JDK 11.0.20 Release Notes

Java SE 11.0.20 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.20 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE

BugId Component Subcomponent Summary
JDK-8312555 client-libs 2d Ideographic characters aren't stretched by AffineTransform.scale(2, 1)
JDK-8255387 client-libs 2d Japanese characters were printed upside down on AIX

Changes in Java SE

BugId Component Subcomponent Summary
JDK-8313765 core-libs java.util.jar Invalid CEN header (invalid zip64 extra data field size)

Changes in Java SE

BugId Component Subcomponent Summary
JDK-8294427 client-libs javax.swing Check boxes and radio buttons have rendering issues on Windows in High DPI env
JDK-6176679 client-libs java.awt Application freezes when copying an animated gif image to the system clipboard
JDK-8286481 client-libs java.awt Exception printed to stdout on Windows when storing transparent image in clipboard

Java™ SE Development Kit 11.0.20 (JDK 11.0.20)

July 18, 2023

The full version string for this update release is 11.0.20+9 (where "+" means "build"). The version number is 11.0.20.


IANA TZ Data 2023c

JDK 11.0.20 contains IANA time zone data 2023c which contains the following changes:

  • Egypt now uses DST again, from April through October.
  • This year Morocco springs forward April 23, not April 30.
  • Palestine delays the start of DST this year.
  • Much of Greenland still uses DST from 2024 on.
  • America/Yellowknife now links to America/Edmonton.
  • tzselect can now use current time to help infer timezone.
  • The code now defaults to C99 or later.
  • Fix use of C23 attributes.
  • This release's code and data are identical to 2023a.

For more information, refer to Timezone Data Versions in the JRE Software.


Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.20 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.20) be used after the next critical patch update scheduled for October 17, 2023.


New Features

 Allow Additional Characters for GB18030-2022 Support (JDK-8301401)

The China National Standard body (CESI) has recently published GB18030-2022, which is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to incorporate 5 code points (U+9FEB - U+9FEF) from Unicode 11.0 into Java SE 11 to allow implementations to comply with their Implementation Level 1 requirements.

 Support for GB18030-2022 (JDK-8307229)

The China National Standard body (CESI) has recently published GB18030-2022, which is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The Charset implementation for this new standard has now replaced the prior 2000 standard. However, this new standard has some incompatible changes from the prior implementation. For those who need to use the old mappings, a new system property, jdk.charset.GB18030, is introduced. By setting its value to 2000, the previous JDK releases' mappings for the GB18030 Charset are used, which are based on the 2000 standard.

 Update the Javadoc in the Character Class to State Support for GB 18030-2022 Implementation Level 2 (JDK-8305682)

The China National Standard body (CESI) has recently published GB18030-2022. This is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to state that Java SE 11 supports the Implementation Level 2 of the GB18030-2022 standard.

 Windows KeyStore Updated to Include Access to the Local Machine Location (JDK-6782021)

The Windows KeyStore support in the SunMSCAPI provider has been expanded to include access to the local machine location. The new keystore types are:


The following keystore types were also added, allowing developers to make it clear they map to the current user:

  • "Windows-MY-CURRENTUSER" (same as "Windows-MY")
  • "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT")

 New JFR Event: jdk.InitialSecurityProperty (JDK-8292177)

A new Java Flight Recorder (JFR) event has been added to record details of initial security properties when loaded via the class.

The new event name is jdk.InitialSecurityProperty and contains the following fields:

Field name Field Description
key Security Property Key
value Corresponding Security Property Value

This new JFR event is enabled by default. The system property will also now print initial security properties to the standard error stream. With this new event and the already available jdk.SecurityPropertyModification event (when enabled since it is not enabled by default), a JFR recording can now monitor the initial settings of all security properties and any subsequent changes.

 New JFR Event: jdk.SecurityProviderService (JDK-8254711)

A new Java Flight Recorder (JFR) event has been added to record details of type, String algorithm) calls.

The new event name is jdk.SecurityProviderService and contains the following fields:

Field name Field Description
type Type of Service
algorithm Algorithm Name
provider Security Provider

This event is disabled by default and can be enabled via the JFR configuration files or via standard JFR options.

 JDK Now Accepts RSA Keys in PKCS#1 Format (JDK-8023980)

RSA private and public keys in PKCS#1 format can now be accepted by JDK providers, such as the RSA KeyFactory.impl from the SunRsaSign provider. The RSA private or public key object should have the PKCS#1 format and an encoding matching the ASN.1 syntax for a PKCS#1 RSA private key and public key.


Known Issues

 Problem Upgrading JDK on Windows if System User Is Using Shared Files (JDK-8310932 (not public))

Installing into the same, shared jdk-(family) directory is the default behavior for the JDK starting with the July 2023 CPU. It could lead to FilesInUse issues if JDK files are locked by the "System User". We recommend shutting down any apps using the JDK as the "System User" before upgrading.


