java

Consolidated JDK 17 Release Notes

Consolidated Release Notes

This page contains all of the release notes for the JDK 17 General Availability (GA) releases:

  • JDK 17.0.13 (GA)
  • JDK 17.0.12 (GA and BPR builds)
  • JDK 17.0.11 (GA and BPR builds)
  • JDK 17.0.10 (GA and BPR builds)
  • JDK 17.0.9 (GA and BPR builds)
  • JDK 17.0.8 (GA and BPR builds)
  • JDK 17.0.7 (GA and BPR builds)
  • JDK 17.0.6 (GA and BPR builds)
  • JDK 17.0.5 (GA and BPR builds)
  • JDK 17.0.4.1 (GA and BPR builds)
  • JDK 17.0.4 (GA and BPR builds)
  • JDK 17.0.3.1 (GA and BPR builds)
  • JDK 17.0.3 (GA and BPR builds)
  • JDK 17.0.2 (GA)
  • JDK 17.0.1 (GA)
  • JDK 17 (GA)

Java™ SE Development Kit 17, Update 17.0.13 (JDK 17.0.13)

Release date: October 15, 2024

The full version string for this update release is 17.0.13+10 (where "+" means "build"). The version number is 17.0.13.

 

IANA TZ Data 2024a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 17.0.13 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
1717.0.13+10
1111.0.25+9
81.8.0_431-b10

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.13) be used after the next critical patch update scheduled for January 21, 2025.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

 

Important Oracle JDK 17 License Update starting with JDK 17.0.13

JDK 17.0.13 is the first JDK 17 update release made available under the Oracle Technology Network License Agreement for Oracle Java SE (OTN for Java SE). This license is substantially different from the Oracle No-fee Terms and Conditions (NTFC) used in earlier JDK 17 updates. The OTN for Java SE license permits certain uses, such as personal use and development use, at no cost, but other uses authorized under the NFTC may no longer be available. Please review the terms carefully before using this product. An FAQ is available here.

 

New Features

security-libs/java.security
 Thread and Timestamp Options for java.security.debug System Property (JDK-8051959)

The java.security.debug system property now accepts arguments which add thread ID, thread name, caller information, and timestamp information to debug statements for all components or a specific component.

+timestamp can be appended to debug options to print a timestamp for that debug option. +thread can be appended to debug options to print thread and caller information for that debug option.

Examples: -Djava.security.debug=all+timestamp+thread adds timestamp and thread information to every debug statement generated.

-Djava.security.debug=properties+timestamp adds timestamp information to every debug statement generated for the properties component.

You can also specify -Djava.security.debug=help which will display a complete list of supported components and arguments.

See Printing Thread and Timestamp Information for more information.

 

Notable Issues Fixed

install/install
 JDK RPM Upgrade Leaves Orphan Alternatives Entry (JDK-8336107 (not public))

Fixed the issue with entries in the "java" and "javac" groups not being properly managed during an RPM upgrade.

Upgrading from an older Java RPM installed into a shared directory (/usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}) to a Java RPM installing into a version-specific directory (/usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}), results in the older Java entries in the "java" and "javac" groups not being deleted.

The issue does not manifest until the new Java is uninstalled. When it is uninstalled and Java from the lower release is installed, running Java commands like java or keytool without the full path specified will result in the "command not found" error. For example, install 21.0.3; upgrade it to 21.0.4; uninstall 21.0.4; install any Java update of 17 or 11 or 8 release; run "java" from the command line. The command will fail with the "command not found" error.

Manually delete orphan Java entries in the "java" and "javac" groups to workaround the issue.

 

Other Notes

core-libs/java.net
 New Default Limits in the JDK HTTP Implementations (JDK-8328286 (not public))

New Default limits have been added to HTTP in the JDK.

The JDK built-in implementation of the legacy URL protocol handler for HTTP, HttpURLConnection, and the new HttpClient, in the module java.net.http, now have a default limit on the maximum response headers size they will accept from a remote party. The limit is set by default at 384kB (393216 bytes) and is computed as the cumulative size of all header names and header values plus an overhead of 32 bytes per header name value pair.

The default value of the limit can be changed by specifying a positive value with the jdk.http.maxHeaderSize system property on the command line, or in the appropriate conf.properties or net.properties file. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.

The JDK built-in implementation of the com.sun.net.httpserver.HttpServer (jdk.httpserver) implements a similar limit for the maximum request header size the server is prepared to accept. The HttpServer limit can be changed by specifying a positive value with the sun.net.httpserver.maxReqHeaderSize system property on the command line. A negative or zero value is interpreted as no limit. The limit is set by default at 384kB (393216 bytes) and the size is computed in the same way as explained above. If the limit is exceeded, the connection is closed.

In addition, the JDK built-in implementation of the new java.net.http.HttpClient enforces two additional limits:

The system property jdk.httpclient.maxNonFinalResponses can be specified with a positive value on the java command line, or in the conf.properties or net.properties file, to control how many interim responses the client will accept before receiving a final response. An interim response is considered informational and is a response whose status is in the range [100, 199]. These responses are typically either handled internally or simply discarded by the implementation. The default limit is now set at a maximum of 8 interim responses before receiving the final response. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.

The system property jdk.httpclient.maxLiteralWithIndexing can be specified with a positive value on the java command line, or in the conf.properties or net.properties file, to control how many additions a server may request a client to make to the HPack dynamic table when decoding a set of headers. The default maximum value is now set to 512. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.

security-libs/java.security
 Added SSL.com TLS Root CA Certificates Issued in 2022 (JDK-8341057)

The following root certificates have been added to the cacerts truststore:

+ SSL.com

  + ssltlsrootecc2022
    DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US

+ SSL.com
  + ssltlsrootrsa2022
    DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US

security-libs/javax.net.ssl
 Disabled TLS_ECDH Cipher Suites (JDK-8279164)

The TLS_ECDH cipher suites have been disabled by default, by adding "ECDH" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. The TLS_ECDH cipher suites do not preserve forward-secrecy and are rarely used in practice. Note that some TLS_ECDH cipher suites were already disabled because they use algorithms that are disabled, such as 3DES and RC4. This action disables the rest. Any attempts to use cipher suites starting with "TLS_ECDH_" will fail with an SSLHandshakeException. Users can, at their own risk, re-enable these cipher suites by removing "ECDH" from the jdk.tls.disabledAlgorithms security property.

Please note that this change has no effect on the TLS_ECDHE cipher suites, which are still enabled by default.

security-libs/javax.net.ssl
 Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024 (JDK-8337664)

The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.

TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.

An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:

TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048),

OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net

If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Entrust Root certificates included in the JDK:

Root Certificates distrusted after 2024-11-11
Distinguished Name SHA-256 Fingerprint
CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US

73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C

CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5

CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39

CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88

CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net

6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77

CN=AffirmTrust Commercial, O=AffirmTrust, C=US

03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7

CN=AffirmTrust Networking, O=AffirmTrust, C=US

0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B

CN=AffirmTrust Premium, O=AffirmTrust, C=US

70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A

CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US

BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23


You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.

client-libs
 Relax the java.awt.Robot Specification (JDK-8307779)

This JDK release relaxes the specification of java.awt.Robot to account for possible platform and desktop environment access restrictions or limitations.

core-libs/java.lang
 System Property for Java SE Specification Maintenance Version (JDK-8330417)

This JDK implements Maintenance Release 1 of the Java SE 17 specification JSR 392. This is indicated by the new system property java.specification.maintenance.version having the value of "1".

core-libs/java.text
 MessageFormat ArgumentIndex Now Has a Limit (JDK-8331446 (not public))

In the JDK, java.text.MessageFormat now has an implementation limit for the ArgumentIndex pattern element. The hard limit for the value is 10,000.

If an ArgumentIndex value is equal to or exceeds the upper limit, an IllegalArgumentException will now be thrown by

  • MessageFormats constructors
  • applyPattern(String pattern) instance method
  • format(String pattern, Object... arguments) static method

De-serializing a MessageFormat object with an ArgumentIndex value at or over the limit will throw an InvalidObjectException.

core-svc/java.lang.management
 The ClassLoadingMXBean and MemoryMXBean isVerbose Methods Are Now Consistent with Their setVerbose Methods (JDK-8338139)

The ClassLoadingMXBean::setVerbose(boolean enabled) method will set class+load* logging on log output stdout to level info if enabled is true, and to level off otherwise. In contrast, the isVerbose method would check if exactly class+load logging was enabled at the info level on any log output. This could result in counter-intuitive behavior when logging class+load=info to a file via the command-line, as it caused isVerbose to return true, even after a call to setVerbose(false) had been made. A similar problem existed for the MemoryMXBean::isVerbose method. Starting with this release, the behavior is as follows:

  • ClassLoadingMXBean::isVerbose will return true only if class+load* logging (note the wildcard use) has been enabled at the info level (or above) on the stdout log output.
  • MemoryMXBean::isVerbose will return true only if gc logging has been enabled at the info level (or above) on the stdout log output.

security-libs/javax.crypto
 KEM.getInstance() Should Check If a Third-Party Security Provider Is Signed (JDK-8322971)

When instantiating a third-party security provider's implementation (class) of a KEM algorithm, the framework will determine the provider's codebase (JAR file) and verify its signature. In this way, JCA authenticates the provider and ensures that only providers signed by a trusted entity can be plugged into the JCA. This is consistent with other JCE service classes, such as Cipher, Mac, KeyAgreement, and others.

tools/launcher
 Available Locales Information Now Listed with -XshowSettings:locale Option (JDK-8310201)

The showSettings launcher option no longer prints available locales information by default, when -XshowSettings is used. The -XshowSettings:locale option will continue to print all settings related to available locales.

 

Updates to Third Party Libraries

Library New Version Module JBS
GIFlib 5.2.2 java.desktop JDK-8328999
Libpng 1.6.43 java.desktop JDK-8329004
PipeWire 0.3.68 java.desktop JDK-8308802 (not public)
JQuery 3.7.1 jdk.javadoc JDK-8330063

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.13:

# JBS Component Summary
1JDK-8328896client-libs/2dFontmetrics for large Fonts has zero width
2JDK-8282526client-libs/java.awtDefault icon is not painted properly
3JDK-8309621client-libs/java.awt[XWayland][Screencast] screen capture failure with sun.java2d.uiScale other than 1
4JDK-8280993client-libs/java.awt[XWayland] Popup is not closed on click outside of area controlled by XWayland
5JDK-8280994client-libs/java.awt[XWayland] Drag and Drop does not work in java -> wayland app direction
6JDK-8313697client-libs/java.awt[XWayland][Screencast] consequent getPixelColor calls are slow
7JDK-8309756client-libs/java.awt Occasional crashes with pipewire screen capture on Wayland
8JDK-8280982client-libs/java.awt[Wayland] [XWayland] java.awt.Robot taking screenshots
9JDK-8331011client-libs/java.awt[XWayland] TokenStorage fails under Security Manager
10JDK-8321176client-libs/java.awt[Screencast] make a second attempt on screencast failure
11JDK-8323801client-libs/javax.swing<s> tag doesn't strikethrough the text
12JDK-8326734client-libs/javax.swingtext-decoration applied to <span> lost when mixed with <u> or <s>
13JDK-8325179client-libs/javax.swingRace in BasicDirectoryModel.validateFileCache
14JDK-8294680client-libs/javax.swingRefactor scaled border rendering
15JDK-8328953client-libs/javax.swingJEditorPane.read throws ChangedCharSetException
16JDK-8335967client-libs/javax.swing"text-decoration: none" does not work with "A" HTML tags
17JDK-8320692client-libs/javax.swingNull icon returned for .exe without custom icon
18JDK-8319103client-libs/javax.swingPopups that request focus are not shown on Linux with Wayland
19JDK-8285497core-libs/java.langAdd system property for Java SE specification maintenance version
20JDK-8332424core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2024-05-16
21JDK-8334418core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2024-06-14
22JDK-8334653core-libs/java.util:i18nISO 4217 Amendment 177 Update
23JDK-8005885hotspot/compilerenhance PrintCodeCache to print more data
24JDK-8329126hotspot/compilerNo native wrappers generated anymore with -XX:-TieredCompilation after JDK-8251462
25JDK-8297878security-libs/javax.cryptoKEM: Implementation
26JDK-8261433security-libs/javax.crypto:pkcs11Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit
27JDK-8341059security-libs/javax.net.sslChange Entrust TLS distrust date to November 12, 2024
28JDK-8312229tools/javacCrash involving yield, switch and anonymous classes
29JDK-8326332tools/javadoc(tool)Unclosed inline tags cause misalignment in summary tables

Java SE 17.0.12 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.12 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 17.0.12.0.2

Bug Fixes

Release date: August 16, 2024
BugId Category Subcategory Summary
JDK-8336107 (not public) install JDK rpm upgrade from 11.0.23 to 11.0.25 leaves "orphan" alternatives entry

 

Changes in Java SE 17.0.12.0.1

Bug Fixes

July 16, 2024

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 17, Update 17.0.12 (JDK 17.0.12)

Release date: July 16, 2024

The full version string for this update release is 17.0.12+8 (where "+" means "build"). The version number is 17.0.12.

 

IANA TZ Data 2024a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 17.0.12 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
1717.0.12+8
1111.0.24+7
88u421-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.12) be used after the next critical patch update scheduled for October 15, 2024.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

 

Availability of Oracle JDK 17 under NFTC

Oracle JDK 17 LTS, released in September 2021, has been permissively licensed under the free Java license and will continue to be so until one year after the subsequent LTS release. Oracle designated Oracle JDK 21, released in September of 2023, as a Long Term Support (LTS) release. Therefore, update releases of Oracle JDK 17 after September of 2024 will switch to the Java SE OTN license, the same license under which we offer updates to Java 8 and 11. Users wishing to receive updates of the Oracle JDK under the free Java license should migrate to Oracle JDK 21.

 

New Features

security-libs/java.security
 New Security Category for -XshowSettings Launcher Option (JDK-8281658)

The -XshowSettings launcher has a new security category. Settings from security properties, security providers and TLS related settings are displayed with this option. A security sub-category can be passed as an argument to the security category option. See the output from java -X:

   -XshowSettings:security

       show all security settings and continue
   -XshowSettings:security:*sub-category*
       show settings for the specified security sub-category and continue. Possible *sub-category* arguments for this option include:
       all: show all security settings and continue
       properties: show security properties and continue
       providers: show static security provider settings and continue
       tls: show TLS related security settings and continue

Third party security provider details will be reported if they are included in the application class path or module path and such providers are configured in the java.security file.

 

Notable Issues Fixed

tools/jpackage
 jpackage May Produce an Inaccurate List of Required Packages on Debian Linux Distros (JDK-8295111)

Fixed an issue on Debian Linux distros where jpackage could not always build an accurate list of required packages from shared libraries with symbolic links in their paths, causing installations to fail due to missing shared libraries.

 

Removed Features and Options

install/install
 Remove Obsolete Desktop Integration from Linux Installers (JDK-8322234 (not public))

Delete nonfunctional desktop integration functionality from Linux installers. The installers will stop depositing files in /usr/share/icons, /usr/share/mime, and /usr/share/applications subtrees.

 

Other Notes

security-libs/java.security
 Added GlobalSign R46 and E46 Root CA Certificates (JDK-8316138)

The following root certificates have been added to the cacerts truststore:

+ GlobalSign

  + globalsignr46
    DN: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE

+ GlobalSign
  + globalsigne46
    DN: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE

security-libs/javax.net.ssl
 Disabled DTLS 1.0 (JDK-8256660)

DTLS 1.0 has been disabled by default, by adding "DTLSv1.0" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. DTLS 1.0 has weakened over time and lacks support for stronger cipher suites. Any attempts to use DTLSv1.0 will fail with an SSLHandshakeException. Users can, at their own risk, re-enable the version by removing "DTLSv1.0" from the jdk.tls.disabledAlgorithms security property.

infrastructure/build
 Native Executables and Libraries on Linux Use RPATH Instead of RUNPATH (JDK-8326891)

Native executables and libraries on Linux have switched to using RPATH instead of RUNPATH in this release.

JDK native executables and libraries use embedded runtime search paths to locate other internal JDK native libraries. On Linux these can be defined as either RPATH or RUNPATH. The main difference is that the dynamic linker considers RPATH before the LD_LIBRARY_PATH environment variable, while RUNPATH is only considered after LD_LIBRARY_PATH.

By making the change to using RPATH, it is no longer possible to replace JDK internal native libraries using LD_LIBRARY_PATH.

install/install
 Install DEB and RPM Java Packages in Version Directory (JDK-8325265 (not public))

The installation directory name of the Oracle JDK in RPM and DEB packages has changed from /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH} to /usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}.

Every update release will be installed in a separate directory on Linux platform.

Installers will create a /usr/java/jdk-${FEATURE}-oracle-${ARCH} link pointing to the installation directory to allow programs to find the latest JDK version in the ${FEATURE} release train.

 

Updates to Third Party Libraries

Library New Version Module JBS
LCMS 2.16 java.desktop JDK-8321489
Zlib Data Compression Library 1.3.1 java.base JDK-8324632

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.12:

# JBS Component Summary
1JDK-8318854client-libs/java.awt[macos14] Running any AWT app prints Secure coding warning
2JDK-8317771client-libs/javax.accessibility[macos14] Expand/collapse a JTree using keyboard freezes the application in macOS 14 Sonoma
3JDK-8296878client-libs/javax.swingDocument Filter attached to JPasswordField and setText("") is not cleared instead inserted characters replaced with unicode null characters
4JDK-8322239client-libs/javax.swing[macos] a11y : java.lang.NullPointerException is thrown when focus is moved on the JTabbedPane
5JDK-8187759client-libs/javax.swingBackground not refreshed when painting over a transparent JFrame
6JDK-8320570core-libs/java.langNegativeArraySizeException decoding >1G UTF8 bytes with non-ascii characters
7JDK-8302791core-libs/java.lang:class_loadingAdd specific ClassLoader object to Proxy IllegalArgumentException message
8JDK-8319436core-libs/java.lang:reflectProxy.newProxyInstance throws NPE if loader is null and interface not visible from class loader
9JDK-8306040core-libs/java.netHttpResponseInputStream.available() returns 1 on empty stream
10JDK-8318599core-libs/java.netHttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809
11JDK-8292044core-libs/java.netHttpClient doesn't handle 102 or 103 properly
12JDK-8263940core-libs/java.nioNPE when creating default file system when default file system provider is packaged as JAR file on class path
13JDK-8280113core-libs/java.nio(dc) DatagramSocket.receive does not always throw when the channel is closed
14JDK-8318322core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-10-16
15/td>JDK-8304761core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-03-22
16JDK-8302512core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-02-14
17JDK-8306031core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-04-13
18JDK-8308021core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-05-11
19JDK-8327631core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2024-03-07
20JDK-8313702core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-08-02
21JDK-8321599hotspot/compilerData loss in AVX3 Base64 decoding
22JDK-8310844hotspot/compiler[AArch64] C1 compilation fails because monitor offset in OSR buffer is too large for immediate
23JDK-8324050hotspot/compilerIssue store-store barrier after re-materializing objects during deoptimization
24JDK-8326638hotspot/compilerCrash in PhaseIdealLoop::remix_address_expressions due to unexpected Region instead of Loop
25JDK-8319372hotspot/compilerC2 compilation fails with "Bad immediate dominator info"
26JDK-8282414hotspot/compilerx86: Enhance the assembler to generate more compact instructions
27JDK-8298129hotspot/jfrLet checkpoint event sizes grow beyond u4 limit
28JDK-8298649hotspot/jfrJFR: RemoteRecordingStream support for checkpoint event sizes beyond u4
29JDK-8286740hotspot/jfrJFR: Active Setting event emitted incorrectly
30JDK-8326106hotspot/jfrWrite and clear stack trace table outside of safepoint
31JDK-8298472hotspot/runtimeAArch64: Detect Ampere-1 and Ampere-1A CPUs and set default options
32JDK-8278241hotspot/runtimeImplement JVM SpinPause on linux-aarch64
33JDK-8296437hotspot/runtimeNMT incurs costs if disabled
34JDK-8327036hotspot/runtime[macosx-aarch64] SIGBUS in MarkActivationClosure::do_code_blob reached from Unsafe_CopySwapMemory0
35JDK-8319048hotspot/runtimeMonitor deflation unlink phase prolongs time to safepoint
36JDK-8324933hotspot/runtimeConcurrentHashTable::statistics_calculate synchronization is expensive
37JDK-8296343security-libs/java.securityCPVE thrown on missing content-length in OCSP response
38JDK-8326643security-libs/java.securityJDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message
39JDK-8312383security-libs/javax.net.sslLog X509ExtendedKeyManager implementation class name in TLS/SSL connection
40JDK-8303809security-libs/org.ietf.jgssDispose context in SPNEGO NegotiatorImpl
41JDK-8294699tools/jpackageLauncher causes lingering busy cursor
42JDK-8325203tools/jpackageSystem.exit(0) kills the launched 3rd party application

Java SE 17.0.11 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.11 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 17.0.11.0.2

Bug Fixes

June 21, 2024
BugId Category Subcategory Description
JDK-8331885 hotspot compiler C2: meet between unloaded and speculative types is not symmetric

 

Changes in Java SE 17.0.11.0.1

Bug Fixes

May 24, 2024
BugId Category Subcategory Description
JDK-8322726 hotspot compiler C2: Unloaded signature class kills argument value
JDK-8321151 client-libs javas.swing JDK-8294427 breaks Windows L&F on all older Windows versions

Java™ SE Development Kit 17, Update 17.0.11 (JDK 17.0.11)

Release date: April 16, 2024

The full version string for this update release is 17.0.11+7 (where "+" means "build"). The version number is 17.0.11.

