  • Consolidated Release Notes

    This page contains all of the release notes for General Availability (GA) releases and Bundled Patch Release (BPR) builds of JDK 11.

    BPR builds are available only as commercial offerings to Oracle customers. They include fixes critical to customers that could not wait until the next scheduled release. Fixes introduced on BPRs are added to later GA releases.

  • JDK 11.0.19 ( GA and BPR builds)
  • JDK 11.0.18 ( GA and BPR builds)
  • JDK 11.0.17 ( GA and BPR builds)
  • JDK 11.0.16.1 ( GA and BPR builds)
  • JDK 11.0.16 ( GA )
  • JDK 11.0.15.1 ( GA and BPR builds)
  • JDK 11.0.15 ( GA and BPR builds)
  • JDK 11.0.14 ( GA and BPR builds)
  • JDK 11.0.13 ( GA and BPR builds)
  • JDK 11.0.12 ( GA and BPR builds)
  • JDK 11.0.11 ( GA and BPR builds)
  • JDK 11.0.10 ( GA and BPR builds)
  • JDK 11.0.9 ( GA and BPR builds)
  • JDK 11.0.8 ( GA and BPR builds)
  • JDK 11.0.7 ( GA and BPR builds)
  • JDK 11.0.6 ( GA and BPR builds)
  • JDK 11.0.5 ( GA and BPR builds)
  • JDK 11.0.4 ( GA and BPR builds)
  • JDK 11.0.3 ( GA and BPR builds)
  • JDK 11.0.2 ( GA and BPR builds)
  • JDK 11.0.1 ( GA )
  • JDK 11 ( GA )
  • Java SE 11.0.19 Bundled Patch Release (BPR) - Bug Fixes and Updates

    The following sections summarize changes made in all Java SE 11.0.19 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

    Changes in Java SE 11.0.19.0.2

    Java™ SE Development Kit 11.0.19 (JDK 11.0.19)

    April 18, 2023

    The full version string for this update release is 11.0.19+9 (where "+" means "build"). The version number is 11.0.19.

    IANA TZ Data 2022g

    JDK 11.0.19 contains IANA time zone data 2022g which contains the following changes:

  • The northern edge of Chihuahua changes to US timekeeping.
  • Much of Greenland stops changing clocks after March 2023.
  • Fix some pre-1996 timestamps in northern Canada.
  • C89 is now deprecated; please use C99 or later.
  • Portability fixes for AIX, libintl, MS-Windows, musl, z/OS.
  • In C code, use more C23 features if available.
  • C23 timegm now supported by default.
  • Fixes for unlikely integer overflows.

    For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.19 are specified in the following table:

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update. Use the Security Baseline page to determine the latest version for each release family. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 11.0.19) after the next critical patch update release, scheduled for July 18, 2023.

    New Features

    security-libs/org.ietf.jgss
    Added a Default Native GSS-API Library on Windows ( JDK-6722928 )

    A native GSS-API library named sspi_bridge.dll has been added to the JDK on the Windows platform. The library is client-side only and uses the default credentials. It will be loaded when the sun.security.jgss.native system property is set to "true". A user can still load a third-party native GSS-API library by setting the sun.security.jgss.lib system property to its path.

    Native GSS automatically uses cached credentials from operating systems, thus the javax.security.auth.useSubjectCredsOnly system property should be set to false.

    com.sun.security.auth.module.Krb5LoginModule does not call native JGSS. Avoid using com.sun.security.auth.module.Krb5LoginModule from JAAS config.

    Other Notes

    client-libs/javax.swing
    System Property to Handle HTML ObjectView Creation (JDK-8296832 (Not Public))

    Some Swing components, such as JLabels and JButtons, which display application text, will try to interpret that text as HTML, principally to enable styled text. The HTML processing of the text for these components will no longer recognize the <object> tag which allows for subclasses of java.awt.Component to be rendered on the component. To re-enable this, applications must specify -Dswing.html.object=true.

    security-libs/java.security
    Added Certigna(Dhimyotis) Root CA Certificate ( JDK-8245654 )

    The following root certificate has been added to the cacerts truststore:

    + Certigna (Dhimyotis)
      + certignarootca
        DN: CN=Certigna, O=Dhimyotis, C=FR

    security-libs/javax.net.ssl
    Removed SSLv2Hello and SSLv3 From Default Enabled TLS Protocols ( JDK-8190492 )

    SSLv2Hello and SSLv3 have been removed from the default enabled TLS protocols.

    After this update, if SSLv3 is removed from the jdk.tls.disabledAlgorithms security property, the SSLSocket.getEnabledProtocols(), SSLServerSocket.getEnabledProtocols(), SSLEngine.getEnabledProtocols() and SSLParameters.getProtocols() APIs will return "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1". "SSLv3" will not be returned in this list.

    If a client or server still needs to use the SSLv3 protocol they can do so by enabling it through the jdk.tls.client.protocols or jdk.tls.server.protocols system properties or with the SSLSocket.setEnabledProtocols(), SSLServerSocket.setEnabledProtocols() and SSLEngine.setEnabledProtocols() APIs.
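
    A deployment check for the change described above, as an added example that is not part of the release notes: it reports whether SSLv2Hello or SSLv3 is enabled on the JVM's default SSLContext and whether one of the override properties named above is set. The class name LegacyProtocolAudit is hypothetical.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (hypothetical class name): audits the default TLS configuration
// of the running JVM for the legacy protocols removed by JDK-8190492.
public class LegacyProtocolAudit {

    private static final List<String> LEGACY = Arrays.asList("SSLv2Hello", "SSLv3");

    // Returns the legacy protocol names present in a list of protocol names.
    static List<String> legacyIn(String[] protocols) {
        List<String> hits = new ArrayList<>();
        for (String p : protocols) {
            if (LEGACY.contains(p.trim())) {
                hits.add(p.trim());
            }
        }
        return hits;
    }

    // Prints one view of the configuration and returns true if it is clean.
    static boolean report(String view, String[] protocols) {
        List<String> hits = legacyIn(protocols);
        System.out.printf("%-26s %s%s%n", view, Arrays.toString(protocols),
                hits.isEmpty() ? "" : "  <-- legacy enabled: " + hits);
        return hits.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine client = ctx.createSSLEngine();
        client.setUseClientMode(true);
        SSLEngine server = ctx.createSSLEngine();
        server.setUseClientMode(false);

        boolean clean = report("client SSLEngine", client.getEnabledProtocols());
        clean &= report("server SSLEngine", server.getEnabledProtocols());
        clean &= report("default SSLParameters", ctx.getDefaultSSLParameters().getProtocols());

        // The two system properties the note names as a way to re-enable SSLv3.
        for (String prop : Arrays.asList("jdk.tls.client.protocols", "jdk.tls.server.protocols")) {
            String value = System.getProperty(prop);
            if (value != null) {
                clean &= report(prop, value.split(","));
            }
        }

        // Informational: the note refers to SSLv3 being listed in this security property.
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        boolean listed = disabled != null
                && Arrays.asList(disabled.split("\\s*,\\s*")).contains("SSLv3");
        System.out.println("SSLv3 listed in jdk.tls.disabledAlgorithms: " + listed);

        // Non-zero exit status lets a build or startup script fail on a finding.
        System.exit(clean ? 0 : 1);
    }
}
```

    Run it with the same command-line properties and java.security overrides as the application being checked, since both change the result.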

    core-libs/java.io
    File::listRoots Changed to Return All Available Drives on Windows ( JDK-8208077 )

    The behavior of the method java.io.File.listRoots() on Microsoft Windows has changed in this release so that the returned array includes a File object for all available disk drives. This differs from the behavior in JDK 10 to JDK 20, where this method filtered out disk drives that were not accessible or did not have media present. This change avoids performance issues observed in the previous releases and also ensures that the method is consistent with the root directories in the iteration returned by FileSystem.getDefault().getRootDirectories().

    security-libs/java.security
    Crypto-J Exception for Diffie-Hellman and DSA AlgorithmParameters Requests ( JDK-8278027 )

    Applications using the Dell BSAFE Crypto-J 3rd party security provider may encounter an IOException if decoding DH or DSA algorithm parameters with the following exception:

    Exception in thread "main" java.io.IOException: Could not decode parameters.
        at com.rsa.cryptoj.o.ms.engineInit(Unknown Source)
        at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)

    Dell BSAFE Crypto-J version 6.2.6.2 has been released to address this issue. Applications using this provider should upgrade to that version or later. For applications on older versions of this provider, an interoperability fix has been added to this release of the JDK.

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

    Issues fixed in 11.0.19:

    1 | JDK-8285399 | client-libs/2d | JNI exception pending in awt_GraphicsEnv.c:1432
    2 | JDK-8284023 | client-libs/java.awt | java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
    3 | JDK-8296496 | client-libs/java.awt | Overzealous check in sizecalc.h prevents large memory allocation
    4 | JDK-8279614 | client-libs/java.awt | The left line of the TitledBorder is not painted on 150 scale factor
    5 | JDK-8288332 | client-libs/java.awt | Tier1 validate-source fails after 8279614
    6 | JDK-8295685 | client-libs/java.awt | Update Libpng to 1.6.38
    7 | JDK-8282958 | client-libs/javax.swing | Rendering Issues with Borders on Windows High-DPI systems
    9 | JDK-8294378 | core-libs/java.net | URLPermission constructor exception when using tr locale
    10 | JDK-8297569 | core-libs/java.net | URLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378
    11 | JDK-8299439 | core-libs/java.text | java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
    12 | JDK-8295530 | core-libs/java.util.jar | Update Zlib Data Compression Library to Version 1.2.13
    13 | JDK-8287180 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2022-08-08
    14 | JDK-8267038 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2022-03-02
    15 | JDK-8296239 | core-libs/java.util:i18n | ISO 4217 Amendment 174 Update
    16 | JDK-8297548 | core-libs/jdk.nashorn | Update double-conversion to 3.2.0
    17 | JDK-8169718 | core-svc/debugger | nsk/jdb/locals/locals002: ERROR: Cannot find boolVar with expected value: false
    18 | JDK-8292541 | core-svc/java.lang.management | [Metrics] Reported memory limit may exceed physical machine memory
    19 | JDK-8216314 | hotspot/compiler | SIGILL in CodeHeapState::print_names()
    20 | JDK-8276066 | hotspot/compiler | Reset LoopPercentProfileLimit for x86 due to suboptimal performance
    21 | JDK-8269574 | hotspot/compiler | C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events
    22 | JDK-8270533 | hotspot/compiler | AArch64: size_fits_all_mem_uses should return false if its output is a CAS
    23 | JDK-8295066 | hotspot/compiler | Folding of loads is broken in C2 after JDK-8242115
    24 | JDK-8256934 | hotspot/compiler | C2: assert(C->live_nodes() <= C->max_node_limit()) failed: Live Node limit exceeded limit
    25 | JDK-8296912 | hotspot/compiler | C2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1
    26 | JDK-8290964 | hotspot/compiler | C2 compilation fails with assert "non-reduction loop contains reduction nodes"
    27 | JDK-8296924 | hotspot/compiler | C2: assert(is_valid_AArch64_address(dest.target())) failed: bad address
    28 | JDK-8285835 | hotspot/compiler | SIGSEGV in PhaseIdealLoop::build_loop_late_post_work
    29 | JDK-8295788 | hotspot/compiler | C2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node"
    30 | JDK-8297951 | hotspot/compiler | C2: Create skeleton predicates for all If nodes in loop predication
    31 | JDK-8297264 | hotspot/compiler | C2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top
    32 | JDK-8295116 | hotspot/compiler | C2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead
    33 | JDK-8287425 | hotspot/compiler | Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path
    34 | JDK-8242115 | hotspot/compiler | C2 SATB barriers are not safepoint-safe
    35 | JDK-8272985 | hotspot/gc | Reference discovery is confused about atomicity and degree of parallelism
    36 | JDK-8283199 | hotspot/runtime | Linux os::cpu_microcode_revision() stalls cold startup
    37 | JDK-8271506 | hotspot/runtime | Add ResourceHashtable support for deleting selected entries
    38 | JDK-8048190 | hotspot/runtime | NoClassDefFoundError omits original ExceptionInInitializerError
    39 | JDK-8291763 | hotspot/runtime | Include virtualization information in hs_err crash log on Solaris
    40 | JDK-8289424 | hotspot/runtime | Include LD_HWCAP in hs_err log output
    41 | JDK-8287107 | hotspot/runtime | CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
    42 | JDK-8287741 | hotspot/runtime | Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
    43 | JDK-8293472 | hotspot/runtime | Incorrect container resource limit detection if manual cgroup fs mounts present
    44 | JDK-8231610 | hotspot/runtime | Relocate the CDS archive if it cannot be mapped to the requested address
    45 | JDK-8287011 | hotspot/runtime | Improve container information
    46 | JDK-8286030 | hotspot/runtime | Avoid JVM crash when containers share the same /tmp dir
    47 | JDK-8298349 | install/install | /usr/java/latest points to wrong JDK
    48 | JDK-8298330 | install/install | /usr/java/latest is missing after one of JDK rpms is uninstalled
    49 | JDK-8242897 | security-libs/java.security | KeyFactory.generatePublic( x509Spec ) failed with java.security.InvalidKeyException
    50 | JDK-8280890 | security-libs/java.security | Cannot use '-Djava.system.class.loader' with class loader in signed JAR
    51 | JDK-8253829 | security-libs/org.ietf.jgss | Wrong length compared in SSPI bridge
    52 | JDK-8225687 | security-libs/org.ietf.jgss | Newly added sspi.cpp in JDK-6722928 still contains some small errors
    53 | JDK-8222251 | tools/javac | preflow visitor is not visiting lambda expressions
    54 | JDK-8222091 | tools/javadoc(tool) | Javadoc does not handle package annotations correctly on package-info.java
    55 | JDK-8296619 | tools/javadoc(tool) | Upgrade jQuery to 3.6.1

    security-libs | java.security | Cannot use '-Djava.system.class.loader' with class loader in signed JAR
    JDK-8297804 | core-libs | java.time | (tz) Update Timezone Data to 2022g

    Java™ SE Development Kit 11.0.18 (JDK 11.0.18)

    January 17, 2023

    The full version string for this update release is 11.0.18+9 (where "+" means "build"). The version number is 11.0.18.

    IANA TZ Data 2022d, 2022e, 2022f

    JDK 11.0.18 contains IANA time zone data 2022d, 2022e, 2022f.

  • Palestine transitions are now Saturdays at 02:00.
  • Simplify three Ukraine zones into one.
  • Jordan and Syria switch from +02/+03 with DST to year-round +03.
  • Mexico will no longer observe DST except near the US border.
  • Chihuahua moves to year-round -06 on 2022-10-30.
  • Fiji no longer observes DST.
  • Move links to 'backward'.
  • In vanguard form, GMT is now a Zone and Etc/GMT a link.
  • zic now supports links to links, and vanguard form uses this.
  • Simplify four Ontario zones.
  • Fix a Y2438 bug when reading TZif data.
  • Enable 64-bit time_t on 32-bit glibc platforms.
  • Omit large-file support when no longer needed.
  • In C code, use some C23 features if available.
  • Remove no-longer-needed workaround for Qt bug 53071.

    For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.18 are specified in the following table:

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.18) be used after the next critical patch update scheduled for April 18, 2023.

    New Features

    security-libs/javax.net.ssl
    DTLS Resumption Uses HelloVerifyRequest Messages (JDK-8287411 (not public))

    With this fix the SunJSSE DTLS implementation will by default exchange cookies for all handshakes (new and resumed) unless the System property jdk.tls.enableDtlsResumeCookie is false. The property only affects the cookie exchange for resumption.

    security-libs/java.security
    Support for RSASSA-PSS in OCSP Response ( JDK-8274471 )

    An OCSP response signed with the RSASSA-PSS algorithm is now supported.

    Known Issues

    install/install
    Installation of Oracle Linux Specific x64 JDK RPMs Pulls in i686 Dependencies (JDK-8297475 (Not Public))

    This issue prevents yum from automatically installing the correct packages required by Oracle Linux specific x86_64 headless and headful JDK packages. Instead of x86_64 packages, it will install i686 packages. To work around the issue, you may manually install packages with the same names as indicated by yum but with the x86_64 architecture.

    After you have the x86_64 headless and/or headful jdk packages installed, you can get the list of required x86_64 packages by running the following script:

    rpm -qa | grep -E -e '^jdk-.*-headful-.*\.x86_64$' -e '^jdk-.*-headless-.*\.x86_64$' | xargs -r rpm -q --requires | sort -u | cut -d ' ' -f 1 | grep -v '^rpmlib' | xargs -r rpm -q --whatprovides | sort -u | grep -e '.i[3456]86$' | xargs -r rpm -q --queryformat '%{name}.x86_64\n' | xargs -r echo

    It will output a space-separated list of names of required x86_64 packages to stdout. You can pass this list to a sudo yum install command to ensure the installation of the required packages.

    Other Notes

    javafx/fxml
    FXML JavaScript Engine Disabled by Default (JDK-8294779 (not public))

    The “JavaScript script engine” for FXML is now disabled by default. Any .fxml file that has a "javascript" Processing Instruction (PI) will no longer load by default, and an exception will be thrown.

    It can be enabled by setting the system property: -Djavafx.allowjs=true

    globalization
    Translated resource bundles for German ( JDK-8263773 )

    With 11.0.14, we are shipping the original JDK 11 translated resource bundles for German.

    install/install
    RPM JDK Installer Changes ( JDK-8292836 )

    The installation directory name of the Oracle JDK in the RPM package has changed from /usr/java/jdk-${VERSION} to /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}. Thus the 11.0.18 and 11.0.19 releases for x64 will both be installed in the /usr/lib/jvm/jdk-11-oracle-x64 directory. The RPM package will create a /usr/java/jdk-${FEATURE} link pointing to the installation directory for backward compatibility.

    Communication between the JDK RPM package and the alternatives framework has changed. JDK RPM packages of prior versions registered a single java group of commands with the alternatives framework. The JDK 11 RPM package registers java and javac groups with the alternatives framework. The java group is for commands used to run applications: java, jjs, keytool, pack200, rmid, rmiregistry, unpack200. The javac group is used for all other commands. The set of commands registered by the package has not changed.

    Two new Oracle Linux (OL)-specific JDK RPM packages have been added: jdk-11-headless and jdk-11-headful. These packages are available in OL7, OL8, and OL9 repositories. They are not available for OTN downloads. jdk-11-headless is a Headless Java Runtime for running non-GUI applications. jdk-11-headful is a Headful Java Runtime & Development Tools for developing and running applications of all types.

    The combination of the OL-specific jdk-11-headless and jdk-11-headful packages provides the same JDK image and the same capabilities as jdk-11 OTN package. OL-specific JDK RPM packages specify required capabilities, and the "Release" property of these packages has a %{dist} suffix.

    install/install
    Disable Side-by-Side Installations of Multiple JDK Updates in Windows JDK Installers ( JDK-8292822 )

    Windows JDK installers must install the Oracle JDK in %Program Files%\Java\jdk-%FEATURE% instead of %Program Files%\Java\jdk-%VNUM%. That is, all updates of the same release must share one installation directory.

    Thus the 11.0.18 and 11.0.19 releases will both install into %Program Files%\Java\jdk-11 by default, and they cannot both be installed at the same time.

    If the JDK11.0.19 installer is launched when JDK11.0.18 is already installed, it will auto-upgrade them to JDK11.0.19. There may be a Files In Use dialog shown if the older version was running and locking JDK files.

    If the JDK11.0.18 installer is launched when JDK11.0.19 is already installed, it will show an error that a newer version of this JDK family is already installed.

    install/install
    All JDK Update Releases Are Installed Into the Same Directory on macOS ( JDK-8292830 )

    The Oracle JDK installation directory name will be changed from /Library/Java/JavaVirtualMachines/jdk-${VERSION}.jdk to /Library/Java/JavaVirtualMachines/jdk-${FEATURE}.jdk. Thus the 11.0.18 and 11.0.19 releases will both install into the /Library/Java/JavaVirtualMachines/jdk-11.jdk installation directory. Installing an older JDK update release will log an error, and not install the JDK, if a newer version of the same feature release already exists. An error dialog will be shown except in the case of a silent installation. JDK 11.0.N update releases shipped prior to JEP C208 will not be uninstalled during installation of a JDK 11 update release with JEP C208. However, the JDK 11 GA release will be removed and its location /Library/Java/JavaVirtualMachines/jdk-11.jdk will be reused.

    core-libs/java.lang
    Incorrect Handling of Quoted Arguments in ProcessBuilder ( JDK-8282008 )

    ProcessBuilder on Windows is restored to address a regression caused by JDK-8250568. Previously, an argument to ProcessBuilder that started with a double-quote and ended with a backslash followed by a double-quote was passed to a command incorrectly and may cause the command to fail. For example the argument "C:\\Program Files\", would be seen by the command with extra double-quotes. This update restores the long standing behavior that does not treat the backslash before the final double-quote specially.

    security-libs/javax.security
    New Implementation Note for LoginModule on Removing Null from a Principals or Credentials set ( JDK-8282730 )

    The Set implementation that holds principals and credentials in a JAAS Subject prohibits null elements and any attempt to add, query, or remove a null element will result in a NullPointerException. This is especially important when trying to remove principals or credentials from the subject at the logout phase but they are null because of a previous failed login. Various JDK LoginModule implementations have been fixed to avoid the exception. An Implementation Note has also been added to the logout() method of the LoginModule interface. Developers should verify and if necessary update any custom LoginModule implementations to be compliant with this implementation advice.
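
    The pattern this note asks custom modules to follow, as an added example that is not code from the JDK or from the release notes: a LoginModule whose logout() checks each field for null before removing it from the Subject, exercised after a deliberately failed login. All class names, the "fail" and "user" options and the token value are hypothetical.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Added example (hypothetical names throughout): a custom LoginModule whose
// logout() is safe to call after a failed login.
public class NullSafeLogoutDemo {

    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    static final class DemoLoginModule implements LoginModule {
        private Subject subject;
        private Map<String, ?> options;
        private String pendingUser;        // set only by a successful login()
        private UserPrincipal principal;   // stays null unless commit() ran
        private String token;              // stays null unless commit() ran

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.options = options;
        }

        @Override
        public boolean login() throws LoginException {
            // Constructed stand-in for a real credential check.
            if ("true".equals(options.get("fail"))) {
                throw new FailedLoginException("authentication failed");
            }
            pendingUser = String.valueOf(options.get("user"));
            return true;
        }

        @Override
        public boolean commit() throws LoginException {
            if (pendingUser == null) {
                return false;
            }
            principal = new UserPrincipal(pendingUser);
            token = "constructed-token-for-" + pendingUser;
            subject.getPrincipals().add(principal);
            subject.getPrivateCredentials().add(token);
            return true;
        }

        @Override
        public boolean abort() throws LoginException {
            pendingUser = null;
            return true;
        }

        @Override
        public boolean logout() throws LoginException {
            // Guard each removal: both fields are null after a failed login, and
            // the Subject's sets throw NullPointerException for a null argument.
            if (principal != null) {
                subject.getPrincipals().remove(principal);
            }
            if (token != null) {
                subject.getPrivateCredentials().remove(token);
            }
            principal = null;
            token = null;
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        DemoLoginModule module = new DemoLoginModule();
        module.initialize(subject, null, Map.of(), Map.of("fail", "true"));
        try {
            module.login();
        } catch (FailedLoginException expected) {
            module.abort();
        }

        // What an unguarded logout() would do at this point.
        try {
            subject.getPrincipals().remove(null);
        } catch (NullPointerException e) {
            System.out.println("unguarded remove(null): NullPointerException");
        }

        System.out.println("guarded logout returned " + module.logout());
    }
}
```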

    infrastructure
    Toolchain Upgrade to Visual Studio 2022 ( JDK-8283723 )

    As part of ongoing maintenance, the JDK for Windows is built using the Microsoft Visual Studio 2022 toolchain starting with this release.

    If you have issues with a Java application and if you have native or JNI libraries that are compiled with a different release of the compiler, then you must consider compatibility issues between the runtimes. Specifically, your environment is supported only if you follow the Microsoft guidelines when dealing with multiple runtimes.

    security-libs/javax.net.ssl
    Change in SSLEngine.closeInbound() Behavior ( JDK-8273553 )

    The SunJSSE close notification checks for SSLEngine have been made less strict to conform to changes in the Transport Layer Security (TLS) RFCs. See also JDK-8253368.

    Specifically, if an application tries to close its SSLEngine inbound side using SSLEngine.closeInbound() without having received a close notification message from its peer, the SSLEngine will no longer:

  • trigger the transmission of a TLS fatal-level alert to the peer, and
  • invalidate the current TLS session

    The new behavior will still consider this condition an error and will throw a local javax.net.ssl.SSLException. But a fatal-level alert will no longer be generated to be sent to the peer, and the underlying session will remain valid.

    In addition, the internal transport context for the SSLEngine will also now be closed. This may result in a different SSLEngineResult.HandshakeStatus value on the SSLEngine. Any outstanding outbound data must still be obtained (SSLEngine.wrap()) and sent in order to gracefully close the connection.

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

    Issues fixed in 11.0.18:

    1 | JDK-8295429 | client-libs | Update harfbuzz md file
    2 | JDK-8293672 | client-libs | Update freetype md file
    3 | JDK-8240756 | client-libs/2d | [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
    4 | JDK-8284033 | client-libs/java.awt | Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
    5 | JDK-8277497 | client-libs/javax.accessibility | Last column cell in the JTable row is read as empty cell
    6 | JDK-8273655 | core-libs/java.net | content-types.properties files are missing some common types
    7 | JDK-8280950 | core-libs/java.util | RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
    8 | JDK-8281183 | core-libs/java.util | RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
    9 | JDK-8272352 | core-libs/java.util:i18n | Java launcher can not parse Chinese character when system locale is set to UTF-8
    10 | JDK-8294307 | core-libs/java.util:i18n | ISO 4217 Amendment 173 Update
    11 | JDK-8215571 | core-svc/debugger | jdb does not include jdk.* in the default class filter
    12 | JDK-8258894 | hotspot/compiler | C2: Forbid GCM to move stores into loops
    13 | JDK-8290781 | hotspot/compiler | Segfault at PhaseIdealLoop::clone_loop_handle_data_uses
    14 | JDK-8290711 | hotspot/compiler | assert(false) failed: infinite loop in PhaseIterGVN::optimize
    15 | JDK-8289043 | hotspot/compiler | C2: Vector constant materialization attempt
    16 | JDK-8290705 | hotspot/compiler | StringConcat::validate_mem_flow asserts with "unexpected user: StoreI"
    17 | JDK-8240281 | hotspot/compiler | Remove failing assertion code when selecting first memory state in SuperWord::co_locate_pack
    18 | JDK-8290529 | hotspot/compiler | C2: assert(BoolTest(btest).is_canonical()) failure
    19 | JDK-8288445 | hotspot/compiler | AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding
    20 | JDK-8261336 | hotspot/compiler | IGV: enhance default filters
    21 | JDK-8287091 | hotspot/compiler | aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
    22 | JDK-8272094 | hotspot/compiler | compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline"
    23 | JDK-8293816 | hotspot/compiler | CI: ciBytecodeStream::get_klass() is not consistent
    24 | JDK-8293044 | hotspot/compiler | C1: Missing access check on non-accessible class
    25 | JDK-8292158 | hotspot/compiler | AES-CTR cipher state corruption with AVX-512
    26 | JDK-8284358 | hotspot/compiler | Unreachable loop is not removed from C2 IR, leading to a broken graph
    27 | JDK-8270947 | hotspot/compiler | AArch64: C1: use zero_words to initialize all objects
    28 | JDK-8290451 | hotspot/compiler | Incorrect result when switching to C2 OSR compilation from C1
    29 | JDK-8209375 | hotspot/gc | ZGC: Use dynamic base address for mark stack space
    30 | JDK-8288754 | hotspot/gc | GCC 12 fails to build zReferenceProcessor.cpp
    31 | JDK-8232533 | hotspot/gc | G1 uses only a single thread for pretouching the java heap
    32 | JDK-8241423 | hotspot/gc | NUMA APIs fail to work in dockers due to dependent syscalls are disabled by default
    33 | JDK-8281297 | hotspot/gc | TestStressG1Humongous fails with guarantee(is_range_uncommitted)
    34 | JDK-8255716 | hotspot/runtime | AArch64: Regression: JVM crashes if manually offline a core
    35 | JDK-8266490 | hotspot/runtime | Extend the OSContainer API to support the pids controller of cgroups
    36 | JDK-8264593 | hotspot/runtime | debug.cpp utilities should be available in product builds.
    37 | JDK-8273526 | hotspot/runtime | Extend the OSContainer API pids controller with pids.current
    38 | JDK-8291459 | hotspot/runtime | JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*)
    39 | JDK-8292083 | hotspot/runtime | Detected container memory limit may exceed physical machine memory
    40 | JDK-8209689 | hotspot/test | Compiler.isGraalEnabled should not check jvmci.Compiler property
    41 | JDK-8283723 | infrastructure | Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows
    42 | JDK-8236470 | security-libs/java.security | Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId
    43 | JDK-8242151 | security-libs/java.security | Improve OID mapping and reuse among JDK security providers for aliases registration
    44 | JDK-8257722 | security-libs/java.security | Improve "keytool -printcert -jarfile" output
    45 | JDK-8239457 | security-libs/javax.crypto:pkcs11 | call ReleaseStringUTFChars before early returns in Java_sun_security_pkcs11_wrapper_PKCS11_connect
    46 | JDK-8273553 | security-libs/javax.net.ssl | sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368
    47 | JDK-8273026 | security-libs/javax.security | Slow LoginContext.login() on multi threading application
    48 | JDK-8247964 | security-libs/javax.xml.crypto | All log0() in com/sun/org/slf4j/internal/Logger.java should be private
    49 | JDK-8247907 | security-libs/javax.xml.crypto | XMLDsig logging does not work
    50 | JDK-8293578 | tools/javac | Duplicate ldc generated by javac
    51 | JDK-8266082 | tools/javac | AssertionError in Annotate.fromAnnotations with -Xdoclint
    52 | JDK-8193462 | tools/javac | Fix Filer handling of package-info initial elements
    53 | JDK-8203277 | tools/javac | preflow visitor used during lambda attribution shouldn't visit class definitions inside the lambda body
    54 | JDK-8286444 | tools/javac | javac errors after JDK-8251329 are not helpful enough to find root cause
    55 | JDK-8286855 | tools/javac | javac error on invalid jar should only print filename
    56 | JDK-8236490 | tools/javac | Compiler bug relating to @NonNull annotation
    57 | JDK-8215291 | tools/javadoc(tool) | Broken links when generating from project without modules
    58 | JDK-8287076 | xml/org.w3c.dom | Document.normalizeDocument() produces different results

    install | install | Java RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash
    JDK-8294357 | core-libs | java.time | (tz) Update Timezone Data to 2022d

    Java™ SE Development Kit 11.0.17 (JDK 11.0.17)

    October 18, 2022

    The full version string for this update release is 11.0.17+10 (where "+" means "build"). The version number is 11.0.17.

    IANA TZ Data 2022b, 2022c

    JDK 11.0.17 contains IANA time zone data 2022b, 2022c.

  • Chile's DST is delayed by a week in September 2022.
  • Iran no longer observes DST after 2022.
  • Rename Europe/Kiev to Europe/Kyiv.
  • New zic -R option
  • Vanguard form now uses %z.
  • Finish moving duplicate-since-1970 zones to 'backzone'.
  • New build option PACKRATLIST.
  • New tailored_tarballs target, replacing rearguard_tarballs.
  • Work around awk bug in FreeBSD, macOS, etc.
  • Improve tzselect on intercontinental Zones.

    For more information, refer to Timezone Data Versions in the Java Runtime.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.17 are specified in the following table:

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

    Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.17) be used after the next critical patch update scheduled for January 17, 2023.

    New Features

    security-libs/java.security
    Upgrade the Default PKCS12 MAC Algorithm ( JDK-8267880 )

    The default MAC algorithm used in a PKCS #12 keystore has been updated. The new algorithm is based on SHA-256 and is stronger than the old one based on SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.

    The new SHA-256 based MAC algorithms were introduced in the 11.0.12, 8u301, and 7u311 JDK versions. Keystores created using this newer, stronger, MAC algorithm cannot be opened in JDK versions earlier than 11.0.12, 8u301, and 7u311. A 'java.security.NoSuchAlgorithmException' exception will be thrown in such circumstances.

    For compatibility, use the keystore.pkcs12.legacy system property, which will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.

    core-libs/java.io:serialization
    JDK Flight Recorder Event for Deserialization ( JDK-8261160 )

    It is now possible to monitor deserialization of objects using JDK Flight Recorder (JFR). When JFR is enabled and the JFR configuration includes deserialization events, JFR will emit an event whenever the running program attempts to deserialize an object. The deserialization event is named jdk.Deserialization, and it is disabled by default. The deserialization event contains information that is used by the serialization filter mechanism; see the ObjectInputFilter specification. Additionally, if a filter is enabled, the JFR event indicates whether the filter accepted or rejected deserialization of the object. For further information about how to use the JFR deserialization event, see the article Monitoring Deserialization to Improve Application Security. For reference information about using and configuring JFR, see the JFR Runtime Guide and JFR Command Reference sections of the JDK Mission Control documentation.
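
    One way to use the event for monitoring, as an added example that is not part of the release notes: it enables jdk.Deserialization in an in-process recording, deserializes one allowed and one rejected object under an ObjectInputFilter, and lists the recorded events. The class name, the filter pattern and the sample objects are constructed for illustration; the field names type, filterConfigured and filterStatus are assumed from the JDK's definition of the event and are read only if present.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import jdk.jfr.Recording;
import jdk.jfr.consumer.RecordedClass;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;

// Added example (hypothetical class name): records jdk.Deserialization events
// and reports which classes the serialization filter accepted or rejected.
public class DeserializationAudit {

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Deserializes under the given filter; returns false if the filter rejected the stream.
    static boolean deserialize(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            in.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed allow-list: java.lang classes and ArrayList, everything else rejected.
        ObjectInputFilter filter =
                ObjectInputFilter.Config.createFilter("java.lang.*;java.util.ArrayList;!*");
        Path dump = Files.createTempFile("deserialization", ".jfr");

        try (Recording recording = new Recording()) {
            recording.enable("jdk.Deserialization");   // disabled by default
            recording.start();
            deserialize(serialize(new ArrayList<>(List.of("constructed"))), filter);
            deserialize(serialize(new Date(0L)), filter);   // not on the allow-list
            recording.stop();
            recording.dump(dump);
        }

        int rejected = 0;
        for (RecordedEvent event : RecordingFile.readAllEvents(dump)) {
            if (!"jdk.Deserialization".equals(event.getEventType().getName())) {
                continue;
            }
            RecordedClass type = event.hasField("type") ? event.getClass("type") : null;
            String status = event.hasField("filterStatus") ? event.getString("filterStatus") : null;
            boolean configured = event.hasField("filterConfigured")
                    && event.getBoolean("filterConfigured");
            System.out.printf("%s type=%s filterConfigured=%b filterStatus=%s%n",
                    event.getStartTime(), type == null ? "-" : type.getName(), configured, status);
            if ("REJECTED".equals(status)) {
                rejected++;
            }
        }
        System.out.println("rejected deserialization attempts: " + rejected);
        Files.deleteIfExists(dump);
    }
}
```

    On a JDK without this event the recording is simply empty, so a count of zero events should be read as "not supported here" rather than "nothing deserialized".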

    Other Notes

    security-libs/java.security
    Disabled SHA-1 Signed JARs (JDK-8269039)

    JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.

    To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.

    This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run jarsigner -verify -verbose -certs on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.

    For example:

    -  Signed by "CN="Signer""
         Digest algorithm: SHA-1 (disabled)
         Signature algorithm: SHA1withRSA (disabled), 2048-bit key
    WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
      jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
    

    JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.

    Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or override it by using the java.security.properties system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

    security-libs/org.ietf.jgss:krb5
    Deprecate 3DES and RC4 in Kerberos (JDK-8139348)

    The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set allow_weak_crypto = true in the krb5.conf configuration file to re-enable them (along with other weak etypes including des-cbc-crc and des-cbc-md5) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the default_tkt_enctypes, default_tgs_enctypes, or permitted_enctypes settings.

    core-libs/java.net
    Make HttpURLConnection Default Keep Alive Timeout Configurable (JDK-8278067)

    Two system properties have been added which control the keep alive behavior of HttpURLConnection in the case where the server does not specify a keep alive time. Two properties are defined for controlling connections to servers and proxies separately. They are http.keepAlive.time.server and http.keepAlive.time.proxy respectively. More information about them can be found in Networking Properties.

    hotspot/runtime
    CPU Shares Ignored When Computing Active Processor Count (JDK-8281181)

    Previous JDK releases used an incorrect interpretation of the Linux cgroups parameter "cpu.shares". This might cause the JVM to use fewer CPUs than available, leading to an underutilization of CPU resources when the JVM is used inside a container.

    Starting from this JDK release, by default, the JVM no longer considers "cpu.shares" when deciding the number of threads to be used by the various thread pools. The -XX:+UseContainerCpuShares command-line option can be used to revert to the previous behavior. This option is deprecated and may be removed in a future JDK release.

    core-libs/java.time
    Update Timezone Data to 2022c (JDK-8294042)

    This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone data. All time zone IDs remain the same but the merged time zones will point to a shared zone data.

    As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.

    For more details, refer to the announcement of 2022b.

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.17 Bug Fixes page.

    Java™ SE Development Kit 11, Patch 11.0.16.1 (JDK 11.0.16.1)

    August 18, 2022

    The full version string for this update release is 11.0.16.1+1 (where "+" means "build"). The version number is 11.0.16.1.

    IANA TZ Data 2022a

    For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines are unchanged from the release of JDK 11.0.16.

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

    Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.16.1) be used after the next critical patch update scheduled for October 18, 2022.

    Oracle recommends that all JDK 11 users, even those that have already updated to 11.0.16, uptake the 11.0.16.1 patch release.

    Changes

    hotspot/compiler
    C2 Compilation Errors Unpredictably Crashes JVM

    Fixes a regression in the C2 JIT compiler which caused the Java Runtime to crash unpredictably.

    Java™ SE Development Kit 11.0.16 (JDK 11.0.16)

    July 19, 2022

    The full version string for this update release is 11.0.16+11 (where "+" means "build"). The version number is 11.0.16.

    IANA TZ Data 2022a

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.16 are specified in the following table:

    JRE Family Version    JRE Security Baseline (Full Version String)
    11                    11.0.16+11
    8                     8u341-b10
    7                     7u351-b07

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.16) be used after the next critical patch update scheduled for October 18, 2022.

    Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection.

    Channel binding tokens are increasingly required as an enhanced form of security which can mitigate certain kinds of socially engineered, man-in-the-middle (MITM) attacks. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shut down the session/connection.

    The feature is controlled through a new system property jdk.https.negotiate.cbt which is described fully on the Networking Properties page.

    Other Notes

    core-libs/java.net
    Update java.net.InetAddress to Detect Ambiguous IPv4 Address Literals

    The java.net.InetAddress class has been updated to strictly accept IPv4 address literals in decimal quad notation. The InetAddress class methods are updated to throw a java.net.UnknownHostException for invalid IPv4 address literals. To disable this check, the new "jdk.net.allowAmbiguousIPAddressLiterals" system property can be set to "true".

    See JDK-8277608 (not public)

    JDK Bundle Extensions Truncated When Downloading Using Firefox 102

    On oracle.com and java.com, certain JDK bundle extensions are getting truncated on download when using Firefox version 102. The downloaded bundles have no file extension like ".exe", ".rpm", ".deb". If you are not able to upgrade to Firefox ESR 102.0.1 or Firefox 103 when it is released, then as a workaround you can:

  • Manually add a file extension to the file name after download.
  • Use a different browser.

    See JDK-8277093

    core-libs/java.io:serialization
    Vector Should Throw ClassNotFoundException for a Missing Class of an Element

    java.util.Vector is updated to correctly report ClassNotFoundException that occurs during deserialization using java.io.ObjectInputStream.GetField.get(name, object) when the class of an element of the Vector is not found. Without this fix, a StreamCorruptedException is thrown that does not provide information about the missing class.

    core-libs/java.util.jar
    Default JDK Compressor Will Be Closed when IOException Is Encountered

    The DeflaterOutputStream.close() and GZIPOutputStream.finish() methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. The ZipOutputStream.closeEntry() method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.16 Bug Fixes page.

    Java™ SE Development Kit 11, Patch 11.0.15.1 (JDK 11.0.15.1)

    May 2, 2022

    The full version string for this update release is 11.0.15.1+2 (where "+" means "build"). The version number is 11.0.15.1.

    IANA TZ Data 2022a

    For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines are unchanged from the release of JDK 11.0.15.

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.15.1) be used after the next critical patch update scheduled for July 19, 2022.

    Changes

    core-libs/java.io
    New System Property to Disable Windows Alternate Data Stream Support in java.io.File

    The Windows implementation of java.io.File allows access to NTFS Alternate Data Streams (ADS) by default. Such streams have a structure like “filename:streamname”. A system property jdk.io.File.enableADS has been added to control this behavior. To disable ADS support in java.io.File , the system property jdk.io.File.enableADS should be set to false (case ignored). Stricter path checking however prevents the use of special devices such as NUL:

    Bug Fixes

    This release is based on the previous CPU and does not contain any additional security fixes. The following issues have also been resolved:

    BugId  Category  Subcategory  Summary
    javax.xml.path  Incorrect Token type causes XPath expression to return incorrect results
    JDK-8284548  Invalid XPath expression causes StringIndexOutOfBoundsException

    Java™ SE Development Kit 11.0.15 (JDK 11.0.15)

    April 19, 2022

    The full version string for this update release is 11.0.15+8 (where "+" means "build"). The version number is 11.0.15.

    IANA TZ Data 2021e

    For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.15 are specified in the following table:

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.15) be used after the next critical patch update scheduled for July 19, 2022.

    New Features

    security-libs/javax.crypto:pkcs11
    SunPKCS11 Provider Supports ChaCha20-Poly1305 Cipher and ChaCha20 KeyGenerator if Supported by PKCS11 Library

    SunPKCS11 provider is enhanced to support the following crypto services and algorithms when the underlying PKCS11 library supports the corresponding PKCS#11 mechanisms:

    ChaCha20 KeyGenerator <=> CKM_CHACHA20_KEY_GEN mechanism
    CHACHA20-POLY1305 Cipher <=> CKM_CHACHA20_POLY1305 mechanism  
    CHACHA20-POLY1305 AlgorithmParameters <=> CKM_CHACHA20_POLY1305 mechanism  
    CHACHA20 SecretKeyFactory <=> CKM_CHACHA20_POLY1305 mechanism
    
    security-libs/javax.net.ssl
    ChaCha20 and Poly1305 TLS Cipher Suites

    New TLS cipher suites using the ChaCha20-Poly1305 algorithm have been added to JSSE. These cipher suites are enabled by default. The TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3. The following cipher suites are available for TLS 1.2:

  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

    Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for details on these new TLS cipher suites.

    xml/jaxp
    New XML Processing Limits

    Three processing limits have been added to the XML libraries. These are:

  • jdk.xml.xpathExprGrpLimit

    Description: Limits the number of groups an XPath expression can contain.

    Type: integer

    Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10.

  • jdk.xml.xpathExprOpLimit

    Description: Limits the number of operators an XPath expression can contain.

    Type: integer

    Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 100.

  • jdk.xml.xpathTotalOpLimit

    Description: Limits the total number of XPath operators in an XSL Stylesheet.

    Type: integer

    Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10000.

    Supported processors

    jdk.xml.xpathExprGrpLimit and jdk.xml.xpathExprOpLimit are supported by the XPath processor.

    All three limits are supported by the XSLT processor.

    Setting properties

    For the XSLT processor, the properties can be changed through the TransformerFactory. For example,

            TransformerFactory factory = TransformerFactory.newInstance();
            factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");
    

    For both the XPath and XSLT processors, the properties can be set through the system property and jaxp.properties configuration file located in the conf directory of the Java installation. For example,

            System.setProperty("jdk.xml.xpathExprGrpLimit", "20");
    

    or in the jaxp.properties file,

            jdk.xml.xpathExprGrpLimit=20
    

    There are two known issues:

  • An XPath expression that contains a short form of the parent axis ".." can return incorrect results. See JDK-8284920 for details.
  • An invalid XPath expression that ends with a relational operator such as ‘<’ ‘>’ and ‘=’ will cause the processor to erroneously throw StringIndexOutOfBoundsException instead of XPathExpressionException. See JDK-8284548 for details.

    JDK-8270504 (not public)

    Other Notes

    security-libs/java.security
     Only Expose Certificates With Proper Trust Settings as Trusted Certificate Entries in macOS KeychainStore

    On macOS, only certificates with proper trust settings in the user keychain will be exposed as trusted certificate entries in the KeychainStore type of keystore. Also, calling the KeyStore::setCertificateEntry method or the keytool -importcert command on a KeychainStore keystore now fails with a KeyStoreException. Instead, call the macOS "security add-trusted-cert" command to add a trusted certificate into the user keychain.

    JDK-8278449 (not public)

    core-libs/javax.naming
     Parsing of URL Strings in Built-in JNDI Providers Is More Strict

    The parsing of URLs in the LDAP, DNS, and RMI built-in JNDI providers has been made more strict. The strength of the parsing can be controlled by system properties:

      -Dcom.sun.jndi.ldapURLParsing="legacy" | "compat" | "strict"    (to control "ldap:" URLs)
      -Dcom.sun.jndi.dnsURLParsing="legacy" | "compat" | "strict"     (to control "dns:" URLs)
      -Dcom.sun.jndi.rmiURLParsing="legacy" | "compat" | "strict"     (to control "rmi:" URLs)
    

    The default value is "compat" for all of the three providers.

  • The "legacy" mode turns the new validation off.
  • The "compat" mode limits incompatibilities.
  • The "strict" mode is stricter and may cause regression by rejecting URLs that an application might consider as valid.

    In "compat" and "strict" mode, more validation is performed. As an example, in the URL authority component, the new parsing only accepts brackets around IPv6 literal addresses. Developers are encouraged to use java.net.URI constructors or its factory method to build URLs rather than handcrafting URL strings.

    If an illegal URL string is found, a java.lang.IllegalArgumentException or a javax.naming.NamingException (or a subclass of it) is raised.

    JDK-8278972 (not public)

    Java™ SE Development Kit 11.0.14 (JDK 11.0.14)

    January 18, 2022

    The full version string for this update release is 11.0.14+8 (where "+" means "build"). The version number is 11.0.14.

    IANA TZ Data 2021b, 2021c, 2021d, 2021e

    JDK 11.0.14 contains IANA time zone data 2021b, 2021c, 2021d, 2021e.
  • Jordan now starts DST on February's last Thursday.
  • Samoa no longer observes DST.
  • Merge more location-based Zones whose timestamps agree since 1970.
  • Move some backward-compatibility links to 'backward'.
  • Rename Pacific/Enderbury to Pacific/Kanton.
  • Correct many pre-1993 transitions in Malawi, Portugal, etc.
  • zic now creates each output file or link atomically.
  • zic -L no longer omits the POSIX TZ string in its output.
  • zic fixes for truncation and leap second table expiration.
  • zic now follows POSIX for TZ strings using all-year DST.
  • Fix some localtime crashes and bugs in obscure cases.
  • zdump -v now outputs more-useful boundary cases.
  • tzfile.5 better matches a draft successor to RFC 8536.
  • A new file SECURITY.
  • Revert most 2021b changes to 'backward'.
  • Fix 'zic -b fat' bug in pre-1970 32-bit data.
  • Fix two Link line typos.
  • Distribute SECURITY file.

    This release is intended as a bugfix release, to fix compatibility problems and typos reported since 2021b was released.

  • Fiji suspends DST for the 2021/2022 season.
  • 'zic -r' marks unspecified timestamps with "-00".
  • Palestine will fall back 10-29 (not 10-30) at 01:00.

    For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.14 are specified in the following table:

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.14) be used after the next critical patch update scheduled for April 19, 2022.

    New Features

    security-libs/javax.crypto:pkcs11
     New SunPKCS11 Configuration Properties

    SunPKCS11 provider adds new provider configuration attributes to better control native resources usage. The SunPKCS11 provider consumes native resources in order to work with native PKCS11 libraries. To manage and better control the native resources, additional configuration attributes are added to control the frequency of clearing native references as well as whether to destroy the underlying PKCS11 Token after logout.

    The 3 new attributes for SunPKCS11 provider configuration file are:

    destroyTokenAfterLogout (boolean, defaults to false)

    If set to true, when java.security.AuthProvider.logout() is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout() calls. Note that a PKCS11 provider with this attribute set to true should not be added to the system provider list since the provider object is not usable after a logout() method call.

    cleaner.shortInterval (integer, defaults to 2000, in milliseconds)

    This defines the frequency for clearing native references during a busy period (that is, how often the cleaner thread should process the no-longer-needed native references in the queue to free up native memory). Note that the cleaner thread will switch to the 'longInterval' frequency after 200 failed tries (that is, when no references are found in the queue).

    cleaner.longInterval (integer, defaults to 60000, in milliseconds)

    This defines the frequency for checking native references during a non-busy period (that is, how often the cleaner thread should check the queue for native references). Note that the cleaner thread will switch back to the 'shortInterval' value if native PKCS11 references for cleaning are detected.

    security-libs/javax.net.ssl
     Configurable Extensions With System Properties

    Two new system properties have been added. The system property, jdk.tls.client.disableExtensions, is used to disable TLS extensions used in the client. The system property, jdk.tls.server.disableExtensions, is used to disable TLS extensions used in the server. If an extension is disabled, it will be neither produced nor processed in the handshake messages.

    The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request, and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.

    Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please do not disable mandatory extensions, and do not use this feature unless you clearly understand the impact.

    Removed Features and Options

    security-libs/java.security
     Removed Google's GlobalSign Root Certificate

    The following root certificate from Google has been removed from the cacerts keystore:

    + alias name "globalsignr2ca [jdk]"
      Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
    

    Other Notes

    core-libs/java.nio
     Zip File System Provider Throws ZipException When Entry Name Element Contains "." or ".."

    The ZIP file system provider has been changed to reject existing ZIP files that contain entries with "." or ".." in name elements. ZIP files with these entries cannot be used as a file system. Invoking the java.nio.file.FileSystems.newFileSystem(...) methods throws ZipException if the ZIP file contains these entries.
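
    To find archives that the ZIP file system provider will now refuse, the entry names can be checked with java.util.zip before the archive is mounted. This is an added example, not code from the release notes: the class name, helper names and the sample archive with its entry names are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystem;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipException;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

public class ZipEntryNameCheck {

    // True if any '/'-separated element of the entry name is "." or "..".
    static boolean hasDotElement(String entryName) {
        for (String element : entryName.split("/")) {
            if (element.equals(".") || element.equals("..")) {
                return true;
            }
        }
        return false;
    }

    // List the entries that would make the ZIP file system provider reject the archive.
    static List<String> suspiciousEntries(Path zip) throws IOException {
        List<String> hits = new ArrayList<>();
        try (ZipFile zf = new ZipFile(zip.toFile())) {
            Enumeration<? extends ZipEntry> entries = zf.entries();
            while (entries.hasMoreElements()) {
                String name = entries.nextElement().getName();
                if (hasDotElement(name)) {
                    hits.add(name);
                }
            }
        }
        return hits;
    }

    // Try to mount the archive as a file system and report what the provider does.
    static String openAsFileSystem(Path zip) {
        // The (ClassLoader) cast selects the overload that exists in JDK 11.
        try (FileSystem fs = FileSystems.newFileSystem(zip, (ClassLoader) null)) {
            return "opened, root = " + fs.getRootDirectories().iterator().next();
        } catch (ZipException e) {
            return "rejected with ZipException: " + e.getMessage();
        } catch (IOException e) {
            return "I/O error: " + e.getMessage();
        }
    }

    static void writeEntry(ZipOutputStream out, String name) throws IOException {
        out.putNextEntry(new ZipEntry(name));
        out.write("constructed sample content".getBytes(StandardCharsets.UTF_8));
        out.closeEntry();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one ordinary entry, one with a ".." name element.
        Path zip = Files.createTempFile("constructed", ".zip");
        try (ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(zip))) {
            writeEntry(out, "docs/readme.txt");
            writeEntry(out, "docs/../notes.txt");
        }
        System.out.println("flagged entries: " + suspiciousEntries(zip));
        System.out.println("zip file system: " + openAsFileSystem(zip));
        Files.deleteIfExists(zip);
    }
}
```

    The same name check is worth applying before extracting entries to disk, since an entry with a ".." element can resolve outside the intended target directory.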

    core-libs/java.time
     Update Timezone Data to 2021c

    The IANA Time Zone Database, on which the JDK's Date/Time libraries are based, has made a tweak to some time zone rules since 2021c. Note that since this update, some of the time zone rules prior to the year 1970 have been modified according to the changes which were introduced with 2021b. For more detail, refer to the announcement of 2021b.

    core-libs/javax.naming
     LDAP Channel Binding Support for Java GSS/Kerberos

    A new JNDI environment property “com.sun.jndi.ldap.tls.cbtype” has been added to enable TLS Channel Binding data in LDAP authentication over SSL/TLS protocol to the Windows AD server. A possible value is “tls-server-end-point” - Channel Binding data is created on the basis of the TLS server certificate. See the module description of the java.naming module.

    security-libs/javax.net.ssl
     SocketExceptions Are Not Wrapped Into SSLExceptions in SSLSocketImpl

    This release reverts the behavior of SSLSocketImpl and SSLTransport introduced by JDK-8196584. SocketException will now be thrown as is instead of being suppressed into an SSLException.

    hotspot/runtime
     OperatingSystemMXBean.getProcessCpuLoad Is Now Container Aware

    For JVMs running in a container, OperatingSystemMXBean.getProcessCpuLoad now considers only the CPU resources available to the container when calculating CPU load. Prior to this change, the calculation included all CPUs on a host. After this change, management agents may report higher CPU usage by JVMs in containers that are constrained to a limited set of CPUs.

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

    Issues fixed in 11.0.14:

    1  JDK-8249548  client-libs  backward focus traversal gets stuck in button group
    2  JDK-8273436  client-libs  Backport JDK-8273426 caused build failure due to missing "All rights reserved."
    3  JDK-8211999  client-libs  java.awt  Window positioning bugs due to overlapping GraphicsDevice bounds (Windows/HiDPI)
    4  JDK-8272806  client-libs  java.awt  [macOS] "Apple AWT Internal Exception" when input method is changed
    5  JDK-6722236  client-libs  java.awt  3 Choice regression testcases are failing from 6u10_b26 build onwards
    6  JDK-8015886  client-libs  java.awt  java/awt/Focus/DeiconifiedFrameLoosesFocus/DeiconifiedFrameLoosesFocus.java sometimes failed on ubuntu
    7  JDK-8257242  client-libs  java.awt  [macOS] Java app crashes while switching input methods
    8  JDK-8274326  client-libs  javax.accessibility  [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
    9  JDK-8274056  client-libs  javax.accessibility  JavaAccessibilityUtilities leaks JNI objects
    10  JDK-8274381  client-libs  javax.accessibility  missing CAccessibility definitions in JNI code
    11  JDK-8208747  client-libs  javax.accessibility  [a11y] [macos] In Optionpane Demo, inside ComponentDialog Example, unable to navigate to all items, with VO on
    12  JDK-8270893  client-libs  javax.imageio  IndexOutOfBoundsException while reading large TIFF file
    13  JDK-8239334  client-libs  javax.swing  Tab Size does not work correctly in JTextArea with setLineWrap on
    14  JDK-8269951  client-libs  javax.swing  [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
    15  JDK-8259237  client-libs  javax.swing  Demo selection changes with left/right arrow key. No need to press space for selection.
    16  JDK-8269850  core-libs  Most JDK releases report macOS version 12 as 10.16 instead of 12.0
    17  JDK-8231717  core-libs  java.lang  Improve performance of charset decoding when charset is always compactable
    18  JDK-8274779  core-libs  java.net  HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
    19  JDK-8276536  core-libs  java.time  Update TimeZoneNames files to follow the changes made by JDK-8275766
    20  JDK-8273924  core-libs  java.util:i18n  ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
    21  JDK-8187649  core-libs  java.util:i18n  ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar
    22  JDK-8245527  core-libs  javax.naming  LDAP Channel Binding support for Java GSS/Kerberos
    23  JDK-8195703  core-svc  debugger  BasicJDWPConnectionTest.java: 'App exited unexpectedly with 2'
    24  JDK-8247469  core-svc  javax.management  getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
    25  JDK-8235211  core-svc  tools  serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file
    26  JDK-8270886  hotspot  compiler  Crash in PhaseIdealLoop::verify_strip_mined_scheduling
    27  JDK-8210392  hotspot  compiler  assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit
    28  JDK-8223137  hotspot  compiler  Rename predicate 'do_unroll_only()' to 'is_unroll_only()'.
    29  JDK-8223139  hotspot  compiler  Rename mandatory policy-do routines.
    30  JDK-8223923  hotspot  compiler  C2: Missing interference with mismatched unsafe accesses
    31  JDK-8223140  hotspot  compiler  Clean-up in 'ok_to_convert()'
    32  JDK-8272570  hotspot  compiler  C2: crash in PhaseCFG::global_code_motion
    33  JDK-8267652  hotspot  compiler  c2 loop unrolling by 8 results in reading memory past array
    34  JDK-8263303  hotspot  compiler  C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint
    35  JDK-8268019  hotspot  compiler  C2: assert(no_dead_loop) failed: dead loop detected
    36  JDK-8268672  hotspot  compiler  C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only
    37  JDK-8252049  hotspot  compiler  Native memory leak in ciMethodData ctor
    38  JDK-8231501  hotspot  compiler  VM crash in MethodData::clean_extra_data(CleanExtraDataClosure*): fatal error: unexpected tag 99
    39  JDK-8223138  hotspot  compiler  Small clean-up in loop-tree support.
    40  JDK-8271341  hotspot  compiler  Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
    41  JDK-8271340  hotspot  compiler  Crash PhaseIdealLoop::clone_outer_loop
    42  JDK-8271459  hotspot  compiler  C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
    43  JDK-8257919  hotspot  compiler  [JVMCI] profiling info didn't change after reprofile
    44  JDK-8263776  hotspot  compiler  [JVMCI] add helper to perform Java upcalls
    45  JDK-8272131  hotspot  compiler  PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj
    46  JDK-8268261  hotspot  compiler  C2: assert(n != __null) failed: Bad immediate dominator info.
    47  JDK-8272574  hotspot  compiler  C2: assert(false) failed: Bad graph detected in build_loop_late
    48  JDK-8215889  hotspot  gc  assert(!_unloading) failed: This oop is not available to unloading class loader data with ZGC
    49  JDK-8221584  hotspot  jvmti  SIGSEGV in os::PlatformEvent::unpark() in JvmtiRawMonitor::raw_exit while posting method exit event
    50  JDK-8217348  hotspot  jvmti  assert(thread->is_Java_thread()) failed: just checking
    51  JDK-8236177  hotspot  runtime  assert(status == 0) failed: error ETIMEDOUT(60), cond_wait
    52  JDK-8218483  hotspot  runtime  Crash in "assert(_daemon_threads_count->get_value() > daemon_count) failed: thread count mismatch 5 : 5"
    53  JDK-8222446  hotspot  runtime  assert(C->env()->system_dictionary_modification_counter_changed()) failed: Must invalidate if TypeFuncs differ
    54  JDK-8273229  hotspot  runtime  Update OS detection code to recognize Windows Server 2022
    55  JDK-8274840  hotspot  runtime  Update OS detection code to recognize Windows 11
    56  JDK-8273342  hotspot  runtime  Null pointer dereference in classFileParser.cpp:2817
    57  JDK-8269668  hotspot  runtime  [aarch64] java.library.path not including /usr/lib64
    58  JDK-8230674  hotspot  runtime  Heap dumps should exclude dormant CDS archived objects of unloaded classes
    59  JDK-8272124  hotspot  runtime  Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
    60  JDK-8269934  hotspot  runtime  RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
    61  JDK-8181313  hotspot  svc-agent  SA: Remove libthread_db dependency on Linux
    62  JDK-8225083  security-libs  java.security  Remove Google certificate that is expiring in December 2021
    63  JDK-8273826  security-libs  java.security  Correct Manifest file name and NPE checks
    64  JDK-8277224  security-libs  java.security  sun.security.pkcs.PKCS9Attributes.toString() throws NPE
    65  JDK-8269034  security-libs  javax.crypto:pkcs11  AccessControlException for SunPKCS11 daemon threads
    66  JDK-8240256  security-libs  javax.crypto:pkcs11  Better resource cleaning for SunPKCS11 Provider
    67  JDK-8270344  security-libs  javax.net.ssl  Session resumption errors
    68  JDK-8217633  security-libs  javax.net.ssl  Configurable extensions with system properties
    69  JDK-8268965  security-libs  javax.net.ssl  TCP Connection Reset when connecting simple socket to SSL server
    70  JDK-8211148  tools  javac  var in implicit lambdas shouldn't be accepted for source < 11
    71  JDK-8267459  tools  jshell  Pasting Unicode characters into JShell does not work.

    Java™ SE Development Kit 11.0.13 (JDK 11.0.13)

    October 19, 2021

    The full version string for this update release is 11.0.13+10 (where "+" means "build"). The version number is 11.0.13.

    IANA TZ Data 2021a

    For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.13 are specified in the following table:

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.13) be used after the next critical patch update scheduled for January 18, 2022.

    New Features

    core-libs/java.io:serialization
     Context-specific Deserialization Filters

    Allow applications to configure context-specific and dynamically-selected deserialization filters via a JVM-wide filter factory that is invoked to select a filter for each deserialization stream. The behavior is a strict subset of JEP 415: Context-Specific Deserialization Filters to allow a filter factory to be configured using a property configured on the command line or in the security properties file.

    The behavior is opt-in based on the presence of the jdk.serialFilterFactory system property on the command line or the jdk.serialFilterFactory security property. If set, the JVM-wide filter factory selects the filter for each stream when the stream is constructed and when a stream-specific filter is set.

    The JVM-wide filter factory is a java.util.function.BinaryOperator<java.io.ObjectInputFilter> function invoked when each ObjectInputStream is constructed and when the stream-specific filter is set using ObjectInputStream.setObjectInputFilter(ObjectInputFilter). The parameters are the current filter and a requested filter and the function returns the filter to be used for the stream. When invoked from the ObjectInputStream constructors, the first parameter is null and the second parameter is the static JVM-wide filter. When invoked from ObjectInputStream.setObjectInputFilter, the first parameter is the filter currently set on the stream (which was set in the constructor), and the second parameter is the filter given to ObjectInputStream.setObjectInputFilter.

    A typical filter factory should use or merge the static JVM-wide filter with other application and context-specific filters and the stream-specific filter, if one is set on the stream. The filter factory implementation can also use any contextual information at its disposal, for example, extracted from the application thread context, or its call stack, to compose and combine a new filter. It is not restricted to only use its two parameters.

    Refer to Context-Specific Deserialization Filter and Serialization Filtering Guide for details.

    JDK-8268624 (not public)
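
    A filter factory of the kind described above, as an added example that is not JDK code or part of the original release note. The class name ExampleFilterFactory, its baseline pattern and the sample objects are assumptions of this example; the launch option follows JEP 415, where the property value is the name of a public class with a public no-argument constructor on the class path.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.Status;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.List;
import java.util.function.BinaryOperator;

// Added example, not JDK code. To have the JVM invoke it for every stream, compile it,
// put it on the class path and launch with
//   java -Djdk.serialFilterFactory=ExampleFilterFactory ...
public class ExampleFilterFactory implements BinaryOperator<ObjectInputFilter> {

    // Hypothetical application baseline (an assumption of this example): bound graph
    // depth and array length, allow java.lang and java.util, reject every other class.
    static final ObjectInputFilter BASELINE = ObjectInputFilter.Config.createFilter(
            "maxdepth=20;maxarray=10000;java.lang.*;java.util.*;!*");

    @Override
    public ObjectInputFilter apply(ObjectInputFilter current, ObjectInputFilter requested) {
        if (current == null) {
            // ObjectInputStream constructor: 'requested' is the static JVM-wide filter,
            // or null when jdk.serialFilter is not configured.
            return both(requested, BASELINE);
        }
        // setObjectInputFilter: keep the filter chosen at construction and add the
        // stream-specific one, so callers can tighten the policy but never loosen it.
        return both(current, requested);
    }

    // Combine two filters: REJECTED from either one wins, then ALLOWED, else UNDECIDED.
    static ObjectInputFilter both(ObjectInputFilter first, ObjectInputFilter second) {
        if (first == null) return second;
        if (second == null) return first;
        return info -> {
            Status a = first.checkInput(info);
            if (a == Status.REJECTED) return Status.REJECTED;
            Status b = second.checkInput(info);
            if (b == Status.REJECTED) return Status.REJECTED;
            return (a == Status.ALLOWED || b == Status.ALLOWED) ? Status.ALLOWED : Status.UNDECIDED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    // Deserialize under the given filter and report the outcome.
    static String tryRead(byte[] data, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        ExampleFilterFactory factory = new ExampleFilterFactory();
        // Constructed sample data: one graph inside the baseline, one outside it.
        byte[] list = serialize(new ArrayList<>(List.of("a", "b")));
        byte[] big = serialize(BigInteger.TEN);

        // First call site: stream construction (current == null).
        ObjectInputFilter atConstruction =
                factory.apply(null, ObjectInputFilter.Config.getSerialFilter());
        System.out.println("ArrayList  : " + tryRead(list, atConstruction));
        System.out.println("BigInteger : " + tryRead(big, atConstruction));

        // Second call site: a stream-specific filter passed to setObjectInputFilter.
        ObjectInputFilter perStream =
                ObjectInputFilter.Config.createFilter("!java.util.ArrayList");
        System.out.println("ArrayList with stream filter: "
                + tryRead(list, factory.apply(atConstruction, perStream)));
    }
}
```

    Run without the property, main calls the factory by hand at both call sites; the ArrayList is accepted under the baseline, while the BigInteger and the ArrayList under the stream-specific filter are rejected.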

    Removed Features and Options

    security-libs/java.security
     Removed IdenTrust Root Certificate

    The following root certificate from IdenTrust has been removed from the cacerts keystore:

    + alias name "identrustdstx3 [jdk]"
      Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
    

    hotspot/compiler
     Remove the Experimental AOT and JIT Compiler in OracleJDK 11u

    The experimental Java-based JIT compiler, Graal JEP317, has been removed. Attempting to use it produces a JVMCI error: JVMCI compiler 'graal' not found.

    The Java Ahead-of-Time compilation experimental tool jaotc has been removed. Using HotSpot VM AOT options defined by JEP295 produces an "Unrecognized VM option" error on VM initialization.

    Developers who wish to test the Graal compiler for either AOT or JIT compilation should use GraalVM.

    JDK-8267704 (not public)

    Other Notes

    core-libs/java.lang
     Release Doesn't Correctly Recognize Windows 11

    This release doesn't correctly identify Windows 11. The property os.name is set to Windows 10 on Windows 11. In HotSpot error logs, the OS is identified as Windows 10; however, the HotSpot error log does show the Build number. Windows 11 has Build 22000.194 or above.

    install
     Change to Package Names in Linux RPM/DEB Installers

    On the Linux platform, the names of JDK packages provided by Java RPM and DEB installers have been changed. Names of JDK packages follow the jdk-<feature_release_version> pattern instead of the jdk-<update_release_version> pattern that was previously used. For example, the new names of JDK 11, 16, and 17 packages are jdk-11, jdk-16, and jdk-17 respectively.

    The change to package names disables side-by-side installation of multiple JDKs of the same release family. Only one JDK per release family can be installed on a system with RPM and DEB installers.

    If a user wants to have multiple update releases from the same family, the user must download the tar.gz bundles.

    JDK-8266653 (not public)

    security-libs/javax.net.ssl
     Updated the Default Enabled Cipher Suites Preference

    The default priority order of the cipher suites for TLS 1.0 to TLS 1.3 has been adjusted.

    For TLS 1.3, TLS_AES_256_GCM_SHA384 is now preferred over TLS_AES_128_GCM_SHA256.

    For TLS 1.0 to TLS 1.2, some of the intermediate suites have been lowered in priority as follows:

    Cipher suites that do not preserve forward secrecy have been moved lower in priority than those that do support forward secrecy. Cipher suites that use SHA-1 have been moved lower in priority.

    core-libs/javax.naming
     System Property to Control Reconstruction of Reference Address Objects by JDK's Built-in JNDI LDAP Implementation

    The scope of the com.sun.jndi.ldap.object.trustSerialData system property has been extended to control the deserialization of Java objects from the javaReferenceAddress LDAP attribute. This system property now controls the deserialization of Java objects from the javaSerializedData and javaReferenceAddress LDAP attributes.

    To prevent deserialization of Java objects from these attributes, the system property can be set to false. By default, the deserialization of Java objects from javaSerializedData and javaReferenceAddress attributes is allowed.

    JDK-8267712 (not public)

    hotspot/runtime
     Release Doesn't Correctly Recognize Windows Server 2022

    This release doesn't correctly identify Windows Server 2022. The property os.name is set to Windows Server 2019 on Windows Server 2022. In HotSpot error logs the OS is identified as Windows Server 2019; however, the HotSpot error log does show the Build number. Windows Server 2022 has Build 20348, or above.

    security-libs/java.security
     Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280

    The gencert command of the keytool utility has been updated to create AKID from the SKID of the issuing certificate as specified by RFC 5280.

    security-libs/javax.crypto:pkcs11
     SunPKCS11 Initialization With NSS When External FIPS Modules Are in Security Modules Database

    The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Before this change, when such a library was configured for NSS in non-FIPS mode, the SunPKCS11 provider would throw a RuntimeException with the message "FIPS flag set for non-internal module".

    This change allows the JDK to work properly with recent NSS releases in GNU/Linux operating systems when the system-wide FIPS policy is turned on.

    hotspot  G1 adaptive IHOP does not account for reclamation of humongous objects by young GC
    JDK-8246274  hotspot  G1 old gen allocation tracking is not in a separate class
    hotspot  compiler  C2: nested locks optimization may create unbalanced monitor enter/exit code
    JDK-8269304  hotspot  compiler  Regression ~5% in 2005 in b27
    JDK-8266653 (Confidential)  install  install  Change update mode for JDK rpm/deb installers as it breaks "yum update" for JDK11+
    JDK-8260680  tools  jshell  PipedOutputStream.write in a JShell throws error "pipe closed"
    JDK-8247403  tools  jshell  JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder

    Java™ SE Development Kit 11.0.12 (JDK 11.0.12)

    July 20, 2021

    The full version string for this update release is 11.0.12+8 (where "+" means "build"). The version number is 11.0.12.

    IANA TZ Data 2021a

    JDK 11.0.12 contains IANA time zone data 2021a.

    For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.12 are specified in the following table:

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.12) be used after the next critical patch update scheduled for October 19, 2021.

    New Features

    security-libs/org.ietf.jgss:krb5
     Support cross-realm MSSFU

    The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments.

    By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms.

    [1] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94

    security-libs/java.security
     Customizing PKCS12 keystore Generation

    New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security file.

    Also, support for the following SHA-2 based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256

    Removed Features and Options

    security-libs/java.security
     Removed Root Certificates with 1024-bit Keys

    The following root certificates with weak 1024-bit RSA public keys have been removed from the cacerts keystore:

    + alias name "thawtepremiumserverca [jdk]"
      Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    + alias name "verisignclass2g2ca [jdk]"
      Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
    + alias name "verisignclass3ca [jdk]"
      Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    + alias name "verisignclass3g2ca [jdk]"
      Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
    + alias name "verisigntsaca [jdk]"
      Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
    

    security-libs/java.security
     Removed Telia Company's Sonera Class2 CA Certificate

    The following root certificate has been removed from the cacerts truststore:

    + Telia Company
      + soneraclass2ca
        DN: CN=Sonera Class2 CA, O=Sonera, C=FI
    

    Other Notes

    install/install
     Updated List of Capabilities Provided by JDK RPMs

    The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api, jaxp_parser_impl, and java-fonts. This clean-up of the list resolves existing and potential conflicts with modular RPMs.

    There are other RPMs providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other RPMs to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.

    JDK-8263575 (not public)

    install/install
     ADDLOCAL=ToolsFeature,SourceFeature Argument No Longer Needed For Windows JDK Installer

    The ADDLOCAL=ToolsFeature,SourceFeature argument is no longer needed for the JDK installer silent mode. All required files are now installed by default.

    JDK-8262043 (not public)

    security-libs/java.security
     Upgraded the Default PKCS12 Encryption and MAC Algorithms

    The default encryption and MAC algorithms used in a PKCS #12 keystore have been updated. The new algorithms are based on AES-256 and SHA-256 and are stronger than the old algorithms that were based on RC2, DESede, and SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.

    For compatibility, a new system property named keystore.pkcs12.legacy is defined that will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.

    security-libs/java.security
     Disable SHA-1 JARs

    JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.

    In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
  • Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included by default in the JDK cacerts keystore will not be restricted.

    These exceptions may be removed in a future JDK release.

    Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or overriding it using the java.security.properties system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

    security-libs/javax.net.ssl
     Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values

    Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set, which converts characters larger than U+007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.

    SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset to "UTF-8" to revert the behavior.

    See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.
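
    The encoding difference described above and the application-side UTF-8 conversion, as an added example that is not taken from the release note or from SunJSSE. The class name, helper names and the protocol name "café/1" are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLParameters;

public class AlpnCharsetExample {

    // Wrap raw protocol-id bytes in a String with exactly one char per byte. This is the
    // form the String-based ALPN API expects now that SunJSSE uses ISO_8859_1.
    static String fromWireBytes(byte[] protocolId) {
        return new String(protocolId, StandardCharsets.ISO_8859_1);
    }

    // For a textual protocol name that the peer expects as UTF-8 on the wire:
    // do the UTF-8 conversion in the application, then wrap the bytes.
    static String fromUtf8Name(String name) {
        return fromWireBytes(name.getBytes(StandardCharsets.UTF_8));
    }

    // Bytes that a one-char-per-byte (ISO_8859_1) encoding puts on the wire.
    // Chars above U+00FF have no such encoding and getBytes would silently emit '?'.
    static byte[] toWireBytes(String alpnValue) {
        for (int i = 0; i < alpnValue.length(); i++) {
            if (alpnValue.charAt(i) > 0xFF) {
                throw new IllegalArgumentException(
                        "not representable in ISO_8859_1 at index " + i);
            }
        }
        return alpnValue.getBytes(StandardCharsets.ISO_8859_1);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x ", b & 0xFF));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        String name = "caf\u00e9/1";   // constructed name with one char above U+007F

        // 63 61 66 c3 a9 2f 31: what the earlier internal UTF-8 encoding produced
        System.out.println("UTF-8               : " + hex(name.getBytes(StandardCharsets.UTF_8)));
        // 63 61 66 e9 2f 31: what ISO_8859_1 produces for the same String
        System.out.println("ISO_8859_1          : " + hex(toWireBytes(name)));
        // 63 61 66 c3 a9 2f 31 again, with the conversion done by the application
        System.out.println("app-side conversion : " + hex(toWireBytes(fromUtf8Name(name))));

        // Passing the converted value to JSSE, next to a plain ASCII protocol.
        SSLParameters params = new SSLParameters();
        params.setApplicationProtocols(new String[] {fromUtf8Name(name), "http/1.1"});

        // A negotiated value read back from the API is decoded the same way in reverse.
        String negotiated = params.getApplicationProtocols()[0];
        System.out.println("decoded back to text: "
                + new String(toWireBytes(negotiated), StandardCharsets.UTF_8));
    }
}
```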

    core-libs/java.net
     URL FTP Protocol Handler: IPv4 Address Validation in Passive Mode

    Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.

    The following system property has been added for validation of server addresses in FTP passive mode.

  • jdk.net.ftp.trustPasvAddress

    In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address to which the FTP Client initially connected.

    To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The effect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command.

    JDK-8258432 (not public)
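
    The kind of check described above, written out for code that parses PASV replies itself. This is an added illustration, not the JDK's FTP Client implementation; the class and method names are hypothetical and the replies use documentation address ranges.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PasvAddressCheck {

    // The h1,h2,h3,h4,p1,p2 field of a 227 reply.
    private static final Pattern HOST_PORT = Pattern.compile(
            "(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3})");

    // Returns the data-connection endpoint named in a PASV reply, refusing an address
    // that differs from the control connection's peer unless trustPasvAddress is true.
    static InetSocketAddress dataEndpoint(String reply, InetAddress controlPeer,
                                          boolean trustPasvAddress) throws IOException {
        if (!reply.startsWith("227")) {
            throw new IOException("not a PASV success reply: " + reply);
        }
        Matcher m = HOST_PORT.matcher(reply);
        if (!m.find()) {
            throw new IOException("no h1,h2,h3,h4,p1,p2 field in: " + reply);
        }
        int[] f = new int[6];
        for (int i = 0; i < 6; i++) {
            f[i] = Integer.parseInt(m.group(i + 1));
            if (f[i] > 255) {
                throw new IOException("field out of range in: " + reply);
            }
        }
        // getByAddress builds the address from raw bytes, so no DNS lookup happens.
        InetAddress advertised = InetAddress.getByAddress(
                new byte[] {(byte) f[0], (byte) f[1], (byte) f[2], (byte) f[3]});
        int port = (f[4] << 8) | f[5];

        if (!advertised.equals(controlPeer) && !trustPasvAddress) {
            throw new IOException("PASV reply names " + advertised.getHostAddress()
                    + " but the control connection is to " + controlPeer.getHostAddress());
        }
        return new InetSocketAddress(advertised, port);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: control connection to 192.0.2.10.
        InetAddress server = InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 10});
        String sameHost = "227 Entering Passive Mode (192,0,2,10,195,80)";
        String otherHost = "227 Entering Passive Mode (198,51,100,7,0,22)";

        // Same address as the control connection: accepted, port 195*256+80 = 50000.
        System.out.println("same host      -> " + dataEndpoint(sameHost, server, false));

        // Different address: rejected by default.
        try {
            dataEndpoint(otherHost, server, false);
        } catch (IOException e) {
            System.out.println("different host -> rejected: " + e.getMessage());
        }

        // Prior behavior, equivalent to trusting the PASV address.
        System.out.println("trusted        -> " + dataEndpoint(otherHost, server, true));
    }
}
```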

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.12 Bug Fixes page.

    Java™ SE Development Kit 11.0.11 (JDK 11.0.11)

    April 20, 2021

    The full version string for this update release is 11.0.11+9 (where "+" means "build"). The version number is 11.0.11.

    IANA TZ Data 2020e, 2020f, 2021a

    JDK 11.0.11 contains IANA time zone data 2020e, 2020f, 2021a.

  • Volgograd switches to Moscow time on 2020-12-27 at 02:00.
  • South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

    For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.11 are specified in the following table:

    Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.11) be used after the next critical patch update scheduled for July 20, 2021.

    New Features

    tools
     jdeps --print-module-deps Reports Transitive Dependences

    jdeps --print-module-deps, --list-deps, and --list-reduce-deps options have been enhanced as follows.

    By default, they perform transitive module dependence analysis on libraries on the class path and module path, both directly and indirectly, as required by the given input JAR files or classes. Previously, they only reported the modules required by the given input JAR files or classes. The --no-recursive option can be used to request non-transitive dependence analysis.

    By default, they flag any missing dependency, i.e. not found from class path and module path, as an error. The --ignore-missing-deps option can be used to suppress missing dependence errors. Note that a custom image is created with the list of modules output by jdeps when using the --ignore-missing-deps option for a non-modular application. Such an application, running on the custom image, might fail at runtime when missing dependence errors are suppressed.

    Other Notes

    core-libs/javax.naming
     New System and Security Properties to Control Reconstruction of Remote Objects by JDK's Built-in JNDI RMI and LDAP Implementations

    jdk.jndi.object.factoriesFilter: This system and security property allows a serial filter to be specified that controls the set of object factory classes permitted to instantiate objects from object references returned by naming/directory systems. The factory class named by the reference instance is matched against this filter during remote reference reconstruction. The filter property supports pattern-based filter syntax with the format specified by JEP 290. This property applies both to the JNDI/RMI and the JNDI/LDAP built-in provider implementations. The default value allows any object factory class specified in the reference to recreate the referenced object.

    com.sun.jndi.ldap.object.trustSerialData: This system property allows control of the deserialization of Java objects from the javaSerializedData LDAP attribute. To prevent deserialization of Java objects from the attribute, the system property can be set to false. By default, deserialization of Java objects from the javaSerializedData attribute is allowed.

    JDK-8244473 (not public)

    security-libs/java.security
     Added 2 HARICA Root CA Certificates

    The following root certificates have been added to the cacerts truststore:

    + HARICA
      + haricarootca2015
        DN: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
      + haricaeccrootca2015
        DN: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
    

    security-libs/javax.net.ssl
     Disable TLS 1.0 and 1.1

    TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).

    These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms security property in the java.security configuration file.

    core-libs/java.nio.charsets
     Modified the MS950 charset Encoder's Conversion Table

    In this release, some of the one-way byte-to-char mappings have been aligned with the preferred mappings provided by the Unicode Consortium.

    core-libs/java.lang
     Less Ambiguous Processing of ProcessBuilder Quotes on Windows

    In the java.lang.ProcessBuilder implementation on Windows, the system property jdk.lang.Process.allowAmbiguousCommands=false ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess:

  • An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument.
  • An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored.
  • An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process.

    If a security manager is set, such as in WebStart applications, double-quotes are encoded as described. When there is no security manager, there is no change to existing behavior; the jdk.lang.Process.allowAmbiguousCommands property can be set to true: jdk.lang.Process.allowAmbiguousCommands=true or false. If left unset, it is the same as setting it to true.

    JDK-8250568 (not public)

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.11 Bug Fixes page.

    core-libs  java.lang  Failed to launch JVM because of NullPointerException occured on System.props
    JDK-8258878  core-libs  java.time  (tz) Upgrade time-zone data to tzdata2020e
    JDK-8259048  core-libs  java.time  (tz) Upgrade time-zone data to tzdata2020f

    Java™ SE Development Kit 11.0.10 (JDK 11.0.10)

    January 19, 2021

    The full version string for this update release is 11.0.10+8 (where "+" means "build"). The version number is 11.0.10.

    IANA Data 2020d

    JDK 11.0.10 contains IANA time zone data version 2020d. For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.10 are specified in the following table:

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

    Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.10) be used after the next critical patch update scheduled for April 20, 2021.

    New Features

    security-libs/java.security
     -groupname Option Added to keytool Key Pair Generation

    A new -groupname option has been added to keytool -genkeypair so that a user can specify a named group when generating a key pair. For example, keytool -genkeypair -keyalg EC -groupname secp384r1 will generate an EC key pair by using the secp384r1 curve. Because there might be multiple curves with the same size, using the -groupname option is preferred over the -keysize option.

    security-libs/javax.net.ssl
     Support for certificate_authorities Extension

    The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection.

    With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.

    Applications can enable this extension for server certificate selection by setting the jdk.tls.client.enableCAExtension system property to true. The default value of the property is false.

    Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when jdk.tls.client.enableCAExtension is set to true and the client trusts more CAs than the server implementation limit.
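
    To see where a given trust store stands against the two limits mentioned above, the encoded size can be estimated from the trusted CA subject names. This is an added example, not JDK code; the class and method names are hypothetical, and the size formula follows the RFC 8446 encoding of the extension (a 2-byte list length, then a 2-byte length before each DER-encoded distinguished name).

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CaExtensionSize {

    static final int EXTENSION_LIMIT = 1 << 16;     // extension size limit from the note
    static final int PEER_MESSAGE_LIMIT = 1 << 14;  // handshake limit of some servers

    // Size of the certificate_authorities extension data for the given CAs.
    static int extensionDataSize(X509Certificate[] issuers) {
        int size = 2;                                // length prefix of the whole list
        for (X509Certificate ca : issuers) {
            size += 2 + ca.getSubjectX500Principal().getEncoded().length;
        }
        return size;
    }

    // CAs trusted by the default trust manager (the JDK cacerts file unless the
    // javax.net.ssl.trustStore system property points elsewhere).
    static X509Certificate[] defaultTrustedIssuers() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] issuers = defaultTrustedIssuers();
        int size = extensionDataSize(issuers);

        System.out.println("trusted CAs: " + issuers.length
                + ", estimated extension data: " + size + " bytes");
        System.out.println("below the 2^16 extension limit: " + (size < EXTENSION_LIMIT));
        // The handshake message carries other fields as well, so a value close to
        // 2^14 already leaves no headroom with servers that enforce that limit.
        System.out.println("below a 2^14-byte message limit: " + (size < PEER_MESSAGE_LIMIT));
        System.out.println("jdk.tls.client.enableCAExtension="
                + Boolean.getBoolean("jdk.tls.client.enableCAExtension"));
    }
}
```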

    core-libs/java.lang
     POSIX_SPAWN Option on Linux

    As an additional way to launch processes on Linux, the jdk.lang.Process.launchMechanism property can be set to POSIX_SPAWN. This option has been available for a long time on other *nix platforms. The default launch mechanism (VFORK) on Linux is unchanged, so this additional option does not affect existing installations.

    POSIX_SPAWN mitigates rare pathological cases when spawning child processes, but it has not yet been extensively tested. Prudence is advised when using POSIX_SPAWN in production installations.

    security-libs/javax.net.ssl
     Support for X25519 and X448 in TLS

    The named elliptic curve groups x25519 and x448 are now available for JSSE key agreement in TLS versions 1.0 to 1.3, with x25519 being the most preferred of the default enabled named groups. The default ordered list is now:

        x25519, secp256r1, secp384r1, secp521r1, x448,
        ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
    

    The default list can be overridden by using the system property jdk.tls.namedGroups.

    security-libs/java.security
     jarsigner Preserves POSIX File Permission and symlink Attributes

    When signing a file that contains POSIX file permission or symlink attributes, jarsigner now preserves these attributes in the newly signed file but warns that these attributes are unsigned and not protected by the signature. The same warning is printed during the jarsigner -verify operation for such files.

    Note that the jar tool does not read/write these attributes. This change is more visible to tools like unzip where these attributes are preserved.

    Other Notes

    client-libs/2d
     Oracle JDK11u for Solaris Now Requires harfbuzz to be Installed

    Oracle JDK-11.0.10 and later for Solaris 11 requires that the OS provide the package library/desktop/harfbuzz as part of the system installation. This package is provided for Solaris 11.3 and later.

    $ pkg info harfbuzz
           Name: library/desktop/harfbuzz
         Summary: HarfBuzz is an OpenType text shaping engine
       Description: HarfBuzz is a library for text shaping, which converts
              unicode text to glyph indices and positions. HarfBuzz is
              used directly by libraries such as Pango, and the layout
              engines in firefox.
         Category: Desktop (GNOME)/Libraries
          State: Installed
        Publisher: solaris
    

    This is a desktop library, but the font processing it does is part of some common backend server workloads. It should always be considered as required.

    If this library is missing, then the pkg mechanism will require it during installation of the JDK. If installing the JDK by using a tar.gz bundle (for example) and the library/desktop/harfbuzz package is missing, a runtime link failure will occur when this package is needed.

    JDK-8251907 (not public)

    core-libs/java.time
     JDK time-zone data upgraded to tzdata2020d

    The JDK update incorporates tzdata2020d. The main change is:

  • Palestine ends DST earlier than predicted, on 2020-10-24.

    Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000062.html for more information.

    core-libs/java.time
     JDK time-zone data upgraded to tzdata2020c

    The JDK update incorporates tzdata2020c. The main change is:

  • Fiji starts DST later than usual, on 2020-12-20.

    Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000060.html for more information.

    core-libs/java.time
     US/Pacific-New Zone Name Removed as Part of tzdata2020b

    Following the JDK's update to tzdata2020b, the long-obsolete files named pacificnew and systemv have been removed. As a result, the "US/Pacific-New" Zone name declared in the pacificnew data file is no longer available for use.

    Information regarding this update can be viewed at https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html

    Java™ SE Development Kit 11.0.9 (JDK 11.0.9)

    October 20, 2020

    The full version string for this update release is 11.0.9+7 (where "+" means "build"). The version number is 11.0.9.

    IANA Data 2020a

    JDK 11.0.9 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.9 are specified in the following table:

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

    Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.9) be used after the next critical patch update scheduled for January 19, 2021.

    New Features

    security-libs/java.security
     Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default

    Weak named curves are disabled by default by adding them to the following disabledAlgorithms security properties: jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms, and jdk.jar.disabledAlgorithms. The named curves are listed below.

    With 47 weak named curves to be disabled, adding individual named curves to each disabledAlgorithms property would be overwhelming. To relieve this, a new security property, jdk.disabled.namedCurves, is implemented that can list the named curves common to all of the disabledAlgorithms properties. To use the new property in the disabledAlgorithms properties, precede the full property name with the keyword include. Users can still add individual named curves to disabledAlgorithms properties separate from this new property. No other properties can be included in the disabledAlgorithms properties.

    To restore the named curves, remove the include jdk.disabled.namedCurves either from specific or from all disabledAlgorithms security properties. To restore one or more curves, remove the specific named curve(s) from the jdk.disabled.namedCurves property.

    Curves that are disabled through jdk.disabled.namedCurves include the following: secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1

    Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448
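
    The include mechanism described above can be audited per property. The following is an added example, not code from Oracle or the JDK; the class and method names are hypothetical and the first data set is constructed. It expands include entries and reports whether a curve is named in each of the three disabledAlgorithms properties, first for the constructed values and then for the running JDK.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

/** Added example (hypothetical class name): audits where named curves are disabled. */
public class NamedCurveAudit {

    static final String INCLUDE = "include ";

    // The three disabledAlgorithms properties named in the release note.
    static final String[] TARGETS = {
        "jdk.tls.disabledAlgorithms",
        "jdk.certpath.disabledAlgorithms",
        "jdk.jar.disabledAlgorithms"
    };

    /** Splits a comma-separated value; entries such as "X9.62 prime192v2" keep their inner space. */
    static List<String> entries(String value) {
        List<String> out = new ArrayList<>();
        if (value == null) {
            return out; // property not set
        }
        for (String part : value.split(",")) {
            String entry = part.trim();
            if (!entry.isEmpty()) {
                out.add(entry);
            }
        }
        return out;
    }

    /** Returns the entries with each "include <property>" replaced by that property's entries. */
    static List<String> expand(String value, Function<String, String> lookup) {
        List<String> out = new ArrayList<>();
        for (String entry : entries(value)) {
            if (entry.regionMatches(true, 0, INCLUDE, 0, INCLUDE.length())) {
                String included = entry.substring(INCLUDE.length()).trim();
                out.addAll(entries(lookup.apply(included)));
            } else {
                out.add(entry);
            }
        }
        return out;
    }

    /** True if the curve is listed by name, directly or through an include. */
    static boolean disablesCurve(String value, String curve, Function<String, String> lookup) {
        for (String entry : expand(value, lookup)) {
            // Case-insensitive comparison is a choice made by this example.
            if (entry.equalsIgnoreCase(curve)) {
                return true;
            }
        }
        return false;
    }

    /** Prints one line per property showing the status of each curve. */
    static void report(String label, String[] curves, Function<String, String> lookup) {
        System.out.println(label);
        for (String prop : TARGETS) {
            String value = lookup.apply(prop);
            StringBuilder line = new StringBuilder("  " + prop + ":");
            for (String curve : curves) {
                line.append(' ').append(curve).append('=')
                    .append(disablesCurve(value, curve, lookup) ? "disabled" : "not listed");
            }
            System.out.println(line);
        }
    }

    public static void main(String[] args) {
        String[] curves = {"secp256k1", "X9.62 prime192v2", "secp256r1"};

        // Constructed sample: TLS uses the include, certpath names one curve
        // individually, and the JAR property has had the include removed.
        Map<String, String> sample = new LinkedHashMap<>();
        sample.put("jdk.disabled.namedCurves", "secp256k1, X9.62 prime192v2, brainpoolP256r1");
        sample.put("jdk.tls.disabledAlgorithms", "SSLv3, RC4, include jdk.disabled.namedCurves");
        sample.put("jdk.certpath.disabledAlgorithms", "MD2, MD5, secp256k1");
        sample.put("jdk.jar.disabledAlgorithms", "MD2, MD5, RSA keySize < 1024");
        report("Constructed sample:", curves, sample::get);

        // Effective values of the running JDK (java.security plus any overrides).
        report("Running JDK:", curves, Security::getProperty);
    }
}
```

    A curve reported as "not listed" is only absent by name; other entries in the same property, such as key size constraints, can still reject keys on that curve.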

    security-libs/org.ietf.jgss:krb5
     Support for Kerberos Cross-Realm Referrals (RFC 6806)

    The Kerberos client has been enhanced with the support of principal name canonicalization and cross-realm referrals, as defined by the RFC 6806 protocol extension.

    As a result of this new feature, the Kerberos client can take advantage of more dynamic environment configurations and does not necessarily need to know (in advance) how to reach the realm of a target principal (user or service).

    Support is enabled by default and 5 is the maximum number of referral hops allowed. To turn it off, set the sun.security.krb5.disableReferrals security or system property to false. To configure a custom maximum number of referral hops, set the sun.security.krb5.maxReferrals security or system property to any positive value.

    See further information in JDK-8223172.

    security-libs/javax.net.ssl
     Improve Certificate Chain Handling

    A new system property, jdk.tls.maxHandshakeMessageSize, has been added to set the maximum allowed size for the handshake message in TLS/DTLS handshaking. The default value of the system property is 32768 (32 kilobytes).

    A new system property, jdk.tls.maxCertificateChainLength, has been added to set the maximum allowed length of the certificate chain in TLS/DTLS handshaking. The default value of the system property is 10.

    JDK-8245417 (not public)

    security-libs/java.security
     Tools Warn If Weak Algorithms Are Used

    The keytool and jarsigner tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the jdk.security.legacyAlgorithms security property in the java.security configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.

    security-libs/org.ietf.jgss:krb5
     Support for canonicalize in krb5.conf

    The 'canonicalize' flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested.

    The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the sun.security.krb5.disableReferrals system or security properties).

    Other notes

    core-libs/javax.naming
     Added Property to Control LDAP Authentication Mechanisms Allowed to Authenticate Over Clear Connections

    A new environment property, jdk.jndi.ldap.mechsAllowedToSendCredentials, has been added to control which LDAP authentication mechanisms are allowed to send credentials over clear LDAP connections - a connection not secured with TLS. An encrypted LDAP connection is a connection opened by using ldaps scheme, or a connection opened by using ldap scheme and then upgraded to TLS with a STARTTLS extended operation.

    The value of the property, which is by default not set, is a comma-separated list of the mechanism names that are permitted to authenticate over a clear connection. If a value is not specified for the property, then all mechanisms are allowed. If the specified value is an empty list, then no mechanisms are allowed (except for none and anonymous). The default value for this property is 'null' (i.e., System.getProperty("jdk.jndi.ldap.mechsAllowedToSendCredentials") returns 'null'). To explicitly permit all mechanisms to authenticate over a clear connection, the property value can be set to "all". If a connection is downgraded from encrypted to clear, then only the mechanisms that are explicitly permitted are allowed.

    The property can be supplied to the LDAP context environment map, or set globally as a system property. When both are supplied, the environment map takes precedence.

    Note: none and anonymous authentication mechanisms are exempted from these rules and are always allowed regardless of the property value.

    JDK-8237990 (not public)

    security-libs/java.security
     Added 3 SSL Corporation Root CA Certificates

    The following root certificates have been added to the cacerts truststore:

    + SSL Corporation
      + sslrootrsaca
        DN: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
      + sslrootevrsaca
        DN: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
      + sslrooteccca
        DN: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
    

    security-libs/java.security
     Added Entrust Root Certification Authority - G4 certificate

    The following root certificate has been added to the cacerts truststore:

    + Entrust
      + entrustrootcag4
        DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", 
        OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
    

    core-libs/java.util:i18n
     Localized Time Zone Name Inconsistency Between English and Other Locales

    English time zone names provided by the CLDR locale provider are now correctly synthesized following the CLDR spec, rather than substituted from the COMPAT provider. For example, SHORT style names are no longer synthesized abbreviations of LONG style names, but instead produce GMT offset formats.

    core-libs/java.io:serialization
     Enhanced Support of Proxy Class

    The deserialization of java.lang.reflect.Proxy objects can be limited by setting the system property jdk.serialProxyInterfaceLimit. The limit is the maximum number of interfaces allowed per Proxy in the stream. Setting the limit to zero prevents any Proxies, including Annotations, from being deserialized. A limit of less than 2 might interfere with RMI operations.

    JDK-8236862 (not public)

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.9 Bug Fixes page.

  • security-libs java.security Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
  • 8247925 (Confidential) JDK8u251- XSL transformer fails with TransformerConfigurationException

    Java™ SE Development Kit 11.0.8 (JDK 11.0.8)

    July 14, 2020

    The full version string for this update release is 11.0.8+10 (where "+" means "build"). The version number is 11.0.8.

    IANA Data 2020a

    JDK 11.0.8 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.8 are specified in the following table:

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

    Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.8) be used after the next critical patch update scheduled for October 20, 2020.

    New Features

    security-libs/javax.net.ssl
    New System Properties to Configure the TLS Signature Schemes
    Two new System Properties are added to customize the TLS signature schemes in JDK. jdk.tls.client.SignatureSchemes is added for TLS client side, and jdk.tls.server.SignatureSchemes for server side.

    Each System Property contains a comma-separated list of supported signature scheme names, specifying the signature schemes that can be used for TLS connections.

    The names are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.

    security-libs/javax.xml.crypto
    Apache Santuario Library Updated to Version 2.1.4
    The Apache Santuario library has been upgraded to version 2.1.4. As a result, a new system property com.sun.org.apache.xml.internal.security.parser.pool-size has been introduced.

    This new system property sets the pool size of the internal DocumentBuilder cache used when processing XML Signatures. The function is equivalent to the org.apache.xml.security.parser.pool-size system property used in Apache Santuario and has the same default value of 20.

    infrastructure
    Toolchain Upgrade to Xcode 10.1
    Build Environment Update for macOS Moved to Xcode 10.1
    On macOS, the toolchain used to build the JDK has been upgraded from Xcode 4.5 to Xcode 10.1.

    JDK-8232007 (not public)

    install/install
     Oracle JDK Installer for Windows Provides Executables (javac, etc) in a Path Reachable From Any Command Prompt

    The Oracle JDK installer for Windows provides java.exe, javaw.exe, javac.exe, and jshell.exe commands in a system location so that users can run Java applications without needing to provide the path to the Oracle JDK's installation folder.

    JDK-8222383 (not public)

    Removed Features and Options

    security-libs/java.security
    Removal of Comodo Root CA Certificate
    The following expired Comodo root CA certificate was removed from the cacerts keystore:

  • alias name "addtrustclass1ca [jdk]"

    Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE

    security-libs/java.security
    Removal of DocuSign Root CA Certificate
    The following expired DocuSign root CA certificate was removed from the cacerts keystore:

  • alias name "keynectisrootca [jdk]"

    Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR

    Other notes

    core-libs/java.io:serialization
     Improved Serialization Handling

    When setting a serialization filter by using java.io.ObjectInputStream.setObjectInputFilter the method must be called before reading any objects from the stream. If the methods readObject or readUnshared are called, the setObjectInputFilter method throws IllegalStateException.

    JDK-8234836 (not public)
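
    The ordering requirement above can be observed directly. The following is an added example, not code from Oracle or the JDK; the class names, the filter pattern, and the serialized data are constructed for illustration. It sets an allow-list filter before the first read, where it rejects an unexpected class, and then attempts to set a filter after a read.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/** Added example (hypothetical class name): when a stream filter may be installed. */
public class FilterOrderingDemo {

    /** Constructed application class that the allow-list below does not cover. */
    static class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "constructed sample";
    }

    /** Builds a constructed stream: an Integer followed by a Payload. */
    static byte[] sampleStream() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(Integer.valueOf(42));
            out.writeObject(new Payload());
        }
        return buf.toByteArray();
    }

    /** Allows classes in java.lang only and rejects every other class. */
    static ObjectInputFilter allowList() {
        return ObjectInputFilter.Config.createFilter("java.lang.*;!*");
    }

    /** Correct order: the filter is installed before any object is read. */
    static String filterBeforeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowList());
            Object first = in.readObject(); // java.lang.Integer passes the filter
            try {
                in.readObject();            // Payload is checked against the filter
                return first + " read, Payload accepted";
            } catch (InvalidClassException e) {
                return first + " read, Payload rejected: " + e.getMessage();
            }
        }
    }

    /** Wrong order: an object is read first, then a filter is installed. */
    static String filterAfterRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.readObject(); // unfiltered read of the Integer
            try {
                in.setObjectInputFilter(allowList());
                return "filter accepted after a read (runtime without this change)";
            } catch (IllegalStateException e) {
                return "IllegalStateException: " + e.getMessage();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = sampleStream();
        System.out.println("filter first: " + filterBeforeRead(data));
        System.out.println("filter late:  " + filterAfterRead(data));
    }
}
```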

    core-libs/java.util:collections
     Better Listing of Arrays
    The preferred way to copy a collection is to use a "copy constructor." For example, to copy a collection into a new ArrayList, one would write new ArrayList<>(collection). In certain circumstances, an additional, temporary copy of the collection's contents might be made in order to improve robustness. If the collection being copied is exceptionally large, then the application should be aware of, and monitor, the significant resources involved in making the copy.

    JDK-8231800 (not public)

    security-libs/javax.net.ssl
    Default SSLEngine Should Create in Server Role
    In JDK 11 and later, javax.net.ssl.SSLEngine by default used client mode when handshaking. As a result, the set of default enabled protocols may differ from what is expected. SSLEngine would usually be used in server mode. From this JDK release onwards, SSLEngine will default to server mode. The javax.net.ssl.SSLEngine.setUseClientMode(boolean mode) method may be used to configure the mode.

    core-svc/java.lang.management
    OperatingSystemMXBean Methods Inside a Container Return Container Specific Data
    When executing in a container, or other virtualized operating environment, the following OperatingSystemMXBean methods in this release return container specific information, if available. Otherwise, they return host specific data:

  • getFreePhysicalMemorySize()
  • getTotalPhysicalMemorySize()
  • getFreeSwapSpaceSize()
  • getTotalSwapSpaceSize()
  • getSystemCpuLoad()

    security-libs
    Default SSL Session Cache Size Updated to 20480
    The default SSL session cache size has been updated to 20480 in this JDK release.

    client-libs/javax.swing
    Deprecated NSWindowStyleMaskTexturedBackground
    After an upgrade of the macOS SDK used to build the JDK, the behavior of the apple.awt.brushMetalLook and textured Swing properties has changed. When these properties are set, the title of the frame is still visible. It is recommended that the apple.awt.transparentTitleBar property be set to true to make the title of the frame invisible again. The apple.awt.fullWindowContent property can also be used.

    Please note that Textured window support was implemented by using the NSTexturedBackgroundWindowMask value of NSWindowStyleMask. However, this was deprecated in macOS 10.12 along with NSWindowStyleMaskTexturedBackground, which was deprecated in macOS 10.14.

    For additional information, refer to the following documentation:

  • apple.awt.brushMetalLook
  • apple.awt.transparentTitleBar
  • apple.awt.fullWindowContent

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

    Issues fixed in 11.0.8:

    1. JDK-6933331  client-libs/2d  (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created
    2. JDK-8196181  client-libs/2d  sun/java2d/GdiRendering/InsetClipping.java fails
    3. JDK-8209113  client-libs/2d  Use WeakReference for lastFontStrike for created Fonts
    4. JDK-8214481  client-libs/2d  freetype path does not disable TrueType hinting with AA+FM hints
    5. JDK-8224109  client-libs/2d  Text spaced incorrectly by drawString under rotation with fractional metrics
    6. JDK-8234398  client-libs/2d  Replace ID2D1Factory::GetDesktopDpi with GetDeviceCaps
    7. JDK-8235904  client-libs/2d  Infinite loop when rendering huge lines
    8. JDK-8236996  client-libs/2d  Incorrect Roboto font rendering on Windows with subpixel antialiasing
    9. JDK-8239091  client-libs/2d  Reversed arguments in call to strstr in freetype "debug" code.
    10. JDK-8176359  client-libs/java.awt  Frame#setMaximizedbounds not working properly in multi screen environments
    11. JDK-8196019  client-libs/java.awt  java/awt/Window/Grab/GrabTest.java fails on Windows
    12. JDK-8211301  client-libs/java.awt  [macos] support full window content options
    13. JDK-8225126  client-libs/java.awt  Test SetBoundsPaintTest.html failed on Windows when desktop is scaled
    14. JDK-8226806  client-libs/java.awt  [macOS 10.14] Methods of Java Robot should be called from appropriate thread
    15. JDK-8231438  client-libs/java.awt  [macOS] Dark mode for the desktop is not supported
    16. JDK-8231564  client-libs/java.awt  setMaximizedBounds is broken with large display scale and multiple monitors
    17. JDK-8233573  client-libs/java.awt  Toolkit.getScreenInsets(GraphicsConfiguration) may throw ClassCastException
    18. JDK-8233707  client-libs/java.awt  systemScale.cpp could not compile with VS2019
    19. JDK-8234107  client-libs/java.awt  Several AWT modal dialog tests failing on Linux after JDK-8231991
    20. JDK-8237221  client-libs/java.awt  [macos] java/awt/MenuBar/SeparatorsNavigation/SeparatorsNavigation.java fails
    21. JDK-8238575  client-libs/java.awt  DragSourceEvent.getLocation() returns wrong value on HiDPI screens (Windows)
    22. JDK-8242174  client-libs/java.awt  [macos] The NestedModelessDialogTest test make the macOS unstable
    23. JDK-8242498  client-libs/java.awt  Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash
    24. JDK-8226253  client-libs/javax.accessibility  JAWS reports wrong number of radio buttons when buttons are hidden
    25. JDK-8238842  client-libs/javax.imageio  AIOOBE in GIFImageReader.initializeStringTable
    26. JDK-8221445  client-libs/javax.sound  FastSysexMessage constructor crashes MIDI receiption thread
    27. JDK-8040630  client-libs/javax.swing  Popup menus and tooltips flicker with previous popup contents when first shown
    28. JDK-8198339  client-libs/javax.swing  Test javax/swing/border/Test6981576.java is unstable
    29. JDK-8183369  core-libs/java.net  RFC unconformity of HttpURLConnection with proxy
    30. JDK-8210147  core-libs/java.net  adjust some WSAGetLastError usages in windows network coding
    31. JDK-8232854  core-libs/java.net  URLClassLoader.close() doesn't close cached JAR file on Windows when load() fails
    32. JDK-8044365  core-libs/java.nio  (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)
    33. JDK-8221531  core-libs/java.nio  Incorrect copyright header in src/java.base/windows/native/libnio/ch/FileChannelImpl.c
    34. JDK-8205399  core-libs/java.util:collections  Set node color on pinned HashMap.TreeNode deletion
    35. JDK-8160768  core-libs/javax.naming  Add capability to custom resolve host/domain names within the default JNDI LDAP provider
    36. JDK-8214440  core-libs/javax.naming  ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate"
    37. JDK-8217606  core-libs/javax.naming  LdapContext#reconnect always opens a new connection
    38. JDK-8240523  core-libs/javax.naming  JCK Test Case api/modulegraph/index.html#ModuleGraphTest failed in CI
    39. JDK-8193879  core-svc/debugger  Java debugger hangs on method invocation
    40. JDK-8239055  core-svc/debugger  Wrong implementation of VMState.hasListener
    41. JDK-8206179  core-svc/javax.management  com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value
    42. JDK-8132849  hotspot/compiler  Increased stop time in cleanup phase because of single-threaded walk of thread stacks in NMethodSweeper::mark_active_nmethods()
    43. JDK-8156207  hotspot/compiler  Resource allocated BitMaps are often cleared unnecessarily
    44. JDK-8163511  hotspot/compiler  Allocation of compile task fails with assert: "Leaking compilation tasks?"
    45. JDK-8187078  hotspot/compiler  -XX:+VerifyOops finds numerous problems when running JPRT
    46. JDK-8208277  hotspot/compiler  Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages
    47. JDK-8209420  hotspot/compiler  Track membars for volatile accesses so they can be properly optimized
    48. JDK-8209439  hotspot/compiler  C2 library_call can potentially ignore Math.pow intrinsic or use null pointer
    49. JDK-8209684  hotspot/compiler  Intrinsics that assume some input non null should use GraphKit::must_be_not_null()
    50. JDK-8209686  hotspot/compiler  cleanup arguments to PhaseIdealLoop() constructor
    51. JDK-8210284  hotspot/compiler  "assert((av & 0x00000001) == 0) failed: unsupported V8" on Solaris 11.4
    52. JDK-8210389  hotspot/compiler  C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
    53. JDK-8211129  hotspot/compiler  compiler/whitebox/ForceNMethodSweepTest.java fails after JDK-8132849
    54. JDK-8211233  hotspot/compiler  MemBarNode::trailing_membar() and MemBarNode::leading_membar() need to handle dying subgraphs better
    55. JDK-8211332  hotspot/compiler  code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs
    56. JDK-8211740  hotspot/compiler  [AOT] -XX:AOTLibrary doesn't accept windows path
    57. JDK-8211743  hotspot/compiler  [AOT] crash in ScopeDesc::decode_body() when JVMTI walks AOT frames
    58. JDK-8214344  hotspot/compiler  C2: assert(con.basic_type() != T_ILLEGAL) failed: elembt=byte; loadbt=void; unsigned=0
    59. JDK-8214444  hotspot/compiler  Wrong strncat limits in dfa.cpp
    60. JDK-8214857  hotspot/compiler  "bad trailing membar" assert failure at memnode.cpp:3220
    61. JDK-8214862  hotspot/compiler  assert(proj != __null) at compile.cpp:3251
    62. JDK-8215551  hotspot/compiler  Missing case label in nmethod::reloc_string_for()
    63. JDK-8215555  hotspot/compiler  TieredCompilation C2 threads can excessively block handshakes
    64. JDK-8216151  hotspot/compiler  [Graal] Module jdk.internal.vm.compiler.management has not been granted accessClassInPackage.org.graalvm.compiler.debug
    65. JDK-8216154  hotspot/compiler  C4819 warnings at HotSpot sources on Windows
    66. JDK-8216541  hotspot/compiler  CompiledICHolders of VM locked unloaded nmethods are released too late
    67. JDK-8217230  hotspot/compiler  assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types()
    68. JDK-8217447  hotspot/compiler  Develop flag TraceICs is broken
    69. JDK-8219214  hotspot/compiler  Infinite Loop in CodeSection::dump()
    70. JDK-8219919  hotspot/compiler  RuntimeStub's name lost with PrintFrameConverterAssembly
    71. JDK-8220341  hotspot/compiler  Class redefinition fails with assert(!is_unloaded()) failed: unloaded method on the stack
    72. JDK-8221482  hotspot/compiler  Initialize VMRegImpl::regName[] earlier to prevent assert during PrintStubCode
    73. JDK-8221782  hotspot/compiler  [Graal] Module jdk.internal.vm.compiler.management has not been granted accessClassInPackage.jdk.vm.ci.services
    74. JDK-8225567  hotspot/compiler  Wrong file headers with 8202414 fix changeset
    75. JDK-8225783  hotspot/compiler  Incorrect use of binary operators on booleans in type.cpp
    76. JDK-8226198  hotspot/compiler  use of & instead of && in LibraryCallKit::arraycopy_restore_alloc_state
    77. JDK-8226879  hotspot/compiler  Memory leak in Type::hashcons
    78. JDK-8227034  hotspot/compiler  Graal crash with gcbasher
    79. JDK-8227632  hotspot/compiler  Incorrect PrintCompilation message: made not compilable on levels 0 1 2 3 4
    80. JDK-8229855  hotspot/compiler  C2 fails with assert(false) failed: bad AD file
    81. JDK-8231515  hotspot/compiler  [Graal] Crash during exception throwing in InterpreterRuntime::resolve_invoke
    82. JDK-8232106  hotspot/compiler  [x86] C2: SIGILL due to usage of SSSE3 instructions on processors which don't support it
    83. JDK-8233019  hotspot/compiler  java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit
    84. JDK-8233364  hotspot/compiler  Fix undefined behavior in Canonicalizer::do_ShiftOp
    85. JDK-8235332  hotspot/compiler  TestInstanceCloneAsLoadsStores.java fails with -XX:+StressGCM
    86. JDK-8235762  hotspot/compiler  JVM crash in SWPointer during C2 compilation
    87. JDK-8235984  hotspot/compiler  C2: assert(out->in(PhiNode::Region) == head || out->in(PhiNode::Region) == slow_head) failed: phi must be either part of the slow or the fast loop
    88. JDK-8236285  hotspot/compiler  [JVMCI] improve TranslatedException traces
    89. JDK-8236709  hotspot/compiler  struct SwitchRange in HS violates C++ One Definition Rule
    90. JDK-8236759  hotspot/compiler  ShouldNotReachHere in PhaseIdealLoop::verify_strip_mined_scheduling
    91. JDK-8237045  hotspot/compiler  JVM uses excessive memory with -XX:+EnableJVMCI -XX:JVMCICounterSize=2147483648
    92. JDK-8237086  hotspot/compiler  assert(is_MachReturn()) running CTW with fix for JDK-8231291
    93. JDK-8237375  hotspot/compiler  SimpleThresholdPolicy misses CounterDecay timestamp initialization
    94. JDK-8237945  hotspot/compiler  CTW: C2 compilation fails with assert(just_allocated_object(alloc_ctl) == ptr) failed: most recent allo
    95. JDK-8237951  hotspot/compiler  CTW: C2 compilation fails with "malformed control flow"
    96. JDK-8238190  hotspot/compiler  [JVMCI] Fix single implementor speculation for diamond shapes.
    97. JDK-8238356  hotspot/compiler  CodeHeap::blob_count() overestimates the number of blobs
    98. JDK-8238438  hotspot/compiler  SuperWord::co_locate_pack picks memory state of first instead of last load
    99. JDK-8238756  hotspot/compiler  C2: assert(((n) == __null || !VerifyIterativeGVN || !((n)->is_dead()))) failed: can not use dead node
    100. JDK-8238765  hotspot/compiler  PhaseCFG::schedule_pinned_nodes cannot handle precedence edges from unmatched CFG nodes correctly
    101. JDK-8238811  hotspot/compiler  C2: assert(i >= req() || i == 0 || is_Region() || is_Phi()) with -XX:+VerifyGraphEdges
    102. JDK-8239142  hotspot/compiler  C2's UseUniqueSubclasses optimization is broken for array accesses
    103. JDK-8239456  hotspot/compiler  [win][x86] vtable stub generation: assert failure (code size estimate)
    104. JDK-8239852  hotspot/compiler  java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed
    105. JDK-8239931  hotspot/compiler  [win][x86] vtable stub generation: assert failure (code size estimate) follow-up
    106. JDK-8240220  hotspot/compiler  IdealLoopTree::dump_head predicate printing is broken
    107. JDK-8240223  hotspot/compiler  Use consistent predicate order in and with PhaseIdealLoop::find_predicate
    108. JDK-8240576  hotspot/compiler  JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges
    109. JDK-8240831  hotspot/compiler  [JVMCI] Export missing vmStructs entries used by JVMCI compilers
    110. JDK-8240905  hotspot/compiler  assert(mem == (Node*)1 || mem == mem2) failed: multiple Memories being matched at once?
    111. JDK-8240976  hotspot/compiler  [JVMCI] MethodProfileWidth flag is broken
    112. JDK-8241556  hotspot/compiler  Memory leak if -XX:CompileCommand is set
    113. JDK-8241900  hotspot/compiler  Loop unswitching may cause dependence on null check to be lost
    114. JDK-8242108  hotspot/compiler  Performance regression after fix for JDK-8229496
    115. JDK-8242357  hotspot/compiler  [JVMCI] Incorrect use of JVMCI_CHECK_ on return statement
    116. JDK-8243467  hotspot/compiler  [BACKOUT] JDK-8132849 and JDK-8211129 from 11.0.8-oracle
    117. JDK-8204834  hotspot/gc  Fix confusing "allocate" naming in OopStorage
    118. JDK-8221534  hotspot/gc  Incorrect copyright header in src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/gc/z/ZPageTableEntry.java
    119. JDK-8231779  hotspot/gc  crash HeapWord*ParallelScavengeHeap::failed_mem_allocate
    120. JDK-8189633  hotspot/runtime  Missing -Xcheck:jni checking for DeleteWeakGlobalRef
    121. JDK-8203911  hotspot/runtime  Test runtime/modules/getModuleJNI/GetModule fails with -Xcheck:jni
    122. JDK-8209850  hotspot/runtime  Allow NamedThreads to use GlobalCounter critical sections
    123. JDK-8209976  hotspot/runtime  Improve iteration over non-JavaThreads
    124. JDK-8210303  hotspot/runtime  VM_HandshakeAllThreads fails assert with "failed: blocked and not walkable"
    125. JDK-8212933  hotspot/runtime  Thread-SMR: requesting a VM operation whilst holding a ThreadsListHandle can cause deadlocks
    126. JDK-8213250  hotspot/runtime  CDS archive creation aborts due to metaspace object allocation failure
    127. JDK-8219241  hotspot/runtime  Provide basic virtualization related info in the hs_error file on linux/windows x86_64
    128. JDK-8219562  hotspot/runtime  Line of code in osContainer_linux.cpp#L102 appears unreachable
    129. JDK-8222720  hotspot/runtime  Provide extended VMWare/vSphere virtualization related info in the hs_error file on linux/windows x86_64
    130. JDK-8224793  hotspot/runtime  os::die() does not honor CreateCoredumpOnCrash option
    131. JDK-8240529  hotspot/runtime  CheckUnhandledOops breaks NULL check in Modules::define_module
    132. JDK-8241296  hotspot/runtime  Segfault in JNIHandleBlock::oops_do()
    133. JDK-8241464  hotspot/runtime  [11u] Backport: make rehashing be a needed guaranteed safepoint cleanup action
    134. JDK-8241660  hotspot/runtime  Add virtualization information output to hs_err file on macOS
    135. JDK-8237589  other-libs/other  Fix copyright header formatting
    136. JDK-7092821  security-libs/java.security  java.security.Provider.getService() is synchronized and became scalability bottleneck
    137. JDK-8228613  security-libs/java.security  java.security.Provider#getServices order is no longer deterministic
    138. JDK-8231387  security-libs/java.security  java.security.Provider.getService returns random result due to race condition with mutating methods in the same class
    139. JDK-8238452  security-libs/java.security  Keytool generates wrong expiration date if validity is set to 2050/01/01
    140. JDK-8246613  security-libs/java.security  Choose the default SecureRandom algo based on registration ordering
    141. JDK-8240983  security-libs/javax.crypto  Incorrect copyright header in Apache Santuario 2.1.3 files
    142. JDK-8238898  security-libs/javax.crypto:pkcs11  Missing hash characters for header on license file
    143. JDK-8209333  security-libs/javax.net.ssl  Socket reset issue for TLS 1.3 socket close
    144. JDK-8211339  security-libs/javax.net.ssl  NPE during SSL handshake caused by HostnameChecker
    145. JDK-8215711  security-libs/javax.net.ssl  Missing key_share extension for (EC)DHE key exchange should alert missing_extension
    146. JDK-8223482  security-libs/javax.net.ssl  Unsupported ciphersuites may be offered by a TLS client
    147. JDK-8223940  security-libs/javax.net.ssl  Private key not supported by chosen signature algorithm
    148. JDK-8233621  security-libs/javax.net.ssl  Mismatch in jsse.enableMFLNExtension property name
    149. JDK-8235874  security-libs/javax.net.ssl  The ordering of Cipher Suites is not maintained provided through “jdk.tls.client.cipherSuites” and “jdk.tls.server.cipherSuites” system property.
    150. JDK-8236039  security-libs/javax.net.ssl  JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
    151. JDK-8239798  security-libs/javax.net.ssl  SSLSocket closes socket both socket endpoints on a SocketTimeoutException
    152. JDK-8242294  security-libs/javax.net.ssl  JSSE Client does not throw SSLException when an alert occurs during handshaking
    153. JDK-8246031  security-libs/javax.net.ssl  SSLSocket.getSession() doesn't close connection for timeout/ interrupts
    154. JDK-8163251  security-libs/javax.smartcardio  Hard coded loop limit prevents reading of smart card data greater than 8k
    155. JDK-8210197  tools/javac  javac can't tell during speculative attribution if a diamond expression is creating an anonymous inner class or not
    156. JDK-8213908  tools/javac  AssertionError in DeferredAttr at setOverloadKind
    157. JDK-8214345  tools/javac  infinite recursion while checking super class
    158. JDK-8218268  tools/javac  Javac treats Manifest Class-Path entries as Paths instead of URLs
    159. JDK-8200432  tools/javadoc(tool)  javadoc fails with ClassCastException on {@link byte[]}
    160. JDK-8212233  tools/javadoc(tool)  javadoc fails on jdk12 with "The code being documented uses modules but the packages defined in $URL are in the unnamed module."
    161. JDK-8214856  tools/javadoc(tool)  Errors with JSZip in web console after upgrade to 3.1.5
    162. JDK-8236700  tools/javadoc(tool)  Upgrading JSZip from v3.1.5 to v3.2.2
    163. JDK-8216261  tools/javap  Javap ignores default modifier on interfaces
    164. JDK-8217093  tools/launcher  Support extended-length paths in parse_manifest.c on Windows
    165. JDK-8240629  tools/launcher  argfiles parsing broken for argfiles with comment cross 4096 bytes chunk
    166. JDK-8221533  xml/jaxp  Incorrect copyright header in DurationDayTimeImpl.java, DurationYearMonthImpl.java and XMLStreamException.java
    167. JDK-8242470  xml/jaxp  Update Xerces to Version 2.12.1

    Java SE 11.0.7 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

    The following sections summarize changes made in all Java SE 11.0.7 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

    Changes in Java SE 11.0.7.0.1-oracle

    Please note that fixes from the prior BPR are included in this version.

    Java™ SE Development Kit 11.0.7 (JDK 11.0.7)

    April 14, 2020

    The full version string for this update release is 11.0.7+8 (where "+" means "build"). The version number is 11.0.7.

    IANA Data 2019c

    JDK 11.0.7 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.7 are specified in the following table:

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

    Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.7) be used after the next critical patch update scheduled for July 14, 2020.

    New Features

    security-libs/javax.crypto

    Support for MS Cryptography Next Generation (CNG)
    The SunMSCAPI provider now supports reading private keys in Cryptography Next Generation (CNG) format. This means that RSA and EC keys in CNG format are loadable from Windows keystores, such as "Windows-MY". Signature algorithms related to EC (SHA1withECDSA, SHA256withECDSA, etc.) are also supported.

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.7 Bug Fixes page.

    Java SE 11.0.6 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

    The following sections summarize changes made in all Java SE 11.0.6 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

    Changes in Java SE 11.0.6.0.2-oracle

    Bug Fixes

    client-libs java.awt [macos] Problem with backslashes on macOS/JIS keyboard: Java ignores system settings
    8234786 client-libs java.awt Fix for JDK-8214578 breaks OS X 10.12 compatibility

    Java™ SE Development Kit 11.0.6 (JDK 11.0.6)

    January 14, 2020

    The full version string for this update release is 11.0.6+8 (where "+" means "build"). The version number is 11.0.6.

    IANA Data 2019c

    JDK 11.0.6 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.6 are specified in the following table:

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

    Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.6) be used after the next critical patch update scheduled for April 14, 2020.

    New Features

    security-libs/javax.security

    Allow SASL Mechanisms to Be Restricted
    A security property named jdk.sasl.disabledMechanisms has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms argument of Sasl.createSaslClient or the mechanism argument of Sasl.createSaslServer. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.

    See JDK-8200400
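
    The following added example (not part of the Oracle release notes) shows the effect of jdk.sasl.disabledMechanisms on client-side mechanism selection. The class name, host name and credentials are constructed for the demonstration, and the property is set in code before the first use of Sasl only to keep the example in one file; in a deployment it belongs in the java.security file.

```java
import java.security.Security;
import java.util.Collections;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

public class SaslDisabledMechanismsDemo {

    // Constructed credentials, present only so the client factories can be instantiated.
    static final CallbackHandler HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName("demo-user");
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword("demo-password".toCharArray());
            }
        }
    };

    /** Returns the mechanism the JDK selected from the offered list, or "none". */
    static String negotiate(String... offered) throws SaslException {
        SaslClient client = Sasl.createSaslClient(
                offered, null, "imap", "mail.example.test",
                Collections.emptyMap(), HANDLER);
        if (client == null) {
            return "none"; // every offered mechanism was disabled or unsupported
        }
        try {
            return client.getMechanismName();
        } finally {
            client.dispose();
        }
    }

    public static void main(String[] args) throws SaslException {
        // Disable the two mechanisms this demo treats as too weak.
        // Set before javax.security.sasl.Sasl is first touched in this JVM.
        Security.setProperty("jdk.sasl.disabledMechanisms", "PLAIN, CRAM-MD5");

        // A peer that offers only disabled mechanisms gets no client at all,
        // so the caller must treat null as "authentication not possible".
        System.out.println("PLAIN only           -> " + negotiate("PLAIN"));
        System.out.println("CRAM-MD5, PLAIN      -> " + negotiate("CRAM-MD5", "PLAIN"));

        // A disabled mechanism listed first is skipped, not selected.
        System.out.println("PLAIN, DIGEST-MD5    -> " + negotiate("PLAIN", "DIGEST-MD5"));
    }
}
```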

    security-libs/javax.crypto:pkcs11

    SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40
    The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.

    See JDK-8080462

    Other notes

    core-libs/java.rmi
    Improve Registry Support

    The java.rmi.Remote marker interface identifies interfaces containing methods that can be invoked remotely by using the following specification:

  • Methods declared in interfaces that directly or indirectly extend java.rmi.Remote can be invoked remotely
  • Methods declared in interfaces that do not extend Remote directly or indirectly cannot be invoked remotely

    This affects remote objects in the java.rmi.registry.Registry and any other remote object.

    JDK-8230967 (not public)

    security-libs/java.security

    New Checks on Trust Anchor Certificates
    New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.

    A new system property named jdk.security.allowNonCaAnchor has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.

    The default value of this property, if not set, is "false".

    Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).

    This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.

    JDK-8230318 (not public)
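
    The following added example (not part of the Oracle release notes) audits the certificate entries of a truststore against the two conditions stated above, so that anchors which would now be refused can be found before an upgrade. The class name is constructed, and the default path and the "changeit" password are assumptions about a stock JDK cacerts file; pass your own keystore path and password as arguments.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class TrustAnchorAudit {

    private static final int KEY_CERT_SIGN = 5; // index of keyCertSign in getKeyUsage()

    /** Returns null if the certificate meets the checks, otherwise the reason it does not. */
    static String violation(X509Certificate cert) {
        if (cert.getVersion() == 1) {
            return null; // v1 certificates have no extensions; the note exempts them
        }
        // getBasicConstraints() is -1 when the extension is absent or cA is false.
        if (cert.getBasicConstraints() == -1) {
            return "Basic Constraints missing or cA=false";
        }
        boolean[] keyUsage = cert.getKeyUsage();
        boolean canSign = keyUsage != null
                && keyUsage.length > KEY_CERT_SIGN && keyUsage[KEY_CERT_SIGN];
        if (keyUsage != null && !canSign) {
            return "Key Usage present without keyCertSign";
        }
        return null;
    }

    /** Checks every trusted-certificate entry and returns one line per failing anchor. */
    static List<String> audit(KeyStore store) throws Exception {
        List<String> findings = new ArrayList<>();
        for (String alias : Collections.list(store.aliases())) {
            if (!store.isCertificateEntry(alias)) {
                continue; // private-key entries are not trust anchors
            }
            Certificate cert = store.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            String reason = violation(x509);
            if (reason != null) {
                findings.add(alias + ": " + reason
                        + " [" + x509.getSubjectX500Principal().getName() + "]");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        File path = new File(args.length > 0
                ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore store = KeyStore.getInstance(path, password);
        List<String> findings = audit(store);

        System.out.println("Checked " + store.size() + " entries in " + path);
        if (findings.isEmpty()) {
            System.out.println("All trust anchors carry the required CA extensions.");
        } else {
            findings.forEach(line -> System.out.println("NON-CA ANCHOR  " + line));
        }
    }
}
```

    Anchors reported here should be replaced with proper CA certificates rather than re-enabled through jdk.security.allowNonCaAnchor.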

    security-libs/java.security

    Exact Match Required for Trusted TLS Server Certificate
    A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.

    JDK-8227758 (not public)

    security-libs/java.security

    Added LuxTrust Global Root 2 Certificate
    The following root certificate has been added to the cacerts truststore:

    hotspot/compiler

    Turn off AOT by Default and Change Related Flags to Experimental
    The following AOT-related flags have been made experimental: UseAOT, PrintAOT and AOTLibrary. In addition, the default value of UseAOT has been changed from enabled to disabled.

    See JDK-8227439

    hotspot/gc
    Epsilon GC handled checked array stores incorrectly

    Epsilon GC may have violated the specification requirements by accepting the type-incompatible store into the array, instead of throwing the ArrayStoreException. This is now handled correctly, both in this release, and associated backports. Users are advised to upgrade as soon as possible.

    Bug Fixes

    The following are some of the notable bug fixes included in this release:

    security-libs/javax.crypto:pkcs11

    Memory Growth Issue in SunPKCS11 Fixed
    A memory growth issue in the SunPKCS11 cryptographic provider that affects the NSS back-end has been fixed.

    A system property, sun.security.pkcs11.disableKeyExtraction, has been introduced to disable the fix. A "true" value disables the fix, while a "false" value (default) keeps it enabled.

    When enabled, PKCS#11 attributes of the NSS native keys are copied to Java byte buffers after key creation. Once used, NSS keys are destroyed and native heap space is freed up. If NSS keys are required again, they are recreated with the previously saved attributes.

    Further information and implementation details can be found in the CSR: JDK-8213430

    See JDK-6913047

    core-libs/java.io:serialization

    Better Serial Filter Handling
    The jdk.serialFilter system property can only be set on the command line. If the filter has not been set on the command line, it can be set with java.io.ObjectInputFilter.Config.setSerialFilter. Setting the jdk.serialFilter with java.lang.System.setProperty has no effect.

    JDK-8231422 (not public)
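
    The following added example (not part of the Oracle release notes) shows the behaviour described above: a runtime System.setProperty call leaves the process-wide filter unset, and ObjectInputFilter.Config.setSerialFilter installs an allow-list that rejects every other class. The class names and the filter pattern are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerialFilterDemo {

    // Constructed sample types: one the application expects, one it does not.
    static class Allowed implements Serializable {
        private static final long serialVersionUID = 1L;
        int id = 7;
    }

    static class Blocked implements Serializable {
        private static final long serialVersionUID = 1L;
        int id = 9;
    }

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    /** Deserializes the bytes and reports whether the process-wide filter let them through. */
    static String tryRead(byte[] data) {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return "accepted " + in.readObject().getClass().getSimpleName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return "failed: " + e;
        }
    }

    /** Tries the property route first, then falls back to the supported API. */
    static String installFilter() {
        // Too late: per the note above this has no effect on the filter.
        System.setProperty("jdk.serialFilter", "!*");

        if (ObjectInputFilter.Config.getSerialFilter() != null) {
            // Set on the command line, in java.security, or by a JDK that
            // predates this change. The filter can be set only once.
            return "a process-wide filter was already in place";
        }
        // Allow exactly one application class and reject everything else.
        String pattern = Allowed.class.getName() + ";!*";
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(pattern));
        return "System.setProperty ignored; installed filter " + pattern;
    }

    public static void main(String[] args) throws IOException {
        byte[] allowed = serialize(new Allowed());
        byte[] blocked = serialize(new Blocked());

        System.out.println(installFilter());
        System.out.println("Allowed -> " + tryRead(allowed));
        System.out.println("Blocked -> " + tryRead(blocked));
    }
}
```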

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.6 Bug Fixes page.

    Java SE 11.0.5 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

    The following sections summarize changes made in all Java SE 11.0.5 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

    Changes in Java SE 11.0.5.0.3-oracle+1

    Bug Fixes

    Java™ SE Development Kit 11.0.5 (JDK 11.0.5)

    October 15, 2019

    The full version string for this update release is 11.0.5+10 (where "+" means "build"). The version number is 11.0.5.

    IANA Data 2019b

    JDK 11.0.5 contains IANA time zone data version 2019b. For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.5 are specified in the following table:

    Keeping the JDK up to Date

    Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

    Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.5) be used after the next critical patch update scheduled for January 14, 2020.

    New Features

    security-libs/java.security
    New Java Flight Recorder (JFR) Security Events
    Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.

    jdk.SecurityPropertyModification

    Records Security.setProperty(String key, String value) method calls.

    jdk.TLSHandshake

    Records TLS handshake activity. The event fields include:

  • Peer hostname
  • Peer port
  • TLS protocol version negotiated
  • TLS cipher suite negotiated
  • Certificate id of peer client
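
    The following added example (not part of the Oracle release notes) enables the two events listed above through the jdk.jfr API, runs a workload, and turns the recorded events into one audit line each. The class name, the property key example.audit.marker and the temporary file are constructed for the demonstration; on a JDK build without these events the result is simply empty.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import jdk.jfr.Recording;
import jdk.jfr.ValueDescriptor;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;

public class SecurityEventRecorder {

    static final List<String> WATCHED =
            Arrays.asList("jdk.SecurityPropertyModification", "jdk.TLSHandshake");

    // Fields every JFR event carries; skipped so only event-specific data is printed.
    static final List<String> COMMON =
            Arrays.asList("startTime", "duration", "eventThread", "stackTrace");

    /** Formats one event as "name @ time field=value ..." using whatever fields it declares. */
    static String describe(RecordedEvent event) {
        StringBuilder line = new StringBuilder(event.getEventType().getName())
                .append(" @ ").append(event.getStartTime());
        for (ValueDescriptor field : event.getFields()) {
            String name = field.getName();
            if (COMMON.contains(name)) {
                continue;
            }
            Object value = event.getValue(name);
            line.append(' ').append(name).append('=').append(value);
        }
        return line.toString();
    }

    /** Runs the workload under a recording and returns the watched security events. */
    static List<String> record(Runnable workload) throws Exception {
        Path dir = Files.createTempDirectory("jfr-security");
        Path dump = dir.resolve("security.jfr");
        try (Recording recording = new Recording()) {
            for (String name : WATCHED) {
                // The events are disabled by default, so enable them explicitly.
                recording.enable(name).withStackTrace();
            }
            recording.start();
            workload.run();
            recording.stop();
            recording.dump(dump);
        }
        List<String> findings = new ArrayList<>();
        try {
            for (RecordedEvent event : RecordingFile.readAllEvents(dump)) {
                if (WATCHED.contains(event.getEventType().getName())) {
                    findings.add(describe(event));
                }
            }
        } finally {
            Files.deleteIfExists(dump);
            Files.deleteIfExists(dir);
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed workload: a security property change that should be recorded.
        List<String> findings = record(
                () -> Security.setProperty("example.audit.marker", "changed-at-runtime"));

        if (findings.isEmpty()) {
            System.out.println("No security events recorded (events unavailable in this JDK?)");
        }
        findings.forEach(System.out::println);
    }
}
```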

    Using the JDK or JRE on macOS Catalina (10.15)
    Changes introduced in macOS 10.15 (Catalina) have caused JCK test failures which will prevent Java from being supported on macOS 10.15. If you still want to install and test then please see https://www.oracle.com/java/technologies/javase/jdk-jre-macos-catalina.html.

    JDK-8230057 (not public)

    security-libs/javax.net.ssl
    Remove Obsolete NIST EC Curves from the Default TLS Algorithms
    This change removes older non-NIST Suite B EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.

    To re-enable these curves, use the jdk.tls.namedGroups system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:

    java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192" ...

    JDK-8228825 (not public)

    security-libs/javax.crypto
    Use SunJCE Mac in SecretKeyFactory PBKDF2 Implementation
    The SunJCE implementation of the PBKDF2 SecretKeyFactory will now exclusively use the SunJCE Mac service for the underlying pseudorandom function (PRF). This fixes an issue where third-party JCE providers in rare cases could cause the SunJCE PBKDF2 SecretKeyFactory's underlying pseudorandom function (PRF) to fail on Mac.init().

    install
    Java Access Bridge Installation Workaround
    There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64-bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32-bit Java products.

    To prevent breaking Java Access Bridge functionality, use one of the following workarounds:

  • Stop JAWS before running the Java installer.
  • Uninstall the existing JRE(s) before installing the new version of Java.
  • Uninstall the existing JRE(s) after the new version of Java is installed and the machine is rebooted.

    The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from the Java installer when JAWS is running.

    JDK-8223293 (not public)

    security-libs/javax.xml.crypto
    Updated XML Signature Implementation to Apache Santuario 2.1.3
    The XML Signature implementation in the java.xml.crypto module has been updated to version 2.1.3 of Apache Santuario. New features include:

  • Added support for embedding elliptic curve public keys in the KeyValue element

    security-libs/javax.crypto
    System Property jdk.security.useLegacyECC is Turned Off by Default
    The system property jdk.security.useLegacyECC, which was introduced in the update releases 7u231 and 8u221, is turned off by default.

    This option allows control of which implementation of ECC is in use.

    When the system property, jdk.security.useLegacyECC, is explicitly set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC in the command line. Setting the option to true or the empty string is not recommended.

    If the option is set to "false", or if it is not specified at all, the provider decides which implementation of ECC is used. This is the recommended setting, as the JDK will use modern and timing resistant implementations of the NIST secp256r1, secp384r1, and secp521r1 curves. For more information on which curves are recommended and which are legacy, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC.

    JDK-8224499 (not public)

    core-libs/java.util
    Changed Properties.loadFromXML to Comply with Specification
    The implementation of the java.util.Properties.loadFromXML method has been changed to comply with its specification. Specifically, the underlying XML parser implementation now rejects non-compliant XML documents by throwing an InvalidPropertiesFormatException as specified by the loadFromXML method.

    The effect of the change is as follows:

    Documents created by Properties.storeToXML: No change. Properties.loadFromXML will have no problem reading such files.

    Documents not created by Properties.storeToXML: Any documents containing DTDs not in the format as specified in Properties.loadFromXML will be rejected. This means the DTD shall be exactly as follows (as generated by the Properties.storeToXML method):

    <!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">

    core-libs/java.lang
    Runtime.exec and ProcessBuilder Argument Restrictions
    Runtime.exec and ProcessBuilder have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager.

    In applications where there is no security manager, there is no change in the default behavior and the new restrictions are opt-in. To enable the restrictions, set the system property jdk.lang.Process.allowAmbiguousCommands to false.

    In applications where there is a security manager, the new restrictions are opt-out. To revert to the previous behavior, set the system property jdk.lang.Process.allowAmbiguousCommands to true.

    When applications that run with a security manager use Runtime.exec or ProcessBuilder to invoke .bat or .cmd files, or commands whose names do not end in ".exe", the characters accepted in arguments may be more restricted if the arguments contain a double quote, "&", "|", "<", ">", or "^". The arguments passed to applications may be quoted differently than in previous versions.

    For .exe programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. In the case where the entire argument has been passed with quotes or must be quoted to encode special characters including space and tab, the encoding ensures they are passed to the application correctly. The restrictions are enforced if there is a security manager and the jdk.lang.Process.allowAmbiguousCommands property is "false" or there is no security manager and the property is not "false".

    JDK-8221858 (not public)

    client-libs/2d
    Windows 2019 Core Server Is Not Supported
    Windows Core Server 2019 does not ship a DLL that the JDK requires in order to run. Specifically, if a Java application, including a headless one, requires awt.dll, the Java runtime will exit with an exception. There is no workaround. Until this is resolved, this Windows Server configuration is not supported.

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.5 Bug Fixes page.

    Java SE 11.0.4 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

    The following sections summarize changes made in all Java SE 11.0.4 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

    Changes in Java SE 11.0.4.0.1-oracle+1

    Please note that fixes from prior BPR are included in this version.

    Bug Fixes

    Java™ SE Development Kit 11.0.4 (JDK 11.0.4)

    July 16, 2019

    The full version string for this update release is 11.0.4+10 (where "+" means "build"). The version number is 11.0.4.

    IANA Data 2018i

    JDK 11.0.4 contains IANA time zone data version 2018i. For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.4 are specified in the following table:

    Oracle JDK Expiration Date

    The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.4) will expire with the release of the next critical patch update scheduled for October 15, 2019.

    New Features

    hotspot/runtime

    HotSpot Windows OS Detection Correctly Identifies Windows Server 2019
    Prior to this fix, Windows Server 2019 was recognized as "Windows Server 2016", which produced incorrect values in the os.name system property and the hs_err_pid file.

    Removed Features and Options

    security-libs/java.security

    Removal of Two DocuSign Root CA Certificates
    Two DocuSign root CA certificates are expired and have been removed from the cacerts keystore:

    alias name "certplusclass2primaryca [jdk]"

    Distinguished Name: CN=Class 2 Primary CA, O=Certplus, C=FR

    alias name "certplusclass3pprimaryca [jdk]"

    Distinguished Name: CN=Class 3P Primary CA, O=Certplus, C=FR

    security-libs/java.security

    Removal of Two Comodo Root CA Certificates
    Two Comodo root CA certificates are expired and have been removed from the cacerts keystore:

    alias name "utnuserfirstclientauthemailca [jdk]"

    Distinguished Name: CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

    alias name "utnuserfirsthardwareca [jdk]"

    Distinguished Name: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

    security-libs/java.security

    Removal of T-Systems Deutsche Telekom Root CA 2 Certificate
    The T-Systems Deutsche Telekom Root CA 2 certificate is expired and has been removed from the cacerts keystore:

    alias name "deutschetelekomrootca2 [jdk]"

    Distinguished Name: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE

    security-libs/java.security

    Removal of GTE CyberTrust Global Root
    The GTE CyberTrust Global Root certificate is expired and has been removed from the cacerts keystore:

    alias name "gtecybertrustglobalca [jdk]"

    Distinguished Name: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US

    Other notes

    security-libs/javax.xml.crypto

    com.sun.org.apache.xml.internal.security.ignoreLineBreaks System Property
    An Apache Santuario libraries upgrade introduces a behavioral change where Base64 encoded XML signatures may result in &#xd or &#13 being appended to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.

    An application may continue working with the encoded output data containing the carriage return character (&#xd or &#13) if the application coding logic allows such output.

    The com.sun.org.apache.xml.internal.security.ignoreLineBreaks system property may be set to a value of true if an application is unable to handle encoded output data including the carriage return character (&#xd or &#13).

    Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482.

    security-libs/javax.crypto

    System Property to Switch Between Implementations of ECC
    A new boolean system property, jdk.security.useLegacyECC, has been introduced that enables switching between implementations of ECC.

    When the system property, jdk.security.useLegacyECC, is set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC in the command line.

    If the option is explicitly set to "false", the provider decides which implementation of ECC is used.

    The default value of the option is "true". Note that the default value might change in a future update release of the JDK.

    JDK-8217763 (not public)

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.4 Bug Fixes page.

    Java SE 11.0.3 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

    The following sections summarize changes made in all Java SE 11.0.3 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

    To determine the version of your JDK software, use the following command:

    java -version

    Changes in Java SE 11.0.3+31

    Please note that fixes from prior BPR (11.0.2+32) are included in this version.

    Bug Fixes

    Java™ SE Development Kit 11.0.3 (JDK 11.0.3)

    April 16, 2019

    The full version string for this update release is 11.0.3+12 (where "+" means "build"). The version number is 11.0.3.

    IANA Data 2018g

    JDK 11.0.3 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.3 are specified in the following table:

    Oracle JDK Expiration Date

    The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.3) will expire with the release of the next critical patch update scheduled for July 16, 2019.

    New Features

    core-libs/java.util:i18n

    Square Character Support for Japanese New Era
    The code point, U+32FF, is reserved by the Unicode Consortium to represent the Japanese square character for the new era that begins from May, 2019. Relevant methods in the Character class return the same properties as the existing Japanese era characters (e.g., U+337E for "Meizi"). For details about the code point, see http://blog.unicode.org/2018/09/new-japanese-era.html.

    Known Issues

    install

    Java Access Bridge Installation Workaround
    There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64-bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32-bit Java products.

    To prevent breaking Java Access Bridge functionality, use one of the following workarounds:

  • Stop JAWS before running the Java installer.
  • Uninstall the existing JRE(s) before installing the new version of Java.
  • Uninstall the existing JRE(s) after the new version of Java is installed and the machine is rebooted.

    The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from the Java installer when JAWS is running.

    JDK-8223293 (not public)

    Changes

    security-libs/java.security

    Added GlobalSign R6 Root Certificate
    The following root certificate has been added to the cacerts truststore:

    GlobalSign globalsignrootcar6

    DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6

    security-libs/javax.net.ssl

    Distrust TLS Server Certificates Anchored by Symantec Root CAs
    The JDK will stop trusting TLS Server certificates issued by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec.

    TLS Server certificates issued on or before April 16, 2019 will continue to be trusted until they expire. Certificates issued after that date will be rejected. See the DigiCert support page for information on how to replace your Symantec certificates with a DigiCert certificate (DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates on December 1, 2017).

    An exception to this policy is that TLS Server certificates issued through two subordinate Certificate Authorities managed by Apple, and identified below, will continue to be trusted as long as they are issued on or before December 31, 2019.

    The restrictions are enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below.

    An application will receive an Exception with a message indicating that the trust anchor is not trusted, for example:

    "TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US"

    If necessary, and at your own risk, you can work around the restrictions by removing "SYMANTEC_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

    The restrictions are imposed on the following Symantec Root certificates included in the JDK:

    Root Certificates distrusted after 2019-04-16

    CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US

    5E:DB:7A:C4:3B:82:A0:6A:87:61:E8:D7:BE:49:79:EB:F2:61:1F: 7D:D7:9B:F9:1C:1C:6B:56:6A:21:9E:D7:66

    CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US

    B4:78:B8:12:25:0D:F8:78:63:5C:2A:A7:EC:7D:15:5E:AA:62:5E: E8:29:16:E2:CD:29:43:61:88:6C:D1:FB:D4

    CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US

    A0:45:9B:9F:63:B2:25:59:F5:FA:5D:4C:6D:B3:F9:F7:2F:F1:93: 42:03:35:78:F0:73:BF:1D:1B:46:CB:B9:12

    CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

    8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A: 97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F

    CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US

    A4:31:0D:50:AF:18:A6:44:71:90:37:2A:86:AF:AF:8B:95:1F:FB: 43:1D:83:7F:1E:56:88:B4:59:71:ED:15:57

    CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

    4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C: 06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C

    EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

    3F:9F:27:D5:83:20:4B:9E:09:C8:A3:D2:06:6C:4B:57:D3:A2:47: 9C:36:93:65:08:80:50:56:98:10:5D:BC:E9

    OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

    3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F: D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1

    OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

    A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09: CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05

    OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

    83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E: DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B

    CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1: B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44

    CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60: 32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79

    CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99: 89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF

    CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5: C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C

    If you have a TLS Server certificate issued by one of the CAs above, you should have received a message from DigiCert with information about replacing that certificate, free of charge.

    You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

    keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

    If any of the certificates in the chain listed in the output are issued by one of the root CAs in the table above, you will need to update the certificate, or contact the organization that manages the server if it is not yours.

    core-libs/java.time

    New Japanese Era Name Reiwa
    An instance representing the new Reiwa era has been added to this update. Unlike other eras, there is no public field for this era. It can be obtained by calling JapaneseEra.of(3) or JapaneseEra.valueOf("Reiwa"). JDK 13 and later will have a new public field to represent this era.

    The placeholder name, "NewEra", for the Japanese era that started from May 1st, 2019 has been replaced with the new official name. Applications that relied on the placeholder name (see JDK-8202088) to obtain the new era singleton (JapaneseEra.valueOf("NewEra")) will no longer work.

    core-libs/java.time

    Support New Japanese Era in java.time.chrono.JapaneseEra
    The JapaneseEra class and its of(int), valueOf(String), and values() methods are clarified to accommodate future Japanese era additions, such as how the singleton instances are defined, what the associated integer era values are, etc.

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.3 Bug Fixes page.

    Java SE 11.0.2 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

    The following sections summarize changes made in all Java SE 11.0.2 Advanced BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

    To determine the version of your JDK software, use the following command:

    java -version

    Changes in Java SE 11.0.2+32

    Bug Fixes

    client-libs java.awt Exception in thread "AWT-EventQueue-1" java.lang.IllegalArgumentException: null source
    8204142 client-libs java.awt AWT hang occurs when sequenced events arrive out of sequence in multiple AppContexts.
    tools javac c.s.t.javac.code.DeferredCompletionFailureHandler seems to use WeakHashMap incorrectly
    8179098 security-libs javax.crypto Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
    8211765 core-libs java.util.jar JarFile constructor throws undocumented java.nio.file.InvalidPathException
    8211698 hotspot compiler Crash in C2 compiled code during execution of double array heavy processing code
    8210483 tools javac AssertionError in DeferredAttr at setOverloadKind caused by JDK-8203679
    8215398 hotspot runtime -Xlog option usage => Invalid decorator '\temp\app_cds.log'.
    8220165 security-libs javax.crypto Encryption using GCM results in RuntimeException: input length out of bound
    8201633 security-libs javax.crypto Problems with AES-GCM native acceleration
    8201317 security-libs javax.crypto X25519/X448 code improvements
    8208648 security-libs javax.crypto ECC Field Arithmetic Enhancements

    Java™ SE Development Kit 11.0.2 (JDK 11.0.2)

    January 15, 2019

    The full version string for this update release is 11.0.2+9 (where "+" means "build"). The version number is 11.0.2.

    IANA Data 2018g

    JDK 11.0.2 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.2 are specified in the following table:

    Oracle JDK Expiration Date

    The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.2) will expire with the release of the next critical patch update scheduled for April 16, 2019.

    Known Issues

    client-libs

    GTK+ 3.20 and Later Unsupported by Swing
    Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore, Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release.

    See JDK-8219072

    Changes

    security-libs/javax.net.ssl

    TLS anon and NULL Cipher Suites are Disabled
    The TLS anon (anonymous) and NULL cipher suites have been added to the jdk.tls.disabledAlgorithms security property and are now disabled by default.

    See JDK-8211883

    hotspot/runtime

    Linux Native Code Checks
    Additional safeguards to protect against buffer overruns in native code have been enabled on Linux. If a buffer overrun is encountered the system will write the message “stack smashing detected” and the program will exit. Issues of this type should be reported to your vendor.

    JDK-8196902 (not public)

    security-libs/javax.net.ssl

    Enable Java Access Bridge Check Box Option in Control Panel Is Not Available with JDK 11 Installer
    The Java Access Bridge checkbox in the Windows Control Panel is not available in JDK 11. This registration was part of the public JRE installation. However, Java Access Bridge can still be enabled and disabled by following these steps:

  • Copy %JAVAHOME%\bin\windowsaccessbridge-64.dll to %WINDOWSHOME%\SYSTEM32. A reboot might be required after this step.
  • Run %JAVAHOME%\bin\jabswitch /enable and %JAVAHOME%\bin\jabswitch /disable.

    Notes:

  • %WINDOWSHOME% is the directory where Microsoft Windows is installed (for example, C:\WINDOWS)
  • %JAVAHOME% is the directory where your JDK is installed (for example, C:\Program Files\Java\jdk-11)

    See JDK-8208637

    Bug Fixes

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.2 Bug Fixes page.

    Java™ SE Development Kit 11.0.1 (JDK 11.0.1)

    October 16, 2018

    The full version string for this update release is 11.0.1+13 (where "+" means "build"). The version number is 11.0.1.

    IANA Data 2018e

    JDK 11.0.1 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.

    Security Baselines

    The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.1 are specified in the following table:

    Oracle JDK Expiration Date

    The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.1) will expire with the release of the next critical patch update scheduled for January 15, 2019.

    Changes

    security-libs/java.security
    Added Additional TeliaSonera Root Certificate

    The following root certificate has been added to the OpenJDK cacerts truststore:

    TeliaSonera

    teliasonerarootcav1

    DN: CN=TeliaSonera Root CA v1, O=TeliaSonera

    core-libs/javax.naming
    Improve LDAP support

    Endpoint identification has been enabled on LDAPS connections.

    To improve robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

    Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

    Define this system property (or set it to true) to disable endpoint identification algorithms.

    JDK-8200666 (not public)

    core-svc
    Changed Central File System Location for usagetracker.properties File

    The file system location in Windows for the usagetracker.properties file has been moved from %ProgramData%\Oracle\Java\ to %ProgramFiles%\Java\conf.

    There is no change in the file path for Linux, Solaris, or macOS.

    JDK-8204901 (not public)

    security-libs/javax.net.ssl
    Problem looking up Client Certificates in keystore

    Prior to JDK 8u261, the JSSE framework passed an array of Strings of all key types in one call to the (delegate) javax.net.ssl.X509KeyManager.chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) implementation when client authentication is present in an application. Since JDK 8u261, the internal JDK libraries may call the delegate javax.net.ssl.X509KeyManager.chooseClientAlias method in multiple iterations while performing client authentication, with one key type per call. See https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509KeyManager.html#chooseClientAlias-java.lang.String:A-java.security.Principal:A-java.net.Socket-

    If application code implements javax.net.ssl.X509KeyManager, ensure that the code logic in that implementation does not assume that all key types are passed in the keyType String array in the first call to chooseClientAlias:

    String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
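
    The following is an added example, not code from the JDK or from Oracle, of an X509KeyManager written for both calling patterns described above: chooseClientAlias decides only from the key types carried by the current call. The class name PerCallKeyManager, the alias allow-list and the aliases used in main are hypothetical.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import javax.net.ssl.X509KeyManager;

// Hypothetical wrapper: restricts client aliases to an allow-list and delegates everything else.
public final class PerCallKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final Set<String> allowed;
    PerCallKeyManager(X509KeyManager delegate, Set<String> allowed) {
        this.delegate = delegate;
        this.allowed = allowed;
    }

    // Uses only the key types of this call; keeps no state and never assumes the array is complete.
    static String pick(String[] keyType, Function<String, String[]> aliasesFor, Set<String> allowed) {
        if (keyType == null) return null;
        for (String type : keyType) {
            String[] aliases = aliasesFor.apply(type);
            if (aliases == null) continue;
            for (String alias : aliases) {
                if (allowed.contains(alias)) return alias;
            }
        }
        return null; // no match for this call; a later call may carry another key type
    }

    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return pick(keyType, t -> delegate.getClientAliases(t, issuers), allowed);
    }
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    public static void main(String[] args) {
        // Constructed key store contents: key type -> aliases.
        Map<String, String[]> store = Map.of("EC", new String[] {"ec-client"}, "RSA", new String[] {"rsa-client"});
        Set<String> allowed = Set.of("rsa-client");
        System.out.println("all key types in one call: " + pick(new String[] {"EC", "RSA"}, store::get, allowed));
        System.out.println("per-call, EC only: " + pick(new String[] {"EC"}, store::get, allowed));
        System.out.println("per-call, RSA only: " + pick(new String[] {"RSA"}, store::get, allowed));
    }
}
```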

    security-libs/javax.net.ssl
    Disabled All DES TLS Cipher Suites

    DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the jdk.tls.disabledAlgorithms security property. These cipher suites can be reactivated by removing "DES" from the jdk.tls.disabledAlgorithms security property in the java.security file or by dynamically calling the Security.setProperty() method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the SSLSocket.setEnabledCipherSuites() or SSLEngine.setEnabledCipherSuites() methods.

    Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the jdk.tls.disabledAlgorithms security property.
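
    To confirm that a given runtime still has these defaults in effect, the added example below (not part of the release notes) reads jdk.tls.disabledAlgorithms and reports any anon, NULL or DES suites among the default-enabled suites; it covers both this note and the TLS anon and NULL note for JDK 11.0.2. The class name, the name-fragment matching and the sample suite list are assumptions made for the example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class WeakSuiteAudit {
    // Name fragments of the suite families these notes disable; "_3DES_" is deliberately not matched.
    static final String[] WEAK_FRAGMENTS = {"_anon_", "_NULL_", "_DES_", "_DES40_"};

    // Returns the suites whose standard name places them in one of those families.
    static List<String> weakSuites(String[] suites) {
        List<String> hits = new ArrayList<>();
        for (String suite : suites) {
            for (String fragment : WEAK_FRAGMENTS) {
                if (suite.contains(fragment)) { hits.add(suite); break; }
            }
        }
        return hits;
    }

    // Splits a comma-separated security property value into its trimmed entries.
    static Set<String> entries(String property) {
        Set<String> out = new LinkedHashSet<>();
        if (property != null) {
            for (String e : property.split(",")) out.add(e.trim());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Set<String> disabled = entries(Security.getProperty("jdk.tls.disabledAlgorithms"));
        for (String id : new String[] {"anon", "NULL", "DES"}) {
            System.out.println(id + " listed in jdk.tls.disabledAlgorithms: " + disabled.contains(id));
        }
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        System.out.println("weak suites enabled by default: " + weakSuites(enabled));

        // Constructed sample of a suite list an application might pass to setEnabledCipherSuites().
        String[] configured = {"TLS_AES_128_GCM_SHA256", "SSL_RSA_WITH_DES_CBC_SHA",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_NULL_SHA256"};
        System.out.println("weak suites in sample list: " + weakSuites(configured));
    }
}
```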

    security-libs/javax.crypto
    Improved Cipher Inputs

    The specification of javax.crypto.CipherInputStream has been clarified to indicate that this class may catch BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client may not be informed that integrity checks failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (e.g. GCM). Applications that require authenticated encryption can use the Cipher API directly as an alternative to using this class.

    JDK-8201756 (not public)
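
    As an added illustration of the alternative named above (not code from the release notes or the JDK), the class below decrypts AES-GCM through the Cipher API directly, so a failed integrity check reaches the caller as AEADBadTagException from doFinal. The class name, key and IV handling, associated data and sample message are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class GcmDirect {
    static final int TAG_BITS = 128, IV_BYTES = 12;

    static byte[] encrypt(SecretKey key, byte[] iv, byte[] aad, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);
        return c.doFinal(plain); // ciphertext followed by the authentication tag
    }

    // Returns plaintext only if the tag verifies; otherwise doFinal throws AEADBadTagException.
    static byte[] decrypt(SecretKey key, byte[] iv, byte[] aad, byte[] ct) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv); // a fresh IV is needed for every message under the same key
        byte[] aad = "header-v1".getBytes(StandardCharsets.UTF_8);
        byte[] ct = encrypt(key, iv, aad, "constructed sample message".getBytes(StandardCharsets.UTF_8));

        System.out.println(new String(decrypt(key, iv, aad, ct), StandardCharsets.UTF_8));

        byte[] tampered = ct.clone();
        tampered[0] ^= 0x01; // flip one ciphertext bit
        try {
            decrypt(key, iv, aad, tampered);
            System.out.println("tampered ciphertext was accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tampered ciphertext rejected: " + e.getMessage());
        }
    }
}
```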

    Bug Fixes

    The following are some of the notable bug fixes included in this release:

    core-libs/javax.naming

    LDAPS Communication Failure
    Application code using LDAPS with a socket connect timeout that is <= 0 (the default value) may encounter an exception when establishing the connection.

    The topmost frames from exception stack traces of applications encountering such issues might resemble the following:

    javax.naming.ServiceUnavailableException: <server:port>; socket closed
        at com.sun.jndi.ldap.Connection.readReply(Unknown Source)
        at com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)

    See JDK-8211107

    core-libs/java.net

    Better HTTP Redirection Support
    In this release, the behavior of methods which application code uses to set request properties in java.net.HttpURLConnection has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects. If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling HttpURLConnection.setInstanceFollowRedirects(false) for the original request.

    JDK-8196902 (not public)
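
    One way for an application to handle redirect responses itself, as an added example rather than code from the JDK: automatic following is switched off and each hop is requested explicitly, so the application decides which hops receive its request properties. The policy of re-sending them only to the original server, the class name and the two loopback test servers are assumptions; the second server listens on a different port and so does not receive the Authorization property.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.*;
import java.util.Map;

public class ManualRedirect {
    // Assumed policy: same scheme and authority only; the strict string comparison fails closed.
    static boolean sameServer(URL a, URL b) {
        return a.getProtocol().equals(b.getProtocol()) && a.getAuthority().equalsIgnoreCase(b.getAuthority());
    }

    static HttpURLConnection fetch(URL start, Map<String, String> props, int maxHops) throws IOException {
        URL current = start;
        for (int hop = 0; hop <= maxHops; hop++) {
            if (!current.getProtocol().matches("https?")) throw new ProtocolException("scheme: " + current);
            HttpURLConnection c = (HttpURLConnection) current.openConnection();
            c.setInstanceFollowRedirects(false); // the application handles redirect responses itself
            if (sameServer(start, current)) props.forEach(c::setRequestProperty);
            int code = c.getResponseCode();
            String location = c.getHeaderField("Location");
            if (code < 300 || code > 399 || location == null) return c;
            current = new URL(current, location); // resolves relative Location values
        }
        throw new ProtocolException("more than " + maxHops + " redirects");
    }

    public static void main(String[] args) throws Exception {
        // Constructed loopback servers on different ports stand in for two different servers.
        HttpServer target = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        target.createContext("/", ex -> {
            byte[] body = ("Authorization received: " + ex.getRequestHeaders().containsKey("Authorization")).getBytes();
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        HttpServer first = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        first.createContext("/", ex -> {
            ex.getResponseHeaders().add("Location", "http://127.0.0.1:" + target.getAddress().getPort() + "/");
            ex.sendResponseHeaders(302, -1);
            ex.close();
        });
        target.start();
        first.start();
        URL start = new URL("http://127.0.0.1:" + first.getAddress().getPort() + "/");
        HttpURLConnection c = fetch(start, Map.of("Authorization", "Bearer constructed-token"), 5);
        System.out.println(new String(c.getInputStream().readAllBytes()));
        first.stop(0);
        target.stop(0);
    }
}
```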

    This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.1 Bug Fixes page.

    JDK 11 Documentation

    The Java Platform, Standard Edition 11 Development Kit (JDK 11) is a feature release of the Java SE platform. It contains new features and enhancements in many functional areas.

    You can use the links on this page to open the Release Notes describing important changes, enhancements, removed APIs and features, deprecated APIs and features, and other information about JDK 11 and Java SE 11.

    Links to other sources of information about JDK 11 are also provided. The JDK Guides and Reference Documentation link below displays a page containing links to the user guides, troubleshooting information, and specific information of interest to users moving from previous versions of the JDK. Links to the JDK 11 API Specification and the Java Language and Virtual Machine Specifications are provided below in the JDK 11 Specifications group.

    Note: The Release Notes files are located only on our website.

  • JDK 11 Release Notes
  • JDK and JRE README
  • JDK Guides and Reference Documentation
  • JDK 11 Specifications:

  • JDK 11 API Specification
  • Java Language and Virtual Machine Specifications
  • JDK and JRE Certified System Configurations

    JDK and JRE Supported Locales

    Submitting a Bug Report and Available Support Options