This week's Java roundup for October 14th, 2024 features news highlighting: the release of WildFly 34; JEP 485, Stream Gatherers, proposed to target for JDK 24; Oracle Critical Patch Update for October 2024; and a potential leak in the SmallRye and Quarkiverse release processes.
OpenJDK
JEP 485, Stream Gatherers, has been promoted from Candidate to Proposed to Target for JDK 24. This JEP proposes to finalize this feature after two rounds of preview, namely: JEP 473: Stream Gatherers (Second Preview), delivered in JDK 23; and JEP 461, Stream Gatherers (Preview), delivered in JDK 22. This feature was designed to enhance the Stream API to support custom intermediate operations that will "allow stream pipelines to transform data in ways that are not easily achievable with the existing built-in intermediate operations." More details on this JEP may be found in the original design document and this InfoQ news story. The review is expected to conclude on October 23, 2024.
Oracle has released versions 23.0.1, 21.0.5, 17.0.13, 11.0.25, and 8u431 of the JDK as part of the quarterly Critical Patch Update Advisory for October 2024. More details on this release may be found in the release notes for version 23.0.1, version 21.0.5, version 17.0.13, version 11.0.25 and version 8u431.
Version 7.5.0 of the Regression Test Harness for the JDK, jtreg, has been released and ready for integration in the JDK. The most significant changes include: the restoration of the jtdiff tool; and support for a LIBRARY.properties file located in the directory specified in the @library tag and read when jtreg compiles classes in that library. There was also a dependency upgrade to JUnit 5.11.0. Further details on this release may be found in the release notes.
JDK 24
Build 20 of the JDK 24 early-access builds was made available this past week featuring updates from Build 19 that include fixes for various issues. Further details on this release may be found in the release notes.
For JDK 24, developers are encouraged to report bugs via the Java Bug Database.
Jakarta EE 11
In his weekly Hashtag Jakarta EE blog, Ivar Grimstad, Jakarta EE Developer Advocate at the Eclipse Foundation, provided an update on Jakarta EE 11, writing:
GlassFish now passes 84% of the tests in the refactored TCK for Jakarta EE 11. The remaining tests are mainly related to the Application Client Container. The Jakarta EE Platform Project is proposing to deprecate the Application Container in Jakarta EE 12. There are ongoing discussions about how much importance these tests should be given to Jakarta EE 11.
The Jakarta EE 11 Core Profile TCK has been staged, and both Open Liberty and WildFly are passing (or very close to passing) it. So it looks like we will be able to release Jakarta EE 11 Core Profile ahead of Jakarta EE 11 Platform and Jakarta EE 11 Web Profile.
The road to Jakarta EE 11 included four milestone releases with the potential for release candidates as necessary before the GA release in 4Q2024.
BellSoft
Concurrent with Oracle's Critical Patch Update (CPU) for October 2024, BellSoft has released CPU patches for versions 21.0.4.0.1, 17.0.12.0.1, 11.0.24.0.1, 8u431, 7u441 and 6u441 of Liberica JDK, their downstream distribution of OpenJDK, to address this list of CVEs. In addition, Patch Set Update (PSU) versions 23.0.1, 21.0.5, 17.0.13, 11.0.25 and 8u432, containing CPU and non-critical fixes, have also been released.
With an overall total of 1169 fixes and backports, BellSoft states that they have participated in eliminating 18 issues in all releases.
Spring Framework
The second release candidate of Spring Framework 6.2.0 delivers bug fixes, improvements in documentation, dependency upgrades and many new features such as: a rename of the OverrideMetadata class to BeanOverrideHandler to align with the existing naming convention of the other classes, interfaces and annotations defined in the org.springframework.test.context.bean.override package; and the addition of the messageConverters() method to the RestClient.Builder interface to allow setting converters of the RestClient interface without initializing the default one. This version will be included in the upcoming release of Spring Boot 3.4.0-RC1. More details on this release may be found in the release notes.