Other Notes

 System Property to Turn off JDK-8251329 Restrictions (JDK-8302992)

A new system property, jdk.nio.zipfs.allowDotZipEntry, has been introduced. This system property can be used to remove the newly added restrictions in the Zip FS provider, which currently rejects ZIP files that contain entries with "." or ".." in name elements by default. Refer to the CSR for more detail.

 Missing /usr/java/default Symlink on Linux Restored (JDK-8306690)

A regression where the /usr/java/default symlink is not created by RPM installers on Linux platforms has been fixed. Installers will create the /usr/java/default symlink if it doesn't exist, targeting the /usr/java/latest symlink.

 Installation of JDK RPM Corrupts Alternatives (JDK-8308244)

The JDK RPM installer will remove incorrectly constructed entries of "java" and "javac" groups registered by older Oracle JDK RPM installers from the alternatives before registering new "java" and "javac" entries.

An incorrectly constructed entry of the "java" group contains commands that are supposed to belong to the "javac" group.

An incorrectly constructed entry of the "javac" group contains commands that are supposed to belong to the "java" group.

All incorrectly constructed entries belonging to Oracle JDK RPM packages will be removed from the alternatives to avoid corruption of the alternatives internal data.

The removal has a potential side effect for users who have installed multiple JDK versions that are not updated to the latest release. Commands from a removed "java" or "javac" group are now unavailable for system Java switch, which potentially changes the current system Java without a warning. For example, if there is an out-of-date JDK RPM from an 11+ release, say 11.0.17, with an incorrectly constructed single "java" group installed and 8u381 RPM with this patch is installed, it will remove an entry from the "java" group belonging to the 11.0.17 RPM and thus will switch the current system Java from 11.0.17 to 8u381. The side effect will only happen when you install a lower JDK family with the fix, such as 8u381, and there is an out-of-date JDK from a higher family, such as 11.0.17, installed on the system. In that case, 8u381 will replace the older 11.0.17 as the latest. The remedy for the user is to install the latest JDK 11.

 Added TWCA Root CA Certificate (JDK-8305975)

The following root certificate has been added to the cacerts truststore:


  + twcaglobalrootca
    DN: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW

 Added 4 GTS Root CA Certificates (JDK-8307134)

The following root certificates have been added to the cacerts truststore:

+ Google Trust Services LLC

 + gtsrootcar1
  DN: CN=GTS Root R1, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootcar2
  DN: CN=GTS Root R2, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootecccar3
  DN: CN=GTS Root R3, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootecccar4
  DN: CN=GTS Root R4, O=Google Trust Services LLC, C=US

 Added Microsoft Corporation's 2 TLS Root CA Certificates (JDK-8304760)

The following root certificates have been added to the cacerts truststore:

+ Microsoft Corporation

  + microsoftecc2017
    DN: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US

+ Microsoft Corporation
  + microsoftrsa2017
    DN: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US

 System Property for Java SE Specification Maintenance Version (JDK-8302365)

This JDK implements Maintenance Release 2 of the Java SE 11 specification (JSR 384). This is indicated by the new system property java.specification.maintenance.version having the value of "2".

 GregorianCalender.computeTime() JVM Crash (JDK-8308884)

A virtual machine crash was observed in JDK 11.0.19 and 17.0.7 when executing the GregorianCalender.computeTime() method (JDK-8307683). It was found that although the root cause of the crash is an old issue, a recent fix for a rare issue in the C2 compiler (JDK-8297951) made the crash much more likely. To mitigate this, the fix has been reverted in JDK 11.0.20 and 17.0.8 and will be reapplied once JDK-8307683 is resolved.

 ASLR Support for CDS Archive (JDK-8294323 (not public))

Starting with the July 2023 CPU, on operating systems where ASLR (Address Space Layout Randomization) is enabled, the CDS archive will be placed at a random address picked by the operating system.

This change may have a minor performance impact: (a) Start-up time may increase because the JVM needs to patch pointers inside the CDS archive. (b) Memory usage may increase because the memory used by the CDS archive is no longer shareable across processes. We expect the impact to be small because such increases should be only a small fraction of the overall application usage.

In the unlikely event that you must disable ASLR for CDS, you can use the JVM flags -XX:+UnlockDiagnosticVMOptions -XX:ArchiveRelocationMode=0. The usage of such flags is not recommended.

 Throw Error If Default File Fails to Load (JDK-8155246)

A behavioral change has been made when the default conf/security/ security configuration file fails to load. In such a scenario, the JDK will now throw an InternalError.

