The following sections summarize changes made in all Java SE 17.0.11 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8331885 | hotspot | compiler | C2: meet between unloaded and speculative types is not symmetric |
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8322726 | hotspot | compiler | C2: Unloaded signature class kills argument value |
JDK-8321151 | client-libs | javas.swing | JDK-8294427 breaks Windows L&F on all older Windows versions |
The full version string for this update release is 17.0.11+7 (where "+" means "build"). The version number is 17.0.11.
JDK 17.0.11 contains IANA time zone data 2024a which contains the following changes:
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 17.0.11 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
17 | 17.0.11+7 |
11 | 11.0.23+7 |
8 | 8u411-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.11) be used after the next critical patch update scheduled for July 16, 2024.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
Oracle JDK 17 LTS, released in September 2021, has been permissively licensed under the free Java license and will continue to be so until one year after the subsequent LTS release. Oracle designated Oracle JDK 21, released in September of 2023, as a Long Term Support (LTS) release. Therefore, update releases of Oracle JDK 17 after September of 2024 will switch to the Java SE OTN license, the same license under which we offer updates to Java 8 and 11. Users wishing to receive updates of the Oracle JDK under the free Java license should migrate to Oracle JDK 21.
The XML Signature implementation has been updated to Santuario 3.0.3. Support for four new SHA-3 based RSA-MGF1 signature methods have been added: SHA3_224_RSA_MGF1
, SHA3_256_RSA_MGF1
, SHA3_384_RSA_MGF1
, and SHA3_512_RSA_MGF1
. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod
in the JDK update releases, they may be represented as string literals in order to be functionally equivalent. SHA-3 hash algorithm support was delivered to JDK 9 via JEP 287. Releases earlier than that may use third party security providers.
Additionally, support for the following EdDSA signatures has been added: ED25519
and ED448
. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod
in the JDK Update releases, they may be represented as string literals in order to be functionally equivalent. The JDK supports EdDSA since JDK 15. Releases earlier than that may use 3rd party security providers. One other difference is that the JDK still supports the here()
function by default. However, we recommend avoiding the use of the here()
function in new signatures and replacing existing signatures that use the here()
function. Future versions of the JDK will likely disable, and eventually remove, support for this function, as it cannot be supported using the standard Java XPath API. Users can now disable the here()
function by setting the security property jdk.xml.dsig.hereFunctionSupported
to "false".
jpackage
Apps May Fail to Build on Debian Linux Distros Due to Missing Shared Libraries
(JDK-8295111)
There is an issue on Debian Linux distros where jpackage
could not always build an accurate list of required packages from shared libraries with symbolic links in their paths, causing installations to fail due to missing shared libraries.
The java.awt.SystemTray
API is used for notifications in a desktop taskbar and may include an icon representing an application. On Linux, the Gnome desktop's own icon support in the taskbar has not worked properly for several years due to a platform bug. This, in turn, has affected the JDK's API, which relies upon that.
Therefore, in accordance with the existing Java SE specification, java.awt.SystemTray.isSupported()
will return false where ever the JDK determines the platform bug is likely to be present.
The impact of this is likely to be limited since applications always must check for that support anyway. Additionally, some distros have not supported the SystemTray for several years unless the end-user chooses to install non-bundled desktop extensions.
The following root certificates have been added to the cacerts truststore:
+ Certainly
+ certainlyrootr1
DN: CN=Certainly Root R1, O=Certainly, C=US
+ Certainly
+ certainlyroote1
DN: CN=Certainly Root E1, O=Certainly, C=US
Library | New Version | Module | JBS |
---|---|---|---|
FreeType | 2.13.2 | java.desktop | JDK-8316028 |
HarfBuzz | 8.2.2 | java.desktop | JDK-8313643 |
libpng | 1.6.40 | java.desktop | JDK-8316030 |
Xalan Java | 2.7.3 | java.xml | JDK-8305814 |
XML Security for Java | 3.0.3 | java.xml.crypto | JDK-8319124 |
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 17.0.11:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8318951 | client-libs/2d | Additional negative value check in JPEG decoding |
2 | JDK-8301846 | client-libs/javax.sound | Invalid TargetDataLine after screen lock when using JFileChooser or COM library |
3 | JDK-8299058 | core-libs/java.net | AssertionError in sun.net.httpserver.ServerImpl when connection is idle |
4 | JDK-8321480 | core-libs/java.util:i18n | ISO 4217 Amendment 176 Update |
5 | JDK-8271118 | hotspot/compiler | C2: StressGCM should have higher priority than frequency-based policy |
6 | JDK-8316679 | hotspot/compiler | C2 SuperWord: wrong result, load should not be moved before store if not comparable |
7 | JDK-8274060 | hotspot/compiler | C2: Incorrect computation after JDK-8273454 |
8 | JDK-8273454 | hotspot/compiler | C2: Transform (-a)*(-b) into a*b |
9 | JDK-8315920 | hotspot/compiler | C2: "control input must dominate current control" assert failure |
10 | JDK-8297968 | hotspot/compiler | Crash in PrintOptoAssembly |
11 | JDK-8321215 | hotspot/compiler | Incorrect x86 instruction encoding for VSIB addressing mode |
12 | JDK-8316414 | hotspot/compiler | C2: large byte array clone triggers "failed: malformed control flow" assertion failure on linux-x86 |
13 | JDK-8320209 | hotspot/compiler | VectorMaskGen clobbers rflags on x86_64 |
14 | JDK-8318889 | hotspot/compiler | C2: add bailout after assert Bad graph detected in build_loop_late |
15 | JDK-8317507 | hotspot/compiler | C2 compilation fails with "Exceeded _node_regs array" |
16 | JDK-8277919 | hotspot/jfr | OldObjectSample event causing bloat in the class constant pool in JFR recording |
17 | JDK-8287113 | hotspot/jfr | JFR: Periodic task thread uses period for method sampling events |
18 | JDK-8322321 | hotspot/runtime | Add man page doc for -XX:+VerifySharedSpaces |
19 | JDK-8312585 | hotspot/runtime | Rename DisableTHPStackMitigation flag to THPStackMitigation |
20 | JDK-8312182 | hotspot/runtime | THPs cause huge RSS due to thread start timing issue |
21 | JDK-8312620 | hotspot/runtime | WSL Linux build crashes after JDK-8310233 |
22 | JDK-8312394 | hotspot/runtime | [linux] SIGSEGV if kernel was built without hugepage support |
23 | JDK-8323243 | hotspot/runtime | JNI invocation of an abstract instance method corrupts the stack |
24 | JDK-8320208 | security-libs/java.security | Update Public Suffix List to b5bf572 |
25 | JDK-8302182 | security-libs/java.security | Update Public Suffix List to 88467c9 |
26 | JDK-8307185 | security-libs/javax.crypto:pkcs11 | pkcs11 native libraries make JNI calls into java code while holding GC lock |
27 | JDK-8277307 | security-libs/javax.net.ssl | Pre shared key sent under both session_ticket and pre_shared_key extensions |
28 | JDK-8284910 | security-libs/javax.security | Buffer clean in PasswordCallback |
29 | JDK-8318971 | tools/jar | Better Error Handling for Jar Tool When Processing Non-existent Files |
30 | JDK-8308245 | tools/javac | Add -proc:full to describe current default annotation processing policy |
31 | JDK-8298087 | xml/javax.xml.validation | XML Schema Validation reports an required attribute twice via ErrorHandler |