine after screen lock when using JFileChooser or COM library
3JDK-8213478core-libs/java.lang.invokeReduce rebinds when applying repeated filters and conversions
4JDK-8223454core-libs/java.lang.invokeReduce String concatenation shapes by folding initialLengthCoder into last mixer
5JDK-8222852core-libs/java.lang.invokeReduce String concat combinator tree shapes by folding constants into prependers
6JDK-8213035core-libs/java.lang.invokePack MethodHandleInlineStrategy coder and length into a long
7JDK-8212726core-libs/java.lang.invokeReplace some use of drop- and foldArguments with filtering argument combinator in StringConcatFactory
8JDK-8281560core-libs/java.util.regexMatcher.hitEnd returns unexpected results in presence of CANON_EQ flag.
9JDK-8321480core-libs/java.util:i18nISO 4217 Amendment 176 Update
10JDK-8307683hotspot/compilerLoop Predication should not hoist range checks with trap on success projection by negating their condition
11JDK-8309119hotspot/compiler[17u/11u] Redo JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication
12JDK-8321215hotspot/compilerIncorrect x86 instruction encoding for VSIB addressing mode
13JDK-8236772hotspot/compilerFix build for windows 32-bit after 8212160 and 8234331.
14JDK-8318889hotspot/compilerC2: add bailout after assert Bad graph detected in build_loop_late
15JDK-8317507hotspot/compilerC2 compilation fails with "Exceeded _node_regs array"
16JDK-8213927hotspot/gcG1 ignores AlwaysPreTouch when UseTransparentHugePages is enabled
17JDK-8287113hotspot/jfrJFR: Periodic task thread uses period for method sampling events
18JDK-8322321hotspot/runtimeAdd man page doc for -XX:+VerifySharedSpaces
19JDK-8268893hotspot/runtimejcmd to trim the glibc heap
20JDK-8323243hotspot/runtimeJNI invocation of an abstract instance method corrupts the stack
21JDK-8320208security-libs/java.securityUpdate Public Suffix List to b5bf572
22JDK-8302182security-libs/java.securityUpdate Public Suffix List to 88467c9
23JDK-8307185security-libs/javax.crypto:pkcs11pkcs11 native libraries make JNI calls into java code while holding GC lock
24JDK-8255867security-libs/javax.net.sslSignatureScheme JSSE property does not preserve ordering in handshake messages
25JDK-8284910security-libs/javax.securityBuffer clean in PasswordCallback
26JDK-8318971tools/jarBetter Error Handling for Jar Tool When Processing Non-existent Files
27JDK-8308245tools/javacAdd -proc:full to describe current default annotation processing policy
28JDK-8216408xml/javax.xml.streamXMLStreamWriter setDefaultNamespace(null) throws NullPointerException
29JDK-8223291xml/javax.xml.transformWhitespace is added to CDATA tags when using OutputKeys.INDENT to format XML
30JDK-8237456xml/javax.xml.transformTransform filtered through SAX filter mishandles character entities
31JDK-8265073xml/javax.xml.transformXML transformation and indentation when using xml:space
32JDK-8220818xml/javax.xml.validationValidator does not find missing match for keyref error

Java SE 11.0.22 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.22 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

 

Changes in Java SE 11.0.22.0.3

Bug Fixes

March 14, 2024
BugId Category Subcategory Summary
JDK-8325580 (not public) install install Remove "alternatives --remove" call from Java rpm installer
JDK-8325150 core-libs java.time (tz) Update Timezone Data to 2024a

 

Changes in Java SE 11.0.22.0.2

Bug Fixes

February 12, 2024
BugId Category Subcategory Summary
JDK-8268893 hotspot runtime jcmd to trim the glibc heap
JDK-8322725 core-libs java.time (tz) Update Timezone Data to 2023d

Changes in Java SE 11.0.22.0.1

January 16, 2024

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 11.0.22 (JDK 11.0.22)

January 16, 2024

The full version string for this update release is 11.0.22+9 (where "+" means "build"). The version number is 11.0.22.

 

IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the Java Runtime.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 11.0.22 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
1111.0.22+9
88u401-b10

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.22) be used after the next critical patch update scheduled for April 16, 2024.

Java SE Subscription products customers managing JRE updates/installs for large number of desktops should consider using Java Management Service (JMS).

 

New Features

security-libs/javax.xml.crypto
 New System Property to Toggle XML Signature Secure Validation Mode (JDK-8301260)

A new system property named org.jcp.xml.dsig.secureValidation has been added. It can be used to enable or disable the XML Signature secure validation mode. The system property should be set to "true" to enable, or "false" to disable. Any other value for the system property is treated as "false". If the system property is set, it supersedes the XMLCryptoContext property value.

Secure validation mode is enabled by default if you are running the code with a SecurityManager, otherwise it is disabled by default.

 

Known Issues

hotspot/compiler
 Potential Performance Regression Due to Limited Range Check Elimination (JDK-8314468 (not public))

When the C1 compiler is the only compiler available to the VM, it applies loop predication to remove array access range checks from loop bodies. Due to a defect, this optimization was disabled, potentially leading to a performance regression.

This only affects the client VM or VM's running with the non-default command line flags -XX:+NeverActAsServerClassMachine or -XX:TieredStopAtLevel=[1,2,3].

 

Other Notes

hotspot/runtime
 Add Process-Memory Information to hs-err and VM.info (JDK-8251255)

On Linux, process memory information has been added to both JVM crash reports (hs_err files) and the VM.info diagnostic jcmd. This information contains the process' virtual size, its resident set size, and how much memory was swapped out. If the JVM uses glibc, the size of glibc outstanding allocations and retained memory are printed, as well as the glibc tunables.

security-libs/java.security
 Increase Default Value of the System Property jdk.jar.maxSignatureFileSize (JDK-8312489)

The system property, jdk.jar.maxSignatureFileSize, allows applications to control the maximum size of signature files in a signed JAR. Its default value has been increased from 8000000 bytes (8 MB) to 16000000 bytes (16 MB).

security-libs/java.security
 Added Four Root Certificates from DigiCert, Inc. (JDK-8318759)

The following root certificates have been added to the cacerts truststore:

+ DigiCert, Inc.

  + digicertcseccrootg5
    DN: CN=CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicertcsrsarootg5
    DN: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlseccrootg5
    DN: DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlsrsarootg5
    DN: DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US

security-libs/java.security
 Added Three Root Certificates from eMudhra Technologies Limited (JDK-8319187)

The following root certificates have been added to the cacerts truststore:

+ eMudhra Technologies Limited

  + emsignrootcag1
    DN: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsigneccrootcag3
    DN: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsignrootcag2
    DN: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

security-libs/java.security
 Added Telia Root CA v2 Certificate (JDK-8317373)

The following root certificate has been added to the cacerts truststore:

+ Telia Root CA v2

  + teliarootcav2
    DN: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI

security-libs/java.security
 Added ISRG Root X2 CA Certificate from Let's Encrypt (JDK-8317374)

The following root certificate has been added to the cacerts truststore:

+ Let's Encrypt

  + letsencryptisrgx2
    DN: CN=ISRG Root X2, O=Internet Security Research Group, C=US

security-libs/javax.net.ssl
 Call X509KeyManager.chooseClientAlias Once for All Key Types (JDK-8262186)

The (D)TLS implementation in JDK now calls X509KeyManager.chooseClientAlias() only once during handshaking for client authentication, even if there are multiple algorithms requested .

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.22:

# JBS Component Summary
1JDK-8238436client-libs/java.awtjava/awt/Frame/FrameLocationTest/FrameLocationTest.java fails
2JDK-8266421client-libs/javax.soundDeadlock in Sound System
3JDK-8153090client-libs/javax.swingTAB key cannot change input focus after the radio button in the Color Selection dialog
4JDK-8294427client-libs/javax.swingCheck boxes and radio buttons have rendering issues on Windows in High DPI env
5JDK-8314263core-libs/java.util.loggingSigned jars triggering Logger finder recursion and StackOverflowError
6JDK-8303440core-libs/java.util:i18nThe "ZonedDateTime.parse" may not accept the "UTC+XX" zone id
7JDK-8313657core-libs/javax.namingcom.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors
8JDK-8314063core-libs/javax.namingThe socket is not closed in Connection::createSocket when the handshake failed for LDAP connection
9JDK-8198540core-libs/jdk.nashornDynalink leaks memory when generating type converters
10JDK-8299658hotspot/compilerC1 compilation crashes in LinearScan::resolve_exception_edge
11JDK-8313626hotspot/compilerC2 crash due to unexpected exception control flow
12JDK-8307572hotspot/compilerAArch64: Vector registers are clobbered by some macroassemblers
13JDK-8316178hotspot/compilerBetter diagnostic header for CodeBlobs
14JDK-8316514hotspot/compilerBetter diagnostic header for VtableStub
15JDK-8292713hotspot/compilerUnsafe.allocateInstance should be intrinsified without UseUnalignedAccesses
16JDK-8244207hotspot/compilerSimplify usage of Compile::print_method() when debugging with gdb and enable its use with rr
17JDK-8313756hotspot/compiler[BACKOUT] 8308682: Enhance AES performance
18JDK-8313760hotspot/compiler[REDO] Enhance AES performance
19JDK-8210265hotspot/gcCrash in HSpaceCounters::update_used()
20JDK-8275333hotspot/gcPrint count in "Too many recored phases?" assert
21JDK-8316906hotspot/gcClarify TLABWasteTargetPercent flag
22JDK-8207200hotspot/gcCommitted > max memory usage when getting MemoryUsage
23JDK-8209062hotspot/gcClean up G1MonitoringSupport
24JDK-8209061hotspot/gcMove G1 serviceability functionality to G1MonitoringSupport
25JDK-8208498hotspot/gcPut archive regions into a first-class HeapRegionSet
26JDK-8263185hotspot/runtimeMallinfo deprecated in glibc 2.33
27JDK-8320597security-libs/java.securityRSA signature verification fails on signed data that does not encode params correctly
28JDK-8302017security-libs/java.securityAllocate BadPaddingException only if it will be thrown
29JDK-8313792tools/jshellVerify 4th party information in src/jdk.internal.le/share/legal/jline.md

Java SE 11.0.21 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.21 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 11.0.21.0.2

November 27, 2023

security-libs/java.security
 Increase Default Value of the System Property jdk.jar.maxSignatureFileSize (JDK-8312489)

The system property, jdk.jar.maxSignatureFileSize, allows applications to control the maximum size of signature files in a signed JAR. Its default value has been increased from 8000000 bytes (8 MB) to 16000000 bytes (16 MB).

BugId Component Subcomponent Summary
JDK-8312489 security-libs java.security Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
JDK-8314880 (not public) security-libs org.ietf.jgss Migrate SEAM KDC from sc11152399 to jpg-seclibs-infra-1-sol
JDK-8316192 core-libs Increased startup time observed when upgrading from 8 to 11
JDK-8054022 core-libs java.net HttpURLConnection timeouts with Expect: 100-Continue and no chunking

Changes in Java SE 11.0.21.0.1

BugId Component Subcomponent Summary
JDK-8314263 core-libs java.util.logging Signed jars triggering Logger finder recursion and StackOverflowError
JDK-8315696 core-libs java.util.logging SignedLoggerFinderTest.java test failed
JDK-8316087 core-libs java.util.logging Test SignedLoggerFinderTest.java is still failing
JDK-8232933 tools javac Javac inferred type does not conform to equality constraint
JDK-8309489 (not public) install install 17.0.7/11.0.19 and later fail to run jar file via UNC path when using .exe files under javapath

Java™ SE Development Kit 11.0.21 (JDK 11.0.21)

October 17, 2023

The full version string for this update release is 11.0.21+9 (where "+" means "build"). The version number is 11.0.21.

 

IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.21 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
1111.0.21+9
88u391-b13

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.21) be used after the next critical patch update scheduled for January 16, 2024.

 

New Features

tools/launcher
 -XshowSettings:locale Output Now Includes Tzdata Version (JDK-8305950)

The -XshowSettings launcher option has been enhanced to print the tzdata version configured with the JDK. The tzdata version is displayed as part of the locale showSettings option.

Example output using -X:showSettings:locale:

.....

Locale settings:
    default locale = English
    default display locale = English
    default format locale = English
    tzdata version = 2023c
    .....

 

Removed Features and Options

security-libs/java.security
 Removed SECOM Trust System's RootCA1 Root Certificate (JDK-8295894)

The following root certificate from SECOM Trust System has been removed from the cacerts keystore:

+ alias name "secomscrootca1 [jdk]"

  Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP

 

Other Notes

security-libs/java.security
 Added Certigna Root CA Certificate (JDK-8314960)

The following root certificate has been added to the cacerts truststore:

+ Certigna (Dhimyotis)

  + certignarootca
    DN: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR

install/install
 Debian JDK Installer Changes (JDK-8284854 (not public))

The installation directory of Oracle JDK Debian packages has changed. It was originally `/usr/lib/jvm/jdk-${FEATURE}`. With this release, it has been changed to `/usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}`.

The Oracle JDK Debian package registers jexec as an interpreter for launching .jar files from the command line.

The Oracle JDK Debian package configures storage for Java Preferences API in the /etc/.java/.systemPrefs directory.

The Oracle JDK Debian package registers JDK commands with the update-alternatives command and supplies the /usr/lib/jvm/.jdk-${FEATURE}-oracle-${ARCH}.jinfo file for the update-java-alternatives command.

security-libs/java.security
 Ignore Allow and Disallow Options for java.security.manager System Property (JDK-8301118)

In JDK 12, two new token options for the java.security.manager system property, "allow" and "disallow", were introduced.

Many applications and frameworks are designed to run on multiple JDKs. For those that enable the SecurityManager at runtime via System.setSecurityManager, they have to specify the "allow" option as of JDK 18 (see JDK-8203316). However, these applications would also prefer to use the same command line across multiple versions of the JDK, especially if it is not known what JDK version a user will use.

Currently, if these options are specified in JDK 12 or earlier, the runtime attempts to load a SecurityManager implementation with the classname "allow" or "disallow", which results in a Could not create SecurityManager Error and the application will not start up.

From this release onward, the "allow" and "disallow" options for the java.security.manager system property will be ignored.

security-libs/javax.net.ssl
 The Default TLS Diffie-Hellman Group Size Has Been Increased from 1024-bit to 2048-bit (JDK-8301700)

The JDK implementation of TLS 1.2 now uses a default Diffie Hellman keysize of 2048 bits when a TLS_DHE cipher suite is negotiated and either the client or server does not support FFDHE, which can negotiate a stronger keysize. The JDK TLS implementation supports FFDHE and it is enabled by default.

As a workaround, users can revert to the previous size by setting the jdk.tls.ephemeralDHKeySize system property to 1024 (at their own risk).

This change does not affect TLS 1.3 as the minimum DH group size is already 2048 bits.

security-libs/javax.net.ssl
 Use Server Cipher Suites Preference by Default (JDK-8168261)

For TLS connections, the cipher suite selection, by default, is updated to use the server cipher suites preference. Applications can configure the behavior by using the SSLParameters.setUseCipherSuitesOrder​() method.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.21:

# JBS Component Summary
1JDK-8298887client-libsOn the latest macOS+XCode the Robot API may report wrong colors
2JDK-8306881client-libs/2dUpdate FreeType to 2.13.0
3JDK-8307301client-libs/2dUpdate HarfBuzz to 7.2.0
4JDK-8312555client-libs/2dIdeographic characters aren't stretched by AffineTransform.scale(2, 1)
5JDK-8304054client-libs/java.awtLinux: NullPointerException from FontConfiguration.getVersion in case no fonts are installed
6JDK-8311689client-libs/java.awtWrong visible amount in Adjustable of ScrollPane
7JDK-8310054client-libs/java.awtScrollPane insets are incorrect
8JDK-8297923client-libs/java.awtjava.awt.ScrollPane broken after multiple scroll up/down
9JDK-8305815client-libs/java.awtUpdate Libpng to 1.6.39
10JDK-6176679client-libs/java.awtApplication freezes when copying an animated gif image to the system clipboard
11JDK-8286481client-libs/java.awtException printed to stdout on Windows when storing transparent image in clipboard
12JDK-8305517core-libs/java.netMemory leak in Java Solaris native code when calling NetworkInterface.getHardwareAddress()
13JDK-8248695core-libs/java.timeHostLocaleProviderAdapterImpl provides invalid date-only
14JDK-8254350core-libs/java.util.concurrentCompletableFuture.get may swallow InterruptedException
15JDK-8300098core-libs/java.util.concurrentjava/util/concurrent/ConcurrentHashMap/ConcurrentAssociateTest.java fails with internal timeout when executed with TieredCompilation1/3
16JDK-8313765core-libs/java.util.jarInvalid CEN header (invalid zip64 extra data field size)
17JDK-8234808core-svc/debuggerjdb quoted option parsing broken
18JDK-8292778core-svc/java.lang.instrumentEncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free
19JDK-8300659core-svc/java.lang.managementRefactor TestMemoryAwareness to use WhiteBox api for host values
20JDK-8257993hotspot/jvmtivmTestbase/nsk/jvmti/RedefineClasses/StressRedefine/TestDescription.java crash intermittently
21JDK-8297887hotspot/runtimeUpdate Siphash
22JDK-8303215hotspot/runtimeMake thread stacks not use huge pages
23JDK-8220570hotspot/runtimeAdditional trace when native thread creation fails
24JDK-8283849hotspot/svcAsyncGetCallTrace may crash JVM on guarantee
25JDK-8301170hotspot/svcperfMemory_windows.cpp add free_security_attr to early returns
26JDK-8252530hotspot/testFix inconsistencies in hotspot whitebox
27JDK-8213059install/installJava .deb package implementation is incomplete
28JDK-8296452security-libs/javax.cryptoSolaris Ucrypto context memory leak on CRYPTO_BUFFER_TOO_SMALL error
29JDK-8275233tools/javacIncorrect line number reported in exception stack trace thrown from a lambda expression

Java SE 11.0.20 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.20 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 11.0.20.0.4

BugId Component Subcomponent Summary
JDK-8312555 client-libs 2d Ideographic characters aren't stretched by AffineTransform.scale(2, 1)
JDK-8255387 client-libs 2d Japanese characters were printed upside down on AIX

Changes in Java SE 11.0.20.0.3

BugId Component Subcomponent Summary
JDK-8313765 core-libs java.util.jar Invalid CEN header (invalid zip64 extra data field size)

Changes in Java SE 11.0.20.0.2

BugId Component Subcomponent Summary
JDK-8294427 client-libs javax.swing Check boxes and radio buttons have rendering issues on Windows in High DPI env
JDK-6176679 client-libs java.awt Application freezes when copying an animated gif image to the system clipboard
JDK-8286481 client-libs java.awt Exception printed to stdout on Windows when storing transparent image in clipboard

Java™ SE Development Kit 11.0.20 (JDK 11.0.20)

July 18, 2023

The full version string for this update release is 11.0.20+9 (where "+" means "build"). The version number is 11.0.20.

 

IANA TZ Data 2023c

JDK 11.0.20 contains IANA time zone data 2023c which contains the following changes:

  • Egypt now uses DST again, from April through October.
  • This year Morocco springs forward April 23, not April 30.
  • Palestine delays the start of DST this year.
  • Much of Greenland still uses DST from 2024 on.
  • America/Yellowknife now links to America/Edmonton.
  • tzselect can now use current time to help infer timezone.
  • The code now defaults to C99 or later.
  • Fix use of C23 attributes.
  • This release's code and data are identical to 2023a.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.20 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
1111.0.20+9
88u381-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.20) be used after the next critical patch update scheduled for October 17, 2023.

 

New Features

core-libs/java.lang
 Allow Additional Characters for GB18030-2022 Support (JDK-8301401)

The China National Standard body (CESI) has recently published GB18030-2022, which is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to incorporate 5 code points (U+9FEB - U+9FEF) from Unicode 11.0 into Java SE 11 to allow implementations to comply with their Implementation Level 1 requirements.

core-libs/java.nio.charsets
 Support for GB18030-2022 (JDK-8307229)

The China National Standard body (CESI) has recently published GB18030-2022, which is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The Charset implementation for this new standard has now replaced the prior 2000 standard. However, this new standard has some incompatible changes from the prior implementation. For those who need to use the old mappings, a new system property, jdk.charset.GB18030, is introduced. By setting its value to 2000, the previous JDK releases' mappings for the GB18030 Charset are used, which are based on the 2000 standard.

core-libs/java.lang
 Update the Javadoc in the Character Class to State Support for GB 18030-2022 Implementation Level 2 (JDK-8305682)

The China National Standard body (CESI) has recently published GB18030-2022. This is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to state that Java SE 11 supports the Implementation Level 2 of the GB18030-2022 standard.

security-libs/java.security
 Windows KeyStore Updated to Include Access to the Local Machine Location (JDK-6782021)

The Windows KeyStore support in the SunMSCAPI provider has been expanded to include access to the local machine location. The new keystore types are:

  • "Windows-MY-LOCALMACHINE"
  • "Windows-ROOT-LOCALMACHINE"

The following keystore types were also added, allowing developers to make it clear they map to the current user:

  • "Windows-MY-CURRENTUSER" (same as "Windows-MY")
  • "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT")

security-libs/java.security
 New JFR Event: jdk.InitialSecurityProperty (JDK-8292177)

A new Java Flight Recorder (JFR) event has been added to record details of initial security properties when loaded via the java.security.Security class.

The new event name is jdk.InitialSecurityProperty and contains the following fields:

Field name Field Description
key Security Property Key
value Corresponding Security Property Value

This new JFR event is enabled by default. The java.security.debug=properties system property will also now print initial security properties to the standard error stream. With this new event and the already available jdk.SecurityPropertyModification event (when enabled since it is not enabled by default), a JFR recording can now monitor the initial settings of all security properties and any subsequent changes.

security-libs/java.security
 New JFR Event: jdk.SecurityProviderService (JDK-8254711)

A new Java Flight Recorder (JFR) event has been added to record details of java.security.Provider.getService(String type, String algorithm) calls.

The new event name is jdk.SecurityProviderService and contains the following fields:

Field name Field Description
type Type of Service
algorithm Algorithm Name
provider Security Provider

This event is disabled by default and can be enabled via the JFR configuration files or via standard JFR options.

security-libs/javax.crypto
 JDK Now Accepts RSA Keys in PKCS#1 Format (JDK-8023980)

RSA private and public keys in PKCS#1 format can now be accepted by JDK providers, such as the RSA KeyFactory.impl from the SunRsaSign provider. The RSA private or public key object should have the PKCS#1 format and an encoding matching the ASN.1 syntax for a PKCS#1 RSA private key and public key.

 

Known Issues

install
 Problem Upgrading JDK on Windows if System User Is Using Shared Files (JDK-8310932 (not public))

Installing into the same, shared jdk-(family) directory is the default behavior for the JDK starting with the July 2023 CPU. It could lead to FilesInUse issues if JDK files are locked by the "System User". We recommend shutting down any apps using the JDK as the "System User" before upgrading.

 

Other Notes

core-libs/java.nio
 System Property to Turn off JDK-8251329 Restrictions (JDK-8302992)

A new system property, jdk.nio.zipfs.allowDotZipEntry, has been introduced. This system property can be used to remove the newly added restrictions in the Zip FS provider, which currently rejects ZIP files that contain entries with "." or ".." in name elements by default. Refer to the CSR for more detail.

install/install
 Missing /usr/java/default Symlink on Linux Restored (JDK-8306690)

A regression where the /usr/java/default symlink is not created by RPM installers on Linux platforms has been fixed. Installers will create the /usr/java/default symlink if it doesn't exist, targeting the /usr/java/latest symlink.

install/install
 Installation of JDK RPM Corrupts Alternatives (JDK-8308244)

The JDK RPM installer will remove incorrectly constructed entries of "java" and "javac" groups registered by older Oracle JDK RPM installers from the alternatives before registering new "java" and "javac" entries.

An incorrectly constructed entry of the "java" group contains commands that are supposed to belong to the "javac" group.

An incorrectly constructed entry of the "javac" group contains commands that are supposed to belong to the "java" group.

All incorrectly constructed entries belonging to Oracle JDK RPM packages will be removed from the alternatives to avoid corruption of the alternatives internal data.

The removal has a potential side effect for users who have installed multiple JDK versions that are not updated to the latest release. Commands from a removed "java" or "javac" group are now unavailable for system Java switch, which potentially changes the current system Java without a warning. For example, if there is an out-of-date JDK RPM from an 11+ release, say 11.0.17, with an incorrectly constructed single "java" group installed and 8u381 RPM with this patch is installed, it will remove an entry from the "java" group belonging to the 11.0.17 RPM and thus will switch the current system Java from 11.0.17 to 8u381. The side effect will only happen when you install a lower JDK family with the fix, such as 8u381, and there is an out-of-date JDK from a higher family, such as 11.0.17, installed on the system. In that case, 8u381 will replace the older 11.0.17 as the latest. The remedy for the user is to install the latest JDK 11.

security-libs/java.security
 Added TWCA Root CA Certificate (JDK-8305975)

The following root certificate has been added to the cacerts truststore:

+ TWCA

  + twcaglobalrootca
    DN: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW

security-libs/java.security
 Added 4 GTS Root CA Certificates (JDK-8307134)

The following root certificates have been added to the cacerts truststore:

+ Google Trust Services LLC

 + gtsrootcar1
  DN: CN=GTS Root R1, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootcar2
  DN: CN=GTS Root R2, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootecccar3
  DN: CN=GTS Root R3, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootecccar4
  DN: CN=GTS Root R4, O=Google Trust Services LLC, C=US

security-libs/java.security
 Added Microsoft Corporation's 2 TLS Root CA Certificates (JDK-8304760)

The following root certificates have been added to the cacerts truststore:

+ Microsoft Corporation

  + microsoftecc2017
    DN: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US

+ Microsoft Corporation
  + microsoftrsa2017
    DN: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US

core-libs/java.lang
 System Property for Java SE Specification Maintenance Version (JDK-8302365)

This JDK implements Maintenance Release 2 of the Java SE 11 specification (JSR 384). This is indicated by the new system property java.specification.maintenance.version having the value of "2".

hotspot/compiler
 GregorianCalender.computeTime() JVM Crash (JDK-8308884)

A virtual machine crash was observed in JDK 11.0.19 and 17.0.7 when executing the GregorianCalender.computeTime() method (JDK-8307683). It was found that although the root cause of the crash is an old issue, a recent fix for a rare issue in the C2 compiler (JDK-8297951) made the crash much more likely. To mitigate this, the fix has been reverted in JDK 11.0.20 and 17.0.8 and will be reapplied once JDK-8307683 is resolved.

hotspot/runtime
 ASLR Support for CDS Archive (JDK-8294323 (not public))

Starting with the July 2023 CPU, on operating systems where ASLR (Address Space Layout Randomization) is enabled, the CDS archive will be placed at a random address picked by the operating system.

This change may have a minor performance impact: (a) Start-up time may increase because the JVM needs to patch pointers inside the CDS archive. (b) Memory usage may increase because the memory used by the CDS archive is no longer shareable across processes. We expect the impact to be small because such increases should be only a small fraction of the overall application usage.

In the unlikely event that you must disable ASLR for CDS, you can use the JVM flags -XX:+UnlockDiagnosticVMOptions -XX:ArchiveRelocationMode=0. The usage of such flags is not recommended.

security-libs/java.security
 Throw Error If Default java.security File Fails to Load (JDK-8155246)

A behavioral change has been made when the default conf/security/java.security security configuration file fails to load. In such a scenario, the JDK will now throw an InternalError.

Such a scenario should never occur. The default security file should always be present. Prior to this change, a static security configuration was loaded.

security-libs/java.security
 New System Property to Control the Maximum Size of Signature Files (JDK-8300596 (not public))

A new system property, jdk.jar.maxSignatureFileSize, has been added to allow applications to control the maximum size of signature files in a signed JAR. The value of the system property is the desired size in bytes. The default value is 8000000 bytes.

core-libs/java.util.jar
 Improved ZIP64 Extra Field Validation (JDK-8302483 (not public))

java.util.zip.ZipFile has been updated to provide additional validation of ZIP64 extra fields when opening a ZIP file. This validation may be disabled by setting the system property jdk.util.zip.disableZip64ExtraFieldValidation to true.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.20:

# JBS Component Summary
1JDK-8297241client-libs/2dUpdate sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java
2JDK-8022403client-libs/2dsun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails
3JDK-8301998client-libs/2dUpdate HarfBuzz to 7.0.1
4JDK-8302151client-libs/javax.imageioBMPImageReader throws an exception reading BMP images
5JDK-8227257client-libs/javax.swingjavax/swing/JFileChooser/4847375/bug4847375.java fails with AssertionError
6JDK-8284756core-libs[11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
7JDK-8283059core-libsUninitialized warning in check_code.c with GCC 11.2
8JDK-8275735core-libs[linux] Remove deprecated Metrics api (kernel memory limit)
9JDK-8285497core-libs/java.langAdd system property for Java SE specification maintenance version
10JDK-8291638core-libs/java.netKeep-Alive timeout of 0 should close connection immediately
11JDK-8291637core-libs/java.netHttpClient default keep alive timeout not followed if server sends invalid value
12JDK-8211382core-libs/java.nio.charsetsISO2022JP and GB18030 NIO converter issues
13JDK-8301119core-libs/java.nio.charsetsSupport for GB18030-2022
14JDK-8209167core-libs/java.util:i18nUse CLDR's time zone mappings for Windows
15JDK-8305400core-libs/java.util:i18nISO 4217 Amendment 175 Update
16JDK-8275721core-libs/java.util:i18nName of UTC timezone in a locale changes depending on previous code
17JDK-8293540core-svc[Metrics] Incorrectly detected resource limits with additional cgroup fs mounts
18JDK-8219583performance/hotspotWindows build failure after JDK-8214777 (Avoid some GCC 8.X strncpy() errors in HotSpot)
19JDK-8252051hotspot/compilerMake mlvmJvmtiUtils strncpy uses GCC 10.x friendly
20JDK-8303564hotspot/compilerC2: "Bad graph detected in build_loop_late" after a CMove is wrongly split thru phi
21JDK-8299570hotspot/compiler[JVMCI] Insufficient error handling when CodeBuffer is exhausted
22JDK-8300079hotspot/compilerSIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument
23JDK-8299259hotspot/compilerC2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE
24JDK-8297730hotspot/compilerC2: Arraycopy intrinsic throws incorrect exception
25JDK-8301491hotspot/compilerC2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument
26JDK-8201516hotspot/compilerDebugNonSafepoints generates incorrect information
27JDK-8269746hotspot/compilerC2: assert(!in->is_CFG()) failed: CFG Node with no controlling input?
28JDK-8289748hotspot/compilerC2 compiled code crashes with SIGFPE with -XX:+StressLCM and -XX:+StressGCM
29JDK-8303511hotspot/compilerC2: assert(get_ctrl(n) == cle_out) during unrolling
30JDK-8257621hotspot/jfrJFR StringPool misses cached items across consecutive recordings
31JDK-8243936hotspot/runtimeNonWriteable system properties are actually writeable
32JDK-8295974hotspot/runtimejni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames
33JDK-8287007hotspot/runtime[cgroups] Consistently use stringStream throughout parsing code
34JDK-8292297security-libs/java.securityFix up loading of override java.security properties file
35JDK-8255348security-libs/java.securityNPE in PKIXCertPathValidator event logging code
36JDK-8293858security-libs/java.securityChange PKCS7 code to use default SecureRandom impl instead of SHA1PRNG
37JDK-8294906security-libs/javax.crypto:pkcs11Memory leak in PKCS11 NSS TLS server
38JDK-8217375security-libs/jdk.securityjarsigner breaks old signature with long lines in manifest
39JDK-8274205security-libs/org.ietf.jgss:krb5Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
40JDK-8221871tools/javadoc(tool)javadoc should not set role=region on <section> elements
41JDK-8219142tools/jlinkRemove unused JIMAGE_ResourcePath
42JDK-8297587tools/jshellUpgrade JLine to 3.22.0
43JDK-8301269xml/jaxpUpdate Commons BCEL to Version 6.7.0

Java SE 11.0.19 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.19 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 11.0.19.0.3

BugId Component Subcomponent Summary
JDK-8308884 hotspot compiler [17u/11u] Backout JDK-8297951

Changes in Java SE 11.0.19.0.2

BugId Component Subcomponent Summary
JDK-8306690 (not public) install install Restore missing /usr/java/default symlink on Linux
JDK-8308123 (not public) install install /usr/java/latest symlink is not created during 8u371 jdk rpm install
JDK-8305976 (not public) install install Installation of OL-specific x64 jdk rpms pulls in i686 dependencies
JDK-8305113 core-libs java.time (tz) Update Timezone Data to 2023c
JDK-8212970 core-libs java.time TZ database in "vanguard" format support
JDK-8302112 (not public) hotspot test remove windows 2012 from task definitions

 

Changes in Java SE 11.0.19.0.1

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 11.0.19 (JDK 11.0.19)

April 18, 2023

The full version string for this update release is 11.0.19+9 (where "+" means "build"). The version number is 11.0.19.

 

IANA TZ Data 2022g

JDK 11.0.19 contains IANA time zone data 2022g which contains the following changes:

  • The northern edge of Chihuahua changes to US timekeeping.
  • Much of Greenland stops changing clocks after March 2023.
  • Fix some pre-1996 timestamps in northern Canada.
  • C89 is now deprecated; please use C99 or later.
  • Portability fixes for AIX, libintl, MS-Windows, musl, z/OS.
  • In C code, use more C23 features if available.
  • C23 timegm now supported by default.
  • Fixes for unlikely integer overflows.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.19 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
1111.0.19+9
88u371-b11

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. Use the Security Baseline page to determine the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 11.0.19) after the next critical patch update release, scheduled for July 18, 2023.

 

New Features

security-libs/org.ietf.jgss
 Added a Default Native GSS-API Library on Windows (JDK-6722928)

A native GSS-API library named sspi_bridge.dll has been added to the JDK on the Windows platform. The library is client-side only and uses the default credentials. It will be loaded when the sun.security.jgss.native system property is set to "true". A user can still load a third-party native GSS-API library by setting the sun.security.jgss.lib system property to its path.

Native GSS automatically uses cached credentials from operating systems, thus the javax.security.auth.useSubjectCredsOnly system property should be set to false.

com.sun.security.auth.module.Krb5LoginModule does not call native JGSS. Avoid using com.sun.security.auth.module.Krb5LoginModule from JAAS config.

 

Other Notes

client-libs/javax.swing
 System Property to Handle HTML ObjectView Creation (JDK-8296832 (Not Public))

Some Swing components, such as JLabels and JButtons, which display application text, will try to interpret that text as HTML, principally to enable styled text. The HTML processing of the text for these components will no longer recognize the <object> tag which allows for subclasses of java.awt.Component to be rendered on the component. To re-enable this, applications must specify -Dswing.html.object=true.

security-libs/java.security
 Added Certigna(Dhimyotis) CA Certificate (JDK-8245654)

The following root certificate has been added to the cacerts truststore:

+ Certigna (Dhimyotis)
   + certignaca
      DN: CN=Certigna, O=Dhimyotis, C=FR

security-libs/javax.net.ssl
 Removed SSLv2Hello and SSLv3 From Default Enabled TLS Protocols (JDK-8190492)

SSLv2Hello and SSLv3 have been removed from the default enabled TLS protocols.

After this update, if SSLv3 is removed from the jdk.tls.disabledAlgorithms security property, the SSLSocket.getEnabledProtocols(), SSLServerSocket.getEnabledProtocols(), SSLEngine.getEnabledProtocols() and SSLParameters.getProtocols() APIs will return "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1". "SSLv3" will not be returned in this list.