 

IANA TZ Data 2024a

JDK 17.0.11 contains IANA time zone data 2024a which contains the following changes:

  • Ittoqqortoormiit, Greenland changes time zones on 2024-03-31.
  • Vostok, Antarctica changed time zones on 2023-12-18.
  • Casey, Antarctica changed time zones five times since 2020.
  • Code and data fixes for Palestine timestamps starting in 2072.
  • A new data file zonenow.tab for timestamps starting now.
  • Kazakhstan unifies on UTC+5 beginning 2024-03-01.
  • Palestine springs forward a week later after Ramadan.
  • zic no longer pretends to support indefinite-past DST.
  • localtime no longer mishandles Ciudad Juárez in 2422.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 17.0.11 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
1717.0.11+7
1111.0.23+7
88u411-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.11) be used after the next critical patch update scheduled for July 16, 2024.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

 

Availability of Oracle JDK 17 under NFTC

Oracle JDK 17 LTS, released in September 2021, has been permissively licensed under the free Java license and will continue to be so until one year after the subsequent LTS release. Oracle designated Oracle JDK 21, released in September of 2023, as a Long Term Support (LTS) release. Therefore, update releases of Oracle JDK 17 after September of 2024 will switch to the Java SE OTN license, the same license under which we offer updates to Java 8 and 11. Users wishing to receive updates of the Oracle JDK under the free Java license should migrate to Oracle JDK 21.

 

New Features

security-libs/javax.crypto
 Update XML Security for Java to 3.0.3 (JDK-8319124)

The XML Signature implementation has been updated to Santuario 3.0.3. Support for four new SHA-3 based RSA-MGF1 signature methods have been added: SHA3_224_RSA_MGF1, SHA3_256_RSA_MGF1, SHA3_384_RSA_MGF1, and SHA3_512_RSA_MGF1. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK update releases, they may be represented as string literals in order to be functionally equivalent. SHA-3 hash algorithm support was delivered to JDK 9 via JEP 287. Releases earlier than that may use third party security providers.

Additionally, support for the following EdDSA signatures has been added: ED25519 and ED448. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK Update releases, they may be represented as string literals in order to be functionally equivalent. The JDK supports EdDSA since JDK 15. Releases earlier than that may use 3rd party security providers. One other difference is that the JDK still supports the here() function by default. However, we recommend avoiding the use of the here() function in new signatures and replacing existing signatures that use the here() function. Future versions of the JDK will likely disable, and eventually remove, support for this function, as it cannot be supported using the standard Java XPath API. Users can now disable the here() function by setting the security property jdk.xml.dsig.hereFunctionSupported to "false".

 

Known Issues

tools/jpackage
 jpackage Apps May Fail to Build on Debian Linux Distros Due to Missing Shared Libraries (JDK-8295111)

There is an issue on Debian Linux distros where jpackage could not always build an accurate list of required packages from shared libraries with symbolic links in their paths, causing installations to fail due to missing shared libraries.

 

Other Notes

client-libs/java.awt
 AWT SystemTray API Is Not Supported on Most Linux Desktops (JDK-8322750)

The java.awt.SystemTray API is used for notifications in a desktop taskbar and may include an icon representing an application. On Linux, the Gnome desktop's own icon support in the taskbar has not worked properly for several years due to a platform bug. This, in turn, has affected the JDK's API, which relies upon that.

Therefore, in accordance with the existing Java SE specification, java.awt.SystemTray.isSupported() will return false where ever the JDK determines the platform bug is likely to be present.

The impact of this is likely to be limited since applications always must check for that support anyway. Additionally, some distros have not supported the SystemTray for several years unless the end-user chooses to install non-bundled desktop extensions.

security-libs/java.security
 Added Certainly R1 and E1 Root Certificates (JDK-8321408)

The following root certificates have been added to the cacerts truststore:

+ Certainly

  + certainlyrootr1
    DN: CN=Certainly Root R1, O=Certainly, C=US
+ Certainly
  + certainlyroote1
    DN: CN=Certainly Root E1, O=Certainly, C=US

 

Updates to Third Party Libraries

Library New Version Module JBS
FreeType 2.13.2 java.desktop JDK-8316028
HarfBuzz 8.2.2 java.desktop JDK-8313643
libpng 1.6.40 java.desktop JDK-8316030
Xalan Java 2.7.3 java.xml JDK-8305814
XML Security for Java 3.0.3 java.xml.crypto JDK-8319124

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.11:

# JBS Component Summary
1JDK-8318951client-libs/2dAdditional negative value check in JPEG decoding
2JDK-8301846client-libs/javax.soundInvalid TargetDataLine after screen lock when using JFileChooser or COM library
3JDK-8299058core-libs/java.netAssertionError in sun.net.httpserver.ServerImpl when connection is idle
4JDK-8321480core-libs/java.util:i18nISO 4217 Amendment 176 Update
5JDK-8271118hotspot/compilerC2: StressGCM should have higher priority than frequency-based policy
6JDK-8316679hotspot/compilerC2 SuperWord: wrong result, load should not be moved before store if not comparable
7JDK-8274060hotspot/compilerC2: Incorrect computation after JDK-8273454
8JDK-8273454hotspot/compilerC2: Transform (-a)*(-b) into a*b
9JDK-8315920hotspot/compilerC2: "control input must dominate current control" assert failure
10JDK-8297968hotspot/compilerCrash in PrintOptoAssembly
11JDK-8321215hotspot/compilerIncorrect x86 instruction encoding for VSIB addressing mode
12JDK-8316414hotspot/compilerC2: large byte array clone triggers "failed: malformed control flow" assertion failure on linux-x86
13JDK-8320209hotspot/compilerVectorMaskGen clobbers rflags on x86_64
14JDK-8318889hotspot/compilerC2: add bailout after assert Bad graph detected in build_loop_late
15JDK-8317507hotspot/compilerC2 compilation fails with "Exceeded _node_regs array"
16JDK-8277919hotspot/jfrOldObjectSample event causing bloat in the class constant pool in JFR recording
17JDK-8287113hotspot/jfrJFR: Periodic task thread uses period for method sampling events
18JDK-8322321hotspot/runtimeAdd man page doc for -XX:+VerifySharedSpaces
19JDK-8312585hotspot/runtimeRename DisableTHPStackMitigation flag to THPStackMitigation
20JDK-8312182hotspot/runtimeTHPs cause huge RSS due to thread start timing issue
21JDK-8312620hotspot/runtimeWSL Linux build crashes after JDK-8310233
22JDK-8312394hotspot/runtime[linux] SIGSEGV if kernel was built without hugepage support
23JDK-8323243hotspot/runtimeJNI invocation of an abstract instance method corrupts the stack
24JDK-8320208security-libs/java.securityUpdate Public Suffix List to b5bf572
25JDK-8302182security-libs/java.securityUpdate Public Suffix List to 88467c9
26JDK-8307185security-libs/javax.crypto:pkcs11pkcs11 native libraries make JNI calls into java code while holding GC lock
27JDK-8277307security-libs/javax.net.sslPre shared key sent under both session_ticket and pre_shared_key extensions
28JDK-8284910security-libs/javax.securityBuffer clean in PasswordCallback
29JDK-8318971tools/jarBetter Error Handling for Jar Tool When Processing Non-existent Files
30JDK-8308245tools/javacAdd -proc:full to describe current default annotation processing policy
31JDK-8298087xml/javax.xml.validationXML Schema Validation reports an required attribute twice via ErrorHandler

Java SE 17.0.10 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.10 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 17.0.10.0.1

Bug Fixes

January 16, 2024

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 17, Update 17.0.10 (JDK 17.0.10)

January 16, 2024

The full version string for this update release is 17.0.10+11 (where "+" means "build"). The version number is 17.0.10.

 

IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 17.0.10 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
1717.0.10+11
1111.0.22+9
88u401-b10

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.10) be used after the next critical patch update scheduled for April 16, 2024.

Java SE Subscription products customers managing JRE updates/installs for large number of desktops should consider using Java Management Service (JMS).

 

New Features

security-libs/javax.xml.crypto
 New System Property to Toggle XML Signature Secure Validation Mode (JDK-8301260)

A new system property named org.jcp.xml.dsig.secureValidation has been added. It can be used to enable or disable the XML Signature secure validation mode. The system property should be set to "true" to enable, or "false" to disable. Any other value for the system property is treated as "false". If the system property is set, it supersedes the XMLCryptoContext property value.

By default, secure validation mode is enabled. Disabling secure validation mode is done at your own risk.

 

Known Issues

hotspot/compiler
 Potential Performance Regression Due to Limited Range Check Elimination (JDK-8314468 (not public))

When the C1 compiler is the only compiler available to the VM, it applies loop predication to remove array access range checks from loop bodies. Due to a defect, this optimization was disabled, potentially leading to a performance regression.

This only affects the client VM or VM's running with the non-default command line flags -XX:+NeverActAsServerClassMachine or -XX:TieredStopAtLevel=[1,2,3].

 

Other Notes

security-libs/java.security
 Increase Default Value of the System Property jdk.jar.maxSignatureFileSize (JDK-8312489)

The system property, jdk.jar.maxSignatureFileSize, allows applications to control the maximum size of signature files in a signed JAR. Its default value has been increased from 8000000 bytes (8 MB) to 16000000 bytes (16 MB).

security-libs/java.security
 Added Four Root Certificates from DigiCert, Inc. (JDK-8318759)

The following root certificates have been added to the cacerts truststore:

+ DigiCert, Inc.

  + digicertcseccrootg5
    DN: CN=CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicertcsrsarootg5
    DN: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlseccrootg5
    DN: DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlsrsarootg5
    DN: DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US

security-libs/java.security
 Added Three Root Certificates from eMudhra Technologies Limited (JDK-8319187)

The following root certificates have been added to the cacerts truststore:

+ eMudhra Technologies Limited

  + emsignrootcag1
    DN: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsigneccrootcag3
    DN: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsignrootcag2
    DN: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

security-libs/java.security
 Added Telia Root CA v2 Certificate (JDK-8317373)

The following root certificate has been added to the cacerts truststore:

+ Telia Root CA v2

  + teliarootcav2
    DN: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI

security-libs/java.security
 Added ISRG Root X2 CA Certificate from Let's Encrypt (JDK-8317374)

The following root certificate has been added to the cacerts truststore:

+ Let's Encrypt

  + letsencryptisrgx2
    DN: CN=ISRG Root X2, O=Internet Security Research Group, C=US

security-libs/javax.net.ssl
 Call X509KeyManager.chooseClientAlias Once for All Key Types (JDK-8262186)

The (D)TLS implementation in JDK now calls X509KeyManager.chooseClientAlias() only once during handshaking for client authentication, even if there are multiple algorithms requested .

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.10:

# JBS Component Summary
1JDK-8238436client-libs/java.awtjava/awt/Frame/FrameLocationTest/FrameLocationTest.java fails
2JDK-8294427client-libs/javax.swingCheck boxes and radio buttons have rendering issues on Windows in High DPI env
3JDK-8282444core-libs/java.lang.moduleModule finder incorrectly assumes default file system path-separator character
4JDK-8293659core-libs/java.lang:class_loadingImprove UnsatisfiedLinkError error message to include dlopen error details
5JDK-8299015core-libs/java.netEnsure that HttpResponse.BodySubscribers.ofFile writes all bytes
6JDK-8274562core-libs/java.nio(fs) UserDefinedFileAttributeView doesn't correctly determine if supported when using OverlayFS
7JDK-8273162core-libs/java.utilAbstractSplittableWithBrineGenerator does not create a random salt
8JDK-8301637core-libs/java.util.concurrentThreadLocalRandom.current().doubles().parallel() contention
9JDK-8314263core-libs/java.util.loggingSigned jars triggering Logger finder recursion and StackOverflowError
10JDK-8303440core-libs/java.util:i18nThe "ZonedDateTime.parse" may not accept the "UTC+XX" zone id
11JDK-8313657core-libs/javax.namingcom.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors
12JDK-8314063core-libs/javax.namingThe socket is not closed in Connection::createSocket when the handshake failed for LDAP connection
13JDK-8299658hotspot/compilerC1 compilation crashes in LinearScan::resolve_exception_edge
14JDK-8301489hotspot/compilerC1: ShortLoopOptimizer might lift instructions before their inputs
15JDK-8313626hotspot/compilerC2 crash due to unexpected exception control flow
16JDK-8313402hotspot/compilerC1: Incorrect LoadIndexed value numbering
17JDK-8312909hotspot/compilerC1 should not inline through interface calls with non-subtype receiver
18JDK-8303279hotspot/compilerC2: crash in SubTypeCheckNode::sub() at IGVN split if
19JDK-8304954hotspot/compilerSegmentedCodeCache fails when using large pages
20JDK-8316178hotspot/compilerBetter diagnostic header for CodeBlobs
21JDK-8315377hotspot/compilerC2: assert(u->find_out_with(Op_AddP) == nullptr) failed: more than 2 chained AddP nodes?
22JDK-8316514hotspot/compilerBetter diagnostic header for VtableStub
23JDK-8314024hotspot/compilerSIGSEGV in PhaseIdealLoop::build_loop_late_post_work due to bad immediate dominator info
24JDK-8313262hotspot/compilerC2: Sinking node may cause required cast to be dropped
25JDK-8312440hotspot/compilerassert(cast != nullptr) failed: must have added a cast to pin the node
26JDK-8313756hotspot/compiler[BACKOUT] 8308682: Enhance AES performance
27JDK-8313760hotspot/compiler[REDO] Enhance AES performance
28JDK-8308103hotspot/compilerMassive (up to ~30x) increase in C2 compilation time since JDK 17
29JDK-8309119hotspot/compiler[17u/11u] Redo JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication
30JDK-8307683hotspot/compilerLoop Predication should not hoist range checks with trap on success projection by negating their condition
31JDK-8275333hotspot/gcPrint count in "Too many recored phases?" assert
32JDK-8316906hotspot/gcClarify TLABWasteTargetPercent flag
33JDK-8270894hotspot/runtimeUse acquire semantics in ObjectSynchronizer::read_stable_mark()
34JDK-8305994hotspot/runtimeGuarantee eventual async monitor deflation
35JDK-8309228hotspot/runtimeClarify EXPERIMENTAL flags comment in hotspot/share/runtime/globals.hpp
36JDK-8306825hotspot/runtimeMonitor deflation might be accidentally disabled by zero intervals
37JDK-8279545hotspot/runtimeBuffer overrun in reverse_words of sharedRuntime_x86_64.cpp:3517
38JDK-8283326hotspot/runtimeImplement SafeFetch statically
39JDK-8314679hotspot/svc-agentSA fails to properly attach to JVM after having just detached from a different JVM
40JDK-8320597security-libs/java.securityRSA signature verification fails on signed data that does not encode params correctly
41JDK-8302017security-libs/java.securityAllocate BadPaddingException only if it will be thrown
42JDK-8311592security-libs/javax.cryptoECKeySizeParameterSpec causes too many exceptions on third party providers
43JDK-8313742security-libs/javax.cryptoZipFile.getManifestName fails during jar verification for Spring Boot
44JDK-8291154tools/javacCreate a non static nested class without enclosing class throws VerifyError
45JDK-8301247tools/jpackageJPackage app-image exe launches multiple exe's in JDK 17+
46JDK-8313792tools/jshellVerify 4th party information in src/jdk.internal.le/share/legal/jline.md

Java SE 17.0.9 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.9 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 17.0.9.0.3

Bug Fixes

December 8, 2023
BugId Category Subcategory Description
JDK-8054022 core-libs java.net HttpURLConnection timeouts with Expect: 100-Continue and no chunking
JDK-8313742 security-libs javax.crypto ZipFile.getManifestName fails during jar verification for Spring Boot

 

Changes in Java SE 17.0.9.0.2

November 13, 2023

security-libs/java.security
 Increase Default Value of the System Property jdk.jar.maxSignatureFileSize (JDK-8312489)

The system property, jdk.jar.maxSignatureFileSize, allows applications to control the maximum size of signature files in a signed JAR. Its default value has been increased from 8000000 bytes (8 MB) to 16000000 bytes (16 MB).

Bug Fixes

BugId Category Subcategory Description
JDK-8312489 security-libs java.security Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar

 

Changes in Java SE 17.0.9.0.1+2

Bug Fixes

October 17, 2023
BugId Category Subcategory Description
JDK-8309489 (not public) install install 17.0.7/11.0.19 and later fail to run jar file via UNC path when using .exe files under javapath
JDK-8317121 (not public) hotspot compiler vector_masked_load instruction is moved too early after JDK-8286941

Java™ SE Development Kit 17, Update 17.0.9 (JDK 17.0.9)

October 17, 2023

The full version string for this update release is 17.0.9+11 (where "+" means "build"). The version number is 17.0.9.

 

IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.9 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
1717.0.9+11
1111.0.21+9
88u391-b13

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.9) be used after the next critical patch update scheduled for January 16, 2024.

 

New Features

tools/launcher
 -XshowSettings:locale Output Now Includes Tzdata Version (JDK-8305950)

The -XshowSettings launcher option has been enhanced to print the tzdata version configured with the JDK. The tzdata version is displayed as part of the locale showSettings option.

Example output using -X:showSettings:locale:

.....

Locale settings:
    default locale = English
    default display locale = English
    default format locale = English
    tzdata version = 2023c
    .....

 

Removed Features and Options

security-libs/java.security
 Removed SECOM Trust System's RootCA1 Root Certificate (JDK-8295894)

The following root certificate from SECOM Trust System has been removed from the cacerts keystore:

+ alias name "secomscrootca1 [jdk]"

  Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP

 

Other Notes

security-libs/java.security
 Added Certigna Root CA Certificate (JDK-8314960)

The following root certificate has been added to the cacerts truststore:

+ Certigna (Dhimyotis)

  + certignarootca
    DN: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR

security-libs/javax.net.ssl
 The Default TLS Diffie-Hellman Group Size Has Been Increased from 1024-bit to 2048-bit (JDK-8301700)

The JDK implementation of TLS 1.2 now uses a default Diffie Hellman keysize of 2048 bits when a TLS_DHE cipher suite is negotiated and either the client or server does not support FFDHE, which can negotiate a stronger keysize. The JDK TLS implementation supports FFDHE and it is enabled by default.

As a workaround, users can revert to the previous size by setting the jdk.tls.ephemeralDHKeySize system property to 1024 (at their own risk).

This change does not affect TLS 1.3 as the minimum DH group size is already 2048 bits.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.9:

# JBS Component Summary
1JDK-8298887client-libsOn the latest macOS+XCode the Robot API may report wrong colors
2JDK-8306881client-libs/2dUpdate FreeType to 2.13.0
3JDK-8307301client-libs/2dUpdate HarfBuzz to 7.2.0
4JDK-8312555client-libs/2dIdeographic characters aren't stretched by AffineTransform.scale(2, 1)
5JDK-8304054client-libs/java.awtLinux: NullPointerException from FontConfiguration.getVersion in case no fonts are installed
6JDK-8311689client-libs/java.awtWrong visible amount in Adjustable of ScrollPane
7JDK-8310054client-libs/java.awtScrollPane insets are incorrect
8JDK-8297923client-libs/java.awtjava.awt.ScrollPane broken after multiple scroll up/down
9JDK-8305815client-libs/java.awtUpdate Libpng to 1.6.39
10JDK-6176679client-libs/java.awtApplication freezes when copying an animated gif image to the system clipboard
11JDK-8286481client-libs/java.awtException printed to stdout on Windows when storing transparent image in clipboard
12JDK-8288589core-libs/java.langFiles.readString ignores encoding errors for UTF-16
13JDK-8287541core-libs/java.langFiles.writeString fails to throw IOException for charset "windows-1252"
14JDK-8300098core-libs/java.util.concurrentjava/util/concurrent/ConcurrentHashMap/ConcurrentAssociateTest.java fails with internal timeout when executed with TieredCompilation1/3
15JDK-8313765core-libs/java.util.jarInvalid CEN header (invalid zip64 extra data field size)
16JDK-8281560core-libs/java.util.regexMatcher.hitEnd returns unexpected results in presence of CANON_EQ flag.
17JDK-8300659core-svc/java.lang.managementRefactor TestMemoryAwareness to use WhiteBox api for host values
18JDK-8303937core-svc/toolsCorrupted heap dumps due to missing retries for os::write()
19JDK-8274243hotspot/compilerImplement fast-path for ASCII-compatible CharsetEncoders on aarch64
20JDK-8299544hotspot/compilerImprove performance of CRC32C intrinsics (non-AVX-512) for small inputs
21JDK-8153837hotspot/compilerAArch64: Handle special cases for MaxINode & MinINode
22JDK-8272586hotspot/compileremit abstract machine code in hs-err logs
23JDK-8308192hotspot/compilerError in parsing replay file when staticfield is an array of single dimension
24JDK-8309266hotspot/compilerC2: assert(final_con == (jlong)final_int) failed: final value should be integer
25JDK-8300584hotspot/compilerAccelerate AVX-512 CRC32C for small buffers
26JDK-8274986hotspot/compilermax code printed in hs-err logs should be configurable
27JDK-8310126hotspot/compilerC1: Missing receiver null check in Reference::get intrinsic
28JDK-8284760hotspot/compilerCorrect type/array element offset in LibraryCallKit::get_state_from_digest_object()
29JDK-8299158hotspot/compilerImprove MD5 intrinsic on AArch64
30JDK-8303154hotspot/compilerInvestigate and improve instruction cache flushing during compilation
31JDK-8252990hotspot/compilerIntrinsify Unsafe.storeStoreFence
32JDK-8305088hotspot/compilerSIGSEGV in Method::is_method_handle_intrinsic
33JDK-8296545hotspot/compilerC2 Blackholes should allow load optimizations
34JDK-8292713hotspot/compilerUnsafe.allocateInstance should be intrinsified without UseUnalignedAccesses
35JDK-8302736hotspot/compilerMajor performance regression in Math.log on aarch64
36JDK-8307572hotspot/compilerAArch64: Vector registers are clobbered by some macroassemblers
37JDK-8280396hotspot/gcG1: Full gc mark stack draining should prefer to make work available to other threads
38JDK-8308643hotspot/gcIncorrect value of 'used' jvmstat counter
39JDK-8284532hotspot/jfrMemory leak in BitSet::BitMapFragmentTable in JFR leak profiler
40JDK-8283520hotspot/jfrJFR: Memory leak in dcmd_arena
41JDK-8307526hotspot/jfr[JFR] Better handling of tampered JFR repository
42JDK-8309862hotspot/jfrUnsafe list operations in JfrStringPool
43JDK-8307331hotspot/jvmtiCorrectly update line maps when class redefine rewrites bytecodes
44JDK-8306428hotspot/runtimeRunThese30M.java crashed with assert(early->flag() == current->flag() || early->flag() == mtNone)
45JDK-8297887hotspot/runtimeUpdate Siphash
46JDK-8305425hotspot/runtimeThread.isAlive0 doesn't need to call into the VM
47JDK-8269466hotspot/runtimeFactor out the common code for initializing and starting internal VM JavaThreads
48JDK-8287854hotspot/runtimeDangling reference in ClassVerifier::verify_class
49JDK-8303215hotspot/runtimeMake thread stacks not use huge pages
50JDK-8290067hotspot/runtimeShow stack dimensions in UL logging when attaching threads
51JDK-8283849hotspot/svcAsyncGetCallTrace may crash JVM on guarantee
52JDK-8301170hotspot/svcperfMemory_windows.cpp add free_security_attr to early returns
53JDK-8295657hotspot/svc-agentSA: Allow larger object alignments
54JDK-8304671tools/javacjavac regression: Compilation with --release 8 fails on underscore in enum identifiers
55JDK-8275233tools/javacIncorrect line number reported in exception stack trace thrown from a lambda expression
56JDK-8268582tools/javadoc(tool)javadoc throws NPE with --ignore-source-errors option

Java SE 17.0.8 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.8 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 17.0.8.0.2

Bug Fixes

BugId Category Subcategory Description
JDK-8313765 core-libs java.util.jar Invalid CEN header (invalid zip64 extra data field size)
JDK-8232933 tools javac Javac inferred type does not conform to equality constraint

Java™ SE Development Kit 17, Update 17.0.8 (JDK 17.0.8)

July 18, 2023

The full version string for this update release is 17.0.8+9 (where "+" means "build"). The version number is 17.0.8.

