The full version string for this update release is 11.0.20+8. The version number is 11.
Liberica JDK 11.0.20+8
Liberica is a certified, Java SE 11-compliant distribution of OpenJDK 11 which works on server (Linux x86_64, Linux ARM64, Windows 64), desktop (Windows 64, Windows 32, Mac, Linux x86_64), and embedded devices (Linux ARM64, Linux ARMv7, including Raspberry Pi 2 & 3 (ARMv6 hardfloat)). It has the following notable additions:
- Linux x86_64 version contains experimental support for ZGC.
- Linux x86_64, ARMv8 and ARMv7 distributions include a choice of Client VM, Server VM and Minimal VM.
- Alpine Linux x86_64 version is build with musl support.
- Windows x86_64, Windows x86, Windows ARMv8, Mac, Linux x86_64, Linux x86 and Linux ARMv7 distributions contain OpenJFX 11.
- Linux ARMv7 distribution contains Device IO API compiled for Raspberry Pi.
Please refer to the Oracle JDK 11.0.20 release notes for further information on JDK 11 features. This document further outlines the peculiarities of Liberica distribution as compared to Oracle JDK 11 distribution.
Supported Server and Desktop configurations
Liberica is supported on the following OSes:
- Ubuntu Linux 16.04, 18.04, 20.04 (x86, x86_64, ARMv7, ARMv8)
- Debian Linux 8, 9, 10 (x86, x86_64, ARMv7, ARMv8)
- Red Hat, Oracle Linux and CentOS 8x, 6.x, 7.x (x86, x86_64, ARMv7, ARMv8)
- Alpine Linux 3.7+ (x86_64, ARMv8)
- SUSE Linux Enterprise 12, 15 and tumbleweed (x86_64, ARMv8)
- Apple macOS 10.11+ (x86_64, ARMv8)
- Microsoft Windows 2019, Windows 2016, Windows 2012 R2, Windows 10, Windows 8, Windows 7 (x86, x86_64, ARMv8)
It is also known to work on other Linux distributions and Windows versions.
Note: The minimum supported Linux kernel version is 2.6.18 and GLIBC version 2.6. LibericaFX works on all supported Ubuntu versions, Red Hat Linux family starting from 7.x and SUSE versions with GTK3 backend.
Supported Embedded configurations
Liberica is tested and certified on Raspberry Pi 2, 3 and 4 running the following OSes:
- Raspbian OS (armhf)
- OpenSUSE (armv8)
It is also known to work with Debian (armhf) and Ubuntu (armhf).
Liberica JDK 11 distribution
Liberica JDK 11 are distributed as .rpm, .zip, .deb and .tar.gz packages. Please select the one which is most appropriate for your purposes.
Liberica JDK 11 introduced all new features supported by OpenJDK 11.
With the introduction of the Jigsaw feature in JDK 9 and Minimal VM it is now possible to create a Runtime that is sufficient to run your application and trim down the size of the Runtime. To generate a Runtime with just the Minimal VM, add --vm=minimal to jlink options.
Liberica JDK continues to provide support for AOT and Graal JIT. Since in OpenJDK 11 builds these features are deemed experimental and deprecated, it is recommended to compile native executables with Liberica Native Image Kit to avoid errors.
By default, the Liberica uses Server VM. Server VM and Client VM can be enabled with -server and -client command line options, respectively. In case the deployment requires to minimize the footprint, it may be beneficial to use Minimal VM, which emphasises on a minimal footprint. It has C1 JIT compiler only, Serial GC and no serviceability features.
LibericaFX for the Raspberry Pi
Liberica JDK 11 come with a bundled LibericaFX implementation, which is based on OpenJFX. The following tables lists Java FX modules status of Liberica distribution
- Java FX Graphics - works.
- Java FX Controls - works.
- Java FX Media - does not work.
- Java FX Webkit - does not work.
The following pipelines are known to work: EGL, SW (direct framebuffer) and GTK. By default, Liberica tries to use the accelerated EGL pipeline, which requires the presence of EGL libraries. If they are not found, the implementation falls back to software rendering.
