January 19, 2021
The full version string for this update release is 11.0.10+8 (where "+" means "build"). The version number is 11.0.10.
JDK 11.0.10 contains IANA time zone data version 2020d. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.10 are specified in the following table:
|JRE Family Version||JRE Security Baseline (Full Version String)|
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). To determine whether a release is the latest, use the Security Baseline page, which shows the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.10) be used after the next critical patch update scheduled for April 20, 2021.
A -groupname option has been added to keytool -genkeypair so that a user can specify a named group when generating a key pair. For example, keytool -genkeypair -keyalg EC -groupname secp384r1 will generate an EC key pair by using the secp384r1 curve. Because there might be multiple curves with the same size, using the -groupname option is preferred over the
The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection.
With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.
Applications can enable this extension for server certificate selection by setting the jdk.tls.client.enableCAExtension system property to true. The default value of the property is
Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when jdk.tls.client.enableCAExtension is set to true and the client trusts more CAs than the server implementation limit.
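Before setting jdk.tls.client.enableCAExtension to true, the size of the CA list the client would advertise can be estimated from the default trust store. The following is an added example, not code from the JDK or from Oracle; the class name is hypothetical, and the figure is a lower bound that counts only the distinguished names with their 2-byte length prefixes, not the rest of the handshake message.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CaExtensionSizeCheck {
    // Limits quoted in the release note above.
    static final int EXTENSION_LIMIT = 1 << 16;  // extension must stay below 2^16 bytes
    static final int HANDSHAKE_LIMIT = 1 << 14;  // some servers cap handshake messages at 2^14 bytes

    /** Estimated bytes of the CA list: each DER-encoded subject DN plus a 2-byte length prefix. */
    static int encodedAuthoritiesSize(X509Certificate[] issuers) {
        int total = 0;
        for (X509Certificate ca : issuers) {
            total += 2 + ca.getSubjectX500Principal().getEncoded().length;
        }
        return total;
    }

    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null selects the runtime's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) {
                continue;
            }
            X509Certificate[] issuers = ((X509TrustManager) tm).getAcceptedIssuers();
            int size = encodedAuthoritiesSize(issuers);
            System.out.printf("trusted CAs: %d, estimated DN list: %d bytes%n", issuers.length, size);
            if (size >= EXTENSION_LIMIT) {
                System.out.println("over the extension size limit: the extension would not be enabled");
            } else if (size >= HANDSHAKE_LIMIT) {
                System.out.println("fits the extension, but servers capping handshake messages at 2^14 bytes may fail");
            } else {
                System.out.println("DN list alone is within both limits");
            }
        }
    }
}
```

Run it with the same trust store settings (for example javax.net.ssl.trustStore) that the production client uses, since the result depends entirely on which CAs that client trusts.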
As an additional way to launch processes on Linux, the jdk.lang.Process.launchMechanism property can be set to POSIX_SPAWN. This option has been available for a long time on other *nix platforms. The default launch mechanism (VFORK) on Linux is unchanged, so this additional option does not affect existing installations.
POSIX_SPAWN mitigates rare pathological cases when spawning child processes, but it has not yet been extensively tested. Prudence is advised when using POSIX_SPAWN in production installations.
The named elliptic curve groups x25519 and x448 are now available for JSSE key agreement in TLS versions 1.0 to 1.3, with x25519 being the most preferred of the default enabled named groups. The default ordered list is now:
x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
The default list can be overridden by using the system property
When signing a file that contains POSIX file permission or symlink attributes, jarsigner now preserves these attributes in the newly signed file but warns that these attributes are unsigned and not protected by the signature. The same warning is printed during the jarsigner -verify operation for such files.
Note that the jar tool does not read/write these attributes. This change is more visible to tools like unzip where these attributes are preserved.
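Because these attributes sit outside the signature, it can be useful to list which entries of an archive carry them before trusting what unzip restores. The following is an added example, not jarsigner's own logic and not code from the JDK; the class name is hypothetical, the sample archive is constructed in memory and patched to look Unix-made, and ZIP64 archives are not handled.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

public class PosixAttrScan {
    /** Lists entries whose central-directory record carries Unix mode bits or a symlink type. */
    static List<String> scan(byte[] zip) {
        ByteBuffer b = ByteBuffer.wrap(zip).order(ByteOrder.LITTLE_ENDIAN);
        int eocd = zip.length - 22;                    // search back for the end-of-central-directory record
        while (eocd >= 0 && b.getInt(eocd) != 0x06054b50) eocd--;
        if (eocd < 0) throw new IllegalArgumentException("not a zip archive");
        int count = b.getShort(eocd + 10) & 0xFFFF;    // number of central-directory entries
        int pos = b.getInt(eocd + 16);                 // offset of the first entry
        List<String> hits = new ArrayList<>();
        for (int i = 0; i < count; i++) {
            if (b.getInt(pos) != 0x02014b50) throw new IllegalArgumentException("bad central directory");
            int host = zip[pos + 5] & 0xFF;            // "version made by" host byte, 3 = Unix
            int mode = b.getInt(pos + 38) >>> 16;      // st_mode in the high half of the external attributes
            int nameLen = b.getShort(pos + 28) & 0xFFFF;
            String name = new String(zip, pos + 46, nameLen, StandardCharsets.UTF_8);
            if (host == 3 && mode != 0) {
                String kind = (mode & 0170000) == 0120000 ? "symlink" : "perms";
                hits.add(String.format("%s %s %04o", name, kind, mode & 07777));
            }
            pos += 46 + nameLen + (b.getShort(pos + 30) & 0xFFFF) + (b.getShort(pos + 32) & 0xFFFF);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a one-entry archive, patched below to carry mode 0100755.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(out)) {
            z.putNextEntry(new ZipEntry("bin/run.sh"));
            z.write("#!/bin/sh\n".getBytes(StandardCharsets.US_ASCII));
            z.closeEntry();
        }
        byte[] zip = out.toByteArray();
        ByteBuffer b = ByteBuffer.wrap(zip).order(ByteOrder.LITTLE_ENDIAN);
        int cen = b.getInt(zip.length - 22 + 16);      // central directory offset (archive has no comment)
        zip[cen + 5] = 3;                              // mark the entry as made on Unix
        b.putInt(cen + 38, 0100755 << 16);             // regular file, rwxr-xr-x
        System.out.println(scan(zip));
    }
}
```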
Oracle JDK-11.0.10 and later for Solaris 11 requires that the OS provide the package library/desktop/harfbuzz as part of the system installation. This package is provided for Solaris 11.3 and later.
$ pkg info harfbuzz
Name: library/desktop/harfbuzz
Summary: HarfBuzz is an OpenType text shaping engine
Description: HarfBuzz is a library for text shaping, which converts unicode text to glyph indices and positions. HarfBuzz is used directly by libraries such as Pango, and the layout engines in firefox.
Category: Desktop (GNOME)/Libraries
State: Installed
Publisher: solaris
This is a desktop library, but the font processing it does is part of some common backend server workloads. It should always be considered as required.
If this library is missing, then the pkg mechanism will require it during installation of the JDK.
If installing the JDK by using a tar.gz bundle (for example) and the library/desktop/harfbuzz package is missing, a runtime link failure will occur when this package is needed.
The JDK update incorporates tzdata2020d. The main change is
Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000062.html for more information.
The JDK update incorporates tzdata2020c. The main change is
Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000060.html for more information.
Following the JDK's update to tzdata2020b, the long-obsolete files named pacificnew and systemv have been removed. As a result, the "US/Pacific-New" Zone name declared in the pacificnew data file is no longer available for use.
Information regarding this update can be viewed at https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.10 Bug Fixes page.