The following issues are addressed in 17.0.15.6.1:$$$$$$Issue NametPlatformtDescriptiontLink$$$Import jdk-17.0.15+6tAlltUpdate Corretto baseline to OpenJDK 17.0.15+6tjdk-17.0.15+6$$$(tz) Update Timezone Data to 2025btAlltUpdate tz code and data to use 2025b releasetJDK-8352716$$$The following CVEs are addressed in 17.0.15.6.1:$$$$$$CVEtCVSStComponent$$$CVE-2025-21587tsecurity-libs/javax.net.sslt7.4$$$CVE-2025-30698tclient-libs/2dt5.6$$$CVE-2025-30691thotspot/compilert4.8

The following issues are addressed in 17.0.14.7.1:$$$$$$Issue NametPlatformtDescriptiontLink$$$Import jdk-17.0.14+7tAlltUpdate Corretto baseline to OpenJDK 17.0.14+7tjdk-17.0.14+7$$$JDK-8345296taarch64tVM crashes with SIGILL when prctl is disallowedtJDK-8345296$$$The following CVEs are addressed in 17.0.14.7.1:$$$$$$CVEtCVSStComponent$$$CVE-2025-21502t4.8thotspot/compiler

Corretto version: 17.0.13.11.1$$$Release Date: October 15; 2024$$$$$$Target Platforms 1$$$$$$RPM-based Linux using glibc 2.12 or later; x86; x86_64$$$Debian-based Linux using glibc 2.12 or later; x86; x86_64$$$RPM-based Linux using glibc 2.17 or later; aarch64$$$Debian-based Linux using glibc 2.17 or later; aarch64$$$Linux using glibc 2.25 or later; Arm$$$Linux using muslc 1.2.2 or later; Arm$$$Alpine-based Linux; x86_64$$$Alpine-based Linux; aarch64$$$Windows 10 or later; x86; x86_64$$$macOS 12.0 and later; x86_64$$$macOS 12.0 and later; aarch64$$$1. This is the platform targeted by the build. See Using Amazon Corretto in the Amazon Corretto FAQ for supported platforms$$$$$$The following issues are addressed in 17.0.13.11.1:$$$$$$Issue NametPlatformtDescriptiontLink$$$Import jdk-17.0.13+11tAlltUpdate Corretto baseline to OpenJDK 17.0.13+11tjdk-17.0.13+11$$$JDK-8279164tAlltThe TLS_ECDH cipher suites do not preserve forward secrecy and are rarely used in practice. With this release; they are disabled by adding ECDH to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. Attempts to use these suites with this release will result in a SSLHandshakeException being thrown. Note that ECDH cipher suites which use RC4 were already disabled prior to this change. Users can; at their own risk; remove this restriction by modifying the java.security configuration file (or override it by using the java.security.properties system property) so ECDH is no longer listed in the jdk.tls.disabledAlgorithms security property. This change has no effect on TLS_ECDHE cipher suites; which remain enabled by default.tJDK-8279164$$$JDK-8341059tAlltIn accordance with similar plans recently announced by Google and Mozilla; the JDK will not trust Transport Layer Security (TLS) certificates issued after the 12th of November 2024 which are anchored by Entrust root certificates. This includes certificates branded as AffirmTrust; which are managed by Entrust. Certificates issued on or before November 12th; 2024 will continue to be trusted until they expire. If a servers certificate chain is anchored by an affected certificate; attempts to negotiate a TLS session will fail with an Exception that indicates the trust anchor is not trusted.tJDK-8341059$$$JDK-8307779tAlltThis release of OpenJDK 17 updates to the latest maintenance release of the Java 17 specification. This relaxes the specification of three methods in the java.awt.Robot class - mouseMove(int;int); getPixelColor(int;int) and createScreenCapture(Rectangle) - to allow these methods to fail when the desktop environment does not permit moving the mouse pointer or capturing screen content.tJDK-8307779$$$JDK-8290367tAlltWith this OpenJDK release; the JDK implementation of the LDAP provider no longer supports the deserialisation of Java objects by default. This is achieved by the system property com.sun.jndi.ldap.object.trustSerialData being set to false by default. Note that this release also increases the scope of the com.sun.jndi.ldap.object.trustSerialData to cover the reconstruction of RMI remote objects from the javaRemoteLocation LDAP attribute. The result of this change is that transparent deserialisation of Java objects will require an explicit opt-in. Applications that wish to reconstruct Java objects and RMI stubs from LDAP attributes will need to set the com.sun.jndi.ldap.object.trustSerialData to true.tJDK-8290367$$$JDK-8328286tAlltThis OpenJDK release limits the maximum header field size accepted by the HTTP client within the JDK for all supported versions of the HTTP protocol. The header field size is computed as the sum of the size of the uncompressed header name; the size of the uncompressed header value and a overhead of 32 bytes for each field section line. If a peer sends a field section that exceeds this limit; a java.net.ProtocolException will be raised. This release also introduces a new system property; jdk.http.maxHeaderSize. This property can

