The following sections summarize changes made in all Java SE 17.0.6 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8280890 | security-libs | java.security | Cannot use '-Djava.system.class.loader' with class loader in signed JAR |
JDK-8297804 | core-libs | java.time | (tz) Update Timezone Data to 2022g |
January 17, 2023
The full version string for this update release is 17.0.6+9 (where "+" means "build"). The version number is 17.0.6.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.6 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
17 | 17.0.6+9 |
11 | 11.0.18+9 |
8 | 8u361-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.6) be used after the next critical patch update scheduled for April 18, 2023.
With this fix the SunJSSE DTLS implementation will by default exchange cookies for all handshakes (new and resumed) unless the System property jdk.tls.enableDtlsResumeCookie
is false
. The property only affects the cookie exchange for resumption.
An OCSP response signed with the RSASSA-PSS algorithm is now supported.
This issue prevents yum
from automatically installing the correct packages required by Oracle Linux specific x86_64 headless and headful JDK packages. Instead of x86_64 packages, it will install i686 packages. To workaround the issue, you may manually install packages with the same names as indicated by yum
but with the x86_64 architecture.
After you have the x86_64 headless and/or headful jdk packages installed, you can get the list of required x86_64 packages by running the following script:
rpm -qa | grep -E -e '^jdk-.*-headful-.*\.x86_64$' -e '^jdk-.*-headless-.*\.x86_64$' | xargs -r rpm -q --requires | sort -u | cut -d ' ' -f 1 | grep -v '^rpmlib' | xargs -r rpm -q --whatprovides | sort -u | grep -e '.i[3456]86$' | xargs -r rpm -q --queryformat '%{name}.x86_64\n' | xargs -r echo
It will output a space-separated list of names of required x86_64 packages to stdout. You can pass this list to a sudo yum install
command to ensure the installation of the required packages.
The “JavaScript script engine” for FXML is now disabled by default. Any .fxml file that has a "javascript" Processing Instruction (PI) will no longer load by default, and an exception will be thrown.
If the JDK has a JavaScript script engine, it can be enabled by setting the system property: -Djavafx.allowjs=true
With 11.0.14, we are shipping the original JDK 11 translated resource bundles for German.
Installation directory name of Oracle JDK in RPM package has changed from /usr/java/jdk-${VERSION}
to /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}
. Thus the 17.0.6, and 17.0.7 releases for x64 will both be installed in /usr/lib/jvm/jdk-17-oracle-x64
directory. RPM package will create /usr/java/jdk-${FEATURE}
link pointing to the installation directory for backward compatibility.
Communication with the alternatives framework of JDK RPM package has changed. JDK RPM packages of prior versions registered a single java
group of commands with the alternatives framework. The JDK 17 RPM package registers java
and javac
groups with the alternatives framework. java
group is for commands used to run applications: java
, keytool
, and rmiregistry
. javac
group is used for all other commands. The set of commands registered by the package has not changed.
Two new Oracle Linux (OL)-specific JDK RPM packages have been added: jdk-17-headless
and jdk-17-headful
. These packages are available in OL7, OL8, and OL9 repositories. They are not available for OTN downloads. jdk-17-headless
is a Headless Java Runtime for running non-GUI applications. jdk-17-headful
is a Headful Java Runtime & Development Tools for developing and running applications of all types.
The combination of the OL-specific jdk-17-headless
and jdk-17-headful
packages provides the same JDK image and the same capabilities as jdk-17
OTN package. OL-specific JDK RPM packages specify required capabilities, and the "Release" property of these packages has a %{dist}
suffix.
Windows JDK installers must install the Oracle JDK in %Program Files%\Java\jdk-%FEATURE%
instead of %Program Files%\Java\jdk-%VNUM%
. I.e. all updates of the same release must share one installation directory.
Thus the 17.0.6 and 17.0.7 releases will both install into %Program Files%\Java\jdk-17
by default, and they both cannot be installed at the same time.
