It's that time again: there are new JVM updates released today (Apr 18, 2023) for the current long-term support (LTS) releases of Oracle Java, 8, 11, and 17, as well as the current interim update 20.
TLDR: The new updates are 1.8.0_371 (aka 8u371), 11.0.19, 17.0.7, and 20.0.1 respectively). For more on each of them, including what changed and the security fixes they each contain (including their CVE scores regarding urgency of concerns), see the Oracle resources I list below. Oracle calls them "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so that "critical" nomenclature may sometimes be a bit overstated. And as is generally the case with these Java updates, most of them have the same changes and fixes across the versions as each other, though not always.
Note: If you use the JDK installer and may be coming to this update of Java 11 or 17 having skipped the last update, 11.0.18 or 17.0.6 respectively, please note there is an important change to the installer (for all OSs) which you should consider before proceeding. For more, see my discussion below.
For some folks, that's all they need to hear. For others, read on for topics like:
- Finding more info on these Apr 2023 Java updates
- What about other JVM distributions besides Oracle?
- News for my CF audience (getting the Java updates from Adobe or Oracle, how to update, why you should NOT for now use Java 17 with CF, etc)
- Should you apply the update? how soon?
- Beware a change in the January 2023 JVM update regarding the JDK installer
- Beware a change in the October 2022 JVM update regarding Java no longer trusting jars signed with SHA-1
- Beware a change in the April 2021 JVM update, if you may be skipping over it
- Wrapping up, getting more help
[....Continue Reading....]