The following sections summarize changes made in all Java SE 11.0.12 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8263773 | infrastructure | build | Reenable German localization for builds at Oracle |
JDK-8240256 | security-libs | javax.crypto:pkcs11 | Better resource cleaning for SunPKCS11 Provider |
JDK-8245511 | hotspot | gc | G1 adaptive IHOP does not account for reclamation of humongous objects by young GC |
JDK-8246274 | hotspot | gc | G1 old gen allocation tracking is not in a separate class |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8259886 | security-libs | javax.net.ssl | Improve SSL session cache performance and scalability |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8268347 | hotspot | compiler | C2: nested locks optimization may create unbalanced monitor enter/exit code |
JDK-8269304 | hotspot | compiler | Regression ~5% in 2005 in b27 |
JDK-8266653 (Confidential) | install | install | Change update mode for JDK rpm/deb installers as it breaks "yum update" for JDK11+ |
JDK-8260680 | tools | jshell | PipedOutputStream.write in a JShell throws error "pipe closed" |
JDK-8247403 | tools | jshell | JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder |
July 20, 2021
The full version string for this update release is 11.0.12+8 (where "+" means "build"). The version number is 11.0.12.
JDK 11.0.12 contains IANA time zone data 2021a.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.12 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.12+8 |
8 | 8u301-b09 |
7 | 7u311-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.12) be used after the next critical patch update scheduled for October 19, 2021.
The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments.
By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms.
New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security
file.
Also, support for the following SHA-2 based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256
The following root certificates with weak 1024-bit RSA public keys have been removed from the cacerts
keystore:
+ alias name "thawtepremiumserverca [jdk]"
Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
+ alias name "verisignclass2g2ca [jdk]"
Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+ alias name "verisignclass3ca [jdk]"
Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
+ alias name "verisignclass3g2ca [jdk]"
Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+ alias name "verisigntsaca [jdk]"
Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
The following root certificate has been removed from the cacerts truststore:
+ Telia Company
+ soneraclass2ca
DN: CN=Sonera Class2 CA, O=Sonera, C=FI
The JarFile
class now treats a signed JAR as unsigned if it detects a second manifest in the JAR file. A warning message, "WARNING: Multiple MANIFEST.MF found. Treat JAR file as unsigned."
, is logged if the system property -Djava.security.debug=jar
is set.
The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api
, jaxp_parser_impl
, and java-fonts
. This clean-up of the list resolves existing and potential conflicts with modular RPMs.
There are other RPMs providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other rpms to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.
The ADDLOCAL=ToolsFeature,SourceFeature
argument is no longer needed for the JDK installer silent mode. All required files are now installed by default.
The default encryption and MAC algorithms used in a PKCS #12 keystore have been updated. The new algorithms are based on AES-256 and SHA-256 and are stronger than the old algorithms that were based on RC2, DESede, and SHA-1. See the security properties starting with keystore.pkcs12
in the java.security
file for detailed information.
For compatibility, a new system property named keystore.pkcs12.legacy
is defined that will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.
In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:
cacerts
keystore will not be restricted.These exceptions may be removed in a future JDK release.
Users can, at their own risk, remove these restrictions by modifying the java.security
configuration file (or overriding it using the java.security.properties
system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms
security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms
security property.
Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.
SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset
to "UTF-8" revert the behavior.
See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.
Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.
The following system property has been added for validation of server addresses in FTP
passive mode.
jdk.net.ftp.trustPasvAddress
.In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV
command from the FTP Client, when that address differs from the address which the FTP Client initially connected.
To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress
system property can be set to true
. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV
command
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.12:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8259869 | client-libs | [macOS] Remove desktop module dependencies on JNF Reference APIs | |
