This page contains all of the release notes for the JDK 17 General Availability (GA) releases:
The full version string for this update release is 17.0.7+8 (where "+" means "build"). The version number is 17.0.7.
JDK 17.0.7 contains IANA time zone data 2022g which contains the following changes:
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.7 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
17 | 17.0.7+8 |
11 | 11.0.19+9 |
8 | 8u371-b11 |
Oracle recommends that the JDK is updated with each Critical Patch Update. Use the Security Baseline page to determine the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 17.0.7) after the next critical patch update release, scheduled for July 18, 2023.
A new Java Flight Recorder (JFR) event has been added to record details of initial security properties when loaded via the java.security.Security
class.
The new event name is jdk.InitialSecurityProperty
and contains the following fields:
Field name | Field Description |
---|---|
key | Security Property Key |
value | Corresponding Security Property Value |
This new JFR event is enabled by default. The java.security.debug=properties
system property will also now print initial security properties to the standard error stream. With this new event and the already available jdk.SecurityPropertyModification
event (when enabled since it is not enabled by default), a JFR recording can now monitor the initial settings of all security properties and any subsequent changes.
Some Swing components, such as JLabels and JButtons, which display application text, will try to interpret that text as HTML, principally to enable styled text. The HTML processing of the text for these components will no longer recognize the <object>
tag which allows for subclasses of java.awt.Component
to be rendered on the component. To re-enable this, applications must specify -Dswing.html.object=true
.
The following root certificate has been added to the cacerts truststore:
+ Certigna (Dhimyotis)
+ certignarootca
DN: CN=Certigna, O=Dhimyotis, C=FR
The behavior of the method java.io.File.listRoots()
on Microsoft Windows has changed in this release so that the returned array includes a File
object for all available disk drives. This differs from the behavior in JDK 10 to JDK 20, where this method filtered out disk drives that were not accessible or did not have media present. This change avoids performance issues observed in these releases and also ensures that the method is consistent with the root directories in the iteration returned by FileSystem.getDefault().getRootDirectories()
.
A behavioral change has been made in the case where the default conf/security/java.security
security configuration file fails to load. In such a scenario, the JDK will now throw an InternalError
.
Such a scenario should never occur. The default security file should always be present. Prior to this change, a static security configuration was loaded.
Applications using the Dell BSAFE Crypto-J 3rd party security provider may encounter an IOException if decoding DH or DSA algorithm parameters with the following exception:
Exception in thread "main" java.io.IOException: Could not decode parameters. at com.rsa.cryptoj.o.ms.engineInit(Unknown Source) at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
Dell BSAFE Crypto-J version 6.2.6.2 has been released to address this issue. Applications using this provider should upgrade to that version or later. For applications on older versions of this provider, an interoperability fix has been added to this release of the JDK.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 17.0.7:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8282577 | client-libs/2d | ICC_Profile.setData(int, byte[]) invalidates the profile |
2 | JDK-8285399 | client-libs/2d | JNI exception pending in awt_GraphicsEnv.c:1432 |
3 | JDK-8284023 | client-libs/java.awt | java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo |
4 | JDK-8296496 | client-libs/java.awt | Overzealous check in sizecalc.h prevents large memory allocation |
5 | JDK-8279614 | client-libs/java.awt | The left line of the TitledBorder is not painted on 150 scale factor |
6 | JDK-8288332 | client-libs/java.awt | Tier1 validate-source fails after 8279614 |
7 | JDK-8295685 | client-libs/java.awt | Update Libpng to 1.6.38 |
8 | JDK-8292948 | client-libs/javax.swing | JEditorPane ignores font-size styles in external linked css-file |
9 | JDK-8282958 | client-libs/javax.swing | Rendering Issues with Borders on Windows High-DPI systems |
10 | JDK-8294378 | core-libs/java.net | URLPermission constructor exception when using tr locale |
11 | JDK-8297569 | core-libs/java.net | URLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378 |
12 | JDK-8299439 | core-libs/java.text | java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR |
13 | JDK-8295530 | core-libs/java.util.jar | Update Zlib Data Compression Library to Version 1.2.13 |
14 | JDK-8287180 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2022-08-08 |
15 | JDK-8267038 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2022-03-02 |
16 | JDK-8296239 | core-libs/java.util:i18n | ISO 4217 Amendment 174 Update |
17 | JDK-8292778 | core-svc/java.lang.instrument | EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free |
18 | JDK-8292541 | core-svc/java.lang.management | [Metrics] Reported memory limit may exceed physical machine memory |
19 | JDK-8297656 | performance/hotspot | AArch64: Enable AES/GCM Intrinsics |
20 | JDK-8268276 | hotspot/compiler | Base64 Decoding optimization for x86 using AVX-512 |
21 | JDK-8269404 | hotspot/compiler | Base64 Encoding optimization enhancements for x86 using AVX-512 |
22 | JDK-8273108 | hotspot/compiler | RunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276 |
23 | JDK-8273459 | hotspot/compiler | Update code segment alignment to 64 bytes |
24 | JDK-8296958 | hotspot/compiler | [JVMCI] add API for retrieving ConstantValue attributes |
25 | JDK-8296961 | hotspot/compiler | [JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField |
26 | JDK-8296960 | hotspot/compiler | [JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool |
27 | JDK-8296967 | hotspot/compiler | [JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod |
28 | JDK-8282528 | hotspot/compiler | AArch64: Incorrect replicate2L_zero rule |
29 | JDK-8277137 | hotspot/compiler | Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1 |
30 | JDK-8294902 | hotspot/compiler | Undefined Behavior in C2 regalloc with null references |
31 | JDK-8290322 | hotspot/compiler | Optimize Vector.rearrange over byte vectors for AVX512BW targets. |
32 | JDK-8295066 | hotspot/compiler | Folding of loads is broken in C2 after JDK-8242115 |
33 | JDK-8296912 | hotspot/compiler | C2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1 |
34 | JDK-8294538 | hotspot/compiler | missing is_unloading() check in SharedRuntime::fixup_callers_callsite() |
35 | JDK-8292602 | hotspot/compiler | ZGC: C2 late barrier analysis uses invalid dominator information |
36 | JDK-8292660 | hotspot/compiler | C2: blocks made unreachable by NeverBranch-to-Goto conversion are removed incorrectly |
37 | JDK-8292285 | hotspot/compiler | C2: remove unreachable block after NeverBranch-to-Goto conversion |
38 | JDK-8290964 | hotspot/compiler | C2 compilation fails with assert "non-reduction loop contains reduction nodes" |
39 | JDK-8281122 | hotspot/compiler | [IR Framework] Cleanup IR matching code in preparation for JDK-8280378 |
40 | JDK-8276064 | hotspot/compiler | CheckCastPP with raw oop input floats below a safepoint |
41 | JDK-8296924 | hotspot/compiler | C2: assert(is_valid_AArch64_address(dest.target())) failed: bad address |
42 | JDK-8290850 | hotspot/compiler | C2: create_new_if_for_predicate() does not clone pinned phi input nodes resulting in a broken graph |
43 | JDK-8297431 | hotspot/compiler | [JVMCI] HotSpotJVMCIRuntime.encodeThrowable should not throw an exception |
44 | JDK-8285835 | hotspot/compiler | SIGSEGV in PhaseIdealLoop::build_loop_late_post_work |
45 | JDK-8295788 | hotspot/compiler | C2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node" |
46 | JDK-8297951 | hotspot/compiler | C2: Create skeleton predicates for all If nodes in loop predication |
47 | JDK-8297264 | hotspot/compiler | C2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top |
48 | JDK-8295116 | hotspot/compiler | C2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead |
49 | JDK-8242115 | hotspot/compiler | C2 SATB barriers are not safepoint-safe |
50 | JDK-8292301 | hotspot/compiler | [REDO v2] C2 crash when allocating array of size too large |
51 | JDK-8296136 | hotspot/compiler | Use correct register in aarch64_enc_fast_unlock() |
52 | JDK-8296389 | hotspot/compiler | C2: PhaseCFG::convert_NeverBranch_to_Goto must handle both orders of successors |
53 | JDK-8272985 | hotspot/gc | Reference discovery is confused about atomicity and degree of parallelism |
54 | JDK-8296733 | hotspot/jfr | JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect |
55 | JDK-8283199 | hotspot/runtime | Linux os::cpu_microcode_revision() stalls cold startup |
56 | JDK-8271506 | hotspot/runtime | Add ResourceHashtable support for deleting selected entries |
57 | JDK-8294160 | hotspot/runtime | misc crash dump improvements |
58 | JDK-8048190 | hotspot/runtime | NoClassDefFoundError omits original ExceptionInInitializerError |
59 | JDK-8293472 | hotspot/runtime | Incorrect container resource limit detection if manual cgroup fs mounts present |
60 | JDK-8287011 | hotspot/runtime | Improve container information |
61 | JDK-8286030 | hotspot/runtime | Avoid JVM crash when containers share the same /tmp dir |
62 | JDK-8262386 | hotspot/svc-agent | resourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java timed out |
63 | JDK-8297918 | infrastructure | Remove platform dependency in corelibs-atr and langtools-atr task definition files |
64 | JDK-8298349 | install/install | /usr/java/latest points to wrong JDK |
65 | JDK-8298330 | install/install | /usr/java/latest is missing after one of JDK rpms is uninstalled |
66 | JDK-8280890 | security-libs/java.security | Cannot use '-Djava.system.class.loader' with class loader in signed JAR |
67 | JDK-8292297 | security-libs/java.security | Fix up loading of override java.security properties file |
68 | JDK-8293701 | core-svc/tools | jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present |
69 | JDK-8296619 | tools/javadoc(tool) | Upgrade jQuery to 3.6.1 |
The following sections summarize changes made in all Java SE 17.0.6 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8280890 | security-libs | java.security | Cannot use '-Djava.system.class.loader' with class loader in signed JAR |
JDK-8297804 | core-libs | java.time | (tz) Update Timezone Data to 2022g |
January 17, 2023
The full version string for this update release is 17.0.6+9 (where "+" means "build"). The version number is 17.0.6.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.6 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
17 | 17.0.6+9 |
11 | 11.0.18+9 |
8 | 8u361-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.6) be used after the next critical patch update scheduled for April 18, 2023.
With this fix the SunJSSE DTLS implementation will by default exchange cookies for all handshakes (new and resumed) unless the System property jdk.tls.enableDtlsResumeCookie
is false
. The property only affects the cookie exchange for resumption.
An OCSP response signed with the RSASSA-PSS algorithm is now supported.
This issue prevents yum
from automatically installing the correct packages required by Oracle Linux specific x86_64 headless and headful JDK packages. Instead of x86_64 packages, it will install i686 packages. To workaround the issue, you may manually install packages with the same names as indicated by yum
but with the x86_64 architecture.
After you have the x86_64 headless and/or headful jdk packages installed, you can get the list of required x86_64 packages by running the following script:
rpm -qa | grep -E -e '^jdk-.*-headful-.*\.x86_64$' -e '^jdk-.*-headless-.*\.x86_64$' | xargs -r rpm -q --requires | sort -u | cut -d ' ' -f 1 | grep -v '^rpmlib' | xargs -r rpm -q --whatprovides | sort -u | grep -e '.i[3456]86$' | xargs -r rpm -q --queryformat '%{name}.x86_64\n' | xargs -r echo
It will output a space-separated list of names of required x86_64 packages to stdout. You can pass this list to a sudo yum install
command to ensure the installation of the required packages.
The “JavaScript script engine” for FXML is now disabled by default. Any .fxml file that has a "javascript" Processing Instruction (PI) will no longer load by default, and an exception will be thrown.
If the JDK has a JavaScript script engine, it can be enabled by setting the system property: -Djavafx.allowjs=true
With 11.0.14, we are shipping the original JDK 11 translated resource bundles for German.
Installation directory name of Oracle JDK in RPM package has changed from /usr/java/jdk-${VERSION}
to /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}
. Thus the 17.0.6, and 17.0.7 releases for x64 will both be installed in /usr/lib/jvm/jdk-17-oracle-x64
directory. RPM package will create /usr/java/jdk-${FEATURE}
link pointing to the installation directory for backward compatibility.
Communication with the alternatives framework of JDK RPM package has changed. JDK RPM packages of prior versions registered a single java
group of commands with the alternatives framework. The JDK 17 RPM package registers java
and javac
groups with the alternatives framework. java
group is for commands used to run applications: java
, keytool
, and rmiregistry
. javac
group is used for all other commands. The set of commands registered by the package has not changed.
Two new Oracle Linux (OL)-specific JDK RPM packages have been added: jdk-17-headless
and jdk-17-headful
. These packages are available in OL7, OL8, and OL9 repositories. They are not available for OTN downloads. jdk-17-headless
is a Headless Java Runtime for running non-GUI applications. jdk-17-headful
is a Headful Java Runtime & Development Tools for developing and running applications of all types.
The combination of the OL-specific jdk-17-headless
and jdk-17-headful
packages provides the same JDK image and the same capabilities as jdk-17
OTN package. OL-specific JDK RPM packages specify required capabilities, and the "Release" property of these packages has a %{dist}
suffix.