If the JDK17.0.7 installer is launched when JDK17.0.6 is already installed, it will auto-upgrade them to JDK17.0.7. There may be a Files In Use dialog shown if the older version was running and locking JDK files.
If the JDK17.0.6 installer is launched when JDK17.0.7 is already installed, it will show an error that a newer version of this JDK family is already installed.
The Oracle JDK installation directory name will be changed from /Library/Java/JavaVirtualMachines/jdk-${VERSION}.jdk
to /Library/Java/JavaVirtualMachines/jdk-${FEATURE}.jdk
. Thus the 17.0.6 and 17.0.7 releases will both install into the /Library/Java/JavaVirtualMachines/jdk-17.jdk
installation directory. Installing an older JDK update release will log an error, and not install the JDK, if a newer version of the same feature release already exists. An error dialog will be shown except in the case of a silent installation. JDK 17.0.N update releases shipped prior JEP C208 will not be uninstalled during installation of JDK 17 update release with JEP C208. However, JDK 17 GA release will be removed and its location /Library/Java/JavaVirtualMachines/jdk-17.jdk will be reused.
ProcessBuilder on Windows is restored to address a regression caused by JDK-8250568. Previously, an argument to ProcessBuilder that started with a double-quote and ended with a backslash followed by a double-quote was passed to a command incorrectly and may cause the command to fail. For example the argument "C:\\Program Files\"
, would be seen by the command with extra double-quotes. This update restores the long standing behavior that does not treat the backslash before the final double-quote specially.
The Set
implementation that holds principals and credentials in a JAAS Subject
prohibits null elements and any attempt to add, query, or remove a null element will result in a NullPointerException
. This is especially important when trying to remove principals or credentials from the subject at the logout phase but they are null because of a previous failed login. Various JDK LoginModule
implementations have been fixed to avoid the exception. An Implementation Note has also been added to the logout()
method of the LoginModule
interface. Developers should verify and if necessary update any custom LoginModule
implementations to be compliant with this implementation advice.
As part of ongoing maintenance, the JDK for Windows is built using the Microsoft Visual Studio 2022 toolchain starting with this release.
If you have issues with a Java application and if you have native or JNI libraries that are compiled with a different release of the compiler, then you must consider compatibility issues between the runtimes. Specifically, your environment is supported only if you follow the Microsoft guidelines when dealing with multiple runtimes.
The SunJSSE close notification checks for SSLEngine
to have been made less strict to conform to changes in the Transport Layer Security (TLS) RFCs. See also JDK-8253368.
Specifically, if an application tries to close its SSLEngine
inbound side using SSLEngine.closeInbound()
without having received a close notification message from its peer, the SSLEngine
will no longer:
The new behavior will still consider this condition an error and will throw a local javax.net.ssl.SSLException
. But a fatal-level alert will no longer be generated to be sent to the peer, and the underlying session will remain valid.