2 | JDK-8260616 | client-libs | Removing remaining JNF dependencies in the java.desktop module | |
3 | JDK-8259343 | client-libs | [macOS] Update JNI error handling in Cocoa code. | |
4 | JDK-6847157 | client-libs | 2d | java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit |
5 | JDK-8261170 | client-libs | 2d | Upgrade to FreeType 2.10.4 |
6 | JDK-8260380 | client-libs | 2d | Upgrade to LittleCMS 2.12 |
7 | JDK-8259232 | client-libs | 2d | Bad JNI lookup during printing |
8 | JDK-8263311 | client-libs | 2d | Watch registry changes for remote printers update instead of polling |
9 | JDK-8262829 | client-libs | 2d | Native crash in Win32PrintServiceLookup.getAllPrinterNames() |
10 | JDK-8213944 | client-libs | java.awt | Fix AIX build after the removal of Xrandr.h and add a configure check for it |
11 | JDK-8262461 | client-libs | java.awt | handle wcstombsdmp return value correctly in unix awt_InputMethod.c |
12 | JDK-8262446 | client-libs | java.awt | DragAndDrop hangs on Windows |
13 | JDK-8261231 | client-libs | java.awt | Windows IME was disabled after DnD operation |
14 | JDK-8255681 | client-libs | java.awt | Print callstack in error case in runAWTLoopWithApp |
15 | JDK-8264786 | client-libs | java.awt | [macOS] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched |
16 | JDK-8259585 | client-libs | java.awt | [macOS] Bad JNI lookup error : Accessible actions do not work on macOS |
17 | JDK-8259729 | client-libs | javax.accessibility | Missed JNFInstanceOf -> IsInstanceOf conversion |
18 | JDK-8261198 | client-libs | javax.accessibility | [macOS] Incorrect JNI parameters in number conversion in A11Y code |
19 | JDK-8239312 | client-libs | javax.swing | [macOS] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java |
20 | JDK-8252883 | core-libs | java.util.logging | AccessDeniedException caused by delayed file deletion on Windows |
21 | JDK-8262110 | core-libs | java.util:i18n | DST starts from incorrect time in 2038 |
22 | JDK-8255086 | core-libs | java.util:i18n | Update the root locale display names |
23 | JDK-8247432 | core-libs | java.util:i18n | Update IANA Language Subtag Registry to Version 2020-09-29 |
24 | JDK-8241082 | core-libs | java.util:i18n | Upgrade IANA Language Subtag Registry data to 03-16-2020 version |
25 | JDK-8242010 | core-libs | java.util:i18n | Update IANA Language Subtag Registry to Version 2020-04-01 |
26 | JDK-8073446 | core-libs | java.util:i18n | TimeZone getOffset API does not return a DST offset between years 2038-2137 |
27 | JDK-8258753 | core-libs | javax.naming | StartTlsResponse.close() hangs due to synchronization issues |
28 | JDK-8259785 | docs | Create man pages using pandoc from markdown sources | |
29 | JDK-8262465 | hotspot | compiler | Very long compilation times and high memory consumption in C2 debug builds |
30 | JDK-8262093 | hotspot | compiler | java/util/concurrent/tck/JSR166TestCase.java failed "assert(false) failed: unexpected node" |
31 | JDK-8261914 | hotspot | compiler | IfNode::fold_compares_helper faces non-canonicalized bool when running JRuby JSON workload |
32 | JDK-8261846 | hotspot | compiler | [JVMCI] c2v_iterateFrames can get out of sync with the StackFrameStream |
33 | JDK-8261912 | hotspot | compiler | Code IfNode::fold_compares_helper more defensively |
34 | JDK-8262298 | hotspot | compiler | G1BarrierSetC2::step_over_gc_barrier fails with assert "bad barrier shape" |
35 | JDK-8262295 | hotspot | compiler | C2: Out-of-Bounds Array Load from Clone Source |
36 | JDK-8262739 | hotspot | compiler | String inflation C2 intrinsic prevents insertion of anti-dependencies |
37 | JDK-8262726 | hotspot | compiler | AArch64: C1 StubAssembler::call_RT can corrupt stack |
38 | JDK-8264360 | hotspot | compiler | Loop strip mining verification fails with "should be on the backedge" |
39 | JDK-8262837 | hotspot | compiler | handle split_USE correctly |
40 | JDK-8263448 | hotspot | compiler | CTW: fatal error: meet not symmetric |
41 | JDK-8263425 | hotspot | compiler | AArch64: two potential bugs in C1 LIRGenerator::generate_address() |
42 | JDK-8264958 | hotspot | compiler | C2 compilation fails with assert "n is later than its clone" |
43 | JDK-8263676 | hotspot | compiler | AArch64: one potential bug in C1 LIRGenerator::generate_address() |
44 | JDK-8261730 | hotspot | compiler | C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge |
45 | JDK-8265154 | hotspot | compiler | vinserti128 operand mix up for KNL platforms |
46 | JDK-8261812 | hotspot | compiler | C2 compilation fails with assert(!had_error) failed: bad dominance |
47 | JDK-8261235 | hotspot | compiler | C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check |
48 | JDK-8260338 | hotspot | compiler | Some fields in HaltNode is not cloned |
49 | JDK-8260284 | hotspot | compiler | C2: assert(_base == Int) failed: Not an Int |
50 | JDK-8238812 | hotspot | compiler | assert(false) failed: bad AD file |
51 | JDK-8255763 | hotspot | compiler | C2: OSR miscompilation caused by invalid memory instruction placement |
52 | JDK-8252482 | hotspot | compiler | disable cbcond instructions on SPARC64 |
53 | JDK-8253353 | hotspot | compiler | Crash in C2: guarantee(n != NULL) failed: No Node |
54 | JDK-8259777 | hotspot | compiler | Incorrect predication condition generated by ADLC |
55 | JDK-8259710 | hotspot | compiler | Inlining trace leaks memory |
