Release date: July 16, 2024
The full version string for this update release is 22.0.2+9 (where "+" means "build"). The version number is 22.0.2.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 22.0.2 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
22 | 22.0.2+9 |
21 | 21.0.4+8 |
17 | 17.0.12+8 |
11 | 11.0.24+7 |
8 | 8u421-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. To determine whether a release is the latest, use the Security Baseline page, which lists the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 22.0.2) be used after the next critical patch update scheduled for October 15, 2024.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
jpackage May Produce an Inaccurate List of Required Packages on Debian Linux Distros (JDK-8295111)
Fixed an issue on Debian Linux distros where jpackage could not always build an accurate list of required packages from shared libraries with symbolic links in their paths, causing installations to fail due to missing shared libraries.
Delete nonfunctional desktop integration functionality from Linux installers. The installers will stop depositing files in /usr/share/icons, /usr/share/mime, and /usr/share/applications subtrees.
The following root certificates have been added to the cacerts truststore:
+ GlobalSign
+ globalsignr46
DN: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE
+ GlobalSign
+ globalsigne46
DN: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE
RPATH Instead of RUNPATH (JDK-8326891)
Native executables and libraries on Linux have switched to using RPATH instead of RUNPATH in this release.
JDK native executables and libraries use embedded runtime search paths to locate other internal JDK native libraries. On Linux these can be defined as either RPATH or RUNPATH. The main difference is that the dynamic linker considers RPATH before the LD_LIBRARY_PATH environment variable, while RUNPATH is only considered after LD_LIBRARY_PATH.
By making the change to using RPATH, it is no longer possible to replace JDK internal native libraries using LD_LIBRARY_PATH.
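To confirm this change on an installed JDK, the dynamic section of each native binary can be inspected with readelf -d. The script below is an added example, not part of the release notes or of the JDK; its function names and the sample readelf lines are constructed for illustration, and it assumes binutils' readelf is installed.

```shell
#!/bin/sh
# Added example (not from the release notes): report which embedded
# search-path tag each ELF file in a JDK tree carries.

# Constructed samples of `readelf -d` output lines, for illustration.
SAMPLE_RPATH=' 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN]'
SAMPLE_RUNPATH=' 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN]'

# classify_dynamic: read `readelf -d` output on stdin and print
# RPATH, RUNPATH, BOTH or NONE.
classify_dynamic() {
    awk '
        $2 == "(RPATH)"   { rpath = 1 }
        $2 == "(RUNPATH)" { runpath = 1 }
        END {
            if (rpath && runpath) print "BOTH"
            else if (rpath)       print "RPATH"
            else if (runpath)     print "RUNPATH"
            else                  print "NONE"
        }'
}

# env_overrides: print "yes" when LD_LIBRARY_PATH is searched before the
# embedded path. glibc ignores DT_RPATH when DT_RUNPATH is also present,
# and with no embedded path LD_LIBRARY_PATH is consulted first anyway.
env_overrides() {
    case "$1" in
        RPATH) echo no ;;
        *)     echo yes ;;
    esac
}

# audit_jdk (hypothetical helper): walk a JDK directory and print
# "<tag> <LD_LIBRARY_PATH first?> <file>" for each library and launcher.
audit_jdk() {
    find "$1" -type f \( -name '*.so' -o -path '*/bin/*' \) |
    while IFS= read -r f; do
        tag=$(readelf -d "$f" 2>/dev/null | classify_dynamic)
        printf '%s\t%s\t%s\n' "$tag" "$(env_overrides "$tag")" "$f"
    done
}

# Usage: sh check_rpath.sh /usr/lib/jvm/<jdk-dir>
if [ -n "${1:-}" ]; then
    audit_jdk "$1"
fi
```

Any line reporting RUNPATH or BOTH for a JDK 22.0.2 binary indicates a file that does not match the behavior described above and is worth checking against the package contents.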
The installation directory name of the Oracle JDK in RPM and DEB packages has changed from /usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH} to /usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}.
Every update release will be installed in a separate directory on the Linux platform.
Installers will create a /usr/java/jdk-${FEATURE}-oracle-${ARCH} link pointing to the installation directory to allow programs to find the latest JDK version in the ${FEATURE} release train.
JDK 17 introduced a performance improvement that made OCSP clients unconditionally use GET requests for small requests, while doing POST requests for everything else. This is explicitly allowed and recommended by RFC 5019 and RFC 6960. However, we have seen OCSP responders that, despite RFC requirements, are not working well with GET requests.
This release introduces a new JDK system property to allow clients to fall back to POST-only behavior. This unblocks interactions with those OCSP responders through the use of -Dcom.sun.security.ocsp.useget={false,true}. This amends the original change that introduced GET OCSP requests (JDK-8179503). The default behavior is not changed; the option defaults to true. Set the option to false to disable GET OCSP requests. Any value other than false (case-insensitive) defaults to true.
This option is non-standard, and might go away once problematic OCSP responders get upgraded.
Library | New Version | Module | JBS |
---|---|---|---|
Zlib Data Compression Library | 1.3.1 | java.base | JDK-8324632 |
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
Issues fixed in 22.0.2:
# | JBS | Component/Subcomponent | Summary |
---|---|---|---|
1 | JDK-8185862 | client-libs/java.awt | AWT Assertion Failure in ::GetDIBits(hBMDC, hBM, 0, 1, 0, gpBitmapInfo, 0) 'awt_Win32GraphicsDevice.cpp', at line 185 |
2 | JDK-8187759 | client-libs/javax.swing | Background not refreshed when painting over a transparent JFrame |
3 | JDK-8320692 | client-libs/javax.swing | Null icon returned for .exe without custom icon |
4 | JDK-8328953 | client-libs/javax.swing | JEditorPane.read throws ChangedCharSetException |
5 | JDK-8323801 | client-libs/javax.swing | <s> tag doesn't strikethrough the text |
6 | JDK-8325179 | client-libs/javax.swing | Race in BasicDirectoryModel.validateFileCache |
7 | JDK-8330748 | core-libs/java.io | ByteArrayOutputStream.writeTo(OutputStream) pins carrier |
8 | JDK-8325621 | core-libs/java.lang | Improve jspawnhelper version checks |
9 | JDK-8325028 | core-libs/java.nio | (ch) Pipe channels should lazily set socket to non-blocking mode on first use by virtual thread |
10 | JDK-8328366 | core-libs/java.util.concurrent | Thread.setContextClassloader from thread in FJP commonPool task no longer works after JDK-8327501 |
11 | JDK-8327631 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2024-03-07 |
12 | JDK-8325579 | core-libs/javax.naming | Inconsistent behavior in com.sun.jndi.ldap.Connection::createSocket |
13 | JDK-8328165 | hotspot/compiler | improve assert(idx < _maxlrg) failed: oob |
14 | JDK-8325432 | hotspot/compiler | enhance assert message "relocation addr must be in this section" |
15 | JDK-8328702 | hotspot/compiler | C2: Crash during parsing because sub type check is not folded |
16 | JDK-8328822 | hotspot/compiler | C2: "negative trip count?" assert failure in profile predicate code |
17 | JDK-8324121 | hotspot/compiler | SIGFPE in PhaseIdealLoop::extract_long_range_checks |
18 | JDK-8322484 | hotspot/gc | 22-b26 Regression in J2dBench-bimg_misc-G1 (and more) on Windows-x64 and macOS-x64 |
19 | JDK-8329570 | hotspot/gc | G1: Excessive is_obj_dead_cond calls in verification |
20 | JDK-8328166 | hotspot/gc | Epsilon: 'EpsilonHeap::allocate_work' misuses the parameter 'size' as size in bytes |
21 | JDK-8328168 | hotspot/gc | Epsilon: Premature OOM when allocating object larger than uncommitted heap size |
22 | JDK-8329223 | hotspot/gc | Parallel: Parallel GC resizes heap even if -Xms = -Xmx |
23 | JDK-8329109 | hotspot/gc | Threads::print_on() tries to print CPU time for terminated GC threads |
24 | JDK-8329528 | hotspot/gc | G1 does not update TAMS correctly when dropping retained regions during Concurrent Start pause |
25 | JDK-8328744 | hotspot/gc | Parallel: Parallel GC throws OOM before heap is fully expanded |
26 | JDK-8330275 | hotspot/gc | Crash in XMark::follow_array |
27 | JDK-8329134 | hotspot/gc | Reconsider TLAB zapping |
28 | JDK-8326446 | hotspot/jfr | The User and System of jdk.CPULoad on Apple M1 are inaccurate |
29 | JDK-8326106 | hotspot/jfr | Write and clear stack trace table outside of safepoint |
30 | JDK-8327059 | hotspot/runtime | os::Linux::print_proc_sys_info add swappiness information |
31 | JDK-8328589 | hotspot/runtime | unify os::breakpoint among posix platforms |
32 | JDK-8328997 | hotspot/runtime | Remove unnecessary template parameter lists in GrowableArray |
33 | JDK-8331942 | hotspot/runtime | On Linux aarch64, CDS archives should be using 64K alignment by default |
34 | JDK-8329656 | hotspot/runtime | assertion failed in MAP_ARCHIVE_MMAP_FAILURE path: Invalid immediate -5 0 |
35 | JDK-8329605 | hotspot/runtime | hs errfile generic events - move memory protections and nmethod flushes to separate sections |
36 | JDK-8330464 | hotspot/runtime | hserr generic events - add entry for the before_exit calls |
37 | JDK-8324933 | hotspot/runtime | ConcurrentHashTable::statistics_calculate synchronization is expensive |
38 | JDK-8331714 | hotspot/runtime | Make OopMapCache installation lock-free |
39 | JDK-8324646 | security-libs/java.security | Avoid Class.forName in SecureRandom constructor |
40 | JDK-8324648 | security-libs/java.security | Avoid NoSuchMethodError when instantiating NativePRNG |
41 | JDK-8326643 | security-libs/java.security | JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message |
42 | JDK-8261433 | security-libs/javax.crypto:pkcs11 | Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit |
43 | JDK-8312383 | security-libs/javax.net.ssl | Log X509ExtendedKeyManager implementation class name in TLS/SSL connection |
44 | JDK-8329213 | security-libs/javax.security | Better validation for com.sun.security.ocsp.useget option |