Use the following command line options to specify the rendering pipeline:
- -Dprism.order=sw forces the use of software rendering pipeline. *
- -Dprism.order=es2 forces the use of EGL pipeline and hardware acceleration. *
- -Djavafx.platform=gtk if you would like to launch a LibericaFX application using Liberica from X11.
* Not supported on Raspberry Pi 4.
Please refer to the following wiki for more information.
Device IO API for the Raspberry Pi
Liberica JDK 11 comes with a bundled OpenJDK Device I/O (DIO) API implementation module. DIO provides a Java API for accessing Raspberry PI GPIO pins and for communicating with peripheral devices:
- General Purpose Input/Output (GPIO).
- Inter-Integrated Circuit Bus (I2C), Serial Peripheral Interface (SPI).
- Universal Asynchronous Receiver/Transmitter (UART).
Please refer to the following wiki for more information.
Security Baselines
BellSoft Liberica follows the security baselines for Oracle Java SE. Please refer to the Oracle documentation for a list of issues fixed in a given release.
Known Issues
LibericaFX and EGL on Raspbian
As of 2017, the default location of Broadcom libEGL.so and libGLESv2.so has changed in Raspbian OS. If you'd like to leverage hardware EGL acceleration available from Broadcom video drivers in LibericaFX while running a recent Raspbian OS, run the following command:
cd /opt/vc/lib
sudo ln -s libbrcmEGL.so libEGL.so
sudo ln -s libbrcmGLESv2.so libGLESv2.soCVEs
This is the list of the security issues fixed in this release. CVSS scores are provided using the CVSS version 3.1 scoring system.
| CVE ID | Score | Component | Module | Attack vector | Complexity | Privileges | User interaction | Scope | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-22043 | 5.9 | javafx | graphics | network | high | none | none | unchanged | none | high | none |
| CVE-2023-22041 | 5.1 | hotspot | compiler | local | high | none | none | unchanged | high | none | none |
| CVE-2023-25193 | 3.7 | client-libs | 2d | network | high | none | none | unchanged | none | none | low |
| CVE-2023-22045 | 3.7 | hotspot | compiler | network | high | none | none | unchanged | low | none | none |
| CVE-2023-22049 | 3.7 | core-libs | java.io | network | high | none | none | unchanged | none | low | none |
| CVE-2023-22036 | 3.7 | core-libs | java.util | network | high | none | none | unchanged | none | none | low |
| CVE-2023-22006 | 3.1 | core-libs | java.net | network | high | none | required | unchanged | none | low | none |
Issues fixed
| Issue | Description |
|---|---|
| JDK-8308682 | Enhance AES performance |
| JDK-8305312 | Enhanced path handling |
| JDK-8304468 | Better array usages |
| JDK-8303376 | Better launching of JDI |
| JDK-8302483 | Enhance ZIP performance |
| JDK-8302475 | Enhance HTTP client file downloading |
| JDK-8300596 | Enhance Jar Signature validation |
| JDK-8300285 | Enhance TLS data handling |
| JDK-8298676 | Enhanced Look and Feel |
| JDK-8311465 | [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.20 |
| JDK-8303465 | KeyStore of type KeychainStore, provider Apple does not show all trusted certificates |
| JDK-8309476 | [11u] tools/jmod/hashes/HashesOrderTest.java fails intermittently |
| JDK-8304291 | [AIX] Broken build after JDK-8301998 |
| JDK-8308884 | [17u/11u] Backout JDK-8297951 |
| JDK-8287876 | The recently de-problemlisted TestTitledBorderLeak test is unstable |
| JDK-8269746 | C2: assert(!in->is_CFG()) failed: CFG Node with no controlling input? |
| JDK-8246383 | NullPointerException in JceSecurity.getVerificationResult when using Entrust provider |
| JDK-8300079 | SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument |
| JDK-8299259 | C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE |
| JDK-8307134 | Add GTS root CAs |
| JDK-8287007 | [cgroups] Consistently use stringStream throughout parsing code |
| JDK-8301119 | Support for GB18030-2022 |
| JDK-8275233 | Incorrect line number reported in exception stack trace thrown from a lambda expression |
| JDK-8278434 | timeouts in test java/time/test/java/time/format/TestZoneTextPrinterParser.java |
| JDK-8287246 | DSAKeyValue should check for missing params instead of relying on KeyFactory provider |
| JDK-8275735 | [linux] Remove deprecated Metrics api (kernel memory limit) |
| JDK-8304760 | Add 2 Microsoft TLS roots |
| JDK-8295974 | jni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames |
| JDK-8304350 | Font.getStringBounds calculates wrong width for TextAttribute.TRACKING other than 0.0 |
| JDK-8305975 | Add TWCA Global Root CA |
| JDK-8243936 | NonWriteable system properties are actually writeable |
| JDK-8282201 | Consider removal of expiry check in VerifyCACerts.java test |
| JDK-8308006 | Missing NMT memory tagging in CMS |
| JDK-8303822 | gtestMain should give more helpful output |
| JDK-8307811 | [TEST] compilation of TimeoutInErrorHandlingTest fails after backport of JDK-8303861 |
| JDK-8214807 | Improve handling of very old class files |
| JDK-8285497 | Add system property for Java SE specification maintenance version |
| JDK-8282467 | add extra diagnostics for JDK-8268184 |
| JDK-8303576 | addIdentitiesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return |
| JDK-8303354 | addCertificatesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return |
| JDK-8305682 | Update the javadoc in the Character class to state support for GB 18030-2022 Implementation Level 2 |
| JDK-8301401 | Allow additional characters for GB18030-2022 support |
| JDK-8301998 | Update HarfBuzz to 7.0.1 |
| JDK-8304295 | harfbuzz build fails with GCC 7 after JDK-8301998 |
| JDK-8296934 | Write a test to verify whether Undecorated Frame can be iconified or not |
| JDK-8292206 | TestCgroupMetrics.java fails as getMemoryUsage() is lower than expected |
| JDK-8282077 | PKCS11 provider C_sign() impl should handle CKR_BUFFER_TOO_SMALL error |
| JDK-8209880 | tzdb.dat is not reproducibly built |
| JDK-8248701 | On Windows generated modules-deps.gmk can contain backslash-r (CR) characters |
| JDK-8257856 | Make ClassFileVersionsTest.java robust to JDK version updates |
| JDK-8276880 | Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary |
| JDK-8303476 | Add the runtime version in the release file of a JDK image |
| JDK-8303861 | Error handling step timeouts should never be blocked by OnError and others |
| JDK-8305400 | ISO 4217 Amendment 175 Update |
| JDK-8297450 | ScaledTextFieldBorderTest.java fails when run with -show parameter |
| JDK-8287897 | Augment src/jdk.internal.le/share/legal/jline.md with information on 4th party dependencies |
| JDK-8286398 | Address possibly lossy conversions in jdk.internal.le |
| JDK-8298887 | On the latest macOS+XCode the Robot API may report wrong colors |
| JDK-8303564 | C2: "Bad graph detected in build_loop_late" after a CMove is wrongly split thru phi |
| JDK-8283059 | Uninitialized warning in check_code.c with GCC 11.2 |
| JDK-8289735 | UTIL_LOOKUP_PROGS fails on pathes with space |
| JDK-8306976 | UTIL_REQUIRE_SPECIAL warning on grep |
| JDK-8268558 | [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped |
| JDK-8306768 | CodeCache Analytics reports wrong threshold |
| JDK-8306664 | GHA: Update MSVC version to latest stepping |
| JDK-8306658 | GHA: MSVC installation could be optional since it might already be pre-installed |
| JDK-8213531 | Test javax/swing/border/TestTitledBorderLeak.java fails |
| JDK-8215015 | [TESTBUG] remove unneeded -Xfuture option from tests |
