July 20, 2021
The full version string for this update release is 16.0.2+7 (where "+" means "build"). The version number is 16.0.2.
JDK 16.0.2 contains IANA time zone data 2021a.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 16.0.2 are specified in the following table:
|JRE Family Version||JRE Security Baseline (Full Version String)|
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). To determine whether a release is the latest, use the Security Baseline page, which shows the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 16.0.2) be used after the next critical patch update scheduled for October 19, 2021.
The following root certificate has been removed from the cacerts truststore:
+ Telia Company
  + soneraclass2ca
    DN: CN=Sonera Class2 CA, O=Sonera, C=FI
The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide:
java-fonts. This clean-up of the list resolves existing and potential conflicts with modular rpms.
There are other RPMs providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other RPMs to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.
On the Linux platform, the names of JDK packages provided by Java RPM and DEB installers have been changed. Names of JDK packages follow the jdk-<feature_release_version> pattern instead of the jdk-<update_release_version> pattern that was previously used. For example, the new names of JDK 11, 16, and 17 packages are
The change to package names disables side-by-side installation of multiple JDKs of the same release family. Only one JDK per release family can be installed on a system with RPM and DEB installers.
If a user wants to have multiple update releases from the same family, the user must download the
Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.
The following system property has been added for validation of server addresses in FTP passive mode.
In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address to which the FTP Client initially connected.
To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The effect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a
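The address check described in this FTP note can be sketched as follows. This is an added example, not the JDK's FTP Client code: the class PasvAddressCheck, the method validate, the way the property is read, and the sample replies and addresses are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PasvAddressCheck {
    // RFC 959 reply to PASV: "227 <text> (h1,h2,h3,h4,p1,p2)"
    private static final Pattern PASV = Pattern.compile(
        "^227 .*?(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3})");

    /** Returns the data port when the advertised address is acceptable; throws otherwise. */
    static int validate(String reply, InetAddress controlPeer, boolean trustPasvAddress)
            throws Exception {
        Matcher m = PASV.matcher(reply);
        if (!m.find()) throw new IllegalArgumentException("not a usable 227 reply: " + reply);
        int[] f = new int[6];
        for (int i = 0; i < 6; i++) {
            f[i] = Integer.parseInt(m.group(i + 1));
            if (f[i] > 255) throw new IllegalArgumentException("field out of range: " + f[i]);
        }
        InetAddress advertised = InetAddress.getByAddress(
            new byte[] {(byte) f[0], (byte) f[1], (byte) f[2], (byte) f[3]});
        // Reject a data-connection address that is not the server we connected to,
        // unless the caller has opted back into the prior behavior.
        if (!trustPasvAddress && !advertised.equals(controlPeer)) {
            throw new SecurityException("PASV address " + advertised.getHostAddress()
                + " differs from control connection peer " + controlPeer.getHostAddress());
        }
        return f[4] * 256 + f[5];
    }

    public static void main(String[] args) throws Exception {
        // Assumption: this example reads the property with Boolean.getBoolean (false when unset).
        boolean trust = Boolean.getBoolean("jdk.net.ftp.trustPasvAddress");
        // Constructed control-connection peer and sample replies (documentation address ranges).
        InetAddress peer = InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 10});
        String[] replies = {
            "227 Entering Passive Mode (192,0,2,10,19,137)",
            "227 Entering Passive Mode (198,51,100,7,19,137)"
        };
        for (String r : replies) {
            try {
                System.out.println("accepted, data port " + validate(r, peer, trust));
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Running it with -Djdk.net.ftp.trustPasvAddress=true makes the example accept the second reply as well, which mirrors the opt-out the note describes.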
This release reverts the behavior of SSLSocketImpl and SSLTransport introduced by JDK-8196584. SocketException will now be thrown as is instead of being suppressed into an SSLException.
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.
In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:
cacerts keystore will not be restricted.
These exceptions may be removed in a future JDK release.
Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or overriding it using the java.security.properties system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 16.0.2 Bug Fixes page.