The following sections summarize changes made in all Java SE 17.0.8 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8313765 | core-libs | java.util.jar | Invalid CEN header (invalid zip64 extra data field size) |
JDK-8232933 | tools | javac | Javac inferred type does not conform to equality constraint |
The full version string for this update release is 17.0.8+9 (where "+" means "build"). The version number is 17.0.8.
JDK 17.0.8 contains IANA time zone data 2023c which contains the following changes:
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.8 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
17 | 17.0.8+9 |
11 | 11.0.20+9 |
8 | 8u381-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.8) be used after the next critical patch update scheduled for October 17, 2023.
The China National Standard body (CESI) has recently published GB18030-2022, which is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The Charset
implementation for this new standard has now replaced the prior 2000
standard. However, this new standard has some incompatible changes from the prior implementation. For those who need to use the old mappings, a new system property, jdk.charset.GB18030
, is introduced. By setting its value to 2000
, the previous JDK releases' mappings for the GB18030 Charset
are used, which are based on the 2000
standard.
The Windows KeyStore support in the SunMSCAPI provider has been expanded to include access to the local machine location. The new keystore types are:
The following keystore types were also added, allowing developers to make it clear they map to the current user:
A new Java Flight Recorder (JFR) event has been added to record details of java.security.Provider.getService(String type, String algorithm)
calls.
The new event name is jdk.SecurityProviderService
and contains the following fields:
Field name | Field Description |
---|---|
type | Type of Service |
algorithm | Algorithm Name |
provider | Security Provider |
This event is disabled by default and can be enabled via the JFR configuration files or via standard JFR options.
Installing into the same, shared jdk-(family)
directory is the default behavior for the JDK starting with the July 2023 CPU. It could lead to FilesInUse
issues if JDK files are locked by the "System User". We recommend shutting down any apps using the JDK as the "System User" before upgrading.
A new system property, jdk.nio.zipfs.allowDotZipEntry
, has been introduced. This system property can be used to remove the newly added restrictions in the Zip FS provider, which currently rejects ZIP files that contain entries with "." or ".." in name elements by default. Refer to the CSR for more detail.
The installation directory of Oracle JDK Debian package has changed from /usr/lib/jvm/jdk-${FEATURE}
to /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}
.
The Oracle JDK Debian package registers jexec as an interpreter for launching .jar files from the command line.
The Oracle JDK Debian package configures storage for Java Preferences API in /etc/.java/.systemPrefs
directory.
The Oracle JDK Debian package registers JDK commands with update-alternatives
command and supplies /usr/lib/jvm/.jdk-${FEATURE}-oracle-${ARCH}.jinfo
file for update-java-alternatives
command.
/usr/java/default
Symlink on Linux Restored
(JDK-8306690)
A regression where the /usr/java/default
symlink is not created by RPM installers on Linux platforms has been fixed. Installers will create the /usr/java/default
symlink if it doesn't exist, targeting the /usr/java/latest
symlink.
The JDK RPM installer will remove incorrectly constructed entries of "java" and "javac" groups registered by older Oracle JDK RPM installers from the alternatives before registering new "java" and "javac" entries.
An incorrectly constructed entry of the "java" group contains commands that are supposed to belong to the "javac" group.
An incorrectly constructed entry of the "javac" group contains commands that are supposed to belong to the "java" group.
All incorrectly constructed entries belonging to Oracle JDK RPM packages will be removed from the alternatives to avoid corruption of the alternatives internal data.
The removal has a potential side effect for users who have installed multiple JDK versions that are not updated to the latest release. Commands from a removed "java" or "javac" group are now unavailable for system Java switch, which potentially changes the current system Java without a warning. For example, if there is an out-of-date JDK RPM from an 11+ release, say 11.0.17, with an incorrectly constructed single "java" group installed and 8u381 RPM with this patch is installed, it will remove an entry from the "java" group belonging to the 11.0.17 RPM and thus will switch the current system Java from 11.0.17 to 8u381. The side effect will only happen when you install a lower JDK family with the fix, such as 8u381, and there is an out-of-date JDK from a higher family, such as 11.0.17, installed on the system. In that case, 8u381 will replace the older 11.0.17 as the latest. The remedy for the user is to install the latest JDK 11.
