JDK 11.0.5 Release Notes

Java Development Kit 11 Release Notes

Java™ SE Development Kit 11.0.5 (JDK 11.0.5)

October 15, 2019

The full version string for this update release is 11.0.5+10 (where "+" means "build"). The version number is 11.0.5.

IANA Data 2019b

JDK 11.0.5 contains IANA time zone data version 2019b. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.5 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
11 11.0.5+10
8 1.8.0_231-b11
7 1.7.0_241-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.5) be used after the next critical patch update scheduled for January 14, 2020.

New Features

security-libs/java.security
New Java Flight Recorder (JFR) Security Events
Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.

  • jdk.SecurityPropertyModification

    • Records Security.setProperty(String key, String value) method calls
  • jdk.TLSHandshake

    • Records TLS handshake activity. The event fields include:
      • Peer hostname
      • Peer port
      • TLS protocol version negotiated
      • TLS cipher suite negotiated
      • Certificate id of peer client
  • jdk.X509Validation

    • Records details of X.509 certificates negotiated in successful X.509 validation (chain of trust)
  • jdk.X509Certificate

    • Records details of X.509 Certificates. The event fields include:
      • Certificate algorithm
      • Certificate serial number
      • Certificate subject
      • Certificate issuer
      • Key type
      • Key length
      • Certificate id
      • Validity of certificate

See JDK-8148188

Other notes

docs
Using the JDK or JRE on macOS Catalina (10.15)
Changes introduced in macOS 10.15 (Catalina) have caused JCK test failures which will prevent Java from being supported on macOS 10.15. If you still want to install and test then please see https://www.oracle.com/java/technologies/javase/jdk-jre-macos-catalina.html.

JDK-8230057 (not public)

security-libs/javax.net.ssl
Remove Obsolete NIST EC Curves from the Default TLS Algorithms
This change removes older non-NIST Suite B EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.

To re-enable these curves, use the jdk.tls.namedGroups system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:



java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, 
sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192" ... 

JDK-8228825 (not public)

security-libs/javax.crypto
Use SunJCE Mac in SecretKeyFactory PBKDF2 Implementation
The SunJCE implementation of the PBKDF2 SecretKeyFactory will now exclusively use the SunJCE Mac service for the underlying pseudorandom function (PRF). This fixes an issue where 3rd party JCE providers in rare cases could cause the SunJCE PBKDF2 SecretKeyFactory's underlying pseudorandom function (PRF) to fail on Mac.init().

See JDK-8218723

install
Java Access Bridge Installation Workaround
There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32bit Java products.

To prevent breaking Java Access Bridge functionality, use one of the following workarounds:

  • Stop JAWS before running the Java installer.
  • Uninstall the existing JRE(s) before installing the new version of Java.
  • Uninstall the existing JRE(s) after the new version of Java is installed and the machine is rebooted.

The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.

JDK-8223293 (not public)

security-libs/javax.xml.crypto
Updated XML Signature Implementation to Apache Santuario 2.1.3
The XML Signature implementation in the java.xml.crypto module has been updated to version 2.1.3 of Apache Santuario. New features include:

  • Added support for embedding elliptic curve public keys in the KeyValue element

See JDK-8219013

security-libs/javax.crypto
System Property jdk.security.useLegacyECC is Turned Off by Default
The system property jdk.security.useLegacyECC, which was introduced in the update releases 7u231 and 8u221, is turned off by default.

This option allows control of which implementation of ECC is in use.

When the system property, jdk.security.useLegacyECC, is explicitly set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC in the command line. Setting the option to true or the empty string is not recommended.

If the option is set to "false", or if it is not specified at all, the provider decides which implementation of ECC is used. This is the recommended setting, as the JDK will use modern and timing resistant implementations of the NIST secp256r1, secp384r1, and secp521r1 curves. For more information on which curves are recommended and which are legacy, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC.

JDK-8224499 (not public)

core-libs/java.util
Changed Properties.loadFromXML to Comply with Specification
The implementation of the java.util.Properties.loadFromXML method has been changed to comply with its specification. Specifically, the underlying XML parser implementation now rejects non-compliant XML documents by throwing an InvalidPropertiesFormatException as specified by the loadFromXML method.

The effect of the change is as follows:

  • Documents created by Properties.storeToXML: No change. Properties.loadFromXML will have no problem reading such files.

  • Documents not created by Properties.storeToXML: Any documents containing DTDs not in the format as specified in Properties.loadFromXML will be rejected. This means the DTD shall be exactly as follows (as generated by the Properties.storeToXML method):


    
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd"> 

See JDK-8213325

core-libs/java.lang
Runtime.exec and ProcessBuilder Argument Restrictions
Runtime.exec and ProcessBuilder have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager.

In applications where there is no security manager, there is no change in the default behavior and the new restrictions are opt-in. To enable the restrictions, set the system property jdk.lang.Process.allowAmbiguousCommands to false.

In applications where there is a security manager, the new restrictions are opt-out. To revert to the previous behavior set the system property jdk.lang.Process.allowAmbiguousCommands to true.

