Eclipse Temurin 8u402, 11.0.22, 17.0.10 and 21.0.2 Available

Adoptium is happy to announce the immediate availability of Eclipse Temurin 8u402, 11.0.22, 17.0.10 and 21.0.2. As always, all binaries are thoroughly tested and available free of charge without usage restrictions on a wide range of platforms. Binaries, installers, and source code are available from the Temurin download page, official container images are available at DockerHub, and installable packages are available for various operating systems.

Security Vulnerabilities Resolved

The following table summarizes the security vulnerabilities fixed in this release cycle. The affected Temurin version streams are noted by an ‘X’ in the table. Each line shows the Common Vulnerabilities and Exposures (CVE) vulnerability database reference and the Common Vulnerability Scoring System (CVSS) v3.1 base score provided by the OpenJDK Vulnerability Group. Note that defense-in-depth issues are not assigned CVEs.

CVE Identifier | Component | CVSS Score | v8 v11 v17 v21
CVE-2024-20932 | security-libs/java.security | High (7.5) | X
CVE-2024-20918 | hotspot/compiler | High (7.4) | XXXX
CVE-2024-20952 | security-libs/java.security | High (7.4) | XXXX
CVE-2024-20926 | core-libs/javax.script | Medium (5.9) | XX
CVE-2024-20919 | hotspot/runtime | Reserved (5.9) | XXXX
CVE-2024-20921 | hotspot/runtime | Reserved (5.9) | XXXX
CVE-2024-20945 | security-libs/javax.xml.crypto | Reserved (4.7) | XXXX

Users should follow the Adoptium policy for reporting vulnerability concerns with this release.
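
As an added example (not part of the original announcement and not Adoptium tooling), the Python below compares Java version strings, as reported by `java -version` or used in release names, against the patch levels announced here. The function names and the sample strings other than jdk-11.0.22+7.1 and 21.0.2+13 are constructed for illustration; streams this page does not list are reported as not-covered.

```python
import re

# Patch levels announced on this page, keyed by feature release (stream).
FIXED = {8: (8, 0, 402), 11: (11, 0, 22), 17: (17, 0, 10), 21: (21, 0, 2)}

LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?")     # 1.8.0_392-b08
SHORT = re.compile(r"^(\d+)u(\d+)")                      # 8u392-b08
MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")   # 17.0.9+9, 21


def parse_version(text):
    """Return (feature, interim, update) for a Java version string."""
    text = text.strip().strip('"')
    text = re.sub(r"^jdk-?", "", text)   # accept release names such as jdk-11.0.22+7.1
    # Order matters: the legacy and short forms would otherwise be
    # misread by the modern pattern (1.8.0_392 as feature release 1).
    m = LEGACY.match(text)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = SHORT.match(text)
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    m = MODERN.match(text)
    if m:
        return tuple(int(g or 0) for g in m.groups())
    raise ValueError(f"unrecognised Java version string: {text!r}")


def check(text):
    """Classify one version string against this release's patch levels."""
    version = parse_version(text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "not-covered"             # stream not listed in this announcement
    return "patched" if version >= fixed else "outdated"


def audit(version_strings):
    """Map each reported version string to its classification."""
    return {v: check(v) for v in version_strings}


# Constructed inventory, e.g. collected from hosts or container images.
SAMPLE = ["1.8.0_392-b08", "jdk8u402-b06", "jdk-11.0.22+7.1",
          "17.0.9+9", "21.0.2+13", "20.0.2+9"]

if __name__ == "__main__":
    for version, state in audit(SAMPLE).items():
        print(f"{version:18} {state}")
```

The comparison uses only the version number, so a build from another vendor with the same number is classified the same way.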

Fixes and Updates

This release contains the following fixes and updates.

New and Noteworthy

No Temurin Arm 32-bit Linux binaries for JDK 21 and up

As per the Eclipse Adoptium PMC decision, the project will not produce Temurin binaries for Arm 32-bit Linux for JDK 21 and up. This decision is based on several criteria, including download statistics, level of support for the platform in the upstream OpenJDK project and interest from Adoptium Working Group members.

Availability of s390x Linux and ppc64 AIX in JDK 21.0.2+13

We are pleased to announce the availability of these 2 platforms for JDK 21.0.2+13. We were unable to release them during our October 2023 release period, so this is the first time that production-ready JDK 21 Temurin binaries have been published out of the project.

aarch64 macOS Respin

Eclipse Temurin 11.0.22 aarch64 macOS binaries are in a separate release named jdk-11.0.22+7.1 due to a respin that was required to fix a linking issue introduced in a compiler upgrade for that platform.

ppc64 AIX JDK11 and JDK17 Unavailable

Temurin 11 and 17 on AIX remain unavailable due to an issue with Harfbuzz. Fortunately, an update to the version of Harfbuzz is targeted for April 2024.

Refinements to SBOM Contents

As of this release, extra details relating to Windows and Mac compiler versions are being recorded in the Software Bill of Materials (SBOM) for those platforms (details can be found in temurin-build PR 3606).

Confirmation of Reproducible Builds for JDK 21 Temurin binaries

Now that we have created pipelines that verify the Temurin binaries we produce are reproducible, we have an effective way to confirm that this ‘feature’ does not regress. As indicated in the diagram below, for all primary platforms on JDK 21.0.2+13, we confirm those binaries are reproducible.

[Diagram: Reproducible jdk21u]

SLSA Level 3 for Majority of platforms

Since our previous release, we have been working diligently on closing the last issues required for us to declare SLSA Level 3 compliance for Linux and macOS Temurin binaries. This is a lauded accomplishment for the project, though our work is ongoing. Our 2024 plan sees us continue to focus on secure development best practices.



Posted by Adoptium PMC (collective of Adoptium Project Management Committee members)