Windows JDK installers must install the Oracle JDK in %Program Files%\Java\jdk-%FEATURE%
instead of %Program Files%\Java\jdk-%VNUM%
. I.e. all updates of the same release must share one installation directory.
Thus the 17.0.6 and 17.0.7 releases will both install into %Program Files%\Java\jdk-17
by default, and they both cannot be installed at the same time.
If the JDK17.0.7 installer is launched when JDK17.0.6 is already installed, it will auto-upgrade them to JDK17.0.7. There may be a Files In Use dialog shown if the older version was running and locking JDK files.
If the JDK17.0.6 installer is launched when JDK17.0.7 is already installed, it will show an error that a newer version of this JDK family is already installed.
The Oracle JDK installation directory name will be changed from /Library/Java/JavaVirtualMachines/jdk-${VERSION}.jdk
to /Library/Java/JavaVirtualMachines/jdk-${FEATURE}.jdk
. Thus the 17.0.6 and 17.0.7 releases will both install into the /Library/Java/JavaVirtualMachines/jdk-17.jdk
installation directory. Installing an older JDK update release will log an error, and not install the JDK, if a newer version of the same feature release already exists. An error dialog will be shown except in the case of a silent installation. JDK 17.0.N update releases shipped prior JEP C208 will not be uninstalled during installation of JDK 17 update release with JEP C208. However, JDK 17 GA release will be removed and its location /Library/Java/JavaVirtualMachines/jdk-17.jdk will be reused.
ProcessBuilder on Windows is restored to address a regression caused by JDK-8250568. Previously, an argument to ProcessBuilder that started with a double-quote and ended with a backslash followed by a double-quote was passed to a command incorrectly and may cause the command to fail. For example the argument "C:\\Program Files\"
, would be seen by the command with extra double-quotes. This update restores the long standing behavior that does not treat the backslash before the final double-quote specially.
The Set
implementation that holds principals and credentials in a JAAS Subject
prohibits null elements and any attempt to add, query, or remove a null element will result in a NullPointerException
. This is especially important when trying to remove principals or credentials from the subject at the logout phase but they are null because of a previous failed login. Various JDK LoginModule
implementations have been fixed to avoid the exception. An Implementation Note has also been added to the logout()
method of the LoginModule
interface. Developers should verify and if necessary update any custom LoginModule
implementations to be compliant with this implementation advice.
As part of ongoing maintenance, the JDK for Windows is built using the Microsoft Visual Studio 2022 toolchain starting with this release.
If you have issues with a Java application and if you have native or JNI libraries that are compiled with a different release of the compiler, then you must consider compatibility issues between the runtimes. Specifically, your environment is supported only if you follow the Microsoft guidelines when dealing with multiple runtimes.
The SunJSSE close notification checks for SSLEngine
to have been made less strict to conform to changes in the Transport Layer Security (TLS) RFCs. See also JDK-8253368.
Specifically, if an application tries to close its SSLEngine
inbound side using SSLEngine.closeInbound()
without having received a close notification message from its peer, the SSLEngine
will no longer:
The new behavior will still consider this condition an error and will throw a local javax.net.ssl.SSLException
. But a fatal-level alert will no longer be generated to be sent to the peer, and the underlying session will remain valid.
In addition, the internal transport context for the SSLEngine
will also now be closed. This may result in a different SSLEngineResult.HandshakeStatus
value on the SSLEngine
. Any outstanding outbound data must still be obtained (SSLEngine.wrap()
) and sent in order to gracefully close the connection.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 17.0.6:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8295429 | client-libs | Update harfbuzz md file |
2 | JDK-8293672 | client-libs | Update freetype md file |
3 | JDK-8289697 | client-libs/2d | buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad |
4 | JDK-8240756 | client-libs/2d | [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled |
5 | JDK-8284033 | client-libs/java.awt | Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c |
6 | JDK-8273655 | core-libs/java.net | content-types.properties files are missing some common types |
7 | JDK-8272352 | core-libs/java.util:i18n | Java launcher can not parse Chinese character when system locale is set to UTF-8 |
8 | JDK-8294307 | core-libs/java.util:i18n | ISO 4217 Amendment 173 Update |
9 | JDK-8293657 | core-svc/javax.management | sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake" |
10 | JDK-8293319 | hotspot/compiler | [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if |
11 | JDK-8280511 | hotspot/compiler | AArch64: Combine shift and negate to a single instruction |
12 | JDK-8276108 | hotspot/compiler | Wrong instruction generation in aarch64 backend |
13 | JDK-8251216 | hotspot/compiler | Implement MD5 intrinsics on AArch64 |
14 | JDK-8186670 | hotspot/compiler | Implement _onSpinWait() intrinsic for AArch64 |
15 | JDK-8290781 | hotspot/compiler | Segfault at PhaseIdealLoop::clone_loop_handle_data_uses |
16 | JDK-8282347 | hotspot/compiler | AARCH64: Untaken branch in has_negatives stub |
17 | JDK-8282049 | hotspot/compiler | AArch64: Use ZR for integer zero immediate volatile stores |
18 | JDK-8291775 | hotspot/compiler | C2: assert(r != __null && r->is_Region()) failed: this phi must have a region |
19 | JDK-8290711 | hotspot/compiler | assert(false) failed: infinite loop in PhaseIterGVN::optimize |
20 | JDK-8287349 | hotspot/compiler | AArch64: Merge LDR instructions to improve C1 OSR performance |
21 | JDK-8277411 | hotspot/compiler | C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check |
22 | JDK-8277358 | hotspot/compiler | Accelerate CRC32-C |
23 | JDK-8291599 | hotspot/compiler | Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127 |
24 | JDK-8290705 | hotspot/compiler | StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" |
25 | JDK-8290529 | hotspot/compiler | C2: assert(BoolTest(btest).is_canonical()) failure |
26 | JDK-8288445 | hotspot/compiler | AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding |
27 | JDK-8280872 | hotspot/compiler | Reorder code cache segments to improve code density |
28 | JDK-8272094 | hotspot/compiler | compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline" |
29 | JDK-8293816 | hotspot/compiler | CI: ciBytecodeStream::get_klass() is not consistent |
30 | JDK-8293044 | hotspot/compiler | C1: Missing access check on non-accessible class |
31 | JDK-8292158 | hotspot/compiler | AES-CTR cipher state corruption with AVX-512 |
32 | JDK-8270947 | hotspot/compiler | AArch64: C1: use zero_words to initialize all objects |
33 | JDK-8287425 | hotspot/compiler | Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path |
34 | JDK-8290451 | hotspot/compiler | Incorrect result when switching to C2 OSR compilation from C1 |
35 | JDK-8268779 | hotspot/gc | ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space" |
36 | JDK-8278389 | hotspot/gc | SuspendibleThreadSet::_suspend_all should be volatile/atomic |
37 | JDK-8288754 | hotspot/gc | GCC 12 fails to build zReferenceProcessor.cpp |
38 | JDK-8279398 | hotspot/jfr | jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop" |
39 | JDK-8268297 | hotspot/jfr | jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out |
40 | JDK-8291459 | hotspot/runtime | JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*) |
41 | JDK-8292083 | hotspot/runtime | Detected container memory limit may exceed physical machine memory |
42 | JDK-8293156 | hotspot/svc | Dcmd VM.classloaders fails to print the full hierarchy |
43 | JDK-8257722 | security-libs/java.security | Improve "keytool -printcert -jarfile" output |
44 | JDK-8273553 | security-libs/javax.net.ssl | sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368 |
45 | JDK-8276764 | core-svc/tools | Enable deterministic file content ordering for Jar and Jmod |
46 | JDK-8276766 | tools/jar | Enable jar and jmod to produce deterministic timestamped content |
47 | JDK-8293578 | tools/javac | Duplicate ldc generated by javac |
48 | JDK-8266082 | tools/javac | AssertionError in Annotate.fromAnnotations with -Xdoclint |
49 | JDK-8272776 | tools/javac | NullPointerException not reported |
50 | JDK-8286444 | tools/javac | javac errors after JDK-8251329 are not helpful enough to find root cause |
51 | JDK-8286855 | tools/javac | javac error on invalid jar should only print filename |
52 | JDK-8287076 | xml/org.w3c.dom | Document.normalizeDocument() produces different results |
The following sections summarize changes made in all Java SE 17.0.5 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8291973 | install | install | Java RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash |
JDK-8294357 | core-libs | java.time | (tz) Update Timezone Data to 2022d |
October 18, 2022
The full version string for this update release is 17.0.5+9 (where "+" means "build"). The version number is 17.0.5.
JDK 17.0.5 contains IANA time zone data 2022b, 2022c.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.5 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
17 | 17.0.5+9 |
11 | 11.0.17+10 |
8 | 8u351-b10 |
7 | 7u361-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.5) be used after the next critical patch update scheduled for January 17, 2023.
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.
To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:
This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run jarsigner -verify -verbose -certs
on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.
For example:
- Signed by "CN="Signer""
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA1withRSA (disabled), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.
Users can, at their own risk, remove these restrictions by modifying the java.security
configuration file (or override it by using the java.security.properties
system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms
security property and "SHA1 denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms
security property.
Two system properties have been added which control the keep alive behavior of HttpURLConnection in the case where the server does not specify a keep alive time. Two properties are defined for controlling connections to servers and proxies separately. They are http.keepAlive.time.server
and http.keepAlive.time.proxy
respectively. More information about them can be found in Networking Properties.
This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone data. All time zone IDs remain the same but the merged time zones will point to a shared zone data.
As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.