56 | JDK-8260420 | hotspot | compiler | C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint |
57 | JDK-8259061 | hotspot | compiler | C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it |
58 | JDK-8259619 | hotspot | compiler | C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect |
59 | JDK-8259227 | hotspot | compiler | C2 crashes with SIGFPE due to a division that floats above its zero check |
60 | JDK-8257822 | hotspot | compiler | C2 crashes with SIGFPE due to a division that floats above its zero check |
61 | JDK-8257574 | hotspot | compiler | C2: "failed: parsing found no loops but there are some" assert failure |
62 | JDK-8240353 | hotspot | compiler | AArch64: missing support for -XX:+ExtendedDTraceProbes in C1 |
63 | JDK-8263361 | hotspot | compiler | Incorrect arraycopy stub selected by C2 for SATB collectors |
64 | JDK-8264918 | hotspot | compiler | [JVMCI] getVtableIndexForInterfaceMethod doesn't check that type and method are related |
65 | JDK-8265689 | hotspot | compiler | JVMCI: InternalError: Class java.lang.Object does not implement interface jdk.vm.ci.meta.JavaType |
66 | JDK-8259276 | hotspot | compiler | C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization |
67 | JDK-8248411 | hotspot | compiler | AArch64: Insufficient error handling when CodeBuffer is exhausted |
68 | JDK-8211150 | hotspot | gc | G1 Full GC not purging code root memory and hence causing memory leak |
69 | JDK-8235324 | hotspot | gc | Dying objects are published from users of CollectedHeap::object_iterate |
70 | JDK-8260704 | hotspot | gc | ParallelGC: oldgen expansion needs release-store for _end |
71 | JDK-8247201 | hotspot | gc | Print potential pointer value of readable stack memory in hs_err file |
72 | JDK-8259271 | hotspot | gc | gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region" |
73 | JDK-8232905 | hotspot | jfr | JFR fails with assertion: assert(t->unflushed_size() == 0) failed: invariant |
74 | JDK-8257569 | hotspot | jfr | Failure observed with JfrVirtualMemory::initialize |
75 | JDK-8245283 | hotspot | jfr | JFR: Can't handle constant dynamic used by Jacoco agent |
76 | JDK-8209385 | hotspot | runtime | CDS runtime classpath checking is too strict when only classes from the system modules are archived |
77 | JDK-8234355 | hotspot | runtime | Buffer overflow in jcmd GC.class_stats due to too many classes |
78 | JDK-8213231 | hotspot | runtime | ThreadSnapshot::_threadObj can become stale |
79 | JDK-8208061 | hotspot | runtime | runtime/LoadClass/TestResize.java fails with "Load factor too high" when running in CDS mode |
80 | JDK-8261916 | hotspot | runtime | gtest/GTestWrapper.java vmErrorTest.unimplemented1_vm_assert failed |
81 | JDK-8263004 | hotspot | runtime | SPARC CodeBuffer overflow in generate_satb_log_enqueue |
82 | JDK-8263407 | hotspot | runtime | SPARC64 detection fails on Athena (SPARC64-X) |
83 | JDK-8261397 | hotspot | runtime | try catch Method failing to work when dividing an integer by 0 |
84 | JDK-8259843 | hotspot | runtime | initialize dli_fname array before calling dll_address_to_library_name |
85 | JDK-8257746 | hotspot | runtime | Regression introduced with JDK-8250984 - memory might be null in some machines |
86 | JDK-8259786 | hotspot | runtime | initialize last parameter of getpwuid_r |
87 | JDK-8260349 | hotspot | runtime | Cannot programmatically retrieve Metaspace max set via JAVA_TOOL_OPTIONS |
88 | JDK-8238175 | hotspot | runtime | CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class |
89 | JDK-8261262 | hotspot | runtime | Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION |
90 | JDK-8236847 | hotspot | runtime | CDS archive with 4K alignment unusable on machines with 64k pages |
91 | JDK-8266293 | security-libs | Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long" | |
92 | JDK-8243559 | security-libs | java.security | Remove root certificates with 1024-bit keys |
93 | JDK-8153005 | security-libs | java.security | Upgrade the default PKCS12 encryption/MAC algorithms |
94 | JDK-8076190 | security-libs | java.security | Customizing the generation of a PKCS12 keystore |
95 | JDK-8266929 | security-libs | java.security | Unable to use algorithms from 3p providers |
96 | JDK-8196415 | security-libs | java.security | Disable SHA-1 Signed JARs |
97 | JDK-8267100 | security-libs | java.security | [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs |
98 | JDK-8267599 | security-libs | java.security | Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u |
99 | JDK-8225081 | security-libs | java.security | Remove Telia Company CA certificate expiring in April 2021 |
100 | JDK-8226374 | security-libs | javax.net.ssl | Restrict TLS signature schemes and named groups |
101 | JDK-8254631 | security-libs | javax.net.ssl | Better support ALPN byte wire values in SunJSSE |
102 | JDK-8005819 | security-libs | org.ietf.jgss:krb5 | Support cross-realm MSSFU |
103 | JDK-8253948 | tools | jlink | Memory leak in ImageFileReader |
104 | JDK-8213725 | tools | jshell | JShell NullPointerException due to class file with unexpected package |
105 | JDK-8247438 | tools | jshell | JShell: When FailOverExecutionControlProvider fails the proximal cause is not shown |
106 | JDK-8235368 | xml | jaxp | Update BCEL to Version 6.4.1 |