JDK 17.0.5 Release Notes

Java SE 17.0.5 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.5 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.


Changes in Java SE

Bug Fixes

BugId Category Subcategory Description
JDK-8291973 install install Java RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash
JDK-8294357 core-libs java.time (tz) Update Timezone Data to 2022d

Java™ SE Development Kit 17.0.5 (JDK 17.0.5)

October 18, 2022

The full version string for this update release is 17.0.5+9 (where "+" means "build"). The version number is 17.0.5.


IANA TZ Data 2022b, 2022c

JDK 17.0.5 contains IANA time zone data 2022b, 2022c.

  • Chile's DST is delayed by a week in September 2022.
  • Iran no longer observes DST after 2022.
  • Rename Europe/Kiev to Europe/Kyiv.
  • New zic -R option
  • Vanguard form now uses %z.
  • Finish moving duplicate-since-1970 zones to 'backzone'.
  • New build option PACKRATLIST.
  • New tailored_tarballs target, replacing rearguard_tarballs.
  • Work around awk bug in FreeBSD, macOS, etc.
  • Improve tzselect on intercontinental Zones.
For more information, refer to Timezone Data Versions in the Java Runtime.


Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.5 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)


Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.5) be used after the next critical patch update scheduled for January 17, 2023.


Other Notes

 Disabled SHA-1 Signed JARs (JDK-8269039)

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.

To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.

This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run jarsigner -verify -verbose -certs on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.

For example:

-  Signed by "CN="Signer""

     Digest algorithm: SHA-1 (disabled)
     Signature algorithm: SHA1withRSA (disabled), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01

JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.

Users can, at their own risk, remove these restrictions by modifying the configuration file (or override it by using the system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

 Make HttpURLConnection Default Keep Alive Timeout Configurable (JDK-8278067)

Two system properties have been added which control the keep alive behavior of HttpURLConnection in the case where the server does not specify a keep alive time. Two properties are defined for controlling connections to servers and proxies separately. They are http.keepAlive.time.server and http.keepAlive.time.proxy respectively. More information about them can be found in Networking Properties.

 Update Timezone Data to 2022c (JDK-8294042)

This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone data. All time zone IDs remain the same but the merged time zones will point to a shared zone data.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.

For more details, refer to the announcement of 2022b.

 New System Property to Limit the Number of Open Connections to (JDK-8286918 (not public))

A new system property named jdk.httpserver.maxConnections has been introduced to allow users to configure the to limit the maximum number of open connections to the server at any given time. This system property takes an integer value and can be configured to be a positive integer. If the property is absent, set to 0, or a negative value, the server will not limit the number of open connections. By default, this system property is not set.


Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.5:

# JBS Component Summary
1JDK-8285686client-libs/2dUpdate FreeType to 2.12.0
2JDK-8264666client-libs/2dChange implementation of safeAdd/safeMult in the LCMSImageLayout class
3JDK-8289853client-libs/2dUpdate HarfBuzz to 4.4.1
4JDK-8290334client-libs/2dUpdate FreeType to 2.12.1
5JDK-8274939client-libs/java.awtIncorrect size of the pixel storage is used by the robot on macOS
6JDK-8273506client-libs/java.awtjava Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12
7JDK-8255439client-libs/java.awtSystem Tray icons get corrupted when Windows scaling changes
8JDK-8287740client-libs/javax.accessibilityNSAccessibilityShowMenuAction not working for text editors
9JDK-8284690client-libs/javax.accessibility[macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
10JDK-8284014client-libs/javax.accessibilityMenu items with submenus in JPopupMenu are not spoken on macOS
11JDK-8277497client-libs/javax.accessibilityLast column cell in the JTable row is read as empty cell
12JDK-8278609client-libs/javax.accessibility[macos] accessibility frame is misplaced on a secondary monitor on macOS
13JDK-8283383client-libs/javax.accessibility[macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name
14JDK-8286266client-libs/javax.accessibility[macos] VoiceOver : Moving JTable column to be the first column JVM crashes
15JDK-8287917core-libs/java.lang:class_loadingSystem.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
16JDK-8281183core-libs/java.utilRandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
17JDK-8280950core-libs/java.utilRandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
18JDK-8288769core-libs/java.util.jarRevert unintentional change to deflate.c
19JDK-8283277core-libs/java.util:i18nISO 4217 Amendment 171 Update
20JDK-8289549core-libs/java.util:i18nISO 4217 Amendment 172 Update
21JDK-8276990core-svc/debuggerMemory leak in invoker.c fillInvokeRequest() during JDI operations
22JDK-8281615core-svc/debuggerDeadlock caused by jdwp agent
23JDK-8284094core-svc/debuggerMemory leak in invoker_completeInvokeRequest()
24JDK-8284848hotspot/compilerC2: Compiler blackhole arguments should be treated as globally escaping
25JDK-8282467hotspot/compileradd extra diagnostics for JDK-8268184
26JDK-8284883hotspot/compilerJVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512
27JDK-8285923hotspot/compiler[REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities
28JDK-8282555hotspot/compilerMissing memory edge when spilling MoveF2I, MoveD2L etc
29JDK-8286638hotspot/compilerC2: CmpU needs to do more precise over/underflow analysis
30JDK-8288303hotspot/compilerC1: Miscompilation due to broken Class.getModifiers intrinsic
31JDK-8270090hotspot/compilerC2: LCM may prioritize CheckCastPP nodes over projections
32JDK-8280696hotspot/compilerC2 compilation hits assert(is_dominator(c, n_ctrl)) failed
33JDK-8285820hotspot/compilerC2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
34JDK-8287091hotspot/compileraarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
35JDK-8287396hotspot/compilerLIR_Opr::vreg_number() and data() can return negative number
36JDK-8286625hotspot/compilerC2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect
37JDK-8288467hotspot/compilerremove memory_operand assert for spilled instructions
38JDK-8276546hotspot/compiler[IR Framework] Whitelist and ignore CompileThreshold
39JDK-8279622hotspot/compilerC2: miscompilation of map pattern as a vector reduction
40JDK-8286177hotspot/compilerC2: "failed: non-reduction loop contains reduction nodes" assert failure
41JDK-8284944hotspot/compilerassert(cnt++ < 40) failed: infinite cycle in loop optimization
42JDK-8287223hotspot/compilerC1: Inlining attempt through MH::invokeBasic() with null receiver
43JDK-8272736hotspot/compiler[JVMCI] Add API for reading and writing JVMCI thread locals
44JDK-8284358hotspot/compilerUnreachable loop is not removed from C2 IR, leading to a broken graph
45JDK-8288360hotspot/compilerCI: ciInstanceKlass::implementor() is not consistent for well-known classes
46JDK-8288781hotspot/compilerC1: LIR_OpVisitState::maxNumberOfOperands too small
47JDK-8287432hotspot/compilerC2: assert(tn->in(0) != __null) failed: must have live top node
48JDK-8283441hotspot/compilerC2: segmentation fault in ciMethodBlocks::make_block_at(int)
49JDK-8289127hotspot/compilerApache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible
50JDK-8286314hotspot/compilerTrampoline not created for far runtime targets outside small CodeCache
51JDK-8281297hotspot/gcTestStressG1Humongous fails with guarantee(is_range_uncommitted)
52JDK-8283597hotspot/jvmti[REDO] Invalid generic signature for redefined classes
53JDK-8278753hotspot/runtimeRuntime crashes with access violation during JNI_CreateJavaVM call
54JDK-8283469hotspot/runtimeDon't use memset to initialize members in FileMapInfo and fix memory leak
55JDK-8268773hotspot/runtimeImprovements related to: Failed to start thread - pthread_create failed (EAGAIN)
56JDK-8289477hotspot/runtimeMemory corruption with CPU_ALLOC, CPU_FREE on muslc
57JDK-8289799hotspot/runtimeBuild warning in methodData.cpp memset zero-length parameter
58JDK-8290417hotspot/runtimeCDS cannot archive lamda proxy with useImplMethodHandle
59JDK-8287107hotspot/runtimeCgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
60JDK-8287741hotspot/runtimeFix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
61JDK-8283723infrastructureUpdate Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows
62JDK-8275887security-libs/java.securityjarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
63JDK-8281628security-libs/javax.cryptoKeyAgreement : generateSecret intermittently not resetting
64JDK-8284694security-libs/ evaluating SSLAlgorithmConstraints twice
65JDK-8286211security-libs/javax.smartcardioUpdate PCSC-Lite for SUSE Linux to 1.9.5
66JDK-8285398security-libs/jdk.securityCache the results of constraint checks
67JDK-8155701tools/javacThe compiler fails with an AssertionError: typeSig ERROR
68JDK-8281316tools/javacjavac performance issues with large number of jars on classpath
69JDK-8282214tools/javadoc(tool)Upgrade JQuery to version 3.6.0
70JDK-8284367tools/javadoc(tool)JQuery UI upgrade from 1.12.1 to 1.13.1
71JDK-8277494tools/jpackage[BACKOUT] JDK-8276150 Quarantined jpackage apps are labeled as "damaged"
72JDK-8284675tools/jpackage"jpackage.exe" creates application launcher without Windows Application Manfiest
73JDK-8276837tools/jpackage[macos]: Error when signing the additional launcher
74JDK-8278311tools/jpackageDebian packaging doesn't work
75JDK-8279370tools/jpackagejdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0
76JDK-8284067tools/jpackagejpackage'd launcher reports non-zero exit codes with error prompt
77JDK-8289486xml/jaxpImprove XSLT XPath operators count efficiency