JDK 11.0.18 Release Notes

Java SE 11.0.18 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.18 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.


Changes in Java SE

Bug Fixes

BugId Component Subcomponent Summary
JDK-8208077 core-libs File.listRoots performance degradation


Changes in Java SE

Bug Fixes

BugId Component Subcomponent Summary
JDK-8280890 security-libs Cannot use '-Djava.system.class.loader' with class loader in signed JAR
JDK-8297804 core-libs java.time (tz) Update Timezone Data to 2022g

Java™ SE Development Kit 11.0.18 (JDK 11.0.18)

January 17, 2023

The full version string for this update release is 11.0.18+9 (where "+" means "build"). The version number is 11.0.18.


IANA TZ Data 2022d, 2022e, 2022f

JDK 11.0.18 contains IANA time zone data 2022d, 2022e, 2022f.
  • Palestine transitions are now Saturdays at 02:00.
  • Simplify three Ukraine zones into one.
  • Jordan and Syria switch from +02/+03 with DST to year-round +03.
  • Mexico will no longer observe DST except near the US border.
  • Chihuahua moves to year-round -06 on 2022-10-30.
  • Fiji no longer observes DST.
  • Move links to 'backward'.
  • In vanguard form, GMT is now a Zone and Etc/GMT a link.
  • zic now supports links to links, and vanguard form uses this.
  • Simplify four Ontario zones.
  • Fix a Y2438 bug when reading TZif data.
  • Enable 64-bit time_t on 32-bit glibc platforms.
  • Omit large-file support when no longer needed.
  • In C code, use some C23 features if available.
  • Remove no-longer-needed workaround for Qt bug 53071.
For more information, refer to Timezone Data Versions in the JRE Software.


Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.18 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.18) be used after the next critical patch update scheduled for April 18, 2023.


New Features

 DTLS Resumption Uses HelloVerifyRequest Messages (JDK-8287411 (not public))

With this fix the SunJSSE DTLS implementation will by default exchange cookies for all handshakes (new and resumed) unless the System property jdk.tls.enableDtlsResumeCookie is false. The property only affects the cookie exchange for resumption.

 Support for RSASSA-PSS in OCSP Response (JDK-8274471)

An OCSP response signed with the RSASSA-PSS algorithm is now supported.


Known Issues

 Installation of Oracle Linux Specific x64 JDK RPMs Pulls in i686 Dependencies (JDK-8297475 (Not Public))

This issue prevents yum from automatically installing the correct packages required by Oracle Linux specific x86_64 headless and headful JDK packages. Instead of x86_64 packages, it will install i686 packages. To workaround the issue, you may manually install packages with the same names as indicated by yum but with the x86_64 architecture.

After you have the x86_64 headless and/or headful jdk packages installed, you can get the list of required x86_64 packages by running the following script:

rpm -qa | grep -E -e '^jdk-.*-headful-.*\.x86_64$' -e '^jdk-.*-headless-.*\.x86_64$' | xargs -r rpm -q --requires | sort -u | cut -d ' ' -f 1 | grep -v '^rpmlib' | xargs -r rpm -q --whatprovides | sort -u | grep -e '.i[3456]86$' | xargs -r rpm -q --queryformat '%{name}.x86_64\n' | xargs -r echo

It will output a space-separated list of names of required x86_64 packages to stdout. You can pass this list to a sudo yum install command to ensure the installation of the required packages.


Other Notes

 FXML JavaScript Engine Disabled by Default (JDK-8294779 (not public))

The “JavaScript script engine” for FXML is now disabled by default. Any .fxml file that has a "javascript" Processing Instruction (PI) will no longer load by default, and an exception will be thrown.

It can be enabled by setting the system property: -Djavafx.allowjs=true

 Translated resource bundles for German (JDK-8263773)

With 11.0.14, we are shipping the original JDK 11 translated resource bundles for German.

 RPM JDK Installer Changes (JDK-8292836)

Installation directory name of Oracle JDK in RPM package has changed from /usr/java/jdk-${VERSION} to /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}. Thus the 11.0.18, and 11.0.19 releases for x64 will both be installed in /usr/lib/jvm/jdk-11-oracle-x64 directory. RPM package will create /usr/java/jdk-${FEATURE} link pointing to the installation directory for backward compatibility.

Communication with the alternatives framework of JDK RPM package has changed. JDK RPM packages of prior versions registered a single java group of commands with the alternatives framework. The JDK 11 RPM package registers java and javac groups with the alternatives framework. java group is for commands used to run applications: java, jjs, keytool, pack200, rmid, rmiregistry, unpack200. javac group is used for all other commands. The set of commands registered by the package has not changed.

Two new Oracle Linux (OL)-specific JDK RPM packages have been added: jdk-11-headless and jdk-11-headful. These packages are available in OL7, OL8, and OL9 repositories. They are not available for OTN downloads. jdk-11-headless is a Headless Java Runtime for running non-GUI applications. jdk-11-headful is a Headful Java Runtime & Development Tools for developing and running applications of all types.

