January 18, 2022
The full version string for this update release is 11.0.14+8 (where "+" means "build"). The version number is 11.0.14.
This release is intended as a bugfix release, to fix compatibility problems and typos reported since 2021b was released.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.14 are specified in the following table:
| JRE Family Version | JRE Security Baseline (Full Version String) |
|---|---|
| 11 | 11.0.14+8 |
| 8 | 8u321-b07 |
| 7 | 7u331-b06 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.14) be used after the next critical patch update scheduled for April 19, 2022.
SunPKCS11 provider adds new provider configuration attributes to better control native resources usage. The SunPKCS11 provider consumes native resources in order to work with native PKCS11 libraries. To manage and better control the native resources, additional configuration attributes are added to control the frequency of clearing native references as well as whether to destroy the underlying PKCS11 Token after logout.
The 3 new attributes for SunPKCS11 provider configuration file are:
destroyTokenAfterLogout (boolean, defaults to false) If set to true, when java.security.AuthProvider.logout() is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout() calls. Note that a PKCS11 provider with this attribute set to true should not be added to the system provider list since the provider object is not usable after a logout() method call.
cleaner.shortInterval (integer, defaults to 2000, in milliseconds) This defines the frequency for clearing native references during busy period (such as, how often should the cleaner thread processes the no-longer-needed native references in the queue to free up native memory). Note that the cleaner thread will switch to the 'longInterval' frequency after 200 failed tries (such as, when no references are found in the queue).
cleaner.longInterval (integer, defaults to 60000, in milliseconds) This defines the frequency for checking native reference during non-busy period (such as, how often should the cleaner thread check the queue for native references). Note that the cleaner thread will switch back to the 'shortInterval' value if native PKCS11 references for cleaning are detected.
Two new system properties have been added. The system property, jdk.tls.client.disableExtensions, is used to disable TLS extensions used in the client. The system property, jdk.tls.server.disableExtensions, is used to disable TLS extensions used in the server. If an extension is disabled, it will be neither produced nor processed in the handshake messages.
The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request, and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.
Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please do not disable mandatory extensions, and do not use this feature unless you clearly understand the impact.
The following root certificate from Google has been removed from the cacerts keystore:
+ alias name "globalsignr2ca [jdk]"
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
The ZIP file system provider has been changed to reject existing ZIP files that contain entries with "." or ".." in name elements. ZIP files with these entries cannot be used as a file system. Invoking the java.nio.file.FileSystems.newFileSystem(...) methods throw ZipException if the ZIP file contains these entries.
IANA Time Zone Database, on which JDK's Date/Time libraries are based, has made a tweak to some time zone rules since 2021c. Note that since this update, some of the time zone rules prior to the year 1970 have been modified according to the changes which were introduced with 2021b. For more detail, refer to the announcement of 2021b
A new JNDI environment property “com.sun.jndi.ldap.tls.cbtype” has been added to enable TLS Channel Binding data in LDAP authentication over SSL/TLS protocol to the Windows AD server. A possible value is “tls-server-end-point” - Channel Binding data is created on the base of the TLS server certificate. See the module description of the java.naming module.
This release reverts the behavior of SSLSocketImpl and SSLTransport introduced by JDK-8196584. SocketException will now be thrown as is instead of being suppressed into an SSLException.