If a client or server still needs to use the SSLv3 protocol they can do so by enabling it through the jdk.tls.client.protocols or jdk.tls.server.protocols system properties or with the SSLSocket.setEnabledProtocols(), SSLServerSocket.setEnabledProtocols() and SSLEngine.setEnabledProtocols() APIs.

core-libs/java.io
 File::listRoots Changed to Return All Available Drives on Windows (JDK-8208077)

The behavior of the method java.io.File.listRoots() on Microsoft Windows has changed in this release so that the returned array includes a File object for all available disk drives. This differs from the behavior in JDK 10 to JDK 20, where this method filtered out disk drives that were not accessible or did not have media present. This change avoids performance issues observed in the previous releases and also ensures that the method is consistent with the root directories in the iteration returned by FileSystem.getDefault().getRootDirectories().

security-libs/java.security
 Crypto-J Exception for Diffie-Hellman and DSA AlgorithmParameters Requests (JDK-8278027)

Applications using the Dell BSAFE Crypto-J 3rd party security provider may encounter an IOException if decoding DH or DSA algorithm parameters with the following exception:

Exception in thread "main" java.io.IOException: Could not decode parameters. at com.rsa.cryptoj.o.ms.engineInit(Unknown Source) at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)

Dell BSAFE Crypto-J version 6.2.6.2 has been released to address this issue. Applications using this provider should upgrade to that version or later. For applications on older versions of this provider, an interoperability fix has been added to this release of the JDK.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.19:

# JBS Component Summary
1JDK-8285399client-libs/2dJNI exception pending in awt_GraphicsEnv.c:1432
2JDK-8284023client-libs/java.awtjava.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
3JDK-8296496client-libs/java.awtOverzealous check in sizecalc.h prevents large memory allocation
4JDK-8279614client-libs/java.awtThe left line of the TitledBorder is not painted on 150 scale factor
5JDK-8288332client-libs/java.awtTier1 validate-source fails after 8279614
6JDK-8295685client-libs/java.awtUpdate Libpng to 1.6.38
7JDK-8282958client-libs/javax.swingRendering Issues with Borders on Windows High-DPI systems
8JDK-8299238core-libsFix Bad Copyright introduced in 8299223
9JDK-8294378core-libs/java.netURLPermission constructor exception when using tr locale
10JDK-8297569core-libs/java.netURLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378
11JDK-8299439core-libs/java.textjava/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
12JDK-8295530core-libs/java.util.jarUpdate Zlib Data Compression Library to Version 1.2.13
13JDK-8287180core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2022-08-08
14JDK-8267038core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2022-03-02
15JDK-8296239core-libs/java.util:i18nISO 4217 Amendment 174 Update
16JDK-8297548core-libs/jdk.nashornUpdate double-conversion to 3.2.0
17JDK-8169718core-svc/debuggernsk/jdb/locals/locals002: ERROR: Cannot find boolVar with expected value: false
18JDK-8292541core-svc/java.lang.management[Metrics] Reported memory limit may exceed physical machine memory
19JDK-8216314hotspot/compilerSIGILL in CodeHeapState::print_names()
20JDK-8276066hotspot/compilerReset LoopPercentProfileLimit for x86 due to suboptimal performance
21JDK-8269574hotspot/compilerC2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events
22JDK-8270533hotspot/compilerAArch64: size_fits_all_mem_uses should return false if its output is a CAS
23JDK-8295066hotspot/compilerFolding of loads is broken in C2 after JDK-8242115
24JDK-8256934hotspot/compilerC2: assert(C->live_nodes() <= C->max_node_limit()) failed: Live Node limit exceeded limit
25JDK-8296912hotspot/compilerC2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1
26JDK-8290964hotspot/compilerC2 compilation fails with assert "non-reduction loop contains reduction nodes"
27JDK-8296924hotspot/compilerC2: assert(is_valid_AArch64_address(dest.target())) failed: bad address
28JDK-8285835hotspot/compilerSIGSEGV in PhaseIdealLoop::build_loop_late_post_work
29JDK-8295788hotspot/compilerC2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node"
30JDK-8297951hotspot/compilerC2: Create skeleton predicates for all If nodes in loop predication
31JDK-8297264hotspot/compilerC2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top
32JDK-8295116hotspot/compilerC2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead
33JDK-8287425hotspot/compilerRemove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path
34JDK-8242115hotspot/compilerC2 SATB barriers are not safepoint-safe
35JDK-8272985hotspot/gcReference discovery is confused about atomicity and degree of parallelism
36JDK-8283199hotspot/runtimeLinux os::cpu_microcode_revision() stalls cold startup
37JDK-8271506hotspot/runtimeAdd ResourceHashtable support for deleting selected entries
38JDK-8048190hotspot/runtimeNoClassDefFoundError omits original ExceptionInInitializerError
39JDK-8291763hotspot/runtimeInclude virtualization information in hs_err crash log on Solaris
40JDK-8289424hotspot/runtimeInclude LD_HWCAP in hs_err log output
41JDK-8287107hotspot/runtimeCgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
42JDK-8287741hotspot/runtimeFix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
43JDK-8293472hotspot/runtimeIncorrect container resource limit detection if manual cgroup fs mounts present
44JDK-8231610hotspot/runtimeRelocate the CDS archive if it cannot be mapped to the requested address
45JDK-8287011hotspot/runtimeImprove container information
46JDK-8286030hotspot/runtimeAvoid JVM crash when containers share the same /tmp dir
47JDK-8298349install/install/usr/java/latest points to wrong JDK
48JDK-8298330install/install/usr/java/latest is missing after one of JDK rpms is uninstalled
49JDK-8242897security-libs/java.securityKeyFactory.generatePublic( x509Spec ) failed with java.security.InvalidKeyException
50JDK-8280890security-libs/java.securityCannot use '-Djava.system.class.loader' with class loader in signed JAR
51JDK-8253829security-libs/org.ietf.jgssWrong length compared in SSPI bridge
52JDK-8225687security-libs/org.ietf.jgssNewly added sspi.cpp in JDK-6722928 still contains some small errors
53JDK-8222251tools/javacpreflow visitor is not visiting lambda expressions
54JDK-8222091tools/javadoc(tool)Javadoc does not handle package annotations correctly on package-info.java
55JDK-8296619tools/javadoc(tool)Upgrade jQuery to 3.6.1

Java SE 11.0.18 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.18 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 11.0.18.0.2

Bug Fixes

BugId Component Subcomponent Summary
JDK-8208077 core-libs java.io File.listRoots performance degradation

 

Changes in Java SE 11.0.18.0.1

Bug Fixes

BugId Component Subcomponent Summary
JDK-8280890 security-libs java.security Cannot use '-Djava.system.class.loader' with class loader in signed JAR
JDK-8297804 core-libs java.time (tz) Update Timezone Data to 2022g

Java™ SE Development Kit 11.0.18 (JDK 11.0.18)

January 17, 2023

The full version string for this update release is 11.0.18+9 (where "+" means "build"). The version number is 11.0.18.

 

IANA TZ Data 2022d, 2022e, 2022f

JDK 11.0.18 contains IANA time zone data 2022d, 2022e, 2022f.
  • Palestine transitions are now Saturdays at 02:00.
  • Simplify three Ukraine zones into one.
  • Jordan and Syria switch from +02/+03 with DST to year-round +03.
  • Mexico will no longer observe DST except near the US border.
  • Chihuahua moves to year-round -06 on 2022-10-30.
  • Fiji no longer observes DST.
  • Move links to 'backward'.
  • In vanguard form, GMT is now a Zone and Etc/GMT a link.
  • zic now supports links to links, and vanguard form uses this.
  • Simplify four Ontario zones.
  • Fix a Y2438 bug when reading TZif data.
  • Enable 64-bit time_t on 32-bit glibc platforms.
  • Omit large-file support when no longer needed.
  • In C code, use some C23 features if available.
  • Remove no-longer-needed workaround for Qt bug 53071.
For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.18 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
1111.0.18+9
88u361-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.18) be used after the next critical patch update scheduled for April 18, 2023.

 

New Features

security-libs/javax.net.ssl
 DTLS Resumption Uses HelloVerifyRequest Messages (JDK-8287411 (not public))

With this fix the SunJSSE DTLS implementation will by default exchange cookies for all handshakes (new and resumed) unless the System property jdk.tls.enableDtlsResumeCookie is false. The property only affects the cookie exchange for resumption.

security-libs/java.security
 Support for RSASSA-PSS in OCSP Response (JDK-8274471)

An OCSP response signed with the RSASSA-PSS algorithm is now supported.

 

Known Issues

install/install
 Installation of Oracle Linux Specific x64 JDK RPMs Pulls in i686 Dependencies (JDK-8297475 (Not Public))

This issue prevents yum from automatically installing the correct packages required by Oracle Linux specific x86_64 headless and headful JDK packages. Instead of x86_64 packages, it will install i686 packages. To workaround the issue, you may manually install packages with the same names as indicated by yum but with the x86_64 architecture.

After you have the x86_64 headless and/or headful jdk packages installed, you can get the list of required x86_64 packages by running the following script:

rpm -qa | grep -E -e '^jdk-.*-headful-.*\.x86_64$' -e '^jdk-.*-headless-.*\.x86_64$' | xargs -r rpm -q --requires | sort -u | cut -d ' ' -f 1 | grep -v '^rpmlib' | xargs -r rpm -q --whatprovides | sort -u | grep -e '.i[3456]86$' | xargs -r rpm -q --queryformat '%{name}.x86_64\n' | xargs -r echo

It will output a space-separated list of names of required x86_64 packages to stdout. You can pass this list to a sudo yum install command to ensure the installation of the required packages.

 

Other Notes

javafx/fxml
 FXML JavaScript Engine Disabled by Default (JDK-8294779 (not public))

The “JavaScript script engine” for FXML is now disabled by default. Any .fxml file that has a "javascript" Processing Instruction (PI) will no longer load by default, and an exception will be thrown.

It can be enabled by setting the system property: -Djavafx.allowjs=true

globalization
 Translated resource bundles for German (JDK-8263773)

With 11.0.14, we are shipping the original JDK 11 translated resource bundles for German.

install/install
 RPM JDK Installer Changes (JDK-8292836)

Installation directory name of Oracle JDK in RPM package has changed from /usr/java/jdk-${VERSION} to /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}. Thus the 11.0.18, and 11.0.19 releases for x64 will both be installed in /usr/lib/jvm/jdk-11-oracle-x64 directory. RPM package will create /usr/java/jdk-${FEATURE} link pointing to the installation directory for backward compatibility.

Communication with the alternatives framework of JDK RPM package has changed. JDK RPM packages of prior versions registered a single java group of commands with the alternatives framework. The JDK 11 RPM package registers java and javac groups with the alternatives framework. java group is for commands used to run applications: java, jjs, keytool, pack200, rmid, rmiregistry, unpack200. javac group is used for all other commands. The set of commands registered by the package has not changed.

Two new Oracle Linux (OL)-specific JDK RPM packages have been added: jdk-11-headless and jdk-11-headful. These packages are available in OL7, OL8, and OL9 repositories. They are not available for OTN downloads. jdk-11-headless is a Headless Java Runtime for running non-GUI applications. jdk-11-headful is a Headful Java Runtime & Development Tools for developing and running applications of all types.

The combination of the OL-specific jdk-11-headless and jdk-11-headful packages provides the same JDK image and the same capabilities as jdk-11 OTN package. OL-specific JDK RPM packages specify required capabilities, and the "Release" property of these packages has a %{dist} suffix.

install/install
 Disable Side-by-Side Installations of Multiple JDK Updates in Windows JDK Installers (JDK-8292822)

Windows JDK installers must install the Oracle JDK in %Program Files%\Java\jdk-%FEATURE% instead of %Program Files%\Java\jdk-%VNUM%. I.e. all updates of the same release must share one installation directory.

Thus the 11.0.18 and 11.0.19 releases will both install into %Program Files%\Java\jdk-11 by default, and they both cannot be installed at the same time.

If the JDK11.0.19 installer is launched when JDK11.0.18 is already installed, it will auto-upgrade them to JDK11.0.19. There may be a Files In Use dialog shown if the older version was running and locking JDK files.

If the JDK11.0.18 installer is launched when JDK11.0.19 is already installed, it will show an error that a newer version of this JDK family is already installed.

install/install
 All JDK Update Releases Are Installed Into the Same Directory on macOS (JDK-8292830)

The Oracle JDK installation directory name will be changed from /Library/Java/JavaVirtualMachines/jdk-${VERSION}.jdk to /Library/Java/JavaVirtualMachines/jdk-${FEATURE}.jdk. Thus the 11.0.18 and 11.0.19 releases will both install into the /Library/Java/JavaVirtualMachines/jdk-11.jdk installation directory. Installing an older JDK update release will log an error, and not install the JDK, if a newer version of the same feature release already exists. An error dialog will be shown except in the case of a silent installation. JDK 11.0.N update releases shipped prior JEP C208 will not be uninstalled during installation of JDK 11 update release with JEP C208. However, JDK 11 GA release will be removed and its location /Library/Java/JavaVirtualMachines/jdk-11.jdk will be reused.

core-libs/java.lang
 Incorrect Handling of Quoted Arguments in ProcessBuilder (JDK-8282008)

ProcessBuilder on Windows is restored to address a regression caused by JDK-8250568. Previously, an argument to ProcessBuilder that started with a double-quote and ended with a backslash followed by a double-quote was passed to a command incorrectly and may cause the command to fail. For example the argument "C:\\Program Files\", would be seen by the command with extra double-quotes. This update restores the long standing behavior that does not treat the backslash before the final double-quote specially.

security-libs/javax.security
 New Implementation Note for LoginModule on Removing Null from a Principals or Credentials set (JDK-8282730)

The Set implementation that holds principals and credentials in a JAAS Subject prohibits null elements and any attempt to add, query, or remove a null element will result in a NullPointerException. This is especially important when trying to remove principals or credentials from the subject at the logout phase but they are null because of a previous failed login. Various JDK LoginModule implementations have been fixed to avoid the exception. An Implementation Note has also been added to the logout() method of the LoginModule interface. Developers should verify and if necessary update any custom LoginModule implementations to be compliant with this implementation advice.

infrastructure
 Toolchain Upgrade to Visual Studio 2022 (JDK-8283723)

As part of ongoing maintenance, the JDK for Windows is built using the Microsoft Visual Studio 2022 toolchain starting with this release.

If you have issues with a Java application and if you have native or JNI libraries that are compiled with a different release of the compiler, then you must consider compatibility issues between the runtimes. Specifically, your environment is supported only if you follow the Microsoft guidelines when dealing with multiple runtimes.

security-libs/javax.net.ssl
 Change in SSLEngine.closeInbound() Behavior (JDK-8273553)

The SunJSSE close notification checks for SSLEngine to have been made less strict to conform to changes in the Transport Layer Security (TLS) RFCs. See also JDK-8253368.

Specifically, if an application tries to close its SSLEngine inbound side using SSLEngine.closeInbound() without having received a close notification message from its peer, the SSLEngine will no longer:

  1. trigger the transmission of a TLS fatal-level alert to the peer, and
  2. invalidate the current TLS session

The new behavior will still consider this condition an error and will throw a local javax.net.ssl.SSLException. But a fatal-level alert will no longer be generated to be sent to the peer, and the underlying session will remain valid.

In addition, the internal transport context for the SSLEngine will also now be closed. This may result in a different SSLEngineResult.HandshakeStatus value on the SSLEngine. Any outstanding outbound data must still be obtained (SSLEngine.wrap()) and sent in order to gracefully close the connection.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.18:

# JBS Component Summary
1JDK-8295429client-libsUpdate harfbuzz md file
2JDK-8293672client-libsUpdate freetype md file
3JDK-8240756client-libs/2d[macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
4JDK-8284033client-libs/java.awtLeak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
5JDK-8277497client-libs/javax.accessibilityLast column cell in the JTable row is read as empty cell
6JDK-8273655core-libs/java.netcontent-types.properties files are missing some common types
7JDK-8280950core-libs/java.utilRandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
8JDK-8281183core-libs/java.utilRandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
9JDK-8272352core-libs/java.util:i18nJava launcher can not parse Chinese character when system locale is set to UTF-8
10JDK-8294307core-libs/java.util:i18nISO 4217 Amendment 173 Update
11JDK-8215571core-svc/debuggerjdb does not include jdk.* in the default class filter
12JDK-8258894hotspot/compilerC2: Forbid GCM to move stores into loops
13JDK-8290781hotspot/compilerSegfault at PhaseIdealLoop::clone_loop_handle_data_uses
14JDK-8290711hotspot/compilerassert(false) failed: infinite loop in PhaseIterGVN::optimize
15JDK-8289043hotspot/compilerC2: Vector constant materialization attempt
16JDK-8290705hotspot/compilerStringConcat::validate_mem_flow asserts with "unexpected user: StoreI"
17JDK-8240281hotspot/compilerRemove failing assertion code when selecting first memory state in SuperWord::co_locate_pack
18JDK-8290529hotspot/compilerC2: assert(BoolTest(btest).is_canonical()) failure
19JDK-8288445hotspot/compilerAArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding
20JDK-8261336hotspot/compilerIGV: enhance default filters
21JDK-8287091hotspot/compileraarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
22JDK-8272094hotspot/compilercompiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline"
23JDK-8293816hotspot/compilerCI: ciBytecodeStream::get_klass() is not consistent
24JDK-8293044hotspot/compilerC1: Missing access check on non-accessible class
25JDK-8292158hotspot/compilerAES-CTR cipher state corruption with AVX-512
26JDK-8284358hotspot/compilerUnreachable loop is not removed from C2 IR, leading to a broken graph
27JDK-8270947hotspot/compilerAArch64: C1: use zero_words to initialize all objects
28JDK-8290451hotspot/compilerIncorrect result when switching to C2 OSR compilation from C1
29JDK-8209375hotspot/gcZGC: Use dynamic base address for mark stack space
30JDK-8288754hotspot/gcGCC 12 fails to build zReferenceProcessor.cpp
31JDK-8232533hotspot/gcG1 uses only a single thread for pretouching the java heap
32JDK-8241423hotspot/gcNUMA APIs fail to work in dockers due to dependent syscalls are disabled by default
33JDK-8281297hotspot/gcTestStressG1Humongous fails with guarantee(is_range_uncommitted)
34JDK-8255716hotspot/runtimeAArch64: Regression: JVM crashes if manually offline a core
35JDK-8266490hotspot/runtimeExtend the OSContainer API to support the pids controller of cgroups
36JDK-8264593hotspot/runtimedebug.cpp utilities should be available in product builds.
37JDK-8273526hotspot/runtimeExtend the OSContainer API pids controller with pids.current
38JDK-8291459hotspot/runtimeJVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*)
39JDK-8292083hotspot/runtimeDetected container memory limit may exceed physical machine memory
40JDK-8209689hotspot/testCompiler.isGraalEnabled should not check jvmci.Compiler property
41JDK-8283723infrastructureUpdate Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows
42JDK-8236470security-libs/java.securityDeal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId
43JDK-8242151security-libs/java.securityImprove OID mapping and reuse among JDK security providers for aliases registration
44JDK-8257722security-libs/java.securityImprove "keytool -printcert -jarfile" output
45JDK-8239457security-libs/javax.crypto:pkcs11call ReleaseStringUTFChars before early returns in Java_sun_security_pkcs11_wrapper_PKCS11_connect
46JDK-8273553security-libs/javax.net.sslsun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368
47JDK-8273026security-libs/javax.securitySlow LoginContext.login() on multi threading application
48JDK-8247964security-libs/javax.xml.cryptoAll log0() in com/sun/org/slf4j/internal/Logger.java should be private
49JDK-8247907security-libs/javax.xml.cryptoXMLDsig logging does not work
50JDK-8293578tools/javacDuplicate ldc generated by javac
51JDK-8266082tools/javacAssertionError in Annotate.fromAnnotations with -Xdoclint
52JDK-8193462tools/javacFix Filer handling of package-info initial elements
53JDK-8203277tools/javacpreflow visitor used during lambda attribution shouldn't visit class definitions inside the lambda body
54JDK-8286444tools/javacjavac errors after JDK-8251329 are not helpful enough to find root cause
55JDK-8286855tools/javacjavac error on invalid jar should only print filename
56JDK-8236490tools/javacCompiler bug relating to @NonNull annotation
57JDK-8215291tools/javadoc(tool)Broken links when generating from project without modules
58JDK-8287076xml/org.w3c.domDocument.normalizeDocument() produces different results

Java SE 11.0.17 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.17 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 11.0.17.0.3

Bug Fixes

BugId Category Subcategory Description
JDK-8293562 core-libs java.net KeepAliveCache Blocks Threads while Closing Connections
JDK-8296943 tools sun/net/www/http/HttpClient/MultiThreadTest Failing after KeepAliveCache Backport
JDK-8282958 client-libs javax.swing Rendering Issues with Borders on Windows High-DPI systems

 

Changes in Java SE 11.0.17.0.2

Bug Fixes

BugId Category Subcategory Description
JDK-8255716 hotspot runtime JVM Crashes If Manually Offline a Core

 

Changes in Java SE 11.0.17.0.1

Bug Fixes

BugId Category Subcategory Description
JDK-8291973 install install Java RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash
JDK-8294357 core-libs java.time (tz) Update Timezone Data to 2022d

Java™ SE Development Kit 11.0.17 (JDK 11.0.17)

October 18, 2022

The full version string for this update release is 11.0.17+10 (where "+" means "build"). The version number is 11.0.17.

 

IANA TZ Data 2022b, 2022c

JDK 11.0.17 contains IANA time zone data 2022b, 2022c.

  • Chile's DST is delayed by a week in September 2022.
  • Iran no longer observes DST after 2022.
  • Rename Europe/Kiev to Europe/Kyiv.
  • New zic -R option
  • Vanguard form now uses %z.
  • Finish moving duplicate-since-1970 zones to 'backzone'.
  • New build option PACKRATLIST.
  • New tailored_tarballs target, replacing rearguard_tarballs.
  • Work around awk bug in FreeBSD, macOS, etc.
  • Improve tzselect on intercontinental Zones.
For more information, refer to Timezone Data Versions in the Java Runtime.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.17 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.17+10
8 8u351-b10
7 7u361-b08

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.17) be used after the next critical patch update scheduled for January 17, 2023.

 

New Features

security-libs/java.security
 Upgrade the Default PKCS12 MAC Algorithm (JDK-8267880)

The default MAC algorithm used in a PKCS #12 keystore has been updated. The new algorithm is based on SHA-256 and is stronger than the old one based on SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.

The new SHA-256 based MAC algorithms were introduced in the 11.0.12, 8u301, and 7u311 JDK versions. Keystores created using this newer, stronger, MAC algorithm cannot be opened in JDK versions earlier than 11.0.12, 8u301, and 7u311. A 'java.security.NoSuchAlgorithmException' exception will be thrown in such circumstances.

For compatibility, use the keystore.pkcs12.legacy system property, which will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.

core-libs/java.io:serialization
 JDK Flight Recorder Event for Deserialization (JDK-8261160)

It is now possible to monitor deserialization of objects using JDK Flight Recorder (JFR). When JFR is enabled and the JFR configuration includes deserialization events, JFR will emit an event whenever the running program attempts to deserialize an object. The deserialization event is named jdk.Deserialization, and it is disabled by default. The deserialization event contains information that is used by the serialization filter mechanism; see the ObjectInputFilter specification. Additionally, if a filter is enabled, the JFR event indicates whether the filter accepted or rejected deserialization of the object. For further information about how to use the JFR deserialization event, see the article Monitoring Deserialization to Improve Application Security. For reference information about using and configuring JFR, see the JFR Runtime Guide and JFR Command Reference sections of the JDK Mission Control documentation.

 

Other Notes

security-libs/java.security
 Disabled SHA-1 Signed JARs (JDK-8269039)

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.

To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.

This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run jarsigner -verify -verbose -certs on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.

For example:

-  Signed by "CN="Signer""

     Digest algorithm: SHA-1 (disabled)
     Signature algorithm: SHA1withRSA (disabled), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01

JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.

Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or override it by using the java.security.properties system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

security-libs/org.ietf.jgss:krb5
 Deprecate 3DES and RC4 in Kerberos (JDK-8139348)

The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set allow_weak_crypto = true in the krb5.conf configuration file to re-enable them (along with other weak etypes including des-cbc-crc and des-cbc-md5) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the default_tkt_enctypes, default_tgs_enctypes, or permitted_enctypes settings.

core-libs/java.net
 Make HttpURLConnection Default Keep Alive Timeout Configurable (JDK-8278067)

Two system properties have been added which control the keep alive behavior of HttpURLConnection in the case where the server does not specify a keep alive time. Two properties are defined for controlling connections to servers and proxies separately. They are http.keepAlive.time.server and http.keepAlive.time.proxy respectively. More information about them can be found in Networking Properties.

hotspot/runtime
 CPU Shares Ignored When Computing Active Processor Count (JDK-8281181)

Previous JDK releases used an incorrect interpretation of the Linux cgroups parameter "cpu.shares". This might cause the JVM to use fewer CPUs than available, leading to an under utilization of CPU resources when the JVM is used inside a container.

Starting from this JDK release, by default, the JVM no longer considers "cpu.shares" when deciding the number of threads to be used by the various thread pools. The -XX:+UseContainerCpuShares command-line option can be used to revert to the previous behavior. This option is deprecated and may be removed in a future JDK release.

core-libs/java.time
 Update Timezone Data to 2022c (JDK-8294042)

This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone data. All time zone IDs remain the same but the merged time zones will point to a shared zone data.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.

For more details, refer to the announcement of 2022b.

core-libs/java.net
 New System Property to Limit the Number of Open Connections to com.sun.net.httpserver.HttpServer (JDK-8286918 (not public))

A new system property named jdk.httpserver.maxConnections has been introduced to allow users to configure the com.sun.net.httpserver.HttpServer to limit the maximum number of open connections to the server at any given time. This system property takes an integer value and can be configured to be a positive integer. If the property is absent, set to 0, or a negative value, the server will not limit the number of open connections. By default, this system property is not set.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.17:

# JBS Component Subcomponent Summary
1JDK-8285686client-libs2dUpdate FreeType to 2.12.0
2JDK-8289853client-libs2dUpdate HarfBuzz to 4.4.1
3JDK-8290334client-libs2dUpdate FreeType to 2.12.1
4JDK-8273506client-libsjava.awtjava Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12
5JDK-8255439client-libsjava.awtSystem Tray icons get corrupted when windows scaling changes
6JDK-8231454client-libsjava.beansFile lock in Windows on a loaded jar due to a leak in Introspector::getBeanInfo
7JDK-8261352client-libsjavax.accessibilityCreate implementation for component peer for all the components who should be ignored in a11y interactions
8JDK-8263420client-libsjavax.accessibilityIncorrect function name in NSAccessibilityStaticText native peer implementation
9JDK-8262981client-libsjavax.accessibilityCreate implementation for NSAccessibilitySlider protocol
10JDK-8287740client-libsjavax.accessibilityNSAccessibilityShowMenuAction not working for text editors
11JDK-8275071client-libsjavax.accessibility[macos] A11y cursor gets stuck when combobox is closed
12JDK-8274383client-libsjavax.accessibilityJNI call of getAccessibleSelection on a wrong thread
13JDK-8267387client-libsjavax.accessibilityCreate implementation for NSAccessibilityOutline protocol
14JDK-8267388client-libsjavax.accessibilityCreate implementation for NSAccessibilityTable protocol
15JDK-8262031client-libsjavax.accessibilityCreate implementation for NSAccessibilityNavigableStaticText protocol
16JDK-8275809client-libsjavax.accessibilitycrash in [CommonComponentAccessibility getCAccessible:withEnv:]
17JDK-8273678client-libsjavax.accessibilityTableAccessibility and TableRowAccessibility miss autorelease
18JDK-8271071client-libsjavax.accessibilityaccessibility of a table on macOS lacks cell navigation
19JDK-8267066client-libsjavax.accessibilityNew NSAccessibility peers should return they roles and subroles directly
20JDK-8275720client-libsjavax.accessibilityCommonComponentAccessibility.createWithParent isWrapped causes mem leak
21JDK-8267385client-libsjavax.accessibilityCreate NSAccessibilityElement implementation for JavaComponentAccessibility
22JDK-8275819client-libsjavax.accessibility[TableRowAccessibility accessibilityChildren] method is ineffective
23JDK-8284690client-libsjavax.accessibility[macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
24JDK-8286266client-libsjavax.accessibility[macos] Voice over moving JTable column to be the first column JVM crashes
25JDK-8278609client-libsjavax.accessibility[macos] accessibility frame is misplaced on a secondary monitor on macOS
26JDK-8284014client-libsjavax.accessibilityMenu items with submenus in JPopupMenu are not spoken on macOS
27JDK-8283383client-libsjavax.accessibility[macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name
28JDK-8211795client-libsjavax.imageioArrayIndexOutOfBoundsException in PNGImageReader after JDK-6788458
29JDK-8256109client-libsjavax.swingCreate implementation for NSAccessibilityButton protocol
30JDK-8256108client-libsjavax.swingCreate implementation for NSAccessibilityElement protocol peer
31JDK-8256126client-libsjavax.swingCreate implementation for NSAccessibilityImage protocol peer
32JDK-8256110client-libsjavax.swingCreate implementation for NSAccessibilityStepper protocol
33JDK-8256111client-libsjavax.swingCreate implementation for NSAccessibilityStaticText protocol
34JDK-8261350client-libsjavax.swingCreate implementation for NSAccessibilityCheckBox protocol peer
35JDK-8261351client-libsjavax.swingCreate implementation for NSAccessibilityRadioButton protocol
36JDK-8264299client-libsjavax.swingCreate implementation of native accessibility peer for ScrollPane and ScrollBar Java Accessibility roles
37JDK-8264300client-libsjavax.swingCreate implementation for NSAccessibilityScrollBar protocol peer
38JDK-8264290client-libsjavax.swingCreate implementation for NSAccessibilityComponentGroup protocol peer
39JDK-8264304client-libsjavax.swingCreate implementation for NSAccessibilityToolbar protocol peer
40JDK-8264302client-libsjavax.swingCreate implementation for Accessibility native peer for Splitpane java role
41JDK-8264305client-libsjavax.swingCreate implementation for native accessibility peer for Statusbar java role
42JDK-8264287client-libsjavax.swingCreate implementation for NSAccessibilityComboBox protocol peer
43JDK-8264303client-libsjavax.swingCreate implementation for NSAccessibilityTabGroup protocol peer
44JDK-8264297client-libsjavax.swingCreate implementation for NSAccessibilityProgressIndicator protocol peer
45JDK-8264294client-libsjavax.swingCreate implementation for NSAccessibilityMenuBar protocol peer
46JDK-8264298client-libsjavax.swingCreate implementation for NSAccessibilityRow protocol peer
47JDK-8264286client-libsjavax.swingCreate implementation for NSAccessibilityColumn protocol peer
48JDK-8264291client-libsjavax.swingCreate implementation for NSAccessibilityCell protocol peer
49JDK-8264292client-libsjavax.swingCreate implementation for NSAccessibilityList protocol peer
50JDK-8264293client-libsjavax.swingCreate implementation for NSAccessibilityMenu protocol peer
51JDK-8264295client-libsjavax.swingCreate implementation for NSAccessibilityMenuItem protocol peer
52JDK-8264296client-libsjavax.swingCreate implementation for NSAccessibilityPopUpButton protocol peer
53JDK-8287917core-libsjava.lang:class_loadingSystem.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
54JDK-8288769core-libsjava.util.jarRevert unintentional change to deflate.c
55JDK-8283277core-libsjava.util:i18nISO 4217 Amendment 171 Update
56JDK-8289549core-libsjava.util:i18nISO 4217 Amendment 172 Update
57JDK-8254001core-svc[Metrics] Enhance parsing of cgroup interface files for version detection
58JDK-8276990core-svcdebuggerMemory leak in invoker.c fillInvokeRequest() during JDI operations
59JDK-8281615core-svcdebuggerDeadlock caused by jdwp agent
60JDK-8284094core-svcdebuggerMemory leak in invoker_completeInvokeRequest()
61JDK-8208471core-svcdebuggernsk/jdb/unwatch/unwatch002/unwatch002.java fails with "Prompt is not received during 300200 milliseconds"
62JDK-8235385hotspotcompilerCrash on aarch64 JDK due to long offset
63JDK-8139046hotspotcompilerCompiler Control: IGVPrintLevel directive should set PrintIdealGraph
64JDK-8271567hotspotcompilerAArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions
65JDK-8211100hotspotcompilerhotspot C1 issue with comparing long numbers on x86 32-bit
66JDK-8282467hotspotcompileradd extra diagnostics for JDK-8268184
67JDK-8269517hotspotcompilercompiler/loopopts/TestPartialPeelingSinkNodes.java crashes with -XX:+VerifyGraphEdges
68JDK-8282555hotspotcompilerMissing memory edge when spilling MoveF2I, MoveD2L etc
69JDK-8284882hotspotcompilerSIGSEGV in Node::verify_edges due to compilation bailout
70JDK-8270090hotspotcompilerC2: LCM may prioritize CheckCastPP nodes over projections
71JDK-8285820hotspotcompilerC2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
72JDK-8288467hotspotcompilerremove memory_operand assert for spilled instructions
73JDK-8279622hotspotcompilerC2: miscompilation of map pattern as a vector reduction
74JDK-8286177hotspotcompilerC2: "failed: non-reduction loop contains reduction nodes" assert failure
75JDK-8284944hotspotcompilerassert(cnt++ < 40) failed: infinite cycle in loop optimization
76JDK-8287223hotspotcompilerC1: Inlining attempt through MH::invokeBasic() with null receiver
77JDK-8272736hotspotcompiler[JVMCI] Add API for reading and writing JVMCI thread locals
78JDK-8235870hotspotcompilerC2 crashes in IdealLoopTree::est_loop_flow_merge_sz()
79JDK-8271010hotspotcompilervmTestbase/gc/lock/malloc/malloclock04/TestDescription.java crashes intermittently
80JDK-8288360hotspotcompilerCI: ciInstanceKlass::implementor() is not consistent for well-known classes
81JDK-8287432hotspotcompilerC2: assert(tn->in(0) != __null) failed: must have live top node
82JDK-8258946hotspotcompilerFix optimization-unstable code involving signed integer overflow
83JDK-8286314hotspotcompilerTrampoline not created for far runtime targets outside small CodeCache
84JDK-8280799hotspotcompilerС2: assert(false) failed: cyclic dependency prevents range check elimination
85JDK-8288781hotspotcompilerC1: LIR_OpVisitState::maxNumberOfOperands too small
86JDK-8288865hotspotcompiler[aarch64] LDR instructions must use legitimized addresses
87JDK-8283441hotspotcompilerC2: segmentation fault in ciMethodBlocks::make_block_at(int)
88JDK-8265677hotspotgcCMS: CardTableBarrierSet::write_ref_array_work() lacks storestore barrier
89JDK-8223575hotspotgcadd subspace transitions to gc+metaspace=info log lines
90JDK-8217170hotspotgcgc/arguments/TestUseCompressedOopsErgo.java timed out
91JDK-8252359hotspotruntimeHotSpot Not Identifying it is Running in a Container
92JDK-8220658hotspotruntimeImprove the readability of container information in the error log
93JDK-8253797hotspotruntime[cgroups v2] Account for the fact that swap accounting is disabled on some systems
94JDK-8254997hotspotruntimeRemove unimplemented OSContainer::read_memory_limit_in_bytes
95JDK-8281274hotspotruntimedeal with ActiveProcessorCount in os::Linux::print_container_info
96JDK-8283469hotspotruntimeDon't use memset to initialize members in FileMapInfo and fix memory leak
97JDK-8247354hotspotruntimeAArch64: PopFrame causes assert(oopDesc::is_oop(obj)) failed: not an oop
98JDK-8268773hotspotruntimeImprovements related to: Failed to start thread - pthread_create failed (EAGAIN)
99JDK-8289477hotspotruntimeMemory corruption with CPU_ALLOC, CPU_FREE on muslc
100JDK-8289799hotspotruntimeBuild warning in methodData.cpp memset zero-length parameter
101JDK-8239559hotspotruntimeCgroups: Incorrect detection logic on some systems
102JDK-8253435hotspotruntimeCgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist
103JDK-8239785hotspotruntimeCgroups: Incorrect detection logic on old systems in hotspot
104JDK-8209414hotspotsvcAArch64: method handle invocation does not respect JVMTI interp_only mode
105JDK-8235220hotspotsvc-agentClhsdbScanOops.java fails with sun.jvm.hotspot.types.WrongTypeException
106JDK-8186143security-libsjava.securitykeytool -ext option doesn't accept wildcards for DNS subject alternative names
107JDK-8263404security-libsjava.securityRsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
108JDK-8275887security-libsjava.securityjarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
109JDK-8281628security-libsjavax.cryptoKeyAgreement : generateSecret intermittently not resetting
110JDK-8284694security-libsjavax.net.sslAvoid evaluating SSLAlgorithmConstraints twice
111JDK-8286211security-libsjavax.smartcardioUpdate PCSC-Lite for Suse Linux to 1.9.5
112JDK-8285398security-libsjdk.securityCache the results of constraint checks
113JDK-8155701toolsjavacThe compiler fails with an AssertionError: typeSig ERROR
114JDK-8281316toolsjavacjavac performance issues with large number of jars on classpath
115JDK-8282214toolsjavadoc(tool)Upgrade JQuery to version 3.6.0
116JDK-8284367toolsjavadoc(tool)JQuery UI upgrade from 1.12.1 to 1.13.1
117JDK-8280373xmlavax.xml.parsersUpdate Xalan serializer / SystemIDResolver to align with JDK-8270492
118JDK-8289486xmljaxpImprove XSLT XPath operators count efficiency

Java SE 11.0.16.1 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.16.1 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 11.0.16.1.2

Bug Fixes

BugId Category Subcategory Description
JDK-8239785 hotspot runtime Cgroups: Incorrect detection logic on old systems in hotspot

 

Changes in Java SE 11.0.16.1.1

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 11, Patch 11.0.16.1 (JDK 11.0.16.1)

August 18, 2022

The full version string for this update release is 11.0.16.1+1 (where "+" means "build"). The version number is 11.0.16.1.