The following root certificate has been added to the cacerts truststore:
+ TWCA + twcaglobalrootca DN: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
The following root certificates have been added to the cacerts truststore:
+ Google Trust Services LLC + gtsrootcar1 DN: CN=GTS Root R1, O=Google Trust Services LLC, C=US + Google Trust Services LLC + gtsrootcar2 DN: CN=GTS Root R2, O=Google Trust Services LLC, C=US + Google Trust Services LLC + gtsrootecccar3 DN: CN=GTS Root R3, O=Google Trust Services LLC, C=US + Google Trust Services LLC + gtsrootecccar4 DN: CN=GTS Root R4, O=Google Trust Services LLC, C=US
The following root certificates have been added to the cacerts truststore:
+ Microsoft Corporation + microsoftecc2017 DN: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US + Microsoft Corporation + microsoftrsa2017 DN: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US
A virtual machine crash was observed in JDK 11.0.19 and 17.0.7 when executing the GregorianCalender.computeTime()
method (JDK-8307683). It was found that although the root cause of the crash is an old issue, a recent fix for a rare issue in the C2 compiler (JDK-8297951) made the crash much more likely. To mitigate this, the fix has been reverted in JDK 11.0.20 and 17.0.8 and will be reapplied once JDK-8307683 is resolved.
Starting with the July 2023 CPU, on operating systems where ASLR (Address Space Layout Randomization) is enabled, the CDS archive will be placed at a random address picked by the operating system.
This change may have a minor performance impact: (a) Start-up time may increase because the JVM needs to patch pointers inside the CDS archive. (b) Memory usage may increase because the memory used by the CDS archive is no longer shareable across processes. We expect the impact to be small because such increases should be only a small fraction of the overall application usage.
In the unlikely event that you must disable ASLR for CDS, you can use the JVM flags -XX:+UnlockDiagnosticVMOptions -XX:ArchiveRelocationMode=0
. The usage of such flags is not recommended.
A new system property, jdk.jar.maxSignatureFileSize
, has been added to allow applications to control the maximum size of signature files in a signed JAR. The value of the system property is the desired size in bytes. The default value is 8000000 bytes.
java.util.zip.ZipFile
has been updated to provide additional validation of ZIP64 extra fields when opening a ZIP file. This validation may be disabled by setting the system property jdk.util.zip.disableZip64ExtraFieldValidation
to true
.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 17.0.8:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8297241 | client-libs/2d | Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java |
2 | JDK-8022403 | client-libs/2d | sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails |
3 | JDK-8301998 | client-libs/2d | Update HarfBuzz to 7.0.1 |
4 | JDK-8288854 | client-libs/java.awt | getLocalGraphicsEnvironment() on for multi-screen setups throws exception NPE |
5 | JDK-8302151 | client-libs/javax.imageio | BMPImageReader throws an exception reading BMP images |
6 | JDK-8227257 | client-libs/javax.swing | javax/swing/JFileChooser/4847375/bug4847375.java fails with AssertionError |
7 | JDK-8283059 | core-libs | Uninitialized warning in check_code.c with GCC 11.2 |
8 | JDK-8275735 | core-libs | [linux] Remove deprecated Metrics api (kernel memory limit) |
9 | JDK-8286287 | core-libs/java.lang | Reading file as UTF-16 causes Error which "shouldn't happen" |
10 | JDK-8291638 | core-libs/java.net | Keep-Alive timeout of 0 should close connection immediately |
11 | JDK-8291637 | core-libs/java.net | HttpClient default keep alive timeout not followed if server sends invalid value |
12 | JDK-8287162 | core-libs/java.nio | (zipfs) Performance regression related to support for POSIX file permissions |
13 | JDK-8301119 | core-libs/java.nio.charsets | Support for GB18030-2022 |
14 | JDK-8295564 | core-libs/java.text | Norwegian Nynorsk Locale is missing formatting |
