java

JDK 11.0.12 Release Notes

Java SE 11.0.12 Based Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.12 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 11.0.12.0.3

Bug Fixes

BugId Component Subcomponent Summary
JDK-8263773 infrastructure build Reenable German localization for builds at Oracle
JDK-8240256 security-libs javax.crypto:pkcs11 Better resource cleaning for SunPKCS11 Provider
JDK-8245511 hotspot gc G1 adaptive IHOP does not account for reclamation of humongous objects by young GC
JDK-8246274 hotspot gc G1 old gen allocation tracking is not in a separate class

Changes in Java SE 11.0.12.0.2

Bug Fixes

BugId Component Subcomponent Summary
JDK-8259886 security-libs javax.net.ssl Improve SSL session cache performance and scalability

Changes in Java SE 11.0.12.0.1

Bug Fixes

BugId Component Subcomponent Summary
JDK-8268347 hotspot compiler C2: nested locks optimization may create unbalanced monitor enter/exit code
JDK-8269304 hotspot compiler Regression ~5% in 2005 in b27
JDK-8266653 (Confidential) install install Change update mode for JDK rpm/deb installers as it breaks "yum update" for JDK11+
JDK-8260680 tools jshell PipedOutputStream.write in a JShell throws error "pipe closed"
JDK-8247403 tools jshell JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder

Java™ SE Development Kit 11.0.12 (JDK 11.0.12)

July 20, 2021

The full version string for this update release is 11.0.12+8 (where "+" means "build"). The version number is 11.0.12.

IANA TZ Data 2021a

JDK 11.0.12 contains IANA time zone data 2021a.

For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.12 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.12+8
8 8u301-b09
7 7u311-b07

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.12) be used after the next critical patch update scheduled for October 19, 2021.

New Features

security-libs/org.ietf.jgss:krb5
 Support cross-realm MSSFU

The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments.

By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms.

[1] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94

See JDK-8005819

security-libs/java.security
 Customizing PKCS12 keystore Generation

New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security file.

Also, support for the following SHA-2 based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256

See JDK-8076190

Removed Features and Options

security-libs/java.security
 Removed Root Certificates with 1024-bit Keys

The following root certificates with weak 1024-bit RSA public keys have been removed from the cacerts keystore:

+ alias name "thawtepremiumserverca [jdk]"

  Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

+ alias name "verisignclass2g2ca [jdk]"
  Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

+ alias name "verisignclass3ca [jdk]"
  Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

+ alias name "verisignclass3g2ca [jdk]"
  Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

+ alias name "verisigntsaca [jdk]"
  Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA

See JDK-8243559

security-libs/java.security
 Removed Telia Company's Sonera Class2 CA Certificate

The following root certificate has been removed from the cacerts truststore:

+ Telia Company

  + soneraclass2ca
    DN: CN=Sonera Class2 CA, O=Sonera, C=FI
See JDK-8225081

Other Notes

security-libs/java.security
 JarFile Treats Signed JARs with Multiple Manifests as Unsigned

The JarFile class now treats a signed JAR as unsigned if it detects a second manifest in the JAR file. A warning message, "WARNING: Multiple MANIFEST.MF found. Treat JAR file as unsigned.", is logged if the system property -Djava.security.debug=jar is set.

JDK-8260967 (not public)
install/install
 Updated List of Capabilities Provided by JDK RPMs

The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api, jaxp_parser_impl, and java-fonts. This clean-up of the list resolves existing and potential conflicts with modular RPMs.

There are other RPMs providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other rpms to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.

JDK-8263575 (not public)

install/install
 ADDLOCAL=ToolsFeature,SourceFeature Argument No Longer Needed For Windows JDK Installer

The ADDLOCAL=ToolsFeature,SourceFeature argument is no longer needed for the JDK installer silent mode. All required files are now installed by default.

JDK-8262043 (not public)

security-libs/java.security
 Upgraded the Default PKCS12 Encryption and MAC Algorithms

The default encryption and MAC algorithms used in a PKCS #12 keystore have been updated. The new algorithms are based on AES-256 and SHA-256 and are stronger than the old algorithms that were based on RC2, DESede, and SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.

For compatibility, a new system property named keystore.pkcs12.legacy is defined that will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.

See JDK-8153005

security-libs/java.security
 Disable SHA-1 JARs

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.

In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
  • Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included by default in the JDK cacerts keystore will not be restricted.

These exceptions may be removed in a future JDK release.

Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or overriding it using the java.security.properties system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

See JDK-8196415

security-libs/javax.net.ssl
 Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values

Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.

SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset to "UTF-8" revert the behavior.

See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.

See JDK-8254631

core-libs/java.net
 URL FTP Protocol Handler: IPv4 Address Validation in Passive Mode

Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.

The following system property has been added for validation of server addresses in FTP passive mode.

  • jdk.net.ftp.trustPasvAddress.

In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address which the FTP Client initially connected.