For JVMs running in a container, OperatingSystemMXBean.getProcessCpuLoad now considers only the CPU resources available to the container when calculating CPU load. Prior to this change, the calculation included all CPUs on a host. After this change, management agents may report higher CPU usage by JVMs in containers that are constrained to a limited set of CPUs.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.14:
| # | BugId | Component | Subcomponent | Summary |
|---|---|---|---|---|
| 1 | JDK-8249548 | client-libs | backward focus traversal gets stuck in button group | |
| 2 | JDK-8273436 | client-libs | Backport JDK-8273426 caused build failure due to missing "All rights reserved." | |
| 3 | JDK-8211999 | client-libs | java.awt | Window positioning bugs due to overlapping GraphicsDevice bounds (Windows/HiDPI) |
| 4 | JDK-8272806 | client-libs | java.awt | [macOS] "Apple AWT Internal Exception" when input method is changed |
| 5 | JDK-6722236 | client-libs | java.awt | 3 Choice regression testcases are failing from 6u10_b26 build onwards |
| 6 | JDK-8015886 | client-libs | java.awt | java/awt/Focus/DeiconifiedFrameLoosesFocus/DeiconifiedFrameLoosesFocus.java sometimes failed on ubuntu |
| 7 | JDK-8257242 | client-libs | java.awt | [macOS] Java app crashes while switching input methods |
| 8 | JDK-8274326 | client-libs | javax.accessibility | [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m |
| 9 | JDK-8274056 | client-libs | javax.accessibility | JavaAccessibilityUtilities leaks JNI objects |
| 10 | JDK-8274381 | client-libs | javax.accessibility | missing CAccessibility definitions in JNI code |
| 11 | JDK-8208747 | client-libs | javax.accessibility | [a11y] [macos] In Optionpane Demo, inside ComponentDialog Example, unable to navigate to all items, with VO on |
| 12 | JDK-8270893 | client-libs | javax.imageio | IndexOutOfBoundsException while reading large TIFF file |
| 13 | JDK-8239334 | client-libs | javax.swing | Tab Size does not work correctly in JTextArea with setLineWrap on |
| 14 | JDK-8269951 | client-libs | javax.swing | [macos] Focus not painted in JButton when setBorderPainted(false) is invoked |
| 15 | JDK-8259237 | client-libs | javax.swing | Demo selection changes with left/right arrow key. No need to press space for selection. |
| 16 | JDK-8269850 | core-libs | Most JDK releases report macOS version 12 as 10.16 instead of 12.0 | |
| 17 | JDK-8231717 | core-libs | java.lang | Improve performance of charset decoding when charset is always compactable |
| 18 | JDK-8274779 | core-libs | java.net | HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST |
| 19 | JDK-8276536 | core-libs | java.time | Update TimeZoneNames files to follow the changes made by JDK-8275766 |
| 20 | JDK-8273924 | core-libs | java.util:i18n | ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() |
| 21 | JDK-8187649 | core-libs | java.util:i18n | ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar |
| 22 | JDK-8245527 | core-libs | javax.naming | LDAP Channel Binding support for Java GSS/Kerberos |
| 23 | JDK-8195703 | core-svc | debugger | BasicJDWPConnectionTest.java: 'App exited unexpectedly with 2' |
| 24 | JDK-8247469 | core-svc | javax.management | getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available |
| 25 | JDK-8235211 | core-svc | tools | serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file |
| 26 | JDK-8270886 | hotspot | compiler | Crash in PhaseIdealLoop::verify_strip_mined_scheduling |
| 27 | JDK-8210392 | hotspot | compiler | assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit |
| 28 | JDK-8223137 | hotspot | compiler | Rename predicate 'do_unroll_only()' to 'is_unroll_only()'. |
| 29 | JDK-8223139 | hotspot | compiler | Rename mandatory policy-do routines. |
| 30 | JDK-8223923 | hotspot | compiler | C2: Missing interference with mismatched unsafe accesses |
| 31 | JDK-8223140 | hotspot | compiler | Clean-up in 'ok_to_convert()' |
| 32 | JDK-8272570 | hotspot | compiler | C2: crash in PhaseCFG::global_code_motion |
