JDK 11.0.21 Release Notes

Java SE 11.0.21 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 11.0.21 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.


Changes in Java SE

November 27, 2023

 Increase Default Value of the System Property jdk.jar.maxSignatureFileSize (JDK-8312489)

The system property, jdk.jar.maxSignatureFileSize, allows applications to control the maximum size of signature files in a signed JAR. Its default value has been increased from 8000000 bytes (8 MB) to 16000000 bytes (16 MB).
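The following added example (not Oracle's code) shows one way to find signed JARs whose signature files exceed the limit. The class name SigFileSizeCheck, the sample JAR it builds, and the choice to treat META-INF/*.SF, *.RSA, *.DSA and *.EC entries as "signature files" are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.zip.*;

public class SigFileSizeCheck {
    // Effective limit: the system property if set, else the new default from the note above.
    static long limit() {
        return Long.getLong("jdk.jar.maxSignatureFileSize", 16_000_000L);
    }

    // Assumption: signature files are top-level META-INF entries with these extensions.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    // Return one line per signature file whose uncompressed size exceeds the limit.
    static List<String> oversized(String jarPath, long limit) throws IOException {
        List<String> hits = new ArrayList<>();
        try (ZipFile zip = new ZipFile(jarPath)) {
            for (ZipEntry e : Collections.list(zip.entries())) {
                if (isSignatureFile(e.getName()) && e.getSize() > limit) {
                    hits.add(e.getName() + " (" + e.getSize() + " bytes)");
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temp JAR holding a 2 KB META-INF/SAMPLE.SF entry.
        Path jar = Files.createTempFile("sample", ".jar");
        try (ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(jar))) {
            out.putNextEntry(new ZipEntry("META-INF/SAMPLE.SF"));
            out.write(new byte[2048]);
        }
        System.out.println("limit 1024: " + oversized(jar.toString(), 1024));
        System.out.println("limit " + limit() + ": " + oversized(jar.toString(), limit()));
        Files.delete(jar);
    }
}
```

Point oversized() at real JAR paths to see which ones would need the property raised before they load.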

| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| JDK-8312489 | security-libs | | Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar |
| JDK-8314880 (not public) | security-libs | org.ietf.jgss | Migrate SEAM KDC from sc11152399 to jpg-seclibs-infra-1-sol |
| JDK-8316192 | core-libs | | Increased startup time observed when upgrading from 8 to 11 |
| JDK-8054022 | core-libs | | HttpURLConnection timeouts with Expect: 100-Continue and no chunking |

Changes in Java SE

| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| JDK-8314263 | core-libs | java.util.logging | Signed jars triggering Logger finder recursion and StackOverflowError |
| JDK-8315696 | core-libs | java.util.logging | test failed |
| JDK-8316087 | core-libs | java.util.logging | Test is still failing |
| JDK-8232933 | tools | javac | Javac inferred type does not conform to equality constraint |
| JDK-8309489 (not public) | install | install | 17.0.7/11.0.19 and later fail to run jar file via UNC path when using .exe files under javapath |

Java™ SE Development Kit 11.0.21 (JDK 11.0.21)

October 17, 2023

The full version string for this update release is 11.0.21+9 (where "+" means "build"). The version number is 11.0.21.


IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.


Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.21 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.21) be used after the next critical patch update scheduled for January 16, 2024.


New Features

 -XshowSettings:locale Output Now Includes Tzdata Version (JDK-8305950)

The -XshowSettings launcher option has been enhanced to print the tzdata version configured with the JDK. The tzdata version is displayed as part of the locale showSettings option.

Example output using -XshowSettings:locale:


Locale settings:
    default locale = English
    default display locale = English
    default format locale = English
    tzdata version = 2023c


Removed Features and Options

 Removed SECOM Trust System's RootCA1 Root Certificate (JDK-8295894)

The following root certificate from SECOM Trust System has been removed from the cacerts keystore:

+ alias name "secomscrootca1 [jdk]"

  Distinguished Name: OU=Security Communication RootCA1, O=SECOM, C=JP


Other Notes

 Added Certigna Root CA Certificate (JDK-8314960)

The following root certificate has been added to the cacerts truststore:

+ Certigna (Dhimyotis)

  + certignarootca
    DN: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR
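The two cacerts changes above can be confirmed on an upgraded runtime with the following added example (not Oracle's code). It matches trust anchors by the subject DNs quoted in these notes rather than by alias; the class name CacertsCheck is an assumption.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

public class CacertsCheck {
    // Subject DNs copied from the release notes above.
    static final X500Principal REMOVED =
        new X500Principal("OU=Security Communication RootCA1, O=SECOM, C=JP");
    static final X500Principal ADDED =
        new X500Principal("CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR");

    // Collect the subject of every trust anchor in the JVM's default trust store.
    static Set<X500Principal> defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // null selects the default store: cacerts unless javax.net.ssl.trustStore overrides it.
        tmf.init((KeyStore) null);
        Set<X500Principal> subjects = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    subjects.add(c.getSubjectX500Principal());
                }
            }
        }
        return subjects;
    }

    public static void main(String[] args) throws Exception {
        Set<X500Principal> anchors = defaultAnchors();
        System.out.println("trust anchors loaded: " + anchors.size());
        System.out.println("SECOM RootCA1 still trusted: " + anchors.contains(REMOVED));
        System.out.println("Certigna Root CA trusted: " + anchors.contains(ADDED));
        if (anchors.contains(REMOVED)) {
            System.out.println("-> a custom or stale trust store is in use; review it");
        }
    }
}
```

Run it with the same JVM options as the application, since a custom trust store configured there will not pick up the changes made to the bundled cacerts.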

 Debian JDK Installer Changes (JDK-8284854 (not public))

The installation directory of Oracle JDK Debian packages has changed. It was originally `/usr/lib/jvm/jdk-${FEATURE}`. With this release, it has been changed to `/usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}`.

The Oracle JDK Debian package registers jexec as an interpreter for launching .jar files from the command line.

The Oracle JDK Debian package configures storage for Java Preferences API in the /etc/.java/.systemPrefs directory.

The Oracle JDK Debian package registers JDK commands with the update-alternatives command and supplies the /usr/lib/jvm/.jdk-${FEATURE}-oracle-${ARCH}.jinfo file for the update-java-alternatives command.

 Ignore Allow and Disallow Options for System Property (JDK-8301118)

In JDK 12, two new token options for the system property, "allow" and "disallow", were introduced.

Many applications and frameworks are designed to run on multiple JDKs. Those that enable the SecurityManager at runtime via System.setSecurityManager have to specify the "allow" option as of JDK 18 (see JDK-8203316). However, these applications would also prefer to use the same command line across multiple versions of the JDK, especially if it is not known what JDK version a user will use.

Currently, if these options are specified in JDK 12 or earlier, the runtime attempts to load a SecurityManager implementation with the classname "allow" or "disallow", which results in a Could not create SecurityManager Error and the application will not start up.

From this release onward, the "allow" and "disallow" options for the system property will be ignored.

 The Default TLS Diffie-Hellman Group Size Has Been Increased from 1024-bit to 2048-bit (JDK-8301700)

The JDK implementation of TLS 1.2 now uses a default Diffie-Hellman key size of 2048 bits when a TLS_DHE cipher suite is negotiated and either the client or server does not support FFDHE, which can negotiate a stronger key size. The JDK TLS implementation supports FFDHE and it is enabled by default.

As a workaround, users can revert to the previous size by setting the jdk.tls.ephemeralDHKeySize system property to 1024 (at their own risk).

This change does not affect TLS 1.3 as the minimum DH group size is already 2048 bits.

 Use Server Cipher Suites Preference by Default (JDK-8168261)

For TLS connections, cipher suite selection now uses the server's cipher suite preference by default. Applications can configure the behavior by using the SSLParameters.setUseCipherSuitesOrder() method.
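The following added example (not Oracle's code) covers this note and the Diffie-Hellman note above: it reports whether jdk.tls.ephemeralDHKeySize has been overridden below 2048 bits and pins server cipher suite preference explicitly on a server-side SSLEngine. The class name TlsDefaultsCheck and the helper describeDhKeySize are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class TlsDefaultsCheck {
    // Describe the DH key size override; unset means the JDK default applies
    // (2048 bits as of this release, per the note above).
    static String describeDhKeySize(String value) {
        if (value == null) return "unset (JDK default)";
        try {
            int bits = Integer.parseInt(value.trim());
            return bits < 2048 ? bits + " bits: WEAKER than the new default" : bits + " bits";
        } catch (NumberFormatException e) {
            return "non-numeric value '" + value + "': review manually";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.ephemeralDHKeySize = "
            + describeDhKeySize(System.getProperty("jdk.tls.ephemeralDHKeySize")));

        // Server-side engine from the default context; no network I/O happens here.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        SSLParameters params = engine.getSSLParameters();
        System.out.println("server preference by default: " + params.getUseCipherSuitesOrder());

        // With server preference on, the order of this list decides the negotiated suite.
        String[] suites = params.getCipherSuites();
        for (int i = 0; i < Math.min(3, suites.length); i++) {
            System.out.println("  preference " + (i + 1) + ": " + suites[i]);
        }

        // Pin the behaviour explicitly so it does not depend on the JDK's default.
        params.setUseCipherSuitesOrder(true);
        engine.setSSLParameters(params);
        System.out.println("server preference after pinning: "
            + engine.getSSLParameters().getUseCipherSuitesOrder());
    }
}
```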


Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.21:

| # | JBS | Component | Summary |
|---|---|---|---|
| 1 | JDK-8298887 | client-libs | On the latest macOS+XCode the Robot API may report wrong colors |
| 2 | JDK-8306881 | client-libs/2d | Update FreeType to 2.13.0 |
| 3 | JDK-8307301 | client-libs/2d | Update HarfBuzz to 7.2.0 |
| 4 | JDK-8312555 | client-libs/2d | Ideographic characters aren't stretched by AffineTransform.scale(2, 1) |
| 5 | JDK-8304054 | client-libs/java.awt | Linux: NullPointerException from FontConfiguration.getVersion in case no fonts are installed |
| 6 | JDK-8311689 | client-libs/java.awt | Wrong visible amount in Adjustable of ScrollPane |
| 7 | JDK-8310054 | client-libs/java.awt | ScrollPane insets are incorrect |
| 8 | JDK-8297923 | client-libs/java.awt | java.awt.ScrollPane broken after multiple scroll up/down |
| 9 | JDK-8305815 | client-libs/java.awt | Update Libpng to 1.6.39 |
| 10 | JDK-6176679 | client-libs/java.awt | Application freezes when copying an animated gif image to the system clipboard |
| 11 | JDK-8286481 | client-libs/java.awt | Exception printed to stdout on Windows when storing transparent image in clipboard |
| 12 | JDK-8305517 | core-libs/java.net | Memory leak in Java Solaris native code when calling NetworkInterface.getHardwareAddress() |
| 13 | JDK-8248695 | core-libs/java.time | HostLocaleProviderAdapterImpl provides invalid date-only |
| 14 | JDK-8254350 | core-libs/java.util.concurrent | CompletableFuture.get may swallow InterruptedException |
| 15 | JDK-8300098 | core-libs/java.util.concurrent | java/util/concurrent/ConcurrentHashMap/ fails with internal timeout when executed with TieredCompilation1/3 |
| 16 | JDK-8313765 | core-libs/java.util.jar | Invalid CEN header (invalid zip64 extra data field size) |
| 17 | JDK-8234808 | core-svc/debugger | jdb quoted option parsing broken |
| 18 | JDK-8292778 | core-svc/java.lang.instrument | EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free |
| 19 | JDK-8300659 | core-svc/java.lang.management | Refactor TestMemoryAwareness to use WhiteBox api for host values |
| 20 | JDK-8257993 | hotspot/jvmti | vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine/ crash intermittently |
| 21 | JDK-8297887 | hotspot/runtime | Update Siphash |
| 22 | JDK-8303215 | hotspot/runtime | Make thread stacks not use huge pages |
| 23 | JDK-8220570 | hotspot/runtime | Additional trace when native thread creation fails |
| 24 | JDK-8283849 | hotspot/svc | AsyncGetCallTrace may crash JVM on guarantee |
| 25 | JDK-8301170 | hotspot/svc | perfMemory_windows.cpp add free_security_attr to early returns |
| 26 | JDK-8252530 | hotspot/test | Fix inconsistencies in hotspot whitebox |
| 27 | JDK-8213059 | install/install | Java .deb package implementation is incomplete |
| 28 | JDK-8296452 | security-libs/javax.crypto | Solaris Ucrypto context memory leak on CRYPTO_BUFFER_TOO_SMALL error |
| 29 | JDK-8275233 | tools/javac | Incorrect line number reported in exception stack trace thrown from a lambda expression |