To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command

JDK-8258432 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.12:

# BugId Component Subcomponent Summary
1 JDK-8259869 client-libs [macOS] Remove desktop module dependencies on JNF Reference APIs
2 JDK-8260616 client-libs Removing remaining JNF dependencies in the java.desktop module
3 JDK-8259343 client-libs [macOS] Update JNI error handling in Cocoa code.
4 JDK-6847157 client-libs 2d java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit
5 JDK-8261170 client-libs 2d Upgrade to FreeType 2.10.4
6 JDK-8260380 client-libs 2d Upgrade to LittleCMS 2.12
7 JDK-8259232 client-libs 2d Bad JNI lookup during printing
8 JDK-8263311 client-libs 2d Watch registry changes for remote printers update instead of polling
9 JDK-8262829 client-libs 2d Native crash in Win32PrintServiceLookup.getAllPrinterNames()
10 JDK-8213944 client-libs java.awt Fix AIX build after the removal of Xrandr.h and add a configure check for it
11 JDK-8262461 client-libs java.awt handle wcstombsdmp return value correctly in unix awt_InputMethod.c
12 JDK-8262446 client-libs java.awt DragAndDrop hangs on Windows
13 JDK-8261231 client-libs java.awt Windows IME was disabled after DnD operation
14 JDK-8255681 client-libs java.awt Print callstack in error case in runAWTLoopWithApp
15 JDK-8264786 client-libs java.awt [macOS] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched
16 JDK-8259585 client-libs java.awt [macOS] Bad JNI lookup error : Accessible actions do not work on macOS
17 JDK-8259729 client-libs javax.accessibility Missed JNFInstanceOf -> IsInstanceOf conversion
18 JDK-8261198 client-libs javax.accessibility [macOS] Incorrect JNI parameters in number conversion in A11Y code
19 JDK-8239312 client-libs javax.swing [macOS] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java
20 JDK-8252883 core-libs java.util.logging AccessDeniedException caused by delayed file deletion on Windows
21 JDK-8262110 core-libs java.util:i18n DST starts from incorrect time in 2038
22 JDK-8255086 core-libs java.util:i18n Update the root locale display names
23 JDK-8247432 core-libs java.util:i18n Update IANA Language Subtag Registry to Version 2020-09-29
24 JDK-8241082 core-libs java.util:i18n Upgrade IANA Language Subtag Registry data to 03-16-2020 version
25 JDK-8242010 core-libs java.util:i18n Update IANA Language Subtag Registry to Version 2020-04-01
26 JDK-8073446 core-libs java.util:i18n TimeZone getOffset API does not return a DST offset between years 2038-2137
27 JDK-8258753 core-libs javax.naming StartTlsResponse.close() hangs due to synchronization issues
28 JDK-8259785 docs Create man pages using pandoc from markdown sources
29 JDK-8262465 hotspot compiler Very long compilation times and high memory consumption in C2 debug builds
30 JDK-8262093 hotspot compiler java/util/concurrent/tck/JSR166TestCase.java failed "assert(false) failed: unexpected node"
31 JDK-8261914 hotspot compiler IfNode::fold_compares_helper faces non-canonicalized bool when running JRuby JSON workload
32 JDK-8261846 hotspot compiler [JVMCI] c2v_iterateFrames can get out of sync with the StackFrameStream
33 JDK-8261912 hotspot compiler Code IfNode::fold_compares_helper more defensively
34 JDK-8262298 hotspot compiler G1BarrierSetC2::step_over_gc_barrier fails with assert "bad barrier shape"
35 JDK-8262295 hotspot compiler C2: Out-of-Bounds Array Load from Clone Source
36 JDK-8262739 hotspot compiler String inflation C2 intrinsic prevents insertion of anti-dependencies
37 JDK-8262726 hotspot compiler AArch64: C1 StubAssembler::call_RT can corrupt stack
38 JDK-8264360 hotspot compiler Loop strip mining verification fails with "should be on the backedge"
39 JDK-8262837 hotspot compiler handle split_USE correctly
40 JDK-8263448 hotspot compiler CTW: fatal error: meet not symmetric
41 JDK-8263425 hotspot compiler AArch64: two potential bugs in C1 LIRGenerator::generate_address()
42 JDK-8264958 hotspot compiler C2 compilation fails with assert "n is later than its clone"
43 JDK-8263676 hotspot compiler AArch64: one potential bug in C1 LIRGenerator::generate_address()
44 JDK-8261730 hotspot compiler C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge
45 JDK-8265154 hotspot compiler vinserti128 operand mix up for KNL platforms
46 JDK-8261812 hotspot compiler C2 compilation fails with assert(!had_error) failed: bad dominance
47 JDK-8261235 hotspot compiler C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check
48 JDK-8260338 hotspot compiler Some fields in HaltNode is not cloned
49 JDK-8260284 hotspot compiler C2: assert(_base == Int) failed: Not an Int
50 JDK-8238812 hotspot compiler assert(false) failed: bad AD file
51 JDK-8255763 hotspot compiler C2: OSR miscompilation caused by invalid memory instruction placement
52 JDK-8252482 hotspot compiler disable cbcond instructions on SPARC64
53 JDK-8253353 hotspot compiler Crash in C2: guarantee(n != NULL) failed: No Node
