Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY New in release OpenJDK 17.0.1 (2021-10-19): =========================================== Live versions of these release notes can be found at: * https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt * Security fixes - JDK-8263314: Enhance XML Dsig modes - JDK-8265167, CVE-2021-35556: Richer Text Editors - JDK-8265574: Improve handling of sheets - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit - JDK-8265776: Improve Stream handling for SSL - JDK-8266097, CVE-2021-35561: Better hashing support - JDK-8266103: Better specified spec values - JDK-8266109: More Resilient Classloading - JDK-8266115: More Manifest Jar Loading - JDK-8266137, CVE-2021-35564: Improve Keystore integrity - JDK-8266689, CVE-2021-35567: More Constrained Delegation - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic - JDK-8267712: Better LDAP reference processing - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking - JDK-8267735, CVE-2021-35586: Better BMP support - JDK-8268193: Improve requests of certificates - JDK-8268199: Correct certificate requests - JDK-8268205: Enhance DTLS client handshake - JDK-8268500: Better specified ParameterSpecs - JDK-8268506: More Manifest Digests - JDK-8269618, CVE-2021-35603: Better session identification - JDK-8269624: Enhance method selection support - JDK-8270398: Enhance canonicalization - JDK-8270404: Better canonicalization * Other changes - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked - JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" - JDK-8263531: Remove unused buffer int - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance - JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms - JDK-8269297: Bump version numbers for JDK 17.0.1 - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events - JDK-8269763: The JEditorPane is blank after JDK-8265167 - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers - JDK-8269882: stack-use-after-scope in NewObjectA - JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags - JDK-8270094: Shenandoah: Provide human-readable labels for test configurations - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode - JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error - JDK-8270344: Session resumption errors - JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added - JDK-8271276: C2: Wrong JVM state used for receiver null check - JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4 - JDK-8271589: fatal error with variable shift count integer rotate operation. - JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java - JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests - JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj - JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed - JDK-8273358: macOS Monterey does not have the font Times needed by Serif Notes on individual issues: =========================== security-libs/java.security: JDK-8271434: Removed IdenTrust Root Certificate =============================================== The following root certificate from IdenTrust has been removed from the `cacerts` keystore: Alias Name: identrustdstx3 [jdk] Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. New in release OpenJDK 17.0.0 (2021-09-14): =========================================== The full list of changes in the interim releases from 11u to 17u can be found at: * https://builds.shipilev.net/backports-monitor/release-notes-12.txt * https://builds.shipilev.net/backports-monitor/release-notes-13.txt * https://builds.shipilev.net/backports-monitor/release-notes-14.txt * https://builds.shipilev.net/backports-monitor/release-notes-15.txt * https://builds.shipilev.net/backports-monitor/release-notes-16.txt * https://builds.shipilev.net/backports-monitor/release-notes-17.txt Major changes are listed below. Some changes may have been backported to earlier releases following their first appearance in OpenJDK 12 through to 17. NEW FEATURES ============ Language Features ================= Switch Expressions ================== https://openjdk.java.net/jeps/325 https://openjdk.java.net/jeps/354 https://openjdk.java.net/jeps/361 Extend the `switch` statement so that it can be used as either a statement or an expression, and that both forms can use either a "traditional" or "simplified" scoping and control flow behavior. Both forms can use either traditional `case ... :` labels (with fall through) or new `case ... ->` labels (with no fall through), with a further new statement for yielding a value from a `switch` expression. These changes will simplify everyday coding, and also prepare the way for the use of pattern matching in `switch`. This was a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK 12 & 13 and became final in OpenJDK 14. Text Blocks =========== https://openjdk.java.net/jeps/355 https://openjdk.java.net/jeps/368 https://openjdk.java.net/jeps/378 Add text blocks to the Java language. A text block is a multi-line string literal that avoids the need for most escape sequences, automatically formats the string in a predictable way, and gives the developer control over format when desired. This was a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK 13 & 14 and became final in OpenJDK 15. Pattern Matching for instanceof =============================== https://openjdk.java.net/jeps/305 