 

IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines are unchanged from the release of JDK 11.0.16.

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.16+11
8 8u341-b10
7 7u351-b07

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.16.1) be used after the next critical patch update scheduled for October 18, 2022.

Oracle recommends that all JDK 11 users, even those that have already updated to 11.0.16, uptake the 11.0.16.1 patch release.

 

Changes

hotspot/compiler
 C2 Compilation Errors Unpredictably Crashes JVM

Fixes a regression in the C2 JIT compiler which caused the Java Runtime to crash unpredictably.


Java™ SE Development Kit 11.0.16 (JDK 11.0.16)

July 19, 2022

The full version string for this update release is 11.0.16+11 (where "+" means "build"). The version number is 11.0.16.

 

IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.16 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.16+11
8 8u341-b10
7 7u351-b07

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.16) be used after the next critical patch update scheduled for October 18, 2022.

 

New Features

core-libs/java.net
 HTTPS Channel Binding Support for Java GSS/Kerberos

Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection.

Channel binding tokens are increasingly required as an enhanced form of security which can mitigate certain kinds of socially engineered, man in the middle (MITM) attacks. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shutdown the session/connection.

The feature is controlled through a new system property jdk.https.negotiate.cbt which is described fully on the Networking Properties page.

Other Notes

core-libs/java.net
 Update java.net.InetAddress to Detect Ambiguous IPv4 Address Literals

The java.net.InetAddress class has been updated to strictly accept IPv4 address literals in decimal quad notation. The InetAddress class methods are updated to throw an java.net.UnknownHostException for invalid IPv4 address literals. To disable this check, the new "jdk.net.allowAmbiguousIPAddressLiterals" system property can be set to "true".

See JDK-8277608 (not public)
 JDK Bundle Extensions Truncated When Downloading Using Firefox 102

On oracle.com and java.com, certain JDK bundle extensions are getting truncated on download when using Firefox version 102. The downloaded bundles have no file extension like ".exe", ".rpm", ".deb". If you are not able to upgrade to Firefox ESR 102.0.1 or Firefox 103 when it is released, then as a workaround you can:

  • manually add a file extension to the file name after download.
  • use a different browser

See JDK-8277093
core-libs/java.io:serialization
 Vector Should Throw ClassNotFoundException for a Missing Class of an Element

java.util.Vector is updated to correctly report ClassNotFoundException that occurs during deserialization using java.io.ObjectInputStream.GetField.get(name, object)when the class of an element of the Vector is not found. Without this fix, a StreamCorruptedException is thrown that does not provide information about the missing class.

core-libs/java.util.jar
 Default JDK Compressor Will Be Closed when IOException Is Encountered

DeflaterOutputStream.close() and GZIPOutputStream.finish() methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. ZIPOutputStream.closeEntry() method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.16:

# JBS Component Subcomponent Summary
1JDK-8221741client-libs2dClassCastException can happen when fontconfig.properties is used
2JDK-8262470client-libs2dPrinted GlyphVector outline with low DPI has bad quality on Windows
3JDK-8251558client-libsdemoJ2DBench should support shaped and translucent windows
4JDK-8274751client-libsjava.awtDrag And Drop hangs on Windows
5JDK-8133713client-libsjavax.accessibility[macosx] Accessible JTables always reported as empty
6JDK-8277922client-libsjavax.accessibilityUnable to click JCheckBox in JTable through Java Access Bridge
7JDK-7124301client-libsjavax.accessibility[macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements.
8JDK-7124298client-libsjavax.accessibility[macosx] Nothing heard from VoiceOver when tabbing between a nested tab group and a parent tab group
9JDK-7124293client-libsjavax.accessibility[macosx] VoiceOver reads percentages rather than the actual values for sliders.
10JDK-8274735client-libsjavax.imageiojavax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
11JDK-8212904client-libsjavax.swingJTextArea line wrapping incorrect when using UI scale
12JDK-8277093core-libsjava.io:serializationVector should throw ClassNotFoundException for a missing class of an element
13JDK-8267256core-libsjava.netExtend minimal retry for loopback connections on Windows to PlainSocketImpl
14JDK-8250521core-libsjava.netConfigure initial RTO to use minimal retry for loopback connections on Windows
15JDK-8255264core-libsjava.netSupport for identifying the full range of IPv4 localhost addresses on Windows
16JDK-8279842core-libsjava.netHTTPS Channel Binding support for Java GSS/Kerberos
17JDK-8282293core-libsjava.netDomain value for system property jdk.https.negotiate.cbt should be case-insensitive
18JDK-8258795core-libsjava.util:i18nUpdate IANA Language Subtag Registry to Version 2021-05-11
19JDK-8277368core-libsjavax.scriptMetaspace OOM thrown due to the leak of Nashorn ScriptEngine
20JDK-8279219hotspotcompiler[REDO] C2 crash when allocating array of size too large
21JDK-8234930hotspotcompilerUse MAP_JIT when allocating pages for code cache on macOS
22JDK-8224648hotspotcompilerassert(!exceeding_node_budget()) failed: Too many NODES required! failure with ctw
23JDK-8225475hotspotcompilerNode budget asserts on x86_32/64
24JDK-8223143hotspotcompilerRestructure/clean-up for 'loopexit_or_null()'.
25JDK-8223363hotspotcompilerBad node estimate assertion failure
26JDK-8263403hotspotcompiler[JVMCI] output written to tty via HotSpotJVMCIRuntime can be garbled
27JDK-8283451hotspotcompilerC2: assert(_base == Long) failed: Not a Long
28JDK-8282312hotspotcompilerMinor corrections to evbroadcasti32x4 intrinsic on x86
29JDK-8254887hotspotcompilerC2: assert(cl->trip_count() > 0) failed: peeling a fully unrolled loop
30JDK-8253816hotspotcompilerSupport macOS W^X
31JDK-8253795hotspotcompilerImplementation of JEP 391: macOS/AArch64 Port
32JDK-8214004hotspotcompilerMissing space between compiler thread name and task info in hs_err
33JDK-8216137hotspotcompilerassert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit
34JDK-8234605hotspotcompilerC2 failed "assert(C->live_nodes() - live_at_begin <= 2 * _nodes_required) failed: Bad node estimate: actual = 208 >> request = 101"
35JDK-8283641hotspotcompilerLarge value for CompileThresholdScaling causes assert
36JDK-8283408hotspotcompilerFix a C2 crash when filling arrays with unsafe
37JDK-8280867hotspotcompilerCpuid1Ecx feature parsing is incorrect for AMD CPUs
38JDK-8279837hotspotcompilerC2: assert(is_Loop()) failed: invalid node class: Region
39JDK-8279668hotspotcompilerx86: AVX2 versions of vpxor should be asserted
40JDK-8275330hotspotcompilerC2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
41JDK-8275337hotspotcompilerC1: assert(false) failed: live_in set of first block must be empty
42JDK-8280526hotspotcompilerx86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
43JDK-8279356hotspotcompilerMethod linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
44JDK-8262011hotspotcompiler[JVMCI] allow printing to tty from unattached libgraal thread
45JDK-8265480hotspotcompileradd basic JVMCI support for JEP 309: Dynamic Class-File Constants
46JDK-8262323hotspotcompilerdo not special case JVMCI in tiered compilation policy
47JDK-8258715hotspotcompiler[JVMCI] separate JVMCI code install timers for CompileBroker and hosted compilations
48JDK-8240335hotspotcompilerC2: assert(found_sfpt) failed: no node in loop that's not input to safepoint
49JDK-8219520hotspotcompilerassert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit
50JDK-8282231hotspotcompilerx86-32: runtime call to SharedRuntime::ldiv corrupts registers
51JDK-8284633hotspotruntimeCompressedClassPointers.java fails on macos-aarch64
52JDK-8230305hotspotruntimeCgroups v2: Container awareness
53JDK-8282589hotspotruntimeruntime/ErrorHandling/ErrorHandler.java fails on MacOS aarch64 in jdk 11
54JDK-8253727hotspotruntime[cgroups v2] Memory and swap limits reported incorrectly
55JDK-8253714hotspotruntime[cgroups v2] Soft memory limit incorrectly using memory.high
56JDK-8208697hotspotruntimevmTestbase/metaspace/stressHierarchy/stressHierarchy012/TestDescription.java fails with OutOfMemoryError: Metaspace
57JDK-8253817hotspotruntimeSupport macOS Aarch64 ABI in Interpreter
58JDK-8281275hotspotruntimeUpgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
59JDK-8214275hotspotruntimeCondyRepeatFailedResolution asserts "Dynamic constant has no fixed basic type"
60JDK-8218751hotspotruntimeDo not store original classfiles inside the CDS archive
61JDK-8281517installinstallImprove the error message shown when a user tries to install the aarch64 bundle on an intel mac
62JDK-8278851security-libsjava.securityCorrect signer logic for jars signed with multiple digest algorithms
63JDK-8255266security-libsjava.securityUpdate Public Suffix List to 3c213aa
64JDK-8268427security-libsjava.securityImprove AlgorithmConstraints:checkAlgorithm performance
65JDK-8274524security-libsjavax.net.sslSSLSocket.close() hangs if it is called during the ssl handshake
66JDK-8270317security-libsjavax.net.sslLarge Allocation in CipherSuite
67JDK-8275082security-libsjavax.xml.cryptoUpdate XML Security for Java to 2.3.0
68JDK-8279520security-libsorg.ietf.jgssSPNEGO has not passed channel binding info into the underlying mechanism
69JDK-8214026toolsjavacCanonicalized archive paths appearing in diagnostics
70JDK-8236210toolsjavacjavac generates wrong annotation for fields generated from record components
71JDK-8261205toolsjavacAssertionError: Cannot add metadata to an intersection type
72JDK-8210649toolsjavacAssertionError @ jdk.compiler/com.sun.tools.javac.comp.Modules.enter(Modules.java:244)
73JDK-8225559toolsjavacassertion error at TransTypes.visitApply
74JDK-8166727toolsjlinkjavac crashed: [jimage.dll+0x1942] ImageStrings::find+0x28

Java SE 11.0.15.1 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.15 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 11.0.15.1.2

 

Bug Fixes

BugId Component Subcomponent Description
JDK-8155701 tools javac The compiler fails with an AssertionError: typeSig ERROR

 

Changes in Java SE 11.0.15.1.1

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 11, Patch 11.0.15.1 (JDK 11.0.15.1)

May 2, 2022

The full version string for this update release is 11.0.15.1+2 (where "+" means "build"). The version number is 11.0.15.1.

 

IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines are unchanged from the release of JDK 11.0.15.

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.15+8
8 8u331-b09
7 7u341-b08

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.15.1) be used after the next critical patch update scheduled for July 19, 2022.

 

Changes

core-libs/java.io
 New System Property to Disable Windows Alternate Data Stream Support in java.io.File

The Windows implementation of java.io.File allows access to NTFS Alternate Data Streams (ADS) by default. Such streams have a structure like “filename:streamname”. A system property jdk.io.File.enableADS has been added to control this behavior. To disable ADS support in java.io.File, the system property jdk.io.File.enableADS should be set to false (case ignored). Stricter path checking however prevents the use of special devices such as NUL:

 

 

Bug Fixes

This release is based on the previous CPU and does not contain any additional security fixes. The following issues have also been resolved:

BugId Component Subcomponent Description
JDK-8284920 xml javax.xml.path Incorrect Token type causes XPath expression to return incorrect results
JDK-8284548 xml jaxp Invalid XPath expression causes StringIndexOutOfBoundsException


Java SE 11.0.15 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.15 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 11.0.15.0.1

Bug Fixes

BugId Component Subcomponent Description
JDK-8221741 client-libs 2d ClassCastException can happen when fontconfig.properties is used
JDK-8212904 client-libs javax.swing JTextArea line wrapping incorrect when using UI scale
JDK-8282583 xml jaxp Update BCEL md to include the copyright notice
JDK-8283350 core-libs java.time (tz) Update Timezone Data to 2022a

Java™ SE Development Kit 11.0.15 (JDK 11.0.15)

April 19, 2022

The full version string for this update release is 11.0.15+8 (where "+" means "build"). The version number is 11.0.15.

 

IANA TZ Data 2021e

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.15 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.15+8
8 8u331-b09
7 7u341-b08

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.15) be used after the next critical patch update scheduled for July 19, 2022.

 

New Features

security-libs/javax.crypto:pkcs11
 SunPKCS11 Provider Supports ChaCha20-Poly1305 Cipher and ChaCha20 KeyGenerator if Supported by PKCS11 Library

SunPKCS11 provider is enhanced to support the following crypto services and algorithms when the underlying PKCS11 library supports the corresponding PKCS#11 mechanisms:

ChaCha20 KeyGenerator <=> CKM_CHACHA20_KEY_GEN mechanism

CHACHA20-POLY1305 Cipher <=> CKM_CHACHA20_POLY1305 mechanism  
CHACHA20-POLY1305 AlgorithmParameters <=> CKM_CHACHA20_POLY1305 mechanism  
CHACHA20 SecretKeyFactory <=> CKM_CHACHA20_POLY1305 mechanism

security-libs/javax.net.ssl
 ChaCha20 and Poly1305 TLS Cipher Suites

New TLS cipher suites using the ChaCha20-Poly1305 algorithm have been added to JSSE. These cipher suites are enabled by default. The TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3. The following cipher suites are available for TLS 1.2:

  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for details on these new TLS cipher suites.

xml/jaxp
 New XML Processing Limits

Three processing limits have been added to the XML libraries. These are:

  • jdk.xml.xpathExprGrpLimit

Description: Limits the number of groups an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10.

  • jdk.xml.xpathExprOpLimit

Description: Limits the number of operators an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 100.

  • jdk.xml.xpathTotalOpLimit

Description: Limits the total number of XPath operators in an XSL Stylesheet.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10000.

Supported processors

  • jdk.xml.xpathExprGrpLimit and jdk.xml.xpathExprOpLimit are supported by the XPath processor.

  • All three limits are supported by the XSLT processor.

Setting properties

For the XSLT processor, the properties can be changed through the TransformerFactory. For example,

        TransformerFactory factory = TransformerFactory.newInstance();

        factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");

For both the XPath and XSLT processors, the properties can be set through the system property and jaxp.properties configuration file located in the conf directory of the Java installation. For example,

        System.setProperty("jdk.xml.xpathExprGrpLimit", "20");

or in the jaxp.properties file,

        jdk.xml.xpathExprGrpLimit=20

 

There are two known issues:

  1. An XPath expression that contains a short form of the parent axis ".." can return incorrect results. See JDK-8284920 for details.
  2. An invalid XPath expression that ends with a relational operator such as ‘<’ ‘>’ and ‘=’ will cause the processor to erroneously throw StringIndexOutOfBoundsException instead of XPathExpressionException. See JDK-8284548 for details.
JDK-8270504 (not public)

Other Notes

security-libs/java.security
 Only Expose Certificates With Proper Trust Settings as Trusted Certificate Entries in macOS KeychainStore

On macOS, only certificates with proper trust settings in the user keychain will be exposed as trusted certificate entries in the KeychainStore type of keystore. Also, calling the KeyStore::setCertificateEntry method or the keytool -importcert command on a KeychainStore keystore now fails with a KeyStoreException. Instead, call the macOS "security add-trusted-cert" command to add a trusted certificate into the user keychain.

JDK-8278449 (not public)

core-libs/javax.naming
 Parsing of URL Strings in Built-in JNDI Providers Is More Strict

The parsing of URLs in the LDAP, DNS, and RMI built-in JNDI providers has been made more strict. The strength of the parsing can be controlled by system properties:

  -Dcom.sun.jndi.ldapURLParsing="legacy" | "compat" | "strict"    (to control "ldap:" URLs)

  -Dcom.sun.jndi.dnsURLParsing="legacy" | "compat" | "strict"     (to control "dns:" URLs)
  -Dcom.sun.jndi.rmiURLParsing="legacy" | "compat" | "strict"     (to control "rmi:" URLs)

 

The default value is "compat" for all of the three providers.

  • The "legacy" mode turns the new validation off.
  • The "compat" mode limits incompatibilities.
  • The "strict" mode is stricter and may cause regression by rejecting URLs that an application might consider as valid.

In "compat" and "strict" mode, more validation is performed. As an example, in the URL authority component, the new parsing only accepts brackets around IPv6 literal addresses. Developers are encouraged to use java.net.URI constructors or its factory method to build URLs rather than handcrafting URL strings.

If an illegal URL string is found, a java.lang.IllegalArgumentException or a javax.naming.NamingException (or a subclass of it) is raised.

JDK-8278972 (not public)

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.15:

# BugId Component Subcomponent Description
1 JDK-8233827 client-libs Enable screenshots in the enhanced failure handler on Linux/macOS
2 JDK-8270874 client-libs 2d JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
3 JDK-8258554 client-libs javax.swing javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
4 JDK-8257620 core-libs Do not use objc_msgSend_stret to get macOS version
5 JDK-8275650 core-libs java.io Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
6 JDK-8279833 core-libs java.lang Loop optimization issue in String.encodeUTF8_UTF16
7 JDK-8275703 core-libs java.lang System.loadLibrary fails on Big Sur for libraries hidden from filesystem
8 JDK-8236596 core-libs java.net HttpClient leaves HTTP/2 sockets in CLOSE_WAIT, when using proxy tunnel
9 JDK-8218546 core-libs java.net Unable to connect to https://google.com using java.net.HttpClient
10 JDK-8262844 core-libs java.nio (fs) FileStore.supportsFileAttributeView might return false negative in case of ext3
11 JDK-8272473 core-libs java.time Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
12 JDK-8214761 core-libs java.util.stream Bug in parallel Kahan summation implementation
13 JDK-8242283 core-libs java.util:i18n Can't start JVM when java home path includes non-ASCII character
14 JDK-8273790 core-libs java.util:i18n Potential cyclic dependencies between Gregorian and CalendarSystem
15 JDK-8274658 core-libs java.util:i18n ISO 4217 Amendment 170 Update
16 JDK-8277795 core-libs javax.naming LDAP connection timeout not honoured under contention
17 JDK-8266187 core-svc java.lang.instrument Memory leak in appendBootClassPath()
18 JDK-8273575 core-svc java.lang.instrument memory leak in appendBootClassPath(), paths must be deallocated
19 JDK-8258836 core-svc java.lang.management JNI local refs exceed capacity getDiagnosticCommandInfo
20 JDK-8251155 core-svc tools HostIdentifier fails to canonicalize hostnames starting with digits
21 JDK-8238710 core-svc tools LingeredApp doesn't log stdout/stderr if exits with non-zero code
22 JDK-8223141 hotspot compiler Change (count) suffix _ct into _cnt.
23 JDK-8229797 hotspot compiler [JVMCI] Clean up no longer used JVMCI::dependencies_invalid value
24 JDK-8251930 hotspot compiler AArch64: Native types mismatch in hotspot
25 JDK-8268882 hotspot compiler C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
26 JDK-8276105 hotspot compiler C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly
27 JDK-8223142 hotspot compiler Clean-up WS and CB.
28 JDK-8211170 hotspot compiler AArch64: Warnings in C1 and template interpreter
29 JDK-8277441 hotspot compiler CompileQueue::add fails with assert(_last->next() == __null) failed: not last
30 JDK-8275610 hotspot compiler C2: Object field load floats above its null check resulting in a segfault
31 JDK-8275326 hotspot compiler C2: assert(no_dead_loop) failed: dead loop detected
32 JDK-8262134 hotspot compiler compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
33 JDK-8277447 hotspot compiler Hotspot C1 compiler crashes on Kotlin suspend fun with loop
34 JDK-8273277 hotspot compiler C2: Move conditional negation into rc_predicate
35 JDK-8271202 hotspot compiler C1: assert(false) failed: live_in set of first block must be empty
36 JDK-8276157 hotspot compiler C2: Compiler stack overflow during escape analysis on Linux x86_32
37 JDK-8255004 hotspot compiler [JVMCI] expose JVM_ACC_FIELD_INITIALIZED_FINAL_UPDATE
38 JDK-8266923 hotspot compiler [JVMCI] expose StackOverflow::_stack_overflow_limit to JVMCI
39 JDK-8253842 hotspot compiler [JVMCI] Allow implicit exception to dispatch to other address in jvmci compilers.
40 JDK-8253015 hotspot compiler Aarch64: Move linux code out from generic CPU feature detection
41 JDK-8252518 hotspot compiler [JVMCI] cache the result of CompilerToVM.getComponentType
42 JDK-8261071 hotspot compiler AArch64: Refactor interpreter native wrappers
43 JDK-8279076 hotspot compiler C2: Bad AD file when matching SqrtF with UseSSE=0
44 JDK-8276314 hotspot compiler [JVMCI] check alignment of call displacement during code installation
45 JDK-8279225 hotspot compiler [arm32] C1 longs comparison operation destroys argument registers
46 JDK-8279412 hotspot compiler [JVMCI] failed speculations list must outlive any nmethod that refers to it
47 JDK-8278871 hotspot compiler [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
48 JDK-8210236 hotspot gc Prepare ciReceiverTypeData::translate_receiver_data_from for concurrent class unloading
49 JDK-8222072 hotspot jvmti JVMTI GenerateEvents() sends CompiledMethodLoad events to wrong jvmtiEnv
50 JDK-8276177 hotspot jvmti nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here"
51 JDK-8223400 hotspot runtime Replace some enums with static const members in hotspot/runtime
52 JDK-8240197 hotspot runtime Cannot start JVM when $JAVA_HOME includes CJK characters
53 JDK-8261075 hotspot runtime Create stubRoutines.inline.hpp with SafeFetch implementation
54 JDK-8263068 hotspot runtime Rename safefetch.hpp to safefetch.inline.hpp
55 JDK-8272345 hotspot runtime macos doesn't check `os::set_boot_path()` result
56 JDK-8254940 hotspot runtime AArch64: Cleanup non-product thread members
57 JDK-8266170 hotspot runtime -Wnonnull happens in classLoaderData.inline.hpp
58 JDK-8266172 hotspot runtime -Wstringop-overflow happens in vmError.cpp
59 JDK-8186780 hotspot runtime clang fastdebug assertion failure in os_linux_x86:os::verify_stack_alignment()
60 JDK-8274338 hotspot runtime com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror"
61 JDK-8274714 hotspot runtime Incorrect verifier protected access error message
62 JDK-8277342 hotspot runtime vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for
63 JDK-8278384 hotspot runtime Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT
64 JDK-8278309 hotspot runtime [windows] use of uninitialized OSThread::_state
65 JDK-8207011 hotspot runtime Remove uses of the register storage class specifier
66 JDK-8273341 hotspot runtime Update Siphash to version 1.0
67 JDK-8265150 hotspot svc AsyncGetCallTrace crashes on ResourceMark
68 JDK-8258471 hotspot svc-agent "search codecache" clhsdb command does not work
69 JDK-8274736 security-libs java.security Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
70 JDK-8257769 security-libs javax.crypto Cipher.getParameters() throws NPE for ChaCha20-Poly1305
71 JDK-8259319 security-libs javax.crypto:pkcs11 Illegal package access when SunPKCS11 requires SunJCE's classes
72 JDK-8255410 security-libs javax.crypto:pkcs11 Add ChaCha20 and Poly1305 support to SunPKCS11 provider
73 JDK-8241248 security-libs javax.net.ssl NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)
74 JDK-8140466 security-libs javax.net.ssl ChaCha20 and Poly1305 TLS Cipher Suites
75 JDK-8275811 security-libs javax.net.ssl Incorrect instance to dispose
76 JDK-8273894 security-libs org.ietf.jgss:krb5 ConcurrentModificationException raised every time ReferralsCache drops referral
77 JDK-8278069 tools javadoc(tool) JQuery v3.4.1 references still exists in Oracle JDK 11.0.13
78 JDK-8273682 tools jshell Upgrade Jline to 3.20.0
79 JDK-8255035 xml jaxp Update BCEL to Version 6.5.0
80 JDK-8276141 xml jaxp XPathFactory set/getProperty method
81 JDK-8282761 xml jaxp XPathFactoryImpl remove setProperty and getProperty methods

Java SE 11.0.14 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.14 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 11.0.14.0.2

Bug Fixes

BugId Category Subcategory Description
JDK-8218546 core-libs java.net Unable to connect to https://google.com using java.net.HttpClient
JDK-8270874 client-libs 2d JFrame paint artifacts when dragged from standard monitor to HiDPI monitor

 

Changes in Java SE 11.0.14.0.1

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 11.0.14 (JDK 11.0.14)

January 18, 2022

The full version string for this update release is 11.0.14+8 (where "+" means "build"). The version number is 11.0.14.

 

IANA TZ Data 2021b, 2021c, 2021d, 2021e

JDK 11.0.14 contains IANA time zone data 2021b, 2021c, 2021d, 2021e.
  • Jordan now starts DST on February's last Thursday.
  • Samoa no longer observes DST.
  • Merge more location-based Zones whose timestamps agree since 1970.
  • Move some backward-compatibility links to 'backward'.
  • Rename Pacific/Enderbury to Pacific/Kanton.
  • Correct many pre-1993 transitions in Malawi, Portugal, etc.
  • zic now creates each output file or link atomically.
  • zic -L no longer omits the POSIX TZ string in its output.
  • zic fixes for truncation and leap second table expiration.
  • zic now follows POSIX for TZ strings using all-year DST.
  • Fix some localtime crashes and bugs in obscure cases.
  • zdump -v now outputs more-useful boundary cases.
  • tzfile.5 better matches a draft successor to RFC 8536.
  • A new file SECURITY.
  • Revert most 2021b changes to 'backward'.
  • Fix 'zic -b fat' bug in pre-1970 32-bit data.
  • Fix two Link line typos.
  • Distribute SECURITY file.

This release is intended as a bugfix release, to fix compatibility problems and typos reported since 2021b was released.

  • Fiji suspends DST for the 2021/2022 season.
  • 'zic -r' marks unspecified timestamps with "-00".
  • Palestine will fall back 10-29 (not 10-30) at 01:00.
For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.14 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.14+8
8 8u321-b07
7 7u331-b06

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.14) be used after the next critical patch update scheduled for April 19, 2022.

 

New Features

security-libs/javax.crypto:pkcs11
 New SunPKCS11 Configuration Properties

SunPKCS11 provider adds new provider configuration attributes to better control native resources usage. The SunPKCS11 provider consumes native resources in order to work with native PKCS11 libraries. To manage and better control the native resources, additional configuration attributes are added to control the frequency of clearing native references as well as whether to destroy the underlying PKCS11 Token after logout.

The 3 new attributes for SunPKCS11 provider configuration file are:

  1. destroyTokenAfterLogout (boolean, defaults to false)

    If set to true, when java.security.AuthProvider.logout() is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout() calls. Note that a PKCS11 provider with this attribute set to true should not be added to the system provider list since the provider object is not usable after a logout() method call.

  2. cleaner.shortInterval (integer, defaults to 2000, in milliseconds)

    This defines the frequency for clearing native references during busy period (such as, how often should the cleaner thread processes the no-longer-needed native references in the queue to free up native memory). Note that the cleaner thread will switch to the 'longInterval' frequency after 200 failed tries (such as, when no references are found in the queue).

  3. cleaner.longInterval (integer, defaults to 60000, in milliseconds)

    This defines the frequency for checking native reference during non-busy period (such as, how often should the cleaner thread check the queue for native references). Note that the cleaner thread will switch back to the 'shortInterval' value if native PKCS11 references for cleaning are detected.

security-libs/javax.net.ssl
 Configurable Extensions With System Properties

Two new system properties have been added. The system property, jdk.tls.client.disableExtensions, is used to disable TLS extensions used in the client. The system property, jdk.tls.server.disableExtensions, is used to disable TLS extensions used in the server. If an extension is disabled, it will be neither produced nor processed in the handshake messages.

The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request, and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.

Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please do not disable mandatory extensions, and do not use this feature unless you clearly understand the impact.

 

Removed Features and Options

security-libs/java.security
 Removed Google's GlobalSign Root Certificate

The following root certificate from Google has been removed from the cacerts keystore:

+ alias name "globalsignr2ca [jdk]"

  Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2

 

Other Notes

core-libs/java.nio
 Zip File System Provider Throws ZipException When Entry Name Element Contains "." or ".."

The ZIP file system provider has been changed to reject existing ZIP files that contain entries with "." or ".." in name elements. ZIP files with these entries cannot be used as a file system. Invoking the java.nio.file.FileSystems.newFileSystem(...) methods throw ZipException if the ZIP file contains these entries.

core-libs/java.time
 Update Timezone Data to 2021c

IANA Time Zone Database, on which JDK's Date/Time libraries are based, has made a tweak to some time zone rules since 2021c. Note that since this update, some of the time zone rules prior to the year 1970 have been modified according to the changes which were introduced with 2021b. For more detail, refer to the announcement of 2021b

core-libs/javax.naming
 LDAP Channel Binding Support for Java GSS/Kerberos

A new JNDI environment property “com.sun.jndi.ldap.tls.cbtype” has been added to enable TLS Channel Binding data in LDAP authentication over SSL/TLS protocol to the Windows AD server. A possible value is “tls-server-end-point” - Channel Binding data is created on the base of the TLS server certificate. See the module description of the java.naming module.

security-libs/javax.net.ssl
 SocketExceptions Are Not Wrapped Into SSLExceptions in SSLSocketImpl

This release reverts the behavior of SSLSocketImpl and SSLTransport introduced by JDK-8196584. SocketException will now be thrown as is instead of being suppressed into an SSLException.

hotspot/runtime
 OperatingSystemMXBean.getProcessCpuLoad Is Now Container Aware

For JVMs running in a container, OperatingSystemMXBean.getProcessCpuLoad now considers only the CPU resources available to the container when calculating CPU load. Prior to this change, the calculation included all CPUs on a host. After this change, management agents may report higher CPU usage by JVMs in containers that are constrained to a limited set of CPUs.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.14:

# BugId Component Subcomponent Summary
1 JDK-8249548 client-libs backward focus traversal gets stuck in button group
2 JDK-8273436 client-libs Backport JDK-8273426 caused build failure due to missing "All rights reserved."
3 JDK-8211999 client-libs java.awt Window positioning bugs due to overlapping GraphicsDevice bounds (Windows/HiDPI)
4 JDK-8272806 client-libs java.awt [macOS] "Apple AWT Internal Exception" when input method is changed
5 JDK-6722236 client-libs java.awt 3 Choice regression testcases are failing from 6u10_b26 build onwards
6 JDK-8015886 client-libs java.awt java/awt/Focus/DeiconifiedFrameLoosesFocus/DeiconifiedFrameLoosesFocus.java sometimes failed on ubuntu
7 JDK-8257242 client-libs java.awt [macOS] Java app crashes while switching input methods
8 JDK-8274326 client-libs javax.accessibility [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
9 JDK-8274056 client-libs javax.accessibility JavaAccessibilityUtilities leaks JNI objects
10 JDK-8274381 client-libs javax.accessibility missing CAccessibility definitions in JNI code
11 JDK-8208747 client-libs javax.accessibility [a11y] [macos] In Optionpane Demo, inside ComponentDialog Example, unable to navigate to all items, with VO on
12 JDK-8270893 client-libs javax.imageio IndexOutOfBoundsException while reading large TIFF file
13 JDK-8239334 client-libs javax.swing Tab Size does not work correctly in JTextArea with setLineWrap on
14 JDK-8269951 client-libs javax.swing [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
15 JDK-8259237 client-libs javax.swing Demo selection changes with left/right arrow key. No need to press space for selection.
16 JDK-8269850 core-libs Most JDK releases report macOS version 12 as 10.16 instead of 12.0
17 JDK-8231717 core-libs java.lang Improve performance of charset decoding when charset is always compactable
18 JDK-8274779 core-libs java.net HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
19 JDK-8276536 core-libs java.time Update TimeZoneNames files to follow the changes made by JDK-8275766
20 JDK-8273924 core-libs java.util:i18n ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
21 JDK-8187649 core-libs java.util:i18n ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar
22 JDK-8245527 core-libs javax.naming LDAP Channel Binding support for Java GSS/Kerberos
23 JDK-8195703 core-svc debugger BasicJDWPConnectionTest.java: 'App exited unexpectedly with 2'
24 JDK-8247469 core-svc javax.management getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
25 JDK-8235211 core-svc tools serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file
26 JDK-8270886 hotspot compiler Crash in PhaseIdealLoop::verify_strip_mined_scheduling
27 JDK-8210392 hotspot compiler assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit
28 JDK-8223137 hotspot compiler Rename predicate 'do_unroll_only()' to 'is_unroll_only()'.
29 JDK-8223139 hotspot compiler Rename mandatory policy-do routines.
30 JDK-8223923 hotspot compiler C2: Missing interference with mismatched unsafe accesses
31 JDK-8223140 hotspot compiler Clean-up in 'ok_to_convert()'
32 JDK-8272570 hotspot compiler C2: crash in PhaseCFG::global_code_motion
33 JDK-8267652 hotspot compiler c2 loop unrolling by 8 results in reading memory past array
34 JDK-8263303 hotspot compiler C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint
35 JDK-8268019 hotspot compiler C2: assert(no_dead_loop) failed: dead loop detected
36 JDK-8268672 hotspot compiler C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only
37 JDK-8252049 hotspot compiler Native memory leak in ciMethodData ctor
38 JDK-8231501 hotspot compiler VM crash in MethodData::clean_extra_data(CleanExtraDataClosure*): fatal error: unexpected tag 99
39 JDK-8223138 hotspot compiler Small clean-up in loop-tree support.
40 JDK-8271341 hotspot compiler Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
41 JDK-8271340 hotspot compiler Crash PhaseIdealLoop::clone_outer_loop
42 JDK-8271459 hotspot compiler C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
43 JDK-8257919 hotspot compiler [JVMCI] profiling info didn't change after reprofile
44 JDK-8263776 hotspot compiler [JVMCI] add helper to perform Java upcalls
45 JDK-8272131 hotspot compiler PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj
46 JDK-8268261 hotspot compiler C2: assert(n != __null) failed: Bad immediate dominator info.
47 JDK-8272574 hotspot compiler C2: assert(false) failed: Bad graph detected in build_loop_late
48 JDK-8215889 hotspot gc assert(!_unloading) failed: This oop is not available to unloading class loader data with ZGC
49 JDK-8221584 hotspot jvmti SIGSEGV in os::PlatformEvent::unpark() in JvmtiRawMonitor::raw_exit while posting method exit event
50 JDK-8217348 hotspot jvmti assert(thread->is_Java_thread()) failed: just checking
51 JDK-8236177 hotspot runtime assert(status == 0) failed: error ETIMEDOUT(60), cond_wait
52 JDK-8218483 hotspot runtime Crash in "assert(_daemon_threads_count->get_value() > daemon_count) failed: thread count mismatch 5 : 5"
53 JDK-8222446 hotspot runtime assert(C->env()->system_dictionary_modification_counter_changed()) failed: Must invalidate if TypeFuncs differ
54 JDK-8273229 hotspot runtime Update OS detection code to recognize Windows Server 2022
55 JDK-8274840 hotspot runtime Update OS detection code to recognize Windows 11
56 JDK-8273342 hotspot runtime Null pointer dereference in classFileParser.cpp:2817
57 JDK-8269668 hotspot runtime [aarch64] java.library.path not including /usr/lib64
58 JDK-8230674 hotspot runtime Heap dumps should exclude dormant CDS archived objects of unloaded classes
59 JDK-8272124 hotspot runtime Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
60 JDK-8269934 hotspot runtime RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
61 JDK-8181313 hotspot svc-agent SA: Remove libthread_db dependency on Linux
62 JDK-8225083 security-libs java.security Remove Google certificate that is expiring in December 2021
63 JDK-8273826 security-libs java.security Correct Manifest file name and NPE checks
64 JDK-8277224 security-libs java.security sun.security.pkcs.PKCS9Attributes.toString() throws NPE
65 JDK-8269034 security-libs javax.crypto:pkcs11 AccessControlException for SunPKCS11 daemon threads
66 JDK-8240256 security-libs javax.crypto:pkcs11 Better resource cleaning for SunPKCS11 Provider
67 JDK-8270344 security-libs javax.net.ssl Session resumption errors
68 JDK-8217633 security-libs javax.net.ssl Configurable extensions with system properties
69 JDK-8268965 security-libs javax.net.ssl TCP Connection Reset when connecting simple socket to SSL server
70 JDK-8211148 tools javac var in implicit lambdas shouldn't be accepted for source < 11
71 JDK-8267459 tools jshell Pasting Unicode characters into JShell does not work.