For more details, refer to the announcement of 2022b.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 17.0.5:
# | JBS | Component | Summary |
---|---|---|---|
1 | JDK-8285686 | client-libs/2d | Update FreeType to 2.12.0 |
2 | JDK-8264666 | client-libs/2d | Change implementation of safeAdd/safeMult in the LCMSImageLayout class |
3 | JDK-8289853 | client-libs/2d | Update HarfBuzz to 4.4.1 |
4 | JDK-8290334 | client-libs/2d | Update FreeType to 2.12.1 |
5 | JDK-8274939 | client-libs/java.awt | Incorrect size of the pixel storage is used by the robot on macOS |
6 | JDK-8273506 | client-libs/java.awt | java Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12 |
7 | JDK-8255439 | client-libs/java.awt | System Tray icons get corrupted when Windows scaling changes |
8 | JDK-8287740 | client-libs/javax.accessibility | NSAccessibilityShowMenuAction not working for text editors |
9 | JDK-8284690 | client-libs/javax.accessibility | [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox |
10 | JDK-8284014 | client-libs/javax.accessibility | Menu items with submenus in JPopupMenu are not spoken on macOS |
11 | JDK-8277497 | client-libs/javax.accessibility | Last column cell in the JTable row is read as empty cell |
12 | JDK-8278609 | client-libs/javax.accessibility | [macos] accessibility frame is misplaced on a secondary monitor on macOS |
13 | JDK-8283383 | client-libs/javax.accessibility | [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name |
14 | JDK-8286266 | client-libs/javax.accessibility | [macos] VoiceOver : Moving JTable column to be the first column JVM crashes |
15 | JDK-8287917 | core-libs/java.lang:class_loading | System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier |
16 | JDK-8281183 | core-libs/java.util | RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950 |
17 | JDK-8280950 | core-libs/java.util | RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix |
18 | JDK-8288769 | core-libs/java.util.jar | Revert unintentional change to deflate.c |
19 | JDK-8283277 | core-libs/java.util:i18n | ISO 4217 Amendment 171 Update |
20 | JDK-8289549 | core-libs/java.util:i18n | ISO 4217 Amendment 172 Update |
21 | JDK-8276990 | core-svc/debugger | Memory leak in invoker.c fillInvokeRequest() during JDI operations |
22 | JDK-8281615 | core-svc/debugger | Deadlock caused by jdwp agent |
23 | JDK-8284094 | core-svc/debugger | Memory leak in invoker_completeInvokeRequest() |
24 | JDK-8284848 | hotspot/compiler | C2: Compiler blackhole arguments should be treated as globally escaping |
25 | JDK-8282467 | hotspot/compiler | add extra diagnostics for JDK-8268184 |
26 | JDK-8284883 | hotspot/compiler | JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512 |
27 | JDK-8285923 | hotspot/compiler | [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities |
28 | JDK-8282555 | hotspot/compiler | Missing memory edge when spilling MoveF2I, MoveD2L etc |
29 | JDK-8286638 | hotspot/compiler | C2: CmpU needs to do more precise over/underflow analysis |
30 | JDK-8288303 | hotspot/compiler | C1: Miscompilation due to broken Class.getModifiers intrinsic |
31 | JDK-8270090 | hotspot/compiler | C2: LCM may prioritize CheckCastPP nodes over projections |
32 | JDK-8280696 | hotspot/compiler | C2 compilation hits assert(is_dominator(c, n_ctrl)) failed |
33 | JDK-8285820 | hotspot/compiler | C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090 |
34 | JDK-8287091 | hotspot/compiler | aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn |
35 | JDK-8287396 | hotspot/compiler | LIR_Opr::vreg_number() and data() can return negative number |
36 | JDK-8286625 | hotspot/compiler | C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect |
37 | JDK-8288467 | hotspot/compiler | remove memory_operand assert for spilled instructions |
38 | JDK-8276546 | hotspot/compiler | [IR Framework] Whitelist and ignore CompileThreshold |
39 | JDK-8279622 | hotspot/compiler | C2: miscompilation of map pattern as a vector reduction |
40 | JDK-8286177 | hotspot/compiler | C2: "failed: non-reduction loop contains reduction nodes" assert failure |
41 | JDK-8284944 | hotspot/compiler | assert(cnt++ < 40) failed: infinite cycle in loop optimization |
42 | JDK-8287223 | hotspot/compiler | C1: Inlining attempt through MH::invokeBasic() with null receiver |
43 | JDK-8272736 | hotspot/compiler | [JVMCI] Add API for reading and writing JVMCI thread locals |
44 | JDK-8284358 | hotspot/compiler | Unreachable loop is not removed from C2 IR, leading to a broken graph |
45 | JDK-8288360 | hotspot/compiler | CI: ciInstanceKlass::implementor() is not consistent for well-known classes |
46 | JDK-8288781 | hotspot/compiler | C1: LIR_OpVisitState::maxNumberOfOperands too small |
47 | JDK-8287432 | hotspot/compiler | C2: assert(tn->in(0) != __null) failed: must have live top node |
48 | JDK-8283441 | hotspot/compiler | C2: segmentation fault in ciMethodBlocks::make_block_at(int) |
49 | JDK-8289127 | hotspot/compiler | Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible |
50 | JDK-8286314 | hotspot/compiler | Trampoline not created for far runtime targets outside small CodeCache |
51 | JDK-8281297 | hotspot/gc | TestStressG1Humongous fails with guarantee(is_range_uncommitted) |
52 | JDK-8283597 | hotspot/jvmti | [REDO] Invalid generic signature for redefined classes |
53 | JDK-8278753 | hotspot/runtime | Runtime crashes with access violation during JNI_CreateJavaVM call |
54 | JDK-8283469 | hotspot/runtime | Don't use memset to initialize members in FileMapInfo and fix memory leak |
55 | JDK-8268773 | hotspot/runtime | Improvements related to: Failed to start thread - pthread_create failed (EAGAIN) |
56 | JDK-8289477 | hotspot/runtime | Memory corruption with CPU_ALLOC, CPU_FREE on muslc |
57 | JDK-8289799 | hotspot/runtime | Build warning in methodData.cpp memset zero-length parameter |
58 | JDK-8290417 | hotspot/runtime | CDS cannot archive lamda proxy with useImplMethodHandle |
59 | JDK-8287107 | hotspot/runtime | CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller |
60 | JDK-8287741 | hotspot/runtime | Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete |
61 | JDK-8283723 | infrastructure | Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows |
62 | JDK-8275887 | security-libs/java.security | jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled |
63 | JDK-8281628 | security-libs/javax.crypto | KeyAgreement : generateSecret intermittently not resetting |
64 | JDK-8284694 | security-libs/javax.net.ssl | Avoid evaluating SSLAlgorithmConstraints twice |
65 | JDK-8286211 | security-libs/javax.smartcardio | Update PCSC-Lite for SUSE Linux to 1.9.5 |
66 | JDK-8285398 | security-libs/jdk.security | Cache the results of constraint checks |
67 | JDK-8155701 | tools/javac | The compiler fails with an AssertionError: typeSig ERROR |
68 | JDK-8281316 | tools/javac | javac performance issues with large number of jars on classpath |
69 | JDK-8282214 | tools/javadoc(tool) | Upgrade JQuery to version 3.6.0 |
70 | JDK-8284367 | tools/javadoc(tool) | JQuery UI upgrade from 1.12.1 to 1.13.1 |
71 | JDK-8277494 | tools/jpackage | [BACKOUT] JDK-8276150 Quarantined jpackage apps are labeled as "damaged" |
72 | JDK-8284675 | tools/jpackage | "jpackage.exe" creates application launcher without Windows Application Manfiest |
73 | JDK-8276837 | tools/jpackage | [macos]: Error when signing the additional launcher |
74 | JDK-8278311 | tools/jpackage | Debian packaging doesn't work |
75 | JDK-8279370 | tools/jpackage | jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0 |
76 | JDK-8284067 | tools/jpackage | jpackage'd launcher reports non-zero exit codes with error prompt |
77 | JDK-8289486 | xml/jaxp | Improve XSLT XPath operators count efficiency |
The following sections summarize changes made in all Java SE 17.0.4.1 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
August 18, 2022
The full version string for this update release is 17.0.4.1+1 (where "+" means "build"). The version number is 17.0.4.1.
The security baselines are unchanged from the release of JDK 17.0.4.
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
17 | 17.0.4+11 |
11 | 11.0.16+11 |
8 | 8u341-b10 |
7 | 7u351-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.4.1) be used after the next critical patch update scheduled for October 18, 2022.
Oracle recommends that all JDK 17 users, even those that have already updated to 17.0.4, uptake the 17.0.4.1 patch release.
Fixes a regression in the C2 JIT compiler which caused the Java Runtime to crash unpredictably.
The following sections summarize changes made in all Java SE 17.0.4 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8255439 | client-libs | java.awt | System Tray icons get corrupted when windows scaling changes |
July 19, 2022
The full version string for this update release is 17.0.4+11 (where "+" means "build"). The version number is 17.0.4.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.4 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
17 | 17.0.4+11 |
11 | 11.0.16+11 |
8 | 8u341-b10 |
7 | 7u351-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.4) be used after the next critical patch update scheduled for October 18, 2022.
Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection.
Channel binding tokens are increasingly required as an enhanced form of security which can mitigate certain kinds of socially engineered, man in the middle (MITM) attacks. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shutdown the session/connection.
The feature is controlled through a new system property jdk.https.negotiate.cbt
which is described fully in the Networking Properties page.
The java.net.InetAddress
class has been updated to strictly accept IPv4 address literals in decimal quad notation. The InetAddress
class methods are updated to throw an java.net.UnknownHostException
for invalid IPv4 address literals. To disable this check, the new "jdk.net.allowAmbiguousIPAddressLiterals" system property can be set to "true".
DeflaterOutputStream.close()
and GZIPOutputStream.finish()
methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. ZIPOutputStream.closeEntry()
method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.
Previous JDK releases used an incorrect interpretation of the Linux cgroups parameter "cpu.shares". This might cause the JVM to use fewer CPUs than available, leading to an under utilization of CPU resources when the JVM is used inside a container.
Starting from this JDK release, by default, the JVM no longer considers "cpu.shares" when deciding the number of threads to be used by the various thread pools. The -XX:+UseContainerCpuShares
command-line option can be used to revert to the previous behavior. This option is deprecated and may be removed in a future JDK release.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 17.0.4:
# | JBS | Component | Subcomponent | Sumary |
---|---|---|---|---|
1 | JDK-8283217 | client-libs | 2d | Leak FcObjectSet in getFontConfigLocations() in fontpath.c |
2 | JDK-8278604 | client-libs | demo | SwingSet2 table demo does not have accessible description set for images |
3 | JDK-8274751 | client-libs | java.awt | Drag And Drop hangs on Windows |
4 | JDK-8278526 | client-libs | javax.accessibility | [macos] Screen reader reads SwingSet2 JTable row selection as null, dimmed row for last column |
5 | JDK-8279586 | client-libs | javax.accessibility | [macos] custom JCheckBox and JRadioBox with custom icon set: focus is still displayed after unchecking |
6 | JDK-8277922 | client-libs | javax.accessibility | Unable to click JCheckBox in JTable through Java Access Bridge |
7 | JDK-8274735 | client-libs | javax.imageio | javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image |
8 | JDK-8279842 | core-libs | java.net | HTTPS Channel Binding support for Java GSS/Kerberos |
9 | JDK-8282293 | core-libs | java.net | Domain value for system property jdk.https.negotiate.cbt should be case-insensitive |
10 | JDK-8282929 | core-libs | java.text | Localized monetary symbols are not reflected in `toLocalizedPattern` return value |
11 | JDK-8280543 | docs | hotspot | Update the "java" and "jcmd" tool specification for CDS |
12 | JDK-8279219 | hotspot | compiler | [REDO] C2 crash when allocating array of size too large |
13 | JDK-8278796 | hotspot | compiler | Incorrect behavior of FloatVector.withLane on X86 |
14 | JDK-8277906 | hotspot | compiler | Incorrect type for IV phi of long counted loops after CCP |
15 | JDK-8268231 | hotspot | compiler | Aarch64: Use Ldp in intrinsics for String.compareTo |
16 | JDK-8273139 | hotspot | compiler | C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency |
17 | JDK-8280799 | hotspot | compiler | С2: assert(false) failed: cyclic dependency prevents range check elimination |
18 | JDK-8265317 | hotspot | compiler | [vector] assert(payload->is_object()) failed: expected 'object' value for scalar-replaced boxed vector but got: NULL |
19 | JDK-8283451 | hotspot | compiler | C2: assert(_base == Long) failed: Not a Long |
20 | JDK-8282592 | hotspot | compiler | C2: assert(false) failed: graph should be schedulable |
21 | JDK-8282590 | hotspot | compiler | C2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes |
22 | JDK-8282312 | hotspot | compiler | Minor corrections to evbroadcasti32x4 intrinsic on x86 |
23 | JDK-8281811 | hotspot | compiler | assert(_base == Tuple) failed: Not a Tuple after JDK-8280799 |
24 | JDK-8275854 | hotspot | compiler | C2: assert(stride_con != 0) failed: missed some peephole opt |
25 | JDK-8275638 | hotspot | compiler | GraphKit::combine_exception_states fails with "matching stack sizes" assert |
26 | JDK-8256368 | hotspot | compiler | Avoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers |
27 | JDK-8283641 | hotspot | compiler | Large value for CompileThresholdScaling causes assert |
28 | JDK-8283408 | hotspot | compiler | Fix a C2 crash when filling arrays with unsafe |
29 | JDK-8280867 | hotspot | compiler | Cpuid1Ecx feature parsing is incorrect for AMD CPUs |
30 | JDK-8280600 | hotspot | compiler | C2: assert(!had_error) failed: bad dominance |
31 | JDK-8279837 | hotspot | compiler | C2: assert(is_Loop()) failed: invalid node class: Region |
32 | JDK-8279668 | hotspot | compiler | x86: AVX2 versions of vpxor should be asserted |
33 | JDK-8275337 | hotspot | compiler | C1: assert(false) failed: live_in set of first block must be empty |
34 | JDK-8274983 | hotspot | compiler | C1 optimizes the invocation of private interface methods |
35 | JDK-8280901 | hotspot | compiler | MethodHandle::linkToNative stub is missing w/ -Xint |
36 | JDK-8280526 | hotspot | compiler | x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1} |
37 | JDK-8279356 | hotspot | compiler | Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist! |
38 | JDK-8278948 | hotspot | compiler | compiler/vectorapi/reshape/TestVectorCastAVX1.java crashes in assembler |
39 | JDK-8277180 | hotspot | compiler | Intrinsify recursive ObjectMonitor locking for C2 x64 and A64 |
40 | JDK-8282874 | hotspot | compiler | Bad performance on gather/scatter API caused by different IntSpecies of indexMap |
41 | JDK-8281266 | hotspot | compiler | [JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly |
42 | JDK-8279515 | hotspot | compiler | C1: No inlining through invokedynamic and invokestatic call sites when resolved class is not linked |
43 | JDK-8279822 | hotspot | compiler | CI: Constant pool entries in error state are not supported |
44 | JDK-8279560 | hotspot | compiler | AArch64: generate_compare_long_string_same_encoding and LARGE_LOOP_PREFETCH alignment |
45 | JDK-8279437 | hotspot | compiler | [JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM |
46 | JDK-8275830 | hotspot | compiler | C2: Receiver downcast is missing when inlining through method handle linkers |
47 | JDK-8282231 | hotspot | compiler | x86-32: runtime call to SharedRuntime::ldiv corrupts registers |
48 | JDK-8282295 | hotspot | runtime | SymbolPropertyEntry::set_method_type fails with assert |
49 | JDK-8281274 | hotspot | runtime | deal with ActiveProcessorCount in os::Linux::print_container_info |
50 | JDK-8281275 | hotspot | runtime | Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths |
51 | JDK-8281181 | hotspot | runtime | Do not use CPU Shares to compute active processor count |
52 | JDK-8278553 | hotspot | test | RunThese30M.java failed due to errors in JckStressModule.out |
53 | JDK-8281517 | install | install | Improve the error message shown when a user tries to install the aarch64 bundle on an intel mac |
54 | JDK-8278851 | security-libs | java.security | Correct signer logic for jars signed with multiple digest algorithms |
55 | JDK-8255266 | security-libs | java.security | Update Public Suffix List to 3c213aa |
56 | JDK-8274524 | security-libs | javax.net.ssl | SSLSocket.close() hangs if it is called during the ssl handshake |
57 | JDK-8275082 | security-libs | javax.xml.crypto | Update XML Security for Java to 2.3.0 |
58 | JDK-8279520 | security-libs | org.ietf.jgss | SPNEGO has not passed channel binding info into the underlying mechanism |
59 | JDK-8277165 | tools | jdeps --multi-release --print-module-deps fails if module-info.class in different versioned directories | |
60 | JDK-8225559 | tools | javac | assertion error at TransTypes.visitApply |
The following sections summarize changes made in all Java SE 17.0.3 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
May 2, 2022
The full version string for this update release is 17.0.3.1+2 (where "+" means "build"). The version number is 17.0.3.1.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines are unchanged from the release of JDK 17.0.3.