https://openjdk.java.net/jeps/375 https://openjdk.java.net/jeps/394 http://cr.openjdk.java.net/~briangoetz/amber/pattern-match.html Enhance the Java programming language with pattern matching for the `instanceof` operator. Pattern matching allows common logic in a program, namely the conditional extraction of components from objects, to be expressed more concisely and safely. This was a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK 14 & 15 and became final in OpenJDK 16. Records ======= https://openjdk.java.net/jeps/359 https://openjdk.java.net/jeps/384 https://openjdk.java.net/jeps/395 Enhance the Java programming language with records. Records provide a compact syntax for declaring classes which are transparent holders for shallowly immutable data. This was a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK 14 & 15 and became final in OpenJDK 16. Sealed Classes ============== https://openjdk.java.net/jeps/360 https://openjdk.java.net/jeps/397 https://openjdk.java.net/jeps/409 https://cr.openjdk.java.net/~briangoetz/amber/datum.html Enhance the Java programming language with sealed classes and interfaces. Sealed classes and interfaces restrict which other classes or interfaces may extend or implement them. This was a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK 15 & 16 and became final in OpenJDK 17. Restore Always-Strict Floating-Point Semantics ============================================== https://openjdk.java.net/jeps/306 Make floating-point operations consistently strict, rather than have both strict floating-point semantics (`strictfp`) and subtly different default floating-point semantics. This will restore the original floating-point semantics to the language and VM, matching the semantics before the introduction of strict and default floating-point modes in Java SE 1.2. Pattern Matching for switch =========================== https://openjdk.java.net/jeps/406 Enhance the Java programming language with pattern matching for `switch` expressions and statements, along with extensions to the language of patterns. Extending pattern matching to `switch` allows an expression to be tested against a number of patterns, each with a specific action, so that complex data-oriented queries can be expressed concisely and safely. This is a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK 17. Library Features ================ JVM Constants API ================= https://openjdk.java.net/jeps/334 Introduce an API to model nominal descriptions of key class-file and run-time artifacts, in particular constants that are loadable from the constant pool. Reimplement the Legacy Socket API ================================= https://openjdk.java.net/jeps/353 Replace the underlying implementation used by the `java.net.Socket` and `java.net.ServerSocket` APIs with a simpler and more modern implementation that is easy to maintain and debug. The new implementation will be easy to adapt to work with user-mode threads, a.k.a. fibers, currently being explored in Project Loom (https://openjdk.java.net/projects/loom). JFR Event Streaming =================== https://openjdk.java.net/jeps/349 Expose JDK Flight Recorder data for continuous monitoring. Non-Volatile Mapped Byte Buffers ================================ https://openjdk.java.net/jeps/352 Add new JDK-specific file mapping modes so that the `FileChannel` API can be used to create `MappedByteBuffer` instances that refer to non-volatile memory. Helpful NullPointerExceptions ============================= https://openjdk.java.net/jeps/358 Improve the usability of `NullPointerException`s generated by the JVM by describing precisely which variable was `null`. Foreign-Memory Access API ========================= https://openjdk.java.net/jeps/370 https://openjdk.java.net/jeps/383 https://openjdk.java.net/jeps/393 Introduce an API to allow Java programs to safely and efficiently access foreign memory outside of the Java heap. This was a incubation feature (https://openjdk.java.net/jeps/11) in OpenJDK 14, 15 & 16, now superseded by the Foreign Function & Memory API in OpenJDK 17 (see below). Edwards-Curve Digital Signature Algorithm (EdDSA) ================================================= https://openjdk.java.net/jeps/339 Implement cryptographic signatures using the Edwards-Curve Digital Signature Algorithm (EdDSA) as described by RFC 8032 (https://tools.ietf.org/html/rfc8032). Hidden Classes ============== https://openjdk.java.net/jeps/371 Introduce hidden classes, which are classes that cannot be used directly by the bytecode of other classes. Hidden classes are intended for use by frameworks that generate classes at run time and use them indirectly, via reflection. A hidden class may be defined as a member of an access control nest (https://openjdk.java.net/jeps/181), and may be unloaded independently of other classes. Reimplement the Legacy DatagramSocket API ========================================= https://openjdk.java.net/jeps/373 Replace the underlying implementations of the `java.net.DatagramSocket` and `java.net.MulticastSocket` APIs with simpler and more modern implementations that are easy to maintain and debug. The new implementations will be easy to adapt to work with virtual threads, currently being explored in Project Loom (https://openjdk.java.net/projects/loom). This