Java SE 11.0.13 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.13 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 11.0.13.0.3

Bug Fixes

BugId Component Subcomponent Summary
JDK-8278069 tools javadoc(tool) JQuery v3.4.1 references still exists in Oracle JDK 11.0.13
JDK-8275766 core-libs java.time (tz) Update Timezone Data to 2021e

Changes in Java SE 11.0.13.0.2

Bug Fixes

BugId Component Subcomponent Summary
JDK-8239334 client-libs javax.swing Tab Size does not work correctly in JTextArea with setLineWrap on

Changes in Java SE 11.0.13.0.1

Bug Fixes

BugId Component Subcomponent Summary
JDK-8263773 infrastructure build Reenable German localization for builds at Oracle


Java™ SE Development Kit 11.0.13 (JDK 11.0.13)

October 19, 2021

The full version string for this update release is 11.0.13+10 (where "+" means "build"). The version number is 11.0.13.

IANA TZ Data 2021a

For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.13 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.13+10
8 8u311-b11
7 7u321-b08

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.13) be used after the next critical patch update scheduled for January 18, 2022.

New Features

core-libs/java.io:serialization
 Context-specific Deserialization Filters

Allow applications to configure context-specific and dynamically-selected deserialization filters via a JVM-wide filter factory that is invoked to select a filter for each deserialization stream. The behavior is a strict subset of JEP 415: Context-Specific Deserialization Filters to allow a filter factory to be configured using a property configured on the command line or in the security properties file.

The behavior is opt-in based on the presence of the jdk.serialFilterFactory system property on the command line or the jdk.serialFilterFactory security property. If set, the JVM-wide filter factory selects the filter for each stream when the stream is constructed and when a stream-specific filter is set.

The JVM-wide filter factory is a java.util.function.BinaryOperator<java.io.ObjectInputFilter> function invoked when each ObjectInputStream is constructed and when the stream-specific filter is set using ObjectInputStream.setObjectInputFilter(ObjectInputFilter). The parameters are the current filter and a requested filter and the function returns the filter to be used for the stream. When invoked from the ObjectInputStream constructors, the first parameter is null and the second parameter is the static JVM-wide filter. When invoked from ObjectInputStream.setObjectInputFilter, the first parameter is the filter currently set on the stream (which was set in the constructor), and the second parameter is the filter given to ObjectInputStream.setObjectInputFilter.

A typical filter factory should use or merge the static JVM-wide filter with other application and context specific filters and the stream-specific filter, if one is set on the stream. The filter factory implementation can also use any contextual information at its disposal, for example, extracted from the application thread context, or its call stack, to compose and combine a new filter. It is not restricted to only use its two parameters.

Refer to Context-Specific Deserialization Filter and Serialization Filtering Guide for details.

JDK-8268624 (not public)

Removed Features and Options

security-libs/java.security
 Removed IdenTrust Root Certificate

The following root certificate from IdenTrust has been removed from the cacerts keystore:

+ alias name "identrustdstx3 [jdk]"

  Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.

hotspot/compiler
 Remove the Experimental AOT and JIT Compiler in OracleJDK 11u

The experimental Java-based JIT compiler, Graal JEP317, has been removed. Attempting to use it produces a JVMCI error: JVMCI compiler 'graal' not found.

The Java Ahead-of-Time compilation experimental tool jaotc has been removed. Using HotSpot VM AOT options defined by JEP295 produce "Unrecognized VM option" error on VM initialization.

Developers who wish to test the Graal compiler for either AOT or JIT compilation should use GraalVM.

JDK-8267704 (not public)

Other Notes

core-libs/java.lang
 Release Doesn't Correctly Recognize Windows 11

This release doesn't correctly identify Windows 11. The property os.name is set to Windows 10 on Windows 11. In HotSpot error logs, the OS is identified as Windows 10; however, the HotSpot error log does show the Build number. Windows 11 has Build 22000.194 or above.

install
 Change to Package Names in Linux RPM/DEB Installers

On the Linux platform, the names of JDK packages provided by Java RPM and DEB installers have been changed. Names of JDK packages follow the jdk-<feature_release_version> pattern instead of the jdk-<update_release_version> pattern that was previously used. For example, the new names of JDK 11, 16, and 17 packages are jdk-11, jdk-16, and jdk-17 respectively.

The change to package names disables side-by-side installation of multiple JDKs of the same release family. Only one JDK per release family can be installed on a system with RPM and DEB installers.

If a user wants to have multiple update releases from the same family, the user must download the tar.gz bundles.

JDK-8266653 (not public)

security-libs/javax.net.ssl
 Updated the Default Enabled Cipher Suites Preference

The default priority order of the cipher suites for TLS 1.0 to TLS 1.3 has been adjusted.

For TLS 1.3, TLS_AES_256_GCM_SHA384 is now preferred over TLS_AES_128_GCM_SHA256.

For TLS 1.0 to TLS 1.2, some of the intermediate suites have been lowered in priority as follows:

  • Cipher suites that do not preserve forward secrecy have been moved lower in priority than those that do support forward secrecy.
  • Cipher suites that use SHA-1 have been moved lower in priority.

core-libs/javax.naming
 System Property to Control Reconstruction of Reference Address Objects by JDK's Built-in JNDI LDAP Implementation

The scope of the com.sun.jndi.ldap.object.trustSerialData system property has been extended to control the deserialization of java objects from the javaReferenceAddress LDAP attribute. This system property now controls the deserialization of java objects from the javaSerializedData and javaReferenceAddress LDAP attributes.

To prevent deserialization of java objects from these attributes, the system property can be set to false. By default, the deserialization of java objects from javaSerializedData and javaReferenceAddress attributes is allowed.

JDK-8267712 (not public)

hotspot/runtime
 Release Doesn't Correctly Recognize Windows Server 2022

This release doesn't correctly identify Windows Server 2022. The property os.name is set to Windows Server 2019 on Windows Server 2022. In HotSpot error logs the OS is identified as Windows Server 2019; however, the HotSpot error log does show the Build number. Windows Server 2022 has Build 20348, or above.

security-libs/java.security
 Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280

The gencert command of the keytool utility has been updated to create AKID from the SKID of the issuing certificate as specified by RFC 5280.

security-libs/javax.crypto:pkcs11
 SunPKCS11 Initialization With NSS When External FIPS Modules Are in Security Modules Database

The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Before this change, when such a library was configured for NSS in non-FIPS mode, the SunPKCS11 provider would throw a RuntimeException with the message "FIPS flag set for non-internal module".

This change allows the JDK to work properly with recent NSS releases in GNU/Linux operating systems when the system-wide FIPS policy is turned on.

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.13:

# BugId Component Subcomponent Summary
1 JDK-8264047 client-libs 2d Duplicate global variable 'jvm' in libjavajpeg and libawt
2 JDK-8261169 client-libs 2d Upgrade HarfBuzz to the latest 2.8.0
3 JDK-8242557 client-libs 2d Add length limit for strings in PNGImageWriter
4 JDK-8265761 client-libs 2d Font with missed font family name is not properly printed on Windows
5 JDK-8211055 client-libs 2d Provide print to a file (PDF) feature even when printer was not connected
6 JDK-8212040 client-libs 2d Compilation error due to wrong usage of NSPrintJobDispositionValue in mac10.12
7 JDK-7179006 client-libs 2d [macosx] Print-to-file doesn't work: printing to the default printer instead
8 JDK-8256372 client-libs 2d [macos] Unexpected symbol was displayed on JTextField with Monospaced font
9 JDK-8262731 client-libs 2d [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
10 JDK-8262392 client-libs 2d Update Mesa 3-D Headers to version 21.0.3
11 JDK-8273358 client-libs 2d macOS Monterey does not have the font Times needed by Serif
12 JDK-8272602 client-libs java.awt [macos] not all KEY_PRESSED events sent when control modifier is used
13 JDK-8270216 client-libs java.awt [macOS] Update named used for Java run loop mode
14 JDK-8269984 client-libs java.awt [macos] JTabbedPane title looks like disabled
15 JDK-8268775 client-libs javax.accessibility Password is being converted to String in AccessibleJPasswordField
16 JDK-8190763 client-libs javax.swing Class cast exception on (CompoundEdit) UndoableEditEvent.getEdit()
17 JDK-8247753 client-libs javax.swing UIManager.getSytemLookAndFeelClassName() returns wrong value on Fedora 32
18 JDK-8251377 client-libs javax.swing [macos11] JTabbedPane selected tab text is barely legible
19 JDK-8232243 client-libs javax.swing Wrong caret position in JTextPane on Windows with a screen resolution > 100%
20 JDK-8255227 core-libs java.net java/net/httpclient/FlowAdapterPublisherTest.java intermittently failing with TestServer: start exception: java.io.IOException: Invalid preface
21 JDK-8233185 core-libs java.net HttpServer.stop() blocks indefinitely when called on dispatch thread
22 JDK-8241786 core-libs java.net Improve heuristic to determine default network interface on macOS
23 JDK-8227080 core-libs java.nio (fs) Files.newInputStream(...).skip(n) is slow
24 JDK-8227609 core-libs java.nio (fs) Files.newInputStream(...).skip(n) should allow skipping beyond file size
25 JDK-8226530 core-libs java.util.jar ZipFile reads wrong entry size from ZIP64 entries
26 JDK-8215411 core-svc some GetByteArrayElements calls miss corresponding Release
27 JDK-8253134 core-svc java.lang.management JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11
28 JDK-8216145 docs tools jarsigner doc is not precise when describing jar file re-signing
29 JDK-8265938 hotspot compiler C2's conditional move optimization does not handle top Phi
30 JDK-8269795 hotspot compiler C2: Out of bounds array load floats above its range check in loop peeling resulting in SEGV
31 JDK-8269304 hotspot compiler Regression ~5% in 2005 in b27
32 JDK-8265132 hotspot compiler C2 compilation fails with assert "missing precedence edge"
33 JDK-8267424 hotspot compiler CTW: C1 fails with "State must not be null"
34 JDK-8223050 hotspot compiler JVMCI: findUniqueConcreteMethod() should not use Dependencies::find_unique_concrete_method() for non-virtual methods
35 JDK-8266288 hotspot compiler assert root method not found in witnessed_reabstraction_in_supers is too strong
36 JDK-8268360 hotspot compiler Missing check for infinite loop during node placement
37 JDK-8262017 hotspot compiler C2: assert(n != __null) failed: Bad immediate dominator info.
38 JDK-8268369 hotspot compiler SIGSEGV in PhaseCFG::implicit_null_check due to missing null check
39 JDK-8260653 hotspot compiler Unreachable nodes keep speculative types alive
40 JDK-8268366 hotspot compiler Incorrect calculation of has_fpu_registers in C1 linear scan
41 JDK-8268347 hotspot compiler C2: nested locks optimization may create unbalanced monitor enter/exit code
42 JDK-8258746 hotspot compiler illegal access to global field _jvmci_old_thread_counters by terminated thread causes crash
43 JDK-8266615 hotspot compiler C2 incorrectly folds subtype checks involving an interface array
44 JDK-8266480 hotspot compiler Implicit null check optimization does not update control of hoisted memory operation
45 JDK-8267773 hotspot compiler PhaseStringOpts::int_stringSize doesn't handle min_jint correctly
46 JDK-8269745 hotspot compiler [JVMCI] restore original qualified exports to Graal
47 JDK-8263227 hotspot compiler C2: inconsistent spilling due to dead nodes in exception block
48 JDK-8261147 hotspot compiler C2: Node is wrongly marked as reduction resulting in a wrong execution due to wrong vector instructions
49 JDK-8268362 hotspot compiler [REDO] C2 crash when compile negative Arrays.copyOf length after loop
50 JDK-8264016 hotspot compiler [JVMCI] add some thread local fields for use by JVMCI
51 JDK-8210063 hotspot gc ZGC: Enable load barriers for IN_NATIVE runtime barriers
52 JDK-8264640 hotspot gc CMS ParScanClosure misses a barrier
53 JDK-8245511 hotspot gc G1 adaptive IHOP does not account for reclamation of humongous objects by young GC
54 JDK-8246274 hotspot gc G1 old gen allocation tracking is not in a separate class
55 JDK-8269768 hotspot jfr JFR Terminology Refresh
56 JDK-8191521 hotspot runtime handle long relative path specified in -Xbootclasspath/a on windows
57 JDK-8231885 hotspot runtime Fix/remove malformed assert in os_windows.cpp
58 JDK-8231930 hotspot runtime Windows build fails after JDK-8191521
59 JDK-8262163 hotspot runtime Extend settings printout in jcmd VM.metaspace
60 JDK-8253572 hotspot runtime [windows] CDS archive may fail to open with long file names
61 JDK-8211296 hotspot runtime Remove HotSpot deprecation warning suppression for Mac/clang
62 JDK-8024368 hotspot runtime private methods are allocated vtable indices
63 JDK-8266642 hotspot runtime Improve ResolvedMethodTable hash function
64 JDK-8267396 hotspot runtime Avoid recording "pc" in unhandled oops detector for better performance
65 JDK-8227766 hotspot runtime CheckUnhandledOops is broken in MemAllocator
66 JDK-8218145 hotspot runtime block_if_requested is not proper inlined due to size
67 JDK-8267235 hotspot runtime [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash
68 JDK-8268635 hotspot runtime Corrupt oop in ClassLoaderData
69 JDK-8266404 hotspot runtime Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report
70 JDK-8269594 hotspot runtime assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark
71 JDK-8212992 hotspot runtime Change mirror accessor in Klass::verify_on() to use AS_NO_KEEPALIVE
72 JDK-8227815 hotspot svc Minimal VM: set_state is not a member of AttachListener
73 JDK-8266473 install install javapath/java.exe strips double quotes from command line args
74 JDK-8218618 security-libs java.security Program fails when using JDK addressed by UNC path and using Security Manager
75 JDK-8257497 security-libs java.security Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280
76 JDK-8225082 security-libs java.security Remove IdenTrust certificate that is expiring in September 2021
77 JDK-8236671 security-libs javax.crypto NullPointerException in JKS keystore
78 JDK-8238555 security-libs javax.crypto:pkcs11 Allow initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB
79 JDK-8163326 security-libs javax.net.ssl Update the default enabled cipher suites preference
80 JDK-8259886 security-libs javax.net.ssl Improve SSL session cache performance and scalability
81 JDK-8255255 security-libs javax.xml.crypto Update Apache Santuario (XML Signature) to version 2.2.1
82 JDK-8265773 tools incorrect jdeps message "jdk8internals" to describe a removed JDK internal API
83 JDK-8207160 tools javac ClassReader::adjustMethodParams can potentially return null if the args list is empty
84 JDK-8177068 tools javac incomplete classpath causes NPE in Flow
85 JDK-8210495 tools javac compiler crashes because of illegal signature in otherwise legal code
86 JDK-8241353 tools javac NPE in ToolProvider.getSystemJavaCompiler
87 JDK-8263432 tools javac javac may report an invalid package/class clash on case insensitive filesystems
88 JDK-8265524 tools javadoc(tool) Upgrading JSZip from v3.2.2 to v3.6.0
89 JDK-8272180 tools javadoc(tool) Upgrade JSZip from v3.6.0 to v3.7.1
90 JDK-8260690 tools jconsole JConsole User Guide Link from the Help menu is not accessible by keyboard
91 JDK-8239536 tools jshell Can't use `java.util.List` object after importing `java.awt.List`
92 JDK-8242919 tools jshell Paste locks up jshell
93 JDK-8247403 tools jshell JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder


Java SE 11.0.12 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.12 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 11.0.12.0.3

Bug Fixes

BugId Component Subcomponent Summary
JDK-8263773 infrastructure build Reenable German localization for builds at Oracle
JDK-8240256 security-libs javax.crypto:pkcs11 Better resource cleaning for SunPKCS11 Provider
JDK-8245511 hotspot gc G1 adaptive IHOP does not account for reclamation of humongous objects by young GC
JDK-8246274 hotspot gc G1 old gen allocation tracking is not in a separate class

Changes in Java SE 11.0.12.0.2

Bug Fixes

BugId Component Subcomponent Summary
JDK-8259886 security-libs javax.net.ssl Improve SSL session cache performance and scalability

Changes in Java SE 11.0.12.0.1

Bug Fixes

BugId Component Subcomponent Summary
JDK-8268347 hotspot compiler C2: nested locks optimization may create unbalanced monitor enter/exit code
JDK-8269304 hotspot compiler Regression ~5% in 2005 in b27
JDK-8266653 (Confidential) install install Change update mode for JDK rpm/deb installers as it breaks "yum update" for JDK11+
JDK-8260680 tools jshell PipedOutputStream.write in a JShell throws error "pipe closed"
JDK-8247403 tools jshell JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder

Java™ SE Development Kit 11.0.12 (JDK 11.0.12)

July 20, 2021

The full version string for this update release is 11.0.12+8 (where "+" means "build"). The version number is 11.0.12.

IANA TZ Data 2021a

JDK 11.0.12 contains IANA time zone data 2021a.

For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.12 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.12+8
8 8u301-b09
7 7u311-b07

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.12) be used after the next critical patch update scheduled for October 19, 2021.

New Features

security-libs/org.ietf.jgss:krb5
 Support cross-realm MSSFU

The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments.

By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms.

[1] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94

security-libs/java.security
 Customizing PKCS12 keystore Generation

New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security file.

Also, support for the following SHA-2 based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256

Removed Features and Options

security-libs/java.security
 Removed Root Certificates with 1024-bit Keys

The following root certificates with weak 1024-bit RSA public keys have been removed from the cacerts keystore:

+ alias name "thawtepremiumserverca [jdk]"

  Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

+ alias name "verisignclass2g2ca [jdk]"
  Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

+ alias name "verisignclass3ca [jdk]"
  Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

+ alias name "verisignclass3g2ca [jdk]"
  Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

+ alias name "verisigntsaca [jdk]"
  Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA

security-libs/java.security
 Removed Telia Company's Sonera Class2 CA Certificate

The following root certificate has been removed from the cacerts truststore:

+ Telia Company

  + soneraclass2ca
    DN: CN=Sonera Class2 CA, O=Sonera, C=FI

Other Notes

security-libs/java.security
 JarFile Treats Signed JARs with Multiple Manifests as Unsigned

The JarFile class now treats a signed JAR as unsigned if it detects a second manifest in the JAR file. A warning message, "WARNING: Multiple MANIFEST.MF found. Treat JAR file as unsigned.", is logged if the system property -Djava.security.debug=jar is set.

JDK-8260967 (not public)
install/install
 Updated List of Capabilities Provided by JDK RPMs

The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api, jaxp_parser_impl, and java-fonts. This clean-up of the list resolves existing and potential conflicts with modular RPMs.

There are other RPMs providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other rpms to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.

JDK-8263575 (not public)

install/install
 ADDLOCAL=ToolsFeature,SourceFeature Argument No Longer Needed For Windows JDK Installer

The ADDLOCAL=ToolsFeature,SourceFeature argument is no longer needed for the JDK installer silent mode. All required files are now installed by default.

JDK-8262043 (not public)

security-libs/java.security
 Upgraded the Default PKCS12 Encryption and MAC Algorithms

The default encryption and MAC algorithms used in a PKCS #12 keystore have been updated. The new algorithms are based on AES-256 and SHA-256 and are stronger than the old algorithms that were based on RC2, DESede, and SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.

For compatibility, a new system property named keystore.pkcs12.legacy is defined that will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.

security-libs/java.security
 Disable SHA-1 JARs

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.

In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
  • Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included by default in the JDK cacerts keystore will not be restricted.

These exceptions may be removed in a future JDK release.

Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or overriding it using the java.security.properties system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

security-libs/javax.net.ssl
 Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values

Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.

SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset to "UTF-8" revert the behavior.

See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.

core-libs/java.net
 URL FTP Protocol Handler: IPv4 Address Validation in Passive Mode

Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.

The following system property has been added for validation of server addresses in FTP passive mode.

  • jdk.net.ftp.trustPasvAddress.

In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address which the FTP Client initially connected.

To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command

JDK-8258432 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.12:

# BugId Component Subcomponent Summary
1 JDK-8259869 client-libs [macOS] Remove desktop module dependencies on JNF Reference APIs
2 JDK-8260616 client-libs Removing remaining JNF dependencies in the java.desktop module
3 JDK-8259343 client-libs [macOS] Update JNI error handling in Cocoa code.
4 JDK-6847157 client-libs 2d java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit
5 JDK-8261170 client-libs 2d Upgrade to FreeType 2.10.4
6 JDK-8260380 client-libs 2d Upgrade to LittleCMS 2.12
7 JDK-8259232 client-libs 2d Bad JNI lookup during printing
8 JDK-8263311 client-libs 2d Watch registry changes for remote printers update instead of polling
9 JDK-8262829 client-libs 2d Native crash in Win32PrintServiceLookup.getAllPrinterNames()
10 JDK-8213944 client-libs java.awt Fix AIX build after the removal of Xrandr.h and add a configure check for it
11 JDK-8262461 client-libs java.awt handle wcstombsdmp return value correctly in unix awt_InputMethod.c
12 JDK-8262446 client-libs java.awt DragAndDrop hangs on Windows
13 JDK-8261231 client-libs java.awt Windows IME was disabled after DnD operation
14 JDK-8255681 client-libs java.awt Print callstack in error case in runAWTLoopWithApp
15 JDK-8264786 client-libs java.awt [macOS] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched
16 JDK-8259585 client-libs java.awt [macOS] Bad JNI lookup error : Accessible actions do not work on macOS
17 JDK-8259729 client-libs javax.accessibility Missed JNFInstanceOf -> IsInstanceOf conversion
18 JDK-8261198 client-libs javax.accessibility [macOS] Incorrect JNI parameters in number conversion in A11Y code
19 JDK-8239312 client-libs javax.swing [macOS] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java
20 JDK-8252883 core-libs java.util.logging AccessDeniedException caused by delayed file deletion on Windows
21 JDK-8262110 core-libs java.util:i18n DST starts from incorrect time in 2038
22 JDK-8255086 core-libs java.util:i18n Update the root locale display names
23 JDK-8247432 core-libs java.util:i18n Update IANA Language Subtag Registry to Version 2020-09-29
24 JDK-8241082 core-libs java.util:i18n Upgrade IANA Language Subtag Registry data to 03-16-2020 version
25 JDK-8242010 core-libs java.util:i18n Update IANA Language Subtag Registry to Version 2020-04-01
26 JDK-8073446 core-libs java.util:i18n TimeZone getOffset API does not return a DST offset between years 2038-2137
27 JDK-8258753 core-libs javax.naming StartTlsResponse.close() hangs due to synchronization issues
28 JDK-8259785 docs Create man pages using pandoc from markdown sources
29 JDK-8262465 hotspot compiler Very long compilation times and high memory consumption in C2 debug builds
30 JDK-8262093 hotspot compiler java/util/concurrent/tck/JSR166TestCase.java failed "assert(false) failed: unexpected node"
31 JDK-8261914 hotspot compiler IfNode::fold_compares_helper faces non-canonicalized bool when running JRuby JSON workload
32 JDK-8261846 hotspot compiler [JVMCI] c2v_iterateFrames can get out of sync with the StackFrameStream
33 JDK-8261912 hotspot compiler Code IfNode::fold_compares_helper more defensively
34 JDK-8262298 hotspot compiler G1BarrierSetC2::step_over_gc_barrier fails with assert "bad barrier shape"
35 JDK-8262295 hotspot compiler C2: Out-of-Bounds Array Load from Clone Source
36 JDK-8262739 hotspot compiler String inflation C2 intrinsic prevents insertion of anti-dependencies
37 JDK-8262726 hotspot compiler AArch64: C1 StubAssembler::call_RT can corrupt stack
38 JDK-8264360 hotspot compiler Loop strip mining verification fails with "should be on the backedge"
39 JDK-8262837 hotspot compiler handle split_USE correctly
40 JDK-8263448 hotspot compiler CTW: fatal error: meet not symmetric
41 JDK-8263425 hotspot compiler AArch64: two potential bugs in C1 LIRGenerator::generate_address()
42 JDK-8264958 hotspot compiler C2 compilation fails with assert "n is later than its clone"
43 JDK-8263676 hotspot compiler AArch64: one potential bug in C1 LIRGenerator::generate_address()
44 JDK-8261730 hotspot compiler C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge
45 JDK-8265154 hotspot compiler vinserti128 operand mix up for KNL platforms
46 JDK-8261812 hotspot compiler C2 compilation fails with assert(!had_error) failed: bad dominance
47 JDK-8261235 hotspot compiler C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check
48 JDK-8260338 hotspot compiler Some fields in HaltNode is not cloned
49 JDK-8260284 hotspot compiler C2: assert(_base == Int) failed: Not an Int
50 JDK-8238812 hotspot compiler assert(false) failed: bad AD file
51 JDK-8255763 hotspot compiler C2: OSR miscompilation caused by invalid memory instruction placement
52 JDK-8252482 hotspot compiler disable cbcond instructions on SPARC64
53 JDK-8253353 hotspot compiler Crash in C2: guarantee(n != NULL) failed: No Node
54 JDK-8259777 hotspot compiler Incorrect predication condition generated by ADLC
55 JDK-8259710 hotspot compiler Inlining trace leaks memory
56 JDK-8260420 hotspot compiler C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint
57 JDK-8259061 hotspot compiler C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it
58 JDK-8259619 hotspot compiler C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect
59 JDK-8259227 hotspot compiler C2 crashes with SIGFPE due to a division that floats above its zero check
60 JDK-8257822 hotspot compiler C2 crashes with SIGFPE due to a division that floats above its zero check
61 JDK-8257574 hotspot compiler C2: "failed: parsing found no loops but there are some" assert failure
62 JDK-8240353 hotspot compiler AArch64: missing support for -XX:+ExtendedDTraceProbes in C1
63 JDK-8263361 hotspot compiler Incorrect arraycopy stub selected by C2 for SATB collectors
64 JDK-8264918 hotspot compiler [JVMCI] getVtableIndexForInterfaceMethod doesn't check that type and method are related
65 JDK-8265689 hotspot compiler JVMCI: InternalError: Class java.lang.Object does not implement interface jdk.vm.ci.meta.JavaType
66 JDK-8259276 hotspot compiler C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization
67 JDK-8248411 hotspot compiler AArch64: Insufficient error handling when CodeBuffer is exhausted
68 JDK-8211150 hotspot gc G1 Full GC not purging code root memory and hence causing memory leak
69 JDK-8235324 hotspot gc Dying objects are published from users of CollectedHeap::object_iterate
70 JDK-8260704 hotspot gc ParallelGC: oldgen expansion needs release-store for _end
71 JDK-8247201 hotspot gc Print potential pointer value of readable stack memory in hs_err file
72 JDK-8259271 hotspot gc gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region"
73 JDK-8232905 hotspot jfr JFR fails with assertion: assert(t->unflushed_size() == 0) failed: invariant
74 JDK-8257569 hotspot jfr Failure observed with JfrVirtualMemory::initialize
75 JDK-8245283 hotspot jfr JFR: Can't handle constant dynamic used by Jacoco agent
76 JDK-8209385 hotspot runtime CDS runtime classpath checking is too strict when only classes from the system modules are archived
77 JDK-8234355 hotspot runtime Buffer overflow in jcmd GC.class_stats due to too many classes
78 JDK-8213231 hotspot runtime ThreadSnapshot::_threadObj can become stale
79 JDK-8208061 hotspot runtime runtime/LoadClass/TestResize.java fails with "Load factor too high" when running in CDS mode
80 JDK-8261916 hotspot runtime gtest/GTestWrapper.java vmErrorTest.unimplemented1_vm_assert failed
81 JDK-8263004 hotspot runtime SPARC CodeBuffer overflow in generate_satb_log_enqueue
82 JDK-8263407 hotspot runtime SPARC64 detection fails on Athena (SPARC64-X)
83 JDK-8261397 hotspot runtime try catch Method failing to work when dividing an integer by 0
84 JDK-8259843 hotspot runtime initialize dli_fname array before calling dll_address_to_library_name
85 JDK-8257746 hotspot runtime Regression introduced with JDK-8250984 - memory might be null in some machines
86 JDK-8259786 hotspot runtime initialize last parameter of getpwuid_r
87 JDK-8260349 hotspot runtime Cannot programmatically retrieve Metaspace max set via JAVA_TOOL_OPTIONS
88 JDK-8238175 hotspot runtime CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class
89 JDK-8261262 hotspot runtime Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION
90 JDK-8236847 hotspot runtime CDS archive with 4K alignment unusable on machines with 64k pages
91 JDK-8266293 security-libs Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"
92 JDK-8243559 security-libs java.security Remove root certificates with 1024-bit keys
93 JDK-8153005 security-libs java.security Upgrade the default PKCS12 encryption/MAC algorithms
94 JDK-8076190 security-libs java.security Customizing the generation of a PKCS12 keystore
95 JDK-8266929 security-libs java.security Unable to use algorithms from 3p providers
96 JDK-8196415 security-libs java.security Disable SHA-1 Signed JARs
97 JDK-8267100 security-libs java.security [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs
98 JDK-8267599 security-libs java.security Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u
99 JDK-8225081 security-libs java.security Remove Telia Company CA certificate expiring in April 2021
100 JDK-8226374 security-libs javax.net.ssl Restrict TLS signature schemes and named groups
101 JDK-8254631 security-libs javax.net.ssl Better support ALPN byte wire values in SunJSSE
102 JDK-8005819 security-libs org.ietf.jgss:krb5 Support cross-realm MSSFU
103 JDK-8253948 tools jlink Memory leak in ImageFileReader
104 JDK-8213725 tools jshell JShell NullPointerException due to class file with unexpected package
105 JDK-8247438 tools jshell JShell: When FailOverExecutionControlProvider fails the proximal cause is not shown
106 JDK-8235368 xml jaxp Update BCEL to Version 6.4.1

Java SE 11.0.11 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.11 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 11.0.11.0.2

Bug Fixes

BugId Component Subcomponent Summary
JDK-8226530 core-libs java.util.jar ZipFile reads wrong entry size from ZIP64 entries

Changes in Java SE 11.0.11.0.1

Bug Fixes

BugId Component Subcomponent Summary
JDK-8263575 (Confidential) install install Conflict between JDK rpms and OL8 Modularity prevents dnf install/updates
JDK-8263407 hotspot runtime SPARC64 detection fails on Athena (SPARC64-X)
JDK-8263004 hotspot runtime SPARC CodeBuffer overflow in generate_satb_log_enqueue
JDK-8252482 hotspot compiler disable cbcond instructions on SPARC64

Java™ SE Development Kit 11.0.11 (JDK 11.0.11)

April 20, 2021

The full version string for this update release is 11.0.11+9 (where "+" means "build"). The version number is 11.0.11.

IANA TZ Data 2020e, 2020f, 2021a

JDK 11.0.11 contains IANA time zone data 2020e, 2020f, 2021a.

  • Volgograd switches to Moscow time on 2020-12-27 at 02:00.
  • South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.11 are specified in the following table:


JRE Family Version JRE Security Baseline (Full Version String)
1111.0.11+9
88u291-b10
77u301-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.11) be used after the next critical patch update scheduled for July 20, 2021.

New Features

tools
 jdeps --print-module-deps Reports Transitive Dependences

jdeps --print-module-deps, --list-deps, and --list-reduce-deps options have been enhanced as follows.

  1. By default, they perform transitive module dependence analysis on libraries on the class path and module path, both directly and indirectly, as required by the given input JAR files or classes. Previously, they only reported the modules required by the given input JAR files or classes. The --no-recursive option can be used to request non-transitive dependence analysis.

  2. By default, they flag any missing dependency, i.e. not found from class path and module path, as an error. The --ignore-missing-deps option can be used to suppress missing dependence errors. Note that a custom image is created with the list of modules output by jdeps when using the --ignore-missing-deps option for a non-modular application. Such an application, running on the custom image, might fail at runtime when missing dependence errors are suppressed.

Other Notes

core-libs/javax.naming
 New System and Security Properties to Control Reconstruction of Remote Objects by JDK's Built-in JNDI RMI and LDAP Implementations

jdk.jndi.object.factoriesFilter: This system and security property allows a serial filter to be specified that controls the set of object factory classes permitted to instantiate objects from object references returned by naming/directory systems. The factory class named by the reference instance is matched against this filter during remote reference reconstruction. The filter property supports pattern-based filter syntax with the format specified by JEP 290. This property applies both to the JNDI/RMI and the JNDI/LDAP built-in provider implementations. The default value allows any object factory class specified in the reference to recreate the referenced object.

com.sun.jndi.ldap.object.trustSerialData: This system property allows control of the deserialization of java objects from the javaSerializedData LDAP attribute. To prevent deserialization of java objects from the attribute, the system property can be set to false value. By default, deserialization of java objects from the javaSerializedData attribute is allowed.

JDK-8244473 (not public)

security-libs/java.security
 Added 2 HARICA Root CA Certificates

The following root certificates have been added to the cacerts truststore:

+ HARICA

  + haricarootca2015
    DN: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR

  + haricaeccrootca2015
    DN: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR

security-libs/javax.net.ssl
 Disable TLS 1.0 and 1.1

TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).

These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms security property in the java.security configuration file.

core-libs/java.nio.charsets
 Modified the MS950 charset Encoder's Conversion Table

In this release, some of the one-way byte-to-char mappings have been aligned with the preferred mappings provided by the Unicode Consortium.

core-libs/java.lang
 Less Ambiguous Processing of ProcessBuilder Quotes on Windows

In the java.lang.ProcessBuilder implementation on Windows, the system property jdk.lang.Process.allowAmbiguousCommands=false ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess. An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process. If a security manager is set, such as in WebStart applications, double-quotes are encoded as described. When there is no security manager, there is no change to existing behavior; the jdk.lang.Process.allowAmbiguousCommands property can be set to true: jdk.lang.Process.allowAmbiguousCommands=true or false. If left unset, it is the same as setting it to true.