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
17 | 17.0.3+8 |
11 | 11.0.15+8 |
8 | 8u331-b09 |
7 | 7u341-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.3.1) be used after the next critical patch update scheduled for July 19, 2022.
The Windows implementation of java.io.File
allows access to NTFS Alternate Data Streams (ADS) by default. Such streams have a structure like “filename:streamname”. A system property jdk.io.File.enableADS
has been added to control this behavior. To disable ADS support in java.io.File
, the system property jdk.io.File.enableADS
should be set to false
(case ignored). Stricter path checking however prevents the use of special devices such as NUL:
This release is based on the previous CPU and does not contain any additional security fixes. The following issues have also been resolved:
JBS | Component | Subcomponent | Sumary |
---|---|---|---|
JDK-8284920 | xml | javax.xml.path | Incorrect Token type causes XPath expression to return incorrect results |
JDK-8284548 | xml | jaxp | Invalid XPath expression causes StringIndexOutOfBoundsException |
The following sections summarize changes made in all Java SE 17.0.3 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8281181 | hotspot | runtime | Do not use CPU Shares to compute active processor count |
JDK-8282583 | xml | jaxp | Update BCEL md to include the copyright notice |
JDK-8283350 | core-libs | java.time | (tz) Update Timezone Data to 2022a |
April 19, 2022
The full version string for this update release is 17.0.3+8 (where "+" means "build"). The version number is 17.0.3.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.3 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
17 | 17.0.3+8 |
11 | 11.0.15+8 |
8 | 8u331-b09 |
7 | 7u341-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.3) be used after the next critical patch update scheduled for July 19, 2022.
Three processing limits have been added to the XML libraries. These are:
jdk.xml.xpathExprGrpLimit
Description: Limits the number of groups an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException
is thrown. Default 10.
jdk.xml.xpathExprOpLimit
Description: Limits the number of operators an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException
is thrown. Default 100.
jdk.xml.xpathTotalOpLimit
Description: Limits the total number of XPath operators in an XSL Stylesheet.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException
is thrown. Default 10000.
Supported processors
jdk.xml.xpathExprGrpLimit
and jdk.xml.xpathExprOpLimit
are supported by the XPath processor.
All three limits are supported by the XSLT processor.
Setting properties
For the XSLT processor, the properties can be changed through the TransformerFactory
. For example,
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");
For both the XPath and XSLT processors, the properties can be set through the system property and jaxp.properties
configuration file located in the conf
directory of the Java installation. For example,
System.setProperty("jdk.xml.xpathExprGrpLimit", "20");
or in the jaxp.properties
file,
jdk.xml.xpathExprGrpLimit=20
There are two known issues:
On macOS, only certificates with proper trust settings in the user keychain will be exposed as trusted certificate entries in the KeychainStore type of keystore. Also, calling the KeyStore::setCertificateEntry
method or the keytool -importcert
command on a KeychainStore keystore now fails with a KeyStoreException
. Instead, call the macOS "security add-trusted-cert" command to add a trusted certificate into the user keychain.
The parsing of URLs in the LDAP, DNS, and RMI built-in JNDI providers has been made more strict. The strength of the parsing can be controlled by system properties:
-Dcom.sun.jndi.ldapURLParsing="legacy" | "compat" | "strict" (to control "ldap:" URLs)
-Dcom.sun.jndi.dnsURLParsing="legacy" | "compat" | "strict" (to control "dns:" URLs)
-Dcom.sun.jndi.rmiURLParsing="legacy" | "compat" | "strict" (to control "rmi:" URLs)
The default value is "compat" for all of the three providers.
In "compat" and "strict" mode, more validation is performed. As an example, in the URL authority component, the new parsing only accepts brackets around IPv6 literal addresses. Developers are encouraged to use java.net.URI
constructors or its factory method to build URLs rather than handcrafting URL strings.
If an illegal URL string is found, a java.lang.IllegalArgumentException
or a javax.naming.NamingException
(or a subclass of it) is raised.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 17.0.3:
# | JBS | Component | Subcomponent | Sumary |
---|---|---|---|---|
1 | JDK-8270874 | client-libs | 2d | JFrame paint artifacts when dragged from standard monitor to HiDPI monitor |
2 | JDK-8275650 | core-libs | java.io | Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11 |
3 | JDK-8279833 | core-libs | java.lang | Loop optimization issue in String.encodeUTF8_UTF16 |
4 | JDK-8274658 | core-libs | java.util:i18n | ISO 4217 Amendment 170 Update |
5 | JDK-8277795 | core-libs | javax.naming | LDAP connection timeout not honoured under contention |
6 | JDK-8277777 | hotspot | compiler | [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad |
7 | JDK-8277441 | hotspot | compiler | CompileQueue::add fails with assert(_last->next() == __null) failed: not last |
8 | JDK-8275610 | hotspot | compiler | C2: Object field load floats above its null check resulting in a segfault |
9 | JDK-8275326 | hotspot | compiler | C2: assert(no_dead_loop) failed: dead loop detected |
10 | JDK-8262134 | hotspot | compiler | compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt" |
11 | JDK-8277447 | hotspot | compiler | Hotspot C1 compiler crashes on Kotlin suspend fun with loop |
12 | JDK-8273277 | hotspot | compiler | C2: Move conditional negation into rc_predicate |
13 | JDK-8271202 | hotspot | compiler | C1: assert(false) failed: live_in set of first block must be empty |
14 | JDK-8275645 | hotspot | compiler | [JVMCI] avoid unaligned volatile reads on AArch64 |
15 | JDK-8271056 | hotspot | compiler | C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity |
16 | JDK-8275643 | hotspot | compiler | C2's unaryOp vector intrinsic does not properly handle LongVector.neg |
17 | JDK-8275847 | hotspot | compiler | Scheduling fails with "too many D-U pinch points" on small method |
18 | JDK-8275874 | hotspot | compiler | [JVMCI] only support aligned reads in c2v_readFieldValue |
19 | JDK-8279076 | hotspot | compiler | C2: Bad AD file when matching SqrtF with UseSSE=0 |
20 | JDK-8275330 | hotspot | compiler | C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions |
21 | JDK-8276314 | hotspot | compiler | [JVMCI] check alignment of call displacement during code installation |
22 | JDK-8279225 | hotspot | compiler | [arm32] C1 longs comparison operation destroys argument registers |
23 | JDK-8279412 | hotspot | compiler | [JVMCI] failed speculations list must outlive any nmethod that refers to it |
24 | JDK-8278871 | hotspot | compiler | [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob |
25 | JDK-8278824 | hotspot | gc | Uneven work distribution when scanning heap roots in G1 |
26 | JDK-8276177 | hotspot | jvmti | nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here" |
27 | JDK-8275800 | hotspot | jvmti | Redefinition leaks MethodData::_extra_data_lock |
28 | JDK-8278239 | hotspot | jvmti | vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d |
29 | JDK-8276184 | hotspot | runtime | Exclude lambda proxy class from the CDS archive if its caller class is excluded |
30 | JDK-8274714 | hotspot | runtime | Incorrect verifier protected access error message |
31 | JDK-8277342 | hotspot | runtime | vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for |
32 | JDK-8276662 | hotspot | runtime | Scalability bottleneck in SymbolTable::lookup_common() |
33 | JDK-8266490 | hotspot | runtime | Extend the OSContainer API to support the pids controller of cgroups |
34 | JDK-8278020 | hotspot | runtime | ~13% variation in Renaissance-Scrabble |
35 | JDK-8278384 | hotspot | runtime | Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT |
36 | JDK-8273967 | hotspot | runtime | gtest os.dll_address_to_function_and_library_name_vm fails on macOS12 |
37 | JDK-8274753 | hotspot | runtime | ZGC: SEGV in MetaspaceShared::link_shared_classes |
38 | JDK-8274944 | hotspot | runtime | AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info |
39 | JDK-8273526 | hotspot | runtime | Extend the OSContainer API pids controller with pids.current |
40 | JDK-8274935 | hotspot | runtime | dumptime_table has stale entry |
41 | JDK-8278309 | hotspot | runtime | [windows] use of uninitialized OSThread::_state |
42 | JDK-8273341 | hotspot | runtime | Update Siphash to version 1.0 |
43 | JDK-8278951 | hotspot | runtime | containers/cgroup/PlainRead.java fails on Ubuntu 21.10 |
44 | JDK-8265150 | hotspot | svc | AsyncGetCallTrace crashes on ResourceMark |
45 | JDK-8269849 | hotspot | test | vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects" |
46 | JDK-8273682 | tools | jshell | Upgrade Jline to 3.20.0 |
47 | JDK-8276141 | xml | jaxp | XPathFactory set/getProperty method |
48 | JDK-8282761 | xml | jaxp | XPathFactoryImpl remove setProperty and getProperty methods |
January 18, 2022
The full version string for this update release is 17.0.2+8 (where "+" means "build"). The version number is 17.0.2.
This release is intended as a bugfix release, to fix compatibility problems and typos reported since 2021b was released.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.2 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
17 | 17.0.2+8 |
11 | 11.0.14+8 |
8 | 8u321-b07 |
7 | 7u331-b06 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.2) be used after the next critical patch update scheduled for April 19, 2022.
The following root certificate from Google has been removed from the cacerts
keystore:
+ alias name "globalsignr2ca [jdk]"
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
On Windows 11 and Windows Server 2022, there can be some slowness with the extraction of temporary installation files when launched from a mapped network drive. The installer will still work, but there can be a temporary delay.
The initialization of the file.encoding
system property on non macOS platforms has been reverted to align with the behavior on or before JDK 11. This has been an issue especially on Windows where the system and user's locales are not the same.
The ZIP file system provider has been changed to reject existing ZIP files that contain entries with "." or ".." in name elements. ZIP files with these entries cannot be used as a file system. Invoking the java.nio.file.FileSystems.newFileSystem(...)
methods throw ZipException
if the ZIP file contains these entries.
IANA Time Zone Database, on which JDK's Date/Time libraries are based, has made a tweak to some time zone rules since 2021c. Note that since this update, some of the time zone rules prior to the year 1970 have been modified according to the changes which were introduced with 2021b. For more detail, refer to the announcement of 2021b
A bug has been fixed that could cause long "Concurrent Process Non-Strong References" times with ZGC. The bug blocked the GC from making significant progress, and caused both latency and throughput issues for the Java application.
