OpenJDK 11.0.30 Released
Andrew Hughes
gnu.andrew at redhat.com
Thu Jan 22 18:43:54 UTC 2026
We are pleased to announce the release of OpenJDK 11.0.30.
The source tarball is available from:
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.30+7.tar.xz
The tarball is accompanied by a digital signature available at:
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.30+7.tar.xz.sig
This is signed by our Red Hat OpenJDK key (openjdk at redhat.com):
PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net)
Fingerprint = CA5F 11C6 CE22 644D 42C6 AC44 92EF 8D39 DC13 168F
SHA256 checksums:
a6feff944a28a342c567286a53b7ba80145f0d018c11a353291f02da5f48169a openjdk-11.0.30+7.tar.xz
e19c131baf0e9c7c9a2ceb65025d04def669ef4f776a3dd045d9036e8d23a377 openjdk-11.0.30+7.tar.xz.sig
SHA512 checksums:
90cd56e15150a5940904300e24e2dd11925fe3be5ef880f733d0d76e87cd977bdfe08ce543f9917706529b06fb6b0474f1a9e6b812c1ada9318d2531eeb75707 openjdk-11.0.30+7.tar.xz
5f7823d2958325c43ccd5ab746b1d8659b728e84d8015367ec0d470749cf084bd4895087bcabee20912d72a4b7ccb1395b6f88e3e245a882622f69d56a43326e openjdk-11.0.30+7.tar.xz.sig
The checksums can be downloaded from:
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.30+7.sha256
* https://openjdk-sources.osci.io/openjdk11/openjdk-11.0.30+7.sha512
New in release OpenJDK 11.0.30 (2026-01-20):
============================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk11030
* CVEs
- CVE-2026-21925
- CVE-2026-21932
- CVE-2026-21933
- CVE-2026-21945
* Changes
- JDK-4895924: Strings in format #rgb not handled by Color.decode() (affects CSS / Swing)
- JDK-8213781: web page background renders blue in JEditorPane
- JDK-8224087: Compile C code for at least C99 Standard compliance
- JDK-8245545: Disable TLS_RSA cipher suites
- JDK-8257709: C1: Double assignment in InstructionPrinter::print_stack
- JDK-8263622: The java.awt.color.ICC_Profile#setData invert the order of bytes for the "head" tag
- JDK-8264524: jdk/internal/platform/docker/TestDockerMemoryMetrics.java fails due to swapping not working
- JDK-8265429: Improve GCM encryption
- JDK-8271456: Avoid looking up standard charsets in "java.desktop" module
- JDK-8274893: Update java.desktop classes to use try-with-resources
- JDK-8295301: Problem list TrayIcon tests that fail on Ubuntu 22.04
- JDK-8299748: java/util/zip/Deinflate.java failing on s390x
- JDK-8313083: Print 'rss' and 'cache' as part of the container information
- JDK-8317970: Bump target macosx-x64 version to 11.00.00
- JDK-8336451: [11u] GHA macos-13 and macos-15 builders are unable to resolve local hostname
- JDK-8336854: CAInterop.java#actalisauthenticationrootca conflicted with /manual and /timeout
- JDK-8337506: Disable "best-fit" mapping on Windows command line
- JDK-8339280: jarsigner -verify performs cross-checking between CEN and LOC
- JDK-8341496: Improve JMX connections
- JDK-8341861: GHA: Use only retention mechanism to remove bundles
- JDK-8341964: Add mechanism to disable different parts of TLS cipher suite
- JDK-8347129: cpuset cgroups controller is required for no good reason
- JDK-8347381: Upgrade jQuery UI to version 1.14.1
- JDK-8347911: Limit the length of inflated text chunks
- JDK-8350813: Rendering of bulky sound bank from MIDI sequence can cause OutOfMemoryError
- JDK-8351933: Inaccurate masking of TC subfield decrement in ForkJoinPool
- JDK-8353299: VerifyJarEntryName.java test fails
- JDK-8354941: Build failure with glibc 2.42 due to uabs() name collision
- JDK-8355528: Update HarfBuzz to 11.2.0
- JDK-8357657: [11u][windows] cannot stat '/jdk.crypto.ec/*': No such file or directory
- JDK-8358004: Delete applications/scimark/Scimark.java test
- JDK-8359402: Test CloseDescriptors.java should throw SkippedException when there is no lsof/sctp
- JDK-8359501: Enhance Handling of URIs
- JDK-8362308: Enhance Bitmap operations
- JDK-8362632: Improve HttpServer Request handling
- JDK-8364214: Enhance polygon data support
- JDK-8364597: Replace THL A29 Limited with Tencent
- JDK-8364660: ClassVerifier::ends_in_athrow() should be removed
- JDK-8365058: Enhance CopyOnWriteArraySet
- JDK-8365271: Improve Swing supports
- JDK-8366125: [11u] Test compiler/loopopts/TestRangeCheckPredicatesControl.java fails OOM
- JDK-8366359: Test should throw SkippedException when there is no lpstat
- JDK-8366572: Bump update version of OpenJDK: 11.0.30
- JDK-8367782: VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName
- JDK-8368032: Enhance Certificate Checking
- JDK-8368192: Test java/lang/ProcessBuilder/Basic.java#id0 fails with Exception: Stack trace
- JDK-8368982: Test sun/security/tools/jarsigner/EC.java completed and timed out
- JDK-8369226: GHA: Switch to MacOS 15
- JDK-8372534: Update Libpng to 1.6.51
Notes on individual issues:
===========================
core-svc/javax.management:
JDK-8341496: Improve JMX connections
====================================
With this release of OpenJDK, SSL connections created by
`javax.rmi.ssl.SslRMIClientSocketFactory` now enable HTTPS-based
endpoint identification by default. This can be disabled by setting
the new system property
`jdk.rmi.ssl.client.enableEndpointIdentification` to false.