The following sections describe the changes for each release of Amazon Corretto 17.$$$Corretto version: 17.0.12.7.1$$$Release Date: July 16; 2024 Target Platforms 1$$$$$$RPM-based Linux using glibc 2.12 or later; x86; x86_64$$$Debian-based Linux using glibc 2.12 or later; x86; x86_64$$$RPM-based Linux using glibc 2.17 or later; aarch64$$$Debian-based Linux using glibc 2.17 or later; aarch64$$$Alpine-based Linux; x86_64$$$Alpine-based Linux; aarch64$$$Windows 10 or later; x86_64$$$macos 12.0 and later; x86_64$$$macos 12.0 and later; aarch64$$$1. This is the platform targeted by the build. See Using Amazon Corretto in the Amazon Corretto FAQ for supported platforms$$$$$$The following issues are addressed in 17.0.12.7.1:$$$$$$Issue NametPlatformtDescriptiontLink$$$Import jdk-17.0.12+7tAlltUpdate Corretto baseline to OpenJDK 17.0.12+7t17.0.12+7$$$The following CVEs are addressed in 17.0.12.7.1:$$$$$$CVEtCVSStComponent$$$CVE-2024-21147t7.4thotspot/compiler$$$CVE-2024-21145t4.8tclient-libs/2d$$$CVE-2024-21140t4.8thotspot/compiler$$$CVE-2024-21131t3.7thotspot/runtime$$$CVE-2024-21138t3.7thotspot/runtime

The following sections describe the changes for each release of Amazon Corretto 17.$$$$$$Corretto version: 17.0.11.9.1$$$Release Date: April 16; 2024 Target Platforms 1$$$$$$RPM-based Linux using glibc 2.12 or later; x86; x86_64$$$Debian-based Linux using glibc 2.12 or later; x86; x86_64$$$RPM-based Linux using glibc 2.17 or later; aarch64$$$Debian-based Linux using glibc 2.17 or later; aarch64$$$Alpine-based Linux; x86_64$$$Alpine-based Linux; aarch64$$$Windows 10 or later; x86_64$$$macos 12.0 and later; x86_64$$$macos 12.0 and later; aarch64$$$1. This is the platform targeted by the build. See Using Amazon Corretto in the Amazon Corretto FAQ for supported platforms$$$$$$The following issues are addressed in 17.0.11.9.1:$$$$$$Issue NametPlatformtDescriptiontLink$$$Import jdk-17.0.11+9tAlltUpdate Corretto baseline to OpenJDK 17.0.11+9t17.0.11+9$$$Fallback option for POST-only OCSP requeststAlltAdd option to fallback to old OCSP behavior to not unconditionally use GET requests for small requeststJDK-8328638$$$Shenandoah: SIGSEGV crash in unnecessary_acquire due to LoadStore split through phitAlltFix SIGSEGV crash when using Shenandoah garbage collectortJDK-8325372$$$The following CVEs are addressed in 17.0.11.9.1:$$$$$$CVEtCVSStComponent$$$CVE-2024-21012t3.7tcore-libs/java.net$$$CVE-2024-21011t3.7thotspot/runtime$$$CVE-2024-21068t3.7thotspot/compiler$$$CVE-2024-21094t3.7thotspot/compiler