The long times could be seen in the GC logs when running with -Xlog:gc*
:
[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 17.0.2:
# | JBS | Component | Subcomponent | Sumary |
---|---|---|---|---|
1 | JDK-8269637 | client-libs | javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows | |
2 | JDK-8262031 | client-libs | Create implementation for NSAccessibilityNavigableStaticText protocol | |
3 | JDK-8267387 | client-libs | Create implementation for NSAccessibilityOutline protocol | |
4 | JDK-8275872 | client-libs | 2d | Sync J2DBench run and analyze Makefile targets with build.xml |
5 | JDK-8271718 | client-libs | 2d | Crash when during color transformation the color profile is replaced |
6 | JDK-8273135 | client-libs | 2d | java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7 |
7 | JDK-8273887 | client-libs | 2d | [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out |
8 | JDK-8276905 | client-libs | 2d | Use appropriate macosx_version_minimum value while compiling metal shaders |
9 | JDK-8273808 | client-libs | java.awt | Cleanup AddFontsToX11FontPath |
10 | JDK-8275131 | client-libs | java.awt | Exceptions after a touchpad gesture on macOS |
11 | JDK-8274326 | client-libs | javax.accessibility | [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m |
12 | JDK-8274056 | client-libs | javax.accessibility | JavaAccessibilityUtilities leaks JNI objects |
13 | JDK-8274381 | client-libs | javax.accessibility | missing CAccessibility definitions in JNI code |
14 | JDK-8267385 | client-libs | javax.accessibility | Create NSAccessibilityElement implementation for JavaComponentAccessibility |
15 | JDK-8267388 | client-libs | javax.accessibility | Create implementation for NSAccessibilityTable protocol |
16 | JDK-8274383 | client-libs | javax.accessibility | JNI call of getAccessibleSelection on a wrong thread |
17 | JDK-8277195 | client-libs | javax.accessibility | missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest] |
18 | JDK-8271071 | client-libs | javax.accessibility | accessibility of a table on macOS lacks cell navigation |
19 | JDK-8275809 | client-libs | javax.accessibility | crash in [CommonComponentAccessibility getCAccessible:withEnv:] |
20 | JDK-8273678 | client-libs | javax.accessibility | TableAccessibility and TableRowAccessibility miss autorelease |
21 | JDK-8275071 | client-libs | javax.accessibility | [macos] A11y cursor gets stuck when combobox is closed |
22 | JDK-8275819 | client-libs | javax.accessibility | [TableRowAccessibility accessibilityChildren] method is ineffective |
23 | JDK-8270893 | client-libs | javax.imageio | IndexOutOfBoundsException while reading large TIFF file |
24 | JDK-8269951 | client-libs | javax.swing | [macos] Focus not painted in JButton when setBorderPainted(false) is invoked |
25 | JDK-8266510 | client-libs | javax.swing | Nimbus JTree default tree cell renderer does not use selected text color |
26 | JDK-8271895 | client-libs | javax.swing | UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18 |
27 | JDK-8268284 | client-libs | javax.swing | javax/swing/JComponent/7154030/bug7154030.java fails with "Exception: Failed to hide opaque button" |
28 | JDK-8264287 | client-libs | javax.swing | Create implementation for NSAccessibilityComboBox protocol peer |
29 | JDK-8264303 | client-libs | javax.swing | Create implementation for NSAccessibilityTabGroup protocol peer |
30 | JDK-8264292 | client-libs | javax.swing | Create implementation for NSAccessibilityList protocol peer |
31 | JDK-8264286 | client-libs | javax.swing | Create implementation for NSAccessibilityColumn protocol peer |
32 | JDK-8264291 | client-libs | javax.swing | Create implementation for NSAccessibilityCell protocol peer |
33 | JDK-8264298 | client-libs | javax.swing | Create implementation for NSAccessibilityRow protocol peer |
34 | JDK-8271315 | client-libs | javax.swing | Redo: Nimbus JTree renderer properties persist across L&F changes |
35 | JDK-8264293 | client-libs | javax.swing | Create implementation for NSAccessibilityMenu protocol peer |
36 | JDK-8264295 | client-libs | javax.swing | Create implementation for NSAccessibilityMenuItem protocol peer |
37 | JDK-8264294 | client-libs | javax.swing | Create implementation for NSAccessibilityMenuBar protocol peer |
38 | JDK-8264296 | client-libs | javax.swing | Create implementation for NSAccessibilityPopUpButton protocol peer |
39 | JDK-8264297 | client-libs | javax.swing | Create implementation for NSAccessibilityProgressIndicator protocol peer |
40 | JDK-8269850 | core-libs | Most JDK releases report macOS version 12 as 10.16 instead of 12.0 | |
41 | JDK-8276572 | core-libs | Fake libsyslookup.so library causes tooling issues | |
42 | JDK-8273450 | core-libs | Fix the copyright header of SVML files | |
43 | JDK-8275145 | core-libs | java.io | file.encoding system property has an incorrect value on Windows |
44 | JDK-8277093 | core-libs | java.io:serialization | Vector should throw ClassNotFoundException for a missing class of an element |
45 | JDK-8275703 | core-libs | java.lang | System.loadLibrary fails on Big Sur for libraries hidden from filesystem |
46 | JDK-8274848 | core-libs | java.lang.invoke | LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior |
47 | JDK-8270290 | core-libs | java.net | NTLM authentication fails if HEAD request is used |
48 | JDK-8274779 | core-libs | java.net | HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST |
49 | JDK-8267256 | core-libs | java.net | Extend minimal retry for loopback connections on Windows to PlainSocketImpl |
50 | JDK-8268294 | core-libs | java.net | Reusing HttpClient in a WebSocket.Listener hangs. |
51 | JDK-8269481 | core-libs | java.net | SctpMultiChannel never releases own file descriptor |
52 | JDK-8251329 | core-libs | java.nio | (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside |
53 | JDK-8273935 | core-libs | java.nio | (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported |
54 | JDK-8269280 | core-libs | java.nio | (bf) Replace StringBuffer in *Buffer.toString() |
55 | JDK-8190753 | core-libs | java.nio | (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream |
56 | JDK-8271308 | core-libs | java.nio | (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call |
57 | JDK-8233020 | core-libs | java.nio | (fs) UnixFileSystemProvider should use StaticProperty.userDir(). |
58 | JDK-8272095 | core-libs | java.nio | ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64 |
59 | JDK-8140241 | core-libs | java.nio | (fc) Data transfer from FileChannel to itself causes hang in case of overlap |
60 | JDK-8274468 | core-libs | java.time | TimeZoneTest.java fails with tzdata2021b |
61 | JDK-8274467 | core-libs | java.time | TestZoneInfo310.java fails with tzdata2021b |
62 | JDK-8276536 | core-libs | java.time | Update TimeZoneNames files to follow the changes made by JDK-8275766 |
63 | JDK-8272473 | core-libs | java.time | Parsing epoch seconds at a DST transition with a non-UTC parser is wrong |
64 | JDK-8274349 | core-libs | java.util.concurrent | ForkJoinPool.commonPool() does not work with 1 CPU |
65 | JDK-8214761 | core-libs | java.util.stream | Bug in parallel Kahan summation implementation |
66 | JDK-8273790 | core-libs | java.util:i18n | Potential cyclic dependencies between Gregorian and CalendarSystem |
67 | JDK-8273924 | core-libs | java.util:i18n | ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() |
68 | JDK-8273575 | core-svc | java.lang.instrument | memory leak in appendBootClassPath(), paths must be deallocated |
69 | JDK-8268361 | core-svc | java.lang.management | Fix the infinite loop in next_line |
70 | JDK-8272318 | core-svc | tools | Improve performance of HeapDumpAllTest |
71 | JDK-8272970 | hotspot | Parallelize runtime/InvocationTests/ | |
72 | JDK-8273278 | hotspot | Support XSLT on GraalVM Native Image--deterministic bytecode generation in XSLT | |
73 | JDK-8270886 | hotspot | compiler | Crash in PhaseIdealLoop::verify_strip_mined_scheduling |
74 | JDK-8271600 | hotspot | compiler | C2: CheckCastPP which should closely follow Allocate is sunk of a loop |
75 | JDK-8223923 | hotspot | compiler | C2: Missing interference with mismatched unsafe accesses |
76 | JDK-8272570 | hotspot | compiler | C2: crash in PhaseCFG::global_code_motion |
77 | JDK-8271341 | hotspot | compiler | Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java |
78 | JDK-8271340 | hotspot | compiler | Crash PhaseIdealLoop::clone_outer_loop |
79 | JDK-8271459 | hotspot | compiler | C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity |
80 | JDK-8273165 | hotspot | compiler | GraphKit::combine_exception_states fails with "matching stack sizes" assert |
81 | JDK-8272562 | hotspot | compiler | C2: assert(false) failed: Bad graph detected in build_loop_late |
82 | JDK-8274145 | hotspot | compiler | C2: condition incorrectly made redundant with dominating main loop exit condition |
83 | JDK-8274074 | hotspot | compiler | SIGFPE with C2 compiled code with -XX:+StressGCM |
84 | JDK-8274401 | hotspot | compiler | C2: GraphKit::load_array_element bypasses Access API |
85 | JDK-8274406 | hotspot | compiler | RunThese30M.java failed "assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough" |
86 | JDK-8276066 | hotspot | compiler | Reset LoopPercentProfileLimit for x86 due to suboptimal performance |
87 | JDK-8270901 | hotspot | compiler | Typo PHASE_CPP in CompilerPhaseType |
88 | JDK-8273021 | hotspot | compiler | C2: Improve Add and Xor ideal optimizations |
89 | JDK-8275104 | hotspot | compiler | IR framework does not handle client VM builds correctly |
90 | JDK-8276105 | hotspot | compiler | C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly |
91 | JDK-8276846 | hotspot | compiler | JDK-8273416 is incomplete for UseSSE=1 |
92 | JDK-8276112 | hotspot | compiler | Inconsistent scalar replacement debug info at safepoints |
93 | JDK-8276025 | hotspot | compiler | Hotspot's libsvml.so may conflict with user dependency |
94 | JDK-8270533 | hotspot | compiler | AArch64: size_fits_all_mem_uses should return false if its output is a CAS |
95 | JDK-8273416 | hotspot | compiler | C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1} |
96 | JDK-8273359 | hotspot | compiler | CI: ciInstanceKlass::get_canonical_holder() doesn't respect instance size |
97 | JDK-8244675 | hotspot | compiler | assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines())) |
98 | JDK-8272703 | hotspot | compiler | StressSeed should be set via FLAG_SET_ERGO |
99 | JDK-8271954 | hotspot | compiler | C2: assert(false) failed: Bad graph detected in build_loop_late |
100 | JDK-8272413 | hotspot | compiler | Incorrect num of element count calculation for vector cast |
101 | JDK-8272574 | hotspot | compiler | C2: assert(false) failed: Bad graph detected in build_loop_late |
102 | JDK-8276157 | hotspot | compiler | C2: Compiler stack overflow during escape analysis on Linux x86_32 |
103 | JDK-8268882 | hotspot | compiler | C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc |
104 | JDK-8271567 | hotspot | compiler | AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions |
105 | JDK-8271215 | hotspot | gc | Fix data races in G1PeriodicGCTask |
106 | JDK-8274501 | hotspot | gc | c2i entry barriers read int as long on AArch64 |
107 | JDK-8271862 | hotspot | gc | C2 intrinsic for Reference.refersTo() is often not used |
108 | JDK-8271121 | hotspot | gc | ZGC: stack overflow (segv) when -Xlog:gc+start=debug |
109 | JDK-8272170 | hotspot | gc | Missing memory barrier when checking active state for regions |
110 | JDK-8277212 | hotspot | gc | GC accidentally cleans valid megamorphic vtable inline caches |
111 | JDK-8275426 | hotspot | gc | PretouchTask num_chunks calculation can overflow |
112 | JDK-8274435 | hotspot | jfr | EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl |
113 | JDK-8272850 | hotspot | runtime | Drop zapping values in the Zap* option descriptions |
114 | JDK-8273606 | hotspot | runtime | Zero: SPARC64 build fails with si_band type mismatch |
115 | JDK-8273373 | hotspot | runtime | Zero: Cannot invoke JVM in primordial threads on Zero |
116 | JDK-8273505 | hotspot | runtime | runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in MetaspaceShared::link_shared_classes |
117 | JDK-8273176 | hotspot | runtime | handle latest VS2019 in abstract_vm_version |
118 | JDK-8273695 | hotspot | runtime | Safepoint deadlock on VMOperation_lock |
119 | JDK-8273489 | hotspot | runtime | Zero: Handle UseHeavyMonitors on all monitorenter paths |
120 | JDK-8273229 | hotspot | runtime | Update OS detection code to recognize Windows Server 2022 |
121 | JDK-8274840 | hotspot | runtime | Update OS detection code to recognize Windows 11 |
122 | JDK-8273342 | hotspot | runtime | Null pointer dereference in classFileParser.cpp:2817 |
123 | JDK-8272345 | hotspot | runtime | macos doesn't check `os::set_boot_path()` result |
124 | JDK-8272114 | hotspot | runtime | Unused _last_state in osThread_windows |
125 | JDK-8274293 | hotspot | runtime | Build failure on macOS with Xcode 13.0 as vfork is deprecated |
126 | JDK-8274338 | hotspot | runtime | com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror" |
127 | JDK-8238649 | hotspot | runtime | Call new Win32 API SetThreadDescription in os::set_native_thread_name |
128 | JDK-8261579 | hotspot | runtime | AArch64: Support for weaker memory ordering in Atomic |
129 | JDK-8268927 | hotspot | runtime | Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)" |
130 | JDK-8273486 | hotspot | runtime | Zero: Handle DiagnoseSyncOnValueBasedClasses VM option |
131 | JDK-8273483 | hotspot | runtime | Zero: Clear pending JNI exception check in native method handler |
132 | JDK-8273440 | hotspot | runtime | Zero: Disable runtime/Unsafe/InternalErrorTest.java |
133 | JDK-8273333 | hotspot | runtime | Zero should warn about unimplemented -XX:+LogTouchedMethods |
134 | JDK-8268893 | hotspot | runtime | jcmd to trim the glibc heap |
135 | JDK-8273902 | hotspot | runtime | Memory leak in OopStorage due to bug in OopHandle::release() |
136 | JDK-8269687 | hotspot | runtime | pauth_aarch64.hpp include name is incorrect |
137 | JDK-8275604 | hotspot | runtime | Zero: Reformat opclabels_data |
138 | JDK-8277029 | hotspot | svc | JMM GetDiagnosticXXXInfo APIs should verify output array sizes |
139 | JDK-8270320 | hotspot | test | JDK-8270110 committed invalid copyright headers |
140 | JDK-8270946 | security-libs | java.security | X509CertImpl.getFingerprint should not return the empty String |
141 | JDK-8273826 | security-libs | java.security | Correct Manifest file name and NPE checks |
142 | JDK-8274215 | security-libs | java.security | Remove globalsignr2ca root from 17.0.2 |
143 | JDK-8274736 | security-libs | java.security | Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily |
144 | JDK-8277224 | security-libs | java.security | sun.security.pkcs.PKCS9Attributes.toString() throws NPE |
145 | JDK-8270317 | security-libs | javax.net.ssl | Large Allocation in CipherSuite |
146 | JDK-8275811 | security-libs | javax.net.ssl | Incorrect instance to dispose |
147 | JDK-8273026 | security-libs | javax.security | Slow LoginContext.login() on multi threading application |
148 | JDK-8274205 | security-libs | org.ietf.jgss:krb5 | Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC |
149 | JDK-8273894 | security-libs | org.ietf.jgss:krb5 | ConcurrentModificationException raised every time ReferralsCache drops referral |
150 | JDK-8273234 | tools | javac | extended 'for' with expression of type tvar causes the compiler to crash |
151 | JDK-8262095 | tools | javac | NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null |
152 | JDK-8268885 | tools | javac | duplicate checkcast when destination type is not first type of intersection type |
153 | JDK-8269113 | tools | javac | Javac throws when compiling switch (null) |
154 | JDK-8275302 | tools | javac | unexpected compiler error: cast, intersection types and sealed |
155 | JDK-8274347 | tools | javac | Passing a *nested* switch expression as a parameter causes an NPE during compile |
156 | JDK-8268894 | tools | javac | forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition |
157 | JDK-8273408 | tools | javac | java.lang.AssertionError: typeSig ERROR on generated class property of record |
158 | JDK-8271254 | tools | javac | javac generates unreachable code when using empty semicolon statement |
159 | JDK-8274942 | tools | javac | AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155) |
160 | JDK-8272639 | tools | jpackage | jpackaged applications using microphone on mac |
161 | JDK-8274087 | tools | jpackage | Windows DLL path not set correctly. |
162 | JDK-8273593 | tools | jpackage | [REDO] Warn user when using mac-sign option with unsigned app-image. |
163 | JDK-8272328 | tools | jpackage | java.library.path is not set properly by Windows jpackage app launcher |
164 | JDK-8268457 | xml | XML Transformer outputs Unicode supplementary character incorrectly to HTML |
October 19, 2021
The full version string for this update release is 17.0.1+12 (where "+" means "build"). The version number is 17.0.1.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 17.0.1 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
17 | 17.0.1+12 |
11 | 11.0.13+10 |
8 | 8u311-b11 |
7 | 7u321-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.1) be used after the next critical patch update scheduled for January 18, 2022.