The combination of the OL-specific jdk-11-headless and jdk-11-headful packages provides the same JDK image and the same capabilities as jdk-11 OTN package. OL-specific JDK RPM packages specify required capabilities, and the "Release" property of these packages has a %{dist} suffix.

 Disable Side-by-Side Installations of Multiple JDK Updates in Windows JDK Installers (JDK-8292822)

Windows JDK installers must install the Oracle JDK in %Program Files%\Java\jdk-%FEATURE% instead of %Program Files%\Java\jdk-%VNUM%. I.e. all updates of the same release must share one installation directory.

Thus the 11.0.18 and 11.0.19 releases will both install into %Program Files%\Java\jdk-11 by default, and they both cannot be installed at the same time.

If the JDK11.0.19 installer is launched when JDK11.0.18 is already installed, it will auto-upgrade them to JDK11.0.19. There may be a Files In Use dialog shown if the older version was running and locking JDK files.

If the JDK11.0.18 installer is launched when JDK11.0.19 is already installed, it will show an error that a newer version of this JDK family is already installed.

 All JDK Update Releases Are Installed Into the Same Directory on macOS (JDK-8292830)

The Oracle JDK installation directory name will be changed from /Library/Java/JavaVirtualMachines/jdk-${VERSION}.jdk to /Library/Java/JavaVirtualMachines/jdk-${FEATURE}.jdk. Thus the 11.0.18 and 11.0.19 releases will both install into the /Library/Java/JavaVirtualMachines/jdk-11.jdk installation directory. Installing an older JDK update release will log an error, and not install the JDK, if a newer version of the same feature release already exists. An error dialog will be shown except in the case of a silent installation. JDK 11.0.N update releases shipped prior JEP C208 will not be uninstalled during installation of JDK 11 update release with JEP C208. However, JDK 11 GA release will be removed and its location /Library/Java/JavaVirtualMachines/jdk-11.jdk will be reused.

 Incorrect Handling of Quoted Arguments in ProcessBuilder (JDK-8282008)

ProcessBuilder on Windows is restored to address a regression caused by JDK-8250568. Previously, an argument to ProcessBuilder that started with a double-quote and ended with a backslash followed by a double-quote was passed to a command incorrectly and may cause the command to fail. For example the argument "C:\\Program Files\", would be seen by the command with extra double-quotes. This update restores the long standing behavior that does not treat the backslash before the final double-quote specially.

 New Implementation Note for LoginModule on Removing Null from a Principals or Credentials set (JDK-8282730)

The Set implementation that holds principals and credentials in a JAAS Subject prohibits null elements and any attempt to add, query, or remove a null element will result in a NullPointerException. This is especially important when trying to remove principals or credentials from the subject at the logout phase but they are null because of a previous failed login. Various JDK LoginModule implementations have been fixed to avoid the exception. An Implementation Note has also been added to the logout() method of the LoginModule interface. Developers should verify and if necessary update any custom LoginModule implementations to be compliant with this implementation advice.

 Toolchain Upgrade to Visual Studio 2022 (JDK-8283723)

As part of ongoing maintenance, the JDK for Windows is built using the Microsoft Visual Studio 2022 toolchain starting with this release.

If you have issues with a Java application and if you have native or JNI libraries that are compiled with a different release of the compiler, then you must consider compatibility issues between the runtimes. Specifically, your environment is supported only if you follow the Microsoft guidelines when dealing with multiple runtimes.

 Change in SSLEngine.closeInbound() Behavior (JDK-8273553)

The SunJSSE close notification checks for SSLEngine to have been made less strict to conform to changes in the Transport Layer Security (TLS) RFCs. See also JDK-8253368.

Specifically, if an application tries to close its SSLEngine inbound side using SSLEngine.closeInbound() without having received a close notification message from its peer, the SSLEngine will no longer:

  1. trigger the transmission of a TLS fatal-level alert to the peer, and
  2. invalidate the current TLS session

The new behavior will still consider this condition an error and will throw a local But a fatal-level alert will no longer be generated to be sent to the peer, and the underlying session will remain valid.

In addition, the internal transport context for the SSLEngine will also now be closed. This may result in a different SSLEngineResult.HandshakeStatus value on the SSLEngine. Any outstanding outbound data must still be obtained (SSLEngine.wrap()) and sent in order to gracefully close the connection.


Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.18:

# JBS Component Summary
1JDK-8295429client-libsUpdate harfbuzz md file
2JDK-8293672client-libsUpdate freetype md file
3JDK-8240756client-libs/2d[macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
4JDK-8284033client-libs/java.awtLeak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
5JDK-8277497client-libs/javax.accessibilityLast column cell in the JTable row is read as empty cell
6JDK-8273655core-libs/ files are missing some common types
7JDK-8280950core-libs/java.utilRandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
8JDK-8281183core-libs/java.utilRandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
9JDK-8272352core-libs/java.util:i18nJava launcher can not parse Chinese character when system locale is set to UTF-8
10JDK-8294307core-libs/java.util:i18nISO 4217 Amendment 173 Update
11JDK-8215571core-svc/debuggerjdb does not include jdk.* in the default class filter
12JDK-8258894hotspot/compilerC2: Forbid GCM to move stores into loops
13JDK-8290781hotspot/compilerSegfault at PhaseIdealLoop::clone_loop_handle_data_uses
14JDK-8290711hotspot/compilerassert(false) failed: infinite loop in PhaseIterGVN::optimize
15JDK-8289043hotspot/compilerC2: Vector constant materialization attempt
16JDK-8290705hotspot/compilerStringConcat::validate_mem_flow asserts with "unexpected user: StoreI"
17JDK-8240281hotspot/compilerRemove failing assertion code when selecting first memory state in SuperWord::co_locate_pack
18JDK-8290529hotspot/compilerC2: assert(BoolTest(btest).is_canonical()) failure
19JDK-8288445hotspot/compilerAArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding
20JDK-8261336hotspot/compilerIGV: enhance default filters
21JDK-8287091hotspot/compileraarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
22JDK-8272094hotspot/compilercompiler/codecache/ crashes with "failed to allocate space for trampoline"
23JDK-8293816hotspot/compilerCI: ciBytecodeStream::get_klass() is not consistent
24JDK-8293044hotspot/compilerC1: Missing access check on non-accessible class
25JDK-8292158hotspot/compilerAES-CTR cipher state corruption with AVX-512
26JDK-8284358hotspot/compilerUnreachable loop is not removed from C2 IR, leading to a broken graph
27JDK-8270947hotspot/compilerAArch64: C1: use zero_words to initialize all objects
28JDK-8290451hotspot/compilerIncorrect result when switching to C2 OSR compilation from C1
29JDK-8209375hotspot/gcZGC: Use dynamic base address for mark stack space
30JDK-8288754hotspot/gcGCC 12 fails to build zReferenceProcessor.cpp
31JDK-8232533hotspot/gcG1 uses only a single thread for pretouching the java heap
32JDK-8241423hotspot/gcNUMA APIs fail to work in dockers due to dependent syscalls are disabled by default
33JDK-8281297hotspot/gcTestStressG1Humongous fails with guarantee(is_range_uncommitted)
34JDK-8255716hotspot/runtimeAArch64: Regression: JVM crashes if manually offline a core
35JDK-8266490hotspot/runtimeExtend the OSContainer API to support the pids controller of cgroups
36JDK-8264593hotspot/runtimedebug.cpp utilities should be available in product builds.
37JDK-8273526hotspot/runtimeExtend the OSContainer API pids controller with pids.current
38JDK-8291459hotspot/runtimeJVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*)
39JDK-8292083hotspot/runtimeDetected container memory limit may exceed physical machine memory
40JDK-8209689hotspot/testCompiler.isGraalEnabled should not check jvmci.Compiler property
41JDK-8283723infrastructureUpdate Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows
42JDK-8236470security-libs/java.securityDeal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId
43JDK-8242151security-libs/java.securityImprove OID mapping and reuse among JDK security providers for aliases registration
44JDK-8257722security-libs/java.securityImprove "keytool -printcert -jarfile" output
45JDK-8239457security-libs/javax.crypto:pkcs11call ReleaseStringUTFChars before early returns in Java_sun_security_pkcs11_wrapper_PKCS11_connect
46JDK-8273553security-libs/ also has similar error of JDK-8253368
47JDK-8273026security-libs/javax.securitySlow LoginContext.login() on multi threading application
48JDK-8247964security-libs/javax.xml.cryptoAll log0() in com/sun/org/slf4j/internal/ should be private
49JDK-8247907security-libs/javax.xml.cryptoXMLDsig logging does not work
50JDK-8293578tools/javacDuplicate ldc generated by javac
51JDK-8266082tools/javacAssertionError in Annotate.fromAnnotations with -Xdoclint
52JDK-8193462tools/javacFix Filer handling of package-info initial elements
53JDK-8203277tools/javacpreflow visitor used during lambda attribution shouldn't visit class definitions inside the lambda body
54JDK-8286444tools/javacjavac errors after JDK-8251329 are not helpful enough to find root cause
55JDK-8286855tools/javacjavac error on invalid jar should only print filename
56JDK-8236490tools/javacCompiler bug relating to @NonNull annotation
57JDK-8215291tools/javadoc(tool)Broken links when generating from project without modules
58JDK-8287076xml/org.w3c.domDocument.normalizeDocument() produces different results