Consolidated JDK 11 Release Notes
source link: https://www.oracle.com/java/technologies/javase/11all-relnotes.html
Consolidated Release Notes
This page contains all of the release notes for General Availability (GA) releases and Bundled Patch Release (BPR) builds of JDK 11.
BPR builds are available only as commercial offerings to Oracle customers. They include fixes critical to customers that could not wait until the next scheduled release. Fixes introduced on BPRs are added to later GA releases.
- JDK 11.0.15 (GA and BPR builds)
- JDK 11.0.14 (GA and BPR builds)
- JDK 11.0.13 (GA and BPR builds)
- JDK 11.0.12 (GA and BPR builds)
- JDK 11.0.11 (GA and BPR builds)
- JDK 11.0.10 (GA and BPR builds)
- JDK 11.0.9 (GA and BPR builds)
- JDK 11.0.8 (GA and BPR builds)
- JDK 11.0.7 (GA and BPR builds)
- JDK 11.0.6 (GA and BPR builds)
- JDK 11.0.5 (GA and BPR builds)
- JDK 11.0.4 (GA and BPR builds)
- JDK 11.0.3 (GA and BPR builds)
- JDK 11.0.2 (GA and BPR builds)
- JDK 11.0.1 (GA)
- JDK 11 (GA)
Java SE 11.0.15 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.15 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 11.0.15.0.1-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8221741 client-libs 2d ClassCastException can happen when fontconfig.properties is used
JDK-8212904 client-libs javax.swing JTextArea line wrapping incorrect when using UI scale
JDK-8282583 xml jaxp Update BCEL md to include the copyright notice
JDK-8283350 core-libs java.time (tz) Update Timezone Data to 2022a
Java™ SE Development Kit 11.0.15 (JDK 11.0.15)
April 19, 2022
The full version string for this update release is 11.0.15+8 (where "+" means "build"). The version number is 11.0.15.
IANA TZ Data 2021e
For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.15 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
11    11.0.15+8
8    8u331-b09
7    7u341-b08
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.15) be used after the next critical patch update scheduled for July 19, 2022.
New Features
SunPKCS11 provider is enhanced to support the following crypto services and algorithms when the underlying PKCS11 library supports the corresponding PKCS#11 mechanisms:
ChaCha20 KeyGenerator <=> CKM_CHACHA20_KEY_GEN mechanism
CHACHA20-POLY1305 Cipher <=> CKM_CHACHA20_POLY1305 mechanism
CHACHA20-POLY1305 AlgorithmParameters <=> CKM_CHACHA20_POLY1305 mechanism
CHACHA20 SecretKeyFactory <=> CKM_CHACHA20_POLY1305 mechanism
New TLS cipher suites using the ChaCha20-Poly1305 algorithm have been added to JSSE. These cipher suites are enabled by default. The TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3. The following cipher suites are available for TLS 1.2:
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for details on these new TLS cipher suites.
Three processing limits have been added to the XML libraries. These are:
jdk.xml.xpathExprGrpLimit
Description: Limits the number of groups an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10.
jdk.xml.xpathExprOpLimit
Description: Limits the number of operators an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 100.
jdk.xml.xpathTotalOpLimit
Description: Limits the total number of XPath operators in an XSL Stylesheet.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10000.
Supported processors
- jdk.xml.xpathExprGrpLimit and jdk.xml.xpathExprOpLimit are supported by the XPath processor.
- All three limits are supported by the XSLT processor.
Setting properties
For the XSLT processor, the properties can be changed through the TransformerFactory. For example,
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");
For both the XPath and XSLT processors, the properties can be set through the system property and jaxp.properties configuration file located in the conf directory of the Java installation. For example,
System.setProperty("jdk.xml.xpathExprGrpLimit", "20");
or in the jaxp.properties file,
jdk.xml.xpathExprGrpLimit=20
There are two known issues:
- An XPath expression that contains a short form of the parent axis ".." can return incorrect results. See JDK-8284920 for details.
- An invalid XPath expression that ends with a relational operator such as ‘<’ ‘>’ and ‘=’ will cause the processor to erroneously throw StringIndexOutOfBoundsException instead of XPathExpressionException. See JDK-8284548 for details.
Other Notes
On macOS, only certificates with proper trust settings in the user keychain will be exposed as trusted certificate entries in the KeychainStore type of keystore. Also, calling the KeyStore::setCertificateEntry method or the keytool -importcert command on a KeychainStore keystore now fails with a KeyStoreException. Instead, call the macOS "security add-trusted-cert" command to add a trusted certificate into the user keychain.
The parsing of URLs in the LDAP, DNS, and RMI built-in JNDI providers has been made more strict. The strength of the parsing can be controlled by system properties:
-Dcom.sun.jndi.ldapURLParsing="legacy" | "compat" | "strict" (to control "ldap:" URLs)
-Dcom.sun.jndi.dnsURLParsing="legacy" | "compat" | "strict" (to control "dns:" URLs)
-Dcom.sun.jndi.rmiURLParsing="legacy" | "compat" | "strict" (to control "rmi:" URLs)
The default value is "compat" for all of them.
- The "legacy" mode turns the new validation off.
- The "compat" mode limits incompatibilities.
- The "strict" mode is stricter and may cause regression by rejecting URLs that an application might consider as valid.
If an illegal URL string is found, a javax.naming.NamingException (or a subclass of it) is raised.
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.15 Bug Fixes page.
Java SE 11.0.14 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.14 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 11.0.14.0.2-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8218546 core-libs java.net Unable to connect to https://google.com using java.net.HttpClient
JDK-8270874 client-libs 2d JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
Changes in Java SE 11.0.14.0.1-oracle
Fixes from the prior BPR are included in this version.
Java™ SE Development Kit 11.0.14 (JDK 11.0.14)
January 18, 2022
The full version string for this update release is 11.0.14+8 (where "+" means "build"). The version number is 11.0.14.
IANA TZ Data 2021b, 2021c, 2021d, 2021e
- Jordan now starts DST on February's last Thursday.
- Samoa no longer observes DST.
- Merge more location-based Zones whose timestamps agree since 1970.
- Move some backward-compatibility links to 'backward'.
- Rename Pacific/Enderbury to Pacific/Kanton.
- Correct many pre-1993 transitions in Malawi, Portugal, etc.
- zic now creates each output file or link atomically.
- zic -L no longer omits the POSIX TZ string in its output.
- zic fixes for truncation and leap second table expiration.
- zic now follows POSIX for TZ strings using all-year DST.
- Fix some localtime crashes and bugs in obscure cases.
- zdump -v now outputs more-useful boundary cases.
- tzfile.5 better matches a draft successor to RFC 8536.
- A new file SECURITY.
- Revert most 2021b changes to 'backward'.
- Fix 'zic -b fat' bug in pre-1970 32-bit data.
- Fix two Link line typos.
- Distribute SECURITY file.
This release is intended as a bugfix release, to fix compatibility problems and typos reported since 2021b was released.
- Fiji suspends DST for the 2021/2022 season.
- 'zic -r' marks unspecified timestamps with "-00".
- Palestine will fall back 10-29 (not 10-30) at 01:00.
For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.14 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
11    11.0.14+8
8    8u321-b07
7    7u331-b06
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.14) be used after the next critical patch update scheduled for April 19, 2022.
New Features
SunPKCS11 provider adds new provider configuration attributes to better control native resources usage. The SunPKCS11 provider consumes native resources in order to work with native PKCS11 libraries. To manage and better control the native resources, additional configuration attributes are added to control the frequency of clearing native references as well as whether to destroy the underlying PKCS11 Token after logout.
The 3 new attributes for SunPKCS11 provider configuration file are:
- destroyTokenAfterLogout (boolean, defaults to false)
  If set to true, when java.security.AuthProvider.logout() is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout() calls. Note that a PKCS11 provider with this attribute set to true should not be added to the system provider list since the provider object is not usable after a logout() method call.
- cleaner.shortInterval (integer, defaults to 2000, in milliseconds)
  This defines the frequency for clearing native references during a busy period (that is, how often the cleaner thread processes the no-longer-needed native references in the queue to free up native memory). Note that the cleaner thread will switch to the 'longInterval' frequency after 200 failed tries (that is, when no references are found in the queue).
- cleaner.longInterval (integer, defaults to 60000, in milliseconds)
  This defines the frequency for checking native references during a non-busy period (that is, how often the cleaner thread checks the queue for native references). Note that the cleaner thread will switch back to the 'shortInterval' value if native PKCS11 references for cleaning are detected.
Removed Features and Options
The following root certificate from Google has been removed from the cacerts keystore:
+ alias name "globalsignr2ca [jdk]"
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
Other Notes
IANA Time Zone Database, on which JDK's Date/Time libraries are based, has made a tweak to some time zone rules since 2021c. Note that since this update, some of the time zone rules prior to the year 1970 have been modified according to the changes which were introduced with 2021b. For more detail, refer to the announcement of 2021b.
A new JNDI environment property “com.sun.jndi.ldap.tls.cbtype” has been added to enable TLS Channel Binding data in LDAP authentication over SSL/TLS protocol to the Windows AD server. A possible value is “tls-server-end-point” - Channel Binding data is created on the basis of the TLS server certificate. See the module description of the java.naming module.
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.14 Bug Fixes page.
Java SE 11.0.13 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.13 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 11.0.13.0.3-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8278069 tools javadoc(tool) JQuery v3.4.1 references still exists in Oracle JDK 11.0.13
JDK-8275766 core-libs java.time (tz) Update Timezone Data to 2021e
Changes in Java SE 11.0.13.0.2-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8239334 client-libs javax.swing Tab Size does not work correctly in JTextArea with setLineWrap on
Changes in Java SE 11.0.13.0.1-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8263773 infrastructure build Reenable German localization for builds at Oracle
Java™ SE Development Kit 11.0.13 (JDK 11.0.13)
October 19, 2021
The full version string for this update release is 11.0.13+10 (where "+" means "build"). The version number is 11.0.13.
IANA TZ Data 2021a
For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.13 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
11    11.0.13+10
8    8u311-b11
7    7u321-b08
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.13) be used after the next critical patch update scheduled for January 18, 2022.
New Features
Allow applications to configure context-specific and dynamically-selected deserialization filters via a JVM-wide filter factory that is invoked to select a filter for each deserialization stream. The behavior is a strict subset of JEP 415: Context-Specific Deserialization Filters to allow a filter factory to be configured using a property configured on the command line or in the security properties file.
The behavior is opt-in based on the presence of the jdk.serialFilterFactory system property on the command line or the jdk.serialFilterFactory security property. If set, the JVM-wide filter factory selects the filter for each stream when the stream is constructed and when a stream-specific filter is set.
The JVM-wide filter factory is a java.util.function.BinaryOperator<java.io.ObjectInputFilter> function invoked when each ObjectInputStream is constructed and when the stream-specific filter is set using ObjectInputStream.setObjectInputFilter(ObjectInputFilter). The parameters are the current filter and a requested filter and the function returns the filter to be used for the stream. When invoked from the ObjectInputStream constructors, the first parameter is null and the second parameter is the static JVM-wide filter. When invoked from ObjectInputStream.setObjectInputFilter, the first parameter is the filter currently set on the stream (which was set in the constructor), and the second parameter is the filter given to ObjectInputStream.setObjectInputFilter.
A typical filter factory should use or merge the static JVM-wide filter with other application and context specific filters and the stream-specific filter, if one is set on the stream. The filter factory implementation can also use any contextual information at its disposal, for example, extracted from the application thread context, or its call stack, to compose and combine a new filter. It is not restricted to only use its two parameters.
Refer to Context-Specific Deserialization Filter and Serialization Filtering Guide for details.
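The following is an added example, not code from the release notes or the JDK: a filter factory that merges the current and requested filters so that a stream-specific filter can never override a rejection made by the JVM-wide filter. The class name MergingFilterFactory, the filter patterns, and the assumption that the property value is the factory's class name (as in JEP 415) are illustrative; main() calls the factory directly in the order the notes describe, so it runs without setting the property.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.Status;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.function.BinaryOperator;

// Hypothetical factory class (the name is an assumption). It would be registered with
// -Djdk.serialFilterFactory=MergingFilterFactory, assuming the property value is the
// factory's class name as in JEP 415.
public class MergingFilterFactory implements BinaryOperator<ObjectInputFilter> {

    @Override
    public ObjectInputFilter apply(ObjectInputFilter current, ObjectInputFilter requested) {
        // Constructor call: current is null, requested is the static JVM-wide filter.
        if (current == null) return requested;
        if (requested == null) return current;
        // setObjectInputFilter call: keep the filter already on the stream in force,
        // so the stream-specific filter can narrow it but never undo a rejection.
        return info -> {
            Status first = current.checkInput(info);
            if (first == Status.REJECTED) return Status.REJECTED;
            Status second = requested.checkInput(info);
            if (second == Status.REJECTED) return Status.REJECTED;
            return (first == Status.ALLOWED || second == Status.ALLOWED)
                    ? Status.ALLOWED : Status.UNDECIDED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Deserializes data under the given filter and reports the outcome as text.
    static String read(byte[] data, ObjectInputFilter filter) {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        BinaryOperator<ObjectInputFilter> factory = new MergingFilterFactory();

        // Constructed sample filters: the JVM-wide one blocks HashMap, the
        // stream-specific one tries to allow everything in java.util.
        ObjectInputFilter jvmWide =
                ObjectInputFilter.Config.createFilter("maxdepth=10;!java.util.HashMap");
        ObjectInputFilter streamFilter =
                ObjectInputFilter.Config.createFilter("java.util.*");

        // Same call order the JVM uses: once at construction, once at setObjectInputFilter.
        ObjectInputFilter atConstruction = factory.apply(null, jvmWide);
        ObjectInputFilter effective = factory.apply(atConstruction, streamFilter);

        List<String> list = new ArrayList<>(List.of("a", "b"));
        HashMap<String, String> map = new HashMap<>();
        map.put("k", "v");

        System.out.println("ArrayList, merged filter:      " + read(serialize(list), effective));
        System.out.println("HashMap, merged filter:        " + read(serialize(map), effective));
        System.out.println("HashMap, stream filter alone:  " + read(serialize(map), streamFilter));
    }
}
```

The last line of output shows what the merge prevents: with only the stream-specific filter in force, the class blocked by the JVM-wide filter is accepted.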
Removed Features and Options
The following root certificate from IdenTrust has been removed from the cacerts keystore:
+ alias name "identrustdstx3 [jdk]"
Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
The experimental Java-based JIT compiler, Graal JEP317, has been removed. Attempting to use it produces a JVMCI error: JVMCI compiler 'graal' not found.
The Java Ahead-of-Time compilation experimental tool jaotc has been removed. Using HotSpot VM AOT options defined by JEP295 produces an "Unrecognized VM option" error on VM initialization.
Developers who wish to test the Graal compiler for either AOT or JIT compilation should use GraalVM.
Other Notes
This release doesn't correctly identify Windows 11. The property os.name is set to Windows 10 on Windows 11. In HotSpot error logs, the OS is identified as Windows 10; however, the HotSpot error log does show the Build number. Windows 11 has Build 22000.194 or above.
On the Linux platform, the names of JDK packages provided by Java RPM and DEB installers have been changed. Names of JDK packages follow the jdk-<feature_release_version> pattern instead of the jdk-<update_release_version> pattern that was previously used. For example, the new names of JDK 11, 16, and 17 packages are jdk-11, jdk-16, and jdk-17 respectively.
The change to package names disables side-by-side installation of multiple JDKs of the same release family. Only one JDK per release family can be installed on a system with RPM and DEB installers.
If a user wants to have multiple update releases from the same family, the user must download the tar.gz bundles.
The default priority order of the cipher suites for TLS 1.0 to TLS 1.3 has been adjusted.
For TLS 1.3, TLS_AES_256_GCM_SHA384 is now preferred over TLS_AES_128_GCM_SHA256.
For TLS 1.0 to TLS 1.2, some of the intermediate suites have been lowered in priority as follows:
- Cipher suites that do not preserve forward secrecy have been moved lower in priority than those that do support forward secrecy.
- Cipher suites that use SHA-1 have been moved lower in priority.
The scope of the com.sun.jndi.ldap.object.trustSerialData system property has been extended to control the deserialization of java objects from the javaReferenceAddress LDAP attribute. This system property now controls the deserialization of java objects from the javaSerializedData and javaReferenceAddress LDAP attributes.
To prevent deserialization of java objects from these attributes, the system property can be set to false. By default, the deserialization of java objects from javaSerializedData and javaReferenceAddress attributes is allowed.
This release doesn't correctly identify Windows Server 2022. The property os.name is set to Windows Server 2019 on Windows Server 2022. In HotSpot error logs the OS is identified as Windows Server 2019; however, the HotSpot error log does show the Build number. Windows Server 2022 has Build 20348, or above.
The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Before this change, when such a library was configured for NSS in non-FIPS mode, the SunPKCS11 provider would throw a RuntimeException with the message "FIPS flag set for non-internal module".
This change allows the JDK to work properly with recent NSS releases in GNU/Linux operating systems when the system-wide FIPS policy is turned on.
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.13 Bug Fixes page.
Java SE 11.0.12 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.12 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 11.0.12.0.3-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8263773 infrastructure build Reenable German localization for builds at Oracle
JDK-8240256 security-libs javax.crypto:pkcs11 Better resource cleaning for SunPKCS11 Provider
JDK-8245511 hotspot gc G1 adaptive IHOP does not account for reclamation of humongous objects by young GC
JDK-8246274 hotspot gc G1 old gen allocation tracking is not in a separate class
Changes in Java SE 11.0.12.0.2-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8259886 security-libs javax.net.ssl Improve SSL session cache performance and scalability
Changes in Java SE 11.0.12.0.1-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8268347 hotspot compiler C2: nested locks optimization may create unbalanced monitor enter/exit code
JDK-8269304 hotspot compiler Regression ~5% in 2005 in b27
JDK-8266653 (Confidential) install install Change update mode for JDK rpm/deb installers as it breaks "yum update" for JDK11+
JDK-8260680 tools jshell PipedOutputStream.write in a JShell throws error "pipe closed"
JDK-8247403 tools jshell JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder
Java™ SE Development Kit 11.0.12 (JDK 11.0.12)
July 20, 2021
The full version string for this update release is 11.0.12+8 (where "+" means "build"). The version number is 11.0.12.
IANA TZ Data 2021a
JDK 11.0.12 contains IANA time zone data 2021a.
For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.12 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
11    11.0.12+8
8    8u301-b09
7    7u311-b07
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.12) be used after the next critical patch update scheduled for October 19, 2021.
New Features
The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments.
By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms.
New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security file.
Also, support for the following SHA-2 based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256
Removed Features and Options
The following root certificates with weak 1024-bit RSA public keys have been removed from the cacerts keystore:
+ alias name "thawtepremiumserverca [jdk]"
Distinguished Name: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
+ alias name "verisignclass2g2ca [jdk]"
Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+ alias name "verisignclass3ca [jdk]"
Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
+ alias name "verisignclass3g2ca [jdk]"
Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+ alias name "verisigntsaca [jdk]"
Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
The following root certificate has been removed from the cacerts truststore:
+ Telia Company
+ soneraclass2ca
DN: CN=Sonera Class2 CA, O=Sonera, C=FI
Other Notes
The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api, jaxp_parser_impl, and java-fonts. This clean-up of the list resolves existing and potential conflicts with modular RPMs.
There are other RPMs providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other rpms to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.
The default encryption and MAC algorithms used in a PKCS #12 keystore have been updated. The new algorithms are based on AES-256 and SHA-256 and are stronger than the old algorithms that were based on RC2, DESede, and SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.
For compatibility, a new system property named keystore.pkcs12.legacy is defined that will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.
Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.
SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset to "UTF-8" to revert the behavior.
See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.
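The byte-level effect of this change, as an added example that is not code from the release notes or the JDK. The class name, method names and sample values are illustrative; it compares the two encodings for the same String and shows how to build a String that the new default sends unchanged.

```java
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLParameters;

public class AlpnCharsetDemo {

    // Bytes produced when the String is encoded as UTF-8 (the earlier internal
    // behavior, or the behavior with jdk.tls.alpnCharset set to "UTF-8").
    static byte[] asUtf8(String protocol) {
        return protocol.getBytes(StandardCharsets.UTF_8);
    }

    // Bytes produced with the new default: one ISO_8859_1 byte per char.
    // Chars above U+00FF have no ISO_8859_1 byte and are replaced on encoding.
    static byte[] asLatin1(String protocol) {
        return protocol.getBytes(StandardCharsets.ISO_8859_1);
    }

    // Wrap an opaque ALPN identifier (arbitrary bytes) in a String that the
    // new default encoding puts on the wire byte for byte.
    static String fromOpaqueBytes(byte[] id) {
        return new String(id, StandardCharsets.ISO_8859_1);
    }

    // Application-side UTF-8 conversion: the returned String, once encoded as
    // ISO_8859_1, yields the UTF-8 bytes of 'name'.
    static String utf8ViaLatin1(String name) {
        return new String(name.getBytes(StandardCharsets.UTF_8), StandardCharsets.ISO_8859_1);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x ", b & 0xff));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        String ascii = "h2";                          // pure ASCII: unaffected
        String accented = "caf\u00e9";                // constructed value, one char above U+007F
        byte[] opaque = {(byte) 0x8a, (byte) 0x9a};   // constructed non-ASCII identifier

        System.out.println("h2        UTF-8: " + hex(asUtf8(ascii))
                + " | ISO_8859_1: " + hex(asLatin1(ascii)));
        System.out.println("caf\\u00e9 UTF-8: " + hex(asUtf8(accented))
                + " | ISO_8859_1: " + hex(asLatin1(accented)));
        System.out.println("converted by the application: "
                + hex(asLatin1(utf8ViaLatin1(accented))));
        System.out.println("opaque bytes round trip:      "
                + hex(asLatin1(fromOpaqueBytes(opaque))));

        // The Strings handed to JSSE are the ones built above.
        SSLParameters params = new SSLParameters();
        params.setApplicationProtocols(new String[] {fromOpaqueBytes(opaque), ascii});
        for (String p : params.getApplicationProtocols()) {
            System.out.println("offered: " + hex(asLatin1(p)));
        }
    }
}
```

A peer that compares ALPN values byte for byte sees a different protocol name whenever the two columns differ, which is the mismatch the note describes.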
Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.
The following system property has been added for validation of server addresses in FTP passive mode: jdk.net.ftp.trustPasvAddress.
In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address to which the FTP Client initially connected.
To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The effect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command.
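A model of the check described above, as an added example that is not the JDK's implementation. The class, the method names and the sample replies are constructed, and the addresses come from documentation ranges. It parses a 227 reply and accepts the data address only if it equals the control-connection address, unless the caller opts back into trusting the server.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PasvAddressCheck {

    // Passive-mode reply payload: (h1,h2,h3,h4,p1,p2)
    private static final Pattern TUPLE = Pattern.compile(
            "\\((\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3})\\)");

    static final class DataEndpoint {
        final InetAddress address;
        final int port;

        DataEndpoint(InetAddress address, int port) {
            this.address = address;
            this.port = port;
        }

        @Override
        public String toString() {
            return address.getHostAddress() + ":" + port;
        }
    }

    // Extract the data-connection endpoint a server announces in a 227 reply.
    static DataEndpoint parse227(String reply) throws UnknownHostException {
        if (!reply.startsWith("227")) {
            throw new IllegalArgumentException("not a 227 reply: " + reply);
        }
        Matcher m = TUPLE.matcher(reply);
        if (!m.find()) {
            throw new IllegalArgumentException("no address tuple in: " + reply);
        }
        int[] field = new int[6];
        for (int i = 0; i < 6; i++) {
            field[i] = Integer.parseInt(m.group(i + 1));
            if (field[i] > 255) {
                throw new IllegalArgumentException("field out of range in: " + reply);
            }
        }
        byte[] host = {(byte) field[0], (byte) field[1], (byte) field[2], (byte) field[3]};
        // getByAddress performs no name lookup; it only wraps the raw bytes.
        return new DataEndpoint(InetAddress.getByAddress(host), field[4] * 256 + field[5]);
    }

    // trustPasvAddress mirrors the meaning of jdk.net.ftp.trustPasvAddress=true:
    // use whatever address the server returned.
    static boolean acceptDataAddress(InetAddress controlPeer, DataEndpoint data,
                                     boolean trustPasvAddress) {
        return trustPasvAddress || controlPeer.equals(data.address);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed control-connection peer.
        InetAddress controlPeer = InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 10});
        // Constructed replies: the first names the same host, the second a different one.
        String[] replies = {
            "227 Entering Passive Mode (192,0,2,10,195,80)",
            "227 Entering Passive Mode (198,51,100,7,195,80)"
        };
        for (String reply : replies) {
            DataEndpoint data = parse227(reply);
            System.out.printf("%-20s strict=%-5s trustPasvAddress=%s%n", data,
                    acceptDataAddress(controlPeer, data, false),
                    acceptDataAddress(controlPeer, data, true));
        }
    }
}
```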
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.12 Bug Fixes page.
Java SE 11.0.11 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.11 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 11.0.11.0.2-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8226530 core-libs java.util.jar ZipFile reads wrong entry size from ZIP64 entries
Changes in Java SE 11.0.11.0.1-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8263575 (Confidential) install install Conflict between JDK rpms and OL8 Modularity prevents dnf install/updates
JDK-8263407 hotspot runtime SPARC64 detection fails on Athena (SPARC64-X)
JDK-8263004 hotspot runtime SPARC CodeBuffer overflow in generate_satb_log_enqueue
JDK-8252482 hotspot compiler disable cbcond instructions on SPARC64
Java™ SE Development Kit 11.0.11 (JDK 11.0.11)
April 20, 2021
The full version string for this update release is 11.0.11+9 (where "+" means "build"). The version number is 11.0.11.
IANA TZ Data 2020e, 2020f, 2021a
JDK 11.0.11 contains IANA time zone data 2020e, 2020f, 2021a.
- Volgograd switches to Moscow time on 2020-12-27 at 02:00.
- South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.11 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
11    11.0.11+9
8    8u291-b10
7    7u301-b09
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.11) be used after the next critical patch update scheduled for July 20, 2021.
New Features
The jdeps --print-module-deps, --list-deps, and --list-reduce-deps options have been enhanced as follows.
- By default, they perform transitive module dependence analysis on libraries on the class path and module path, both directly and indirectly, as required by the given input JAR files or classes. Previously, they only reported the modules required by the given input JAR files or classes. The --no-recursive option can be used to request non-transitive dependence analysis.
- By default, they flag any missing dependency, i.e. not found from class path and module path, as an error. The --ignore-missing-deps option can be used to suppress missing dependence errors.
Note that a custom image is created with the list of modules output by jdeps when using the --ignore-missing-deps option for a non-modular application. Such an application, running on the custom image, might fail at runtime when missing dependence errors are suppressed.
Other Notes
jdk.jndi.object.factoriesFilter: This system and security property allows a serial filter to be specified that controls the set of object factory classes permitted to instantiate objects from object references returned by naming/directory systems. The factory class named by the reference instance is matched against this filter during remote reference reconstruction. The filter property supports pattern-based filter syntax with the format specified by JEP 290. This property applies both to the JNDI/RMI and the JNDI/LDAP built-in provider implementations. The default value allows any object factory class specified in the reference to recreate the referenced object.
com.sun.jndi.ldap.object.trustSerialData: This system property allows control of the deserialization of Java objects from the javaSerializedData LDAP attribute. To prevent deserialization of Java objects from the attribute, the system property can be set to false. By default, deserialization of Java objects from the javaSerializedData attribute is allowed.
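A way to preview how a candidate jdk.jndi.object.factoriesFilter value classifies factory classes before deploying it, as an added example that is not code from the release notes or the JDK. It evaluates JEP 290 patterns with the public java.io.ObjectInputFilter API; the class FactoriesFilterPreview and the two nested factory classes are hypothetical stand-ins for an application's own classes.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.Status;

public class FactoriesFilterPreview {

    // Hypothetical stand-ins for an application's object factory classes.
    static class AuditedFactory {}
    static class UnknownFactory {}

    // Evaluate a JEP 290 pattern string against one class, the same kind of
    // class-name match the note describes for the factory named in a reference.
    static Status check(String pattern, Class<?> factoryClass) {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        return filter.checkInput(new ObjectInputFilter.FilterInfo() {
            @Override public Class<?> serialClass() { return factoryClass; }
            @Override public long arrayLength() { return -1; }   // not an array
            @Override public long depth() { return 1; }
            @Override public long references() { return 0; }
            @Override public long streamBytes() { return 0; }
        });
    }

    public static void main(String[] args) {
        String audited = AuditedFactory.class.getName();
        String[] candidates = {
            "*",               // allows any class, the effect the note gives for the default
            audited,           // names one class and leaves every other class undecided
            audited + ";!*"    // allow-list: the named class, then reject everything else
        };
        for (String pattern : candidates) {
            System.out.printf("%-48s audited=%-9s unknown=%s%n", pattern,
                    check(pattern, AuditedFactory.class),
                    check(pattern, UnknownFactory.class));
        }
    }
}
```

UNDECIDED is not a rejection, so a pattern meant as an allow-list needs the trailing !* entry. The chosen value is then supplied as the jdk.jndi.object.factoriesFilter system or security property.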
The following root certificates have been added to the cacerts truststore:
+ HARICA
+ haricarootca2015
DN: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+ haricaeccrootca2015
DN: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).
These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms security property in the java.security configuration file.
In this release, some of the one-way byte-to-char mappings have been aligned with the preferred mappings provided by the Unicode Consortium.
In the java.lang.ProcessBuilder implementation on Windows, the system property jdk.lang.Process.allowAmbiguousCommands=false ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess. An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process. If a security manager is set, such as in WebStart applications, double-quotes are encoded as described. When there is no security manager, there is no change to existing behavior; the jdk.lang.Process.allowAmbiguousCommands property can be set to true (jdk.lang.Process.allowAmbiguousCommands=true) or false. If left unset, it is the same as setting it to true.
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.11 Bug Fixes page.
Java SE 11.0.10 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.10 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 11.0.10.0.2-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8245283 hotspot jfr JFR: Can't handle constant dynamic used by Jacoco agent
JDK-8226810 core-libs java.lang Failed to launch JVM because of NullPointerException occured on System.props
JDK-8258878 core-libs java.time (tz) Upgrade time-zone data to tzdata2020e
JDK-8259048 core-libs java.time (tz) Upgrade time-zone data to tzdata2020f
Changes in Java SE 11.0.10.0.1-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8225745 security-libs java.security NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support
Java™ SE Development Kit 11.0.10 (JDK 11.0.10)
January 19, 2021
The full version string for this update release is 11.0.10+8 (where "+" means "build"). The version number is 11.0.10.
IANA Data 2020d
JDK 11.0.10 contains IANA time zone data version 2020d. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.10 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
11    11.0.10+8
8    1.8.0_281-b09
7    1.7.0_291-b09
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.10) be used after the next critical patch update scheduled for April 20, 2021.
New Features
A new -groupname option has been added to keytool -genkeypair so that a user can specify a named group when generating a key pair. For example, keytool -genkeypair -keyalg EC -groupname secp384r1 will generate an EC key pair by using the secp384r1 curve. Because there might be multiple curves with the same size, using the -groupname option is preferred over the -keysize option.
The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection.
With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.
Applications can enable this extension for server certificate selection by setting the jdk.tls.client.enableCAExtension system property to true. The default value of the property is false.
Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when jdk.tls.client.enableCAExtension is set to true and the client trusts more CAs than the server implementation limit.
As an additional way to launch processes on Linux, the jdk.lang.Process.launchMechanism property can be set to POSIX_SPAWN. This option has been available for a long time on other *nix platforms. The default launch mechanism (VFORK) on Linux is unchanged, so this additional option does not affect existing installations.
POSIX_SPAWN mitigates rare pathological cases when spawning child processes, but it has not yet been extensively tested. Prudence is advised when using POSIX_SPAWN in production installations.
The named elliptic curve groups x25519 and x448 are now available for JSSE key agreement in TLS versions 1.0 to 1.3, with x25519 being the most preferred of the default enabled named groups. The default ordered list is now:
x25519, secp256r1, secp384r1, secp521r1, x448,
ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
The default list can be overridden by using the system property jdk.tls.namedGroups.
When signing a file that contains POSIX file permission or symlink attributes, jarsigner now preserves these attributes in the newly signed file but warns that these attributes are unsigned and not protected by the signature. The same warning is printed during the jarsigner -verify operation for such files.
Note that the jar tool does not read/write these attributes. This change is more visible to tools like unzip where these attributes are preserved.
Other Notes
Oracle JDK-11.0.10 and later for Solaris 11 requires that the OS provide the package library/desktop/harfbuzz as part of the system installation. This package is provided for Solaris 11.3 and later.
$ pkg info harfbuzz
Name: library/desktop/harfbuzz
Summary: HarfBuzz is an OpenType text shaping engine
Description: HarfBuzz is a library for text shaping, which converts
unicode text to glyph indices and positions. HarfBuzz is
used directly by libraries such as Pango, and the layout
engines in firefox.
Category: Desktop (GNOME)/Libraries
State: Installed
Publisher: solaris
This is a desktop library, but the font processing it does is part of some common backend server workloads. It should always be considered as required.
If this library is missing, then the pkg mechanism will require it during installation of the JDK.
If installing the JDK by using a tar.gz bundle (for example) and the library/desktop/harfbuzz package is missing, a runtime link failure will occur when this package is needed.
The JDK update incorporates tzdata2020d. The main change is
- Palestine ends DST earlier than predicted, on 2020-10-24.
Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000062.html for more information.
The JDK update incorporates tzdata2020c. The main change is
- Fiji starts DST later than usual, on 2020-12-20.
Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000060.html for more information.
Following the JDK's update to tzdata2020b, the long-obsolete files named pacificnew and systemv have been removed. As a result, the "US/Pacific-New" Zone name declared in the pacificnew data file is no longer available for use.
Information regarding this update can be viewed at https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.10 Bug Fixes page.
Java SE 11.0.9 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.9 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 11.0.9.0.4-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8252455 (Confidential) core-libs java.net Performance issue caused by 8232854
JDK-8255226 core-libs java.time (tz) Upgrade time-zone data to tzdata2020d
JDK-8254982 core-libs java.time (tz) Upgrade time-zone data to tzdata2020c
Changes in Java SE 11.0.9.0.3-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8252394 (Confidential) core-libs javax.naming ldap failure due to JDK-8230944 changes in 11.0.8
Changes in Java SE 11.0.9.0.2-oracle
Bug Fixes
BugId Category Subcategory Description
JDK-8254177 core-libs java.time (tz) Upgrade time-zone data to tzdata2020b.
Java™ SE Development Kit 11.0.9 (JDK 11.0.9)
October 20, 2020
The full version string for this update release is 11.0.9+7 (where "+" means "build"). The version number is 11.0.9.
IANA Data 2020a
JDK 11.0.9 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.9 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
11    11.0.9+7
8    1.8.0_271-b09
7    1.7.0_281-b06
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.9) be used after the next critical patch update scheduled for January 19, 2021.
New Features
Weak named curves are disabled by default by adding them to the following disabledAlgorithms security properties: jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms, and jdk.jar.disabledAlgorithms. The named curves are listed below.
With 47 weak named curves to be disabled, adding individual named curves to each disabledAlgorithms property would be overwhelming. To relieve this, a new security property, jdk.disabled.namedCurves, is implemented that can list the named curves common to all of the disabledAlgorithms properties. To use the new property in the disabledAlgorithms properties, precede the full property name with the keyword include. Users can still add individual named curves to disabledAlgorithms properties separate from this new property. No other properties can be included in the disabledAlgorithms properties.
To restore the named curves, remove the include jdk.disabled.namedCurves either from specific or from all disabledAlgorithms security properties.
To restore one or more curves, remove the specific named curve(s) from the jdk.disabled.namedCurves property.
Curves that are disabled through jdk.disabled.namedCurves include the following:
secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448
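An audit of the running JVM's effective settings, as an added example that is not code from the release notes or the JDK. It covers both this note and the JDK 11.0.11 note that disables TLS 1.0 and 1.1 through jdk.tls.disabledAlgorithms. It reads the three disabledAlgorithms security properties, expands any include entry, and reports whether a sample of the curves listed above and the two old protocol versions are disabled; the class name and the choice of sample curves are illustrative.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class DisabledAlgorithmsAudit {

    static final String[] PROPERTIES = {
        "jdk.tls.disabledAlgorithms",
        "jdk.certpath.disabledAlgorithms",
        "jdk.jar.disabledAlgorithms"
    };

    // Three curves from the disabled list above, used as a spot check.
    static final String[] WEAK_SAMPLE = {"secp256k1", "sect163k1", "brainpoolP256r1"};

    // Split a comma-separated security property value into trimmed entries.
    static List<String> entries(String value) {
        List<String> out = new ArrayList<>();
        if (value == null) {
            return out;
        }
        for (String part : value.split(",")) {
            String trimmed = part.trim();
            if (!trimmed.isEmpty()) {
                out.add(trimmed);
            }
        }
        return out;
    }

    static boolean isInclude(String entry) {
        return entry.regionMatches(true, 0, "include ", 0, 8);
    }

    // Entries of a disabledAlgorithms property with "include <property>" expanded.
    static List<String> resolved(String property) {
        List<String> out = new ArrayList<>();
        for (String entry : entries(Security.getProperty(property))) {
            if (isInclude(entry)) {
                out.addAll(entries(Security.getProperty(entry.substring(8).trim())));
            } else {
                out.add(entry);
            }
        }
        return out;
    }

    static boolean lists(List<String> entries, String name) {
        for (String entry : entries) {
            if (entry.equalsIgnoreCase(name)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        for (String property : PROPERTIES) {
            boolean hasInclude = false;
            for (String entry : entries(Security.getProperty(property))) {
                hasInclude |= isInclude(entry);
            }
            List<String> effective = resolved(property);
            System.out.println(property + " (include present: " + hasInclude + ")");
            for (String curve : WEAK_SAMPLE) {
                System.out.println("  " + curve + " disabled: " + lists(effective, curve));
            }
            // secp256r1 is on the list of curves that remain enabled.
            System.out.println("  secp256r1 disabled: " + lists(effective, "secp256r1"));
        }

        List<String> tls = resolved("jdk.tls.disabledAlgorithms");
        System.out.println("TLSv1 disabled:   " + lists(tls, "TLSv1"));
        System.out.println("TLSv1.1 disabled: " + lists(tls, "TLSv1.1"));

        // What a default client context will actually offer on this JVM.
        String[] protocols = SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
        System.out.println("default protocols: " + Arrays.toString(protocols));
    }
}
```

Run it with the same JDK and the same java.security overrides as the application being checked, because the result reflects that JVM's configuration only.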
The Kerberos client has been enhanced with the support of principal name canonicalization and cross-realm referrals, as defined by the RFC 6806 protocol extension.
As a result of this new feature, the Kerberos client can take advantage of more dynamic environment configurations and does not necessarily need to know (in advance) how to reach the realm of a target principal (user or service).
Support is enabled by default and 5 is the maximum number of referral hops allowed. To turn it off, set the sun.security.krb5.disableReferrals security or system property to false. To configure a custom maximum number of referral hops, set the sun.security.krb5.maxReferrals security or system property to any positive value.
See further information in JDK-8223172.
A new system property, jdk.tls.maxHandshakeMessageSize, has been added to set the maximum allowed size for the handshake message in TLS/DTLS handshaking. The default value of the system property is 32768 (32 kilobytes).
A new system property, jdk.tls.maxCertificateChainLength, has been added to set the maximum allowed length of the certificate chain in TLS/DTLS handshaking. The default value of the system property is 10.
The keytool and jarsigner tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the jdk.security.legacyAlgorithms security property in the java.security configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.
The 'canonicalize' flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested.
The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the sun.security.krb5.disableReferrals system or security properties).
Other notes
A new environment property, jdk.jndi.ldap.mechsAllowedToSendCredentials, has been added to control which LDAP authentication mechanisms are allowed to send credentials over clear LDAP connections - a connection not secured with TLS. An encrypted LDAP connection is a connection opened by using ldaps scheme, or a connection opened by using ldap scheme and then upgraded to TLS with a STARTTLS extended operation.
The value of the property, which is by default not set, is a comma separated list of the mechanism names that are permitted to authenticate over a clear connection. If a value is not specified for the property, then all mechanisms are allowed. If the specified value is an empty list, then no mechanisms are allowed (except for none and anonymous). The default value for this property is 'null' (i.e. System.getProperty("jdk.jndi.ldap.mechsAllowedToSendCredentials") returns 'null'). To explicitly permit all mechanisms to authenticate over a clear connection, the property value can be set to "all". If a connection is downgraded from encrypted to clear, then only the mechanisms that are explicitly permitted are allowed.
The property can be supplied to the LDAP context environment map, or set globally as a system property. When both are supplied, the environment map takes precedence.
Note: none and anonymous authentication mechanisms are exempted from these rules and are always allowed regardless of the property value.
The following root certificates have been added to the cacerts truststore:
+ SSL Corporation
+ sslrootrsaca
DN: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
+ sslrootevrsaca
DN: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
+ sslrooteccca
DN: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
The following root certificate has been added to the cacerts truststore:
+ Entrust
+ entrustrootcag4
DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
English time zone names provided by the CLDR locale provider are now correctly synthesized following the CLDR spec, rather than substituted from the COMPAT provider. For example, SHORT style names are no longer synthesized abbreviations of LONG style names, but instead produce GMT offset formats.
The deserialization of java.lang.reflect.Proxy objects can be limited by setting the system property jdk.serialProxyInterfaceLimit.
The limit is the maximum number of interfaces allowed per Proxy in the stream.
Setting the limit to zero prevents any Proxies from being deserialized, including Annotations; a limit of less than 2 might interfere with RMI operations.
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.9 Bug Fixes page.
Java SE 11.0.8 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.8 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 11.0.8.0.4-oracle
Bug Fixes
BugId Category Subcategory Description
8249215 client-libs 2d JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows.
8213535 client-libs javax.swing Windows HiDPI html lightweight tooltips are truncated
Changes in Java SE 11.0.8.0.3-oracle
Bug Fixes
Changes in Java SE 11.0.8.0.2-oracle
Bug Fixes
BugId Category Subcategory Description
8248505 security-libs java.security Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
8247925 (Confidential) xml jaxp JDK8u251- XSL transformer fails with TransformerConfigurationException
Java™ SE Development Kit 11.0.8 (JDK 11.0.8)
July 14, 2020
The full version string for this update release is 11.0.8+10 (where "+" means "build"). The version number is 11.0.8.
IANA Data 2020a
JDK 11.0.8 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.8 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
11    11.0.8+10
8    1.8.0_261-b12
7    1.7.0_271-b10
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.8) be used after the next critical patch update scheduled for October 20, 2020.
New Features
security-libs/javax.net.ssl
➜ New System Properties to Configure the TLS Signature Schemes
Two new System Properties are added to customize the TLS signature schemes in JDK. jdk.tls.client.SignatureSchemes is added for TLS client side, and jdk.tls.server.SignatureSchemes for server side.
Each System Property contains a comma-separated list of supported signature scheme names, which specifies the signature schemes that could be used for the TLS connections.
The names are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.
See JDK-8242141
security-libs/javax.xml.crypto
➜ Apache Santuario Library Updated to Version 2.1.4
The Apache Santuario library has been upgraded to version 2.1.4. As a result, a new system property com.sun.org.apache.xml.internal.security.parser.pool-size has been introduced.
This new system property sets the pool size of the internal DocumentBuilder cache used when processing XML Signatures. The function is equivalent to the org.apache.xml.security.parser.pool-size system property used in Apache Santuario and has the same default value of 20.
See JDK-8231507
infrastructure
➜ Toolchain Upgrade to Xcode 10.1
On macOS, the toolchain used to build the JDK has been upgraded from Xcode 4.5 to Xcode 10.1.
JDK-8232007 (not public)
The Oracle JDK installer for Windows provides java.exe, javaw.exe, javac.exe, and jshell.exe commands in a system location so that users can run Java applications without needing to provide the path to the Oracle JDK's installation folder.
Removed Features and Options
security-libs/java.security
➜ Removal of Comodo Root CA Certificate
The following expired Comodo root CA certificate was removed from the cacerts keystore:
- alias name "addtrustclass1ca [jdk]"
Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
See JDK-8225069
security-libs/java.security
➜ Removal of DocuSign Root CA Certificate
The following expired DocuSign root CA certificate was removed from the cacerts keystore:
- alias name "keynectisrootca [jdk]"
Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
See JDK-8225068
Other notes
core-libs/java.util:collections
➜ Better Listing of Arrays
The preferred way to copy a collection is to use a "copy constructor." For example, to copy a collection into a new ArrayList, one would write new ArrayList<>(collection). In certain circumstances, an additional, temporary copy of the collection's contents might be made in order to improve robustness. If the collection being copied is exceptionally large, then the application should be aware of, and monitor, the significant resources involved in making the copy.
JDK-8231800 (not public)
security-libs/javax.net.ssl
➜ Default SSLEngine Should Create in Server Role
In JDK 11 and later, javax.net.ssl.SSLEngine by default used client mode when handshaking. As a result, the set of default enabled protocols may differ from what is expected. SSLEngine would usually be used in server mode. From this JDK release onwards, SSLEngine will default to server mode. The javax.net.ssl.SSLEngine.setUseClientMode(boolean mode) method may be used to configure the mode.
See JDK-8237474
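The following is an added example, not taken from the release notes or the JDK sources: it sets the SSLEngine role explicitly instead of relying on the release-dependent default, and prints how the enabled protocol set differs between the two roles. The class and helper names are illustrative.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

public class SslEngineRoleExample {

    /** Creates an engine with its role set explicitly, independent of the JDK default. */
    static SSLEngine newEngine(SSLContext context, boolean clientMode) {
        SSLEngine engine = context.createSSLEngine();
        // Must be called before the first handshake begins.
        engine.setUseClientMode(clientMode);
        return engine;
    }

    /** Returns the protocols that are enabled in 'a' but not in 'b'. */
    static Set<String> onlyIn(String[] a, String[] b) {
        Set<String> result = new LinkedHashSet<>(Arrays.asList(a));
        result.removeAll(Arrays.asList(b));
        return result;
    }

    public static void main(String[] args) throws Exception {
        SSLContext context = SSLContext.getDefault();

        // The role this particular JDK build assigns when the caller sets nothing.
        SSLEngine untouched = context.createSSLEngine();
        System.out.println("Default role on this JDK: "
                + (untouched.getUseClientMode() ? "client" : "server"));

        // Compare the default protocol sets of the two roles.
        String[] client = newEngine(context, true).getEnabledProtocols();
        String[] server = newEngine(context, false).getEnabledProtocols();
        System.out.println("Client-mode protocols: " + Arrays.toString(client));
        System.out.println("Server-mode protocols: " + Arrays.toString(server));
        System.out.println("Only in client mode:   " + onlyIn(client, server));
        System.out.println("Only in server mode:   " + onlyIn(server, client));
    }
}
```

Code that calls setUseClientMode itself behaves the same before and after this change, which is why setting the role explicitly is the safer habit.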
core-svc/java.lang.management
➜ OperatingSystemMXBean Methods Inside a Container Return Container Specific Data
When executing in a container, or other virtualized operating environment, the following OperatingSystemMXBean methods in this release return container specific information, if available. Otherwise, they return host specific data:
getFreePhysicalMemorySize()
getTotalPhysicalMemorySize()
getFreeSwapSpaceSize()
getTotalSwapSpaceSize()
getSystemCpuLoad()
See JDK-8226575
security-libs
➜ Default SSL Session Cache Size Updated to 20480
The default SSL session cache size has been updated to 20480 in this JDK release.
See JDK-8210985
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.8 Bug Fixes page.
Java SE 11.0.7 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.7 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 11.0.7.0.1-oracle
Please note that fixes from the prior BPR are included in this version.
Java™ SE Development Kit 11.0.7 (JDK 11.0.7)
April 14, 2020
The full version string for this update release is 11.0.7+8 (where "+" means "build"). The version number is 11.0.7.
IANA Data 2019c
JDK 11.0.7 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.7 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
11    11.0.7+8
8    1.8.0_251-b08
7    1.7.0_261-b07
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.7) be used after the next critical patch update scheduled for July 14, 2020.
New Features
➜ Support for MS Cryptography Next Generation (CNG)
The SunMSCAPI provider now supports reading private keys in Cryptography Next Generation (CNG) format. This means that RSA and EC keys in CNG format are loadable from Windows keystores, such as "Windows-MY". Signature algorithms related to EC (SHA1withECDSA, SHA256withECDSA, etc.) are also supported.
See JDK-8026953
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.7 Bug Fixes page.
Java SE 11.0.6 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.6 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 11.0.6.0.2-oracle
Bug Fixes
BugId Category Subcategory Description
8223158 client-libs javax.swing Docked MacBook cannot start any Java Swing applications
8238596 hotspot runtime AVX enabled by default for Skylake even when unsupported
Changes in Java SE 11.0.6.0.1-oracle
Bug Fixes
BugId Category Subcategory Description
8214578 client-libs java.awt [macos] Problem with backslashes on macOS/JIS keyboard: Java ignores system settings
8234786 client-libs java.awt Fix for JDK-8214578 breaks OS X 10.12 compatibility
Java™ SE Development Kit 11.0.6 (JDK 11.0.6)
January 14, 2020
The full version string for this update release is 11.0.6+8 (where "+" means "build"). The version number is 11.0.6.
IANA Data 2019c
JDK 11.0.6 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.6 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
11    11.0.6+8
8    1.8.0_241-b07
7    1.7.0_251-b08
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.6) be used after the next critical patch update scheduled for April 14, 2020.
New Features
➜ Allow SASL Mechanisms to Be Restricted
A security property named jdk.sasl.disabledMechanisms has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms argument of Sasl.createSaslClient or the mechanism argument of Sasl.createSaslServer. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.
See JDK-8200400
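The following added example (not part of the release notes or the JDK sources) shows the effect of jdk.sasl.disabledMechanisms on Sasl.createSaslClient when a disabled mechanism is offered alone and alongside an enabled one. It assumes the JDK's bundled SASL provider is present; the credentials, protocol and server name are constructed, and the property is set programmatically only to keep the demo self-contained (in a deployment it belongs in the java.security file).

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import java.security.Security;
import java.util.HashMap;
import java.util.Map;

public class SaslDisabledMechanismsExample {

    // Constructed credentials; only consulted if a mechanism is actually instantiated.
    static final CallbackHandler HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName("constructed-user");
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword("constructed-pass".toCharArray());
            }
        }
    };

    /** Returns the mechanism the JDK selects from the offered list, or "none". */
    static String select(String... offered) throws Exception {
        Map<String, Object> props = new HashMap<>();
        SaslClient client = Sasl.createSaslClient(
                offered, null, "ldap", "server.example.test", props, HANDLER);
        if (client == null) {
            return "none";
        }
        try {
            return client.getMechanismName();
        } finally {
            client.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        // Comma-separated list of mechanism names. Set before any SASL call is made
        // so the setting is in place when mechanisms are looked up.
        Security.setProperty("jdk.sasl.disabledMechanisms", "PLAIN, CRAM-MD5");

        // A disabled mechanism offered alone yields no client at all.
        System.out.println("PLAIN only        -> " + select("PLAIN"));
        // A disabled mechanism is skipped and the next offered one is used.
        System.out.println("PLAIN, DIGEST-MD5 -> " + select("PLAIN", "DIGEST-MD5"));
        // Mechanisms that are not listed are unaffected.
        System.out.println("DIGEST-MD5 only   -> " + select("DIGEST-MD5"));
    }
}
```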
➜ SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40
The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.
See JDK-8080462
Other notes
➜ New Checks on Trust Anchor Certificates
New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.
A new system property named jdk.security.allowNonCaAnchor has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.
The default value of this property, if not set, is "false".
Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).
This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.
JDK-8230318 (not public)
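The following added example (not the JDK's own code) audits a truststore for entries that would fail the trust anchor checks described above, so custom anchors can be found before an upgrade rather than by a failed handshake. It approximates the checks from the text of this note; the default cacerts path and the "changeit" password are assumptions about a standard JDK 11 layout, and both can be overridden on the command line.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class TrustAnchorAudit {

    /** True if jdk.security.allowNonCaAnchor is set in a way that restores the old behavior. */
    static boolean bypassEnabled() {
        String value = System.getProperty("jdk.security.allowNonCaAnchor");
        return value != null && (value.isEmpty() || value.equalsIgnoreCase("true"));
    }

    /** Returns null if the certificate satisfies the checks, otherwise the reason it fails. */
    static String caProblem(X509Certificate cert) {
        if (cert.getVersion() < 3) {
            return null; // pre-v3 certificates cannot carry extensions; the note exempts v1
        }
        // getBasicConstraints() returns -1 when the extension is absent or cA is false.
        if (cert.getBasicConstraints() == -1) {
            return "no Basic Constraints extension with cA=true";
        }
        // getKeyUsage() returns null when the extension is absent; bit 5 is keyCertSign.
        boolean[] keyUsage = cert.getKeyUsage();
        if (keyUsage != null && (keyUsage.length <= 5 || !keyUsage[5])) {
            return "Key Usage extension present but keyCertSign not set";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults for a stock JDK 11 installation.
        File store = new File(args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore keyStore = KeyStore.getInstance(store, password);
        int checked = 0;
        int flagged = 0;
        for (String alias : Collections.list(keyStore.aliases())) {
            if (!keyStore.isCertificateEntry(alias)) {
                continue; // only trusted-certificate entries act as anchors
            }
            Certificate cert = keyStore.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            checked++;
            X509Certificate x509 = (X509Certificate) cert;
            String problem = caProblem(x509);
            if (problem != null) {
                flagged++;
                System.out.printf("%s: %s [%s]%n", alias, problem,
                        x509.getSubjectX500Principal().getName());
            }
        }
        System.out.printf("%d of %d anchors in %s would be rejected%n", flagged, checked, store);
        if (bypassEnabled()) {
            System.out.println("jdk.security.allowNonCaAnchor is set: the checks are bypassed in this JVM");
        }
    }
}
```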
➜ Exact Match Required for Trusted TLS Server Certificate
A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.
JDK-8227758 (not public)
➜ Added LuxTrust Global Root 2 Certificate
The following root certificate has been added to the cacerts truststore:
+ LuxTrust
+ luxtrustglobalroot2ca
DN: CN=LuxTrust Global Root 2, O=LuxTrust S.A., C=LU
See JDK-8232019
➜ Added 4 Amazon Root CA Certificates
The following root certificates have been added to the cacerts truststore:
+ Amazon
+ amazonrootca1
DN: CN=Amazon Root CA 1, O=Amazon, C=US
+ amazonrootca2
DN: CN=Amazon Root CA 2, O=Amazon, C=US
+ amazonrootca3
DN: CN=Amazon Root CA 3, O=Amazon, C=US
+ amazonrootca4
DN: CN=Amazon Root CA 4, O=Amazon, C=US
See JDK-8233223
➜ Turn off AOT by Default and Change Related Flags to Experimental
The following AOT support related flags have been made experimental: UseAOT, PrintAOT and AOTLibrary. Also, the default value of UseAOT has been changed from enabled to disabled.
See JDK-8227439
Bug Fixes
The following are some of the notable bug fixes included in this release:
➜ Memory Growth Issue in SunPKCS11 Fixed
A memory growth issue in the SunPKCS11 cryptographic provider that affects the NSS back-end has been fixed.
A system property, sun.security.pkcs11.disableKeyExtraction, has been introduced to disable the fix. A "true" value disables the fix, while a "false" value (default) keeps it enabled.
When enabled, PKCS#11 attributes of the NSS native keys are copied to Java byte buffers after key creation. Once used, NSS keys are destroyed and native heap space is freed up. If NSS keys are required again, they are recreated with the previously saved attributes.
Further information and implementation details can be found in the CSR: JDK-8213430
See JDK-6913047
➜ Better Serial Filter Handling
The jdk.serialFilter system property can only be set on the command line. If the filter has not been set on the command line, it can be set with java.io.ObjectInputFilter.Config.setSerialFilter. Setting the jdk.serialFilter with java.lang.System.setProperty has no effect.
JDK-8231422 (not public)
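The following added example (not from the release notes or the JDK sources) shows the supported programmatic route: it checks that System.setProperty leaves the process-wide filter unset, installs one with ObjectInputFilter.Config.setSerialFilter, and deserializes an allowed and a disallowed type. The allow-list pattern and class names are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

public class SerialFilterExample {

    /** Serializes an object to a byte array (constructed sample input). */
    static byte[] serialize(Object value) throws Exception {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
            out.writeObject(value);
        }
        return buffer.toByteArray();
    }

    /** Deserializes under the process-wide filter and reports the outcome. */
    static String tryRead(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Per the note above, this call does not install a filter.
        System.setProperty("jdk.serialFilter", "!*");
        System.out.println("Filter after System.setProperty: "
                + ObjectInputFilter.Config.getSerialFilter());

        // The process-wide filter can be set only once; a second call throws
        // IllegalStateException, so check whether one is already configured.
        if (ObjectInputFilter.Config.getSerialFilter() == null) {
            // Allow-list: ArrayList and java.lang classes; reject everything else.
            ObjectInputFilter filter =
                    ObjectInputFilter.Config.createFilter("java.util.ArrayList;java.lang.*;!*");
            ObjectInputFilter.Config.setSerialFilter(filter);
        }
        System.out.println("Filter now in force: " + ObjectInputFilter.Config.getSerialFilter());

        System.out.println("ArrayList<String>: "
                + tryRead(serialize(new ArrayList<>(List.of("a", "b")))));
        System.out.println("java.util.Date:    " + tryRead(serialize(new Date())));
    }
}
```

Because the filter can be installed only once per JVM, an application should set it early in startup, before any library has a chance to deserialize data.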
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.6 Bug Fixes page.
Java SE 11.0.5 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.5 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 11.0.5.0.3-oracle+1
Bug Fixes
BugId Category Subcategory Description
8233097 client-libs 2d Fontmetrics for large Fonts has zero width
8229800 client-libs 2d WindowsServerCore 1809 does not provide d2d1.dll library required by awt.dll
Changes in Java SE 11.0.5.0.2-oracle+1
Bug Fixes
Java™ SE Development Kit 11.0.5 (JDK 11.0.5)
October 15, 2019
The full version string for this update release is 11.0.5+10 (where "+" means "build"). The version number is 11.0.5.
IANA Data 2019b
JDK 11.0.5 contains IANA time zone data version 2019b. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.5 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
11    11.0.5+10
8    1.8.0_231-b11
7    1.7.0_241-b09
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.5) be used after the next critical patch update scheduled for January 14, 2020.
New Features
security-libs/java.security
➜New Java Flight Recorder (JFR) Security Events
Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.
- jdk.SecurityPropertyModification
  - Records Security.setProperty(String key, String value) method calls
- jdk.TLSHandshake
  - Records TLS handshake activity. The event fields include:
    - Peer hostname
    - Peer port
    - TLS protocol version negotiated
    - TLS cipher suite negotiated
    - Certificate id of peer client
- jdk.X509Validation
  - Records details of X.509 certificates negotiated in successful X.509 validation (chain of trust)
- jdk.X509Certificate
  - Records details of X.509 Certificates. The event fields include:
    - Certificate algorithm
    - Certificate serial number
    - Certificate subject
    - Certificate issuer
    - Key type
    - Key length
    - Certificate id
    - Validity of certificate
See JDK-8148188
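The following added example (not part of the release notes or the JDK sources) enables the four security events programmatically with the jdk.jfr API, triggers one of them, and prints every recorded field so the available data can be inspected. The property key and value written here are constructed; field names are read from the recording rather than assumed.

```java
import jdk.jfr.Recording;
import jdk.jfr.ValueDescriptor;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Security;
import java.util.Arrays;
import java.util.List;

public class JfrSecurityEventsExample {

    // The four events named in the note above; all are disabled by default.
    static final List<String> SECURITY_EVENTS = Arrays.asList(
            "jdk.SecurityPropertyModification",
            "jdk.TLSHandshake",
            "jdk.X509Validation",
            "jdk.X509Certificate");

    /** Records the security events while 'activity' runs and returns the recording file. */
    static Path record(Runnable activity) throws Exception {
        Path file = Files.createTempFile("security-events", ".jfr");
        try (Recording recording = new Recording()) {
            for (String name : SECURITY_EVENTS) {
                recording.enable(name).withoutStackTrace();
            }
            recording.start();
            activity.run();
            recording.stop();
            recording.dump(file);
        }
        return file;
    }

    public static void main(String[] args) throws Exception {
        // Constructed activity: one security property change, which should
        // surface as a jdk.SecurityPropertyModification event.
        Path file = record(() ->
                Security.setProperty("example.constructed.key", "constructed-value"));

        for (RecordedEvent event : RecordingFile.readAllEvents(file)) {
            String type = event.getEventType().getName();
            if (!SECURITY_EVENTS.contains(type)) {
                continue;
            }
            System.out.println(type + " at " + event.getStartTime());
            for (ValueDescriptor field : event.getFields()) {
                System.out.println("  " + field.getName() + " = "
                        + event.getValue(field.getName()));
            }
        }
        Files.deleteIfExists(file);
    }
}
```

Replacing the constructed activity with an outbound TLS connection produces the jdk.TLSHandshake, jdk.X509Validation and jdk.X509Certificate events as well.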
Other notes
docs
➜Using the JDK or JRE on macOS Catalina (10.15)
Changes introduced in macOS 10.15 (Catalina) have caused JCK test failures which will prevent Java from being supported on macOS 10.15. If you still want to install and test then please see https://www.oracle.com/java/technologies/javase/jdk-jre-macos-catalina.html.
JDK-8230057 (not public)
security-libs/javax.net.ssl
➜Remove Obsolete NIST EC Curves from the Default TLS Algorithms
This change removes older non-NIST Suite B EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.
To re-enable these curves, use the jdk.tls.namedGroups system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:
java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192" ...
JDK-8228825 (not public)
security-libs/javax.crypto
➜Use SunJCE Mac in SecretKeyFactory PBKDF2 Implementation
The SunJCE implementation of the PBKDF2 SecretKeyFactory will now exclusively use the SunJCE Mac service for the underlying pseudorandom function (PRF). This fixes an issue where 3rd party JCE providers in rare cases could cause the SunJCE PBKDF2 SecretKeyFactory's underlying pseudorandom function (PRF) to fail on Mac.init().
See JDK-8218723
install
➜Java Access Bridge Installation Workaround
There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32bit Java products.
To prevent breaking Java Access Bridge functionality, use one of the following workarounds:
- Stop JAWS before running the Java installer.
- Uninstall the existing JRE(s) before installing the new version of Java.
- Uninstall the existing JRE(s) after the new version of Java is installed and the machine is rebooted.
The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.
JDK-8223293 (not public)
security-libs/javax.xml.crypto
➜Updated XML Signature Implementation to Apache Santuario 2.1.3
The XML Signature implementation in the java.xml.crypto module has been updated to version 2.1.3 of Apache Santuario. New features include:
- Added support for embedding elliptic curve public keys in the KeyValue element
See JDK-8219013
security-libs/javax.crypto
➜System Property jdk.security.useLegacyECC is Turned Off by Default
The system property jdk.security.useLegacyECC, which was introduced in the update releases 7u231 and 8u221, is turned off by default.
This option allows control of which implementation of ECC is in use.
When the system property, jdk.security.useLegacyECC, is explicitly set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC in the command line. Setting the option to true or the empty string is not recommended.
If the option is set to "false", or if it is not specified at all, the provider decides which implementation of ECC is used. This is the recommended setting, as the JDK will use modern and timing resistant implementations of the NIST secp256r1, secp384r1, and secp521r1 curves. For more information on which curves are recommended and which are legacy, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC.
JDK-8224499 (not public)
core-libs/java.util
➜Changed Properties.loadFromXML to Comply with Specification
The implementation of the java.util.Properties.loadFromXML method has been changed to comply with its specification. Specifically, the underlying XML parser implementation now rejects non-compliant XML documents by throwing an InvalidPropertiesFormatException as specified by the loadFromXML method.
The effect of the change is as follows:
- Documents created by Properties.storeToXML: No change. Properties.loadFromXML will have no problem reading such files.
- Documents not created by Properties.storeToXML: Any documents containing DTDs not in the format as specified in Properties.loadFromXML will be rejected. This means the DTD shall be exactly as follows (as generated by the Properties.storeToXML method):
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
See JDK-8213325
core-libs/java.lang
➜Runtime.exec and ProcessBuilder Argument Restrictions
Runtime.exec and ProcessBuilder have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager.
In applications where there is no security manager, there is no change in the default behavior and the new restrictions are opt-in. To enable the restrictions, set the system property jdk.lang.Process.allowAmbiguousCommands to false.
In applications where there is a security manager, the new restrictions are opt-out. To revert to the previous behavior set the system property jdk.lang.Process.allowAmbiguousCommands to true.
Applications using Runtime.exec or ProcessBuilder with a security manager to invoke .bat or .cmd and command names that do not end in ".exe" may be more restrictive in the characters accepted for arguments if they contain double-quote, "&", "|", "<", ">", or "^". The arguments passed to applications may be quoted differently than in previous versions.
For .exe programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. In the case where the entire argument has been passed with quotes or must be quoted to encode special characters including space and tab, the encoding ensures they are passed to the application correctly. The restrictions are enforced if there is a security manager and the jdk.lang.Process.allowAmbiguousCommands property is "false" or there is no security manager and property is not "false".
JDK-8221858 (not public)
client-libs/2d
➜Windows 2019 Core Server Is Not Supported
Windows Core Server 2019 does not ship a dll required by JDK in order to run. Specifically, if a Java application, including a headless one, requires awt.dll, the Java runtime will exit with an exception. There is no workaround. Until this is resolved, this Windows Server configuration is not supported.
See JDK-8229800
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.5 Bug Fixes page.
Java SE 11.0.4 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.4 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 11.0.4.0.1-oracle+1
Please note that fixes from prior BPR are included in this version.
Bug Fixes
Java™ SE Development Kit 11.0.4 (JDK 11.0.4)
July 16, 2019
The full version string for this update release is 11.0.4+10 (where "+" means "build"). The version number is 11.0.4.
IANA Data 2018i
JDK 11.0.4 contains IANA time zone data version 2018i. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.4 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
11    11.0.4+10
8    1.8.0_221-b11
7    1.7.0_231-b08
Oracle JDK Expiration Date
The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.4) will expire with the release of the next critical patch update scheduled for October 15, 2019.
New Features
➜HotSpot Windows OS Detection Correctly Identifies Windows Server 2019
Prior to this fix, Windows Server 2019 was recognized as "Windows Server 2016", which produced incorrect values in the os.name system property and the hs_err_pid file.
See JDK-8211106
Removed Features and Options
➜Removal of Two DocuSign Root CA Certificates
Two DocuSign root CA certificates are expired and have been removed from the cacerts keystore:
- alias name "certplusclass2primaryca [jdk]"
Distinguished Name: CN=Class 2 Primary CA, O=Certplus, C=FR
- alias name "certplusclass3pprimaryca [jdk]"
Distinguished Name: CN=Class 3P Primary CA, O=Certplus, C=FR
See JDK-8223499
➜Removal of Two Comodo Root CA Certificates
Two Comodo root CA certificates are expired and have been removed from the cacerts keystore:
- alias name "utnuserfirstclientauthemailca [jdk]"
Distinguished Name: CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
- alias name "utnuserfirsthardwareca [jdk]"
Distinguished Name: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
See JDK-8222136
➜Removal of T-Systems Deutsche Telekom Root CA 2 Certificate
The T-Systems Deutsche Telekom Root CA 2 certificate is expired and has been removed from the cacerts keystore:
- alias name "deutschetelekomrootca2 [jdk]"
Distinguished Name: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE
See JDK-8222137
➜Removal of GTE CyberTrust Global Root
The GTE CyberTrust Global Root certificate is expired and has been removed from the cacerts keystore:
- alias name "gtecybertrustglobalca [jdk]"
Distinguished Name: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
See JDK-8195793
Other notes
➜ com.sun.org.apache.xml.internal.security.ignoreLineBreaks System Property
An Apache Santuario libraries upgrade introduces a behavioral change where Base64 encoded XML signatures may result in or being appended to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.
An application may continue working with the encoded output data containing the carriage return character ( or ) if the application coding logic allows such output.
The com.sun.org.apache.xml.internal.security.ignoreLineBreaks system property may be set to a value of true if an application is unable to handle encoded output data including the carriage return character ( or ).
Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482.
➜System Property to Switch Between Implementations of ECC
A new boolean system property, jdk.security.useLegacyECC, has been introduced that enables switching between implementations of ECC.
When the system property, jdk.security.useLegacyECC, is set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC in the command line.
If the option is explicitly set to "false", the provider decides which implementation of ECC is used.
The default value of the option is "true". Note that the default value might change in a future update release of the JDK.
JDK-8217763 (not public)
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.4 Bug Fixes page.
Java SE 11.0.3 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.3 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
Changes in Java SE 11.0.3+31
Please note that fixes from prior BPR (11.0.2+32) are included in this version.
Bug Fixes
Java™ SE Development Kit 11.0.3 (JDK 11.0.3)
April 16, 2019
The full version string for this update release is 11.0.3+12 (where "+" means "build"). The version number is 11.0.3.
IANA Data 2018g
JDK 11.0.3 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.3 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
11    11.0.3+12
10    10.0.99
9    9.0.99
8    1.8.0_211-b12
7    1.7.0_221-b08
6    1.6.0_221
Oracle JDK Expiration Date
The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.3) will expire with the release of the next critical patch update scheduled for July 16, 2019.
New Features
➜Square Character Support for Japanese New Era
The code point, U+32FF, is reserved by the Unicode Consortium to represent the Japanese square character for the new era that begins from May, 2019. Relevant methods in the Character class return the same properties as the existing Japanese era characters (e.g., U+337E for "Meizi"). For details about the code point, see http://blog.unicode.org/2018/09/new-japanese-era.html.
See JDK-8211398
Known Issues
➜Java Access Bridge Installation Workaround
There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32bit Java products.
To prevent breaking Java Access Bridge functionality, use one of the following workarounds:
- Stop JAWS before running the Java installer.
- Uninstall the existing JRE(s) before installing the new version of Java.
- Uninstall the existing JRE(s) after the new version of Java is installed and the machine is rebooted.
The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.
JDK-8223293 (not public)
Changes
➜Added GlobalSign R6 Root Certificate
The following root certificate has been added to the cacerts truststore:
- GlobalSign
  - globalsignrootcar6
    DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6
JDK-8216577 (not public)
➜Distrust TLS Server Certificates Anchored by Symantec Root CAs
The JDK will stop trusting TLS Server certificates issued by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec.
TLS Server certificates issued on or before April 16, 2019 will continue to be trusted until they expire. Certificates issued after that date will be rejected. See the DigiCert support page for information on how to replace your Symantec certificates with a DigiCert certificate (DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates on December 1, 2017).
An exception to this policy is that TLS Server certificates issued through two subordinate Certificate Authorities managed by Apple, and identified below, will continue to be trusted as long as they are issued on or before December 31, 2019.
The restrictions are enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below.
An application will receive an Exception with a message indicating the trust anchor is not trusted, ex:
"TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA:
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US"
If necessary, and at your own risk, you can work around the restrictions by removing "SYMANTEC_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.
The restrictions are imposed on the following Symantec Root certificates included in the JDK:
Root Certificates distrusted after 2019-04-16
Distinguished Name SHA-256 Fingerprint
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA:DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A
CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US 37:D5:10:06:C5:12:EA:AB:62:64:21:F1:EC:8C:92:01:3F:C5:F8:2A:E9:8E:E5:33:EB:46:19:B8:DE:B4:D0:6C
CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US 5E:DB:7A:C4:3B:82:A0:6A:87:61:E8:D7:BE:49:79:EB:F2:61:1F:7D:D7:9B:F9:1C:1C:6B:56:6A:21:9E:D7:66
CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US B4:78:B8:12:25:0D:F8:78:63:5C:2A:A7:EC:7D:15:5E:AA:62:5E:E8:29:16:E2:CD:29:43:61:88:6C:D1:FB:D4
CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US A0:45:9B:9F:63:B2:25:59:F5:FA:5D:4C:6D:B3:F9:F7:2F:F1:93:42:03:35:78:F0:73:BF:1D:1B:46:CB:B9:12
CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US 8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A:97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F
CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US A4:31:0D:50:AF:18:A6:44:71:90:37:2A:86:AF:AF:8B:95:1F:FB:43:1D:83:7F:1E:56:88:B4:59:71:ED:15:57
CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US 4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C:06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C
[email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA 3F:9F:27:D5:83:20:4B:9E:09:C8:A3:D2:06:6C:4B:57:D3:A2:47:9C:36:93:65:08:80:50:56:98:10:5D:BC:E9
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US 3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F:D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1
OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09:CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US 83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E:DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B
CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1:B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44
CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US 69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60:32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79
CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US 9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99:89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF
CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C
Subordinate Certificates distrusted after 2019-12-31
Distinguished Name SHA-256 Fingerprint
CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US AC:2B:92:2E:CF:D5:E0:17:11:77:2F:EA:8E:D3:72:DE:9D:1E:22:45:FC:E3:F5:7A:9C:DB:EC:77:29:6A:42:4B
CN=Apple IST CA 8 - G1, OU=Certification Authority, O=Apple Inc., C=US A4:FE:7C:7F:15:15:5F:3F:0A:EF:7A:AA:83:CF:6E:06:DE:B9:7C:A3:F9:09:DF:92:0A:C1:49:08:82:D4:88:ED
If you have a TLS Server certificate issued by one of the CAs above, you should have received a message from DigiCert with information about replacing that certificate, free of charge.
You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain listed in the output are issued by one of the root CAs in the table above, you will need to update the certificate, or contact the organization that manages the server if it is not yours.
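The keytool check above can be automated across every key entry in a keystore. The following is an added example, not Oracle's code: it applies the two cutoff dates from this note to each chain, and it matches issuers by brand name in the DN, which is a heuristic assumption (the SHA-256 fingerprints in the tables remain the authoritative identifiers).

```java
import java.io.Console;
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.Arrays;
import java.util.Collections;

public class SymantecChainAudit {
    // Cutoff dates stated in the release note.
    static final LocalDate ROOT_CUTOFF = LocalDate.of(2019, 4, 16);
    static final LocalDate APPLE_SUBCA_CUTOFF = LocalDate.of(2019, 12, 31);
    // Heuristic (assumption): brand names and subordinate CA names taken from the tables' DNs.
    static final String[] LEGACY_BRANDS = {"geotrust", "thawte", "verisign"};
    static final String[] APPLE_SUBCAS = {"cn=apple ist ca 2 - g1", "cn=apple ist ca 8 - g1"};

    static boolean containsAny(String dn, String[] needles) {
        String lower = dn.toLowerCase();
        for (String needle : needles) {
            if (lower.contains(needle)) return true;
        }
        return false;
    }

    // chain[0] is the server certificate; the remaining entries lead towards the root.
    static String classify(X509Certificate[] chain) {
        boolean legacy = false;
        boolean appleSubCa = false;
        for (X509Certificate cert : chain) {
            legacy |= containsAny(cert.getIssuerX500Principal().toString(), LEGACY_BRANDS);
            appleSubCa |= containsAny(cert.getSubjectX500Principal().toString(), APPLE_SUBCAS);
        }
        if (!legacy) return "OK: no legacy Symantec-branded issuer in chain";
        LocalDate issued = chain[0].getNotBefore().toInstant().atZone(ZoneOffset.UTC).toLocalDate();
        LocalDate cutoff = appleSubCa ? APPLE_SUBCA_CUTOFF : ROOT_CUTOFF;
        return issued.isAfter(cutoff)
            ? "REPLACE NOW: issued " + issued + ", after cutoff " + cutoff
            : "PLAN REPLACEMENT: issued " + issued + ", trusted only until " + chain[0].getNotAfter();
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (interactive terminal): java SymantecChainAudit.java <keystore>");
            return;
        }
        char[] password = console.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(new File(args[0]), password);
        Arrays.fill(password, '\0');
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] certs = ks.getCertificateChain(alias);
            if (certs == null) continue; // trusted-certificate entry, no chain to check
            X509Certificate[] chain = Arrays.copyOf(certs, certs.length, X509Certificate[].class);
            System.out.println(alias + " -> " + classify(chain));
        }
    }
}
```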
See JDK-8207258
➜New Japanese Era Name Reiwa
An instance representing the new Reiwa era has been added to this update. Unlike other eras, there is no public field for this era. It can be obtained by calling JapaneseEra.of(3) or JapaneseEra.valueOf("Reiwa"). JDK 13 and later will have a new public field to represent this era.
The placeholder name, "NewEra", for the Japanese era that started from May 1st, 2019 has been replaced with the new official name. Applications that relied on the placeholder name (see JDK-8202088) to obtain the new era singleton (JapaneseEra.valueOf("NewEra")) will no longer work.
See JDK-8205432
➜Support New Japanese Era in java.time.chrono.JapaneseEra
The JapaneseEra class and its of(int), valueOf(String), and values() methods are clarified to accommodate future Japanese era additions, such as how the singleton instances are defined, what the associated integer era values are, etc.
See JDK-8212941
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.3 Bug Fixes page.
Java SE 11.0.2 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.2 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
Changes in Java SE 11.0.2+32
Bug Fixes
Changes in Java SE 11.0.2+31
Bug Fixes
BugId Category Subcategory Description
8209055 tools javac c.s.t.javac.code.DeferredCompletionFailureHandler seems to use WeakHashMap incorrectly
8179098 security-libs javax.crypto Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
8211765 core-libs java.util.jar JarFile constructor throws undocumented java.nio.file.InvalidPathException
8211698 hotspot compiler Crash in C2 compiled code during execution of double array heavy processing code
8210483 tools javac AssertionError in DeferredAttr at setOverloadKind caused by JDK-8203679
8215398 hotspot runtime -Xlog option usage => Invalid decorator '\temp\app_cds.log'.
8220165 security-libs javax.crypto Encryption using GCM results in RuntimeException: input length out of bound
8201633 security-libs javax.crypto Problems with AES-GCM native acceleration
8201317 security-libs javax.crypto X25519/X448 code improvements
8208648 security-libs javax.crypto ECC Field Arithmetic Enhancements
Java™ SE Development Kit 11.0.2 (JDK 11.0.2)
January 15, 2019
The full version string for this update release is 11.0.2+9 (where "+" means "build"). The version number is 11.0.2.
IANA Data 2018g
JDK 11.0.2 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.2 are specified in the following table:
JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.2+9
10 10.0.99
9 9.0.99
8 1.8.0_201-b09
7 1.7.0_211-b07
6 1.6.0_221
Oracle JDK Expiration Date
The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.2) will expire with the release of the next critical patch update scheduled for April 16, 2019.
Known Issues
➜GTK+ 3.20 and Later Unsupported by Swing
Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore, Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release.
See JDK-8219072
Changes
➜TLS anon and NULL Cipher Suites are Disabled
The TLS anon (anonymous) and NULL cipher suites have been added to the jdk.tls.disabledAlgorithms security property and are now disabled by default.
See JDK-8211883
➜Linux Native Code Checks
Additional safeguards to protect against buffer overruns in native code have been enabled on Linux. If a buffer overrun is encountered the system will write the message “stack smashing detected” and the program will exit. Issues of this type should be reported to your vendor.
JDK-8196902 (not public)
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.2 Bug Fixes page.
Java™ SE Development Kit 11.0.1 (JDK 11.0.1)
October 16, 2018
The full version string for this update release is 11.0.1+13 (where "+" means "build"). The version number is 11.0.1.
IANA Data 2018e
JDK 11.0.1 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.1 are specified in the following table:
JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.1+13
10 10.0.99
9 9.0.99
8 1.8.0_191-b12
7 1.7.0_201-b11
6 1.6.0_211-b11
Oracle JDK Expiration Date
The JDK expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JDK (version 11.0.1) will expire with the release of the next critical patch update scheduled for January 15, 2019.
Changes
The following root certificate has been added to the OpenJDK cacerts truststore:
- TeliaSonera
  - teliasonerarootcav1
    DN: CN=TeliaSonera Root CA v1, O=TeliaSonera
Endpoint identification has been enabled on LDAPS connections.
To improve robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.
Define this system property (or set it to true) to disable endpoint identification algorithms.
The file system location in Windows for the usagetracker.properties file has been moved from %ProgramData%\Oracle\Java\ to %ProgramFiles%\Java\conf.
There is no change in the file path for Linux, Solaris, or macOS.
Prior to JDK 8u261, the JSSE framework passed an array of Strings of all key types in one call to the (delegate) javax.net.ssl.X509KeyManager.chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) implementation when client authentication is present in an application. Since JDK 8u261, the internal JDK libraries may call the delegate javax.net.ssl.X509KeyManager.chooseClientAlias method in multiple iterations while performing client authentication, with one key type per call. See https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509KeyManager.html#chooseClientAlias-java.lang.String:A-java.security.Principal:A-java.net.Socket-
If application code implements javax.net.ssl.X509KeyManager, ensure that the code logic in that implementation does not assume that all key types are passed in the keyType String array in the first call to chooseClientAlias: String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
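One way to write a key manager that behaves the same under both calling patterns, as an added example (not JDK or Oracle code): the alias is chosen only from the key types offered in the current call. The class name, the key-type-to-alias mapping and the alias "client-ec" are hypothetical.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.X509KeyManager;

public class PerCallKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;            // e.g. obtained from a KeyManagerFactory
    private final Map<String, String> aliasByKeyType; // hypothetical mapping: key type -> alias

    PerCallKeyManager(X509KeyManager delegate, Map<String, String> aliasByKeyType) {
        this.delegate = delegate;
        this.aliasByKeyType = aliasByKeyType;
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        if (keyType == null) return null;
        // Decide only from the types offered in THIS call: the array may hold every
        // type at once (before 8u261) or a single type per call (8u261 and later).
        for (String type : keyType) {
            String alias = aliasByKeyType.get(type);
            if (alias != null) return alias;
        }
        // No key for these types. Returning null lets a later call with another
        // key type succeed; never fall back to a "default" alias of a different type.
        return null;
    }

    // Everything else is passed through to the delegate unchanged.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    public static void main(String[] args) {
        // Constructed demo: chooseClientAlias does not touch the delegate, so null suffices here.
        PerCallKeyManager km = new PerCallKeyManager(null, Map.of("EC", "client-ec"));
        System.out.println("all types in one call: " + km.chooseClientAlias(new String[] {"RSA", "EC"}, null, null));
        System.out.println("first of two calls:    " + km.chooseClientAlias(new String[] {"RSA"}, null, null));
        System.out.println("second of two calls:   " + km.chooseClientAlias(new String[] {"EC"}, null, null));
    }
}
```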
DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the jdk.tls.disabledAlgorithms security property. These cipher suites can be reactivated by removing "DES" from the jdk.tls.disabledAlgorithms security property in the java.security file or by dynamically calling the Security.setProperty() method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the SSLSocket.setEnabledCipherSuites() or SSLEngine.setEnabledCipherSuites() methods.
Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the jdk.tls.disabledAlgorithms security property.
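Several notes on this page describe defaults that a local java.security edit or a launch flag can silently undo: the anon, NULL and DES entries in jdk.tls.disabledAlgorithms, the SYMANTEC_TLS entry in jdk.security.caDistrustPolicies, and the LDAPS endpoint identification system property. The following added example (not part of the release notes) checks a running JDK for drift from those defaults. The class name and the substring match on suite names are assumptions.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class JdkTlsDefaultsAudit {
    // Split a comma-separated security property value into trimmed entries.
    static Set<String> entries(String propertyValue) {
        Set<String> out = new LinkedHashSet<>();
        if (propertyValue == null) return out;
        for (String entry : propertyValue.split(",")) {
            if (!entry.trim().isEmpty()) out.add(entry.trim());
        }
        return out;
    }

    // Identifiers the release notes say are in the property but that are absent here.
    static List<String> missing(String property, String... expected) {
        Set<String> present = entries(Security.getProperty(property));
        List<String> gone = new ArrayList<>();
        for (String id : expected) {
            if (!present.contains(id)) gone.add(id);
        }
        return gone;
    }

    // Suites using anonymous key exchange, NULL encryption or single DES (3DES does not match).
    static List<String> weakSuites(String[] suites) {
        List<String> weak = new ArrayList<>();
        for (String s : suites) {
            if (s.contains("_anon_") || s.contains("_NULL_")
                    || s.contains("_DES_") || s.contains("_DES40_")) {
                weak.add(s);
            }
        }
        return weak;
    }

    public static void main(String[] args) throws Exception {
        List<String> findings = new ArrayList<>();
        for (String id : missing("jdk.tls.disabledAlgorithms", "anon", "NULL", "DES")) {
            findings.add("jdk.tls.disabledAlgorithms no longer lists " + id);
        }
        for (String id : missing("jdk.security.caDistrustPolicies", "SYMANTEC_TLS")) {
            findings.add("jdk.security.caDistrustPolicies no longer lists " + id);
        }
        // What a default engine would actually offer in a handshake.
        String[] enabled = SSLContext.getDefault().createSSLEngine().getEnabledCipherSuites();
        for (String suite : weakSuites(enabled)) {
            findings.add("weak suite enabled by default: " + suite);
        }
        // Per the note, defining the property (or setting it to true) disables the check.
        String ldap = System.getProperty("com.sun.jndi.ldap.object.disableEndpointIdentification");
        if (ldap != null && (ldap.isEmpty() || ldap.equalsIgnoreCase("true"))) {
            findings.add("LDAPS endpoint identification is disabled");
        }
        findings.forEach(f -> System.out.println("FINDING: " + f));
        System.out.println(findings.isEmpty() ? "defaults intact" : findings.size() + " finding(s)");
        System.exit(findings.isEmpty() ? 0 : 1);
    }
}
```

Run it with the same JDK and the same -D flags as the application being checked, since both the security properties and the system property are per-runtime.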
The specification of javax.crypto.CipherInputStream has been clarified to indicate that this class may catch BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client may not be informed that integrity checks failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (e.g. GCM). Applications that require authenticated encryption can use the Cipher API directly as an alternative to using this class.
Bug Fixes
The following are some of the notable bug fixes included in this release:
➜LDAPS Communication Failure
Application code using LDAPS with a socket connect timeout that is <= 0 (the default value) may encounter an exception when establishing the connection.
The topmost frames from exception stack traces of applications encountering such issues might resemble the following:
javax.naming.ServiceUnavailableException: <server:port>; socket closed
at com.sun.jndi.ldap.Connection.readReply(Unknown Source)
at com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)
...
See JDK-8211107
➜Better HTTP Redirection Support
In this release, the behavior of methods which application code uses to set request properties in java.net.HttpURLConnection has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects. If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling HttpURLConnection.setInstanceFollowRedirects(false) for the original request.
JDK-8196902 (not public)
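Handling the redirect in the application, as the note above describes, lets the application decide per hop whether a request property may be sent. The following added example (not Oracle's code) runs two loopback servers with the JDK's built-in com.sun.net.httpserver and attaches an Authorization header only to hosts on an allowlist. The class name, paths and token are constructed.

```java
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ProtocolException;
import java.net.URL;
import java.util.Set;

public class ManualRedirect {
    // Follows redirects by hand. The credential is attached only when the current
    // hop's host:port is on the allowlist; every other hop gets a bare request.
    static int fetch(URL url, String credential, Set<String> allowed, int maxHops) throws IOException {
        for (int hop = 0; hop <= maxHops; hop++) {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setInstanceFollowRedirects(false);
            if (allowed.contains(url.getAuthority())) {
                conn.setRequestProperty("Authorization", credential);
            }
            int status = conn.getResponseCode();
            String location = conn.getHeaderField("Location");
            conn.disconnect();
            if (status / 100 != 3 || location == null) return status;
            url = new URL(url, location); // resolves relative Location values too
        }
        throw new ProtocolException("more than " + maxHops + " redirects");
    }

    static HttpServer serve(String path, HttpHandler handler) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress(InetAddress.getByName("127.0.0.1"), 0), 0);
        server.createContext(path, handler);
        server.start();
        return server;
    }

    public static void main(String[] args) throws IOException {
        // Server B: answers 200 only when it receives an Authorization header.
        HttpServer b = serve("/final", exchange -> {
            boolean hasCredential = exchange.getRequestHeaders().containsKey("Authorization");
            exchange.sendResponseHeaders(hasCredential ? 200 : 403, -1);
            exchange.close();
        });
        String hostB = "127.0.0.1:" + b.getAddress().getPort();
        // Server A: redirects every request to server B (a different host:port).
        HttpServer a = serve("/start", exchange -> {
            exchange.getResponseHeaders().add("Location", "http://" + hostB + "/final");
            exchange.sendResponseHeaders(302, -1);
            exchange.close();
        });
        String hostA = "127.0.0.1:" + a.getAddress().getPort();
        URL start = new URL("http://" + hostA + "/start");
        String token = "Bearer constructed-sample-token";
        try {
            System.out.println("credential allowed for A only:  HTTP " + fetch(start, token, Set.of(hostA), 5));
            System.out.println("credential allowed for A and B: HTTP " + fetch(start, token, Set.of(hostA, hostB), 5));
        } finally {
            a.stop(0);
            b.stop(0);
        }
    }
}
```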
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.1 Bug Fixes page.
JDK 11 Documentation
The Java Platform, Standard Edition 11 Development Kit (JDK 11) is a feature release of the Java SE platform. It contains new features and enhancements in many functional areas.
You can use the links on this page to open the Release Notes describing important changes, enhancements, removed APIs and features, deprecated APIs and features, and other information about JDK 11 and Java SE 11.
Links to other sources of information about JDK 11 are also provided. The JDK Guides and Reference Documentation link below displays a page containing links to the user guides, troubleshooting information, and specific information of interest to users moving from previous versions of the JDK. Links to the JDK 11 API Specification and the Java Language and Virtual Machine Specifications are provided below in the JDK 11 Specifications group.
Note: The Release Notes files are located only on our website.