The following root certificate from IdenTrust has been removed from the cacerts
keystore:
+ alias name "identrustdstx3 [jdk]"
Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
This release doesn't correctly identify Windows 11. The property os.name
is set to Windows 10
on Windows 11. In HotSpot error logs, the OS is identified as Windows 10
; however, the HotSpot error log does show the Build number. Windows 11 has Build 22000.194 or above.
The scope of the com.sun.jndi.ldap.object.trustSerialData
system property has been extended to control the deserialization of java objects from the javaReferenceAddress
LDAP attribute. This system property now controls the deserialization of java objects from the javaSerializedData
and javaReferenceAddress
LDAP attributes.
To prevent deserialization of java objects from these attributes, the system property can be set to false
. By default, the deserialization of java objects from javaSerializedData
and javaReferenceAddress
attributes is allowed.
This release doesn't correctly identify Windows Server 2022. The property os.name
is set to Windows Server 2019
on Windows Server 2022. In HotSpot error logs the OS is identified as Windows Server 2019
; however, the HotSpot error log does show the Build number. Windows Server 2022 has Build 20348, or above.
For JVMs running in a container, OperatingSystemMXBean.getProcessCpuLoad
now considers only the CPU resources available to the container when calculating CPU load. Prior to this change, the calculation included all CPUs on a host. After this change, management agents may report higher CPU usage by JVMs in containers that are constrained to a limited set of CPUs.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 17.0.1:
# | JBS | Component | Subcomponent | Sumary |
---|---|---|---|---|
1 | JDK-8262731 | client-libs | 2d | [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" |
2 | JDK-8273358 | client-libs | 2d | macOS Monterey does not have the font Times needed by Serif |
3 | JDK-8272602 | client-libs | java.awt | [macos] not all KEY_PRESSED events sent when control modifier is used |
4 | JDK-8272806 | client-libs | java.awt | [macOS] "Apple AWT Internal Exception" when input method is changed |
5 | JDK-8267666 | core-svc | tools | Add option to jcmd GC.heap_dump to use existing file |
6 | JDK-8271925 | hotspot | compiler | ZGC: Arraycopy stub passes invalid oop to load barrier |
7 | JDK-8271589 | hotspot | compiler | fatal error with variable shift count integer rotate operation. |
8 | JDK-8271203 | hotspot | compiler | C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added |
9 | JDK-8270098 | hotspot | compiler | ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert |
10 | JDK-8272131 | hotspot | compiler | PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj |
11 | JDK-8271276 | hotspot | compiler | C2: Wrong JVM state used for receiver null check |
12 | JDK-8268019 | hotspot | compiler | C2: assert(no_dead_loop) failed: dead loop detected |
13 | JDK-8268261 | hotspot | compiler | C2: assert(n != __null) failed: Bad immediate dominator info. |
14 | JDK-8269574 | hotspot | compiler | C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events |
15 | JDK-8272124 | hotspot | runtime | Cgroup v1 initialization causes NullPointerException when cgroup path contains colon |
16 | JDK-8269934 | hotspot | runtime | RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status |
17 | JDK-8225082 | security-libs | java.security | Remove IdenTrust certificate that is expiring in September 2021 |
18 | JDK-8268427 | security-libs | java.security | Improve AlgorithmConstraints:checkAlgorithm performance |
19 | JDK-8225083 | security-libs | java.security | Remove Google certificate that is expiring in December 2021 |
20 | JDK-8273150 | security-libs | java.security | Revert "8225083: Remove Google certificate that is expiring in December 2021" |
21 | JDK-8270344 | security-libs | javax.net.ssl | Session resumption errors |
The following sections are included in these Release Notes:
These notes describe important changes, enhancements, removed APIs and features, deprecated APIs and features, and other information about JDK 17 and Java SE 17. In some cases, the descriptions provide links to additional detailed information about an issue or a change. This page does not duplicate the descriptions provided by the Java SE 17 ( JSR 392) Platform Specification, which provides informative background for all specification changes and might also include the identification of removed or deprecated APIs and features not described here. The Java SE 17 ( JSR 392) specification provides links to:
Annex 1: The complete Java SE 17 API Specification.
Annex 2: An annotated API specification showing the exact differences relative to Java SE 17. Informative background for these changes may be found in the list of approved Change Specification Requests for this release.
Annex 3: Java SE 17 Editions of The Java Language Specification and The Java Virtual Machine Specification. The Java SE 17 Editions contain all corrections and clarifications made since the Java SE 16 Editions, as well as additions for new features.
You should be aware of the content in the Java SE 17 ( JSR 392) specification as well as the items described in this page.
The descriptions on this Release Notes page also identify potential compatibility issues that you might encounter when migrating to JDK 17. The Kinds of Compatibility page on the OpenJDK wiki identifies the following three types of potential compatibility issues for Java programs that might be used in these release notes:
Source: Source compatibility preserves the ability to compile existing source code without error.
Binary: Binary compatibility is defined in The Java Language Specification as preserving the ability to link existing class files without error.
Behavioral: Behavioral compatibility includes the semantics of the code that is executed at runtime.
See CSRs Approved for JDK 17 for the list of CSRs closed in JDK 17 and the Compatibility & Specification Review (CSR) page on the OpenJDK wiki for general information about compatibility.
The full version string for this release is build 17+35 (where "+" means "build"). The version number is 17.
IANA Data 2021a
JDK 17 contains IANA time zone data version 2021a. For more information, refer to Timezone Data Versions in the JRE Software.
This section describes some of the enhancements in Java SE 17 and JDK 17. In some cases, the descriptions provide links to additional detailed information about an issue or a change. The APIs described here are provided with the Oracle JDK. It includes a complete implementation of the Java SE 17 Platform and additional Java APIs to support developing, debugging, and monitoring Java applications. Another source of information about important enhancements and new features in Java SE 17 and JDK 17 is the Java SE 17 ( JSR 392) Platform Specification, which documents the changes to the specification made between Java SE 16 and Java SE 17. This document includes descriptions of those new features and enhancements that are also changes to the specification. The descriptions also identify potential compatibility issues that you might encounter when migrating to JDK 17.
Sealed Classes have been added to the Java Language. Sealed classes and interfaces restrict which other classes or interfaces may extend or implement them.
Sealed Classes were proposed by JEP 360 and delivered in JDK 15 as a preview feature. They were proposed again, with refinements, by JEP 397 and delivered in JDK 16 as a preview feature. Now in JDK 17, Sealed Classes are being finalized with no changes from JDK 16.
For further details, see JEP 409.
Enhance the Java programming language with pattern matching for switch expressions and statements, along with extensions to the language of patterns. Extending pattern matching to switch allows an expression to be tested against a number of patterns, each with a specific action, so that complex data-oriented queries can be expressed concisely and safely.
For further details, see JEP 406.
The Java 2D API used by the Swing APIs for rendering, can now use the new Apple Metal accelerated rendering API for macOS.
This is currently disabled by default, so rendering still uses OpenGL APIs, which are deprecated by Apple but still available and supported.
To enable Metal, an application should specify its use by setting the system property:
-Dsun.java2d.metal=true
Use of Metal or OpenGL is transparent to applications since this is a difference of internal implementation and has no effect on Java APIs. The metal pipeline requires macOS 10.14.x or later. Attempts to set it on earlier releases will be ignored.
For further details, see JEP 382.
A new method, javax.swing.filechooser.FileSystemView.getSystemIcon(File, int, int)
, is available in JDK 17 that enables access to higher quality icons when possible. It is fully implemented for the Windows platform; however, results on other platforms might vary and will be enhanced later. For example, by using the following code:
FileSystemView fsv = FileSystemView.getFileSystemView();
Icon icon = fsv.getSystemIcon(new File("application.exe"), 64, 64);
JLabel label = new JLabel(icon);
The user can obtain a higher quality icon for the "application.exe" file. This icon is suitable for creating a label that can be better scaled in a HighDPI environment.
java.net.DatagramSocket
has been updated in this release to add support for joining multicast groups. It now defines joinGroup
and leaveGroup
methods to join and leave multicast groups. The class level API documentation of java.net.DatagramSocket
has been updated to explain how a plain DatagramSocket
can be configured and used to join and leave multicast groups.
This change means that the DatagramSocket
API can be used for multicast applications without needing to use the legacy java.net.MulticastSocket
API. The MulticastSocket
API works as before, although most of its methods are deprecated.
More information on the rationale of this change can be seen in the CSR JDK-8260667.
The file system provider implementation on macOS has been updated in this release to support extended attributes. The java.nio.file.attribute.UserDefinedFileAttributeView
API can now be used to obtain a view of a file's extended attributes. This (optional) view was not supported in previous JDK releases.
Provide new interface types and implementations for pseudorandom number generators (PRNGs), including jumpable PRNGs and an additional class of splittable PRNG algorithms (LXM).
For further details, see JEP 356.
Ideal Graph Visualizer (IGV), a tool to explore visually and interactively the intermediate representation used in the HotSpot VM C2 just-in-time (JIT) compiler, has been modernized. Enhancements include:
The modernized IGV is partially compatible with graphs generated from earlier JDK releases. It supports basic functionality such as graph loading and visualization, but auxiliary functionality such as node clustering and coloring might be affected.
Details about building and running IGV are available in the src/utils/IdealGraphVisualizer/README.md
file in the tool's source directory.
When JavaDoc reports an issue in an input source file, it displays the source line for the issue, and a line containing a caret (^
) pointing to the position on the line, in a manner similar to compiler (javac
) diagnostic messages.
In addition, logging and other "info" messages are now written to the standard error stream, leaving the standard output stream to be used for output that is specifically requested by command-line options, such as command-line help.
JavaDoc can now generate a page summarizing the recent changes in an API. The list of recent releases to be included is specified with the --since
command-line option. These values are used to find the declarations with matching @since
tags to be included on the new page. The --since-label
command-line option provides text to use in the heading of the "New API" page.
On the page that summarizes deprecated items, you can view items grouped by the release in which they were deprecated.
Introduce an API by which Java programs can interoperate with code and data outside of the Java runtime. By efficiently invoking foreign functions (i.e., code outside the JVM), and by safely accessing foreign memory (i.e., memory not managed by the JVM), the API enables Java programs to call native libraries and process native data without the brittleness and danger of JNI.