In addition, the internal transport context for the SSLEngine
will also now be closed. This may result in a different SSLEngineResult.HandshakeStatus
value on the SSLEngine
. Any outstanding outbound data must still be obtained (SSLEngine.wrap()
) and sent in order to gracefully close the connection.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 17.0.6:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8295429 | client-libs | Update harfbuzz md file |
2 | JDK-8293672 | client-libs | Update freetype md file |
3 | JDK-8289697 | client-libs/2d | buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad |
4 | JDK-8240756 | client-libs/2d | [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled |
5 | JDK-8284033 | client-libs/java.awt | Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c |
6 | JDK-8273655 | core-libs/java.net | content-types.properties files are missing some common types |
7 | JDK-8272352 | core-libs/java.util:i18n | Java launcher can not parse Chinese character when system locale is set to UTF-8 |
8 | JDK-8294307 | core-libs/java.util:i18n | ISO 4217 Amendment 173 Update |
9 | JDK-8293657 | core-svc/javax.management | sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake" |
10 | JDK-8293319 | hotspot/compiler | [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if |
11 | JDK-8280511 | hotspot/compiler | AArch64: Combine shift and negate to a single instruction |
12 | JDK-8276108 | hotspot/compiler | Wrong instruction generation in aarch64 backend |
13 | JDK-8251216 | hotspot/compiler | Implement MD5 intrinsics on AArch64 |
14 | JDK-8186670 | hotspot/compiler | Implement _onSpinWait() intrinsic for AArch64 |
15 | JDK-8290781 | hotspot/compiler | Segfault at PhaseIdealLoop::clone_loop_handle_data_uses |
16 | JDK-8282347 | hotspot/compiler | AARCH64: Untaken branch in has_negatives stub |
17 | JDK-8282049 | hotspot/compiler | AArch64: Use ZR for integer zero immediate volatile stores |
18 | JDK-8291775 | hotspot/compiler | C2: assert(r != __null && r->is_Region()) failed: this phi must have a region |
19 | JDK-8290711 | hotspot/compiler | assert(false) failed: infinite loop in PhaseIterGVN::optimize |
20 | JDK-8287349 | hotspot/compiler | AArch64: Merge LDR instructions to improve C1 OSR performance |
21 | JDK-8277411 | hotspot/compiler | C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check |
22 | JDK-8277358 | hotspot/compiler | Accelerate CRC32-C |
23 | JDK-8291599 | hotspot/compiler | Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127 |
24 | JDK-8290705 | hotspot/compiler | StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" |
25 | JDK-8290529 | hotspot/compiler | C2: assert(BoolTest(btest).is_canonical()) failure |
26 | JDK-8288445 | hotspot/compiler | AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding |
27 | JDK-8280872 | hotspot/compiler | Reorder code cache segments to improve code density |
28 | JDK-8272094 | hotspot/compiler | compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline" |
29 | JDK-8293816 | hotspot/compiler | CI: ciBytecodeStream::get_klass() is not consistent |
30 | JDK-8293044 | hotspot/compiler | C1: Missing access check on non-accessible class |
31 | JDK-8292158 | hotspot/compiler | AES-CTR cipher state corruption with AVX-512 |
32 | JDK-8270947 | hotspot/compiler | AArch64: C1: use zero_words to initialize all objects |
33 | JDK-8287425 | hotspot/compiler | Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path |
34 | JDK-8290451 | hotspot/compiler | Incorrect result when switching to C2 OSR compilation from C1 |
35 | JDK-8268779 | hotspot/gc | ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space" |
36 | JDK-8278389 | hotspot/gc | SuspendibleThreadSet::_suspend_all should be volatile/atomic |
37 | JDK-8288754 | hotspot/gc | GCC 12 fails to build zReferenceProcessor.cpp |
38 | JDK-8279398 | hotspot/jfr | jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop" |
39 | JDK-8268297 | hotspot/jfr | jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out |
40 | JDK-8291459 | hotspot/runtime | JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*) |
41 | JDK-8292083 | hotspot/runtime | Detected container memory limit may exceed physical machine memory |
42 | JDK-8293156 | hotspot/svc | Dcmd VM.classloaders fails to print the full hierarchy |
43 | JDK-8257722 | security-libs/java.security | Improve "keytool -printcert -jarfile" output |
44 | JDK-8273553 | security-libs/javax.net.ssl | sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368 |
45 | JDK-8276764 | core-svc/tools | Enable deterministic file content ordering for Jar and Jmod |
46 | JDK-8276766 | tools/jar | Enable jar and jmod to produce deterministic timestamped content |
47 | JDK-8293578 | tools/javac | Duplicate ldc generated by javac |
48 | JDK-8266082 | tools/javac | AssertionError in Annotate.fromAnnotations with -Xdoclint |
49 | JDK-8272776 | tools/javac | NullPointerException not reported |
50 | JDK-8286444 | tools/javac | javac errors after JDK-8251329 are not helpful enough to find root cause |
51 | JDK-8286855 | tools/javac | javac error on invalid jar should only print filename |
52 | JDK-8287076 | xml/org.w3c.dom | Document.normalizeDocument() produces different results |