Adoptium is happy to announce the immediate availability of Eclipse Temurin 8u412-b08, 11.0.23+9, 17.0.11+9, 21.0.3+9 and 22.0.1+8. As always, all binaries are thoroughly tested and available free of charge without usage restrictions on a wide range of platforms. Binaries, installers, and source code are available from the Temurin download page, official container images are available at DockerHub, and installable packages are available for various operating systems.
This is by far our biggest release to date with 54 version/platform combinations with five major versions of OpenJDK currently being supported for the first time. By comparison, the January release had 41 combinations. Despite this, we still managed to complete the releases more quickly than in the previous cycles.
Security Vulnerabilities Resolved
The following table summarizes security vulnerabilities fixed in this release cycle. The affected Temurin version streams are noted by an 'X' in the table. Each line shows the Common Vulnerabilities and Exposures (CVE) vulnerability database reference and Common Vulnerability Scoring System (CVSS) v3.1 base score provided by the OpenJDK Vulnerability Group. Note that defense-in-depth issues are not assigned CVEs.
| CVE Identifier | Component | CVSS Score | v8 | v11 | v17 | v21 | v22 |
|---|---|---|---|---|---|---|---|
| CVE-2024-21094 | hotspot/compiler | Low (3.7) | X | X | X | X | |
| CVE-2024-21085 | core-libs/java.util | Low (3.7) | X | X | |||
| CVE-2024-21011 | hotspot/runtime | Low (3.7) | X | X | X | X | X |
| CVE-2024-21068 | hotspot/compiler | Low (3.7) | X | X | X | X | X |
| CVE-2024-21012 | core-libs/java.net | Low (3.7) | X | X | X | X |
Users should follow the Adoptium policy for reporting vulnerability concerns with this release.
Fixes and Updates
This release contains the following fixes and updates.
-
Temurin 8u412 release notes, including fixes in OpenJDK 8u412
-
Temurin 11.0.23 release notes, including fixes in OpenJDK 11.0.22
-
Temurin 17.0.11 release notes, including fixes in OpenJDK 17.0.10
-
Temurin 21.0.3 release notes, including fixes in OpenJDK 21.0.3
-
Temurin 22.0.1 release notes, including fixes in OpenJDK 22.0.1
New and Noteworthy
JDK21 and above are built using a Devkit
For the first time, Temurin builds of JDK 21 and 22 for Linux (currently excluding riscv64) are built using a devkit. For those not familiar with it, the devkit is a build environment with a fixed compiler, toolchain, and sysroot which contains enough to build OpenJDK. We publish the CentOS-based devkits for Linux on x64, aarch64, and ppc64le for users to download, which makes it even easier to verify our reproducible builds by rebuilding from source if you wish to do so, providing trusted validation of our binaries. This is a great step forward in Temurin's secure development story.
Availability of s390x Linux in jdk-22.0.1
For Linux/s390x there was an extra patch that we needed on top of 22.0.1+8 to pass our rigourous testing process. For this reason, the Linux/s390x version of Temurin is 22.0.3.1+1 instead of 22.0.3+8. The fix is JDK22u PR 137 from JBS bug JDK-8329545.
ppc64 AIX JDK11 and JDK17 now available
Great news for AIX users! After a bit of a gap (11.0.19+7 from April 2023, and 17.0.8.1 from August 2023) the current release includes versions for AIX. The issue with Harfbuzz has now been resolved.
Note that JDK22 is not yet available for AIX. This is awaiting a compiler update in our infrastructure so we can build on OpenXL 17 and is being tracked under Infrastructure issue 3208.
CA Certifcates updated
This release contains SSL CA certificates changes from March 13th which were updated under this PR.
Summary of changes:
Additions:
- Add D-Trust S/MIME Roots - TBD (CA Program Bug # 1781510)
- Add Deutsche Telekom Roots - TBD (CA Program Bug # 1820592)
Removals:
- Remove Expired SECOM Root - Bug #1865450
Refinements to SBOM Contents
We have added a new components section to the SBOM which lists more details on the specific versions of packages which were on the build machine at the time of building, in order to assist with enabling build reproducibility.
dnf/apt installer support for Fedora 40, Ubuntu 24.04 (Noble Numbat) and Debian 13 (Trixie)
We have added support for these three distributions to our apt/yum repositories so they can be installed as per our instructions without any adjustments.