For further details, see JEP 412.
java.io.Console
has been updated to define a new method that returns the Charset
for the console. The returned Charset may be different from the one returned from Charset.defaultCharset()
method. For example, it returns IBM437
while Charset.defaultCharset()
returns windows-1252
on Windows (en-US). Refer to the CSR for more detail.
It is now possible to monitor deserialization of objects using JDK Flight Recorder (JFR). When JFR is enabled and the JFR configuration includes deserialization events, JFR will emit an event whenever the running program attempts to deserialize an object. The deserialization event is named jdk.Deserialization
, and it is disabled by default. The deserialization event contains information that is used by the serialization filter mechanism; see the ObjectInputFilter specification. Additionally, if a filter is enabled, the JFR event indicates whether the filter accepted or rejected deserialization of the object. For further information about how to use the JFR deserialization event, see the article Monitoring Deserialization to Improve Application Security. For reference information about using and configuring JFR, see the JFR Runtime Guide and JFR Command Reference sections of the JDK Mission Control documentation.
JEP 415: Context-Specific Deserialization Filters allows applications to configure context-specific and dynamically-selected deserialization filters via a JVM-wide filter factory that is invoked to select a filter for each individual deserialization operation.
The Java Core Libraries Developers Guide for Serialization Filtering describes use cases and provides examples.
A new system property native.encoding
has been introduced. This system property provides the underlying host environment's character encoding name. For example, typically it has UTF-8
in Linux and macOS platforms, and Cp1252
in Windows (en-US). Refer to the CSR for more detail.
A new interface java.time.InstantSource
has been introduced. This interface is an abstraction from java.time.Clock
that only focuses on the current instant and does not refer to the time zone.
java.util.HexFormat
provides conversions to and from hexadecimal for primitive types and byte arrays. The options for delimiter, prefix, suffix, and uppercase or lowercase are provided by factory methods returning HexFormat instances.
The experimental support for Compiler Blackholes is added. These are useful for low-level benchmarking, to avoid dead-code elimination on the critical paths, without affecting the benchmark performance. Current support is implemented as CompileCommand, accessible as -XX:CompileCommand=blackhole,<method>
, with the plan to eventually graduate it to a public API.
JMH is already able to auto-detect and use this facility when instructed/available. Please consult JMH documentation for the next steps.
A new Class Hierarchy Analysis implementation is introduced in the HotSpot JVM. It features enhanced handling of abstract and default methods which improves inlining decisions made by the JIT-compilers. The new implementation supersedes the original one and is turned on by default.
To help diagnose possible issues related to the new implementation, the original implementation can be turned on by specifying the -XX:+UnlockDiagnosticVMOptions -XX:-UseVtableBasedCHA
command-line flags.
The original implementation may be removed in a future release.
macOS 11.0 now supports the AArch64 architecture. This JEP implements support for the macos-aarch64 platform in the JDK. One of the features added is support for the W^X (write xor execute) memory. It is enabled only for macos-aarch64 and can be extended to other platforms at some point. The JDK can be either cross-compiled on an Intel machine or compiled on an Apple M1-based machine.
For further details, see JEP 391.
To avoid undesirable delays in a thread using unified logging, the user can now request that the unified logging system operate in asynchronous mode. This is done by passing the command-line option -Xlog:async
. In asynchronous logging mode, log sites enqueue all logging messages to a buffer. A standalone thread is responsible for flushing them to the corresponding outputs. The intermediate buffer is bounded. On buffer exhaustion, the enqueuing message is discarded. The user can control the size of the intermediate buffer by using the command-line option -XX:AsyncLogBufferSize=<bytes>
.
A new macOS is now available for ARM systems. The ARM port should behave similarly to the Intel port. There are no known feature differences. When reporting issues on macOS, please specify if using ARM or x64.
The -signer
and -signerkeypass
options have been added to the -genkeypair
command of the keytool
utility. The -signer
option specifies the keystore alias of a PrivateKeyEntry
for the signer and the -signerkeypass
option specifies the password used to protect the signer’s private key. These options allow keytool -genkeypair
to sign the certificate by using the signer’s private key. This is especially useful for generating a certificate with a key agreement algorithm as its public key algorithm.
The SunJCE provider has been enhanced to support the AES Key Wrap Algorithm (RFC 3394) and the AES Key Wrap with Padding Algorithm (RFC 5649). In earlier releases, the SunJCE provider supported RFC 3394 under the "AESWrap" cipher algorithm that could only be used to wrap and unwrap keys. With this enhancement, two block cipher modes, KW and KWP, have been added that support data encryption/decryption and key wrap/unwrap by using AES. Please check the "SunJCE provider" section of the "JDK Providers Documentation" guide for more details.
SunPKCS11 provider adds new provider configuration attributes to better control native resources usage. The SunPKCS11 provider consumes native resources in order to work with native PKCS11 libraries. To manage and better control the native resources, additional configuration attributes are added to control the frequency of clearing native references as well as whether to destroy underlying PKCS11 Token after logout.
The 3 new attributes for SunPKCS11 provider configuration file are:
destroyTokenAfterLogout
(boolean, defaults to false) If set to true, when java.security.AuthProvider.logout()
is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout() calls. Note that a PKCS11 provider with this attribute set to true should not be added to the system provider list since the provider object is not usable after a logout() method call.
cleaner.shortInterval
(integer, defaults to 2000, in milliseconds) This defines the frequency for clearing native references during busy period, i.e. how often should the cleaner thread processes the no-longer-needed native references in the queue to free up native memory. Note that the cleaner thread will switch to the 'longInterval' frequency after 200 failed tries, i.e. when no references are found in the queue.
cleaner.longInterval
(integer, defaults to 60000, in milliseconds) This defines the frequency for checking native reference during non-busy period, i.e. how often should the cleaner thread check the queue for native references. Note that the cleaner thread will switch back to the 'shortInterval' value if native PKCS11 references for cleaning are detected.
SunPKCS11 provider is enhanced to support the following crypto services and algorithms when the underlying PKCS11 library supports the corresponding PKCS#11 mechanisms:
Two new system properties have been added. The system property, jdk.tls.client.disableExtensions
, is used to disable TLS extensions used in the client. The system property, jdk.tls.server.disableExtensions
, is used to disable TLS extensions used in the server. If an extension is disabled, it will be neither produced nor processed in the handshake messages.
The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request, and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.
Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please do not disable mandatory extensions, and do not use this feature unless you clearly understand the impact.
Use permitted_enctypes as the default value of default_tkt_enctypes or default_tgs_enctypes if any of the them are not defined in krb5.conf.
The summary page for a package now includes a section listing any "related packages". The set of related packages is determined heuristically on common naming conventions, and may include the following:
The related packages need not all be in the same module.
This section describes the APIs, features, and options that were removed in Java SE 17 and JDK 17. The APIs described here are those that are provided with the Oracle JDK. It includes a complete implementation of the Java SE 17 Platform and additional Java APIs to support developing, debugging, and monitoring Java applications. Another source of information about important enhancements and new features in Java SE 17 and JDK 17 is the Java SE 17 ( JSR 392) Platform Specification, which documents changes to the specification made between Java SE 16 and Java SE 17. This document includes the identification of removed APIs and features not described here. The descriptions below might also identify potential compatibility issues that you could encounter when migrating to JDK 17.See CSRs Approved for JDK 17 for the list of CSRs closed in JDK 17.
Strongly encapsulate all internal elements of the JDK, except for critical internal APIs such as sun.misc.Unsafe
.
With this change, the java
launcher option --illegal-access
is obsolete. If used on the command line it causes a warning message to be issued, and otherwise has no effect. Existing code that must use internal classes, methods, or fields of the JDK can still be made to work by using the --add-opens
launcher option, or the Add-Opens
JAR-file manifest attribute, to open specific packages.
For further details, please see JEP 403.
The following root certificate has been removed from the cacerts truststore:
+ Telia Company
+ soneraclass2ca
DN: CN=Sonera Class2 CA, O=Sonera, C=FI
sun.misc.Unsafe::defineAnonymousClass
API has been removed in JDK 17. The API replacement is java.lang.invoke.MethodHandles.Lookup::defineHiddenClass
and java.lang.invoke.MethodHandles.Lookup::defineHiddenClassWithClassData
.
The Remote Method Invocation (RMI) Activation mechanism has been removed. RMI Activation was an obsolete part of RMI that has been optional since Java SE 8. RMI Activation was deprecated for removal by JEP 385 in Java SE 15, and it was removed from this release by JEP 407. The rmid
tool has also been removed. See JEP 385 for background, rationale, risks, and alternatives. The rest of RMI remains unchanged.
AOT Compiler related code in HotSpot VM has been removed. Using HotSpot VM options defined by JEP295 produce "Unrecognized VM option" error on VM initialization.
For further details, see JEP 410.
Additional sources of information about the APIs, features, and options deprecated in Java SE 17 and JDK 17 include:
The Deprecated API page identifies all deprecated APIs including those deprecated in Java SE 17.
The Java SE 17 ( JSR 392) specification documents changes to the specification made between Java SE 16 and Java SE 17 that include the identification of deprecated APIs and features not described here.
You should be aware of the contents in those documents as well as the items described in this release notes page.
The descriptions of deprecated APIs might include references to the deprecation warnings of forRemoval=true
and forRemoval=false
. The forRemoval=true
text indicates that a deprecated API might be removed from the next major release. The forRemoval=false
text indicates that a deprecated API is not expected to be removed from the next major release but might be removed in some later release.
The descriptions below also identify potential compatibility issues that you might encounter when migrating to JDK 17. See CSRs Approved for JDK 17 for the list of CSRs closed in JDK 17.
JEP 398: Deprecate the Applet API for Removal. It is essentially irrelevant since all web-browser vendors have either removed support for Java browser plug-ins or announced plans to do so.
The Applet API was previously deprecated, though not for removal, by JEP 289 in Java 9.
The Security Manager and APIs related to it have been deprecated and will be removed in a future release. To ensure that developers and users are aware that the Security Manager is deprecated for removal, the Java runtime issues a warning at startup if the Security Manager is enabled on the command line via java -Djava.security.manager
. The Java runtime also issues a warning at run time if the Security Manager is enabled dynamically via the System::setSecurityManager
API. These warnings cannot be disabled.
See JEP 411 for more information and a list of APIs that have been deprecated for removal.
The des3-hmac-sha1
and rc4-hmac
Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set allow_weak_crypto = true
in the krb5.conf
configuration file to re-enable them (along with other weak etypes including des-cbc-crc
and des-cbc-md5
) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the default_tkt_enctypes
, default_tgs_enctypes
, or permitted_enctypes
settings.
The following static methods used to set the system-wide socket implementation factories have been deprecated:
static void ServerSocket.setSocketFactory(SocketImplFactory fac)
static void Socket.setSocketImplFactory(SocketImplFactory fac)
static void DatagramSocket.setDatagramSocketImplFactory(DatagramSocketImplFactory fac)
These API points were used to statically configure a system-wide factory for the corresponding socket types in the java.net
package. These methods have mostly been obsolete since Java 1.4.
The following JVM TI functions have been deprecated in this release:
IterateOverObjectsReachableFromObject
IterateOverReachableObjects
IterateOverHeap
IterateOverInstancesOfClass
These functions were superseded in JVM TI version 1.2 (Java SE 6) by more powerful and flexible versions. These functions will be changed to return an error in a future release to indicate that they are no longer implemented/supported. The VM flags -Xlog:jvmti=trace and -XX:TraceJVMTI=<function_name>
can be used to identify any residual usages of these functions. For example, -Xlog:jvmti=trace -XX:TraceJVMTI=IterateOverHeap
is one way to get trace output when IterateOverHeap is used.
The following notes describe known issues or limitations in this release.
Applications using the JDK XSLT transformer to convert stylesheets to Java objects can encounter the following exception:
com.sun.org.apache.xalan.internal.xsltc.compiler.util.InternalError: Internal XSLTC error: a method in
the translet exceeds the Java Virtual Machine limitation on the length of a method of 64 kilobytes.
This is usually caused by templates in a stylesheet that are very large. Try restructuring your
stylesheet to use smaller templates.
Applications will encounter the above exception if the size of the XSL template is too large. It is recommended to split the XSL template into smaller templates. Alternatively, applications can override the JDK XSLT Transformer by providing third-party implementation JAR files in the class path.
The following notes describe additional changes and information about this release. In some cases, the following descriptions provide links to additional detailed information about an issue or a change.
jdk.jndi.object.factoriesFilter
: This system and security property allows a serial filter to be specified that controls the set of object factory classes permitted to instantiate objects from object references returned by naming/directory systems. The factory class named by the reference instance is matched against this filter during remote reference reconstruction. The filter property supports pattern-based filter syntax with the format specified by JEP 290. This property applies both to the JNDI/RMI and the JNDI/LDAP built-in provider implementations. The default value allows any object factory class specified in the reference to recreate the referenced object.
com.sun.jndi.ldap.object.trustSerialData
: This system property allows control of the deserialization of java objects from the javaSerializedData
LDAP attribute. To prevent deserialization of java objects from the attribute, the system property can be set to false
value. By default, deserialization of java objects from the javaSerializedData
attribute is allowed.
