October 15, 2019
The full version string for this update release is 11.0.5+10 (where "+" means "build"). The version number is 11.0.5.
JDK 11.0.5 contains IANA time zone data version 2019b. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.5 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.5+10 |
8 | 1.8.0_231-b11 |
7 | 1.7.0_241-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). To determine whether a release is the latest, use the Security Baseline page, which shows the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.5) be used after the next critical patch update scheduled for January 14, 2020.
security-libs/java.security
➜New Java Flight Recorder (JFR) Security Events
Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.
jdk.SecurityPropertyModification: Security.setProperty(String key, String value) method calls
jdk.TLSHandshake
jdk.X509Validation
jdk.X509Certificate
See JDK-8148188
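The following added example (not part of the original release note) enables the four events programmatically with the standard jdk.jfr API, triggers one security property change, and reads the recording back to show which code made the change. The class name, the property key and its value are constructed for illustration.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Security;
import jdk.jfr.Recording;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordedStackTrace;
import jdk.jfr.consumer.RecordingFile;

public class SecurityEventAudit {
    // The four event names listed in this release note.
    static final String[] SECURITY_EVENTS = {
        "jdk.SecurityPropertyModification", "jdk.TLSHandshake",
        "jdk.X509Validation", "jdk.X509Certificate"
    };

    public static void main(String[] args) throws Exception {
        Path dump = Files.createTempFile("security-events", ".jfr");
        try (Recording recording = new Recording()) {
            for (String name : SECURITY_EVENTS) {
                // Disabled by default, so each event must be enabled explicitly.
                recording.enable(name).withStackTrace();
            }
            recording.start();
            // Constructed activity: a made-up property key, changed at run time.
            Security.setProperty("example.audit.property", "constructed-value");
            recording.stop();
            recording.dump(dump);
        }
        for (RecordedEvent event : RecordingFile.readAllEvents(dump)) {
            String type = event.getEventType().getName();
            if (!type.equals("jdk.SecurityPropertyModification")) {
                System.out.println(event.getStartTime() + " " + type);
                continue;
            }
            System.out.printf("%s %s key=%s value=%s%n", event.getStartTime(), type,
                    event.getString("key"), event.getString("value"));
            // The top frames show which code changed the security property.
            RecordedStackTrace trace = event.getStackTrace();
            if (trace != null) {
                trace.getFrames().stream().limit(3).forEach(frame ->
                        System.out.println("    at " + frame.getMethod().getType().getName()
                                + "." + frame.getMethod().getName()));
            }
        }
        Files.delete(dump);
    }
}
```

The TLS and X.509 events only appear in the output if the recorded code performs a handshake or certificate validation while the recording is running.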
docs
➜Using the JDK or JRE on macOS Catalina (10.15)
Changes introduced in macOS 10.15 (Catalina) have caused JCK test failures which will prevent Java from being supported on macOS 10.15. If you still want to install and test then please see https://www.oracle.com/java/technologies/javase/jdk-jre-macos-catalina.html.
JDK-8230057 (not public)
security-libs/javax.net.ssl
➜Remove Obsolete NIST EC Curves from the Default TLS Algorithms
This change removes older non-NIST Suite B EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.
To re-enable these curves, use the jdk.tls.namedGroups system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:
java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192" ...
JDK-8228825 (not public)
security-libs/javax.crypto
➜Use SunJCE Mac in SecretKeyFactory PBKDF2 Implementation
The SunJCE implementation of the PBKDF2 SecretKeyFactory will now exclusively use the SunJCE Mac service for the underlying pseudorandom function (PRF). This fixes an issue where 3rd party JCE providers in rare cases could cause the SunJCE PBKDF2 SecretKeyFactory's underlying pseudorandom function (PRF) to fail on Mac.init().
See JDK-8218723
install
➜Java Access Bridge Installation Workaround
There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32bit Java products.
To prevent breaking Java Access Bridge functionality, use one of the following workarounds:
The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.
JDK-8223293 (not public)
security-libs/javax.xml.crypto
➜Updated XML Signature Implementation to Apache Santuario 2.1.3
The XML Signature implementation in the java.xml.crypto module has been updated to version 2.1.3 of Apache Santuario. New features include:
See JDK-8219013
security-libs/javax.crypto
➜System Property jdk.security.useLegacyECC is Turned Off by Default
The system property jdk.security.useLegacyECC, which was introduced in the update releases 7u231 and 8u221, is turned off by default.
This option allows control of which implementation of ECC is in use.
When the system property, jdk.security.useLegacyECC, is explicitly set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify
-Djdk.security.useLegacyECC
If the option is set to "false", or if it is not specified at all, the provider decides which implementation of ECC is used. This is the recommended setting, as the JDK will use modern and timing resistant implementations of the NIST secp256r1, secp384r1, and secp521r1 curves. For more information on which curves are recommended and which are legacy, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC.
JDK-8224499 (not public)
core-libs/java.util
➜Changed Properties.loadFromXML to Comply with Specification
The implementation of the java.util.Properties.loadFromXML method has been changed to comply with its specification. Specifically, the underlying XML parser implementation now rejects non-compliant XML documents by throwing an InvalidPropertiesFormatException as specified by the loadFromXML method.
The effect of the change is as follows:
Documents created by Properties.storeToXML: No change. Properties.loadFromXML will have no problem reading such files.
Documents not created by Properties.storeToXML: Any documents containing DTDs not in the format as specified in Properties.loadFromXML will be rejected. This means the DTD shall be exactly as follows (as generated by the Properties.storeToXML method):
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
See JDK-8213325
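The following added example (not part of the original release note) feeds Properties.loadFromXML three constructed documents that differ only in their DOCTYPE declaration and prints whether each one is accepted. Per the note above, the two that deviate from the storeToXML declaration are expected to be rejected with InvalidPropertiesFormatException on this release; the class name, the sample documents and the example.invalid URL are made up for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.InvalidPropertiesFormatException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

public class LoadFromXmlDtdCheck {
    static final String PROLOG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
    static final String BODY =
            "<properties><entry key=\"mode\">strict</entry></properties>";

    // Constructed sample documents; only the DOCTYPE declaration differs.
    static Map<String, String> samples() {
        Map<String, String> docs = new LinkedHashMap<>();
        docs.put("storeToXML DOCTYPE", PROLOG
                + "<!DOCTYPE properties SYSTEM \"http://java.sun.com/dtd/properties.dtd\">\n" + BODY);
        docs.put("foreign system identifier", PROLOG
                + "<!DOCTYPE properties SYSTEM \"http://dtd.example.invalid/other.dtd\">\n" + BODY);
        docs.put("internal DTD subset", PROLOG
                + "<!DOCTYPE properties SYSTEM \"http://java.sun.com/dtd/properties.dtd\" "
                + "[ <!ENTITY mode \"strict\"> ]>\n" + BODY);
        return docs;
    }

    // Describes whether loadFromXML accepted or rejected the document.
    static String tryLoad(String xml) throws IOException {
        Properties props = new Properties();
        try {
            props.loadFromXML(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "accepted " + props;
        } catch (InvalidPropertiesFormatException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        for (Map.Entry<String, String> doc : samples().entrySet()) {
            System.out.println(doc.getKey() + " -> " + tryLoad(doc.getValue()));
        }
    }
}
```

Running the same class on the previous update release and on 11.0.5 is a quick way to find out whether hand-written or third-party properties files in a deployment will stop loading after the upgrade.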
core-libs/java.lang
➜Runtime.exec and ProcessBuilder Argument Restrictions
Runtime.exec and ProcessBuilder have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager.
In applications where there is no security manager, there is no change in the default behavior and the new restrictions are opt-in. To enable the restrictions, set the system property jdk.lang.Process.allowAmbiguousCommands to false.
In applications where there is a security manager, the new restrictions are opt-out. To revert to the previous behavior set the system property jdk.lang.Process.allowAmbiguousCommands to true.
Applications using Runtime.exec or ProcessBuilder with a security manager to invoke .bat or .cmd and command names that do not end in ".exe" may be more restrictive in the characters accepted for arguments if they contain double-quote, "&", "|", "<", ">", or "^". The arguments passed to applications may be quoted differently than in previous versions.
For .exe programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. In the case where the entire argument has been passed with quotes or must be quoted to encode special characters including space and tab, the encoding ensures they are passed to the application correctly. The restrictions are enforced if there is a security manager and the jdk.lang.Process.allowAmbiguousCommands property is "false" or there is no security manager and property is not "false".
JDK-8221858 (not public)
client-libs/2d
➜Windows 2019 Core Server Is Not Supported
Windows Core Server 2019 does not ship a dll required by JDK in order to run. Specifically, if a Java application, including a headless one, requires awt.dll, the Java runtime will exit with an exception. There is no workaround. Until this is resolved, this Windows Server configuration is not supported.
See JDK-8229800
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.5:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8217676 | client-libs | | Upgrade libpng to 1.6.37 |
2 | JDK-8214579 | client-libs | | JFrame does not paint content in XVFB / X11vnc environment |
3 | JDK-8222108 | client-libs | 2d | Reduce minRefreshTime for updating remote printer list on Windows |
4 | JDK-8224825 | client-libs | 2d | java/awt/Color/AlphaColorTest.java fails in linux-x64 system |
5 | JDK-8139178 | client-libs | 2d | Wrong fontMetrics when printing in Landscape (OpenJDK) |
6 | JDK-8221411 | client-libs | 2d | NullPointerException in RasterPrinterJob without PrinterResolution |
7 | JDK-8222362 | client-libs | 2d | Upgrade to Freetype 2.10.0 |
8 | JDK-8218854 | client-libs | 2d | FontMetrics.getMaxAdvance may be less than the maximum FontMetrics.charWidth |
9 | JDK-8221304 | client-libs | 2d | Problem list java/awt/FontMetrics/MaxAdvanceIsMax.java |
10 | JDK-8227392 | client-libs | java.awt | Colors with alpha are painted incorrectly on Linux, after JDK-8214579 |
11 | JDK-8196681 | client-libs | javax.accessibility | Java Access Bridge logging and debug flags dynamically controlled |
12 | JDK-8225423 | client-libs | javax.swing | GTK L&F: JSplitPane: There is no divider shown |
13 | JDK-8226964 | client-libs | javax.swing | [Yaru] GTK L&F: There is no difference between menu selected and de-selected |
14 | JDK-8214702 | client-libs | javax.swing | Wrong text position for whitespaced string in printing Swing text |
15 | JDK-8217366 | core-libs | | ZoneStrings are not populated for all the Locales |
16 | JDK-8216205 | core-libs | java.lang | Java API documentation formatting error in System.getEnv() |
17 | JDK-8225425 | core-libs | java.net | java.lang.UnsatisfiedLinkError: net.dll: Can't find dependent libraries |
18 | JDK-8217364 | core-libs | java.net | Custom URLStreamHandler for jrt or file protocol can override default handler. |
19 | JDK-8213406 | core-libs | java.nio | (fs) More than one instance of built-in FileSystem observed in heap |
20 | JDK-8224202 | core-libs | java.util | Speed up Properties.load |
21 | JDK-8213325 | core-libs | java.util | (props) Properties.loadFromXML does not fully comply with the spec |
22 | JDK-8214687 | core-libs | java.util:collections | Optimize Collections.nCopies().hashCode() and equals() |
23 | JDK-8221924 | core-libs | java.util:collections | get(null) on single-entry unmodifiable Map returns null instead of throwing NPE |
24 | JDK-8226876 | core-libs | java.util:i18n | Assertion in sun/util/locale/provider/CalendarDataUtility on Windows after JDK-8218960 |
25 | JDK-8222980 | core-libs | java.util:i18n | Upgrade IANA Language Subtag Registry to Version 2019-04-03 |
26 | JDK-8220037 | core-libs | java.util:i18n | Inconsistencies of generated timezone files between Windows and Linux |
27 | JDK-8219890 | core-libs | java.util:i18n | Calendar.getDisplayName() returns empty string for new Japanese Era on some locales |
28 | JDK-8218960 | core-libs | java.util:i18n | CONFIG level logging statements printed in CLDRCalendarDataProviderImpl.java even when default log Level is INFO |
29 | JDK-8139965 | core-libs | javax.naming | Hang seen when using com.sun.jndi.ldap.search.replyQueueSize |
30 | JDK-8206879 | globalization | locale-data | Currency decimal marker incorrect for Peru |
31 | JDK-8219448 | hotspot | compiler | split-if update_uses accesses stale idom data |
32 | JDK-8220198 | hotspot | compiler | Lots of com/sun/crypto/provider/Cipher tests fail on x86_32 due to missing SHA512 stubs |
33 | JDK-8219335 | hotspot | compiler | "failed: unexpected type" assert failure in ConnectionGraph::split_unique_types() with unsafe accesses |
34 | JDK-8220714 | hotspot | compiler | C2 Compilation failure when accessing off-heap memory using Unsafe |
35 | JDK-8188133 | hotspot | compiler | C2: Static field accesses in clinit can trigger deoptimizations |
36 | JDK-8177899 | hotspot | compiler | Tests fail due to code cache exhaustion on machines with many cores |
37 | JDK-8222670 | hotspot | compiler | pathological case of JIT recompilation and code cache bloat |
38 | JDK-8220374 | hotspot | compiler | C2: LoopStripMining doesn't strip as expected |
39 | JDK-8213825 | hotspot | compiler | assert(false) failed: Non-balanced monitor enter/exit! Likely JNI locking |
40 | JDK-8223537 | hotspot | compiler | testlibrary_tests/ctw/ClassesListTest.java fails with Agent timeout frequently |
41 | JDK-8207965 | hotspot | compiler | C2-only debug build fails |
42 | JDK-8202414 | hotspot | compiler | Unsafe write after primitive array creation may result in array length change |
43 | JDK-8215483 | hotspot | compiler | Off heap memory accesses should be vectorized |
44 | JDK-8219807 | hotspot | compiler | C2 crash in IfNode::up_one_dom(Node*, bool) |
45 | JDK-8218721 | hotspot | compiler | C1's CEE optimization produces safepoint poll with invalid debug information |
46 | JDK-8213419 | hotspot | compiler | C2 may hang in MulLNode::Ideal()/MulINode::Ideal() with gcc 8.2.1 |
47 | JDK-8214059 | hotspot | compiler | Undefined behaviour in ADLC |
48 | JDK-8214189 | hotspot | compiler | test/hotspot/jtreg/compiler/intrinsics/mathexact/MulExactLConstantTest.java fails on Windows x64 when run with -XX:-TieredCompilation |
49 | JDK-8200365 | hotspot | gc | TestOptionsWithRanges.java of '-XX:TLABWasteTargetPercent=100' fails intermittently |
50 | JDK-8214161 | hotspot | jfr | java.lang.IllegalAccessError: class jdk.internal.event.X509CertificateEvent (in module java.base) cannot access class jdk.jfr.internal.handlers.EventHandler (in module jdk.jfr) because module java.base does not read module jdk.jfr |
51 | JDK-8213172 | hotspot | jfr | CDS and JFR tests fail with assert(JdkJfrEvent::is(klass)) failed: invariant |
52 | JDK-8203629 | hotspot | jfr | Produce events in the JDK without a dependency on jdk.jfr |
53 | JDK-8214287 | hotspot | jfr | SpecJbb2005StressModule got uncaught exception |
54 | JDK-8216049 | hotspot | runtime | stringTable::intern creates redundant String when looking up existing one |
55 | JDK-8217994 | hotspot | runtime | os::print_hex_dump should be more resilient against unreadable memory |
56 | JDK-8216308 | hotspot | runtime | StackTraceElement::fill_in can use injected Class source-file |
57 | JDK-8217315 | hotspot | runtime | Proper units should print more significant digits |
58 | JDK-8216302 | hotspot | runtime | StackTraceElement::fill_in can use cached Class.name |
59 | JDK-8202835 | hotspot | runtime | jfr/event/os/TestSystemProcess.java fails on missing events |
60 | JDK-8202353 | hotspot | runtime | os::readdir should use readdir instead of readdir_r |
61 | JDK-8210457 | hotspot | runtime | JVM crash in ResolvedMethodTable::add_method(Handle) |
62 | JDK-8222914 | hotspot | runtime | Partial backport of JDK-8218266 |
63 | JDK-8206075 | hotspot | runtime | On x86, assert on unbound assembler Labels used as branch targets |
64 | JDK-8208480 | hotspot | runtime | Test failure: assert(is_bound() || is_unused()) after JDK-8206075 in C1 |
65 | JDK-8222985 | install | uninstall | need to build 64-bit JavaUninstallTool.exe as 32-bit exe |
66 | JDK-8229773 | security-libs | java.security | Resolve permissions for code source URLs lazily |
67 | JDK-8224589 | security-libs | java.security | Improve startup behavior of SecurityProperties |
68 | JDK-8147502 | security-libs | java.security | Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size |
69 | JDK-8221801 | security-libs | java.security | Update src/java.base/share/legal/public_suffix.md |
70 | JDK-8148188 | security-libs | java.security | Enhance the security libraries to record events of interest |
71 | JDK-8226543 | security-libs | javax.crypto | Reduce GC pressure during message digest calculations in password-based encryption |
72 | JDK-8218723 | security-libs | javax.crypto | Use SunJCE Mac in SecretKeyFactory PBKDF2 implementation |
73 | JDK-8133489 | security-libs | javax.net.ssl | Better messaging for PKIX path validation matching |
74 | JDK-8216039 | security-libs | javax.net.ssl | TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange |
75 | JDK-8216326 | security-libs | javax.net.ssl | SSLSocket stream close() does not close the associated socket |
76 | JDK-8218780 | security-libs | javax.smartcardio | Update MUSCLE PCSC-Lite header files |
77 | JDK-8219013 | security-libs | javax.xml.crypto | Update Apache Santuario (XML Signature) to version 2.1.3 |
78 | JDK-8225005 | xml | jaxp | Xerces 2.12.0: License file |
79 | JDK-8222415 | xml | jaxp | Xerces 2.12.0: Parsing Configuration |
80 | JDK-8222743 | xml | jaxp | Xerces 2.12.0: DOM Implementation |
81 | JDK-8222991 | xml | jaxp | Xerces 2.12.0: Validation |
82 | JDK-8213117 | xml | org.w3c.dom | adoptNode corrupts attribute values |
83 | JDK-8213734 | xml | org.xml.sax | SAXParser.parse(File, ..) does not close resources when Exception occurs. |