October 17, 2023
The full version string for this update release is 21.0.1+12 (where "+" means "build"). The version number is 21.0.1.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 21.0.1 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
21 | 21.0.1+12 |
17 | 17.0.9+11 |
11 | 11.0.21+9 |
8 | 8u391-b13 |
Oracle recommends that the JDK is updated with each Critical Patch Update. To determine whether a release is the latest, use the Security Baseline page, which lists the latest version for each release family.
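One way to apply the baseline table to an inventory of installed runtimes, as an added example that is not part of the original release notes. The host names and the sample inventory are constructed, and the parser accepts only the version-string shapes shown in its comments.

```python
import re

# Security baselines copied from the table above: JRE family -> full version string.
BASELINES = {21: "21.0.1+12", 17: "17.0.9+11", 11: "11.0.21+9", 8: "8u391-b13"}

# "8u391-b13", and the "1.8.0_391-b13" spelling that Java 8 runtimes report.
_LEGACY = re.compile(r"(?:1\.)?8(?:\.0)?[u_](\d+)(?:-b(\d+))?")
# "21.0.1+12", optionally followed by a suffix such as "-LTS".
_MODERN = re.compile(r"(\d+(?:\.\d+)*)(?:\+(\d+))?(?:-[\w.-]+)?")


def parse(version):
    """Return (feature, interim, update, patch, build); build is None if absent."""
    m = _LEGACY.fullmatch(version)
    if m:
        return (8, 0, int(m.group(1)), 0, int(m.group(2)) if m.group(2) else None)
    m = _MODERN.fullmatch(version)
    if not m:  # pre-release strings such as "21-ea+35" are rejected here
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(n) for n in m.group(1).split(".")][:4]
    nums += [0] * (4 - len(nums))  # "21+35" means 21.0.0.0, build 35
    return (*nums, int(m.group(2)) if m.group(2) else None)


def check(version):
    """Classify a runtime as 'ok', 'below-baseline' or 'unknown-family'."""
    parsed = parse(version)
    if parsed[0] not in BASELINES:
        return "unknown-family"
    baseline = parse(BASELINES[parsed[0]])
    # Without a build number, compare on the version number alone.
    n = 4 if parsed[4] is None else 5
    return "ok" if parsed[:n] >= baseline[:n] else "below-baseline"


# Constructed sample inventory: host names and versions are illustrative.
INVENTORY = {"app-01": "21.0.1+12", "app-02": "21+35", "batch-01": "17.0.8.1+1",
             "legacy-01": "1.8.0_381-b09", "legacy-02": "8u391-b13",
             "dev-01": "20.0.2+9"}


def audit(inventory):
    """Map each host to the classification of its reported runtime version."""
    return {host: check(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:10} {INVENTORY[host]:16} {status}")
```

A family that is absent from the table is reported as unknown-family rather than ok, so runtimes outside the listed families are surfaced for review.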
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 21.0.1) be used after the next critical patch update scheduled for January 16, 2024.
The fix for JDK-8302017 updated the RSA signature verification algorithm for compliance with RFC 8017. However, this modification introduced a regression: signatures not strictly conforming to RFC 8017 may fail verification. This issue will be addressed in a forthcoming update. For further information, refer to JDK-8320597.
The following root certificate has been added to the cacerts truststore:
+ Certigna (Dhimyotis)
+ certignarootca
DN: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR
jdk.jar.maxSignatureFileSize (JDK-8312489)
The system property jdk.jar.maxSignatureFileSize allows applications to control the maximum size of signature files in a signed JAR. Its default value has been increased from 8000000 bytes (8 MB) to 16000000 bytes (16 MB).
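A pre-deployment check that buckets the signature files of a JAR against the old and new default limits, as an added example that is not part of the original release notes. It assumes that signature files are the META-INF/*.SF, *.RSA, *.DSA and *.EC entries and that a file exactly at the limit is accepted. The sample JAR is constructed in memory.

```python
import io
import zipfile

OLD_DEFAULT = 8_000_000   # bytes: default before this release
NEW_DEFAULT = 16_000_000  # bytes: default as of this release
# Assumption of this example: signature files are the META-INF/*.SF, *.RSA,
# *.DSA and *.EC entries defined by the JAR file specification.
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def signature_entries(jar):
    """Return [(name, uncompressed size)] for signature files in META-INF/."""
    found = []
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            name = info.filename.upper()
            if (name.startswith("META-INF/") and name.count("/") == 1
                    and name.endswith(SIG_SUFFIXES)):
                found.append((info.filename, info.file_size))
    return found


def classify(size):
    """Bucket a size against both defaults (assumes size == limit is accepted)."""
    if size <= OLD_DEFAULT:
        return "within-old-default"
    if size <= NEW_DEFAULT:
        return "needs-new-default"
    return "exceeds-default"


def audit(jar):
    """Map each signature file in the JAR to its size bucket."""
    return {name: classify(size) for name, size in signature_entries(jar)}


def build_sample_jar():
    """Constructed sample: an in-memory JAR with padded signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/SMALL.SF", b"x" * 1_000)
        zf.writestr("META-INF/BIG.SF", b"x" * 9_000_000)
        zf.writestr("META-INF/BIG.RSA", b"x" * 17_000_000)
        zf.writestr("lib/NOT-A-SIGNATURE.SF", b"x" * 10)
    buf.seek(0)
    return buf
```

Entries reported as needs-new-default fit only under the raised limit, and entries reported as exceeds-default are larger than the new default, so the property would have to be set explicitly for them.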
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
Issues fixed in 21.0.1:
# | JBS | Component/Subcomponent | Summary |
---|---|---|---|
1 | JDK-8312555 | client-libs/2d | Ideographic characters aren't stretched by AffineTransform.scale(2, 1) |
2 | JDK-8311160 | client-libs/javax.accessibility | [macOS, Accessibility] VoiceOver: No announcements on JRadioButtonMenuItem and JCheckBoxMenuItem |
3 | JDK-8312535 | client-libs/javax.sound | MidiSystem.getSoundbank() throws unexpected SecurityException |
4 | JDK-8308609 | core-libs/java.lang | java/lang/ScopedValue/StressStackOverflow.java fails with "-XX:-VMContinuations" |
5 | JDK-8309591 | core-libs/java.net | Socket.setOption(TCP_QUICKACK) uses wrong level |
6 | JDK-8313765 | core-libs/java.util.jar | Invalid CEN header (invalid zip64 extra data field size) |
7 | JDK-8312976 | core-libs/java.util.regex | MatchResult produces StringIndexOutOfBoundsException for groups outside match |
8 | JDK-8313657 | core-libs/javax.naming | com.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors |
9 | JDK-8314063 | core-libs/javax.naming | The socket is not closed in Connection::createSocket when the handshake failed for LDAP connection |
10 | JDK-8313248 | hotspot/compiler | C2: setScopedValueCache intrinsic exposes nullptr pre-values to store barriers |
11 | JDK-8313262 | hotspot/compiler | C2: Sinking node may cause required cast to be dropped |
12 | JDK-8313402 | hotspot/compiler | C1: Incorrect LoadIndexed value numbering |
13 | JDK-8304954 | hotspot/compiler | SegmentedCodeCache fails when using large pages |
14 | JDK-8314024 | hotspot/compiler | SIGSEGV in PhaseIdealLoop::build_loop_late_post_work due to bad immediate dominator info |
15 | JDK-8299658 | hotspot/compiler | C1 compilation crashes in LinearScan::resolve_exception_edge |
16 | JDK-8312909 | hotspot/compiler | C1 should not inline through interface calls with non-subtype receiver |
17 | JDK-8313626 | hotspot/compiler | C2 crash due to unexpected exception control flow |
18 | JDK-8311249 | hotspot/gc | Remove unused MemAllocator::obj_memory_range |
19 | JDK-8293114 | hotspot/gc | JVM should trim the native heap |
20 | JDK-8307766 | hotspot/runtime | Linux: Provide the option to override the timer slack |
21 | JDK-8312182 | hotspot/runtime | THPs cause huge RSS due to thread start timing issue |
22 | JDK-8312394 | hotspot/runtime | [linux] SIGSEGV if kernel was built without hugepage support |
23 | JDK-8314020 | hotspot/runtime | Print instruction blocks in byte units |
24 | JDK-8312620 | hotspot/runtime | WSL Linux build crashes after JDK-8310233 |
25 | JDK-8312585 | hotspot/runtime | Rename DisableTHPStackMitigation flag to THPStackMitigation |
26 | JDK-8312401 | hotspot/runtime | SymbolTable::do_add_if_needed hangs when called in InstanceKlass::add_initialization_error path with requesting length exceeds max_symbol_length |
27 | JDK-8314850 | hotspot/runtime | SharedRuntime::handle_wrong_method() gets called too often when resolving Continuation.enter |
28 | JDK-8314679 | hotspot/svc-agent | SA fails to properly attach to JVM after having just detached from a different JVM |
29 | JDK-8313312 | other-libs | Add missing classpath exception copyright header |
30 | JDK-8308474 | security-libs/java.security | DSA does not reset SecureRandom when initSign is called again |
31 | JDK-8302017 | security-libs/java.security | Allocate BadPaddingException only if it will be thrown |
32 | JDK-8311592 | security-libs/javax.crypto | ECKeySizeParameterSpec causes too many exceptions on third party providers |
33 | JDK-8309214 | security-libs/javax.crypto:pkcs11 | sun/security/pkcs11/KeyStore/CertChainRemoval.java fails after 8301154 |
34 | JDK-8314216 | tools/javac | Case enumConstant, pattern compilation fails |
35 | JDK-8314423 | tools/javac | Multiple patterns without unnamed variables |
36 | JDK-8312619 | tools/javac | Strange error message when switching over long |
37 | JDK-8315534 | tools/javac | Incorrect warnings about implicit annotation processing |
38 | JDK-8313323 | tools/javac | javac -g on a java file which uses unnamed variable leads to ClassFormatError when launching that class |
39 | JDK-8240567 | tools/jlink | MethodTooLargeException thrown while creating a jlink image |
40 | JDK-8308042 | tools/jpackage | [macOS] Developer ID Application Certificate not picked up by jpackage if it contains UNICODE characters |