JDK-8250568 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.11:

# BugId Component Subcomponent Summary
1 JDK-8244088 client-libs 2d [Regression] Switch of Gnome theme ends up in deadlocked UI
2 JDK-8247872 client-libs 2d Upgrade HarfBuzz to the latest 2.7.2
3 JDK-8244621 client-libs 2d [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11
4 JDK-8258805 client-libs java.awt Japanese characters not entered by mouse click on Windows 10
5 JDK-8212678 client-libs java.awt Windows IME related patch
6 JDK-8239137 client-libs javax.accessibility JAWS does not always announce the value of JSliders in JColorChooser
7 JDK-8249588 client-libs javax.accessibility libwindowsaccessbridge issues on 64bit Windows
8 JDK-6532025 client-libs javax.imageio GIF reader throws misleading exception with truncated images
9 JDK-8237495 client-libs javax.sound Java MIDI fails with a dereferenced memory error when asked to send a raw 0xF7
10 JDK-8255880 client-libs javax.swing UI of Swing components is not redrawn after their internal state changed
11 JDK-8240704 core-libs java.lang ProcessBuilder/checkHandles/CheckHandles.java failed "AssertionError: Handle use increased by more than 10 percent."
12 JDK-8239893 core-libs java.lang Windows handle Leak when starting processes using ProcessBuilder
13 JDK-8251397 core-libs java.lang NPE on ClassValue.ClassValueMap.cacheArray
14 JDK-8235351 core-libs java.lang.invoke Lookup::unreflect should bind with the original caller independent of Method's accessible flag
15 JDK-7146776 core-libs java.net Deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection
16 JDK-8232161 core-libs java.nio.charsets Align some one-way conversion in MS950 charset with Windows
17 JDK-8254854 core-svc tools [cgroups v1] Metric limits not properly detected on some join controller combinations
18 JDK-8218966 hotspot compiler AArch64: String.compareTo() can read memory after string
19 JDK-8244164 hotspot compiler AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base
20 JDK-8245051 hotspot compiler c1 is broken if it is compiled by gcc without -fno-lifetime-dse
21 JDK-8253404 hotspot compiler C2: assert(C->live_nodes() <= C->max_node_limit()) failed: Live Node limit exceeded limit
22 JDK-8247766 hotspot compiler AArch64: guarantee(val < (1U << nbits)) failed: Field too big for insn
23 JDK-8255479 hotspot compiler AArch64: assert(src->section_index_of(target) == CodeBuffer::SECT_NONE) failed: sanity
24 JDK-8255466 hotspot compiler C2 crashes at ciObject::get_oop() const+0x0
25 JDK-8245512 hotspot compiler CRC32 optimization using AVX512 instructions
26 JDK-8257575 hotspot compiler C2: "failed: only phis" assert failure in loop strip mining verification
27 JDK-8254734 hotspot compiler "dead loop detected" assert failure with patch from 8223051
28 JDK-8257594 hotspot compiler C2 compiled checkcast of non-null object triggers endless deoptimization/recompilation cycle
29 JDK-8256807 hotspot compiler C2: Not marking stores correctly as mismatched in string opts
30 JDK-8256061 hotspot compiler RegisterSaver::save_live_registers() omits upper halves of ZMM0-15 registers
31 JDK-8257561 hotspot compiler Some code is not vectorized after 8251925 and 8250607
32 JDK-8256025 hotspot compiler AArch64: MachCallRuntimeNode::ret_addr_offset() is incorrect for stub calls
33 JDK-8257910 hotspot compiler [JVMCI] Set exception_seen accordingly in the runtime.
34 JDK-8257220 hotspot compiler [JVMCI] option validation should not result in a heavy-weight VM crash
35 JDK-8211320 hotspot compiler AArch64: unsafe.compareAndSetByte() and unsafe.compareAndSetShort() c2 intrinsics broken with negative expected value
36 JDK-8215792 hotspot compiler AArch64: String.indexOf generates incorrect result
37 JDK-8214025 hotspot compiler assert(t->singleton()) failed: must be a constant when ScavengeRootsInCode < 2
38 JDK-8229701 hotspot compiler aarch64: C2 OSR compilation fails with "shouldn't process one node several times" in final graph reshaping
39 JDK-8255550 hotspot compiler x86: Assembler::cmpq(Address dst, Register src) encoding is incorrect
40 JDK-8255058 hotspot compiler C1: assert(is_virtual()) failed: type check
41 JDK-8253756 hotspot compiler C2 CompilerThread0 crash in Node::add_req(Node*)
42 JDK-8251923 hotspot compiler "Invalid JNI handle" assertion failure in JVMCICompiler::force_comp_at_level_simple()
43 JDK-8253524 hotspot compiler C2: Refactor code that clones predicates during loop unswitching
44 JDK-8250825 hotspot compiler C2 crashes with assert(field != __null) failed: missing field
45 JDK-8252881 hotspot compiler [JVMCI] ResolvedJavaType.resolveMethod fails in fastdebug when invoked with a constructor
46 JDK-8251925 hotspot compiler C2: RenaissanceStressTest fails with assert(!had_error): bad dominance
47 JDK-8253644 hotspot compiler C2: assert(skeleton_predicate_has_opaque(iff)) failed: unexpected
48 JDK-8247691 hotspot compiler [aarch64] Incorrect handling of VM exceptions in C1 deopt stub/traps
49 JDK-8247200 hotspot compiler AArch64: assert((unsigned)fpargs < 32)
50 JDK-8248336 hotspot compiler AArch64: C2: offset overflow in BoxLockNode::emit
51 JDK-8258015 hotspot compiler [JVMCI] JVMCI_lock shouldn't be held while initializing box classes
52 JDK-8256056 hotspot compiler Deoptimization stub doesn't save vector registers on x86
53 JDK-8258380 hotspot compiler [JVMCI] don't clear InstalledCode reference when unloading JVMCI nmethods
54 JDK-8255578 hotspot compiler [JVMCI] be more careful about reflective reads of Class.componentType.
55 JDK-8257513 hotspot compiler C2: assert((constant_addr - _masm.code()->consts()->start()) == con.offset())
56 JDK-8259339 hotspot compiler AllocateUninitializedArray C2 intrinsic fails with void.class input
57 JDK-8245026 hotspot gc PsAdaptiveSizePolicy::_old_gen_policy_is_ready is unused
58 JDK-8258396 hotspot jfr SIGILL in jdk.jfr.internal.PlatformRecorder.rotateDisk()
59 JDK-8214180 hotspot runtime Need better granularity for sleeping
60 JDK-8215583 hotspot runtime Exclude runtime/handshake/HandshakeWalkSuspendExitTest.java
61 JDK-8234742 hotspot runtime Improve handshake logging
62 JDK-8234796 hotspot runtime Refactor Handshake::execute to take a more complex type than ThreadClosure
63 JDK-8256359 hotspot runtime AArch64: runtime/ReservedStack/ReservedStackTestCompiler.java fails
64 JDK-8227275 hotspot runtime Within native OOM error handling, assertions may hang the process
65 JDK-8228400 hotspot runtime Remove built-in AArch64 simulator
66 JDK-8257168 hotspot runtime Use SkippedException instead of RuntimeException for docker not able to pull the repository
67 JDK-8255544 hotspot runtime Create a checked cast
68 JDK-8258077 hotspot runtime Using -Xcheck:jni can lead to a double-free after JDK-8193234
69 JDK-8242565 security-libs java.security Policy initialization issues when the denyAfter constraint is enabled
70 JDK-8244154 security-libs javax.crypto:pkcs11 Update SunPKCS11 provider with PKCS11 v3.0 header files
71 JDK-8240871 security-libs javax.net.ssl SSLEngine handshake status immediately after the handshake can be NOT_HANDSHAKING rather than FINISHED with TLSv1.3
72 JDK-8257997 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884
73 JDK-8253368 security-libs javax.net.ssl TLS connection always receives close_notify exception
74 JDK-8202343 security-libs javax.net.ssl Disable TLS 1.0 and 1.1
75 JDK-8257670 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks
76 JDK-8256818 security-libs javax.net.ssl SSLSocket that is never bound or connected leaks socket resources
77 JDK-8255559 security-libs javax.xml.crypto Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()
78 JDK-8213909 tools jdeps --print-module-deps should report missing dependences
79 JDK-8234687 tools javac change javap reporting on unknown attributes
80 JDK-8221759 tools javac Crash when completing "java.io.File.path"
81 JDK-8255845 tools jlink Memory leak in imageFile.cpp
82 JDK-8223688 tools jshell JShell: crash on the instantiation of raw anonymous class
83 JDK-8242030 tools jshell Wrong package declarations in jline classes after JDK-8241598
84 JDK-8211694 tools jshell JShell: Redeclared variable should be reset
85 JDK-8210527 tools jshell JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack
86 JDK-8241598 tools jshell Upgrade JLine to 3.14.0
87 JDK-8218287 tools jshell jshell tool: input behavior unstable after 12-ea+24 on Windows
88 JDK-8249867 xml jaxp XML declaration is not followed by a newline

Java SE 11.0.10 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.10 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 11.0.10.0.2

Bug Fixes

BugId Component Subcomponent Summary
JDK-8245283 hotspot jfr JFR: Can't handle constant dynamic used by Jacoco agent
JDK-8226810 core-libs java.lang Failed to launch JVM because of NullPointerException occured on System.props
JDK-8258878 core-libs java.time (tz) Upgrade time-zone data to tzdata2020e
JDK-8259048 core-libs java.time (tz) Upgrade time-zone data to tzdata2020f

Changes in Java SE 11.0.10.0.1

Bug Fixes

BugId Component Subcomponent Summary
JDK-8225745 security-libs java.security NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support

Java™ SE Development Kit 11.0.10 (JDK 11.0.10)

January 19, 2021

The full version string for this update release is 11.0.10+8 (where "+" means "build"). The version number is 11.0.10.

IANA Data 2020d

JDK 11.0.10 contains IANA time zone data version 2020d. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.10 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.10+8
8 1.8.0_281-b09
7 1.7.0_291-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.10) be used after the next critical patch update scheduled for April 20, 2021.

New Features

security-libs/java.security
 -groupname Option Added to keytool Key Pair Generation

A new -groupname option has been added to keytool -genkeypair so that a user can specify a named group when generating a key pair. For example, keytool -genkeypair -keyalg EC -groupname secp384r1 will generate an EC key pair by using the secp384r1 curve. Because there might be multiple curves with the same size, using the -groupname option is preferred over the -keysize option.

security-libs/javax.net.ssl
 Support for certificate_authorities Extension

The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection.

With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.

Applications can enable this extension for server certificate selection by setting the jdk.tls.client.enableCAExtension system property to true. The default value of the property is false.

Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when jdk.tls.client.enableCAExtension is set to true and the client trusts more CAs than the server implementation limit.

core-libs/java.lang
 POSIX_SPAWN Option on Linux

As an additional way to launch processes on Linux, the jdk.lang.Process.launchMechanism property can be set to POSIX_SPAWN. This option has been available for a long time on other *nix platforms. The default launch mechanism (VFORK) on Linux is unchanged, so this additional option does not affect existing installations.

POSIX_SPAWN mitigates rare pathological cases when spawning child processes, but it has not yet been excessively tested. Prudence is advised when using POSIX_SPAWN in productive installations.

security-libs/javax.net.ssl
 Support for X25519 and X448 in TLS

The named elliptic curve groups x25519 and x448 are now available for JSSE key agreement in TLS versions 1.0 to 1.3, with x25519 being the most preferred of the default enabled named groups. The default ordered list is now:

    x25519, secp256r1, secp384r1, secp521r1, x448,

    ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192

The default list can be overridden by using the system property jdk.tls.namedGroups.

security-libs/java.security
 jarsigner Preserves POSIX File Permission and symlink Attributes

When signing a file that contains POSIX file permission or symlink attributes, jarsigner now preserves these attributes in the newly signed file but warns that these attributes are unsigned and not protected by the signature. The same warning is printed during the jarsigner -verify operation for such files.

Note that the jar tool does not read/write these attributes. This change is more visible to tools like unzip where these attributes are preserved.

Other Notes

client-libs/2d
 Oracle JDK11u for Solaris Now Requires harfbuzz to be Installed

Oracle JDK-11.0.10 and later for Solaris 11 requires that the OS provide the package library/desktop/harfbuzz as part of the system installation. This package is provided for Solaris 11.3 and later.

$ pkg info harfbuzz

       Name: library/desktop/harfbuzz
     Summary: HarfBuzz is an OpenType text shaping engine
   Description: HarfBuzz is a library for text shaping, which converts
          unicode text to glyph indices and positions. HarfBuzz is
          used directly by libraries such as Pango, and the layout
          engines in firefox.
     Category: Desktop (GNOME)/Libraries
      State: Installed
    Publisher: solaris

This is a desktop library, but the font processing it does is part of some common backend server workloads. It should always be considered as required.

If this library is missing, then the pkg mechanism will require it during installation of the JDK. If installing the JDK by using a tar.gz bundle (for example) and the library/desktop/harfbuzz package is missing, a runtime link failure will occur when this package is needed.

JDK-8251907 (not public)

core-libs/java.time
 JDK time-zone data upgraded to tzdata2020d

The JDK update incorporates tzdata2020d. The main change is

  • Palestine ends DST earlier than predicted, on 2020-10-24.

Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000062.html for more information.

core-libs/java.time
 JDK time-zone data upgraded to tzdata2020c

The JDK update incorporates tzdata2020c. The main change is

  • Fiji starts DST later than usual, on 2020-12-20.

Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000060.html for more information.

core-libs/java.time
 US/Pacific-New Zone Name Removed as Part of tzdata2020b

Following the JDK's update to tzdata2020b, the long-obsolete files named pacificnew and systemv have been removed. As a result, the "US/Pacific-New" Zone name declared in the pacificnew data file is no longer available for use.

Information regarding this update can be viewed at https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.10:

# BugId Component Subcomponent Summary
1 JDK-8245400 client-libs 2d Upgrade to LittleCMS 2.11
2 JDK-8247867 client-libs 2d Upgrade to freetype 2.10.2
3 JDK-8249215 client-libs 2d JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows.
4 JDK-7185258 client-libs java.awt [macosx] Deadlock in SunToolKit.realSync()
5 JDK-8198334 client-libs java.awt java/awt/FileDialog/8003399/bug8003399.java fails in headless mode
6 JDK-8207938 client-libs java.awt At step6,Click Add button,case failed automatically.
7 JDK-8212226 client-libs java.awt SurfaceManager throws "Invalid Image variant" for MultiResolutionImage (Windows)
8 JDK-8230480 client-libs java.awt check malloc/calloc results in java.desktop
9 JDK-8231445 client-libs java.awt check ZALLOC return values in awt coding
10 JDK-8232114 client-libs java.awt JVM crashed at imjpapi.dll in native code
11 JDK-8241797 client-libs java.awt Add some tests to the problem list
12 JDK-8248532 client-libs java.awt Every time I change keyboard language at my MacBook, Java crashes
13 JDK-8249183 client-libs java.awt JVM crash in "AwtFrame::WmSize" method
14 JDK-8252470 client-libs java.awt java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows
15 JDK-8152332 client-libs javax.swing [macosx] JFileChooser cannot be serialized on Mac OS X
16 JDK-8203281 client-libs javax.swing [Windows] JComboBox change in ui when editor.setBorder() is called
17 JDK-8204963 client-libs javax.swing javax.swing.border.TitledBorder has a memory leak
18 JDK-8209343 client-libs javax.swing Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful
19 JDK-8213535 client-libs javax.swing Windows HiDPI html lightweight tooltips are truncated
20 JDK-8240633 client-libs javax.swing Memory leaks in the implementations of FileChooserUI
21 JDK-8240690 client-libs javax.swing Race condition between EDT and BasicDirectoryModel.FilesLoader.run0()
22 JDK-8213017 core-libs java.lang jspawnhelper: need to handle pipe write failure when sending return code
23 JDK-8232846 core-libs java.lang ProcessHandle.Info command with non-English shows question marks
24 JDK-8233920 core-libs java.lang.invoke MethodHandles::tryFinally generates illegal bytecode for long/double return types
25 JDK-8222448 core-libs java.lang:reflect java/lang/reflect/PublicMethods/PublicMethodsTest.java times out
26 JDK-8217429 core-libs java.net WebSocket over authenticating proxy fails to send Upgrade headers
27 JDK-8225037 core-libs java.net java.net.JarURLConnection::getJarEntry() throws NullPointerException
28 JDK-8233958 core-libs java.net Memory retention due to HttpsURLConnection finalizer that serves no purpose
29 JDK-8241138 core-libs java.net http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector
30 JDK-8241568 core-libs java.nio (fs) UserPrincipalLookupService.lookupXXX failure with IOE "Operation not permitted"
31 JDK-8242541 core-libs java.nio.charsets Small charset issues (ISO8859-16, x-eucJP-Open, x-IBM834 and x-IBM949C)
32 JDK-8239351 core-libs java.util.jar Give more meaningful InternalError messages in Deflater.c
33 JDK-8252497 core-libs java.util:i18n Incorrect numeric currency code for ROL
34 JDK-8241130 core-libs javax.naming com.sun.jndi.ldap.EventSupport.removeDeadNotifier: java.lang.NullPointerException
35 JDK-8067354 core-svc debugger com/sun/jdi/GetLocalVariables4Test.sh failed
36 JDK-8203393 core-svc debugger com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout
37 JDK-8209517 core-svc debugger com/sun/jdi/BreakpointWithFullGC.java fails with timeout
38 JDK-8209605 core-svc debugger com/sun/jdi/BreakpointWithFullGC.java fails with ZGC
39 JDK-8210725 core-svc debugger com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds
40 JDK-8212629 core-svc debugger [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest
41 JDK-8212665 core-svc debugger com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. lastLine=52, minLine=52, maxLine=55
42 JDK-8214061 core-svc debugger Buffer written into itself
43 JDK-8231209 core-svc java.lang.management [REDO] JDK-8207266 ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread
44 JDK-8231968 core-svc java.lang.management getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes
45 JDK-8242480 core-svc java.lang.management Negative value may be returned by getFreeSwapSpaceSize() in the docker
46 JDK-8252157 core-svc java.lang.management JDK-8231209 11u backport breaks jmm binary compatibility
47 JDK-8222533 core-svc tools jtreg test jdk/internal/platform/cgroup/TestCgroupMetrics.java fails on SLES12.3 linux ppc64le machine
48 JDK-8250665 globalization locale-data Wrong translation for the month of May in ar_JO, ar_LB and ar_SY
49 JDK-8022574 hotspot compiler remove HaltNode code after uncommon trap calls
50 JDK-8220420 hotspot compiler Cleanup c1_LinearScan
51 JDK-8225653 hotspot compiler Provide more information when hitting SIGILL from HaltNode
52 JDK-8227647 hotspot compiler [Graal] Test8009761.java fails due to "RuntimeException: static java.lang.Object compiler.uncommontrap.Test8009761.m3(boolean,boolean) not compiled"
53 JDK-8231720 hotspot compiler Some perf regressions after 8225653
54 JDK-8236944 hotspot compiler The legVecZ operand should be limited to zmm0-zmm15 registers
55 JDK-8237950 hotspot compiler C2 compilation fails with "Live Node limit exceeded limit" during ConvI2L::Ideal optimization
56 JDK-8240676 hotspot compiler Meet not symmetric failure when running lucene on jdk8
57 JDK-8243114 hotspot compiler Implement montgomery{Multiply,Square}intrinsics on Windows
58 JDK-8244278 hotspot compiler Excessive code cache flushes and sweeps
59 JDK-8246381 hotspot compiler VM crashes with "Current BasicObjectLock* below than low_mark"
60 JDK-8247246 hotspot compiler [JVMCI] `ResolvedJavaType.getDeclaredMethod()` can throw NoClassDefFoundError.
61 JDK-8247502 hotspot compiler PhaseStringOpts crashes while optimising effectively dead code
62 JDK-8247763 hotspot compiler assert(outer->outcnt() == 2) failed: 'only phis' failure in LoopNode::verify_strip_mined()
63 JDK-8248226 hotspot compiler TestCloneAccessStressGCM fails with -XX:-ReduceBulkZeroing
64 JDK-8248347 hotspot compiler windows build broken by JDK-8243114
65 JDK-8248552 hotspot compiler C2 crashes with SIGFPE due to division by zero
66 JDK-8248791 hotspot compiler sun/util/resources/cldr/TimeZoneNamesTest.java fails with -XX:-ReduceInitialCardMarks -XX:-ReduceBulkZeroing
67 JDK-8248822 hotspot compiler 8 vm/classfmt/atr_ann/atr_rtm_annot007/atr_rtm_annot00709 tests fail w/ AOT
68 JDK-8248987 hotspot compiler AOT's Linker.java seems to eagerly fail-fast on Windows.
69 JDK-8249602 hotspot compiler C2: assert(cnt == _outcnt) failed: no insertions allowed
70 JDK-8249603 hotspot compiler C1: assert(has_error == false) failed: register allocation invalid
71 JDK-8249605 hotspot compiler C2: assert(no_dead_loop) failed: dead loop detected
72 JDK-8249607 hotspot compiler C2: assert(!had_error) failed: bad dominance
73 JDK-8249608 hotspot compiler Vector register used by C2 compiled method corrupted at safepoint
74 JDK-8249749 hotspot compiler modify a primitive array through a stream and a for cycle causes jre crash
75 JDK-8249880 hotspot compiler JVMCI calling register_nmethod without CodeCache lock
76 JDK-8250233 hotspot compiler -XX:+CITime triggers guarantee(events != NULL) in jvmci.cpp:173
77 JDK-8250548 hotspot compiler libgraal can deadlock in -Xcomp mode
78 JDK-8250609 hotspot compiler C2 crash in IfNode::fold_compares
79 JDK-8251458 hotspot compiler Parse::do_lookupswitch fails with "assert(_cnt >= 0) failed"
80 JDK-8252696 hotspot compiler Loop unswitching may cause out of bound array load to be executed
81 JDK-8253118 hotspot compiler Avoid unnecessary deopts when OSR nmethods of the same level are present.
82 JDK-8254104 hotspot compiler MethodCounters must exist before nmethod is installed
83 JDK-8254790 hotspot compiler SIGSEGV in string_indexof_char and stringL_indexof_char intrinsics
84 JDK-8248214 hotspot gc Add paddings for TaskQueueSuper to reduce false-sharing cache contention
85 JDK-8250928 hotspot jfr JFR: Improve hash algorithm for stack traces
86 JDK-8252090 hotspot jfr JFR: StreamWriterHost::write_unbuffered() stucks in an infinite loop OpenJDK (build 13.0.1+9)
87 JDK-8252754 hotspot jfr Hash code calculation of JfrStackTrace is inconsistent
88 JDK-8173361 hotspot jvmti various crashes in JvmtiExport::post_compiled_method_load
89 JDK-8173658 hotspot jvmti JvmtiExport::post_class_unload() is broken for non-JavaThread initiators
90 JDK-8210131 hotspot jvmti vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code
91 JDK-8210926 hotspot jvmti vmTestbase/nsk/jvmti/scenarios/allocation/AP11/ap11t001/TestDescription.java failed with JVMTI_ERROR_INVALID_CLASS in CDS mode
92 JDK-8212160 hotspot jvmti JVMTI agent crashes with "assert(_value != 0LL) failed: resolving NULL _value"
93 JDK-8216324 hotspot jvmti GetClassMethods is confused by the presence of default methods in super interfaces
94 JDK-8224555 hotspot jvmti vmTestbase/nsk/jvmti/scenarios/contention/TC02/tc02t001/TestDescription.java failed
95 JDK-8247615 hotspot jvmti Initialize the bytes left for the heap sampler
96 JDK-8217338 hotspot runtime [Containers] Improve systemd slice memory limit support
97 JDK-8217766 hotspot runtime Container Support doesn't work for some Join Controllers combinations
98 JDK-8218851 hotspot runtime JVM crash in custom classloader stress test, JDK 12 & 13
99 JDK-8220718 hotspot runtime Missing ResourceMark in nmethod::metadata_do
100 JDK-8227006 hotspot runtime [linux] Runtime.availableProcessors execution time increased by factor of 100
101 JDK-8233386 hotspot runtime Initialize NULL fields for unused decorations
102 JDK-8235243 hotspot runtime handle VS2017 15.9 and VS2019 in abstract_vm_version
103 JDK-8237512 hotspot runtime AArch64: aarch64TestHook leaks a BufferBlob
104 JDK-8243290 hotspot runtime Improve diagnostic messages for class verification and redefinition failures
105 JDK-8244340 hotspot runtime Handshake processing thread lacks yielding
106 JDK-8246648 hotspot runtime issue with OperatingSystemImpl getFreeSwapSpaceSize in docker after 8242480
107 JDK-8249192 hotspot runtime MonitorInfo stores raw oops across safepoints
108 JDK-8249672 hotspot runtime Include microcode revision in features_string on x86
109 JDK-8250598 hotspot runtime Hyper-V is detected in spite of running on host OS
110 JDK-8250984 hotspot runtime Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities
111 JDK-8251945 hotspot runtime SIGSEGV in PackageEntry::purge_qualified_exports()
112 JDK-8209332 hotspot svc [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect
113 JDK-8250968 security-libs java.security Symlinks attributes not preserved when using jarsigner on zip files
114 JDK-8224997 security-libs javax.net.ssl ChaCha20-Poly1305 TLS cipher suite decryption throws ShortBufferException
115 JDK-8244151 security-libs javax.smartcardio Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26
116 JDK-8250582 security-libs org.ietf.jgss:krb5 Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets
117 JDK-8230094 xml javax.xml.stream CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter
118 JDK-8233686 xml javax.xml.transform XML transformer uses excessive amount of memory

Java SE 11.0.9 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.9 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 11.0.9.0.4

Bug Fixes

BugId Component Subcomponent Summary
JDK-8252455 (Confidential) core-libs java.net Performance issue caused by 8232854
JDK-8255226 core-libs java.time (tz) Upgrade time-zone data to tzdata2020d
JDK-8254982 core-libs java.time (tz) Upgrade time-zone data to tzdata2020c

Changes in Java SE 11.0.9.0.3

Bug Fixes

BugId Component Subcomponent Summary
JDK-8252394 (Confidential) core-libs javax.naming ldap failure due to JDK-8230944 changes in 11.0.8

Changes in Java SE 11.0.9.0.2

Bug Fixes

BugId Component Subcomponent Summary
JDK-8254177 core-libs java.time (tz) Upgrade time-zone data to tzdata2020b.

Java™ SE Development Kit 11.0.9 (JDK 11.0.9)

October 20, 2020

The full version string for this update release is 11.0.9+7 (where "+" means "build"). The version number is 11.0.9.

IANA Data 2020a

JDK 11.0.9 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.9 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.9+7
8 1.8.0_271-b09
7 1.7.0_281-b06

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.9) be used after the next critical patch update scheduled for January 19, 2021.

New Features

security-libs/java.security
 Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default

Weak named curves are disabled by default by adding them to the following disabledAlgorithms security properties: jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms, and jdk.jar.disabledAlgorithms. The named curves are listed below.

With 47 weak named curves to be disabled, adding individual named curves to each disabledAlgorithms property would be overwhelming. To relieve this, a new security property, jdk.disabled.namedCurves, is implemented that can list the named curves common to all of the disabledAlgorithms properties. To use the new property in the disabledAlgorithms properties, precede the full property name with the keyword include. Users can still add individual named curves to disabledAlgorithms properties separate from this new property. No other properties can be included in the disabledAlgorithms properties.

To restore the named curves, remove the include jdk.disabled.namedCurves either from specific or from all disabledAlgorithms security properties. To restore one or more curves, remove the specific named curve(s) from the jdk.disabled.namedCurves property.

Curves that are disabled through jdk.disabled.namedCurves include the following: secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1

Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448

security-libs/org.ietf.jgss:krb5
 Support for Kerberos Cross-Realm Referrals (RFC 6806)

The Kerberos client has been enhanced with the support of principal name canonicalization and cross-realm referrals, as defined by the RFC 6806 protocol extension.

As a result of this new feature, the Kerberos client can take advantage of more dynamic environment configurations and does not necessarily need to know (in advance) how to reach the realm of a target principal (user or service).

Support is enabled by default and 5 is the maximum number of referral hops allowed. To turn it off, set the sun.security.krb5.disableReferrals security or system property to false. To configure a custom maximum number of referral hops, set the sun.security.krb5.maxReferrals security or system property to any positive value.

See further information in JDK-8223172.

security-libs/javax.net.ssl
 Improve Certificate Chain Handling

A new system property, jdk.tls.maxHandshakeMessageSize, has been added to set the maximum allowed size for the handshake message in TLS/DTLS handshaking. The default value of the system property is 32768 (32 kilobytes).

A new system property, jdk.tls.maxCertificateChainLength, has been added to set the maximum allowed length of the certificate chain in TLS/DTLS handshaking. The default value of the system property is 10.

JDK-8245417 (not public)

security-libs/java.security
 Tools Warn If Weak Algorithms Are Used

The keytool and jarsigner tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the jdk.security.legacyAlgorithms security property in the java.security configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.

security-libs/org.ietf.jgss:krb5
 Support for canonicalize in krb5.conf

The 'canonicalize' flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested.

The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the sun.security.krb5.disableReferrals system or security properties).

Other notes

core-libs/javax.naming
 Added Property to Control LDAP Authentication Mechanisms Allowed to Authenticate Over Clear Connections

A new environment property, jdk.jndi.ldap.mechsAllowedToSendCredentials, has been added to control which LDAP authentication mechanisms are allowed to send credentials over clear LDAP connections - a connection not secured with TLS. An encrypted LDAP connection is a connection opened by using ldaps scheme, or a connection opened by using ldap scheme and then upgraded to TLS with a STARTTLS extended operation.

The value of the property, which is by default not set, is a comma separated list of the mechanism names that are permitted to authenticate over a clear connection. If a value is not specified for the property, then all mechanisms are allowed. If the specified value is an empty list, then no mechanisms are allowed (except for none and anonymous). The default value for this property is 'null' ( i.e. System.getProperty("jdk.jndi.ldap.mechsAllowedToSendCredentials") returns 'null'). To explicitly permit all mechanisms to authenticate over a clear connection, the property value can be set to "all". If a connection is downgraded from encrypted to clear, then only the mechanisms that are explicitly permitted are allowed.

The property can be supplied to the LDAP context environment map, or set globally as a system property. When both are supplied, the environment map takes precedence.

Note: none and anonymous authentication mechanisms are exempted from these rules and are always allowed regardless of the property value.

JDK-8237990 (not public)

security-libs/java.security
 Added 3 SSL Corporation Root CA Certificates

The following root certificates have been added to the cacerts truststore:

+ SSL Corporation

  + sslrootrsaca
    DN: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US

  + sslrootevrsaca
    DN: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US

  + sslrooteccca
    DN: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US

security-libs/java.security
 Added Entrust Root Certification Authority - G4 certificate

The following root certificate has been added to the cacerts truststore:

+ Entrust

  + entrustrootcag4
    DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", 
    OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US

core-libs/java.util:i18n
 Localized Time Zone Name Inconsistency Between English and Other Locales

English time zone names provided by the CLDR locale provider are now correctly synthesized following the CLDR spec, rather than substituted from the COMPAT provider. For example, SHORT style names are no longer synthesized abbreviations of LONG style names, but instead produce GMT offset formats.

core-libs/java.io:serialization
 Enhanced Support of Proxy Class

The deserialization of java.lang.reflect.Proxy objects can be limited by setting the system property jdk.serialProxyInterfaceLimit. The limit is the maximum number of interfaces allowed per Proxy in the stream. Setting the limit to zero prevents any Proxies from being deserialized including Annotations, a limit of less than 2 might interfere with RMI operations.