15 | JDK-8301216 | core-libs/java.util.concurrent | ForkJoinPool invokeAll() ignores timeout |
16 | JDK-8282227 | core-libs/java.util:i18n | Locale information for nb is not working properly |
17 | JDK-8305400 | core-libs/java.util:i18n | ISO 4217 Amendment 175 Update |
18 | JDK-8275721 | core-libs/java.util:i18n | Name of UTC timezone in a locale changes depending on previous code |
19 | JDK-8293540 | core-svc | [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts |
20 | JDK-8256811 | core-svc/debugger | Delayed/missed jdwp class unloading events |
21 | JDK-8280007 | hotspot/compiler | Enable Neoverse N1 optimizations for Arm Neoverse V1 & N2 |
22 | JDK-8299179 | hotspot/compiler | ArrayFill with store on backedge needs to reduce length by 1 |
23 | JDK-8302595 | hotspot/compiler | use-after-free related to GraphKit::clone_map |
24 | JDK-8299959 | hotspot/compiler | C2: CmpU::Value must filter overflow computation against local sub computation |
25 | JDK-8303564 | hotspot/compiler | C2: "Bad graph detected in build_loop_late" after a CMove is wrongly split thru phi |
26 | JDK-8303508 | hotspot/compiler | Vector.lane() gets wrong value on x86 |
27 | JDK-8299570 | hotspot/compiler | [JVMCI] Insufficient error handling when CodeBuffer is exhausted |
28 | JDK-8300079 | hotspot/compiler | SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument |
29 | JDK-8299259 | hotspot/compiler | C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE |
30 | JDK-8296318 | hotspot/compiler | use-def assert: special case undetected loops nested in infinite loops |
31 | JDK-8296412 | hotspot/compiler | Special case infinite loops with unmerged backedges in IdealLoopTree::check_safepts |
32 | JDK-8297730 | hotspot/compiler | C2: Arraycopy intrinsic throws incorrect exception |
33 | JDK-8301491 | hotspot/compiler | C2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument |
34 | JDK-8303588 | hotspot/compiler | [JVMCI] make JVMCI source directories conform with standard layout |
35 | JDK-8201516 | hotspot/compiler | DebugNonSafepoints generates incorrect information |
36 | JDK-8302508 | hotspot/compiler | Add timestamp to the output TraceCompilerThreads |
37 | JDK-8289748 | hotspot/compiler | C2 compiled code crashes with SIGFPE with -XX:+StressLCM and -XX:+StressGCM |
38 | JDK-8303511 | hotspot/compiler | C2: assert(get_ctrl(n) == cle_out) during unrolling |
39 | JDK-8291456 | hotspot/jvmti | com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4 |
40 | JDK-8280784 | hotspot/runtime | VM_Cleanup unnecessarily processes all thread oops |
41 | JDK-8294677 | hotspot/runtime | chunklevel::MAX_CHUNK_WORD_SIZE too small for some applications |
42 | JDK-8277946 | hotspot/runtime | NMT: Remove VM.native_memory shutdown jcmd command option |
43 | JDK-8301123 | hotspot/runtime | Enable Symbol refcounting underflow checks in PRODUCT |
44 | JDK-8295974 | hotspot/runtime | jni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames |
45 | JDK-8287007 | hotspot/runtime | [cgroups] Consistently use stringStream throughout parsing code |
46 | JDK-8278965 | hotspot/runtime | crash in SymbolTable::do_lookup |
47 | JDK-8301749 | hotspot/runtime | Tracking malloc pooled memory size |
48 | JDK-8213059 | install/install | Java .deb package implementation is incomplete |
49 | JDK-8293858 | security-libs/java.security | Change PKCS7 code to use default SecureRandom impl instead of SHA1PRNG |
50 | JDK-8280703 | security-libs/javax.crypto | CipherCore.doFinal(...) causes potentially massive byte[] allocations during decryption |
51 | JDK-8294906 | security-libs/javax.crypto:pkcs11 | Memory leak in PKCS11 NSS TLS server |
52 | JDK-8296329 | tools/jar | jar validator doesn't account for minor class file version |
53 | JDK-8278834 | tools/javac | Error "Cannot read field "sym" because "this.lvar[od]" is null" when compiling |
54 | JDK-8297587 | tools/jshell | Upgrade JLine to 3.22.0 |
55 | JDK-8280373 | xml/javax.xml.parsers | Update Xalan serializer / SystemIDResolver to align with JDK-8270492 |
56 | JDK-8301269 | xml/jaxp | Update Commons BCEL to Version 6.7.0 |