JDK 17.0.6 Release Notes

Java SE 17.0.6 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.6 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.


Changes in Java SE

Bug Fixes

BugId Category Subcategory Description
JDK-8280890 security-libs Cannot use '-Djava.system.class.loader' with class loader in signed JAR
JDK-8297804 core-libs java.time (tz) Update Timezone Data to 2022g

Java™ SE Development Kit 17.0.6 (JDK 17.0.6)

January 17, 2023

The full version string for this update release is 17.0.6+9 (where "+" means "build"). The version number is 17.0.6.


IANA TZ Data 2022d, 2022e, 2022f

JDK 17.0.6 contains IANA time zone data 2022d, 2022e, 2022f.
  • Palestine transitions are now Saturdays at 02:00.
  • Simplify three Ukraine zones into one.
  • Jordan and Syria switch from +02/+03 with DST to year-round +03.
  • Mexico will no longer observe DST except near the US border.
  • Chihuahua moves to year-round -06 on 2022-10-30.
  • Fiji no longer observes DST.
  • Move links to 'backward'.
  • In vanguard form, GMT is now a Zone and Etc/GMT a link.
  • zic now supports links to links, and vanguard form uses this.
  • Simplify four Ontario zones.
  • Fix a Y2438 bug when reading TZif data.
  • Enable 64-bit time_t on 32-bit glibc platforms.
  • Omit large-file support when no longer needed.
  • In C code, use some C23 features if available.
  • Remove no-longer-needed workaround for Qt bug 53071.
For more information, refer to Timezone Data Versions in the JRE Software.


Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.6 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)


Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.6) be used after the next critical patch update scheduled for April 18, 2023.


New Features

 DTLS Resumption Uses HelloVerifyRequest Messages (JDK-8287411 (not public))

With this fix the SunJSSE DTLS implementation will by default exchange cookies for all handshakes (new and resumed) unless the System property jdk.tls.enableDtlsResumeCookie is false. The property only affects the cookie exchange for resumption.

 Support for RSASSA-PSS in OCSP Response (JDK-8274471)

An OCSP response signed with the RSASSA-PSS algorithm is now supported.


Known Issues

 Installation of Oracle Linux Specific x64 JDK RPMs Pulls in i686 Dependencies (JDK-8305976 (Not Public))

This issue prevents yum from automatically installing the correct packages required by Oracle Linux specific x86_64 headless and headful JDK packages. Instead of x86_64 packages, it will install i686 packages. To workaround the issue, you may manually install packages with the same names as indicated by yum but with the x86_64 architecture.

After you have the x86_64 headless and/or headful jdk packages installed, you can get the list of required x86_64 packages by running the following script:

rpm -qa | grep -E -e '^jdk-.*-headful-.*\.x86_64$' -e '^jdk-.*-headless-.*\.x86_64$' | xargs -r rpm -q --requires | sort -u | cut -d ' ' -f 1 | grep -v '^rpmlib' | xargs -r rpm -q --whatprovides | sort -u | grep -e '.i[3456]86$' | xargs -r rpm -q --queryformat '%{name}.x86_64\n' | xargs -r echo

It will output a space-separated list of names of required x86_64 packages to stdout. You can pass this list to a sudo yum install command to ensure the installation of the required packages.


Other Notes

 FXML JavaScript Engine Disabled by Default (JDK-8294779 (not public))

The “JavaScript script engine” for FXML is now disabled by default. Any .fxml file that has a "javascript" Processing Instruction (PI) will no longer load by default, and an exception will be thrown.

If the JDK has a JavaScript script engine, it can be enabled by setting the system property: -Djavafx.allowjs=true

 Translated resource bundles for German (JDK-8263773)

With 11.0.14, we are shipping the original JDK 11 translated resource bundles for German.

 RPM JDK Installer Changes (JDK-8292834)

Installation directory name of Oracle JDK in RPM package has changed from /usr/java/jdk-${VERSION} to /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}. Thus the 17.0.6, and 17.0.7 releases for x64 will both be installed in /usr/lib/jvm/jdk-17-oracle-x64 directory. RPM package will create /usr/java/jdk-${FEATURE} link pointing to the installation directory for backward compatibility.

Communication with the alternatives framework of JDK RPM package has changed. JDK RPM packages of prior versions registered a single java group of commands with the alternatives framework. The JDK 17 RPM package registers java and javac groups with the alternatives framework. java group is for commands used to run applications: java, keytool, and rmiregistry. javac group is used for all other commands. The set of commands registered by the package has not changed.

Two new Oracle Linux (OL)-specific JDK RPM packages have been added: jdk-17-headless and jdk-17-headful. These packages are available in OL7, OL8, and OL9 repositories. They are not available for OTN downloads. jdk-17-headless is a Headless Java Runtime for running non-GUI applications. jdk-17-headful is a Headful Java Runtime & Development Tools for developing and running applications of all types.

The combination of the OL-specific jdk-17-headless and jdk-17-headful packages provides the same JDK image and the same capabilities as jdk-17 OTN package. OL-specific JDK RPM packages specify required capabilities, and the "Release" property of these packages has a %{dist} suffix.

 Disable Side-by-Side Installations of Multiple JDK Updates in Windows JDK Installers (JDK-8292820)

Windows JDK installers must install the Oracle JDK in %Program Files%\Java\jdk-%FEATURE% instead of %Program Files%\Java\jdk-%VNUM%. I.e. all updates of the same release must share one installation directory.

Thus the 17.0.6 and 17.0.7 releases will both install into %Program Files%\Java\jdk-17 by default, and they both cannot be installed at the same time.

If the JDK17.0.7 installer is launched when JDK17.0.6 is already installed, it will auto-upgrade them to JDK17.0.7. There may be a Files In Use dialog shown if the older version was running and locking JDK files.

If the JDK17.0.6 installer is launched when JDK17.0.7 is already installed, it will show an error that a newer version of this JDK family is already installed.

 All JDK Update Releases Are Installed Into the Same Directory on macOS (JDK-8292827)

The Oracle JDK installation directory name will be changed from /Library/Java/JavaVirtualMachines/jdk-${VERSION}.jdk to /Library/Java/JavaVirtualMachines/jdk-${FEATURE}.jdk. Thus the 17.0.6 and 17.0.7 releases will both install into the /Library/Java/JavaVirtualMachines/jdk-17.jdk installation directory. Installing an older JDK update release will log an error, and not install the JDK, if a newer version of the same feature release already exists. An error dialog will be shown except in the case of a silent installation. JDK 17.0.N update releases shipped prior JEP C208 will not be uninstalled during installation of JDK 17 update release with JEP C208. However, JDK 17 GA release will be removed and its location /Library/Java/JavaVirtualMachines/jdk-17.jdk will be reused.

 Incorrect Handling of Quoted Arguments in ProcessBuilder (JDK-8282008)

ProcessBuilder on Windows is restored to address a regression caused by JDK-8250568. Previously, an argument to ProcessBuilder that started with a double-quote and ended with a backslash followed by a double-quote was passed to a command incorrectly and may cause the command to fail. For example the argument "C:\\Program Files\", would be seen by the command with extra double-quotes. This update restores the long standing behavior that does not treat the backslash before the final double-quote specially.

 New Implementation Note for LoginModule on Removing Null from a Principals or Credentials set (JDK-8282730)

The Set implementation that holds principals and credentials in a JAAS Subject prohibits null elements and any attempt to add, query, or remove a null element will result in a NullPointerException. This is especially important when trying to remove principals or credentials from the subject at the logout phase but they are null because of a previous failed login. Various JDK LoginModule implementations have been fixed to avoid the exception. An Implementation Note has also been added to the logout() method of the LoginModule interface. Developers should verify and if necessary update any custom LoginModule implementations to be compliant with this implementation advice.

 Toolchain Upgrade to Visual Studio 2022 (JDK-8283723)

As part of ongoing maintenance, the JDK for Windows is built using the Microsoft Visual Studio 2022 toolchain starting with this release.

If you have issues with a Java application and if you have native or JNI libraries that are compiled with a different release of the compiler, then you must consider compatibility issues between the runtimes. Specifically, your environment is supported only if you follow the Microsoft guidelines when dealing with multiple runtimes.

 Change in SSLEngine.closeInbound() Behavior (JDK-8273553)

The SunJSSE close notification checks for SSLEngine to have been made less strict to conform to changes in the Transport Layer Security (TLS) RFCs. See also JDK-8253368.

Specifically, if an application tries to close its SSLEngine inbound side using SSLEngine.closeInbound() without having received a close notification message from its peer, the SSLEngine will no longer:

  1. trigger the transmission of a TLS fatal-level alert to the peer, and
  2. invalidate the current TLS session

The new behavior will still consider this condition an error and will throw a local But a fatal-level alert will no longer be generated to be sent to the peer, and the underlying session will remain valid.

In addition, the internal transport context for the SSLEngine will also now be closed. This may result in a different SSLEngineResult.HandshakeStatus value on the SSLEngine. Any outstanding outbound data must still be obtained (SSLEngine.wrap()) and sent in order to gracefully close the connection.


Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.6:

# JBS Component Summary
1JDK-8295429client-libsUpdate harfbuzz md file
2JDK-8293672client-libsUpdate freetype md file
3JDK-8289697client-libs/2dbuffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad
4JDK-8240756client-libs/2d[macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
5JDK-8284033client-libs/java.awtLeak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
6JDK-8273655core-libs/ files are missing some common types
7JDK-8272352core-libs/java.util:i18nJava launcher can not parse Chinese character when system locale is set to UTF-8
8JDK-8294307core-libs/java.util:i18nISO 4217 Amendment 173 Update
9JDK-8293657core-svc/javax.managementsun/management/jmxremote/bootstrap/ failed with "SSLHandshakeException: Remote host terminated the handshake"
10JDK-8293319hotspot/compiler[C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if
11JDK-8280511hotspot/compilerAArch64: Combine shift and negate to a single instruction
12JDK-8276108hotspot/compilerWrong instruction generation in aarch64 backend
13JDK-8251216hotspot/compilerImplement MD5 intrinsics on AArch64
14JDK-8186670hotspot/compilerImplement _onSpinWait() intrinsic for AArch64
15JDK-8290781hotspot/compilerSegfault at PhaseIdealLoop::clone_loop_handle_data_uses
16JDK-8282347hotspot/compilerAARCH64: Untaken branch in has_negatives stub
17JDK-8282049hotspot/compilerAArch64: Use ZR for integer zero immediate volatile stores
18JDK-8291775hotspot/compilerC2: assert(r != __null && r->is_Region()) failed: this phi must have a region
19JDK-8290711hotspot/compilerassert(false) failed: infinite loop in PhaseIterGVN::optimize
20JDK-8287349hotspot/compilerAArch64: Merge LDR instructions to improve C1 OSR performance
21JDK-8277411hotspot/compilerC2 fast_unlock intrinsic on AArch64 has unnecessary ownership check
22JDK-8277358hotspot/compilerAccelerate CRC32-C
23JDK-8291599hotspot/compilerAssertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127
24JDK-8290705hotspot/compilerStringConcat::validate_mem_flow asserts with "unexpected user: StoreI"
25JDK-8290529hotspot/compilerC2: assert(BoolTest(btest).is_canonical()) failure
26JDK-8288445hotspot/compilerAArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding
27JDK-8280872hotspot/compilerReorder code cache segments to improve code density
28JDK-8272094hotspot/compilercompiler/codecache/ crashes with "failed to allocate space for trampoline"
29JDK-8293816hotspot/compilerCI: ciBytecodeStream::get_klass() is not consistent
30JDK-8293044hotspot/compilerC1: Missing access check on non-accessible class
31JDK-8292158hotspot/compilerAES-CTR cipher state corruption with AVX-512
32JDK-8270947hotspot/compilerAArch64: C1: use zero_words to initialize all objects
33JDK-8287425hotspot/compilerRemove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path
34JDK-8290451hotspot/compilerIncorrect result when switching to C2 OSR compilation from C1
35JDK-8268779hotspot/gcZGC: runtime/InternalApi/ failed with "OutOfMemoryError: Java heap space"
36JDK-8278389hotspot/gcSuspendibleThreadSet::_suspend_all should be volatile/atomic
37JDK-8288754hotspot/gcGCC 12 fails to build zReferenceProcessor.cpp
38JDK-8279398hotspot/jfrjdk/jfr/api/recording/time/ failed with "RuntimeException: getStopTime() > afterStop"
39JDK-8268297hotspot/jfrjdk/jfr/api/consumer/streaming/ times out
40JDK-8291459hotspot/runtimeJVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*)
41JDK-8292083hotspot/runtimeDetected container memory limit may exceed physical machine memory
42JDK-8293156hotspot/svcDcmd VM.classloaders fails to print the full hierarchy
43JDK-8257722security-libs/java.securityImprove "keytool -printcert -jarfile" output
44JDK-8273553security-libs/ also has similar error of JDK-8253368
45JDK-8276764core-svc/toolsEnable deterministic file content ordering for Jar and Jmod
46JDK-8276766tools/jarEnable jar and jmod to produce deterministic timestamped content
47JDK-8293578tools/javacDuplicate ldc generated by javac
48JDK-8266082tools/javacAssertionError in Annotate.fromAnnotations with -Xdoclint
49JDK-8272776tools/javacNullPointerException not reported
50JDK-8286444tools/javacjavac errors after JDK-8251329 are not helpful enough to find root cause
51JDK-8286855tools/javacjavac error on invalid jar should only print filename
52JDK-8287076xml/org.w3c.domDocument.normalizeDocument() produces different results