JDK 11.0.28 Release Notes
Java SE 11.0.28 Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 11.0.28 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
Fixes from the prior BPR are included in this version.
Java™ SE Development Kit 11.0.28 (JDK 11.0.28)
Release date: July 15, 2025
The full version string for this update release is 11.0.28+12 (where "+" means "build"). The version number is 11.0.28. This JDK conforms to version 11.3 of the Java SE Specification (JSR 384 MR 3 2024-07-02).
IANA TZ Data 2025b
JDK 11.0.28 contains IANA time zone data 2025b which contains the following changes:
- New zone for Aysén Region in Chile which moves from -04/-03 to -03.
For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime at the time of the release of JDK 11.0.28 are specified in the following table:
| Java Family Version | Security Baseline (Full Version String) |
|---|---|
| 11 | 11.0.28+12 |
| 8 | 1.8.0_461-b11 |
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 11.0.28) be used after the next critical patch update scheduled for October 21, 2025.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
Removed Features and Options
The following expired root certificate has been removed from the cacerts keystore:
+ alias name "baltimorecybertrustca [jdk]"
Distinguished Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
The following root certificates, which are terminated and no longer in use, have been removed from the cacerts keystore:
+ alias name "camerfirmachamberscommerceca [jdk]"
Distinguished Name: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
+ alias name "camerfirmachambersignca [jdk]"
Distinguished Name: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
Other Notes
The following root certificates have been added to the cacerts truststore:
+ Sectigo Limited
+ sectigocodesignroote46
DN: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB
+ Sectigo Limited
+ sectigocodesignrootr46
DN: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB
+ Sectigo Limited
+ sectigotlsroote46
DN: CN=Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB
+ Sectigo Limited
+ sectigotlsrootr46
DN: CN=Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB
The oracle.com JDK RPM packages meant to be downloaded directly to the target system, now are signed with the OL9 signing key instead of the OL8 signing key. The RPM packages hosted on YUM repositories remain signed with the appropriate key for the target repository.
In this release, the JDK implementation of the LDAP provider no longer supports deserialization of Java objects by default:
- The default value of the
com.sun.jndi.ldap.object.trustSerialDatasystem property has been updated tofalse.
The transparent deserialization of Java objects from an LDAP context will now require an explicit opt-in. Applications that rely on reconstruction of Java objects or RMI stubs from the LDAP attributes would need to set the com.sun.jndi.ldap.object.trustSerialData system property to true.
In prior releases, JNI_GetCreatedJavaVMs:
jint JNI_GetCreatedJavaVMs(JavaVM **vmBuf, jsize bufLen, jsize *nVMs);
could return a JavaVM, via the vmBuf array, that was still in the process of being initialized and may not be ready for use. This has now changed so that it will only return fully initialized VMs. It is important that the programmer checks that the returned number of VMs, in nVMs, is greater than zero, before trying to use any vmBuf entries.
If an entry is removed from a signed JAR file, there is no mechanism to detect that it has been removed using the JarFile API, since the getJarEntry method returns null as if the entry had never existed. With this change, the jarsigner -verify command analyzes the signature files and if some sections do not have matching file entries, it prints out the following warning: "This JAR contains signed entries for files that do not exist". Users can further find out the names of these entries by adding the -verbose option to the command.
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 11.0.28:
| # | JBS | Component | Summary |
|---|---|---|---|
| 1 | JDK-8348597 | client-libs/2d | Update HarfBuzz to 10.4.0 |
| 2 | JDK-8348596 | client-libs/2d | Update FreeType to 2.13.3 |
| 3 | JDK-8348600 | client-libs/java.awt | Update PipeWire to 1.3.81 |
| 4 | JDK-8348598 | client-libs/java.awt | Update Libpng to 1.6.47 |
| 5 | JDK-8286447 | client-libs/java.awt | [Linux] AWT should start in Headless mode if headful AWT library not installed |
| 6 | JDK-8286204 | client-libs/javax.accessibility | [Accessibility,macOS,VoiceOver] VoiceOver reads the spinner value 10 as 1 when user iterates to 10 for the first time on macOS |
| 7 | JDK-8345728 | client-libs/javax.accessibility | [Accessibility,macOS,Screen Magnifier]: JCheckbox unchecked state does not magnify but works for checked state |
| 8 | JDK-8348936 | client-libs/javax.accessibility | [Accessibility,macOS,VoiceOver] VoiceOver doesn't announce untick on toggling the checkbox with "space" key on macOS |
| 9 | JDK-6928542 | client-libs/javax.swing | Chinese characters in RTF are not decoded |
| 10 | JDK-8224267 | client-libs/javax.swing | JOptionPane message string with 5000+ newlines produces StackOverflowError |
| 11 | JDK-8208364 | core-libs/java.lang:reflect | java/lang/reflect/callerCache/ReflectionCallerCacheTest.java missing module dependencies declaration |
| 12 | JDK-8318915 | core-libs/java.math | Enhance checks in BigDecimal.toPlainString() |
| 13 | JDK-8344589 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2024-11-19 |
| 14 | JDK-8356096 | core-libs/java.util:i18n | ISO 4217 Amendment 179 Update |
| 15 | JDK-8299858 | core-svc/java.lang.management | [Metrics] Swap memory limit reported incorrectly when too large |
| 16 | JDK-8297173 | core-svc/java.lang.management | usageTicks and totalTicks should be volatile to ensure that different threads get the latest ticks |
| 17 | JDK-8339148 | hotspot/runtime | Make os::Linux::active_processor_count() public |
| 18 | JDK-8300645 | hotspot/runtime | Handle julong values in logging of GET_CONTAINER_INFO macros |