| JDK-8214459 | NSS source should be removed |
| JDK-8171426 | java/lang/ProcessBuilder/Basic.java failed with Stream closed |
| JDK-8187522 | test/sun/net/ftp/FtpURLConnectionLeak.java timed out |
| JDK-8209546 | Make sun/security/tools/keytool/autotest.sh to support macosx |
| JDK-8209167 | Use CLDR's time zone mappings for Windows |
| JDK-8306543 | GHA: MSVC installation is failing |
| JDK-8304134 | jib bootstrapper fails to quote filename when checking download filetype |
| JDK-8303482 | Update LCMS to 2.15 |
| JDK-8302151 | BMPImageReader throws an exception reading BMP images |
| JDK-8178806 | Better exception logging in crypto code |
| JDK-8277775 | Fixup bugids in RemoveDropTargetCrashTest.java - add 4357905 |
| JDK-8305113 | (tz) Update Timezone Data to 2023c |
| JDK-8297000 | [jib] Add more friendly warning for proxy issues |
| JDK-8294906 | Memory leak in PKCS11 NSS TLS server |
| JDK-8300490 | Spaces in name of MacOS Code Signing Identity are not correctly handled after JDK-8293550 |
| JDK-8305711 | Arm: C2 always enters slowpath for monitorexit |
| JDK-8305721 | add `make compile-commands` artifacts to .gitignore |
| JDK-8274864 | Remove Amman/Cairo hacks in ZoneInfoFile |
| JDK-8305528 | [11u] Backport of JDK-8259530 breaks build with JDK10 bootstrap VM |
| JDK-8259530 | Generated docs contain MIT/GPL-licenced works without reproducing the licence |
| JDK-8291638 | Keep-Alive timeout of 0 should close connection immediately |
| JDK-8275721 | Name of UTC timezone in a locale changes depending on previous code |
| JDK-8291226 | Create Test Cases to cover scenarios for JDK-8278067 |
| JDK-8291637 | HttpClient default keep alive timeout not followed if server sends invalid value |
| JDK-8303102 | jcmd: ManagementAgent.status truncates the text longer than O_BUFLEN |
| JDK-8227257 | javax/swing/JFileChooser/4847375/bug4847375.java fails with AssertionError |
| JDK-8301170 | perfMemory_windows.cpp add free_security_attr to early returns |
| JDK-8215575 | C2 crash: assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded |
| JDK-8300205 | Swing test bug8078268 make latch timeout configurable |
| JDK-8302791 | Add specific ClassLoader object to Proxy IllegalArgumentException message |
| JDK-8232853 | AuthenticationFilter.Cache::remove may throw ConcurrentModificationException |
| JDK-8265486 | ProblemList javax/sound/midi/Sequencer/Recording.java on macosx-aarch64 |
| JDK-8294548 | Problem list SA core file tests on macosx-x64 due to JDK-8294316 |
| JDK-8263420 | Incorrect function name in NSAccessibilityStaticText native peer implementation |
| JDK-8264304 | Create implementation for NSAccessibilityToolbar protocol peer |
| JDK-8264290 | Create implementation for NSAccessibilityComponentGroup protocol peer |
| JDK-8220093 | Change to GCC 8.2 for building on Linux at Oracle |
| JDK-8303937 | Corrupted heap dumps due to missing retries for os::write() |
| JDK-8303440 | The "ZonedDateTime.parse" may not accept the "UTC+XX" zone id |
| JDK-8293232 | Fix race condition in pkcs11 SessionManager |
| JDK-8282600 | SSLSocketImpl should not use user_canceled workaround when not necessary |
| JDK-8280703 | CipherCore.doFinal(...) causes potentially massive byte[] allocations during decryption |
| JDK-8289301 | P11Cipher should not throw out of bounds exception during padding |
| JDK-8293815 | P11PSSSignature.engineUpdate should not print debug messages during normal operation |
| JDK-8303432 | Bump update version for OpenJDK: jdk-11.0.20 |
| JDK-8301009 | Update libxml2 to 2.10.3 |
| JDK-8304751 | Improve pipeline layout |
| JDK-8306115 | Update libxml2 to 2.10.4 |
| JDK-8307641 | Change JavaFX release version to 11.0.20 in jfx11u |