Similarly, the release of version 6.1.14 of Spring Framework also provides bug fixes, improvements in documentation, dependency upgrades and new features such as: the removal of support for relative paths in the ResourceHandlerUtils class that eliminates security issues; and ensure proper exception handling from the isCorsRequest() method, defined in the CorsUtils class, upon encountering a malformed Origin header. This version will be included in the upcoming releases of Spring Boot and 3.3.5 and 3.2.11. More details on this release may be found in the release notes.
The Spring Framework team has also disclosed two Common Vulnerabilities and Exposures (CVEs):
- CVE-2024-38819, a path traversal vulnerability in the Spring Web MVC and Spring WebFlux functional web frameworks in which an attacker can create a malicious HTTP request to obtain any file on the file system that is also accessible to the process on the running Spring application. This CVE is follow up from CVE-2024-38816, Path Traversal Vulnerability in Functional Web Frameworks, that used different malicious input.
- CVE-2024-38820: a vulnerability in which the
toLowerCase()method, defined in the JavaStringclass, had someLocaleclass-dependent exceptions that could potentially result in fields not being protected as expected. This is a result of the resolution for CVE-2022-22968 that made patterns of thedisallowedFieldsfield, defined inDataBinderclass, case insensitive.
These CVEs affect Spring Framework versions 5.3.0 - 5.3.40, 6.0.0 - 6.0.24 and 6.1.0 - 6.1.13.
The first release candidate of Spring Data 2024.1.0 delivers expanded support for Spring Data Value Expressions where property-placeholders may be leveraged in repository query methods annotated with @Query. There were also updates to sub-projects such as: Spring Data Commons 3.4.0-RC1, Spring Data MongoDB 4.4.0-RC1, Spring Data Elasticsearch 5.4.0-RC1 and Spring Data Neo4j 7.4.0-RC1. More details on this release may be found in the release notes.
Similarly, the release of Spring Data 2024.0.5 and 2023.1.11 ship with bug fixes and respective dependency upgrades to sub-projects such as: Spring Data Commons 3.3.5 and 3.2.11; Spring Data MongoDB 4.3.5 and 4.2.11; Spring Data Elasticsearch 5.3.5 and 5.2.11; and Spring Data Neo4j 7.3.5 and 7.2.11. These versions will be included in the upcoming releases of Spring Boot and 3.3.5 and 3.2.11.
WildFly
The release of WildFly 34 primarily focuses on WildFly Preview, a technical preview variant of the WildFly server. New features include: support for Jakarta Data 1.0, MicroProfile Rest Client 4.0 and MicroProfile Telemetry 2.0; a new Bill of Materials for WildFly Preview; and four new system properties (backlog, connection-high-water, connection-low-water and no-request-timeout) for configuration in the HTTP management interface. More details on this release may be found in the release notes. InfoQ will follow up with a more detailed news story.
Quarkus
The Quarkus team has disclosed that they recently discovered a potential leak in their Quarkiverse and SmallRye release processes and reported that there was no damage.
Clement Escoffier, Distinguished Engineer at Red Hat, summarized the issue, writing:
We've uncovered a security flaw in the release process for Quarkiverse and SmallRye that could have allowed malicious actors to impersonate projects and publish compromised artifacts.
We've implemented a new, more secure release pipeline to address this. If you're a maintainer, you've received a pull request to migrate to the new process. Quarkus itself is not affected by this issue, only SmallRye and Quarkiverse.
As a result, they have implemented a more secure release process and wanted to share the details with the Java community. InfoQ will follow up with a more detailed news story.
Micrometer
The first release candidate of Micrometer Metrics 1.14.0 provides bug fixes, improvements in documentation, dependency upgrades and new features such as: expose an instance of the TestObservationRegistry class via the assertThat() method from the AssertJ Assertions class; expand metrics to include virtual threads data; and improved performance with the initialization of the Tags class from already sorted array of unique tags. More details on this release may be found in the release notes.