 

IANA TZ Data 2023c

JDK 17.0.8 contains IANA time zone data 2023c which contains the following changes:

  • Egypt now uses DST again, from April through October.
  • This year Morocco springs forward April 23, not April 30.
  • Palestine delays the start of DST this year.
  • Much of Greenland still uses DST from 2024 on.
  • America/Yellowknife now links to America/Edmonton.
  • tzselect can now use current time to help infer timezone.
  • The code now defaults to C99 or later.
  • Fix use of C23 attributes.
  • This release's code and data are identical to 2023a.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.8 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
1717.0.8+9
1111.0.20+9
88u381-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.8) be used after the next critical patch update scheduled for October 17, 2023.

 

New Features

core-libs/java.nio.charsets
 Support for GB18030-2022 (JDK-8307229)

The China National Standard body (CESI) has recently published GB18030-2022, which is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The Charset implementation for this new standard has now replaced the prior 2000 standard. However, this new standard has some incompatible changes from the prior implementation. For those who need to use the old mappings, a new system property, jdk.charset.GB18030, is introduced. By setting its value to 2000, the previous JDK releases' mappings for the GB18030 Charset are used, which are based on the 2000 standard.

security-libs/java.security
 Windows KeyStore Updated to Include Access to the Local Machine Location (JDK-6782021)

The Windows KeyStore support in the SunMSCAPI provider has been expanded to include access to the local machine location. The new keystore types are:

  • "Windows-MY-LOCALMACHINE"
  • "Windows-ROOT-LOCALMACHINE"

The following keystore types were also added, allowing developers to make it clear they map to the current user:

  • "Windows-MY-CURRENTUSER" (same as "Windows-MY")
  • "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT")

security-libs/java.security
 New JFR Event: jdk.SecurityProviderService (JDK-8254711)

A new Java Flight Recorder (JFR) event has been added to record details of java.security.Provider.getService(String type, String algorithm) calls.

The new event name is jdk.SecurityProviderService and contains the following fields:

Field name Field Description
type Type of Service
algorithm Algorithm Name
provider Security Provider

This event is disabled by default and can be enabled via the JFR configuration files or via standard JFR options.

 

Known Issues

install
 Problem Upgrading JDK on Windows if System User Is Using Shared Files (JDK-8310932 (not public))

Installing into the same, shared jdk-(family) directory is the default behavior for the JDK starting with the July 2023 CPU. It could lead to FilesInUse issues if JDK files are locked by the "System User". We recommend shutting down any apps using the JDK as the "System User" before upgrading.

 

Other Notes

core-libs/java.nio
 System Property to Turn off JDK-8251329 Restrictions (JDK-8302992)

A new system property, jdk.nio.zipfs.allowDotZipEntry, has been introduced. This system property can be used to remove the newly added restrictions in the Zip FS provider, which currently rejects ZIP files that contain entries with "." or ".." in name elements by default. Refer to the CSR for more detail.

install/install
 Debian JDK Installer Changes (JDK-8284854)

The installation directory of Oracle JDK Debian package has changed from /usr/lib/jvm/jdk-${FEATURE} to /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}.

The Oracle JDK Debian package registers jexec as an interpreter for launching .jar files from the command line.

The Oracle JDK Debian package configures storage for Java Preferences API in /etc/.java/.systemPrefs directory.

The Oracle JDK Debian package registers JDK commands with update-alternatives command and supplies /usr/lib/jvm/.jdk-${FEATURE}-oracle-${ARCH}.jinfo file for update-java-alternatives command.

install/install
 Missing /usr/java/default Symlink on Linux Restored (JDK-8306690)

A regression where the /usr/java/default symlink is not created by RPM installers on Linux platforms has been fixed. Installers will create the /usr/java/default symlink if it doesn't exist, targeting the /usr/java/latest symlink.

install/install
 Installation of JDK RPM Corrupts Alternatives (JDK-8308244)

The JDK RPM installer will remove incorrectly constructed entries of "java" and "javac" groups registered by older Oracle JDK RPM installers from the alternatives before registering new "java" and "javac" entries.

An incorrectly constructed entry of the "java" group contains commands that are supposed to belong to the "javac" group.

An incorrectly constructed entry of the "javac" group contains commands that are supposed to belong to the "java" group.

All incorrectly constructed entries belonging to Oracle JDK RPM packages will be removed from the alternatives to avoid corruption of the alternatives internal data.

The removal has a potential side effect for users who have installed multiple JDK versions that are not updated to the latest release. Commands from a removed "java" or "javac" group are now unavailable for system Java switch, which potentially changes the current system Java without a warning. For example, if there is an out-of-date JDK RPM from an 11+ release, say 11.0.17, with an incorrectly constructed single "java" group installed and 8u381 RPM with this patch is installed, it will remove an entry from the "java" group belonging to the 11.0.17 RPM and thus will switch the current system Java from 11.0.17 to 8u381. The side effect will only happen when you install a lower JDK family with the fix, such as 8u381, and there is an out-of-date JDK from a higher family, such as 11.0.17, installed on the system. In that case, 8u381 will replace the older 11.0.17 as the latest. The remedy for the user is to install the latest JDK 11.

security-libs/java.security
 Added TWCA Root CA Certificate (JDK-8305975)

The following root certificate has been added to the cacerts truststore:

+ TWCA

  + twcaglobalrootca
    DN: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW

security-libs/java.security
 Added 4 GTS Root CA Certificates (JDK-8307134)

The following root certificates have been added to the cacerts truststore:

+ Google Trust Services LLC

 + gtsrootcar1
  DN: CN=GTS Root R1, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootcar2
  DN: CN=GTS Root R2, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootecccar3
  DN: CN=GTS Root R3, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootecccar4
  DN: CN=GTS Root R4, O=Google Trust Services LLC, C=US

security-libs/java.security
 Added Microsoft Corporation's 2 TLS Root CA Certificates (JDK-8304760)

The following root certificates have been added to the cacerts truststore:

+ Microsoft Corporation

  + microsoftecc2017
    DN: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US

+ Microsoft Corporation
  + microsoftrsa2017
    DN: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US

hotspot/compiler
 GregorianCalender.computeTime() JVM Crash (JDK-8308884)

A virtual machine crash was observed in JDK 11.0.19 and 17.0.7 when executing the GregorianCalender.computeTime() method (JDK-8307683). It was found that although the root cause of the crash is an old issue, a recent fix for a rare issue in the C2 compiler (JDK-8297951) made the crash much more likely. To mitigate this, the fix has been reverted in JDK 11.0.20 and 17.0.8 and will be reapplied once JDK-8307683 is resolved.

hotspot/runtime
 ASLR Support for CDS Archive (JDK-8294323 (not public))

Starting with the July 2023 CPU, on operating systems where ASLR (Address Space Layout Randomization) is enabled, the CDS archive will be placed at a random address picked by the operating system.

This change may have a minor performance impact: (a) Start-up time may increase because the JVM needs to patch pointers inside the CDS archive. (b) Memory usage may increase because the memory used by the CDS archive is no longer shareable across processes. We expect the impact to be small because such increases should be only a small fraction of the overall application usage.

In the unlikely event that you must disable ASLR for CDS, you can use the JVM flags -XX:+UnlockDiagnosticVMOptions -XX:ArchiveRelocationMode=0. The usage of such flags is not recommended.

security-libs/java.security
 New System Property to Control the Maximum Size of Signature Files (JDK-8300596 (not public))

A new system property, jdk.jar.maxSignatureFileSize, has been added to allow applications to control the maximum size of signature files in a signed JAR. The value of the system property is the desired size in bytes. The default value is 8000000 bytes.

core-libs/java.util.jar
 Improved ZIP64 Extra Field Validation (JDK-8302483 (not public))

java.util.zip.ZipFile has been updated to provide additional validation of ZIP64 extra fields when opening a ZIP file. This validation may be disabled by setting the system property jdk.util.zip.disableZip64ExtraFieldValidation to true.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.8:

# JBS Component Summary
1JDK-8297241client-libs/2dUpdate sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java
2JDK-8022403client-libs/2dsun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails
3JDK-8301998client-libs/2dUpdate HarfBuzz to 7.0.1
4JDK-8288854client-libs/java.awtgetLocalGraphicsEnvironment() on for multi-screen setups throws exception NPE
5JDK-8302151client-libs/javax.imageioBMPImageReader throws an exception reading BMP images
6JDK-8227257client-libs/javax.swingjavax/swing/JFileChooser/4847375/bug4847375.java fails with AssertionError
7JDK-8283059core-libsUninitialized warning in check_code.c with GCC 11.2
8JDK-8275735core-libs[linux] Remove deprecated Metrics api (kernel memory limit)
9JDK-8286287core-libs/java.langReading file as UTF-16 causes Error which "shouldn't happen"
10JDK-8291638core-libs/java.netKeep-Alive timeout of 0 should close connection immediately
11JDK-8291637core-libs/java.netHttpClient default keep alive timeout not followed if server sends invalid value
12JDK-8287162core-libs/java.nio(zipfs) Performance regression related to support for POSIX file permissions
13JDK-8301119core-libs/java.nio.charsetsSupport for GB18030-2022
14JDK-8295564core-libs/java.textNorwegian Nynorsk Locale is missing formatting
15JDK-8301216core-libs/java.util.concurrentForkJoinPool invokeAll() ignores timeout
16JDK-8282227core-libs/java.util:i18nLocale information for nb is not working properly
17JDK-8305400core-libs/java.util:i18nISO 4217 Amendment 175 Update
18JDK-8275721core-libs/java.util:i18nName of UTC timezone in a locale changes depending on previous code
19JDK-8293540core-svc[Metrics] Incorrectly detected resource limits with additional cgroup fs mounts
20JDK-8256811core-svc/debuggerDelayed/missed jdwp class unloading events
21JDK-8280007hotspot/compilerEnable Neoverse N1 optimizations for Arm Neoverse V1 & N2
22JDK-8299179hotspot/compilerArrayFill with store on backedge needs to reduce length by 1
23JDK-8302595hotspot/compileruse-after-free related to GraphKit::clone_map
24JDK-8299959hotspot/compilerC2: CmpU::Value must filter overflow computation against local sub computation
25JDK-8303564hotspot/compilerC2: "Bad graph detected in build_loop_late" after a CMove is wrongly split thru phi
26JDK-8303508hotspot/compilerVector.lane() gets wrong value on x86
27JDK-8299570hotspot/compiler[JVMCI] Insufficient error handling when CodeBuffer is exhausted
28JDK-8300079hotspot/compilerSIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument
29JDK-8299259hotspot/compilerC2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE
30JDK-8296318hotspot/compileruse-def assert: special case undetected loops nested in infinite loops
31JDK-8296412hotspot/compilerSpecial case infinite loops with unmerged backedges in IdealLoopTree::check_safepts
32JDK-8297730hotspot/compilerC2: Arraycopy intrinsic throws incorrect exception
33JDK-8301491hotspot/compilerC2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument
34JDK-8303588hotspot/compiler[JVMCI] make JVMCI source directories conform with standard layout
35JDK-8201516hotspot/compilerDebugNonSafepoints generates incorrect information
36JDK-8302508hotspot/compilerAdd timestamp to the output TraceCompilerThreads
37JDK-8289748hotspot/compilerC2 compiled code crashes with SIGFPE with -XX:+StressLCM and -XX:+StressGCM
38JDK-8303511hotspot/compilerC2: assert(get_ctrl(n) == cle_out) during unrolling
39JDK-8291456hotspot/jvmticom/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4
40JDK-8280784hotspot/runtimeVM_Cleanup unnecessarily processes all thread oops
41JDK-8294677hotspot/runtimechunklevel::MAX_CHUNK_WORD_SIZE too small for some applications
42JDK-8277946hotspot/runtimeNMT: Remove VM.native_memory shutdown jcmd command option
43JDK-8301123hotspot/runtimeEnable Symbol refcounting underflow checks in PRODUCT
44JDK-8295974hotspot/runtimejni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames
45JDK-8287007hotspot/runtime[cgroups] Consistently use stringStream throughout parsing code
46JDK-8278965hotspot/runtimecrash in SymbolTable::do_lookup
47JDK-8301749hotspot/runtimeTracking malloc pooled memory size
48JDK-8213059install/installJava .deb package implementation is incomplete
49JDK-8293858security-libs/java.securityChange PKCS7 code to use default SecureRandom impl instead of SHA1PRNG
50JDK-8280703security-libs/javax.cryptoCipherCore.doFinal(...) causes potentially massive byte[] allocations during decryption
51JDK-8294906security-libs/javax.crypto:pkcs11Memory leak in PKCS11 NSS TLS server
52JDK-8296329tools/jarjar validator doesn't account for minor class file version
53JDK-8278834tools/javacError "Cannot read field "sym" because "this.lvar[od]" is null" when compiling
54JDK-8297587tools/jshellUpgrade JLine to 3.22.0
55JDK-8280373xml/javax.xml.parsersUpdate Xalan serializer / SystemIDResolver to align with JDK-8270492
56JDK-8301269xml/jaxpUpdate Commons BCEL to Version 6.7.0

Java SE 17.0.7 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.7 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 17.0.7.0.1

Bug Fixes

BugId Category Subcategory Description
JDK-8308884 hotspot compiler [17u/11u] Backout JDK-8297951

Java™ SE Development Kit 17, Update 17.0.7 (JDK 17.0.7)

April 18, 2023

The full version string for this update release is 17.0.7+8 (where "+" means "build"). The version number is 17.0.7.

 

IANA TZ Data 2022g

JDK 17.0.7 contains IANA time zone data 2022g which contains the following changes:

  • The northern edge of Chihuahua changes to US timekeeping.
  • Much of Greenland stops changing clocks after March 2023.
  • Fix some pre-1996 timestamps in northern Canada.
  • C89 is now deprecated; please use C99 or later.
  • Portability fixes for AIX, libintl, MS-Windows, musl, z/OS.
  • In C code, use more C23 features if available.
  • C23 timegm now supported by default.
  • Fixes for unlikely integer overflows.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.7 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
1717.0.7+8
1111.0.19+9
88u371-b11

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. Use the Security Baseline page to determine the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 17.0.7) after the next critical patch update release, scheduled for July 18, 2023.

 

New Features

security-libs/java.security
 New JFR Event: jdk.InitialSecurityProperty (JDK-8292177)

A new Java Flight Recorder (JFR) event has been added to record details of initial security properties when loaded via the java.security.Security class.

The new event name is jdk.InitialSecurityProperty and contains the following fields:

Field name Field Description
key Security Property Key
value Corresponding Security Property Value

This new JFR event is enabled by default. The java.security.debug=properties system property will also now print initial security properties to the standard error stream. With this new event and the already available jdk.SecurityPropertyModification event (when enabled since it is not enabled by default), a JFR recording can now monitor the initial settings of all security properties and any subsequent changes.

 

Other Notes

client-libs/javax.swing
 System Property to Handle HTML ObjectView Creation (JDK-8296832 (Not Public))

Some Swing components, such as JLabels and JButtons, which display application text, will try to interpret that text as HTML, principally to enable styled text. The HTML processing of the text for these components will no longer recognize the <object> tag which allows for subclasses of java.awt.Component to be rendered on the component. To re-enable this, applications must specify -Dswing.html.object=true.

security-libs/java.security
 Added Certigna(Dhimyotis) CA Certificate (JDK-8245654)

The following root certificate has been added to the cacerts truststore:


+ Certigna (Dhimyotis)
   + certignaca
      DN: CN=Certigna, O=Dhimyotis, C=FR

core-libs/java.io
 File::listRoots Changed to Return All Available Drives on Windows (JDK-8208077)

The behavior of the method java.io.File.listRoots() on Microsoft Windows has changed in this release so that the returned array includes a File object for all available disk drives. This differs from the behavior in JDK 10 to JDK 20, where this method filtered out disk drives that were not accessible or did not have media present. This change avoids performance issues observed in these releases and also ensures that the method is consistent with the root directories in the iteration returned by FileSystem.getDefault().getRootDirectories().

security-libs/java.security
 Throw Error If Default java.security File Fails to Load (JDK-8155246)

A behavioral change has been made in the case where the default conf/security/java.security security configuration file fails to load. In such a scenario, the JDK will now throw an InternalError.

Such a scenario should never occur. The default security file should always be present. Prior to this change, a static security configuration was loaded.

security-libs/java.security
 Crypto-J Exception for Diffie-Hellman and DSA AlgorithmParameters Requests (JDK-8278027)

Applications using the Dell BSAFE Crypto-J 3rd party security provider may encounter an IOException if decoding DH or DSA algorithm parameters with the following exception:

Exception in thread "main" java.io.IOException: Could not decode parameters. at com.rsa.cryptoj.o.ms.engineInit(Unknown Source) at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)

Dell BSAFE Crypto-J version 6.2.6.2 has been released to address this issue. Applications using this provider should upgrade to that version or later. For applications on older versions of this provider, an interoperability fix has been added to this release of the JDK.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.7:

# JBS Component Summary
1JDK-8282577client-libs/2dICC_Profile.setData(int, byte[]) invalidates the profile
2JDK-8285399client-libs/2dJNI exception pending in awt_GraphicsEnv.c:1432
3JDK-8284023client-libs/java.awtjava.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
4JDK-8296496client-libs/java.awtOverzealous check in sizecalc.h prevents large memory allocation
5JDK-8279614client-libs/java.awtThe left line of the TitledBorder is not painted on 150 scale factor
6JDK-8288332client-libs/java.awtTier1 validate-source fails after 8279614
7JDK-8295685client-libs/java.awtUpdate Libpng to 1.6.38
8JDK-8292948client-libs/javax.swingJEditorPane ignores font-size styles in external linked css-file
9JDK-8282958client-libs/javax.swingRendering Issues with Borders on Windows High-DPI systems
10JDK-8294378core-libs/java.netURLPermission constructor exception when using tr locale
11JDK-8297569core-libs/java.netURLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378
12JDK-8299439core-libs/java.textjava/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
13JDK-8295530core-libs/java.util.jarUpdate Zlib Data Compression Library to Version 1.2.13
14JDK-8287180core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2022-08-08
15JDK-8267038core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2022-03-02
16JDK-8296239core-libs/java.util:i18nISO 4217 Amendment 174 Update
17JDK-8292778core-svc/java.lang.instrumentEncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free
18JDK-8292541core-svc/java.lang.management[Metrics] Reported memory limit may exceed physical machine memory
19JDK-8297656performance/hotspotAArch64: Enable AES/GCM Intrinsics
20JDK-8268276hotspot/compilerBase64 Decoding optimization for x86 using AVX-512
21JDK-8269404hotspot/compilerBase64 Encoding optimization enhancements for x86 using AVX-512
22JDK-8273108hotspot/compilerRunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276
23JDK-8273459hotspot/compilerUpdate code segment alignment to 64 bytes
24JDK-8296958hotspot/compiler[JVMCI] add API for retrieving ConstantValue attributes
25JDK-8296961hotspot/compiler[JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField
26JDK-8296960hotspot/compiler[JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool
27JDK-8296967hotspot/compiler[JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod
28JDK-8282528hotspot/compilerAArch64: Incorrect replicate2L_zero rule
29JDK-8277137hotspot/compilerSet OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1
30JDK-8294902hotspot/compilerUndefined Behavior in C2 regalloc with null references
31JDK-8290322hotspot/compilerOptimize Vector.rearrange over byte vectors for AVX512BW targets.
32JDK-8295066hotspot/compilerFolding of loads is broken in C2 after JDK-8242115
33JDK-8296912hotspot/compilerC2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1
34JDK-8294538hotspot/compilermissing is_unloading() check in SharedRuntime::fixup_callers_callsite()
35JDK-8292602hotspot/compilerZGC: C2 late barrier analysis uses invalid dominator information
36JDK-8292660hotspot/compilerC2: blocks made unreachable by NeverBranch-to-Goto conversion are removed incorrectly
37JDK-8292285hotspot/compilerC2: remove unreachable block after NeverBranch-to-Goto conversion
38JDK-8290964hotspot/compilerC2 compilation fails with assert "non-reduction loop contains reduction nodes"
39JDK-8281122hotspot/compiler[IR Framework] Cleanup IR matching code in preparation for JDK-8280378
40JDK-8276064hotspot/compilerCheckCastPP with raw oop input floats below a safepoint
41JDK-8296924hotspot/compilerC2: assert(is_valid_AArch64_address(dest.target())) failed: bad address
42JDK-8290850hotspot/compilerC2: create_new_if_for_predicate() does not clone pinned phi input nodes resulting in a broken graph
43JDK-8297431hotspot/compiler[JVMCI] HotSpotJVMCIRuntime.encodeThrowable should not throw an exception
44JDK-8285835hotspot/compilerSIGSEGV in PhaseIdealLoop::build_loop_late_post_work
45JDK-8295788hotspot/compilerC2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node"
46JDK-8297951hotspot/compilerC2: Create skeleton predicates for all If nodes in loop predication
47JDK-8297264hotspot/compilerC2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top
48JDK-8295116hotspot/compilerC2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead
49JDK-8242115hotspot/compilerC2 SATB barriers are not safepoint-safe
50JDK-8292301hotspot/compiler[REDO v2] C2 crash when allocating array of size too large
51JDK-8296136hotspot/compilerUse correct register in aarch64_enc_fast_unlock()
52JDK-8296389hotspot/compilerC2: PhaseCFG::convert_NeverBranch_to_Goto must handle both orders of successors
53JDK-8272985hotspot/gcReference discovery is confused about atomicity and degree of parallelism
54JDK-8296733hotspot/jfrJFR: File Read event for RandomAccessFile::write(byte[]) is incorrect
55JDK-8283199hotspot/runtimeLinux os::cpu_microcode_revision() stalls cold startup
56JDK-8271506hotspot/runtimeAdd ResourceHashtable support for deleting selected entries
57JDK-8294160hotspot/runtimemisc crash dump improvements
58JDK-8048190hotspot/runtimeNoClassDefFoundError omits original ExceptionInInitializerError
59JDK-8293472hotspot/runtimeIncorrect container resource limit detection if manual cgroup fs mounts present
60JDK-8287011hotspot/runtimeImprove container information
61JDK-8286030hotspot/runtimeAvoid JVM crash when containers share the same /tmp dir
62JDK-8262386hotspot/svc-agentresourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java timed out
63JDK-8297918infrastructureRemove platform dependency in corelibs-atr and langtools-atr task definition files
64JDK-8298349install/install/usr/java/latest points to wrong JDK
65JDK-8298330install/install/usr/java/latest is missing after one of JDK rpms is uninstalled
66JDK-8280890security-libs/java.securityCannot use '-Djava.system.class.loader' with class loader in signed JAR
67JDK-8292297security-libs/java.securityFix up loading of override java.security properties file
68JDK-8293701core-svc/toolsjdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present
69JDK-8296619tools/javadoc(tool)Upgrade jQuery to 3.6.1

Java SE 17.0.6 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.6 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 17.0.6.0.1

Bug Fixes

BugId Category Subcategory Description
JDK-8280890 security-libs java.security Cannot use '-Djava.system.class.loader' with class loader in signed JAR
JDK-8297804 core-libs java.time (tz) Update Timezone Data to 2022g

Java™ SE Development Kit 17.0.6 (JDK 17.0.6)

January 17, 2023

The full version string for this update release is 17.0.6+9 (where "+" means "build"). The version number is 17.0.6.

 

IANA TZ Data 2022d, 2022e, 2022f

JDK 17.0.6 contains IANA time zone data 2022d, 2022e, 2022f.
  • Palestine transitions are now Saturdays at 02:00.
  • Simplify three Ukraine zones into one.
  • Jordan and Syria switch from +02/+03 with DST to year-round +03.
  • Mexico will no longer observe DST except near the US border.
  • Chihuahua moves to year-round -06 on 2022-10-30.
  • Fiji no longer observes DST.
  • Move links to 'backward'.
  • In vanguard form, GMT is now a Zone and Etc/GMT a link.
  • zic now supports links to links, and vanguard form uses this.
  • Simplify four Ontario zones.
  • Fix a Y2438 bug when reading TZif data.
  • Enable 64-bit time_t on 32-bit glibc platforms.
  • Omit large-file support when no longer needed.
  • In C code, use some C23 features if available.
  • Remove no-longer-needed workaround for Qt bug 53071.
For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.6 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
1717.0.6+9
1111.0.18+9
88u361-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.6) be used after the next critical patch update scheduled for April 18, 2023.

 

New Features

security-libs/javax.net.ssl
 DTLS Resumption Uses HelloVerifyRequest Messages (JDK-8287411 (not public))

With this fix the SunJSSE DTLS implementation will by default exchange cookies for all handshakes (new and resumed) unless the System property jdk.tls.enableDtlsResumeCookie is false. The property only affects the cookie exchange for resumption.

security-libs/java.security
 Support for RSASSA-PSS in OCSP Response (JDK-8274471)

An OCSP response signed with the RSASSA-PSS algorithm is now supported.

 

Known Issues

install/install
 Installation of Oracle Linux Specific x64 JDK RPMs Pulls in i686 Dependencies (JDK-8305976 (Not Public))

This issue prevents yum from automatically installing the correct packages required by Oracle Linux specific x86_64 headless and headful JDK packages. Instead of x86_64 packages, it will install i686 packages. To workaround the issue, you may manually install packages with the same names as indicated by yum but with the x86_64 architecture.

After you have the x86_64 headless and/or headful jdk packages installed, you can get the list of required x86_64 packages by running the following script:

rpm -qa | grep -E -e '^jdk-.*-headful-.*\.x86_64$' -e '^jdk-.*-headless-.*\.x86_64$' | xargs -r rpm -q --requires | sort -u | cut -d ' ' -f 1 | grep -v '^rpmlib' | xargs -r rpm -q --whatprovides | sort -u | grep -e '.i[3456]86$' | xargs -r rpm -q --queryformat '%{name}.x86_64\n' | xargs -r echo

It will output a space-separated list of names of required x86_64 packages to stdout. You can pass this list to a sudo yum install command to ensure the installation of the required packages.

 

Other Notes

javafx/fxml
 FXML JavaScript Engine Disabled by Default (JDK-8294779 (not public))

The “JavaScript script engine” for FXML is now disabled by default. Any .fxml file that has a "javascript" Processing Instruction (PI) will no longer load by default, and an exception will be thrown.

If the JDK has a JavaScript script engine, it can be enabled by setting the system property: -Djavafx.allowjs=true

globalization
 Translated resource bundles for German (JDK-8263773)

With 11.0.14, we are shipping the original JDK 11 translated resource bundles for German.

install/install
 RPM JDK Installer Changes (JDK-8292834)

Installation directory name of Oracle JDK in RPM package has changed from /usr/java/jdk-${VERSION} to /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}. Thus the 17.0.6, and 17.0.7 releases for x64 will both be installed in /usr/lib/jvm/jdk-17-oracle-x64 directory. RPM package will create /usr/java/jdk-${FEATURE} link pointing to the installation directory for backward compatibility.

Communication with the alternatives framework of JDK RPM package has changed. JDK RPM packages of prior versions registered a single java group of commands with the alternatives framework. The JDK 17 RPM package registers java and javac groups with the alternatives framework. java group is for commands used to run applications: java, keytool, and rmiregistry. javac group is used for all other commands. The set of commands registered by the package has not changed.

Two new Oracle Linux (OL)-specific JDK RPM packages have been added: jdk-17-headless and jdk-17-headful. These packages are available in OL7, OL8, and OL9 repositories. They are not available for OTN downloads. jdk-17-headless is a Headless Java Runtime for running non-GUI applications. jdk-17-headful is a Headful Java Runtime & Development Tools for developing and running applications of all types.

The combination of the OL-specific jdk-17-headless and jdk-17-headful packages provides the same JDK image and the same capabilities as jdk-17 OTN package. OL-specific JDK RPM packages specify required capabilities, and the "Release" property of these packages has a %{dist} suffix.

install/install
 Disable Side-by-Side Installations of Multiple JDK Updates in Windows JDK Installers (JDK-8292820)

Windows JDK installers must install the Oracle JDK in %Program Files%\Java\jdk-%FEATURE% instead of %Program Files%\Java\jdk-%VNUM%. I.e. all updates of the same release must share one installation directory.

Thus the 17.0.6 and 17.0.7 releases will both install into %Program Files%\Java\jdk-17 by default, and they both cannot be installed at the same time.

If the JDK17.0.7 installer is launched when JDK17.0.6 is already installed, it will auto-upgrade them to JDK17.0.7. There may be a Files In Use dialog shown if the older version was running and locking JDK files.

If the JDK17.0.6 installer is launched when JDK17.0.7 is already installed, it will show an error that a newer version of this JDK family is already installed.

install/install
 All JDK Update Releases Are Installed Into the Same Directory on macOS (JDK-8292827)

The Oracle JDK installation directory name will be changed from /Library/Java/JavaVirtualMachines/jdk-${VERSION}.jdk to /Library/Java/JavaVirtualMachines/jdk-${FEATURE}.jdk. Thus the 17.0.6 and 17.0.7 releases will both install into the /Library/Java/JavaVirtualMachines/jdk-17.jdk installation directory. Installing an older JDK update release will log an error, and not install the JDK, if a newer version of the same feature release already exists. An error dialog will be shown except in the case of a silent installation. JDK 17.0.N update releases shipped prior JEP C208 will not be uninstalled during installation of JDK 17 update release with JEP C208. However, JDK 17 GA release will be removed and its location /Library/Java/JavaVirtualMachines/jdk-17.jdk will be reused.

core-libs/java.lang
 Incorrect Handling of Quoted Arguments in ProcessBuilder (JDK-8282008)

ProcessBuilder on Windows is restored to address a regression caused by JDK-8250568. Previously, an argument to ProcessBuilder that started with a double-quote and ended with a backslash followed by a double-quote was passed to a command incorrectly and may cause the command to fail. For example the argument "C:\\Program Files\", would be seen by the command with extra double-quotes. This update restores the long standing behavior that does not treat the backslash before the final double-quote specially.

security-libs/javax.security
 New Implementation Note for LoginModule on Removing Null from a Principals or Credentials set (JDK-8282730)

The Set implementation that holds principals and credentials in a JAAS Subject prohibits null elements and any attempt to add, query, or remove a null element will result in a NullPointerException. This is especially important when trying to remove principals or credentials from the subject at the logout phase but they are null because of a previous failed login. Various JDK LoginModule implementations have been fixed to avoid the exception. An Implementation Note has also been added to the logout() method of the LoginModule interface. Developers should verify and if necessary update any custom LoginModule implementations to be compliant with this implementation advice.

infrastructure
 Toolchain Upgrade to Visual Studio 2022 (JDK-8283723)

As part of ongoing maintenance, the JDK for Windows is built using the Microsoft Visual Studio 2022 toolchain starting with this release.

If you have issues with a Java application and if you have native or JNI libraries that are compiled with a different release of the compiler, then you must consider compatibility issues between the runtimes. Specifically, your environment is supported only if you follow the Microsoft guidelines when dealing with multiple runtimes.

security-libs/javax.net.ssl
 Change in SSLEngine.closeInbound() Behavior (JDK-8273553)

The SunJSSE close notification checks for SSLEngine to have been made less strict to conform to changes in the Transport Layer Security (TLS) RFCs. See also JDK-8253368.

Specifically, if an application tries to close its SSLEngine inbound side using SSLEngine.closeInbound() without having received a close notification message from its peer, the SSLEngine will no longer:

  1. trigger the transmission of a TLS fatal-level alert to the peer, and
  2. invalidate the current TLS session

The new behavior will still consider this condition an error and will throw a local javax.net.ssl.SSLException. But a fatal-level alert will no longer be generated to be sent to the peer, and the underlying session will remain valid.

In addition, the internal transport context for the SSLEngine will also now be closed. This may result in a different SSLEngineResult.HandshakeStatus value on the SSLEngine. Any outstanding outbound data must still be obtained (SSLEngine.wrap()) and sent in order to gracefully close the connection.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.6:

# JBS Component Summary
1JDK-8295429client-libsUpdate harfbuzz md file
2JDK-8293672client-libsUpdate freetype md file
3JDK-8289697client-libs/2dbuffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad
4JDK-8240756client-libs/2d[macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
5JDK-8284033client-libs/java.awtLeak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
6JDK-8273655core-libs/java.netcontent-types.properties files are missing some common types
7JDK-8272352core-libs/java.util:i18nJava launcher can not parse Chinese character when system locale is set to UTF-8
8JDK-8294307core-libs/java.util:i18nISO 4217 Amendment 173 Update
9JDK-8293657core-svc/javax.managementsun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake"
10JDK-8293319hotspot/compiler[C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if
11JDK-8280511hotspot/compilerAArch64: Combine shift and negate to a single instruction
12JDK-8276108hotspot/compilerWrong instruction generation in aarch64 backend
13JDK-8251216hotspot/compilerImplement MD5 intrinsics on AArch64
14JDK-8186670hotspot/compilerImplement _onSpinWait() intrinsic for AArch64
15JDK-8290781hotspot/compilerSegfault at PhaseIdealLoop::clone_loop_handle_data_uses
16JDK-8282347hotspot/compilerAARCH64: Untaken branch in has_negatives stub
17JDK-8282049hotspot/compilerAArch64: Use ZR for integer zero immediate volatile stores
18JDK-8291775hotspot/compilerC2: assert(r != __null && r->is_Region()) failed: this phi must have a region
19JDK-8290711hotspot/compilerassert(false) failed: infinite loop in PhaseIterGVN::optimize
20JDK-8287349hotspot/compilerAArch64: Merge LDR instructions to improve C1 OSR performance
21JDK-8277411hotspot/compilerC2 fast_unlock intrinsic on AArch64 has unnecessary ownership check
22JDK-8277358hotspot/compilerAccelerate CRC32-C
23JDK-8291599hotspot/compilerAssertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127
24JDK-8290705hotspot/compilerStringConcat::validate_mem_flow asserts with "unexpected user: StoreI"
25JDK-8290529hotspot/compilerC2: assert(BoolTest(btest).is_canonical()) failure
26JDK-8288445hotspot/compilerAArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding
27JDK-8280872hotspot/compilerReorder code cache segments to improve code density
28JDK-8272094hotspot/compilercompiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline"
29JDK-8293816hotspot/compilerCI: ciBytecodeStream::get_klass() is not consistent
30JDK-8293044hotspot/compilerC1: Missing access check on non-accessible class
31JDK-8292158hotspot/compilerAES-CTR cipher state corruption with AVX-512
32JDK-8270947hotspot/compilerAArch64: C1: use zero_words to initialize all objects
33JDK-8287425hotspot/compilerRemove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path
34JDK-8290451hotspot/compilerIncorrect result when switching to C2 OSR compilation from C1
35JDK-8268779hotspot/gcZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space"
36JDK-8278389hotspot/gcSuspendibleThreadSet::_suspend_all should be volatile/atomic
37JDK-8288754hotspot/gcGCC 12 fails to build zReferenceProcessor.cpp
38JDK-8279398hotspot/jfrjdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop"
39JDK-8268297hotspot/jfrjdk/jfr/api/consumer/streaming/TestLatestEvent.java times out
40JDK-8291459hotspot/runtimeJVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*)
41JDK-8292083hotspot/runtimeDetected container memory limit may exceed physical machine memory
42JDK-8293156hotspot/svcDcmd VM.classloaders fails to print the full hierarchy
43JDK-8257722security-libs/java.securityImprove "keytool -printcert -jarfile" output
44JDK-8273553security-libs/javax.net.sslsun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368
45JDK-8276764core-svc/toolsEnable deterministic file content ordering for Jar and Jmod
46JDK-8276766tools/jarEnable jar and jmod to produce deterministic timestamped content
47JDK-8293578tools/javacDuplicate ldc generated by javac
48JDK-8266082tools/javacAssertionError in Annotate.fromAnnotations with -Xdoclint
49JDK-8272776tools/javacNullPointerException not reported
50JDK-8286444tools/javacjavac errors after JDK-8251329 are not helpful enough to find root cause
51JDK-8286855tools/javacjavac error on invalid jar should only print filename
52JDK-8287076xml/org.w3c.domDocument.normalizeDocument() produces different results

Java SE 17.0.5 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.5 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 17.0.5.0.1

Bug Fixes

BugId Category Subcategory Description
JDK-8291973 install install Java RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash
JDK-8294357 core-libs java.time (tz) Update Timezone Data to 2022d

Java™ SE Development Kit 17.0.5 (JDK 17.0.5)

October 18, 2022

The full version string for this update release is 17.0.5+9 (where "+" means "build"). The version number is 17.0.5.

 

IANA TZ Data 2022b, 2022c

JDK 17.0.5 contains IANA time zone data 2022b, 2022c.

  • Chile's DST is delayed by a week in September 2022.
  • Iran no longer observes DST after 2022.
  • Rename Europe/Kiev to Europe/Kyiv.
  • New zic -R option
  • Vanguard form now uses %z.
  • Finish moving duplicate-since-1970 zones to 'backzone'.
  • New build option PACKRATLIST.
  • New tailored_tarballs target, replacing rearguard_tarballs.
  • Work around awk bug in FreeBSD, macOS, etc.
  • Improve tzselect on intercontinental Zones.
For more information, refer to Timezone Data Versions in the Java Runtime.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.5 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
1717.0.5+9
1111.0.17+10
88u351-b10
77u361-b08

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.5) be used after the next critical patch update scheduled for January 17, 2023.

 

Other Notes

security-libs/java.security
 Disabled SHA-1 Signed JARs (JDK-8269039)

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.

To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.

This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run jarsigner -verify -verbose -certs on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.

For example:

-  Signed by "CN="Signer""

     Digest algorithm: SHA-1 (disabled)
     Signature algorithm: SHA1withRSA (disabled), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01

JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.

Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or override it by using the java.security.properties system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

core-libs/java.net
 Make HttpURLConnection Default Keep Alive Timeout Configurable (JDK-8278067)

Two system properties have been added which control the keep alive behavior of HttpURLConnection in the case where the server does not specify a keep alive time. Two properties are defined for controlling connections to servers and proxies separately. They are http.keepAlive.time.server and http.keepAlive.time.proxy respectively. More information about them can be found in Networking Properties.

core-libs/java.time
 Update Timezone Data to 2022c (JDK-8294042)

This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone data. All time zone IDs remain the same but the merged time zones will point to a shared zone data.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.

For more details, refer to the announcement of 2022b.

core-libs/java.net
 New System Property to Limit the Number of Open Connections to com.sun.net.httpserver.HttpServer (JDK-8286918 (not public))

A new system property named jdk.httpserver.maxConnections has been introduced to allow users to configure the com.sun.net.httpserver.HttpServer to limit the maximum number of open connections to the server at any given time. This system property takes an integer value and can be configured to be a positive integer. If the property is absent, set to 0, or a negative value, the server will not limit the number of open connections. By default, this system property is not set.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.5:

# JBS Component Summary
1JDK-8285686client-libs/2dUpdate FreeType to 2.12.0
2JDK-8264666client-libs/2dChange implementation of safeAdd/safeMult in the LCMSImageLayout class
3JDK-8289853client-libs/2dUpdate HarfBuzz to 4.4.1
4JDK-8290334client-libs/2dUpdate FreeType to 2.12.1
5JDK-8274939client-libs/java.awtIncorrect size of the pixel storage is used by the robot on macOS
6JDK-8273506client-libs/java.awtjava Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12
7JDK-8255439client-libs/java.awtSystem Tray icons get corrupted when Windows scaling changes
8JDK-8287740client-libs/javax.accessibilityNSAccessibilityShowMenuAction not working for text editors
9JDK-8284690client-libs/javax.accessibility[macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
10JDK-8284014client-libs/javax.accessibilityMenu items with submenus in JPopupMenu are not spoken on macOS
11JDK-8277497client-libs/javax.accessibilityLast column cell in the JTable row is read as empty cell
12JDK-8278609client-libs/javax.accessibility[macos] accessibility frame is misplaced on a secondary monitor on macOS
13JDK-8283383client-libs/javax.accessibility[macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name
14JDK-8286266client-libs/javax.accessibility[macos] VoiceOver : Moving JTable column to be the first column JVM crashes
15JDK-8287917core-libs/java.lang:class_loadingSystem.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
16JDK-8281183core-libs/java.utilRandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
17JDK-8280950core-libs/java.utilRandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
18JDK-8288769core-libs/java.util.jarRevert unintentional change to deflate.c
19JDK-8283277core-libs/java.util:i18nISO 4217 Amendment 171 Update
20JDK-8289549core-libs/java.util:i18nISO 4217 Amendment 172 Update
21JDK-8276990core-svc/debuggerMemory leak in invoker.c fillInvokeRequest() during JDI operations
22JDK-8281615core-svc/debuggerDeadlock caused by jdwp agent
23JDK-8284094core-svc/debuggerMemory leak in invoker_completeInvokeRequest()
24JDK-8284848hotspot/compilerC2: Compiler blackhole arguments should be treated as globally escaping
25JDK-8282467hotspot/compileradd extra diagnostics for JDK-8268184
26JDK-8284883hotspot/compilerJVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512
27JDK-8285923hotspot/compiler[REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities
28JDK-8282555hotspot/compilerMissing memory edge when spilling MoveF2I, MoveD2L etc
29JDK-8286638hotspot/compilerC2: CmpU needs to do more precise over/underflow analysis
30JDK-8288303hotspot/compilerC1: Miscompilation due to broken Class.getModifiers intrinsic
31JDK-8270090hotspot/compilerC2: LCM may prioritize CheckCastPP nodes over projections
32JDK-8280696hotspot/compilerC2 compilation hits assert(is_dominator(c, n_ctrl)) failed
33JDK-8285820hotspot/compilerC2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
34JDK-8287091hotspot/compileraarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
35JDK-8287396hotspot/compilerLIR_Opr::vreg_number() and data() can return negative number
36JDK-8286625hotspot/compilerC2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect
37JDK-8288467hotspot/compilerremove memory_operand assert for spilled instructions
38JDK-8276546hotspot/compiler[IR Framework] Whitelist and ignore CompileThreshold
39JDK-8279622hotspot/compilerC2: miscompilation of map pattern as a vector reduction
40JDK-8286177hotspot/compilerC2: "failed: non-reduction loop contains reduction nodes" assert failure
41JDK-8284944hotspot/compilerassert(cnt++ < 40) failed: infinite cycle in loop optimization
42JDK-8287223hotspot/compilerC1: Inlining attempt through MH::invokeBasic() with null receiver
43JDK-8272736hotspot/compiler[JVMCI] Add API for reading and writing JVMCI thread locals
44JDK-8284358hotspot/compilerUnreachable loop is not removed from C2 IR, leading to a broken graph
45JDK-8288360hotspot/compilerCI: ciInstanceKlass::implementor() is not consistent for well-known classes
46JDK-8288781hotspot/compilerC1: LIR_OpVisitState::maxNumberOfOperands too small
47JDK-8287432hotspot/compilerC2: assert(tn->in(0) != __null) failed: must have live top node
48JDK-8283441hotspot/compilerC2: segmentation fault in ciMethodBlocks::make_block_at(int)
49JDK-8289127hotspot/compilerApache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible
50JDK-8286314hotspot/compilerTrampoline not created for far runtime targets outside small CodeCache
51JDK-8281297hotspot/gcTestStressG1Humongous fails with guarantee(is_range_uncommitted)
52JDK-8283597hotspot/jvmti[REDO] Invalid generic signature for redefined classes
53JDK-8278753hotspot/runtimeRuntime crashes with access violation during JNI_CreateJavaVM call
54JDK-8283469hotspot/runtimeDon't use memset to initialize members in FileMapInfo and fix memory leak
55JDK-8268773hotspot/runtimeImprovements related to: Failed to start thread - pthread_create failed (EAGAIN)
56JDK-8289477hotspot/runtimeMemory corruption with CPU_ALLOC, CPU_FREE on muslc
57JDK-8289799hotspot/runtimeBuild warning in methodData.cpp memset zero-length parameter
58JDK-8290417hotspot/runtimeCDS cannot archive lamda proxy with useImplMethodHandle
59JDK-8287107hotspot/runtimeCgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
60JDK-8287741hotspot/runtimeFix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
61JDK-8283723infrastructureUpdate Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows
62JDK-8275887security-libs/java.securityjarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
63JDK-8281628security-libs/javax.cryptoKeyAgreement : generateSecret intermittently not resetting
64JDK-8284694security-libs/javax.net.sslAvoid evaluating SSLAlgorithmConstraints twice
65JDK-8286211security-libs/javax.smartcardioUpdate PCSC-Lite for SUSE Linux to 1.9.5
66JDK-8285398security-libs/jdk.securityCache the results of constraint checks
67JDK-8155701tools/javacThe compiler fails with an AssertionError: typeSig ERROR
68JDK-8281316tools/javacjavac performance issues with large number of jars on classpath
69JDK-8282214tools/javadoc(tool)Upgrade JQuery to version 3.6.0
70JDK-8284367tools/javadoc(tool)JQuery UI upgrade from 1.12.1 to 1.13.1
71JDK-8277494tools/jpackage[BACKOUT] JDK-8276150 Quarantined jpackage apps are labeled as "damaged"
72JDK-8284675tools/jpackage"jpackage.exe" creates application launcher without Windows Application Manfiest
73JDK-8276837tools/jpackage[macos]: Error when signing the additional launcher
74JDK-8278311tools/jpackageDebian packaging doesn't work
75JDK-8279370tools/jpackagejdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0
76JDK-8284067tools/jpackagejpackage'd launcher reports non-zero exit codes with error prompt
77JDK-8289486xml/jaxpImprove XSLT XPath operators count efficiency

Java SE 17.0.4.1 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.4.1 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 17.0.4.1.1

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 17, Patch 17.0.4.1 (JDK 17.0.4.1)

August 18, 2022

The full version string for this update release is 17.0.4.1+1 (where "+" means "build"). The version number is 17.0.4.1.

 

IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines are unchanged from the release of JDK 17.0.4.

JRE Family Version JRE Security Baseline (Full Version String)
17 17.0.4+11
11 11.0.16+11
8 8u341-b10
7 7u351-b07

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.4.1) be used after the next critical patch update scheduled for October 18, 2022.

Oracle recommends that all JDK 17 users, even those that have already updated to 17.0.4, uptake the 17.0.4.1 patch release.

 

Changes

hotspot/compiler
 C2 Compilation Errors Unpredictably Crashes JVM

Fixes a regression in the C2 JIT compiler which caused the Java Runtime to crash unpredictably.


Java SE 17.0.4 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.4 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 17.0.4.0.1

Bug Fixes

BugId Category Subcategory Description
JDK-8255439 client-libs java.awt System Tray icons get corrupted when windows scaling changes

Java™ SE Development Kit 17.0.4 (JDK 17.0.4)

July 19, 2022

The full version string for this update release is 17.0.4+11 (where "+" means "build"). The version number is 17.0.4.

 

IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.4 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
1717.0.4+11
1111.0.16+11
88u341-b10
77u351-b07

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.4) be used after the next critical patch update scheduled for October 18, 2022.

New Features

core-libs/java.net
 HTTPS Channel Binding Support for Java GSS/Kerberos

Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection.

Channel binding tokens are increasingly required as an enhanced form of security which can mitigate certain kinds of socially engineered, man in the middle (MITM) attacks. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shutdown the session/connection.

The feature is controlled through a new system property jdk.https.negotiate.cbt which is described fully in the Networking Properties page.

Other Notes

core-libs/java.net
 Update java.net.InetAddress to Detect Ambiguous IPv4 Address Literals

The java.net.InetAddress class has been updated to strictly accept IPv4 address literals in decimal quad notation. The InetAddress class methods are updated to throw an java.net.UnknownHostException for invalid IPv4 address literals. To disable this check, the new "jdk.net.allowAmbiguousIPAddressLiterals" system property can be set to "true".

See JDK-8277608 (not public)
core-libs/java.util.jar
 Default JDK Compressor Will Be Closed when IOException Is Encountered

DeflaterOutputStream.close() and GZIPOutputStream.finish() methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. ZIPOutputStream.closeEntry() method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.

hotspot/runtime
 CPU Shares Ignored When Computing Active Processor Count

Previous JDK releases used an incorrect interpretation of the Linux cgroups parameter "cpu.shares". This might cause the JVM to use fewer CPUs than available, leading to an under utilization of CPU resources when the JVM is used inside a container.

Starting from this JDK release, by default, the JVM no longer considers "cpu.shares" when deciding the number of threads to be used by the various thread pools. The -XX:+UseContainerCpuShares command-line option can be used to revert to the previous behavior. This option is deprecated and may be removed in a future JDK release.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.4:

# JBS Component Subcomponent Sumary
1JDK-8283217client-libs2dLeak FcObjectSet in getFontConfigLocations() in fontpath.c
2JDK-8278604client-libsdemoSwingSet2 table demo does not have accessible description set for images
3JDK-8274751client-libsjava.awtDrag And Drop hangs on Windows
4JDK-8278526client-libsjavax.accessibility[macos] Screen reader reads SwingSet2 JTable row selection as null, dimmed row for last column
5JDK-8279586client-libsjavax.accessibility[macos] custom JCheckBox and JRadioBox with custom icon set: focus is still displayed after unchecking
6JDK-8277922client-libsjavax.accessibilityUnable to click JCheckBox in JTable through Java Access Bridge
7JDK-8274735client-libsjavax.imageiojavax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
8JDK-8279842core-libsjava.netHTTPS Channel Binding support for Java GSS/Kerberos
9JDK-8282293core-libsjava.netDomain value for system property jdk.https.negotiate.cbt should be case-insensitive
10JDK-8282929core-libsjava.textLocalized monetary symbols are not reflected in `toLocalizedPattern` return value
11JDK-8280543docshotspotUpdate the "java" and "jcmd" tool specification for CDS
12JDK-8279219hotspotcompiler[REDO] C2 crash when allocating array of size too large
13JDK-8278796hotspotcompilerIncorrect behavior of FloatVector.withLane on X86
14JDK-8277906hotspotcompilerIncorrect type for IV phi of long counted loops after CCP
15JDK-8268231hotspotcompilerAarch64: Use Ldp in intrinsics for String.compareTo
16JDK-8273139hotspotcompilerC2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
17JDK-8280799hotspotcompilerС2: assert(false) failed: cyclic dependency prevents range check elimination
18JDK-8265317hotspotcompiler[vector] assert(payload->is_object()) failed: expected 'object' value for scalar-replaced boxed vector but got: NULL
19JDK-8283451hotspotcompilerC2: assert(_base == Long) failed: Not a Long
20JDK-8282592hotspotcompilerC2: assert(false) failed: graph should be schedulable
21JDK-8282590hotspotcompilerC2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes
22JDK-8282312hotspotcompilerMinor corrections to evbroadcasti32x4 intrinsic on x86
23JDK-8281811hotspotcompilerassert(_base == Tuple) failed: Not a Tuple after JDK-8280799
24JDK-8275854hotspotcompilerC2: assert(stride_con != 0) failed: missed some peephole opt
25JDK-8275638hotspotcompilerGraphKit::combine_exception_states fails with "matching stack sizes" assert
26JDK-8256368hotspotcompilerAvoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers
27JDK-8283641hotspotcompilerLarge value for CompileThresholdScaling causes assert
28JDK-8283408hotspotcompilerFix a C2 crash when filling arrays with unsafe
29JDK-8280867hotspotcompilerCpuid1Ecx feature parsing is incorrect for AMD CPUs
30JDK-8280600hotspotcompilerC2: assert(!had_error) failed: bad dominance
31JDK-8279837hotspotcompilerC2: assert(is_Loop()) failed: invalid node class: Region
32JDK-8279668hotspotcompilerx86: AVX2 versions of vpxor should be asserted
33JDK-8275337hotspotcompilerC1: assert(false) failed: live_in set of first block must be empty
34JDK-8274983hotspotcompilerC1 optimizes the invocation of private interface methods
35JDK-8280901hotspotcompilerMethodHandle::linkToNative stub is missing w/ -Xint
36JDK-8280526hotspotcompilerx86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
37JDK-8279356hotspotcompilerMethod linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
38JDK-8278948hotspotcompilercompiler/vectorapi/reshape/TestVectorCastAVX1.java crashes in assembler
39JDK-8277180hotspotcompilerIntrinsify recursive ObjectMonitor locking for C2 x64 and A64
40JDK-8282874hotspotcompilerBad performance on gather/scatter API caused by different IntSpecies of indexMap
41JDK-8281266hotspotcompiler[JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly
42JDK-8279515hotspotcompilerC1: No inlining through invokedynamic and invokestatic call sites when resolved class is not linked
43JDK-8279822hotspotcompilerCI: Constant pool entries in error state are not supported
44JDK-8279560hotspotcompilerAArch64: generate_compare_long_string_same_encoding and LARGE_LOOP_PREFETCH alignment
45JDK-8279437hotspotcompiler[JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM
46JDK-8275830hotspotcompilerC2: Receiver downcast is missing when inlining through method handle linkers
47JDK-8282231hotspotcompilerx86-32: runtime call to SharedRuntime::ldiv corrupts registers
48JDK-8282295hotspotruntimeSymbolPropertyEntry::set_method_type fails with assert
49JDK-8281274hotspotruntimedeal with ActiveProcessorCount in os::Linux::print_container_info
50JDK-8281275hotspotruntimeUpgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
51JDK-8281181hotspotruntimeDo not use CPU Shares to compute active processor count
52JDK-8278553hotspottestRunThese30M.java failed due to errors in JckStressModule.out
53JDK-8281517installinstallImprove the error message shown when a user tries to install the aarch64 bundle on an intel mac
54JDK-8278851security-libsjava.securityCorrect signer logic for jars signed with multiple digest algorithms
55JDK-8255266security-libsjava.securityUpdate Public Suffix List to 3c213aa
56JDK-8274524security-libsjavax.net.sslSSLSocket.close() hangs if it is called during the ssl handshake
57JDK-8275082security-libsjavax.xml.cryptoUpdate XML Security for Java to 2.3.0
58JDK-8279520security-libsorg.ietf.jgssSPNEGO has not passed channel binding info into the underlying mechanism
59JDK-8277165toolsjdeps --multi-release --print-module-deps fails if module-info.class in different versioned directories
60JDK-8225559toolsjavacassertion error at TransTypes.visitApply

Java SE 17.0.3.1 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.3 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 17.0.3.1.1

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 17, Patch 17.0.3.1 (JDK 17.0.3.1)

May 2, 2022

The full version string for this update release is 17.0.3.1+2 (where "+" means "build"). The version number is 17.0.3.1.

 

IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines are unchanged from the release of JDK 17.0.3.

JRE Family Version JRE Security Baseline (Full Version String)
17 17.0.3+8
11 11.0.15+8
8 8u331-b09
7 7u341-b08

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.3.1) be used after the next critical patch update scheduled for July 19, 2022.

 

Changes

 

core-libs/java.io
 New System Property to Disable Windows Alternate Data Stream Support in java.io.File

The Windows implementation of java.io.File allows access to NTFS Alternate Data Streams (ADS) by default. Such streams have a structure like “filename:streamname”. A system property jdk.io.File.enableADS has been added to control this behavior. To disable ADS support in java.io.File, the system property jdk.io.File.enableADS should be set to false (case ignored). Stricter path checking however prevents the use of special devices such as NUL:

See JDK-8285445

 

Bug Fixes

This release is based on the previous CPU and does not contain any additional security fixes. The following issues have also been resolved:

JBS Component Subcomponent Sumary
JDK-8284920 xml javax.xml.path Incorrect Token type causes XPath expression to return incorrect results
JDK-8284548 xml jaxp Invalid XPath expression causes StringIndexOutOfBoundsException


Java SE 17.0.3 - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 17.0.3 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in Java SE 17.0.3.0.1

Bug Fixes

BugId Category Subcategory Description
JDK-8281181 hotspot runtime Do not use CPU Shares to compute active processor count
JDK-8282583 xml jaxp Update BCEL md to include the copyright notice
JDK-8283350 core-libs java.time (tz) Update Timezone Data to 2022a

Java™ SE Development Kit 17.0.3 (JDK 17.0.3)

April 19, 2022

The full version string for this update release is 17.0.3+8 (where "+" means "build"). The version number is 17.0.3.

 

IANA TZ Data 2021e

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.3 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
17 17.0.3+8
11 11.0.15+8
8 8u331-b09
7 7u341-b08

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.3) be used after the next critical patch update scheduled for July 19, 2022.

 

New Features

xml/jaxp
 New XML Processing Limits

Three processing limits have been added to the XML libraries. These are:

  • jdk.xml.xpathExprGrpLimit

Description: Limits the number of groups an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10.

  • jdk.xml.xpathExprOpLimit

Description: Limits the number of operators an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 100.

  • jdk.xml.xpathTotalOpLimit

Description: Limits the total number of XPath operators in an XSL Stylesheet.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10000.

Supported processors

  • jdk.xml.xpathExprGrpLimit and jdk.xml.xpathExprOpLimit are supported by the XPath processor.

  • All three limits are supported by the XSLT processor.

Setting properties

For the XSLT processor, the properties can be changed through the TransformerFactory. For example,

        TransformerFactory factory = TransformerFactory.newInstance();

        factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");

For both the XPath and XSLT processors, the properties can be set through the system property and jaxp.properties configuration file located in the conf directory of the Java installation. For example,

        System.setProperty("jdk.xml.xpathExprGrpLimit", "20");

or in the jaxp.properties file,

        jdk.xml.xpathExprGrpLimit=20

 

There are two known issues:

  1. An XPath expression that contains a short form of the parent axis ".." can return incorrect results. See JDK-8284920 for details.
  2. An invalid XPath expression that ends with a relational operator such as ‘<’ ‘>’ and ‘=’ will cause the processor to erroneously throw StringIndexOutOfBoundsException instead of XPathExpressionException. See JDK-8284548 for details.
JDK-8270504 (not public)

Other Notes

security-libs/java.security
 Only Expose Certificates With Proper Trust Settings as Trusted Certificate Entries in macOS KeychainStore

On macOS, only certificates with proper trust settings in the user keychain will be exposed as trusted certificate entries in the KeychainStore type of keystore. Also, calling the KeyStore::setCertificateEntry method or the keytool -importcert command on a KeychainStore keystore now fails with a KeyStoreException. Instead, call the macOS "security add-trusted-cert" command to add a trusted certificate into the user keychain.

JDK-8278449 (not public)

core-libs/javax.naming
 Parsing of URL Strings in Built-in JNDI Providers Is More Strict

The parsing of URLs in the LDAP, DNS, and RMI built-in JNDI providers has been made more strict. The strength of the parsing can be controlled by system properties:

  -Dcom.sun.jndi.ldapURLParsing="legacy" | "compat" | "strict"    (to control "ldap:" URLs)

  -Dcom.sun.jndi.dnsURLParsing="legacy" | "compat" | "strict"     (to control "dns:" URLs)
  -Dcom.sun.jndi.rmiURLParsing="legacy" | "compat" | "strict"     (to control "rmi:" URLs)

 

The default value is "compat" for all of the three providers.

  • The "legacy" mode turns the new validation off.
  • The "compat" mode limits incompatibilities.
  • The "strict" mode is stricter and may cause regression by rejecting URLs that an application might consider as valid.

In "compat" and "strict" mode, more validation is performed. As an example, in the URL authority component, the new parsing only accepts brackets around IPv6 literal addresses. Developers are encouraged to use java.net.URI constructors or its factory method to build URLs rather than handcrafting URL strings.

If an illegal URL string is found, a java.lang.IllegalArgumentException or a javax.naming.NamingException (or a subclass of it) is raised.

JDK-8278972 (not public)

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.3:

# JBS Component Subcomponent Sumary
1 JDK-8270874 client-libs 2d JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
2 JDK-8275650 core-libs java.io Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
3 JDK-8279833 core-libs java.lang Loop optimization issue in String.encodeUTF8_UTF16
4 JDK-8274658 core-libs java.util:i18n ISO 4217 Amendment 170 Update
5 JDK-8277795 core-libs javax.naming LDAP connection timeout not honoured under contention
6 JDK-8277777 hotspot compiler [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad
7 JDK-8277441 hotspot compiler CompileQueue::add fails with assert(_last->next() == __null) failed: not last
8 JDK-8275610 hotspot compiler C2: Object field load floats above its null check resulting in a segfault
9 JDK-8275326 hotspot compiler C2: assert(no_dead_loop) failed: dead loop detected
10 JDK-8262134 hotspot compiler compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
11 JDK-8277447 hotspot compiler Hotspot C1 compiler crashes on Kotlin suspend fun with loop
12 JDK-8273277 hotspot compiler C2: Move conditional negation into rc_predicate
13 JDK-8271202 hotspot compiler C1: assert(false) failed: live_in set of first block must be empty
14 JDK-8275645 hotspot compiler [JVMCI] avoid unaligned volatile reads on AArch64
15 JDK-8271056 hotspot compiler C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity
16 JDK-8275643 hotspot compiler C2's unaryOp vector intrinsic does not properly handle LongVector.neg
17 JDK-8275847 hotspot compiler Scheduling fails with "too many D-U pinch points" on small method
18 JDK-8275874 hotspot compiler [JVMCI] only support aligned reads in c2v_readFieldValue
19 JDK-8279076 hotspot compiler C2: Bad AD file when matching SqrtF with UseSSE=0
20 JDK-8275330 hotspot compiler C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
21 JDK-8276314 hotspot compiler [JVMCI] check alignment of call displacement during code installation
22 JDK-8279225 hotspot compiler [arm32] C1 longs comparison operation destroys argument registers
23 JDK-8279412 hotspot compiler [JVMCI] failed speculations list must outlive any nmethod that refers to it
24 JDK-8278871 hotspot compiler [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
25 JDK-8278824 hotspot gc Uneven work distribution when scanning heap roots in G1
26 JDK-8276177 hotspot jvmti nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here"
27 JDK-8275800 hotspot jvmti Redefinition leaks MethodData::_extra_data_lock
28 JDK-8278239 hotspot jvmti vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d
29 JDK-8276184 hotspot runtime Exclude lambda proxy class from the CDS archive if its caller class is excluded
30 JDK-8274714 hotspot runtime Incorrect verifier protected access error message
31 JDK-8277342 hotspot runtime vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for
32 JDK-8276662 hotspot runtime Scalability bottleneck in SymbolTable::lookup_common()
33 JDK-8266490 hotspot runtime Extend the OSContainer API to support the pids controller of cgroups
34 JDK-8278020 hotspot runtime ~13% variation in Renaissance-Scrabble
35 JDK-8278384 hotspot runtime Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT
36 JDK-8273967 hotspot runtime gtest os.dll_address_to_function_and_library_name_vm fails on macOS12
37 JDK-8274753 hotspot runtime ZGC: SEGV in MetaspaceShared::link_shared_classes
38 JDK-8274944 hotspot runtime AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info
39 JDK-8273526 hotspot runtime Extend the OSContainer API pids controller with pids.current
40 JDK-8274935 hotspot runtime dumptime_table has stale entry
41 JDK-8278309 hotspot runtime [windows] use of uninitialized OSThread::_state
42 JDK-8273341 hotspot runtime Update Siphash to version 1.0
43 JDK-8278951 hotspot runtime containers/cgroup/PlainRead.java fails on Ubuntu 21.10
44 JDK-8265150 hotspot svc AsyncGetCallTrace crashes on ResourceMark
45 JDK-8269849 hotspot test vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects"
46 JDK-8273682 tools jshell Upgrade Jline to 3.20.0
47 JDK-8276141 xml jaxp XPathFactory set/getProperty method
48 JDK-8282761 xml jaxp XPathFactoryImpl remove setProperty and getProperty methods

Java™ SE Development Kit 17.0.2 (JDK 17.0.2)

January 18, 2022

The full version string for this update release is 17.0.2+8 (where "+" means "build"). The version number is 17.0.2.

