Eclipse Temurin 8u412, 11.0.23, 17.0.11, 21.0.3 and 22.0.1 Available

Adoptium is happy to announce the immediate availability of Eclipse Temurin 8u412-b08, 11.0.23+9, 17.0.11+9, 21.0.3+9 and 22.0.1+8. As always, all binaries are thoroughly tested and available free of charge without usage restrictions on a wide range of platforms. Binaries, installers, and source code are available from the Temurin download page, official container images are available at DockerHub, and installable packages are available for various operating systems.

This is by far our biggest release to date with 54 version/platform combinations with five major versions of OpenJDK currently being supported for the first time. By comparison, the January release had 41 combinations. Despite this, we still managed to complete the releases more quickly than in the previous cycles.

Security Vulnerabilities Resolved

The following table summarizes security vulnerabilities fixed in this release cycle. The affected Temurin version streams are noted by an ‘X’ in the table. Each line shows the Common Vulnerabilities and Exposures (CVE) vulnerability database reference and Common Vulnerability Scoring System (CVSS) v3.1 base score provided by the OpenJDK Vulnerability Group. Note that defense-in-depth issues are not assigned CVEs.

CVE IdentifierComponentCVSS Scorev8v11v17v21v22
CVE-2024-21094hotspot/compilerLow (3.7)XXXX
CVE-2024-21085core-libs/java.utilLow (3.7)XX
CVE-2024-21011hotspot/runtimeLow (3.7)XXXXX
CVE-2024-21068hotspot/compilerLow (3.7)XXXXX
CVE-2024-21012core-libs/java.netLow (3.7)XXXX

Users should follow the Adoptium policy for reporting vulnerability concerns with this release.

Fixes and Updates

This release contains the following fixes and updates.

New and Noteworthy

JDK21 and above are built using a Devkit

For the first time, Temurin builds of JDK 21 and 22 for Linux (currently excluding riscv64) are built using a devkit. For those not familiar with it, the devkit is a build environment with a fixed compiler, toolchain, and sysroot which contains enough to build OpenJDK. We publish the CentOS-based devkits for Linux on x64, aarch64, and ppc64le for users to download, which makes it even easier to verify our reproducible builds by rebuilding from source if you wish to do so, providing trusted validation of our binaries. This is a great step forward in Temurin’s secure development story.

Availability of s390x Linux in jdk-22.0.1

For Linux/s390x there was an extra patch that we needed on top of 22.0.1+8 to pass our rigourous testing process. For this reason, the Linux/s390x version of Temurin is 22.0.3.1+1 instead of 22.0.3+8. The fix is JDK22u PR 137 from JBS bug JDK-8329545.

ppc64 AIX JDK11 and JDK17 now available

Great news for AIX users! After a bit of a gap (11.0.19+7 from April 2023, and 17.0.8.1 from August 2023) the current release includes versions for AIX. The issue with Harfbuzz has now been resolved.

Note that JDK22 is not yet available for AIX. This is awaiting a compiler update in our infrastructure so we can build on OpenXL 17 and is being tracked under Infrastructure issue 3208.

CA Certifcates updated

This release contains SSL CA certificates changes from March 13th which were updated under this PR.

Summary of changes:

Additions:

Removals:

Refinements to SBOM Contents

We have added a new components section to the SBOM which lists more details on the specific versions of packages which were on the build machine at the time of building, in order to assist with enabling build reproducibility.

dnf/apt installer support for Fedora 40, Ubuntu 24.04 (Noble Numbat) and Debian 13 (Trixie)

We have added support for these three distributions to our apt/yum repositories so they can be installed as per our instructions without any adjustments.

temurinannouncementrelease-notes

Do you have questions or want to discuss this post? Hit us up on the Adoptium Slack workspace!


Adoptium PMC

Posted by Adoptium PMCCollective of Adoptium Project Management Committee members