Applications using Runtime.exec or ProcessBuilder with a security manager to invoke .bat or .cmd and command names that do not end in ".exe" may be more restrictive in the characters accepted for arguments if they contain double-quote, "&", "|", "<", ">", or "^". The arguments passed to applications may be quoted differently than in previous versions.

For .exe programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. In the case where the entire argument has been passed with quotes or must be quoted to encode special characters including space and tab, the encoding ensures they are passed to the application correctly. The restrictions are enforced if there is a security manager and the jdk.lang.Process.allowAmbiguousCommands property is "false" or there is no security manager and property is not "false".

JDK-8221858 (not public)

client-libs/2d
Windows 2019 Core Server Is Not Supported
Windows Core Server 2019 does not ship a dll required by JDK in order to run. Specifically, if a Java application, including a headless one, requires awt.dll, the Java runtime will exit with an exception. There is no workaround. Until this is resolved, this Windows Server configuration is not supported.

See JDK-8229800

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 11.0.5:

# BugId Component Subcomponent Summary
1 JDK-8217676 client-libs   Upgrade libpng to 1.6.37
2 JDK-8214579 client-libs   JFrame does not paint content in XVFB / X11vnc environment
3 JDK-8222108 client-libs 2d Reduce minRefreshTime for updating remote printer list on Windows
4 JDK-8224825 client-libs 2d java/awt/Color/AlphaColorTest.java fails in linux-x64 system
5 JDK-8139178 client-libs 2d Wrong fontMetrics when printing in Landscape (OpenJDK)
6 JDK-8221411 client-libs 2d NullPointerException in RasterPrinterJob without PrinterResolution
7 JDK-8222362 client-libs 2d Upgrade to Freetype 2.10.0
8 JDK-8218854 client-libs 2d FontMetrics.getMaxAdvance may be less than the maximum FontMetrics.charWidth
9 JDK-8221304 client-libs 2d Problem list java/awt/FontMetrics/MaxAdvanceIsMax.java
10 JDK-8227392 client-libs java.awt Colors with alpha are painted incorrectly on Linux, after JDK-8214579
11 JDK-8196681 client-libs javax.accessibility Java Access Bridge logging and debug flags dynamically controlled
12 JDK-8225423 client-libs javax.swing GTK L&F: JSplitPane: There is no divider shown
13 JDK-8226964 client-libs javax.swing [Yaru] GTK L&F: There is no difference between menu selected and de-selected
14 JDK-8214702 client-libs javax.swing Wrong text position for whitespaced string in printing Swing text
15 JDK-8217366 core-libs   ZoneStrings are not populated for all the Locales
16 JDK-8216205 core-libs java.lang Java API documentation formatting error in System.getEnv()
17 JDK-8225425 core-libs java.net java.lang.UnsatisfiedLinkError: net.dll: Can't find dependent libraries
18 JDK-8217364 core-libs java.net Custom URLStreamHandler for jrt or file protocol can override default handler.
19 JDK-8213406 core-libs java.nio (fs) More than one instance of built-in FileSystem observed in heap
20 JDK-8224202 core-libs java.util Speed up Properties.load
21 JDK-8213325 core-libs java.util (props) Properties.loadFromXML does not fully comply with the spec
22 JDK-8214687 core-libs java.util:collections Optimize Collections.nCopies().hashCode() and equals()
23 JDK-8221924 core-libs java.util:collections get(null) on single-entry unmodifiable Map returns null instead of throwing NPE
24 JDK-8226876 core-libs java.util:i18n Assertion in sun/util/locale/provider/CalendarDataUtility on Windows after JDK-8218960
25 JDK-8222980 core-libs java.util:i18n Upgrade IANA Language Subtag Registry to Version 2019-04-03
26 JDK-8220037 core-libs java.util:i18n Inconsistencies of generated timezone files between Windows and Linux
27 JDK-8219890 core-libs java.util:i18n Calendar.getDisplayName() returns empty string for new Japanese Era on some locales
28 JDK-8218960 core-libs java.util:i18n CONFIG level logging statements printed in CLDRCalendarDataProviderImpl.java even when default log Level is INFO
29 JDK-8139965 core-libs javax.naming Hang seen when using com.sun.jndi.ldap.search.replyQueueSize
30 JDK-8206879 globalization locale-data Currency decimal marker incorrect for Peru
31 JDK-8219448 hotspot compiler split-if update_uses accesses stale idom data
32 JDK-8220198 hotspot compiler Lots of com/sun/crypto/provider/Cipher tests fail on x86_32 due to missing SHA512 stubs
33 JDK-8219335 hotspot compiler "failed: unexpected type" assert failure in ConnectionGraph::split_unique_types() with unsafe accesses
34 JDK-8220714 hotspot compiler C2 Compilation failure when accessing off-heap memory using Unsafe
