• Skip to content
• Accessibility Policy

Java™ SE Development Kit 11.0.5 (JDK 11.0.5)

October 15, 2019

The full version string for this update release is 11.0.5+10 (where "+" means "build"). The version number is 11.0.5.

IANA Data 2019b

JDK 11.0.5 contains IANA time zone data version 2019b. For more information, refer toTimezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 11.0.5 are specified in the following table:

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, theSecurity Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance onCritical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.5) be used after the next critical patch update scheduled for January 14, 2020.

New Features

security-libs/java.security
➜New Java Flight Recorder (JFR) Security Events
Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.

• jdk.SecurityPropertyModification

  • RecordsSecurity.setProperty(String key, String value) method calls

• jdk.TLSHandshake

  • Records TLS handshake activity. The event fields include:
    • Peer hostname
    • Peer port
    • TLS protocol version negotiated
    • TLS cipher suite negotiated
    • Certificate id of peer client

• jdk.X509Validation

  • Records details of X.509 certificates negotiated in successful X.509 validation (chain of trust)

• jdk.X509Certificate

  • Records details of X.509 Certificates. The event fields include:
    • Certificate algorithm
    • Certificate serial number
    • Certificate subject
    • Certificate issuer
    • Key type
    • Key length
    • Certificate id
    • Validity of certificate

Other notes

docs
➜Using the JDK or JRE on macOS Catalina (10.15)
Changes introduced in macOS 10.15 (Catalina) have caused JCK test failures which will prevent Java from being supported on macOS 10.15. If you still want to install and test then please seehttps://www.oracle.com/java/technologies/javase/jdk-jre-macos-catalina.html.

security-libs/javax.net.ssl
➜Remove Obsolete NIST EC Curves from the Default TLS Algorithms
This change removes older non-NIST Suite B EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.

To re-enable these curves, use thejdk.tls.namedGroups system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:

java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192" ...

security-libs/javax.crypto
➜Use SunJCE Mac in SecretKeyFactory PBKDF2 Implementation
The SunJCE implementation of the PBKDF2 SecretKeyFactory will now exclusively use the SunJCE Mac service for the underlying pseudorandom function (PRF). This fixes an issue where 3rd party JCE providers in rare cases could cause the SunJCE PBKDF2 SecretKeyFactory's underlying pseudorandom function (PRF) to fail onMac.init().

install
➜Java Access Bridge Installation Workaround
There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without theWindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32bit Java products.

To prevent breaking Java Access Bridge functionality, use one of the following workarounds:

• Stop JAWS before running the Java installer.
• Uninstall the existing JRE(s) before installing the new version of Java.
• Uninstall the existing JRE(s) after the new version of Java is installed and the machine is rebooted.

The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.

security-libs/javax.xml.crypto
➜Updated XML Signature Implementation to Apache Santuario 2.1.3
The XML Signature implementation in thejava.xml.crypto module has been updated to version 2.1.3 of Apache Santuario. New features include:

• Added support for embedding elliptic curve public keys in the KeyValue element

security-libs/javax.crypto
➜System Property jdk.security.useLegacyECC is Turned Off by Default
The system propertyjdk.security.useLegacyECC, which was introduced in the update releases 7u231 and 8u221, is turned off by default.

This option allows control of which implementation of ECC is in use.

When the system property,jdk.security.useLegacyECC, is explicitly set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify-Djdk.security.useLegacyECCin the command line. Setting the option to true or the empty string is not recommended.

If the option is set to "false", or if it is not specified at all, the provider decides which implementation of ECC is used. This is the recommended setting, as the JDK will use modern and timing resistant implementations of the NIST secp256r1, secp384r1, and secp521r1 curves. For more information on which curves are recommended and which are legacy, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC.

core-libs/java.util
➜Changed Properties.loadFromXML to Comply with Specification
The implementation of thejava.util.Properties.loadFromXML method has been changed to comply with its specification. Specifically, the underlying XML parser implementation now rejects non-compliant XML documents by throwing anInvalidPropertiesFormatException as specified by theloadFromXML method.

The effect of the change is as follows:

• Documents created byProperties.storeToXML: No change.Properties.loadFromXML will have no problem reading such files.

• Documents not created byProperties.storeToXML: Any documents containing DTDs not in the format as specified inProperties.loadFromXML will be rejected. This means the DTD shall be exactly as follows (as generated by theProperties.storeToXML method):

    <!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">

core-libs/java.lang
➜Runtime.exec and ProcessBuilder Argument Restrictions
Runtime.exec andProcessBuilder have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager.

In applications where there is no security manager, there is no change in the default behavior and the new restrictions are opt-in. To enable the restrictions, set the system propertyjdk.lang.Process.allowAmbiguousCommands tofalse.

In applications where there is a security manager, the new restrictions are opt-out. To revert to the previous behavior set the system propertyjdk.lang.Process.allowAmbiguousCommands totrue.

Applications usingRuntime.exec orProcessBuilder with a security manager to invoke.bat or.cmd and command names that do not end in ".exe" may be more restrictive in the characters accepted for arguments if they contain double-quote, "&", "|", "<", ">", or "^". The arguments passed to applications may be quoted differently than in previous versions.

For.exe programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. In the case where the entire argument has been passed with quotes or must be quoted to encode special characters including space and tab, the encoding ensures they are passed to the application correctly. The restrictions are enforced if there is a security manager and thejdk.lang.Process.allowAmbiguousCommands property is "false" or there is no security manager and property is not "false".

client-libs/2d
➜Windows 2019 Core Server Is Not Supported
Windows Core Server 2019 does not ship adll required by JDK in order to run. Specifically, if a Java application, including a headless one, requiresawt.dll, the Java runtime will exit with an exception. There is no workaround. Until this is resolved, this Windows Server configuration is not supported.

Bug Fixes

This release also contains fixes for security vulnerabilities described in theOracle Critical Patch Update.

➜ Issues fixed in 11.0.5: