We’re sorry. We could not find a match for your search.

We suggest you try the following to help find what you’re looking for:

  • Check the spelling of your keyword search.
  • Use synonyms for the keyword you typed, for example, try "application" instead of "software."
  • Start a new search.
Cloud Account Sign in to Cloud
Oracle Account

JDK 11.0.14 Release Notes

Java Development Kit 11 Release Notes

Java™ SE Development Kit 11.0.14 (JDK 11.0.14)

January 18, 2022

The full version string for this update release is 11.0.14+8 (where "+" means "build"). The version number is 11.0.14.

 

IANA TZ Data 2021b, 2021c, 2021d, 2021e

JDK 11.0.14 contains IANA time zone data 2021b, 2021c, 2021d, 2021e.
  • Jordan now starts DST on February's last Thursday.
  • Samoa no longer observes DST.
  • Merge more location-based Zones whose timestamps agree since 1970.
  • Move some backward-compatibility links to 'backward'.
  • Rename Pacific/Enderbury to Pacific/Kanton.
  • Correct many pre-1993 transitions in Malawi, Portugal, etc.
  • zic now creates each output file or link atomically.
  • zic -L no longer omits the POSIX TZ string in its output.
  • zic fixes for truncation and leap second table expiration.
  • zic now follows POSIX for TZ strings using all-year DST.
  • Fix some localtime crashes and bugs in obscure cases.
  • zdump -v now outputs more-useful boundary cases.
  • tzfile.5 better matches a draft successor to RFC 8536.
  • A new file SECURITY.
  • Revert most 2021b changes to 'backward'.
  • Fix 'zic -b fat' bug in pre-1970 32-bit data.
  • Fix two Link line typos.
  • Distribute SECURITY file.

This release is intended as a bugfix release, to fix compatibility problems and typos reported since 2021b was released.

  • Fiji suspends DST for the 2021/2022 season.
  • 'zic -r' marks unspecified timestamps with "-00".
  • Palestine will fall back 10-29 (not 10-30) at 01:00.
For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.14 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.14+8
8 8u321-b07
7 7u331-b06

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.14) be used after the next critical patch update scheduled for April 19, 2022.

 

New Features

security-libs/javax.crypto:pkcs11
 New SunPKCS11 Configuration Properties

SunPKCS11 provider adds new provider configuration attributes to better control native resources usage. The SunPKCS11 provider consumes native resources in order to work with native PKCS11 libraries. To manage and better control the native resources, additional configuration attributes are added to control the frequency of clearing native references as well as whether to destroy the underlying PKCS11 Token after logout.

The 3 new attributes for SunPKCS11 provider configuration file are:

  1. destroyTokenAfterLogout (boolean, defaults to false)

    If set to true, when java.security.AuthProvider.logout() is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout() calls. Note that a PKCS11 provider with this attribute set to true should not be added to the system provider list since the provider object is not usable after a logout() method call.

  2. cleaner.shortInterval (integer, defaults to 2000, in milliseconds)

    This defines the frequency for clearing native references during busy period (such as, how often should the cleaner thread processes the no-longer-needed native references in the queue to free up native memory). Note that the cleaner thread will switch to the 'longInterval' frequency after 200 failed tries (such as, when no references are found in the queue).

  3. cleaner.longInterval (integer, defaults to 60000, in milliseconds)

    This defines the frequency for checking native reference during non-busy period (such as, how often should the cleaner thread check the queue for native references). Note that the cleaner thread will switch back to the 'shortInterval' value if native PKCS11 references for cleaning are detected.

security-libs/javax.net.ssl
 Configurable Extensions With System Properties

Two new system properties have been added. The system property, jdk.tls.client.disableExtensions, is used to disable TLS extensions used in the client. The system property, jdk.tls.server.disableExtensions, is used to disable TLS extensions used in the server. If an extension is disabled, it will be neither produced nor processed in the handshake messages.

The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request, and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.

Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please do not disable mandatory extensions, and do not use this feature unless you clearly understand the impact.

 

Removed Features and Options

security-libs/java.security
 Removed Google's GlobalSign Root Certificate

The following root certificate from Google has been removed from the cacerts keystore:

+ alias name "globalsignr2ca [jdk]"

  Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2

 

Other Notes

core-libs/java.nio
 Zip File System Provider Throws ZipException When Entry Name Element Contains "." or ".."

The ZIP file system provider has been changed to reject existing ZIP files that contain entries with "." or ".." in name elements. ZIP files with these entries cannot be used as a file system. Invoking the java.nio.file.FileSystems.newFileSystem(...) methods throw ZipException if the ZIP file contains these entries.

core-libs/java.time
 Update Timezone Data to 2021c

IANA Time Zone Database, on which JDK's Date/Time libraries are based, has made a tweak to some time zone rules since 2021c. Note that since this update, some of the time zone rules prior to the year 1970 have been modified according to the changes which were introduced with 2021b. For more detail, refer to the announcement of 2021b

core-libs/javax.naming
 LDAP Channel Binding Support for Java GSS/Kerberos

A new JNDI environment property “com.sun.jndi.ldap.tls.cbtype” has been added to enable TLS Channel Binding data in LDAP authentication over SSL/TLS protocol to the Windows AD server. A possible value is “tls-server-end-point” - Channel Binding data is created on the base of the TLS server certificate. See the module description of the java.naming module.

security-libs/javax.net.ssl
 SocketExceptions Are Not Wrapped Into SSLExceptions in SSLSocketImpl

This release reverts the behavior of SSLSocketImpl and SSLTransport introduced by JDK-8196584. SocketException will now be thrown as is instead of being suppressed into an SSLException.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.14 Bug Fixes page.