The full version string for this update release is 11.0.13+10 (where "+" means "build"). The version number is 11.0.13.
Complete release notes for Java 11 can be found here.
IANA Data 2020a
JDK 11.0.13 contains IANA time zone data 2021a. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.13 are specified in the following table:
JRE Family Version = JRE Security Baseline (Full Version String)
- 11 = 11.0.13+10
- 8 = 8u311-b11
- 7 = 7u321-b08
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update. To determine whether a release is the latest, use the Security Baseline page, which lists the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.13) be used after the next critical patch update scheduled for January 18, 2022.
What's New:
security-libs/org.ietf.jgss:krb5
➜ Support cross-realm MSSFU
The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments.
By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms.
security-libs/java.security
➜ Customizing PKCS12 keystore Generation
New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security file.
Also, support for the following SHA-2 based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256
Removed Features and Options
security-libs/java.security
➜ Removed Root Certificates with 1024-bit Keys
The following root certificates with weak 1024-bit RSA public keys have been removed from the cacerts keystore:
+ alias name "thawtepremiumserverca [jdk]" Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
+ alias name "verisignclass2g2ca [jdk]" Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+ alias name "verisignclass3ca [jdk]" Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
+ alias name "verisignclass3g2ca [jdk]" Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+ alias name "verisigntsaca [jdk]" Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
Previous release notes
security-libs/java.security
➜ -groupname Option Added to keytool Key Pair Generation
A new -groupname option has been added to keytool -genkeypair so that a user can specify a named group when generating a key pair. For example, keytool -genkeypair -keyalg EC -groupname secp384r1 will generate an EC key pair by using the secp384r1 curve. Because there might be multiple curves with the same size, using the -groupname option is preferred over the -keysize option.
security-libs/javax.net.ssl
➜ Support for certificate_authorities Extension
The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection.
With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 on both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.
Applications can enable this extension for server certificate selection by setting the jdk.tls.client.enableCAExtension system property to true. The default value of the property is false.
Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when jdk.tls.client.enableCAExtension is set to true and the client trusts more CAs than the server implementation limit.
core-libs/java.lang
➜ POSIX_SPAWN Option on Linux
As an additional way to launch processes on Linux, the jdk.lang.Process.launchMechanism property can be set to POSIX_SPAWN. This option has been available for a long time on other *nix platforms. The default launch mechanism (VFORK) on Linux is unchanged, so this additional option does not affect existing installations.
POSIX_SPAWN mitigates rare pathological cases when spawning child processes, but it has not yet been excessively tested. Prudence is advised when using POSIX_SPAWN in productive installations.
security-libs/javax.net.ssl
➜ Support for X25519 and X448 in TLS
The named elliptic curve groups x25519 and x448 are now available for JSSE key agreement in TLS versions 1.0 to 1.3, with x25519 being the most preferred of the default enabled named groups. The default ordered list is now:
x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
The default list can be overridden by using the system property jdk.tls.namedGroups.
security-libs/java.security
➜ jarsigner Preserves POSIX File Permission and symlink Attributes
When signing a file that contains POSIX file permission or symlink attributes, jarsigner now preserves these attributes in the newly signed file but warns that these attributes are unsigned and not protected by the signature. The same warning is printed during the jarsigner -verify operation for such files.
Note that the jar tool does not read/write these attributes. This change is more visible to tools like unzip where these attributes are preserved.
client-libs/2d
➜ Oracle JDK11u for Solaris Now Requires harfbuzz to be Installed
Oracle JDK-11.0.10 and later for Solaris 11 requires that the OS provide the package library/desktop/harfbuzz as part of the system installation. This package is provided for Solaris 11.3 and later.
$ pkg info harfbuzz
Name: library/desktop/harfbuzz
Summary: HarfBuzz is an OpenType text shaping engine
Description: HarfBuzz is a library for text shaping, which converts unicode text to glyph indices and positions. HarfBuzz is used directly by libraries such as Pango, and the layout engines in firefox.
Category: Desktop (GNOME)/Libraries
State: Installed
Publisher: solaris
This is a desktop library, but the font processing it does is part of some common backend server workloads. It should always be considered as required.
If this library is missing, then the pkg mechanism will require it during installation of the JDK. If installing the JDK by using a tar.gz bundle (for example) and the library/desktop/harfbuzz package is missing, a runtime link failure will occur when this package is required.
JDK-8251907 (not public)
core-libs/java.time
➜ JDK time-zone data upgraded to tzdata2020d
The JDK update incorporates tzdata2020d. The main change is
Palestine ends DST earlier than predicted, on 2020-10-24.
Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000062.html for more information.
core-libs/java.time
➜ JDK time-zone data upgraded to tzdata2020c
The JDK update incorporates tzdata2020c. The main change is
Fiji starts DST later than usual, on 2020-12-20.
Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000060.html for more information.
core-libs/java.time
➜ US/Pacific-New Zone Name Removed as Part of tzdata2020b
Following the JDK's update to tzdata2020b, the long-obsolete files named pacificnew and systemv have been removed. As a result, the "US/Pacific-New" Zone name declared in the pacificnew data file is no longer available for use.
Information regarding this update can be viewed at https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html.
Bug Fixes
- This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 11.0.10 Bug Fixes page.
security-libs/java.security
➜ Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default
- Weak named curves are disabled by default by adding them to the following disabledAlgorithms security properties: jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms, and jdk.jar.disabledAlgorithms. The named curves are listed below.
- With 47 weak named curves to be disabled, adding individual named curves to each disabledAlgorithms property would be overwhelming. To relieve this, a new security property, jdk.disabled.namedCurves, is implemented that can list the named curves common to all of the disabledAlgorithms properties. To use the new property in the disabledAlgorithms properties, precede the full property name with the keyword include. Users can still add individual named curves to disabledAlgorithms properties separate from this new property. No other properties can be included in the disabledAlgorithms properties.
- To restore the named curves, remove the include jdk.disabled.namedCurves either from specific or from all disabledAlgorithms security properties. To restore one or more curves, remove the specific named curve(s) from the jdk.disabled.namedCurves property.
- Curves that are disabled through jdk.disabled.namedCurves include the following: secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
- Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448. See JDK-8233228
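To confirm what a given runtime actually enforces, for example after someone has edited java.security to restore a curve, the effective properties can be read back and the include keyword resolved by hand. The following is an added example, not code from the release notes or from the JDK; the class name NamedCurveAudit and the default curve names passed to it are assumptions chosen for illustration.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

// Hypothetical audit helper (not part of the JDK): reports, per
// disabledAlgorithms property, whether it includes jdk.disabled.namedCurves
// and whether specific curves end up disabled.
public class NamedCurveAudit {
    static final String SHARED = "jdk.disabled.namedCurves";
    static final String INCLUDE = "include " + SHARED;
    static final String[] PROPS = {
        "jdk.tls.disabledAlgorithms",
        "jdk.certpath.disabledAlgorithms",
        "jdk.jar.disabledAlgorithms"
    };

    // Split a comma-separated property value into trimmed entries,
    // collapsing internal whitespace ("include   x" becomes "include x").
    static List<String> entries(String value) {
        List<String> out = new ArrayList<>();
        if (value == null) return out;
        for (String e : value.split(",")) {
            String t = e.trim().replaceAll("\\s+", " ");
            if (!t.isEmpty()) out.add(t);
        }
        return out;
    }

    static boolean containsIgnoreCase(List<String> list, String item) {
        return list.stream().anyMatch(e -> e.equalsIgnoreCase(item));
    }

    // A curve is disabled if the property names it directly, or if the
    // property includes the shared list and the shared list names it.
    static boolean disables(String propValue, String sharedValue, String curve) {
        List<String> own = entries(propValue);
        if (containsIgnoreCase(own, curve)) return true;
        return containsIgnoreCase(own, INCLUDE)
            && containsIgnoreCase(entries(sharedValue), curve);
    }

    public static void main(String[] args) {
        String shared = Security.getProperty(SHARED);
        String[] curves = args.length > 0 ? args
            : new String[] {"secp256k1", "brainpoolP256r1", "secp256r1"};
        for (String prop : PROPS) {
            String value = Security.getProperty(prop);
            System.out.printf("%s includes %s: %b%n", prop, SHARED,
                              containsIgnoreCase(entries(value), INCLUDE));
            for (String c : curves) {
                System.out.printf("  %-16s disabled=%b%n", c, disables(value, shared, c));
            }
        }
    }
}
```

On an unmodified configuration as described above, secp256k1 and brainpoolP256r1 should report disabled=true under all three properties and secp256r1 should report disabled=false; any other result points to a local override.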
security-libs/org.ietf.jgss:krb5
➜ Support for Kerberos Cross-Realm Referrals (RFC 6806)
- The Kerberos client has been enhanced with the support of principal name canonicalization and cross-realm referrals, as defined by the RFC 6806 protocol extension.
- As a result of this new feature, the Kerberos client can take advantage of more dynamic environment configurations and does not necessarily need to know (in advance) how to reach the realm of a target principal (user or service).
- Support is enabled by default and 5 is the maximum number of referral hops allowed. To turn it off, set the sun.security.krb5.disableReferrals security or system property to false. To configure a custom maximum number of referral hops, set the sun.security.krb5.maxReferrals security or system property to any positive value.