35 JDK-8188133 hotspot compiler C2: Static field accesses in clinit can trigger deoptimizations
36 JDK-8177899 hotspot compiler Tests fail due to code cache exhaustion on machines with many cores
37 JDK-8222670 hotspot compiler pathological case of JIT recompilation and code cache bloat
38 JDK-8220374 hotspot compiler C2: LoopStripMining doesn't strip as expected
39 JDK-8213825 hotspot compiler assert(false) failed: Non-balanced monitor enter/exit! Likely JNI locking
40 JDK-8223537 hotspot compiler testlibrary_tests/ctw/ClassesListTest.java fails with Agent timeout frequently
41 JDK-8207965 hotspot compiler C2-only debug build fails
42 JDK-8202414 hotspot compiler Unsafe write after primitive array creation may result in array length change
43 JDK-8215483 hotspot compiler Off heap memory accesses should be vectorized
44 JDK-8219807 hotspot compiler C2 crash in IfNode::up_one_dom(Node*, bool)
45 JDK-8218721 hotspot compiler C1's CEE optimization produces safepoint poll with invalid debug information
46 JDK-8213419 hotspot compiler C2 may hang in MulLNode::Ideal()/MulINode::Ideal() with gcc 8.2.1
47 JDK-8214059 hotspot compiler Undefined behaviour in ADLC
48 JDK-8214189 hotspot compiler test/hotspot/jtreg/compiler/intrinsics/mathexact/MulExactLConstantTest.java fails on Windows x64 when run with -XX:-TieredCompilation
49 JDK-8200365 hotspot gc TestOptionsWithRanges.java of '-XX:TLABWasteTargetPercent=100' fails intermittently
50 JDK-8214161 hotspot jfr java.lang.IllegalAccessError: class jdk.internal.event.X509CertificateEvent (in module java.base) cannot access class jdk.jfr.internal.handlers.EventHandler (in module jdk.jfr) because module java.base does not read module jdk.jfr
51 JDK-8213172 hotspot jfr CDS and JFR tests fail with assert(JdkJfrEvent::is(klass)) failed: invariant
52 JDK-8203629 hotspot jfr Produce events in the JDK without a dependency on jdk.jfr
53 JDK-8214287 hotspot jfr SpecJbb2005StressModule got uncaught exception
54 JDK-8216049 hotspot runtime stringTable::intern creates redundant String when looking up existing one
55 JDK-8217994 hotspot runtime os::print_hex_dump should be more resilient against unreadable memory
56 JDK-8216308 hotspot runtime StackTraceElement::fill_in can use injected Class source-file
57 JDK-8217315 hotspot runtime Proper units should print more significant digits
58 JDK-8216302 hotspot runtime StackTraceElement::fill_in can use cached Class.name
59 JDK-8202835 hotspot runtime jfr/event/os/TestSystemProcess.java fails on missing events
60 JDK-8202353 hotspot runtime os::readdir should use readdir instead of readdir_r
61 JDK-8210457 hotspot runtime JVM crash in ResolvedMethodTable::add_method(Handle)
62 JDK-8222914 hotspot runtime Partial backport of JDK-8218266
63 JDK-8206075 hotspot runtime On x86, assert on unbound assembler Labels used as branch targets
64 JDK-8208480 hotspot runtime Test failure: assert(is_bound() || is_unused()) after JDK-8206075 in C1
65 JDK-8222985 install uninstall need to build 64-bit JavaUninstallTool.exe as 32-bit exe
66 JDK-8229773 security-libs java.security Resolve permissions for code source URLs lazily
67 JDK-8224589 security-libs java.security Improve startup behavior of SecurityProperties
68 JDK-8147502 security-libs java.security Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
69 JDK-8221801 security-libs java.security Update src/java.base/share/legal/public_suffix.md
70 JDK-8148188 security-libs java.security Enhance the security libraries to record events of interest
71 JDK-8226543 security-libs javax.crypto Reduce GC pressure during message digest calculations in password-based encryption
72 JDK-8218723 security-libs javax.crypto Use SunJCE Mac in SecretKeyFactory PBKDF2 implementation
73 JDK-8133489 security-libs javax.net.ssl Better messaging for PKIX path validation matching
74 JDK-8216039 security-libs javax.net.ssl TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange
75 JDK-8216326 security-libs javax.net.ssl SSLSocket stream close() does not close the associated socket
76 JDK-8218780 security-libs javax.smartcardio Update MUSCLE PCSC-Lite header files
77 JDK-8219013 security-libs javax.xml.crypto Update Apache Santuario (XML Signature) to version 2.1.3
78 JDK-8225005 xml jaxp Xerces 2.12.0: License file
79 JDK-8222415 xml jaxp Xerces 2.12.0: Parsing Configuration
80 JDK-8222743 xml jaxp Xerces 2.12.0: DOM Implementation
81 JDK-8222991 xml jaxp Xerces 2.12.0: Validation
82 JDK-8213117 xml org.w3c.dom adoptNode corrupts attribute values
83 JDK-8213734 xml org.xml.sax SAXParser.parse(File, ..) does not close resources when Exception occurs.