54 JDK-8259777 hotspot compiler Incorrect predication condition generated by ADLC
55 JDK-8259710 hotspot compiler Inlining trace leaks memory
56 JDK-8260420 hotspot compiler C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint
57 JDK-8259061 hotspot compiler C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it
58 JDK-8259619 hotspot compiler C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect
59 JDK-8259227 hotspot compiler C2 crashes with SIGFPE due to a division that floats above its zero check
60 JDK-8257822 hotspot compiler C2 crashes with SIGFPE due to a division that floats above its zero check
61 JDK-8257574 hotspot compiler C2: "failed: parsing found no loops but there are some" assert failure
62 JDK-8240353 hotspot compiler AArch64: missing support for -XX:+ExtendedDTraceProbes in C1
63 JDK-8263361 hotspot compiler Incorrect arraycopy stub selected by C2 for SATB collectors
64 JDK-8264918 hotspot compiler [JVMCI] getVtableIndexForInterfaceMethod doesn't check that type and method are related
65 JDK-8265689 hotspot compiler JVMCI: InternalError: Class java.lang.Object does not implement interface jdk.vm.ci.meta.JavaType
66 JDK-8259276 hotspot compiler C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization
67 JDK-8248411 hotspot compiler AArch64: Insufficient error handling when CodeBuffer is exhausted
68 JDK-8211150 hotspot gc G1 Full GC not purging code root memory and hence causing memory leak
69 JDK-8235324 hotspot gc Dying objects are published from users of CollectedHeap::object_iterate
70 JDK-8260704 hotspot gc ParallelGC: oldgen expansion needs release-store for _end
71 JDK-8247201 hotspot gc Print potential pointer value of readable stack memory in hs_err file
72 JDK-8259271 hotspot gc gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region"
73 JDK-8232905 hotspot jfr JFR fails with assertion: assert(t->unflushed_size() == 0) failed: invariant
74 JDK-8257569 hotspot jfr Failure observed with JfrVirtualMemory::initialize
75 JDK-8245283 hotspot jfr JFR: Can't handle constant dynamic used by Jacoco agent
76 JDK-8209385 hotspot runtime CDS runtime classpath checking is too strict when only classes from the system modules are archived
77 JDK-8234355 hotspot runtime Buffer overflow in jcmd GC.class_stats due to too many classes
78 JDK-8213231 hotspot runtime ThreadSnapshot::_threadObj can become stale
79 JDK-8208061 hotspot runtime runtime/LoadClass/TestResize.java fails with "Load factor too high" when running in CDS mode
80 JDK-8261916 hotspot runtime gtest/GTestWrapper.java vmErrorTest.unimplemented1_vm_assert failed
81 JDK-8263004 hotspot runtime SPARC CodeBuffer overflow in generate_satb_log_enqueue
82 JDK-8263407 hotspot runtime SPARC64 detection fails on Athena (SPARC64-X)
83 JDK-8261397 hotspot runtime try catch Method failing to work when dividing an integer by 0
84 JDK-8259843 hotspot runtime initialize dli_fname array before calling dll_address_to_library_name
85 JDK-8257746 hotspot runtime Regression introduced with JDK-8250984 - memory might be null in some machines
86 JDK-8259786 hotspot runtime initialize last parameter of getpwuid_r
87 JDK-8260349 hotspot runtime Cannot programmatically retrieve Metaspace max set via JAVA_TOOL_OPTIONS
88 JDK-8238175 hotspot runtime CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class
89 JDK-8261262 hotspot runtime Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION
90 JDK-8236847 hotspot runtime CDS archive with 4K alignment unusable on machines with 64k pages
91 JDK-8266293 security-libs Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"
92 JDK-8243559 security-libs java.security Remove root certificates with 1024-bit keys
93 JDK-8153005 security-libs java.security Upgrade the default PKCS12 encryption/MAC algorithms
94 JDK-8076190 security-libs java.security Customizing the generation of a PKCS12 keystore
95 JDK-8266929 security-libs java.security Unable to use algorithms from 3p providers
96 JDK-8196415 security-libs java.security Disable SHA-1 Signed JARs
97 JDK-8267100 security-libs java.security [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs
98 JDK-8267599 security-libs java.security Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u
99 JDK-8225081 security-libs java.security Remove Telia Company CA certificate expiring in April 2021
100 JDK-8226374 security-libs javax.net.ssl Restrict TLS signature schemes and named groups
101 JDK-8254631 security-libs javax.net.ssl Better support ALPN byte wire values in SunJSSE
102 JDK-8005819 security-libs org.ietf.jgss:krb5 Support cross-realm MSSFU
103 JDK-8253948 tools jlink Memory leak in ImageFileReader
104 JDK-8213725 tools jshell JShell NullPointerException due to class file with unexpected package
105 JDK-8247438 tools jshell JShell: When FailOverExecutionControlProvider fails the proximal cause is not shown
106 JDK-8235368 xml jaxp Update BCEL to Version 6.4.1