JDK-8236862 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.9:

# BugId Component Subcomponent Summary
1 JDK-8220150 client-libs 2d [macos] macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs
2 JDK-8244818 client-libs 2d [macos] Java2D Queue Flusher crash while moving application window to external monitor
3 JDK-8240518 client-libs java.awt Incorrect JNU_ReleaseStringPlatformChars in Windows Print
4 JDK-8243925 client-libs java.awt Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows)
5 JDK-8249278 client-libs javax.accessibility Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList
6 JDK-8215396 client-libs javax.swing JTabbedPane preferred size calculation is wrong for SCROLL_TAB_LAYOUT
7 JDK-8249251 client-libs javax.swing [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel
8 JDK-8233452 core-libs java.math java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result
9 JDK-8216974 core-libs java.net HttpConnection not returned to the pool after 204 response
10 JDK-8238270 core-libs java.net java.net HTTP/2 client does not decrease stream count when receives 204 response
11 JDK-8218948 core-libs java.text SimpleDateFormat :: format - Zone Names are not reflected correctly during run time
12 JDK-8246807 core-libs java.util Incorrect copyright header in TimeZoneDatePermissionCheck.sh
13 JDK-8234347 core-libs java.util:i18n "Turkey" meta time zone does not generate composed localized names
14 JDK-8062947 core-libs javax.naming Fix exception message to correctly represent LDAP connection failure
15 JDK-8222529 core-svc debugger sun.jdwp.listenerAddress agent property uses wrong encoding
16 JDK-8227269 core-svc debugger Slow class loading when running with JDWP
17 JDK-8229378 core-svc debugger jdwp library loader in linker_md.c quietly truncates on buffer overflow
18 JDK-8244703 core-svc debugger "platform encoding not initialized" exceptions with debugger, JNI
19 JDK-8234968 core-svc java.lang.instrument check calloc rv in libinstrument InvocationAdapter
20 JDK-8203026 core-svc tools java.rmi.NoSuchObjectException: no such object in table
21 JDK-8227435 core-svc tools Perf::attach() should not throw a java.lang.Exception
22 JDK-8214074 hotspot compiler Optimize Ghash using AVX instructions
23 JDK-8224580 hotspot compiler Matcher can cause oop field/array element to be reloaded
24 JDK-8225625 hotspot compiler AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions
25 JDK-8230402 hotspot compiler Allocation of compile task fails with assert: "Leaking compilation tasks?"
26 JDK-8231586 hotspot compiler enlarge encoding space for OopMapValue offsets
27 JDK-8231756 hotspot compiler [JVMCI] need support for deoptimizing virtual byte arrays encoding non-byte primitives
28 JDK-8232083 hotspot compiler Minimal VM is broken after JDK-8231586
29 JDK-8233027 hotspot compiler OopMapSet::all_do does oms.next() twice during iteration
30 JDK-8236179 hotspot compiler C1 register allocation failure with T_ADDRESS
31 JDK-8236647 hotspot compiler java/lang/invoke/CallSiteTest.java failed with InvocationTargetException in Graal mode
32 JDK-8239083 hotspot compiler C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), "should be non-static concrete method");
33 JDK-8240610 hotspot compiler [JVMCI] Export VMVersion::_has_intel_jcc_erratum to JVMCI compiler
34 JDK-8241234 hotspot compiler Unify monitor enter/exit runtime entries.
35 JDK-8244407 hotspot compiler JVM crashes after transformation in C2 IdealLoopTree::split_fall_in
36 JDK-8244672 hotspot compiler [JVMCI] Export InstanceKlass::being_initialized to JVMCI compilers
37 JDK-8244719 hotspot compiler CTW: C2 compilation fails with "assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it"
38 JDK-8245714 hotspot compiler "Bad graph detected in build_loop_late" when loads are pinned on loop limit check uncommon branch
39 JDK-8245801 hotspot compiler StressRecompilation triggers assert "redundunt OSR recompilation detected. memory leak in CodeCache!"
40 JDK-8246153 hotspot compiler TestEliminateArrayCopy fails with -XX:+StressReflectiveCode
41 JDK-8246203 hotspot compiler Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN
42 JDK-8246453 hotspot compiler TestClone crashes with "all collected exceptions must come from the same place"
43 JDK-8247350 hotspot compiler [aarch64] assert(false) failed: wrong size of mach node
44 JDK-8247992 hotspot compiler [JVMCI] HotSpotNmethod.executeVarargs can try execute a zombie nmethod
45 JDK-8248321 hotspot compiler [JVMCI] improve libgraal logging and fatal error handling
46 JDK-8248359 hotspot compiler Update JVMCI
47 JDK-8248410 hotspot compiler Correct Fix for 8236647: java/lang/invoke/CallSiteTest.java failed with InvocationTargetException in Graal mode
48 JDK-8248987 hotspot compiler AOT's Linker.java seems to eagerly fail-fast on Windows.
49 JDK-8248851 hotspot gc CMS: Missing memory fences between free chunk check and klass read
50 JDK-8210024 hotspot jfr JFR calls virtual is_Java_thread from ~Thread()
51 JDK-8210977 hotspot jfr jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject
52 JDK-8219904 hotspot jfr ClassCastException when calling FlightRecorderMXBean#getRecordings()
53 JDK-8230767 hotspot jfr FlightRecorderListener returns null recording
54 JDK-8243489 hotspot jfr Thread CPU Load event may contain wrong data for CPU time under certain conditions
55 JDK-8211064 hotspot runtime [AArch64] Interpreter and c1 don't correctly handle jboolean results in native calls
56 JDK-8213410 hotspot runtime UseCompressedOops requirement check fails fails on 32-bit system
57 JDK-8213574 hotspot runtime Deadlock in string table expansion when dumping lots of CDS classes
58 JDK-8215342 hotspot runtime [Zero] Build fails after JDK-8200613
59 JDK-8215879 hotspot runtime Aarch64: ReservedStackAccess may leave stack guard in inconsistent state
60 JDK-8215961 hotspot runtime jdk/jfr/event/os/TestCPUInformation.java fails on AArch64
61 JDK-8218185 hotspot runtime aarch64: missing LoadStore barrier in TemplateTable::putfield_or_static
62 JDK-8219635 hotspot runtime aarch64: missing LoadStore barrier in TemplateTable::fast_storefield
63 JDK-8219698 hotspot runtime aarch64: SIGILL triggered when specifying unsupported hardware features
64 JDK-8219712 hotspot runtime code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs
65 JDK-8221220 hotspot runtime AArch64: Add StoreStore membar explicitly for Volatile Writes in TemplateTable
66 JDK-8224828 hotspot runtime aarch64: rflags is not correct after safepoint poll
67 JDK-8225329 hotspot runtime -XX:+PrintBiasedLockingStatistics causes crash during initialization on Windows platforms
68 JDK-8228601 hotspot runtime AArch64: Fix interpreter code at JVMCI deoptimization entry
69 JDK-8233466 hotspot runtime aarch64: remove unnecessary load of mdo when profiling return and parameters type
70 JDK-8233839 hotspot runtime aarch64: missing memory barrier in NewObjectArrayStub and NewTypeArrayStub
71 JDK-8234270 hotspot runtime [REDO] JDK-8204128 NMT might report incorrect numbers for Compiler area
72 JDK-8240295 hotspot runtime hs_err elapsed time in seconds is not accurate enough
73 JDK-8241586 hotspot runtime compiler/cpuflags/TestAESIntrinsicsOnUnsupportedConfig.java fails on aarch64
74 JDK-8248219 hotspot runtime aarch64: missing memory barrier in fast_storefield and fast_accessfield
75 JDK-8228448 hotspot svc Jconsole can't connect to itself
76 JDK-8163805 hotspot svc-agent hotspot/test/serviceability/sa/sadebugd/SADebugDTest.java failed with timed out
77 JDK-8196969 hotspot svc-agent JTreg Failure: serviceability/sa/ClhsdbJstack.java causes NPE
78 JDK-8203364 hotspot svc-agent Some serviceability/sa/ tests intermittently fail with java.io.IOException: LingeredApp terminated with non-zero exit code 3
79 JDK-8204994 hotspot svc-agent SA might fail to attach to process with "Windbg Error: WaitForEvent failed"
80 JDK-8205534 hotspot svc-agent Remove SymbolTable dependency from serviceability agent
81 JDK-8209790 hotspot svc-agent SA tools not providing option to connect to debug server
82 JDK-8214797 hotspot svc-agent TestJmapCoreMetaspace.java timed out
83 JDK-8223665 hotspot svc-agent SA: debugd options should follow jhsdb style
84 JDK-8223814 hotspot svc-agent SA: jhsdb common help needs to be more detailed
85 JDK-8225636 hotspot svc-agent SA can't handle prelinked libraries
86 JDK-8232592 hotspot svc-agent <Unknown compiled code> is shown in jstack mixed mode
87 JDK-8235637 hotspot svc-agent jhsdb jmap from OpenJDK 11.0.5 doesn't work if prelink is enabled
88 JDK-8235846 hotspot svc-agent Improve WindbgDebuggerLocal implementation
89 JDK-8244310 other-libs other Validate-headers failed for HugeArenaTracking.java
90 JDK-8215694 security-libs java.security keytool cannot generate RSASSA-PSS certificates
91 JDK-8238448 security-libs java.security RSASSA-PSS signature verification fail when using certain odd key sizes
92 JDK-8242184 security-libs java.security Default signature algorithm for an RSASSA-PSS key
93 JDK-8242556 security-libs java.security Cannot load RSASSA-PSS public key with non-null params from byte array
94 JDK-8244087 security-libs java.security 2020-04-24 public suffix list update v ff6fcea
95 JDK-8245151 security-libs java.security jarsigner should not raise duplicate warnings on verification
96 JDK-8215443 security-libs javax.net.ssl The use of TransportContext.fatal() leads to bad coding style
97 JDK-8219991 security-libs javax.net.ssl New fix of the deadlock in sun.security.ssl.SSLSocketImpl
98 JDK-8236464 security-libs javax.net.ssl SO_LINGER option is ignored by SSLSocket in JDK 11
99 JDK-8226719 security-libs org.ietf.jgss Kerberos login to Windows 2000 failed with "Inappropriate type of checksum in message"
100 JDK-8227381 security-libs org.ietf.jgss GSS login fails with PREAUTH_FAILED
101 JDK-8227437 security-libs org.ietf.jgss:krb5 S4U2proxy cannot continue because server's TGT cannot be found
102 JDK-8246193 security-libs org.ietf.jgss:krb5 Possible NPE in ENC-PA-REP search in AS-REQ
103 JDK-8193367 tools javac annotated type variables bounds crash javac
104 JDK-8213703 tools javac LambdaConversionException: Invalid receiver type not a subtype of implementation type interface
105 JDK-8214571 tools javac -Xdoclint of array serialField gives "error: array type not allowed here"
106 JDK-8244763 tools javac Update --release 8 symbol information after JSR 337 MR3
107 JDK-8240169 tools javadoc(tool) javadoc fails to link to docs with non-matching modularity
108 JDK-8245981 tools javadoc(tool) Upgrade to jQuery 3.5.1
109 JDK-8080353 tools jshell JShell: Better error message on attempting to add default method
110 JDK-8159740 tools jshell JShell: corralled declarations do not have correct source to wrapper mapping
111 JDK-8212167 tools jshell JShell : Stack trace of exception has wrong line number
112 JDK-8214491 tools jshell Upgrade to JLine 3.9.0
113 JDK-8215243 tools jshell JShell tests failing intermitently with "Problem cleaning up the following threads:"
114 JDK-8215244 tools jshell jdk/jshell/ToolBasicTest.java testHistoryReference failed
115 JDK-8215438 tools jshell jshell tool: Ctrl-D causes EOF
116 JDK-8229815 tools jshell Upgrade Jline to 3.12.1
117 JDK-8241445 tools launcher Fix copyrights after JDK-8240629 change
118 JDK-8248348 xml jaxp Regression caused by the update to BCEL 6.0

Java SE 11.0.8 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.8 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 11.0.8.0.4

Bug Fixes

BugId Component Subcomponent Summary
8249215 client-libs 2d JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows.
8213535 client-libs javax.swing Windows HiDPI html lightweight tooltips are truncated

Changes in Java SE 11.0.8.0.3

Bug Fixes

BugId Component Subcomponent Summary
8244407 hotspot compiler JVM crashes after transformation in C2 IdealLoopTree::split_fall_in

Changes in Java SE 11.0.8.0.2

Bug Fixes

BugId Component Subcomponent Summary
8248505 security-libs java.security Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
8247925 (Confidential) xml jaxp JDK8u251- XSL transformer fails with TransformerConfigurationException

Java™ SE Development Kit 11.0.8 (JDK 11.0.8)

July 14, 2020

The full version string for this update release is 11.0.8+10 (where "+" means "build"). The version number is 11.0.8.

IANA Data 2020a

JDK 11.0.8 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.8 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.8+10
8 1.8.0_261-b12
7 1.7.0_271-b10

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.8) be used after the next critical patch update scheduled for October 20, 2020.

New Features

security-libs/javax.net.ssl
New System Properties to Configure the TLS Signature Schemes
Two new System Properties are added to customize the TLS signature schemes in JDK. jdk.tls.client.SignatureSchemes is added for TLS client side, and jdk.tls.server.SignatureSchemes for server side.

Each System Property contains a comma-separated list of supported signature scheme names, which specifying the signature schemes that could be used for the TLS connections.

The names are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.

security-libs/javax.xml.crypto
Apache Santuario Library Updated to Version 2.1.4
The Apache Santuario library has been upgraded to version 2.1.4. As a result, a new system property com.sun.org.apache.xml.internal.security.parser.pool-size has been introduced.

This new system property sets the pool size of the internal DocumentBuilder cache used when processing XML Signatures. The function is equivalent to the org.apache.xml.security.parser.pool-size system property used in Apache Santuario and has the same default value of 20.

infrastructure
Toolchain Upgrade to Xcode 10.1
Build Environment Update for macOS Moved to Xcode 10.1 On macOS, the toolchain used to build the JDK has been upgraded from Xcode 4.5 to Xcode 10.1.

JDK-8232007 (not public)

install/install
 Oracle JDK Installer for Windows Provides Executables (javac, etc) in a Path Reachable From Any Command Prompt

The Oracle JDK installer for Windows provides java.exe, javaw.exe, javac.exe, and jshell.exe commands in a system location so that users can run Java applications without needing to provide the path to the Oracle JDK's installation folder.

JDK-8222383 (not public)

Removed Features and Options

security-libs/java.security
Removal of Comodo Root CA Certificate
The following expired Comodo root CA certificate was removed from the cacerts keystore:

  • alias name "addtrustclass1ca [jdk]"

    Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE

security-libs/java.security
Removal of DocuSign Root CA Certificate
The following expired DocuSign root CA certificate was removed from the cacerts keystore:

  • alias name "keynectisrootca [jdk]"

    Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR

Other notes

core-libs/java.io:serialization
 Improved Serialization Handling

When setting a serialization filter by using java.io.ObjectInputStream.setObjectInputFilter the method must be called before reading any objects from the stream. If the methods readObject or readUnshared are called, the setObjectInputFilter method throws IllegalStateException.

JDK-8234836 (not public)

core-libs/java.util:collections
 Better Listing of Arrays
The preferred way to copy a collection is to use a "copy constructor." For example, to copy a collection into a new ArrayList, one would write new ArrayList<>(collection). In certain circumstances, an additional, temporary copy of the collection's contents might be made in order to improve robustness. If the collection being copied is exceptionally large, then the application should be (aware of/monitor) the significant resources required involved in making the copy.

JDK-8231800 (not public)

security-libs/javax.net.ssl
Default SSLEngine Should Create in Server Role
In JDK 11 and later, javax.net.ssl.SSLEngine by default used client mode when handshaking. As a result, the set of default enabled protocols may differ to what is expected. SSLEngine would usually be used in server mode. From this JDK release onwards, SSLEngine will default to server mode. The javax.net.ssl.SSLEngine.setUseClientMode​(boolean mode) method may be used to configure the mode.

core-svc/java.lang.management
OperatingSystemMXBean Methods Inside a Container Return Container Specific Data
When executing in a container, or other virtualized operating environment, the following OperatingSystemMXBean methods in this release return container specific information, if available. Otherwise, they return host specific data:

  • getFreePhysicalMemorySize()
  • getTotalPhysicalMemorySize()
  • getFreeSwapSpaceSize()
  • getTotalSwapSpaceSize()
  • getSystemCpuLoad()

security-libs
Default SSL Session Cache Size Updated to 20480
The default SSL session cache size has been updated to 20480 in this JDK release

client-libs/javax.swing
Deprecated NSWindowStyleMaskTexturedBackground
After an upgrade of the macOS SDK used to build the JDK, the behavior of the apple.awt.brushMetalLook and textured Swing properties has changed. When these properties are set, the title of the frame is still visible. It is recommended that the apple.awt.transparentTitleBar property be set to true to make the title of the frame invisible again. The apple.awt.fullWindowContent property can also be used.

Please note that Textured window support was implemented by using the NSTexturedBackgroundWindowMask value of NSWindowStyleMask. However, this was deprecated in macOS 10.12 along with NSWindowStyleMaskTexturedBackground, which was deprecated in macOS 10.14.

For additional information, refer to the following documentation:

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.8:

# BugId Component Subcomponent Summary
1 JDK-6933331 client-libs 2d (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created
2 JDK-8196181 client-libs 2d sun/java2d/GdiRendering/InsetClipping.java fails
3 JDK-8209113 client-libs 2d Use WeakReference for lastFontStrike for created Fonts
4 JDK-8214481 client-libs 2d freetype path does not disable TrueType hinting with AA+FM hints
5 JDK-8224109 client-libs 2d Text spaced incorrectly by drawString under rotation with fractional metrics
6 JDK-8234398 client-libs 2d Replace ID2D1Factory::GetDesktopDpi with GetDeviceCaps
7 JDK-8235904 client-libs 2d Infinite loop when rendering huge lines
8 JDK-8236996 client-libs 2d Incorrect Roboto font rendering on Windows with subpixel antialiasing
9 JDK-8239091 client-libs 2d Reversed arguments in call to strstr in freetype "debug" code.
10 JDK-8176359 client-libs java.awt Frame#setMaximizedbounds not working properly in multi screen environments
11 JDK-8196019 client-libs java.awt java/awt/Window/Grab/GrabTest.java fails on Windows
12 JDK-8211301 client-libs java.awt [macos] support full window content options
13 JDK-8225126 client-libs java.awt Test SetBoundsPaintTest.html failed on Windows when desktop is scaled
14 JDK-8226806 client-libs java.awt [macOS 10.14] Methods of Java Robot should be called from appropriate thread
15 JDK-8231438 client-libs java.awt [macOS] Dark mode for the desktop is not supported
16 JDK-8231564 client-libs java.awt setMaximizedBounds is broken with large display scale and multiple monitors
17 JDK-8233573 client-libs java.awt Toolkit.getScreenInsets(GraphicsConfiguration) may throw ClassCastException
18 JDK-8233707 client-libs java.awt systemScale.cpp could not compile with VS2019
19 JDK-8234107 client-libs java.awt Several AWT modal dialog tests failing on Linux after JDK-8231991
20 JDK-8237221 client-libs java.awt [macos] java/awt/MenuBar/SeparatorsNavigation/SeparatorsNavigation.java fails
21 JDK-8238575 client-libs java.awt DragSourceEvent.getLocation() returns wrong value on HiDPI screens (Windows)
22 JDK-8242174 client-libs java.awt [macos] The NestedModelessDialogTest test make the macOS unstable
23 JDK-8242498 client-libs java.awt Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash
24 JDK-8226253 client-libs javax.accessibility JAWS reports wrong number of radio buttons when buttons are hidden
25 JDK-8238842 client-libs javax.imageio AIOOBE in GIFImageReader.initializeStringTable
26 JDK-8221445 client-libs javax.sound FastSysexMessage constructor crashes MIDI receiption thread
27 JDK-8040630 client-libs javax.swing Popup menus and tooltips flicker with previous popup contents when first shown
28 JDK-8198339 client-libs javax.swing Test javax/swing/border/Test6981576.java is unstable
29 JDK-8183369 core-libs java.net RFC unconformity of HttpURLConnection with proxy
30 JDK-8210147 core-libs java.net adjust some WSAGetLastError usages in windows network coding
31 JDK-8232854 core-libs java.net URLClassLoader.close() doesn't close cached JAR file on Windows when load() fails
32 JDK-8044365 core-libs java.nio (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)
33 JDK-8221531 core-libs java.nio Incorrect copyright header in src/java.base/windows/native/libnio/ch/FileChannelImpl.c
34 JDK-8205399 core-libs java.util:collections Set node color on pinned HashMap.TreeNode deletion
35 JDK-8160768 core-libs javax.naming Add capability to custom resolve host/domain names within the default JNDI LDAP provider
36 JDK-8214440 core-libs javax.naming ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate"
37 JDK-8217606 core-libs javax.naming LdapContext#reconnect always opens a new connection
38 JDK-8240523 core-libs javax.naming JCK Test Case api/modulegraph/index.html#ModuleGraphTest failed in CI
39 JDK-8193879 core-svc debugger Java debugger hangs on method invocation
40 JDK-8239055 core-svc debugger Wrong implementation of VMState.hasListener
41 JDK-8206179 core-svc javax.management com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value
42 JDK-8132849 hotspot compiler Increased stop time in cleanup phase because of single-threaded walk of thread stacks in NMethodSweeper::mark_active_nmethods()
43 JDK-8156207 hotspot compiler Resource allocated BitMaps are often cleared unnecessarily
44 JDK-8163511 hotspot compiler Allocation of compile task fails with assert: "Leaking compilation tasks?"
45 JDK-8187078 hotspot compiler -XX:+VerifyOops finds numerous problems when running JPRT
46 JDK-8208277 hotspot compiler Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages
47 JDK-8209420 hotspot compiler Track membars for volatile accesses so they can be properly optimized
48 JDK-8209439 hotspot compiler C2 library_call can potentially ignore Math.pow intrinsic or use null pointer
49 JDK-8209684 hotspot compiler Intrinsics that assume some input non null should use GraphKit::must_be_not_null()
50 JDK-8209686 hotspot compiler cleanup arguments to PhaseIdealLoop() constructor
51 JDK-8210284 hotspot compiler "assert((av & 0x00000001) == 0) failed: unsupported V8" on Solaris 11.4
52 JDK-8210389 hotspot compiler C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
53 JDK-8211129 hotspot compiler compiler/whitebox/ForceNMethodSweepTest.java fails after JDK-8132849
54 JDK-8211233 hotspot compiler MemBarNode::trailing_membar() and MemBarNode::leading_membar() need to handle dying subgraphs better
55 JDK-8211332 hotspot compiler code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs
56 JDK-8211740 hotspot compiler [AOT] -XX:AOTLibrary doesn't accept windows path
57 JDK-8211743 hotspot compiler [AOT] crash in ScopeDesc::decode_body() when JVMTI walks AOT frames
58 JDK-8214344 hotspot compiler C2: assert(con.basic_type() != T_ILLEGAL) failed: elembt=byte; loadbt=void; unsigned=0
59 JDK-8214444 hotspot compiler Wrong strncat limits in dfa.cpp
60 JDK-8214857 hotspot compiler "bad trailing membar" assert failure at memnode.cpp:3220
61 JDK-8214862 hotspot compiler assert(proj != __null) at compile.cpp:3251
62 JDK-8215551 hotspot compiler Missing case label in nmethod::reloc_string_for()
63 JDK-8215555 hotspot compiler TieredCompilation C2 threads can excessively block handshakes
64 JDK-8216151 hotspot compiler [Graal] Module jdk.internal.vm.compiler.management has not been granted accessClassInPackage.org.graalvm.compiler.debug
65 JDK-8216154 hotspot compiler C4819 warnings at HotSpot sources on Windows
66 JDK-8216541 hotspot compiler CompiledICHolders of VM locked unloaded nmethods are released too late
67 JDK-8217230 hotspot compiler assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types()
68 JDK-8217447 hotspot compiler Develop flag TraceICs is broken
69 JDK-8219214 hotspot compiler Infinite Loop in CodeSection::dump()
70 JDK-8219919 hotspot compiler RuntimeStub's name lost with PrintFrameConverterAssembly
71 JDK-8220341 hotspot compiler Class redefinition fails with assert(!is_unloaded()) failed: unloaded method on the stack
72 JDK-8221482 hotspot compiler Initialize VMRegImpl::regName[] earlier to prevent assert during PrintStubCode
73 JDK-8221782 hotspot compiler [Graal] Module jdk.internal.vm.compiler.management has not been granted accessClassInPackage.jdk.vm.ci.services
74 JDK-8225567 hotspot compiler Wrong file headers with 8202414 fix changeset
75 JDK-8225783 hotspot compiler Incorrect use of binary operators on booleans in type.cpp
76 JDK-8226198 hotspot compiler use of & instead of && in LibraryCallKit::arraycopy_restore_alloc_state
77 JDK-8226879 hotspot compiler Memory leak in Type::hashcons
78 JDK-8227034 hotspot compiler Graal crash with gcbasher
79 JDK-8227632 hotspot compiler Incorrect PrintCompilation message: made not compilable on levels 0 1 2 3 4
80 JDK-8229855 hotspot compiler C2 fails with assert(false) failed: bad AD file
81 JDK-8231515 hotspot compiler [Graal] Crash during exception throwing in InterpreterRuntime::resolve_invoke
82 JDK-8232106 hotspot compiler [x86] C2: SIGILL due to usage of SSSE3 instructions on processors which don't support it
83 JDK-8233019 hotspot compiler java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit
84 JDK-8233364 hotspot compiler Fix undefined behavior in Canonicalizer::do_ShiftOp
85 JDK-8235332 hotspot compiler TestInstanceCloneAsLoadsStores.java fails with -XX:+StressGCM
86 JDK-8235762 hotspot compiler JVM crash in SWPointer during C2 compilation
87 JDK-8235984 hotspot compiler C2: assert(out->in(PhiNode::Region) == head || out->in(PhiNode::Region) == slow_head) failed: phi must be either part of the slow or the fast loop
88 JDK-8236285 hotspot compiler [JVMCI] improve TranslatedException traces
89 JDK-8236709 hotspot compiler struct SwitchRange in HS violates C++ One Definition Rule
90 JDK-8236759 hotspot compiler ShouldNotReachHere in PhaseIdealLoop::verify_strip_mined_scheduling
91 JDK-8237045 hotspot compiler JVM uses excessive memory with -XX:+EnableJVMCI -XX:JVMCICounterSize=2147483648
92 JDK-8237086 hotspot compiler assert(is_MachReturn()) running CTW with fix for JDK-8231291
93 JDK-8237375 hotspot compiler SimpleThresholdPolicy misses CounterDecay timestamp initialization
94 JDK-8237945 hotspot compiler CTW: C2 compilation fails with assert(just_allocated_object(alloc_ctl) == ptr) failed: most recent allo
95 JDK-8237951 hotspot compiler CTW: C2 compilation fails with "malformed control flow"
96 JDK-8238190 hotspot compiler [JVMCI] Fix single implementor speculation for diamond shapes.
97 JDK-8238356 hotspot compiler CodeHeap::blob_count() overestimates the number of blobs
98 JDK-8238438 hotspot compiler SuperWord::co_locate_pack picks memory state of first instead of last load
99 JDK-8238756 hotspot compiler C2: assert(((n) == __null || !VerifyIterativeGVN || !((n)->is_dead()))) failed: can not use dead node
100 JDK-8238765 hotspot compiler PhaseCFG::schedule_pinned_nodes cannot handle precedence edges from unmatched CFG nodes correctly
101 JDK-8238811 hotspot compiler C2: assert(i >= req() || i == 0 || is_Region() || is_Phi()) with -XX:+VerifyGraphEdges
102 JDK-8239142 hotspot compiler C2's UseUniqueSubclasses optimization is broken for array accesses
103 JDK-8239456 hotspot compiler [win][x86] vtable stub generation: assert failure (code size estimate)
104 JDK-8239852 hotspot compiler java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed
105 JDK-8239931 hotspot compiler [win][x86] vtable stub generation: assert failure (code size estimate) follow-up
106 JDK-8240220 hotspot compiler IdealLoopTree::dump_head predicate printing is broken
107 JDK-8240223 hotspot compiler Use consistent predicate order in and with PhaseIdealLoop::find_predicate
108 JDK-8240576 hotspot compiler JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges
109 JDK-8240831 hotspot compiler [JVMCI] Export missing vmStructs entries used by JVMCI compilers
110 JDK-8240905 hotspot compiler assert(mem == (Node*)1 || mem == mem2) failed: multiple Memories being matched at once?
111 JDK-8240976 hotspot compiler [JVMCI] MethodProfileWidth flag is broken
112 JDK-8241556 hotspot compiler Memory leak if -XX:CompileCommand is set
113 JDK-8241900 hotspot compiler Loop unswitching may cause dependence on null check to be lost
114 JDK-8242108 hotspot compiler Performance regression after fix for JDK-8229496
115 JDK-8242357 hotspot compiler [JVMCI] Incorrect use of JVMCI_CHECK_ on return statement
116 JDK-8243467 hotspot compiler [BACKOUT] JDK-8132849 and JDK-8211129 from 11.0.8-oracle
117 JDK-8204834 hotspot gc Fix confusing "allocate" naming in OopStorage
118 JDK-8221534 hotspot gc Incorrect copyright header in src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/gc/z/ZPageTableEntry.java
119 JDK-8231779 hotspot gc crash HeapWord*ParallelScavengeHeap::failed_mem_allocate
120 JDK-8189633 hotspot runtime Missing -Xcheck:jni checking for DeleteWeakGlobalRef
121 JDK-8203911 hotspot runtime Test runtime/modules/getModuleJNI/GetModule fails with -Xcheck:jni
122 JDK-8209850 hotspot runtime Allow NamedThreads to use GlobalCounter critical sections
123 JDK-8209976 hotspot runtime Improve iteration over non-JavaThreads
124 JDK-8210303 hotspot runtime VM_HandshakeAllThreads fails assert with "failed: blocked and not walkable"
125 JDK-8212933 hotspot runtime Thread-SMR: requesting a VM operation whilst holding a ThreadsListHandle can cause deadlocks
126 JDK-8213250 hotspot runtime CDS archive creation aborts due to metaspace object allocation failure
127 JDK-8219241 hotspot runtime Provide basic virtualization related info in the hs_error file on linux/windows x86_64
128 JDK-8219562 hotspot runtime Line of code in osContainer_linux.cpp#L102 appears unreachable
129 JDK-8222720 hotspot runtime Provide extended VMWare/vSphere virtualization related info in the hs_error file on linux/windows x86_64
130 JDK-8224793 hotspot runtime os::die() does not honor CreateCoredumpOnCrash option
131 JDK-8240529 hotspot runtime CheckUnhandledOops breaks NULL check in Modules::define_module
132 JDK-8241296 hotspot runtime Segfault in JNIHandleBlock::oops_do()
133 JDK-8241464 hotspot runtime [11u] Backport: make rehashing be a needed guaranteed safepoint cleanup action
134 JDK-8241660 hotspot runtime Add virtualization information output to hs_err file on macOS
135 JDK-8237589 other-libs other Fix copyright header formatting
136 JDK-7092821 security-libs java.security java.security.Provider.getService() is synchronized and became scalability bottleneck
137 JDK-8228613 security-libs java.security java.security.Provider#getServices order is no longer deterministic
138 JDK-8231387 security-libs java.security java.security.Provider.getService returns random result due to race condition with mutating methods in the same class
139 JDK-8238452 security-libs java.security Keytool generates wrong expiration date if validity is set to 2050/01/01
140 JDK-8246613 security-libs java.security Choose the default SecureRandom algo based on registration ordering
141 JDK-8240983 security-libs javax.crypto Incorrect copyright header in Apache Santuario 2.1.3 files
142 JDK-8238898 security-libs javax.crypto:pkcs11 Missing hash characters for header on license file
143 JDK-8209333 security-libs javax.net.ssl Socket reset issue for TLS 1.3 socket close
144 JDK-8211339 security-libs javax.net.ssl NPE during SSL handshake caused by HostnameChecker
145 JDK-8215711 security-libs javax.net.ssl Missing key_share extension for (EC)DHE key exchange should alert missing_extension
146 JDK-8223482 security-libs javax.net.ssl Unsupported ciphersuites may be offered by a TLS client
147 JDK-8223940 security-libs javax.net.ssl Private key not supported by chosen signature algorithm
148 JDK-8233621 security-libs javax.net.ssl Mismatch in jsse.enableMFLNExtension property name
149 JDK-8235874 security-libs javax.net.ssl The ordering of Cipher Suites is not maintained provided through “jdk.tls.client.cipherSuites” and “jdk.tls.server.cipherSuites” system property.
150 JDK-8236039 security-libs javax.net.ssl JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
151 JDK-8239798 security-libs javax.net.ssl SSLSocket closes socket both socket endpoints on a SocketTimeoutException
152 JDK-8242294 security-libs javax.net.ssl JSSE Client does not throw SSLException when an alert occurs during handshaking
153 JDK-8246031 security-libs javax.net.ssl SSLSocket.getSession() doesn't close connection for timeout/ interrupts
154 JDK-8163251 security-libs javax.smartcardio Hard coded loop limit prevents reading of smart card data greater than 8k
155 JDK-8210197 tools javac javac can't tell during speculative attribution if a diamond expression is creating an anonymous inner class or not
156 JDK-8213908 tools javac AssertionError in DeferredAttr at setOverloadKind
157 JDK-8214345 tools javac infinite recursion while checking super class
158 JDK-8218268 tools javac Javac treats Manifest Class-Path entries as Paths instead of URLs
159 JDK-8200432 tools javadoc(tool) javadoc fails with ClassCastException on {@link byte[]}
160 JDK-8212233 tools javadoc(tool) javadoc fails on jdk12 with "The code being documented uses modules but the packages defined in $URL are in the unnamed module."
161 JDK-8214856 tools javadoc(tool) Errors with JSZip in web console after upgrade to 3.1.5
162 JDK-8236700 tools javadoc(tool) Upgrading JSZip from v3.1.5 to v3.2.2
163 JDK-8216261 tools javap Javap ignores default modifier on interfaces
164 JDK-8217093 tools launcher Support extended-length paths in parse_manifest.c on Windows
165 JDK-8240629 tools launcher argfiles parsing broken for argfiles with comment cross 4096 bytes chunk
166 JDK-8221533 xml jaxp Incorrect copyright header in DurationDayTimeImpl.java, DurationYearMonthImpl.java and XMLStreamException.java
167 JDK-8242470 xml jaxp Update Xerces to Version 2.12.1

Java SE 11.0.7 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.7 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 11.0.7.0.1

Please note that fixes from the prior BPR are included in this version.


Java™ SE Development Kit 11.0.7 (JDK 11.0.7)

April 14, 2020

The full version string for this update release is 11.0.7+8 (where "+" means "build"). The version number is 11.0.7.

IANA Data 2019c

JDK 11.0.7 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.7 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.7+8
8 1.8.0_251-b08
7 1.7.0_261-b07

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.7) be used after the next critical patch update scheduled for July 14, 2020.

New Features

security-libs/javax.crypto

Support for MS Cryptography Next Generation (CNG)
The SunMSCAPI provider now supports reading private keys in Cryptography Next Generation (CNG) format. This means that RSA and EC keys in CNG format are loadable from Windows keystores, such as "Windows-MY". Signature algorithms related to EC (SHA1withECDSA, SHA256withECDSA, etc.) are also supported.

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.7:

# BugId Component Subcomponent Summary
1 JDK-6511207 client-libs 2d java/awt/FullScreen/VramExaustionFSTest/VramExaustionFSTest.java fails
2 JDK-8227324 client-libs 2d Upgrade to freetype 2.10.1
3 JDK-8234769 client-libs 2d Duplicate attribution in freetype.md
4 JDK-8220322 client-libs java.awt This case automatically fails, it cannot find symbol variable OldScrollb at class OldScrollEvents
5 JDK-8224821 client-libs java.awt java/awt/Focus/NoAutotransferToDisabledCompTest/NoAutotransferToDisabledCompTest.java fails linux-x64
6 JDK-8224830 client-libs java.awt test/jdk/java/awt/Focus/ModalExcludedWindowClickTest/ModalExcludedWindowClickTest.java fails on linux-x64
7 JDK-8225105 client-libs java.awt java/awt/Focus/ShowFrameCheckForegroundTest/ShowFrameCheckForegroundTest.java fails in Windows 10
8 JDK-8225487 client-libs java.awt giflib legal file is missing attribution for openbsd-reallocarray.c.
9 JDK-8230597 client-libs java.awt Update GIFlib library to the 5.2.1
10 JDK-8230926 client-libs java.awt [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout
11 JDK-8232433 client-libs java.awt [macos 10.15] java/awt/Window/LocationAtScreenCorner/LocationAtScreenCorner.java may fail
12 JDK-7054477 client-libs javax.swing closed/javax/swing/BufferStrategyPaintManager/6354265/bug6354265.java failed
13 JDK-8194944 client-libs javax.swing Regression automated test 'open/test/jdk/javax/swing/JInternalFrame/8145896/TestJInternalFrameMaximize.java' fails
14 JDK-8196467 client-libs javax.swing javax/swing/JInternalFrame/Test6325652.java fails
15 JDK-8198321 client-libs javax.swing javax/swing/JEditorPane/5076514/bug5076514.java fails
16 JDK-8198398 client-libs javax.swing Test javax/swing/JColorChooser/Test6199676.java fails in mach5
17 JDK-8199072 client-libs javax.swing Test javax/swing/GroupLayout/6613904/bug6613904.java is unstable
18 JDK-8203904 client-libs javax.swing javax/swing/JSplitPane/4816114/bug4816114.java: The divider location is wrong
19 JDK-8209418 client-libs javax.swing Synchronize test/jdk/sanity/client/lib/jemmy with code-tools/jemmy/v2
20 JDK-8209494 client-libs javax.swing Create a test for SwingSet3 InternalFrameDemo
21 JDK-8209499 client-libs javax.swing Create test for SwingSet3 EditorPaneDemo
22 JDK-8209789 client-libs javax.swing Synchronize test/jdk/sanity/client/lib/jemmy with code-tools/jemmy/v2
23 JDK-8209993 client-libs javax.swing Create a test for SwingSet3 ToolTipDemo
24 JDK-8210052 client-libs javax.swing Enable testing for all the available look and feels in SwingSet3 demo tests
25 JDK-8210055 client-libs javax.swing Enable different look and feel tests in SwingSet3 demo tests
26 JDK-8210057 client-libs javax.swing Enable different look and feels in SwingSet3 demo test InternalFrameDemoTest
27 JDK-8210910 client-libs javax.swing Create test for FileChooserDemo
28 JDK-8210994 client-libs javax.swing Create test for SwingSet3 FrameDemo
29 JDK-8211443 client-libs javax.swing Enable different look and feels in SwingSet3 demo test SplitPaneDemoTest
30 JDK-8211703 client-libs javax.swing JInternalFrame : java.lang.AssertionError: cannot find the internal frame
31 JDK-8212897 client-libs javax.swing Some improvements in the EditorPaneDemotest
32 JDK-8213168 client-libs javax.swing Enable different look and feel tests in SwingSet3 demo test FileChooserDemoTest
33 JDK-8214471 client-libs javax.swing Enable different look and feel tests in SwingSet3 demo test ToolTipDemoTest
34 JDK-8216353 client-libs javax.swing Use utility APIs introduced in org/netbeans/jemmy/util/LookAndFeel class in client sanity test cases
35 JDK-8217235 client-libs javax.swing Create automated test for SwingSet ColorChooserDemoTest
36 JDK-8221312 client-libs javax.swing test/jdk/sanity/client/SwingSet/src/ColorChooserDemoTest.java failed
37 JDK-8222519 client-libs javax.swing ButtonDemoScreenshotTest fails randomly with "still state to be reached"
38 JDK-8224475 client-libs javax.swing JTextPane does not show images in HTML rendering
39 JDK-8225144 client-libs javax.swing [macos] In Aqua L&F backspace key does not delete when Shift is pressed
40 JDK-8226892 client-libs javax.swing ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
41 JDK-8235744 client-libs javax.swing PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64
42 JDK-8218280 core-libs java.io LineNumberReader throws "Mark invalid" exception if CRLF straddles buffer.
43 JDK-8229899 core-libs java.io java.io.File.isInvalid() is racy
44 JDK-6996807 core-libs java.io:serialization FieldReflectorKey hash code computation can be improved
45 JDK-8208715 core-libs java.lang Conversion of milliseconds to nanoseconds in UNIXProcess contains bug.
46 JDK-8224181 core-libs java.lang On child process spawn, child may write to random file descriptor instead of the fail pipe
47 JDK-8206955 core-libs java.lang.invoke MethodHandleProxies.asInterfaceInstance does not support default methods
48 JDK-8225117 core-libs java.math java/math/BigInteger/SymmetricRangeTests.java fails with ParseException
49 JDK-8216355 core-libs java.net missing NULL checks in libnet in interface iteration and potential resource leak in getMacAddress
50 JDK-8218662 core-libs java.net Allow 204 responses with Content-Length:0
51 JDK-8202252 core-libs java.nio (aio) Closed AsynchronousSocketChannel keeps completion handler alive
52 JDK-8229888 core-libs java.nio (zipfs) Updating an existing zip file does not preserve original permissions
53 JDK-8234824 core-libs java.nio java/nio/channels/SocketChannel/AdaptSocket.java fails on Windows 10
54 JDK-8237368 core-libs java.rmi Problem with NullPointerException in RMI TCPEndpoint.read
55 JDK-8221120 core-libs java.util.concurrent CopyOnWriteArrayList.set should always have volatile write semantics
56 JDK-8221892 core-libs java.util.concurrent ThreadPoolExecutor: Thread.isAlive() is not equivalent to not being startable
57 JDK-8222930 core-libs java.util.concurrent ConcurrentSkipListMap.clone() shares size variable between original and clone
58 JDK-8234466 core-libs java.util.jar Class loading deadlock involving X509Factory#commitEvent()
59 JDK-8237508 core-libs java.util.jar Simplify JarFile.isInitializing
60 JDK-8234423 core-libs java.util:collections Modifying ArrayList.subList().subList() resets modCount of subList
61 JDK-8226869 core-libs java.util:i18n Test java/util/Locale/LocaleProvidersRun.java should enable assertions
62 JDK-8223260 core-libs javax.naming NamingManager should cache InitialContextFactory
63 JDK-8193042 hotspot compiler NativeLookup::lookup_critical_entry() should only load shared library once
64 JDK-8206963 hotspot compiler [AOT] bug with multiple class loaders
65 JDK-8209574 hotspot compiler [AOT] breakpoint events are generated in different threads does not meet expected count when testcase vm/jvmti/Breakpoint/brkp001/brkp00102/brkp00102.html is executed
66 JDK-8210220 hotspot compiler [AOT] jdwp test cases are failing with error # ERROR: TEST FAILED: Cought IOException while receiving event packet: # ERROR: java.net.SocketTimeoutException: Read timed out
67 JDK-8213604 hotspot compiler Fix missing includes after JDK-8212673
68 JDK-8214557 hotspot compiler Filter out VM flags which don't affect AOT code generation
69 JDK-8215322 hotspot compiler add @file support to jaotc
70 JDK-8216199 hotspot compiler Local variable arg defined but never used in BCEscapeAnalyzer::compute_escape_for_intrinsic()
71 JDK-8218201 hotspot compiler Failures when vmIntrinsics::_getClass is not inlined
72 JDK-8218879 hotspot compiler Keep track of memory accesses originated from Unsafe
73 JDK-8224658 hotspot compiler Unsafe access C2 compile fails with assert(flat != TypePtr::BOTTOM) failed: cannot alias-analyze an untyped ptr: adr_type = NULL
74 JDK-8225019 hotspot compiler Update JVMCI
75 JDK-8225199 hotspot compiler [Graal] compiler/jvmci/compilerToVM/IsMatureVsReprofileTest.java fails with -XX:CompileThresholdScaling=0.1
76 JDK-8228888 hotspot compiler C2 compilation fails with assert "m has strange control"
77 JDK-8229377 hotspot compiler [JVMCI] Improve InstalledCode.invalidate for large code caches
78 JDK-8229961 hotspot compiler Assert failure in compiler/graalunit/HotspotTest.java
79 JDK-8229994 hotspot compiler assert(false) failed: Bad graph detected in get_early_ctrl_for_expensive
80 JDK-8231620 hotspot compiler assert(bol->is_Bool()) crash during split if due to FastLockNode
81 JDK-8232539 hotspot compiler SIGSEGV in C2 Node::unique_ctrl_out
82 JDK-8233081 hotspot compiler C1: PatchingStub for field access copies too much
83 JDK-8233745 hotspot compiler [JVMCI] TranslatedException should serialize classloader and module info
84 JDK-8233820 hotspot compiler Test crashed with assert(phi->operand_count() != 1 || phi->subst() != phi) failed: missed trivial simplification
85 JDK-8233900 hotspot compiler [JVMCI] improve help text for EnableJVMCIProduct option
86 JDK-8234359 hotspot compiler [JVMCI] invalidate_nmethod_mirror shouldn't use a phantom reference
87 JDK-8234610 hotspot compiler MaxVectorSize set wrongly when UseAVX=3 is specified after JDK-8221092
88 JDK-8234617 hotspot compiler C1: Incorrect result of field load due to missing narrowing conversion
89 JDK-8234681 hotspot compiler Remove UseJVMCIClassLoader logic from JVMCI code
90 JDK-8235288 hotspot compiler AVX 512 instructions inadvertently used on Xeon for small vector width operations
91 JDK-8235438 hotspot compiler [JVMCI] StackTraceElement::decode should use the original Method
92 JDK-8235539 hotspot compiler [JVMCI] -XX:+EnableJVMCIProduct breaks -XX:-EnableJVMCI
93 JDK-8236140 hotspot compiler assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it
94 JDK-8204529 hotspot gc gc/TestAllocateHeapAtMultiple.java fail with Agent 7 timed out
95 JDK-8211211 hotspot gc vmTestbase/metaspace/stressDictionary/StressDictionary.java timeout
96 JDK-8229020 hotspot gc Failure on CPUs allowing loads reordering: assert(_tasks[t] == 1) failed: What else?
97 JDK-8229169 hotspot gc False failure of GenericTaskQueue::pop_local on architectures with weak memory model
98 JDK-8213015 hotspot jfr Inconsistent settings between JFR.configure and -XX:FlightRecorderOptions
99 JDK-8213617 hotspot jfr JFR should record the PID of the recorded process
100 JDK-8215284 hotspot jfr Reduce noise induced by periodic task getFileSize()
101 JDK-8215771 hotspot jfr The jfr tool should pretty print reference chains
102 JDK-8216064 hotspot jfr -XX:StartFlightRecording:settings= doesn't work properly
103 JDK-8216486 hotspot jfr Possibility of integer overflow in JfrThreadSampler::run()
104 JDK-8219205 hotspot jfr JFR file without license header
105 JDK-8220657 hotspot jfr JFR.dump does not work when filename is set
106 JDK-8221569 hotspot jfr JFR tool produces incorrect output when both --categories and --events are specified
107 JDK-8223697 hotspot jfr jfr tool can't format duration values greater than 1 minute
108 JDK-8224217 hotspot jfr RecordingInfo should use textual representation of path
109 JDK-8225694 hotspot jfr Destination option missing in FlightRecorderMXBeanImpl
110 JDK-8227411 hotspot jfr TestTimeMultiple.java failed "assert(!lease()) failed: invariant"
111 JDK-8227605 hotspot jfr Kitchensink fails "assert((((klass)->trace_id() & (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0)) failed: invariant"
112 JDK-8233075 hotspot jfr JFR - nmetods - misspelled in several places
113 JDK-8209361 hotspot jvmti [AOT] Unexpected number of references for JVMTI_HEAP_REFERENCE_CONSTANT_POOL [111-->111]: 0 (expected at least 1)
114 JDK-8207832 hotspot runtime serviceability/sa/ClhsdbCDSCore.java failed with java.lang.Error: Couldn't find core file location in:
115 JDK-8216977 hotspot runtime ShowHiddenFrames use in java_lang_StackTraceElement::fill_in appears broken
116 JDK-8223336 hotspot runtime Assert in VirtualMemoryTracker::remove_released_region when running the SharedArchiveConsistency.java test with -XX:NativeMemoryTracking=detail
117 JDK-8226406 hotspot runtime JVM fails to detect mismatched or corrupt CDS archive
118 JDK-8229345 hotspot runtime Memory leak due to vtable stubs not being shared on SPARC
119 JDK-8232052 hotspot runtime use string literal for format string when handling PauseAtStartupFile
120 JDK-8204308 hotspot svc-agent SA: serviceability/sa/TestInstanceKlassSize*.java fails when running in CDS mode
121 JDK-8227645 hotspot svc-agent Some tests in serviceability/sa run with fixed -Xmx values and risk running out of memory
122 JDK-8223671 infrastructure The latest Java 8 is not ready to use in applications on future macOS versions
123 JDK-8225180 security-libs java.security SignedObject with invalid Key not throwing the InvalidKeyException in Windows
124 JDK-8228969 security-libs java.security 2019-09-28 public suffix list update
125 JDK-8223003 security-libs javax.crypto SunMSCAPI keys are not cleaned up
126 JDK-8183107 security-libs javax.crypto:pkcs11 PKCS11 regression regarding checkKeySize
127 JDK-8232950 security-libs javax.crypto:pkcs11 SUNPKCS11 Provider incorrectly check key length for PSS Signatures.
128 JDK-4919790 security-libs javax.net.ssl Errors in alert ssl message does not reflect the actual certificate status
129 JDK-8225766 security-libs javax.net.ssl Curve in certificate should not affect signature scheme when using TLSv1.3
130 JDK-8207395 tools jar jar should support UNC-path arguments for the jar -C parameter
131 JDK-8218152 tools javac [javac] fails and exits with no error if a bad annotation processor provided
132 JDK-8208269 tools javadoc(tool) Javadoc does not support module-info in a multi-release jar
133 JDK-8215026 tools jlink Incorrect amount of memory unmapped with ImageFileReader::close()
134 JDK-8215123 tools jlink Crash in runtime image built with jlink --compress=2
135 JDK-8234696 tools jlink tools/jlink/plugins/VendorInfoPluginsTest.java times out
136 JDK-8234339 tools launcher replace JLI_StrTok in java_md_solinux.c
137 JDK-8016914 xml javax.xml.parsers CoreDocumentImpl.setXmlVersion NPE
138 JDK-8180901 xml javax.xml.transform Transformer.reset() resets the state only once
139 JDK-8207760 xml javax.xml.transform SAXException: Invalid UTF-16 surrogate detected: d83c ?
140 JDK-8233548 xml jaxp Update CUP to v0.11b

Java SE 11.0.6 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.6 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 11.0.6.0.2

Bug Fixes

BugId Component Subcomponent Summary
8223158 client-libs javax.swing Docked MacBook cannot start any Java Swing applications
8238596 hotspot runtime AVX enabled by default for Skylake even when unsupported

Changes in Java SE 11.0.6.0.1

Bug Fixes

BugId Component Subcomponent Summary
8214578 client-libs java.awt [macos] Problem with backslashes on macOS/JIS keyboard: Java ignores system settings
8234786 client-libs java.awt Fix for JDK-8214578 breaks OS X 10.12 compatibility

Java™ SE Development Kit 11.0.6 (JDK 11.0.6)

January 14, 2020

The full version string for this update release is 11.0.6+8 (where "+" means "build"). The version number is 11.0.6.

IANA Data 2019c

JDK 11.0.6 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.6 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.6+8
8 1.8.0_241-b07
7 1.7.0_251-b08

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.6) be used after the next critical patch update scheduled for April 14, 2020.

New Features

security-libs/javax.security

Allow SASL Mechanisms to Be Restricted
A security property named jdk.sasl.disabledMechanisms has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms argument of Sasl.createSaslClient or the mechanism argument of Sasl.createSaslServer. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.

security-libs/javax.crypto:pkcs11

SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40
The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.

Other notes

core-libs/java.rmi
 Improve Registry Support

The java.rmi.Remote marker interface identifies interfaces containing methods that can be invoked remotely by using the following specification:

  • Methods declared in interfaces that directly or indirectly extend java.rmi.Remote can be invoked remotely
  • Methods declared in interfaces that do not extend Remote directly or indirectly cannot be invoked remotely

This affects remote objects in the java.rmi.registry.Registry and any other remote object.

JDK-8230967 (not public)

security-libs/java.security

New Checks on Trust Anchor Certificates
New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.

A new system property named jdk.security.allowNonCaAnchor has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.

The default value of this property, if not set, is "false".

Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).

This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.

JDK-8230318 (not public)

security-libs/java.security

Exact Match Required for Trusted TLS Server Certificate
A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.

JDK-8227758 (not public)

security-libs/java.security

Added LuxTrust Global Root 2 Certificate
The following root certificate has been added to the cacerts truststore:

+ LuxTrust
  + luxtrustglobalroot2ca

    DN: CN=LuxTrust Global Root 2, O=LuxTrust S.A., C=LU
security-libs/java.security

Added 4 Amazon Root CA Certificates
The following root certificates have been added to the cacerts truststore:

+ Amazon
  + amazonrootca1
    DN: CN=Amazon Root CA 1, O=Amazon, C=US

  + amazonrootca2
    DN: CN=Amazon Root CA 2, O=Amazon, C=US

  + amazonrootca3
    DN: CN=Amazon Root CA 3, O=Amazon, C=US

  + amazonrootca4
    DN: CN=Amazon Root CA 4, O=Amazon, C=US
hotspot/compiler

Turn off AOT by Default and Change Related Flags to Experimental
Following AOT support related flags have been made experimental: UseAOT, PrintAOT and AOTLibrary. Also default value of UseAOT has been changed from enabled to disabled.

 

hotspot/gc
 Epsilon GC handled checked array stores incorrectly

Epsilon GC may have violated the specification requirements by accepting the type-incompatible store into the array, instead of throwing the ArrayStoreException. This is now handled correctly, both in this release, and associated backports. Users are advised to upgrade as soon as possible.

 

Bug Fixes

The following are some of the notable bug fixes included in this release:

security-libs/javax.crypto:pkcs11

Memory Growth Issue in SunPKCS11 Fixed
A memory growth issue in the SunPKCS11 cryptographic provider that affects the NSS back-end has been fixed.

A system property, sun.security.pkcs11.disableKeyExtraction has been introduced to disable the fix. A "true" value disables the fix, while a "false" value (default) keeps it enabled.

When enabled, PKCS#11 attributes of the NSS native keys are copied to Java byte buffers after key creation. Once used, NSS keys are destroyed and native heap space is freed up. If NSS keys are required again, they are recreated with the previously saved attributes.

Further information and implementation details can be found in the CSR: JDK-8213430

core-libs/java.io:serialization

Better Serial Filter Handling
The jdk.serialFilter system property can only be set on the command line. If the filter has not been set on the command line, it can be set can be set with java.io.ObjectInputFilter.Config.setSerialFilter. Setting the jdk.serialFilter with java.lang.System.setProperty has no effect.

JDK-8231422 (not public)

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.6:

# BugId Component Subcomponent Summary
1 JDK-8208179 client-libs 2d Devanagari not shown with logical fonts on Windows after removal of Lucida Sans from JDK
2 JDK-8210384 client-libs 2d SunLayoutEngine.isAAT() font is expensive on MacOS
3 JDK-8212071 client-libs 2d Need to set the FreeType LCD Filter to reduce fringing.
4 JDK-8213568 client-libs 2d Typo in java/awt/GraphicsEnvironment/LoadLock/GE_init5.java
5 JDK-8217707 client-libs 2d JNICALL declaration breaks Splash screen functions
6 JDK-8220231 client-libs 2d Cache HarfBuzz face object for same font's text layout calls
7 JDK-8228711 client-libs 2d Path rendered incorrectly when it goes outside the clipping region
8 JDK-8230728 client-libs 2d Thin stroked shapes are not rendered if affine transform has flip bit
9 JDK-8230769 client-libs 2d BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return
10 JDK-8144125 client-libs java.awt [macos] java/awt/event/ComponentEvent/MovedResizedTwiceTest/MovedResizedTwiceTest.java failed automatically
11 JDK-8211267 client-libs java.awt StackOverflowError happened by TextField.setFont(...)
12 JDK-8211810 client-libs java.awt X11 Time stamp data should be unsigned
13 JDK-8211826 client-libs java.awt StringIndexOutOfBoundsException happens via GetStringUTFRegion()
14 JDK-8211992 client-libs java.awt GraphicsConfiguration.getDevice().getDisplayMode() causes JVM crash on Mac
15 JDK-8212677 client-libs java.awt X11 default visual support for IM status window on VNC
16 JDK-8213119 client-libs java.awt [macos] java/awt/GraphicsDevice/CheckDisplayModes.java fails
17 JDK-8213292 client-libs java.awt Input freezes after MacOS key-selector (press&hold) usage on macOS Mojave
18 JDK-8214046 client-libs java.awt [macosx] Undecorated Frame does not Iconify when set to
19 JDK-8215105 client-libs java.awt java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color
20 JDK-8215200 client-libs java.awt IllegalArgumentException in sun.lwawt.macosx.CPlatformWindow
21 JDK-8215756 client-libs java.awt Memory leaks in the AWT on macOS
22 JDK-8219504 client-libs java.awt Test for JDK-8211435 can be run on all platforms
23 JDK-8221246 client-libs java.awt NullPointerException within Win32ShellFolder2
24 JDK-8224152 client-libs java.awt [macOS] ProblemList tests that leave rubbish on the screen
25 JDK-8230782 client-libs java.awt Robot.createScreenCapture() fails if “awt.robot.gtk” is set to false
26 JDK-8211393 client-libs java.awt:i18n Memory leak issue on awt_InputMethod.c
27 JDK-8211147 client-libs java.beans Incorrect comparator com.sun.beans.introspect.MethodInfo.MethodOrder
28 JDK-8221244 client-libs java.beans Unexpected behavior of PropertyDescription.getReadMethod for boolean properties
29 JDK-8225505 client-libs javax.swing ctrl-F1 does not show the tooltip of a menu item (JMenuItems)
30 JDK-8185898 core-libs java.net setRequestProperty(key, null) results in HTTP header without colon in request
31 JDK-8221395 core-libs java.net HttpClient leaving connections in CLOSE_WAIT state until Java process ends
32 JDK-8222968 core-libs java.net ByteArrayPublisher is not thread-safe resulting in broken re-use of HttpRequests
33 JDK-8227127 core-libs java.text Era designator not displayed correctly using the COMPAT provider
34 JDK-8212970 core-libs java.time TZ database in "vanguard" format support
35 JDK-8231770 core-libs java.util.jar Test java/util/zip/FlaterTest.java fails with -Xcheck:jni
36 JDK-8227368 core-libs java.util:collections EnumSet.class serialization broken in JDK 9+
37 JDK-8220227 core-libs java.util:i18n Host Locale Provider getDisplayCountry returns error message under non-English Win10
38 JDK-8227391 core-libs jdk.nashorn Update double-conversion to version 3.1.5
39 JDK-8232984 core-libs jdk.nashorn Upgrading Joni License version to 2.1.16
40 JDK-8230303 core-svc debugger JDB hangs when running monitor command
41 JDK-8220474 core-svc java.lang.instrument Incorrect GPL header in src/java.instrument/share/classes/java/lang/instrument/package-info.java
42 JDK-8220175 core-svc tools serviceability/dcmd/framework/VMVersionTest.java fails with a timeout
43 JDK-8087128 hotspot compiler C2: Disallow definition split on MachCopySpill nodes
44 JDK-8202952 hotspot compiler C2: Unexpected dead nodes after matching
45 JDK-8209691 hotspot compiler Allow MemBar on single memory slice
46 JDK-8209833 hotspot compiler C2 compilation fails with "assert(ex_map->jvms()->same_calls_as(_exceptions->jvms())) failed: all collected exceptions must come from the same place"
47 JDK-8210387 hotspot compiler C2 compilation fails with "assert(node->_last_del == _last) failed: must have deleted the edge just produced"
48 JDK-8210390 hotspot compiler C2 still crashes with "assert(mode == ControlAroundStripMined && use == sfpt) failed: missed a node"
49 JDK-8211232 hotspot compiler GraphKit::make_runtime_call() sometimes attaches wrong memory state to call
50 JDK-8211776 hotspot compiler 8210887 broke arraycopy optimization when ZGC is enabled
51 JDK-8212673 hotspot compiler jtreg/applications/runthese/RunThese30M.java fails in C2 with "assert(!had_error) failed: bad dominance"
52 JDK-8213014 hotspot compiler Crash in CompileBroker::make_thread due to OOM
53 JDK-8214773 hotspot compiler Replace use of thread unsafe strtok
54 JDK-8215044 hotspot compiler C2 crash in loopTransform.cpp with assert(cl->trip_count() > 0) failed: peeling a fully unrolled loop
55 JDK-8215265 hotspot compiler C2: range check elimination may allow illegal out of bound access
56 JDK-8215708 hotspot compiler ZGC: Add missing LoadBarrierNode::size_of()
57 JDK-8215755 hotspot compiler ZGC: split_barrier_thru_phi: check number of inputs of phi
58 JDK-8216135 hotspot compiler C2 assert(!had_error) failed: bad dominance
59 JDK-8216427 hotspot compiler ciMethodData::load_extra_data() does not always unpack the last entry
60 JDK-8216549 hotspot compiler Mismatched unsafe access to non escaping object fails
61 JDK-8216987 hotspot compiler ciMethodData::load_data() unpacks MDOs with non-atomic copy
62 JDK-8217359 hotspot compiler C2 compiler triggers SIGSEGV after transformation in ConvI2LNode::Ideal
63 JDK-8217371 hotspot compiler Incorrect LP64 guard in x86.ad after JDK-8210764 (Update avx512 implementation)
64 JDK-8217760 hotspot compiler C2: Missing symbolic info on a call from intrinsics when invoked through MethodHandle
65 JDK-8218163 hotspot compiler C2: Continuous deoptimization w/ Reason_speculate_class_check and Action_none
66 JDK-8218468 hotspot compiler Load barrier slow path node should be MachTypeNode
67 JDK-8219517 hotspot compiler assert(false) failed: infinite loop in PhaseIterGVN::optimize
68 JDK-8221456 hotspot compiler nmethod::make_unloaded() clears _method member too early
69 JDK-8224538 hotspot compiler LoadBarrierNode::common_barrier must check address
70 JDK-8224558 hotspot compiler Fix replicateB encoding
71 JDK-8225141 hotspot compiler Better handling of classes in error state by fast class initialization checks
72 JDK-8229906 hotspot compiler Backout backport 8227318 which was incomplete
73 JDK-8230711 hotspot compiler ConnectionGraph::unique_java_object(Node* N) return NULL if n is not in the CG
74 JDK-8214315 hotspot gc G1: fatal error: acquiring lock SATB_Q_FL_lock/1 out of order with lock tty_lock/0
75 JDK-8215724 hotspot gc Epsilon: ArrayStoreExceptionTest.java fails; missing arraycopy check
76 JDK-8221913 hotspot gc Add GC.selected() jtreg-ext function
77 JDK-8225716 hotspot gc G1 GC: Undefined behaviour in G1BlockOffsetTablePart::block_at_or_preceding
78 JDK-8230706 hotspot gc Waiting on completion of strong nmethod processing causes long pause times with G1
79 JDK-8205516 hotspot jfr JFR tool
80 JDK-8213834 hotspot jvmti JVMTI ResourceExhausted should not be posted in CompilerThread
81 JDK-8227277 hotspot jvmti HeapInspection::find_instances_at_safepoint walks dead objects
82 JDK-8193234 hotspot runtime When using -Xcheck:jni an internally allocated buffer can leak
83 JDK-8200109 hotspot runtime NMT: diff_malloc_site assert(early->flags() == current->flags(), "Must be the same memory type")
84 JDK-8210043 hotspot runtime Invalid assert(HeapBaseMinAddress > 0) in ReservedHeapSpace::initialize_compressed_heap
85 JDK-8210559 hotspot runtime ClassLoaderData Symbols can leak
86 JDK-8212173 hotspot runtime Thread._stack_base/_stack_size initialized too late for new threads
87 JDK-8212205 hotspot runtime VM asserts after CDS archive has been unmapped
88 JDK-8212937 hotspot runtime Parent class loader may not have a referred ClassLoaderData instance when obtained in Klass::class_in_module_of_loader
89 JDK-8214975 hotspot runtime No hs-err file if fatal error is raised during dynamic initialization.
90 JDK-8215699 hotspot runtime -Xlog::file cannot be used with named pipe
91 JDK-8215962 hotspot runtime Support ThreadPriorityPolicy mode 1 for non-root users on linux/bsd
92 JDK-8216426 hotspot runtime Usage of array placement new may lead to memory corruption
93 JDK-8216970 hotspot runtime condy causes JVM crash
94 JDK-8216982 hotspot runtime Assertion poison page established too early
95 JDK-8218581 hotspot runtime Incorrect exception message generation
96 JDK-8220173 hotspot runtime assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark
97 JDK-8220394 hotspot runtime bufferedStream does not honor size limit
98 JDK-8221437 hotspot runtime assert(java_lang_invoke_ResolvedMethodName::vmtarget(resolved_method()) == m()) failed: Should not change after link resolution
99 JDK-8222387 hotspot runtime Out-of-bounds access to CPU _family_id_xxx array
100 JDK-8223572 hotspot runtime ~ThreadInVMForHandshake() should call handle_special_runtime_exit_condition()
101 JDK-8224193 hotspot runtime stringStream should not use Resource Area
102 JDK-8224487 hotspot runtime outputStream should not be copyable
103 JDK-8225225 hotspot runtime stringStream internal buffer should always be zero terminated
104 JDK-8227117 hotspot runtime normal interpreter table is not restored after single stepping with TLH
105 JDK-8227497 hotspot runtime No documented method for setting module addexports to JNI_CreateJavaVM
106 JDK-8228485 hotspot runtime JVM crashes when bootstrap method for condy triggers loading of class whose static initializer throws exception
107 JDK-8021335 hotspot svc Missing synchronization when reading counters for live threads and peak thread count
108 JDK-8221532 hotspot svc Incorrect copyright header in FileSystemSupport_md.c
109 JDK-8225388 hotspot svc Running jcmd Compiler.CodeHeap_Analytics all 0 cause crash.
110 JDK-8200613 hotspot svc-agent SA: jstack throws UnmappedAddressException with a CDS core file
111 JDK-8220682 hotspot svc-agent Heap dumping and inspection fails with JDK-8214712
112 JDK-8218553 security-libs java.security Enhance keystore load debug output
113 JDK-8213008 security-libs javax.crypto:pkcs11 Cipher with UNWRAP_MODE should support the generation of an AES key type
114 JDK-8216597 security-libs javax.crypto:pkcs11 SIGBUS in Java_sun_security_pkcs11_wrapper_PKCS11_getNativeKeyInfo after JDK-6913047
115 JDK-8225695 security-libs javax.crypto:pkcs11 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support)
116 JDK-8226651 security-libs javax.crypto:pkcs11 Setting the mgfHash in CK_RSA_PKCS_PSS_PARAMS has no effect
117 JDK-8228835 security-libs javax.crypto:pkcs11 Memory leak in PKCS11 provider when using AES GCM
118 JDK-8211866 security-libs javax.net.ssl TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms
119 JDK-8212738 security-libs javax.net.ssl Incorrectly named signature scheme ecdsa_secp512r1_sha512
120 JDK-8212752 security-libs javax.net.ssl Typo in SSL log message related to inactive/disabled signature scheme
121 JDK-8214098 security-libs javax.net.ssl sun.security.ssl.HandshakeHash.T12HandshakeHash constructor check backwards.
122 JDK-8215524 security-libs javax.net.ssl Finished message validation failure should be decrypt_error alert
123 JDK-8226607 security-libs javax.smartcardio Inconsistent info between pcsclite.md and MUSCLE headers

Java SE 11.0.5 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.5 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 11.0.5.0.3

Bug Fixes

BugId Component Subcomponent Summary
8233097 client-libs 2d Fontmetrics for large Fonts has zero width
8229800 client-libs 2d WindowsServerCore 1809 does not provide d2d1.dll library required by awt.dll

Changes in Java SE 11.0.5.0.2

Bug Fixes

BugId Component Subcomponent Summary
8230085 core-libs java.nio (fs) FileStore::isReadOnly is always true on macOS Catalina

Java™ SE Development Kit 11.0.5 (JDK 11.0.5)

October 15, 2019

The full version string for this update release is 11.0.5+10 (where "+" means "build"). The version number is 11.0.5.

IANA Data 2019b

JDK 11.0.5 contains IANA time zone data version 2019b. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.5 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.5+10
8 1.8.0_231-b11
7 1.7.0_241-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.5) be used after the next critical patch update scheduled for January 14, 2020.

New Features

security-libs/java.security
New Java Flight Recorder (JFR) Security Events
Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.

  • jdk.SecurityPropertyModification

    • Records Security.setProperty(String key, String value) method calls
  • jdk.TLSHandshake

    • Records TLS handshake activity. The event fields include:
      • Peer hostname
      • Peer port
      • TLS protocol version negotiated
      • TLS cipher suite negotiated
      • Certificate id of peer client
  • jdk.X509Validation

    • Records details of X.509 certificates negotiated in successful X.509 validation (chain of trust)
  • jdk.X509Certificate

    • Records details of X.509 Certificates. The event fields include:
      • Certificate algorithm
      • Certificate serial number
      • Certificate subject
      • Certificate issuer
      • Key type
      • Key length
      • Certificate id
      • Validity of certificate

Other notes

docs
Using the JDK or JRE on macOS Catalina (10.15)
Changes introduced in macOS 10.15 (Catalina) have caused JCK test failures which will prevent Java from being supported on macOS 10.15. If you still want to install and test then please see https://www.oracle.com/java/technologies/javase/jdk-jre-macos-catalina.html.

JDK-8230057 (not public)

security-libs/javax.net.ssl
Remove Obsolete NIST EC Curves from the Default TLS Algorithms
This change removes older non-NIST Suite B EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.

To re-enable these curves, use the jdk.tls.namedGroups system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:

java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, 
sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192" ...

JDK-8228825 (not public)

security-libs/javax.crypto
Use SunJCE Mac in SecretKeyFactory PBKDF2 Implementation
The SunJCE implementation of the PBKDF2 SecretKeyFactory will now exclusively use the SunJCE Mac service for the underlying pseudorandom function (PRF). This fixes an issue where 3rd party JCE providers in rare cases could cause the SunJCE PBKDF2 SecretKeyFactory's underlying pseudorandom function (PRF) to fail on Mac.init().

install
Java Access Bridge Installation Workaround
There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32bit Java products.

To prevent breaking Java Access Bridge functionality, use one of the following workarounds:

  • Stop JAWS before running the Java installer.
  • Uninstall the existing JRE(s) before installing the new version of Java.
  • Uninstall the existing JRE(s) after the new version of Java is installed and the machine is rebooted.

The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.

JDK-8223293 (not public)

security-libs/javax.xml.crypto
Updated XML Signature Implementation to Apache Santuario 2.1.3
The XML Signature implementation in the java.xml.crypto module has been updated to version 2.1.3 of Apache Santuario. New features include:

  • Added support for embedding elliptic curve public keys in the KeyValue element

security-libs/javax.crypto
System Property jdk.security.useLegacyECC is Turned Off by Default
The system property jdk.security.useLegacyECC, which was introduced in the update releases 7u231 and 8u221, is turned off by default.

This option allows control of which implementation of ECC is in use.

When the system property, jdk.security.useLegacyECC, is explicitly set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC in the command line. Setting the option to true or the empty string is not recommended.

If the option is set to "false", or if it is not specified at all, the provider decides which implementation of ECC is used. This is the recommended setting, as the JDK will use modern and timing resistant implementations of the NIST secp256r1, secp384r1, and secp521r1 curves. For more information on which curves are recommended and which are legacy, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC.

JDK-8224499 (not public)

core-libs/java.util
Changed Properties.loadFromXML to Comply with Specification
The implementation of the java.util.Properties.loadFromXML method has been changed to comply with its specification. Specifically, the underlying XML parser implementation now rejects non-compliant XML documents by throwing an InvalidPropertiesFormatException as specified by the loadFromXML method.

The effect of the change is as follows:

  • Documents created by Properties.storeToXML: No change. Properties.loadFromXML will have no problem reading such files.

  • Documents not created by Properties.storeToXML: Any documents containing DTDs not in the format as specified in Properties.loadFromXML will be rejected. This means the DTD shall be exactly as follows (as generated by the Properties.storeToXML method):

<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">

core-libs/java.lang
Runtime.exec and ProcessBuilder Argument Restrictions
Runtime.exec and ProcessBuilder have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager.

In applications where there is no security manager, there is no change in the default behavior and the new restrictions are opt-in. To enable the restrictions, set the system property jdk.lang.Process.allowAmbiguousCommands to false.

In applications where there is a security manager, the new restrictions are opt-out. To revert to the previous behavior set the system property jdk.lang.Process.allowAmbiguousCommands to true.

Applications using Runtime.exec or ProcessBuilder with a security manager to invoke .bat or .cmd and command names that do not end in ".exe" may be more restrictive in the characters accepted for arguments if they contain double-quote, "&", "|", "<", ">", or "^". The arguments passed to applications may be quoted differently than in previous versions.

For .exe programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. In the case where the entire argument has been passed with quotes or must be quoted to encode special characters including space and tab, the encoding ensures they are passed to the application correctly. The restrictions are enforced if there is a security manager and the jdk.lang.Process.allowAmbiguousCommands property is "false" or there is no security manager and property is not "false".

JDK-8221858 (not public)

client-libs/2d
Windows 2019 Core Server Is Not Supported
Windows Core Server 2019 does not ship a dll required by JDK in order to run. Specifically, if a Java application, including a headless one, requires awt.dll, the Java runtime will exit with an exception. There is no workaround. Until this is resolved, this Windows Server configuration is not supported.