security-libs/java.security:
JDK-8368032: Enhance Certificate Checking
=========================================
OpenJDK supports the authorityInfoAccess extension in X.509
certificates when the `com.sun.security.enableAIAcaIssuers` system
property is set to `true`. With this release of OpenJDK, a security
and system property `com.sun.security.allowedAIALocations` is
introduced which acts as a filter on the URIs specified in the
extension. By default, the property is empty, which will cause all
URIs to be denied when the extension is enabled. A value of `any` may
be used to allow all URIs or a whitespace-separated list of filters
may be used for more fine-grained control. The syntax of the filters
is specified in the `java.security` file. A non-empty value for the
system property takes precedence over the security property.
security-libs/javax.net.ssl:
JDK-8341964: Add mechanism to disable different parts of TLS cipher suite
=========================================================================
The mechanisms in previous releases of OpenJDK for disabling TLS
algorithms were either too broad or too specific. Specifying an
algorithm (e.g. "RSA") would disable all suites using that algorithm.
The only alternative was to specify every suite. With this release,
the `jdk.tls.disabledAlgorithms` security property supports wildcards
for patterns that begin with "TLS_", so "TLS_RSA_*" can be used to
disable all suites that start with "TLS_RSA_".
JDK-8245545: Disable TLS_RSA cipher suites
==========================================
The TLS_RSA cipher suites do not preserve forward secrecy and are
rarely used in practice. With this release, they are disabled by
adding "TLS_RSA_*" to the `jdk.tls.disabledAlgorithms` security
property in the `java.security` configuration file. Attempts to use
these suites with this release will result in a
`SSLHandshakeException` being thrown. Note that RSA cipher suites
which use DES, 3DES, RC4 or NULL were already disabled prior to this
change.
Users can, *at their own risk*, remove this restriction by modifying
the `java.security` configuration file (or override it by using the
`java.security.properties` system property) so "TLS_RSA_*" is no
longer listed in the `jdk.tls.disabledAlgorithms` security property.
This change results in the following cipher suites being disabled:
* TLS_RSA_WITH_AES_256_GCM_SHA384
* TLS_RSA_WITH_AES_256_CBC_SHA256
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_128_GCM_SHA256
* TLS_RSA_WITH_AES_128_CBC_SHA256
* TLS_RSA_WITH_AES_128_CBC_SHA
tools/launcher:
JDK-8337506: Disable "best-fit" mapping on Windows command line
===============================================================
On Windows, the Java launcher in previous releases of OpenJDK used the
ANSI version of the GetCommandLine() Win32 API call to obtain
command-line arguments. If the arguments contained Unicode characters
that did not exist in the ANSI code page, they would be converted to
other characters using the Windows "best fit" mapping [0]. This
mapping could introduce unexpected characters and differed between
code pages. With this release, the JDK reads the command line
arguments as Unicode and then converts them to the ANSI codepage
itself, using the default replacement character for any that can not
be mapped. For cases where such Unicode characters need to be
retained as is, select UTF-8 in the Windows regional settings.
[0] https://www.unicode.org/Public/MAPPINGS/VENDORS/MICSFT/WindowsBestFit/readme.txt
hotspot/runtime:
JDK-8313083: Print 'rss' and 'cache' as part of the container information
=========================================================================
In this release, the information provided for containers is improved
by inclusion of the memory usage information for the Resident Set Size
(RSS) and the cache, in bytes. This is visible in the output of `jcmd
<PID> VM.info`, where `<PID>` is the running JVM, and in the `hs_err`
file generated on abrupt JVM termination.
Happy hacking,
--
Andrew :)
Pronouns: he / him or they / them
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
Please contact via e-mail, not proprietary chat networks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/jdk-updates-dev/attachments/20260122/3d6e3f71/signature-0001.asc>
More information about the jdk-updates-dev
mailing list