 

IANA TZ Data 2021b, 2021c, 2021d, 2021e

JDK 17.0.2 contains IANA time zone data 2021b, 2021c, 2021d, 2021e.
  • Jordan now starts DST on February's last Thursday.
  • Samoa no longer observes DST.
  • Merge more location-based Zones whose timestamps agree since 1970.
  • Move some backward-compatibility links to 'backward'.
  • Rename Pacific/Enderbury to Pacific/Kanton.
  • Correct many pre-1993 transitions in Malawi, Portugal, etc.
  • zic now creates each output file or link atomically.
  • zic -L no longer omits the POSIX TZ string in its output.
  • zic fixes for truncation and leap second table expiration.
  • zic now follows POSIX for TZ strings using all-year DST.
  • Fix some localtime crashes and bugs in obscure cases.
  • zdump -v now outputs more-useful boundary cases.
  • tzfile.5 better matches a draft successor to RFC 8536.
  • A new file SECURITY.
  • Revert most 2021b changes to 'backward'.
  • Fix 'zic -b fat' bug in pre-1970 32-bit data.
  • Fix two Link line typos.
  • Distribute SECURITY file.

This release is intended as a bugfix release, to fix compatibility problems and typos reported since 2021b was released.

  • Fiji suspends DST for the 2021/2022 season.
  • 'zic -r' marks unspecified timestamps with "-00".
  • Palestine will fall back 10-29 (not 10-30) at 01:00.
For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.2 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
17 17.0.2+8
11 11.0.14+8
8 8u321-b07
7 7u331-b06

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.2) be used after the next critical patch update scheduled for April 19, 2022.

 

Removed Features and Options

security-libs/java.security
 Removed Google's GlobalSign Root Certificate

The following root certificate from Google has been removed from the cacerts keystore:

+ alias name "globalsignr2ca [jdk]"

  Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2

Other Notes

install/install
 Extended Delay Before JDK Executable Installer Starts From Network Drive

On Windows 11 and Windows Server 2022, there can be some slowness with the extraction of temporary installation files when launched from a mapped network drive. The installer will still work, but there can be a temporary delay.

JDK-8274002 (not public)

core-libs/java.io
 file.encoding System Property Has an Incorrect Value on Windows

The initialization of the file.encoding system property on non macOS platforms has been reverted to align with the behavior on or before JDK 11. This has been an issue especially on Windows where the system and user's locales are not the same.

core-libs/java.nio
 Zip File System Provider Throws ZipException When Entry Name Element Contains "." or ".."

The ZIP file system provider has been changed to reject existing ZIP files that contain entries with "." or ".." in name elements. ZIP files with these entries cannot be used as a file system. Invoking the java.nio.file.FileSystems.newFileSystem(...) methods throw ZipException if the ZIP file contains these entries.

core-libs/java.time
 Update Timezone Data to 2021c

IANA Time Zone Database, on which JDK's Date/Time libraries are based, has made a tweak to some time zone rules since 2021c. Note that since this update, some of the time zone rules prior to the year 1970 have been modified according to the changes which were introduced with 2021b. For more detail, refer to the announcement of 2021b

hotspot/gc
 ZGC: Fixed long Process Non-Strong References times

A bug has been fixed that could cause long "Concurrent Process Non-Strong References" times with ZGC. The bug blocked the GC from making significant progress, and caused both latency and throughput issues for the Java application.

The long times could be seen in the GC logs when running with -Xlog:gc*:

[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.2:

# JBS Component Subcomponent Sumary
1 JDK-8269637 client-libs javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows
2 JDK-8262031 client-libs Create implementation for NSAccessibilityNavigableStaticText protocol
3 JDK-8267387 client-libs Create implementation for NSAccessibilityOutline protocol
4 JDK-8275872 client-libs 2d Sync J2DBench run and analyze Makefile targets with build.xml
5 JDK-8271718 client-libs 2d Crash when during color transformation the color profile is replaced
6 JDK-8273135 client-libs 2d java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7
7 JDK-8273887 client-libs 2d [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out
8 JDK-8276905 client-libs 2d Use appropriate macosx_version_minimum value while compiling metal shaders
9 JDK-8273808 client-libs java.awt Cleanup AddFontsToX11FontPath
10 JDK-8275131 client-libs java.awt Exceptions after a touchpad gesture on macOS
11 JDK-8274326 client-libs javax.accessibility [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
12 JDK-8274056 client-libs javax.accessibility JavaAccessibilityUtilities leaks JNI objects
13 JDK-8274381 client-libs javax.accessibility missing CAccessibility definitions in JNI code
14 JDK-8267385 client-libs javax.accessibility Create NSAccessibilityElement implementation for JavaComponentAccessibility
15 JDK-8267388 client-libs javax.accessibility Create implementation for NSAccessibilityTable protocol
16 JDK-8274383 client-libs javax.accessibility JNI call of getAccessibleSelection on a wrong thread
17 JDK-8277195 client-libs javax.accessibility missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest]
18 JDK-8271071 client-libs javax.accessibility accessibility of a table on macOS lacks cell navigation
19 JDK-8275809 client-libs javax.accessibility crash in [CommonComponentAccessibility getCAccessible:withEnv:]
20 JDK-8273678 client-libs javax.accessibility TableAccessibility and TableRowAccessibility miss autorelease
21 JDK-8275071 client-libs javax.accessibility [macos] A11y cursor gets stuck when combobox is closed
22 JDK-8275819 client-libs javax.accessibility [TableRowAccessibility accessibilityChildren] method is ineffective
23 JDK-8270893 client-libs javax.imageio IndexOutOfBoundsException while reading large TIFF file
24 JDK-8269951 client-libs javax.swing [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
25 JDK-8266510 client-libs javax.swing Nimbus JTree default tree cell renderer does not use selected text color
26 JDK-8271895 client-libs javax.swing UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18
27 JDK-8268284 client-libs javax.swing javax/swing/JComponent/7154030/bug7154030.java fails with "Exception: Failed to hide opaque button"
28 JDK-8264287 client-libs javax.swing Create implementation for NSAccessibilityComboBox protocol peer
29 JDK-8264303 client-libs javax.swing Create implementation for NSAccessibilityTabGroup protocol peer
30 JDK-8264292 client-libs javax.swing Create implementation for NSAccessibilityList protocol peer
31 JDK-8264286 client-libs javax.swing Create implementation for NSAccessibilityColumn protocol peer
32 JDK-8264291 client-libs javax.swing Create implementation for NSAccessibilityCell protocol peer
33 JDK-8264298 client-libs javax.swing Create implementation for NSAccessibilityRow protocol peer
34 JDK-8271315 client-libs javax.swing Redo: Nimbus JTree renderer properties persist across L&F changes
35 JDK-8264293 client-libs javax.swing Create implementation for NSAccessibilityMenu protocol peer
36 JDK-8264295 client-libs javax.swing Create implementation for NSAccessibilityMenuItem protocol peer
37 JDK-8264294 client-libs javax.swing Create implementation for NSAccessibilityMenuBar protocol peer
38 JDK-8264296 client-libs javax.swing Create implementation for NSAccessibilityPopUpButton protocol peer
39 JDK-8264297 client-libs javax.swing Create implementation for NSAccessibilityProgressIndicator protocol peer
40 JDK-8269850 core-libs Most JDK releases report macOS version 12 as 10.16 instead of 12.0
41 JDK-8276572 core-libs Fake libsyslookup.so library causes tooling issues
42 JDK-8273450 core-libs Fix the copyright header of SVML files
43 JDK-8275145 core-libs java.io file.encoding system property has an incorrect value on Windows
44 JDK-8277093 core-libs java.io:serialization Vector should throw ClassNotFoundException for a missing class of an element
45 JDK-8275703 core-libs java.lang System.loadLibrary fails on Big Sur for libraries hidden from filesystem
46 JDK-8274848 core-libs java.lang.invoke LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior
47 JDK-8270290 core-libs java.net NTLM authentication fails if HEAD request is used
48 JDK-8274779 core-libs java.net HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
49 JDK-8267256 core-libs java.net Extend minimal retry for loopback connections on Windows to PlainSocketImpl
50 JDK-8268294 core-libs java.net Reusing HttpClient in a WebSocket.Listener hangs.
51 JDK-8269481 core-libs java.net SctpMultiChannel never releases own file descriptor
52 JDK-8251329 core-libs java.nio (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside
53 JDK-8273935 core-libs java.nio (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported
54 JDK-8269280 core-libs java.nio (bf) Replace StringBuffer in *Buffer.toString()
55 JDK-8190753 core-libs java.nio (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
56 JDK-8271308 core-libs java.nio (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call
57 JDK-8233020 core-libs java.nio (fs) UnixFileSystemProvider should use StaticProperty.userDir().
58 JDK-8272095 core-libs java.nio ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64
59 JDK-8140241 core-libs java.nio (fc) Data transfer from FileChannel to itself causes hang in case of overlap
60 JDK-8274468 core-libs java.time TimeZoneTest.java fails with tzdata2021b
61 JDK-8274467 core-libs java.time TestZoneInfo310.java fails with tzdata2021b
62 JDK-8276536 core-libs java.time Update TimeZoneNames files to follow the changes made by JDK-8275766
63 JDK-8272473 core-libs java.time Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
64 JDK-8274349 core-libs java.util.concurrent ForkJoinPool.commonPool() does not work with 1 CPU
65 JDK-8214761 core-libs java.util.stream Bug in parallel Kahan summation implementation
66 JDK-8273790 core-libs java.util:i18n Potential cyclic dependencies between Gregorian and CalendarSystem
67 JDK-8273924 core-libs java.util:i18n ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
68 JDK-8273575 core-svc java.lang.instrument memory leak in appendBootClassPath(), paths must be deallocated
69 JDK-8268361 core-svc java.lang.management Fix the infinite loop in next_line
70 JDK-8272318 core-svc tools Improve performance of HeapDumpAllTest
71 JDK-8272970 hotspot Parallelize runtime/InvocationTests/
72 JDK-8273278 hotspot Support XSLT on GraalVM Native Image--deterministic bytecode generation in XSLT
73 JDK-8270886 hotspot compiler Crash in PhaseIdealLoop::verify_strip_mined_scheduling
74 JDK-8271600 hotspot compiler C2: CheckCastPP which should closely follow Allocate is sunk of a loop
75 JDK-8223923 hotspot compiler C2: Missing interference with mismatched unsafe accesses
76 JDK-8272570 hotspot compiler C2: crash in PhaseCFG::global_code_motion
77 JDK-8271341 hotspot compiler Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
78 JDK-8271340 hotspot compiler Crash PhaseIdealLoop::clone_outer_loop
79 JDK-8271459 hotspot compiler C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
80 JDK-8273165 hotspot compiler GraphKit::combine_exception_states fails with "matching stack sizes" assert
81 JDK-8272562 hotspot compiler C2: assert(false) failed: Bad graph detected in build_loop_late
82 JDK-8274145 hotspot compiler C2: condition incorrectly made redundant with dominating main loop exit condition
83 JDK-8274074 hotspot compiler SIGFPE with C2 compiled code with -XX:+StressGCM
84 JDK-8274401 hotspot compiler C2: GraphKit::load_array_element bypasses Access API
85 JDK-8274406 hotspot compiler RunThese30M.java failed "assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough"
86 JDK-8276066 hotspot compiler Reset LoopPercentProfileLimit for x86 due to suboptimal performance
87 JDK-8270901 hotspot compiler Typo PHASE_CPP in CompilerPhaseType
88 JDK-8273021 hotspot compiler C2: Improve Add and Xor ideal optimizations
89 JDK-8275104 hotspot compiler IR framework does not handle client VM builds correctly
90 JDK-8276105 hotspot compiler C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly
91 JDK-8276846 hotspot compiler JDK-8273416 is incomplete for UseSSE=1
92 JDK-8276112 hotspot compiler Inconsistent scalar replacement debug info at safepoints
93 JDK-8276025 hotspot compiler Hotspot's libsvml.so may conflict with user dependency
94 JDK-8270533 hotspot compiler AArch64: size_fits_all_mem_uses should return false if its output is a CAS
95 JDK-8273416 hotspot compiler C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1}
96 JDK-8273359 hotspot compiler CI: ciInstanceKlass::get_canonical_holder() doesn't respect instance size
97 JDK-8244675 hotspot compiler assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines()))
98 JDK-8272703 hotspot compiler StressSeed should be set via FLAG_SET_ERGO
99 JDK-8271954 hotspot compiler C2: assert(false) failed: Bad graph detected in build_loop_late
100 JDK-8272413 hotspot compiler Incorrect num of element count calculation for vector cast
101 JDK-8272574 hotspot compiler C2: assert(false) failed: Bad graph detected in build_loop_late
102 JDK-8276157 hotspot compiler C2: Compiler stack overflow during escape analysis on Linux x86_32
103 JDK-8268882 hotspot compiler C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
104 JDK-8271567 hotspot compiler AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions
105 JDK-8271215 hotspot gc Fix data races in G1PeriodicGCTask
106 JDK-8274501 hotspot gc c2i entry barriers read int as long on AArch64
107 JDK-8271862 hotspot gc C2 intrinsic for Reference.refersTo() is often not used
108 JDK-8271121 hotspot gc ZGC: stack overflow (segv) when -Xlog:gc+start=debug
109 JDK-8272170 hotspot gc Missing memory barrier when checking active state for regions
110 JDK-8277212 hotspot gc GC accidentally cleans valid megamorphic vtable inline caches
111 JDK-8275426 hotspot gc PretouchTask num_chunks calculation can overflow
112 JDK-8274435 hotspot jfr EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl
113 JDK-8272850 hotspot runtime Drop zapping values in the Zap* option descriptions
114 JDK-8273606 hotspot runtime Zero: SPARC64 build fails with si_band type mismatch
115 JDK-8273373 hotspot runtime Zero: Cannot invoke JVM in primordial threads on Zero
116 JDK-8273505 hotspot runtime runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in MetaspaceShared::link_shared_classes
117 JDK-8273176 hotspot runtime handle latest VS2019 in abstract_vm_version
118 JDK-8273695 hotspot runtime Safepoint deadlock on VMOperation_lock
119 JDK-8273489 hotspot runtime Zero: Handle UseHeavyMonitors on all monitorenter paths
120 JDK-8273229 hotspot runtime Update OS detection code to recognize Windows Server 2022
121 JDK-8274840 hotspot runtime Update OS detection code to recognize Windows 11
122 JDK-8273342 hotspot runtime Null pointer dereference in classFileParser.cpp:2817
123 JDK-8272345 hotspot runtime macos doesn't check `os::set_boot_path()` result
124 JDK-8272114 hotspot runtime Unused _last_state in osThread_windows
125 JDK-8274293 hotspot runtime Build failure on macOS with Xcode 13.0 as vfork is deprecated
126 JDK-8274338 hotspot runtime com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror"
127 JDK-8238649 hotspot runtime Call new Win32 API SetThreadDescription in os::set_native_thread_name
128 JDK-8261579 hotspot runtime AArch64: Support for weaker memory ordering in Atomic
129 JDK-8268927 hotspot runtime Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)"
130 JDK-8273486 hotspot runtime Zero: Handle DiagnoseSyncOnValueBasedClasses VM option
131 JDK-8273483 hotspot runtime Zero: Clear pending JNI exception check in native method handler
132 JDK-8273440 hotspot runtime Zero: Disable runtime/Unsafe/InternalErrorTest.java
133 JDK-8273333 hotspot runtime Zero should warn about unimplemented -XX:+LogTouchedMethods
134 JDK-8268893 hotspot runtime jcmd to trim the glibc heap
135 JDK-8273902 hotspot runtime Memory leak in OopStorage due to bug in OopHandle::release()
136 JDK-8269687 hotspot runtime pauth_aarch64.hpp include name is incorrect
137 JDK-8275604 hotspot runtime Zero: Reformat opclabels_data
138 JDK-8277029 hotspot svc JMM GetDiagnosticXXXInfo APIs should verify output array sizes
139 JDK-8270320 hotspot test JDK-8270110 committed invalid copyright headers
140 JDK-8270946 security-libs java.security X509CertImpl.getFingerprint should not return the empty String
141 JDK-8273826 security-libs java.security Correct Manifest file name and NPE checks
142 JDK-8274215 security-libs java.security Remove globalsignr2ca root from 17.0.2
143 JDK-8274736 security-libs java.security Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
144 JDK-8277224 security-libs java.security sun.security.pkcs.PKCS9Attributes.toString() throws NPE
145 JDK-8270317 security-libs javax.net.ssl Large Allocation in CipherSuite
146 JDK-8275811 security-libs javax.net.ssl Incorrect instance to dispose
147 JDK-8273026 security-libs javax.security Slow LoginContext.login() on multi threading application
148 JDK-8274205 security-libs org.ietf.jgss:krb5 Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
149 JDK-8273894 security-libs org.ietf.jgss:krb5 ConcurrentModificationException raised every time ReferralsCache drops referral
150 JDK-8273234 tools javac extended 'for' with expression of type tvar causes the compiler to crash
151 JDK-8262095 tools javac NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null
152 JDK-8268885 tools javac duplicate checkcast when destination type is not first type of intersection type
153 JDK-8269113 tools javac Javac throws when compiling switch (null)
154 JDK-8275302 tools javac unexpected compiler error: cast, intersection types and sealed
155 JDK-8274347 tools javac Passing a *nested* switch expression as a parameter causes an NPE during compile
156 JDK-8268894 tools javac forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition
157 JDK-8273408 tools javac java.lang.AssertionError: typeSig ERROR on generated class property of record
158 JDK-8271254 tools javac javac generates unreachable code when using empty semicolon statement
159 JDK-8274942 tools javac AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155)
160 JDK-8272639 tools jpackage jpackaged applications using microphone on mac
161 JDK-8274087 tools jpackage Windows DLL path not set correctly.
162 JDK-8273593 tools jpackage [REDO] Warn user when using mac-sign option with unsigned app-image.
163 JDK-8272328 tools jpackage java.library.path is not set properly by Windows jpackage app launcher
164 JDK-8268457 xml XML Transformer outputs Unicode supplementary character incorrectly to HTML

Java™ SE Development Kit 17.0.1 (JDK 17.0.1)

October 19, 2021

The full version string for this update release is 17.0.1+12 (where "+" means "build"). The version number is 17.0.1.

IANA TZ Data 2021a

For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.1 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
17 17.0.1+12
11 11.0.13+10
8 8u311-b11
7 7u321-b08

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.1) be used after the next critical patch update scheduled for January 18, 2022.

Removed Features and Options

security-libs/java.security
 Removed IdenTrust Root Certificate

The following root certificate from IdenTrust has been removed from the cacerts keystore:

+ alias name "identrustdstx3 [jdk]"

  Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.

Other Notes

core-libs/java.lang
 Release Doesn't Correctly Recognize Windows 11

This release doesn't correctly identify Windows 11. The property os.name is set to Windows 10 on Windows 11. In HotSpot error logs, the OS is identified as Windows 10; however, the HotSpot error log does show the Build number. Windows 11 has Build 22000.194 or above.

core-libs/javax.naming
 System Property to Control Reconstruction of Reference Address Objects by JDK's Built-in JNDI LDAP Implementation

The scope of the com.sun.jndi.ldap.object.trustSerialData system property has been extended to control the deserialization of java objects from the javaReferenceAddress LDAP attribute. This system property now controls the deserialization of java objects from the javaSerializedData and javaReferenceAddress LDAP attributes.

To prevent deserialization of java objects from these attributes, the system property can be set to false. By default, the deserialization of java objects from javaSerializedData and javaReferenceAddress attributes is allowed.

JDK-8267712 (not public)

hotspot/runtime
 Release Doesn't Correctly Recognize Windows Server 2022

This release doesn't correctly identify Windows Server 2022. The property os.name is set to Windows Server 2019 on Windows Server 2022. In HotSpot error logs the OS is identified as Windows Server 2019; however, the HotSpot error log does show the Build number. Windows Server 2022 has Build 20348, or above.

hotspot/runtime
 OperatingSystemMXBean.getProcessCpuLoad Is Now Container Aware

For JVMs running in a container, OperatingSystemMXBean.getProcessCpuLoad now considers only the CPU resources available to the container when calculating CPU load. Prior to this change, the calculation included all CPUs on a host. After this change, management agents may report higher CPU usage by JVMs in containers that are constrained to a limited set of CPUs.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 17.0.1:

# JBS Component Subcomponent Sumary
1 JDK-8262731 client-libs 2d [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
2 JDK-8273358 client-libs 2d macOS Monterey does not have the font Times needed by Serif
3 JDK-8272602 client-libs java.awt [macos] not all KEY_PRESSED events sent when control modifier is used
4 JDK-8272806 client-libs java.awt [macOS] "Apple AWT Internal Exception" when input method is changed
5 JDK-8267666 core-svc tools Add option to jcmd GC.heap_dump to use existing file
6 JDK-8271925 hotspot compiler ZGC: Arraycopy stub passes invalid oop to load barrier
7 JDK-8271589 hotspot compiler fatal error with variable shift count integer rotate operation.
8 JDK-8271203 hotspot compiler C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added
9 JDK-8270098 hotspot compiler ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert
10 JDK-8272131 hotspot compiler PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj
11 JDK-8271276 hotspot compiler C2: Wrong JVM state used for receiver null check
12 JDK-8268019 hotspot compiler C2: assert(no_dead_loop) failed: dead loop detected
13 JDK-8268261 hotspot compiler C2: assert(n != __null) failed: Bad immediate dominator info.
14 JDK-8269574 hotspot compiler C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events
15 JDK-8272124 hotspot runtime Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
16 JDK-8269934 hotspot runtime RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
17 JDK-8225082 security-libs java.security Remove IdenTrust certificate that is expiring in September 2021
18 JDK-8268427 security-libs java.security Improve AlgorithmConstraints:checkAlgorithm performance
19 JDK-8225083 security-libs java.security Remove Google certificate that is expiring in December 2021
20 JDK-8273150 security-libs java.security Revert "8225083: Remove Google certificate that is expiring in December 2021"
21 JDK-8270344 security-libs javax.net.ssl Session resumption errors

JDK 17 Release Notes

The following sections are included in these Release Notes:


Introduction

These notes describe important changes, enhancements, removed APIs and features, deprecated APIs and features, and other information about JDK 17 and Java SE 17. In some cases, the descriptions provide links to additional detailed information about an issue or a change. This page does not duplicate the descriptions provided by the Java SE 17 ( JSR 392) Platform Specification, which provides informative background for all specification changes and might also include the identification of removed or deprecated APIs and features not described here. The Java SE 17 ( JSR 392) specification provides links to:

You should be aware of the content in the Java SE 17 ( JSR 392) specification as well as the items described in this page.

The descriptions on this Release Notes page also identify potential compatibility issues that you might encounter when migrating to JDK 17. The Kinds of Compatibility page on the OpenJDK wiki identifies the following three types of potential compatibility issues for Java programs that might be used in these release notes:

  • Source: Source compatibility preserves the ability to compile existing source code without error.

  • Binary: Binary compatibility is defined in The Java Language Specification as preserving the ability to link existing class files without error.

  • Behavioral: Behavioral compatibility includes the semantics of the code that is executed at runtime.

See CSRs Approved for JDK 17 for the list of CSRs closed in JDK 17 and the Compatibility & Specification Review (CSR) page on the OpenJDK wiki for general information about compatibility.

The full version string for this release is build 17+35 (where "+" means "build"). The version number is 17.

 

IANA Data 2021a

JDK 17 contains IANA time zone data version 2021a. For more information, refer to Timezone Data Versions in the JRE Software.

TOP


New Features

This section describes some of the enhancements in Java SE 17 and JDK 17. In some cases, the descriptions provide links to additional detailed information about an issue or a change. The APIs described here are provided with the Oracle JDK. It includes a complete implementation of the Java SE 17 Platform and additional Java APIs to support developing, debugging, and monitoring Java applications. Another source of information about important enhancements and new features in Java SE 17 and JDK 17 is the Java SE 17 ( JSR 392) Platform Specification, which documents the changes to the specification made between Java SE 16 and Java SE 17. This document includes descriptions of those new features and enhancements that are also changes to the specification. The descriptions also identify potential compatibility issues that you might encounter when migrating to JDK 17.

 

specification
 JEP 409: Sealed Classes

Sealed Classes have been added to the Java Language. Sealed classes and interfaces restrict which other classes or interfaces may extend or implement them.

Sealed Classes were proposed by JEP 360 and delivered in JDK 15 as a preview feature. They were proposed again, with refinements, by JEP 397 and delivered in JDK 16 as a preview feature. Now in JDK 17, Sealed Classes are being finalized with no changes from JDK 16.

For further details, see JEP 409.

See JDK-8260514

specification
 JEP 406: Pattern Matching for switch (Preview)

Enhance the Java programming language with pattern matching for switch expressions and statements, along with extensions to the language of patterns. Extending pattern matching to switch allows an expression to be tested against a number of patterns, each with a specific action, so that complex data-oriented queries can be expressed concisely and safely.

For further details, see JEP 406.

See JDK-8213076

client-libs/2d
 JEP 382: New macOS Rendering Pipeline

The Java 2D API used by the Swing APIs for rendering, can now use the new Apple Metal accelerated rendering API for macOS.

This is currently disabled by default, so rendering still uses OpenGL APIs, which are deprecated by Apple but still available and supported.

To enable Metal, an application should specify its use by setting the system property:

-Dsun.java2d.metal=true

Use of Metal or OpenGL is transparent to applications since this is a difference of internal implementation and has no effect on Java APIs. The metal pipeline requires macOS 10.14.x or later. Attempts to set it on earlier releases will be ignored.

For further details, see JEP 382.

See JDK-8238361

client-libs/javax.swing
 New API for Accessing Large Icons

A new method, javax.swing.filechooser.FileSystemView.getSystemIcon(File, int, int), is available in JDK 17 that enables access to higher quality icons when possible. It is fully implemented for the Windows platform; however, results on other platforms might vary and will be enhanced later. For example, by using the following code:

  FileSystemView fsv = FileSystemView.getFileSystemView();

  Icon icon = fsv.getSystemIcon(new File("application.exe"), 64, 64);
  JLabel label = new JLabel(icon);

The user can obtain a higher quality icon for the "application.exe" file. This icon is suitable for creating a label that can be better scaled in a HighDPI environment.

See JDK-8182043

core-libs/java.net
 DatagramSocket Can Be Used Directly to Join Multicast Groups

java.net.DatagramSocket has been updated in this release to add support for joining multicast groups. It now defines joinGroup and leaveGroup methods to join and leave multicast groups. The class level API documentation of java.net.DatagramSocket has been updated to explain how a plain DatagramSocket can be configured and used to join and leave multicast groups.

This change means that the DatagramSocket API can be used for multicast applications without needing to use the legacy java.net.MulticastSocket API. The MulticastSocket API works as before, although most of its methods are deprecated.

More information on the rationale of this change can be seen in the CSR JDK-8260667.

See JDK-8237352

core-libs/java.nio
 Add support for UserDefinedFileAttributeView on macOS

The file system provider implementation on macOS has been updated in this release to support extended attributes. The java.nio.file.attribute.UserDefinedFileAttributeView API can now be used to obtain a view of a file's extended attributes. This (optional) view was not supported in previous JDK releases.

See JDK-8030048

core-libs/java.util
 JEP 356: Enhanced Pseudo-Random Number Generators

Provide new interface types and implementations for pseudorandom number generators (PRNGs), including jumpable PRNGs and an additional class of splittable PRNG algorithms (LXM).

For further details, see JEP 356.

See JDK-8193209

hotspot/compiler
 Modernization of Ideal Graph Visualizer

Ideal Graph Visualizer (IGV), a tool to explore visually and interactively the intermediate representation used in the HotSpot VM C2 just-in-time (JIT) compiler, has been modernized. Enhancements include:

  • Support for running IGV on up to JDK 15 (the latest version supported by IGV's underlying NetBeans Platform)
  • Faster, Maven-based IGV build system
  • Stabilization of block formation, group removal, and node tracking
  • More intuitive coloring and node categorization in default filters
  • Ranked quick node search with more natural default behavior

The modernized IGV is partially compatible with graphs generated from earlier JDK releases. It supports basic functionality such as graph loading and visualization, but auxiliary functionality such as node clustering and coloring might be affected.

Details about building and running IGV are available in the src/utils/IdealGraphVisualizer/README.md file in the tool's source directory.

See JDK-8254145

tools/javadoc(tool)
 Source Details in Error Messages

When JavaDoc reports an issue in an input source file, it displays the source line for the issue, and a line containing a caret (^) pointing to the position on the line, in a manner similar to compiler (javac) diagnostic messages.

In addition, logging and other "info" messages are now written to the standard error stream, leaving the standard output stream to be used for output that is specifically requested by command-line options, such as command-line help.

See JDK-8267126

tools/javadoc(tool)
 New Page for "New API" and Improved "Deprecated" Page

JavaDoc can now generate a page summarizing the recent changes in an API. The list of recent releases to be included is specified with the --since command-line option. These values are used to find the declarations with matching @since tags to be included on the new page. The --since-label command-line option provides text to use in the heading of the "New API" page.

On the page that summarizes deprecated items, you can view items grouped by the release in which they were deprecated.

See JDK-8263468

core-libs
 JEP 412: Foreign Function & Memory API (Incubator)

Introduce an API by which Java programs can interoperate with code and data outside of the Java runtime. By efficiently invoking foreign functions (i.e., code outside the JVM), and by safely accessing foreign memory (i.e., memory not managed by the JVM), the API enables Java programs to call native libraries and process native data without the brittleness and danger of JNI.

For further details, see JEP 412.

See JDK-8265033

core-libs
 Console Charset API

java.io.Console has been updated to define a new method that returns the Charset for the console. The returned Charset may be different from the one returned from Charset.defaultCharset() method. For example, it returns IBM437 while Charset.defaultCharset() returns windows-1252 on Windows (en-US). Refer to the CSR for more detail.

See JDK-8264208

core-libs/java.io:serialization
 JDK Flight Recorder Event for Deserialization

It is now possible to monitor deserialization of objects using JDK Flight Recorder (JFR). When JFR is enabled and the JFR configuration includes deserialization events, JFR will emit an event whenever the running program attempts to deserialize an object. The deserialization event is named jdk.Deserialization, and it is disabled by default. The deserialization event contains information that is used by the serialization filter mechanism; see the ObjectInputFilter specification. Additionally, if a filter is enabled, the JFR event indicates whether the filter accepted or rejected deserialization of the object. For further information about how to use the JFR deserialization event, see the article Monitoring Deserialization to Improve Application Security. For reference information about using and configuring JFR, see the JFR Runtime Guide and JFR Command Reference sections of the JDK Mission Control documentation.

See JDK-8261160

core-libs/java.io:serialization
 JEP 415: Implement Context-Specific Deserialization Filters

JEP 415: Context-Specific Deserialization Filters allows applications to configure context-specific and dynamically-selected deserialization filters via a JVM-wide filter factory that is invoked to select a filter for each individual deserialization operation.

The Java Core Libraries Developers Guide for Serialization Filtering describes use cases and provides examples.

See JDK-8264859

core-libs/java.lang
 System Property for Native Character Encoding Name

A new system property native.encoding has been introduced. This system property provides the underlying host environment's character encoding name. For example, typically it has UTF-8 in Linux and macOS platforms, and Cp1252 in Windows (en-US). Refer to the CSR for more detail.

See JDK-8265989

core-libs/java.time
 Add java.time.InstantSource

A new interface java.time.InstantSource has been introduced. This interface is an abstraction from java.time.Clock that only focuses on the current instant and does not refer to the time zone.

See JDK-8266846

core-libs/java.util
 Hex Formatting and Parsing Utility

java.util.HexFormat provides conversions to and from hexadecimal for primitive types and byte arrays. The options for delimiter, prefix, suffix, and uppercase or lowercase are provided by factory methods returning HexFormat instances.

See JDK-8251989

hotspot/compiler
 Experimental Compiler Blackholes Support

The experimental support for Compiler Blackholes is added. These are useful for low-level benchmarking, to avoid dead-code elimination on the critical paths, without affecting the benchmark performance. Current support is implemented as CompileCommand, accessible as -XX:CompileCommand=blackhole,<method>, with the plan to eventually graduate it to a public API.

JMH is already able to auto-detect and use this facility when instructed/available. Please consult JMH documentation for the next steps.

See JDK-8259316

hotspot/compiler
 New Class Hierarchy Analysis Implementation in the HotSpot JVM

A new Class Hierarchy Analysis implementation is introduced in the HotSpot JVM. It features enhanced handling of abstract and default methods which improves inlining decisions made by the JIT-compilers. The new implementation supersedes the original one and is turned on by default.

To help diagnose possible issues related to the new implementation, the original implementation can be turned on by specifying the -XX:+UnlockDiagnosticVMOptions -XX:-UseVtableBasedCHA command-line flags.

The original implementation may be removed in a future release.

See JDK-8266074

hotspot/compiler
 JEP 391: macOS/AArch64 Port

macOS 11.0 now supports the AArch64 architecture. This JEP implements support for the macos-aarch64 platform in the JDK. One of the features added is support for the W^X (write xor execute) memory. It is enabled only for macos-aarch64 and can be extended to other platforms at some point. The JDK can be either cross-compiled on an Intel machine or compiled on an Apple M1-based machine.

For further details, see JEP 391.

See JDK-8251280

hotspot/runtime
 Unified Logging Supports Asynchronous Log Flushing

To avoid undesirable delays in a thread using unified logging, the user can now request that the unified logging system operate in asynchronous mode. This is done by passing the command-line option -Xlog:async. In asynchronous logging mode, log sites enqueue all logging messages to a buffer. A standalone thread is responsible for flushing them to the corresponding outputs. The intermediate buffer is bounded. On buffer exhaustion, the enqueuing message is discarded. The user can control the size of the intermediate buffer by using the command-line option -XX:AsyncLogBufferSize=<bytes>.

See JDK-8229517

infrastructure/build
 macOS on ARM Early Access Available

A new macOS is now available for ARM systems. The ARM port should behave similarly to the Intel port. There are no known feature differences. When reporting issues on macOS, please specify if using ARM or x64.

See JDK-8266858

security-libs/java.security
 Provide Support for Specifying a Signer in Keytool -genkeypair Command

The -signer and -signerkeypass options have been added to the -genkeypair command of the keytool utility. The -signer option specifies the keystore alias of a PrivateKeyEntry for the signer and the -signerkeypass option specifies the password used to protect the signer’s private key. These options allow keytool -genkeypair to sign the certificate by using the signer’s private key. This is especially useful for generating a certificate with a key agreement algorithm as its public key algorithm.

See JDK-8260693

security-libs/javax.crypto
 SunJCE Provider Supports KW and KWP Modes With AES Cipher

The SunJCE provider has been enhanced to support the AES Key Wrap Algorithm (RFC 3394) and the AES Key Wrap with Padding Algorithm (RFC 5649). In earlier releases, the SunJCE provider supported RFC 3394 under the "AESWrap" cipher algorithm that could only be used to wrap and unwrap keys. With this enhancement, two block cipher modes, KW and KWP, have been added that support data encryption/decryption and key wrap/unwrap by using AES. Please check the "SunJCE provider" section of the "JDK Providers Documentation" guide for more details.

See JDK-8248268

security-libs/javax.crypto:pkcs11
 New SunPKCS11 configuration properties

SunPKCS11 provider adds new provider configuration attributes to better control native resources usage. The SunPKCS11 provider consumes native resources in order to work with native PKCS11 libraries. To manage and better control the native resources, additional configuration attributes are added to control the frequency of clearing native references as well as whether to destroy underlying PKCS11 Token after logout.

The 3 new attributes for SunPKCS11 provider configuration file are:

  1. destroyTokenAfterLogout (boolean, defaults to false) If set to true, when java.security.AuthProvider.logout() is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout() calls. Note that a PKCS11 provider with this attribute set to true should not be added to the system provider list since the provider object is not usable after a logout() method call.
  2. cleaner.shortInterval (integer, defaults to 2000, in milliseconds) This defines the frequency for clearing native references during busy period, i.e. how often should the cleaner thread processes the no-longer-needed native references in the queue to free up native memory. Note that the cleaner thread will switch to the 'longInterval' frequency after 200 failed tries, i.e. when no references are found in the queue.
  3. cleaner.longInterval (integer, defaults to 60000, in milliseconds) This defines the frequency for checking native reference during non-busy period, i.e. how often should the cleaner thread check the queue for native references. Note that the cleaner thread will switch back to the 'shortInterval' value if native PKCS11 references for cleaning are detected.
See JDK-8240256

security-libs/javax.crypto:pkcs11
 SunPKCS11 Provider Supports ChaCha20-Poly1305 Cipher and ChaCha20 KeyGenerator if Supported by PKCS11 Library

SunPKCS11 provider is enhanced to support the following crypto services and algorithms when the underlying PKCS11 library supports the corresponding PKCS#11 mechanisms:

  • ChaCha20 KeyGenerator <=> CKM_CHACHA20_KEY_GEN mechanism
  • CHACHA20-POLY1305 Cipher <=> CKM_CHACHA20_POLY1305 mechanism
  • CHACHA20-POLY1305 AlgorithmParameters <=> CKM_CHACHA20_POLY1305 mechanism
  • CHACHA20 SecretKeyFactory <=> CKM_CHACHA20_POLY1305 mechanism
See JDK-8255410

security-libs/javax.net.ssl
 Configurable Extensions With System Properties

Two new system properties have been added. The system property, jdk.tls.client.disableExtensions, is used to disable TLS extensions used in the client. The system property, jdk.tls.server.disableExtensions, is used to disable TLS extensions used in the server. If an extension is disabled, it will be neither produced nor processed in the handshake messages.

The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request, and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.

Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please do not disable mandatory extensions, and do not use this feature unless you clearly understand the impact.

See JDK-8217633

security-libs/org.ietf.jgss:krb5
 Use permitted_enctypes if default_tkt_enctypes or default_tgs_enctypes is not present

Use permitted_enctypes as the default value of default_tkt_enctypes or default_tgs_enctypes if any of the them are not defined in krb5.conf.

See JDK-8262389

tools/javadoc(tool)
 "Related Packages" on a Package Summary Page

The summary page for a package now includes a section listing any "related packages". The set of related packages is determined heuristically on common naming conventions, and may include the following:

  • The "parent" package (that is, the package for which a package is a subpackage)
  • Sibling packages (that is, other packages with the same parent package)
  • Any subpackages

The related packages need not all be in the same module.

See JDK-8260388

TOP


Removed Features and Options

This section describes the APIs, features, and options that were removed in Java SE 17 and JDK 17. The APIs described here are those that are provided with the Oracle JDK. It includes a complete implementation of the Java SE 17 Platform and additional Java APIs to support developing, debugging, and monitoring Java applications. Another source of information about important enhancements and new features in Java SE 17 and JDK 17 is the Java SE 17 ( JSR 392) Platform Specification, which documents changes to the specification made between Java SE 16 and Java SE 17. This document includes the identification of removed APIs and features not described here. The descriptions below might also identify potential compatibility issues that you could encounter when migrating to JDK 17.See CSRs Approved for JDK 17 for the list of CSRs closed in JDK 17.

core-libs
 JEP 403: Strongly Encapsulate JDK Internals

Strongly encapsulate all internal elements of the JDK, except for critical internal APIs such as sun.misc.Unsafe.

With this change, the java launcher option --illegal-access is obsolete. If used on the command line it causes a warning message to be issued, and otherwise has no effect. Existing code that must use internal classes, methods, or fields of the JDK can still be made to work by using the --add-opens launcher option, or the Add-Opens JAR-file manifest attribute, to open specific packages.

For further details, please see JEP 403.

See JDK-8266851

security-libs/java.security
 Removed Telia Company's Sonera Class2 CA Certificate

The following root certificate has been removed from the cacerts truststore:

+ Telia Company

  + soneraclass2ca
    DN: CN=Sonera Class2 CA, O=Sonera, C=FI
See JDK-8225081

core-libs
 Removal of sun.misc.Unsafe::defineAnonymousClass

sun.misc.Unsafe::defineAnonymousClass API has been removed in JDK 17. The API replacement is java.lang.invoke.MethodHandles.Lookup::defineHiddenClass and java.lang.invoke.MethodHandles.Lookup::defineHiddenClassWithClassData.

See JDK-8243287

core-libs/java.rmi
 JEP 407: Remove RMI Activation

The Remote Method Invocation (RMI) Activation mechanism has been removed. RMI Activation was an obsolete part of RMI that has been optional since Java SE 8. RMI Activation was deprecated for removal by JEP 385 in Java SE 15, and it was removed from this release by JEP 407. The rmid tool has also been removed. See JEP 385 for background, rationale, risks, and alternatives. The rest of RMI remains unchanged.

See JDK-8263550

hotspot/compiler
 JEP 410: Remove the Experimental AOT and JIT Compiler

AOT Compiler related code in HotSpot VM has been removed. Using HotSpot VM options defined by JEP295 produce "Unrecognized VM option" error on VM initialization.

For further details, see JEP 410.

See JDK-8263327

TOP


Deprecated Features and Options

Additional sources of information about the APIs, features, and options deprecated in Java SE 17 and JDK 17 include:

  • The Deprecated API page identifies all deprecated APIs including those deprecated in Java SE 17.

  • The Java SE 17 ( JSR 392) specification documents changes to the specification made between Java SE 16 and Java SE 17 that include the identification of deprecated APIs and features not described here.

  • JEP 277: Enhanced Deprecation provides a detailed description of the deprecation policy. You should be aware of the updated policy described in this document.

You should be aware of the contents in those documents as well as the items described in this release notes page.

