New updates released for Java 8, 11, 17, and 19 as of Jan 17 2023: resources and thoughts
Here's a heads-up that some will want to hear about: there are new JVM updates released today (Jan 17, 2023) for the current long-term support (LTS) releases of Oracle Java, 8, 11, and 17, as well as the current interim update 19. (Note that prior to Java 9, releases of Java were known technically as 1.x, so 8 is referred to in resources below as 1.8.)
TLDR: The new updates are 1.8.0_361 (aka 8u361), 11.0.18, 17.0.6, and 19.0.2 respectively). For more on each of them, including what changed and the security fixes they each contain (including their CVE scores regarding urgency of concerns), see the Oracle resources I list below. Oracle calls them "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so that "critical" nomenclature may be a bit overstated. And as is generally the case with these Java updates, most of them have the same changes and fixes as each other, though not always.
Update: After posting this, I learned of some rather surprising implications of a new feature of the new JDK installer, as 11.0.18 or 17.0.6 and later. For more, see another post I created.
For some folks, that's all they need to hear. For others, read on for topics like:
- Finding more info on these Jan 2023 Java updates
- What about other JVM distributions besides Oracle?
- News for my CF audience (getting the Java updates from Adobe or Oracle, how to update, why you should NOT for now use Java 17 with CF, etc)
- Should you apply the update? how soon?
- Beware a change in the Oct 22 JVM update regarding Java no longer trusting jars signed with SHA-1
- Beware a change in the April 2021 JVM update, if you may be skipping over it
- Wrapping up, getting more help
First, we should help readers seeing this to know that that applies only to the Windows and Mac installers, as it's about how those installers work. Those who just extract a zip or tar, etc won't face the issue.
Second, there's even a bit more to it than may meet the eye. After I saw that info and experienced that "bit more", I started planning out another post (just like I did soon after the last Oct '22 JVM update, where I pointed out in a subsequent post how there was a surprising implication to one of its changes.)
I just had not had a break yet this week to put that post together, but I will. And when I do, I would update this post to also highlight the point and point to the new post.
But in the meantime, thanks for taking the time to share the news for folks.
I also updated this post to point to that, near the top here, to help ensure folks are more aware of it.