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.5:

# BugId Component Subcomponent Summary
1 JDK-8217676 client-libs   Upgrade libpng to 1.6.37
2 JDK-8214579 client-libs   JFrame does not paint content in XVFB / X11vnc environment
3 JDK-8222108 client-libs 2d Reduce minRefreshTime for updating remote printer list on Windows
4 JDK-8224825 client-libs 2d java/awt/Color/AlphaColorTest.java fails in linux-x64 system
5 JDK-8139178 client-libs 2d Wrong fontMetrics when printing in Landscape (OpenJDK)
6 JDK-8221411 client-libs 2d NullPointerException in RasterPrinterJob without PrinterResolution
7 JDK-8222362 client-libs 2d Upgrade to Freetype 2.10.0
8 JDK-8218854 client-libs 2d FontMetrics.getMaxAdvance may be less than the maximum FontMetrics.charWidth
9 JDK-8221304 client-libs 2d Problem list java/awt/FontMetrics/MaxAdvanceIsMax.java
10 JDK-8227392 client-libs java.awt Colors with alpha are painted incorrectly on Linux, after JDK-8214579
11 JDK-8196681 client-libs javax.accessibility Java Access Bridge logging and debug flags dynamically controlled
12 JDK-8225423 client-libs javax.swing GTK L&F: JSplitPane: There is no divider shown
13 JDK-8226964 client-libs javax.swing [Yaru] GTK L&F: There is no difference between menu selected and de-selected
14 JDK-8214702 client-libs javax.swing Wrong text position for whitespaced string in printing Swing text
15 JDK-8217366 core-libs   ZoneStrings are not populated for all the Locales
16 JDK-8216205 core-libs java.lang Java API documentation formatting error in System.getEnv()
17 JDK-8225425 core-libs java.net java.lang.UnsatisfiedLinkError: net.dll: Can't find dependent libraries
18 JDK-8217364 core-libs java.net Custom URLStreamHandler for jrt or file protocol can override default handler.
19 JDK-8213406 core-libs java.nio (fs) More than one instance of built-in FileSystem observed in heap
20 JDK-8224202 core-libs java.util Speed up Properties.load
21 JDK-8213325 core-libs java.util (props) Properties.loadFromXML does not fully comply with the spec
22 JDK-8214687 core-libs java.util:collections Optimize Collections.nCopies().hashCode() and equals()
23 JDK-8221924 core-libs java.util:collections get(null) on single-entry unmodifiable Map returns null instead of throwing NPE
24 JDK-8226876 core-libs java.util:i18n Assertion in sun/util/locale/provider/CalendarDataUtility on Windows after JDK-8218960
25 JDK-8222980 core-libs java.util:i18n Upgrade IANA Language Subtag Registry to Version 2019-04-03
26 JDK-8220037 core-libs java.util:i18n Inconsistencies of generated timezone files between Windows and Linux
27 JDK-8219890 core-libs java.util:i18n Calendar.getDisplayName() returns empty string for new Japanese Era on some locales
28 JDK-8218960 core-libs java.util:i18n CONFIG level logging statements printed in CLDRCalendarDataProviderImpl.java even when default log Level is INFO
29 JDK-8139965 core-libs javax.naming Hang seen when using com.sun.jndi.ldap.search.replyQueueSize
30 JDK-8206879 globalization locale-data Currency decimal marker incorrect for Peru
31 JDK-8219448 hotspot compiler split-if update_uses accesses stale idom data
32 JDK-8220198 hotspot compiler Lots of com/sun/crypto/provider/Cipher tests fail on x86_32 due to missing SHA512 stubs
33 JDK-8219335 hotspot compiler "failed: unexpected type" assert failure in ConnectionGraph::split_unique_types() with unsafe accesses
34 JDK-8220714 hotspot compiler C2 Compilation failure when accessing off-heap memory using Unsafe
35 JDK-8188133 hotspot compiler C2: Static field accesses in clinit can trigger deoptimizations
36 JDK-8177899 hotspot compiler Tests fail due to code cache exhaustion on machines with many cores
37 JDK-8222670 hotspot compiler pathological case of JIT recompilation and code cache bloat
38 JDK-8220374 hotspot compiler C2: LoopStripMining doesn't strip as expected
39 JDK-8213825 hotspot compiler assert(false) failed: Non-balanced monitor enter/exit! Likely JNI locking
40 JDK-8223537 hotspot compiler testlibrary_tests/ctw/ClassesListTest.java fails with Agent timeout frequently
41 JDK-8207965 hotspot compiler C2-only debug build fails
42 JDK-8202414 hotspot compiler Unsafe write after primitive array creation may result in array length change
43 JDK-8215483 hotspot compiler Off heap memory accesses should be vectorized
44 JDK-8219807 hotspot compiler C2 crash in IfNode::up_one_dom(Node*, bool)
45 JDK-8218721 hotspot compiler C1's CEE optimization produces safepoint poll with invalid debug information
46 JDK-8213419 hotspot compiler C2 may hang in MulLNode::Ideal()/MulINode::Ideal() with gcc 8.2.1
47 JDK-8214059 hotspot compiler Undefined behaviour in ADLC
48 JDK-8214189 hotspot compiler test/hotspot/jtreg/compiler/intrinsics/mathexact/MulExactLConstantTest.java fails on Windows x64 when run with -XX:-TieredCompilation
49 JDK-8200365 hotspot gc TestOptionsWithRanges.java of '-XX:TLABWasteTargetPercent=100' fails intermittently
50 JDK-8214161 hotspot jfr java.lang.IllegalAccessError: class jdk.internal.event.X509CertificateEvent (in module java.base) cannot access class jdk.jfr.internal.handlers.EventHandler (in module jdk.jfr) because module java.base does not read module jdk.jfr
51 JDK-8213172 hotspot jfr CDS and JFR tests fail with assert(JdkJfrEvent::is(klass)) failed: invariant
52 JDK-8203629 hotspot jfr Produce events in the JDK without a dependency on jdk.jfr
53 JDK-8214287 hotspot jfr SpecJbb2005StressModule got uncaught exception
54 JDK-8216049 hotspot runtime stringTable::intern creates redundant String when looking up existing one
55 JDK-8217994 hotspot runtime os::print_hex_dump should be more resilient against unreadable memory
56 JDK-8216308 hotspot runtime StackTraceElement::fill_in can use injected Class source-file
57 JDK-8217315 hotspot runtime Proper units should print more significant digits
58 JDK-8216302 hotspot runtime StackTraceElement::fill_in can use cached Class.name
59 JDK-8202835 hotspot runtime jfr/event/os/TestSystemProcess.java fails on missing events
60 JDK-8202353 hotspot runtime os::readdir should use readdir instead of readdir_r
61 JDK-8210457 hotspot runtime JVM crash in ResolvedMethodTable::add_method(Handle)
62 JDK-8222914 hotspot runtime Partial backport of JDK-8218266
63 JDK-8206075 hotspot runtime On x86, assert on unbound assembler Labels used as branch targets
64 JDK-8208480 hotspot runtime Test failure: assert(is_bound() || is_unused()) after JDK-8206075 in C1
65 JDK-8222985 install uninstall need to build 64-bit JavaUninstallTool.exe as 32-bit exe
66 JDK-8229773 security-libs java.security Resolve permissions for code source URLs lazily
67 JDK-8224589 security-libs java.security Improve startup behavior of SecurityProperties
68 JDK-8147502 security-libs java.security Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
69 JDK-8221801 security-libs java.security Update src/java.base/share/legal/public_suffix.md
70 JDK-8148188 security-libs java.security Enhance the security libraries to record events of interest
71 JDK-8226543 security-libs javax.crypto Reduce GC pressure during message digest calculations in password-based encryption
72 JDK-8218723 security-libs javax.crypto Use SunJCE Mac in SecretKeyFactory PBKDF2 implementation
73 JDK-8133489 security-libs javax.net.ssl Better messaging for PKIX path validation matching
74 JDK-8216039 security-libs javax.net.ssl TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange
75 JDK-8216326 security-libs javax.net.ssl SSLSocket stream close() does not close the associated socket
76 JDK-8218780 security-libs javax.smartcardio Update MUSCLE PCSC-Lite header files
77 JDK-8219013 security-libs javax.xml.crypto Update Apache Santuario (XML Signature) to version 2.1.3
78 JDK-8225005 xml jaxp Xerces 2.12.0: License file
79 JDK-8222415 xml jaxp Xerces 2.12.0: Parsing Configuration
80 JDK-8222743 xml jaxp Xerces 2.12.0: DOM Implementation
81 JDK-8222991 xml jaxp Xerces 2.12.0: Validation
82 JDK-8213117 xml org.w3c.dom adoptNode corrupts attribute values
83 JDK-8213734 xml org.xml.sax SAXParser.parse(File, ..) does not close resources when Exception occurs.

Java SE 11.0.4 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.4 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 11.0.4.0.1

Please note that fixes from prior BPR are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8217610 security-libs javax.net.ssl TLSv1.3 fail with ClassException when EC keys are stored in PKCS11

Java™ SE Development Kit 11.0.4 (JDK 11.0.4)

July 16, 2019

The full version string for this update release is 11.0.4+10 (where "+" means "build"). The version number is 11.0.4.

IANA Data 2018i

JDK 11.0.4 contains IANA time zone data version 2018i. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.4 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.4+10
8 1.8.0_221-b11
7 1.7.0_231-b08

Oracle JDK Expiration Date

The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.4) will expire with the release of the next critical patch update scheduled for October 15, 2019.

New Features

hotspot/runtime

HotSpot Windows OS Detection Correctly Identifies Windows Server 2019
Prior to this fix, Windows Server 2019 was recognized as "Windows Server 2016", which produced incorrect values in the os.name system property and the hs_err_pid file.

Removed Features and Options

security-libs/java.security

Removal of Two DocuSign Root CA Certificates
Two DocuSign root CA certificates are expired and have been removed from the cacerts keystore:

  • alias name "certplusclass2primaryca [jdk]"

    Distinguished Name: CN=Class 2 Primary CA, O=Certplus, C=FR

  • alias name "certplusclass3pprimaryca [jdk]"

    Distinguished Name: CN=Class 3P Primary CA, O=Certplus, C=FR

security-libs/java.security

Removal of Two Comodo Root CA Certificates
Two Comodo root CA certificates are expired and have been removed from the cacerts keystore:

  • alias name "utnuserfirstclientauthemailca [jdk]"

    Distinguished Name: CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

  • alias name "utnuserfirsthardwareca [jdk]"

    Distinguished Name: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

security-libs/java.security

Removal of T-Systems Deutsche Telekom Root CA 2 Certificate
The T-Systems Deutsche Telekom Root CA 2 certificate is expired and has been removed from the cacerts keystore:

  • alias name "deutschetelekomrootca2 [jdk]"

    Distinguished Name: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE

security-libs/java.security

Removal of GTE CyberTrust Global Root
The GTE CyberTrust Global Root certificate is expired and has been removed from the cacerts keystore:

  • alias name "gtecybertrustglobalca [jdk]"

    Distinguished Name: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US

Other notes

security-libs/javax.xml.crypto

 com.sun.org.apache.xml.internal.security.ignoreLineBreaks System Property
An Apache Santuario libraries upgrade introduces a behavioral change where Base64 encoded XML signatures may result in &#xd or &#13 being appended to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.

An application may continue working with the encoded output data containing the carriage return character (&#xd or &#13) if the application coding logic allows such output.

The com.sun.org.apache.xml.internal.security.ignoreLineBreaks system property may be set to a value of true if an application is unable to handle encoded output data including the carriage return character (&#xd or &#13).

Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482.

security-libs/javax.crypto

System Property to Switch Between Implementations of ECC
A new boolean system property, jdk.security.useLegacyECC, has been introduced that enables switching between implementations of ECC.

When the system property, jdk.security.useLegacyECC, is set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC in the command line.

If the option is explicitly set to "false", the provider decides which implementation of ECC is used.

The default value of the option is "true". Note that the default value might change in a future update release of the JDK.

JDK-8217763 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.4:

# BugId Component Subcomponent Summary
1 JDK-8190361 client-libs   Incorrect version info in jaccessinspector.exe and jaccesswalker.exe
2 JDK-8214252 client-libs   Expanded & Collapsed nodes of a JTree look the same on GTK3
3 JDK-8210782 client-libs   Upgrade HarfBuzz to the latest 2.3.1
4 JDK-8212202 client-libs 2d [Windows] Exception if no printers are installed.
5 JDK-8218020 client-libs 2d Fix version number in mesa.md 3rd party legal file
6 JDK-8210886 client-libs java.awt Remove references in xwindows.md to non-existent files.
7 JDK-8214109 client-libs java.awt XToolkit is not correctly displayed color on 16-bit high color setting
8 JDK-8214765 client-libs java.awt All TrayIcon MessageType icons does not show up with gtk3 option set
9 JDK-8213183 client-libs java.awt:i18n InputMethod cannot be used after its restarting
10 JDK-8220349 client-libs javax.swing The fix done for JDK-8214253 have caused issues in JTree behaviour
11 JDK-8214112 client-libs javax.swing The whole text in target JPasswordField image are not selected.
12 JDK-8214253 client-libs javax.swing Tooltip is transparent rather than having a black background
13 JDK-8214111 client-libs javax.swing There is no icon in all JOptionPane target image
14 JDK-8218674 client-libs javax.swing HTML Tooltip with "img src=" on component doesn't show
15 JDK-8220166 core-libs java.io:serialization Performance regression in deserialization (4-6% in SPECjbb)
16 JDK-8217094 core-libs java.net HttpClient SSL race if a socket IOException is raised before ALPN is available
17 JDK-8213294 core-libs java.util:i18n Upgrade IANA LSR data
18 JDK-8214935 core-libs java.util:i18n Upgrade IANA LSR data
19 JDK-8218781 core-libs java.util:i18n Localized names for Japanese Era Reiwa in COMPAT provider
20 JDK-8217564 hotspot compiler idempotent protection missing in crc32c.h
21 JDK-8209951 hotspot compiler Problematic sparc intrinsic: com.sun.crypto.provider.CipherBlockChaining
22 JDK-8220293 hotspot jfr Deadlock in JFR string pool
23 JDK-8205633 hotspot runtime TestOptionsWithRanges.java of '-XX:TLABSize=2147483648' fails intermittently
24 JDK-8211106 hotspot runtime [windows] Update OS detection code to recognize Windows Server 2019
25 JDK-8217765 hotspot runtime Internal Error (javaCalls.cpp:61) guarantee(thread->can_call_java()) failed
26 JDK-8202884 hotspot svc-agent SA: Attach/detach might fail on Linux if debugee application create/destroy threads during attaching
27 JDK-8218180 install   JAB description in Control Panel is messed
28 JDK-8195793 security-libs java.security Remove GTE CyberTrust Global Root
29 JDK-8223499 security-libs java.security Remove two DocuSign root certificates that are expiring
30 JDK-8222137 security-libs java.security Remove T-Systems root CA certificate
31 JDK-8222136 security-libs java.security Remove two Comodo root CA certificates that are expiring
32 JDK-8217690 security-libs java.security Update public suffix version
33 JDK-8204909 security-libs javax.crypto Improved ECC Implementation
34 JDK-8210989 security-libs javax.net.ssl RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2
35 JDK-8215790 security-libs javax.net.ssl Delegated task created by SSLEngine throws java.nio.BufferUnderflowException
36 JDK-8214339 security-libs javax.net.ssl SSLSocketImpl erroneously wraps SocketException
37 JDK-8219389 security-libs javax.net.ssl Delegated task created by SSLEngine throws BufferUnderflowException
38 JDK-8216045 security-libs javax.net.ssl The size of key_exchange may be wrong on FFDHE
39 JDK-8217878 security-libs javax.xml.crypto ENVELOPING XML signature no longer works in JDK 11
40 JDK-8218629 security-libs javax.xml.crypto XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10
41 JDK-8209914 tools javadoc(tool) javadoc search sometimes generates bad URIs
42 JDK-8214468 tools javadoc(tool) jQuery UI upgrade from 1.11.4 to 1.12.1

Java SE 11.0.3 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.3 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 11.0.3+31

Bug Fixes

BugId Component Subcomponent Summary
8210739 client-libs javax.swing Calling JSpinner's setFont with null throws NullPointerException

Java™ SE Development Kit 11.0.3 (JDK 11.0.3)

April 16, 2019

The full version string for this update release is 11.0.3+12 (where "+" means "build"). The version number is 11.0.3.

IANA Data 2018g

JDK 11.0.3 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.3 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.3+12
10 10.0.99
9 9.0.99
8 1.8.0_211-b12
7 1.7.0_221-b08
6 1.6.0_221

Oracle JDK Expiration Date

The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.3) will expire with the release of the next critical patch update scheduled for July 16, 2019.

New Features

core-libs/java.util:i18n

Square Character Support for Japanese New Era
The code point, U+32FF, is reserved by the Unicode Consortium to represent the Japanese square character for the new era that begins from May, 2019. Relevant methods in the Character class return the same properties as the existing Japanese era characters (e.g., U+337E for "Meizi"). For details about the code point, see http://blog.unicode.org/2018/09/new-japanese-era.html.

Known Issues

install

Java Access Bridge Installation Workaround
There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32bit Java products.

To prevent breaking Java Access Bridge functionality, use one of the following workarounds:

  • Stop JAWS before running the Java installer.
  • Uninstall the existing JRE(s) before installing the new version of Java.
  • Uninstall the existing JRE(s) after the new version of Java is installed and the machine is rebooted.

The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.

JDK-8223293 (not public)

Changes

security-libs/java.security

Added GlobalSign R6 Root Certificate
The following root certificate has been added to the cacerts truststore:

  • GlobalSign
    • globalsignrootcar6

      DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6

JDK-8216577 (not public)

security-libs/javax.net.ssl

Distrust TLS Server Certificates Anchored by Symantec Root CAs
The JDK will stop trusting TLS Server certificates issued by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec.

TLS Server certificates issued on or before April 16, 2019 will continue to be trusted until they expire. Certificates issued after that date will be rejected. See the DigiCert support page for information on how to replace your Symantec certificates with a DigiCert certificate (DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates on December 1, 2017).

An exception to this policy is that TLS Server certificates issued through two subordinate Certificate Authorities managed by Apple, and identified below, will continue to be trusted as long as they are issued on or before December 31, 2019.

The restrictions are enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below.

An application will receive an Exception with a message indicating the trust anchor is not trusted, ex:

"TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA:
 CN=GeoTrust Global CA, O=GeoTrust Inc., C=US"

If necessary, and at your own risk, you can work around the restrictions by removing "SYMANTEC_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Symantec Root certificates included in the JDK:

Root Certificates distrusted after 2019-04-16

Distinguished Name SHA-256 Fingerprint
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US

FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA: DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A

CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US

37:D5:10:06:C5:12:EA:AB:62:64:21:F1:EC:8C:92:01:3F:C5:F8: 2A:E9:8E:E5:33:EB:46:19:B8:DE:B4:D0:6C

CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US

5E:DB:7A:C4:3B:82:A0:6A:87:61:E8:D7:BE:49:79:EB:F2:61:1F: 7D:D7:9B:F9:1C:1C:6B:56:6A:21:9E:D7:66

CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US

B4:78:B8:12:25:0D:F8:78:63:5C:2A:A7:EC:7D:15:5E:AA:62:5E: E8:29:16:E2:CD:29:43:61:88:6C:D1:FB:D4

CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US

A0:45:9B:9F:63:B2:25:59:F5:FA:5D:4C:6D:B3:F9:F7:2F:F1:93: 42:03:35:78:F0:73:BF:1D:1B:46:CB:B9:12

CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A: 97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F

CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US

A4:31:0D:50:AF:18:A6:44:71:90:37:2A:86:AF:AF:8B:95:1F:FB: 43:1D:83:7F:1E:56:88:B4:59:71:ED:15:57

CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C: 06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C

EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

3F:9F:27:D5:83:20:4B:9E:09:C8:A3:D2:06:6C:4B:57:D3:A2:47: 9C:36:93:65:08:80:50:56:98:10:5D:BC:E9

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F: D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1

OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09: CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E: DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B

CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1: B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44

CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60: 32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79

CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99: 89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF

CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5: C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C

Distinguished Name SHA-256 Fingerprint
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US

FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA: DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A

CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US

37:D5:10:06:C5:12:EA:AB:62:64:21:F1:EC:8C:92:01:3F:C5:F8: 2A:E9:8E:E5:33:EB:46:19:B8:DE:B4:D0:6C

CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US

5E:DB:7A:C4:3B:82:A0:6A:87:61:E8:D7:BE:49:79:EB:F2:61:1F: 7D:D7:9B:F9:1C:1C:6B:56:6A:21:9E:D7:66

CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US

B4:78:B8:12:25:0D:F8:78:63:5C:2A:A7:EC:7D:15:5E:AA:62:5E: E8:29:16:E2:CD:29:43:61:88:6C:D1:FB:D4

CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US

A0:45:9B:9F:63:B2:25:59:F5:FA:5D:4C:6D:B3:F9:F7:2F:F1:93: 42:03:35:78:F0:73:BF:1D:1B:46:CB:B9:12

CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A: 97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F

CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US

A4:31:0D:50:AF:18:A6:44:71:90:37:2A:86:AF:AF:8B:95:1F:FB: 43:1D:83:7F:1E:56:88:B4:59:71:ED:15:57

CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C: 06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C

EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

3F:9F:27:D5:83:20:4B:9E:09:C8:A3:D2:06:6C:4B:57:D3:A2:47: 9C:36:93:65:08:80:50:56:98:10:5D:BC:E9

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F: D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1

OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09: CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E: DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B

CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1: B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44

CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60: 32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79

CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99: 89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF

CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5: C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C

Subordinate Certificates distrusted after 2019-12-31

Distinguished Name SHA-256 Fingerprint
CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US

AC:2B:92:2E:CF:D5:E0:17:11:77:2F:EA:8E:D3:72:DE:9D:1E:22:45:FC:E3:F5:7A: 9C:DB:EC:77:29:6A:42:4B

CN=Apple IST CA 8 - G1, OU=Certification Authority, O=Apple Inc., C=US

A4:FE:7C:7F:15:15:5F:3F:0A:EF:7A:AA:83:CF:6E:06:DE:B9:7C:A3:F9:09:DF:92:0A: C1:49:08:82:D4:88:ED

Distinguished Name SHA-256 Fingerprint
CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US

AC:2B:92:2E:CF:D5:E0:17:11:77:2F:EA:8E:D3:72:DE:9D:1E:22:45:FC:E3:F5:7A: 9C:DB:EC:77:29:6A:42:4B

CN=Apple IST CA 8 - G1, OU=Certification Authority, O=Apple Inc., C=US

A4:FE:7C:7F:15:15:5F:3F:0A:EF:7A:AA:83:CF:6E:06:DE:B9:7C:A3:F9:09:DF:92:0A: C1:49:08:82:D4:88:ED

If you have a TLS Server certificate issued by one of the CAs above, you should have received a message from DigiCert with information about replacing that certificate, free of charge.

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server if not yours.

core-libs/java.time

New Japanese Era Name Reiwa
An instance representing the new Reiwa era has been added to this update. Unlike other eras, there is no public field for this era. It can be obtained by calling JapaneseEra.of(3) or JapaneseEra.valueOf("Reiwa"). JDK 13 and later will have a new public field to represent this era.

The placeholder name, "NewEra", for the Japanese era that started from May 1st, 2019 has been replaced with the new official name. Applications that relied on the placeholder name (see JDK-8202088) to obtain the new era singleton (JapaneseEra.valueOf("NewEra")) will no longer work.

core-libs/java.time

Support New Japanese Era in java.time.chrono.JapaneseEra
The JapaneseEra class and its of(int), valueOf(String), and values() methods are clarified to accommodate future Japanese era additions, such as how the singleton instances are defined, what the associated integer era values are, etc.

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.3:

# BugId Component Subcomponent Summary
1 JDK-8207070 client-libs java.awt Webstart app popup on wrong screen in a one-screen setup changing to multi-monitor
2 JDK-8211295 core-libs java.sql DriverManager::getConnection fails to find driver if it's called from JDBC RowSet
3 JDK-8212941 core-libs java.time Support new Japanese era in java.time.chrono.JapaneseEra
4 JDK-8211398 core-libs java.util:i18n Square character support for the Japanese new era
5 JDK-8208275 hotspot compiler C2 crash in Node::add_req(Node*)
6 JDK-8209758 hotspot gc 2 classes with same name G1PrintCollectionSetClosure cause crash when logging is enabled
7 JDK-8211821 hotspot runtime PrintStringTableStatistics crashes JVM
8 JDK-8214827 hotspot runtime Incorrect call ClassLoaders.toFileURL("jrt:/java.compiler")
9 JDK-8215397 hotspot runtime jsig.c missing classpath exception
10 JDK-8213952 security-libs java.security Relax DNSName restriction as per RFC 1123
11 JDK-8213782 security-libs javax.net.ssl NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers
12 JDK-8212885 security-libs javax.net.ssl TLS 1.3 resumed session does not retain peer certificate chain
13 JDK-8207258 security-libs javax.net.ssl Distrust TLS server certificates anchored by Symantec Root CAs
14 JDK-8214129 security-libs javax.net.ssl SSL session resumption/SNI with TLS1.2 causes StackOverflowError
15 JDK-8209615 xml javax.xml.stream ParseError in XMLEventReader on a valid input
16 JDK-8210874 xml javax.xml.stream Test for JDK-8209615
17 JDK-8215330 xml jaxp javax.xml.catalog.CatalogResolverImpl: GroupEntry.matchURI fails to match

Java SE 11.0.2 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.2 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 11.0.2+32

Bug Fixes

BugId Component Subcomponent Summary
8211435 client-libs java.awt Exception in thread "AWT-EventQueue-1" java.lang.IllegalArgumentException: null source
8204142 client-libs java.awt AWT hang occurs when sequenced events arrive out of sequence in multiple AppContexts.

Changes in Java SE 11.0.2+31

Bug Fixes

BugId Component Subcomponent Summary
8209055 tools javac c.s.t.javac.code.DeferredCompletionFailureHandler seems to use WeakHashMap incorrectly
8179098 security-libs javax.crypto Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
8211765 core-libs java.util.jar JarFile constructor throws undocumented java.nio.file.InvalidPathException
8211698 hotspot compiler Crash in C2 compiled code during execution of double array heavy processing code
8210483 tools javac AssertionError in DeferredAttr at setOverloadKind caused by JDK-8203679
8215398 hotspot runtime -Xlog option usage => Invalid decorator '\temp\app_cds.log'.
8220165 security-libs javax.crypto Encryption using GCM results in RuntimeException: input length out of bound
8201633 security-libs javax.crypto Problems with AES-GCM native acceleration
8201317 security-libs javax.crypto X25519/X448 code improvements
8208648 security-libs javax.crypto ECC Field Arithmetic Enhancements

Java™ SE Development Kit 11.0.2 (JDK 11.0.2)

January 15, 2019

The full version string for this update release is 11.0.2+9 (where "+" means "build"). The version number is 11.0.2.

IANA Data 2018g

JDK 11.0.2 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.2 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.2+9
10 10.0.99
9 9.0.99
8 1.8.0_201-b09
7 1.7.0_211-b07
6 1.6.0_221

Oracle JDK Expiration Date

The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.2) will expire with the release of the next critical patch update scheduled for April 16, 2019.

Known Issues

client-libs

GTK+ 3.20 and Later Unsupported by Swing
Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore, Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release.

Changes

security-libs/javax.net.ssl

TLS anon and NULL Cipher Suites are Disabled
The TLS anon (anonymous) and NULL cipher suites have been added to the jdk.tls.disabledAlgorithms security property and are now disabled by default.

hotspot/runtime

Linux Native Code Checks
Additional safeguards to protect against buffer overruns in native code have been enabled on Linux. If a buffer overrun is encountered the system will write the message “stack smashing detected” and the program will exit. Issues of this type should be reported to your vendor.

JDK-8196902 (not public)

security-libs/javax.net.ssl

Enable Java Access Bridge Check Box Option in Control Panel Is Not Available with JDK 11 Installer
The Java Access Bridge checkbox in the Windows Control Panel is not available in JDK11. This registration was part of the public JRE installation. However, Java Access Bridge can still be enabled and disabled by following these steps:

  1. Copy %JAVAHOME%\bin\windowsaccessbridge-64.dll to %WINDOWSHOME%\SYSTEM32. A reboot might be required after this step.
  2. Run %JAVAHOME%\bin\jabswitch /enable and %JAVAHOME%\bin\jabswitch /disable.
Notes:
  • %WINDOWSHOME% is the directory where Microsoft Windows is installed (for example, C:\WINDOWS)
  • %JAVAHOME% is the directory where your JDK is installed (for example, C:\Program Files\Java\jdk-11)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.2:

# BugId Component Subcomponent Summary
1 JDK-7017058 client-libs 2d Malayalam glyph substitution is failing for Malayalam with Windows Kartika font.
2 JDK-8210335 client-libs 2d Clipping problems with complex affine transforms: negative scaling factors or small scaling factors
3 JDK-8206392 client-libs javax.swing [macosx] Cycling through windows (JFrames) does not work with keyboard shortcut
4 JDK-8209786 core-libs   JDK12 fails to build on s390x with gcc 7.3
5 JDK-8211437 core-libs java.net java.net.http.HttpClient hangs on 204 reply without Content-length 0
6 JDK-8203850 core-libs java.net java.net.http HTTP client should allow specifying Origin and Referer headers
7 JDK-8211420 core-libs java.net com.sun.net.httpserver.HttpServer returns Content-length header for 204 response code
8 JDK-8212926 core-libs java.net HttpClient does not retrieve files with large sizes over HTTP/1.1
9 JDK-8209576 core-libs java.nio.charsets java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8
10 JDK-8206389 core-libs java.util.jar JarEntry.setCreation/LastAccessTime without setLastModifiedTime causes Invalid CEN header
11 JDK-8209775 core-libs java.util:i18n ISO 4217 Amendment #169 Update
12 JDK-8208746 core-libs java.util:i18n ISO 4217 Amendment #168 Update
13 JDK-8210153 core-libs java.util:i18n localized currency symbol of VES
14 JDK-8210490 core-libs java.util:i18n TimeZone.getDisplayName given Locale.US doesn't always honor the Locale
15 JDK-8212795 core-svc java.lang.management ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to CompositeData
16 JDK-8212197 core-svc java.lang.management OpenDataException thrown when constructing CompositeData for StackTraceElement
17 JDK-8209996 hotspot   [PPC64] Fix JFR profiling.
18 JDK-8211105 hotspot compiler AArch64: Disable cos/sin and log intrinsics in jdk11u pending fix
19 JDK-8210497 hotspot compiler [PPC64] Vector registers not saved across safepoint
20 JDK-8210319 hotspot compiler [s390]: Use of shift operators not covered by cpp standard
21 JDK-8209950 hotspot compiler SIGBUS in CodeHeapState::print_names()
22 JDK-8210355 hotspot compiler Minimal and Zero non-PCH builds fail after JDK-8207343 (Automate vtable/itable stub size calculation)
23 JDK-8210357 hotspot compiler Zero builds fail after JDK-8207343 (Automate vtable/itable stub size calculation)
24 JDK-8207343 hotspot compiler Automate vtable/itable stub size calculation
25 JDK-8211375 hotspot compiler Minimal VM build failures after JDK-8211251 (Default mask register for avx512 instructions)
26 JDK-8211272 hotspot compiler x86_32 build failures after JDK-8210764 (Update avx512 implementation)
27 JDK-8211251 hotspot compiler Default mask register for avx512 instructions
28 JDK-8210764 hotspot compiler Update avx512 implementation
29 JDK-8209588 hotspot compiler SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls
30 JDK-8209639 hotspot compiler assert failure in coalesce.cpp: attempted to spill a non-spillable item
31 JDK-8211061 hotspot compiler Tests fail with assert(VM_Version::supports_sse4_1()) on ThreadRipper CPU
32 JDK-8211231 hotspot compiler BarrierSetC1::generate_referent_check() confuses register allocator
33 JDK-8211856 hotspot compiler [ppc, s390] ProblemList some failing tests.
34 JDK-8209942 hotspot gc [epsilon] range function for EpsilonTLABElasticity causes compiler warning
35 JDK-8212177 hotspot gc Epsilon alignment adjustments can overflow max TLAB size
36 JDK-8212005 hotspot gc Epsilon elastic TLAB sizing may cause misalignment
37 JDK-8211768 hotspot jfr [s390] Implement JFR profiling.
38 JDK-8210775 hotspot jvmti JVM TI Spec missing copyright
39 JDK-8212754 hotspot jvmti Build failure: undefined JvmtiSampledObjectAllocEventCollector::object_alloc_is_safe_to_sample
40 JDK-8211909 hotspot jvmti JDWP Transport Listener: dt_socket thread crash
41 JDK-8211065 hotspot runtime Private method check in linkResolver is incorrect
42 JDK-8211208 hotspot runtime make AllocateHeapAt an unsupported option on AIX
43 JDK-8211852 hotspot runtime inspect stack during error reporting
44 JDK-8027434 hotspot runtime "-XX:OnOutOfMemoryError" uses fork instead of vfork
45 JDK-8211714 hotspot runtime Need to update vm_version.cpp to recognise VS2017 minor versions
46 JDK-8210754 hotspot runtime print_location is not reliable enough (printing register info)
47 JDK-8210964 hotspot runtime add more ld preloading info to hs_error file on Linux
48 JDK-8209889 hotspot runtime RedefineStress tests crash
49 JDK-8211956 hotspot runtime AppCDS crashes for some uses with JRuby
50 JDK-8210836 hotspot svc-agent Build fails with warn_unused_result in openjdk/src/jdk.hotspot.agent/linux/native/libsaproc/ps_core.c
51 JDK-8211012 install uninstall [Linux] JDK 11, warning when uninstall rpm package "warning: %postun(jdk-11-2000:11-ga.x86_64) scriptlet failed, exit status 2
52 JDK-8209862 security-libs javax.crypto CipherCore performance improvement
53 JDK-8210334 security-libs javax.net.ssl TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes
54 JDK-8211883 security-libs javax.net.ssl Disable anon and NULL cipher suites
55 JDK-8211806 security-libs javax.net.ssl TLS 1.3 handshake server name indication is missing on a session resume
56 JDK-8210502 tools   jdeps does not handle properly on analyzing a mixture of MR JARs and non-MR JARs
57 JDK-8205593 tools javadoc(tool) Javadoc -link makes broken links if module name matches package name
58 JDK-8210810 tools launcher Escaped character at specific position in argument file is not handled properly
59 JDK-8212178 xml javax.xml.stream Soft reference reclamation race in com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator

Java™ SE Development Kit 11.0.1 (JDK 11.0.1)

October 16, 2018

The full version string for this update release is 11.0.1+13 (where "+" means "build"). The version number is 11.0.1.

IANA Data 2018e

JDK 11.0.1 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.1 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.1+13
10 10.0.99
9 9.0.99
8 1.8.0_191-b12
7 1.7.0_201-b11
6 1.6.0_211-b11

Oracle JDK Expiration Date

The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.1) will expire with the release of the next critical patch update scheduled for January 15, 2019.

Changes

security-libs/java.security
 Added Additional TeliaSonera Root Certificate

The following root certificate have been added to the OpenJDK cacerts truststore:

  • TeliaSonera
    • teliasonerarootcav1

      DN: CN=TeliaSonera Root CA v1, O=TeliaSonera

core-libs/javax.naming
 Improve LDAP support

Endpoint identification has been enabled on LDAPS connections.

To improve robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.

JDK-8200666 (not public)

core-svc
 Changed Central File System Location for usagetracker.properties File

The file system location in Windows for the usagetracker.properties file has been moved from %ProgramData%\Oracle\Java\ to %ProgramFiles%\Java\conf

There is no change in the file path for Linux, Solaris, or macOS.

JDK-8204901 (not public)

security-libs/javax.net.ssl
 Problem looking up Client Certificates in keystore

Prior to JDK 8u261, the JSSE framework passed an array of Strings of all keytypes in one call to the (delegate) javax.net.ssl.X509KeyManager.chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) implementation when client authentication is present in an application. Since JDK 8u261, the internal JDK libraries may call the delegate javax.net.ssl.X509KeyManager.chooseClientAlias method in multiple iterations while performing client authentication. One key type per call. https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509KeyManager.html#chooseClientAlias-java.lang.String:A-java.security.Principal:A-java.net.Socket-

If application code implements javax.net.ssl.X509KeyManager, ensure that the code logic in that implementation does not assume that all keytypes are passed in the keyType String array in the first call to chooseClientAlias: String chooseClientAlias​(String[] keyType, Principal[] issuers, Socket socket)

security-libs/javax.net.ssl
 Disabled All DES TLS Cipher Suites

DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the jdk.tls.disabledAlgorithms security property. These cipher suites can be reactivated by removing "DES" from the jdk.tls.disabledAlgorithms security property in the java.security file or by dynamically calling the Security.setProperty() method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the SSLSocket.setEnabledCipherSuites() or SSLEngine.setEnabledCipherSuites() methods.

Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the jdk.tls.disabledAlgorithms security property.

security-libs/javax.crypto
 Improved Cipher Inputs

The specification of javax.crypto.CipherInputStream has been clarified to indicate that this class may catch BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client may not be informed that integrity checks failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (e.g. GCM). Applications that require authenticated encryption can use the Cipher API directly as an alternative to using this class.

JDK-8201756 (not public)


Bug Fixes

The following are some of the notable bug fixes included in this release:

core-libs/javax.naming

LDAPS Communication Failure 
Application code using LDAPS with a socket connect timeout that is <= 0 (the default value) may encounter an exception when establishing the connection.

The top most frames from Exception stack traces of applications encountering such issues might resemble the following:

javax.naming.ServiceUnavailableException: <server:port>; socket closed
at   com.sun.jndi.ldap.Connection.readReply(Unknown Source)
at   com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)
...
core-libs/java.net

Better HTTP Redirection Support 
In this release, the behavior of methods which application code uses to set request properties in java.net.HttpURLConnection has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects. If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling HttpURLConnection.setInstanceFollowRedirects(false) for the original request.

JDK-8196902 (not public)

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.1:

# BugId Component Subcomponent Summary
1 JDK-8210345 core-libs java.io The Japanese message of FileNotFoundException garbled.
2 JDK-8211107 core-libs javax.naming LDAPS communication failure with jdk 1.8.0_181
3 JDK-8208350 security-libs javax.net.ssl Disable all DES cipher suites
4 JDK-8209916 security-libs javax.net.ssl NPE in SupportedGroupsExtension
5 JDK-8210846 security-libs javax.net.ssl TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth

JDK 11 Documentation

The Java Platform, Standard Edition 11 Development Kit (JDK 11) is a feature release of the Java SE platform. It contains new features and enhancements in many functional areas.

You can use the links on this page to open the Release Notes describing important changes, enhancements, removed APIs and features, deprecated APIs and features, and other information about JDK 11 and Java SE 11.

Links to other sources of information about JDK 11 are also provided. The JDK Guides and Reference Documentation link below displays a page containing links to the user guides, troubleshooting information, and specific information of interest to users moving from previous versions of the JDK. Links to the JDK 11 API Specification and the Java Language and Virtual Machine Specifications are provided below in the JDK 11 Specifications group.

Note: The Release Notes files are located only on our website.