The descriptions of deprecated APIs might include references to the deprecation warnings of forRemoval=true and forRemoval=false. The forRemoval=true text indicates that a deprecated API might be removed from the next major release. The forRemoval=false text indicates that a deprecated API is not expected to be removed from the next major release but might be removed in some later release.

The descriptions below also identify potential compatibility issues that you might encounter when migrating to JDK 17. See CSRs Approved for JDK 17 for the list of CSRs closed in JDK 17.

client-libs/java.awt
 JEP 398: Deprecate the Applet API for Removal

JEP 398: Deprecate the Applet API for Removal. It is essentially irrelevant since all web-browser vendors have either removed support for Java browser plug-ins or announced plans to do so.

The Applet API was previously deprecated, though not for removal, by JEP 289 in Java 9.

See JDK-8256145

security-libs/java.security
 JEP 411: Deprecate the Security Manager for Removal

The Security Manager and APIs related to it have been deprecated and will be removed in a future release. To ensure that developers and users are aware that the Security Manager is deprecated for removal, the Java runtime issues a warning at startup if the Security Manager is enabled on the command line via java -Djava.security.manager. The Java runtime also issues a warning at run time if the Security Manager is enabled dynamically via the System::setSecurityManager API. These warnings cannot be disabled.

See JEP 411 for more information and a list of APIs that have been deprecated for removal.

See JDK-8264713

security-libs/org.ietf.jgss:krb5
 Deprecate 3DES and RC4 in Kerberos

The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set allow_weak_crypto = true in the krb5.conf configuration file to re-enable them (along with other weak etypes including des-cbc-crc and des-cbc-md5) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the default_tkt_enctypes, default_tgs_enctypes, or permitted_enctypes settings.

See JDK-8139348

core-libs/java.net
 Deprecate the Socket Implementation Factory Mechanism

The following static methods used to set the system-wide socket implementation factories have been deprecated:

  • static void ServerSocket.setSocketFactory​(SocketImplFactory fac)
  • static void Socket.setSocketImplFactory​(SocketImplFactory fac)
  • static void DatagramSocket.setDatagramSocketImplFactory​(DatagramSocketImplFactory fac)

These API points were used to statically configure a system-wide factory for the corresponding socket types in the java.net package. These methods have mostly been obsolete since Java 1.4.

See JDK-8235139

hotspot/jvmti
 Deprecate JVM TI Heap functions 1.0

The following JVM TI functions have been deprecated in this release:

  • IterateOverObjectsReachableFromObject
  • IterateOverReachableObjects
  • IterateOverHeap
  • IterateOverInstancesOfClass

These functions were superseded in JVM TI version 1.2 (Java SE 6) by more powerful and flexible versions. These functions will be changed to return an error in a future release to indicate that they are no longer implemented/supported. The VM flags -Xlog:jvmti=trace and -XX:TraceJVMTI=<function_name> can be used to identify any residual usages of these functions. For example, -Xlog:jvmti=trace -XX:TraceJVMTI=IterateOverHeap is one way to get trace output when IterateOverHeap is used.

See JDK-8268241

TOP


Known Issues

The following notes describe known issues or limitations in this release.

xml/jaxp
 JDK XSLT Transformer Limitations

Applications using the JDK XSLT transformer to convert stylesheets to Java objects can encounter the following exception:

com.sun.org.apache.xalan.internal.xsltc.compiler.util.InternalError: Internal XSLTC error: a method in the translet exceeds the Java Virtual Machine limitation on the length of a method of 64 kilobytes. This is usually caused by templates in a stylesheet that are very large. Try restructuring your stylesheet to use smaller templates.

Applications will encounter the above exception if the size of the XSL template is too large. It is recommended to split the XSL template into smaller templates. Alternatively, applications can override the JDK XSLT Transformer by providing third-party implementation JAR files in the class path.

See JDK-8290347

TOP


Other Notes

The following notes describe additional changes and information about this release. In some cases, the following descriptions provide links to additional detailed information about an issue or a change.

core-libs/javax.naming
 New System and Security Properties to Control Reconstruction of Remote Objects by JDK's Built-in JNDI RMI and LDAP Implementations

jdk.jndi.object.factoriesFilter: This system and security property allows a serial filter to be specified that controls the set of object factory classes permitted to instantiate objects from object references returned by naming/directory systems. The factory class named by the reference instance is matched against this filter during remote reference reconstruction. The filter property supports pattern-based filter syntax with the format specified by JEP 290. This property applies both to the JNDI/RMI and the JNDI/LDAP built-in provider implementations. The default value allows any object factory class specified in the reference to recreate the referenced object.

com.sun.jndi.ldap.object.trustSerialData: This system property allows control of the deserialization of java objects from the javaSerializedData LDAP attribute. To prevent deserialization of java objects from the attribute, the system property can be set to false value. By default, deserialization of java objects from the javaSerializedData attribute is allowed.

JDK-8244473 (not public)

core-libs/java.util:collections
 TreeMap.computeIfAbsent Mishandles Existing Entries Whose Values Are null

Enhancement JDK-8176894 inadvertently introduced erroneous behavior in the TreeMap.computeIfAbsent method. The other TreeMap methods that were modified by this enhancement are unaffected. The erroneous behavior is that, if the map contains an existing mapping whose value is null, the computeIfAbsent method immediately returns null. To conform with the specification, computeIfAbsent should instead call the mapping function and update the map with the function's result.

See JDK-8259622

install
 Change to Package Names in Linux RPM/DEB Installers

On the Linux platform, the names of JDK packages provided by Java RPM and DEB installers have been changed. Names of JDK packages follow the jdk-<feature_release_version> pattern instead of the jdk-<update_release_version> pattern that was previously used. For example, the new names of JDK 11, 16, and 17 packages are jdk-11, jdk-16, and jdk-17 respectively.

The change to package names disables side-by-side installation of multiple JDKs of the same release family. Only one JDK per release family can be installed on a system with RPM and DEB installers.

If a user wants to have multiple update releases from the same family, the user must download the tar.gz bundles.

JDK-8266653 (not public)

install/install
 Updated List of Capabilities Provided by JDK RPMs

The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api, jaxp_parser_impl, and java-fonts. This clean-up of the list resolves existing and potential conflicts with modular RPMs.

There are other RPMs providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other rpms to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.

JDK-8263575 (not public)

install/install
 ADDLOCAL=ToolsFeature,SourceFeature Argument No Longer Needed For Windows JDK Installer

The ADDLOCAL=ToolsFeature,SourceFeature argument is no longer needed for the JDK installer silent mode. All required files are now installed by default.

JDK-8262043 (not public)

security-libs/java.security
 Added 2 HARICA Root CA Certificates

The following root certificates have been added to the cacerts truststore:

+ HARICA

  + haricarootca2015
    DN: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR

  + haricaeccrootca2015
    DN: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
See JDK-8256421

security-libs/java.security
 Disable SHA-1 JARs

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.

In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
  • Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included by default in the JDK cacerts keystore will not be restricted.

These exceptions may be removed in a future JDK release.

Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or overriding it using the java.security.properties system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

See JDK-8196415

security-libs/javax.xml.crypto
 Enable XML Signature Secure Validation Mode by Default

The XML Signature secure validation mode has been enabled by default (previously it was not enabled by default unless running with a security manager). When enabled, validation of XML signatures are subject to stricter checking of algorithms and other constraints as specified by the jdk.xml.dsig.secureValidationPolicy security property.

If necessary, and at their own risk, applications can disable the mode by setting the org.jcp.xml.dsig.secureValidation property to Boolean.FALSE with the DOMValidateContext.setProperty() API.

See JDK-8259801

security-libs/javax.xml.crypto
 Disable SHA-1 XML Signatures

XML signatures that use SHA-1 based digest or signature algorithms have been disabled by default. SHA-1 is no longer a recommended algorithm for digital signatures. If necessary, and at their own risk, applications can workaround this policy by modifying the jdk.xml.dsig.secureValidationPolicy security property and re-enabling the SHA-1 algorithms.

See JDK-8259709

core-libs
 RegEx Pattern Matching Loses Character Class After Intersection (&&) Operator

This release fixes a buggy behavior in regular expression pattern intersection. In prior releases, if a nested character class were included in some intersections after the intersection (&&) operator, it would be ignored and not included in the generated matcher from the pattern. This change brings the behavior in line with the intersection regex patterns seen in Ruby.

See JDK-8037397

core-libs/java.lang:reflect
 Remove Vestiges of Intermediate JSR 175 Annotation Format

When annotations were added to the platform in Java SE 5.0, early builds used a different representation of annotations in the class file than the final format. Support for this intermediate format has now been removed. Reading an annotation from a class file using the intermediate format which differs from the final format yields an exception similar to:

java.lang.reflect.GenericSignatureFormatError: Signature Parse error: Expected Field Type Signature

Recompiling the sources or otherwise regenerating the class file to conform to the proper format will resolve the issue.

See JDK-8265591

core-libs/java.net
 URL FTP Protocol Handler: IPv4 Address Validation in Passive Mode

Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, now referred to as the FTP Client.

The following system property has been added for validation of server addresses in FTP passive mode.

  • jdk.net.ftp.trustPasvAddress.

In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address which the FTP Client initially connected.

To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command

JDK-8258432 (not public)

core-libs/java.nio
 New Implementation of java.nio.channels.Selector on Microsoft Windows

The Windows implementation of the java.nio.channels.Selector API has been replaced in this release to use a new more scalable implementation. No behavior or compatibility issues were observed during testing of the new implementation. The old implementation has not been removed and the JDK can be configured to use the old implementation, if needed, by running with -Djava.nio.channels.spi.SelectorProvider=sun.nio.ch.WindowsSelectorProvider on the command line.

See JDK-8266369

core-libs/java.util
 Extra '0' in java.util.Formatter for '%012a' Conversion With a Sign Character

In previous releases, formatter conversions with a %a conversion that used the 0 padding flag and a width specifier would produce paddings containing too many zeros if a leading sign or space character was also specified by their respective flags. This has been fixed so that paddings no longer include too many leading zeros.

See JDK-8262351

core-libs/java.util:collections
 Collections.unmodifiable* Methods Are Idempotent for Their Corresponding Collection

The unmodifiable* methods in java.util.Collections will no longer re-wrap a given collection with an unmodifiable view if that collection has already been wrapped by same method.

See JDK-6323374

core-libs/java.util:i18n
 Support for CLDR Version 39

Locale data based on Unicode Consortium's CLDR has been upgraded to version 39. For the detailed locale data changes, please refer to the Unicode Consortium's CLDR release notes:

See JDK-8258794

core-libs/java.util:i18n
 ISO 639 Language Codes for Hebrew/Indonesian/Yiddish

Historically, Java has used old/obsolete ISO 639 language codes for Hebrew/Indonesian/Yiddish languages to maintain compatibility. From Java 17, the default codes are the current codes. For example, "he" is now the language code for "Hebrew" instead of "iw". A new system property has also been introduced to revert to the legacy behavior. If -Djava.locale.useOldISOCodes=true is specified on the command line, it behaves the same way as the prior releases.

See JDK-8263202

core-svc/java.lang.instrument
 Requirements of an Agent's premain Method Changed to Conform to the Specification

The java.lang.instrument implementation has been changed in this release to require that agent premain and agentmain methods are public. The specification has always required this, but it was not enforced. Attempting to run with an agent where these methods are not public will fail with an exception such as:

java.lang.IllegalAccessException: method <fully-qualified-class-name>.premain must be declared public.

A related change in this release is that the premain and agentmain methods must be defined in the agent class. The implementation no longer searches for these methods in superclasses.

See JDK-8165276

docs/release_notes
 XML Implementation Specific Features and Properties

Documentation for Implementation Specific Features and Properties has been added to the java.xml module summary. Along with the existing properties, two new properties are introduced in JDK 17. The following section describes the changes in more detail:

  1. Added javadoc for the XML processing limits.

    XML processing limits were introduced in JDK 7u45 and JDK 8. They were previously documented in the Java Tutorial Processing Limits section.

    The definitions for these limits have been added to the java.xml module summary. See JDK-8261670.

  2. Moved the javadoc for JAXP Lookup Mechanism to the java.xml module summary.

    The javadoc for JAXP Lookup Mechanism has been moved to the module summary. The original javadoc in JAXP factories are replaced with a link to that section in the module summary.

    See JDK-8261673.

  3. Added a property to control the newline after the XML header for DOM LSSerializer.

    The DOM Load and Save LSSerializer did not have an explicit control for whether or not the XML Declaration ends with a newline. In this release, a JDK implementation specific property, jdk.xml.isStandalone, and its corresponding System property, jdk.xml.isStandalone, have been added to control the addition of a newline and acts independently without having to set the pretty-print property. This property can be used to reverse the incompatible change introduced in Java SE 7 Update 4 with an update of Xalan 2.7.1 in which a newline is omitted after the XML header.

    Usage:

    // to set the property, get an instance of LSSerializer
    
    LSSerializer ser = impl.createLSSerializer();
    // the isStandalone property is effective whether or not pretty-print is set
    ser.getDomConfig().setParameter("format-pretty-print", pretty ? true : false);
    ser.getDomConfig().setParameter("jdk.xml.isStandalone", standalone ? true : false);
    
    // to use the System property, set it before initializing a LSSerializer
    System.setProperty("jdk.xml.isStandalone", standalone ? “true” : "false");
    
    // to clear the property, place the line anywhere after the LSSerializer is initialized
    System.clearProperty("jdk.xml.isStandalone");
    

    See JDK-8249867.

  4. Added a property to control the newline after the XML header for XSLTC Serializerjava.xml.

    The XSLTC Serializer supported a property, http://www.oracle.com/xml/is-standalone, introduced through JDK-7150637, to control whether or not the XML Declaration ends with a newline. It is, however, not compliant with the new specification for Implementation Specific Features and Properties. In order to maintain compatibility, the legacy property is preserved, and a new property, jdk.xml.xsltcIsStandalone, along with its corresponding System property, jdk.xml.xsltcIsStandalone, have been created to perform the same function for the XSLTC Serializer as the isStandalone property for DOMLS LSSerializer. Note that the former has an extra prefix xsltc to avoid conflict with the later in case it is set through the System property.

    Usage:

    // to set the property, get an instance of the Transformer
    
    Transformer transformer = getTransformer(…);
    // the isStandalone property is effective whether or not pretty-print is set
    transformer.setOutputProperty(OutputKeys.INDENT, pretty ? "yes" : "no");
    transformer.setOutputProperty("jdk.xml.xsltcIsStandalone", standalone ? "yes" : "no");
    
    // to use the System property, set it before initializing a Transformer
    System.setProperty("jdk.xml.xsltcIsStandalone", standalone ? "yes" : "no");
    
    // to clear the property, place the line anywhere after the Transformer is initialized
    System.clearProperty("jdk.xml.xsltcIsStandalone");
    

    See JDK-8260858.

  5. Added existing features and properties and standardizing the prefix to jdk.xml.

    Existing features and properties have been added to the Implementation Specific Features and Properties tables in the java.xml module summary. All of the features and properties, existing and new, now have a prefix of jdk.xml as redefined in the Naming Convention section. System properties are searchable in the Java API documentation by the full name, such as jdk.xml.entityExpansionLimit.

    See JDK-8265252.

See JDK-8261856

hotspot/gc
 Segmentation Fault Error on 9th and 10th Generation Intel® Core™ Processors

When running Java on 9th and 10th Gen Intel® Core™ processors, a segmentation fault indicating invalid permissions for a mapped object may be observed. A workaround is included that reduces the frequency of the occurrences.

See JDK-8263710

hotspot/gc
 Parallel GC Enables Adaptive Parallel Reference Processing by Default

Parallel GC now ergonomically determines the optimal number of threads to use for processing java.lang.ref.Reference instances during garbage collection. The option -XX:ParallelRefProcEnabled is now true (enabled) by default.

The change improves this phase of the garbage collection pause significantly on machines with more than one thread available for garbage collection.

If you experience increased garbage collection pauses, you can revert to the original behavior by specifying -XX:-ParallelRefProcEnabled on the command line.

The ergonomics of java.lang.ref.Reference processing can be tuned by using the experimental option -XX:ReferencesPerThread (default value: 1000).

See JDK-8204686

security-libs/java.security
 New System Property Added to Enable the OCSP Nonce Extension

A new system property, jdk.security.certpath.ocspNonce, has been added to enable the OCSP Nonce Extension. This system property is disabled by default, and can be enabled by setting it to the value true. If set to true, the JDK implementation of PKIXRevocationChecker includes a nonce extension containing a 16 byte nonce with each OCSP request. See RFC 8954 for more details on the OCSP Nonce Extension.

See JDK-8256895

security-libs/java.security
 Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280

The gencert command of the keytool utility has been updated to create AKID from the SKID of the issuing certificate as specified by RFC 5280.

See JDK-8257497

security-libs/java.security
 Updated Specifications of KeyStoreSpi.engineStore(KeyStore.LoadStoreParameter) and KeyStore.store(KeyStore.LoadStoreParameter) Methods

The specifications of the KeyStoreSpi.engineStore(KeyStore.LoadStoreParameter param) and KeyStore.store(KeyStore.LoadStoreParameter param) methods have been updated to specify that an UnsupportedOperationException is thrown if the implementation does not support the engineStore() operation. This change adjusts the specification to match the existing behavior.

See JDK-8246005

security-libs/java.security
 jarsigner Tool Warns if Weak Algorithms Are Used in Signer’s Certificate Chain

The jarsigner tool has been updated to warn users when weak keys or cryptographic algorithms are used in certificates of the signer’s certificate chain.

See JDK-8259401

security-libs/javax.net.ssl
 SocketExceptions Are Not Wrapped Into SSLExceptions in SSLSocketImpl

This release reverts the behavior of SSLSocketImpl and SSLTransport introduced by JDK-8196584. SocketException will now be thrown as is instead of being suppressed into an SSLException.

See JDK-8259662

specification/language
 JEP 306: Restore Always-Strict Floating-Point Semantics

Floating-point operations are now consistently strict, rather than having both "strict" floating-point semantics (strictfp) and subtly different "default" floating-point semantics. This restores the original floating-point semantics of the language and VM, matching the semantics before the introduction of "strict" and "default" floating-point modes in Java SE 1.2.

For further details, see JEP 306.

See JDK-8175916

tools/javadoc(tool)
 Improved Nested Class Summary

When a class or interface has nested classes or interfaces, the list is improved to show the kind of class or interface, such as enum class, record class, annotation interface, as appropriate.

See JDK-8266044

tools/javadoc(tool)
 Improved Package Summary Pages

The summary page for a package has been restructured to display the different kinds of classes and interfaces in a single tabbed table, instead of a series of separate tables. Additional links have been provided in the navigation bar at the top of the page, to aid in faster navigation to different parts of the page.

See JDK-8263507

tools/javadoc(tool)
 Improved Output for @see Tags

When a declaration has a series of @see tags, the output is generated in the form of an HTML <ul> list, instead of a simple comma-separated list of links. The style of the list depends on the number and kind of the links.

See JDK-8262992

tools/javadoc(tool)
 Ids Used by the Standard Doclet

"Multi-word" ids in the HTML generated by the Standard Doclet have been converted to a uniform style of lowercase words separated by hyphens. This primarily affects the ids used to navigate within the generated documentation and does not affect the ids used for field and method declarations, and which may be used in external pages to reference such declarations within the documentation.

See JDK-8261976

tools/javadoc(tool)
 Improved "Help" Page

The content of the "Help" page generated by the Standard Doclet has been revised, improved, and new information added.

  • There is a new "Navigation" section that provides general information on how to navigate around the documentation.
  • Information about the different kinds of pages has been gathered into a new section, along with new information about pages that were not previously documented.
  • There is a brief "table of contents" at the top of the page that provides links to all of the sections and subsections on the page.

In addition, the HELP link in the navigation bar for each kind of page now links directly to the section on the Help page for that kind of page.

See JDK-8263198

tools/javadoc(tool)
 Legal Headers for Generated Files

The set of files generated by the Standard Doclet typically includes some files with associated licensing requirements. The Standard Doclet now provides support for including the associated legal files, with default behavior for the common case and a new command-line option (--legal-notices) to override that behavior when appropriate.

See JDK-8259530

tools/javadoc(tool)
 Check for Empty Paragraphs

DocLint (invoked from javac and javadoc with the -Xdoclint option) now checks for constructs that lead to empty paragraphs in the generated documentation, which might be flagged by an HTML validator. The most common cause is the redundant use of <p> at the end of a block of text.

See JDK-8258957

tools/javadoc(tool)
 DocLint Reports Missing "descriptions"

DocLint detects and reports documentation comments that do not have any description about the associate declaration, before any block tags that may be present. (DocLint is a feature of the javac and javadoc tools, to detect and report issues in documentation comments.)

See JDK-8272374

core-libs/java.lang:class_loading
 URLClassLoader No Longer Throws Undocumented IllegalArgumentException From getResources and findResources

In the event that there is a problem getting a resource, URLClassLoader.getResource() and findResource() now return null instead of throwing an undocumented IllegalArgumentException. The same is true of Enumerations obtained from URLClassLoader.getResources() and URLClassLoader.findResources().

This behavior conforms with the long-standing specification. The situation would typically occur on Windows, due to the use of a Windows-style path ("c:/windows").

See JDK-8262277

core-libs/java.lang
 Less Ambiguous Processing of ProcessBuilder Quotes on Windows

In the java.lang.ProcessBuilder implementation on Windows, the system property jdk.lang.Process.allowAmbiguousCommands=false ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess. An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process. If a security manager is set, such as in WebStart applications, double-quotes are encoded as described. When there is no security manager, there is no change to existing behavior; the jdk.lang.Process.allowAmbiguousCommands property can be set to true: jdk.lang.Process.allowAmbiguousCommands=true or false. If left unset, it is the same as setting it to true.

JDK-8250568 (not public)