java

JDK 11.0.16 Release Notes

Java Development Kit 11 Release Notes

Java SE 11.0.16.1 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.16.1 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 11.0.16.1.2-oracle

Bug Fixes

BugId Category Subcategory Description
JDK-8239785 hotspot runtime Cgroups: Incorrect detection logic on old systems in hotspot

 

Changes in Java SE 11.0.16.1.1-oracle

Fixes from the prior BPR are included in this version.

Java™ SE Development Kit 11, Patch 11.0.16.1 (JDK 11.0.16.1)

August 18, 2022

The full version string for this update release is 11.0.16.1+1 (where "+" means "build"). The version number is 11.0.16.1.

 

IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines are unchanged from the release of JDK 11.0.16.

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.16+11
8 8u341-b10
7 7u351-b07

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.16.1) be used after the next critical patch update scheduled for October 18, 2022.

Oracle recommends that all JDK 11 users, even those that have already updated to 11.0.16, uptake the 11.0.16.1 patch release.

 

Changes

hotspot/compiler
 C2 Compilation Errors Unpredictably Crashes JVM

Fixes a regression in the C2 JIT compiler which caused the Java Runtime to crash unpredictably.

Java™ SE Development Kit 11.0.16 (JDK 11.0.16)

July 19, 2022

The full version string for this update release is 11.0.16+11 (where "+" means "build"). The version number is 11.0.16.

 

IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.16 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.16+11
8 8u341-b10
7 7u351-b07

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.16) be used after the next critical patch update scheduled for October 18, 2022.

 

New Features

core-libs/java.net
 HTTPS Channel Binding Support for Java GSS/Kerberos

Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection.

Channel binding tokens are increasingly required as an enhanced form of security which can mitigate certain kinds of socially engineered, man in the middle (MITM) attacks. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shutdown the session/connection.

The feature is controlled through a new system property jdk.https.negotiate.cbt which is described fully on the Networking Properties page.

Other Notes

core-libs/java.net
 Update java.net.InetAddress to Detect Ambiguous IPv4 Address Literals

The java.net.InetAddress class has been updated to strictly accept IPv4 address literals in decimal quad notation. The InetAddress class methods are updated to throw an java.net.UnknownHostException for invalid IPv4 address literals. To disable this check, the new "jdk.net.allowAmbiguousIPAddressLiterals" system property can be set to "true".

See JDK-8277608 (not public)
 JDK Bundle Extensions Truncated When Downloading Using Firefox 102

On oracle.com and java.com, certain JDK bundle extensions are getting truncated on download when using Firefox version 102. The downloaded bundles have no file extension like ".exe", ".rpm", ".deb". If you are not able to upgrade to Firefox ESR 102.0.1 or Firefox 103 when it is released, then as a workaround you can:

  • manually add a file extension to the file name after download.
  • use a different browser

See JDK-8277093
core-libs/java.io:serialization
 Vector Should Throw ClassNotFoundException for a Missing Class of an Element

java.util.Vector is updated to correctly report ClassNotFoundException that occurs during deserialization using java.io.ObjectInputStream.GetField.get(name, object)when the class of an element of the Vector is not found. Without this fix, a StreamCorruptedException is thrown that does not provide information about the missing class.

core-libs/java.util.jar
 Default JDK Compressor Will Be Closed when IOException Is Encountered

DeflaterOutputStream.close() and GZIPOutputStream.finish() methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. ZIPOutputStream.closeEntry() method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.16 Bug Fixes page.