| 33 | JDK-8267652 | hotspot | compiler | c2 loop unrolling by 8 results in reading memory past array |
| 34 | JDK-8263303 | hotspot | compiler | C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint |
| 35 | JDK-8268019 | hotspot | compiler | C2: assert(no_dead_loop) failed: dead loop detected |
| 36 | JDK-8268672 | hotspot | compiler | C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only |
| 37 | JDK-8252049 | hotspot | compiler | Native memory leak in ciMethodData ctor |
| 38 | JDK-8231501 | hotspot | compiler | VM crash in MethodData::clean_extra_data(CleanExtraDataClosure*): fatal error: unexpected tag 99 |
| 39 | JDK-8223138 | hotspot | compiler | Small clean-up in loop-tree support. |
| 40 | JDK-8271341 | hotspot | compiler | Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java |
| 41 | JDK-8271340 | hotspot | compiler | Crash PhaseIdealLoop::clone_outer_loop |
| 42 | JDK-8271459 | hotspot | compiler | C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity |
| 43 | JDK-8257919 | hotspot | compiler | [JVMCI] profiling info didn't change after reprofile |
| 44 | JDK-8263776 | hotspot | compiler | [JVMCI] add helper to perform Java upcalls |
| 45 | JDK-8272131 | hotspot | compiler | PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj |
| 46 | JDK-8268261 | hotspot | compiler | C2: assert(n != __null) failed: Bad immediate dominator info. |
| 47 | JDK-8272574 | hotspot | compiler | C2: assert(false) failed: Bad graph detected in build_loop_late |
| 48 | JDK-8215889 | hotspot | gc | assert(!_unloading) failed: This oop is not available to unloading class loader data with ZGC |
| 49 | JDK-8221584 | hotspot | jvmti | SIGSEGV in os::PlatformEvent::unpark() in JvmtiRawMonitor::raw_exit while posting method exit event |
| 50 | JDK-8217348 | hotspot | jvmti | assert(thread->is_Java_thread()) failed: just checking |
| 51 | JDK-8236177 | hotspot | runtime | assert(status == 0) failed: error ETIMEDOUT(60), cond_wait |
| 52 | JDK-8218483 | hotspot | runtime | Crash in "assert(_daemon_threads_count->get_value() > daemon_count) failed: thread count mismatch 5 : 5" |
| 53 | JDK-8222446 | hotspot | runtime | assert(C->env()->system_dictionary_modification_counter_changed()) failed: Must invalidate if TypeFuncs differ |
| 54 | JDK-8273229 | hotspot | runtime | Update OS detection code to recognize Windows Server 2022 |
| 55 | JDK-8274840 | hotspot | runtime | Update OS detection code to recognize Windows 11 |
| 56 | JDK-8273342 | hotspot | runtime | Null pointer dereference in classFileParser.cpp:2817 |
| 57 | JDK-8269668 | hotspot | runtime | [aarch64] java.library.path not including /usr/lib64 |
| 58 | JDK-8230674 | hotspot | runtime | Heap dumps should exclude dormant CDS archived objects of unloaded classes |
| 59 | JDK-8272124 | hotspot | runtime | Cgroup v1 initialization causes NullPointerException when cgroup path contains colon |
| 60 | JDK-8269934 | hotspot | runtime | RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status |
| 61 | JDK-8181313 | hotspot | svc-agent | SA: Remove libthread_db dependency on Linux |
| 62 | JDK-8225083 | security-libs | java.security | Remove Google certificate that is expiring in December 2021 |
| 63 | JDK-8273826 | security-libs | java.security | Correct Manifest file name and NPE checks |
| 64 | JDK-8277224 | security-libs | java.security | sun.security.pkcs.PKCS9Attributes.toString() throws NPE |
| 65 | JDK-8269034 | security-libs | javax.crypto:pkcs11 | AccessControlException for SunPKCS11 daemon threads |
| 66 | JDK-8240256 | security-libs | javax.crypto:pkcs11 | Better resource cleaning for SunPKCS11 Provider |
| 67 | JDK-8270344 | security-libs | javax.net.ssl | Session resumption errors |
| 68 | JDK-8217633 | security-libs | javax.net.ssl | Configurable extensions with system properties |
| 69 | JDK-8268965 | security-libs | javax.net.ssl | TCP Connection Reset when connecting simple socket to SSL server |
| 70 | JDK-8211148 | tools | javac | var in implicit lambdas shouldn't be accepted for source < 11 |
| 71 | JDK-8267459 | tools | jshell | Pasting Unicode characters into JShell does not work. |