Such a scenario should never occur. The default security file should always be present. Prior to this change, a static security configuration was loaded.

 New System Property to Control the Maximum Size of Signature Files (JDK-8300596 (not public))

A new system property, jdk.jar.maxSignatureFileSize, has been added to allow applications to control the maximum size of signature files in a signed JAR. The value of the system property is the desired size in bytes. The default value is 8000000 bytes.

 Improved ZIP64 Extra Field Validation (JDK-8302483 (not public)) has been updated to provide additional validation of ZIP64 extra fields when opening a ZIP file. This validation may be disabled by setting the system property to true.


Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.20:

# JBS Component Summary
1JDK-8297241client-libs/2dUpdate sun/java2d/DirectX/OnScreenRenderingResizeTest/
2JDK-8022403client-libs/2dsun/java2d/DirectX/OnScreenRenderingResizeTest/ fails
3JDK-8301998client-libs/2dUpdate HarfBuzz to 7.0.1
4JDK-8302151client-libs/javax.imageioBMPImageReader throws an exception reading BMP images
5JDK-8227257client-libs/javax.swingjavax/swing/JFileChooser/4847375/ fails with AssertionError
6JDK-8284756core-libs[11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
7JDK-8283059core-libsUninitialized warning in check_code.c with GCC 11.2
8JDK-8275735core-libs[linux] Remove deprecated Metrics api (kernel memory limit)
9JDK-8285497core-libs/java.langAdd system property for Java SE specification maintenance version
10JDK-8291638core-libs/java.netKeep-Alive timeout of 0 should close connection immediately
11JDK-8291637core-libs/java.netHttpClient default keep alive timeout not followed if server sends invalid value
12JDK-8211382core-libs/java.nio.charsetsISO2022JP and GB18030 NIO converter issues
13JDK-8301119core-libs/java.nio.charsetsSupport for GB18030-2022
14JDK-8209167core-libs/java.util:i18nUse CLDR's time zone mappings for Windows
15JDK-8305400core-libs/java.util:i18nISO 4217 Amendment 175 Update
16JDK-8275721core-libs/java.util:i18nName of UTC timezone in a locale changes depending on previous code
17JDK-8293540core-svc[Metrics] Incorrectly detected resource limits with additional cgroup fs mounts
18JDK-8219583performance/hotspotWindows build failure after JDK-8214777 (Avoid some GCC 8.X strncpy() errors in HotSpot)
19JDK-8252051hotspot/compilerMake mlvmJvmtiUtils strncpy uses GCC 10.x friendly
20JDK-8303564hotspot/compilerC2: "Bad graph detected in build_loop_late" after a CMove is wrongly split thru phi
21JDK-8299570hotspot/compiler[JVMCI] Insufficient error handling when CodeBuffer is exhausted
22JDK-8300079hotspot/compilerSIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument
23JDK-8299259hotspot/compilerC2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE
24JDK-8297730hotspot/compilerC2: Arraycopy intrinsic throws incorrect exception
25JDK-8301491hotspot/compilerC2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument
26JDK-8201516hotspot/compilerDebugNonSafepoints generates incorrect information
27JDK-8269746hotspot/compilerC2: assert(!in->is_CFG()) failed: CFG Node with no controlling input?
28JDK-8289748hotspot/compilerC2 compiled code crashes with SIGFPE with -XX:+StressLCM and -XX:+StressGCM
29JDK-8303511hotspot/compilerC2: assert(get_ctrl(n) == cle_out) during unrolling
30JDK-8257621hotspot/jfrJFR StringPool misses cached items across consecutive recordings
31JDK-8243936hotspot/runtimeNonWriteable system properties are actually writeable
32JDK-8295974hotspot/runtimejni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames
33JDK-8287007hotspot/runtime[cgroups] Consistently use stringStream throughout parsing code
34JDK-8292297security-libs/java.securityFix up loading of override properties file
35JDK-8255348security-libs/java.securityNPE in PKIXCertPathValidator event logging code
36JDK-8293858security-libs/java.securityChange PKCS7 code to use default SecureRandom impl instead of SHA1PRNG
37JDK-8294906security-libs/javax.crypto:pkcs11Memory leak in PKCS11 NSS TLS server
38JDK-8217375security-libs/jdk.securityjarsigner breaks old signature with long lines in manifest
39JDK-8274205security-libs/org.ietf.jgss:krb5Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
40JDK-8221871tools/javadoc(tool)javadoc should not set role=region on <section> elements
41JDK-8219142tools/jlinkRemove unused JIMAGE_ResourcePath
42JDK-8297587tools/jshellUpgrade JLine to 3.22.0
43JDK-8301269xml/jaxpUpdate Commons BCEL to Version 6.7.0