The full version string for this update release is 11.0.18+11 (where “+” means “build”). The version number is 11.0.18.
Full Java 11 release notes can be found here.
What is Java?
Java is a programming language and software platform. Examples of applications that use Java are numerous and widespread, but include web browsers, office applications, and even mainstream games like Minecraft that are based on Java.
What is Java JDK?
The Java Development Kit (JDK) is the complete software development kit for Java developers. It has everything the JRE has, but adds the compiler (javac) and tools (like javadoc and jdb). The JDK allows you to create and compile Java programs.
Is Java free to use?
Yes, Java is free to use under the jdk.java.net license. This means that anyone can download it for personal or development use at no cost. Oracle charges for long-term support, but this is optional.
IANA data 2020a
JDK 11.0.16 contains time zone data for IANA 2021a. For more information, see Time Zone Data Versions in the JRE Software.
Security baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.16 are specified in the following table:
JRE Family Version = JRE Security Baseline (Full Version String)
11 = 11.0.16+11
8 = 8u341-b10
7 = 7u351-b07
Keep the JDK up to date
Oracle recommends that the JDK be updated with each critical patch update. To determine whether a version is the latest, the Security Baseline page can be used to determine which version is the latest for each version family.
Critical patch updates, which contain fixes for security vulnerabilities, are announced one year in advance in critical patch updates, security alerts, and bulletins. It is not recommended to use this JDK (version 11.0.13) after the next critical patch update scheduled for January 18, 2022.
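A baseline check for the table above, as an added example that is not part of the original release notes: it parses both Java version schemes and flags installations older than the baseline of their family. The baseline values are copied from the table and go stale with each critical patch update; the inventory, host names and function names are constructed for illustration.

```python
import re

# Security baselines copied from the table above: JRE family -> full version string.
BASELINES = {11: "11.0.16+11", 8: "8u341-b10", 7: "7u351-b07"}

_LEGACY = re.compile(r"^(?:1\.)?(\d+)(?:\.0_|u)(\d+)(?:-b(\d+))?$")  # 8u341-b10, 1.8.0_341-b10
_MODERN = re.compile(r"^(\d+(?:\.\d+)*)(?:\+(\d+))?$")               # 11.0.16+11

def parse(version):
    """Return (family, update_tuple, build) for either version scheme."""
    text = version.strip()
    m = _LEGACY.match(text)
    if m:
        return int(m[1]), (0, int(m[2])), int(m[3] or 0)
    m = _MODERN.match(text)
    if m:
        nums = tuple(int(n) for n in m[1].split("."))
        return nums[0], nums[1:], int(m[2] or 0)
    raise ValueError(f"unrecognised Java version string: {version!r}")

def below_baseline(version):
    """True if older than the family's baseline, False if not,
    None if the family is not in the table."""
    family, update, build = parse(version)
    if family not in BASELINES:
        return None
    _, base_update, base_build = parse(BASELINES[family])
    return (update, build) < (base_update, base_build)

# Constructed inventory (host names and installed versions are made up).
INVENTORY = {
    "build-01": "11.0.18+11",
    "app-07": "11.0.13+8",
    "legacy-02": "1.8.0_333-b02",
    "batch-03": "8u341-b10",
    "lab-09": "17.0.4+8",
}

def audit(inventory):
    """Map each host to 'outdated', 'ok' or 'unknown family'."""
    labels = {True: "outdated", False: "ok", None: "unknown family"}
    return {host: labels[below_baseline(v)] for host, v in inventory.items()}

print(audit(INVENTORY))
```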
What’s New
Oracle recommends that the JDK be updated with each critical patch update. To determine whether a version is the latest, the Security Baseline page can be used to determine which version is the latest for each version family.
Critical patch updates, which contain fixes for security vulnerabilities, are announced one year in advance in critical patch updates, security alerts, and bulletins. It is not recommended to use this JDK (version 11.0.16) after the next critical patch update scheduled for October 18, 2022.
New features
core-libs/java.net
➜ Added HTTPS channel binding support for Java GSS/Kerberos
Added support for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS via javax.net.HttpsURLConnection.
Channel binding tokens are increasingly required as an enhanced form of security that can mitigate certain kinds of socially engineered man-in-the-middle (MITM) attacks. They work by communicating from a client to a server the client’s understanding of the binding between connection security (represented by a TLS server certificate) and higher-level authentication credentials (such as a user name and password). The server can then detect whether the client has been tricked by a MITM and close the session/connection.
The feature is controlled through a new system property jdk.https.negotiate.cbt that is described in detail on the Network Properties page.
Other notes
➜ JDK package extensions truncated when downloading using Firefox 102
On oracle.com and java.com, certain JDK package extensions are truncated when downloaded using Firefox version 102. Downloaded packages have no file extension like “.exe”, “.rpm”, “.deb”. If you can’t update to Firefox ESR 102.0.1 or Firefox 103 when it’s released, as a workaround, you can:
- Manually add a file extension to the file name after downloading
- Use a different browser
Changes
core-libs/java.io
➜ Enable Windows alternate data streams by default
The Windows implementation of java.io.File has been changed so that strict validity checks are not performed by default on file paths. This includes allowing a colon (‘:’) in the path other than just immediately after a single drive letter. It also allows paths that represent NTFS alternate data streams (ADS), such as “filename:streamname”. This restores the default behavior of java.io.File to what it was before the April 2022 CPU in which strict validity checks were not performed by default on file paths in Windows. To re-enable strict path checking in java.io.File, the jdk.io.File.enableADS system property must be set to false (case is ignored). This might be preferable, for example, if special Windows device paths such as NUL: are not used.
Bug fixes
This version is based on the previous CPU and does not contain any additional security fixes. The following issues have also been resolved:
- JDK-8284920 Category: xml Subcategory: javax.xml.xpath Summary: Incorrect token type causes XPath expression to return incorrect results
- JDK-8284548 Category: xml Subcategory: jaxp Summary: Invalid XPath expression raises StringIndexOutOfBoundsException
Java SE 11.0.15 Advanced – Bundled Patch Release (BPR) – Bug fixes and updates
The following sections summarize the changes made in all versions of Java SE 11.0.15 BPR. The BPR versions are listed below in order of date, the most recent BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
- JDK-8221741 Category: client-libs Subcategory: 2d Description: ClassCastException can occur when using fontconfig.properties
- JDK-8212904 Category: client-libs Subcategory: javax.swing Description: The JTextArea line wrap is incorrect when using the UI scale
- JDK-8282583 Category: xml Subcategory: jaxp Description: Update BCEL md to include copyright notice
- JDK-8283350 Category: core-libs Subcategory: java.time Description: (tz) Update time zone data to 2022a
Previous Release Notes
security-libs/org.ietf.jgss:krb5
➜ Cross-realm MSSFU support
Support for Kerberos MSSFU extensions [1] is now extended to cross-realm environments.
By taking advantage of the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the ‘S4U2Self’ and ‘S4U2Proxy’ extensions can be used to impersonate service principals and users located in different realms.
security-libs/java.security
➜ Customizing PKCS12 keystore generation
New system and security properties have been added to allow users to customize PKCS #12 keystore generation. This includes algorithms and parameters for key protection, certificate protection, and MacData. Detailed explanation and possible values of these properties can be found in the “PKCS12 KeyStore Properties” section of the java.security file.
In addition, support for the following SHA-2-based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256
Features and options removed
security-libs/java.security
➜ Deleted root certificates with 1024-bit keys
The following root certificates with weak 1024-bit RSA keys have been removed from the cacerts keystore:
+ Alias name “ThawtePremiumServerCA [JDK]”
  Distinguished name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
+ Alias name “verisignclass2g2ca [jdk]”
  Distinguished name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. – For Authorized Use Only", OU=Class 2 – G2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
+ Alias name “verisignclass3ca [jdk]”
  Distinguished name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
+ Alias name “verisignclass3g2ca [jdk]”
  Distinguished name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. – For Authorized Use Only", OU=Class 3 Public Primary Certification Authority – G2, O="VeriSign, Inc.", C=US
+ Alias name “VeriSigntsaca [jdk]”
  Distinguished name: CN=Thawte Timestamp CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
Previous Release Notes
security-libs/java.security
➜ -groupname option added to keytool key pair generation
A new -groupname option has been added to keytool -genkeypair so that a user can specify a named group when generating a key pair. For example, keytool -genkeypair -keyalg EC -groupname secp384r1 will generate an EC key pair using the secp384r1 curve. Because there can be multiple curves with the same size, using the -groupname option is preferred over the -keysize option.
security-libs/javax.net.ssl
➜ Support for certificate_authorities extension
The “certificate_authorities” extension is an optional extension introduced in TLS 1.3. It is used to indicate the certification authorities (CAs) that an endpoint supports and that should be used by the receiving endpoint to guide certificate selection.
With this version of the JDK, the “certificate_authorities” extension is supported for TLS 1.3 on both the client and server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.
Applications can enable this extension for server certificate selection by setting the jdk.tls.client.enableCAExtension system property to true. The default value of the property is false.
Note that if the client trusts more CAs than the extension size limit (less than 2^16 bytes), the extension is not enabled. Additionally, some server implementations do not allow handshake messages to exceed 2^14 bytes. As a result, there may be interoperability issues when jdk.tls.client.enableCAExtension is set to true and the client trusts more CAs than the server deployment limit.
core-libs/java.lang
➜ POSIX_SPAWN option on Linux
As an additional way to start processes on Linux, the jdk.lang.Process.launchMechanism property can be set to POSIX_SPAWN. This option has been available for a long time on other *nix platforms. The default launch mechanism (VFORK) on Linux has not changed, so this additional option does not affect existing installations.
POSIX_SPAWN mitigates rare pathological cases when spawning child processes, but it has not yet been extensively tested. Caution is advised when using POSIX_SPAWN in production installations.
security-libs/javax.net.ssl
➜ Support for X25519 and X448 in TLS
Elliptic curve groups named x25519 and x448 are now available for JSSE key agreement in TLS versions 1.0 through 1.3, with x25519 being the most preferred of the default enabled named groups. The default ordered list is now:
x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
The default list can be overridden by using the jdk.tls.namedGroups system property.
security-libs/java.security
➜ jarsigner preserves POSIX file permission and symbolic link attributes
When signing a file that contains POSIX file permissions or symbolic link attributes, jarsigner now retains these attributes in the newly signed file, but warns that these attributes are not signed and are not protected by the signature. The same warning is printed during the jarsigner -verify operation for such files.
Note that the jar tool does not read/write these attributes. This change is most visible for tools like unzip where these attributes are preserved.
client-libs/2d
➜ Oracle JDK11u for Solaris now requires harfbuzz to be installed
Oracle JDK-11.0.10 and later releases for Solaris 11 require the operating system to provide the package library/desktop/harfbuzz as part of the system installation. This package is provided for the Solaris 11.3 and later releases.
    $ pkg info harfbuzz
    Name: library/desktop/harfbuzz
    Summary: HarfBuzz is an OpenType text modeling engine
    Description: HarfBuzz is a text shaping library, which converts unicode text into indexes and glyph positions. HarfBuzz is used directly by libraries such as Pango and the design engines in Firefox.
    Category: Desktop (GNOME)/Libraries
    Status: Installed
    Publisher: solaris
This is a desktop library, but the font processing it performs is part of some common backend server workloads. It should always be considered as necessary.
If this library is missing, the pkg mechanism will require it during the installation of the JDK. If the JDK is installed using a tar.gz package (for example) and the library/desktop/harfbuzz package is missing, a run-time link error will occur when this package is needed.
JDK-8251907 (non-public)
core-libs/java.time
➜ JDK time zone data updated to tzdata2020d
The JDK update incorporates tzdata2020d. The main change is that Palestine ends daylight saving time ahead of schedule, on 2020-10-24.
See https://mm.icann.org/pipermail/tz-announce/2020-October/000062.html for more information.
core-libs/java.time
➜ JDK time zone data updated to tzdata2020c
The JDK update incorporates tzdata2020c. The main change is that Fiji starts daylight saving time later than usual, on 2020-12-20.
See https://mm.icann.org/pipermail/tz-announce/2020-October/000060.html for more information.
core-libs/java.time
➜ US/Pacific-New zone name removed as part of tzdata2020b
Following the JDK upgrade to tzdata2020b, obsolete files named pacificnew and systemv have been removed. As a result, the zone name “US/Pacific-New” declared in the pacificnew data file is no longer available for use.
Information about this update can be viewed at https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html.
Bug fixes
- This release also contains fixes for the security vulnerabilities described in Oracle Critical Patch Update. For a more complete list of bug fixes included in this release, see the JDK 11.0.10 bug fixes page.
security-libs/java.security
➜ Weak named curves in TLS, CertPath, and signed JAR disabled by default
- Weak named curves are disabled by default by adding them to the following disabledAlgorithms security properties: jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms, and jdk.jar.disabledAlgorithms. The named curves are listed below.
- With 47 weak named curves to disable, adding individual named curves to each disabledAlgorithms property would be overwhelming. To alleviate this, a new security property, jdk.disabled.namedCurves, is implemented, which can enumerate named curves common to all disabledAlgorithms properties. To use the new property in the disabledAlgorithms properties, precede the fully qualified name of the property with the include keyword. Users can still add individual named curves to the disabledAlgorithms properties independent of this new property. You cannot include any other properties in the disabledAlgorithms properties.
- To restore named curves, remove the include jdk.disabled.namedCurves entry from specific or all disabledAlgorithms security properties. To restore one or more curves, remove specific named curves from the jdk.disabled.namedCurves property.
- Curves that are disabled through jdk.disabled.namedCurves include the following: secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
- The curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448. See JDK-8233228
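A check for the include mechanism described above, as an added example that is not from Oracle or the JDK: it parses text in java.security syntax, resolves include jdk.disabled.namedCurves for each of the three disabledAlgorithms properties, and reports which of the 47 listed curves a configuration leaves enabled. The sample file content, the non-curve entries in it and the function names are constructed for illustration.

```python
import re

# The 47 curves this release note lists for jdk.disabled.namedCurves.
PAGE_CURVES = [c.strip() for c in (
    "secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, "
    "secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, "
    "sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, "
    "sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, "
    "X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, "
    "X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, "
    "X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, "
    "brainpoolP512r1").split(",")]
WEAK = {c.lower() for c in PAGE_CURVES}  # names are compared case-insensitively here
PROPS = ("jdk.tls.disabledAlgorithms", "jdk.certpath.disabledAlgorithms",
         "jdk.jar.disabledAlgorithms")

# Constructed java.security excerpt: brainpoolP256r1 was removed from the shared
# list, and the jar property names one curve instead of using the include.
SAMPLE = "\n".join([
    "jdk.disabled.namedCurves = " + ", \\\n    ".join(
        c for c in PAGE_CURVES if c != "brainpoolP256r1"),
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, \\\n    include jdk.disabled.namedCurves",
    "jdk.certpath.disabledAlgorithms=MD2, MD5, include jdk.disabled.namedCurves",
    "jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, secp112r1",
])

def load_properties(text):
    """Parse key=value lines after joining backslash line continuations."""
    props = {}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith(("#", "!")):
            props[key.strip()] = value.strip()
    return props

def reenabled_curves(props):
    """Per property: page-listed weak curves the configuration leaves enabled."""
    report = {}
    for name in PROPS:
        covered = set()
        for entry in props.get(name, "").split(","):
            m = re.fullmatch(r"\s*include\s+(\S+)\s*", entry)
            listed = props.get(m[1], "").split(",") if m else [entry]
            covered |= {c.strip().lower() for c in listed}
        report[name] = sorted(WEAK - covered)
    return report

print(reenabled_curves(load_properties(SAMPLE)))
```

The check looks only at named-curve entries; key-size constraints in the same properties are not evaluated.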
security-libs/org.ietf.jgss:krb5
➜ Support for Kerberos Cross-Realm Referrals (RFC 6806)
- The Kerberos client has been enhanced with support for canonicalization of principal names and cross-realm referrals, as defined in the RFC 6806 protocol extension.
- As a result of this new feature, the Kerberos client can take advantage of more dynamic environment configurations and does not necessarily need to know (in advance) how to get to the realm of a target principal (user or service).
- Support is enabled by default and 5 is the maximum number of referral hops allowed. To disable it, set the sun.security.krb5.disableReferrals security or system property to false. To configure a custom maximum number of referral hops, set the sun.security.krb5.maxReferrals security or system property to any positive value.