Corretto version: 17.0.10.7.1$$$Release Date: January 16; 2024 Target Platforms 1$$$$$$RPM-based Linux using glibc 2.12 or later; x86; x86_64$$$Debian-based Linux using glibc 2.12 or later; x86; x86_64$$$RPM-based Linux using glibc 2.17 or later; aarch64$$$Debian-based Linux using glibc 2.17 or later; aarch64$$$Alpine-based Linux; x86_64$$$Alpine-based Linux; aarch64$$$Windows 10 or later; x86_64$$$macos 12.0 and later; x86_64$$$macos 12.0 and later; aarch64$$$1. This is the platform targeted by the build. See Using Amazon Corretto in the Amazon Corretto FAQ for supported platforms$$$$$$The following issues are addressed in 17.0.10.7.1:$$$$$$Issue NametPlatformtDescriptiontLink$$$Import jdk-17.0.10+7tAlltUpdates Corretto baseline to OpenJDK 17.0.10+7tjdk-17.0.10+7$$$Data loss in AVX3 Base64 decodingtAlltBase64 appears to give different (wrong) results in some rare cases when AVX3 is enabled.tJDK-8321599$$$(tz) Update Timezone Data to 2023dtAlltUpdate Timezone Data to 2023dtJDK-8322725$$$NPE in PKCS7.parseOldSignedDatatAlltFixes exception PKCS7.parseOldSignedDattJDK-8315042$$$Enable Neoverse N1 optimizations for Neoverse V2tAlltEnable Neoverse N1 optimizations for Neoverse V2tJDK-8321025$$$Enable UseCryptoPmullForCRC32 for Neoverse V2tAlltEnable UseCryptoPmullForCRC32tJDK-8321105$$$The following CVEs are addressed in 17.0.10.7.1:$$$$$$CVEtCVSStComponent$$$CVE-2024-20918t7.4thotspot/compiler$$$CVE-2024-20952t7.4tsecurity-libs/java.security$$$CVE-2024-20919t5.9thotspot/runtime$$$CVE-2024-20921t5.9thotspot/compiler$$$CVE-2024-20945t4.7tsecurity-libs/javax.xml.crypto

Change Log for Amazon Corretto 17$$$The following sections describe the changes for each release of Amazon Corretto 17.$$$$$$Corretto version: 17.0.9.8.1$$$Release Date: October 17; 2023$$$$$$Target Platforms 1$$$$$$RPM-based Linux using glibc 2.12 or later; x86; x86_64$$$Debian-based Linux using glibc 2.12 or later; x86; x86_64$$$RPM-based Linux using glibc 2.17 or later; aarch64$$$Debian-based Linux using glibc 2.17 or later; aarch64$$$Alpine-based Linux; x86_64$$$Alpine-based Linux; aarch64$$$Windows 10 or later; x86_64$$$macos 11.0 and later; x86_64$$$macos 11.0 and later; aarch64$$$1. This is the platform targeted by the build. See Using Amazon Corretto in the Amazon Corretto FAQ for supported platforms$$$$$$The following issues are addressed in 17.0.9.8.1:$$$$$$Issue NametPlatformtDescriptiontLink$$$Import jdk-17.0.9+8tAlltUpdates Corretto baseline to OpenJDK 17.0.9+8tjdk-17.0.9+8$$$The following CVEs are addressed in 17.0.9.8.1:$$$$$$CVEtCVSStComponent$$$CVE-2023-22081t5.3tsecurity-libs/javax.net.ssl$$$CVE-2023-22025t3.7thotspot/compiler$$$Corretto version: 17.0.8.8.1$$$Release Date: August 22; 2023$$$$$$Target Platforms 1$$$$$$RPM-based Linux using glibc 2.12 or later; x86; x86_64$$$Debian-based Linux using glibc 2.12 or later; x86; x86_64$$$RPM-based Linux using glibc 2.17 or later; aarch64$$$Debian-based Linux using glibc 2.17 or later; aarch64$$$Alpine-based Linux; x86_64$$$Alpine-based Linux; aarch64$$$Windows 10 or later; x86_64$$$macos 11.0 and later; x86_64$$$macos 11.0 and later; aarch64$$$1. This is the platform targeted by the build. See Using Amazon Corretto in the Amazon Corretto FAQ for supported platforms$$$$$$The following issues are addressed in 17.0.8.8.1:$$$$$$Issue NametPlatformtDescriptiontLink$$$8313765: Invalid CEN header (invalid zip64 extra data field size)tAlltFix ZipException that may be encountered when opening select APK; ZIP or JAR filestJDK-8313765