is a follow-on to JEP 353 (see above), which already reimplemented the legacy Socket API. Vector API ========== https://openjdk.java.net/jeps/338 https://openjdk.java.net/jeps/414 Provide an initial iteration of an incubator module, `jdk.incubator.vector`, to express vector computations that reliably compile at runtime to optimal vector hardware instructions on supported CPU architectures and thus achieve superior performance to equivalent scalar computations. This is an incubation feature (https://openjdk.java.net/jeps/11) introduced in OpenJDK 16. Unix-Domain Socket Channels =========================== https://openjdk.java.net/jeps/380 Add Unix-domain (`AF_UNIX`) socket support to the socket channel and server-socket channel APIs in the `java.nio.channels` package. Extend the inherited channel mechanism to support Unix-domain socket channels and server socket channels. Foreign Linker API (Incubator) ============================== https://openjdk.java.net/jeps/389 Introduce an API that offers statically-typed, pure-Java access to native code. This API, together with the Foreign-Memory API (see above), will considerably simplify the otherwise error-prone process of binding to a native library. This was an incubation feature (https://openjdk.java.net/jeps/11) introduced in OpenJDK 16, now superseded by the Foreign Function & Memory API in OpenJDK 17 (see below). Strongly Encapsulate JDK Internals by Default ============================================= https://openjdk.java.net/jeps/396 https://openjdk.java.net/jeps/403 Strongly encapsulate all internal elements of the JDK by default, except for critical internal APIs such as `sun.misc.Unsafe`. It will no longer be possible to relax the strong encapsulation of internal elements via a single command-line option, as was possible in OpenJDK 9 through 16. Enhanced Pseudo-Random Number Generators ======================================== https://openjdk.java.net/jeps/356 Provide new interface types and implementations for pseudo-random number generators (PRNGs), including jumpable PRNGs and an additional class of splittable PRNG algorithms (LXM). Foreign Function & Memory API ============================= https://openjdk.java.net/jeps/412 Introduce an API by which Java programs can interoperate with code and data outside of the Java runtime. By efficiently invoking foreign functions (i.e., code outside the JVM), and by safely accessing foreign memory (i.e., memory not managed by the JVM), the API enables Java programs to call native libraries and process native data without the brittleness and danger of JNI. This API is an incubation feature (https://openjdk.java.net/jeps/11) introduced in OpenJDK 17, and is an evolution of the Foreign Memory Access API (OpenJDK 14 through 16) and Foreign Linker API (OpenJDK 16) (see above). Context-Specific Deserialization Filters ======================================== https://openjdk.java.net/jeps/415 Allow applications to configure context-specific and dynamically-selected deserialization filters via a JVM-wide filter factory that is invoked to select a filter for each individual deserialization operation. Tools ===== Packaging Tool ============== https://openjdk.java.net/jeps/343 https://openjdk.java.net/jeps/392 Provide the `jpackage` tool, for packaging self-contained Java applications. JVM Features ============ Shenandoah: A Low-Pause-Time Garbage Collector ============================================== https://openjdk.java.net/jeps/189 https://openjdk.java.net/jeps/379 Add a new garbage collection (GC) algorithm named Shenandoah which reduces GC pause times by doing evacuation work concurrently with the running Java threads. Pause times with Shenandoah are independent of heap size, meaning you will have the same consistent pause times whether your heap is 200 MB or 200 GB. Shenandoah has been provided in Red Hat builds of OpenJDK 8 since 8u131 in April 2017 and in all 11u builds. Upstream, it was introduced in OpenJDK 12 as an experimental feature and became a production feature in OpenJDK 15. It was backported to OpenJDK 11 with the 11.0.9 release in October 2020. Abortable Mixed Collections for G1 ================================== https://openjdk.java.net/jeps/344 Make G1 mixed collections abortable if they might exceed the pause target. Promptly Return Unused Committed Memory from G1 =============================================== https://openjdk.java.net/jeps/346 Enhance the G1 garbage collector to automatically return Java heap memory to the operating system when idle. Dynamic CDS Archives ==================== https://openjdk.java.net/jeps/310 https://openjdk.java.net/jeps/350 Extend application class-data sharing to allow the dynamic archiving of classes at the end of Java application execution. The archived classes will include all loaded application classes and library classes that are not present in the default, base-layer CDS archive. ZGC: Uncommit Unused Memory (Experimental) ========================================== https://openjdk.java.net/jeps/351 Enhance ZGC to return unused heap memory to the operating system. NUMA-Aware Memory Allocation for G1 =================================== https://openjdk.java.net/jeps/345 Improve G1 performance on large machines by implementing NUMA-aware memory allocation. ZGC on macOS (Experimental) =========================== https://openjdk.java.net/jeps/364 Port the ZGC garbage collector to macOS. ZGC on Windows (Experimental) ============================= https://openjdk.java.net/jeps/365 Port the ZGC garbage collector to Windows. ZGC: A Scalable Low-Latency Garbage Collector (Production) ========================================================== https://openjdk.java.net/jeps/377 Change the Z Garbage Collector from an experimental feature into a product feature. ZGC: Concurrent Thread-Stack Processing ======================================= https://openjdk.java.net/jeps/376 Move ZGC thread-stack processing from safepoints to a concurrent phase. Elastic Metaspace ================= https://openjdk.java.net/jeps/387 Return unused HotSpot class-metadata (i.e., metaspace) memory to the operating system more promptly, reduce metaspace footprint, and simplify the metaspace code in order to reduce maintenance costs. Ports ===== Alpine Linux Port ================= https://openjdk.java.net/jeps/386 Port the JDK to Alpine Linux, and to other Linux distributions that use musl as their primary C library, on both the x64 and AArch64 architectures, Windows/AArch64 Port ==================== https://openjdk.java.net/jeps/388 Port the JDK to Windows/AArch64. New macOS Rendering Pipeline ============================ https://openjdk.java.net/jeps/382 Implement a Java 2D internal rendering pipeline for macOS using the Apple Metal API as alternative to the existing pipeline, which uses the deprecated Apple OpenGL API. macOS/AArch64 Port ================== https://openjdk.java.net/jeps/391 Port the JDK to macOS/AArch64. DEPRECATIONS ============ Deprecate the ParallelScavenge + SerialOld GC Combination ========================================================= https://openjdk.java.net/jeps/366 Deprecate the combination of the Parallel Scavenge and Serial Old garbage collection algorithms. Deprecate and Disable Biased Locking ==================================== https://openjdk.java.net/jeps/374 Disable biased locking by default, and deprecate all related command-line options. Warnings for Value-Based Classes ================================ https://openjdk.java.net/jeps/390 Designate the primitive wrapper classes as value-based and deprecate their constructors for removal, prompting new deprecation warnings. Provide warnings about improper attempts to synchronize on instances of any value-based classes in the Java Platform. Deprecate the Applet API for Removal ==================================== https://openjdk.java.net/jeps/398 Deprecate the Applet API for removal. It is essentially irrelevant since all web-browser vendors have either removed support for Java browser plug-ins or announced plans to do so. Deprecate the Security Manager for Removal ========================================== https://openjdk.java.net/jeps/411 Deprecate the Security Manager for removal in a future release. The Security Manager dates from Java 1.0. It has not been the primary means of securing client-side Java code for many years, and it has rarely been used to secure server-side code. To move Java forward, we intend to deprecate the Security Manager for removal in concert with the legacy Applet API (see above). . REMOVALS ======== Remove the Concurrent Mark Sweep (CMS) Garbage Collector ======================================================== https://openjdk.java.net/jeps/363 Remove the Concurrent Mark Sweep (CMS) garbage collector. Remove the Pack200 Tools and API ================================ https://openjdk.java.net/jeps/336 https://openjdk.java.net/jeps/367 Remove the `pack200` and `unpack200` tools, and the `Pack200` API in the `java.util.jar` package. These tools and API were deprecated for removal in OpenJDK 11 with the express intent to remove them in a future release. Remove the Nashorn JavaScript Engine ==================================== https://openjdk.java.net/jeps/372 Remove the Nashorn JavaScript script engine and APIs, and the `jjs` tool. The engine, the APIs, and the tool were deprecated for removal in OpenJDK 11 with the express intent to remove them in a future release. Remove the Solaris and SPARC Ports ================================== https://openjdk.java.net/jeps/362 https://openjdk.java.net/jeps/381 Remove the source code and build support for the Solaris/SPARC, Solaris/x64, and Linux/SPARC ports. These ports were deprecated for removal in OpenJDK 14 (JEP 362) and removed in OpenJDK 15 (JEP 381). Remove RMI Activation ===================== https://openjdk.java.net/jeps/385 https://openjdk.java.net/jeps/407 https://docs.oracle.com/en/java/javase/14/docs/specs/rmi/activation.html Remove the Remote Method Invocation (RMI) Activation mechanism, while preserving the rest of RMI. RMI Activation is an obsolete part of RMI that has been optional since OpenJDK 8 and was deprecated in OpenJDK 15. Remove the Experimental AOT and JIT Compiler ============================================ https://openjdk.java.net/jeps/410 Remove the experimental Java-based ahead-of-time (AOT) and just-in-time (JIT) compiler. This compiler has seen little use since its introduction and the effort required to maintain it is significant. Retain the experimental Java-level JVM compiler interface (JVMCI) so that developers can continue to use externally-built versions of the compiler for JIT compilation.