Enhancement JDK-8176894 inadvertently introduced erroneous behavior in the TreeMap.computeIfAbsent
method. The other TreeMap
methods that were modified by this enhancement are unaffected. The erroneous behavior is that, if the map contains an existing mapping whose value is null, the computeIfAbsent
method immediately returns null. To conform with the specification, computeIfAbsent
should instead call the mapping function and update the map with the function's result.
On the Linux platform, the names of JDK packages provided by Java RPM and DEB installers have been changed. Names of JDK packages follow the jdk-<feature_release_version>
pattern instead of the jdk-<update_release_version>
pattern that was previously used. For example, the new names of JDK 11, 16, and 17 packages are jdk-11
, jdk-16
, and jdk-17
respectively.
The change to package names disables side-by-side installation of multiple JDKs of the same release family. Only one JDK per release family can be installed on a system with RPM and DEB installers.
If a user wants to have multiple update releases from the same family, the user must download the tar.gz
bundles.
The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api
, jaxp_parser_impl
, and java-fonts
. This clean-up of the list resolves existing and potential conflicts with modular RPMs.
There are other RPMs providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other rpms to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.
The ADDLOCAL=ToolsFeature,SourceFeature
argument is no longer needed for the JDK installer silent mode. All required files are now installed by default.
The following root certificates have been added to the cacerts truststore:
+ HARICA
+ haricarootca2015
DN: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+ haricaeccrootca2015
DN: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.
In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:
cacerts
keystore will not be restricted.These exceptions may be removed in a future JDK release.
Users can, at their own risk, remove these restrictions by modifying the java.security
configuration file (or overriding it using the java.security.properties
system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms
security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms
security property.
The XML Signature secure validation mode has been enabled by default (previously it was not enabled by default unless running with a security manager). When enabled, validation of XML signatures are subject to stricter checking of algorithms and other constraints as specified by the jdk.xml.dsig.secureValidationPolicy
security property.
If necessary, and at their own risk, applications can disable the mode by setting the org.jcp.xml.dsig.secureValidation
property to Boolean.FALSE
with the DOMValidateContext.setProperty()
API.
XML signatures that use SHA-1 based digest or signature algorithms have been disabled by default. SHA-1 is no longer a recommended algorithm for digital signatures. If necessary, and at their own risk, applications can workaround this policy by modifying the jdk.xml.dsig.secureValidationPolicy
security property and re-enabling the SHA-1 algorithms.
This release fixes a buggy behavior in regular expression pattern intersection. In prior releases, if a nested character class were included in some intersections after the intersection (&&
) operator, it would be ignored and not included in the generated matcher from the pattern. This change brings the behavior in line with the intersection regex patterns seen in Ruby.
When annotations were added to the platform in Java SE 5.0, early builds used a different representation of annotations in the class file than the final format. Support for this intermediate format has now been removed. Reading an annotation from a class file using the intermediate format which differs from the final format yields an exception similar to:
java.lang.reflect.GenericSignatureFormatError: Signature Parse error: Expected Field Type Signature
Recompiling the sources or otherwise regenerating the class file to conform to the proper format will resolve the issue.
Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, now referred to as the FTP Client.
The following system property has been added for validation of server addresses in FTP
passive mode.
jdk.net.ftp.trustPasvAddress
.In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV
command from the FTP Client, when that address differs from the address which the FTP Client initially connected.
To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress
system property can be set to true
. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV
command
The Windows implementation of the java.nio.channels.Selector
API has been replaced in this release to use a new more scalable implementation. No behavior or compatibility issues were observed during testing of the new implementation. The old implementation has not been removed and the JDK can be configured to use the old implementation, if needed, by running with -Djava.nio.channels.spi.SelectorProvider=sun.nio.ch.WindowsSelectorProvider
on the command line.
In previous releases, formatter conversions with a %a
conversion that used the 0
padding flag and a width specifier would produce paddings containing too many zeros if a leading sign or space character was also specified by their respective flags. This has been fixed so that paddings no longer include too many leading zeros.
The unmodifiable*
methods in java.util.Collections
will no longer re-wrap a given collection with an unmodifiable view if that collection has already been wrapped by same method.
Locale data based on Unicode Consortium's CLDR has been upgraded to version 39. For the detailed locale data changes, please refer to the Unicode Consortium's CLDR release notes:
Historically, Java has used old/obsolete ISO 639 language codes for Hebrew/Indonesian/Yiddish languages to maintain compatibility. From Java 17, the default codes are the current codes. For example, "he" is now the language code for "Hebrew" instead of "iw". A new system property has also been introduced to revert to the legacy behavior. If -Djava.locale.useOldISOCodes=true
is specified on the command line, it behaves the same way as the prior releases.
The java.lang.instrument
implementation has been changed in this release to require that agent premain
and agentmain
methods are public. The specification has always required this, but it was not enforced. Attempting to run with an agent where these methods are not public will fail with an exception such as:
java.lang.IllegalAccessException: method <fully-qualified-class-name>.premain must be declared public
.
A related change in this release is that the premain
and agentmain
methods must be defined in the agent class. The implementation no longer searches for these methods in superclasses.
Documentation for Implementation Specific Features and Properties has been added to the java.xml
module summary. Along with the existing properties, two new properties are introduced in JDK 17. The following section describes the changes in more detail:
XML processing limits were introduced in JDK 7u45 and JDK 8. They were previously documented in the Java Tutorial Processing Limits section.
The definitions for these limits have been added to the java.xml
module summary. See JDK-8261670.
JAXP Lookup Mechanism
to the java.xml
module summary.
The javadoc for JAXP Lookup Mechanism
has been moved to the module summary. The original javadoc in JAXP factories are replaced with a link to that section in the module summary.
See JDK-8261673.
The DOM Load and Save LSSerializer
did not have an explicit control for whether or not the XML Declaration ends with a newline. In this release, a JDK implementation specific property, jdk.xml.isStandalone
, and its corresponding System property, jdk.xml.isStandalone
, have been added to control the addition of a newline and acts independently without having to set the pretty-print property. This property can be used to reverse the incompatible change introduced in Java SE 7 Update 4 with an update of Xalan 2.7.1 in which a newline is omitted after the XML header.
Usage:
// to set the property, get an instance of LSSerializer
LSSerializer ser = impl.createLSSerializer();
// the isStandalone property is effective whether or not pretty-print is set
ser.getDomConfig().setParameter("format-pretty-print", pretty ? true : false);
ser.getDomConfig().setParameter("jdk.xml.isStandalone", standalone ? true : false);
// to use the System property, set it before initializing a LSSerializer
System.setProperty("jdk.xml.isStandalone", standalone ? “true” : "false");
// to clear the property, place the line anywhere after the LSSerializer is initialized
System.clearProperty("jdk.xml.isStandalone");
See JDK-8249867.
java.xml
.
The XSLTC Serializer supported a property, http://www.oracle.com/xml/is-standalone
, introduced through JDK-7150637, to control whether or not the XML Declaration ends with a newline. It is, however, not compliant with the new specification for Implementation Specific Features and Properties. In order to maintain compatibility, the legacy property is preserved, and a new property, jdk.xml.xsltcIsStandalone
, along with its corresponding System property, jdk.xml.xsltcIsStandalone
, have been created to perform the same function for the XSLTC Serializer as the isStandalone
property for DOMLS LSSerializer. Note that the former has an extra prefix xsltc
to avoid conflict with the later in case it is set through the System property.
Usage:
// to set the property, get an instance of the Transformer
Transformer transformer = getTransformer(…);
// the isStandalone property is effective whether or not pretty-print is set
transformer.setOutputProperty(OutputKeys.INDENT, pretty ? "yes" : "no");
transformer.setOutputProperty("jdk.xml.xsltcIsStandalone", standalone ? "yes" : "no");
// to use the System property, set it before initializing a Transformer
System.setProperty("jdk.xml.xsltcIsStandalone", standalone ? "yes" : "no");
// to clear the property, place the line anywhere after the Transformer is initialized
System.clearProperty("jdk.xml.xsltcIsStandalone");
See JDK-8260858.
jdk.xml
.
Existing features and properties have been added to the Implementation Specific Features and Properties
tables in the java.xml
module summary. All of the features and properties, existing and new, now have a prefix of jdk.xml
as redefined in the Naming Convention
section. System properties are searchable in the Java API documentation by the full name, such as jdk.xml.entityExpansionLimit
.
See JDK-8265252.
When running Java on 9th and 10th Gen Intel® Core™ processors, a segmentation fault indicating invalid permissions for a mapped object may be observed. A workaround is included that reduces the frequency of the occurrences.
Parallel GC now ergonomically determines the optimal number of threads to use for processing java.lang.ref.Reference
instances during garbage collection. The option -XX:ParallelRefProcEnabled
is now true
(enabled) by default.
The change improves this phase of the garbage collection pause significantly on machines with more than one thread available for garbage collection.
If you experience increased garbage collection pauses, you can revert to the original behavior by specifying -XX:-ParallelRefProcEnabled
on the command line.
The ergonomics of java.lang.ref.Reference
processing can be tuned by using the experimental option -XX:ReferencesPerThread
(default value: 1000).
A new system property, jdk.security.certpath.ocspNonce
, has been added to enable the OCSP Nonce Extension. This system property is disabled by default, and can be enabled by setting it to the value true
. If set to true
, the JDK implementation of PKIXRevocationChecker
includes a nonce extension containing a 16 byte nonce with each OCSP request. See RFC 8954 for more details on the OCSP Nonce Extension.
The gencert
command of the keytool
utility has been updated to create AKID from the SKID of the issuing certificate as specified by RFC 5280.
The specifications of the KeyStoreSpi.engineStore(KeyStore.LoadStoreParameter param)
and KeyStore.store(KeyStore.LoadStoreParameter param)
methods have been updated to specify that an UnsupportedOperationException
is thrown if the implementation does not support the engineStore()
operation. This change adjusts the specification to match the existing behavior.
The jarsigner
tool has been updated to warn users when weak keys or cryptographic algorithms are used in certificates of the signer’s certificate chain.
This release reverts the behavior of SSLSocketImpl and SSLTransport introduced by JDK-8196584. SocketException will now be thrown as is instead of being suppressed into an SSLException.
Floating-point operations are now consistently strict, rather than having both "strict" floating-point semantics (strictfp
) and subtly different "default" floating-point semantics. This restores the original floating-point semantics of the language and VM, matching the semantics before the introduction of "strict" and "default" floating-point modes in Java SE 1.2.
For further details, see JEP 306.
When a class or interface has nested classes or interfaces, the list is improved to show the kind of class or interface, such as enum class, record class, annotation interface, as appropriate.
The summary page for a package has been restructured to display the different kinds of classes and interfaces in a single tabbed table, instead of a series of separate tables. Additional links have been provided in the navigation bar at the top of the page, to aid in faster navigation to different parts of the page.
When a declaration has a series of @see
tags, the output is generated in the form of an HTML <ul>
list, instead of a simple comma-separated list of links. The style of the list depends on the number and kind of the links.
"Multi-word" ids in the HTML generated by the Standard Doclet have been converted to a uniform style of lowercase words separated by hyphens. This primarily affects the ids used to navigate within the generated documentation and does not affect the ids used for field and method declarations, and which may be used in external pages to reference such declarations within the documentation.
The content of the "Help" page generated by the Standard Doclet has been revised, improved, and new information added.
In addition, the HELP link in the navigation bar for each kind of page now links directly to the section on the Help page for that kind of page.
The set of files generated by the Standard Doclet typically includes some files with associated licensing requirements. The Standard Doclet now provides support for including the associated legal files, with default behavior for the common case and a new command-line option (--legal-notices
) to override that behavior when appropriate.
DocLint (invoked from javac
and javadoc
with the -Xdoclint
option) now checks for constructs that lead to empty paragraphs in the generated documentation, which might be flagged by an HTML validator. The most common cause is the redundant use of <p>
at the end of a block of text.
DocLint detects and reports documentation comments that do not have any description about the associate declaration, before any block tags that may be present. (DocLint is a feature of the javac
and javadoc
tools, to detect and report issues in documentation comments.)
In the event that there is a problem getting a resource, URLClassLoader.getResource()
and findResource()
now return null
instead of throwing an undocumented IllegalArgumentException
. The same is true of Enumeration
s obtained from URLClassLoader.getResources()
and URLClassLoader.findResources()
.
This behavior conforms with the long-standing specification. The situation would typically occur on Windows, due to the use of a Windows-style path ("c:/windows"
).
In the java.lang.ProcessBuilder
implementation on Windows, the system property jdk.lang.Process.allowAmbiguousCommands=false
ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess
. An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process. If a security manager is set, such as in WebStart applications, double-quotes are encoded as described. When there is no security manager, there is no change to existing behavior; the jdk.lang.Process.allowAmbiguousCommands
property can be set to true
: jdk.lang.Process.allowAmbiguousCommands=true
or false
. If left unset, it is the same as setting it to true
.