Corretto version: 17.0.8.8.1$$$Release Date: August 22; 2023$$$$$$Target Platforms 1$$$$$$RPM-based Linux using glibc 2.12 or later; x86; x86_64$$$Debian-based Linux using glibc 2.12 or later; x86; x86_64$$$RPM-based Linux using glibc 2.17 or later; aarch64$$$Debian-based Linux using glibc 2.17 or later; aarch64$$$Alpine-based Linux; x86_64$$$Alpine-based Linux; aarch64$$$Windows 10 or later; x86_64$$$macos 11.0 and later; x86_64$$$macos 11.0 and later; aarch64$$$1. This is the platform targeted by the build. See Using Amazon Corretto in the Amazon Corretto FAQ for supported platforms$$$$$$The following issues are addressed in 17.0.8.8.1:$$$$$$Issue NametPlatformtDescriptiontLink$$$8313765: Invalid CEN header (invalid zip64 extra data field size)tAlltFix ZipException that may be encountered when opening select APK; ZIP or JAR filestJDK-8313765

Corretto version: 17.0.8.7.1$$$$$$Release Date: July 18; 2023$$$$$$Target Platforms 1$$$$$$ RPM-based Linux using glibc 2.12 or later; x86; x86_64$$$ Debian-based Linux using glibc 2.12 or later; x86; x86_64$$$ RPM-based Linux using glibc 2.17 or later; aarch64$$$ Debian-based Linux using glibc 2.17 or later; aarch64$$$ Alpine-based Linux; x86_64$$$ Alpine-based Linux; aarch64$$$ Windows 10 or later; x86_64$$$ macos 11.0 and later; x86_64$$$ macos 11.0 and later; aarch64$$$$$$1. This is the platform targeted by the build. See Using Amazon Corretto in the Amazon Corretto FAQ for supported platforms$$$$$$The following issues are addressed in 17.0.8.7.1:$$$Issue Name tPlatform tDescription tLink$$$Import jdk-17.0.8+7 tAll tUpdates Corretto baseline to OpenJDK 17.0.8+7 tjdk-17.0.8+7$$$Dynamic linking zlib tAll tDynamic linking zlib t#125$$$8302483: Enhance ZIP performance tAll tThis release of OpenJDK includes stronger checks on the Zip64 fields of zip files. In the event that these checks cause failures on trusted zip files; the checks can be disabled by setting the new system property jdk.util.zip.disableZip64ExtraFieldValidation to true. t$$$8300596: Enhance Jar Signature validation tAll tA System property jdk.jar.maxSignatureFileSize is introduced to configure the maximum number of bytes allowed for the signature-related files in a JAR file during verification. The default value is 8000000 bytes (8 MB). t$$$$$$The following CVEs are addressed in 17.0.8.7.1:$$$CVE tCVSS tComponent$$$CVE-2023-22041 t5.1 thotspot/compiler$$$CVE-2023-25193 t3.7 tclient-libs/2d$$$CVE-2023-22044 t3.7 thotspot/compiler$$$CVE-2023-22045 t3.7 thotspot/compiler$$$CVE-2023-22049 t3.7 tcore-libs/java.io$$$CVE-2023-22036 t3.7 tcore-libs/java.util$$$CVE-2023-22006 t3.1 tcore-libs/java.net

Corretto version: 17.0.7.7.1$$$Release Date: April 18; 2023$$$$$$Target Platforms 1$$$$$$RPM-based Linux using glibc 2.12 or later; x86; x86_64$$$Debian-based Linux using glibc 2.12 or later; x86; x86_64$$$RPM-based Linux using glibc 2.17 or later; aarch64$$$Debian-based Linux using glibc 2.17 or later; aarch64$$$Alpine-based Linux; x86_64$$$Alpine-based Linux; aarch64$$$Windows 10 or later; x86_64$$$macos 11.0 and later; x86_64$$$macos 11.0 and later; aarch64$$$1. This is the platform targeted by the build. See Using Amazon Corretto in the Amazon Corretto FAQ for supported platforms$$$$$$The following issues are addressed in 17.0.7.7.1:$$$$$$Issue NametPlatformtDescriptiontLink$$$Import jdk-17.0.7+7tAlltUpdates Corretto baseline to OpenJDK 17.0.7+7tjdk-17.0.7+7$$$Tz datatAlltAll tzdata updates up to 2023ct#117$$$Update amazon cacertstAlltUpdate amazon cacerts file from amazonlinuxt#113 #115 #116$$$The following CVEs are addressed in 17.0.7.7.1:$$$$$$CVEtCVSStComponent$$$CVE-2023-21930t7.4tsecurity-libs/javax.net.ssl$$$CVE-2023-21954t5.9thotspot/gc$$$CVE-2023-21967t5.9tsecurity-libs/javax.net.ssl$$$CVE-2023-21939t5.3tclient-libs/javax.swing$$$CVE-2023-21938t3.7tcore-libs/java.lang$$$CVE-2023-21937t3.7tcore-libs/java.net$$$CVE-2023-21968t3.7tcore-libs/java.nio

