January 14, 2020
The full version string for this update release is 13.0.2+8 (where "+" means "build"). The version number is 13.0.2.
JDK 13.0.2 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 13.0.2 are specified in the following table:
|JRE Family Version||JRE Security Baseline |
(Full Version String)
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the following Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 13.0.2) be used after the next critical patch update scheduled for April 14, 2020.
New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.
A new system property named
jdk.security.allowNonCaAnchor has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.
The default value of this property, if not set, is "false".
Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).
This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.
A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.
The following root certificate has been added to the cacerts truststore:
DN: CN=LuxTrust Global Root 2, O=LuxTrust S.A., C=LU
The following root certificates have been added to the cacerts truststore:
DN: CN=Amazon Root CA 1, O=Amazon, C=US
DN: CN=Amazon Root CA 2, O=Amazon, C=US
DN: CN=Amazon Root CA 3, O=Amazon, C=US
DN: CN=Amazon Root CA 4, O=Amazon, C=US
java.rmi.Remote marker interface identifies interfaces containing methods that can be invoked remotely by using the following specification:
java.rmi.Remotecan be invoked remotely
Remotedirectly or indirectly cannot be invoked remotely
This affects remote objects in the
java.rmi.registry.Registry and any other remote object.
The following are some of the notable bug fixes included in this release:
jdk.serialFilter system property can only be set on the command line. If the filter has not been set on the command line, it can be set can be set with
java.io.ObjectInputFilter.Config.setSerialFilter. Setting the jdk.serialFilter with
java.lang.System.setProperty has no effect.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 13.0.2 Bug Fixes page.