Similarly, versions 1.13.6 and 1.12.11 of Micrometer Metrics also feature bug fixes, improvements in documentation and a new feature that improves the memory usage of the StepBucketHistogram class by eliminating an internal field of the buckets that can be acquired from an instance of the FixedBoundaryHistogram class when needed. Further details on these releases may be found in the release notes for version 1.13.6 and version 1.12.11.
The first release candidate of Micrometer Tracing 1.4.0 ships with dependency upgrades and new features: support for list values in tags in the Span and SpanCustomizer interfaces; and make the OtelSpan class public instead of private to eliminate use of reflection to act upon the underlying OpenTelemetry Span interface. More details on this release may be found in the release notes.
Similarly, version 1.3.5 and 1.2.11 of Micrometer Tracing 1.4.0 simply provide dependency upgrades. Further details on these releases may be found in the release notes for version 1.3.5 and version 1.2.11.
Project Reactor
The first release candidate of Project Reactor 2024.0.0 provides dependency upgrades to reactor-core 3.7.0-RC1, reactor-netty 1.2.0-RC1, reactor-pool 1.1.0-RC1, reactor-addons 3.6.0-RC1, reactor-kotlin-extensions 1.3.0-RC1 and reactor-kafka 1.4.0-RC1. Based on the Spring Calendar, it is anticipated that the GA version of Project 2024.0.0 will be released in November 2024. Further details on this release may be found in the changelog.
Next, Project Reactor 2023.0.11, the eleventh maintenance release, provides dependency upgrades to reactor-core 3.6.11 and reactor-netty 1.1.23. There was also a realignment to version 2023.0.11 with the reactor-pool 1.0.8, reactor-addons 3.5.2, reactor-kotlin-extensions 1.2.3 and reactor-kafka 1.3.23 artifacts that remain unchanged. More details on this release may be found in the changelog.
Piranha Cloud
The release of Piranha 24.10.0 delivers bug fixes and notable changes such as: ensure that an instance of the Eclipse Jersey InjecteeSkippingAnalyzer class is installed when needed; and use of the Java PrintStream class or the isWriterAcquired() method, defined in the in the DefaultWebApplicationResponse class, in the DefaultServletRequestDispatcher class as a response to a top-level exception. Further details on this release may be found in their documentation and issue tracker.
Apache Software Foundation
The third milestone release of Apache TomEE 10.0.0 provides bugs fixes, dependency upgrades and new features such as: an improved import of data sources and entity managers that obsoletes the use of the ImportSql class; and a new RequestNotActiveException class, that replaces throwing a NullPointerException, when an instance of a Jakarta Servlet HttpServletRequest is invoked on a thread with no active servlet request. More details on this release may be found in the release notes.
JobRunr
The release of JobRunr 7.3.1 provides new features such as: an instance of the JobDetails class is now cacheable when injecting an interface instead of an implementation; and an enhanced JobRunr Dashboard that includes tips for diagnosing severe JobRunr exceptions for improved clarity of notifications. Further details on this release may be found in the release notes.
Keycloak
Keycloak 26.0.1 has been released with bug fixes and enhancements: a clarification of the behavior of multiple versions of Keycloak Operator installed in the same cluster operator; and improved error logging during a transaction commit. More details on this release may be found in the release notes.
JDKUpdater
Version 14.0.59+79 of JDKUpdater, a new utility that provides developers the ability to keep track of updates related to builds of OpenJDK and GraalVM. Introduced in mid-March by Gerrit Grunwald, principal engineer at Azul, this release resolves an issue with the calculation of the next update and the next release date of the JDK. More details on this release may be found in the release notes.
Gradle
The first release candidate of Gradle 8.11.0 delivers new features such as: improved performance in the configuration cache with an opt-in parallel loading and storing of cache entries; the C++ and Swift plugins now compatible with the configuration cache; and improved error and warning reporting in which Java compilation errors are now displayed at the end of the build output. More details on this release may be found in the release notes.