Release Date: January 17; 2023$$$$$$Target Platforms 1$$$$$$RPM-based Linux using glibc 2.12 or later; x86; x86_64$$$Debian-based Linux using glibc 2.12 or later; x86; x86_64$$$RPM-based Linux using glibc 2.17 or later; aarch64$$$Debian-based Linux using glibc 2.17 or later; aarch64$$$Alpine-based Linux; x86_64$$$Windows 10 or later; x86_64$$$macos 10.15 and later; x86_64$$$macos 11.0 and later; aarch64$$$1. This is the platform targeted by the build. See Using Amazon Corretto in the Amazon Corretto FAQ for supported platforms$$$$$$The following issues are addressed in 17.0.6.10.1:$$$$$$Issue NametPlatformtDescriptiontLink$$$Import jdk-17.0.6+10tAlltUpdates Corretto baseline to OpenJDK 17.0.6+10tjdk-17.0.6+10$$$Fix provides for public shared libstALtAll tzdata updates up to 2022et#108$$$Fix java_home alternativetLinuxtAlternative dir without architecture should be created on headless packaget#106$$$Add corretto.gtest propertytAlltThe new corretto.gtest property will be used to pass the path to the gtest libraryt#104$$$Include commitId.txt in archivestAlltInclude commitId.txt in archivest#103$$$Update amazon cacertstAlltUpdate amazon cacerts file from amazonlinuxt$$$Relax VerifyCACertstAlltRelax VerifyCACerts expiry conditiont#101$$$The following CVEs are addressed in 17.0.6.10.1:$$$$$$CVEtCVSStComponent$$$CVE-2023-21835t8287411t5.3$$$CVE-2023-21830t8285021t5.3$$$CVE-2023-21843t8293742t3.7

The following issues are addressed in 17.0.5.8.1:$$$$$$Issue NametPlatformtDescriptiontLink$$$Import jdk-17.0.5+8tAlltUpdates Corretto baseline to OpenJDK 17.0.5+8tjdk-17.0.5+8$$$Update Timezone Data to 2022etAlltAll tzdata updates up to 2022et#97 #99$$$Add jpeg; alsa and fonts as headless dependenciestAmazon LinuxtAdd libraries that could be used in headless mode to RPM dependeciest#94$$$Update amazon cacertstAlltUpdate amazon cacerts file from amazonlinuxt$$$The following CVEs are addressed in 17.0.5.8.1:$$$$$$CVEtCVSStComponent$$$CVE-2022-21618t5.3tsecurity-libs/org.ietf.jgss$$$CVE-2022-21628t5.3tcore-libs/java.net$$$CVE-2022-39399t3.7tcore-libs/java.net$$$CVE-2022-21619t3.7tsecurity-libs/java.security$$$CVE-2022-21624t3.7tcore-libs/javax.naming$$$Corretto version: 17.0.4.9.1

The following issues are addressed in 17.0.4.9.1$$$$$$Issue NametPlatformtDescriptiontLink$$$Import jdk-17.0.4.1+0tAlltUpdates Corretto baseline to OpenJDK 17.0.4.1+0tjdk-17.0.4.1+0$$$Resolve C2 compiler crashtAlltJDK-8279219 caused regressions in the OpenJDK 11.0.16 and OpenJDK 17.0.4 releases and we are backing it out. See JDK-8291665.tJDK-8292260

The following issues are addressed in 17.0.4.8.1$$$Issue NametPlatformtDescription$$$Import jdk-17.0.4+8tAlltUpdates Corretto baseline to OpenJDK 17.0.4+8$$$Fix src.rpm name that some tools depend ontLinuxtUpdates src.rpm name$$$Migrate pkg builds to productbuild from packagestmacOStUpdates to macos packaging$$$Only require log4j-cve-mitigations on AL2tAL2tUpdates log4j-cve-mitigations to AL2 only$$$The documentation updatetAlltUpdates to code of conduct and contributing documentation$$$AL2022 updatestAL2; AL2022tUpdates to support Corretto in Amazon Linux 2022$$$Enable bundled zlib library via GradletmacOStUpdates to use bundled (not the system) version of the zlib library on macOS aarch64$$$Update amazon cacertstAlltUpdate amazon cacerts file from amazonlinux$$$$$$