Java News Roundup: JDK 19 in RDP2, Oracle Critical Patch Update, TornadoVM on M1, Grails CVE
MMS • Michael Redlich
Article originally posted on InfoQ.
This week’s Java roundup for July 18th, 2022, features news from Oracle, JDK 18, JDK 19, JDK 20, Spring Boot and Spring Security milestone and point releases, Spring for GraphQL 1.0.1, Liberica JDK updates, Quarkus 2.10.3, CVE in Grails, JobRunr 5.1.6, JReleaser maintenance, Apache Tomcat 9.0.65 and 10.1.0-M17, TornadoVM on Apple M1 and the JBCNConf conference.
Oracle
As part of Oracle’s Critical Patch Update for July 2022, Oracle has released versions 18.0.1.1, 17.0.3.1, 11.0.15.1, 8u333 and 7u343 of Oracle Java SE. More details may be found in the release notes for JDK 18, JDK 17, JDK 11, JDK 8 and JDK 7.
JDK 18
Concurrent with Oracle’s Critical Patch Update, JDK 18.0.2 has been released with minor updates and removal of the alternate ThreadLocal class implementation of the current() and callAs() methods within the Subject class. However, support for the default implementation has been maintained. Further details on this release may be found in the release notes.
JDK 19
As per the JDK 19 release schedule, Mark Reinhold, chief architect, Java Platform Group at Oracle, formally declared that JDK 19 has entered Rampdown Phase Two to signal continued stabilization for the GA release in September. Critical bugs, such as regressions or serious functionality issues, may be addressed, but must be approved via the Fix-Request process.
The final set of seven (7) features for JDK 19 release will include:
Build 32 of the JDK 19 early-access builds was made available this past week, featuring updates from Build 31 that include fixes to various issues. More details may be found in the release notes.
JDK 20
Build 7 of the JDK 20 early-access builds was also made available this past week, featuring updates from Build 6 that include fixes to various issues. Release notes are not yet available.
For JDK 19 and JDK 20, developers are encouraged to report bugs via the Java Bug Database.
Spring Framework
Spring Boot 2.7.2 has been released featuring bug fixes, improvements in documentation and dependency upgrades such as: Spring Framework 5.3.22, Spring Data 2021.2.2, Spring GraphQL 1.0.1, Tomcat 9.0.65, Micrometer 1.9.2, Reactor 2020.0.21 and MariaDB 3.0.6. Further details on this release may be found in the release notes.
Spring Boot 2.6.10 has been released featuring bug fixes, improvements in documentation and dependency upgrades such as: Spring Framework 5.3.22, Spring Data 2021.1.6, Jetty Reactive HTTPClient 1.1.12, Hibernate 5.6.10.Final, Micrometer 1.8.8, Netty 4.1.79.Final and Reactor 2020.0.21. More details on this release may be found in the release notes.
On the road to Spring Boot 3.0, the fourth milestone release has been made available to provide support for: the new Java Client in Elasticsearch; Flyway 9; and Hibernate 6.1. Further details on this release may be found in the release notes.
Spring Security 5.8.0-M1 and 6.0.0-M6 have been released featuring: a new setDeferredContext() method in the SecurityContextHolder class to support lazy access to a SecurityContext lookup; support for the SecurityContextHolderStrategy interface to eliminate race conditions when there are multiple application contexts; support for the AuthorizationManager interface to delay the lookup of the Authentication (such as Supplier<Authentication>) vs. a direct Authentication lookup; and an alternative to MD5 hashing in the Remember-Me token. There were numerous breaking changes in version 6.0.0-M6. More details on these releases may be found in the release notes for version 5.8.0-M1 and version 6.0.0-M6.
Spring for GraphQL 1.0.1 has been released featuring: improved handling when a source/parent is expected and is null; support for resolving exceptions from a GraphQL subscription; and a new default limit on the DEFAULT_AUTO_GROW_COLLECTION_LIMIT field within the DataBinder class. This version also ships with Spring Boot 2.7.2 and a dependency upgrade to GraphQL Java 18.2. Further details on this release may be found in the release notes.
Liberica JDK
Also concurrent with Oracle’s Critical Patch Update for July 2022, BellSoft has released patches for versions 17.0.3.1.1, 11.0.15.1.1 and 8u341 of Liberica JDK, their downstream distribution of OpenJDK. In addition, PSU versions 18.0.2, 17.0.4, 11.0.16, and 8u342 containing non-critical fixes have also been released.
Quarkus
Quarkus 2.10.3.Final has been released to address CVE-2022-2466, a vulnerability discovered in the SmallRye GraphQL server extension in which server requests were not properly terminated. This vulnerability only affects the 2.10.x release train. Developers are encouraged to upgrade to this latest release. More details on this release may be found in the release notes.
Grails Framework
The Micronaut Foundation has identified a remote code execution vulnerability in the Grails Framework that has been documented as CVE-2022-35912. This allows an attacker to “remotely execute malicious code within a Grails application runtime by issuing a specially crafted web request that grants the attacker access to the class loader.”
This attack exploits a portion of data binding capability within Grails. Versions 5.2.1, 5.1.9, 4.1.1 and 3.3.15 have been patched to protect against this vulnerability.
JobRunr
Ronald Dehuysser, founder and primary developer of JobRunr, a utility to perform background processing in Java, has released version 5.1.6 with support for Micrometer Metrics that now exposes recurring jobs and the number of background job servers.
JReleaser
An early-access release of JReleaser, a Java utility that streamlines creating project releases, has been made available featuring a fix to an issue in Gradle where a property wasn’t properly checked before accessing it.
Apache Tomcat
The Apache Software Foundation has provided milestone and point releases for Apache Tomcat.
Tomcat 9.0.65 features: a fix for CVE-2022-34305, a low severity XSS vulnerability in the Form authentication example; support for repeatable builds; and an update of the packaged version of the Tomcat Native Library to 1.2.35 that includes Windows binaries built with OpenSSL 1.1.1q. Further details on this release may be found in the changelog.
Apache Tomcat 10.1.0-M17 (beta) features: an update of the packaged version of the Tomcat Native Library to 2.0.1 that includes Windows binaries built with OpenSSL 3.0.5; support for repeatable builds; and an update of the experimental Panama modules with support for OpenSSL 3.0+. Apache Tomcat 10.1.0-M17 is an alpha milestone release to provide developers with early access to the new features in the Apache Tomcat 10.1 release train. More details on this release may be found in the changelog.
TornadoVM
TornadoVM, an open-source software technology company, has announced that developers may still install TornadoVM on the Apple M1 architecture despite Apple having deprecated OpenCL.
JBCNConf
JBCNConf 2022 was held at the International Barcelona Convention Center in Barcelona, Spain this past week featuring many speakers from the Java community who presented talks and workshops.