July 14, 2020
The full version string for this update release is 11.0.8+10 (where "+" means "build"). The version number is 11.0.8.
JDK 11.0.8 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.8 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
11 | 11.0.8+10 |
8 | 1.8.0_261-b12 |
7 | 1.7.0_271-b10 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). To determine whether a release is the latest, use the Security Baseline page, which lists the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.8) be used after the next critical patch update scheduled for October 20, 2020.
security-libs/javax.net.ssl
➜ New System Properties to Configure the TLS Signature Schemes
Two new System Properties are added to customize the TLS signature schemes in JDK. jdk.tls.client.SignatureSchemes is added for TLS client side, and jdk.tls.server.SignatureSchemes for server side.
Each System Property contains a comma-separated list of supported signature scheme names, which specifies the signature schemes that could be used for the TLS connections.
The names are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.
See JDK-8242141
security-libs/javax.xml.crypto
➜ Apache Santuario Library Updated to Version 2.1.4
The Apache Santuario library has been upgraded to version 2.1.4. As a result, a new system property com.sun.org.apache.xml.internal.security.parser.pool-size has been introduced.
This new system property sets the pool size of the internal DocumentBuilder cache used when processing XML Signatures. The function is equivalent to the org.apache.xml.security.parser.pool-size system property used in Apache Santuario and has the same default value of 20.
See JDK-8231507
infrastructure
➜ Toolchain Upgrade to Xcode 10.1
On macOS, the toolchain used to build the JDK has been upgraded from Xcode 4.5 to Xcode 10.1.
JDK-8232007 (not public)
The Oracle JDK installer for Windows provides java.exe, javaw.exe, javac.exe, and jshell.exe commands in a system location so that users can run Java applications without needing to provide the path to the Oracle JDK's installation folder.
security-libs/java.security
➜ Removal of Comodo Root CA Certificate
The following expired Comodo root CA certificate was removed from the cacerts keystore:
Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
See JDK-8225069
security-libs/java.security
➜ Removal of DocuSign Root CA Certificate
The following expired DocuSign root CA certificate was removed from the cacerts keystore:
Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
See JDK-8225068
When setting a serialization filter by using java.io.ObjectInputStream.setObjectInputFilter, the method must be called before reading any objects from the stream. If the methods readObject or readUnshared are called, the setObjectInputFilter method throws IllegalStateException.
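The ordering rule above, shown as an added example (not Oracle's code): the filter is installed before the first read and rejects a type outside its allow-list, while a second stream that reads first is refused the late filter. The class name FilterOrderDemo, the sample data and the filter pattern are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

public class FilterOrderDemo {
    // Serialize the given objects into one stream (constructed sample input).
    static byte[] serialize(Object... objects) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            for (Object o : objects) out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] data = serialize("hello", new ArrayList<>(List.of(1, 2)));
        // Illustrative allow-list: java.lang classes only, everything else rejected.
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter("java.lang.*;!*");

        // Correct order: install the filter before the first readObject call.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowList);
            System.out.println("read: " + in.readObject());
            try {
                in.readObject(); // java.util.ArrayList is outside the allow-list
            } catch (InvalidClassException e) {
                System.out.println("rejected by filter: " + e.getMessage());
            }
        }

        // Wrong order: an object has already been read, so the filter is refused.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.readObject();
            try {
                in.setObjectInputFilter(allowList);
            } catch (IllegalStateException e) {
                System.out.println("late filter refused: " + e.getMessage());
            }
        }
    }
}
```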
core-libs/java.util:collections
➜ Better Listing of Arrays
The preferred way to copy a collection is to use a "copy constructor." For example, to copy a collection into a new ArrayList, one would write new ArrayList<>(collection). In certain circumstances, an additional, temporary copy of the collection's contents might be made in order to improve robustness. If the collection being copied is exceptionally large, then the application should be aware of, and monitor, the significant resources involved in making the copy.
JDK-8231800 (not public)
security-libs/javax.net.ssl
➜ Default SSLEngine Should Create in Server Role
In JDK 11 and later, javax.net.ssl.SSLEngine by default used client mode when handshaking. As a result, the set of default enabled protocols may differ from what is expected. SSLEngine would usually be used in server mode. From this JDK release onwards, SSLEngine will default to server mode. The javax.net.ssl.SSLEngine.setUseClientMode(boolean mode) method may be used to configure the mode.
See JDK-8237474
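A check for the behaviour described above, as an added example (not Oracle's code): it reports the role a freshly created engine starts in on the running JDK, then sets each role explicitly and lists the protocols enabled for it, so code does not depend on the default. The class name EngineRoleCheck and the helper newEngine are assumptions for illustration.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class EngineRoleCheck {
    // Create an engine with its role set explicitly instead of relying on
    // the default, which differs between JDK releases.
    static SSLEngine newEngine(boolean clientMode) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(clientMode); // must be called before any handshaking
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // What this runtime does when the role is never set.
        SSLEngine untouched = SSLContext.getDefault().createSSLEngine();
        System.out.println("default getUseClientMode(): " + untouched.getUseClientMode());
        System.out.println("default enabled protocols:  "
                + Arrays.toString(untouched.getEnabledProtocols()));

        // Enabled protocols for each explicitly chosen role.
        for (boolean clientMode : new boolean[] {true, false}) {
            SSLEngine engine = newEngine(clientMode);
            System.out.println((clientMode ? "client" : "server") + " enabled protocols:  "
                    + Arrays.toString(engine.getEnabledProtocols()));
        }
    }
}
```

Running it on the JDK before and after an upgrade shows whether any engine created without an explicit role changed its protocol set.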
core-svc/java.lang.management
➜ OperatingSystemMXBean Methods Inside a Container Return Container Specific Data
When executing in a container, or other virtualized operating environment, the following OperatingSystemMXBean methods in this release return container specific information, if available. Otherwise, they return host specific data:
getFreePhysicalMemorySize()
getTotalPhysicalMemorySize()
getFreeSwapSpaceSize()
getTotalSwapSpaceSize()
getSystemCpuLoad()
See JDK-8226575
security-libs
➜ Default SSL Session Cache Size Updated to 20480
The default SSL session cache size has been updated to 20480 in this JDK release.
See JDK-8210985
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.8 Bug Fixes page.